CompTIA Security+ Network Security Practice Questions 2026

Network security is one of the most heavily tested areas on the CompTIA Security+ exam, spanning multiple domains and covering technologies that every security professional encounters daily. From configuring firewalls and VPNs to implementing network segmentation and secure protocols, this topic tests both your theoretical understanding of defense-in-depth strategies and your practical ability to select the right security controls for real-world scenarios.

Exam Weight: Tested across Domain 3 (Security Architecture, 18%) and Domain 4 (Security Operations, 28%)

What Is Network Security on the Security+ Exam?

Network security encompasses the technologies, protocols, and architectures that protect data in transit and defend network infrastructure from unauthorized access, attacks, and misuse. The exam tests your understanding of perimeter defense technologies including firewalls, intrusion detection and prevention systems, and network access control.

You'll encounter questions about secure communications through VPNs (IPsec, SSL/TLS, WireGuard), encrypted protocols (HTTPS, SSH, SFTP), and wireless security (WPA3, 802.1X, EAP). Network architecture questions cover segmentation strategies, DMZ design, zero-trust network access, and microsegmentation in cloud and virtualized environments.

Scenario-based questions are common. You might be asked to design a secure network architecture, select the appropriate VPN protocol, troubleshoot firewall rules, or identify the correct placement for an IDS versus IPS. Understanding how technologies work together as defense-in-depth layers is essential for success.

Why Network Security Matters for Security+

Network security questions appear in at least two major exam domains, making it one of the highest-yield study areas. Domain 3 tests your ability to design secure network topologies, while Domain 4 tests operational monitoring and threat detection. Together, these represent nearly half the exam content.

Despite the growth of cloud computing and zero-trust architectures, network security remains foundational. Every organization relies on network controls to segment resources, encrypt communications, detect intrusions, and enforce access policies. The technologies may evolve, but the underlying principles remain consistent.

The exam includes questions about software-defined networking (SDN), network function virtualization (NFV), cloud-native network controls, and zero-trust network access (ZTNA). Understanding both traditional and modern approaches ensures you can answer questions about legacy and cutting-edge architectures alike.

Key Network Security Concepts to Master

Firewall Types

Packet filtering (stateless, Layer 3/4 ACLs), stateful inspection (tracks connection state), proxy/application-layer (Layer 7 deep inspection), NGFW (stateful + IPS + application awareness + threat intelligence), WAF (web application protection from SQLi/XSS), host-based (endpoint software firewalls). Know capabilities and limitations.

IDS/IPS Systems

IDS monitors passively and alerts (out-of-band). IPS blocks threats actively (inline). Detection methods: signature-based (matches known patterns; fast, but cannot detect zero-day attacks), anomaly-based (flags deviation from a baseline; detects unknown threats, but with higher false positives), heuristic (behavioral analysis). NIDS/NIPS monitor the network; HIDS/HIPS monitor individual hosts.
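The trade-off between signature-based and anomaly-based detection shows up clearly when both run over the same activity. This is an added example, not part of the original study guide; the signature set, log events, request rates, and the mean-plus-three-standard-deviations threshold are all constructed assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed signature set: patterns for attacks that are already known.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(events):
    """Signature-based: alert when a request matches a known pattern."""
    return [(e["src"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["request"])]

def anomaly_alerts(baseline, current, k=3.0):
    """Anomaly-based: alert when requests/minute exceeds mean + k * stdev."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return sorted(src for src, rate in current.items() if rate > threshold)

# Constructed sample data.
EVENTS = [
    {"src": "10.0.0.21", "request": "GET /index.html"},
    {"src": "10.0.0.33", "request": "GET /item?id=1 UNION SELECT name FROM users"},
    {"src": "10.0.0.44", "request": "GET /api/export?page=7"},
]
BASELINE_RPM = [10, 12, 9, 11, 13, 10, 12, 11]  # normal requests per minute
CURRENT_RPM = {
    "10.0.0.21": 12,    # ordinary user
    "10.0.0.33": 11,    # known attack pattern sent at a normal rate
    "10.0.0.44": 240,   # unfamiliar behaviour that matches no signature
    "10.0.0.50": 95,    # benign nightly backup job
}

def run_demo():
    """Return (signature alerts, anomaly alerts) for the sample data."""
    return signature_alerts(EVENTS), anomaly_alerts(BASELINE_RPM, CURRENT_RPM)

if __name__ == "__main__":
    sig, anom = run_demo()
    print("signature:", sig)
    print("anomaly:  ", anom)
```

The signature engine catches 10.0.0.33 but is blind to 10.0.0.44, while the anomaly engine catches 10.0.0.44 and also raises a false positive on the backup job at 10.0.0.50.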

VPN Technologies

IPsec: Layer 3, tunnel mode (entire packet encrypted) vs. transport mode (payload only). SSL/TLS VPN: browser-based, ideal for remote users. WireGuard: modern, fast, minimal code. Split tunneling (only corporate traffic uses the VPN) vs. full tunneling (all traffic uses the VPN). Site-to-site vs. remote access deployment.

Network Segmentation

VLANs separate broadcast domains. Subnets create Layer 3 boundaries. DMZ isolates public-facing servers. Air gaps physically isolate critical systems. Microsegmentation applies granular policies in virtualized environments. Zero-trust treats every segment as untrusted.

Secure Protocols

HTTPS (HTTP + TLS, port 443), SSH (encrypted remote access, port 22), SFTP (SSH file transfer), SNMPv3 (encrypted management), LDAPS (LDAP + TLS, port 636), DNSSEC (authenticated DNS), DoH/DoT (encrypted DNS). Always choose the encrypted alternative.

Wireless Security

WPA3-Personal (SAE handshake), WPA3-Enterprise (802.1X + EAP + RADIUS), WPA2 (AES-CCMP, widely used), WEP (broken, never use). 802.1X provides port-based NAC. Know rogue AP detection, evil twin attacks, and wireless IDS/IPS as key exam topics.

Sample Network Security Questions

Question 1: Firewall Placement

A company hosts a public web server that must be accessible from the internet while protecting the internal network. Where should the web server be placed?

A) Internal network   B) DMZ   C) Directly on the internet   D) VPN tunnel

Answer: B) DMZ — A DMZ sits between external and internal firewalls, allowing public access while preventing direct internal network access. If compromised, the internal firewall still protects core resources.

Question 2: IDS vs. IPS

A security team wants to automatically block malicious traffic entering the network. Which solution should they deploy?

A) NIDS   B) HIDS   C) NIPS   D) Syslog server

Answer: C) NIPS — IPS systems deploy inline and actively block malicious traffic. IDS systems only detect and alert. A syslog server collects logs but doesn't analyze or block traffic.

Question 3: Secure Protocol Selection

An administrator needs to remotely manage network switches. Which protocol provides the MOST secure remote access?

A) Telnet   B) SSH   C) HTTP   D) SNMP v1

Answer: B) SSH — SSH encrypts all traffic including credentials. Telnet, HTTP, and SNMP v1 transmit in plaintext. SSH is the standard for secure device management.

Question 4: VPN Mode Selection

Two branch offices need a permanent encrypted connection between their networks. Which VPN configuration is MOST appropriate?

A) SSL VPN with split tunneling   B) IPsec site-to-site tunnel mode   C) Remote access VPN   D) WireGuard client VPN

Answer: B) IPsec site-to-site tunnel mode — Site-to-site VPN creates a permanent encrypted tunnel between two networks. Tunnel mode encrypts the entire packet for network-to-network communication. Remote access and client VPNs are for individual users, not branch connectivity.

Common Mistakes to Avoid

Study Checklist for Network Security

Frequently Asked Questions

How many network security questions are on the Security+ exam?

Network security spans Domain 3 (18%) and Domain 4 (28%). Combined, expect 15-20 questions on firewalls, VPNs, IDS/IPS, segmentation, and secure protocols.

What firewall types should I know?

Packet filtering, stateful, application-layer/proxy, NGFW, WAF, and host-based. Know capabilities and deployment scenarios for each.

What is the difference between IDS and IPS?

IDS passively monitors and alerts. IPS actively blocks inline. Both use signature and anomaly detection. IPS prevents; IDS reports.

What VPN protocols are tested?

IPsec (tunnel/transport), SSL/TLS VPN (browser-based), WireGuard (modern), L2TP/IPsec. Know split vs. full tunneling.

What is network segmentation?

Dividing networks into isolated zones (VLANs, DMZs, microsegmentation) to limit lateral movement. Required by PCI-DSS and zero-trust.

What secure protocols should I know?

HTTPS, SSH, SFTP, SNMPv3, LDAPS, DNSSEC, DoH/DoT. Always use encrypted alternatives. Know port numbers.
