5.6 Network Security Controls and Architecture

Key Takeaways

  • Defense-in-depth layers controls (physical, network, host, application, data) so no single failure exposes the asset; segmentation and least privilege limit blast radius.
  • Network segmentation, DMZs, and VLANs separate trust zones; a Zero Trust model assumes breach and verifies every request rather than trusting the internal network.
  • NAC enforces device posture before granting access; 802.1X port-based authentication, RADIUS, and VPNs control who and what connects.
  • Logging, SIEM correlation, and continuous monitoring turn raw events into detection; honeypots, IDS/IPS, and NGFWs feed that pipeline.
  • The CIA triad (confidentiality, integrity, availability) plus AAA (authentication, authorization, accounting) are the framework CEH maps every control back to.
Last updated: June 2026

Defense-in-Depth and Trust Zones

No single control stops every attack, so secure networks apply defense-in-depth — overlapping layers so that a failure at one layer is caught by another. CEH frames the layers as physical, perimeter (network), host, application, and data, each with its own controls. The complementary principle is least privilege: every user, device, and service gets only the access it needs, shrinking the blast radius of any compromise.

Networks are divided into trust zones. A classic three-zone design has the untrusted Internet, a semi-trusted DMZ (screened subnet) hosting public-facing servers, and the trusted internal LAN. Firewalls enforce policy at each boundary; a bastion host is a hardened system deliberately exposed in the DMZ. VLANs logically separate segments on shared switches, and network segmentation/micro-segmentation confines lateral movement so that breaching one segment does not grant the whole network.

Architecture Element     Purpose
DMZ / screened subnet    Isolate public servers from the internal LAN
VLAN segmentation        Separate departments/functions on shared hardware
Bastion host             Hardened, exposed gateway system
Air gap                  Physically isolate the most sensitive systems

Access Control, NAC, and Zero Trust

Controlling who and what connects is foundational. Network Access Control (NAC) evaluates a device's posture (patch level, antivirus, configuration) before granting access, quarantining non-compliant endpoints. IEEE 802.1X provides port-based network access control: a supplicant authenticates to an authenticator (switch/AP) which checks credentials against a RADIUS server before opening the port. VPNs (IPsec, SSL/TLS) extend the trusted boundary securely across untrusted networks.

The modern direction is Zero Trust, which discards the old "hard shell, soft interior" assumption that the internal network is safe. Zero Trust principles: never trust, always verify; assume breach; authenticate and authorize every request based on identity, device health, and context; and enforce least-privilege micro-segmentation. Every control maps to the AAA framework — Authentication (who are you), Authorization (what may you do), and Accounting/Auditing (what did you do) — and to the CIA triad of Confidentiality, Integrity, and Availability that defines security goals.

When an exam item asks which property a control protects, trace it to CIA: encryption serves confidentiality, hashing/digital signatures serve integrity, and redundancy/anti-DDoS serves availability.

Detection, Monitoring, and Logging

Prevention is never perfect, so detection is mandatory. Network sensors (NIDS/NIPS, NGFWs), host agents (HIDS/EDR), and decoys (honeypots/honeytokens) generate events that flow into a Security Information and Event Management (SIEM) platform. The SIEM correlates logs across sources to surface multi-step attacks that any single device would miss, and supports alerting, dashboards, and forensic search.

Key monitoring controls and what they catch:

Control                      Detects
SIEM correlation             Multi-stage attacks across systems
NetFlow / traffic analysis   Volumetric anomalies, beaconing, exfiltration
Centralized logging          Tampering, lateral movement, policy violations
File integrity monitoring    Unauthorized changes to critical files
EDR                          Endpoint process/behavior anomalies

Logs must be centralized and tamper-resistant (attackers clear local logs to cover tracks — the fifth phase of the hacking methodology), time-synchronized via NTP, and retained per policy.
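The cross-source correlation described above, as an added example that is not part of the CEH material: a small rule that flags a successful login only when the same source IP also produced firewall denies and a NIDS alert shortly before. The log lines and their "timestamp|source|src_ip|message" layout are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (perimeter firewall, NIDS,
# host auth log). The pipe-separated layout is invented for this example;
# a real SIEM normalizes vendor formats into a common schema first.
SAMPLE_LOGS = """\
2024-05-01T10:00:05|fw|203.0.113.7|deny tcp dst 10.0.0.5:22
2024-05-01T10:00:06|fw|203.0.113.7|deny tcp dst 10.0.0.5:3389
2024-05-01T10:01:10|nids|203.0.113.7|alert portscan
2024-05-01T10:03:40|auth|203.0.113.7|sshd accepted password for admin on 10.0.1.20
2024-05-01T09:10:00|nids|203.0.113.7|alert portscan
2024-05-01T10:02:00|fw|198.51.100.9|deny tcp dst 10.0.0.5:445
2024-05-01T11:30:00|auth|192.0.2.44|sshd accepted password for deploy on 10.0.1.20
"""

def parse(line):
    ts, source, ip, msg = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "source": source, "ip": ip, "msg": msg}

def correlate(lines, window=timedelta(minutes=10)):
    """Flag a successful login whose source IP also produced firewall denies
    AND a NIDS alert within the preceding window. Each device alone sees
    only noise (a few denies, one scan, one valid login); combined, the
    sequence looks like a multi-stage intrusion worth an analyst's time."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for e in events:
        if e["source"] != "auth" or "accepted" not in e["msg"]:
            continue
        recent = [x for x in by_ip[e["ip"]]
                  if e["ts"] - window <= x["ts"] < e["ts"]]
        if {"fw", "nids"} <= {x["source"] for x in recent}:
            alerts.append({"ip": e["ip"], "login_at": e["ts"].isoformat(),
                           "precursors": len(recent), "login": e["msg"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(f"CORRELATED ALERT {a['ip']}: {a['precursors']} precursor events, then '{a['login']}'")
```

Shrinking the window to one minute shows why the time bound matters: the same events no longer correlate, so the window is a tuning knob between missed chains and false positives.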

Hardening and Putting It Together

Beyond architecture, individual systems are hardened: disable unused services and ports, patch promptly, enforce strong authentication and MFA, remove default credentials, and apply secure baselines (CIS Benchmarks). At the network layer, defenders enforce egress filtering, disable IP source routing, secure switch ports against MAC flooding/ARP spoofing (port security, DHCP snooping, Dynamic ARP Inspection), and encrypt management traffic.

A layered perimeter for a typical enterprise combines, from outside in: an NGFW with integrated IPS at the edge, a DMZ for public services, NAC + 802.1X controlling internal access, segmentation/VLANs limiting lateral movement, honeypots as tripwires, and a SIEM correlating everything. Critically, these controls reinforce each other: the firewall blocks the obvious, the IDS/IPS catches what gets through, segmentation contains what is missed, the honeypot flags lateral movement, and logging/SIEM provides the evidence trail.

Layer-2 (switch) hardening deserves special attention because many attacks in this chapter begin there. MAC flooding overflows a switch's CAM table to force it to behave like a hub (flooding frames to all ports so the attacker can sniff) — port security limiting MACs per port stops it. ARP spoofing/poisoning underpins MITM and session hijacking; Dynamic ARP Inspection (DAI) validates ARP replies against a trusted DHCP snooping binding table. VLAN hopping (double-tagging or switch spoofing) is blocked by disabling Dynamic Trunking Protocol on access ports and never using the native VLAN for user traffic. Rogue DHCP servers are blocked by trusting DHCP only on known uplink ports.
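A simplified model of three of the switch protections just described, written as an added example (not from the CEH material or any vendor's implementation): DHCP snooping builds a binding table only from leases that arrive on trusted uplinks, port security caps how many MACs an access port may learn, and DAI forwards an ARP reply on an untrusted port only if its sender IP/MAC/VLAN match a binding for that port. Port names, VLAN number and addresses are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Binding = namedtuple("Binding", "ip mac vlan port")  # one DHCP snooping binding-table row

@dataclass
class Switch:
    trusted_ports: set                       # uplinks where DHCP servers and ARP are trusted
    max_macs_per_port: int = 2               # port-security limit (constructed value)
    bindings: set = field(default_factory=set)
    cam: dict = field(default_factory=dict)  # port -> set of learned MACs
    violations: list = field(default_factory=list)

    def dhcp_lease(self, server_port, client_port, client_mac, ip, vlan):
        # DHCP snooping: offers from untrusted ports are dropped (rogue server);
        # accepted leases populate the binding table for the client's port.
        if server_port not in self.trusted_ports:
            self.violations.append(("rogue-dhcp", server_port))
            return False
        self.bindings.add(Binding(ip, client_mac, vlan, client_port))
        return True

    def learn_mac(self, port, mac):
        # Port security: at most max_macs_per_port addresses per access port.
        known = self.cam.setdefault(port, set())
        if mac in known:
            return True
        if len(known) >= self.max_macs_per_port:
            self.violations.append(("port-security", port))
            return False
        known.add(mac)
        return True

    def arp_reply(self, port, sender_ip, sender_mac, vlan):
        # Dynamic ARP Inspection: on untrusted ports a reply is forwarded only if
        # its sender IP/MAC/VLAN match a binding recorded for that same port.
        if port in self.trusted_ports or Binding(sender_ip, sender_mac, vlan, port) in self.bindings:
            return True
        self.violations.append(("dai", port))
        return False

def run_scenario():
    # Constructed ports, MACs and addresses; Gi1/0/24 is the only trusted uplink.
    sw = Switch(trusted_ports={"Gi1/0/24"})
    sw.dhcp_lease("Gi1/0/24", "Gi1/0/3", "aa:aa:aa:00:00:03", "10.0.10.3", 10)  # legitimate lease
    rogue = sw.dhcp_lease("Gi1/0/7", "Gi1/0/8", "aa:aa:aa:00:00:08", "10.0.10.8", 10)
    good = sw.arp_reply("Gi1/0/3", "10.0.10.3", "aa:aa:aa:00:00:03", 10)
    spoof = sw.arp_reply("Gi1/0/7", "10.0.10.1", "bb:bb:bb:00:00:07", 10)  # claims gateway IP, no binding
    learned = [sw.learn_mac("Gi1/0/7", f"cc:cc:cc:00:00:{i:02x}") for i in range(3)]
    return {"rogue_dhcp": rogue, "dai_good": good, "dai_spoof": spoof,
            "learned": learned, "violations": sw.violations}
```

The violations list is what a real switch would send to syslog and the SIEM, which is how Layer-2 hardening also feeds the detection pipeline.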

The exam-level synthesis: map every control to the CIA triad and AAA, prefer defense-in-depth with least privilege, segment aggressively, and assume breach (Zero Trust). No control is sufficient alone — security is the combination, tuned and monitored continuously, with detection and response assumed because prevention will eventually fail. CEH ties this back to the risk-management mindset: identify assets, apply controls proportionate to threat and value, and accept that residual risk is managed, never eliminated.

The perimeter is no longer a single wall but a series of reinforcing zones, each with prevention, detection, and a path to response.

Test Your Knowledge

An organization stops assuming its internal network is trustworthy and instead verifies the identity, device health, and context of every request, even from inside the LAN. Which model is this?

Which control evaluates a connecting device's patch level, antivirus status, and configuration before allowing it onto the network, quarantining non-compliant endpoints?

A SIEM platform's primary security advantage over reading individual device logs is that it can:
