CompTIA Security+: Network Components

I’m back from lots of travel, and am diving back into my Security+ studying.  The first chapter in section two of CompTIA’s Security+ study guide is about network components.  As with all the other chapters, it’s a questionably organized whirlwind tour.  I’ll leave the topics in the order that they appear, which is by component, with a bunch of sub-topics per component.

This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.

Firewalls

A firewall is hardware or software (or a combo of the two) used to enforce network security policies across network connections.  The network administrator(s) will determine security policies:  what traffic is allowed, and what traffic to block or deny.  These rules can be very nuanced and specific to different ports, machines, applications, users, and so on.  Firewalls can be specific to an application or (sub) network but at a minimum, your org should have a firewall between your network and the internet.  They’re meant to block attacks before they reach the target (web servers, mail servers, DNS servers, databases, etc).
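To make the “rules” idea concrete, here is a small packet filter I wrote as an added example (it is not from the study guide or this post). It models the two properties a perimeter firewall policy needs: rules are evaluated in order and the first match wins, and anything no rule matches falls through to a default deny. All addresses are constructed from documentation ranges, and the blocked host, web, DNS and mail servers are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR prefix; None matches any source
    dst: Optional[str] = None    # CIDR prefix; None matches any destination
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Firewall:
    """Evaluates an ordered rule list; the first matching rule wins, and
    anything no rule matches falls through to the default policy (deny)."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed perimeter policy (hypothetical hosts in documentation ranges):
# a blocked host is listed first so it wins over the later allow rules, then
# only the three public services are opened. Everything else is denied.
PERIMETER = Firewall([
    Rule("deny", src="198.51.100.66/32"),                          # known-bad host, ordered first
    Rule("allow", proto="tcp", dst="203.0.113.10/32", dport=443),  # public web server
    Rule("allow", proto="udp", dst="203.0.113.53/32", dport=53),   # public DNS
    Rule("allow", proto="tcp", dst="203.0.113.25/32", dport=25),   # mail server
])


def check(src, dst, proto, dport):
    return PERIMETER.decide(Packet(src, dst, proto, dport))


if __name__ == "__main__":
    for args in [("198.51.100.7", "203.0.113.10", "tcp", 443),
                 ("198.51.100.7", "203.0.113.10", "tcp", 22),
                 ("198.51.100.66", "203.0.113.10", "tcp", 443)]:
        print(args, "->", check(*args))
```

Note that swapping the first two rules would let the blocked host reach the web server, which is why rule order is reviewed as carefully as the rules themselves.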

Firewalls, how do they work

VPNs

A VPN concentrator is a way of managing multiple VPN conversations on a network while keeping them isolated from each other.

VPNs can be remote-access or site-to-site.  Site-to-site connects machines between two networks on an ongoing basis (you don’t have to go through setup each time).  Remote-access is more temporary and allows remote hosts to connect to a network.

IPSec

Here, the book starts a long section on IPSec details.  It seems like the book sections got mixed around because it references “AH” and “ESP” before they are defined/discussed.  Anyway…

IPSec is a set of protocols for securely exchanging packets at the network layer (layer 3).  VPNs use IPSec to establish their secure connections.  The chapter does not discuss SSL-based VPNs.

NIPS/NIDS

NIDS stands for a network-based intrusion detection system.  These detect, log and respond to unauthorized network usage.  This can be in real-time or after the fact.

The unfortunately acronym’d “NIPS” stands for network-based intrusion prevention systems.  NIPS are like NIDS but can take automated action to block an attack, as determined by pre-set rules.

An intrusion detection system (IDS) doesn’t need to be network-based.  It could be host-based instead.  An IDS usually contains the following components:

An IDS can be signature-based, meaning it detects intrusion based on known signature definitions.  Alternatively, it can be heuristic- or behavioral-based.  This means that “normal” behavior is defined, and behavior that is outside of those bounds is considered malicious or bad.  This can have a high false-positive rate.  Anomaly-based is similar and looks for traffic that is anomalous based on known “normal” behavior.  The type of NIDS/NIPS system you have will determine the complexity of the rules (the book gives a range of examples, from Snort to Bayesian).

IDS can be inline, meaning it monitors data as it flows through the device, or passive, meaning that it copies off the data and examines it offline.

It can be in-band, meaning that it examines data and can take actions within that system (if something looks bad, don’t send it along).  Out-of-band cannot.
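The signature/anomaly and in-band/out-of-band distinctions are easier to see in code, so here is an added example (mine, not the book’s or the post’s) that runs both detection styles over constructed web-server log lines. The signature detector matches a known bad pattern; the anomaly detector first learns what “normal” request volume per host looks like and then flags hosts far outside it. The log format, hosts and thresholds are all assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log format: <src> <timestamp> "<method> <path>" <status>
LINE_RE = re.compile(r'^(\S+) \S+ "(\S+) (.+?)" (\d{3})$')

# Signature rules: name -> pattern matched against the requested path.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def make_lines(src, paths, status="200"):
    return [f'{src} 2024-01-01T10:00:00 "GET {path}" {status}' for path in paths]


# Constructed "normal" traffic used to learn the baseline: a few hosts each
# making a handful of requests.
TRAINING = (make_lines("10.0.0.5", ["/", "/about"]) +
            make_lines("10.0.0.6", ["/", "/faq"]) +
            make_lines("10.0.0.7", ["/"]) +
            make_lines("10.0.0.8", ["/", "/contact"]) +
            make_lines("10.0.0.9", ["/", "/about", "/faq"]))

# Constructed observed traffic: a normal host, one host sending a classic
# SQL-injection probe, and one host hammering the server with 30 requests.
OBSERVED = (make_lines("10.0.0.5", ["/", "/about"]) +
            make_lines("10.0.0.11", ["/login?user=admin' OR '1'='1"]) +
            make_lines("10.0.0.66", [f"/page{i}" for i in range(30)], status="404"))


def parse(line):
    m = LINE_RE.match(line)
    return {"src": m.group(1), "method": m.group(2), "path": m.group(3), "status": m.group(4)}


def signature_alerts(lines):
    """Signature-based detection: flag requests that match a known bad pattern."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


def learn_baseline(lines):
    """Anomaly/behavioural detection, step 1: what does 'normal' look like?"""
    counts = Counter(parse(l)["src"] for l in lines)
    values = list(counts.values())
    return {"mean": mean(values), "stdev": pstdev(values)}


def anomaly_alerts(lines, baseline, k=3.0):
    """Step 2: flag sources whose request volume is far outside the baseline.
    A small k catches more but raises the false-positive rate the book warns about."""
    threshold = baseline["mean"] + k * baseline["stdev"]
    counts = Counter(parse(l)["src"] for l in lines)
    return [(src, n) for src, n in counts.items() if n > threshold]


def inline_decision(line):
    """An in-band NIPS can act on the traffic itself: drop on a signature hit.
    An out-of-band sensor would only be able to raise the alert."""
    return "drop" if signature_alerts([line]) else "forward"
```

Running `signature_alerts(OBSERVED)` reports the injection probe from 10.0.0.11, while `anomaly_alerts(OBSERVED, learn_baseline(TRAINING))` reports only 10.0.0.66, whose 30 requests sit far above the learned mean of 2; neither method finds the other’s hit, which is why real deployments combine them.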

Routers

Routers are “network traffic management devices used to connect different network segments together.”  Routers are located at gateways where two or more networks connect.  They look at each packet and its destination address, and then determine optimal paths across a network.

Remote access is often a necessity, especially for big organizations with routers spread all over the globe.  Unauthorized access is a bad thing, so avoid mishaps like:  leaving the default password, sending passwords in cleartext, or using Telnet (or other insecure/deprecated protocols; use SSH instead).

Routers use access control lists (ACLs) to determine if a packet should be allowed to enter a network, based on its source address.  Apparently, if you have a fancy router you can configure it to examine packets in a stateful way.

Routers know which source IP addresses to expect on each interface, so they can compare a packet’s stated source address against that expectation.  If the two don’t match, the source may be spoofed and the router should drop the packet as an anti-spoofing measure.
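Here is what that anti-spoofing check looks like in practice, as an added example of my own (not from the book or the post). It uses a constructed routing table and applies two tests to an arriving packet: a reverse-path check (the source address must be reachable through the interface the packet arrived on) and a “martian” check (private, loopback and link-local sources never legitimately arrive from the internet side). Interface names and prefixes are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for a small edge router: prefix -> outbound interface.
ROUTES = {
    "192.168.10.0/24": "lan0",   # first internal segment
    "192.168.20.0/24": "lan1",   # second internal segment
    "0.0.0.0/0": "wan0",         # default route towards the internet
}

# Source prefixes that should never show up on the internet-facing interface.
MARTIANS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def route_interface(ip: str) -> str:
    """Longest-prefix match: which interface would this router use to reach ip?"""
    addr = ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES.items():
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def ingress_decision(src_ip: str, inbound_iface: str) -> str:
    """Anti-spoofing decision for a packet with source src_ip arriving on inbound_iface.

    1. Reverse-path check: the router would reach this source via some interface;
       if that is not the interface the packet came in on, the source is not genuine.
    2. Martian check: the default route "reaches" everything, so private sources on
       the WAN side pass test 1 and must be caught explicitly.
    """
    addr = ip_address(src_ip)
    if route_interface(src_ip) != inbound_iface:
        return "drop-reverse-path"
    if inbound_iface == "wan0" and any(addr in net for net in MARTIANS):
        return "drop-martian"
    return "accept"


if __name__ == "__main__":
    for src, iface in [("192.168.10.5", "lan0"), ("192.168.10.5", "wan0"),
                       ("10.9.9.9", "wan0"), ("198.51.100.7", "wan0")]:
        print(src, "on", iface, "->", ingress_decision(src, iface))
```

A packet claiming to come from 192.168.10.5 but arriving on wan0 is dropped by the reverse-path test; 10.9.9.9 on wan0 slips past that test because of the default route and is caught by the martian list instead.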

Switches

Routers operate at the network layer (layer 3) of the OSI model.  Switches operate at the data link layer (layer 2).  Switches connect together devices on a network.  They pose a security risk because access means that an attacker can eavesdrop on all communications.  Similar to routers, switches also have insecure methods of access (notably Telnet or older versions of SNMP, use SNMPv3 instead).

As switches move packets from inbound connections to outbound connections, it’s possible for them to inspect the packet headers.  Port security means that switches can control which devices connect on each port via allowed MAC addresses (still, they can be spoofed).  Port security can be configured to assign a specific MAC address to a port (static learning), to allow switches to “learn” acceptable MAC addresses (dynamic learning) or to persist accepted MAC addresses (sticky learning).
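The three learning modes behave differently when a link is reset, which is the detail worth seeing in code. This is an added example of mine (not from the book or the post) that models one secured switch port; the violation response (shutting the port down) and the MAC addresses are assumptions, and as the text notes, a MAC allow-list only raises the bar, since source MACs can be spoofed.

```python
class SecuredPort:
    """Switch port with MAC-based port security.

    mode: "static"  -> only administrator-configured MACs are accepted
          "dynamic" -> the port learns up to max_macs addresses; forgotten on link reset
          "sticky"  -> like dynamic, but learned addresses persist across link resets
    A frame from an unexpected MAC is a violation; this model shuts the port down.
    """

    def __init__(self, mode, max_macs=1, static=()):
        self.mode = mode
        self.max_macs = max_macs
        self.static = {m.lower() for m in static}
        self.learned = []            # ordered, so the first-seen MAC wins
        self.shutdown = False
        self.violations = []

    def allowed(self):
        return self.static | set(self.learned)

    def frame_received(self, src_mac):
        mac = src_mac.lower()
        if self.shutdown:
            return "dropped-port-shutdown"
        if mac in self.allowed():
            return "forwarded"
        if self.mode != "static" and len(self.learned) < self.max_macs:
            self.learned.append(mac)   # dynamic/sticky learning
            return "forwarded-learned"
        self.violations.append(mac)    # unknown MAC and no room to learn it
        self.shutdown = True
        return "violation-shutdown"

    def link_reset(self):
        """Cable replugged or admin re-enable: clears the shutdown state.
        Dynamically learned MACs are lost; sticky ones survive."""
        if self.mode == "dynamic":
            self.learned = []
        self.shutdown = False


def demo():
    """Walk each mode through the same sequence and collect the outcomes."""
    results = {}
    p = SecuredPort("static", static=["AA:BB:CC:00:00:01"])
    results["static-known"] = p.frame_received("aa:bb:cc:00:00:01")
    results["static-unknown"] = p.frame_received("aa:bb:cc:00:00:02")

    d = SecuredPort("dynamic", max_macs=1)
    results["dyn-first"] = d.frame_received("aa:bb:cc:00:00:10")
    results["dyn-second"] = d.frame_received("aa:bb:cc:00:00:11")
    d.link_reset()
    results["dyn-after-reset"] = d.frame_received("aa:bb:cc:00:00:11")

    s = SecuredPort("sticky", max_macs=1)
    s.frame_received("aa:bb:cc:00:00:20")
    s.link_reset()
    results["sticky-after-reset"] = s.frame_received("aa:bb:cc:00:00:21")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The interesting pair is the last two results: after a link reset the dynamic port happily learns a new address, while the sticky port still remembers the old one and treats the newcomer as a violation.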

Switches use Open Shortest Path First (OSPF) to route traffic and the Spanning Tree Protocol (STP) to avoid loops.  Switches also commonly have flood guards to protect against flooding attacks.

Proxies

Proxy servers are a way of filtering traffic and can be used to further the security goals of an organization.  A proxy intercepts requests from a client and either forwards them to their intended destination.

Proxies can be forward, meaning that they intercept a request and then forward them to the destination.  They can be reverse, meaning that they’re installed on the server-side of a connection and intercept incoming requests.

They can be transparent, meaning they examine the request and pass it along (or not).  Alternatively, they can alter requests.

Anonymizing proxies hide information about the client making the request.  Caching proxies store local copies of content to help with performance.  Content-filtering proxies compare requests to an acceptable use policy (AUP) and filter out the bad stuff.  Open proxies are proxies available to any internet user.  A web proxy is used to handle web traffic (also called a web cache).
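Several of these proxy types are just different decisions taken at the same point in a request, so here is an added example of mine (not from the book or the post) of a forward proxy that filters against an AUP, caches responses, and anonymizes the client by stripping identifying headers. The origin fetch is injected as a function so it runs offline; the blocked hosts, the header list and the fake origin are all constructed.

```python
from urllib.parse import urlsplit

# Constructed acceptable-use policy: hostname -> category that is blocked.
BLOCKED_HOSTS = {
    "casino.example": "gambling",
    "malware-drop.example": "malware",
}

# Headers an anonymizing proxy strips so the origin learns nothing about the client.
CLIENT_IDENTIFYING_HEADERS = {"x-forwarded-for", "forwarded", "via", "user-agent", "cookie"}


class ForwardProxy:
    """Forward proxy that filters by AUP, caches responses, and anonymizes the client.

    fetch_origin(url, headers) -> (status, body) is injected so the example runs
    offline; in a real proxy that would be the outbound HTTP request.
    """

    def __init__(self, fetch_origin):
        self.fetch_origin = fetch_origin
        self.cache = {}
        self.log = []

    def handle(self, url, headers, client_ip):
        host = urlsplit(url).hostname
        if host in BLOCKED_HOSTS:                       # content filtering
            self.log.append((client_ip, url, "blocked:" + BLOCKED_HOSTS[host]))
            return 403, "Blocked by acceptable use policy", "policy"
        if url in self.cache:                           # caching
            self.log.append((client_ip, url, "cache-hit"))
            return 200, self.cache[url], "cache"
        outbound = {k: v for k, v in headers.items()    # anonymizing
                    if k.lower() not in CLIENT_IDENTIFYING_HEADERS}
        outbound["User-Agent"] = "generic-proxy/1.0"
        status, body = self.fetch_origin(url, outbound)
        if status == 200:
            self.cache[url] = body
        self.log.append((client_ip, url, "origin"))
        return status, body, "origin"


def demo():
    seen = []

    def fake_origin(url, headers):        # constructed stand-in for the internet
        seen.append(headers)
        return 200, f"content of {url}"

    proxy = ForwardProxy(fake_origin)
    hdrs = {"User-Agent": "Mozilla/5.0 (real browser)", "Cookie": "session=abc", "Accept": "*/*"}
    first = proxy.handle("http://news.example/today", hdrs, "10.0.0.5")
    second = proxy.handle("http://news.example/today", hdrs, "10.0.0.6")
    blocked = proxy.handle("http://casino.example/play", hdrs, "10.0.0.7")
    return {
        "first_source": first[2],
        "second_source": second[2],
        "blocked_status": blocked[0],
        "origin_calls": len(seen),
        "origin_saw_cookie": "Cookie" in seen[0],
        "origin_user_agent": seen[0]["User-Agent"],
    }
```

Two simplifications to be aware of: the cache here ignores `Cache-Control` and serves one client’s response to another, which a real proxy must not do for personalized content, and the proxy’s own log still records which client asked for what, so “anonymizing” only holds towards the origin, not towards the organization running the proxy.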

Load Balancers

Load balancers move loads across several resources.  This helps to avoid overloading a server and helps increase fault tolerance.  Load balancing is easiest in stateless systems.
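The “easiest in stateless systems” remark is worth unpacking, so here is an added example of mine (not from the book or the post): a balancer that rotates requests across healthy backends when any server will do, and hashes a client to a fixed backend when session state has to stay on one server. Backend names and the health-probe interface are assumptions.

```python
import hashlib


class LoadBalancer:
    """Round-robin distribution over healthy backends, plus a hash-based sticky
    mode for the stateful case where a client must keep hitting the same server."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.healthy = set(backends)
        self._next = 0

    def health_check(self, backend, is_up):
        """Called by a probe; an unhealthy backend is taken out of rotation."""
        if is_up:
            self.healthy.add(backend)
        else:
            self.healthy.discard(backend)

    def pick(self):
        """Stateless case: any healthy backend will do, so rotate through them."""
        for _ in range(len(self.backends)):
            candidate = self.backends[self._next % len(self.backends)]
            self._next += 1
            if candidate in self.healthy:
                return candidate
        raise RuntimeError("no healthy backends")

    def pick_sticky(self, client_id):
        """Stateful case: map the client deterministically onto the healthy pool.
        With this plain modulo scheme a backend failure re-maps more clients than
        strictly necessary; consistent hashing reduces that churn."""
        pool = sorted(self.healthy)
        if not pool:
            raise RuntimeError("no healthy backends")
        digest = hashlib.sha256(client_id.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def demo():
    lb = LoadBalancer(["web1", "web2", "web3"])
    order = [lb.pick() for _ in range(4)]            # web1, web2, web3, web1
    lb.health_check("web2", is_up=False)             # probe says web2 is down
    after_failure = lb.pick()                        # rotation skips web2
    sticky_a = lb.pick_sticky("client-10.0.0.5")
    sticky_b = lb.pick_sticky("client-10.0.0.5")     # same client, same backend
    return order, after_failure, sticky_a == sticky_b, sticky_a in lb.healthy
```

The fault-tolerance benefit comes entirely from the health check: without it the rotation would keep sending every third request to the dead server.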

Access Points

Wireless access points (APs) are “the point of entry and exit for radio-based network signals into and out of a network.”

SIEMs

SIEM stands for security information and event management.  SIEM systems are hardware and software meant to analyze aggregated security data.  They rely on a few different concepts:
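A SIEM earns its keep by aggregating events from different devices into one schema and correlating across them, so here is an added example of mine (not from the book or the post). It normalizes constructed log lines from a VPN gateway and a Windows domain controller into one format, then applies a single correlation rule: repeated authentication failures for a user and source, across either device, followed by a success within a short window. The log formats, hosts and thresholds are assumptions; the Windows event IDs 4624 (successful logon) and 4625 (failed logon) are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from two devices, each in its own format.
VPN_RE = re.compile(r"^(\S+) vpn-gw auth user=(\S+) src=(\S+) result=(OK|FAIL)$")
DC_RE = re.compile(r"^(\S+) dc01 EventID=(\d+) Account=(\S+) Source=(\S+)$")

RAW_EVENTS = [
    "2024-01-01T10:00:01 vpn-gw auth user=alice src=198.51.100.7 result=FAIL",
    "2024-01-01T10:00:04 vpn-gw auth user=alice src=198.51.100.7 result=FAIL",
    "2024-01-01T10:00:09 dc01 EventID=4625 Account=alice Source=198.51.100.7",
    "2024-01-01T10:00:15 dc01 EventID=4625 Account=alice Source=198.51.100.7",
    "2024-01-01T10:00:21 vpn-gw auth user=alice src=198.51.100.7 result=FAIL",
    "2024-01-01T10:00:40 dc01 EventID=4624 Account=alice Source=198.51.100.7",
    "2024-01-01T10:05:00 vpn-gw auth user=bob src=203.0.113.5 result=FAIL",
    "2024-01-01T10:05:20 vpn-gw auth user=bob src=203.0.113.5 result=OK",
]


def normalize(line):
    """Aggregation step: map each device's format onto one common schema."""
    m = VPN_RE.match(line)
    if m:
        ts, user, src, result = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": "vpn-gw", "user": user,
                "src": src, "outcome": "success" if result == "OK" else "failure"}
    m = DC_RE.match(line)
    if m:
        ts, event_id, user, src = m.groups()
        # Windows Security log: 4624 = successful logon, 4625 = failed logon
        return {"ts": datetime.fromisoformat(ts), "device": "dc01", "user": user,
                "src": src, "outcome": "success" if event_id == "4624" else "failure"}
    raise ValueError("unrecognized event: " + line)


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule: `threshold` or more failures for a (user, src) pair across
    ANY device, followed by a success within `window`, raises one alert.
    Neither device alone sees enough failures to notice; the SIEM does."""
    events = sorted((normalize(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent), "success_at": ev["ts"].isoformat()})
        failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(alert)
```

The VPN gateway saw three failures and the domain controller two, so neither would trip a per-device threshold of five; only the aggregated view does. Sorting by timestamp before correlating matters too, because events from different devices rarely arrive in order.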

DLP

Aaand we’ve jumped from SIEMs to data loss prevention (DLP).  I told you the order of topics was a little wonky.

Here, DLP refers to methods of detecting and preventing unauthorized transfers of data across an organization.
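Detecting an unauthorized transfer usually comes down to recognizing sensitive data in outbound content, so here is an added example of mine (not from the book or the post) of a small DLP inspector for outgoing messages. It looks for payment-card numbers, but validates each candidate with the Luhn checksum so that random digit strings do not trigger blocks, and also honours a classification marker. The marker string and the block/allow policy are assumptions; the card numbers in the usage are the standard test numbers, not real accounts.

```python
import re

# Candidate card-number runs: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit strings that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the digit strings in text that pass both the shape and the checksum test."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(number: str) -> str:
    """Never write the full number into the DLP log; keep only the last four digits."""
    return "*" * (len(number) - 4) + number[-4:]


def inspect_outbound(message: str, classification_markers=("CONFIDENTIAL",)):
    """DLP decision for an outbound message: block if it carries a card number or a
    classification marker, otherwise allow. Returns (verdict, reasons)."""
    reasons = []
    for number in find_card_numbers(message):
        reasons.append("card-number:" + mask(number))
    for marker in classification_markers:
        if marker in message:
            reasons.append("marker:" + marker)
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    for msg in ["invoice paid with 4111 1111 1111 1111",
                "tracking number 1234 5678 9012 3456",
                "CONFIDENTIAL roadmap attached"]:
        print(repr(msg), "->", inspect_outbound(msg))
```

The second sample shows why the checksum matters: 1234 5678 9012 3456 has the right shape but fails Luhn, so a message carrying a tracking number of that form is allowed through rather than generating a false positive.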

NACs

Large organizations can have a LOT of connected workstations and servers.  Managing these connections at scale is difficult.  Network access control (NAC) is a case-by-case management methodology.  Network Access Protection (NAP) is the Microsoft option, Network Admission Control (NAC) is the Cisco option.

Microsoft’s NAP measures system health of connecting machines.  Metrics include operating system patch level, antivirus protection and system policies.  NAP has been around since Windows XP SP3.

Cisco’s NAC enforces policies based on the network admin, and verifies policy settings, software updates, and so on.

Neither of these systems is widely adopted.  Both run health checks on a host before letting it connect to the network.

NAP or NAC related agents can be permanently deployed to a host.  They can also be dissolvable, meaning that they are used (and discarded) on an as-needed basis.  They can be agent-based, meaning that there’s code stored and activated on a host machine.  They can also be agentless, if the code resides on the network and doesn’t persist in the host machine’s memory after use.
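Whatever the agent model, the health check itself reduces to comparing a host’s reported posture against a policy, so here is an added example of mine (not from the book, the post, or either vendor’s product) of that assessment step. The report fields, the policy values and the “quarantine” outcome (typically a remediation VLAN) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class HostReport:
    """What an agent (or an agentless scan) reports about a connecting host."""
    hostname: str
    os_patch_level: int            # constructed: YYYYMM of the last applied update
    antivirus_running: bool
    signatures_age_days: int
    disk_encrypted: bool
    services_listening: list = field(default_factory=list)


# Constructed admission policy.
POLICY = {
    "min_patch_level": 202403,
    "max_signature_age_days": 7,
    "require_disk_encryption": True,
    "forbidden_services": {"telnet", "ftp"},
}


def assess(report: HostReport, policy=POLICY):
    """Health check run before the host is admitted. Returns (verdict, failures)
    so the failures can be shown to the user as a remediation list."""
    failures = []
    if report.os_patch_level < policy["min_patch_level"]:
        failures.append("os-patch-level")
    if not report.antivirus_running:
        failures.append("antivirus-not-running")
    elif report.signatures_age_days > policy["max_signature_age_days"]:
        failures.append("antivirus-signatures-stale")
    if policy["require_disk_encryption"] and not report.disk_encrypted:
        failures.append("disk-not-encrypted")
    bad = policy["forbidden_services"] & set(report.services_listening)
    if bad:
        failures.append("forbidden-services:" + ",".join(sorted(bad)))
    verdict = "admit" if not failures else "quarantine"
    return verdict, failures


# Constructed sample hosts.
HEALTHY = HostReport("laptop-01", 202405, True, 1, True, ["ssh"])
UNHEALTHY = HostReport("laptop-02", 202311, True, 12, False, ["telnet", "ssh"])

if __name__ == "__main__":
    for host in (HEALTHY, UNHEALTHY):
        print(host.hostname, "->", assess(host))
```

Returning the full failure list rather than stopping at the first problem is deliberate: a quarantined user fixes everything in one pass instead of bouncing off the network repeatedly.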

Mail Gateways

Mail gateways are machines that process email packets on a network.  They also filter spam, manage data loss and handle encryption.

Bridges

Somehow, we’re back to bridges.  Bridges work at layer 2 and connect two separate network segments.  This can play into security concerns because traffic separation can keep sensitive information more sequestered.

Other

I’m throwing the remaining categories here, since they seem like they were thrown at the end of the chapter as an afterthought.