If you’re preparing for the ISC2 SSCP exam, Network and Communications Security is one of the most technically demanding domains you’ll encounter — and at 16% of the exam, it’s tied for the largest domain on the test. Domain 6 doesn’t just ask you to define networking terms; it expects you to understand how to design, defend, and troubleshoot real network environments. From OSI model mechanics to VPN architectures and IoT security, this guide breaks down exactly what the SSCP exam tests so you can walk in confident and ready.
What the SSCP Exam Expects You to Know
The SSCP is delivered as a Computerized Adaptive Test (CAT) with 125 questions (100 scored, 25 unscored pretest), a 180-minute time limit, and a passing score of 700/1000. Because the format adapts to your performance, you can’t afford weak spots — the exam will find them. Domain 6 covers a broad technical landscape, so let’s map it out clearly.
OSI and TCP/IP Models: More Than Just Memorization
Understanding the OSI and TCP/IP models isn’t about reciting layer names — it’s about knowing what happens at each layer and which security controls apply where. The SSCP exam regularly tests this in the context of real tools and protocols.
- Layer 2 (Data Link): MAC address filtering, VLANs, ARP poisoning attacks
- Layer 3 (Network): IP addressing, routing, IPsec VPNs, packet filtering firewalls
- Layer 4 (Transport): TCP vs. UDP, port numbers, stateful inspection
- Layer 7 (Application): HTTP/HTTPS, DNS, SMTP, web application firewalls
When a question asks where a VPN concentrator using IPsec operates, the answer is Layer 3 — because IPsec encrypts and authenticates IP packets at the Network layer, protecting all traffic transparently regardless of the application above it. SSL/TLS-based VPNs, by contrast, operate at the Transport and Session layers. This distinction is exactly the kind of nuance the SSCP tests.
Firewalls, IDS/IPS, and Web Application Firewalls
Network security architecture relies on layered defenses, and the SSCP expects you to know which tool solves which problem.
Packet Filtering vs. Stateful Firewalls
Packet filtering firewalls inspect individual packets against a ruleset based on source/destination IP and port numbers. Stateful firewalls go further — they track the state of active connections and can recognize whether a packet is part of an established session. For most enterprise environments, stateful inspection is the baseline expectation.
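The difference described above, as an added example that is not part of the original guide: a stateless packet filter and a connection-tracking firewall judge the same three constructed packets. The class names, rule set (outbound HTTPS only) and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on this packet
    inbound: bool      # True when arriving from the untrusted side

def packet_filter(p):
    """Stateless: each packet is judged alone on addresses and ports."""
    if not p.inbound:
        return p.dport == 443                     # outbound HTTPS only
    # Return traffic needs a standing rule: source port 443 to an ephemeral port.
    return p.sport == 443 and p.dport >= 1024

class StatefulFirewall:
    """Tracks connections opened from inside; inbound must match one."""
    def __init__(self):
        self.sessions = set()

    def check(self, p):
        if not p.inbound:
            if p.dport != 443:
                return False
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                self.sessions.add(key)            # new session initiated inside
            return key in self.sessions
        key = (p.dst, p.dport, p.src, p.sport)    # reverse of the tracked tuple
        allowed = key in self.sessions
        if allowed and "RST" in p.flags:
            self.sessions.discard(key)            # peer reset: session is over
        return allowed

def pkt(src, sport, dst, dport, flags, inbound):
    return Packet(src, sport, dst, dport, frozenset(flags), inbound)

# Constructed traffic (documentation address ranges, not real hosts).
TRAFFIC = [
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, {"SYN"}, False),
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, {"SYN", "ACK"}, True),
    pkt("198.51.100.7", 443, "10.0.0.5", 50001, {"ACK"}, True),  # no session
]

def compare(traffic):
    """Return (stateless verdict, stateful verdict) for each packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.check(p)) for p in traffic]
```

The third packet passes the stateless filter because it only looks like return traffic; the stateful firewall drops it because no inside host opened that connection.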
Web Application Firewalls (WAFs)
A WAF operates at Layer 7 and inspects HTTP/HTTPS traffic specifically. Its job is to detect and block application-layer attacks — think SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other vulnerabilities from the OWASP Top 10. A WAF cannot stop a volumetric DDoS at the network layer, and it won’t prevent physical breaches — it’s purpose-built for web traffic threats. Knowing the precise scope of each tool is critical for scenario-based questions.
IDS vs. IPS
An Intrusion Detection System (IDS) monitors and alerts. An Intrusion Prevention System (IPS) monitors, alerts, and blocks. The SSCP will test whether you can choose the right tool for a given scenario — passive detection vs. active prevention. Know whether the system sits inline with traffic (IPS) or monitors a copy of traffic via a tap or SPAN port (IDS).
VPNs and Encrypted Tunneling
Virtual Private Networks create secure, encrypted tunnels across untrusted networks. The SSCP tests both the conceptual and implementation-level details.
- IPsec VPN: Operates at Layer 3. Uses two main protocols — AH (Authentication Header) for integrity and ESP (Encapsulating Security Payload) for encryption. Can run in Transport mode (encrypts the payload only, leaving the original IP header in place) or Tunnel mode (encrypts the entire original IP packet and wraps it in a new IP header).
- SSL/TLS VPN: Operates at Layers 4-5. Often used for clientless remote access via a browser. More firewall-friendly since it uses port 443.
- Split tunneling: Only routes traffic destined for the corporate network through the VPN. Reduces bandwidth load but introduces risk if the local network is compromised.
Wireless Security
Wireless networks are a persistent attack surface. The exam expects you to know the evolution of wireless security protocols and their weaknesses.
- WEP: Broken and obsolete. Never use it.
- WPA2 with AES (CCMP): The current standard for enterprise wireless. Uses 802.1X for authentication in enterprise mode.
- WPA3: Introduces Simultaneous Authentication of Equals (SAE), which replaces the PSK handshake and is resistant to offline dictionary attacks.
Rogue access points, evil twin attacks, and war driving are also fair game. The SSCP tests your ability to recognize attack vectors, not just configure defenses.
Network Segmentation and IoT Security
Segmentation is one of the most effective network security controls. By dividing a network into isolated zones — using VLANs, DMZs, or microsegmentation — you limit lateral movement if an attacker gains a foothold. The SSCP tests this directly in the context of IoT environments, which are notoriously difficult to secure.
IoT devices often ship with default credentials, run outdated firmware, and can’t support traditional endpoint security agents. The correct approach combines two controls: regular firmware updates to patch known vulnerabilities, and network isolation (placing IoT devices on their own VLAN) to limit the blast radius if a device is compromised. Default credentials should always be changed, and unnecessary services should be disabled at deployment.
Test Your Knowledge
Q1: Your organization has deployed dozens of smart building sensors. Which combination of practices best reduces the security risk these devices introduce to the broader network?
- A. Connect all sensors to the main corporate network for centralized monitoring
- B. Keep default credentials in place to avoid lockout risks
- C. Apply regular firmware updates and isolate the devices on a dedicated VLAN
- D. Disable all logging on IoT devices to reduce data overhead
Answer: C. Firmware updates patch known CVEs, and VLAN isolation ensures that if one device is compromised, the attacker can’t pivot to your workstation network. Default credentials are a primary attack vector and must always be changed.
Q2: A security engineer is reviewing firewall architecture and needs to choose a control that specifically blocks SQL injection attempts against a customer-facing web portal. What is the most appropriate solution?
- A. A stateful inspection firewall at the network perimeter
- B. A Web Application Firewall (WAF) deployed in front of the web server
- C. An IDS configured to send alerts on suspicious traffic
- D. A VPN concentrator to encrypt traffic to the portal
Answer: B. A WAF inspects HTTP/HTTPS traffic at Layer 7 and is specifically designed to detect and block application-layer attacks including SQL injection, XSS, and CSRF. A network firewall can’t inspect the content of web requests at this level.
Key Study Tips for Domain 6
- Know your layers: Always connect protocols and tools to their OSI layer. The exam will test this repeatedly in scenario format.
- Understand scope, not just definitions: Know what each control cannot do — WAFs don’t stop DDoS, IDS doesn’t block, IPsec doesn’t operate at Layer 7.
- Practice scenario questions: Domain 6 is heavy on situational questions. You won’t be asked to define a VLAN — you’ll be asked which network design best limits the spread of a compromised IoT device.
- Review secure protocols: Know the port numbers and use cases for SSH (22), HTTPS (443), SFTP (22), DNSSEC, and SNMP v3. The exam tests protocol selection in context.
Frequently Asked Questions
How much of the SSCP exam is Domain 6?
Network and Communications Security accounts for 16% of the SSCP exam, making it one of the two largest domains alongside Security Concepts and Practices. With 100 scored questions on the exam, you can expect roughly 16 questions directly tied to this domain — enough to significantly impact your score.
What’s the difference between an IDS and an IPS on the SSCP exam?
An IDS (Intrusion Detection System) is passive — it monitors traffic and generates alerts but takes no action to stop an attack. An IPS (Intrusion Prevention System) is active — it sits inline with traffic and can block malicious packets in real time. The SSCP will present scenarios where you need to choose between them based on whether the requirement is detection, prevention, or both.
Do I need hands-on networking experience to pass Domain 6?
The SSCP requires at least one year of cumulative paid work experience in one or more of its seven domains. Domain 6 is implementation-focused, so real-world networking or security experience genuinely helps. That said, structured practice with scenario-based questions can bridge knowledge gaps even if your background is in a different domain. The key is understanding why controls are applied, not just what they’re called.
What networking protocols should I prioritize for the SSCP?
Focus on protocols with direct security implications: IPsec (Layer 3 VPNs), TLS/SSL (secure transport), SSH (secure remote access on port 22), HTTPS (port 443), DNSSEC (DNS integrity), and SNMPv3 (secure network monitoring). Also understand legacy insecure protocols — Telnet, FTP, HTTP, SNMPv1/v2 — and why they’ve been replaced. The exam will test your ability to choose the secure alternative in a given scenario.