Secure Enterprise Infrastructure
Place devices in the right zone, pick the right firewall, secure the right access path — from 802.1X at the jack to SASE at the cloud edge.
Secure infrastructure is an exercise in placement. Every device sees only the traffic its location allows — a WAF in front of a web server, an IPS inline with the traffic you must police, a jump server as the single controlled path into a sensitive zone. Choosing controls is 20% of the problem; putting them in the right place and configuring the right failure mode is the other 80%.
Four hinges drive most 3.2 answers: (1) which zone a system belongs in (DMZ, internal, management, OT, guest); (2) which firewall handles it (L4 stateful for port/protocol, L7/NGFW for application, WAF for HTTP only, UTM for SMB all-in-one); (3) what kind of tunnel carries its traffic (TLS at the session, IPSec at the network, SD-WAN/SASE at the edge); (4) who authenticates at the jack (802.1X with EAP for port-based network access control). When the scenario names the protocol, zone, or traffic type, the architecture almost writes itself.
Device placement and security zones. Placement defines capability. A firewall at the perimeter filters inbound traffic from untrusted networks; the same firewall inside a data center enforces zone boundaries. Common zones: perimeter/external, DMZ for internet-facing services, internal for business systems, management for admin access, OT for industrial/operational tech, and guest for visitor traffic. Each zone gets its own policy; a box in the wrong zone sees too much or too little traffic.
Attack surface. The aggregate of everything externally reachable. Reduce it by closing unused ports, disabling unused services, pruning exposed APIs, and removing default credentials. The smaller the surface, the less there is to patch, monitor, and defend.
Connectivity. Site-to-site VPN (usually IPSec) connects branch to HQ. MPLS is a carrier-managed private WAN. Direct-connect services (AWS Direct Connect, Azure ExpressRoute) give private low-latency links to cloud providers.
Failure modes. Fail-open means a device fault lets all traffic through unfiltered (availability first). Fail-closed means a device fault blocks all traffic (security first). Most enterprise firewalls fail closed. Inline IPS deployments on availability-critical segments often choose fail-open, usually implemented with a hardware bypass NIC that bridges the two ports when the appliance loses power or its software wedges. Whichever you pick, alert on the bypass state: a fail-open device that has silently failed is a segment with no protection at all.
Device attributes. Active devices modify or block traffic (firewall, IPS); passive devices only observe (IDS, network tap). Inline devices sit in the traffic path and can block; tap/monitor devices mirror traffic and can only alert. If a scenario says “must block” you need an inline active device; if it says “must observe without impact” you need a tap or SPAN.
Network appliances. A jump server (bastion host) is the single controlled path for admins to reach a sensitive zone — no direct admin connections from user workstations. Proxies come in two flavors: a forward proxy sits between clients and the internet (filtering, logging, caching); a reverse proxy sits in front of servers (TLS termination, load balancing, caching). IDS vs IPS: both detect; only IPS blocks. Load balancers distribute traffic across backend pools — L4 (TCP) or L7 (HTTP) — and often handle SSL offload and health checks. Sensors are taps, SPAN ports, and host agents feeding a SIEM.
Port security: 802.1X and EAP. 802.1X is port-based Network Access Control (NAC): a device must authenticate before the switch (or access point) opens the port to the LAN. Three roles: the supplicant (the device), the authenticator (the switch or AP, which only relays), and the authentication server (RADIUS), which makes the decision. EAP (Extensible Authentication Protocol) is the framework carried inside 802.1X; the switch is EAP-agnostic and hands the exchange to RADIUS. Common methods: EAP-TLS (mutual certificate authentication, strongest, needs a PKI to issue device certificates), PEAP (server certificate only; a TLS tunnel protects an inner method, usually MSCHAPv2 passwords), and EAP-TTLS (a similar tunnel with more flexible inner methods). Practical checks: decide which VLAN an unauthenticated or failed device lands on (guest/quarantine versus no access), and treat MAC Authentication Bypass for printers and IoT as the weak point it is, since a MAC address is trivially spoofed. Wrong-answer pattern on the exam: confusing 802.1X (port auth) with 802.11 (wireless).
Firewall types. Layer 4 (stateful packet) firewall: port/protocol based; tracks connection state so return traffic for an admitted flow passes without an explicit rule, while unsolicited inbound packets do not. Layer 7 firewall / NGFW: application-aware and user-aware, identifies and blocks specific applications regardless of port; usually bundles threat intel, IPS, and URL filtering. Web Application Firewall (WAF): HTTP/HTTPS only; it inspects decoded URLs, headers and bodies for OWASP Top 10 patterns (SQLi, XSS, CSRF), so it must terminate TLS or sit behind whatever does. Unified Threat Management (UTM): all-in-one bundle (firewall + IDS + AV + URL + VPN) aimed at small/mid-size orgs. The exam tests matching the right tool to the scenario: HTTP app protection → WAF; broad enterprise L7 → NGFW; SMB one-box → UTM; port/protocol enforcement → L4.
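The stateful part of the L4 firewall, zone placement, and the failure mode can all be seen in a few dozen lines. This is an added Python example written for this page, not a product configuration or code from the original: the zone names, addresses, ports and rule table are constructed, and the `StatefulZoneFirewall`, `Rule` and `Packet` names are assumptions of the example.

```python
# Added example, not from the page: a toy stateful L4 zone firewall in Python.
# Zone names, addresses, ports and the rule table are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]    # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == p.src_zone and self.dst_zone == p.dst_zone
                and self.proto == p.proto and self.dport in (None, p.dport))


@dataclass
class StatefulZoneFirewall:
    rules: List[Rule]
    fail_mode: str = "closed"       # "closed" = security first, "open" = availability first
    healthy: bool = True            # set False to simulate an appliance fault
    _state: Set[Tuple] = field(default_factory=set)   # admitted 5-tuples

    def decide(self, p: Packet) -> str:
        # A dead appliance has no policy and no state: only the failure mode decides.
        if not self.healthy:
            return "PASS:fail-open" if self.fail_mode == "open" else "DROP:fail-closed"
        fwd = (p.src_ip, p.sport, p.dst_ip, p.dport, p.proto)
        rev = (p.dst_ip, p.dport, p.src_ip, p.sport, p.proto)
        # Return traffic for a flow already admitted needs no rule of its own.
        if fwd in self._state or rev in self._state:
            return "PASS:state"
        if any(r.matches(p) for r in self.rules):
            self._state.add(fwd)    # new flow admitted by policy: remember it
            return "PASS:policy"
        return "DROP:no-rule"


def demo() -> List[str]:
    fw = StatefulZoneFirewall(rules=[
        Rule("internal", "dmz", "tcp", 443),    # users reach the web tier
        Rule("dmz", "internal", "tcp", 5432),   # web tier reaches the database
        Rule("mgmt", "dmz", "tcp", 22),         # SSH into the DMZ only from the management zone
    ])
    user, web = "10.10.1.20", "10.20.1.5"
    https = Packet("internal", "dmz", user, web, "tcp", 51000, 443)
    results = [
        fw.decide(https),                                                     # new flow, allowed by policy
        fw.decide(Packet("dmz", "internal", web, user, "tcp", 443, 51000)),   # reply rides the state table
        fw.decide(Packet("dmz", "internal", web, user, "tcp", 40000, 3389)),  # unsolicited RDP inbound
        fw.decide(Packet("internal", "dmz", user, web, "tcp", 52000, 22)),    # SSH from the wrong zone
    ]
    fw.healthy = False                       # appliance fault, fail-closed configured
    results.append(fw.decide(https))
    fw.fail_mode = "open"                    # same fault, fail-open configured
    results.append(fw.decide(https))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two things to take from the run: the reply in step 2 is admitted by state, not by any dmz→internal rule, which is exactly what a stateless ACL cannot do; and once `healthy` is False, neither the rule table nor the state table matters, only `fail_mode` does, so that one setting deserves the same change control as the rules.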
Secure communication and access. VPN: site-to-site (branch-to-HQ, usually IPSec) and remote access (user-to-network, SSL VPN or IPSec). Remote access patterns include VPN, RDP gateway, and SSH bastion. TLS protects the session (HTTPS, SMTPS, SSL VPNs); keys are session-scoped and authentication is by certificate. IPSec protects the network layer. Modes: transport (host-to-host; the original IP header stays in the clear and only the payload is protected) and tunnel (gateway-to-gateway; the entire original packet, inner addresses included, is encrypted, and a new outer header carries only the gateway addresses, so an observer learns nothing about the hosts behind them). Components: AH (Authentication Header: integrity and origin authentication over the payload and the immutable IP header fields, no confidentiality; because it covers the addresses it breaks behind NAT and is rarely deployed), ESP (Encapsulating Security Payload: confidentiality plus optional integrity/authentication; the default choice), and IKE (Internet Key Exchange, IKEv2 today) to authenticate the peers and negotiate the security associations and keys.
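To make transport vs tunnel and AH vs ESP concrete, here is an added Python model written for this page (standard library only; it is not an IPsec implementation and not code from the original) that builds the packets and reports what a tap in the middle can read. Assumptions: the ESP encryption is an HMAC-derived keystream XOR standing in for AES-GCM and is not secure; the ICV is HMAC-SHA256 truncated to 128 bits; ESP padding and IV are omitted because they do not change which fields are visible; the addresses, SPIs and the TCP segment are constructed sample data.

```python
# Added example, not from the page: a byte-level model of IPsec transport vs
# tunnel mode and AH vs ESP, using only the Python standard library.
# Assumptions (constructed): the ESP "cipher" is an HMAC-derived keystream XOR
# standing in for AES-GCM (NOT secure, do not reuse); the ICV is HMAC-SHA256
# truncated to 128 bits; ESP padding/IV omitted; addresses, SPIs and the TCP
# segment are sample data.
from __future__ import annotations
import hashlib
import hmac
import ipaddress
import struct

PROTO_TCP, PROTO_IPIP, PROTO_ESP, PROTO_AH = 6, 4, 50, 51
IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options
ICV_LEN = 16

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # ver/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum (left 0), src, dst
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt: bytes) -> dict:
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[20:total]}

def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, b"enc" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, b"auth" + data, hashlib.sha256).digest()[:ICV_LEN]

def esp_wrap(key: bytes, spi: int, seq: int, inner: bytes, next_hdr: int) -> bytes:
    """ESP: SPI and sequence number in the clear, (inner || next-header) encrypted, ICV over all."""
    plain = inner + bytes([next_hdr])
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    body = struct.pack("!II", spi, seq) + ct
    return body + _icv(key, body)

def esp_unwrap(key: bytes, esp: bytes) -> tuple[bytes, int]:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, body)):
        raise ValueError("ESP ICV mismatch: packet modified in transit")
    plain = bytes(a ^ b for a, b in zip(body[8:], _keystream(key, len(body) - 8)))
    return plain[:-1], plain[-1]

def transport_mode(key: bytes, src: str, dst: str, segment: bytes) -> bytes:
    """Transport mode: the original IP header stays; only the TCP segment goes inside ESP."""
    esp = esp_wrap(key, 0x1001, 1, segment, PROTO_TCP)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp

def tunnel_mode(key: bytes, gw_src: str, gw_dst: str, original_packet: bytes) -> bytes:
    """Tunnel mode: the whole original packet is the ESP payload; the outer header names gateways."""
    esp = esp_wrap(key, 0x2002, 1, original_packet, PROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp

def ah_wrap(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes, next_hdr: int) -> bytes:
    """AH: nothing encrypted. The ICV covers the IP header (mutable TTL zeroed), the AH fields
    and the payload, so a NAT that rewrites the addresses invalidates it."""
    ah_len = 12 + ICV_LEN
    hdr = ipv4_header(src, dst, PROTO_AH, ah_len + len(payload))
    covered = bytearray(hdr)
    covered[8] = 0                                       # TTL changes in transit
    fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    return hdr + fixed + _icv(key, bytes(covered) + fixed + payload) + payload

def observer_view(pkt: bytes) -> dict:
    """What a passive tap between the endpoints learns without the key."""
    h = parse_ipv4(pkt)
    view = {"src": h["src"], "dst": h["dst"], "proto": h["proto"], "readable_payload": None}
    if h["proto"] == PROTO_ESP:
        view["spi"] = struct.unpack("!I", h["payload"][:4])[0]
    elif h["proto"] == PROTO_AH:
        view["spi"] = struct.unpack("!I", h["payload"][4:8])[0]
        view["readable_payload"] = h["payload"][12 + ICV_LEN:]   # AH leaves the payload in the clear
    else:
        view["readable_payload"] = h["payload"]
    return view

def tamper_detected(key: bytes, esp_packet: bytes, offset: int) -> bool:
    """Flip one bit of an ESP packet at `offset` and report whether the receiver rejects it."""
    bad = bytearray(esp_packet)
    bad[offset] ^= 0x01
    try:
        esp_unwrap(key, parse_ipv4(bytes(bad))["payload"])
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    key = b"\x11" * 32
    seg = b"\x00\x50\x1f\x90GET / HTTP/1.1\r\n"            # constructed TCP segment
    inner = ipv4_header("10.1.1.5", "10.2.2.7", PROTO_TCP, len(seg)) + seg
    print("transport:", observer_view(transport_mode(key, "10.1.1.5", "10.2.2.7", seg)))
    print("tunnel:   ", observer_view(tunnel_mode(key, "203.0.113.1", "198.51.100.1", inner)))
    print("AH:       ", observer_view(ah_wrap(key, "10.1.1.5", "10.2.2.7", 0x3003, 1, seg, PROTO_TCP)))
```

Compare the three `observer_view` lines: transport mode exposes the real host addresses and hides the segment; tunnel mode exposes only the gateway addresses 203.0.113.1 and 198.51.100.1; AH exposes everything and only lets the receiver detect modification. `tamper_detected` also shows that ESP's ICV covers the SPI and sequence number, not just the ciphertext, which is what makes replay and SA-confusion attacks detectable.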
SD-WAN and SASE. SD-WAN is a software-defined WAN overlay: a central controller pushes policy-based routing across multiple underlying links (MPLS, broadband, LTE), with the site-to-site tunnels typically built on IPSec. SASE (Secure Access Service Edge) is the convergence of network and security as a cloud service: FWaaS, SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), and ZTNA (Zero Trust Network Access) delivered from cloud edges close to users. SASE is a design pattern, not a single product.
Selection of effective controls. Map the threat/vulnerability (from Domain 2) to a control category (technical / administrative / physical) and a control type (preventive / detective / corrective / compensating). Consider residual risk, cost, operational burden, and whether the control sits where the attack actually crosses.
| Device | Layer | Strength | Use when |
|---|---|---|---|
| L4 stateful firewall | Transport (L4) | Fast, cheap, port/protocol | Coarse zone boundaries |
| NGFW | Application (L7) | App-aware, user-aware, threat intel | Enterprise perimeter & internal |
| WAF | HTTP (L7) | SQLi/XSS/OWASP Top 10 | In front of web apps only |
| UTM | Bundle | All-in-one firewall/IDS/AV/VPN | SMB, single-box deployments |
| IDS (passive) | Any | Detect + alert | Visibility without blocking risk |
| IPS (active, inline) | Any | Detect + block | Must stop the attack in real time |
| Forward proxy | Client-side | Filter user browsing | Egress control, DLP, SWG |
| Reverse proxy | Server-side | TLS term, LB, cache | Protect and scale a backend |
| Jump server | Admin path | Single controlled ingress to sensitive zone | Admins reaching DMZ/OT/prod DB |
| Tunnel | Layer | Modes | Typical use |
|---|---|---|---|
| TLS | Session | n/a | HTTPS, SMTPS, SSL VPN, modern RA |
| IPSec transport | Network | Payload only | Host-to-host |
| IPSec tunnel | Network | Whole packet | Gateway-to-gateway, site-to-site VPN |
| AH | Network | Integrity, origin | No confidentiality; rarely solo |
| ESP | Network | Confidentiality + integrity | Default choice inside IPSec |
| IKE | Network | Key negotiation | Sets up the SAs |
Placement + layer + failure mode solves most 3.2 questions. Match the control’s layer to the attack (HTTP → WAF, port → L4, app → NGFW), place it where the traffic actually crosses (perimeter, inline, management path), and pick a failure mode that matches business priority (fail-closed for security, fail-open for availability).
A regional water utility runs a SCADA network controlling pumps and valves. Leadership wants “intrusion prevention” after a compliance finding. The vendor suggests dropping an IPS inline in front of the SCADA network. The OT engineers panic — if the IPS drops a legitimate Modbus command, a pump stops and customers lose water pressure. The Network Admin proposes an IDS instead; the Security Architect builds a compromise.
Active vs Passive on a SCADA Segment
Water utility · SCADA · must not break Modbus
Inline vs tap is an availability decision. Inline blocks at real-time speed, but a misconfigured rule can take down a business-critical system. On OT, medical, and trading floors, the safe pattern is: inline IPS on controlled boundaries with fail-open, plus IDS taps in the sensitive interior. Compliance language rarely tells you which to pick; the operational tolerance for a dropped packet does.
“IDS or IPS” is almost always a false binary. Real networks run both: IPS at the chokepoints where you can afford to block, IDS where you need visibility without risk. The exam often forces a single-word answer; read for “must block” (IPS) versus “must not impact” (IDS) or “detect only” (IDS).
On the exam: “must not interfere with traffic” → IDS/tap. “must stop the attack in real time” → IPS/inline. “critical availability, cannot tolerate an outage caused by the control itself” → inline with fail-open (and alert on the bypass state so a failed device is not mistaken for a quiet one).
A financial services firm is launching a customer portal over HTTPS. The existing NGFW already sits at the perimeter. The CISO asks: should they rely on the NGFW or add a WAF in front of the portal?
Rely on the existing NGFW
NGFW is L7-aware and has IPS signatures. Adding a WAF is extra cost and overlapping capability.
Add a WAF in front of the portal
Dedicated HTTP-aware protection (SQLi, XSS, CSRF, session logic) in front of the app, behind the NGFW.
Option B fits — WAF + NGFW is defense in depth for web apps
Option B: NGFWs have broad L7 visibility, but WAFs are purpose-built for HTTP application attacks — SQL injection patterns, XSS encodings, session fixation, and OWASP Top 10 logic that a general NGFW signature set often misses. For a customer portal handling financial data, WAF in front of the app (not replacing, but layered with) the NGFW is the defense-in-depth pattern the exam expects.
Option A’s kernel of truth: An NGFW with strong IPS signatures catches a lot of web traffic attacks, and for non-critical apps it can be enough. But for a customer-facing financial portal, relying on a single general-purpose device is the cost-cutting answer the exam wants you to reject.
On the exam: “HTTP app” + “financial / PCI / regulated” + “defense in depth” → WAF in addition to NGFW. Pure internal services with no HTTP layer might not need the WAF.
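Why the WAF catches what a port filter cannot, as an added Python example written for this page (not vendor code and not from the original): the same three HTTP requests are judged by an L4 check that only sees the destination port and by a WAF-style check that parses the request and percent-decodes parameters before matching. The sample requests and the `SQLI`/`XSS` patterns are constructed and deliberately narrow; a production WAF uses a maintained rule set such as the OWASP Core Rule Set with anomaly scoring rather than two regexes.

```python
# Added example, not from the page: the same three requests judged by a port-based
# L4 check and by a WAF-style check that parses HTTP and decodes parameters first.
# The two regexes and the sample requests are constructed and deliberately narrow.
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SQLI = re.compile(r"(?i)('\s*or\s*'?\d+'?\s*=\s*'?\d+|union\s+select|--\s*$)")
XSS = re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")

def l4_decision(dst_port: int, allowed_ports=(443,)) -> str:
    """A stateful L4 firewall only has the 5-tuple: anything to an allowed port passes."""
    return "PASS" if dst_port in allowed_ports else "DROP"

def parse_request(raw: str) -> dict:
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n")[0].split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    # parse_qsl decoded once; decode again so double-encoded payloads cannot slip past the match
    return {"method": method, "path": unquote_plus(url.path),
            "values": [unquote_plus(v) for _, v in params]}

def waf_decision(raw: str) -> str:
    """WAF view: inspect the normalised path and every decoded parameter value."""
    req = parse_request(raw)
    for value in [req["path"]] + req["values"]:
        if SQLI.search(value):
            return "BLOCK:sqli"
        if XSS.search(value):
            return "BLOCK:xss"
    return "PASS"

# Constructed sample traffic: benign lookup, classic tautology SQLi, double-encoded XSS in a POST body.
SAMPLE_REQUESTS = [
    "GET /account?id=42 HTTP/1.1\r\nHost: portal.example\r\n\r\n",
    "GET /account?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: portal.example\r\n\r\n",
    ("POST /comment HTTP/1.1\r\nHost: portal.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "text=%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
]

def demo() -> List[Tuple[str, str]]:
    """Every request arrives on 443, so the L4 verdict is identical; only the WAF verdict differs."""
    return [(l4_decision(443), waf_decision(raw)) for raw in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for (l4, waf), raw in zip(demo(), SAMPLE_REQUESTS):
        print(f"L4={l4:4} WAF={waf:10} {raw.splitlines()[0]}")
```

The double-encoded `<script>` in the third request is the practical caveat: a filter that matches before normalising the input passes it, which is the general reason a signature set that does not reconstruct and decode HTTP misses a class of web-app attacks that a request-aware WAF does not. A regex this narrow will also miss variants and false-positive on legitimate text containing `or 1=1`, so a WAF is tuned and monitored in front of a portal, not dropped in.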
3.2 questions usually give you a protocol, a zone, or a traffic type and ask for the right appliance or control. Match layer to problem: HTTP → WAF; L3/L4 port traffic → stateful firewall; user/app identification → NGFW; device-at-the-jack → 802.1X; admin into DMZ → jump server; branch to HQ → IPSec tunnel mode.
- A 802.11 WPA3
- B 802.1X with EAP
- C IPSec tunnel mode
- D TLS mutual authentication
Correct: B. 802.1X is port-based network access control using EAP as the authentication framework. It works on wired ports and wireless SSIDs.
A wrong: 802.11 WPA3 is wireless encryption, not port-based NAC for wired devices.
C wrong: IPSec tunnels encrypt traffic between gateways; they do not authenticate the device at the switch port before it gets LAN access.
D wrong: TLS mutual auth is an application-layer choice; it does not block the port before LAN access.
Source: CompTIA SY0-701 Objectives v5.0 — 3.2 Secure Infrastructure
- A Remote access SSL VPN per user
- B Site-to-site IPSec VPN in tunnel mode between branch and HQ gateways
- C TLS 1.3 between every user workstation and HQ
- D MPLS circuit managed by the ISP
Correct: B. Site-to-site IPSec in tunnel mode encrypts the entire original packet between two gateways — users behind each gateway see each other transparently.
A wrong: SSL VPN fits remote-user access, not a permanent branch-to-HQ link.
C wrong: TLS per workstation does not build the branch-to-HQ network the scenario requires.
D wrong: MPLS is a valid option but is carrier-managed private WAN, not “over the public internet.”
Source: CompTIA SY0-701 Objectives v5.0 — 3.2 Secure Infrastructure
- A Open RDP from admin laptops directly to each DB server
- B A jump server (bastion host) as the only path, with MFA and session logging
- C Peer-to-peer tunnels from each laptop to each DB
- D A WAF in front of the DB servers
Correct: B. A jump/bastion server is the classic single controlled path for admin access to a sensitive zone, with MFA and session logging for accountability.
A wrong: Direct RDP everywhere eliminates the single-path control the scenario requires.
C wrong: P2P tunnels multiply the attack surface; no single audit point.
D wrong: WAFs protect HTTP apps; databases and admin access are not the WAF use case.
Source: CompTIA SY0-701 Objectives v5.0 — 3.2 Secure Infrastructure