Skip to content
Study CCNP

Describe

5.4 Describe the components of network security design

3 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

Security design is layered. No single product or command solves the whole problem. ENCOR expects you to recognize the major components and understand where each one fits.

The big picture

ComponentMain job
Threat defenseDetect, block, and respond to malicious behavior across the network.
Endpoint securityProtect the user/server device and assess whether it should access the network.
Next-generation firewallEnforce stateful, app-aware, identity-aware, threat-aware policy.
TrustSecSegment access using security group tags and group-based policy.
MACsecEncrypt and protect Layer 2 links.

Do not confuse scope

  • An NGFW controls and inspects traffic crossing enforcement points.
  • Endpoint security protects hosts and can feed identity/posture into network policy.
  • TrustSec classifies users/devices into security groups and enforces group-based access.
  • MACsec protects link confidentiality and integrity at Layer 2.
  • Threat defense is broader: telemetry, detection, prevention, response, and operations.

Design example

A practical enterprise design might look like this:

Remote users
VPN/MFA -> NGFW -> data center apps
Campus users
802.1X/MAB -> SGT assignment -> SGACL enforcement
Switch uplinks
MACsec -> encrypted Layer 2 transport
Endpoints
EDR/posture -> identity context -> policy decision
Network/security telemetry
detection and response workflow

Each layer handles a different risk. If one layer fails, the others still reduce blast radius.

How to study 5.4

For each design component, know:

  1. What problem it solves.
  2. Where it is deployed.
  3. What information it needs.
  4. What it enforces.
  5. What it does not do.

Lab plan

You can build a mini design lab without owning every enterprise product.

  1. Use 802.1X/MAB-style access on a switchport to understand endpoint admission.
  2. Use ACLs or SGACL-like policies to model segmentation.
  3. Use a zone-based firewall or NGFW lab image to practice stateful policy thinking.
  4. Use MACsec configuration examples to understand link encryption concepts.
  5. Draw the enforcement points and label data plane, control plane, and management plane.

Exam traps

  • TrustSec is not encryption. It is identity/group-based segmentation.
  • MACsec is not user identity. It encrypts/protects Layer 2 links.
  • NGFW is not just an ACL. It can use application, user, threat, URL, and file context depending on platform and licenses.
  • Endpoint security is not only antivirus. It can include EDR, posture, host firewall, disk encryption, and compliance checks.
  • Threat defense is not one device. It is a design and operations function.

Quick check

  • Need Layer 2 link encryption? Think MACsec.
  • Need group-based segmentation tied to identity? Think TrustSec.
  • Need stateful app/threat policy at a boundary? Think NGFW.
  • Need to decide whether a laptop should join the network? Think endpoint security and network access control.
  • Need detection and response across telemetry sources? Think threat defense.

Objectives

  1. 5.4.a Threat defense
  2. 5.4.b Endpoint security
  3. 5.4.c Next-generation firewall
  4. 5.4.d TrustSec and MACsec