Domain 3 of 5 · Chapter 2 of 5

Infrastructure Security

Placement, zones, and the attack surface

Security controls belong at the boundaries between zones, because a boundary is where trust changes and filtering finally has something to decide. A security zone is just a network segment grouped by trust level, for example an untrusted internet zone, a public-facing DMZ (screened subnet) holding internet-reachable servers, a trusted internal LAN, and a tightly restricted management zone, and the overview already framed placement as the first design decision; here that decision becomes concrete enough to say where a given control must sit. NIST's firewall guidance frames the firewall as the device that enforces policy at these boundaries and recommends a screened-subnet design that isolates internet-facing hosts from the internal network (NIST SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy[1]); the figure below is modeled on that screened-subnet topology.

Attack surface and connectivity

The attack surface is every reachable interface, open port, running service, and protocol an adversary could target. It grows with connectivity: every additional path, exposed service, or flat (un-segmented) link adds reachable targets. The structural reductions are:

  • Segmentation into zones so a breach in the DMZ cannot reach the database tier directly.
  • Port security to refuse unauthorized devices at the switch port.
  • A single administrative entry point (a jump server) instead of management protocols exposed per-host.

Note the boundary of this subtopic: encrypting traffic that crosses an untrusted zone (VPN, TLS, IPSec, SD-WAN, SASE, tunneling) is the secure-access half of objective 3.2 and is covered in the sibling subtopic Secure Communication and Network Access. Design the placement and zones here, encrypt the links there.

Failure modes

Every inline control needs a defined behavior for when it fails:

Failure mode On device failure Optimizes for Typical fit
Fail-closed Blocks all traffic Confidentiality / integrity Security chokepoint guarding sensitive or regulated data
Fail-open Passes traffic unfiltered Availability Monitoring sensor, or an inline device whose outage must not sever the network

The exam expects you to pick the mode from the protected asset: a control in front of regulated data fails closed; a device whose failure would halt a life-safety or always-on network may fail open, accepting reduced protection to preserve availability.

Untrusted internet external firewall DMZ screened subnet: internet-facing servers internal firewall Trusted internal LAN database / app tier Management zone restricted, via jump server
Trust rises left to right: the internet reaches the DMZ via an external firewall, the DMZ reaches the internal LAN via an internal firewall, and the management zone sits apart.

Network appliances and device attributes

CompTIA objective 3.2 names a specific set of infrastructure appliances and two pairs of device attributes that describe how each interacts with traffic (CompTIA Security+ SY0-701 exam objectives[2]).

Device attributes

  • Active vs passive: an active device can modify or block traffic (drop a session, deny a flow); a passive device only observes and reports.
  • Inline vs tap/monitor: inline means traffic physically transits the device, so it can act on it; tap/monitor (a network tap or switch SPAN/mirror port) hands the device a copy, so it can only observe.

These axes are independent and they pair predictably: blocking requires active + inline; non-disruptive visibility uses passive + tap/monitor.

The appliances

  • Jump server (bastion host): a hardened single entry point into a protected zone (usually management). Admins authenticate to it, then reach internal hosts from it, so management protocols (SSH/RDP) are never exposed directly and every session is funneled through one audited choke point.
  • Proxy server: mediates requests between clients and servers. A forward proxy sits between internal clients and the internet (filtering, caching, egress control); a reverse proxy sits in front of servers (offloading TLS, hiding origin, distributing load).
  • IDS vs IPS: an Intrusion Detection System is passive/detective: it inspects a copy of traffic and alerts but cannot stop an attack. An Intrusion Prevention System is active/inline: positioned in the traffic path, it can drop or block the malicious session in real time. This detection-versus-prevention split is the core of NIST's IDPS guidance (NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)[3]).
  • Load balancer: distributes incoming connections across a server pool for availability and scale; commonly also terminates TLS and runs health checks. It is active and inline in front of the pool.
  • Sensors: distributed collection points (often passive, on taps/SPAN ports) that feed telemetry to monitoring or a SIEM.

Port security: 802.1X and EAP

Port security controls which devices may use a physical switch port. IEEE 802.1X is the port-based network access control standard: the device (supplicant) authenticates to the switch (authenticator), which relays credentials to an authentication server (typically RADIUS) before opening the port, the three-role supplicant/authenticator/authentication-server flow defined by the IEEE 802.1X standard, drawn below. The authentication conversation uses an EAP (Extensible Authentication Protocol) method. EAP is a framework, not a single method, so implementations choose a variant (for example EAP-TLS using certificates, or PEAP). Until authentication succeeds, the port passes no general traffic.

Supplicant device requesting the port EAP method Authenticator switch (the port) relays credentials Authentication server typically RADIUS On success: port opens authenticated
An 802.1X port stays closed to general traffic until the supplicant authenticates through the authenticator switch to the authentication server using an EAP method.

Firewall types: layer 4 vs layer 7, WAF, NGFW, UTM

Firewalls differ by what they can inspect, which follows the OSI/TCP-IP layer they operate at. NIST SP 800-41 Rev. 1 surveys these technologies and their relative strengths (NIST SP 800-41 Rev. 1[1]).

Layer 4 vs layer 7

  • Layer 4 (transport) filtering decides on IP addresses, ports, protocol, and, for stateful inspection, connection state. It is fast and the backbone of perimeter filtering, but it is blind to payload content: it cannot tell a benign HTTP request from one carrying a SQL-injection string, because both ride an allowed port.
  • Layer 7 (application) filtering inspects the actual payload, so it can match on HTTP methods, URLs, headers, and body content and block application-specific attacks.

The named firewall products

The figure below places each product on the inspection-layer span it covers: the layer-4 / stateful firewall in the L3–L4 band, the WAF up in the L7 band, and the NGFW and UTM stretching across the full L3–L7 span because they fold layer-4 filtering and layer-7 inspection into one engine.

Type Operates at What it adds Best fit
Layer 4 / stateful firewall L3–L4 IP/port/state filtering Fast perimeter and inter-zone filtering
WAF (web application firewall) L7 HTTP/HTTPS payload inspection Blocking web-app attacks (injection, XSS) on a public web tier
NGFW (next-generation firewall) L3–L7 App awareness, user identity, integrated IPS, deep inspection Modern perimeter needing app- and identity-aware policy
UTM (unified threat management) L3–L7 Bundles firewall + IDS/IPS + antivirus + content/URL filter in one box Small/branch sites where separate appliances are impractical

A WAF is purpose-built for web (HTTP/HTTPS) attacks and is the right answer when the threat is an application-layer web exploit a port filter cannot see. An NGFW generalizes: stateful filtering plus application awareness, identity, and intrusion prevention in one engine. UTM trades best-of-breed depth for consolidation (one appliance, one console, multiple functions), which is why it shows up in small-office scenarios.

Exam-pattern recognition

Objective 3.2 items reward matching the capability to the requirement, not naming a brand:

  • "Block SQL injection / web attack" → WAF or layer 7. A layer 4 firewall is the classic wrong answer: the attack rides an allowed port.
  • "Detect and alert but do not disrupt traffic" → IDS, passive, on a tap/SPAN port. If the stem says block in real time, switch to IPS (active, inline); picking IDS to stop an attack is the trap.
  • "Single secure entry for administrators" → jump server / bastion, not exposing RDP/SSH per host.
  • "Only authenticated devices get a network port" → 802.1X with an EAP method, not MAC filtering alone.
  • "Device guarding regulated data; what happens if it fails?" → fail-closed. If the stem stresses an always-on / life-safety link, fail-open may be intended; read the protected asset.
  • "Consolidate firewall, IPS, AV, and filtering for a branch office" → UTM. If the stem stresses app- and identity-aware policy at an enterprise perimeter, that is NGFW.
  • "Encrypt the link / remote access / site-to-site tunnel" → not this subtopic; that is Secure Communication and Network Access (VPN, TLS, IPSec, SD-WAN, SASE).
L7 application inspects payload L3–L4 transport IP / port / state Layer 4 / stateful L3–L4 only WAF L7 only NGFW spans L3–L7 UTM spans L3–L7
Firewall types by inspection layer: L4/stateful in L3–L4, WAF in L7, NGFW and UTM spanning the full L3–L7 range.

Infrastructure appliance → role → typical placement

AppliancePrimary roleActive/passiveTypical placement
Jump server (bastion)Single audited entry to a management zoneActive (gateway)Edge of the management/admin subnet
Proxy serverMediates and filters client→server requestsActiveBetween internal clients and the internet (forward) or in front of servers (reverse)
IDSDetect and alert on suspicious trafficPassiveTap/SPAN port, out-of-band on a monitored segment
IPSDetect and block malicious traffic in real timeActiveInline at a trust boundary
Load balancerDistribute traffic; TLS/health/availabilityActiveIn front of a server pool / web tier
SensorCollect telemetry for monitoring/SIEMPassiveDistributed across segments via tap/SPAN
WAFBlock layer 7 web-application attacksActiveInline in front of the public web tier
NGFWStateful + app-aware + IPS at the perimeterActiveInline at the network perimeter / between zones
UTMAll-in-one FW/IPS/AV/content filterActiveInline at a small-site perimeter

Decision tree

What does the requirement need? (filter / inspect / control access) Web-app payload attack Inspect HTTP payload? Act on traffic flow Block in real time? Restrict access Admin entry, or device on a port? Yes (L7) WAF layer 7, inline No (IP/port) Layer 4 / NGFW stateful; NGFW adds app/IPS Yes IPS active + inline No, just alert IDS / sensor passive, tap/SPAN Admin entry Jump server hardened bastion Port admit 802.1X + EAP method Always: place each control at the zone boundary, set the failure mode from the asset fail-closed to protect regulated data; encrypting the link is the secure-communication subtopic, not here

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A control only acts on traffic that reaches it

Device placement is the first infrastructure-security decision, because a control can only inspect or block the traffic that physically passes it. Put filtering and inspection capabilities on the trust boundaries between security zones, where traffic crosses and trust changes; a powerful appliance off the data path sees nothing and protects nothing.

Trap Buying a high-end firewall or IPS but cabling it outside the actual traffic path, so it never inspects the flows it was meant to guard.

Security zones group hosts by trust level

A security zone is a network segment of like trust: the untrusted internet, a public-facing screened subnet (DMZ) for internet-reachable servers, the trusted internal LAN, and a restricted management zone. Filtering controls live at the boundaries between zones, so a compromise in one zone does not flow freely into a more trusted one.

14 questions test this
Attack surface = every reachable interface, port, service, protocol

The attack surface is the full set of boundary points an attacker can reach to enter, affect, or extract data from a system (open ports, running services, exposed protocols, and interfaces) and it grows with connectivity. The cheapest reduction is removing reachability: close unused ports, segment zones, and funnel admin access through one entry, rather than bolting on more appliances.

Trap Trying to shrink the attack surface by stacking on more security appliances, when the real reduction is removing reachability by closing unused ports and services.

2 questions test this
Fail-closed protects security; fail-open protects availability

An inline control's failure mode decides what survives an outage: fail-closed (fail-secure) blocks all traffic when the device dies, preserving confidentiality and integrity, while fail-open passes traffic unfiltered, preserving availability. Set a control guarding regulated or sensitive data to fail-closed; choose fail-open only where an outage must never sever a network whose uptime matters more than inspection.

Trap Defaulting an inline appliance to fail-open in front of regulated data, so a device crash silently lets unfiltered traffic straight through.

Active blocks; passive only observes

An active device can modify or block traffic (drop a session, deny a flow) whereas a passive device only observes and reports. This attribute describes what the device is permitted to do and is independent of where it sits in the path, so blocking requires an active control regardless of placement.

Trap Conflating active/passive with inline/tap, when active versus passive describes what a device may do while inline versus tap describes where it sits in the path.

4 questions test this
Inline transits traffic; tap/monitor sees a copy

Inline means traffic physically flows through the device, so it can act on each packet; tap/monitor means the device receives a copy through a network tap or switch SPAN/mirror port and can only observe. Blocking therefore needs active-plus-inline placement, while non-disruptive visibility (analysis that can never accidentally drop production traffic) comes from passive-plus-tap.

Trap Expecting a device on a tap or SPAN/mirror port to block traffic, when it only receives a copy and so can observe but never drop the live flow.

4 questions test this
IDS detects and alerts; IPS blocks in real time

An IDS is passive and detective: it inspects a copied feed of traffic and raises alerts but cannot stop an attack in progress. An IPS has all of an IDS's detection ability plus the power to act: sitting inline, it drops or blocks the malicious session in real time. The deciding word is the verb: detect/alert points to an IDS, stop/block/prevent points to an IPS.

Trap Choosing an IDS to stop or block an active attack. It only watches a copy and alerts, so it can never sever the malicious flow.

3 questions test this
Jump server = single hardened admin entry point

A jump server (bastion host) is the sole audited entry into a protected zone, usually management: admins authenticate to it and reach internal hosts from there, so SSH/RDP are never exposed per-host and every session funnels through one logged choke point. The jump server itself must be hardened and tightly scoped, since it becomes the single most valuable target.

Trap Exposing SSH/RDP directly on each internal host to ease access, which scatters management ports across the network instead of one audited gateway.

8 questions test this
Proxy mediates requests; forward vs reverse differ by side

A proxy breaks the direct connection between client and server, accepting traffic on one side, processing it, and forwarding it on the other. A forward proxy sits between internal clients and the internet for egress filtering, caching, and content control; a reverse proxy sits in front of servers for TLS offload, hiding the origin, and distributing requests. Forward serves the clients; reverse serves the servers.

Trap Swapping the two and using a forward proxy to front and shield public servers, a job that belongs to a reverse proxy serving the server side.

2 questions test this
Load balancer distributes connections for availability and scale

A load balancer is active and inline in front of a server pool, spreading incoming connections across members so the service scales out and survives a member failure. It commonly also terminates TLS to offload encryption work and runs health checks, routing traffic only to members that pass them.

Trap Treating a load balancer as a security filtering control, when its job is distributing connections for availability and scale rather than inspecting or blocking attacks.

6 questions test this
Sensors are passive telemetry feeds for monitoring

Sensors are distributed collection points (typically passive, on taps or SPAN ports) that feed traffic telemetry to monitoring tools or a SIEM. They exist to observe and report, not to act: a sensor surfaces what is happening but does not block it, so the blocking decision belongs to an inline control downstream.

Trap Expecting a passive sensor to block or drop traffic, when its tap/SPAN copy lets it only see and report, never intervene.

Layer 4 firewall is blind to payload content

A layer 4 (transport) firewall filters on IP address, port, protocol, and connection state (fast, but unconcerned with the content of packets). It cannot distinguish a benign HTTP request from one carrying a SQL-injection string, because both ride the same allowed port; stopping a payload-borne attack needs a layer 7 device that inspects the actual data.

Trap Reaching for a layer 4 / stateful firewall to stop SQL injection or other web-app payload attacks it physically cannot read.

WAF is a layer 7 control for web-application attacks

A web application firewall inspects HTTP/HTTPS payloads (methods, URLs, headers, and body) to block application-layer exploits such as SQL injection and cross-site scripting, the attacks a port/IP filter cannot see. It is the right answer when the threat is a web-app payload attack; deploy it inline in front of the public web tier.

Trap Treating a WAF as a general network firewall. It specializes in HTTP/HTTPS web exploits, not broad IP/port segmentation.

NGFW adds app awareness, identity, and IPS to stateful filtering

A next-generation firewall extends stateful layer 3–4 filtering with application awareness, user identity, deep packet inspection, and integrated intrusion prevention in a single engine. Choose it when the enterprise perimeter needs policy that decides on the actual application and user, not just IP and port, without stacking separate appliances.

Trap Picking a UTM for an app- and identity-aware enterprise perimeter, when its all-in-one branch focus lacks the deep application and identity policy an NGFW delivers.

UTM bundles multiple security functions in one box

Unified threat management consolidates firewall, IDS/IPS, antivirus, and content/URL filtering into a single appliance and console, trading best-of-breed depth for simplicity. It fits small offices and branch sites where running and staffing separate appliances is impractical, accepting that one box doing everything is a single point of both failure and performance ceiling.

Trap Putting a single UTM at a high-throughput enterprise core, where its all-in-one inspection becomes the bottleneck and single point of failure.

Firewall layer determines what it can decide on

Match the firewall to the decision the question demands: IP/port/state only points to a layer 4 (stateful) firewall; HTTP payload attacks point to a WAF or layer 7 device; an app- and identity-aware enterprise perimeter points to an NGFW; an all-in-one for a small or branch site points to a UTM. The layer a device reads bounds the policy it can enforce.

Screened subnet (DMZ) isolates internet-facing hosts

A screened subnet (DMZ) is a buffer network inserted between the untrusted internet and the internal LAN, behind firewall policy, that holds internet-reachable servers like web and mail. It gives outside users restricted access to public services while shielding internal systems, so compromising a public host does not hand an attacker direct reach into the internal network.

Trap Placing internet-facing servers directly on the internal LAN, so one compromised public host opens a straight path to internal systems.

8 questions test this
Port security limits a switch port to approved MAC addresses

Port security is a layer 2 switch control that restricts which and how many MAC addresses may use a physical port, shutting down or restricting the port on a violation: the go-to control for keeping rogue devices in open wall jacks off the network. Because MAC addresses are easily spoofed, it is a basic safeguard rather than strong device authentication; 802.1X with EAP is the stronger answer when the requirement is to admit only authenticated devices.

Trap Relying on MAC-based port security as strong device authentication, when spoofing an allowed MAC defeats it. 802.1X is the real control.

5 questions test this

Also tested in

References

  1. Guidelines on Firewalls and Firewall Policy (SP 800-41 Rev. 1)
  2. CompTIA Security+ (SY0-701) certification
  3. Guide to Intrusion Detection and Prevention Systems (IDPS) (SP 800-94)