Domain 4 of 5 · Chapter 5 of 9

Enterprise Network Security

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Configuring filtering: firewall, web, DNS, and the OS
  • Email security: SPF, DKIM, DMARC, and the gateway
  • Endpoint and data controls: FIM, DLP, NAC, EDR/XDR, UBA

Email authentication: what each record checks

MechanismWhat it authenticatesWhere publishedChecks which identityFailure-handling role
SPFWhich sending-MTA IPs are authorized for the domainDNS TXT recordEnvelope-From / MAIL FROM (RFC5321) domainPass/fail of source IP; no action of its own
DKIMCryptographic signature over headers + body (integrity + signing domain)DNS TXT record (selector holds public key)Signing domain in the DKIM d= tagPass/fail of signature; no action of its own
DMARCAlignment of an SPF- or DKIM-passing domain with the visible FromDNS TXT record (_dmarc subdomain)Header From (RFC5322) domain, must alignSets policy none / quarantine / reject + reporting

Decision tree

What does the need call for? (block traffic / stop spoofing / watch host) Block destinations / content By name, or by page/content? (else: by port/protocol) Stop spoofing of our email domain Authenticate sending domain Watch host / data / user What is the signal source? Domain name DNS filtering block bad domains Page/URL/content Web filter proxy/agent, categories IP/port Firewall rule least-privilege ACL Spoofing SPF + DKIM + DMARC align + reject; at the gateway Host / files EDR / FIM behavior + integrity Data / user DLP / UBA data leaks / anomalies Always: signatures catch the known; pair with trend/behavioral (IDS/IPS, EDR/XDR, UBA) for novel threats choosing the appliance/placement or encrypting the link is Infrastructure / Secure Communication, not 4.5

Cheat sheet

  • Objective 4.5 is config and tuning, not appliance placement
  • Firewall ACLs evaluate top-down, first match wins
  • Firewall rules match the 5-tuple; an implicit deny ends the list
  • A screened subnet (DMZ) is enforced by firewall rules, not a box
  • Signature detection is blind to the unknown; anomaly catches novelty
  • A web filter inspects content; a DNS filter inspects only the name
  • DNS filtering stops C2 and phishing links before a connection opens
  • Group Policy centralizes Windows hardening across the domain
  • SELinux enforces mandatory access control beneath Unix permissions
  • SPF authorizes sending IPs for the envelope-from domain only
  • DKIM signs the message and proves it wasn't altered
  • DMARC adds From-header alignment, policy, and reporting on top of SPF/DKIM
  • Roll DMARC out as none, then quarantine, then reject
  • SPF passes but phishing still lands? The gap is DMARC alignment
  • The secure email gateway enforces email controls inline
  • FIM detects file tampering; it does not prevent it
  • DLP guards data in use, in motion, and at rest
  • NAC admits only authenticated, posture-compliant devices
  • EDR works one host; XDR correlates across layers
  • UBA catches the valid-credential threat
  • Domain authentication is not message-sender authentication
  • Inline IPS blocks; a passive IDS on a TAP/SPAN only watches

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Guidelines on Firewalls and Firewall Policy (SP 800-41 Rev. 1)
  2. Guide to Intrusion Detection and Prevention Systems (IDPS) (SP 800-94)
  3. Trustworthy Email (SP 800-177 Rev. 1)