Infrastructure Security
Placement, zones, and the attack surface
Security controls belong at the boundaries between zones, because a boundary is where trust changes and filtering finally has something to decide. A security zone is just a network segment grouped by trust level, for example an untrusted internet zone, a public-facing DMZ (screened subnet) holding internet-reachable servers, a trusted internal LAN, and a tightly restricted management zone, and the overview already framed placement as the first design decision; here that decision becomes concrete enough to say where a given control must sit. NIST's firewall guidance frames the firewall as the device that enforces policy at these boundaries and recommends a screened-subnet design that isolates internet-facing hosts from the internal network (NIST SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy[1]); the figure below is modeled on that screened-subnet topology.
Attack surface and connectivity
The attack surface is every reachable interface, open port, running service, and protocol an adversary could target. It grows with connectivity: every additional path, exposed service, or flat (un-segmented) link adds reachable targets. The structural reductions are:
- Segmentation into zones so a breach in the DMZ cannot reach the database tier directly.
- Port security to refuse unauthorized devices at the switch port.
- A single administrative entry point (a jump server) instead of management protocols exposed per-host.
Note the boundary of this subtopic: encrypting traffic that crosses an untrusted zone (VPN, TLS, IPSec, SD-WAN, SASE, tunneling) is the secure-access half of objective 3.2 and is covered in the sibling subtopic Secure Communication and Network Access. Design the placement and zones here, encrypt the links there.
Failure modes
Every inline control needs a defined behavior for when it fails:
| Failure mode | On device failure | Optimizes for | Typical fit |
|---|---|---|---|
| Fail-closed | Blocks all traffic | Confidentiality / integrity | Security chokepoint guarding sensitive or regulated data |
| Fail-open | Passes traffic unfiltered | Availability | Monitoring sensor, or an inline device whose outage must not sever the network |
The exam expects you to pick the mode from the protected asset: a control in front of regulated data fails closed; a device whose failure would halt a life-safety or always-on network may fail open, accepting reduced protection to preserve availability.
Network appliances and device attributes
CompTIA objective 3.2 names a specific set of infrastructure appliances and two pairs of device attributes that describe how each interacts with traffic (CompTIA Security+ SY0-701 exam objectives[2]).
Device attributes
- Active vs passive: an active device can modify or block traffic (drop a session, deny a flow); a passive device only observes and reports.
- Inline vs tap/monitor: inline means traffic physically transits the device, so it can act on it; tap/monitor (a network tap or switch SPAN/mirror port) hands the device a copy, so it can only observe.
These axes are independent and they pair predictably: blocking requires active + inline; non-disruptive visibility uses passive + tap/monitor.
The appliances
- Jump server (bastion host): a hardened single entry point into a protected zone (usually management). Admins authenticate to it, then reach internal hosts from it, so management protocols (SSH/RDP) are never exposed directly and every session is funneled through one audited choke point.
- Proxy server: mediates requests between clients and servers. A forward proxy sits between internal clients and the internet (filtering, caching, egress control); a reverse proxy sits in front of servers (offloading TLS, hiding origin, distributing load).
- IDS vs IPS: an Intrusion Detection System is passive/detective: it inspects a copy of traffic and alerts but cannot stop an attack. An Intrusion Prevention System is active/inline: positioned in the traffic path, it can drop or block the malicious session in real time. This detection-versus-prevention split is the core of NIST's IDPS guidance (NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)[3]).
- Load balancer: distributes incoming connections across a server pool for availability and scale; commonly also terminates TLS and runs health checks. It is active and inline in front of the pool.
- Sensors: distributed collection points (often passive, on taps/SPAN ports) that feed telemetry to monitoring or a SIEM.
Port security: 802.1X and EAP
Port security controls which devices may use a physical switch port. IEEE 802.1X is the port-based network access control standard: the device (supplicant) authenticates to the switch (authenticator), which relays credentials to an authentication server (typically RADIUS) before opening the port, the three-role supplicant/authenticator/authentication-server flow defined by the IEEE 802.1X standard, drawn below. The authentication conversation uses an EAP (Extensible Authentication Protocol) method. EAP is a framework, not a single method, so implementations choose a variant (for example EAP-TLS using certificates, or PEAP). Until authentication succeeds, the port passes no general traffic.
Firewall types: layer 4 vs layer 7, WAF, NGFW, UTM
Firewalls differ by what they can inspect, which follows the OSI/TCP-IP layer they operate at. NIST SP 800-41 Rev. 1 surveys these technologies and their relative strengths (NIST SP 800-41 Rev. 1[1]).
Layer 4 vs layer 7
- Layer 4 (transport) filtering decides on IP addresses, ports, protocol, and, for stateful inspection, connection state. It is fast and the backbone of perimeter filtering, but it is blind to payload content: it cannot tell a benign HTTP request from one carrying a SQL-injection string, because both ride an allowed port.
- Layer 7 (application) filtering inspects the actual payload, so it can match on HTTP methods, URLs, headers, and body content and block application-specific attacks.
The named firewall products
The figure below places each product on the inspection-layer span it covers: the layer-4 / stateful firewall in the L3–L4 band, the WAF up in the L7 band, and the NGFW and UTM stretching across the full L3–L7 span because they fold layer-4 filtering and layer-7 inspection into one engine.
| Type | Operates at | What it adds | Best fit |
|---|---|---|---|
| Layer 4 / stateful firewall | L3–L4 | IP/port/state filtering | Fast perimeter and inter-zone filtering |
| WAF (web application firewall) | L7 | HTTP/HTTPS payload inspection | Blocking web-app attacks (injection, XSS) on a public web tier |
| NGFW (next-generation firewall) | L3–L7 | App awareness, user identity, integrated IPS, deep inspection | Modern perimeter needing app- and identity-aware policy |
| UTM (unified threat management) | L3–L7 | Bundles firewall + IDS/IPS + antivirus + content/URL filter in one box | Small/branch sites where separate appliances are impractical |
A WAF is purpose-built for web (HTTP/HTTPS) attacks and is the right answer when the threat is an application-layer web exploit a port filter cannot see. An NGFW generalizes: stateful filtering plus application awareness, identity, and intrusion prevention in one engine. UTM trades best-of-breed depth for consolidation (one appliance, one console, multiple functions), which is why it shows up in small-office scenarios.
Exam-pattern recognition
Objective 3.2 items reward matching the capability to the requirement, not naming a brand:
- "Block SQL injection / web attack" → WAF or layer 7. A layer 4 firewall is the classic wrong answer: the attack rides an allowed port.
- "Detect and alert but do not disrupt traffic" → IDS, passive, on a tap/SPAN port. If the stem says block in real time, switch to IPS (active, inline); picking IDS to stop an attack is the trap.
- "Single secure entry for administrators" → jump server / bastion, not exposing RDP/SSH per host.
- "Only authenticated devices get a network port" → 802.1X with an EAP method, not MAC filtering alone.
- "Device guarding regulated data; what happens if it fails?" → fail-closed. If the stem stresses an always-on / life-safety link, fail-open may be intended; read the protected asset.
- "Consolidate firewall, IPS, AV, and filtering for a branch office" → UTM. If the stem stresses app- and identity-aware policy at an enterprise perimeter, that is NGFW.
- "Encrypt the link / remote access / site-to-site tunnel" → not this subtopic; that is Secure Communication and Network Access (VPN, TLS, IPSec, SD-WAN, SASE).
Infrastructure appliance → role → typical placement
| Appliance | Primary role | Active/passive | Typical placement |
|---|---|---|---|
| Jump server (bastion) | Single audited entry to a management zone | Active (gateway) | Edge of the management/admin subnet |
| Proxy server | Mediates and filters client→server requests | Active | Between internal clients and the internet (forward) or in front of servers (reverse) |
| IDS | Detect and alert on suspicious traffic | Passive | Tap/SPAN port, out-of-band on a monitored segment |
| IPS | Detect and block malicious traffic in real time | Active | Inline at a trust boundary |
| Load balancer | Distribute traffic; TLS/health/availability | Active | In front of a server pool / web tier |
| Sensor | Collect telemetry for monitoring/SIEM | Passive | Distributed across segments via tap/SPAN |
| WAF | Block layer 7 web-application attacks | Active | Inline in front of the public web tier |
| NGFW | Stateful + app-aware + IPS at the perimeter | Active | Inline at the network perimeter / between zones |
| UTM | All-in-one FW/IPS/AV/content filter | Active | Inline at a small-site perimeter |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- A control only acts on traffic that reaches it
Device placement is the first infrastructure-security decision, because a control can only inspect or block the traffic that physically passes it. Put filtering and inspection capabilities on the trust boundaries between security zones, where traffic crosses and trust changes; a powerful appliance off the data path sees nothing and protects nothing.
Trap Buying a high-end firewall or IPS but cabling it outside the actual traffic path, so it never inspects the flows it was meant to guard.
- Security zones group hosts by trust level
A security zone is a network segment of like trust: the untrusted internet, a public-facing screened subnet (DMZ) for internet-reachable servers, the trusted internal LAN, and a restricted management zone. Filtering controls live at the boundaries between zones, so a compromise in one zone does not flow freely into a more trusted one.
14 questions test this
- A security team discovers that malware on a compromised accounting workstation spread laterally to HR and engineering systems on the same…
- An organization hosts public-facing web servers and internal database servers on the same flat network. The security architect must allow…
- An organization places public-facing web servers on a screened subnet between an external and an internal firewall. Database servers reside…
- A security architect discovers that the web tier and database tier of a three-tier application share the same network segment, allowing…
- A security architect discovers that a compromised workstation in one department VLAN can freely communicate with servers in another…
- A security architect is designing a DMZ to host public-facing web and DNS servers. The design must ensure that a compromised DMZ server…
- A company hosts a public-facing web application. The architecture must ensure external users reach the web front-end but cannot directly…
- A security architect is designing a three-tier architecture where internet-facing web servers must be isolated from the internal database…
- An organization discovers that a compromised workstation in the accounting department scanned and accessed servers in the human resources…
- A security architect is redesigning the corporate network after malware spread laterally from the accounting department to HR across a flat…
- A company hosts internet-facing web servers and internal application servers. Web servers must be reachable from the internet, but…
- An organization hosts a public web application that queries an internal database. The security team must ensure external users reach only…
- A company hosts public-facing web servers and internal database servers on the same VLAN. A security audit finds that a compromised web…
- A penetration test reveals that a compromised workstation in the HR department can freely communicate with servers in the finance and…
- Attack surface = every reachable interface, port, service, protocol
The attack surface is the full set of boundary points an attacker can reach to enter, affect, or extract data from a system (open ports, running services, exposed protocols, and interfaces) and it grows with connectivity. The cheapest reduction is removing reachability: close unused ports, segment zones, and funnel admin access through one entry, rather than bolting on more appliances.
Trap Trying to shrink the attack surface by stacking on more security appliances, when the real reduction is removing reachability by closing unused ports and services.
- Fail-closed protects security; fail-open protects availability
An inline control's failure mode decides what survives an outage: fail-closed (fail-secure) blocks all traffic when the device dies, preserving confidentiality and integrity, while fail-open passes traffic unfiltered, preserving availability. Set a control guarding regulated or sensitive data to fail-closed; choose fail-open only where an outage must never sever a network whose uptime matters more than inspection.
Trap Defaulting an inline appliance to fail-open in front of regulated data, so a device crash silently lets unfiltered traffic straight through.
- Active blocks; passive only observes
An active device can modify or block traffic (drop a session, deny a flow) whereas a passive device only observes and reports. This attribute describes what the device is permitted to do and is independent of where it sits in the path, so blocking requires an active control regardless of placement.
Trap Conflating active/passive with inline/tap, when active versus passive describes what a device may do while inline versus tap describes where it sits in the path.
4 questions test this
- A security architect needs to deploy a network security appliance that can automatically drop malicious packets in real time before they…
- A security team is evaluating whether to deploy a network sensor in IDS mode or IPS mode. Which statement BEST describes the operational…
- A security architect needs to deploy a network appliance that can detect and automatically drop malicious packets before they reach…
- A security architect needs to deploy a network-based intrusion detection system (NIDS) to monitor traffic without affecting network…
- Inline transits traffic; tap/monitor sees a copy
Inline means traffic physically flows through the device, so it can act on each packet; tap/monitor means the device receives a copy through a network tap or switch SPAN/mirror port and can only observe. Blocking therefore needs active-plus-inline placement, while non-disruptive visibility (analysis that can never accidentally drop production traffic) comes from passive-plus-tap.
Trap Expecting a device on a tap or SPAN/mirror port to block traffic, when it only receives a copy and so can observe but never drop the live flow.
4 questions test this
- A security architect needs to deploy a network security appliance that can automatically drop malicious packets in real time before they…
- A security team is evaluating whether to deploy a network sensor in IDS mode or IPS mode. Which statement BEST describes the operational…
- A security architect needs to deploy a network appliance that can detect and automatically drop malicious packets before they reach…
- A security architect needs to deploy a network-based intrusion detection system (NIDS) to monitor traffic without affecting network…
- IDS detects and alerts; IPS blocks in real time
An IDS is passive and detective: it inspects a copied feed of traffic and raises alerts but cannot stop an attack in progress. An IPS has all of an IDS's detection ability plus the power to act: sitting inline, it drops or blocks the malicious session in real time. The deciding word is the verb: detect/alert points to an IDS, stop/block/prevent points to an IPS.
Trap Choosing an IDS to stop or block an active attack. It only watches a copy and alerts, so it can never sever the malicious flow.
3 questions test this
- A security architect needs to deploy a network security appliance that can automatically drop malicious packets in real time before they…
- A security team is evaluating whether to deploy a network sensor in IDS mode or IPS mode. Which statement BEST describes the operational…
- A security architect needs to deploy a network appliance that can detect and automatically drop malicious packets before they reach…
- Jump server = single hardened admin entry point
A jump server (bastion host) is the sole audited entry into a protected zone, usually management: admins authenticate to it and reach internal hosts from there, so SSH/RDP are never exposed per-host and every session funnels through one logged choke point. The jump server itself must be hardened and tightly scoped, since it becomes the single most valuable target.
Trap Exposing SSH/RDP directly on each internal host to ease access, which scatters management ports across the network instead of one audited gateway.
8 questions test this
- A security team mandates that administrators must not connect directly to production servers in a private subnet. Instead, all…
- An organization requires administrators to manage servers in a protected internal network zone. Direct connections from external networks…
- A security architect is designing a three-tier architecture where internet-facing web servers must be isolated from the internal database…
- An organization's security policy prohibits direct SSH connections from administrator workstations to production database servers in an…
- A security architect needs to allow administrators to manage web servers in the DMZ without exposing management ports directly to the…
- An organization requires all administrators to access production servers through a single hardened intermediary host in a dedicated…
- A company policy requires that administrators authenticate through an intermediary system before accessing production servers in a private…
- A security team deploys a hardened host in a dedicated management VLAN. Administrators must first authenticate to this host before…
- Proxy mediates requests; forward vs reverse differ by side
A proxy breaks the direct connection between client and server, accepting traffic on one side, processing it, and forwarding it on the other. A forward proxy sits between internal clients and the internet for egress filtering, caching, and content control; a reverse proxy sits in front of servers for TLS offload, hiding the origin, and distributing requests. Forward serves the clients; reverse serves the servers.
Trap Swapping the two and using a forward proxy to front and shield public servers, a job that belongs to a reverse proxy serving the server side.
- Load balancer distributes connections for availability and scale
A load balancer is active and inline in front of a server pool, spreading incoming connections across members so the service scales out and survives a member failure. It commonly also terminates TLS to offload encryption work and runs health checks, routing traffic only to members that pass them.
Trap Treating a load balancer as a security filtering control, when its job is distributing connections for availability and scale rather than inspecting or blocking attacks.
6 questions test this
- A company deploys a public-facing web application in the DMZ behind a load balancer. The security team wants to centralize TLS certificate…
- A company deploys public-facing web servers behind a load balancer. Security administrators want to reduce the TLS processing burden on the…
- A load balancer distributes traffic across four application servers. One server's web application crashes, but its operating system and…
- An organization deploys public-facing web servers behind a load balancer in its DMZ. To reduce CPU overhead on web servers while…
- An organization wants to centralize TLS certificate management and reduce the cryptographic processing burden on its backend web servers…
- An organization runs a public-facing web application across six backend servers, each maintaining its own TLS certificate. The security…
- Sensors are passive telemetry feeds for monitoring
Sensors are distributed collection points (typically passive, on taps or SPAN ports) that feed traffic telemetry to monitoring tools or a SIEM. They exist to observe and report, not to act: a sensor surfaces what is happening but does not block it, so the blocking decision belongs to an inline control downstream.
Trap Expecting a passive sensor to block or drop traffic, when its tap/SPAN copy lets it only see and report, never intervene.
- Layer 4 firewall is blind to payload content
A layer 4 (transport) firewall filters on IP address, port, protocol, and connection state (fast, but unconcerned with the content of packets). It cannot distinguish a benign HTTP request from one carrying a SQL-injection string, because both ride the same allowed port; stopping a payload-borne attack needs a layer 7 device that inspects the actual data.
Trap Reaching for a layer 4 / stateful firewall to stop SQL injection or other web-app payload attacks it physically cannot read.
- WAF is a layer 7 control for web-application attacks
A web application firewall inspects HTTP/HTTPS payloads (methods, URLs, headers, and body) to block application-layer exploits such as SQL injection and cross-site scripting, the attacks a port/IP filter cannot see. It is the right answer when the threat is a web-app payload attack; deploy it inline in front of the public web tier.
Trap Treating a WAF as a general network firewall. It specializes in HTTP/HTTPS web exploits, not broad IP/port segmentation.
- NGFW adds app awareness, identity, and IPS to stateful filtering
A next-generation firewall extends stateful layer 3–4 filtering with application awareness, user identity, deep packet inspection, and integrated intrusion prevention in a single engine. Choose it when the enterprise perimeter needs policy that decides on the actual application and user, not just IP and port, without stacking separate appliances.
Trap Picking a UTM for an app- and identity-aware enterprise perimeter, when its all-in-one branch focus lacks the deep application and identity policy an NGFW delivers.
- UTM bundles multiple security functions in one box
Unified threat management consolidates firewall, IDS/IPS, antivirus, and content/URL filtering into a single appliance and console, trading best-of-breed depth for simplicity. It fits small offices and branch sites where running and staffing separate appliances is impractical, accepting that one box doing everything is a single point of both failure and performance ceiling.
Trap Putting a single UTM at a high-throughput enterprise core, where its all-in-one inspection becomes the bottleneck and single point of failure.
- Firewall layer determines what it can decide on
Match the firewall to the decision the question demands: IP/port/state only points to a layer 4 (stateful) firewall; HTTP payload attacks point to a WAF or layer 7 device; an app- and identity-aware enterprise perimeter points to an NGFW; an all-in-one for a small or branch site points to a UTM. The layer a device reads bounds the policy it can enforce.
- Screened subnet (DMZ) isolates internet-facing hosts
A screened subnet (DMZ) is a buffer network inserted between the untrusted internet and the internal LAN, behind firewall policy, that holds internet-reachable servers like web and mail. It gives outside users restricted access to public services while shielding internal systems, so compromising a public host does not hand an attacker direct reach into the internal network.
Trap Placing internet-facing servers directly on the internal LAN, so one compromised public host opens a straight path to internal systems.
8 questions test this
- An organization hosts public-facing web servers and internal database servers on the same flat network. The security architect must allow…
- An organization places public-facing web servers on a screened subnet between an external and an internal firewall. Database servers reside…
- A security architect is designing a DMZ to host public-facing web and DNS servers. The design must ensure that a compromised DMZ server…
- A company hosts a public-facing web application. The architecture must ensure external users reach the web front-end but cannot directly…
- A security architect is designing a three-tier architecture where internet-facing web servers must be isolated from the internal database…
- A company hosts internet-facing web servers and internal application servers. Web servers must be reachable from the internet, but…
- An organization hosts a public web application that queries an internal database. The security team must ensure external users reach only…
- A company hosts public-facing web servers and internal database servers on the same VLAN. A security audit finds that a compromised web…
- Port security limits a switch port to approved MAC addresses
Port security is a layer 2 switch control that restricts which and how many MAC addresses may use a physical port, shutting down or restricting the port on a violation: the go-to control for keeping rogue devices in open wall jacks off the network. Because MAC addresses are easily spoofed, it is a basic safeguard rather than strong device authentication; 802.1X with EAP is the stronger answer when the requirement is to admit only authenticated devices.
Trap Relying on MAC-based port security as strong device authentication, when spoofing an allowed MAC defeats it. 802.1X is the real control.
5 questions test this
- A network administrator discovers that employees are connecting unauthorized personal laptops to open Ethernet wall jacks in conference…
- A network administrator discovers unauthorized laptops plugged into open switch ports in conference rooms gaining access to the internal…
- A network administrator discovers that unknown devices are being connected to open switch ports in common areas and gaining unauthorized…
- A network administrator discovers unauthorized personal devices connected to open Ethernet wall jacks in conference rooms. Which network…
- A network administrator discovers unauthorized personal devices connected to open switch ports in shared conference rooms. Which…