CISSP Domain 4: Communication and Network Security - The Complete Guide

CISSP Domain 4, Communication and Network Security, is one of the largest domains on the exam (13%) and the most familiar territory for candidates from a network-engineering background. That familiarity is the trap. Domain 4 questions look like CCNP-style technical items, but the right answers are written from a security-architect perspective. The exam wants you to reason about networks the way attackers do - and to design for containment when, not if, an attacker gets in.

This guide collects the 14 in-depth Domain 4 articles on Threat on the Wire into one structured reference. Use it as a study path or a topic index. Every article assumes you know the basics of networking and want clarity on how the (ISC)² CBK expects you to apply security thinking on top.

What Domain 4 is really testing

CISSP lens: the right answer designs for containment. Choose the option that segments, monitors, and limits blast radius - not the one that adds another perimeter device.

Domain 4 has two big themes. First, the architectural one: how to design networks that contain attacks instead of spreading them. Second, the operational one: how to choose, configure, and monitor the controls (firewalls, IDS/IPS, NAC, VPN) that defend traffic in motion.

You will be tested on:

  • Network security fundamentals: OSI/TCP-IP layering, common protocols, attacker reconnaissance.
  • Secure network design: segmentation, micro-segmentation, defence-in-depth zones.
  • Firewalls, proxies, and gateways: choosing the right type for the job.
  • IDS/IPS and traffic analysis: signature, anomaly, and behavioural detection.
  • Routing and switching hardening on infrastructure devices.
  • Secure protocols: TLS, IPsec, SSH, S/MIME, DNSSEC.
  • Wireless security: WPA3, EAP, rogue APs.
  • VoIP and real-time communications.
  • Network access control and remote connectivity (VPN, SASE).
  • Cloud and hybrid network connectivity.
  • Network attacks and the controls that stop them.
  • Network operations and change management.

How Domain 4 fits into the rest of the CBK

Domain 4 sits between the engineering principles of Domain 3 and the operational practices of Domain 7. The cryptography you learn in Domain 3 powers the secure protocols here. The monitoring and incident-response material in Domain 7 starts with the network telemetry described in Domain 4.

If a Domain 7 incident-response question hinges on what your IDS captured, you are answering it with Domain 4 reasoning. The lines between the domains blur in scenario questions; that is intentional.

Core concepts at a glance

Concept | What it is | Why it matters on the exam
--- | --- | ---
Defence in depth | Layered network controls (perimeter, segment, host, application) | The default architectural answer in Domain 4
Segmentation | Splitting the network so an attacker cannot move freely | Tested in containment scenarios; preferred over flat networks
Stateful firewall | Tracks connection state to allow return traffic | The default firewall type for most use cases
NGFW | Adds application awareness, IPS, threat intel to a firewall | Tested as the modern enterprise perimeter device
IDS | Detects suspicious traffic, alerts on it | Read-only; informs without blocking
IPS | Detects and blocks suspicious traffic in line | Higher risk of false positives causing outages
TLS / IPsec / SSH | Confidentiality and integrity for traffic | Each fits a different layer; the exam tests the choice
NAC | Network Access Control: identity-aware policy at the port | 802.1X is the standard; tested with onboarding scenarios
VPN | Encrypted tunnel for remote or site-to-site access | Site-to-site = IPsec. Remote access = SSL/TLS or IPsec
Zero Trust | "Never trust, always verify"; no implicit network trust | The architectural direction the exam increasingly favours
SASE | Secure Access Service Edge: cloud-delivered network security | Tested in modern remote-work scenarios

Network fundamentals and the attacker view

Every Domain 4 answer is shaped by how an attacker would view the same network. Network Security Fundamentals: Seeing Your Network the Way Attackers Do is the foundation: layers, protocols, common port footprints, and the reconnaissance patterns that turn a stranger into an insider.

Then read Network Attacks and Countermeasures: From Scanning to Man in the Middle. The exam tests both ends of the chain: the attack vocabulary (DoS, MITM, ARP spoofing, DNS poisoning, session hijacking) and the controls that stop each one.

Secure network design and segmentation

Segmentation is the single most-tested architectural concept in Domain 4. The exam wants you to default to "split the network into zones with controlled boundaries" rather than "add another firewall to the existing flat network." The reasoning is containment: a flat network is one ransomware infection away from full compromise; a well-segmented network gives defenders time and visibility to respond.

Read Secure Network Design and Segmentation: Containing Attacks Before They Spread. Pair it with Secure Routing, Switching, and Network Services for the device-level hardening that makes segmentation actually enforceable.

Segmentation quick rules

  • Separate by trust level. Internet-facing, partner-facing, internal, and management traffic each deserve their own segments.
  • Separate by data classification. Restricted data lives behind stricter boundaries than internal data.
  • Separate by function. User workstations, servers, OT/ICS systems, and IoT devices each behave differently and threaten differently.
  • Default deny between segments. Allow only the connections that are documented and required.
  • Inspect at the boundaries. Each inter-segment boundary is a chokepoint where you can monitor and block.
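The quick rules above are easiest to reason about as a policy you can query. The following is an added example, not code from the guide or from Threat on the Wire: it models a handful of zones, compares a flat network (no boundaries) with a default-deny allow list, and computes the blast radius an attacker gets from a single compromised zone. The zone names, ports and rule justifications are constructed for the illustration; the undocumented-rule check implements the "documented and required" rule directly.

```python
"""Zone-based segmentation model: flat network versus default-deny zones."""
from collections import deque

# Constructed zones, split by trust level and function as the quick rules suggest.
ZONES = ["internet", "dmz", "users", "servers", "ot", "mgmt"]

# Flat network: no inter-zone boundaries at all.
FLAT_POLICY = None

# Segmented network: each allow rule is (src_zone, dst_zone, dst_port) with a
# one-line justification. Anything not listed is denied. All values constructed.
SEGMENTED_POLICY = {
    ("internet", "dmz", 443): "public web tier",
    ("dmz", "servers", 5432): "web tier to database",
    ("users", "dmz", 443): "staff use of the web portal",
    ("users", "servers", 443): "internal HR application",
    ("mgmt", "dmz", 22): "out-of-band administration",
    ("mgmt", "servers", 22): "out-of-band administration",
    ("mgmt", "ot", 22): "",  # allowed but undocumented: the audit below flags it
}


def permitted(policy, src, dst, port):
    """Default deny: a flow crosses a zone boundary only if a rule allows it."""
    if src == dst:
        return True  # traffic inside a zone never crosses a boundary
    if policy is None:
        return True  # flat network: there is no boundary to enforce
    return (src, dst, port) in policy


def blast_radius(policy, compromised_zone):
    """Zones reachable by an attacker who owns a host in compromised_zone,
    hopping through any permitted inter-zone connection (BFS over zones)."""
    seen = {compromised_zone}
    queue = deque([compromised_zone])
    while queue:
        cur = queue.popleft()
        for dst in ZONES:
            if dst in seen:
                continue
            if policy is None or any(s == cur and d == dst for s, d, _ in policy):
                seen.add(dst)
                queue.append(dst)
    return sorted(seen)


def undocumented_rules(policy):
    """Allow rules with no recorded justification; each is a candidate for removal."""
    return sorted(rule for rule, why in (policy or {}).items() if not why.strip())


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: compromised workstation can reach {blast_radius(policy, 'users')}")
    print("undocumented rules:", undocumented_rules(SEGMENTED_POLICY))
```

Under the flat policy a compromised user workstation reaches every zone, including OT and management; under the segmented policy it reaches only the zones the allow list opens (DMZ and servers), and the management rule with no justification surfaces as a finding to fix before it becomes the path an attacker uses.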

Firewalls, proxies, and network gateways

The exam tests firewall taxonomy more than most candidates expect. Firewalls, Proxies, and Network Gateways: Choosing the Right Gatekeeper for the Job walks through the family tree: packet filter, stateful inspection, application proxy, NGFW, WAF, web proxy, email gateway, and where each fits.

Picking the right gatekeeper

Situation | Right gatekeeper | Why
--- | --- | ---
Internet edge, general traffic | NGFW | Application awareness + IPS in one device
Web app behind the perimeter | WAF | Inspects HTTP semantics; stops OWASP-style attacks
Web browsing outbound | Web proxy / SWG | Inspects URL category, file content, malware
Inbound email | Email gateway / Secure email | Anti-phishing, attachment sandboxing, DMARC
Inter-segment internal traffic | Internal stateful firewall | Lower throughput, stricter rules, segment-aware
Cloud workload | Native cloud firewall + NGFW VM | Native = identity-aware; NGFW = consistency with on-prem

IDS, IPS, and traffic analysis

IDS and IPS are the eyes of the network defence stack. The exam tests three things: the difference between detection and prevention modes, the detection methods (signature, anomaly, heuristic), and the placement decisions that determine whether you see attacks at all.

Network Monitoring, IDS/IPS, and Traffic Analysis: Seeing Attacks in Motion covers the topic in depth. Expect at least one Domain 4 question that hinges on "the IDS detected the attack but did not block it" - which is correct behaviour, because IDS is detection, not prevention.

Secure protocols and encrypted communications

The exam expects fluency with the modern secure-protocol stack. Secure Protocols and Encrypted Communications: Choosing TLS, IPsec, SSH, and More is the reference for which protocol fits which job.

Picking the right protocol

Goal | Use | Why
--- | --- | ---
Web traffic confidentiality | TLS 1.2 or 1.3 | The web's encryption layer; mature and widely supported
Site-to-site VPN | IPsec | Layer-3 tunnel; standard for office-to-office or office-to-cloud
Remote-access VPN | SSL/TLS VPN or IPsec | SSL/TLS passes through firewalls more easily; IPsec for full network-layer access
Remote shell management | SSH | Encrypted shell with strong identity and key auth
Email confidentiality + auth | S/MIME or PGP | Per-message; works end-to-end
DNS integrity | DNSSEC | Authenticates DNS responses; does not provide confidentiality
DNS confidentiality | DNS-over-HTTPS / DNS-over-TLS | Hides DNS queries from on-path observers

Wireless, VoIP, and real-time communications

Wireless networks have to balance convenience with control. Wireless Network Security: Keeping the Convenience Without Losing Control covers WPA3, enterprise authentication via 802.1X / EAP, rogue AP detection, and the wireless-specific attack patterns (deauth, evil twin, KARMA).

Real-time communications - VoIP, video conferencing, SIP-based telephony - have their own threat model: eavesdropping, toll fraud, denial of service. VoIP, Real-Time Communications, and Secure Collaboration covers the controls (SRTP, ZRTP, signalling protection) and the architectural choices that stop most attacks.

NAC, VPN, and remote connectivity

Letting people in safely is its own subdomain. Network Access Control, VPNs, and Remote Connectivity: Letting People In Safely covers 802.1X-based NAC, posture assessment, VPN architectures, and the modern Zero-Trust-Network-Access (ZTNA) approaches that increasingly replace blanket VPN.

The infrastructure devices that enforce these controls also need protecting. Securing Network Infrastructure Devices: Routers, Switches, and Load Balancers as Security Assets covers device hardening, management-plane separation, and the credential and configuration controls that prevent the network itself from becoming the attack surface.

Cloud and hybrid network connectivity

Cloud and Hybrid Network Connectivity: Extending Your Network Without Extending Your Risk covers the architectures that connect on-premise networks to cloud providers: VPN, dedicated interconnect (Direct Connect, ExpressRoute, Cloud Interconnect), and SASE. The exam tests the trade-offs - cost, latency, security, complexity - and increasingly favours SASE-style designs for new deployments.

Network operations and change management

The most common cause of network outages is a misconfigured change pushed without enough review. Network Security Operations and Change Management: Keeping the Lights On Without Opening Holes ties Domain 4 to the operational discipline of Domain 7. Change windows, peer review, rollback plans, and post-change verification are tested as both Domain 4 and Domain 7 topics.

Real-world architect scenarios

A network architect is asked to design connectivity for a new SaaS platform. The technical instinct is to set up an IPsec VPN to AWS and call it done. The architect instinct is layered. First, identify the data classifications crossing the link and what each requires. Second, decide between site-to-site VPN, dedicated interconnect (Direct Connect or ExpressRoute), and SASE - each has different trade-offs. Third, define segmentation: what goes through the link and what stays in the cloud-only zone. Fourth, design monitoring: how do you see suspicious traffic in the new path? Fifth, plan failure: what happens when the link goes down at 2am on a Sunday? Domain 4 questions reward this layered, lifecycle-aware design.

A second example: an architect is reviewing a flat /16 corporate network with 3,000 endpoints. The technical instinct is to push for VLANs everywhere. The architect instinct starts with the threat model: what are we trying to contain? Lateral movement during a ransomware event. From there, segmentation maps to threat classes - user workstations one zone, servers another, OT/ICS isolated, management traffic on a separate plane. Then VLANs, ACLs, and microsegmentation tools become implementation choices. The right answer to "we just had a ransomware incident, what next" is rarely "buy NGFW"; it is "segment the network so this cannot happen again."

Common exam traps in Domain 4

  • Picking IDS when the question wants prevention. IDS detects; IPS prevents. Read the question carefully.
  • Confusing TLS and IPsec layers. TLS works at the transport layer (per-app); IPsec works at the network layer (per-device or per-tunnel). The right one depends on what you are trying to protect.
  • Choosing site-to-site VPN for remote-user access. Site-to-site = office to office. Remote access = user to office. The exam will offer the wrong VPN type as a distractor.
  • Calling an NGFW a stateful firewall. An NGFW is application-aware; a stateful firewall is layer 3-4. Both inspect state, but the question may hinge on the application-awareness layer.
  • Ignoring management-plane security. Out-of-band management, ACLs on the management interface, and credential separation are common Domain 4 answers when the question is about device hardening.
  • Treating Zero Trust as a product. Zero Trust is an architectural philosophy. ZTNA, micro-segmentation, identity-aware proxies, and SASE are implementations of it. The exam tests the philosophy and the implementations separately.

The full Domain 4 reading order

Network fundamentals and attacks

  1. Network Security Fundamentals
  2. Network Attacks and Countermeasures

Design and segmentation

  1. Secure Network Design and Segmentation
  2. Secure Routing, Switching, and Network Services
  3. Securing Network Infrastructure Devices

Perimeter and traffic inspection

  1. Firewalls, Proxies, and Network Gateways
  2. Network Monitoring, IDS/IPS, and Traffic Analysis

Protocols and encryption

  1. Secure Protocols and Encrypted Communications

Access and remote connectivity

  1. Network Access Control, VPNs, and Remote Connectivity

Wireless and real-time

  1. Wireless Network Security
  2. VoIP, Real-Time Communications, and Secure Collaboration

Cloud and hybrid

  1. Cloud and Hybrid Network Connectivity

Operations and change management

  1. Network Security Operations and Change Management

Exam scenario practice

  1. Domain 4 Exam Scenario Deep Dive

Threat on the Wire publishes a long-form pillar for every CISSP domain. The eight domains are interlocked - mastering any one of them is easier when you can see how it connects to the others. Here's how this domain relates to the other seven, with a one-line summary of the relationship and a link to the pillar.

Pillar | How it relates to this domain
--- | ---
Domain 1: Security and Risk Management | Network design choices flow from the risk decisions made in Domain 1.
Domain 2: Asset Security | Data classification dictates segmentation requirements covered here.
Domain 3: Security Architecture and Engineering | Cryptography from Domain 3 powers the secure protocols used in the network.
Domain 5: Identity and Access Management | NAC and 802.1X bridge the network layer to identity in Domain 5.
Domain 6: Security Assessment and Testing | Network testing - vulnerability scans, penetration tests - is a Domain 6 activity.
Domain 7: Security Operations | Network monitoring telemetry feeds Domain 7 detection and response.
Domain 8: Software Development Security | Application network design integrates with the SDLC in Domain 8.

For the full CISSP overview, exam structure, and 12-week study plan, see the CISSP Study Hub.

Frequently asked questions

How much of the CISSP exam covers Domain 4?

Domain 4 is weighted at 13% of the exam. Out of roughly 100-150 items, expect 13-20 from Domain 4. The architectural reasoning bleeds into Domain 7 questions about operations and Domain 3 questions about cryptography, so the practical exam footprint is larger than the headline weight suggests.

When should I pick IDS over IPS?

Pick IDS when the question emphasises detection without disruption: high-availability environments, networks where false positives carry real cost, or scenarios where forensic capture matters more than blocking. Pick IPS when the question emphasises stopping the attack before it reaches the asset: internet-edge enterprise networks, hardened DMZs, segments where the cost of a successful attack outweighs occasional false-positive blocking. Many real environments deploy both, with IPS at the perimeter and IDS deeper inside.

Is segmentation the same as adding a firewall?

No. A firewall is a control point. Segmentation is the architectural practice of splitting a network into zones, between which firewalls (or ACLs, or microsegmentation tools) enforce boundaries. Adding a firewall to a flat network does not segment it - it just adds another control point at the perimeter. The exam tests this distinction in scenario questions about lateral movement.

What is the difference between SSL/TLS VPN and IPsec VPN for remote access?

SSL/TLS VPNs run over standard HTTPS ports and tunnel application traffic, often via a browser or thin client. They are easier to deploy through firewalls and intermediate networks and well-suited to specific-application access (web apps, RDP gateways). IPsec VPNs operate at the network layer and give the user a full IP-level connection to the corporate network - useful when the user needs broad access (file shares, internal subnets) but harder to deploy through restrictive networks.

Is Zero Trust the same as SASE?

No. Zero Trust is an architectural philosophy: never trust based on network location, always verify identity and device posture for each request. SASE (Secure Access Service Edge) is a cloud-delivered architecture that combines network and security functions (SD-WAN, SWG, CASB, ZTNA, FWaaS) at the edge. SASE is one way to implement Zero Trust at scale, but Zero Trust can also be implemented with on-premise tools, identity-aware proxies, or microsegmentation. The exam will test the relationship between the two.

Key takeaways

  • Domain 4 is the network-security domain. Its right answers favour containment, segmentation, and identity-aware design over more perimeter devices.
  • Segmentation is the most-tested architectural concept. Default to "split the network into zones with controlled boundaries."
  • Firewall taxonomy matters: packet filter, stateful, NGFW, WAF, web proxy, email gateway each fit different jobs. The exam tests the choice.
  • IDS detects; IPS prevents. Read each question carefully to decide which the scenario calls for.
  • Secure protocols pair to jobs: TLS for web, IPsec for site-to-site, SSH for shell, S/MIME or PGP for email, DNSSEC and DoH/DoT for DNS.
  • Zero Trust is a philosophy; SASE, ZTNA, and microsegmentation are implementations. The exam tests the difference.
  • Network operations matter as much as design. Change management, monitoring, and post-change verification are tested as Domain 4 topics.

If you take one thing away from Domain 4, take this: design the network for the day an attacker is already inside it, and the exam answers tend to write themselves.

© 2025 Threat On The Wire. All rights reserved.