Lab Notes — October 31 2025

Overview

A full-spectrum Security+ review day emphasizing network architecture, protocol security, disaster-recovery terminology, and exam-scoring optimization. I practiced identifying subtle distinctions between overlapping Sec+ terms and validated understanding with numeric reasoning exercises.


1. Network Architecture & Secure Design

Jump Server (Jump Box)

Scenario:

Brandon deploys a server in a VLAN used for IoT devices. Admins SSH to that server to manage systems in the protected network.

Answer: Jump Server

  • Acts as a controlled intermediary between secure and restricted network zones.
  • Provides segmentation and limits direct access to sensitive devices.
  • UTM (Unified Threat Management) is not correct here—UTMs filter traffic; they don’t broker administrative sessions.

Port Mirroring & TAPs

  • Port Mirroring (SPAN) is a switch feature, not a standalone device.
    • Duplicates packets from selected ports to a monitoring port (e.g., for NIDS/NIPS).
  • Network TAPs are hardware interceptors installed inline, forwarding traffic to analyzers.
    • Used when switch mirroring is unavailable or limited in throughput.

VLAN vs Network Segment

  • VLAN = logical segmentation within a single switch fabric.
  • Network Segment = broader concept (could include VLANs or separate physical networks).
    • Security principle: each segment/VLAN defines a distinct broadcast and trust boundary.

2. IPSec and IKE Tunnel Sequence

Components in Order

  1. IKE (Internet Key Exchange) – negotiates security parameters and authenticates peers.
  2. SA (Security Association) – defines encryption/authentication algorithms.
  3. Mode Selection: Transport Mode (encrypts payload only) or Tunnel Mode (encrypts entire packet).
  4. IPSec Processing – uses ESP/AH with negotiated keys to protect traffic.

Tunnel Mode → gateway-to-gateway (common for VPNs)
Transport Mode → end-to-end (e.g., host-to-host communication).


Key Roles

| Component | Function |
|-----------|----------|
| IKE | Establishes key material & SA negotiation |
| SA | Contains crypto parameters |
| IPSec | Encrypts & authenticates packets |
| ESP | Provides confidentiality & integrity |
| AH | Integrity only (no encryption) |


5. Additional Concepts Reviewed

  • Checksum vs Hash: checksum = error detection; hash = integrity + auth binding.
  • Obfuscation: hides logic without encryption; distinct from confidentiality.
  • Geofencing: security apps enforcing location-based access.
  • Full vs Snapshot Backups: snapshots capture memory + storage; full = disk data only.
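Worked example for the checksum-vs-hash distinction above (added here; not from the study material): a forger who controls a padding field can rewrite a message and keep the RFC 1071 ones'-complement checksum identical, while SHA-256 and, more importantly, a keyed HMAC both change. The record layout, the padding field and the shared key are constructed for the demo.

```python
import hashlib
import hmac
import struct


def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum field value as used by IPv4/TCP/UDP headers: error detection only."""
    return (~ones_complement_sum(data)) & 0xFFFF


def forge_keeping_checksum(data: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite data[offset:offset+len(new_bytes)], then rewrite the final 16-bit word
    so the ones'-complement sum (hence the checksum) is unchanged.
    Assumes the last word is a free padding field outside the overwritten range."""
    end = offset + len(new_bytes)
    assert len(data) % 2 == 0 and end <= len(data) - 2
    forged = bytearray(data)
    forged[offset:end] = new_bytes
    old_sum = ones_complement_sum(data)
    new_sum = ones_complement_sum(bytes(forged))
    last = struct.unpack("!H", forged[-2:])[0]
    # ones'-complement addition is addition modulo 0xFFFF, so compensate there
    fixed = (last + old_sum - new_sum) % 0xFFFF
    forged[-2:] = struct.pack("!H", fixed)
    return bytes(forged)


# Constructed 24-byte "payment record"; the last two bytes are padding.
ORIGINAL = b"PAY 0100 TO ACCT 4321\x00\x00\x00"
KEY = b"constructed-shared-secret"  # would be provisioned out of band in practice


def demo() -> dict:
    forged = forge_keeping_checksum(ORIGINAL, 4, b"9900")  # bump the amount
    return {
        "forged_text": forged[:21].decode(),
        "checksum_unchanged": internet_checksum(forged) == internet_checksum(ORIGINAL),
        "sha256_unchanged": hashlib.sha256(forged).digest() == hashlib.sha256(ORIGINAL).digest(),
        # Only the keyed MAC binds the message to a party: an attacker can recompute a bare
        # hash over the forged bytes but cannot recompute the HMAC without KEY.
        "hmac_unchanged": hmac.compare_digest(
            hmac.new(KEY, forged, hashlib.sha256).digest(),
            hmac.new(KEY, ORIGINAL, hashlib.sha256).digest(),
        ),
    }
```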

6. Reflection

The session balanced technical recall and self-analysis—bridging conceptual knowledge (IPSec flows, VLAN segmentation) with measurable performance metrics. You identified Section 5 (GRC) as the next area of attack and reinforced real-world sysadmin parallels like VLAN boundary enforcement and VPN tunnel negotiation.