Apply Enterprise Infrastructure Security for Security+ (SY0-701)
Learn how Security+ frames segmentation, secure access, communication paths, and control selection for enterprise infrastructure.
Security+ architecture questions often reduce to one design problem: how should communication and access be structured so compromise is harder, detection is easier, and operations still work. Strong answers usually rely on segmentation, clear trust boundaries, and narrow access paths rather than flat reachability.
DMZ: Demilitarized zone, a segmented network area that exposes public-facing services without placing them directly on the internal network.
WAF: Web application firewall, a control placed in front of web apps to inspect and filter HTTP or HTTPS traffic.
802.1X: A network access control standard used to authenticate devices or users before granting network access.
What the exam is really testing
CompTIA is usually testing whether you can match the control layer to the path being protected:
- internet-facing path -> DMZ, reverse proxy, WAF, controlled exposure
- remote-admin path -> VPN, MFA, narrow source path, strong logging
- internal east-west movement -> segmentation, ACLs, host controls, NAC
- wireless or edge admission -> WPA3,
802.1X, posture checks, rogue-device detection
The weak answer is often the one that secures one path well and leaves the more dangerous path wide open.
Infrastructure patterns CompTIA expects
| Pattern | Why it matters |
|---|---|
| Segmentation and microsegmentation | limit blast radius and lateral movement |
| DMZ or controlled public edge | separate public-facing systems from internal assets |
| VPN and secure remote access | protect remote connectivity and admin access |
| NAC and 802.1X | validate users or devices before network access |
| Secure wireless design | protect internal access paths and reduce rogue access risk |
| WAF and reverse proxy placement | protect exposed web applications at the right layer |
Simple enterprise-boundary model
flowchart LR
I["Internet"] --> W["WAF / reverse proxy"]
W --> D["DMZ or app tier"]
D --> A["Internal application zone"]
A --> B["Restricted data zone"]
What to notice:
- internet traffic does not go straight to the data zone
- each layer exists to narrow and inspect traffic differently
- Security+ often rewards layered paths over broad direct access
Infrastructure control chooser
| Requirement | Strongest first fit | Why |
|---|---|---|
| Protect a public web app from common web attacks | WAF in front of the app tier | The attack layer is HTTP and application behavior |
| Restrict remote administration | VPN plus MFA and narrow admin-path rules | Administrative exposure is often the highest-risk path |
| Keep unmanaged devices off the network | NAC or 802.1X |
Admission control happens before broader access is granted |
| Reduce blast radius inside the network | Segmentation or microsegmentation | Limits east-west spread after compromise |
| Separate public-facing services from sensitive internal systems | DMZ or controlled edge tier | Keeps direct internet traffic away from sensitive zones |
Secure admin path example
flowchart LR
A["Admin device"] --> B["VPN gateway with MFA"]
B --> C["Jump host or management subnet"]
C --> D["Restricted management interface"]
What to notice:
- the management path is narrower than the general user path
- MFA happens before deeper administrative reach
- Security+ often rewards a dedicated management path over broad open access
Operational example: narrow web tier access
1ufw allow 443/tcp
2ufw allow from 10.20.30.0/24 to any port 22 proto tcp
3ufw deny 22/tcp
What to notice:
- public HTTPS stays open for the web tier
- administrative SSH is limited to an approved source range
- the design separates service exposure from administrator exposure
Secure admin access matters more than people expect
Many scenario questions hide the real issue in administrative access:
- Is the admin path exposed publicly?
- Is MFA required?
- Is access narrowed to approved users or systems?
- Is the path logged?
If a solution secures customer traffic but leaves management traffic wide open, it is usually incomplete.
What strong answers usually do
- separate public user paths from management paths instead of treating both as normal traffic
- place controls at the layer where the risk actually lives, such as web protection for HTTP traffic and admission control for device access
- assume internal traffic can become hostile after compromise and design segmentation accordingly
- narrow exposure first before adding more generic security tooling
Harder scenario question
A company hosts a customer portal on the internet. Administrators also need remote management access to the application servers. Which design is strongest?
A. Expose both the customer portal and SSH management directly to the internet because TLS is enabled
B. Put the customer portal behind the right edge protection, keep application and data tiers segmented, and require a narrow MFA-protected admin path for management
C. Place the database in the same unrestricted zone as the public web server to reduce latency
D. Disable network segmentation because internal traffic is already trusted
Best answer: B. The strongest design separates customer traffic from administrative traffic and keeps sensitive internal systems behind layered controls.
Common traps
- equating “internal” with “trusted”
- exposing management services to the public internet because it is convenient
- using wireless or remote-access patterns that favor ease over identity assurance
- focusing only on north-south traffic and forgetting east-west movement
Quiz
Continue with 3.3 Data Protection & Classification to connect infrastructure design to what the organization is actually trying to protect.