CompTIA Network+ N10-008: Explain Common Security Concepts

1. Introduction: Why Security Concepts Matter in Networking

Security isn’t something you just tack on after the network’s already built. Honestly, security is baked into the way access gets granted, traffic gets allowed or blocked, and devices get managed every day. If you’re touching a switch port, rolling out a VPN, standing up Wi-Fi, or handing someone admin access to a firewall, you’re making security calls whether it feels like it or not. That’s exactly why Network+ wants you to explain common security concepts in practical terms, not just parrot definitions.

Quick exam note: I saw this show up a lot on Network+ N10-008, and the same core ideas still keep showing up in newer Network+ versions too. Honestly, the wording might change a bit from one exam version to the next, but the core ideas and design logic still hold up.

2. The CIA Triad: Confidentiality, Integrity, and Availability

The CIA triad is the framework I always come back to when thinking through security; it's really the starting point for security thinking.

Confidentiality means preventing unauthorized disclosure of data. In networking terms, that’s things like HTTPS for web access, SSH for device management, IPsec or TLS VPNs for remote access, and ACLs or firewalls that limit who can reach sensitive systems.

Integrity means data has not been altered improperly. Hashes, digital signatures, configuration change control, and file verification all help protect integrity. If you obtain a firewall image for installation, verify its hash before deployment. If a config backup changes unexpectedly, integrity controls help detect that.

Availability means systems and services remain accessible when needed. Redundant firewalls, clustered VPN gateways, dual ISPs, UPS power, monitoring, backups, and patching all support that goal.

Here’s the thing: in real networks, these goals can absolutely compete with each other. MFA helps confidentiality, but if the identity provider goes down and there’s no fallback, availability takes a hit. Deeper inspection gives you better visibility into what’s going on, but yeah, it can also introduce some latency. Strong segmentation definitely helps confidentiality and integrity, but if you lock it down too tightly, application access can turn into a real pain. On the exam, I’d always trace the question back to the main goal: privacy usually points to confidentiality, tamper prevention points to integrity, and uptime points to availability.

3. Core Security Principles

Least privilege means users and systems get only the access required. A help desk technician may reset passwords but should not edit router configs.

Need to know limits exposure to only the information required for a task. A contractor may need one application, not your full network diagram and shared admin documentation.

Zero trust is a security model, not a product. The practical idea is: verify explicitly, enforce least privilege, and assume breach. A device on the internal LAN should not be trusted automatically just because it is “inside.”

Defense in depth means using multiple layers: segmentation, MFA, endpoint protection, secure protocols, logging, and firewalls together.

Implicit deny means traffic or access is blocked unless explicitly allowed. This is the safest baseline for ACLs and firewall policy.

Separation of duties means one person should not control an entire critical process. For example, one admin might request a firewall change, another approves it, and the logs show exactly who actually made the change.

You’ll see these principles reflected in real controls all the time: NAC and 802.1X enforce access at the edge, RBAC limits what people can do after they log in, firewalls enforce implicit deny between zones, and change control plus logging back up separation of duties.

4. Threats, vulnerabilities, risk, exploits, and attack surface

Term           | Meaning                                           | Example
---------------|---------------------------------------------------|-----------------------------------------------------
Threat         | Potential source of harm                          | Internet attacker targeting a VPN portal
Vulnerability  | Weakness that can be abused                       | Unpatched firewall or weak password policy
Exploit        | Method used to abuse a vulnerability              | Password spraying or crafted malicious input
Risk           | Potential for loss based on likelihood and impact | High if the exposed VPN grants broad internal access
Attack surface | All reachable points an attacker may target       | Open ports, exposed admin pages, SSIDs, flat VLANs

Risk analysis starts with the asset, then asks what threat could exploit which vulnerability, and what the impact would be. A public VPN with MFA and a tight access policy is a lot lower risk than one that relies on passwords alone and drops users into broad internal access. Reducing attack surface is basically about shrinking the number of entry points an attacker can poke at. In practice, that means closing unused ports, removing old services, tightening management access, segmenting the network, and turning off SSIDs or interfaces you don’t actually need.

5. Identity, access, and AAA

AAA stands for authentication, authorization, and accounting:

  • Authentication: Who are you?
  • Authorization: What are you allowed to do?
  • Accounting: What did you do?

This distinction matters. A user can authenticate successfully and still be denied access because authorization is separate.

RADIUS is commonly used for network access control such as 802.1X, Wi-Fi, and VPN. TACACS+ is commonly preferred for administrative access to network devices because it supports more granular command authorization and accounting. Local accounts really should be saved for tightly controlled break-glass access. They need to be documented, rotated, and kept out of day-to-day admin work, because shared local admin accounts make accountability a mess pretty quickly.

802.1X flow is worth knowing at a high level: the client is the supplicant, the switch or AP is the authenticator, and the RADIUS server is the authentication server. Until authentication succeeds, the port or SSID can stay restricted. Some environments lean on MAB for devices that can’t support 802.1X, and yeah, I’ve seen that work as a practical fallback. Honestly, it’s not as strong as certificate-based or credential-based 802.1X, so I’d treat it as a fallback option rather than my first choice.

IAM covers the full identity lifecycle: provisioning, role assignment, access reviews, and deprovisioning. MFA combines factors such as something you know, have, or are. Two passwords are not MFA. RBAC assigns permissions by role, which supports least privilege. ABAC goes a step further by checking attributes such as device posture, time of day, or location before it decides whether access should be granted. So it’s not just asking who the user is — it’s also checking what device they’re using and whether the whole situation looks appropriate.
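The separation of the three As, plus the RBAC and ABAC checks described above, as an added worked example (not code from the page or from any AAA product). Usernames, roles, permissions, passwords and the "device posture" attribute are all constructed for the example; passwords are stored only as per-user salted PBKDF2 hashes, and every request writes an accounting record whether it succeeds or not.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List

# Constructed AAA model: all accounts, roles and permissions below are invented.
PBKDF2_ROUNDS = 100_000
_USERS: Dict[str, dict] = {}

# RBAC: permissions hang off the role, never off the individual (least privilege).
ROLE_PERMISSIONS = {
    "helpdesk": {"reset_password"},
    "netadmin": {"reset_password", "edit_router_config", "view_firewall_logs"},
    "contractor": {"use_timeclock_app"},
}

# Accounting: one record per request, successful or not.
ACCOUNTING_LOG: List[dict] = []


def enroll(username: str, password: str, role: str) -> None:
    """Store a salted PBKDF2-SHA256 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    _USERS[username] = {"salt": salt, "hash": digest, "role": role}


def authenticate(username: str, password: str) -> bool:
    """Authentication: is this really the claimed user?"""
    rec = _USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def authorize(username: str, action: str, device_compliant: bool) -> bool:
    """Authorization: may this already-authenticated user do this, from this device?"""
    role = _USERS[username]["role"]
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False
    # ABAC-style attribute check: config changes only from a device that passed posture checks.
    if action == "edit_router_config" and not device_compliant:
        return False
    return True


def request(username: str, password: str, action: str, device_compliant: bool = True) -> str:
    """Run the three As in order and return AUTHN_FAIL, AUTHZ_FAIL or OK."""
    if not authenticate(username, password):
        outcome = "AUTHN_FAIL"
    elif not authorize(username, action, device_compliant):
        outcome = "AUTHZ_FAIL"
    else:
        outcome = "OK"
    ACCOUNTING_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": username, "action": action, "outcome": outcome,
    })
    return outcome


# Constructed accounts for the demonstration.
enroll("hd.tech", "HelpDesk-Pass-1", "helpdesk")
enroll("n.admin", "NetAdmin-Pass-1", "netadmin")

if __name__ == "__main__":
    print(request("hd.tech", "HelpDesk-Pass-1", "reset_password"))              # OK
    print(request("hd.tech", "HelpDesk-Pass-1", "edit_router_config"))          # AUTHZ_FAIL: logged in, not allowed
    print(request("hd.tech", "wrong-password", "reset_password"))               # AUTHN_FAIL
    print(request("n.admin", "NetAdmin-Pass-1", "edit_router_config", False))  # AUTHZ_FAIL: device posture
    for record in ACCOUNTING_LOG:
        print(record)
```

The second call is the exam's "successful login but limited access" case: authentication passed, so the failure is an authorization problem, and the accounting record says so explicitly instead of leaving you to guess.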

6. Security Control Categories

Network+ may describe controls by function, not just by product name.

  • Preventive: firewalls, MFA, 802.1X, locked closets
  • Detective: IDS, syslog alerts, cameras
  • Corrective: restoring configs, patching, failover
  • Deterrent: warning banners, visible cameras
  • Compensating: extra monitoring when a preferred control cannot be deployed
  • Administrative: policies, change control, access reviews
  • Technical/logical: ACLs, encryption, VLANs
  • Physical: badges, locks, cages, mantraps

Good security design usually mixes categories. A locked rack is physical and preventive. Syslog to a SIEM is technical and detective. A documented approval workflow is an administrative control, and it supports separation of duties.

7. Segmentation, isolation, DMZs, and security zones

Segmentation breaks a network into smaller trust boundaries. VLANs and subnets shrink the broadcast scope, which helps both performance and control. ACLs and firewalls control traffic between segments, which helps slow lateral movement and limit the damage if something gets compromised. Isolation goes a step further and may allow very little direct communication — or sometimes none at all.

Common zones include user, server, management, guest, voice, IoT, and DMZ. A DMZ is a separate zone for public-facing services such as web servers or VPN gateways. A public web server should not sit directly on the internal user LAN. Inbound access should be tightly limited, and you should control outbound access from the DMZ too.

Example mapping:

  • Users: VLAN 10, 10.10.10.0/24
  • Servers: VLAN 20, 10.10.20.0/24
  • Guest: VLAN 30, 10.10.30.0/24
  • Management: VLAN 99, 10.10.99.0/24

Then apply policy like this: guest goes to the internet only, users can reach only the web and app ports they need on servers, there’s no direct user access to management, and admins can reach devices only from the management network or a jump host. And here’s a classic exam trap: a VLAN by itself isn’t security if inter-VLAN routing is wide open.

8. Traffic Control and Secure Management

ACLs are typically stateless packet-filtering rules. Firewalls are commonly stateful and may inspect sessions, applications, users, or content. Rule order matters, and implicit deny is usually the final baseline.

Here’s a simple vendor-neutral example:

  • Allow SSH from 10.10.99.0/24 to network devices only
  • Permit HTTPS from users to the web server in the DMZ
  • Deny guest VLAN to internal private subnets
  • Deny all else, and log where appropriate
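The segmentation mapping from section 7 and the vendor-neutral rule list above, as an added example of how a stateless, first-match ACL with an implicit deny actually evaluates (this is illustrative code, not any vendor's ACL syntax or the page's own material). The user, server, guest and management subnets are the ones from the mapping; the DMZ subnet 10.10.50.0/24 and the assumption that device management addresses sit in the management subnet are invented for the example. It also shows the "VLAN alone is not security" trap: the same rules in the wrong order let guest reach internal subnets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None means any port
    log: bool = False            # log hits on this rule


USERS, SERVERS, GUEST, MGMT = "10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.99.0/24"
DMZ = "10.10.50.0/24"   # assumed DMZ subnet, not from the page
ANY = "0.0.0.0/0"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Rules are evaluated top-down; the first match wins.
POLICY: List[Rule] = [
    Rule("permit", MGMT, MGMT, "tcp", 22),        # 1: SSH to devices only from the management subnet
    Rule("deny", ANY, MGMT, log=True),             # 2: nothing else reaches management (logged)
    Rule("permit", USERS, DMZ, "tcp", 443),        # 3: users to the DMZ web server
    Rule("permit", USERS, SERVERS, "tcp", 443),    # 4: users to the one app port they need
    *[Rule("deny", GUEST, net, log=True) for net in RFC1918],   # 5-7: guest stays off private space
    Rule("permit", GUEST, ANY),                    # 8: guest to the internet only
]                                                  # 9: implicit deny; no rule needed

# Same rules, but the guest-to-internet permit moved above the guest denies:
# the classic ordering mistake that silently opens guest to internal subnets.
MISORDERED: List[Rule] = [POLICY[7]] + POLICY[:7]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    """True when the packet's addresses, protocol and port all fall inside the rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst))


def evaluate(rules: List[Rule], src: str, dst: str,
             proto: str = "tcp", dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number). ("deny", None) means the implicit deny fired."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, src, dst, proto, dport):
            if rule.log:
                print(f"LOG rule {number}: {rule.action} {proto} {src} -> {dst}:{dport}")
            return rule.action, number
    return "deny", None   # implicit deny: nothing matched


if __name__ == "__main__":
    print(evaluate(POLICY, "10.10.10.25", "10.10.20.5", "tcp", 22))      # users SSH to a server: implicit deny
    print(evaluate(POLICY, "10.10.30.7", "10.10.20.5", "tcp", 445))      # guest to a file server: rule 5
    print(evaluate(MISORDERED, "10.10.30.7", "10.10.20.5", "tcp", 445))  # same packet, wrong order: permit
```

Because this evaluator is stateless, it has no idea whether a packet belongs to an established session; that is the gap a stateful firewall closes, and why return traffic needs either a matching rule or a stateful device in front of an ACL like this.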

IDS detects and alerts. IPS detects and can block. An IDS is usually out of band, so it watches and alerts without sitting directly in the traffic path. An IPS is often inline, which is why it can actually block traffic in real time instead of just raising an alarm; it also means a false positive can block something legitimate if the rules or signatures aren’t tuned well. Signature-based detection works really well when you’re looking for known threats. Anomaly-based or behavior-based detection can catch unusual activity, but it usually needs baselining and a lot more tuning.

For management security, prefer SSH, HTTPS, and SNMPv3. Disable Telnet and HTTP. Lock management services down by source IP, use a management VLAN or an out-of-band network, integrate AAA, and forward logs to a centralized collector. SNMPv1 and SNMPv2c community strings go across the wire in cleartext, while SNMPv3 supports authentication and privacy, which is a much better operational choice. At a high level, the authNoPriv security level provides authentication without encryption, while authPriv provides both authentication and encryption.

9. Secure Protocols and Legacy Technologies to Replace

Preferred   | Legacy/Insecure | Why
------------|-----------------|--------------------------------------
HTTPS       | HTTP            | Encrypts web traffic
SSH         | Telnet          | Protects admin sessions
SFTP or SCP | FTP             | Secures file transfer and credentials
SNMPv3      | SNMPv1/v2c      | Adds authentication and privacy
WPA2/WPA3   | WEP             | WEP is broken due to RC4/IV weaknesses

WPA2 remains common, but configuration matters. WPA2/WPA3-Personal use a shared passphrase. WPA2/WPA3-Enterprise use 802.1X and RADIUS for per-user or per-device authentication and are operationally stronger. WPA3 is the stronger option when your equipment supports it, but older gear and legacy clients can definitely slow the rollout. In the real world, you usually need a migration plan, not just a flip-the-switch upgrade.

For VPNs, know the difference between site-to-site and remote-access. Site-to-site VPNs connect one network to another through an encrypted tunnel, so both locations can communicate like they’re part of the same private environment. Remote-access VPNs bring individual users or devices back into the environment, which is especially common when someone’s working from home or on the road. IPsec is a widely used standards-based way to secure VPN traffic, especially for site-to-site links and some remote-access designs. SSL/TLS VPNs are also common for remote users, mainly because they can offer a simpler client experience.

10. PKI, Certificates, Encryption, Hashing, and Digital Signatures

These are the core pieces of the trust model you really need to get comfortable with, because once they click, a lot of other security topics start making a lot more sense.

Symmetric encryption uses one shared key and is efficient for bulk data. Asymmetric encryption uses a public/private key pair and supports key exchange, authentication, and certificates.

PKI is the trust system behind certificates. PKI includes a root CA, often one or more intermediate CAs, and the processes for issuing, renewing, and revoking certificates. That whole structure is what helps devices decide what they can trust. Certificates carry identity information, a public key, validity dates, and issuer or signature details that help establish trust between systems.

Hashing supports integrity. If a file changes, the hash changes too. Hashes aren’t decrypted. For passwords, secure systems use salted password hashing rather than plain general-purpose hashing alone.
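The two integrity uses above (verifying a firmware image against a published hash, and noticing when a config backup changes unexpectedly), as an added example that is not from the page. The "firmware image", the "published" digest (here simply computed from the good image, since there is no real vendor) and the config backups are all constructed; the comparison uses `hmac.compare_digest` so that the check takes the same time whether or not the digests match.

```python
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, published_sha256: str) -> bool:
    """Firmware check: the digest we compute must equal the one the vendor publishes."""
    return hmac.compare_digest(sha256_hex(image), published_sha256.strip().lower())


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file in a snapshot, e.g. a directory of config backups."""
    return {name: sha256_hex(content) for name, content in files.items()}


def detect_drift(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Compare a stored baseline of hashes with the current files.
    Status per file: unchanged, modified, missing (baseline only) or new (not in baseline)."""
    now = hash_tree(current)
    status = {}
    for name, digest in baseline.items():
        if name not in now:
            status[name] = "missing"
        elif hmac.compare_digest(now[name], digest):
            status[name] = "unchanged"
        else:
            status[name] = "modified"
    for name in now:
        if name not in baseline:
            status[name] = "new"
    return status


# Constructed data: a stand-in firmware image and the digest "the vendor published".
FIRMWARE_IMAGE = b"FWIMG\x01" + bytes(range(256)) * 4
PUBLISHED_SHA256 = sha256_hex(FIRMWARE_IMAGE)
TAMPERED_IMAGE = FIRMWARE_IMAGE[:100] + b"\xff" + FIRMWARE_IMAGE[101:]   # one byte changed

# Constructed config backups: baseline taken last night, current state this morning.
BASELINE_FILES = {
    "core-sw1.cfg": b"hostname core-sw1\nip ssh version 2\nno ip http server\n",
    "edge-fw1.cfg": b"hostname edge-fw1\naccess-list 10 deny any log\n",
    "wlc1.cfg": b"hostname wlc1\n",
}
CURRENT_FILES = {
    "core-sw1.cfg": BASELINE_FILES["core-sw1.cfg"],
    "edge-fw1.cfg": b"hostname edge-fw1\naccess-list 10 permit any\n",   # changed unexpectedly
    "dist-sw2.cfg": b"hostname dist-sw2\n",                               # not in the baseline
}                                                                          # wlc1.cfg is gone
BASELINE_HASHES = hash_tree(BASELINE_FILES)

if __name__ == "__main__":
    print(verify_image(FIRMWARE_IMAGE, PUBLISHED_SHA256))   # True
    print(verify_image(TAMPERED_IMAGE, PUBLISHED_SHA256))   # False: a single byte changed the digest
    print(detect_drift(BASELINE_HASHES, CURRENT_FILES))
```

A hash on its own only tells you that something changed, not who changed it or whether the change was approved; pairing the drift report with change-control records and the device's audit log is what turns "modified" into an answer.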

Digital signatures support integrity and authenticity, and can support non-repudiation when key protection, identity proofing, and process controls are strong.

Common certificate problems include expired certificates, hostname mismatches, an untrusted CA, revoked certificates checked through CRL or OCSP, and clock skew between systems. I’ve seen all of those create headaches in production, and more often than not, the root cause is something simple that got missed. The troubleshooting steps are usually pretty straightforward: check system time, inspect the certificate chain, confirm the service name matches, review trust stores, and verify that the certificate hasn’t expired or been revoked. It’s not flashy, but it absolutely gets the job done.
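The certificate troubleshooting checklist above, as an added example (not from the page, and not a real X.509 parser): it takes a summary of a certificate's identity, validity dates and issuer and reports which of the listed problems apply. The certificate summary, its field names, the trusted issuer list and the revoked serial list are all constructed for the example; a real check would pull the same values from the parsed certificate and from the CA's CRL or OCSP responder.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Set


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that covers exactly one left-most DNS label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def classify_certificate(cert: dict, hostname: str, now: datetime,
                         trusted_issuers: Set[str], revoked_serials: Set[str]) -> List[str]:
    """Return the problems found; an empty list means the certificate checks out.
    Order follows the troubleshooting steps: trust, revocation, time, then name."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("untrusted CA")
    if cert["serial"] in revoked_serials:
        problems.append("revoked")
    if now < cert["not_before"]:
        problems.append("not yet valid (check system time)")   # classic clock-skew symptom
    if now > cert["not_after"]:
        problems.append("expired")
    if not any(name_matches(name, hostname) for name in cert["names"]):
        problems.append("hostname mismatch")
    return problems


# Constructed certificate summary and trust data (invented values, not real identifiers).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
VPN_CERT = {
    "serial": "0A1B2C",                       # constructed serial number
    "issuer": "Example Corp Issuing CA 1",
    "names": ["vpn.example.com", "*.corp.example.com"],
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
TRUSTED_ISSUERS = {"Example Corp Issuing CA 1"}
REVOKED_SERIALS = {"DEADBEEF"}

if __name__ == "__main__":
    print(classify_certificate(VPN_CERT, "vpn.example.com", NOW, TRUSTED_ISSUERS, REVOKED_SERIALS))   # []
    print(classify_certificate(VPN_CERT, "portal.example.com", NOW, TRUSTED_ISSUERS, REVOKED_SERIALS))  # hostname mismatch
    print(classify_certificate(VPN_CERT, "vpn.example.com", NOW + timedelta(days=400),
                               TRUSTED_ISSUERS, REVOKED_SERIALS))                                      # expired
    print(classify_certificate(VPN_CERT, "vpn.example.com", NOW, set(), {"0A1B2C"}))                    # untrusted CA, revoked
```

Note that a wildcard covers one label only: `*.corp.example.com` matches `jump.corp.example.com` but neither `corp.example.com` nor `a.b.corp.example.com`, which is a frequent source of "hostname mismatch" surprises after a service moves.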

11. Wireless Security Fundamentals

Wireless security is worth taking seriously because wireless changes the exposure model quite a bit: it pushes the network beyond the physical walls, so security matters even more out there. Use WPA2 or WPA3 instead of WEP, and for business networks, enterprise authentication is usually the better call.

Enterprise Wi-Fi commonly uses 802.1X with RADIUS working behind the scenes. Personal mode uses a shared passphrase, which is easy to deploy but harder to rotate and way easier to leak. WPA3-Personal uses SAE, which is stronger than the older PSK approach. Guest wireless should be isolated with separate VLANs or policies, internet-only access, and optionally AP/client isolation. Client isolation blocks peer-to-peer communication on the same SSID, but it doesn’t replace firewall isolation from internal resources, and that’s an important distinction.

Keep an eye out for rogue APs and evil twins, because they’re a classic wireless problem. A rogue AP is basically an unauthorized access point. An evil twin copies a legitimate SSID to trick users into connecting to the wrong network. Mitigations include controller monitoring, wireless scanning, strong onboarding, certificate validation in enterprise deployments, and user awareness.

12. Hardening, Logging, Monitoring, and Management Plane Protection

Hardening reduces attack surface. Good network hardening really comes down to trimming away anything you don’t need. That means disabling unused services, changing default settings, shutting down or securing unused switch ports, using port security where it makes sense, turning on protections like DHCP snooping when the platform supports them, restricting management access, backing up configs, and validating firmware before upgrades.

The management plane deserves special protection, because if attackers get there, they can usually take the whole network with them. I’d use a dedicated management VLAN or VRF, a jump host or bastion, SSH/HTTPS/SNMPv3 only, source-IP restrictions, centralized AAA, config backups, and audit logs. If the management interface is reachable from every user subnet, you’ve expanded the attack surface for basically no real benefit.

Logs should be centralized, kept in sync with NTP, and protected from tampering wherever possible. Otherwise, you end up with incomplete timelines and a lot of guesswork when something goes wrong. Typical log sources include firewalls, VPN gateways, switches, wireless controllers, AAA servers, IDS/IPS tools, and other core network systems. A SIEM helps pull those events together, correlate them, and alert on patterns across the environment, and that’s where the real value starts to show up. Logging helps both security and troubleshooting, but it also comes with costs like storage, alert noise, and the time it takes to review everything.
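The kind of correlation a SIEM does over centralized AAA logs, as an added example (not from the page or any SIEM product): it parses authentication events from a RADIUS server and flags a source address that fails logins against many different accounts within a short window, which is the password-spraying pattern section 4 lists as an exploit, while leaving a single user who mistypes a password a couple of times alone. The log lines and their syslog-like format are constructed for the example; the window only works because the timestamps come from an NTP-synced collector and can be compared.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed AAA log lines in an invented syslog-like format (UTC timestamps).
LOG_LINES = """\
2024-05-01T08:00:01Z radius1 auth: user=alice src=10.10.10.25 result=FAIL
2024-05-01T08:00:09Z radius1 auth: user=alice src=10.10.10.25 result=FAIL
2024-05-01T08:00:20Z radius1 auth: user=alice src=10.10.10.25 result=OK
2024-05-01T08:02:00Z radius1 auth: user=alice src=203.0.113.9 result=FAIL
2024-05-01T08:02:03Z radius1 auth: user=bob src=203.0.113.9 result=FAIL
2024-05-01T08:02:06Z radius1 auth: user=carol src=203.0.113.9 result=FAIL
2024-05-01T08:02:09Z radius1 auth: user=dave src=203.0.113.9 result=FAIL
2024-05-01T08:02:12Z radius1 auth: user=erin src=203.0.113.9 result=FAIL
2024-05-01T08:02:15Z radius1 auth: user=frank src=203.0.113.9 result=FAIL
2024-05-01T08:30:00Z radius1 auth: user=gina src=10.10.10.40 result=FAIL
2024-05-01T08:31:00Z radius1 auth: user=hank src=10.10.10.40 result=FAIL
2024-05-01T09:10:00Z radius1 auth: user=ivan src=10.10.10.40 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text: str) -> List[dict]:
    """Turn log lines into event dicts; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_spray_sources(events: List[dict], window: timedelta = timedelta(minutes=10),
                       min_users: int = 5) -> Dict[str, List[str]]:
    """Return {source: [accounts]} for sources with failed logins against at least
    min_users distinct accounts inside any window-sized span. Many accounts from one
    source is the spraying pattern; one account failing repeatedly is usually just a typo."""
    failures = defaultdict(list)
    for event in events:
        if event["result"] == "FAIL":
            failures[event["src"]].append(event)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):   # slide the window start over each failure
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


EVENTS = parse_events(LOG_LINES)

if __name__ == "__main__":
    print(find_spray_sources(EVENTS))   # only 203.0.113.9 trips the default threshold
```

The threshold and window are the tuning knobs the text warns about: set them too low and a shared NAT address with a few forgetful users becomes alert noise, too high and a slow spray spread over hours never trips.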

And availability matters here too. Centralized AAA, MFA providers, VPN concentrators, and logging systems can become dependencies. Use redundancy where possible and test failover regularly.

13. Basic security troubleshooting

A compact troubleshooting mindset goes a long way on both the exam and the job, honestly.

  • User can log in but cannot open the app: authentication succeeded, so check authorization, ACLs, firewall rules, and segmentation policy.
  • VPN connects but internal resources fail: check routes, split-tunnel policy, DNS, firewall rules, and whether the user is assigned the correct access group.
  • Guest SSID reaches printers or file shares: verify VLAN assignment, inter-VLAN policy, client isolation, and default gateway/firewall rules.
  • Admin cannot SSH to a switch: confirm source IP restrictions, ACLs, AAA reachability, local fallback account status, and whether Telnet was disabled before SSH was verified.
  • Alert seen but traffic still passes: likely IDS, not IPS.

Always separate authentication failure, authorization failure, and availability failure. That one habit solves a lot of exam questions quickly.

14. Applied Scenarios

Scenario 1: Secure a flat office network. Set up separate VLANs for users, servers, guest, IoT, and management. Then apply inter-VLAN policy so users can reach only the server ports they actually need, guest traffic goes to the internet only, and management stays restricted to admin workstations. Validate with ping, traceroute, and firewall rule-hit counters.

Scenario 2: Protect the management plane. Move device management to a management VLAN, allow SSH only from the admin subnet, disable Telnet and HTTP, use TACACS+ or RADIUS-backed AAA, enable syslog, and verify NTP. Keep a documented break-glass local account in case AAA is unavailable.

Scenario 3: Enterprise wireless with guest access. Use WPA2/WPA3-Enterprise with 802.1X and RADIUS for staff. Put guest on a separate SSID and VLAN with internet-only access. If a contractor needs temporary access to one internal application, do not place them on the general internal SSID; use role-based policy and logging.

15. Exam Tips and Final Review

Use this decision process on scenario questions: identify the asset, identify the risk, match the control, eliminate distractors.

  • Successful login but limited access = authorization, not authentication
  • Prevent tampering = integrity
  • Detect suspicious traffic = IDS
  • Block malicious traffic automatically = IPS
  • Internet-only guest access = segmentation plus firewall isolation
  • Encryption = confidentiality; hashing = integrity
  • VLAN alone is not enough without filtering

The big picture is simple: secure networks rely on layered controls. Use identity controls such as AAA, IAM, MFA, and RBAC; reduce exposure with hardening and secure protocols; limit movement with segmentation and DMZs; protect trust with PKI and certificates; and support operations with logging, monitoring, backups, and tested redundancy. If you can look at a scenario and decide what is being protected, what the real risk is, and which control fits best, you are thinking like a network professional.