Vocabulary flashcards covering key terms from Lesson 9: Implementing Secure Network Designs.
CIA Triad
Confidentiality, Integrity, and Availability—the core properties guiding secure information systems and networks.
Secure Network Design
An architecture that provisions assets and services to meet CIA and reduces vulnerabilities in network topology.
PIN (Places in Network)
Cisco SAFE concept referring to types of network locations, such as campus networks, branch offices, data centers, and the cloud.
Cisco SAFE
Cisco's framework for secure network design using PINs and secure domains.
Internet Edge
Locations at the network boundary that connect to the Internet and untrusted networks.
WAN
Wide Area Network; connects distant locations beyond a single LAN.
Secure Domains
Categories of security controls in SAFE, including threat defense, segmentation, security intelligence, and management.
Single Point of Failure
A vulnerability where one component's failure can disrupt or stop the entire service.
Complex Dependencies
Situations where a service relies on many other systems, so a fault in one of them can cascade and degrade or take down the whole service.
Availability over Confidentiality/Integrity
The temptation to restore service quickly by bypassing or weakening controls, trading long-term confidentiality and integrity for short-term availability.
Documentation/Change Control
Procedures to document and authorize changes to network assets and configurations.
Perimeter Security
Security controls at the network edge; relying on them alone is risky when the internal network is flat and unsegmented, because one breach of the edge exposes every internal host.
Flat Network
A network where any host can reach any other host, reducing segmentation.
VLAN
Virtual LAN; Layer 2 segmentation creating separate broadcast domains.
Layer 2
Data Link layer; switches forward frames using MAC addresses and VLANs.
MAC Address
48-bit hardware address assigned to a network interface, used at Layer 2.
Switch
Device that forwards frames between nodes at Layer 2 and can partition its ports into VLANs.
Wireless Access Point (WAP)
Bridge between wired networks and wireless clients; operates at Layer 2.
Layer 3
Network layer; routing decisions based on IP addresses.
Router
Device that forwards packets between networks using IP addresses.
Firewall
Filters traffic with ACLs and policies, operating at Layer 3 or higher.
Load Balancer
Distributes traffic across servers or segments to improve performance and availability.
DNS
Domain Name System; resolves hostnames to IPs; a key name-resolution service.
ARP
Address Resolution Protocol; maps IP addresses to MAC addresses via requests/replies.
IPv4
32-bit IP addressing with dotted-decimal notation and subnet masks.
IPv6
128-bit IP addressing with a hierarchical structure; the high-order bits carry the network prefix and the low-order 64 bits form the interface (host) ID.
Subnet
Subdivision of an IP network defined by a prefix or subnet mask.
Broadcast Domain
A network segment where broadcast frames are delivered; often per VLAN.
East-West Traffic
Data flows between servers within a data center or cloud environment.
DMZ
Demilitarized Zone; a network segment exposing Internet-facing services while isolating the internal network.
Bastion Host
A hardened host in a DMZ with minimal services, used as a proxy or gateway.
Intranet
Private, trusted network owned/controlled by the organization.
Extranet
Semi-trusted network for partners or customers requiring authentication.
Internet/Guest Zone
Zone permitting anonymous or mixed access by untrusted hosts.
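The zone, subnet and firewall terms above describe a segmented design in which flows between zones are allowed only by explicit rule and everything else is denied. The following added example (not from the lesson or from Cisco SAFE; all addresses, zone names and rules are constructed for illustration) resolves an IP to its zone by longest-prefix match, evaluates a default-deny inter-zone policy, and shows whether two hosts talk within one broadcast domain (switched) or must cross a router (routed):

```python
import ipaddress

# Constructed zone map (illustrative prefixes only). The Internet zone is the
# catch-all 0.0.0.0/0; more specific prefixes override it.
ZONES = {
    "internet": ["0.0.0.0/0"],
    "dmz": ["203.0.113.0/24"],
    "intranet": ["10.0.0.0/8"],
    "extranet": ["172.16.0.0/12"],
}
_ZONE_NETS = [(name, ipaddress.ip_network(cidr))
              for name, cidrs in ZONES.items() for cidr in cidrs]

# Constructed VLAN subnets inside the intranet zone (one broadcast domain each).
SUBNETS = {
    "VLAN10-users": ipaddress.ip_network("10.1.10.0/24"),
    "VLAN20-servers": ipaddress.ip_network("10.1.20.0/24"),
}

# Allowed inter-zone flows as (src_zone, dst_zone, dst_port); "*" = any port.
# Deliberately no internet -> intranet rule: the DMZ fronts Internet-facing services.
POLICY = [
    ("internet", "dmz", 443),
    ("extranet", "dmz", 443),
    ("dmz", "intranet", 5432),   # web tier may reach the database tier only
    ("intranet", "dmz", "*"),
    ("intranet", "internet", 443),
]


def zone_of(ip):
    """Return the zone whose most specific prefix contains ip (longest-prefix match)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in _ZONE_NETS:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def evaluate(src_ip, dst_ip, dst_port):
    """Default-deny policy check. Returns (decision, reason)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Intra-zone traffic is not the firewall's job; a flat zone lets it all through,
        # which is exactly why segmentation inside the zone (VLANs, host ACLs) matters.
        return ("allow", f"intra-zone traffic within {src_zone}")
    for s, d, port in POLICY:
        if s == src_zone and d == dst_zone and (port == "*" or port == dst_port):
            return ("allow", f"rule {s}->{d}:{port}")
    return ("deny", f"no rule for {src_zone}->{dst_zone}:{dst_port}")


def traversal(ip_a, ip_b):
    """'switched' if both hosts share a subnet/broadcast domain, 'routed' otherwise."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    for net in SUBNETS.values():
        if a in net and b in net:
            return "switched"
    return "routed"


if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.10", 443),   # Internet -> DMZ web
                 ("198.51.100.7", "10.1.20.5", 5432),     # Internet -> internal DB
                 ("203.0.113.10", "10.1.20.5", 5432),     # DMZ web -> DB
                 ("203.0.113.10", "10.1.20.5", 22)]:      # DMZ web -> DB over SSH
        print(flow, evaluate(*flow))
    print(traversal("10.1.10.5", "10.1.10.9"), traversal("10.1.10.5", "10.1.20.5"))
```

The intra-zone branch is the point of the "Flat Network" and "Perimeter Security" entries: a perimeter firewall never sees the user-VLAN-to-server-VLAN traffic, so that path needs its own Layer 3 ACL or host-based control.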
Rogue Access Point
Unauthorized AP that can enable eavesdropping or MitM attacks.
Evil Twin
Rogue AP mimicking a legitimate AP to deceive users and capture credentials.
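A wireless IDS catches rogue and evil-twin APs by comparing what is on the air with an inventory of authorized APs. The added example below (not from the lesson; the inventory, BSSIDs and scan results are constructed) classifies each observed beacon as authorized, an evil-twin candidate (corporate SSID from an unknown BSSID), a security downgrade (known BSSID advertising weaker security than expected, which suggests a cloned BSSID), or an unknown SSID:

```python
# Constructed inventory of authorized APs, keyed by SSID.
AUTHORIZED_APS = {
    "corp-wifi": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "security": "WPA2",
    },
}

# Constructed scan results, as a passive sensor would report beacons it hears.
OBSERVED = [
    {"ssid": "corp-wifi", "bssid": "00:11:22:33:44:01", "security": "WPA2", "channel": 36},
    {"ssid": "corp-wifi", "bssid": "DE:AD:BE:EF:00:01", "security": "OPEN", "channel": 6},
    {"ssid": "corp-wifi", "bssid": "00:11:22:33:44:02", "security": "WPA2", "channel": 44},
    {"ssid": "corp-wifi", "bssid": "00:11:22:33:44:02", "security": "OPEN", "channel": 6},
    {"ssid": "Coffee_Free", "bssid": "AA:BB:CC:DD:EE:FF", "security": "OPEN", "channel": 1},
]


def classify(beacon, inventory=AUTHORIZED_APS):
    """Verdict for one beacon: authorized, evil-twin-candidate, security-downgrade, unknown-ssid."""
    entry = inventory.get(beacon["ssid"])
    if entry is None:
        return "unknown-ssid"
    if beacon["bssid"].lower() not in {b.lower() for b in entry["bssids"]}:
        return "evil-twin-candidate"
    if beacon["security"] != entry["security"]:
        # BSSID matches but the advertised security does not: an attacker cloning
        # the BSSID and running an open network to harvest clients looks like this.
        return "security-downgrade"
    return "authorized"


def scan_report(observed=OBSERVED, inventory=AUTHORIZED_APS):
    """Return one (ssid, bssid, channel, verdict) tuple per observed beacon."""
    return [(b["ssid"], b["bssid"], b["channel"], classify(b, inventory)) for b in observed]


def alerts(observed=OBSERVED, inventory=AUTHORIZED_APS):
    """Only the entries an operator should look at."""
    return [r for r in scan_report(observed, inventory) if r[3] != "authorized"]


if __name__ == "__main__":
    for row in scan_report():
        print(row)
```

Since an evil twin can clone the legitimate BSSID as well as the SSID, the BSSID allowlist alone is not conclusive; the security-downgrade and channel mismatch signals are what separate a cloned AP from the real one, and on the client side 802.1X with server-certificate validation is what stops credentials from being handed to the impostor.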
802.1X
Port-based network access control; authenticates devices before enabling a network port.
NAC (Network Access Control)
Framework for enforcing health/policy requirements before network access is granted.
Posture Assessment
Checking a device's health (antivirus, patches, firewall) against a policy.
PAC (Protected Access Credential)
A shared secret that EAP-FAST provisions to the client and then uses to build the protected TLS tunnel inside which the user's credentials are exchanged.
WPA2
Wi‑Fi Protected Access 2; uses AES-CCMP encryption for wireless security.
WPA3
Wi‑Fi Protected Access 3; SAE-based authentication and improved security features.
SAE (Simultaneous Authentication of Equals)
PAKE-based (Dragonfly) handshake used in WPA3 for key exchange; unlike the WPA2-PSK four-way handshake, a captured exchange cannot be used for an offline dictionary attack on the passphrase.
WPS (Wi-Fi Protected Setup)
A convenience method for joining devices to a wireless network, typically with an 8-digit PIN (seven digits plus a checksum digit). The registrar verifies the PIN in two halves and signals which half failed, so an attacker needs at most about 10,000 guesses for the first half and 1,000 for the second, roughly 11,000 attempts instead of 10 million. Because of this design flaw, WPS should be disabled on any enterprise or otherwise secure network.
DPP / Easy Connect
Device Provisioning Protocol; uses QR/NFC for secure Wi‑Fi provisioning, replacing WPS in many cases.
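The WPS entry above says the split verification collapses the PIN search space; the added example below makes that concrete (it is not from the lesson and contacts no real AP). It implements the WPS PIN checksum digit, simulates a registrar that answers a wrong first half and a wrong second half with distinguishable failures, and runs the two-stage brute force against it, counting the attempts. The secret PIN, the simulated NACK labels and the registrar class are constructed for the demonstration:

```python
# Offline simulation of the WPS PIN split-verification weakness (added example).
# Assumption: the registrar's failure responses let the attacker tell a wrong
# first half ("NACK after M4") from a wrong second half ("NACK after M6").


def wps_checksum(seven_digits: str) -> str:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,1,3,1,3 from the left)."""
    assert len(seven_digits) == 7 and seven_digits.isdigit()
    accum = sum((3 if i % 2 == 0 else 1) * int(ch) for i, ch in enumerate(seven_digits))
    return str((10 - accum % 10) % 10)


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == pin[7]


class SimulatedRegistrar:
    """Stand-in for an AP's WPS registrar that checks the two PIN halves separately."""

    def __init__(self, secret_pin: str):
        assert is_valid_pin(secret_pin)
        self.secret = secret_pin
        self.attempts = 0

    def verify(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.secret[:4]:
            return "NACK after M4"   # first half wrong: attacker learns this immediately
        if pin[4:] != self.secret[4:]:
            return "NACK after M6"   # first half right, second half wrong
        return "M7"                  # success: AP goes on to hand over its credentials


def crack(registrar: SimulatedRegistrar):
    """Two-stage search: fix the first half, then the second half plus checksum."""
    first = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        if registrar.verify(candidate + "0000") != "NACK after M4":
            first = candidate
            break
    if first is None:
        return None
    for j in range(1_000):            # only 3 free digits; the 8th is the checksum
        tail = f"{j:03d}"
        pin = first + tail + wps_checksum(first + tail)
        if registrar.verify(pin) == "M7":
            return pin
    return None


def search_space(split_verification: bool) -> int:
    """Worst-case guesses: 10^4 + 10^3 with the split, 10^7 valid PINs without it."""
    return 10**4 + 10**3 if split_verification else 10**7


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")   # constructed secret PIN with a valid checksum
    print(crack(ap), "after", ap.attempts, "attempts")
    print("worst case:", search_space(True), "vs", search_space(False))
```

The worst case is 11,000 registrar exchanges, which a real attacker reaches in hours even with the AP rate-limiting; this is why disabling WPS, rather than choosing a better PIN, is the fix.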