Competencies: Networking > Network Security
Network Security
Body of Knowledge
| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Access Control Lists (ACLs) | Standard and extended ACLs, named ACLs, reflexive ACLs, time-based ACLs, IPv6 ACLs, best practices for rule ordering. | Critical | Network Engineer, Security Engineer |
| 802.1X Port-Based NAC | Wired and wireless authentication, EAP methods, authenticator/supplicant/server roles, MAB fallback, RADIUS policy enforcement. | Critical | Security Engineer, Network Engineer, IAM Engineer |
| EAP-TLS Authentication | Certificate-based 802.1X, PKI requirements, supplicant configuration, machine vs user authentication, certificate lifecycle. | High | Security Engineer, IAM Engineer |
| Downloadable ACLs (dACL) | Dynamic per-session ACLs via RADIUS, ISE policy sets, pre-auth vs post-auth ACLs, VLAN assignment, SGT/SGACL. | High | Security Engineer, Network Engineer (Cisco) |
| Zone-Based Firewall | Zone pair model, inspection policies, stateful packet inspection, application inspection, class maps and policy maps. | High | Network Engineer, Security Engineer |
| Network Address Translation (NAT) | Static NAT, dynamic NAT, PAT, policy NAT, NAT for overlapping networks, NAT traversal (NAT-T), NAT64 for IPv6 transition. | High | Network Engineer, Security Engineer |
| Control Plane Policing (CoPP) | Protecting router/switch CPU, CoPP policies, rate limiting, protocol-specific protections (BGP, OSPF, SSH, SNMP). | High | Network Engineer, Security Engineer |
| MACsec (802.1AE) | Layer 2 encryption, MKA key agreement, hop-by-hop vs end-to-end, hardware requirements, integration with 802.1X. | Medium | Security Engineer, Network Engineer |
| Network Segmentation | Micro-segmentation strategies, VLAN-based, firewall-based, SDN-based (TrustSec, ACI), PCI-DSS and compliance requirements. | Critical | Security Architect, Network Architect |
| DDoS Mitigation | Attack detection, traffic scrubbing, BGP Flowspec, RTBH (remotely triggered black hole), Anycast, cloud-based mitigation. | High | Security Engineer, ISP Engineer |
| IDS/IPS Network-Based | Signature and anomaly-based detection, inline vs passive deployment, Snort/Suricata, tuning and false positive management. | High | Security Engineer, SOC Analyst |
| Network Forensics | Packet capture for investigation, NetFlow analysis, traffic baseline, evidence preservation, chain of custody for network data. | Medium | Security Engineer, SOC Analyst, Forensics Analyst |
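The "best practices for rule ordering" item in the ACL row is the one that bites in practice: an IOS-style extended ACL is evaluated top to bottom, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end. A specific exception written after a broad deny is therefore dead, and the same first-match logic applies to a dACL pushed per session from ISE. The Python below is an added example, not content from this competency page: it models that evaluation and flags entries that an earlier entry fully covers. The `Ace` and `Packet` types, the prefixes and the two rule sets are constructed for illustration.

```python
"""First-match ACL evaluation and shadowed-rule detection.

Models IOS-style extended ACL semantics: entries are tested in sequence
order, the first match decides, and traffic matching no entry hits the
implicit 'deny ip any any'. All rules and packets here are constructed
for this example and do not come from any real deployment.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry; dport is an inclusive (low, high) range or None for any."""
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str               # CIDR prefix
    dst: str               # CIDR prefix
    dport: Optional[tuple[int, int]] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _proto_covers(outer: str, inner: str) -> bool:
    return outer == "ip" or outer == inner


def _prefix_covers(outer: str, inner: str) -> bool:
    o, i = ip_network(outer), ip_network(inner)
    # subnet_of() raises on mixed address families, so compare versions first
    return o.version == i.version and i.subnet_of(o)


def _ports_cover(outer: Optional[tuple[int, int]], inner: Optional[tuple[int, int]]) -> bool:
    if outer is None:
        return True
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, matching seq); seq None means the implicit deny fired."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if not _proto_covers(ace.proto, pkt.proto):
            continue
        # 'in' returns False, not an exception, when address and network families differ
        if ip_address(pkt.src) not in ip_network(ace.src):
            continue
        if ip_address(pkt.dst) not in ip_network(ace.dst):
            continue
        if ace.dport is not None and (pkt.dport is None or not ace.dport[0] <= pkt.dport <= ace.dport[1]):
            continue
        return ace.action, ace.seq
    return "deny", None


def find_shadowed(acl: list[Ace]) -> list[tuple[int, int, str]]:
    """Return (later_seq, earlier_seq, kind) for entries no packet can ever reach.

    'shadowed' means the earlier entry has the opposite action, so the later
    entry's intent is silently lost; 'redundant' means the same action, so the
    later entry is only dead weight.
    """
    ordered = sorted(acl, key=lambda a: a.seq)
    findings = []
    for j, later in enumerate(ordered):
        for earlier in ordered[:j]:
            if (_proto_covers(earlier.proto, later.proto)
                    and _prefix_covers(earlier.src, later.src)
                    and _prefix_covers(earlier.dst, later.dst)
                    and _ports_cover(earlier.dport, later.dport)):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.seq, earlier.seq, kind))
                break
    return findings


# Constructed example: a user VLAN is blocked from the database subnet, with an
# exception for one application subnet on the PostgreSQL port. The exception is
# listed AFTER the broad deny, so it can never match; seq 40 is also dead
# because seq 30 already permits everything it would permit.
MISORDERED = [
    Ace(10, "deny",   "tcp", "10.20.0.0/16",  "10.0.5.0/24"),
    Ace(20, "permit", "tcp", "10.20.30.0/24", "10.0.5.0/24", (5432, 5432)),
    Ace(30, "permit", "ip",  "10.20.0.0/16",  "0.0.0.0/0"),
    Ace(40, "permit", "tcp", "10.20.0.0/16",  "0.0.0.0/0",   (443, 443)),
]

# Corrected ordering: the most specific exception first, the broad deny after it.
CORRECTED = [
    Ace(10, "permit", "tcp", "10.20.30.0/24", "10.0.5.0/24", (5432, 5432)),
    Ace(20, "deny",   "tcp", "10.20.0.0/16",  "10.0.5.0/24"),
    Ace(30, "permit", "ip",  "10.20.0.0/16",  "0.0.0.0/0"),
]

APP_TO_DB = Packet("tcp", "10.20.30.7", "10.0.5.10", 5432)   # the intended exception
V6_PROBE = Packet("tcp", "2001:db8::7", "2001:db8::10", 22)  # IPv6 never matches a v4 ACL

if __name__ == "__main__":
    for seq, by, kind in find_shadowed(MISORDERED):
        print(f"seq {seq} is {kind} by seq {by}")
    print("misordered:", evaluate(MISORDERED, APP_TO_DB))
    print("corrected: ", evaluate(CORRECTED, APP_TO_DB))
    print("ipv6 on v4 ACL:", evaluate(CORRECTED, V6_PROBE))
```

The IPv6 probe is the caveat worth remembering when an IPv4 ACL is the only thing on an interface: it does not match, so it lands on the implicit deny of this ACL, but a dual-stack interface with no `ipv6 traffic-filter` applied forwards that traffic unfiltered. Running `find_shadowed` against an ACL before pushing it (or against the dACL returned in a RADIUS Access-Accept) catches the ordering mistake that `show access-lists` hit counters only reveal after the fact.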
Personal Status
| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| 802.1X / EAP-TLS | Expert | Production 802.1X deployment at CHLA — Catalyst switches, ISE policy sets, certificate-based authentication; home lab EAP-TLS with Vault-issued certs, RADIUS accounting, dACL enforcement | | Limited experience with EAP chaining (EAP-FAST + EAP-TLS) |
| Firewall / ACL | Advanced | Extended ACLs on Catalyst switches; dACL enforcement via ISE RADIUS; VyOS zone-based firewall with stateful inspection; pfSense rule management | | No Palo Alto, no Fortinet — single-vendor firewall depth |
| NAT | Advanced | Static NAT, PAT, policy NAT on VyOS and pfSense; understand NAT traversal for IPsec, SIP; CHLA NAT rule management | | No CGN/LSN experience, no NAT64/DNS64 |