Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.5. Reflection Checkpoint

Key Takeaways

  • OSI layer determines both the attack surface and the applicable control. ARP attacks are Layer 2 (DAI defends). IP spoofing is Layer 3 (BCP38 defends). SYN floods are Layer 4 (SYN cookies defend). Application attacks are Layer 7 (WAF defends). Match control to layer.
  • IPv6 security requires equal rigor to IPv4 — dual-stack systems with IPv4-only controls have an unmonitored IPv6 attack surface.
  • BGP hijacking is an internet-scale threat; RPKI provides cryptographic route origin validation (ROV), which checks that the originating AS is authorized by a signed ROA for that prefix. ROV does not validate the AS path, so it stops mis-origination but not every path-manipulation attack.
  • NGFW = stateful inspection + application awareness + user identity + IPS + SSL inspection. Choose firewall type based on inspection depth required.
  • VLANs isolate broadcast domains; they don't encrypt. Micro-segmentation applies policies to workloads, not subnets.
  • WPA3-Enterprise (802.1X with EAP-TLS) is the wireless gold standard. WEP is completely broken. WPA2-Personal is vulnerable to offline dictionary attacks against a captured 4-way handshake, because the PSK is derived from the passphrase and SSID alone and the handshake MIC lets an attacker test candidates without touching the network.
  • DNSSEC authenticates DNS record origin and integrity but does not encrypt queries; DoH/DoT encrypt the client-to-resolver transport but do not authenticate the records. Both are needed for comprehensive DNS security.
  • SYN flood → SYN cookies. ARP spoofing → DAI. Rainbow tables → salted hashes. SSL stripping → HSTS. MITM in general → mutual authentication, where both endpoints cryptographically verify each other rather than only the client verifying the server.
  • NetFlow = metadata only. Full packet capture = content visibility. SIEM = correlated detection across sources. None alone is sufficient.

Connecting Forward

Phase 6 (Domain 5 — Identity and Access Management) builds on the network access control concepts from this phase. NAC, 802.1X, and RADIUS are authentication infrastructure concepts that bridge Domain 4 and Domain 5 — they use the network as the enforcement point for identity-based access decisions. The Kerberos protocol, SSO architectures, and federated identity concepts in Domain 5 all operate over the network infrastructure designed in Domain 4. Zero Trust Network Access (ZTNA) from Section 5.2.2 is the architectural expression of Domain 5's identity-first access control philosophy.

Self-Check Questions

  • A security architect is designing a new branch office connection. The branch hosts 30 employees and an industrial control system that must access manufacturing systems at headquarters. Both types of traffic will traverse the same physical WAN link. What two architectural decisions should the architect make to ensure the ICS traffic is isolated from employee traffic, and why is this isolation important beyond simple performance?
  • Your SIEM generates 2,000 alerts per day. Your security team has three analysts who can investigate 150 alerts per day. You are not meeting your SLA for incident response time. What are the two most impactful changes you could make to the SIEM configuration, and what metric would you use to measure whether the changes were successful without introducing blind spots?
Written by Alvin Varughese