System and Network Security

Intermediate

System and network security is the discipline of protecting computer systems, network infrastructure, and the data that flows across them from unauthorized access, misuse, and disruption. At its foundation, network security relies on layered defense strategies that combine hardware appliances such as firewalls and intrusion detection systems with software-based controls including access control lists, authentication protocols, and encryption. Understanding the OSI and TCP/IP models is essential because each layer presents unique vulnerabilities and requires distinct countermeasures, from physical security at the lowest layers to application-level filtering at the highest.

Key technologies in network security include firewalls, which filter traffic based on predefined rules; intrusion detection and prevention systems (IDS/IPS), which monitor network traffic for suspicious activity; virtual private networks (VPNs), which create encrypted tunnels for secure remote communication; and network segmentation strategies such as VLANs and DMZs that isolate critical assets from less trusted zones. Security protocols like TLS/SSL ensure confidentiality and integrity of data in transit, while wireless security standards such as WPA3 protect against eavesdropping on Wi-Fi networks. Together, these technologies form a defense-in-depth approach where multiple overlapping controls compensate for each other's weaknesses.

Modern network security extends beyond perimeter defense to include zero-trust architectures, network access control (NAC), security information and event management (SIEM), and continuous monitoring. Practitioners must understand not only how to deploy these technologies but also how to configure them correctly, interpret alerts, respond to incidents, and maintain compliance with regulatory frameworks. Whether defending a small business network or an enterprise spanning multiple data centers and cloud environments, system and network security requires a blend of theoretical knowledge, practical skills, and a mindset of continuous vigilance.

Practice a little. See where you stand.

Part of:AP Cybersecurity AP Cybersecurity

Ready to practice?5 minutes. No pressure.

Take the Quiz Learn First

Quiz

Reveal what you know — and what needs work

Adaptive Learn

Responds to how you reason, with real-time hints

Start here

Flashcards

Build recall through spaced, active review

Cheat Sheet

The essentials at a glance — exam-ready

Glossary

Master the vocabulary that unlocks understanding

Learning Roadmap

A structured path from foundations to mastery

Book

Deep-dive guide with worked examples

Role-play

Think like an expert — no grading

Key Concepts

A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls can be stateless (examining individual packets) or stateful (tracking connection states), and next-generation firewalls (NGFW) add deep packet inspection, application awareness, and integrated intrusion prevention.

Example

A stateful firewall allows outbound HTTP requests from an internal workstation and permits only the corresponding return traffic, while blocking unsolicited inbound connections to that workstation.

IDS monitors network traffic or system activities for malicious behavior and generates alerts, while IPS takes active measures to block or prevent detected threats. Both can use signature-based detection (matching known attack patterns) or anomaly-based detection (identifying deviations from normal behavior). IDS is passive and observes; IPS is inline and can drop or modify malicious packets.

Example

A network IDS detects a SQL injection attempt in an HTTP request by matching it against known attack signatures and sends an alert to the security operations center (SOC). An IPS in the same position would drop the malicious packet before it reaches the web server.

A VPN creates an encrypted tunnel between two endpoints over a public network, ensuring confidentiality, integrity, and authentication of the transmitted data. Common VPN protocols include IPsec, which operates at the network layer, and OpenVPN or WireGuard, which can operate at various layers. VPNs are used for secure remote access and site-to-site connectivity.

Example

A remote employee connects to the corporate network via an IPsec VPN tunnel, which encrypts all traffic between their laptop and the company's VPN gateway, preventing eavesdroppers on the public Wi-Fi from reading the data.

Network segmentation divides a larger network into smaller, isolated subnetworks (segments or zones) to limit the blast radius of a security breach and control traffic flow between segments. Common techniques include VLANs, subnetting, and creating demilitarized zones (DMZs). Micro-segmentation extends this concept to individual workloads in virtualized and cloud environments.

Example

A company places its public-facing web servers in a DMZ separated from the internal network by two firewalls. Even if an attacker compromises a web server, they cannot directly access the internal database servers.

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols that provide secure communication over a network. TLS uses a combination of asymmetric encryption for key exchange and symmetric encryption for bulk data transfer, along with digital certificates to authenticate server identity. TLS 1.3 is the current standard, offering improved security and performance over earlier versions.

Example

When you visit a website with HTTPS, your browser and the server perform a TLS handshake: the server presents its digital certificate, they agree on cipher suites, exchange keys, and then all subsequent data is encrypted with a symmetric session key.

Access control is the process of granting or denying specific requests to obtain and use information and related processing services. Models include Discretionary Access Control (DAC), where resource owners set permissions; Mandatory Access Control (MAC), where a central authority enforces policies based on classifications; and Role-Based Access Control (RBAC), where permissions are assigned to roles rather than individual users.

Example

In an RBAC system, a hospital assigns the 'Nurse' role read access to patient records and the 'Doctor' role both read and write access. A new nurse is simply assigned the Nurse role rather than configuring individual permissions.

WPA3 (Wi-Fi Protected Access 3) is the latest wireless security standard, addressing vulnerabilities in WPA2. It uses Simultaneous Authentication of Equals (SAE), which replaces the Pre-Shared Key (PSK) exchange and provides protection against offline dictionary attacks. WPA3 also offers forward secrecy, ensuring that captured traffic cannot be decrypted later if the password is compromised.

Example

Even if an attacker captures encrypted Wi-Fi frames from a WPA3 network and later obtains the network password, they cannot decrypt previously captured sessions because each session uses a unique encryption key derived through SAE.

Zero trust is a security model based on the principle of 'never trust, always verify.' Unlike traditional perimeter-based security, zero trust assumes that threats exist both inside and outside the network and requires continuous verification of every user, device, and application before granting access. Key components include micro-segmentation, least-privilege access, multi-factor authentication, and continuous monitoring.

Example

In a zero-trust environment, even an employee connected to the corporate LAN must authenticate with MFA and have their device posture checked before accessing an internal application, rather than being trusted automatically because they are 'inside' the network.

Defense in depth is a cybersecurity strategy that employs multiple layers of security controls throughout an information system. The idea is that if one layer fails, additional layers continue to provide protection. Layers typically include physical security, network security, host security, application security, and data security, along with policies, procedures, and user awareness training.

Example

An organization protects its web application with a WAF (application layer), firewall rules (network layer), host-based antivirus (host layer), encrypted database (data layer), and security awareness training (human layer). An attacker must defeat all layers to succeed.

One concept at a time.

Explore your way

Choose a different way to engage with this topic — no grading, just richer thinking.

Explore your way — choose one:

Explore with AI →

Curriculum alignment— Standards-aligned

Grade level

Grades 9-12College+

Learning objectives

•Explain the differences between stateless, stateful, and next-generation firewalls and their roles in network defense
•Distinguish between IDS and IPS in terms of deployment, function, and response capabilities
•Describe how VPNs create secure communication channels using IPsec and TLS protocols
•Implement network segmentation strategies using VLANs, DMZs, and micro-segmentation
•Analyze the TLS handshake process and the role of digital certificates in server authentication
•Compare access control models (DAC, MAC, RBAC, ABAC) and apply them to real-world scenarios
•Evaluate the principles of zero-trust architecture and contrast it with perimeter-based security
•Design a defense-in-depth strategy that layers multiple security controls across the technology stack

System and Network Security

Quiz

Adaptive Learn

Flashcards

Cheat Sheet

Glossary

Learning Roadmap

Book

Role-play

Key Concepts

Firewalls

Intrusion Detection and Prevention Systems (IDS/IPS)

Virtual Private Networks (VPNs)

Network Segmentation

TLS/SSL Protocols

Access Control

Wireless Security (WPA3)

Zero Trust Architecture

Defense in Depth

Explore your way

Grade level

Learning objectives