Network diagram PBQs test your ability to analyze network architecture and identify security weaknesses. This guide teaches you how to spot misconfigurations, understand proper network segmentation, and recognize secure versus insecure designs.
Network diagram PBQs present you with a visual representation of a network—servers, firewalls, switches, routers, and connections—and ask you to identify security problems or place components correctly. Unlike multiple choice questions that test definitions, these questions test whether you can apply security principles to real network designs.
You might be asked to identify which device sits in the wrong zone, select the misconfigured connection, or drag components into their correct positions.
Every network diagram question is fundamentally about zones and trust boundaries. The internet is untrusted. The DMZ is semi-trusted. The internal network is trusted. Traffic should pass through a security control (normally a firewall) every time it crosses a zone boundary.
Approach network diagrams systematically rather than trying to see everything at once: identify the zones first, then check the placement of each device, then check the controls on every link between zones, and finally trace the traffic flows.
Understanding proper device placement is critical. Here's where common components should live:
DMZ: Public-facing servers that need internet access but must be isolated from internal resources. Examples: web servers, email gateways, DNS servers, reverse proxies, VPN concentrators.
Internal network: Sensitive systems that should never be directly accessible from the internet. Examples: database servers, file servers, domain controllers, application servers, user workstations.
Management network: Isolated segment for administrative access to infrastructure. Examples: jump boxes, admin workstations, monitoring servers, backup systems.
Guest/IoT network: Isolated segment for untrusted devices that need internet but not internal access. Examples: guest WiFi, printers, cameras, IoT devices, contractor laptops.
The exam repeatedly tests these architectural mistakes. Train yourself to spot them immediately:
Database in the DMZ — Databases contain sensitive data and should never be directly exposed. They belong in the internal network, reached only from the web or application tier through a firewall.
No firewall between zones — Every zone boundary needs a firewall. A switch connecting the DMZ directly to the internal network is a critical vulnerability.
Flat network — If everything is on one subnet with no segmentation, that's a problem. Compromising one system gives access to everything.
Management interfaces exposed — Router, switch and firewall management interfaces that are reachable from user networks or the internet are a severe misconfiguration. They belong on the management network, reachable only from jump boxes and admin workstations.
Missing IDS/IPS — While not always required, traffic from the internet should typically pass through an intrusion detection/prevention system before reaching servers.
Single point of failure — One firewall protecting everything is a single point of failure: if it fails closed the whole network loses connectivity, and if it fails open or is misconfigured everything behind it is exposed. Critical infrastructure should have redundancy, such as a firewall pair.
Let's analyze a network architecture and identify the security issues. This diagram represents a typical Security+ PBQ where you must identify misconfigurations:
Issue 1: Database server in DMZ. The database contains sensitive data (customer records, credentials) and is directly exposed to potential attacks from the internet. In the diagram above, it's highlighted in red because it should be in the Internal Network zone, not the DMZ. Web servers should query the database through a firewall.
Issue 2: No firewall between DMZ and Internal. Notice the dashed red line between Switch A (DMZ) and Switch B (Internal)—there's no firewall controlling traffic between zones. If an attacker compromises the web server, they have a direct path to the domain controller and file server.
Issue 3: Missing IDS/IPS. While traffic passes through a router, there's no intrusion detection system monitoring traffic for malicious patterns before it reaches the DMZ servers.
The fix: Add a firewall between Switch A and Switch B. Move the database server to the internal network (10.0.2.x subnet). Place an IDS/IPS between the router and the DMZ switch to inspect incoming traffic.
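The three findings above, plus the flat-network rule from the list of mistakes, can be checked mechanically once the diagram is written down as devices, zones and links. The following Python script is an added example, not code from the original guide. It models the worked diagram as a constructed topology (the model assumes a perimeter firewall between the router and Switch A, which the text does not mention but would have listed as an issue if it were absent; the device names and zone labels are the example's own) and then re-runs the checks on the corrected topology from the fix. Management-interface exposure and firewall redundancy are not checked, because a plain topology does not say which interface is the management interface or whether a firewall is an HA pair.

```python
"""Static placement checks over a network diagram written as a topology.

Added example, not code from the original guide. BEFORE is a constructed
model of the worked example above; AFTER applies the fix described in the text.
"""
from typing import Dict, List, Set, Tuple

Device = Tuple[str, str]   # (device type, zone); zone "" marks pass-through gear (router, switch, firewall, IDS/IPS)
Links = List[Tuple[str, str]]

SENSITIVE = {"database", "domain_controller", "file_server"}   # must live in the internal zone


def neighbours(links: Links, name: str) -> Set[str]:
    return {b if a == name else a for a, b in links if name in (a, b)}


def reachable_without(devices: Dict[str, Device], links: Links, start: str, stop_types: Set[str]) -> Set[str]:
    """Devices reachable from start; a device of a stop type is reached but never crossed."""
    seen, stack = {start}, [start]
    while stack:
        cur = stack.pop()
        for nxt in neighbours(links, cur):
            if nxt not in seen:
                seen.add(nxt)
                if devices[nxt][0] not in stop_types:
                    stack.append(nxt)
    return seen - {start}


def audit(devices: Dict[str, Device], links: Links) -> List[str]:
    """Return the placement mistakes found in the topology, in a fixed order."""
    findings: List[str] = []
    hosts = sorted(n for n, (_, zone) in devices.items() if zone)

    # Mistake: database (or other sensitive system) outside the internal zone.
    for n in hosts:
        typ, zone = devices[n]
        if typ in SENSITIVE and zone != "internal":
            findings.append(f"{n} ({typ}) is in the {zone} zone; it belongs in the internal zone")

    # Mistake: two zones connected without a firewall between them.
    crossings = set()
    for n in hosts:
        for r in reachable_without(devices, links, n, {"firewall"}):
            rz = devices[r][1]
            if rz and rz != devices[n][1]:
                crossings.add(frozenset((devices[n][1], rz)))
    for a, b in sorted(sorted(pair) for pair in crossings):
        findings.append(f"no firewall between the {a} and {b} zones")

    # Mistake: flat network (every host in one zone).
    if len({devices[n][1] for n in hosts} - {"internet"}) < 2:
        findings.append("flat network: every host is in a single zone")

    # Mistake: internet traffic reaches servers without passing an IDS/IPS.
    for inet in (n for n in hosts if devices[n][1] == "internet"):
        exposed = sorted(r for r in reachable_without(devices, links, inet, {"ids_ips"})
                         if devices[r][1] and devices[r][1] != "internet")
        if exposed:
            findings.append("internet traffic reaches " + ", ".join(exposed) + " without passing an IDS/IPS")
    return findings


# Constructed model of the worked example: database in the DMZ, Switch A and
# Switch B joined directly, a router but no IDS/IPS. The perimeter firewall is an assumption.
BEFORE_DEVICES: Dict[str, Device] = {
    "Internet": ("internet", "internet"),
    "Router": ("router", ""),
    "Perimeter Firewall": ("firewall", ""),        # assumed, not shown in the text
    "Switch A": ("switch", ""),
    "Web Server": ("web", "dmz"),
    "Database Server": ("database", "dmz"),        # wrong zone
    "Switch B": ("switch", ""),
    "Domain Controller": ("domain_controller", "internal"),
    "File Server": ("file_server", "internal"),
}
BEFORE_LINKS: Links = [
    ("Internet", "Router"), ("Router", "Perimeter Firewall"), ("Perimeter Firewall", "Switch A"),
    ("Switch A", "Web Server"), ("Switch A", "Database Server"),
    ("Switch A", "Switch B"),                      # no firewall on the zone boundary
    ("Switch B", "Domain Controller"), ("Switch B", "File Server"),
]

# The fix: database moved to the internal zone, a firewall inserted between the
# switches, an IDS/IPS inserted in front of the DMZ switch.
AFTER_DEVICES: Dict[str, Device] = dict(BEFORE_DEVICES)
AFTER_DEVICES.update({
    "Database Server": ("database", "internal"),
    "IDS/IPS": ("ids_ips", ""),
    "Internal Firewall": ("firewall", ""),
})
AFTER_LINKS: Links = [
    ("Internet", "Router"), ("Router", "Perimeter Firewall"), ("Perimeter Firewall", "IDS/IPS"),
    ("IDS/IPS", "Switch A"), ("Switch A", "Web Server"),
    ("Switch A", "Internal Firewall"), ("Internal Firewall", "Switch B"),
    ("Switch B", "Domain Controller"), ("Switch B", "File Server"), ("Switch B", "Database Server"),
]

if __name__ == "__main__":
    for label, dev, links in (("before", BEFORE_DEVICES, BEFORE_LINKS), ("after", AFTER_DEVICES, AFTER_LINKS)):
        print(label, audit(dev, links) or ["no findings"])
```

Run against the "before" topology the audit reports the database in the DMZ, the unfirewalled DMZ/internal boundary, and the uninspected internet path; against the "after" topology it reports nothing. The reachability helper treats a firewall as a device you can reach but not cross, which is exactly the property a zone boundary needs.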
Know where each security device belongs in the network. The zone list and the common mistakes above give the placement rules for the firewall, IDS/IPS, proxy, VPN concentrator, jump box and email gateway.
Beyond static placement, understand how traffic should flow through a secure network:
Inbound web request: Internet → Firewall → IDS/IPS → Load Balancer → Web Server → Firewall → Database Server. Notice the second firewall between web tier and data tier.
Outbound user browsing: Workstation → Internal Firewall → Proxy Server → Perimeter Firewall → Internet. Users don't connect directly to the internet; traffic is inspected and logged.
Remote admin access: Internet → VPN Concentrator → Firewall → Jump Box → Target Server. Admins authenticate to VPN, then to jump box, then to the actual system. No direct RDP/SSH from internet.
Email flow: Internet → Firewall → Email Gateway (scans for malware/spam) → Firewall → Internal Mail Server. Email is inspected in the DMZ before reaching internal systems.
When analyzing a diagram, trace these flows and verify that appropriate security controls exist at each step.
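Tracing a flow hop by hop can be done in code as well. The following Python function is an added example, not code from the original guide: it takes a flow as a list of (name, type, zone) hops, treats firewalls, IDS/IPS and the VPN concentrator as boundary devices with zone "edge", and enforces the rules stated above: a firewall on every zone crossing, no direct entry from the internet into the internal zone, a proxy before any outbound hop reaches the internet, and VPN plus jump box on an administrative path that starts on the internet. The four reference flows and the three broken variants are constructed; the device names are the example's own.

```python
"""Check traffic flows against the zone and control rules above.

Added example, not code from the original guide. All flows are constructed.
"""
from typing import List, Tuple

Hop = Tuple[str, str, str]   # (device name, device type, zone); boundary devices use zone "edge"


def verify_flow(hops: List[Hop], admin: bool = False) -> List[str]:
    """Return the rule violations along a flow; an empty list means the flow is clean."""
    problems: List[str] = []
    last_zone = None      # zone of the most recent non-edge hop
    controls = set()      # boundary device types crossed since that hop
    seen = set()          # every device type seen so far along the path
    for name, typ, zone in hops:
        seen.add(typ)
        if zone == "edge":
            controls.add(typ)
            continue
        if last_zone is not None and zone != last_zone:
            if "firewall" not in controls:
                problems.append(f"{last_zone} -> {zone} at {name}: no firewall on the crossing")
            if last_zone == "internet" and zone == "internal":
                problems.append(f"{name}: internet traffic enters the internal zone directly instead of via the DMZ")
            if zone == "internet" and "proxy" not in seen:
                problems.append(f"{name}: outbound traffic reaches the internet without a proxy")
        last_zone, controls = zone, set()
    if admin and hops and hops[0][2] == "internet":
        # Remote admin from the internet must terminate on a VPN and land on a jump box first.
        missing = {"vpn", "jump_box"} - {typ for _, typ, _ in hops[:-1]}
        if missing:
            problems.append(f"{hops[-1][0]}: remote admin path skips " + ", ".join(sorted(missing)))
    return problems


INTERNET: Hop = ("Internet", "internet", "internet")
PERIM_FW: Hop = ("Perimeter Firewall", "firewall", "edge")
INT_FW: Hop = ("Internal Firewall", "firewall", "edge")

# The four reference flows from the text.
INBOUND_WEB = [INTERNET, PERIM_FW, ("IPS", "ids_ips", "edge"), ("Load Balancer", "load_balancer", "dmz"),
               ("Web Server", "web", "dmz"), INT_FW, ("Database Server", "database", "internal")]
OUTBOUND_BROWSING = [("Workstation", "workstation", "internal"), INT_FW, ("Proxy Server", "proxy", "dmz"),
                     PERIM_FW, INTERNET]
REMOTE_ADMIN = [INTERNET, ("VPN Concentrator", "vpn", "edge"), PERIM_FW, ("Jump Box", "jump_box", "management"),
                INT_FW, ("Target Server", "server", "internal")]
EMAIL = [INTERNET, PERIM_FW, ("Email Gateway", "mail_gateway", "dmz"), INT_FW,
         ("Internal Mail Server", "mail_server", "internal")]

# Broken variants of the same flows.
DIRECT_RDP = [INTERNET, PERIM_FW, ("Target Server", "server", "internal")]
WEB_TO_DB_NO_FW = [INTERNET, PERIM_FW, ("IPS", "ids_ips", "edge"), ("Web Server", "web", "dmz"),
                   ("Database Server", "database", "internal")]
DIRECT_BROWSING = [("Workstation", "workstation", "internal"), PERIM_FW, INTERNET]

if __name__ == "__main__":
    for label, flow, admin in (("inbound web", INBOUND_WEB, False), ("outbound browsing", OUTBOUND_BROWSING, False),
                               ("remote admin", REMOTE_ADMIN, True), ("email", EMAIL, False),
                               ("direct RDP", DIRECT_RDP, True), ("web to db, no firewall", WEB_TO_DB_NO_FW, False),
                               ("direct browsing", DIRECT_BROWSING, False)):
        print(f"{label}: {verify_flow(flow, admin) or 'ok'}")
```

The four reference flows come back clean; the direct RDP path is flagged twice (it enters the internal zone straight from the internet and skips both the VPN and the jump box), the web-to-database path is flagged for the missing second firewall, and the direct browsing path for the missing proxy. Note that the VPN concentrator is modelled as a boundary device here because the remote admin flow places it in front of the firewall.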
A network diagram PBQ shows you a visual network topology and asks you to identify security issues, place devices correctly, or fix misconfigurations. You might drag-and-drop components, select misconfigured connections, or identify which devices are in the wrong network zone.
A DMZ (Demilitarized Zone) is a network segment that sits between the internet and your internal network. It hosts public-facing servers like web and email servers. The DMZ allows external access to these services while preventing direct access to internal resources. Traffic from the internet reaches the DMZ, but must pass through another firewall to reach the internal network.
Database servers contain sensitive data (customer information, credentials, financial records) and should never be directly exposed to internet traffic. Placing a database in the DMZ means an attacker who compromises the DMZ has direct access to your most sensitive data. Databases belong in the internal network, accessible only by application servers through a firewall.
An IDS (Intrusion Detection System) monitors traffic and alerts when it detects malicious patterns, but doesn't block traffic. An IPS (Intrusion Prevention System) actively blocks detected threats. IDS is passive (detection only), IPS is active (detection plus prevention). Most modern deployments use IPS inline to stop attacks in real time. Because an inline IPS sits in the traffic path it is also a chokepoint: a false positive blocks legitimate traffic, and whether it fails open or fails closed on failure has to be a deliberate choice.