
CISSP Domain 4: Communication and Network Security Guide — Secure the Wire

Master CISSP Domain 4, Communication and Network Security — the 13% slice where secure-by-design networks, zero trust, and crypto-in-transit decide whether you pass and whether your traffic survives the real world.

📅 2026-06-03 · ⏱ 14 min · 1 interactive demo · 5 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

CISSP Domain 4: Communication and Network Security (13%). Learn secure network design, zero trust segmentation, TLS 1.3/IPsec, and network attack defenses — exam-ready.

🎯 By the end you will be able to

1. Models & secure design: Match every control to its OSI layer — the layer dictates what it can inspect and block.
2. Segmentation & zero trust: SASE/ZTNA controls entry; only microsegmentation stops east-west lateral movement.
3. Secure protocols & crypto in transit: Encrypt in transit with TLS 1.3 and ESP-tunnel IPsec; retire Telnet/FTP/SNMPv1.
4. Attacks & network defenses: Match each network attack to its specific control: ARP→DAI, DNS→DNSSEC, MITM→IPS, rogue device→802.1X NAC.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Which model layer does TLS primarily operate at, and what does it protect?

Answered in Models & secure design.

2. In NIST SP 800-207 zero trust, what makes the actual allow/deny decision?

Answered in Secure protocols & crypto in transit.

3. Why is DNS especially vulnerable to spoofing and cache poisoning?

Answered in Segmentation & zero trust.

Most engineers think…

"If my internal network sits behind a firewall, traffic inside it is trusted and safe."

That castle-and-moat assumption is exactly what zero trust dismantles. NIST SP 800-207 treats network location as irrelevant to trust — every request is authenticated and authorized per-resource. Once an attacker breaches the perimeter, a flat "trusted" interior is a free highway for lateral movement, which is why microsegmentation now cuts successful spoofing and lateral attacks by up to 90%.

Domain 4, Communication and Network Security, is 13% of the CISSP exam and the most hands-on of the eight domains — it is where architecture meets the packet. You will reason about secure network design (OSI/TCP-IP models, defense-in-depth, IPv6, SDN, VoIP convergence), then carve that network into trust zones with VLANs, microsegmentation, and NIST SP 800-207 zero trust. You will choose crypto for data in motion — TLS 1.3, IPsec, SSH, SFTP — and retire the weak protocols auditors now flag. Finally you will defend the wire against DDoS, DNS spoofing, ARP poisoning, and on-path attacks. In a real SOC or network-security role, these are the decisions that keep traffic confidential, authentic, and available every single day.

Figure 1 — Domain 4 in the CBK
Where Domain 4 sits inside the eight-domain CISSP Common Body of Knowledge, with exam weights: 1 Security & Risk Mgmt 16%; 2 Asset Security 10%; 3 Architecture & Eng 13%; 4 Network Security 13% (you are here); 5 IAM 13%; 6 Assessment & Testing 12%; 7 Security Operations 13%; 8 Software Dev Security 10%.
Domain 4 is 13% of the CISSP exam. This deep dive is one of eight — the others are linked at the bottom.

Figure 2 — The four areas of Domain 4
Domain 4 broken into its four study areas — Models & secure design, Segmentation & zero trust, Secure protocols & crypto in transit, Attacks & network defenses — each with its single most important takeaway (the four listed at the top of this guide).
This blog walks all four areas in order.


Models & secure design

Think of the OSI model like the postal system: your letter passes through the writer, the envelope, the sorting office, the truck, and the road — each stage has its own way of going wrong, and its own guard. CISSP Domain 4 (13% of the exam) asks you to map controls precisely to OSI layers, because the layer decides which control even works.

Walk the stack bottom-up:

Layer 1 (Physical) — cable shielding, port security, locked patch panels; threats are wiretaps and jamming.
Layer 2 (Data Link) — MAC filtering, 802.1X, DHCP snooping, dynamic ARP inspection; threats are MAC flooding and ARP poisoning.
Layer 3 (Network) — IP firewalls, ACLs, and IPsec; this is where routing and addressing live.
Layer 4 (Transport) — stateful firewalls and TLS over TCP.
Layers 5–7 — proxies, WAFs, and application gateways that read HTTP methods and URLs.

A packet filter cannot block an SQL injection; only a Layer-7 control sees the payload.

The TCP/IP model collapses OSI into four layers (Link, Internet, Transport, Application) — same idea, fewer boxes. For IPv4 vs IPv6, know the four cast types ISC2 lists: unicast, multicast, anycast, and (IPv4-only) broadcast — IPv6 replaces broadcast with multicast. IPsec is optional in IPv4 but a native architectural feature of IPv6.

Secure architecture layers these into defense in depth: perimeter firewalls, VLAN segmentation, micro-segmentation, and zero trust where every flow is verified, never trusted by location.

Exam tip

If a question gives you a control and asks "which OSI layer?", match by what the control inspects: MAC=L2, IP=L3, ports/sessions=L4, URLs/payload=L7.

Priya at Infosys faces this

Her team bought a Layer-3 firewall to stop a credential-stuffing attack on the login API, but the attacks keep landing.

Likely cause

The L3 firewall only sees IPs and ports (10.20.4.0/24:443) — it cannot read the HTTP body or rate-limit per-user, so the application-layer abuse slips through.

CISSP move

Add a Layer-7 control — a WAF or reverse proxy — that inspects HTTP and applies per-account throttling, sitting above the firewall in defense in depth.

Quick check · Q1 of 10

At which OSI layer does an Encapsulating Security Payload (ESP) header from IPsec operate?

Correct: a. IPsec (AH and ESP) secures traffic at the Network layer (Layer 3), where IP addressing and routing occur — which is why it can protect any upper-layer protocol transparently.


Segmentation & zero trust

Think of a ship: one open hold floods the whole vessel, but watertight compartments contain the breach. Network segmentation builds those compartments. The old "castle-and-moat" model trusted everyone inside the perimeter, so one phished laptop let an attacker roam freely. Lateral movement is exactly that roaming, and segmentation is how you stop it.

VLANs and subnetting are the classic coarse controls. A VLAN logically groups ports into a broadcast domain, so HR and Finance share switches but never see each other's frames. Subnetting splits an IP range (say 10.20.0.0/16 into /24s) so routers and ACLs can filter between zones. These work, but they are wide: any host inside a VLAN can usually talk to its neighbours unfiltered.

Microsegmentation tightens this to the individual workload. Identity-aware, host-level firewall policies allow only sanctioned flows, for example "web tier may reach app tier on 8443, nothing else." This shrinks the blast radius dramatically.

The industry has shifted from the perimeter to Zero Trust Network Access (ZTNA): never trust, always verify, grant least privilege per session. ZTNA connects a verified user to one named application, not the whole LAN, so a stolen credential cannot pivot. SASE and its security-only subset SSE deliver these controls from the cloud edge.
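To make the "coarse VLAN vs microsegmentation" point concrete, here is an added Python model (not from the lesson) that computes the direct blast radius of one compromised host under each policy. The hosts, tiers, VLAN ACLs and the probe ports are constructed; only the 10.20.0.0/16 addressing mirrors the lesson's scenario.

```python
"""Blast radius of one compromised host: coarse VLAN/ACL zoning vs microsegmentation.

Added example, not from the lesson. Hosts, tiers, VLAN ACLs and the allow-list are
constructed; the 10.20.0.0/16 addressing only mirrors the lesson's scenario.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory: host -> (IP, tier). Each /24 is one VLAN.
HOSTS = {
    "laptop-fin-01": ("10.20.10.15", "user"),
    "laptop-fin-02": ("10.20.10.22", "user"),
    "web-01": ("10.20.20.10", "web"),
    "app-01": ("10.20.20.11", "app"),   # shares the web VLAN, as coarse designs often do
    "db-01": ("10.20.30.5", "db"),
}

# Coarse model: inside a VLAN everything talks; between VLANs only these
# (src_subnet, dst_subnet, port) ACL entries are permitted.
VLAN_ACLS = [
    (ip_network("10.20.10.0/24"), ip_network("10.20.20.0/24"), 443),   # users -> web VLAN
    (ip_network("10.20.20.0/24"), ip_network("10.20.30.0/24"), 5432),  # web/app VLAN -> db
]

# Microsegmentation: identity-aware, default-deny allow-list keyed on tier,
# e.g. "web tier may reach app tier on 8443, nothing else".
MICROSEG_ALLOW = {
    ("user", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
}

PORTS = (443, 5432, 8443, 22)   # constructed probe set for the reachability check


def _vlan(host: str):
    """The /24 VLAN a host sits in (constructed: one /24 per VLAN)."""
    return ip_network(HOSTS[host][0] + "/24", strict=False)


def coarse_allows(src: str, dst: str, port: int) -> bool:
    """Same VLAN => unfiltered neighbours; different VLAN => subnet ACL lookup."""
    if _vlan(src) == _vlan(dst):
        return True
    s, d = ip_address(HOSTS[src][0]), ip_address(HOSTS[dst][0])
    # Note the ACL is subnet-wide: "users -> web VLAN:443" also admits app-01.
    return any(s in sn and d in dn and port == p for sn, dn, p in VLAN_ACLS)


def microseg_allows(src: str, dst: str, port: int) -> bool:
    """Only explicitly sanctioned tier-to-tier flows, regardless of VLAN placement."""
    return (HOSTS[src][1], HOSTS[dst][1], port) in MICROSEG_ALLOW


def reachable(compromised: str, allows) -> dict:
    """Direct blast radius: every host (with ports) the compromised host can open a flow to."""
    radius = {}
    for dst in HOSTS:
        if dst == compromised:
            continue
        ports = [p for p in PORTS if allows(compromised, dst, p)]
        if ports:
            radius[dst] = ports
    return radius


if __name__ == "__main__":
    for victim in ("laptop-fin-01", "app-01"):
        print(f"{victim} compromised:")
        print("  coarse VLAN/ACL :", reachable(victim, coarse_allows))
        print("  microsegmented  :", reachable(victim, microseg_allows))
```

Under the coarse policy a phished finance laptop reaches its VLAN neighbour on every port and both web-01 and app-01 on 443; under microsegmentation it reaches only web-01:443.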

Exam tip

Gartner's current guidance: SASE/ZTNA secures the way users get IN, but assumes trust once authenticated. It does NOT stop east-west lateral movement. Full Zero Trust = ZTNA plus microsegmentation. Expect a question where "deploy SASE" is the tempting-but-incomplete answer.

Priya at HDFC faces this

A contractor's VPN account is phished, and within hours the attacker reaches a database server two subnets away.

Likely cause

Flat VLAN trust: the VPN dropped the user onto the corporate /16 with open east-west reachability to 10.20.30.0/24.

CISSP move

Replace VPN with ZTNA (per-app, no network placement) and microsegment the DB tier so only the app server's identity can connect.

Quick check · Q2 of 10

A bank deploys SASE with ZTNA so remote staff reach only the apps they need. Months later, malware on one authenticated finance laptop spreads to other servers in the same data-center subnet. Which control should the architect add to directly stop this?

Correct: c. ZTNA/SASE secures user-to-app entry but trusts authenticated sessions and does not police east-west traffic. Microsegmentation enforces workload-level least privilege, stopping lateral spread. MFA and SWG address access and web egress, not internal movement; a larger subnet widens, not narrows, reachability.
Figure 3 — The TLS 1.3 handshake (simplified)
The ordered steps, where step 2 is the decisive one: 1 ClientHello + key share → 2 ServerHello + certificate → 3 Client verifies the certificate → 4 Both derive session keys → 5 Encrypted application data.
Examiners test the ORDER, so learn it as a sequence, not a list.

Secure protocols & crypto in transit

Think of secure transit protocols like sealed, tamper-proof courier bags: anyone can see a bag moving, but no one can read or swap the contents in transit. CISSP Domain 4 (objective 4.1.3) expects you to pick the right "bag" for each flow and to retire the leaky envelopes.

TLS 1.3 is now the baseline for application-layer encryption. It mandates forward secrecy on every connection via ephemeral Diffie-Hellman, drops weak ciphers (RC4, 3DES, static RSA key exchange), and completes its handshake in one round trip (1-RTT). TLS 1.0 and 1.1 are deprecated; treat them as findings in any audit. For the exam, remember TLS 1.3 also encrypts more handshake metadata than 1.2.
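As an added example (not from the lesson or any vendor), the following Python uses only the standard-library ssl module to build a client context that meets this baseline, a weakened one of the kind auditors flag, and an audit function that reports the findings; the function names and finding wording are my own, and nothing here touches the network.

```python
"""Audit a Python ssl.SSLContext against the lesson's transit-crypto baseline.

Added example, not from the lesson: TLS 1.3 minimum, certificate verified,
hostname checked. Standard library only; nothing connects anywhere.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching the baseline: TLS 1.3 only, certificate verified (step 3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # check_hostname=True, CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3    # 1.0/1.1 are deprecated; 1.2 is below baseline
    ctx.load_default_certs()                        # trust the OS CA store for certificate checks
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The 'before' picture an audit flags: verification off, an older version negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # must be off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                 # skips handshake step 3: any certificate accepted
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # leaves 1.2 negotiable (1.3 is the baseline)
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return audit findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("FAIL: TLS 1.0/1.1 (or older) negotiable; deprecated, audit finding")
    elif ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("WARN: TLS 1.2 still negotiable; raise minimum_version to TLS 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("FAIL: server certificate not verified (handshake step 3 skipped)")
    if not ctx.check_hostname:
        findings.append("FAIL: hostname not checked against the certificate (on-path swap possible)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()) or "no findings")
    print("weakened:", audit_client_context(weakened_client_context()))
```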

IPsec secures traffic at the network layer. AH gives integrity and authentication only, while ESP adds confidentiality. IKE (usually IKEv2) negotiates keys and builds the security associations. Transport mode protects only the payload between two hosts; tunnel mode wraps the entire original packet and is what site-to-site and remote-access VPNs use.

Exam tip

If a question wants confidentiality across untrusted networks, the answer is ESP in tunnel mode — never AH, because AH encrypts nothing.

Secure DNS splits into two goals. DNSSEC signs records to guarantee authenticity and stop cache poisoning, but it does not encrypt queries. DoH and DoT encrypt the query channel itself, blocking eavesdropping and on-path tampering. Finally, replace insecure protocols: Telnet → SSH, FTP → SFTP/FTPS, and SNMPv1/v2c → SNMPv3 (which adds authentication and encryption).

Karthik at HDFC faces this

A pentest report flags that core switches still accept Telnet on 10.20.5.0/24 and that DNS answers can be spoofed on the branch network.

Likely cause

Legacy management plane uses cleartext Telnet and SNMPv1, and resolvers trust unsigned, unencrypted DNS responses.

CISSP move

Disable Telnet, enforce SSH and SNMPv3, validate DNSSEC at resolvers, and add DoT so branch queries stay confidential.

Quick check · Q3 of 10

Priya at Infosys must secure a site-to-site VPN between two data centres over the public internet, with full confidentiality of the original IP headers and payload. Which IPsec configuration should she deploy?

Correct: b. ESP provides confidentiality (AH does not encrypt), and tunnel mode encapsulates the entire original packet including its headers — exactly what a site-to-site VPN over an untrusted network needs. Transport mode would expose the original IP header.
Figure 4 — Legacy VPN vs ZTNA
Side by side so the trade-off is obvious:

                    Legacy VPN            ZTNA
Trusts              The network           Per-app identity + device
Grants              Full subnet access    One application
Lateral movement    Easy once inside      Blocked by default
Model               Perimeter             Zero Trust

Legacy VPN vs ZTNA — most domain questions hinge on telling these apart.


Attacks & network defenses

Think of your network like a busy Mumbai apartment society: attackers either jam the gate (DDoS), pose as the watchman (MITM), or quietly rewrite the visitor register (DNS poisoning). Domain 4 expects you to know both the break-ins and the guards you post against them.

The attacks. A DDoS attack floods a target from thousands of bots, exhausting bandwidth, connection tables, or application threads. Defend in layers: upstream scrubbing, rate-limiting, SYN cookies, and anycast to spread load. A MITM attack inserts the attacker into the conversation, usually via ARP spoofing on the LAN. The attacker sends forged ARP replies, so victims map the gateway IP to the attacker's MAC, and traffic now flows through them. Counter it with Dynamic ARP Inspection, DHCP snooping, and port security. DNS attacks include cache poisoning, where a forged response plants a fake A-record, and DNS hijacking. DNSSEC validates origin and integrity, while DoH and DoT encrypt the query path.

Wireless: WPA3. WPA3 replaces WPA2's PSK 4-way handshake with SAE (the Dragonfly handshake), killing offline dictionary attacks and adding forward secrecy. WPA3-Enterprise offers an optional 192-bit mode (GCMP-256). Avoid Transition Mode in high-security zones; it re-opens WPA2 weaknesses.

The defenses. Firewalls progress from packet-filtering (Layer 3/4 ACLs) to stateful (tracks connection state) to application-layer/proxy and NGFW (adds IPS, app-ID, TLS inspection). An IDS only alerts; an IPS sits inline and blocks. NAC with 802.1X authenticates the device at the switch port (supplicant → authenticator → RADIUS) before any IP is issued. Proxies broker traffic, hiding clients and enabling content inspection.
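The ARP→DAI pairing above, modelled as an added Python example (not from the lesson or any switch vendor): Dynamic ARP Inspection checks each ARP reply on an untrusted port against the DHCP snooping binding table, and a second function gives the SOC view from the lesson's Q4, which MACs are claiming the gateway IP. The binding table, port names and ARP replies are constructed; the 10.20.0.1 gateway and VLAN 20 mirror the lesson's scenario.

```python
"""Dynamic ARP Inspection (DAI) decision logic over constructed data.

Added example, not from the lesson or a vendor. A real switch does this per port
in hardware; the binding table here stands in for what DHCP snooping learns.
"""
from collections import defaultdict

# Constructed DHCP snooping binding table: (vlan, ip) -> mac learned from DHCP ACKs.
BINDINGS = {
    (20, "10.20.0.1"): "00:11:22:33:44:01",   # gateway (static entry on the switch)
    (20, "10.20.0.50"): "aa:bb:cc:00:00:50",  # branch laptop
    (20, "10.20.0.51"): "aa:bb:cc:00:00:51",  # branch laptop
    (20, "10.20.0.77"): "de:ad:be:ef:00:77",  # the rogue host's own, legitimate lease
}

# The uplink to the distribution switch carries the gateway's genuine ARP replies.
TRUSTED_PORTS = {"Gi1/0/48"}

# Constructed ARP replies as seen at access ports: (port, vlan, sender_ip, sender_mac).
ARP_REPLIES = [
    ("Gi1/0/48", 20, "10.20.0.1", "00:11:22:33:44:01"),   # real gateway, via trusted uplink
    ("Gi1/0/5", 20, "10.20.0.50", "aa:bb:cc:00:00:50"),   # laptop answering for itself
    ("Gi1/0/7", 20, "10.20.0.1", "de:ad:be:ef:00:77"),    # rogue host claims the gateway IP
    ("Gi1/0/7", 20, "10.20.0.1", "de:ad:be:ef:00:77"),    # ...and keeps repeating the claim
    ("Gi1/0/9", 20, "10.20.0.99", "aa:bb:cc:00:00:99"),   # no DHCP lease -> unknown binding
]


def dai_verdict(port, vlan, sender_ip, sender_mac):
    """Return ('permit'|'drop', reason), the per-packet decision DAI makes."""
    if port in TRUSTED_PORTS:
        return "permit", "trusted port (not inspected)"
    bound_mac = BINDINGS.get((vlan, sender_ip))
    if bound_mac is None:
        return "drop", f"no DHCP binding for {sender_ip} in VLAN {vlan}"
    if bound_mac != sender_mac:
        return "drop", f"{sender_ip} is bound to {bound_mac}, not {sender_mac}"
    return "permit", "matches binding table"


def inspect(replies):
    """Run DAI over a batch; return (port, verdict, reason) per reply."""
    return [(port, *dai_verdict(port, vlan, ip, mac)) for port, vlan, ip, mac in replies]


def drop_count_by_port(replies):
    """Ports generating dropped ARP replies: the first place to look for the rogue host."""
    counts = defaultdict(int)
    for port, verdict, _reason in inspect(replies):
        if verdict == "drop":
            counts[port] += 1
    return dict(counts)


def gateway_claims(replies, gateway_ip):
    """SOC view: which MACs claim the gateway IP, and on which ports they were seen."""
    claims = defaultdict(set)
    for port, _vlan, ip, mac in replies:
        if ip == gateway_ip:
            claims[mac].add(port)
    return {mac: sorted(ports) for mac, ports in claims.items()}


if __name__ == "__main__":
    for port, verdict, reason in inspect(ARP_REPLIES):
        print(f"{port:9} {verdict:6} {reason}")
    print("drops by port:", drop_count_by_port(ARP_REPLIES))
    print("gateway claims:", gateway_claims(ARP_REPLIES, "10.20.0.1"))
```

Two MACs claiming 10.20.0.1, one of them only ever seen on an untrusted access port, is the symptom in Q4; with DAI enabled those replies never reach the victims' ARP caches.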

Exam tip

IDS detects and alerts; IPS detects and blocks inline. If the question stresses "prevent" or "drop the packet in real time," choose IPS, not IDS.

Priya at HDFC faces this

Several branch laptops suddenly route their gateway traffic through one unknown MAC on VLAN 20, and TLS warnings spike.

Likely cause

ARP spoofing: a rogue host floods forged ARP replies (10.20.0.1 → attacker MAC), enabling an on-path MITM.

CISSP move

Enable Dynamic ARP Inspection plus DHCP snooping on the access switches, and enforce 802.1X NAC so unknown devices never reach VLAN 20.

Quick check · Q4 of 10

A SOC analyst at TCS sees a switch where multiple hosts report the default gateway IP mapped to one unexpected MAC, and intercepted sessions show altered TLS certificates. Which control most directly addresses the root technique being used?

Correct: d. One gateway IP mapping to a rogue MAC is classic ARP spoofing enabling MITM; Dynamic ARP Inspection (with DHCP snooping for the trusted binding table) drops forged ARP replies at the port. DNSSEC addresses DNS forgery, WPA3 addresses wireless cracking, and a proxy inspects content but does not stop Layer-2 ARP poisoning.

Domain 4 in the AI era (2026)

CISSP Domain 4 has always been about secure channels — but in 2025/2026 the wire is patrolled by machine learning on both sides. Modern Network Detection and Response (NDR) no longer relies on static signatures; it baselines "normal" behaviour across users, devices and applications, then flags deviations (odd file transfers, beaconing on non-standard ports, abnormal east-west flows) and contains them at machine speed. This same AI engine now lives inside SASE platforms, where it powers ZTNA ("never trust, always verify") by scoring every session on context, risk and intent. Gartner's 2025 SASE Magic Quadrant (Fortinet, Netskope as Leaders; Cloudflare a Visionary) projects single-vendor SASE to jump from 30% to 50% of new deployments — convergence is the direction of travel.

The reason defenders need AI is that attackers already have it. AI-linked phishing surged 1,265% in 2025; roughly 82% of phishing emails now contain AI-generated content, and over 90% of polymorphic malware leans on LLMs to rewrite itself per target. On the network layer, AI-fuelled DDoS crossed record volumes — a 31.4 Tbps peak in December 2025 — and increasingly blends reconnaissance and adaptive evasion with the flood, so legitimate demand is hard to separate from attack traffic. This is why a CISSP must defend the channel, not just the perimeter.

Anjali Menon, a network security lead at a Bengaluru fintech, watched her SASE/NDR console flag a "low-and-slow" data exfil her old IDS missed — the model spotted a server beaconing to a rare ASN at 3 a.m. Her teammate Rohit Deshpande then tuned ZTNA risk-scoring so a compromised contractor laptop was step-up challenged before it reached the payments VLAN.

Strengths tip: if you think in baselines and exceptions, you'll grasp NDR fast — frame every "alert" as "what is this flow's distance from normal?"

The AI-era angle, in four cards

What 2026 adds to this domain, and why each matters.

🧠 Behavioural Baseline — NDR learns each network's 'normal,' then scores deviations. So you catch zero-day beaconing and low-and-slow exfil that signature IDS silently misses.

🔐 ZTNA in SASE — ZTNA grants per-app access after continuous identity + risk checks. So a stolen contractor laptop is step-up challenged before it touches the payments VLAN.

🎣 Polymorphic Phishing — LLMs rewrite each lure so filters never see the same payload twice — AI phishing rose 1,265% in 2025. So channel defences (DMARC/DKIM/SPF, NDR) beat user training alone.

🌊 Adaptive DDoS — AI floods now probe defences and mimic real users, peaking at 31.4 Tbps in 2025. So static thresholds fail; only ML traffic models separate real demand from attack.

Pause & Predict

Name one thing AI changes about Domain 4 — and one fundamental it does NOT change. Type your guess.

Answer: AI shifts the tooling and widens the attack surface, but the four areas above still decide the right answer. Tools change; principles don't.

🎯 Prove it — your Domain 4 practice exam

You have read the theory. Now do the reps. This is the free, timed Techclick assessment built for exactly this domain, with full reasoning on every question — plus the full-length mock for when you are close to your exam date.

Part of the 8-part series · start from the CISSP overview → · all assessments live on exam.techclick.in (sign in with your Techclick account).

Figure 5 — Domain 4 on one card
A one-glance revision card: each area's key takeaway (the four listed at the top of this guide), plus the two things examiners love to test — the Legacy VPN vs ZTNA trade-off (know it cold) and the order of the TLS 1.3 handshake (memorize it).
Print this for the night before. Everything in Domain 4 on a single page.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Analyze

A bank's network team must stop attackers from moving laterally between workloads inside the same data-center subnet, even after one host is compromised. Which design choice best addresses this?

Correct: c. Lateral movement happens east-west, inside the perimeter. A perimeter firewall only guards north-south traffic, and Layer-1/cast-type changes do not segment workloads. Micro-segmentation with zero trust verifies every internal flow, containing a compromised host.
Q6 · Analyze

An auditor reviews two designs. Design A uses VLANs and subnet ACLs only. Design B adds ZTNA plus per-workload microsegmentation. Analyzing blast radius after one host compromise, which conclusion is most defensible?

Correct: b. VLAN/subnet controls are coarse, so hosts inside a zone usually reach neighbours unfiltered, leaving a large blast radius. Design B grants least-privilege per session and per workload, confining a compromise to explicitly allowed flows. Fewer policies do not equal safer, and edge components do not enlarge internal blast radius.
Q7 · Evaluate

Aditya at Wipro deploys DNSSEC across all resolvers and declares that branch DNS traffic is now private and tamper-proof. A reviewer pushes back. Which evaluation of Aditya's claim is most accurate?

Correct: a. DNSSEC signs records to prevent spoofing and cache poisoning, but it sends data in cleartext, so queries remain readable. Achieving confidentiality requires DoH or DoT. The reviewer is right that the privacy claim is unsupported by DNSSEC alone.
Q8 · Apply

Aditya, a network engineer at Infosys, must ensure that any unknown laptop plugged into a conference-room jack is blocked from receiving an IP or reaching internal VLANs until the device proves its identity. Which control should he implement?

Correct: d. Blocking a device at the switch port before it gets network access is exactly 802.1X NAC: the supplicant authenticates to a RADIUS server via the authenticator before the port opens. A firewall acts after IP assignment, an IPS inspects traffic flows rather than gating port admission, and DoT only encrypts DNS queries.
Q9 · Analyze

A bank's NDR flags a payroll server making small, regular HTTPS connections to a rarely-seen overseas ASN at 3 a.m., though no signature matched and the traffic volume is tiny. The legacy IPS saw nothing. Which capability of AI-driven NDR best explains why it caught this when the IPS did not?

Correct: b. The detection had no signature and low volume, so signature feeds (C) and bandwidth thresholds (D) would not trigger; TLS payload inspection (A) is not what flagged it. NDR's value is anomaly detection — measuring how far a flow's behaviour (rare ASN, odd hour, beaconing cadence) sits from the learned baseline, which is exactly the low-and-slow pattern signature tools miss.
Q10 · Evaluate

A CISO must choose a defensive posture against AI-crafted phishing and adaptive DDoS for a SASE rollout. Which approach is the MOST defensible, and why?

Correct: a. AI lures defeat grammar filters and training (A, B), and static thresholds are exactly what adaptive DDoS learns around (B). Fully autonomous auto-block (D) ignores adversarial-ML risk and false positives on critical paths. The strongest posture layers continuous identity/risk verification, behavioural DDoS modelling and channel authentication while keeping humans over high-impact decisions — defence-in-depth matched to dual-use AI threats.

🧠 In your own words

Type one line: Explain, in your own words, why "zero trust" is fundamentally different from a traditional perimeter firewall — and give one concrete network control for each model. Then compare to the expert version.

Expert version: A perimeter firewall draws ONE trust boundary at the network edge: anything inside is implicitly trusted, so a single breach lets an attacker move laterally across a flat interior. Concrete control: a north-south firewall ruleset filtering ingress/egress at the gateway. Zero trust (NIST SP 800-207) removes implicit trust entirely — trust is never granted by network location. Every request is authenticated, authorized, and continuously evaluated per-resource by a Policy Engine (decision), Policy Administrator (action), and Policy Enforcement Point (enforcement). Concrete control: east-west microsegmentation, where host-based agents or SDN isolate each workload so even an insider or compromised host must re-prove identity to reach the next service — collapsing the lateral-movement blast radius.


📖 Glossary

IPsec
IP-layer (L3) security suite; AH provides authentication and integrity, ESP adds encryption. Optional in IPv4, native to IPv6.
Defense in depth
Layering multiple independent controls across OSI layers so one failure does not expose the asset.
Micro-segmentation
Fine-grained zoning (distributed firewalls, overlays, zero trust) that limits lateral movement between workloads.
Microsegmentation
Workload-level, identity-aware firewall policy that allows only explicitly sanctioned flows between hosts, blocking lateral movement.
ZTNA
Zero Trust Network Access: verifies identity and context per session, then grants access to one specific application instead of the whole network.
SSE
Security Service Edge: the cloud-delivered security half of SASE (ZTNA, SWG, CASB, FWaaS) without the SD-WAN networking part.
Forward secrecy
Each session uses a throwaway key, so compromising the server's long-term key can't decrypt previously captured traffic.
ESP (Encapsulating Security Payload)
The IPsec protocol that provides confidentiality plus integrity; AH provides integrity only, no encryption.
DNSSEC vs DoH/DoT
DNSSEC signs records for authenticity (no encryption); DoH/DoT encrypt the query channel against eavesdropping.
ARP spoofing
Sending forged ARP replies so victims send gateway traffic to the attacker, enabling a man-in-the-middle position on the LAN.
SAE (WPA3)
Simultaneous Authentication of Equals, WPA3's Dragonfly handshake that blocks offline password cracking and adds forward secrecy.
802.1X NAC
Port-based Network Access Control where a device must authenticate via supplicant-authenticator-RADIUS before getting LAN access.
NDR (Network Detection and Response)
Security tooling that uses ML to baseline normal network behaviour, detect anomalies (beaconing, odd east-west flows, rare destinations) without signatures, and automatically respond at machine speed.
ZTNA (Zero Trust Network Access)
The zero-trust access component of SASE: grants per-application access only after continuously verifying identity, device posture and session risk — replacing flat, trust-everything VPNs.
Adaptive DDoS
An AI-driven denial-of-service attack that adds reconnaissance and real-time evasion — probing active defences, rotating vectors and mimicking legitimate traffic — instead of a single static flood.

📚 Sources

  1. ISC2 — CISSP Certification Exam Outline (April 2024, Domain 4 = 13%). isc2.org
  2. NIST — SP 800-207: Zero Trust Architecture. csrc.nist.gov
  3. NIST — SP 800-207A: A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments. csrc.nist.gov
  4. NIST — SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations. csrc.nist.gov
  5. IETF — RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3. datatracker.ietf.org
  6. NIST — SP 800-77 Rev. 1: Guide to IPsec VPNs. csrc.nist.gov
  7. OWASP — Transport Layer Security Cheat Sheet. cheatsheetseries.owasp.org
  8. CISA / Microsoft Security — SOHO Router Compromise: DNS Hijacking and Adversary-in-the-Middle (2025–2026). microsoft.com

What's next?

Domain 4 done. Keep the momentum — next is Domain 5: IAM.