ISC2 CC Domain 4: Network Security — A Clear, Structured Guide

Introduction

If you’re studying for the ISC2 CC (Certified in Cybersecurity) certification, Domain 4 combines network fundamentals and security controls. You must grasp how data travels, how devices identify one another, where vulnerabilities occur, and which methods defenders employ to reduce risk.

This post walks through Domain 4 topics in an orderly way, from basic network types to cloud models and core security principles. Use it as a narrative “map” of the domain.

  1. Network Types: PAN, LAN, MAN, WAN

Understanding network scope helps you quickly reason about risk, exposure, and typical controls.

PAN (Personal Area Network)

A PAN is a very small network centered around one person’s devices, usually within a few meters. It often uses technologies like Bluetooth or short-range wireless. Typical PANs connect smartphones, smartwatches, fitness trackers, and earbuds.

LAN (Local Area Network)

A LAN covers a limited area such as a home, office, or single building. LANs are usually high-speed and privately managed. They connect desktops, laptops, printers, servers, and Wi-Fi access points inside one logical environment.

MAN (Metropolitan Area Network)

A MAN spans a larger physical area than a LAN, such as a city or large campus. It interconnects multiple LANs, often across different buildings or campuses, using high-capacity links managed by a single organization or service provider.

WAN (Wide Area Network)

A WAN connects networks across large geographic regions—multiple cities, countries, or even globally. It ties together LANs and MANs with technologies such as leased lines, MPLS, VPNs, or SD-WAN over the internet. The internet itself is the ultimate WAN.

  2. How Data Travels: Packet vs. Circuit Switching

Circuit Switching

Circuit switching establishes a dedicated path between two endpoints for the duration of a session. Traditional telephone systems used this model. Once the circuit is set up, resources are reserved, which offers predictable performance but poor efficiency when the connection is idle.

Packet Switching

Packet switching breaks data into small packets that may take different paths across the network before being reassembled at the destination. This is how the modern internet works. It’s more efficient and resilient, but packet delay and reordering must be handled by higher-layer protocols.

For CC purposes, it’s enough to remember: the internet = packet-switched, and circuit switching is more of a legacy/telecom concept you might see in diagrams and explanations.

  3. Network Models: OSI and TCP/IP

OSI Model

The OSI (Open Systems Interconnection) model is a seven-layer conceptual framework used to understand network communication:

  1. Physical
  2. Data Link
  3. Network
  4. Transport
  5. Session
  6. Presentation
  7. Application

You use OSI to reason about where issues and controls live: cables and signals at the Physical layer, MAC and switching at Data Link, routing at Network, and user-facing protocols at Application.

TCP/IP Model

The TCP/IP model is the practical protocol stack of the internet. It typically has four layers:

  • Link
  • Internet
  • Transport
  • Application

The TCP/IP Application layer covers what OSI splits into Session, Presentation, and Application. From a CC perspective, focus on understanding how data is encapsulated and how each layer adds its own header to carry data between endpoints.

  4. Addressing and Identity: MAC, IP, ARP

MAC Address

A MAC (Media Access Control) address is a hardware-level identifier associated with a network interface. It is used primarily within local networks by switches to forward frames. MAC addresses can be spoofed, which is important to know from a security standpoint.

IPv4

IPv4 addresses are 32-bit values usually written in dotted-decimal notation (for example, 192.168.1.10). IPv4 has a limited address space and uses concepts like private addressing and NAT to stretch its usability.

IPv6

IPv6 addresses are 128-bit values written in hexadecimal groups (for example, 2001:0db8::1). IPv6 was designed to solve IPv4 exhaustion and improve features such as auto-configuration and more standardized support for secure communication. Its shorthand format allows compressing consecutive zeros with :: for readability.
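The shorthand rule above, worked through in code. This is an added example, not part of the original guide; it implements the RFC 5952 compression rules by hand instead of calling Python's ipaddress module so that every step is visible.

```python
import re

# Added example (not from the original guide): expanding and compressing
# IPv6 addresses by hand to show exactly what the "::" shorthand encodes.
# Compression follows RFC 5952: lowercase hex, no leading zeros, and "::"
# replaces the longest run of two or more all-zero groups (first on a tie).

def expand_ipv6(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 address, filling in '::'."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = addr.partition("::")
    head_groups = head.split(":") if head else []
    tail_groups = tail.split(":") if tail else []
    missing = 8 - len(head_groups) - len(tail_groups)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError(f"wrong number of groups in {addr!r}")
    groups = head_groups + (["0"] * missing if sep else []) + tail_groups
    if not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError(f"malformed group in {addr!r}")
    return [int(g, 16) for g in groups]

def compress_ipv6(groups: list) -> str:
    """Canonical text form of eight groups (RFC 5952 style)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:                        # locate the longest run of zero groups
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:            # strict '>' keeps the first longest run
            best_start, best_len = i, j - i
        i = j
    hexes = [format(g, "x") for g in groups]
    if best_len < 2:                    # a lone zero group is never shortened
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])

def canonical(addr: str) -> str:
    return compress_ipv6(expand_ipv6(addr))

def is_valid_ipv6(addr: str) -> bool:
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False
```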

ARP (Address Resolution Protocol)

ARP is used on IPv4 networks to map IP addresses to MAC addresses on the local segment. When a device wants to communicate with a local IP, it sends an ARP request asking, “Who has this IP?” The device owning that IP responds with its MAC address. ARP is simple and trusting, which is why techniques like ARP poisoning (spoofing ARP replies) are possible and relevant to security.
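The trust problem just described is what a defender watches for on the wire. The following monitor is an added example (not from the original guide) that learns IP-to-MAC bindings from constructed ARP replies and flags an IP whose answering MAC changes; the addresses and the ArpReply/ArpMonitor names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Added example (not from the original guide): a passive monitor that
# learns IP-to-MAC bindings from observed ARP replies and flags the
# symptom of ARP poisoning described above: an IP that is suddenly
# answered by a different MAC. The reply list is constructed sample data.

@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str

@dataclass
class ArpMonitor:
    bindings: dict = field(default_factory=dict)                     # ip -> first MAC seen
    claims: dict = field(default_factory=lambda: defaultdict(set))  # mac -> ips it answered for
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> None:
        mac = r.sender_mac.lower()
        self.claims[mac].add(r.sender_ip)
        known = self.bindings.get(r.sender_ip)
        if known is None:
            self.bindings[r.sender_ip] = mac        # learn on first sight
        elif known != mac:
            # The learned binding is kept; the change is reported to an
            # analyst, since a genuine NIC replacement looks identical.
            self.alerts.append(f"t={r.ts:.0f} {r.sender_ip}: {known} -> {mac}")

    def multi_ip_macs(self) -> set:
        """MACs answering for more than one IP: one station posing as several
        hosts (for example gateway and workstation) is a second indicator."""
        return {m for m, ips in self.claims.items() if len(ips) > 1}

SAMPLE_REPLIES = [  # constructed: 192.168.1.1 is the gateway, .10 a workstation
    ArpReply(0, "192.168.1.1", "AA:BB:CC:00:00:01"),
    ArpReply(1, "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply(30, "192.168.1.1", "aa:bb:cc:00:00:01"),    # same binding, no alert
    ArpReply(31, "192.168.1.1", "de:ad:be:ef:00:99"),    # gateway IP now answered elsewhere
    ArpReply(31, "192.168.1.10", "de:ad:be:ef:00:99"),   # same MAC also claims .10
]

def run_sample() -> ArpMonitor:
    mon = ArpMonitor()
    for reply in SAMPLE_REPLIES:
        mon.observe(reply)
    return mon
```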

  5. Ports and Services

Ports identify specific services running on a host. Network connections are typically defined by a 4-tuple: source IP, source port, destination IP, destination port.

You don’t need to memorize every port, but you should be comfortable with key examples like:

  • HTTP → 80
  • HTTPS → 443
  • SSH → 22
  • RDP → 3389

From a security standpoint, each open port is a potential entry point. Using only necessary ports and protecting them with firewalls, encryption, and strong authentication is a basic but crucial control.

  6. Wireless Security: Wi-Fi Basics and Risks

Wi-Fi Basics

Wi-Fi networks use access points (APs) to provide wireless connectivity over radio waves instead of cables. Users authenticate to the AP (or guest portal), and traffic is transferred over the air. This mobility introduces convenience but also more exposure, since attackers don’t need a physical jack; they only need to be within range.

Common Wi-Fi Threats

  • Rogue Access Point: An unauthorized AP added to the environment, intentionally or accidentally. It can bypass policies and monitoring if not detected.
  • Evil Twin: An attacker creates an AP with the same SSID as a legitimate network to trick users into connecting. Once connected, the attacker can monitor or modify traffic.
  • Jamming / Interference: Deliberate or accidental interference can disrupt Wi-Fi signals, affecting availability.

Key takeaway: Wi-Fi must be secured with proper encryption (e.g., WPA2/WPA3), strong passwords, and monitoring for rogue or suspicious APs.

  7. Firewalls and DMZ

What Is a Firewall?

A firewall is a security device or software that monitors and filters traffic based on predefined rules at the boundaries between networks or between a host and the network.

Common firewall types include:

  • Packet-filtering firewalls – inspect IP, port, and protocol fields; simple and fast but with limited context.
  • Stateful firewalls – track active connections and understand whether packets belong to an established session.
  • Proxy / application firewalls – act as intermediaries for specific applications (like HTTP), inspecting traffic more deeply.
  • Next-Generation Firewalls (NGFWs) – add features such as deep packet inspection, application awareness, integrated threat intelligence, and sometimes built-in IDS/IPS capabilities (source: NIST Computer Security Resource Center).

Security best practices with firewalls include:

  • Default deny: block everything by default and explicitly allow required traffic.
  • Limiting both inbound and outbound access to what’s needed.
  • Regularly reviewing and cleaning up rules.
  • Enabling logging and feeding logs to monitoring systems.

DMZ (Demilitarized Zone)

A DMZ is a network segment that acts as a buffer between the public internet and the internal network. Systems that must be accessible from the internet—such as web servers, email gateways, VPN endpoints, and public DNS—are often placed in the DMZ.

Typical design goals:

  • Public services in the DMZ can be reached from the internet.
  • The DMZ has strictly controlled access to the internal network.
  • Internal systems are never directly exposed to the internet.

If a DMZ system is compromised, proper segmentation and firewall rules should significantly limit the impact on internal systems.
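Putting the firewall best practices and the DMZ design goals together, here is an added example (not from the original guide) of a toy stateful packet filter with default deny and a connection table; the rules, addresses and the Packet/Rule/StatefulFirewall names are all constructed for this illustration.

```python
import ipaddress
from collections import namedtuple
# Added example (not from the original guide): a toy stateful firewall that
# applies the practices and DMZ design goals above: default deny, explicit
# allow rules per direction, a connection table so replies to permitted
# outbound flows pass without a broad inbound rule, and a decision log.
# direction is "in"/"out" relative to the internal net; src/dst are CIDRs or "any".

Packet = namedtuple("Packet", "proto src sport dst dport direction")
Rule = namedtuple("Rule", "action proto src dst dport direction")
def _in_net(ip: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.proto in (p.proto, "any")
            and (r.dport is None or r.dport == p.dport)
            and _in_net(p.src, r.src) and _in_net(p.dst, r.dst))

class StatefulFirewall:
    def __init__(self, rules: list):
        self.rules, self.state, self.log = rules, set(), []

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.state:          # reply to a tracked connection
            verdict, why = "allow", "established"
        else:                               # new flow: first matching rule wins
            hit = next((r for r in self.rules if rule_matches(r, p)), None)
            verdict = hit.action if hit else "deny"     # default deny
            why = "rule" if hit else "default-deny"
            if verdict == "allow":
                self.state.add(key)         # remember it so replies pass
        self.log.append(f"{verdict} {why} {p.direction} {key}")
        return verdict

RULES = [  # constructed: internal net 10.0.0.0/8; DMZ web server 203.0.113.10
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443, "in"),   # public HTTPS only
    Rule("allow", "tcp", "10.0.0.0/8", "any", 443, "out"),        # users browsing out
]   # no rule allows DMZ -> internal, so default deny covers that path

def run_sample() -> list:
    fw = StatefulFirewall(RULES)
    return [fw.filter(p) for p in [
        Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 443, "out"),   # allowed by rule
        Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, "in"),    # established reply
        Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 52000, "in"),    # no matching state
        Packet("tcp", "203.0.113.10", 40000, "10.0.0.50", 445, "in"),   # DMZ -> internal
    ]]
```

Packet filtering alone would need a broad "allow inbound from port 443" rule to let the second packet through, which would also admit the third; the connection table is what makes the narrower policy workable.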

  8. IDS and IPS

IDS (Intrusion Detection System)

An IDS monitors network or host activities looking for suspicious patterns or known attack signatures. When it detects something, it generates alerts, but does not necessarily block the traffic.

IDS variants:

  • Network-based IDS (NIDS): monitors network traffic on key segments.
  • Host-based IDS (HIDS): monitors activity on a specific host (files, processes, logs).

IPS (Intrusion Prevention System)

An IPS has similar detection capabilities but is placed inline so it can automatically block, drop, or modify traffic when an attack is detected according to policy.

Key points to remember:

  • IDS is primarily detection and alerting.
  • IPS adds automatic prevention actions.
  • Both can use signature-based, anomaly-based, or hybrid detection methods.
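The IDS/IPS distinction in code, as an added example that is not from the original guide: one sensor class runs signature and rate-anomaly checks over constructed web request records and either only alerts (ids) or alerts and drops (ips). The signatures, thresholds and sample records are this example's own.

```python
import re
from collections import defaultdict

# Added example (not from the original guide): a minimal sensor engine for
# the three points above. Signature rules and a rate-anomaly rule run over
# constructed HTTP request records; in "ids" mode a hit only raises an
# alert, in "ips" mode the same hit also drops the request inline.

SIGNATURES = {  # name -> pattern matched against the request line
    "dir-traversal": re.compile(r"\.\./"),
    "sensitive-file": re.compile(r"/etc/passwd"),
}
RATE_LIMIT = 5    # more than this many requests per source within WINDOW
WINDOW = 10.0     # seconds

class Sensor:
    def __init__(self, mode: str):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts: list = []
        self.recent: dict = defaultdict(list)   # source ip -> timestamps

    def inspect(self, ts: float, src: str, request: str) -> str:
        """Return 'pass' or 'drop' for one request, recording any alerts."""
        hits = [name for name, rx in SIGNATURES.items() if rx.search(request)]
        window = [t for t in self.recent[src] if ts - t <= WINDOW] + [ts]
        self.recent[src] = window
        if len(window) > RATE_LIMIT:            # anomaly: unusual request rate
            hits.append("rate-anomaly")
        for name in hits:
            self.alerts.append(f"{ts:5.1f} {src} {name}: {request}")
        if hits and self.mode == "ips":
            return "drop"                       # inline prevention
        return "pass"                           # an IDS only alerts

SAMPLE = [  # constructed (timestamp, source ip, request line)
    (0.0, "198.51.100.20", "GET /index.html"),
    (1.0, "198.51.100.20", "GET /images/../../etc/passwd"),
    (2.0, "203.0.113.7", "GET /login"),
] + [(2.5 + 0.1 * i, "203.0.113.7", f"GET /login?try={i}") for i in range(6)]

def run(mode: str) -> tuple:
    """Run the sample through one sensor; return (verdicts, alerts)."""
    sensor = Sensor(mode)
    return [sensor.inspect(*rec) for rec in SAMPLE], sensor.alerts
```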

  9. SIEM and SOAR

As organizations deploy more tools, they need a way to see and act across everything.

SIEM (Security Information and Event Management)

A SIEM collects logs and security events from multiple sources (firewalls, endpoints, servers, applications) and correlates them to highlight suspicious activity. It provides centralized dashboards, alerting, and investigation support. NIST emphasizes centralized logging and analysis as key to effective monitoring (source: NIST Computer Security Resource Center).

SOAR (Security Orchestration, Automation, and Response)

SOAR platforms take SIEM-style insights and add automation and orchestration. They can:

  • run playbooks when certain alerts fire,
  • integrate with ticketing systems, accounts, firewalls, and other tools,
  • help teams respond consistently and quickly.

Together, SIEM and SOAR help move from “lots of logs and alerts” to a more structured and automated security operations workflow.
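What the SIEM collection and correlation steps look like, as an added example (not from the original guide): two made-up log formats are normalized into one event schema, then a cross-source rule fires when an IP succeeds at login after repeated failures. The formats, hosts (fw01, srv01) and sample lines are all constructed.

```python
import re
from datetime import datetime
from typing import Optional
# Added example (not from the original guide): the two SIEM jobs described
# above, normalising differently formatted logs into one event schema and
# correlating across sources. The log lines are constructed samples in
# made-up formats, not the output of any real firewall or server.

FW_RX = re.compile(r"^(?P<ts>\S+) fw01 (?P<action>ALLOW|DENY) tcp (?P<ip>[\d.]+):\d+ -> [\d.]+:(?P<port>\d+)$")
AUTH_RX = re.compile(r"^(?P<ts>\S+) srv01 sshd: (?P<outcome>Failed|Accepted) password for (?P<user>\w+) from (?P<ip>[\d.]+)$")

def normalize(line: str) -> Optional[dict]:
    if m := FW_RX.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "src": "fw01", "ip": m["ip"],
                "type": "fw." + m["action"].lower(), "port": int(m["port"])}
    if m := AUTH_RX.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "src": "srv01", "ip": m["ip"],
                "type": "auth." + ("fail" if m["outcome"] == "Failed" else "ok"),
                "user": m["user"]}
    return None   # unknown format; a real SIEM counts these as parse failures

def correlate(events: list, min_failures: int = 3, window_s: int = 300) -> list:
    """Alert when an IP logs in successfully after at least min_failures
    failures within window_s, and report what the firewall saw from it."""
    alerts, events = [], sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["type"] != "auth.ok":
            continue
        earlier = [e for e in events[:i] if e["ip"] == ev["ip"]
                   and (ev["ts"] - e["ts"]).total_seconds() <= window_s]
        fails = sum(e["type"] == "auth.fail" for e in earlier)
        if fails >= min_failures:
            denied = sorted(e["port"] for e in earlier if e["type"] == "fw.deny")
            alerts.append(f"{ev['ts'].isoformat()} {ev['ip']} logged in as {ev['user']} "
                          f"after {fails} failures; firewall had denied ports {denied}")
    return alerts

SAMPLE_LOGS = [  # constructed
    "2024-05-01T10:00:05 fw01 DENY tcp 198.51.100.23:50000 -> 203.0.113.5:3389",
    "2024-05-01T10:00:06 fw01 DENY tcp 198.51.100.23:50001 -> 203.0.113.5:445",
    "2024-05-01T10:00:10 srv01 sshd: Failed password for admin from 198.51.100.23",
    "2024-05-01T10:00:12 srv01 sshd: Failed password for admin from 198.51.100.23",
    "2024-05-01T10:00:14 srv01 sshd: Failed password for admin from 198.51.100.23",
    "2024-05-01T10:00:20 srv01 sshd: Accepted password for admin from 198.51.100.23",
    "2024-05-01T10:01:00 srv01 sshd: Failed password for alice from 192.0.2.9",
    "2024-05-01T10:01:30 srv01 sshd: Accepted password for alice from 192.0.2.9",
]
def run_sample() -> list:
    return correlate([e for e in map(normalize, SAMPLE_LOGS) if e])
```

The alert that comes out is the kind of enriched, cross-source event a SOAR playbook would then act on.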

  10. Cloud Service Models

Cloud service models describe who is responsible for which parts of the stack. The major models are IaaS, PaaS, and SaaS, with newer patterns like FaaS/serverless and CaaS extending them.

IaaS (Infrastructure as a Service)

IaaS provides virtualized infrastructure—compute, storage, and networking. The provider manages the physical data center and hypervisor, while the customer manages:

  • operating systems
  • applications
  • data
  • network configuration inside their environment
  • security configurations

IaaS offers high flexibility but also high responsibility.

PaaS (Platform as a Service)

PaaS supplies a managed platform for deploying applications. You focus on:

  • your code
  • your data
  • app-level configuration

The provider handles OS patching, runtime environments, and much of the infrastructure management. This accelerates development but requires careful secure coding and configuration.

SaaS (Software as a Service)

SaaS offers fully managed applications delivered over the internet. The provider handles almost everything behind the scenes. You mainly manage:

  • user accounts and roles
  • configuration choices
  • data usage and sharing

Cloud-based email, collaboration tools, and CRM platforms are typical SaaS examples.

FaaS / Serverless

Function as a Service (FaaS) or serverless lets you deploy individual functions that run in response to events. You don’t manage servers; you manage code and access controls. This model encourages fine-grained, event-driven design but requires attention to permissions, dependencies, and logging.

CaaS (Containers as a Service)

CaaS provides managed capabilities for running containers. You package apps in containers, and the provider helps orchestrate them at scale. Security focus points include securing images, secrets, and cluster configuration.

Across all models, the key CC idea is the shared responsibility model: some responsibilities always stay with the customer, especially identity management, data protection, and secure configuration.

  11. Core Security Principles

These principles show up everywhere in Domain 4 scenarios and are aligned with widely used frameworks such as NIST’s guidance on security architecture and governance (source: NIST Publications).

Least Privilege

Give users, systems, and processes only the minimum access needed to perform their tasks. This limits damage if an account is compromised or misused.

Need to Know

Even if a person technically has access, they should only use that access for information that’s necessary to perform their job. It reduces unnecessary exposure of sensitive data.

Separation of Duties

Split critical actions across multiple roles so no single individual can perform every step alone (for example, initiating and approving payments). This reduces fraud and insider risk.

Defense in Depth

Implement multiple layers of security controls—physical, network, host, application, and monitoring—so that if one control fails, others still protect the system.

Secure Defaults

Systems and applications should ship and be deployed with safe, conservative configurations by default. You only relax them when there’s a clear, justified business need. This helps prevent accidental exposure from misconfiguration.

Final Wrap-Up

If you can explain these topics clearly to yourself or someone else, you’re in excellent shape for CC Domain 4:

  • Network scopes: PAN / LAN / MAN / WAN
  • How data is switched and routed
  • OSI vs TCP/IP and why they matter
  • MAC, IPv4, IPv6, and ARP
  • Ports and services as entry points
  • Wi-Fi basics and common wireless threats
  • Firewalls and DMZ as boundary controls
  • IDS/IPS as detection and prevention tools
  • SIEM/SOAR for centralized monitoring and automated response
  • Cloud models: IaaS, PaaS, SaaS, FaaS, CaaS
  • Core security principles: least privilege, need to know, separation of duties, defense in depth, secure defaults
