2026 · JUL 08 · Networking
CISSP Domain 4 Revision: Communication and Network Security
Domain 4 tends to expose candidates whose background is stronger in policy than in networking itself. This is a revision walk through architecture, protocols, segmentation and secure communication channels, the working knowledge the exam assumes you already have.
By Vishal Vashisht
Domain 4 is the domain most likely to expose a candidate who has spent their career in security governance rather than in networking itself. The questions assume a working familiarity with how packets actually move, not just an awareness that networks exist and need protecting. If your background is heavier on policy than on infrastructure, this is the domain to give the most raw study time.
Secure design principles in network architecture
This objective is broad enough to function almost as its own mini-domain, so it helps to break it into groups.
The OSI and TCP/IP models remain the backbone of network vocabulary on the exam. Learn the seven OSI layers and be able to map an attack or a protocol to the correct one without hesitation: a MAC flooding attack sits at layer 2, IP spoofing at layer 3, session hijacking at layer 5. TCP/IP condenses this into four layers, and the exam sometimes tests the ability to translate between the two models rather than treating them as entirely separate systems.
IPv4 and IPv6 need to be understood beyond address format. Know the addressing types: unicast (one to one), broadcast (one to all, IPv4 only), multicast (one to many, a defined group), and anycast (one to nearest, used heavily in CDN and DNS infrastructure). IPv6 removed broadcast entirely in favour of multicast, which is a detail the exam likes to probe.
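As an added example (not part of the original article), the following Python classifies a destination address by delivery type using only the standard-library `ipaddress` module. It makes the IPv6 point concrete: the highest address in an IPv6 prefix is just another unicast address, while "all nodes" is reached through the multicast group ff02::1. The subnet and sample addresses are constructed from documentation ranges, and the scope table is the one from RFC 4291. Anycast is deliberately not a return value, because an anycast address is an ordinary unicast address advertised from several places and nothing in the address itself reveals that.

```python
import ipaddress
from typing import Optional

# IPv6 multicast scope, taken from the fourth hex digit of the address (RFC 4291).
V6_MULTICAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def classify_destination(addr: str, network: Optional[str] = None) -> str:
    """Return "broadcast", "multicast" or "unicast" for a destination address.

    `network` is the subnet the sender sits on; it is only needed to
    recognise an IPv4 directed broadcast. Anycast cannot be recognised
    from the address alone, so it is never returned.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            return "broadcast"  # limited broadcast, never routed
        if network is not None:
            net = ipaddress.ip_network(network, strict=False)
            if ip == net.broadcast_address:
                return "broadcast"  # directed broadcast for that subnet
    # IPv6 has no broadcast: the last address of a /64 is ordinary unicast,
    # and "all nodes on the link" is the multicast group ff02::1 instead.
    return "unicast"


def multicast_scope(addr: str) -> str:
    """Return the scope of an IPv6 multicast group, e.g. ff02::1 -> link-local."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    scope = int(ip.exploded[3], 16)
    return V6_MULTICAST_SCOPES.get(scope, f"reserved({scope})")


if __name__ == "__main__":
    # Constructed sample destinations (documentation ranges only).
    samples = [
        ("192.0.2.37", "192.0.2.0/24"),
        ("192.0.2.255", "192.0.2.0/24"),
        ("255.255.255.255", None),
        ("239.1.2.3", None),
        ("ff02::1", None),
        ("2001:db8::ffff:ffff:ffff:ffff", "2001:db8::/64"),
    ]
    for addr, net in samples:
        print(f"{addr:32} {classify_destination(addr, net)}")
    print("ff02::1 scope:", multicast_scope("ff02::1"))
```

The IPv4 directed-broadcast check only fires when the sender's own subnet is supplied, which mirrors how a router decides whether a packet addressed to a subnet's last address is broadcast or merely a host it has never seen.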
Secure protocols are worth knowing by what they actually secure. IPSec operates at the network layer and is the basis for most site-to-site VPNs. SSH secures remote administrative access and file transfer (SCP and SFTP). SSL and its successor TLS secure application-layer traffic, most visibly HTTPS; every version of SSL is obsolete, TLS 1.0 and 1.1 are formally deprecated, and TLS 1.2 or above is the expected standard.
Multilayer protocols raise a genuine security concern the exam wants you to reason through: a protocol that operates across multiple OSI layers can carry data in a way that bypasses controls designed for a single layer, since a filter watching layer 3 traffic might miss something encapsulated and executed higher up.
Converged protocols blend traditionally separate types of traffic onto common infrastructure. iSCSI carries storage traffic over standard IP networks rather than dedicated storage fabric. VoIP carries voice over data networks. InfiniBand over Ethernet and Compute Express Link extend this convergence into high-performance computing interconnects. The shared risk across all of them is that convergence increases the blast radius of a single network compromise, since one previously isolated function now shares infrastructure with everything else.
Transport architecture covers how traffic actually moves through a network. Know the separation between the data plane (the traffic itself), the control plane (the logic deciding how traffic is routed), and the management plane (the administrative access used to configure devices). This separation matters because compromising the control plane can affect traffic across an entire network even if the data plane itself was never directly attacked. Cut-through switching forwards a frame as soon as the destination address is read, favouring speed at the cost of forwarding frames whose CRC would have failed. Store-and-forward waits for the complete frame, checks it, and only then forwards it, favouring accuracy and error checking.
Performance metrics worth knowing precisely: bandwidth is capacity, throughput is what's actually achieved, latency is delay, jitter is variation in that delay, and signal-to-noise ratio measures signal quality against background interference. A question describing choppy video calls with inconsistent delay is pointing at jitter, not raw bandwidth.
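To make those definitions measurable, here is an added Python example (not from the original article) that computes latency, jitter and throughput from per-packet send and receive timestamps and then names the metric that explains a bad experience. The two sample streams are constructed: both have the same mean delay and the same link, but one alternates between fast and slow delivery, which is exactly the "choppy video with inconsistent delay" scenario. Jitter uses the RFC 3550 interarrival estimator; the link capacity, packet sizes and alarm thresholds are assumptions.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass
class Packet:
    seq: int
    sent_ms: float     # sender's timestamp
    recv_ms: float     # receiver's timestamp
    size_bytes: int


def latencies_ms(pkts: List[Packet]) -> List[float]:
    return [p.recv_ms - p.sent_ms for p in pkts]


def mean_latency_ms(pkts: List[Packet]) -> float:
    lat = latencies_ms(pkts)
    return sum(lat) / len(lat)


def jitter_ms(pkts: List[Packet]) -> float:
    """Interarrival jitter as defined in RFC 3550 (the RTP estimator).

    D is the change in one-way delay between consecutive packets; J is a
    running average that moves 1/16 of the way toward |D| on each packet.
    """
    j = 0.0
    for prev, cur in zip(pkts, pkts[1:]):
        d = (cur.recv_ms - prev.recv_ms) - (cur.sent_ms - prev.sent_ms)
        j += (abs(d) - j) / 16
    return j


def throughput_bps(pkts: List[Packet]) -> float:
    """Bits actually delivered per second, from first send to last receipt."""
    bits = 8 * sum(p.size_bytes for p in pkts)
    window_s = (max(p.recv_ms for p in pkts) - min(p.sent_ms for p in pkts)) / 1000
    return bits / window_s


def snr_db(signal_power: float, noise_power: float) -> float:
    """Signal-to-noise ratio in decibels from two power measurements."""
    return 10 * math.log10(signal_power / noise_power)


def diagnose(pkts: List[Packet], link_bandwidth_bps: float,
             max_jitter_ms: float = 5.0, utilisation_alarm: float = 0.8) -> List[str]:
    """Name the metric(s) that explain a poor experience on this stream.

    Bandwidth is the link's capacity; it is only the problem when the
    achieved throughput is close to that capacity. Jitter is flagged on
    its own, independent of how busy the link is.
    """
    findings = []
    if throughput_bps(pkts) >= utilisation_alarm * link_bandwidth_bps:
        findings.append("bandwidth")
    if jitter_ms(pkts) > max_jitter_ms:
        findings.append("jitter")
    return findings


# Constructed samples: six 1250-byte packets sent every 20 ms over an
# assumed 1 Mbit/s link. Both streams have a mean one-way delay of 40 ms;
# the choppy one alternates between 20 ms and 60 ms.
STREAM_STEADY = [Packet(i, i * 20, i * 20 + 40, 1250) for i in range(6)]
STREAM_CHOPPY = [Packet(i, i * 20, i * 20 + (20 if i % 2 == 0 else 60), 1250)
                 for i in range(6)]
LINK_BPS = 1_000_000

if __name__ == "__main__":
    for name, stream in [("steady", STREAM_STEADY), ("choppy", STREAM_CHOPPY)]:
        print(f"{name}: mean latency {mean_latency_ms(stream):.1f} ms, "
              f"jitter {jitter_ms(stream):.2f} ms, "
              f"throughput {throughput_bps(stream):.0f} bps, "
              f"diagnosis {diagnose(stream, LINK_BPS)}")
```

The steady stream reports zero jitter and no findings; the choppy stream has identical mean latency and lower throughput than the link can carry, yet is flagged on jitter alone, which is the distinction the exam question is testing.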
Traffic flows split into north-south (traffic entering or leaving a data centre, client to server) and east-west (traffic moving laterally between servers inside a data centre). Modern architecture, particularly with microservices, has shifted the dominant traffic pattern toward east-west, which is part of the argument for micro-segmentation rather than relying purely on a perimeter facing north-south.
Physical segmentation includes in-band management (using the production network itself to manage devices), out-of-band management (a physically separate path for administrative access, more resilient if the production network goes down), and air-gapped systems (no network connection at all, the strongest but least flexible form of isolation).
Logical segmentation covers VLANs (separating broadcast domains logically on shared physical infrastructure), VPNs (secure tunnels across untrusted networks), virtual routing and forwarding (multiple isolated routing tables on shared hardware), and virtual domains (logical partitioning within a single network device, often seen in enterprise firewalls).
Micro-segmentation takes logical segmentation further, applying granular policy down to individual workloads rather than broad network segments, typically through network overlays and encapsulation, distributed firewalls, and per-workload IDS and IPS. It's the practical network expression of zero trust: nothing is trusted by default simply because it sits on the same segment as something else.
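The following Python, added here and not part of the original article, ties together the north-south/east-west distinction above and the micro-segmentation point: it classifies each flow in a constructed flow log by direction, then evaluates it under two models, a perimeter-only firewall that trusts everything inside, and a default-deny per-workload policy. The internal prefixes, workload inventory, allow rules and log lines are all assumptions built for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Assumed internal address space and workload inventory (hypothetical).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WORKLOADS: Dict[str, str] = {
    "10.1.0.10": "web",
    "10.2.0.20": "app",
    "10.3.0.30": "db",
    "10.3.0.31": "db",
}

# Micro-segmentation policy as (source label, destination label, destination port).
# Anything not listed is denied, including traffic between two hosts that share
# a label or sit on the same subnet.
ALLOW: Set[Tuple[str, str, int]] = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

# Constructed flow log: timestamp, source, destination, destination port.
FLOW_LOG = """\
2026-07-08T10:00:01Z 203.0.113.5 10.1.0.10 443
2026-07-08T10:00:02Z 10.1.0.10 10.2.0.20 8080
2026-07-08T10:00:03Z 10.2.0.20 10.3.0.30 5432
2026-07-08T10:00:04Z 10.1.0.10 10.3.0.30 5432
2026-07-08T10:00:05Z 10.3.0.30 10.3.0.31 22
2026-07-08T10:00:06Z 203.0.113.5 10.3.0.30 5432
"""


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def direction(src: str, dst: str) -> str:
    """East-west when both ends are inside the data centre, otherwise north-south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


def label(ip: str) -> str:
    if ip in WORKLOADS:
        return WORKLOADS[ip]
    return "internal-unlabelled" if is_internal(ip) else "internet"


def perimeter_decision(src: str, dst: str, dport: int) -> str:
    """Perimeter-only model: the edge firewall filters north-south traffic
    against the rule set and trusts everything already inside."""
    if direction(src, dst) == "east-west":
        return "allow"
    return "allow" if (label(src), label(dst), dport) in ALLOW else "deny"


def microseg_decision(src: str, dst: str, dport: int) -> str:
    """Micro-segmentation: every flow, whatever its direction, must match a rule."""
    return "allow" if (label(src), label(dst), dport) in ALLOW else "deny"


def parse_flows(text: str) -> List[Tuple[str, str, int]]:
    flows = []
    for line in text.splitlines():
        _ts, src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def evaluate(text: str) -> List[Tuple[str, str, int, str, str, str]]:
    """Return (src, dst, dport, direction, perimeter verdict, micro-seg verdict) per flow."""
    return [
        (src, dst, dport, direction(src, dst),
         perimeter_decision(src, dst, dport), microseg_decision(src, dst, dport))
        for src, dst, dport in parse_flows(text)
    ]


if __name__ == "__main__":
    for row in evaluate(FLOW_LOG):
        print("%-14s -> %-14s :%-5d %-11s perimeter=%-5s microseg=%s" % row)
```

The two rows that differ between the models are the interesting ones: the web tier talking straight to the database, and one database node opening SSH to another. Both are east-west, so the perimeter never sees them, and both are the lateral movement that per-workload default deny is there to stop.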
Edge networks deal with ingress and egress traffic at the boundary of an organisation's network, and peering, where separate networks interconnect directly to exchange traffic rather than routing through a third party.
Wireless networks cover a wider range than most candidates expect: Bluetooth (short range, device pairing risk), Wi-Fi (know WPA3 as the current standard over WPA2 and the long-deprecated WEP), Zigbee (low-power mesh networking common in IoT), and satellite (higher latency, and increasingly relevant given the growth of low earth orbit satellite internet).
Cellular and mobile networks need to be understood at the level of generational difference: 4G LTE versus 5G, with 5G's lower latency and network slicing capability being the security-relevant distinction, since slicing allows logically separated virtual networks to run over shared physical infrastructure.
Content Distribution Networks (CDN) cache content geographically closer to users, improving performance, but they also introduce a security consideration: content served from a CDN edge node is a step removed from the origin server, which matters for both availability (CDNs absorb DDoS traffic effectively) and integrity (cached content needs to be kept consistent with the origin).
Software Defined Networking (SDN) separates the control plane from the data plane in a more formal, centralised way than traditional networking, exposing that control through APIs. SD-WAN applies this concept across wide area network links, and network functions virtualisation replaces dedicated hardware appliances with software running on general purpose infrastructure. The security trade-off is centralisation: an SDN controller becomes a high-value target, since compromising it could affect the entire network's routing behaviour.
Virtual Private Cloud (VPC) provides logically isolated network space within a public cloud provider's infrastructure, and understanding VPC peering, security groups and network access control lists sits close to the shared responsibility principle from Domain 3.
Monitoring and management closes the objective: network observability, traffic shaping, capacity management and fault detection are the operational disciplines that keep a designed architecture behaving the way it was intended to once it's actually running.
Securing network components
This objective moves from design to the physical and operational reality of network infrastructure.
Operation of infrastructure covers unglamorous but exam-relevant detail: redundant power feeding network equipment, vendor warranty and support agreements affecting how quickly a failed component can be replaced, and the availability risk introduced when support contracts lapse.
Transmission media security depends on the medium itself. Fibre optic cable is harder to tap than copper and doesn't radiate an electromagnetic signal the way copper does, which is why sensitive environments often specify fibre for that reason alone rather than for bandwidth.
Network Access Control (NAC) systems, in both physical and virtual form, enforce policy before a device is allowed onto the network at all, checking posture, patch level, or certificate validity as a precondition of connection.
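As an added illustration (not from the original article) of the precondition-of-connection idea, this Python models the admission decision a NAC system makes before opening a port: it checks the device's machine certificate, patch age and endpoint agent, and maps the result onto the VLAN the switch port is placed in. The VLAN numbers, thresholds, device fields and fleet are all assumptions; in a real deployment the same decision is typically delivered to the switch as RADIUS attributes after an 802.1X exchange.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed VLAN plan (hypothetical numbers).
PRODUCTION_VLAN = 100
REMEDIATION_VLAN = 900   # can reach patch and EDR servers only
GUEST_VLAN = 950         # internet only, no internal routes

MAX_PATCH_AGE_DAYS = 30


@dataclass
class Device:
    mac: str
    cert_subject: Optional[str]      # None if no machine certificate was presented
    cert_not_after: Optional[date]   # expiry of the certificate, if one was presented
    days_since_patch: int
    edr_running: bool


def admit(dev: Device, today: date) -> Tuple[Optional[int], str]:
    """Return (VLAN to assign, reason). A VLAN of None means the port stays closed."""
    if dev.cert_subject is None:
        # No identity at all: keep it off the corporate network but let it browse.
        return GUEST_VLAN, "no machine certificate"
    if dev.cert_not_after is None or dev.cert_not_after < today:
        # An identity that does not verify is refused outright rather than
        # quarantined: an expired or unverifiable certificate is an identity
        # problem, not a hygiene problem that remediation can fix.
        return None, "certificate expired or unverifiable"
    failures: List[str] = []
    if not dev.edr_running:
        failures.append("EDR agent not running")
    if dev.days_since_patch > MAX_PATCH_AGE_DAYS:
        failures.append(f"last patch {dev.days_since_patch} days ago")
    if failures:
        # Known device with poor posture: isolate it where it can only be fixed.
        return REMEDIATION_VLAN, "; ".join(failures)
    return PRODUCTION_VLAN, "posture ok"


def summarise(fleet: List[Device], today: date) -> Dict[str, Tuple[Optional[int], str]]:
    return {dev.mac: admit(dev, today) for dev in fleet}


# Constructed fleet evaluated on a fixed date.
TODAY = date(2026, 7, 8)
FLEET = [
    Device("00:11:22:33:44:01", "CN=laptop-01", date(2027, 1, 1), 5, True),    # healthy
    Device("00:11:22:33:44:02", "CN=laptop-02", date(2027, 1, 1), 45, True),   # stale patches
    Device("00:11:22:33:44:03", "CN=laptop-03", date(2026, 6, 1), 5, True),    # cert expired
    Device("00:11:22:33:44:04", None, None, 0, False),                         # unmanaged
    Device("00:11:22:33:44:05", "CN=laptop-05", date(2027, 1, 1), 5, False),   # EDR stopped
]

if __name__ == "__main__":
    for mac, (vlan, reason) in summarise(FLEET, TODAY).items():
        print(f"{mac}  vlan={vlan}  {reason}")
```

The ordering of the checks is the design point: identity is established before posture is considered, and a failed identity check closes the port, whereas a failed posture check only moves the device somewhere it can be repaired.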
Endpoint security, particularly host-based controls, extends protection to the device itself, useful because network-level controls alone can't see what's happening once traffic reaches an endpoint's local processes.
Implementing secure communication channels
The final objective applies everything above to specific communication types.
Voice, video and collaboration platforms, conferencing tools and virtual meeting rooms among them, need the same encryption and access control discipline as any other data channel, and the exam has increasingly reflected the real-world security incidents around unauthorised access to video conferences.
Remote access, particularly for network administrative functions, deserves tighter control than general user remote access, since compromising an administrator's remote session can hand an attacker control over infrastructure rather than just data.
Data communications over backhaul networks and satellite links introduce distinct risks: backhaul often carries aggregated traffic from many users or sites, making it a high-value interception target, and satellite links carry both higher latency and, depending on the provider and the encryption used, potential interception risk over the air segment.
Third-party connectivity, telecom providers and hardware support vendors among them, extends the security perimeter beyond the organisation's direct control, which is why contractual security requirements from Domain 1's supply chain objective apply here just as directly as they do to software suppliers.
Where AI now sits in Domain 4
Network security picks up AI mostly through the sheer scale and sensitivity of the traffic AI workloads generate. Training runs move enormous datasets between distributed nodes, and that traffic needs the same segmentation discipline covered earlier in this domain, applied specifically to isolate AI training environments from the rest of the network. Micro-segmentation and zero trust architecture do real work here: if an AI inference endpoint or training node is compromised, tight isolation limits how far an attacker can move laterally from that point.
AI also shows up on the defensive side of the network. AI-driven network detection and response tools pick up anomalous traffic patterns that traditional signature-based systems tend to miss, extending the intrusion detection concepts from earlier in the domain rather than replacing them. And as inference increasingly happens at the edge, close to where data is generated rather than in a central data centre, the communication channels carrying that inference traffic need the same confidentiality and availability protection as any other sensitive data path.
Final thought for revision
Domain 4 tests whether abstract network concepts translate into a working mental model of how traffic actually moves and where it can be intercepted, filtered or misdirected. Candidates who try to memorise definitions in isolation tend to struggle with the scenario-based questions this domain favours. Trace an example packet through a design in your head, client to server, across a WAN, into a segmented data centre, and most of the objectives above start to connect rather than sitting as separate facts.