1.1 System and Network Architecture Concepts
Network architecture
📘CompTIA CySA+ (CS0-003)
Network Segmentation, Zero Trust, SASE, and SDN.
These concepts strengthen security by controlling access, reducing attack surfaces, and improving monitoring.
1. Network Segmentation
What is Network Segmentation?
Network segmentation means dividing a large network into smaller, isolated sections.
Instead of having all systems connected together, the network is broken into separate parts to control traffic and limit unauthorized access.
Why is Segmentation Important for Security?
- Limits attacker movement inside the network
- Protects critical systems by separating them from general traffic
- Helps enforce access control
- Makes monitoring easier
- Reduces the impact of a breach
- Supports compliance requirements (e.g., separating sensitive data zones)
Common Types of Network Segmentation
1. Physical Segmentation
- Uses separate hardware (switches, routers, cables).
- Provides strong isolation but can be complex and expensive.
2. Logical Segmentation (VLANs)
- Creates separate virtual networks using the same physical hardware.
- VLANs isolate traffic by using different VLAN IDs.
- Common in enterprise networks and frequently tested on CySA+.
3. Subnet Segmentation
- Divides networks into different IP subnets.
- Helps enforce routing rules and firewall policies.
4. Microsegmentation
- Very fine-grained segmentation within virtualized or cloud environments.
- Each workload or application can have its own isolated security policy.
- Often implemented using software-defined networking (SDN).
Security Controls Used in Segmentation
- Firewalls
- Access Control Lists (ACLs)
- VLAN tagging
- Routing rules
- Network Access Control (NAC)
- Identity-based access
2. Zero Trust Architecture (ZTA)
What is Zero Trust?
Zero Trust is a security model based on the idea:
“Never trust, always verify.”
This means:
- Every user, device, and application must be authenticated and authorized
- No one automatically gets access, even if they are inside the network
- Continuous monitoring is required
Core Principles of Zero Trust
1. Verify Explicitly
- Always confirm identity using authentication (MFA, certificates, device checks).
2. Least Privilege Access
- Users/devices only get the minimum access required.
3. Assume Breach
- Networks are designed as if attackers are already inside.
- Security controls limit what an attacker can do.
4. Microsegmentation
- Breaks the network into many small zones, preventing lateral movement.
5. Continuous Monitoring
- Logs, access control, and behavior analytics help detect suspicious activity.
Zero Trust Technologies
- Identity and Access Management (IAM)
- Multi-Factor Authentication (MFA)
- Network Access Control (NAC)
- Conditional Access Policies
- Endpoint Detection and Response (EDR)
- Microsegmentation tools
- Identity-based firewalls
3. SASE (Secure Access Service Edge)
What is SASE?
SASE (pronounced “sassy”) is a cloud-based architecture that combines networking and security into one unified service delivered from the cloud.
It is heavily used when users access applications from many locations.
Why SASE Matters
Enterprises use cloud applications and remote users. SASE provides:
- Consistent security everywhere
- Centralized policy management
- Lower complexity
- Reduced dependency on physical firewalls
Key Components of SASE
1. SD-WAN (Software-Defined WAN)
- Optimizes and manages network traffic.
- Uses software control to route traffic efficiently.
2. Cloud-Delivered Security
Security tools integrated into SASE include:
- Secure Web Gateway (SWG)
- Cloud Access Security Broker (CASB)
- Firewall-as-a-Service (FWaaS)
- Zero Trust Network Access (ZTNA)
3. ZTNA (Zero Trust Network Access) as part of SASE
- Replaces VPNs
- Grants access only to specific applications
- Enforces Zero Trust “never trust, always verify”
4. Central Policy Control
- All user traffic goes through cloud security before connecting to apps.
- Ensures consistent inspection and logging.
What the Exam Wants You to Know
- SASE combines networking + security in cloud services
- It uses SD-WAN for traffic optimization
- It includes ZTNA, CASB, SWG, and FWaaS
- It simplifies remote and cloud access security
4. SDN (Software-Defined Networking)
What is SDN?
SDN is a networking approach where control is handled by software, not by manual configuration of physical devices.
Traditional networks rely on:
- Hardware-based routers/switches
- Manual configuration on each device
SDN separates the network into three layers:
1. Application Layer
- Applications ask the network to perform tasks (e.g., prioritize traffic).
2. Control Layer (Controller)
- The “brain” of SDN
- Makes decisions about traffic flow
- Provides a central place to manage policies
3. Data Layer (Forwarding Layer)
- Consists of switches/routers that forward packets based on instructions from the controller.
Benefits of SDN
- Centralized management
- Faster deployment
- Automation of network tasks
- Easier segmentation and microsegmentation
- Greater visibility into traffic
- Dynamic policies based on real-time conditions
SDN Security Considerations
SDN adds security benefits but also new risks:
Benefits
- Central control simplifies monitoring
- Automated responses to threats
- Microsegmentation becomes easy
Risks
- SDN controller is a high-value target
- Poor configuration can cause widespread issues
- APIs must be secured
How These Concepts Work Together
| Concept | Purpose | Key Exam Ideas |
|---|---|---|
| Network Segmentation | Divides network to reduce attack surface | VLANs, microsegmentation, ACLs |
| Zero Trust | No automatic trust; verify everything | Least privilege, continuous monitoring, assume breach |
| SASE | Cloud-delivered networking + security | SD-WAN, ZTNA, CASB, SWG, FWaaS |
| SDN | Software-controlled network | Controller, automation, separation of layers |
All four concepts support modern security frameworks and help limit lateral movement, enforce access control, and improve threat detection.
Exam Tips (Must-Know for CySA+ CS0-003)
- Segmentation reduces attackers’ ability to move inside the network.
- Zero Trust relies on strict identity checks and least privilege.
- SASE pushes security services into the cloud and includes ZTNA.
- SDN uses a central controller and supports automation and microsegmentation.
- The CySA+ exam expects you to understand how these architectures enhance security visibility and control.
