Domain 4 – Section A Review: Network Architecture and Security
This section integrates:
- Secure Network Architecture Design — segmentation, micro-segmentation, SDN, NAT, converged protocols, wireless, NAC
- Secure Network Component Implementation — firewalls, IDS/IPS, switch and router hardening, load balancers, endpoint security, DNS security, proxies
- Secure Communication Channel Implementation — IPSec, SSL/TLS VPN, remote access, VoIP, email security, API security, ZTNA
Domain 4 questions require you to match threats to the correct layer, select the right component or protocol for a specific scenario, and understand why architecture decisions create or eliminate attack surfaces. The right technology at the wrong layer is just as wrong as no technology at all.
1. Architecture Defines the Battlefield
Every breach outcome is shaped by the network architecture that existed before the attacker arrived. Segmentation determines lateral movement. DMZ design determines whether a compromised public server can reach internal systems. Micro-segmentation determines whether east-west traffic is controlled.
When a scenario describes an attacker moving freely after initial compromise, ask:
- Where were the boundaries?
- What control points existed between zones?
- Was east-west traffic inspected or just north-south?
2. Components Must Match the Threat Layer
A WAF solves application-layer problems. A stateful firewall solves transport and network-layer problems. DHCP snooping solves Layer 2 problems. Selecting the right component starts with identifying what layer the attack operates at.
- Application-layer attacks → WAF, application-layer proxy
- Network/transport attacks → stateful firewall, NIPS
- Data link attacks (ARP, VLAN hopping) → switch security features
- Unknown/zero-day attacks → anomaly-based IPS, EDR
3. Channels Protect Data in Motion
Every communication channel needs protection matched to its requirements. Site-to-site connections need IPSec. Remote access needs VPN or ZTNA with MFA. Email needs both content protection (S/MIME/PGP) and sender authentication (SPF/DKIM/DMARC). Voice needs SRTP.
The exam tests whether you can distinguish between:
- Authentication vs. encryption (DMARC vs. S/MIME)
- Integrity vs. confidentiality (AH vs. ESP)
- Network access vs. application access (VPN vs. ZTNA)
Section A Decision Pattern
When facing a Domain 4 Section A question:
- Identify the threat layer — is this a network, transport, or application problem?
- Match the component to the layer — the right control operates at or near the threat layer
- Check for architecture gaps — would segmentation, micro-segmentation, or DMZ design have prevented the scenario?
- Verify the channel — is data in transit protected with the right protocol for confidentiality, integrity, and authentication?
- Eliminate distractors — NAT is not security, VLANs are not physical separation, AH is not encryption, DMARC is not encryption
Section A – Practice Questions
Question 1
A manufacturing company’s SCADA systems and corporate workstations share the same flat network. An employee opens a malicious email attachment on their workstation, and the resulting malware scans the network and discovers the SCADA controllers. The malware begins sending commands to the controllers.
What architectural failure enabled this attack?
A. No network segmentation between IT and OT (operational technology) environments, allowing direct communication from a compromised workstation to SCADA systems
B. The email security gateway failed to detect the malicious attachment
C. The employee was not trained to recognize phishing emails
D. The SCADA systems were not running antivirus software
Answer & reasoning
Correct: A
The fundamental failure is architectural: placing IT and OT systems on the same flat network means a compromised workstation can directly reach industrial controllers. While email gateway failure (B) and lack of training (C) contributed to the initial compromise, they did not enable the lateral movement to SCADA. Segmentation between IT and OT networks is a foundational industrial security requirement.
Question 2
A security team deploys a network-based intrusion detection system at the perimeter. After a month, the team discovers that attackers have been exfiltrating data through encrypted HTTPS connections that the NIDS cannot inspect.
What is the MOST effective solution to this visibility gap?
A. Replace the NIDS with a web application firewall
B. Block all HTTPS traffic at the perimeter
C. Deploy SSL/TLS inspection capabilities that decrypt, inspect, and re-encrypt HTTPS traffic before it passes the NIDS
D. Switch from signature-based detection to anomaly-based detection
Answer & reasoning
Correct: C
The NIDS cannot inspect encrypted traffic because it sees only ciphertext. SSL/TLS inspection decrypts the traffic, allowing the NIDS to analyze the plaintext content, then re-encrypts it before forwarding. Blocking all HTTPS (B) would halt business operations. A WAF (A) protects inbound web traffic to web servers, not outbound data exfiltration. Anomaly detection (D) might detect unusual patterns but cannot inspect encrypted content without decryption.
Question 3
An organization is connecting to a new cloud service provider. The connection will carry customer financial data. The security team is evaluating whether to use MPLS or an IPSec VPN over the internet.
The CISO requires that the data be encrypted in transit. Which option meets this requirement?
A. MPLS alone, since it provides dedicated circuits that are inherently encrypted
B. IPSec VPN over the internet, since IPSec provides encryption, integrity, and authentication for all traffic in the tunnel
C. Either option, since both MPLS and IPSec encrypt data by default
D. Neither option provides encryption; a separate TLS layer must be added
Answer & reasoning
Correct: B
MPLS provides traffic isolation through label switching but does not encrypt data. If an attacker gains access to the MPLS infrastructure, they can read the traffic. IPSec VPN encrypts all traffic within the tunnel using ESP, satisfying the encryption requirement. If MPLS were chosen, IPSec encryption would need to be layered on top.
Question 4
A hospital network includes medical IoT devices (infusion pumps, patient monitors) on the same VLAN as clinician workstations. A network assessment reveals that the IoT devices run outdated firmware with known vulnerabilities and cannot be patched by the manufacturer for six months.
What is the BEST immediate action to reduce risk?
A. Disconnect all IoT devices until patches are available
B. Install host-based firewalls on each IoT device
C. Implement micro-segmentation to isolate IoT devices from workstations and restrict IoT communication to only required clinical systems
D. Deploy antivirus software on the IoT devices
Answer & reasoning
Correct: C
Micro-segmentation isolates the vulnerable IoT devices so that even if they are compromised, the attacker cannot reach workstations or other systems. Disconnecting devices (A) disrupts patient care. IoT devices typically cannot run host-based firewalls (B) or antivirus (D) due to limited computing resources and closed operating systems. Network-level isolation is the practical compensating control while waiting for patches.
Question 5
An organization’s DNS resolver has been compromised through cache poisoning. Users are being redirected to fraudulent banking sites that steal credentials. The security team wants to prevent this type of attack in the future.
What technology should be deployed?
A. A web application firewall to inspect DNS traffic
B. Network address translation to hide the DNS resolver from external attackers
C. DNS over HTTPS (DoH) to encrypt all DNS queries
D. DNSSEC to validate the authenticity and integrity of DNS responses through digital signatures
Answer & reasoning
Correct: D
DNS cache poisoning succeeds because standard DNS has no mechanism to verify that a response is authentic. DNSSEC adds digital signatures to DNS records, allowing resolvers to verify that responses came from the authoritative name server and were not modified. DoH (C) encrypts queries for privacy but does not authenticate the DNS records themselves. A WAF (A) does not inspect DNS traffic. NAT (B) provides no DNS security.
Question 6
A company’s VoIP system runs on the same network infrastructure as regular data traffic. The security team has discovered that an attacker used ARP spoofing to position themselves as a man-in-the-middle and recorded executive phone calls for two weeks.
Which combination of controls would have prevented BOTH the interception and the eavesdropping?
A. NAT for voice traffic and WPA3 for wireless voice devices
B. A next-generation firewall at the perimeter and port mirroring for voice traffic monitoring
C. VLAN segmentation for voice traffic and antivirus on workstations
D. Dynamic ARP Inspection to prevent ARP spoofing and SRTP to encrypt voice media streams
Answer & reasoning
Correct: D
Dynamic ARP Inspection prevents ARP spoofing at the switch level by validating ARP packets against DHCP snooping bindings, eliminating the man-in-the-middle position. SRTP encrypts voice media streams, so even if traffic were somehow intercepted, it would be unintelligible. Together these two controls address both the interception method and the eavesdropping risk. VLAN segmentation (C) helps but does not prevent ARP spoofing within the voice VLAN. Perimeter controls (B) do not address internal ARP attacks. NAT (A) provides no protection against ARP spoofing or voice interception.
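As an added illustration (not part of the original review page), the following Python model shows the check Dynamic ARP Inspection performs: ARP packets from untrusted ports are compared against the DHCP snooping binding table and dropped on mismatch. The switch ports, bindings and packets are constructed; the class and function names are hypothetical.

```python
"""Added example: a simplified model of Dynamic ARP Inspection (Question 6).
The switch keeps a DHCP snooping binding table (IP, MAC, VLAN, port) and drops
ARP packets arriving on untrusted ports whose sender fields match no binding.
Bindings, ports and packets are constructed; real switches also rate-limit ARP."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str

class DaiSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks/trunks toward other DAI switches
        self.bindings = {}                  # (vlan, ip) -> Binding
        self.drops = []                     # log lines for dropped packets

    def learn_from_dhcp(self, b):
        # DHCP snooping adds a binding when a lease is granted on an untrusted port.
        self.bindings[(b.vlan, b.ip)] = b

    def inspect(self, pkt):
        """Return True if the ARP packet is forwarded, False if it is dropped."""
        if pkt.ingress_port in self.trusted:
            return True                     # trusted ports bypass inspection
        b = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if b and b.mac == pkt.sender_mac and b.port == pkt.ingress_port:
            return True
        self.drops.append(f"DAI drop vlan={pkt.vlan} port={pkt.ingress_port} "
                          f"sender={pkt.sender_ip}/{pkt.sender_mac}")
        return False

def demo():
    """Voice VLAN 20: an IP phone and a workstation hold DHCP leases; the gateway
    10.0.20.1 sits behind the trusted uplink and so has no snooping binding."""
    sw = DaiSwitch(trusted_ports={"Gi0/24"})
    sw.learn_from_dhcp(Binding("10.0.20.10", "aa:aa:aa:aa:aa:01", 20, "Gi0/1"))
    sw.learn_from_dhcp(Binding("10.0.20.11", "aa:aa:aa:aa:aa:02", 20, "Gi0/2"))
    legit = sw.inspect(ArpPacket("10.0.20.10", "aa:aa:aa:aa:aa:01", 20, "Gi0/1"))
    # A reply from Gi0/2 claiming the gateway's IP with the workstation's MAC is the
    # poisoned mapping a man-in-the-middle relies on; no binding matches, so it drops.
    spoof = sw.inspect(ArpPacket("10.0.20.1", "aa:aa:aa:aa:aa:02", 20, "Gi0/2"))
    return legit, spoof, sw.drops
```

Note that the drop log is exactly what a SOC would forward to a SIEM: a DAI drop on an access port is a high-confidence signal of ARP spoofing on that VLAN.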
Question 7
A retail company processes credit card transactions through web-based POS terminals. A penetration test reveals that the terminals are accessible from the guest Wi-Fi network because both networks share the same subnet.
What is the FIRST architectural change needed?
A. Deploy a WAF in front of the POS terminals
B. Implement WPA3 on the guest Wi-Fi network
C. Segment the POS network onto a dedicated VLAN with firewall rules that block all traffic from the guest network
D. Enable MAC address filtering on the guest network
Answer & reasoning
Correct: C
PCI DSS requires that cardholder data environments be segmented from untrusted networks. Placing POS terminals on the same subnet as guest Wi-Fi is a fundamental segmentation failure. The immediate fix is a dedicated VLAN for the POS network with firewall rules that prevent any traffic from the guest network from reaching it. WPA3 (B) strengthens the wireless link encryption but does not address network-level segmentation. MAC filtering (D) is easily bypassed.
Question 8
An organization uses a traditional IPSec VPN for remote access. After connecting, remote employees have full access to the entire internal network. The security team has documented several incidents where compromised remote laptops were used to scan and attack internal servers.
What architectural change BEST addresses this problem?
A. Implement Zero-Trust Network Access to provide application-specific access with continuous device posture verification
B. Add a network-based IDS behind the VPN concentrator
C. Replace the IPSec VPN with an SSL/TLS VPN using split tunneling
D. Require stronger passwords for VPN authentication
Answer & reasoning
Correct: A
The problem is that authenticated remote users receive network-level access to everything. ZTNA replaces this with application-level access — users connect to specific applications, not the network, and the system continuously verifies device posture. A compromised laptop would be detected by posture checking and have its access revoked. SSL/TLS VPN with split tunneling (C) still grants network access. IDS (B) detects attacks but does not prevent the access model problem. Stronger passwords (D) do not address post-authentication access scope.
Question 9
A security analyst observes that an attacker is using double-tagging to hop from VLAN 10 (user workstations) to VLAN 20 (database servers) by exploiting the native VLAN configuration on a trunk port.
Which switch configuration change would prevent this VLAN hopping attack?
A. Configure a dedicated unused VLAN as the native VLAN on all trunk ports and ensure all access ports are explicitly assigned to their respective VLANs
B. Enable spanning tree protocol on all ports
C. Deploy a network tap on the trunk port to monitor traffic
D. Increase the VLAN numbering to use higher numbers
Answer & reasoning
Correct: A
Double-tagging VLAN hopping exploits the native VLAN on trunk ports. The attacker sends a frame with two VLAN tags — the outer tag matches the native VLAN (which gets stripped by the first switch) and the inner tag targets the destination VLAN. Setting the native VLAN to an unused, dedicated VLAN that carries no user traffic eliminates this attack vector. Spanning tree (B) prevents loops, not VLAN hopping. Higher VLAN numbers (D) have no security effect. Monitoring (C) detects but does not prevent.
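To make the native VLAN argument concrete, here is an added toy model (not from the original page) of how an access port and an 802.1Q trunk handle tags; it lets you check that the fix in option A keeps a double-tagged frame in its source VLAN. The VLAN numbers, port layout and frame are constructed, and the model ignores details such as QinQ and DTP.

```python
"""Added example: a toy model of 802.1Q trunk handling showing why the native
VLAN setting decides whether a double-tagged frame crosses from VLAN 10 to
VLAN 20 (Question 9). A frame is represented as a list of VLAN tags (outer
first); everything after the tags is treated as opaque payload."""

def access_ingress(tags, access_vlan):
    """Access switch receives a frame on an access port: it belongs to the port's
    VLAN. A leading tag equal to that VLAN is accepted and stripped; anything
    after it is just payload bytes as far as this switch is concerned."""
    if tags and tags[0] == access_vlan:
        tags = tags[1:]
    return access_vlan, tags

def trunk_egress(vlan, tags, native_vlan):
    """Frames in the native VLAN leave the trunk untagged; all others get a tag."""
    return tags if vlan == native_vlan else [vlan] + tags

def trunk_ingress(tags, native_vlan):
    """Downstream switch: an untagged frame belongs to the native VLAN; otherwise
    the outer tag selects the VLAN and is stripped."""
    if tags:
        return tags[0], tags[1:]
    return native_vlan, tags

def delivered_vlan(frame_tags, access_vlan, native_vlan):
    """VLAN in which a frame sent from an access port in access_vlan is delivered
    after crossing a trunk whose native VLAN is native_vlan."""
    vlan, rest = access_ingress(frame_tags, access_vlan)
    on_wire = trunk_egress(vlan, rest, native_vlan)
    vlan, _ = trunk_ingress(on_wire, native_vlan)
    return vlan

# Constructed scenario: user port in VLAN 10, database servers in VLAN 20, and a
# frame carrying two tags (outer 10, inner 20) as described in the answer above.
DOUBLE_TAGGED = [10, 20]

if __name__ == "__main__":
    # Native VLAN 10 on the trunk: the outer tag is stripped and the inner tag
    # is read by the next switch. Native VLAN 999 (unused): the frame is tagged
    # 10 on the wire and the inner tag never reaches the switching decision.
    print("native VLAN 10 (misconfigured):", delivered_vlan(DOUBLE_TAGGED, 10, 10))
    print("native VLAN 999 (option A):    ", delivered_vlan(DOUBLE_TAGGED, 10, 999))
```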
Question 10
A company’s email domain is being spoofed in phishing campaigns targeting the company’s own customers. The attackers send emails that appear to come from the company’s billing department. The company has published SPF records but has not implemented DKIM or DMARC.
Why is SPF alone insufficient to stop this spoofing?
A. SPF encrypts email content, but the attackers are bypassing the encryption
B. SPF only validates the envelope sender (MAIL FROM), not the header From address that users see, and without DMARC there is no policy telling receivers to reject failures
C. SPF requires all recipients to have certificates installed
D. SPF only works for internal email, not external email
Answer & reasoning
Correct: B
SPF validates the envelope sender (the technical routing address) but not the header From address displayed to the user. An attacker can pass SPF checks by using their own domain in the envelope while spoofing the company’s domain in the visible header. DKIM adds a cryptographic signature that ties the message to the sending domain. DMARC enforces alignment between the envelope and header addresses and tells receivers to quarantine or reject messages that fail. Without all three working together, spoofing protection is incomplete.
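The following added Python model (not part of the original page) makes the alignment point testable: it evaluates a message once with SPF alone and once under DMARC, which requires the passing identifier to align with the visible From: domain. The domains, SPF and DKIM verdicts are constructed inputs, and the organizational-domain rule is simplified.

```python
"""Added example: a minimal model of why SPF alone does not stop the spoofing in
Question 10, and how DMARC's alignment rule closes the gap. Domains and verdicts
below are constructed; a real receiver obtains the SPF and DKIM results from its
own authenticators and the policy from the domain's _dmarc TXT record."""
from dataclasses import dataclass

def org_domain(domain):
    # Simplified organizational-domain rule (real DMARC consults the Public
    # Suffix List): keep the last two labels, so billing.example.com -> example.com.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' (strict) needs an exact match, 'r'
    (relaxed) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass(frozen=True)
class Message:
    mail_from: str     # envelope sender domain (MAIL FROM), the identity SPF checks
    header_from: str   # visible From: header domain, the identity the user sees
    spf_pass: bool     # SPF verdict for mail_from (given, not computed here)
    dkim_domain: str   # d= of a verified DKIM signature, or "" if none

def spf_only_verdict(msg):
    # A receiver with SPF alone never looks at the header From at all.
    return "pass" if msg.spf_pass else "fail"

def dmarc_evaluate(msg, policy="reject", aspf="r", adkim="r"):
    """Return 'pass', or the domain owner's disposition ('none', 'quarantine',
    'reject') when neither SPF nor DKIM both passes and aligns with From:."""
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_ok = bool(msg.dkim_domain) and aligned(msg.dkim_domain, msg.header_from, adkim)
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed scenario: the attacker uses a domain they control in the envelope,
# so SPF passes, while the visible From: claims the company's billing department.
SPOOFED = Message(mail_from="attacker-mail.example.net", header_from="example.com",
                  spf_pass=True, dkim_domain="")
LEGIT = Message(mail_from="bounce.example.com", header_from="example.com",
                spf_pass=True, dkim_domain="example.com")

if __name__ == "__main__":
    for name, m in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(f"{name}: SPF-only={spf_only_verdict(m)} DMARC={dmarc_evaluate(m)}")
```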