Designing a Secure Network – CompTIA Security+ Lesson 8

This lesson is about the security topology of networks: how to factor access methods, security controls and technologies into the physical layout and create a secure network.

Primary areas of concern on this topic are the following:

  • Demilitarized zones (DMZs)
  • Subnetting
  • VLANs
  • Remote access
  • NAT
  • Telephony
  • NACs

Demilitarized Zones

A DMZ is an area where you place public servers for people you wouldn’t necessarily trust. They can then access everything within the DMZ but not your local network; you, on the other hand, can access the DMZ from your network. You can create a DMZ with firewalls like this one.

A typical example for a server in a DMZ is a webserver.

Subnetting

This is the art of dividing a network into smaller subnetworks by using the subnet mask value. It gives you more networks, but fewer hosts on each.

The main reasons to use subnetting are:

  • The network is easier to manage
  • The network is more secure
  • IP addresses are used more effectively

If you use subnetting, traffic is directed only onto the subnets it has to reach, which reduces overall network traffic. It also creates more broadcast domains, which reduces the range of a single broadcast.
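To make the "more networks, fewer hosts" trade-off concrete, here is a small subnet calculator built on Python's standard `ipaddress` module. It is an added example, not code from the original lesson; the 192.168.1.0/24 network and the host addresses used below are constructed sample values. It splits a network into equal subnets, reports the netmask, broadcast address and usable host range of each, and shows which (smaller) broadcast domain a given host ends up in.

```python
import ipaddress
from typing import List, Optional, Dict

def split_network(cidr: str, new_prefix: int) -> List[Dict]:
    """Split `cidr` into equal subnets with a longer prefix.

    Each returned entry describes one subnet: network address, prefix,
    dotted netmask, broadcast address, first/last usable host and the
    number of usable hosts (all addresses minus network and broadcast).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not (net.prefixlen < new_prefix <= 30):
        raise ValueError("new prefix must be longer than the parent's and at most /30")
    subnets = []
    for sub in net.subnets(new_prefix=new_prefix):
        # Arithmetic instead of list(sub.hosts()) so large networks stay cheap.
        subnets.append({
            "network": str(sub.network_address),
            "prefix": sub.prefixlen,
            "mask": str(sub.netmask),
            "broadcast": str(sub.broadcast_address),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "usable_hosts": sub.num_addresses - 2,
        })
    return subnets

def locate_host(ip: str, subnets: List[Dict]) -> Optional[Dict]:
    """Return the subnet (broadcast domain) that contains `ip`, or None.

    A broadcast sent by this host only reaches addresses up to the
    returned entry's "broadcast" address, not the whole parent network.
    """
    addr = ipaddress.ip_address(ip)
    for entry in subnets:
        net = ipaddress.ip_network(f"{entry['network']}/{entry['prefix']}")
        if addr in net:
            return entry
    return None

if __name__ == "__main__":
    # Constructed sample: carve a /24 into four /26 subnets.
    for s in split_network("192.168.1.0/24", 26):
        print(f"{s['network']}/{s['prefix']}  mask {s['mask']}  "
              f"hosts {s['first_host']}-{s['last_host']} ({s['usable_hosts']})  "
              f"broadcast {s['broadcast']}")
    hit = locate_host("192.168.1.130", split_network("192.168.1.0/24", 26))
    print("192.168.1.130 broadcasts only within", hit["network"], "->", hit["broadcast"])
```

Running it shows the arithmetic the exam expects: two extra mask bits turn one /24 with 254 usable hosts into four /26 subnets with 62 usable hosts each, and a host such as 192.168.1.130 now shares a broadcast domain with 61 other addresses instead of 253.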

You won't need to be an expert at subnetting to pass the test, but you should know the basics. I recommend this tutorial to learn them.

Virtual Local Area Networks

It’s similar to subnetting in that it is used to segment a network, but the segmentation is done virtually, in the switch configuration, instead of through subnet addressing and separate hardware.

Remote access

Remote access has grown since many people want to work from home. Solutions like Ultra VNC or PC Anywhere offer the opportunity to take full control of a remote machine, as if you were sitting in front of it. That creates a little issue: you’re leaving a door wide open that anyone may stumble upon.

It is highly recommended that you configure these services carefully and only run them when needed.

Network Address Translation

NAT translates every private IP address on your network into the same public address. An intruder will only see that one IP and will not be able to look behind the curtain of your network.

Imagine you’re using the range – for the clients in your network. The outside world will only see the public IP of your whole network, no matter which client accesses a website, for example.

If you were to open behind a NAT, you won't see the address you get when you check with ipconfig/ifconfig on your local machine.
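The following added example (not code from the original lesson) simulates the translation table a NAT gateway keeps, in the port-overloading form (PAT) that home and office routers use. The public address 203.0.113.10, the private clients 10.0.0.5 and 10.0.0.9 and the remote server 198.51.100.20 are constructed sample values. It shows the two points made above: every outbound connection leaves with the same public source address, and an inbound packet is only forwarded to a private host if an earlier outbound connection created a matching table entry, so unsolicited traffic from the outside has nowhere to go.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port) as seen on one side of the gateway
Flow = Tuple[str, int, str, int]

@dataclass
class PortAddressTranslator:
    """Stateful NAT/PAT table: many private hosts share one public IP."""
    public_ip: str
    next_port: int = 40000          # first public source port handed out
    max_port: int = 65535
    # private flow -> public source port allocated for it
    outbound_table: Dict[Flow, int] = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
    inbound_table: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate_outbound(self, src_ip: str, src_port: int,
                           dst_ip: str, dst_port: int) -> Flow:
        """Rewrite a packet leaving the private network.

        The private source is replaced by public_ip plus a unique public
        port, so two clients using the same source port stay distinguishable.
        An existing flow reuses its mapping.
        """
        key: Flow = (src_ip, src_port, dst_ip, dst_port)
        public_port = self.outbound_table.get(key)
        if public_port is None:
            if self.next_port > self.max_port:
                raise RuntimeError("public port pool exhausted")
            public_port = self.next_port
            self.next_port += 1
            self.outbound_table[key] = public_port
            self.inbound_table[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def translate_inbound(self, src_ip: str, src_port: int,
                          dst_port: int) -> Optional[Flow]:
        """Rewrite a packet arriving at public_ip:dst_port from the internet.

        Returns the packet addressed to the private host that opened the
        flow, or None when no table entry exists (the gateway drops it).
        """
        private = self.inbound_table.get((dst_port, src_ip, src_port))
        if private is None:
            return None
        return (src_ip, src_port, private[0], private[1])

if __name__ == "__main__":
    nat = PortAddressTranslator(public_ip="203.0.113.10")
    # Two constructed clients happen to pick the same source port.
    print(nat.translate_outbound("10.0.0.5", 51000, "198.51.100.20", 443))
    print(nat.translate_outbound("10.0.0.9", 51000, "198.51.100.20", 443))
    # The web server's reply to the first flow finds its way back...
    print(nat.translate_inbound("198.51.100.20", 443, 40000))
    # ...while an unsolicited probe from elsewhere matches nothing.
    print(nat.translate_inbound("198.51.100.99", 12345, 40000))
```

From the web server's point of view both connections come from 203.0.113.10 (ports 40000 and 40001); it never learns the 10.0.0.x addresses that ipconfig/ifconfig report on the clients. The same table is what lets the gateway refuse packets for which no client ever opened a connection.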


One of my readers (Jackie H) recommended another tool for IP lookups.

Telephony

Telephony is the name for telephone technology mixed with IT. Basically it’s VoIP.

As part of the network you should treat VoIP just like any other part and not go easy on it because it’s just phones. It can easily be sniffed by tools like Cain & Abel.

Best practices on securing IP telephony can be found here. They basically involve these steps (quoted from the article):

  • Keeping up-to-date with operating system and third-party service packs to eliminate well-known security holes
  • Implementing critical support patches on servers and Cisco® devices when appropriate
  • Subscribing to mailing lists that publicize urgent vulnerabilities and critical patches
  • Updating anti-virus definitions to protect against well-known worms and viruses
  • Performing daily backups of servers with periodic data recovery tests

Network Access Control

NAC is basically a set of standards defined by the network for clients attempting to access it. Clients have to meet the required standards in order to enter the network, like being virus free, for example.