πŸ” CompTIA Security+ SY0-701 Β· Domain 3

Network Security Architecture
Firewalls · Segmentation · IDS/IPS · Secure Access

Master firewall types, network segmentation strategies, intrusion detection vs. prevention, and secure remote access — with scenario-based quizzes and a design selector tool built for SY0-701.

Network Security Architecture

Domain 3 (Security Architecture) is 18% of the SY0-701 exam. It focuses on where controls are placed in the network and why — using layered defense to limit the blast radius of a breach.

πŸ›οΈ
Defense in depth: No single control is sufficient. Network security architecture layers firewalls, segmentation, detection, and access controls so that even if one layer fails, others remain. SY0-701 scenario questions frequently ask you to choose the most appropriate control for a given context.
πŸ”₯
Firewalls

Traffic Filtering

Control which traffic is allowed between network zones. Classified by what they inspect and which OSI layers they operate on.

Packet filter: Layer 3/4, stateless, headers only Stateful: Tracks connection state NGFW: Deep inspection, app-aware WAF: Layer 7, HTTP/HTTPS only
πŸ—ΊοΈ
Network Segmentation

Divide & Isolate

Splits networks into zones to contain breaches, limit lateral movement, and apply different security policies per zone.

DMZ: Public-facing servers, screened subnet VLAN: Layer 2 logical segmentation Air gap: Physically isolated network Microsegmentation: Zero trust enabler
πŸ‘οΈ
IDS / IPS

Detect & Prevent

Monitor network or host traffic for malicious activity. IDS alerts; IPS actively blocks. Placement and detection method are key exam topics.

IDS: Passive, alerts only β€” does not block IPS: Inline, actively blocks threats Signature: Known threats, low false positives Anomaly: Deviation detection, finds zero-days
πŸ”‘
Secure Access

Control Who Gets In

Ensures only authorized, authenticated users and devices access network resources β€” both remotely and on-premises.

VPN: Encrypted tunnel, site-to-site or remote Zero Trust: Never trust, always verify 802.1X / NAC: Port-based authentication Jump server: Hardened admin access point

The SY0-701 Architecture Mindset

The exam asks you to match the right control to the right problem. An IDS monitors but doesn't stop attacks. A WAF protects web apps but not internal traffic. A VLAN isolates but doesn't encrypt. Know what each control does — and more importantly, what it doesn't do.

OSI Layer mapping helps: Packet filter = Layer 3/4 · Stateful = Layer 4 · NGFW/WAF = Layer 7 · VLANs = Layer 2 · VPN (IPSec) = Layer 3 · SSL VPN = Layer 4–7. Exam questions often embed the answer in a layer reference.
Deep Dive: Each Control Explained

The distinguishing attributes, placement logic, and exam traps for each network security control category.

Firewalls: Traffic Filtering

Packet Filtering (Stateless)
Examines IP headers only — source/destination IP, port, protocol. No awareness of connection state or session context. Fast but easy to spoof.
Layer 3/4 · ACLs
Stateful Inspection
Tracks the state of active connections in a state table. Knows if a packet is part of an established session. More secure than packet filtering — blocks out-of-state packets.
Layer 4 · Session-aware
Next-Generation Firewall (NGFW)
Adds deep packet inspection (DPI), application awareness (identifies apps regardless of port), integrated IPS, TLS/SSL inspection, and user identity tracking to stateful inspection.
Layer 7 · App-aware
Web Application Firewall (WAF)
Operates at Layer 7, specifically protecting HTTP/HTTPS web applications. Filters SQL injection, XSS, CSRF, and other OWASP Top 10 attacks. Positioned in front of web servers — not a general-purpose firewall.
Layer 7 · HTTP only
Unified Threat Management (UTM)
All-in-one appliance combining firewall, IPS, antivirus, VPN, content filtering, and more. Easier to manage; single point of failure. Common in SMB environments.
Multi-layer · All-in-one
Implicit Deny
The foundational firewall rule: deny all traffic by default, then explicitly permit what is required. Any traffic not matching an allow rule is automatically blocked. Default posture for secure configurations.
Policy · Default deny

Exam trap — WAF vs. NGFW: A WAF only inspects HTTP/HTTPS traffic to protect web applications. An NGFW inspects all traffic at Layer 7. If the question says "protect a web application from SQL injection" = WAF. If it says "inspect all outbound application traffic" = NGFW.

Exam keyword mapping: "Blocks based on port/IP only, no state" = Packet filtering · "Tracks connection state" = Stateful · "Application-aware, DPI" = NGFW · "SQL injection, XSS, web app" = WAF · "All-in-one SMB appliance" = UTM
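The stateless vs. stateful distinction and implicit deny are easier to see in running code than in a definition. The following is an added example written for this page (it is not from the original page or from CompTIA's material): a toy packet filter in which every rule set ends in implicit deny, compared against a stateful firewall that keeps a state table. All packets, rules and addresses are constructed; nothing touches a real network interface.

```python
# Added example (not from the page): a toy packet filter that contrasts a
# stateless rule set with stateful inspection. Both end in implicit deny.
# Packets are constructed 5-tuples; no sockets or real traffic are involved.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag: set only on the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None means "any" for every field below
    src: Optional[str] = None    # CIDR prefix, e.g. "10.0.0.0/8"
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only comparison: protocol, ports and address prefixes."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return True


def stateless_verdict(rules, pkt: Packet) -> str:
    """Packet filter: first matching rule wins; no match means implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: a state table of sessions that were admitted by a rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # (proto, src, sport, dst, dport) of each admitted session

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "allow"  # part of an established session, either direction
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"   # mid-stream TCP packet with no session: out-of-state
        verdict = stateless_verdict(self.rules, pkt)  # new session: consult the rules
        if verdict == "allow":
            self.state.add(fwd)
        return verdict


INTERNAL = "10.0.0.0/8"
# The stateless filter needs a second rule just to let replies back in, and that
# rule cannot tell a genuine reply from any packet that merely has source port 443.
STATELESS_RULES = [
    Rule("allow", proto="tcp", src=INTERNAL, dport=443),
    Rule("allow", proto="tcp", sport=443, dst=INTERNAL),
]
# The stateful firewall only needs the outbound rule; the state table handles replies.
STATEFUL_RULES = [Rule("allow", proto="tcp", src=INTERNAL, dport=443)]

# Constructed traffic (documentation address ranges)
OUTBOUND_SYN = Packet("tcp", "10.0.0.5", 50000, "203.0.113.10", 443, syn=True)
REPLY = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 50000)
OUT_OF_STATE = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 22)  # no session exists for this
UNRELATED = Packet("udp", "198.51.100.7", 5000, "10.0.0.5", 161)


def compare() -> dict:
    """Verdict per packet as (stateless, stateful), in arrival order."""
    fw = StatefulFirewall(STATEFUL_RULES)
    results = {}
    for name, pkt in [("outbound_syn", OUTBOUND_SYN), ("reply", REPLY),
                      ("out_of_state", OUT_OF_STATE), ("unrelated", UNRELATED)]:
        results[name] = (stateless_verdict(STATELESS_RULES, pkt), fw.inspect(pkt))
    return results


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:13s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

Running `compare()` shows the exam point directly: both filters admit the outbound connection and its reply, but only the stateful firewall denies the mid-stream packet that has no session behind it, and it does so with a shorter rule set. The UDP packet is denied by both because no rule matches it, which is implicit deny at work.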

πŸ—ΊοΈ Network Segmentation Divide & Isolate

πŸ—οΈ
Why segment? Segmentation limits lateral movement β€” if an attacker compromises one zone, they cannot freely move to others. It also allows different security policies per zone (e.g., strict controls on financial data, looser controls on guest Wi-Fi).
DMZ / Screened Subnet Architecture
🌐 Internet
β†’
Firewall 1
β†’
πŸ“§ DMZ
Web/Mail/DNS
β†’
Firewall 2
β†’
🏒 Internal
LAN
Public-facing servers in DMZ Β· Internal servers never directly exposed to internet
DMZ / Screened Subnet
A buffer network zone between the untrusted internet and the trusted internal LAN. Houses public-facing servers (web, mail, DNS). Two firewalls: one between internet and DMZ, one between DMZ and internal.
Layer 3 Β· Zone-based
VLAN (Virtual LAN)
Logical Layer 2 segmentation on a switch β€” separates broadcast domains without physical cables. Traffic between VLANs requires a router or Layer 3 switch. Common use: separate guest, employee, IoT, and voice traffic on the same physical infrastructure.
Layer 2 Β· Switch-based
Air Gap
Complete physical isolation β€” no network connection whatsoever to other systems or the internet. Used for most sensitive environments: ICS/SCADA, nuclear facilities, classified government systems. Data transfer via physical media only.
Physical isolation
Microsegmentation
Fine-grained segmentation at the individual workload or VM level β€” often implemented via SDN (Software-Defined Networking). Key enabler of Zero Trust: each workload is isolated and must authenticate. Controls east-west (lateral) traffic within data centers.
SDN Β· Zero Trust enabler
Extranet
A controlled private network segment accessible to external trusted parties (partners, vendors, contractors) but not the general public. Separate from the internal LAN with access controls limiting what partners can reach.
Controlled external access
East-West vs. North-South Traffic
North-South: Traffic in/out of the data center (to/from internet). East-West: Lateral traffic between servers/workloads inside the data center. Traditional firewalls only inspect north-south β€” microsegmentation addresses east-west threats (lateral movement).
Traffic direction concept
πŸ’‘
Screened subnet = DMZ on the exam. CompTIA uses "screened subnet" as its preferred term in SY0-701. Both mean the same thing: a buffer zone between internet and internal network containing public-facing servers.
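To make the zone model concrete, here is an added example (not from the page) that turns the Internet → Firewall 1 → DMZ → Firewall 2 → Internal design into a zone-pair policy check and classifies each flow as north-south or east-west. The zone prefixes, the allowed ports, and the sample flows are all constructed for the example; the point it adds is that a zone-based design never sees traffic that stays inside one zone, which is exactly the gap microsegmentation is meant to close.

```python
# Added example (not from the page): a zone-based policy check for the
# Internet -> Firewall 1 -> DMZ -> Firewall 2 -> Internal design, with
# north-south / east-west classification. Addresses and policy are constructed.
import ipaddress

# Constructed zone addressing; any address outside these prefixes is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),          # web/mail/DNS
    "internal": ipaddress.ip_network("10.0.0.0/8"),       # workstations, internal servers
    "guest_vlan": ipaddress.ip_network("172.16.50.0/24"),
}

# Zone-pair policy: allowed (proto, dport) pairs, or "any". A missing pair is implicit deny.
POLICY = {
    ("internet", "dmz"): {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)},
    ("dmz", "internal"): {("tcp", 5432)},  # DMZ web tier may reach only the database port
    ("internal", "dmz"): "any",
    ("internal", "internet"): "any",
    ("guest_vlan", "internet"): "any",
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def direction(src_zone: str, dst_zone: str) -> str:
    """North-south crosses the internet edge; everything else is east-west."""
    return "north-south" if "internet" in (src_zone, dst_zone) else "east-west"


def evaluate(src: str, dst: str, proto: str, dport: int) -> dict:
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        # Same zone: the zone firewalls never see this traffic. Only microsegmentation
        # (per-workload policy) can restrict it.
        verdict = "not-inspected"
    else:
        allowed = POLICY.get((src_zone, dst_zone), set())
        verdict = "allow" if allowed == "any" or (proto, dport) in allowed else "deny"
    return {"src_zone": src_zone, "dst_zone": dst_zone,
            "direction": direction(src_zone, dst_zone), "verdict": verdict}


# Constructed flows (documentation address ranges for the internet side)
FLOWS = {
    "client_to_web": ("203.0.113.9", "192.0.2.10", "tcp", 443),
    "client_to_internal_db": ("203.0.113.9", "10.0.5.20", "tcp", 5432),
    "web_to_db": ("192.0.2.10", "10.0.5.20", "tcp", 5432),
    "web_to_internal_ssh": ("192.0.2.10", "10.0.5.20", "tcp", 22),
    "guest_to_internal": ("172.16.50.33", "10.0.5.20", "tcp", 445),
    "workstation_to_workstation": ("10.0.7.11", "10.0.7.12", "tcp", 445),
}


def evaluate_all() -> dict:
    return {name: evaluate(*flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, r in evaluate_all().items():
        print(f"{name:28s} {r['src_zone']:>10s} -> {r['dst_zone']:<10s} "
              f"{r['direction']:12s} {r['verdict']}")
```

The last flow is the one the ransomware vignette on this page describes: two workstations in the same internal zone. The zone policy returns "not-inspected" because neither firewall sits between them; a VLAN per department would turn that flow into an inter-zone one, and microsegmentation would apply policy even between hosts on the same segment.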

πŸ‘οΈ IDS / IPS Detect & Prevent

IDS β€” Intrusion Detection System
Passive monitoring β€” receives a copy of traffic (via SPAN port or TAP) and generates alerts. Does NOT block traffic. Out-of-band deployment. Lower latency impact. Risk: attacker traffic still reaches destination.
Passive Β· Out-of-band Β· Alerts only
IPS β€” Intrusion Prevention System
Active, inline deployment β€” sits in the traffic path and can drop malicious packets in real time. Blocks threats before they reach targets. Risk: false positives can block legitimate traffic; single point of failure if it goes down.
Inline Β· Active blocking
NIDS / NIPS (Network-based)
Monitors network traffic at a strategic choke point (e.g., perimeter, between zones). Sees all traffic passing through that segment. Doesn't see encrypted traffic unless TLS inspection is also deployed.
Network scope
HIDS / HIPS (Host-based)
Runs as an agent on individual endpoints. Monitors system calls, file changes, registry activity, and local traffic. Sees encrypted traffic after decryption. Higher overhead; better for detecting insider threats and fileless malware.
Host scope Β· Endpoint agent
Signature-Based Detection
Compares traffic/activity against a database of known attack patterns (signatures). Low false positive rate for known threats. Cannot detect zero-days or novel attack variants. Signatures must be kept up to date.
Known threats only
Anomaly / Behavior-Based Detection
Establishes a baseline of normal behavior and flags deviations. Can detect zero-days and unknown threats. Higher false positive rate. Requires a learning period to establish the baseline accurately.
Zero-days Β· Higher false positives
⚠️
The critical IDS vs. IPS distinction: An IDS is passive β€” it cannot stop an attack in progress. An IPS is inline β€” it can drop packets before they reach the destination. If the exam says "the security team wants to stop the attack, not just be notified" β†’ IPS. If it says "monitor without impacting traffic flow" β†’ IDS.
πŸ’‘
False positive vs. false negative: A false positive = IDS/IPS flags legitimate traffic as malicious (annoying, may block good traffic). A false negative = IDS/IPS misses an actual attack (dangerous). Anomaly-based = more false positives. Signature-based = more false negatives for novel attacks.
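The two detection methods and the two deployment modes combine into four behaviours, and the cleanest way to see them is to run both detectors over the same log. The block below is an added example (not from the page): a signature list and a baseline-driven anomaly detector run over constructed DNS query log lines, once in IDS mode (alert, forward everything) and once in IPS mode (alert and drop). The log lines, domains, signature list and the 3-standard-deviation threshold are all constructed assumptions for the example; the DNS-tunneling scenario mirrors the IDS/IPS vignette later on this page.

```python
# Added example (not from the page): signature-based vs. anomaly-based detection
# run over constructed DNS query log lines, in IDS mode (alert, forward everything)
# and IPS mode (alert and drop). Log lines, domains and the signature list are all
# constructed for this example.
import math
import statistics
from typing import List, Tuple

# Learning period: normal queries used to build the behavioral baseline.
BASELINE_LOG = [
    "1000 10.0.0.5 www.example.com",
    "1001 10.0.0.5 mail.example.com",
    "1002 10.0.0.7 cdn.example.net",
    "1003 10.0.0.5 login.example.com",
    "1004 10.0.0.9 api.example.com",
    "1005 10.0.0.7 docs.example.org",
    "1006 10.0.0.9 static.example.net",
    "1007 10.0.0.12 update.example.com",
    "1008 10.0.0.5 www.example.org",
    "1009 10.0.0.7 mail.example.net",
]

# Live traffic to be inspected.
LIVE_LOG = [
    "2000 10.0.0.5 www.example.com",
    "2001 10.0.0.9 update.invalid",  # constructed known-bad domain: looks ordinary, but is on the signature list
    "2002 10.0.0.12 zz3k9q1m7x0vq4p8wl2n3b6c8d0e2f4g.exfil.test",  # constructed tunneling-style query: no signature, far from baseline
]

KNOWN_BAD = {"update.invalid"}  # constructed signature list (known indicators)


def parse(line: str) -> Tuple[int, str, str]:
    ts, client, qname = line.split()
    return int(ts), client, qname.lower().rstrip(".")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def features(qname: str) -> Tuple[int, float]:
    label = qname.split(".")[0]  # the leftmost label carries the data in tunneling-style queries
    return len(label), entropy(label)


class Baseline:
    """Anomaly detector: flag queries more than k standard deviations above the learned mean."""

    def __init__(self, lines: List[str], k: float = 3.0):
        feats = [features(parse(line)[2]) for line in lines]
        lengths = [f[0] for f in feats]
        entropies = [f[1] for f in feats]
        self.max_len = statistics.mean(lengths) + k * statistics.pstdev(lengths)
        self.max_ent = statistics.mean(entropies) + k * statistics.pstdev(entropies)

    def is_anomalous(self, qname: str) -> bool:
        length, ent = features(qname)
        return length > self.max_len or ent > self.max_ent


def analyze(lines: List[str], baseline: Baseline, mode: str = "ids"):
    """Return (alerts, forwarded_qnames). IDS forwards everything; IPS drops flagged queries."""
    alerts, forwarded = [], []
    for line in lines:
        _, client, qname = parse(line)
        reasons = []
        if qname in KNOWN_BAD:
            reasons.append("signature")
        if baseline.is_anomalous(qname):
            reasons.append("anomaly")
        if reasons:
            alerts.append((client, qname, tuple(reasons)))
            if mode == "ips":
                continue  # inline: the query never reaches the resolver
        forwarded.append(qname)  # passive copy (IDS) or clean traffic (IPS)
    return alerts, forwarded


if __name__ == "__main__":
    base = Baseline(BASELINE_LOG)
    for mode in ("ids", "ips"):
        alerts, forwarded = analyze(LIVE_LOG, base, mode)
        print(mode, "alerts:", alerts)
        print(mode, "forwarded:", forwarded)
```

The known-bad domain is caught only by the signature (its label looks like any other short hostname, so the baseline is silent), and the long random label is caught only by the anomaly detector (there is no signature for a domain nobody has seen before). In IDS mode all three queries are still forwarded, which is what preserves the forensic trail the vignette asks for; in IPS mode the two flagged queries are dropped, which is the right call only once the team is willing to accept the false-positive risk.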

Secure Access: Control Who Gets In

VPN — Site-to-Site
Connects two entire networks over the internet using a permanent encrypted tunnel (typically IPSec). Users on either network communicate as if on the same LAN. Always-on; managed by routers/gateways, not individual users.
Network-to-network · IPSec
VPN — Remote Access
Individual users connect to the corporate network from outside. Can use IPSec (Layer 3) or SSL/TLS (Layer 4–7, port 443). SSL VPNs work through a browser with no client required (clientless). More common for mobile/hybrid workers.
User-to-network · SSL/TLS or IPSec
Split Tunneling
Only corporate-bound traffic is routed through the VPN tunnel; internet traffic goes directly to the internet. Reduces VPN load but creates a security risk — a compromised endpoint has direct internet access while also connected to the corporate network.
⚠️ Security risk
Zero Trust Architecture
"Never trust, always verify" — no implicit trust based on network location. Every access request requires authentication, authorization, and continuous verification regardless of whether the user is inside or outside the network perimeter. Microsegmentation is the technical implementation.
Identity-centric · Always verify
802.1X / NAC
802.1X: IEEE port-based authentication standard — requires authentication (via RADIUS) before a device is granted network access. NAC (Network Access Control): enforces security posture checks (patch level, AV status) before granting access. Quarantine VLAN for non-compliant devices.
Layer 2 · Port authentication
Jump Server / Bastion Host
A hardened, dedicated server that acts as a secure intermediary for administrative access to systems in a protected network segment. Admins must first connect to the jump server, then access internal systems from there. Creates a single audited access point.
Admin access control · Audit trail

IPSec modes: Tunnel mode encrypts the entire original IP packet (including header) and adds a new outer IP header. Used for site-to-site VPNs. Transport mode encrypts only the payload, leaving the original IP header intact. Used for host-to-host communication. The exam may test this distinction.

Proxy types: A forward proxy sits between clients and the internet (clients route through it — used for content filtering and anonymity). A reverse proxy sits in front of servers (internet routes to it first — used for load balancing, WAF, and hiding server IPs). Transparent proxies intercept traffic without client configuration.
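The tunnel-mode vs. transport-mode distinction is about which bytes an observer on the path can still read, so a byte-level model makes it concrete. The block below is an added example (not from the page and not a real IPsec implementation): it builds genuine IPv4 headers, then applies each mode to the same packet and reports what is visible on the wire. Two simplifications are assumptions of the example and are marked in the code: the ESP cipher is a stand-in keystream built from HMAC-SHA256 so the block runs with only the standard library (real ESP uses a proper AEAD such as AES-GCM), and the next-header byte is placed at the front of the encrypted data rather than in the ESP trailer where RFC 4303 puts it. Addresses and the key are constructed.

```python
# Added example (not from the page): a byte-level model of IPsec tunnel mode vs.
# transport mode. IPv4 headers are real-format; the ESP cipher is a stand-in
# keystream (HMAC-SHA256 in counter mode) used only so the example runs with the
# standard library. It is NOT the real ESP transform, and the next-header byte is
# placed at the front of the encrypted data instead of in the ESP trailer.
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50  # IP protocol number for ESP
TCP_PROTO = 6


def checksum(hdr: bytes) -> int:
    """Standard IPv4 one's-complement header checksum."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def esp_wrap(key: bytes, spi: int, seq: int, plain: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the encrypted data."""
    ks = keystream(key, spi, seq, len(plain))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plain, ks))


def esp_unwrap(key: bytes, esp: bytes) -> bytes:
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, spi, seq, len(body))))


def transport_mode(key: bytes, spi: int, seq: int, pkt: bytes) -> bytes:
    """Keep the original IP header; encrypt only the payload (host-to-host)."""
    src, dst, proto, payload = parse_ipv4(pkt)
    return ipv4_packet(src, dst, ESP_PROTO, esp_wrap(key, spi, seq, bytes([proto]) + payload))


def tunnel_mode(key: bytes, spi: int, seq: int, pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Encrypt the whole original packet, header included, behind a new outer header (site-to-site)."""
    return ipv4_packet(gw_src, gw_dst, ESP_PROTO, esp_wrap(key, spi, seq, pkt))


def transport_decap(key: bytes, pkt: bytes) -> bytes:
    src, dst, _, esp = parse_ipv4(pkt)
    plain = esp_unwrap(key, esp)
    return ipv4_packet(src, dst, plain[0], plain[1:])


def tunnel_decap(key: bytes, pkt: bytes) -> bytes:
    return esp_unwrap(key, parse_ipv4(pkt)[3])


def on_wire(pkt: bytes) -> dict:
    """What an observer between the two sites can read from the outer header."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return {"src": src, "dst": dst, "proto": proto}


# Constructed inputs: a host in site A talking to a host in site B, gateways on documentation ranges.
KEY = b"constructed-demo-key-not-for-use"
SPI = 0x1001
ORIGINAL = ipv4_packet("10.1.0.5", "10.2.0.8", TCP_PROTO, b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    t = transport_mode(KEY, SPI, 1, ORIGINAL)
    u = tunnel_mode(KEY, SPI, 1, ORIGINAL, "203.0.113.1", "198.51.100.1")
    print("transport mode on the wire:", on_wire(t))  # inner hosts still visible
    print("tunnel mode on the wire:   ", on_wire(u))  # only the gateways visible
```

In transport mode the outer header still names 10.1.0.5 and 10.2.0.8, so an observer learns which internal hosts are talking even though the payload is opaque; in tunnel mode the only addresses on the wire are the two gateways, which is why site-to-site VPNs use it. Both decapsulation functions return the original packet byte-for-byte, which is the property the receiving side depends on.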
Side-by-Side Comparison

Filter by control category or view all together. Focus on what each control does vs. what it doesn't do — the most common exam trap.

| Criterion | Firewalls | Segmentation | IDS/IPS | Secure Access |
|---|---|---|---|---|
| Primary Function | Control traffic flow between zones based on rules | Divide the network into isolated zones to contain breaches | Monitor traffic for malicious activity; IPS blocks it | Authenticate and authorize users/devices before granting network access |
| Active Blocking? | ✅ Yes — drops packets per rules | ✅ Partially — traffic between zones is blocked by design | IDS: ❌ No · IPS: ✅ Yes | ✅ Yes — unauthenticated devices denied access |
| OSI Layer | Packet filter: L3/4 · Stateful: L4 · NGFW/WAF: L7 | VLAN: L2 · DMZ/subnets: L3 · Microseg: L3–7 | NIDS/NIPS: L3–7 · HIDS/HIPS: All layers on host | 802.1X: L2 · VPN IPSec: L3 · SSL VPN: L4–7 |
| Addresses Lateral Movement? | ⚠️ Partially — if internal zones have firewalls between them | ✅ Yes — microsegmentation directly targets east-west traffic | ✅ Yes (IPS) — detects and blocks lateral movement patterns | ✅ Yes — Zero Trust requires re-auth for every lateral move |
| Detects Zero-Days? | ❌ No — rules are manually defined | ❌ No — limits blast radius but doesn't detect | Signature: ❌ No · Anomaly: ✅ Yes | ❌ No — controls access, not attack detection |
| Key Limitation | WAF: only HTTP · Packet filter: no state · NGFW: complex, expensive | VLAN: doesn't encrypt · Air gap: inconvenient · DMZ: doesn't help east-west | IDS: can't stop attacks · Anomaly: false positives · Signature: misses new attacks | Split tunneling: security risk · VPN: perimeter-only (vs. Zero Trust) |
| Exam Keyword | "SQL injection protection" = WAF · "Application-aware" = NGFW · "Stateless" = packet filter | "Public-facing servers" = DMZ · "Separate broadcast domains" = VLAN · "No network connection" = air gap | "Alerts only, doesn't block" = IDS · "Inline, blocks traffic" = IPS · "Zero-day detection" = anomaly-based | "Never trust, always verify" = Zero Trust · "Port authentication" = 802.1X · "Admin access intermediary" = jump server |
| Typical Placement | Network perimeter, between zones, in front of web servers (WAF) | Entire network architecture — DMZ at edge, VLANs throughout, air gap at most sensitive systems | IDS: on a SPAN/TAP port · IPS: inline between zones or at perimeter | VPN: perimeter · 802.1X: switch/access point ports · Jump server: inside restricted segment |
Exam-Style Vignettes

Read each scenario and identify the correct control before checking the breakdown — mirrors the SY0-701 scenario question format.

Firewall: Choosing the Right Firewall
"A company hosts a customer-facing web application that has been targeted by SQL injection and cross-site scripting attacks. The security team wants to add a control specifically to filter malicious HTTP requests before they reach the web server, without replacing the existing network firewall."
Correct Control: WAF (Web Application Firewall) — specifically inspects HTTP/HTTPS at Layer 7 for OWASP attacks
Why Not NGFW? NGFW inspects all traffic broadly; a WAF is specifically designed for web application protection (SQL injection, XSS)
Why Not IPS? An IPS can detect these attacks, but a WAF is the purpose-built, most appropriate answer for web app protection
Exam Trigger: "Web application," "SQL injection," "XSS," "HTTP requests" → WAF is always the answer

Segmentation: Containing a Breach
"After a ransomware infection on a workstation in the accounting department, the malware spread to 40 other machines within 2 hours. The CISO wants to redesign the network so that a future infection in one department cannot reach other departments or critical servers."
Correct Control: Network segmentation — VLANs per department + microsegmentation for critical servers limits lateral (east-west) movement
Key Concept: East-west traffic (lateral movement within the network) is what allowed the ransomware to spread — segmentation is the direct answer
Supporting Controls: IPS to detect/block the spread + firewall rules between segments + NAC to check device health
Exam Key: "Spread within network," "limit lateral movement," "contain breaches" → Segmentation (VLANs, microsegmentation)

IDS/IPS: Monitor vs. Block
"A security analyst notices unusual outbound DNS queries from an internal server — short queries to many different random-looking domains at regular intervals, suggesting DNS tunneling. The team wants to detect and investigate this behavior without yet modifying traffic flow, to gather forensic data."
Correct Control: NIDS (Network IDS) — passive monitoring, generates alerts and logs without blocking traffic, preserving forensic evidence
Why Not IPS? The team specifically does not want to modify traffic flow — IPS is inline and would block the traffic before full investigation
Detection Method: Anomaly-based IDS is best here — DNS tunneling doesn't match known signatures; it's a behavioral deviation from normal DNS patterns
Exam Key: "Monitor without blocking," "gather forensic data," "don't affect traffic" → IDS (not IPS)

Secure Access: Zero Trust in Practice
"A financial services company wants to move away from the traditional perimeter-based security model where users inside the corporate network are automatically trusted. They want every access request to a resource — even from internal users — to be authenticated, authorized, and logged, regardless of network location."
Architecture: Zero Trust — "never trust, always verify" replaces the implicit trust of the traditional castle-and-moat model
Technical Implementation: Microsegmentation + identity-based access control + continuous verification + least privilege
Why Not VPN? A VPN creates a trusted tunnel — once inside, users get broad network access. Zero Trust is the opposite philosophy.
Exam Key: "Never trust, always verify," "regardless of network location," "every request authenticated" → Zero Trust Architecture

Common exam traps: (1) IDS cannot block attacks — if the question wants to stop an attack, it's IPS. (2) VLANs separate traffic at Layer 2 but do NOT encrypt it — VLAN hopping is a real attack. (3) "Screened subnet" and "DMZ" mean the same thing on the exam. (4) Split tunneling with VPN is a security risk — not a best practice. (5) 802.1X is not the same as NAC — 802.1X is the authentication protocol; NAC is the broader posture enforcement system that may use 802.1X.
Memory Hooks & Mnemonics


Firewalls
Q: How do you remember the firewall hierarchy?
A: Packet → Stateful → NGFW → WAF. More layers = more inspection.
Each generation adds a layer of awareness: headers only → state → application → web-specific. WAF is not a replacement for a firewall — it's an addition for web apps.

WAF
Q: When do you use a WAF vs. a NGFW?
A: "SQL injection + XSS + web app" = WAF. Everything else = NGFW.
WAF is Layer 7 HTTP/HTTPS ONLY. NGFW is Layer 7 for all traffic. If the exam says web application + OWASP attacks = WAF. General traffic inspection = NGFW.

DMZ
Q: What is the DMZ / screened subnet for?
A: "Public servers live in the DMZ. Internal servers never face the internet."
DMZ = screened subnet on the exam. Web servers, mail servers, and DNS servers go in the DMZ. Internal databases and HR systems stay behind the second firewall in the internal LAN.

VLAN
Q: What does a VLAN do — and what doesn't it do?
A: VLAN separates. VLAN does NOT encrypt.
VLANs create logical broadcast domain separation at Layer 2. They reduce the attack surface but they do NOT encrypt traffic between VLANs. VLAN hopping is a real attack — inter-VLAN routing via a firewall adds proper security.

IDS vs IPS
Q: IDS or IPS — which one blocks?
A: IDS = "I'll tell you." IPS = "I'll stop it."
IDS is passive — it receives a copy of traffic and alerts. IPS is inline — it sits in the path and can drop packets. "Monitor without blocking" = IDS. "Stop the attack in real time" = IPS.

Detection Methods
Q: Signature vs. anomaly-based IDS/IPS?
A: Signature = known. Anomaly = new.
Signature-based: low false positives, can't detect zero-days. Anomaly-based: detects novel/zero-day attacks, higher false positives (needs a baseline). Exam: "detect zero-day" = anomaly. "Known attack patterns" = signature.

Zero Trust
Q: What is Zero Trust and how does it differ from VPN?
A: "VPN = trust the tunnel. Zero Trust = trust nothing, verify everything."
VPN creates a trusted perimeter — once inside, broad access. Zero Trust gives no implicit trust based on location. Every request must be authenticated, authorized, and verified — even from inside the network.

802.1X
Q: What is 802.1X and where is it used?
A: "Plug in → Authenticate FIRST → then get access."
802.1X is port-based NAC. When a device connects to a switch port or Wi-Fi, it must authenticate via RADIUS before traffic is allowed. The port stays in an unauthorized state until authentication succeeds. Prevents rogue device access.

SY0-701 Quick-Recall Cheat Sheet

| If the exam says… | Key detail | Answer |
|---|---|---|
| "Protect web app from SQL injection / XSS" | HTTP/HTTPS only, Layer 7 | WAF |
| "Application-aware, DPI, user identity tracking" | All traffic, Layer 7 | NGFW |
| "Tracks connection state, blocks out-of-state packets" | State table, Layer 4 | Stateful Firewall |
| "Public-facing servers," "buffer zone between internet and LAN" | Screened subnet = DMZ | DMZ / Screened Subnet |
| "Separate broadcast domains," "logical separation on a switch" | Layer 2 logical | VLAN |
| "No network connection," "SCADA," "nuclear," "classified" | Physical isolation | Air Gap |
| "Lateral movement," "east-west traffic," "workload isolation" | Fine-grained, SDN | Microsegmentation |
| "Alerts only," "does not block," "monitor for forensics" | Passive, out-of-band | IDS (NIDS/HIDS) |
| "Inline," "blocks in real time," "drops malicious packets" | Active, in-path | IPS (NIPS/HIPS) |
| "Detects zero-days," "behavioral baseline," "more false positives" | Deviation from normal | Anomaly-based IDS/IPS |
| "Never trust, always verify," "no implicit trust by location" | Identity-centric model | Zero Trust Architecture |
| "Port authentication," "device must authenticate before LAN access" | IEEE standard, RADIUS | 802.1X / NAC |
| "Admin access intermediary," "jump to internal systems" | Single audited access point | Jump Server / Bastion Host |
| "Split tunneling" (in a security context) | Risk: direct internet + VPN | ⚠️ Security Risk — avoid |