SSCP Domain 6: Network and Communications Security Study Guide

SSCP Domain 6: Network and Communications Security carries 16% of your exam weight — making it one of the highest-weighted domains on the ISC2 SSCP. If you’re preparing for the SSCP’s 125-question computerized adaptive test, you cannot afford to treat this domain as an afterthought. The exam expects you to know not just what these technologies are, but how and why they’re deployed in real environments. Let’s break this down so you walk into that exam room confident.

What Does Domain 6 Actually Cover?

Domain 6 spans the full landscape of network defense and secure communications. The ISC2 SSCP exam blueprint groups this domain around several core competency areas:

  • Network architecture and design — OSI and TCP/IP models, segmentation, DMZs, VLANs
  • Firewalls, IDS/IPS, and WAFs — types, placement, and how they differ
  • VPNs and secure remote access — IPSec, SSL/TLS, tunneling protocols
  • Wireless security — WPA2/WPA3, rogue access points, 802.1X
  • Secure protocols — HTTPS, SSH, SFTP, DNSSEC, TACACS+, RADIUS
  • IoT and emerging network threats — device hardening, isolation strategies

The SSCP is more technical than the ISC2 CC. It requires implementation-level thinking, not just conceptual awareness. That means exam questions will often present you with a scenario and ask you to choose the most appropriate control — not just identify that a control exists.

Network Segmentation: Defense in Depth Starts Here

One of the most fundamental concepts in Domain 6 is network segmentation. Rather than treating your entire network as a flat, trusted environment, segmentation divides it into zones with controlled traffic flow between them.

VLANs and DMZs

A VLAN (Virtual Local Area Network) logically separates network traffic at Layer 2 without requiring physical separation. This is critical for limiting lateral movement — if an attacker compromises one device, they shouldn’t automatically have access to everything else on the network.

A DMZ (Demilitarized Zone) is a network segment that sits between your internal trusted network and the untrusted internet. Public-facing servers like web servers and mail servers live here, separated from internal systems by firewalls on both sides. The exam expects you to know that a DMZ uses a dual-firewall architecture for strongest protection.

Zero Trust Architecture

Zero Trust is increasingly tested on modern exams. The principle is simple: never trust, always verify. Even users and devices inside the network perimeter must authenticate and be authorized before accessing resources. This model directly challenges older perimeter-based security thinking.

Firewalls, IDS/IPS, and WAFs: Know the Differences

A common exam trap is treating these three as interchangeable. They’re not — each operates at a different layer and serves a different purpose.

  • Packet-filtering firewalls operate at Layer 3/4 and inspect source/destination IP addresses and ports. They’re fast but lack contextual awareness.
  • Stateful inspection firewalls track active connection states, providing better security than simple packet filtering.
  • Next-generation firewalls (NGFW) add deep packet inspection, application awareness, and integrated IPS functionality.
  • IDS (Intrusion Detection System) monitors traffic and alerts on suspicious activity — it does not block traffic.
  • IPS (Intrusion Prevention System) sits inline and actively blocks detected threats in real time.
  • WAF (Web Application Firewall) operates at Layer 7 and is purpose-built for web application threats.
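The gap between the first two firewall types above, as an added example (not part of the original guide): a toy packet filter and a toy stateful firewall judge the same four packets. The rule set, class and function names, and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    inbound: bool   # True = arriving from the untrusted side

def stateless_allows(p: Packet) -> bool:
    """Packet filter: each packet is judged alone, on addresses and ports only."""
    if not p.inbound:
        return p.dport == 443                   # inside hosts may reach HTTPS
    return p.sport == 443 and p.dport >= 1024   # anything that looks like a reply

class StatefulFirewall:
    """Same policy, but inbound traffic must match a connection opened from inside."""
    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allows(self, p: Packet) -> bool:
        if p.inbound:
            return (p.dst, p.dport, p.src, p.sport) in self.table
        if p.dport != 443:
            return False
        conn = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            self.table.add(conn)                # record the new outbound connection
        return conn in self.table

# Constructed sample traffic (documentation address ranges)
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "S", False),   # outbound SYN
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SA", True),   # genuine reply
    Packet("198.51.100.7", 443, "10.0.0.8", 40000, "A", True),    # no matching connection
    Packet("198.51.100.7", 55555, "10.0.0.8", 22, "S", True),     # inbound SSH attempt
]

def compare(traffic):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_allows(p), fw.allows(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt, verdicts)
```

The third packet is the one to study: it matches the packet filter's "reply" rule on ports alone, while the stateful firewall drops it because no inside host opened that connection.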

Secure Protocols You Must Know

Domain 6 tests your ability to select the right protocol for the right job. Here are the ones that appear most frequently:

  • SSH (port 22) — Secure remote shell access, replacing insecure Telnet
  • HTTPS (port 443) — HTTP over TLS/SSL for encrypted web traffic
  • SFTP / FTPS — Secure file transfer; SFTP runs over SSH, FTPS adds TLS to FTP
  • IPSec — Secures IP communications; used in VPN tunnels, operates in tunnel or transport mode
  • DNSSEC — Adds cryptographic signatures to DNS responses to prevent DNS spoofing
  • TACACS+ — Centralized AAA (Authentication, Authorization, Accounting) for network device management
  • RADIUS — Common AAA protocol for network access, often used with 802.1X for wireless

Test Your Knowledge

Question 1: Authentication Protocols

An organization wants to implement centralized authentication and detailed command-level authorization for managing its routers and switches. Which protocol is the best fit, and why?

  A. RADIUS, because it uses UDP and is widely supported
  B. TACACS+, because it uses TCP, encrypts the full packet, and separates authentication from authorization
  C. SNMP, because it was designed for network device management
  D. LDAP, because it integrates with Active Directory

Answer: B — TACACS+. While RADIUS is commonly used for network access authentication (especially wireless), TACACS+ is the preferred choice for network device administration. It uses TCP port 49 for reliable delivery, encrypts the entire packet body (not just the password field like RADIUS), and cleanly separates the authentication, authorization, and accounting functions. This granularity allows administrators to define exactly which commands a user can execute on a device.

Question 2: Web Application Security

Your organization hosts a customer-facing web application and wants to protect it from SQL injection and cross-site scripting (XSS) attacks. Which control addresses this most directly?

  A. A network-layer firewall blocking inbound traffic on port 80
  B. A Web Application Firewall (WAF) inspecting HTTP/HTTPS traffic
  C. An IDS monitoring for unusual outbound data transfers
  D. A VPN requiring all users to authenticate before accessing the site

Answer: B — A WAF. SQL injection and XSS are both application-layer (Layer 7) attacks. A traditional network firewall operates at Layers 3 and 4 and has no visibility into the content of HTTP requests. A WAF is specifically designed to inspect, filter, and block malicious web traffic — including the OWASP Top 10 vulnerabilities. It understands HTTP context and can distinguish between legitimate requests and attack payloads.


IoT Security in Network Environments

IoT devices are a growing exam topic and a real-world headache for security practitioners. These devices — smart sensors, cameras, industrial controllers — often ship with weak default credentials, minimal patch support, and no built-in security controls.

The SSCP exam tests your ability to apply compensating controls when you can’t rely on the device itself. The two most critical practices are:

  • Regular firmware updates — IoT firmware patches address known CVEs. Unpatched devices become easy entry points for attackers.
  • Network isolation via VLANs — Place IoT devices on a separate network segment, away from workstations and servers. If a device is compromised, segmentation limits the blast radius significantly.

Always change default credentials and disable unnecessary services. These seem obvious, but the exam will present scenarios where organizations haven’t done this — and expect you to identify the resulting risk.

Study Tips for Domain 6

  • Draw the OSI model and map each control to its layer. Know that WAFs work at Layer 7, firewalls at 3-4, and switches at Layer 2. This prevents exam confusion.
  • Understand VPN protocols at a functional level. Know that IPSec can operate in tunnel mode (gateway-to-gateway) or transport mode (host-to-host), and that SSL VPNs are clientless and easier for remote access.
  • Practice scenario-based questions. Domain 6 questions often describe an attack or business need and ask you to choose the best control. Pure memorization won’t get you to 700/1000.
  • Review wireless security standards. Know that WPA3 is the current standard, WPA2 with AES/CCMP is still widely deployed, and WEP is completely broken and should never be used.

Frequently Asked Questions

How much of the SSCP exam is Domain 6?

Domain 6: Network and Communications Security accounts for 16% of the SSCP exam — tied for the highest weight with Domain 1 (Security Concepts and Practices). Given the SSCP uses Computerized Adaptive Testing (CAT) with 125 questions (100 scored), that’s a significant portion of your score. Strong performance here can meaningfully impact whether you clear the 700/1000 passing threshold.

What’s the difference between IDS and IPS on the SSCP exam?

This is one of the most commonly tested distinctions in Domain 6. An IDS (Intrusion Detection System) is a passive control — it monitors traffic and generates alerts, but does not block anything. An IPS (Intrusion Prevention System) is an active, inline control that can block or reject traffic in real time. The exam may present scenarios where you need to choose between detection and prevention based on the organization’s risk tolerance and network architecture.

Is TACACS+ or RADIUS more important to know for the SSCP?

Both are tested, and you need to know their differences clearly. RADIUS (Remote Authentication Dial-In User Service) uses UDP, encrypts only the password, and is commonly used for network access control and wireless 802.1X authentication. TACACS+ uses TCP port 49, encrypts the entire packet, and separates AAA functions — making it the preferred choice for network device administration. The exam will present scenarios that distinguish these use cases, so understand when each is appropriate, not just what they are.

How hard is the SSCP compared to CompTIA Security+?

The SSCP is generally considered more technical and experience-focused than Security+. It requires one year of paid work experience in at least one SSCP domain (or a qualifying credential waiver), and the exam tests implementation-level knowledge across all seven domains. Security+ is broader and more entry-level. If you’re studying for the SSCP, you should be comfortable reading network diagrams, understanding protocol behaviors, and reasoning through real-world security scenarios — not just matching terms to definitions.
