FlashGenius
GIAC GDSA: Domain 3 of 6

GIAC GDSA: Network Defense Controls

NIDS/NIPS, Network Security Monitoring, sandboxing, DDoS protection, web proxies, SMTP security, NGFWs, VPNs, and jump boxes: the active defense layer of defensible architecture.

NIDS · NIPS · NSM · NGFW · VPN · Proxy

Domain 3 Overview: Network Defense Controls

Network defense controls form the active layer of a defensible security architecture. This domain covers detection, monitoring, sandboxing, DDoS mitigation, secure proxying, email security, next-generation firewalls, VPNs, and privileged access management via jump boxes.

Domain 3 at a Glance

This domain focuses on the tools and architectures that detect and block threats at the network layer. Unlike perimeter controls (Domain 2), network defense controls are active: they monitor, analyze, and respond to threats in real time. The GDSA exam emphasizes understanding why each control is placed where it is, and what it can and cannot detect.

Core Technology Areas

  • NIDS/NIPS: passive vs inline detection
  • Network Security Monitoring (NSM)
  • Behavioral sandboxing of suspicious files
  • DDoS protection architectures
  • Web proxies and SSL/TLS inspection
  • SMTP security: SPF, DKIM, DMARC
  • Next-Generation Firewalls (NGFW)
  • IPsec and SSL/TLS VPNs
  • Jump boxes and privileged access

Exam Weight and Focus

High-frequency exam topics:

  • NIDS vs NIPS placement
  • NSM data types
  • SYN cookies
  • SPF/DKIM/DMARC
  • IKEv2 vs IKEv1
  • Jump box requirements
  • NGFW vs stateful FW
  • Sandbox evasion

Key Exam Theme:

Know not just what each control does, but where it is placed and what it cannot detect: every control has blind spots.

Defense-in-Depth: Network Control Stack

Network defense is most effective when controls are layered. No single control provides complete protection. The GDSA exam tests your ability to select the right combination of controls for a given threat scenario.

  • Layer 1, Perimeter: NGFW, border ACLs, DDoS scrubbing upstream
  • Layer 2, Detection: NIDS/NIPS, NSM (Zeek, Suricata), Security Onion
  • Layer 3, Outbound Control: Web proxy with SSL inspection, DNS filtering
  • Layer 4, Email: SPF/DKIM/DMARC, attachment sandbox, URL rewriting
  • Layer 5, Privileged Access: Jump boxes with MFA, session recording, PAM tools

Key Concepts: Network Defense Controls

Expand each topic for in-depth coverage of all concepts tested in Domain 3.

1. NIDS vs NIPS: Detection, Placement, and Evasion

Detection Types:

  • Signature-based: Matches known attack patterns (low FP for known threats, misses zero-days and polymorphic attacks)
  • Anomaly-based: Establishes behavioral baseline, detects deviations (higher FP, catches new/unknown threats)
  • Hybrid: Combines both approaches; most production IDS/IPS use hybrid detection

Placement (Critical for Exam):

  • NIDS: Passive. Deployed out-of-band via SPAN port (mirror port) or network tap. Does NOT block traffic. Generates alerts only.
  • NIPS: Active. Deployed inline between network segments. Can block malicious traffic. Adds latency. Failure can disrupt traffic (fail-open vs fail-closed policy).

Network Taps vs SPAN Ports:

  • Hardware taps: Passive optical/copper devices providing 100% packet capture. No packet loss under load. Preferred for forensic-grade NSM.
  • SPAN ports: Software-configured on switches. May drop packets when switch is under high load. Lower cost but less reliable.

Evasion Techniques:

  • IP fragmentation: split payload across fragments to hide the signature
  • Protocol encoding: Base64 or hex encode attack strings
  • TTL manipulation: send packets with low TTL that reach the IDS but expire before the target
  • Polymorphic payloads: change shellcode structure while preserving behavior
  • Countermeasure: detection engines must reassemble TCP streams and IP fragments before matching

Key Products: Snort (open source, signature-based), Suricata (multi-threaded, open source), Cisco FTD (Firepower), Palo Alto NGFW with integrated IPS.

Alert Tuning: Reduce false positives by whitelisting known-good traffic patterns, adjusting anomaly thresholds, and suppressing alerts from specific IP/port combinations.

2. Network Security Monitoring (NSM)

NSM Definition: Collection, analysis, and escalation of network data to detect and respond to intrusions. Provides forensic evidence for incidents that preventive controls miss.

Data Types (Know all three):

  • Full Packet Capture (FPC): Complete forensic record of all network traffic. Tools: Stenographer (Google), Moloch/Arkime. High storage requirement. Essential for post-incident forensics.
  • Flow Data (NetFlow/IPFIX/sFlow): Summarized connection metadata (src IP, dst IP, ports, bytes, duration). Much lower storage. Cannot reconstruct payload. Useful for anomaly detection and bandwidth analysis.
  • Protocol Logs: Zeek/Bro generates structured logs per protocol: conn.log (all connections), dns.log, http.log, ssl.log, files.log. Queryable for threat hunting.

Core NSM Tools:

  • Zeek (formerly Bro): Protocol analyzer producing structured log files. Passive, no blocking. Excellent for threat hunting and forensics.
  • Suricata: High-performance IDS/IPS/NSM engine with rule sets (ET Open, ET Pro). Generates eve.json for SIEM integration.
  • Security Onion: Linux distro bundling Zeek, Suricata, Elasticsearch, Kibana, Strelka, and Filebeat. Full NSM platform.

East-West Monitoring: NSM should capture lateral movement inside the network, not just perimeter traffic. Attackers who pass the perimeter move east-west between systems; this traffic is invisible if only the perimeter is monitored.

Retention Requirements: Minimum 90 days of hot storage for active incident response. 1 year archive for compliance. Flow data is cheaper to retain than FPC.

SIEM Integration: Zeek logs and Suricata events forward to Splunk, Elastic SIEM, or Sentinel for correlation, alerting, and long-term retention.

Threat Hunting: Proactive searching for compromise indicators that haven't yet triggered alerts. NSM data is the primary corpus for hunting. Hypotheses driven by threat intelligence.

3. Sandboxing: Behavioral Malware Analysis

Purpose: Detonate suspicious files in an isolated virtual machine and observe behavior (file writes, registry changes, network connections, process spawning, API calls). Reveals malicious behavior invisible to static analysis.

Analysis Types:

  • Static analysis: Examine file without executing (strings, hashes, PE header, imports, YARA rule matching). Fast, safe, but misses obfuscated/packed malware.
  • Dynamic/behavioral analysis: Execute in isolated VM, monitor all actions. Catches packed/obfuscated malware. Requires safe execution environment.

Sandbox Products:

  • Cuckoo Sandbox: Open source, self-hosted. Supports Windows/Linux/Android. Integrates with Suricata for network analysis.
  • Joe Sandbox: Commercial, deep analysis including hypervisor-level monitoring.
  • ANY.RUN: Interactive cloud sandbox; analyst can interact with the sample in real time.
  • VirusTotal: Multi-AV scan plus basic sandbox. Good for initial triage.

Sandbox Evasion Techniques (Critical for Exam):

  • VM detection: Check CPUID for hypervisor bit, disk size check (sandboxes often have small disks), check for sandbox-specific processes/registry keys, MAC address OUI checks
  • Timing attacks: Sleep for longer than sandbox analysis window (30-60 seconds) before executing malicious code
  • User interaction requirements: Wait for mouse movement, require specific user action before executing payload; most sandboxes don't simulate realistic user behavior
  • Environment checks: Check for domain membership, number of running processes, screen resolution

Integration Points: Email gateway (scan attachments before delivery), web proxy (scan downloaded files), EDR (forward suspicious processes to sandbox). Defense-in-depth requires sandbox at multiple inspection points.

YARA Rules: Pattern-matching language for static file classification. Used to identify malware families, threat actor TTPs, and suspicious strings across file types.

4. DDoS Protection: Attack Types and Mitigations

DDoS Attack Classification:

  • Volumetric: Flood and consume bandwidth. UDP flood, ICMP flood, DNS amplification (attacker sends a small query, the DNS server returns a large response to the victim). Goal: saturate network pipe.
  • Protocol: Exhaust stateful device tables (firewalls, load balancers). SYN flood (fill TCP half-open connection table), Ping of Death, Smurf attack. Goal: crash network devices.
  • Application Layer (Layer 7): Exhaust application server resources. HTTP flood, Slowloris (open many slow HTTP connections), DNS query flood. Goal: crash web/app servers. Hardest to filter because the traffic looks legitimate.

SYN Cookies (Exam Favorite):

  • Problem: SYN flood fills the server's half-open connection table (backlog queue), so the server can't accept new connections
  • SYN cookies: server encodes connection state into the TCP ISN (Initial Sequence Number) of the SYN-ACK. Server does NOT store connection state until client completes the handshake (sends ACK)
  • Result: backlog queue stays empty. Server can handle unlimited SYN packets without state table exhaustion
  • Downside: loses TCP options (window scaling, timestamps); minor performance trade-off
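The mechanism in the list above, worked through in Python as an added example (not the Linux kernel's implementation, whose bit layout differs): the server answers every SYN with an ISN derived from an HMAC over the 4-tuple, a slow counter and an MSS index, stores nothing, and re-derives the cookie from the final ACK. The secret, the MSS table and the 5/25/2-bit layout are assumptions made for the demo.

```python
"""SYN cookie encode/verify (added illustration, not a kernel implementation)."""
import hashlib
import hmac
import struct

# Constructed server secret; a production stack rotates it periodically.
SERVER_SECRET = b"constructed-demo-secret"

# The cookie only has room for an index, so the MSS is rounded down to a table entry.
MSS_TABLE = [536, 1220, 1440, 1460]

COUNTER_BITS = 5                              # high bits: slow counter (e.g. minutes)
MSS_BITS = 2                                  # low bits: index into MSS_TABLE
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS      # remaining 25 bits: truncated MAC
COUNTER_MASK = (1 << COUNTER_BITS) - 1
HASH_MASK = (1 << HASH_BITS) - 1


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """Truncated HMAC binding the cookie to this connection and counter tick."""
    msg = (src_ip.encode() + struct.pack("!H", src_port)
           + dst_ip.encode() + struct.pack("!H", dst_port)
           + struct.pack("!I", counter))
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """Return the 32-bit ISN for the SYN-ACK. No per-connection state is kept."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                       # largest table entry <= client MSS
    c = counter & COUNTER_MASK
    mac = _mac(src_ip, src_port, dst_ip, dst_port, c)
    return (c << (32 - COUNTER_BITS)) | (mac << MSS_BITS) | mss_idx


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, counter, max_age=1):
    """Validate the handshake's final ACK from the packet and the clock alone.
    Returns the negotiated MSS, or None for a forged or stale cookie."""
    isn = (ack_number - 1) & 0xFFFFFFFF       # client ACKs ISN + 1
    c = isn >> (32 - COUNTER_BITS)
    mss_idx = isn & ((1 << MSS_BITS) - 1)
    mac = (isn >> MSS_BITS) & HASH_MASK
    age = ((counter & COUNTER_MASK) - c) & COUNTER_MASK
    if age > max_age:                         # stale ACK or replay of an old cookie
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, c)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


def simulate_flood(n_syns, counter=7):
    """Answer n_syns SYNs from spoofed sources, then let one real client finish.
    Returns (entries stored in the half-open table, MSS negotiated by the real client)."""
    half_open_table = {}                      # a classic backlog would fill up here
    for i in range(n_syns):
        spoofed = "203.0.113.%d" % (i % 250)  # constructed spoofed source addresses
        make_syn_cookie(spoofed, 1024 + i, "192.0.2.10", 443, 1460, counter)
    isn = make_syn_cookie("10.0.0.5", 40000, "192.0.2.10", 443, 1460, counter)
    mss = check_syn_cookie("10.0.0.5", 40000, "192.0.2.10", 443, isn + 1, counter)
    return len(half_open_table), mss


if __name__ == "__main__":
    print(simulate_flood(100_000))            # (0, 1460)
```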

Other Mitigations:

  • Rate limiting: Per-source-IP connection limits. Effective for smaller attacks but doesn't help against distributed botnets.
  • Black hole routing (RTBH): Null-route the victim IP. Stops attack traffic but also legitimate traffic. Last resort.
  • Upstream scrubbing services: Cloudflare, Akamai, AWS Shield Advanced absorb attack traffic in their scrubbing centers before it reaches your network. Best for large volumetric attacks.
  • Anycast diffusion: Distribute attack traffic across multiple PoPs globally so no single location is overwhelmed.

5. Web Proxies and SMTP Security (SPF/DKIM/DMARC)

Web Proxy Architecture:

  • Forward proxy: All outbound HTTP/HTTPS traffic is routed through the proxy server. Provides URL filtering, logging, content inspection.
  • Transparent proxy: Network appliance intercepts traffic without client configuration (policy-based routing or WCCP). Client doesn't know proxy exists.
  • Explicit proxy: Client browser/OS configured with proxy address. Can use PAC (Proxy Auto-Configuration) files to automate browser configuration.

SSL/TLS Inspection: The proxy performs a man-in-the-middle: it establishes separate TLS sessions with the client (using a corporate CA certificate) and with the server. Decrypts, inspects, re-encrypts traffic. The corporate CA must be trusted by all endpoints (deployed via Group Policy/MDM). Reveals malware C2 callbacks, data exfiltration, and threats in encrypted traffic.

Email Authentication Standards:

  • SPF (Sender Policy Framework): DNS TXT record listing IP addresses authorized to send email for the domain. Receiving server checks if sending IP is in the SPF record. Values: +all (pass), -all (hard fail/reject), ~all (soft fail/spam). Does NOT protect against header spoofing; only validates envelope From.
  • DKIM (DomainKeys Identified Mail): Cryptographic signature applied to email headers and body. Receiving server retrieves public key from DNS (TXT record) and validates signature. Proves message was not altered in transit and originated from authorized sender. Does NOT prevent lookalike domains.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Policy telling receiving servers what to do when SPF/DKIM checks fail. Values: p=none (monitor, take no action), p=quarantine (send to spam), p=reject (block delivery). Also provides rua/ruf reporting for visibility into spoofing. Alignment: requires SPF/DKIM to align with the From: header domain.

Email Gateway Security: Attachment sandboxing, URL rewriting (URLs re-written to proxy for post-delivery scanning), RBL (Reputation Block Lists) to block known bad sending IPs, outbound DLP scanning, DNSSEC for domain validation.

6. NGFWs, VPNs, and Jump Box Architecture

NGFW vs Traditional Stateful Firewall:

  • Traditional: inspects IP/port/protocol (Layers 3-4), stateful connection tracking, simple ACLs
  • NGFW adds: Application identification (Layer 7 DPI; identifies Dropbox regardless of port), user-identity integration (from Active Directory/LDAP), URL filtering, integrated IPS, TLS/SSL inspection, threat intelligence feeds, sandboxing integration
  • Zone-based policy: Zones (DMZ, internal, external, management) with explicit policies between zones. Implicit deny all. Policy applies between zone pairs.

VPN Technologies:

  • IPsec IKEv2: Preferred over IKEv1. Shorter handshake, stronger crypto (AES-256/SHA-256), MOBIKE for mobility (handles IP address changes), EAP authentication methods, built-in NAT traversal. IKEv1 had known weaknesses (aggressive mode, weak DH groups).
  • IPsec components: AH (authentication only, no encryption), ESP (encryption + authentication; use ESP). Tunnel mode (entire IP packet encrypted, new IP header; use for site-to-site and remote access). Transport mode (only payload encrypted; used between hosts).
  • SSL/TLS VPN: Clientless (browser-based, portal access to internal apps) or full client. Easier to deploy, works through most firewalls. Lower performance than IPsec.
  • Split tunneling risk: non-corporate traffic goes directly to the internet, bypassing corporate security controls (proxy, firewall, DLP). Always-on VPN forces all traffic through the corporate network.

Jump Box / Bastion Host Requirements:

  • All privileged/admin access to production systems routes through the jump box
  • MFA enforced: all authentication requires a second factor
  • Session recording: all admin sessions recorded (video + keystrokes). PAM tools: CyberArk, BeyondTrust, Teleport.
  • Dedicated management VLAN, isolated from other traffic
  • Minimal installed software, reducing the attack surface
  • Admin workstation never holds production credentials; credentials are only accessible from the jump box
  • Quarterly access reviews to ensure only authorized admins have access

Exam Readiness Checklist

Check off topics as you master them. Track your preparation progress.

  • [Exam] Know NIDS vs NIPS placement: NIDS=passive/SPAN, NIPS=inline; impact on traffic
  • [Concept] Understand signature vs anomaly detection trade-offs: FP rates and threat coverage
  • [Exam] Know NSM components: full packet capture vs flow data vs protocol logs (Zeek)
  • [Concept] Understand sandbox evasion techniques: VM detection, timing attacks, user interaction requirements
  • [Exam] Know DDoS attack types: volumetric, protocol (SYN flood), application layer
  • [Exam] Understand SYN cookies and how they eliminate half-open connection state table exhaustion
  • [Concept] Explain the web proxy SSL inspection mechanism (corporate CA MITM, both TLS sessions)
  • [Exam] Know SPF, DKIM, DMARC: what each validates, DNS record type, and DMARC policy values
  • [Concept] Understand NGFW application-layer inspection vs traditional stateful firewall
  • [Exam] Know IPsec components: IKEv2 vs v1, AH vs ESP, tunnel mode vs transport mode
  • [Concept] Explain split tunneling risks and why always-on VPN prevents security control bypass
  • [Exam] Know jump box requirements: MFA, session recording, dedicated VLAN, minimal software
  • [Practice] Lab: Deploy Suricata/Zeek on Security Onion and review generated logs
  • [Concept] Understand RTBH (black hole routing): stops attack traffic but also legitimate traffic
  • [Exam] Know network tap vs SPAN port trade-offs: reliability under load
  • [Practice] Configure NGFW zone-based policy with implicit deny all
  • [Exam] Understand PAM tools for jump box session management: CyberArk, BeyondTrust, Teleport

Quick Reference

Tables, comparisons, and code snippets for rapid exam review.

NIDS vs NIPS Comparison

Attribute | NIDS | NIPS
Placement | Out-of-band (SPAN port or tap) | Inline between network segments
Mode | Passive (does not touch traffic) | Active (processes all inline traffic)
Blocking capability | No (alerts only) | Yes (can block/drop malicious traffic)
Traffic impact | Zero latency impact | Adds latency; failure can disrupt traffic
Fail mode | Stops detecting; no traffic impact | Fail-open (bypass) vs fail-closed (block all)
Primary use case | Detection, forensics, threat hunting | Active blocking at segment boundaries
Examples | Zeek, passive Suricata | Inline Suricata, Cisco FTD, Palo Alto IPS

DDoS Attack Types and Mitigations

Type | Mechanism | Example Attacks | Primary Mitigation
Volumetric | Flood and consume bandwidth | UDP flood, DNS amplification, ICMP flood | Upstream scrubbing, Anycast diffusion
Protocol | Exhaust stateful device tables | SYN flood, Ping of Death, Smurf | SYN cookies, rate limiting, scrubbing
Application (L7) | Exhaust app server resources | HTTP flood, Slowloris, DNS query flood | WAF, CAPTCHA, behavioral analysis

Email Authentication: SPF / DKIM / DMARC

Standard | Mechanism | What It Validates | DNS Record Type | Limitation
SPF | Authorized sending IPs listed in DNS | Sending mail server IP is authorized | TXT (_spf.domain.com) | Doesn't protect header From:, fails on forwarding
DKIM | Cryptographic signature on headers/body | Message integrity and sender authorization | TXT (selector._domainkey) | Doesn't prevent lookalike domains, key management burden
DMARC | Policy enforcement + reporting | SPF/DKIM alignment with header From: | TXT (_dmarc.domain.com) | Only protects exact domain, not lookalikes; p=none has no effect

VPN Protocol Comparison

Protocol | Preferred Crypto | Key Feature | Weakness
IPsec IKEv2 | AES-256-GCM / SHA-256 / DH Group 20+ | MOBIKE (IP mobility), fast re-auth, strong crypto | Complex configuration, blocked by some ISPs
IPsec IKEv1 | AES-256 / SHA-1 (legacy) | Widely supported (legacy) | Aggressive mode vulnerability, weaker DH options
SSL/TLS VPN | TLS 1.2/1.3 | Works through firewalls/NAT, clientless option | Lower performance, requires TLS inspection to audit
WireGuard | ChaCha20 / Poly1305 / Curve25519 | Simple, high performance, modern crypto | Less mature in enterprise environments

NGFW vs Traditional Stateful Firewall

Feature | Traditional Stateful FW | NGFW
Inspection layer | Layers 3-4 (IP/Port/Protocol) | Layers 3-7 (up to application)
Application awareness | Port-based assumption only | App ID via DPI regardless of port
User identity | None | AD/LDAP integration, user-based policies
IPS | Separate appliance required | Integrated IPS engine
SSL inspection | No | Yes, full TLS MITM inspection
Threat intel | None | IP/URL reputation feeds, C2 blocking
URL filtering | No | Yes, category-based and reputation-based

Suricata Rule Syntax and Zeek Log Fields

# Suricata Rule Syntax
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"ET MALWARE Suspicious User-Agent";
    flow:established,to_server;
    http.user_agent;
    content:"MalwareUA/1.0";
    classtype:trojan-activity;
    sid:2000001;
    rev:1;
)

# Zeek conn.log Key Fields
# ts - timestamp
# uid - unique connection ID
# id.orig_h - source IP
# id.orig_p - source port
# id.resp_h - destination IP
# id.resp_p - destination port
# proto - protocol (tcp/udp/icmp)
# duration - connection duration
# orig_bytes - bytes sent by originator
# resp_bytes - bytes sent by responder
# conn_state - connection state (SF=normal, S0=SYN no response, REJ=RST)
# service - detected protocol (http, dns, ssl, etc.)

# Zeek DNS log fields
# query - DNS query name
# qtype_name - query type (A, AAAA, MX, TXT)
# answers - DNS answers returned
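An added example (not Zeek's own tooling) that parses the conn.log format whose fields are listed above and uses conn_state to flag hosts that look like they are port scanning or probing neighbours: the log excerpt, host addresses and thresholds are constructed for the demo.

```python
"""Parse a Zeek conn.log and flag hosts whose TCP connections mostly end in
S0 (SYN, no reply) or REJ (RST) against many distinct targets: the usual
trace of port scanning or lateral-movement probing in NSM data."""
from collections import defaultdict

# Constructed conn.log excerpt with the header lines Zeek emits (tab separated).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.1\tCx1\t10.1.1.50\t51000\t10.1.2.10\t22\ttcp\t-\t-\t-\t-\tS0
1700000000.2\tCx2\t10.1.1.50\t51001\t10.1.2.10\t23\ttcp\t-\t0.001\t0\t0\tREJ
1700000000.3\tCx3\t10.1.1.50\t51002\t10.1.2.10\t445\ttcp\t-\t-\t-\t-\tS0
1700000000.4\tCx4\t10.1.1.50\t51003\t10.1.2.11\t3389\ttcp\t-\t0.001\t0\t0\tREJ
1700000000.5\tCx5\t10.1.1.50\t51004\t10.1.2.11\t443\ttcp\tssl\t2.5\t1200\t9000\tSF
1700000001.0\tCx6\t10.1.1.77\t52000\t10.1.2.10\t443\ttcp\tssl\t1.1\t800\t5200\tSF
1700000001.1\tCx7\t10.1.1.77\t52001\t10.1.2.10\t80\ttcp\thttp\t0.3\t300\t1500\tSF
1700000001.2\tCx8\t10.1.1.77\t52002\t10.1.2.53\t53\tudp\tdns\t0.05\t60\t120\tSF
#close\t2023-11-14-22-13-21
"""

UNSET = "-"                                       # Zeek's unset_field marker


def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the #fields header.
    Unset fields ('-') become None so callers can tell 'no data' from 0."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue                              # other header lines and #close
        if fields is None:
            raise ValueError("data line before #fields header")
        values = [None if v == UNSET else v for v in line.split("\t")]
        if len(values) != len(fields):
            raise ValueError("field count mismatch: " + line)
        records.append(dict(zip(fields, values)))
    return records


def find_scanners(records, min_failed=3, min_failure_ratio=0.5):
    """Per source host, count distinct (resp_h, resp_p) targets whose TCP
    connection state is S0 or REJ, relative to the host's total TCP connections."""
    failed_targets = defaultdict(set)
    totals = defaultdict(int)
    for r in records:
        if r["proto"] != "tcp":                   # S0/REJ semantics are TCP-specific
            continue
        host = r["id.orig_h"]
        totals[host] += 1
        if r["conn_state"] in ("S0", "REJ"):
            failed_targets[host].add((r["id.resp_h"], r["id.resp_p"]))
    flagged = {}
    for host, targets in failed_targets.items():
        ratio = len(targets) / totals[host]
        if len(targets) >= min_failed and ratio >= min_failure_ratio:
            flagged[host] = {
                "failed_targets": len(targets),
                "total_tcp": totals[host],
                "ports": sorted({int(p) for _, p in targets}),
            }
    return flagged


if __name__ == "__main__":
    for host, info in find_scanners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(host, info)
```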

Practice Quiz: Network Defense Controls

Test your knowledge with scenario-based questions. Select an answer to see the explanation.

Q1. Your IDS generates 800 alerts daily, with security analysts estimating 90% are false positives from internal web servers. What is the most likely root cause of the high false positive rate?

Anomaly-based detection builds a baseline of "normal" traffic. Internal web servers with dynamic traffic patterns (batch jobs, backups, patching windows) frequently deviate from their baseline, and each deviation triggers an alert. Signature-based detection has lower FP rates for known threats. The fix is to whitelist or tune the anomaly baseline for known-good traffic patterns.

Q2. Malware on a workstation establishes a C2 channel over HTTPS to a cloud service provider's IP. Which single control most likely both detects AND blocks this communication?

The web proxy with SSL inspection decrypts the HTTPS connection (revealing the C2 content), applies URL and IP reputation filtering (blocking known C2 infrastructure), and logs all connections for forensics. NIDS cannot inspect encrypted HTTPS without SSL inspection. DNS blacklisting is evaded by IP-direct C2. The host-based firewall allows port 443 outbound by default.

Q3. An organization wants to eliminate SYN flood vulnerability on their border without deploying upstream scrubbing services. Which control specifically addresses SYN floods?

SYN cookies specifically eliminate the state table exhaustion problem caused by SYN floods. The server encodes connection state into the TCP Initial Sequence Number, eliminating the need to maintain half-open connections in memory. Rate limiting helps but doesn't eliminate the vulnerability against large distributed SYN floods. RTBH stops all traffic (including legitimate). NIPS doesn't specifically mitigate SYN floods.

Q4. An attacker uses Dropbox on TCP port 443 to exfiltrate sensitive files. The traditional stateful firewall allows port 443 outbound. Which technology can detect and block this?

NGFW uses Deep Packet Inspection (DPI) to identify the Dropbox application protocol regardless of port. Even if Dropbox changes IPs (hard to block by IP), the NGFW identifies it by application behavior. User-based policies can block "Dropbox" for specific users/groups while allowing other HTTPS. Traditional firewalls and NIDS without SSL inspection can't distinguish Dropbox from other HTTPS.

Q5. An attacker sends a phishing email with From: ceo@yourcompany.com from an external mail server that your company does not own. Which DNS record type would cause most receiving mail servers to reject this email?

SPF with -all (hard fail) tells receiving servers to reject email from any IP not listed in the SPF record. The attacker's mail server IP is not in your authorized list, so -all causes rejection. DKIM validates message integrity but requires the attacker to have access to the private key, so it is not applicable here. DMARC (not listed) ties SPF/DKIM to the From: header and would reinforce rejection, but SPF -all is the direct answer.

Q6. An administrator needs to SSH into 50 production servers. Which architecture provides the best audit trail and prevents credential theft on the admin's workstation?

The jump box centralizes all privileged access: the admin workstation never holds production SSH keys, all sessions are MFA-protected and session-recorded, and command logging provides a complete audit trail. SSH agent forwarding (option C) is a significant security risk: a compromised intermediary can steal forwarded credentials. Per-server keys on the laptop still leave credentials on the endpoint, accessible if the laptop is compromised.

2-Week Study Plan

Structured daily plan covering all Domain 3 topics with hands-on labs.

Week 1: Detection and Monitoring

  • Days 1-3, NIDS/NIPS and NSM: Deploy Security Onion in a VM, generate test traffic with nmap and basic attack tools, analyze Zeek conn.log and dns.log, tune Suricata rules to reduce false positives, practice distinguishing SPAN vs tap output
  • Days 4-5, Sandboxing and DDoS: Lab with Cuckoo sandbox (submit a test file, review behavioral report), study DDoS mitigation architectures, configure SYN cookies on a Linux system (net.ipv4.tcp_syncookies=1), understand RTBH vs upstream scrubbing trade-offs

Week 2: Proxies, Email Security, Firewalls, Remote Access

  • Days 1-3, Proxies and Email Security: Deploy Squid proxy with SSL Bump (SSL inspection), configure PAC file for browser auto-configuration, set up SPF/DKIM/DMARC records for a test domain, use mail-tester.com to verify email authentication
  • Days 4-5, NGFWs and Remote Access: Configure zone-based policies on pfSense or OPNsense (DMZ/LAN/WAN zones with implicit deny), set up IPsec IKEv2 VPN, configure a jump server with fail2ban and session recording, complete 40+ practice questions from GDSA question banks

Recommended Resources

Books and Documentation

  • The Practice of Network Security Monitoring (Bejtlich)
  • Security Onion Documentation (securityonion.net)
  • Zeek Documentation (docs.zeek.org)
  • Suricata Rules Documentation

Online Labs

  • Security Onion VM (free download)
  • TryHackMe: Network rooms
  • DVWA (Damn Vulnerable Web App) for proxy testing
  • MXToolbox: SPF/DKIM/DMARC verification

Common Exam Mistakes

These misconceptions frequently appear on the GDSA exam. Know how to avoid them.

1. Confusing IDS and IPS placement. IDS is passive (out-of-band via SPAN or tap) and CANNOT block traffic; it only alerts. IPS is inline and can block but adds latency. Saying an IDS "blocked" traffic is always wrong. The exam will test this placement distinction directly.
2. Forgetting SSL inspection is required to catch HTTPS threats. Any control that doesn't perform SSL/TLS inspection (NIDS without inline decryption, traditional firewall) is blind to encrypted traffic. C2 channels, data exfiltration, and malware downloads increasingly use HTTPS. Web proxy with SSL inspection is the primary control for encrypted outbound threats.
3. Thinking DMARC alone prevents all phishing. DMARC with p=reject prevents spoofing of your exact domain. Attackers regularly use lookalike domains (your-company.com, yourcompany.net, yourcompány.com) that DMARC cannot protect. User training and suspicious domain blocking are required for lookalike defense.
4. Using split tunneling "for performance" without understanding the security gap. With split tunneling, non-corporate internet traffic bypasses the web proxy, firewall, DLP, and all outbound security controls. Malware C2 callbacks and data exfiltration over direct internet connections are completely invisible to corporate monitoring.
5. Treating jump boxes as optional or inconvenient. Without a jump box, admin credentials must exist on admin workstations, session recording is impossible, and privileged access cannot be centrally audited. The jump box is architecturally required for defensible privileged access management. No jump box = no reliable audit trail for privileged actions.

Frequently Asked Questions

Answers to common Domain 3 questions.

When should you use a network tap vs a SPAN port for NSM?
Use a hardware network tap for production, high-traffic, or forensically sensitive networks. Taps provide 100% of traffic with no packet loss regardless of switch load, which is essential for incident response. SPAN ports are software-configured and may drop packets when the switch is under high load (ASIC priority goes to forwarding, not mirroring). SPAN is acceptable for lower-traffic segments or dev environments where 100% capture is not required. Full-duplex taps produce two output streams (one per direction) that NSM tools must recombine.

Why is IKEv2 preferred over IKEv1 for VPN deployments?
IKEv2 (RFC 7296) improves on IKEv1 in multiple ways: (1) Shorter handshake: IKEv2 requires fewer messages to establish an SA than IKEv1 Main Mode. (2) MOBIKE support: IKEv2 handles mobile clients that change IP addresses (cellular to WiFi and back) without dropping the VPN. (3) Better cryptographic options: supports stronger DH groups (ECDH); IKEv1 aggressive mode had known vulnerabilities. (4) EAP authentication built in. (5) Built-in NAT traversal. For the GDSA exam: always recommend IKEv2 over IKEv1; know that AES-256/SHA-256 and DH Group 20+ are appropriate choices.

What is the difference between SSL inspection and deep packet inspection?
SSL/TLS inspection (also called SSL interception or SSL MITM) is specifically about decrypting encrypted HTTPS/TLS traffic for security inspection. The proxy or NGFW acts as a man-in-the-middle, terminating the client's TLS session and establishing a new TLS session to the server. Deep Packet Inspection (DPI) is the broader concept of inspecting packet contents beyond the header (Layer 3-4) to examine application-layer data. DPI is used in NGFWs for application identification, IPS signature matching, and URL filtering. SSL inspection is a prerequisite for DPI to work on encrypted traffic. All SSL inspection uses DPI, but not all DPI involves SSL inspection.

How does DMARC enforcement work step by step?
1. Sending domain publishes DMARC record: _dmarc.domain.com TXT "v=DMARC1; p=reject; rua=mailto:reports@domain.com".
2. Receiving mail server gets email from someone claiming to be from domain.com.
3. Receiver performs SPF check (is the sending IP in domain.com's SPF record?).
4. Receiver performs DKIM check (is there a valid DKIM signature for domain.com?).
5. DMARC alignment check: at least one of SPF or DKIM must pass AND the domain in the result must align with the From: header.
6. If both SPF and DKIM fail (or misalign), the DMARC policy is applied: none=deliver and report, quarantine=send to spam folder, reject=refuse the email.
7. Receiving server sends aggregate reports (rua) back to the domain owner daily.
Start with p=none for monitoring, then progress to p=quarantine, then p=reject.
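The DMARC steps above and the SPF/DKIM/DMARC definitions in Key Concepts, carried through in Python as an added example (not a production mail filter): the DNS records, sender IPs and domains are constructed, only SPF ip4/ip6/all mechanisms are evaluated, and the DKIM signature check itself is represented by the verifier's (d= domain, valid) output rather than performed.

```python
"""DMARC evaluation for one inbound message (added example, not a mail filter)."""
import ipaddress

# Constructed DNS TXT records for the example domain (not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=<constructed public key>",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_check(sender_ip, mail_from_domain):
    """Evaluate ip4/ip6/all mechanisms only (no include/a/mx/redirect here)."""
    record = DNS_TXT.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"                     # domain publishes no SPF record
    addr = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:
        qualifier = "+"
        if mech[0] in QUALIFIER_RESULT:
            qualifier, mech = mech[0], mech[1:]
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                      # nothing matched and no 'all'


def org_domain(domain):
    """Simplified organizational domain (last two labels). A real implementation
    consults the Public Suffix List so that example.co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(sender_ip, mail_from_domain, dkim_results, header_from_domain):
    """dkim_results: list of (d= domain, signature_valid) from the DKIM verifier.
    Returns the SPF result, the alignment outcomes and the disposition to apply."""
    policy = DNS_TXT.get("_dmarc." + header_from_domain.lower())
    if policy is None:                    # fall back to the organizational domain
        policy = DNS_TXT.get("_dmarc." + org_domain(header_from_domain))
    if policy is None or not policy.startswith("v=DMARC1"):
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    tags = parse_tags(policy)
    spf_result = spf_check(sender_ip, mail_from_domain)
    spf_aligned = (spf_result == "pass"
                   and aligned(mail_from_domain, header_from_domain, tags.get("aspf", "r")))
    dkim_aligned = any(valid and aligned(d, header_from_domain, tags.get("adkim", "r"))
                       for d, valid in dkim_results)
    result = {"spf": spf_result, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:       # one aligned pass is enough (step 5)
        result.update(dmarc="pass", disposition="none")
        return result
    policy_tag = tags.get("p", "none")    # step 6: apply the published policy
    if header_from_domain.lower() != org_domain(header_from_domain) and "sp" in tags:
        policy_tag = tags["sp"]           # subdomain policy, when published
    result.update(dmarc="fail", disposition=policy_tag)
    return result
```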
What is a transparent proxy and how does it differ from an explicit proxy?
Transparent proxy: Network equipment (firewall or router) intercepts HTTP/HTTPS traffic using policy-based routing or WCCP (Web Cache Communication Protocol) and redirects it to the proxy. Client applications don't need any configuration; they don't know traffic is being proxied. Pros: no client configuration required, works with all applications. Cons: some applications behave differently when proxied, and SSL inspection requires certificate injection via MDM/GPO to avoid certificate errors.
Explicit proxy: Clients are configured with the proxy's IP:port (manually or via PAC file auto-discovery). Applications that support proxy settings use it; others may bypass. WPAD (Web Proxy Auto-Discovery) can distribute the PAC file location automatically. Pros: clients know they're proxied, application-aware. Cons: applications without proxy support may bypass; the PAC file must be maintained.

Why does sandboxing fail to detect some malware?
Sandbox-aware malware uses multiple evasion techniques: (1) VM detection: check CPUID hypervisor flag, disk size (sandboxes often <100GB), check for sandbox-specific processes, check for common sandbox artifacts (VirtualBox guest additions registry keys). (2) Timing attacks: sleep() for longer than the analysis window (30-60s), then execute the payload after sandbox analysis completes. (3) User interaction requirements: wait for mouse movement, a specific user click, or an environment that looks like a real user session. (4) Environment fingerprinting: check number of running processes (sandboxes often have few), screen resolution, locale/language, specific software installed. (5) C2-dependent execution: malware fetches its payload from a C2 server at runtime; a sandbox with no internet access can't retrieve the payload. Defense: extend the analysis window, simulate user interaction, enable internet access in sandboxes, use multiple analysis systems.

What logs should NSM capture for effective incident response?
Essential NSM log sources: (1) Full Packet Capture: complete forensic record; retrieve the payload for any suspicious connection (high storage cost). (2) NetFlow/IPFIX: all connection metadata without payload; essential for lateral movement and anomaly detection. (3) Zeek logs: conn.log (all connections), dns.log (all DNS queries/responses), http.log (HTTP headers, URIs, user-agents), ssl.log (TLS certificates, JA3/JA3S fingerprints), files.log (transferred files with hashes), notice.log (Zeek-generated alerts). (4) Suricata alerts: signature matches from Emerging Threats and other rulesets. (5) DHCP logs: IP-to-MAC-to-hostname mapping for attribution. (6) DNS logs: both recursive resolver and authoritative; critical for detecting DNS C2 and exfiltration. Retention: 90 days minimum hot storage for active investigation; flow data 1+ year for trend analysis.

How does always-on VPN differ from traditional VPN?
Traditional VPN: User manually connects when needed, can disconnect at will. Split tunneling common. Enforced only when connected. Always-on VPN (e.g., GlobalProtect, Cisco AnyConnect with enforced mode, Intune Always-on VPN): VPN connects automatically before user login, cannot be disconnected by the user, all traffic forced through corporate infrastructure (no split tunneling). Benefits: the endpoint is always under corporate security controls regardless of location, web proxy/filtering always active, DLP always in path, no gap in monitoring when the user works from home. Implementation: MDM/GPO deploys a VPN profile with pre-logon authentication. Device certificates are used for machine authentication before user credentials. Limitation: adds latency for all traffic; cloud-direct access patterns may require split-tunneling exceptions for performance, which re-creates the security gap.

Continue Your GDSA Exam Preparation

Domain 3 of 6 complete. Advance to Zero Trust Architecture and Cloud Security.