CISSP Study Guide · Domain 4
CISSP Domain 4 Explained: Communication and Network Security
Domain 4 (~13%) covers secure network architecture, protocols, and the controls that defend traffic end to end.
A practical guide with free practice questions · by Domain8
The CISSP — Certified Information Systems Security Professional — is ISC2’s globally recognized cybersecurity certification, organized into eight domains.
Communication and Network Security spans the OSI and TCP/IP models, addressing, network devices, segmentation, and modern architectures like zero trust. Know each layer's role and where each control belongs.
1. Network models and layers
Map functions to layers:
- The OSI 7 layers and the TCP/IP stack; know which layer a protocol or device operates at.
- Encapsulation adds headers down the stack and strips them up.
- Security controls exist at every layer (e.g., IPsec at L3, TLS at the transport/session boundary).
2. Addressing and protocols
Core building blocks:
- IPv4/IPv6, ports, and common protocols (and their secure variants: HTTPS, SSH, SFTP).
- DNS, DHCP, and routing fundamentals — and how each is abused.
- Replace insecure protocols (Telnet, FTP) with encrypted equivalents.
3. Devices and segmentation
Right device, right job:
- Switches (L2), routers (L3), and the role of VLANs and subnets.
- Segmentation limits blast radius and contains breaches.
- Microsegmentation enforces least privilege between workloads.
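An added example, not part of the original guide: it measures blast radius as the set of workloads an attacker can reach by chaining allowed flows from one compromised workload, comparing a flat network with a default-deny microsegmented policy. The workload names and allowed flows are constructed for illustration.

```python
from collections import deque

# Constructed sample environment: workload names and flows are hypothetical.
WORKLOADS = ["web", "app", "db", "hr", "backup"]

# Flat network: every workload may open a connection to every other one.
FLAT = {(s, d) for s in WORKLOADS for d in WORKLOADS if s != d}

# Microsegmented network: default deny, only these (source, destination)
# flows are explicitly allowed.
SEGMENTED = {
    ("web", "app"),
    ("app", "db"),
    ("backup", "db"),
}


def blast_radius(allowed_flows, compromised):
    """Workloads reachable from `compromised` by chaining allowed flows,
    i.e. how far lateral movement can go under this policy."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for s, d in allowed_flows:
            if s == src and d not in reached:
                reached.add(d)
                queue.append(d)
    return reached - {compromised}


def unneeded_flows(allowed_flows, required_flows):
    """Flows the policy permits that no application requires:
    each one is a least-privilege violation to remove."""
    return set(allowed_flows) - set(required_flows)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        for start in ("web", "hr"):
            print(name, start, sorted(blast_radius(policy, start)))
    print("excess flows in flat network:", len(unneeded_flows(FLAT, SEGMENTED)))
```

Segmentation does not remove the path web to app to db, because the application needs it; what it removes is every path the application does not need.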
4. Perimeter and detection
Defend and detect:
- Firewall types: packet-filter, stateful, proxy, next-gen.
- IDS detects; IPS detects and blocks inline.
- Place controls based on the traffic you must inspect.
5. Modern network security
Where the field is heading:
- Zero trust: never trust, always verify; authenticate and authorize every request regardless of network location.
- VPNs / ZTNA for remote access; ZTNA grants least-privilege app access rather than full network access.
- Wireless and mobile risks require strong authentication and encryption.
Free practice questions
Try these in the exam's "best answer" style; the answer and explanation follow each question.
1. An organization replaces its flat network with isolated segments so a compromise in one area cannot reach the others. What benefit does this BEST provide?
- A. Faster internet speed
- B. Reduced blast radius and breach containment
- C. Lower licensing cost
- D. Simpler IP addressing
B. Segmentation limits how far an attacker can move laterally, containing a breach and reducing its blast radius.
2. Which statement BEST captures the zero-trust principle?
- A. Trust everything inside the corporate network
- B. Authenticate and authorize every request regardless of network location
- C. Use one strong perimeter firewall and trust the inside
- D. Disable logging to improve performance
B. Zero trust assumes no implicit trust based on network location and verifies every request's identity and authorization continuously.
3. A device sits inline and can both detect and actively block malicious traffic. What is it?
- A. An IDS
- B. A passive tap
- C. An IPS
- D. A syslog server
C. An IPS (intrusion prevention system) operates inline and can block traffic, whereas an IDS only detects and alerts.
Frequently asked questions
Do I need to memorize every port number?
Know the common ones and their secure variants, but the exam emphasizes concepts, layering, and where controls belong over rote port memorization.
What is the modern focus in Domain 4?
Zero trust and segmentation. Expect questions that reward least-privilege, verify-everything answers.