Network Segmentation and Operations Triage Lab

Key Takeaways

  • Segmentation limits unnecessary communication between systems and reduces blast radius during an incident.
  • Firewall rules should specify source, destination, protocol, port, and business purpose; 'any any allow' defeats the control.
  • Threat identification depends on evidence: logs, traffic patterns, affected assets, and user reports.
  • Security operations triage prioritizes severity, scope, confidence, criticality, and containment urgency.
  • A strong analyst separates ordinary troubleshooting (an offline printer) from real security indicators (a guest device scanning TCP 445) before escalating.
Last updated: June 2026

Where Network Security Meets Operations

Network Security is 24 percent of the CC exam and Security Operations is 18 percent, so combined they are the largest scoring territory. Questions blend technical clues with business priority: VLANs, firewalls, ports, malware symptoms, alerts, and incident-response choices in one scenario. The best answer narrows scope, protects critical assets, and avoids overreacting to weak evidence.

Lab Scenario

A company runs a flat network where workstations, printers, servers, point-of-sale (POS) systems, guest Wi-Fi, and security cameras all communicate freely. A monitoring alert shows one guest device scanning internal addresses on TCP 445. Minutes later, a file server shows unusual failed logons. The help desk also reports one printer offline. The operations lead asks what to do first.

The printer outage may be ordinary troubleshooting. The guest device scanning internal file-sharing ports plus failed logons against a file server are stronger security indicators. The flat network enlarges blast radius because a guest device should never reach internal file services at all. TCP 445 is Server Message Block (SMB), a file-sharing service heavily abused for lateral movement.

Segmentation Decision Table

| Zone | Should communicate with | Should be restricted from | Example control |
|---|---|---|---|
| Guest Wi-Fi | Internet only | Internal servers, POS, admin interfaces | Firewall deny to internal ranges |
| User workstations | Approved application services | Server management ports | VLANs and access control lists |
| File servers | Domain services, backup, approved clients | Guest and camera networks | Firewall rules and monitoring |
| POS systems | Payment processor, required services only | General browsing and guest networks | Dedicated segment |
| Management network | Admin interfaces | Ordinary user and guest access | Jump host, MFA, logging |

Segmentation is more than a diagram. It must be enforced with switch configuration, firewall rules, routing controls, identity controls, and monitoring. A VLAN without access rules may separate broadcast traffic yet still allow routed access. A firewall rule of "any any allow" defeats the whole purpose.
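As an added example (not part of this lab), the decision table above encoded as a default-deny allow-list in Python, with a checker for individual flows and a linter that flags "any any allow" rules. The address ranges, zone names and rule set are constructed assumptions, not a real environment.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption; not from the lab text).
ZONES = {
    "guest_wifi":   ip_network("192.168.50.0/24"),
    "workstations": ip_network("10.0.10.0/24"),
    "file_servers": ip_network("10.0.20.0/24"),
    "pos":          ip_network("10.0.30.0/24"),
    "management":   ip_network("10.0.99.0/24"),
    "internet":     ip_network("0.0.0.0/0"),   # catch-all; used only when nothing narrower fits
}

# Every rule names source zone, destination zone, protocol, ports and business purpose.
# "any" is accepted only so lint_rule() can catch it; no rule below uses it.
ALLOW_RULES = [
    ("guest_wifi",   "internet",     "tcp", {80, 443},  "guest web browsing"),
    ("guest_wifi",   "internet",     "udp", {53},       "guest name resolution"),
    ("workstations", "file_servers", "tcp", {445},      "approved SMB file shares"),
    ("pos",          "internet",     "tcp", {443},      "payment processor API"),
    ("management",   "file_servers", "tcp", {22, 3389}, "admin from jump host"),
]

def zone_of(ip):
    """Most specific zone containing ip (longest prefix wins)."""
    addr = ip_address(ip)
    return max((net.prefixlen, name) for name, net in ZONES.items() if addr in net)[1]

def is_allowed(src_ip, dst_ip, proto, port):
    """Default deny: a flow passes only if a rule names it explicitly."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_ports, purpose in ALLOW_RULES:
        if (r_src in (src, "any") and r_dst in (dst, "any")
                and r_proto in (proto, "any") and (r_ports == "any" or port in r_ports)):
            return True, purpose
    return False, "no matching rule: default deny"

def lint_rule(rule):
    """Findings for a rule too broad to be a control ('any any allow' or no purpose)."""
    src, dst, proto, ports, purpose = rule
    findings = []
    if src == "any" and dst == "any":
        findings.append("source and destination are both 'any'")
    if ports == "any":
        findings.append("port is 'any'")
    if not purpose.strip():
        findings.append("missing business purpose")
    return findings
```

A guest address reaching a file server on TCP 445 falls through every rule and is denied, while the same guest browsing the internet on 443 matches the first rule.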

Threat Identification Drill

| Evidence | More likely meaning | Better next step |
|---|---|---|
| Guest device scans TCP 445 internally | Reconnaissance or malware behavior | Isolate device; block guest-to-internal access |
| Many failed logons on a file server | Credential attack or misconfigured service | Review source, accounts, and lockout impact |
| One printer offline | Probable operational issue | Troubleshoot after higher-risk alerts are contained |
| DNS queries to known malicious domains | Possible compromised endpoint | Identify host and start the incident process |
| Web server gets high traffic from many sources | Possible DDoS or campaign | Compare to baseline; check service impact |

Operations Triage

Triage asks what matters most right now. Weigh severity, scope, confidence, criticality, and whether containment is time-sensitive. If an alert involves a critical server with active lateral movement, escalate fast. If a single endpoint shows a low-confidence alert with no business impact, gather more evidence. If a user reports a phishing email and has clicked the link, reset credentials and review sign-ins. If a user reports a suspicious email but did not interact with it, capture the message and tune filtering.
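An added example (not from the lab) that applies the threat identification drill and the triage weighting above to constructed log lines: it flags a source that reaches many internal addresses on TCP 445, counts failed logons per server and source, and ranks the combination of the two ahead of either alone. The address plan, log format, thresholds and scoring weights are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
GUEST_NET = ip_network("192.168.50.0/24")  # constructed address plan
SCAN_THRESHOLD, LOGON_THRESHOLD = 8, 10    # constructed tuning values

# Constructed firewall log: a guest host sweeps the file-server range on TCP 445;
# the last line is a normal workstation SMB session that must not be flagged.
FW_LOG = "\n".join(
    [f"2026-06-02T09:14:01 allow src=192.168.50.23 dst=10.0.20.{i} proto=tcp dport=445"
     for i in range(1, 13)]
    + ["2026-06-02T09:14:05 allow src=10.0.10.7 dst=10.0.20.5 proto=tcp dport=445"])
# Constructed file-server authentication log: the same guest host is failing logons.
AUTH_LOG = "\n".join(
    f"2026-06-02T09:16:{i:02d} host=fs01 event=logon_failed user=svc{i} src=192.168.50.23"
    for i in range(12))
KV = re.compile(r"(\w+)=(\S+)")  # key=value fields in each line

def parse(log):
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]

def find_smb_scanners(events):
    """Sources that reached many distinct addresses on TCP 445 (scan pattern)."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("proto") == "tcp" and ev.get("dport") == "445":
            targets[ev["src"]].add(ev["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= SCAN_THRESHOLD}

def find_logon_bursts(events):
    """(server, source) pairs with many failed logons."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event") == "logon_failed":
            counts[(ev["host"], ev["src"])] += 1
    return {k: n for k, n in counts.items() if n >= LOGON_THRESHOLD}

def triage(fw_log=FW_LOG, auth_log=AUTH_LOG):
    """Rank by scope (scan), confidence (guest origin) and criticality (server under attack)."""
    scanners, bursts = find_smb_scanners(parse(fw_log)), find_logon_bursts(parse(auth_log))
    findings = []
    for src, dsts in scanners.items():
        servers = [h for (h, s) in bursts if s == src]
        score = 2 + (ip_address(src) in GUEST_NET) + 2 * bool(servers)  # constructed weights
        findings.append((score, f"{src} scanned {len(dsts)} hosts on TCP 445"
                         + (f"; failed logons on {','.join(servers)}" if servers else "")))
    for (host, src), n in bursts.items():
        if src not in scanners:  # credential attack with no scan context ranks lower
            findings.append((2, f"{n} failed logons on {host} from {src}"))
    return sorted(findings, reverse=True)
```

The single workstation SMB session never reaches the scan threshold, so the ranked list contains only the guest host, which carries the highest score because it is both scanning and failing logons on the file server.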

Do not confuse first response with final remediation. Blocking guest-to-internal access contains the immediate risk, but the full fix includes redesigning segmentation, reviewing firewall rules, scanning affected systems, checking file-server logs, and updating procedures.

Multi-Domain Review and Traps

This lab touches every domain. Security principles explain the confidentiality, integrity, and availability impact. Business continuity asks whether critical services must keep running during containment. Access control asks whether accounts and privileges are being abused. Network security asks which paths should exist. Security operations asks how to prioritize alerts, preserve evidence, and escalate.

Ports, Protocols, and Defense Layers

A handful of ports recur in CC scenarios, and recognizing them lets you read traffic clues quickly:

  • TCP 445 (SMB) and TCP 139 (NetBIOS) — file sharing; common in lateral movement and ransomware spread.
  • TCP 3389 (RDP) — remote desktop; dangerous when exposed to the internet.
  • TCP 22 (SSH) and TCP 23 (Telnet) — remote administration; Telnet is plaintext and should be avoided.
  • TCP 443 (HTTPS) and TCP 80 (HTTP) — web traffic; high volume from many sources may signal a DDoS.
  • UDP 53 (DNS) — name resolution; queries to known-malicious domains suggest a compromised host.

Layer the defenses rather than relying on one. A firewall filters by source, destination, protocol, and port. An intrusion detection system (IDS) alerts on suspicious patterns, while an intrusion prevention system (IPS) can also block them. Network access control (NAC) checks device posture before admitting a host. A demilitarized zone (DMZ) isolates internet-facing services from the internal network. Defense in depth means an attacker who passes one control still meets others, which is exactly why a flat network is risky: one bypass exposes everything.

Common Traps

In a PBQ item, expect distractors that are technically real but poorly prioritized: replacing the offline printer, buying more bandwidth, giving the guest device an internal address, or emailing all employees. None of those address the active guest-to-file-server path. Beware answers that add a tool without enforcement (a VLAN with no access rules) or that disable logging. Start with the evidence that shows likely harm and choose the segmentation or containment control that reduces that harm most directly.

Test Your Knowledge

A guest Wi-Fi device is scanning internal file servers on TCP 445. What is the best immediate action?

Which firewall rule is most aligned with least privilege?

During triage, which factor most strongly increases an alert's priority?
