
Purpose of Domain 4
Domain 4 is about how data moves, how it is protected in transit, and how networks are designed to resist misuse, interception, and disruption.
Domain 4 mindset:
“If data moves, it must be controlled, segmented, monitored, and protected.”
This domain tests architecture thinking, not device configuration.
1. Core Objectives of Network Security
Network security exists to ensure:
- Confidentiality of data in transit
- Integrity of communications
- Availability of network services
- Controlled access across trust boundaries
Key truth:
Most breaches do not bypass networks — they move through them legitimately.
2. Network Architecture Principles
Defense-in-Depth
- Multiple layers: perimeter, internal, endpoint, application
- No single control is trusted absolutely
Segmentation
- Physical (VLANs, subnets)
- Logical (zones, trust boundaries)
- Functional (user, server, management networks)
CISSP rule:
Flat networks fail catastrophically.
3. Network Models & Protocol Awareness
You are not tested on packet formats — you are tested on where controls belong.
OSI vs TCP/IP
- OSI: conceptual troubleshooting model
- TCP/IP: real-world implementation model
Exam bias:
Know which layer a control or attack belongs to.
4. Secure Network Components
Firewalls
- Packet filtering
- Stateful inspection
- Application-aware firewalls
Design principle:
Firewalls enforce policy, not intelligence.
Intrusion Detection & Prevention
- IDS: detect and alert
- IPS: detect and block
CISSP mindset:
Prevention is preferred; detection is validation.
Proxies & Gateways
- Application-level inspection
- Protocol enforcement
- Content filtering
5. Secure Communication Channels
Encryption in Transit
- TLS / SSL
- VPNs (site-to-site, remote access)
Purpose:
- Prevent eavesdropping
- Prevent session hijacking
- Ensure authenticity
Exam trap:
Encryption does NOT replace access control.
Remote Access Security
- Strong authentication
- Encrypted tunnels
- Least privilege access
- Monitoring of sessions
6. Wireless Network Security
Threats:
- Rogue access points
- Evil twin attacks
- Weak encryption
- Unauthorized associations
Controls:
- Strong encryption
- Authentication
- Network segmentation
- Monitoring
CISSP emphasis:
Wireless is untrusted by default.
7. Network Attacks & Threats
Understand intent, not tools.
Common threats:
- Man-in-the-middle
- Spoofing
- DoS / DDoS
- Session hijacking
- DNS poisoning
- Routing attacks
Architect question:
“What trust assumption does this attack violate?”
8. Secure Network Design Patterns
DMZ Architecture
- Public-facing services isolated
- Limited trust relationship with internal network
Zero Trust Thinking
- Never trust implicitly
- Always verify
- Continuous validation
Exam reality:
Zero Trust is a philosophy, not a product.
9. Monitoring, Logging & Visibility
Network security without visibility is blind.
Key concepts:
- Flow analysis
- Traffic monitoring
- Log correlation
- Alerting
CISSP bias:
Detective controls validate preventive ones.
10. Availability & Resilience
Availability is a design responsibility.
Concepts:
- Redundancy
- Load balancing
- Fault tolerance
- DDoS protection
CISSP mindset:
Availability failures are security failures.
11. Cloud & Virtual Network Considerations
- Software-defined networking
- Virtual firewalls
- Microsegmentation
- Shared responsibility awareness
Key rule:
Responsibility shifts — accountability does not.
12. Network Governance & Policy Alignment
- Network access policies
- Change management
- Configuration baselines
- Risk acceptance
Networks must support:
- Business objectives
- Compliance obligations
- Incident response readiness
13. CISSP Exam Decision Rules for Domain 4
When in doubt:
- Choose segmentation over openness
- Choose prevention over detection
- Choose policy enforcement over intelligence
- Choose architecture over tools
- Choose business impact over technical elegance
Final Domain 4 Playbook Truth
“Networks don’t fail because they are attacked.
They fail because trust is placed where it shouldn’t be.”



