Secure baseline versus hardening
A secure baseline defines the approved minimum configuration for an asset type, while hardening applies and strengthens secure settings to reduce vulnerabilities and attack surface.
Example: A server baseline requires logging and disabled unused services, and administrators implement those settings during deployment.
Memory trick: Baseline is the standard; hardening is the action.
Trick question tip: Asked what settings should exist means baseline. Asked how exposure is reduced means hardening.
Secure baseline purpose and scope
Baselines create consistent requirements across similar systems and may cover operating systems, network devices, applications, passwords, updates, encryption, logging, and endpoint protection.
Example: All managed workstations use the same approved authentication, update, and monitoring requirements.
Memory trick: Same asset type, same minimum rules.
Trick question tip: One universal baseline may not fit assets with different functions, versions, and risks.
CIS Benchmark versus STIG
CIS Benchmarks provide broadly used secure-configuration recommendations, while Security Technical Implementation Guides are DISA-developed configuration requirements for United States Department of Defense environments.
Example: A private organization uses CIS guidance, while a defense system follows an applicable STIG.
Memory trick: CIS is broad guidance; STIG is defense-focused.
Trick question tip: General industry best practices point to CIS. DISA or defense requirements point to STIG.
Configuration management and drift
Configuration-management tools deploy and maintain approved settings, while configuration drift occurs when actual settings gradually differ from the baseline.
Example: Automation restores an approved setting after an undocumented troubleshooting change.
Memory trick: Management applies the standard; drift wanders away.
Trick question tip: Automated correction is stronger than merely reporting noncompliance.
Configuration deployment versus compliance assessment
Deployment tools apply approved configurations, while compliance-assessment tools inspect systems to determine whether required settings are present.
Example: One platform configures a server, and another checks it against machine-readable baseline content.
Memory trick: Deployment sets; assessment checks.
Trick question tip: Do not confuse enforcing a baseline with measuring adherence to it.
SCAP, OpenSCAP, CIS-CAT, and SCC
SCAP is a standards framework for automated security assessment and reporting. OpenSCAP evaluates SCAP content, CIS-CAT checks CIS Benchmarks, and SCC measures compliance with STIG guidance.
Example: An organization chooses the assessment tool that matches the baseline it must evaluate.
Memory trick: OpenSCAP for SCAP, CIS-CAT for CIS, SCC for STIG.
Trick question tip: SCAP is not one scanner; it is a collection of standards used by compatible tools.
Hardening activities
Hardening includes changing default credentials, applying patches, disabling unnecessary services and interfaces, restricting permissions, using secure protocols, enabling logs, and physically protecting equipment.
Example: A new router receives a unique administrator credential, encrypted management, disabled unused ports, and centralized logging.
Memory trick: Change, patch, disable, restrict, log.
Trick question tip: Hardening is ongoing because settings, software, threats, and business requirements change.
Network-device versus server hardening
Network-device hardening emphasizes protected management, ACLs, disabled interfaces, port security, and logging, while server hardening emphasizes service reduction, patching, host firewalls, endpoint protection, and strong account controls.
Example: A switch restricts its management plane, while a server removes an unnecessary application service.
Memory trick: Network devices control traffic; servers protect hosted services.
Trick question tip: Both require secure baselines, changed defaults, least privilege, monitoring, and physical security.
Secure management protocols
Administrative traffic should use encrypted protocols such as SSH and HTTPS instead of plaintext alternatives such as Telnet and HTTP.
Example: A router permits encrypted command-line and browser management only from an approved administrator network.
Memory trick: Protect the path used to manage the system.
Trick question tip: SSH replaces Telnet, and HTTPS replaces HTTP for secure remote management.
Management-plane restriction
Management-plane restriction limits administrative access to approved identities, devices, interfaces, and networks.
Example: Only hardened administrator workstations on a management segment can configure a core switch.
Memory trick: Only trusted systems manage the device.
Trick question tip: Restricting normal user traffic is data-plane control; restricting device administration protects the management plane.
Wireless site survey and heat map
A site survey measures coverage, signal strength, interference, channel use, and environmental conditions, while a heat map visually displays those measurements across a floor plan.
Example: Measurements reveal a weak conference-room signal behind a dense wall, leading to access-point relocation.
Memory trick: Survey measures; heat map shows.
Trick question tip: Use a site survey before placement and after installation to validate the design.
Wireless coverage and cell overlap
Wireless coverage is the area with a usable authorized signal. Controlled overlap supports roaming, too little overlap creates dead zones, and too much overlap can increase interference.
Example: Adjacent access points overlap enough for a mobile device to transition without losing connectivity.
Memory trick: Some overlap roams; too little gaps; too much interferes.
Trick question tip: The goal is controlled overlap, not zero overlap or maximum power everywhere.
Wireless bands
The 2.4 GHz band generally offers greater range and compatibility but more interference, while 5 GHz and 6 GHz offer more channel capacity with shorter effective range and stricter compatibility.
Example: Older or distant devices use 2.4 GHz while modern high-capacity clients use higher bands.
Memory trick: Lower travels farther; higher has more space.
Trick question tip: Microwave appliances and many consumer devices can interfere with 2.4 GHz.
Wireless channel interference
Co-channel interference occurs when nearby devices compete on the same channel, while adjacent-channel interference occurs when partially overlapping channels disrupt each other.
Example: Nearby access points are assigned separated channels based on site-survey measurements.
Memory trick: Same channel competes; overlapping channels collide.
Trick question tip: Proper channel reuse addresses co-channel congestion, while nonoverlapping selection addresses adjacent-channel interference.
Channel bonding
Channel bonding combines channel space to create a wider channel and increase potential throughput, but it consumes more spectrum and can increase interference.
Example: A wide channel performs well in an uncrowded area but causes congestion in a dense office.
Memory trick: Wider lane, fewer lanes for everyone else.
Trick question tip: More bandwidth is not automatically better in a crowded wireless environment.
Wireless interference sources
Dense walls, metal, elevators, reflective surfaces, motors, microwave appliances, and other radio equipment can weaken, reflect, or disrupt wireless signals.
Example: Wireless performance drops during lunch when a nearby microwave appliance is heavily used.
Memory trick: Physical objects block; electronics create radio noise.
Trick question tip: A problem occurring only at a certain time may point to an environmental interference source rather than a configuration failure.
SSID versus BSSID
The SSID is the human-readable wireless network name, while the BSSID is the MAC address identifying a specific access-point radio.
Example: Several access points broadcast one company SSID but each uses a different BSSID.
Memory trick: SSID names the network; BSSID identifies the radio.
Trick question tip: Roaming commonly uses one SSID across multiple BSSIDs.
Rogue access point versus evil twin
A rogue access point is an unauthorized wireless access point, while an evil twin deliberately imitates a trusted network name to trick users into connecting.
Example: Monitoring discovers an unapproved access point broadcasting the same name as the corporate network.
Memory trick: Rogue does not belong; evil twin pretends to belong.
Trick question tip: A stronger deceptive signal using a familiar SSID strongly suggests an evil twin.
Wireless monitoring
Wireless monitoring detects unauthorized access points, suspicious clients, interference, policy violations, and unusual radio activity.
Example: A monitoring system alerts administrators to a new BSSID inside the facility.
Memory trick: Watch the airwaves.
Trick question tip: Monitoring is detective; encryption and authentication are preventive.
WEP, WPA, WPA2, and WPA3
WEP is insecure, WPA with TKIP is obsolete, WPA2 commonly uses AES with CCMP, and WPA3 provides stronger modern protection using features such as SAE.
Example: An organization disables WEP and WPA and configures supported devices for WPA3.
Memory trick: WEP broken, WPA temporary, WPA2 strong, WPA3 stronger.
Trick question tip: Choose WPA3 when asked for the strongest supported modern wireless security option.
RC4, TKIP, CCMP, and GCMP
WEP and early WPA relied on RC4, WPA added TKIP as a temporary improvement, WPA2 standardized AES-CCMP, and WPA3 can use stronger modern protection including GCMP.
Example: A wireless upgrade removes RC4 and TKIP support and uses an approved AES-based mode.
Memory trick: RC4 and TKIP are old; CCMP and GCMP are modern.
Trick question tip: TKIP is not considered an acceptable modern wireless-security choice.
WPS versus DPP or Wi-Fi Easy Connect
WPS simplifies device enrollment but PIN-based WPS is vulnerable to brute-force attacks. Device Provisioning Protocol, marketed as Wi-Fi Easy Connect, uses QR codes or NFC for safer provisioning.
Example: A headless connected device is enrolled by scanning its approved QR code instead of using a WPS PIN.
Memory trick: WPS PIN is weak; Easy Connect uses modern provisioning.
Trick question tip: Disabling WPS reduces attack surface, especially when the PIN method is enabled.
PSK versus SAE
A pre-shared key uses one shared wireless secret, while Simultaneous Authentication of Equals is a password-authenticated key exchange used by WPA3-Personal that resists offline guessing and supports forward secrecy.
Example: A home network upgrades from WPA2-Personal with a shared key to WPA3-Personal with SAE.
Memory trick: PSK shares one secret; SAE proves the password without exposing a reusable verifier.
Trick question tip: WPA2-Personal points to PSK, while WPA3-Personal points to SAE.
WPA3 transition mode
Transition mode permits both WPA2 and WPA3 clients for compatibility, while WPA3-only mode provides stronger security by removing legacy negotiation.
Example: An organization temporarily supports older devices but plans to remove transition mode.
Memory trick: Transition helps compatibility but permits downgrade risk.
Trick question tip: When all devices support WPA3, WPA3-only mode is the stronger choice.
Open Wi-Fi versus Enhanced Open
Ordinary open Wi-Fi provides no shared authentication secret and normally no link encryption, while Enhanced Open uses Opportunistic Wireless Encryption to encrypt each client's traffic without a password.
Example: A public guest network provides encrypted wireless sessions without requiring a shared passphrase.
Memory trick: Open is unprotected; Enhanced Open encrypts without login.
Trick question tip: Enhanced Open provides encryption but does not authenticate the network or user like enterprise Wi-Fi.
Personal versus enterprise Wi-Fi
Personal mode uses a shared passphrase, while enterprise mode uses individual user or device credentials with 802.1X, EAP, and centralized RADIUS authentication.
Example: A household shares one wireless secret, while each employee signs in with a unique credential.
Memory trick: Personal shares; enterprise identifies each user.
Trick question tip: Individual accountability and dynamic per-session keys point to enterprise mode.
802.1X roles
In 802.1X, the supplicant requests access, the authenticator controls the switch port or wireless connection, and the authentication server validates credentials.
Example: A laptop authenticates through a wireless access point to a RADIUS server.
Memory trick: Supplicant asks, authenticator guards, server checks.
Trick question tip: The access point or switch is the authenticator; it is not usually the server that verifies the user's credential.
EAP and EAPoL
EAP is an authentication framework supporting multiple methods, and EAP over LAN carries EAP messages between the supplicant and authenticator before normal network access is allowed.
Example: An access point passes authentication exchanges to a central service while blocking ordinary traffic.
Memory trick: EAP defines the method; EAPoL carries it on the local network.
Trick question tip: 802.1X uses EAP, but EAP is not one specific credential type.
EAP-TLS versus PEAP and EAP-TTLS
EAP-TLS uses certificates for mutual authentication, while PEAP and EAP-TTLS create a protected outer tunnel and authenticate the user inside it.
Example: A high-security network issues client certificates for EAP-TLS, while another uses protected username authentication.
Memory trick: EAP-TLS certificates both sides; PEAP and TTLS tunnel inner credentials.
Trick question tip: EAP-TLS is commonly the strongest choice but requires certificate deployment and lifecycle management.
RADIUS and AAA
RADIUS provides centralized authentication, authorization, and accounting for network access. The network device acts as the RADIUS client and passes requests to the server.
Example: A wireless controller forwards an employee's authentication request and later sends session records.
Memory trick: RADIUS checks, permits, and records.
Trick question tip: RADIUS commonly uses port 1812 for authentication and authorization and 1813 for accounting.
RADIUS messages
Access-Request begins authentication, Access-Challenge requests more proof, Access-Accept permits access with attributes, and Access-Reject denies access.
Example: A server requests an additional factor before returning an acceptance decision.
Memory trick: Request, challenge, accept, reject.
Trick question tip: The RADIUS server makes the decision; the network device enforces the returned result.
PAP, CHAP, and EAP
PAP sends reusable credentials with weak protection, CHAP uses a challenge-response process, and EAP is an extensible framework that can support stronger certificate or tunneled methods.
Example: An enterprise wireless design selects an approved EAP method rather than legacy PAP.
Memory trick: PAP is plain, CHAP challenges, EAP extends.
Trick question tip: Modern enterprise wireless authentication generally favors strong EAP methods.
Network Access Control (NAC)
NAC identifies users and devices, evaluates security posture, and grants, restricts, redirects, quarantines, or denies network access according to policy.
Example: A laptop missing required updates receives only remediation access.
Memory trick: NAC checks who, what, and how healthy.
Trick question tip: A user may authenticate successfully but still receive limited access because the device is noncompliant.
NAC posture assessment
Posture assessment checks conditions such as operating-system version, patch level, endpoint protection, encryption, management status, and required security software.
Example: A connecting device must show current patches and active endpoint protection before full access.
Memory trick: Posture asks whether the device is healthy enough.
Trick question tip: Authentication checks identity; posture assessment checks security condition.
NAC enforcement outcomes
NAC may allow full access, assign restricted access, deny connection, or place the device in a quarantine or remediation network.
Example: A suspicious device is isolated where it can obtain approved updates but cannot reach business systems.
Memory trick: Healthy enters; unhealthy repairs; dangerous stays out.
Trick question tip: A guest VLAN provides intentionally limited visitor access, while a quarantine VLAN isolates noncompliant devices for remediation.
Dynamic VLAN assignment
NAC can place a device into a VLAN dynamically based on identity, device type, posture, location, or role.
Example: A managed employee laptop enters the corporate VLAN while an approved guest device enters the guest VLAN.
Memory trick: NAC decides the segment at connection time.
Trick question tip: Static assignment is manually fixed; dynamic assignment changes according to policy.
Agent-based versus agentless NAC
Agent-based NAC uses software on the endpoint for deeper and continuous posture visibility, while agentless NAC uses network observation or remote checks without installing an endpoint agent.
Example: Managed laptops use persistent agents, while unmanaged guest devices are identified through network methods.
Memory trick: Agent sees deeper; agentless deploys easier.
Trick question tip: Agent-based NAC offers detail but increases deployment effort; agentless NAC has broader compatibility but less endpoint visibility.
Persistent versus nonpersistent NAC agent
A persistent agent remains installed for ongoing monitoring, while a nonpersistent or dissolvable agent runs temporarily during assessment and then is removed.
Example: Corporate devices use continuous agents, while a temporary contractor device runs a one-time posture check.
Memory trick: Persistent stays; nonpersistent checks and leaves.
Trick question tip: Continuous reauthorization and posture monitoring favor persistent agents.
Agentless NAC discovery methods
Agentless NAC can use DHCP fingerprinting, network scanning, device profiling, WMI or remote queries, vulnerability-scanner integration, and log analysis.
Example: The system classifies a connected device from its network behavior and management information.
Memory trick: Observe, query, and profile without installing software.
Trick question tip: Agentless methods may misclassify devices and should be validated with multiple signals.
Continuous NAC monitoring
NAC can monitor devices after admission and reauthorize, restrict, or quarantine them when identity, behavior, or compliance changes.
Example: A laptop loses full access after its endpoint protection becomes disabled.
Memory trick: Check before and watch after.
Trick question tip: NAC is not limited to a one-time connection decision.
Access Control List (ACL)
A network ACL is an ordered set of permit or deny rules that filters traffic using fields such as source, destination, protocol, and ports.
Example: A router permits management connections only from an approved administration segment.
Memory trick: ACL = ordered traffic permission list.
Trick question tip: A firewall may use ACL-style rules, but advanced firewalls can also track state and inspect applications.
Network five-tuple
The five-tuple consists of source address, destination address, source port, destination port, and protocol.
Example: A rule matches traffic from one client address and source port to a server address and destination service over TCP.
Memory trick: Source, destination, two ports, protocol.
Trick question tip: The five-tuple describes a network flow and is a common basis for firewall and ACL decisions.
ACL order and first-match processing
ACLs commonly process rules from top to bottom and apply the first matching rule, so specific rules should precede broader rules.
Example: A narrow management permit appears before a general deny rule.
Memory trick: Specific first; first match wins.
Trick question tip: A broad earlier rule can shadow a later rule and make it ineffective.
Implicit deny and default-deny policy
An implicit deny blocks traffic that matches no permit rule, while an explicit final deny documents and may log the same default-deny policy.
Example: Required traffic is permitted and all unmatched traffic is blocked.
Memory trick: Allow what is needed; deny the rest.
Trick question tip: Default deny is safer than default allow because new or forgotten traffic is blocked automatically.
Ingress versus egress filtering
Ingress filtering controls traffic entering a network or zone, while egress filtering controls traffic leaving it.
Example: A firewall blocks spoofed inbound private addresses and prevents servers from sending unauthorized outbound mail.
Memory trick: Ingress comes in; egress exits.
Trick question tip: Egress filtering helps detect malware communication, data exfiltration, and policy violations.
Anti-spoofing rules
Anti-spoofing rules reject traffic whose source address is impossible or inappropriate for the interface or direction where it appears.
Example: An internet-facing interface drops inbound packets claiming to originate from an internal private address.
Memory trick: Source address must make sense for where it arrived.
Trick question tip: Private internal addresses arriving from an external network strongly indicate spoofing.
Screened subnet
A screened subnet, also called a DMZ or perimeter network, isolates public-facing services from the internal network through controlled firewall boundaries.
Example: A public web server is placed between external and internal security controls with only required connections allowed.
Memory trick: Public services stay in a buffer zone.
Trick question tip: Internet-facing systems should not be placed directly on the trusted internal network.
IDS versus IPS
An IDS passively detects and alerts on suspicious activity, while an IPS is inline and can actively block, drop, reset, or otherwise disrupt malicious traffic.
Example: A mirrored sensor reports an attack, while an inline device terminates the connection.
Memory trick: IDS barks; IPS bites.
Trick question tip: Alert only means IDS. Automatic blocking or connection reset means IPS.
IDS and IPS placement
An IDS normally receives copied traffic from a TAP or mirror port, while an IPS must be inline so traffic passes through it.
Example: A network sensor analyzes mirrored packets without delaying production traffic, while an IPS examines every packet before forwarding it.
Memory trick: IDS watches beside the road; IPS stands in the road.
Trick question tip: Inline IPS protection can become a bottleneck or single point of failure without resilient design.
Host-based versus network-based IDS and IPS
Host-based tools monitor files, processes, logs, local authentication, and configuration on one endpoint, while network-based tools observe traffic patterns across monitored segments.
Example: A host sensor detects a registry change and a network sensor detects scanning across many systems.
Memory trick: Host is deep and narrow; network is wide and less detailed.
Trick question tip: Encrypted traffic and local-only activity limit network sensors, while host tools require deployment on each protected endpoint.
HIDS capabilities
A HIDS can perform file-integrity monitoring, registry or configuration monitoring, process analysis, local-login review, rootkit detection, and log analysis.
Example: A host sensor alerts when a protected system file changes unexpectedly.
Memory trick: HIDS watches what happens inside the host.
Trick question tip: Activity that generates no network traffic is best detected by host-based monitoring.
Signature, anomaly, and protocol detection
Signature detection matches known attack patterns, anomaly or behavioral detection finds deviations from a learned baseline, and protocol detection identifies traffic that violates expected protocol rules.
Example: One rule matches a known exploit, another flags unusual data transfer, and another detects malformed protocol fields.
Memory trick: Known pattern, unusual behavior, broken protocol.
Trick question tip: Signatures are precise for known threats; anomaly methods can detect unknown threats but often create more false positives.
False positive versus false negative
A false positive labels legitimate activity as malicious, while a false negative fails to detect real malicious activity.
Example: A tuned rule stops alerting on an approved scanner while preserving detection of actual attacks.
Memory trick: False positive cries wolf; false negative misses danger.
Trick question tip: IPS false positives can block legitimate traffic, while false negatives create a false sense of security.
IDS and IPS ruleset management
Rules must be updated from trusted sources, transmitted securely, tested, tuned, documented, and reviewed to balance detection with availability.
Example: A new signature is staged and validated before deployment to inline prevention systems.
Memory trick: Update, test, tune, trust.
Trick question tip: Untested IPS rules can cause outages, while stale rules may miss current attacks.
IDS and IPS analysis components
Sensors collect traffic or events, the analysis engine interprets the data, and the ruleset defines conditions and responses.
Example: A sensor forwards packet details, the engine matches them to a rule, and the system creates an alert.
Memory trick: Sensor sees, engine thinks, rules guide.
Trick question tip: Collection and interpretation are separate functions even when one appliance performs both.
IDS and IPS response options
An IDS may ignore, log, or alert, while an IPS can also block packets, reset connections, or temporarily block a source.
Example: Low-priority activity is logged, suspicious traffic alerts analysts, and confirmed malicious traffic is blocked.
Memory trick: Ignore, log, alert, block.
Trick question tip: An alert needs investigation; it is not automatic proof that an attack succeeded.
Snort, Suricata, OSSEC, and Security Onion
Snort and Suricata are network IDS or IPS engines, OSSEC is primarily host-based monitoring, and Security Onion integrates multiple monitoring and analysis tools into one platform.
Example: An organization uses a network engine for packet detection, host agents for file changes, and a central platform for correlation.
Memory trick: Snort and Suricata watch networks; OSSEC watches hosts; Security Onion combines views.
Trick question tip: Suricata supports high-performance multithreaded analysis and can use many Snort-compatible rules.
NBAD, UEBA, and NTA
Network Behavior and Anomaly Detection models normal network behavior, User and Entity Behavior Analytics correlates user and entity activity across sources, and Network Traffic Analysis focuses on traffic patterns and communications.
Example: Analytics flags an account logging in from distant locations and transferring unusual amounts of data.
Memory trick: NBAD learns the network, UEBA learns users and entities, NTA studies traffic.
Trick question tip: UEBA commonly combines authentication, logs, IDS, and SIEM data rather than relying on one sensor.
Behavioral model limitations
Behavior-based tools require training, tuning, and periodic updates because legitimate behavior changes over time and attackers may attempt baseline poisoning.
Example: A new business process initially creates alerts until the model learns the approved pattern.
Memory trick: A baseline must learn and keep learning.
Trick question tip: Training periods and behavior drift can produce false positives or false negatives.
Trend analysis and alert fatigue
Trend analysis reviews repeated alerts and changes over time to identify increasing attacks, frequently targeted systems, rule problems, and resource needs. Alert fatigue occurs when excessive low-value alerts reduce analyst attention.
Example: A rising pattern of reconnaissance alerts leads to rule tuning and additional protection for one service.
Memory trick: Trends reveal patterns; too many alerts hide them.
Trick question tip: Tune noisy rules and prioritize actionable alerts rather than simply generating more notifications.
Web filtering
Web filtering controls access to online content using destination, category, content, file type, reputation, and organizational policy.
Example: A company blocks known malicious content and prohibited categories while allowing approved business use.
Memory trick: Web filter decides which online content may be reached.
Trick question tip: Web filtering reduces risk but does not replace endpoint protection, email security, training, or incident response.
Agent-based versus centralized web filtering
Agent-based filtering runs on the endpoint and can protect off-network devices, while centralized proxy filtering applies policy at a shared network control point.
Example: Managed laptops remain filtered remotely, while office traffic passes through a company proxy.
Memory trick: Agent follows the device; proxy controls the shared path.
Trick question tip: Agent-based controls improve roaming coverage but require endpoint deployment and management.
Web-filter criteria
Web filters can use URL allowlists and blocklists, categories, domains, IP addresses, keywords, file types, content inspection, and reputation scores.
Example: A policy blocks newly registered malicious destinations and executable downloads.
Memory trick: Name, category, content, file, reputation.
Trick question tip: Reputation-based filtering can respond to newly identified threats faster than static lists alone.
Web filtering and DLP
Web filtering can support Data Loss Prevention by blocking uploads, posts, or access to destinations commonly used for unauthorized data transfer.
Example: A policy prevents sensitive records from being uploaded to an unapproved hosted service.
Memory trick: Filter what leaves as well as what enters.
Trick question tip: Blocking malicious downloads protects endpoints; blocking sensitive uploads protects data confidentiality.
HTTPS inspection
HTTPS inspection decrypts approved encrypted sessions at a trusted security control, examines the content, and re-encrypts it before forwarding.
Example: A company proxy inspects protected web traffic for malware using an organization-trusted inspection certificate.
Memory trick: Decrypt, inspect, re-encrypt.
Trick question tip: HTTPS inspection creates privacy, performance, certificate-management, and trust risks and should follow policy and legal requirements.
Overblocking versus underblocking
Overblocking prevents legitimate content and creates false positives, while underblocking permits prohibited or malicious content and creates false negatives.
Example: A policy is tuned after it blocks an approved research resource but misses a newly malicious destination.
Memory trick: Overblocking blocks too much; underblocking blocks too little.
Trick question tip: Exceptions should be documented and reviewed so they do not create permanent security gaps.
DNS filtering versus web filtering versus firewall filtering
DNS filtering blocks name resolution, web filtering evaluates destinations and content, and firewall filtering primarily controls network connections and services.
Example: DNS blocks a known malicious name, a web filter blocks a harmful download, and a firewall permits only approved secure-web traffic.
Memory trick: DNS blocks the name, web filtering judges the content, firewall controls the connection.
Trick question tip: Allowing secure-web traffic through a firewall does not mean every destination or download should be trusted.
Network security defense in depth
Secure baselines, hardening, wireless protection, NAC, ACLs, firewalls, IDS or IPS, analytics, and web filtering provide complementary layers.
Example: A device uses approved configuration, authenticates through enterprise Wi-Fi, passes NAC posture checks, and remains monitored after admission.
Memory trick: Standardize, restrict, authenticate, inspect, monitor.
Trick question tip: No single network-security capability provides complete prevention, detection, and response.