Network security is where a lot of Security+ candidates lose points they could have won. Not because the concepts are obscure — most of them are firewalls, IDS/IPS, VPNs, the usual suspects. The problem is that the exam almost never asks "what is an IPS." It asks which control stops a specific attack in a specific scenario. That's a different skill than memorizing definitions, and network security is where the gap shows up most.
This post covers the network security topics you actually need for the SY0-701 exam. Not all of them get equal space. Firewalls and IDS/IPS eat a disproportionate share of questions, so they get more room. Some of the other topics I'll move through quickly — if you've done any IT work at all, you already know half of what would fill those sections.
What the Exam Actually Tests
Security+ network questions lean on three things. You need to know which tool fits which threat (a WAF doesn't save you from a volumetric DDoS, and an IDS doesn't block anything). You need to recognize network design patterns that contain damage — segmentation, DMZs, zero trust. And you need to spot attack signatures when they're buried inside a scenario question.
One pattern I've noticed with people who fail Domain 3 questions: they pick the technically correct tool, but miss that the question was really about design intent. A question asking "what minimizes lateral movement after compromise" isn't about firewalls — it's about segmentation and zero trust principles. Learn to read the question before you reach for the answer.
Firewalls: Where Most People Lose Points
Firewalls show up constantly on Security+, usually in "which type would you use here" questions. Here's the working knowledge you need:
| Type | Operates At | What Makes It Different |
|---|---|---|
| Packet-filtering | Layer 3/4 | Stateless. Looks at headers only. Fast, dumb, still useful at the edge. |
| Stateful | Layer 3/4 + connection state | Tracks conversations. Inbound traffic has to match an established flow. |
| NGFW | Up to Layer 7 | Application-aware. Can block specific actions inside allowed protocols. |
| WAF | Layer 7, HTTP/HTTPS only | Sits in front of web apps. Catches SQL injection, XSS, command injection. |
The distinction between stateful and NGFW trips people up more than it should. A stateful firewall sees that traffic is HTTPS to port 443. An NGFW sees that the HTTPS traffic is a file upload to Google Drive specifically, and can block that while allowing HTTPS to other destinations. That's the difference — granularity at the application layer.
WAFs are where a lot of candidates stumble. A WAF is not a "better firewall." It's a specialized tool that only understands web traffic. It won't help you against a volumetric DDoS, won't protect non-HTTP services, and won't replace your perimeter firewall. On the exam, if the question mentions SQL injection, XSS, or web app protection specifically, the answer is almost always WAF.
Expect scenario questions like: "An organization wants to block employees from uploading files to personal cloud storage without blocking cloud storage entirely." That's an NGFW question — stateful can't do that, WAF is the wrong scope.
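To make the "inbound must match an established flow" distinction concrete, here is a small simulation (added example, not code from the original post). Addresses are constructed from the RFC 5737 documentation ranges; the rule logic is a deliberately simplified model of each firewall type, not any vendor's implementation.

```python
from dataclasses import dataclass

INTERNAL_NET = "192.0.2."  # constructed: the inside network (RFC 5737 range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag: a new connection request
    ack: bool = False  # TCP ACK flag: claims to be part of a conversation

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)

def stateless_filter(pkt: Packet) -> str:
    """Packet filter: headers only, no memory. Inbound is allowed only when it
    *looks* like a reply (ACK set, SYN clear), which any sender can assert."""
    if is_internal(pkt.src):
        return "allow"
    if pkt.ack and not pkt.syn:
        return "allow"
    return "deny"

class StatefulFirewall:
    """Remembers outbound flows; inbound must match one that was really opened."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            # Record the outbound 4-tuple so the genuine reply can be matched later.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # swap the two ends
        return "allow" if reverse in self.flows else "deny"

def demo() -> dict:
    fw = StatefulFirewall()
    outbound = Packet("192.0.2.10", 51000, "198.51.100.5", 443, syn=True)
    reply = Packet("198.51.100.5", 443, "192.0.2.10", 51000, ack=True)
    # Unsolicited inbound with ACK set, aimed at RDP: no matching flow exists.
    forged = Packet("203.0.113.9", 443, "192.0.2.10", 3389, ack=True)
    return {name: (stateless_filter(p), fw.filter(p))
            for name, p in [("outbound", outbound), ("reply", reply), ("forged", forged)]}
```

The forged packet is the point: the stateless filter allows it because the header says "reply", while the stateful firewall denies it because no inside host ever opened that conversation.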
IDS vs IPS
If you only memorize one distinction for the exam, make it this one. IDS detects and alerts. IPS detects and blocks.
An IDS sits off to the side (typically getting a copy of traffic through a SPAN port or network tap). It watches, it logs, it fires alerts. It does not drop packets. An IPS sits inline — traffic flows through it — so it can actually stop an attack while it's happening.
That inline placement matters for the scenario questions. "An attack just happened and we need to know which control would have prevented it" — that's IPS. "We want visibility without any risk of breaking production traffic" — that's IDS. A common trap: the question describes an IDS detecting an attack that then succeeded, and asks what went wrong. The answer isn't "the IDS was broken." The IDS did its job. You needed an IPS to block.
Both systems use the same two detection methods: signature-based (fast and accurate for known threats, blind to new ones) and anomaly-based (catches unknowns but generates false positives). HIDS vs NIDS is worth knowing at a surface level — host-based watches one system, network-based watches the wire — but the signature vs anomaly distinction shows up more often on the test.
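The IDS/IPS and signature/anomaly distinctions side by side, as an added example that is not from the original post. The traffic, the signature strings and the rate threshold are all constructed for illustration; a real sensor learns its anomaly baseline from observed normal traffic.

```python
from collections import Counter

# Constructed sample traffic, one request per line: src,dst,dport,payload
SAMPLE_TRAFFIC = """\
203.0.113.7,192.0.2.20,80,GET /index.html
203.0.113.7,192.0.2.20,80,GET /login.php?user=' OR 1=1--
198.51.100.4,192.0.2.20,80,GET /about.html
198.51.100.4,192.0.2.20,80,GET /../../etc/passwd
203.0.113.9,192.0.2.20,80,GET /?q=1
203.0.113.9,192.0.2.20,80,GET /?q=2
203.0.113.9,192.0.2.20,80,GET /?q=3
203.0.113.9,192.0.2.20,80,GET /?q=4
203.0.113.9,192.0.2.20,80,GET /?q=5
"""

# Signature-based: exact strings for known attacks (fast, blind to variants).
SIGNATURES = {"sqli": "' OR 1=1", "path-traversal": "../"}
# Anomaly-based: more requests than this from one source is "unusual" for the
# constructed baseline (assumption for the example).
RATE_THRESHOLD = 4

class Sensor:
    """mode='ids' only alerts and forwards everything (it sees a copy via a
    SPAN port or tap); mode='ips' is inline and drops packets that alerted."""

    def __init__(self, mode: str) -> None:
        assert mode in ("ids", "ips")
        self.mode = mode
        self.seen = Counter()  # per-source request count for the anomaly check

    def inspect(self, line: str) -> list[str]:
        src, _dst, _port, payload = line.split(",", 3)
        self.seen[src] += 1
        alerts = [f"signature:{name}" for name, s in SIGNATURES.items() if s in payload]
        if self.seen[src] > RATE_THRESHOLD:
            alerts.append("anomaly:rate")
        return alerts

    def run(self, traffic: str) -> dict:
        alerts, forwarded, dropped = [], 0, 0
        for line in traffic.strip().splitlines():
            hits = self.inspect(line)
            alerts.extend(hits)
            if hits and self.mode == "ips":
                dropped += 1    # inline: the packet never reaches the host
            else:
                forwarded += 1  # out-of-band IDS cannot stop anything
        return {"alerts": alerts, "forwarded": forwarded, "dropped": dropped}
```

Both modes raise exactly the same three alerts; only the IPS changes what reaches the server, which is the exam's "the IDS did its job, you needed an IPS" point.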
VPNs, Briefly
You probably already know what a VPN does. What the exam cares about is which type fits the scenario and whether you know IPSec modes.
Remote access VPN connects a single user's device to the corporate network. Site-to-site connects two networks — typically a branch to HQ, or a corporate network to a cloud VPC. Remote access often uses SSL/TLS VPN (browser-friendly, punches through most firewalls) or IPSec. Site-to-site almost always uses IPSec.
The IPSec modes question comes up a lot. Tunnel mode encrypts the entire packet, including the original header, and wraps it in a new header. That's what you want for site-to-site, because the original IP addresses are private and shouldn't be routable on the internet. Transport mode encrypts only the payload, leaving the original header visible. That's for host-to-host encryption where routing still needs to work normally. Mix these up on the exam and you'll lose a question you should have won.
Segmentation and Zero Trust
This is the section I'd spend the most time on if I were preparing today. Segmentation and zero trust questions are scenario-heavy, and the exam keeps adding weight here because the industry has.
Network segmentation is the "don't put everything on one flat network" principle. VLANs, DMZs, and air gaps are the classic tools. VLANs are logical separation on shared hardware — a finance VLAN and a manufacturing VLAN can coexist on the same switches but can't talk to each other without going through a Layer 3 device you control. A DMZ is the zone you put public-facing stuff in, so a compromised web server doesn't give the attacker a direct path to your internal file shares. Air gaps are physical isolation — no network connection at all. Rare in practice, but they come up for industrial control systems and classified environments.
Zero trust is a different mental model. Traditional network security assumed "inside the firewall = trusted." Zero trust assumes nothing is trusted, ever, even if it's already inside. Every access request gets verified. Every user, device, and session is checked continuously, not just at login.
The pieces that make zero trust work:
- Identity-based access, not network-location-based
- Microsegmentation (granular zones, often per-workload)
- Continuous authentication and device posture checking
- Encryption everywhere, including east-west traffic inside the network
- Heavy logging and monitoring, because you're assuming breach
Here's the scenario pattern to watch for: "An attacker compromises an employee laptop. What prevents them from pivoting to the database server?" If the answer options include "firewall rules based on source IP," that's the trap. The zero trust answer is continuous verification plus microsegmentation plus device compliance checks. An attacker on a compromised-but-authenticated laptop still fails the device posture check and still can't reach resources they aren't explicitly authorized for.
If this is new to you, it's worth reading our guide to the Security+ exam domains for where zero trust sits in the broader objectives — it shows up in both Domain 3 (architecture) and Domain 4 (operations).
Network Access Control (NAC)
NAC is the gatekeeper that checks devices before they're allowed on the network. 802.1X is the standard — it authenticates the device (and often the user) at the port level before any traffic flows. Plug an unauthorized laptop into a conference room jack and 802.1X keeps it in a quarantine VLAN or refuses the connection entirely.
Agent-based NAC puts software on the endpoint, which reports patch status, AV state, disk encryption, and so on. Agentless NAC only does authentication — cheaper to deploy, less visibility. Pair NAC with segmentation and you've got the backbone of a zero trust network control plane.
Network Attacks You'll See on the Exam
The attack list is long, but the patterns are recognizable once you've seen them a few times.
On-path attacks (the exam's preferred term, replacing "man-in-the-middle") include ARP poisoning on local networks and SSL stripping on web traffic. ARP poisoning works because the protocol has no authentication — attackers just claim to be the gateway and traffic flows their way. The defense is dynamic ARP inspection on your switches. SSL stripping downgrades HTTPS to HTTP between victim and attacker; HSTS prevents it by making browsers refuse the downgrade.
DNS attacks show up in three main forms. DNS poisoning injects bad records into a resolver's cache. DNS amplification spoofs the victim's IP in queries to open DNS servers, which then flood the victim with large responses — that's a DDoS technique, not an availability issue for DNS itself. Domain hijacking is registrar-level and usually involves compromised registrar credentials rather than DNS protocol attacks. DNSSEC addresses poisoning by signing records; it doesn't help with amplification or hijacking.
DDoS comes in three flavors you should be able to distinguish:
- Volumetric — raw bandwidth exhaustion. UDP floods, ICMP floods, DNS amplification. Needs upstream filtering or a scrubbing service.
- Protocol — exploits state handling. SYN floods are the classic. Defenses are at the network stack and firewall.
- Application-layer — looks like legitimate traffic. HTTP floods, Slowloris. WAFs and rate limiting matter here; upstream bandwidth filtering won't help.
Matching attack type to defense is a common exam pattern. A volumetric attack isn't stopped by a WAF. An application-layer attack isn't stopped by upstream scrubbing.
Wireless attacks cluster around rogue infrastructure and deauth frames. Evil twin APs impersonate legitimate networks (same SSID, stronger signal) and grab credentials or run on-path attacks. Rogue APs are unauthorized access points inside your network — someone plugged a consumer router into a conference room jack. Deauth attacks kick users off legitimate APs so they reconnect to the evil twin. WPA3, wireless IDS, and 802.1X authentication are the main defenses.
Protocols: Know the Insecure Ones
The exam likes to ask you to pick a secure replacement for an insecure protocol. Memorize this short list:
| Don't Use | Use Instead | Why |
|---|---|---|
| Telnet | SSH | Telnet sends credentials in plaintext. |
| HTTP | HTTPS | No encryption, no authentication. |
| FTP | SFTP or FTPS | Plaintext credentials and data. |
| SNMP v1/v2c | SNMP v3 | v1 and v2c use cleartext community strings. |
That's most of what the exam tests here. If a scenario mentions sniffing credentials off the wire or transmitting sensitive data, and one of the insecure protocols is in the question, that's your answer.
Email Authentication: SPF, DKIM, DMARC
Email spoofing is everywhere, and the exam wants you to know the three protocols that work together to stop it.
SPF is a DNS record listing which IPs are allowed to send mail for your domain. It's cheap to set up, easy to break (it fails on forwarded mail), and provides no cryptographic guarantee: it's just a source-IP check.
DKIM signs outgoing mail with a private key. The recipient fetches the public key from your DNS and verifies the signature. This proves the mail actually came from your domain and wasn't modified in transit. Stronger than SPF, but on its own it doesn't tell receivers what to do with mail that fails.
DMARC is the policy layer on top. It tells receiving servers how to handle mail that fails SPF or DKIM — none (monitor), quarantine, or reject. It also sends aggregate reports back to you so you can see who's spoofing your domain.
On the exam: if the question is about proving an email wasn't tampered with, DKIM. If it's about which servers are allowed to send, SPF. If it's about enforcing policy and getting reports, DMARC.
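How the three fit together in practice, as an added example that is not from the original post: a receiver-side DMARC evaluation that takes the SPF and DKIM results, checks identifier alignment against the From: domain, and applies the published policy. The record and messages are constructed with documentation domains, and the organizational-domain helper is simplified to the last two labels (real receivers use the Public Suffix List).

```python
def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers consult the Public Suffix List for cases like co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"),
            "adkim": tags.get("adkim", "r"),  # relaxed alignment is the default
            "aspf": tags.get("aspf", "r")}

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    if mode == "s":  # strict: exact match with the From: domain
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(record: str, from_domain: str,
                   spf_result: str, mail_from_domain: str,
                   dkim_result: str, dkim_d: str) -> dict:
    """Return the DMARC verdict and the disposition the receiver should apply."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, policy["adkim"])
    passed = spf_ok or dkim_ok  # DMARC needs at least one *aligned* pass
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"]}

# Constructed record: strict DKIM alignment, relaxed SPF alignment, reject policy.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

# 1) Forwarded mail: SPF fails (forwarder's IP) but the DKIM signature survives.
FORWARDED = dmarc_evaluate(RECORD, "example.com", "fail", "forwarder.example.net",
                           "pass", "example.com")
# 2) Spoofed From: the sender's own SPF and DKIM pass, but for an unaligned domain.
SPOOFED = dmarc_evaluate(RECORD, "example.com", "pass", "other.example.net",
                         "pass", "other.example.net")
# 3) Subdomain sender: d=mail.example.com fails strict adkim, but the MAIL FROM
#    under relaxed aspf still aligns, so DMARC passes.
SUBDOMAIN = dmarc_evaluate(RECORD, "example.com", "pass", "mail.example.com",
                           "pass", "mail.example.com")
```

Case 2 is the one the exam is really asking about: SPF and DKIM can both "pass" for a spoofed message, and it is DMARC's alignment check plus the published policy that turns that into a reject.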
How to Study This for the Exam
Reading about these concepts isn't enough. What actually works:
Draw the network. Sit down with a blank page and sketch a corporate network with internet edge, DMZ, internal VLANs, and a database segment. Mark where the firewall goes. Mark where an IDS would sit. Mark where a WAF would sit. When you see a scenario question, you're mentally overlaying it on your drawing.
Practice with scenarios, not flashcards. Flashcards will teach you that an IPS blocks threats. They won't teach you to spot the question that's really testing whether you understand why an IPS solves a specific problem an IDS can't. Work through scenario-style practice questions and pay attention to why the right answer is right. Our post on Security+ practice questions goes deeper on that approach.
Don't try to memorize the protocol table. Learn the shape of the replacement — insecure versions transmit credentials in cleartext, secure versions encrypt. You'll get the specific mappings right by understanding the pattern.
And if you haven't already built a study schedule, network security is a domain that rewards spaced repetition more than cramming. The week-by-week Security+ study plan has a structure that gives these topics their own block instead of burying them inside a generic review week.
Where to Start
If you're not sure whether you're actually weak on this domain or just feel uncertain because it's a lot of material, don't guess. A diagnostic will tell you in about 15 minutes — where you're fine, where you need real work, and whether network security is actually your biggest gap or whether something else (cryptography, IAM, risk) is going to hurt you more.
LearnZapp has a free one, no signup: Security+ diagnostic test. You get a per-domain breakdown at the end, which is usually more useful than another hour of reading.