DEV Community

TiltedLunar123
TiltedLunar123

Posted on

Every Security+ segmentation question is really asking how far the blast goes

Most people study the Domain 3 architecture material as a vocabulary list. VLAN. Screened subnet. Air gap. SD-WAN. SASE. You memorize a one-line definition for each, then the exam hands you a scenario containing none of those words and you stall out.

Here is the shift that fixed it for me. SY0-701 almost never asks what a VLAN is; it asks what happens after someone gets in. Every segmentation question is blast radius wearing a costume.

Start with why any of this exists

An attacker phishes one laptop in accounting. That part is boring. The interesting part is what that laptop can reach.

On a flat network, the answer is everything. The file server. The domain controller. That badge system nobody has logged into since 2019. Nothing in the design says no, so the attacker walks sideways until something worth stealing turns up. That sideways walk is lateral movement, and segmentation exists to make it expensive.

So when a stem describes someone hopping from a workstation to a domain controller, what is it really asking? Why there was a path at all.

The ladder of separation

Rank the options by how hard each one is to defeat. Why bother ranking? That ordering carries a surprising amount of the exam.

VLANs. Logical segmentation. Some switch interfaces belong to one VLAN, others belong to a different VLAN, and now you have separate broadcast domains sharing the same physical hardware. Cheap and flexible, reconfigurable from a chair.

Screened subnet. A buffer segment. Traffic arrives from the internet zone, lands in a screened zone, and the inside zone sits behind that. Your public web server lives in the middle. Anyone who owns that web server has owned a machine sitting in a room you already treated as hostile.

Physical isolation. Different switch entirely. Messer puts it plainly: an attacker who gets access to switch A has no way to also reach switch B.

Air gap. No connection. Nothing to route or misconfigure at 2am. This is where the SCADA gear that has not been patched since 2009 goes to live out its retirement.

Walk down that list and cost climbs while convenience drops. That tradeoff answers a lot of "which control should the organization implement" questions, because CompTIA keeps rewarding the option that fits the stated requirement over the strongest option on the page.

The trap that catches people

Separation is only real if something enforces it.

A VLAN splits broadcast domains, and that is the whole of what it does; permissions are somebody else's job. Traffic crossing between VLANs goes through a router or a firewall, and when the rule sitting there permits any-to-any, congratulations, you built a diagram. The VLAN tag is a label. The ACL is the security.

Ask what enforces this. Every time. That question separates two answer choices that both look correct.

Zones keep the rules readable

Security zones group devices logically by use or trust level. Inside. Internet. Servers. Databases. The screened buffer. Just trusted and untrusted at the crude end.

Why bother? Firewall rules get written zone to zone instead of address by address. A rule saying the screened zone may reach the database zone on 1433 and nothing else survives a subnet renumbering. A rule listing fourteen individual hosts survives nothing.

SD-WAN and SASE are not twins

These two get mashed together constantly. They answer different questions.

SD-WAN is software defined networking applied to a wide area network. Branch offices get efficient access to cloud applications instead of dragging every packet back through a central data center first. It is about the path.

SASE, Secure Access Service Edge, moves the security stack into the cloud next to the services themselves, with a client on the device. Messer frames it as the next generation VPN. It is about the inspection.

SD-WAN answers how the traffic gets there. SASE answers what checks it on the way. A stem griping that branch traffic hairpins through headquarters and users hate the latency? That points at SD-WAN. A stem about remote users needing inspected access to cloud apps without a data center detour points at SASE.

A decoder for exam day

Read the stem. Name the problem. Then pick.

  • Someone moved from one internal host to a juicier one, so lateral movement, so segmentation
  • Public service must stay reachable while internal data must not, so screened subnet
  • Legacy system nobody can patch or replace, so isolation, and air gap when the requirement is absolute
  • Branch offices backhauling cloud traffic through HQ, so SD-WAN
  • Remote users needing inspected access to cloud apps, so SASE
  • Two networks technically separated while the firewall permits everything, so the separation is cosmetic

How to actually drill this

Draw it. Boxes and arrows on paper; takes a minute.

Sketch a tiny network. A web server. A database. One workstation. Drop a boundary somewhere. Then ask the only question that matters: an attacker owns this box, so what do they reach next? Move the boundary. Ask again.

That exercise builds the instinct the scenario questions are testing, and the instinct is reasoning about paths rather than recall.

If you want practice questions written in that scenario shape rather than the definition shape, that is what I have been building at SecPlus Mastery. There is a free diagnostic if you want to find out which domain is genuinely your weak one before sinking three weeks into the wrong material.

Top comments (0)