🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 11.17 - Secure Network Components (Part 1 of 5)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series maps the building blocks of a secure network from Domain 4. Because you cannot secure what you cannot picture, getting fluent in these zones, devices, and access controls lets you design deliberately, avoid single points of failure, and place defenses where they actually count.

What this episode covers

Watch the full episode above for the worked examples and step-by-step explanations of each concept.

Frequently Asked Questions

How do private network zones differ from one another?

Chiefly by who is allowed in. An intranet is a fully private network that hosts internal services like web pages, email, and file access for your own people only. An extranet is a carved-out section that behaves like an intranet internally but also serves specific outsiders such as chosen partners, suppliers, or a remote sales force. The dividing line is the audience: one is strictly internal, the other deliberately opens a controlled slice to trusted external parties.

What sits in the buffer between the public and the private?

A screened subnet, a special-purpose zone built for low-trust and unknown users, like the public reaching a web server, without letting them touch your internal network. You can build it with two firewalls, one facing the internet and one facing the intranet, so the subnet sits sandwiched between them, or use a single multi-homed firewall with three interfaces to the internet, the subnet, and the intranet. Either way it is a controlled reception area.

How does a screened host differ from that subnet?

It is a single hardened system placed just inside a network segment, acting as a gatekeeper. All inbound traffic routes to it first, and it serves as a proxy for the trusted systems behind it, filtering what comes in and hiding the identity of the internal machines. Where the screened subnet is a whole zone, the screened host is one chokepoint doing the guarding.

Which way does traffic actually flow inside your network?

In two directions worth naming. East-west traffic is the flow that stays within a network, data center, or cloud environment, moving between internal systems side to side. North-south traffic is the flow crossing the boundary, coming in from or going out to external systems. Knowing which is which shapes where you inspect and segment.

How does network access control keep unwanted machines out?

By enforcing your security policy automatically at the point of connection. Its job is to check that every device joining the network is patched, compliant, and authorized, and to keep the rest out. It can act before admission, demanding a device meet requirements before it may communicate, or after admission by judging ongoing activity, and it can run through an agent or agentlessly. Non-compliant machines can be quarantined to a remediation area until they are fixed.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 11.17 - Secure Network Components (Part 1 of 5).