Domain 4: Communications and Network Security

Protecting Data in Motion

Domain 4 accounts for 13% of the CISSP exam. Networks move data between systems, users, and organizations. Every packet that crosses a network represents an opportunity for interception, modification, or disruption. This domain covers how networks work and how to secure them.

The OSI and TCP/IP models organize network functions into layers. Security controls operate at different layers depending on what they protect and how. Understanding which layer handles what function lets you select appropriate controls and recognize where vulnerabilities exist.

Figure: OSI model alongside the TCP/IP model, with the layers at which common controls operate.

OSI model           TCP/IP model
7 – Application     Application
6 – Presentation    Application
5 – Session         Application
4 – Transport       Transport
3 – Network         Internet
2 – Data Link       Network Access
1 – Physical        Network Access

Controls: WAF, IDS/IPS at the upper layers | Firewalls at layers 3-4 | Switches at layer 2

Network Architecture Components

Routers operate at layer 3, making forwarding decisions based on IP addresses. They connect network segments and enforce routing policies. Access control lists on routers filter traffic based on source, destination, protocol, and port. Router security includes protecting management interfaces, updating firmware, and configuring appropriate logging.

Switches operate at layer 2, forwarding frames based on MAC addresses. Modern managed switches include security features: port security limits which MAC addresses can connect to specific ports; DHCP snooping prevents rogue DHCP servers from distributing malicious configurations; dynamic ARP inspection blocks ARP spoofing attacks by checking ARP messages against the bindings learned through DHCP snooping. VLANs segment traffic logically without requiring separate physical infrastructure.

Firewalls filter traffic based on rules. Stateless firewalls examine individual packets against access control lists. Stateful firewalls track connection state, allowing return traffic for established sessions while blocking unsolicited inbound traffic. Next-generation firewalls add application awareness, inspecting traffic content to identify applications regardless of port. Web application firewalls specifically protect HTTP traffic, blocking common web attacks like SQL injection and cross-site scripting.
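As an added illustration (not from the original article) of why stateful tracking matters: a stateless ACL that must let HTTPS replies back in has to admit any inbound packet whose source port is 443, whereas a stateful filter admits only packets matching a session it saw opened. The addresses and the 10.0.0.0/8 internal range are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_allow(pkt: Packet) -> bool:
    """Stateless ACL: every packet is judged on its own header fields.
    To let HTTPS replies back in, it must permit any inbound packet with
    source port 443, whether or not a matching session exists."""
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
        return True  # outbound HTTPS request
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.sport == 443:
        return True  # the "return traffic" hole
    return False


class StatefulFirewall:
    """Tracks sessions opened from inside; inbound is allowed only if it
    matches one of them (the reverse 4-tuple)."""

    def __init__(self):
        self.sessions = set()  # (int_ip, int_port, ext_ip, ext_port)

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.dport == 443:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False


def demo():
    """Returns {name: (stateless_verdict, stateful_verdict)} for three packets."""
    fw = StatefulFirewall()
    outbound = Packet("10.1.2.3", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.1.2.3", 51000)
    probe = Packet("198.51.100.7", 443, "10.1.2.3", 5555)  # unsolicited, sport forged to 443
    return {n: (stateless_allow(p), fw.allow(p))
            for n, p in [("outbound", outbound), ("reply", reply), ("probe", probe)]}
```

The unsolicited probe passes the stateless ACL but is dropped by the stateful filter, which is the gap the article's distinction is about.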

Network Segmentation and Zones

Segmentation limits blast radius. When attackers compromise one system, segmentation determines what else they can reach. Flat networks where everything can communicate with everything else give attackers free movement. Segmented networks force attackers to breach multiple control points.

  • DMZ (Demilitarized Zone) hosts systems that need internet exposure—web servers, email gateways, VPN concentrators. The DMZ sits between the internet and internal network, protected by firewalls on both sides. Systems in the DMZ should never initiate connections to internal networks. If attackers compromise a DMZ system, segmentation prevents direct access to internal resources.
  • Internal network zones separate systems by function and sensitivity. Production systems separate from development environments. Finance systems separate from general corporate networks. Each zone has defined trust levels and controlled access between zones. Zero trust architectures extend this principle, treating every network as potentially hostile.
  • Microsegmentation applies segmentation at the workload level. Instead of protecting network segments, policies control traffic between individual applications or containers. Software-defined networking enables microsegmentation without physical network changes. This approach limits lateral movement even within traditional network zones.
  • Air gaps provide physical isolation for highly sensitive systems. No network connection means no network-based attacks. Operational technology networks in industrial environments sometimes use air gaps to protect safety-critical systems. Air gaps complicate legitimate operations—data must move via physical media, creating different risks and operational challenges.

Figure: Internet – Firewall – DMZ (web server, mail server, VPN) – Firewall – Internal network (corporate systems, with Finance and Production as segmented zones).

Secure Network Protocols

TLS (Transport Layer Security) encrypts application layer traffic. HTTPS is HTTP over TLS. Modern TLS 1.3 improves performance and security over earlier versions—it completes handshakes faster and removes support for weak cipher suites. Certificate validation ensures clients connect to legitimate servers. Certificate transparency logs help detect misissued certificates. Organizations should monitor for certificates issued against their domains.

IPsec operates at the network layer, securing IP traffic regardless of application. Tunnel mode encrypts entire packets for site-to-site VPNs. Transport mode encrypts only payloads, used for host-to-host communication. Internet Key Exchange (IKE) negotiates security associations and manages keys. IPsec VPNs connect branch offices and remote workers to corporate networks.

SSH provides encrypted remote access and file transfer. It replaced unencrypted protocols like telnet and FTP for system administration. Key-based authentication is more secure than passwords—disable password authentication on servers exposed to the internet. SSH tunneling can encapsulate other protocols, though this capability can also bypass security controls.

DNS security has improved with DNSSEC, which adds cryptographic signatures to DNS responses. This prevents DNS spoofing attacks where attackers redirect traffic by providing false DNS answers. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries, preventing eavesdroppers from monitoring which sites users visit. These protocols create visibility challenges for organizations that inspect DNS traffic for security purposes.

Wireless Network Security

Wi-Fi security has evolved through multiple standards. WEP is completely broken—don’t use it. WPA improved security but has weaknesses. WPA2 with AES encryption provides adequate security for most environments when configured with strong pre-shared keys. WPA3 adds protection against offline dictionary attacks and provides forward secrecy.

Enterprise wireless uses 802.1X authentication, connecting to RADIUS servers that verify credentials against directory services. This eliminates shared pre-shared keys that every user knows. Certificates provide stronger authentication than passwords. Rogue access point detection identifies unauthorized wireless devices on the network.

Wireless attacks include evil twin attacks where attackers create fake access points mimicking legitimate networks, deauthentication attacks that disconnect users from legitimate networks, and eavesdropping on unencrypted traffic. Wireless intrusion prevention systems detect and respond to these attacks automatically.

Figure: Site-to-site VPN. Office A gateway – encrypted tunnel across the Internet – Office B gateway; the IPsec tunnel protects traffic between locations.

Network Attacks and Countermeasures

Denial of service attacks overwhelm systems or networks, preventing legitimate access. Volumetric attacks flood bandwidth. Protocol attacks exploit weaknesses in network protocols. Application layer attacks target specific services with requests that consume processing resources. DDoS mitigation services absorb attack traffic before it reaches target systems. Rate limiting and traffic shaping reduce impact of attacks that reach infrastructure.

Man-in-the-middle attacks intercept communications between parties. ARP spoofing enables MITM attacks on local networks by associating the attacker’s MAC address with legitimate IP addresses. DNS spoofing redirects traffic to attacker-controlled servers. TLS with proper certificate validation prevents successful MITM attacks—attackers can intercept traffic but cannot decrypt it or forge legitimate certificates.
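The dynamic ARP inspection mentioned under switches and the ARP spoofing described here meet in one check, shown as an added example that is not from the original article: each ARP message on an untrusted port is compared with the (IP, MAC, port) bindings a switch would have learned via DHCP snooping, and a message claiming the gateway's IP with a different MAC or from a different port is dropped. The binding table, port names and ARP messages are constructed.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table: ip -> (mac, switch port),
# as the switch would have learned from legitimate DHCP exchanges.
BINDINGS = {
    "192.168.1.1": ("aa:bb:cc:00:00:01", "Gi1/0/1"),    # gateway
    "192.168.1.20": ("aa:bb:cc:00:00:20", "Gi1/0/20"),  # workstation
}
TRUSTED_PORTS = {"Gi1/0/48"}  # uplink; ARP on trusted ports is not inspected


@dataclass(frozen=True)
class Arp:
    port: str        # switch port the frame arrived on
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address
    op: str          # "request" or "reply"


def inspect(frame: Arp):
    """Return (verdict, reason) the way dynamic ARP inspection would."""
    if frame.port in TRUSTED_PORTS:
        return "forward", "trusted port"
    binding = BINDINGS.get(frame.sender_ip)
    if binding is None:
        return "drop", f"no binding for {frame.sender_ip}"
    mac, port = binding
    if frame.sender_mac != mac:
        return "drop", f"{frame.sender_ip} is bound to {mac}, not {frame.sender_mac}"
    if frame.port != port:
        return "drop", f"{frame.sender_ip} is bound to {port}, seen on {frame.port}"
    return "forward", "matches binding"


def run(frames):
    """Verdict per frame, in order."""
    return [inspect(f)[0] for f in frames]


# Constructed sample: a legitimate request, a reply from the uplink, and a
# reply claiming the gateway IP with a foreign MAC from an access port.
SAMPLE = [
    Arp("Gi1/0/20", "192.168.1.20", "aa:bb:cc:00:00:20", "request"),
    Arp("Gi1/0/48", "192.168.1.1", "aa:bb:cc:00:00:01", "reply"),
    Arp("Gi1/0/33", "192.168.1.1", "de:ad:be:ef:00:33", "reply"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.port, f.sender_ip, *inspect(f))
```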

Network reconnaissance provides attackers information about target networks. Port scanning identifies running services. OS fingerprinting determines operating systems. Vulnerability scanning identifies exploitable weaknesses. Intrusion detection systems identify reconnaissance activity. Network segmentation limits what attackers can discover from compromised systems.

Connecting to Other CISSP Domains

Network security implements architectural decisions from Domain 3. Firewalls, segmentation, and encryption all derive from defense-in-depth and least-privilege principles. Domain 7 covers monitoring and incident response for network security events. Domain 5 addresses authentication systems like RADIUS that secure network access.

Exam questions often test understanding of which control addresses which threat. Encryption protects confidentiality but not availability. Firewalls control access but don’t detect attacks within allowed traffic. IDS detects attacks but doesn’t prevent them. Knowing the capabilities and limitations of each control lets you select appropriate combinations.

The practice questions include scenarios requiring protocol selection, network design, and attack analysis. Understanding the OSI model helps—questions may describe behavior at one layer and ask about controls at another. Real network security requires integrating controls across layers.

Networks carry data between systems. Every byte of business communication, every transaction, every authentication credential traverses networks. Securing that traffic requires understanding how networks operate, what threats exist, and which controls address which risks. Domain 4 provides that foundation.

Elias Ward
Elias is a deep coding specialist who has spent most of his career working in places most people never hear about. Starting with a background in secure systems and backend development, he eventually moved into roles that required quiet precision and the ability to build or fix technology in environments where reliability mattered more than recognition.
