Phase 4: Domain 4 — Network Security

Phase 4: Domain 4 — Communication & Network Security (13%)

Timeline: Apr 26-May 2 (Week 4)

This is YOUR domain. CCNP Enterprise + Security, VyOS HA, ISE 802.1X, VLAN segmentation, BGP dual-homing. You live this daily. Accelerate through — focus on CISSP-specific framing, not technical deep dives.

Key Concepts (Review, Not Learn)

OSI Model (CISSP Perspective)

You know the layers. CISSP cares about which attacks and controls map to which layer:

| Layer | Attack Examples | Control Examples |
|---|---|---|
| 7 Application | XSS, SQL injection, buffer overflow | WAF, input validation, OWASP |
| 6 Presentation | SSL stripping | TLS enforcement |
| 5 Session | Session hijacking, replay | Session tokens, MFA |
| 4 Transport | SYN flood | Firewall stateful inspection, rate limiting |
| 3 Network | IP spoofing, routing attacks | ACLs, IPsec, BGP route filtering |
| 2 Data Link | ARP spoofing, VLAN hopping, MAC flooding | DAI, port security, 802.1X (your ISE) |
| 1 Physical | Wiretapping, EMI | Faraday cage, fiber (no EMI) |

Network Attacks and Countermeasures

  • DoS/DDoS — SYN flood, amplification, application layer

  • Man-in-the-middle — ARP spoofing, DNS spoofing, SSL stripping

  • VLAN hopping — switch spoofing, double tagging (you prevent this with ISE)

  • DNS attacks — cache poisoning, zone transfer abuse (you run BIND with TSIG)

Secure Protocols

| Protocol | Your Experience |
|---|---|
| IPsec (AH/ESP) | VPN tunnels, transport/tunnel mode |
| TLS/SSL | Vault TLS, EAP-TLS, web services |
| SSH | Vault SSH CA, daily administration |
| 802.1X | ISE — 26,000+ endpoints |
| RADIUS/TACACS+ | ISE RADIUS, switch AAA |
| DNSSEC | Aware, not deployed yet |
| BGP security | Route filtering on VyOS |

Network Components (CISSP Framing)

  • Firewalls: stateful (your VyOS), stateless, WAF, NGFW

  • IDS/IPS: signature-based, anomaly-based, host-based (your Wazuh)

  • VPN: site-to-site, remote access, split tunnel

  • NAC: Your ISE is the textbook example of NAC

  • SDN: control plane / data plane separation (your Cilium CNI)

CISSP Trap: Don’t Go Too Deep

CISSP tests breadth, not depth. They won’t ask about ISE policy set configuration. They’ll ask "which access control technology prevents unauthorized devices from connecting to the network?" Answer: NAC (802.1X).

Practice Questions

25 questions/day — this should be your fastest domain. Target 90%+ accuracy.

| Check | Status |
|---|---|
| Read Study Guide Chapters 11-12 (Network Security) | [ ] |
| Watch Destination Certification MindMap — Domain 4 | [ ] |
| OSI model attack/control mapping reviewed | [ ] |
| Secure protocols mapped to real infrastructure | [ ] |
| 25+ practice questions completed (Domain 4) — target 90%+ | [ ] |