The Security+ syllabus is updated every three years. Normally, the exam is denoted by a code consisting of a sequence of letters and numbers; for example, SY0-401 is the most recently outdated exam. During the revision, a number of changes are made from the previous to the most recent exam. This article covers the most recent changes leading to the current exam – the SY0-501. We shall be covering the changes related to the Installing and configuring of network components in order to support organizational security. We shall take a look at how this is covered in the new exam and how it differs from the previous exam.

Exam Changes Overview

Between the two exams SY0-401 and SY0-501, there is a significant overall change in the content. The new exam focuses on attacks, risk management and hands-on skills using technologies and tools. As a result, the domains have been re-named and re-ordered to reflect cyber security trends as determined in the Security+ SY0-501 Job Task Analysis (JTA).

Under the previous exam (SY0-401), the installation and configuration of network components was found under the Network Security domain, and specifically under section 1.2 Network Administration Principles. which covered 20% of the exam, but is currently found within the Technologies and Tools domain (22% of the overall exam) and under section 2.1 Security Components.

Compared to the previous exam, the most recent changes ensure that candidates are able to explain the learned concepts by translating them to real-life problems.

Exam Changes Comparison

The different malicious motives targeting many organizations today may include competitor companies that are out to obtain intellectual property from rival organizations (or execute espionage missions), rogue states that might sponsor attacks against certain industries that affect target organizations, or rogue employees who might want to cause havoc to a former employer. These and many other factors prompt security departments within organizations to take the strictest measures to ensure they do not fall victim to such attacks. Such measures include the installation and configuration of different security devices. We therefore will discuss how the new exam meets this challenge, comparing it against the previous exam.

SY0-401 Overview

This exam focused on security tools from a network hardening perspective with an intention of securing the network from any conventional attack. Installation and configuration of the following devices were covered in the recently outdated exam (SY0-401).

Routers, Firewalls and Switches – These were assessed in relation to the OSI layer. The emphasis was on the functionality and security based on the network installed on. The best routers for different networks were discussed as well as the different applications of routing and switching. Firewalls were also discussed in detail, with much effort placed in assessing the importance of filtering traffic from OSI layer 4 through layer 7. Building encryption tunnels between networks was also discussed in detail. Candidates were examined on their abilities to configure firewalls into proxies and perform different traffic encryption.

Load Balancers and Proxies – Candidates were examined on the methods of distributing network traffic evenly through a cluster of different servers using a load balancer without introducing vulnerabilities into the network. Proxies were covered as well, specifically the importance of the proxy on the network being discussed along with the security they provide. This was done by showing candidates how to configure applications to know how to communicate with proxies, along with discussing the different type of Proxies (anonymous, transparent, etc.).

Web Security Gateways and UTMs – Candidates were tested on Unified Threat Management devices or Web Security Gateways and their many different functions. The focus was on URL filtering and content inspection, malware inspection and spam filtering. Candidates needed to be able to perform integration with IDS and IPS, Switches, Routers and Firewalls.

VPN Concentrators – Here the exam previously focused on how configuration can be done on VPN concentrators to secure an organization’s network. Candidates were shown how to perform this encryption in a manner that secures the network from unauthorized external threats.

Intrusion Detection/Prevention Systems (IPS/IDS) – The focus here has been to understand the need and functionality of IPS and IDS infrastructure within the network and how to configure them to detect malicious activities such as exploit code, buffer overflows, cross-site scripting and other commonly known vulnerabilities. Candidates were taught to look at signature based shellcode and incorporate it within the IDS/IPS. Various configurations were tested, such as anomaly-based, behavior-based and heuristics malware identification.

Protocol Analyzers – Candidates were tested on their abilities to analyze protocols and network traffic for malicious activity. Packet sniffers such as Wireshark and TCP Dump were reviewed in detail.

Spam Filters – The importance of having a system in place to prevent malicious/spam emails from getting into the network was stressed. Candidates were tested on the different methods of assessing emails. Methods tested include using a cloud solution, whitelisting, SMTP standards checking, reverse DNS checking, tarpitting and recipient filtering.

Web Application Firewalls (WAFs) – Candidates were examined on the different rules that apply to WAFs with respect to the different possible injection techniques ranging from the obvious to the unknown.

SY0-501 Overview

The most recent exam focuses on security tools from an organization hardening perspective with an intention to secure the organization from the attacks plaguing most organizations today. These may include Ransomware attacks, Advanced Persistent Threats (APTs) and Spying for Intellectual Property theft. What follows are the most recent changes in relation to device security configurations and installations.

Firewalls – Firewalls are now covered with different objectives in mind within the new exam. The different states, firewall rule-set evaluation, and the different types of firewalls (such as host-based and application aware firewalls) are covered. Candidates are tested on their knowledge of controlling corporate inbound and outbound data (this involving filtering off inappropriate content and sensitive content using ACLs) within the organization.

Some firewalls allow administrators to filter off malware and spyware and these are also covered. Contrary to the previous exam, candidates here are required to master next-gen firewalls that filter traffic off applications.

VPN Concentrators – In this exam, VPNs are examined in more detail. For instance, the different technologies used to build and encrypt a VPN tunnel are examined. Take, for example, an SSL/TLS VPN. It uses TCP port 443, hence there are very few firewall issues encountered. That means that integration with devices other than firewalls too within the network happens with less errors. Candidates are thus required to understand not only the different technologies, as before, but how they function. Another instance could be where through a Full Tunnel (or even a Split Tunnel) the candidate is required to demonstrate the flow of traffic from an employee on the internet into the tunnel and to a third party and back into the tunnel and to the organization.

Network Intrusion Detection and Prevention – Candidates are now required to demonstrate the ability to configure passive monitoring for IDSs, where the IDS informs the administrator of the intrusion as soon as it discovers it. Other methods are examined, such as sending an out of band response to terminate the session between two clients within the network, or setting up inline monitoring, where the IPS is configured to drop intrusions before they hit the internal network. Candidates are now expected to be up to speed with the modern intrusion detection and prevention techniques such as signature-based, anomaly-based, behavior-based and heuristics.

Router and Switching Security – Routers are now examined from a security standpoint. Candidates need to know how routers can be used to allow or deny traffic by use of NAT, QoS etc., filter using the ingress or egress of an interface, evaluate port numbers and IP addresses. Different scenarios will also be examined to test the candidates’ abilities. They will be required to now read Access Control Lists to determine traffic flow within the network. Candidates are required to prevent malicious attacks such as man-in-the-middle and DDoS attacks. Methods such as Reverse Path Forwarding are examined.

Proxies – Candidates are now examined on their abilities to configure different firewalls for security. These include explicit, transparent, forward, application and reverse proxies and are required to know the security threats posed by open proxies to organizations.

Sec+ Training – Resources (InfoSec)

Load Balancers – Candidates are now tested on the methods that load balancers effectively handle traffic. Traffic can, for example, be distributed through multiple servers (web server farms) or database farms. Candidates are tested on their knowledge of how load balancers perform fault tolerance within the network. Scenarios will be provided and candidates expected to troubleshoot or suggest best configurations that may increase the efficiency of the load balancers. For instance, it will be necessary to understand the effects of performing TCP offloading (to deal with protocol overhead) and SSL offloading (to deal with encryption/decryption overhead), caching to ensure fast responses and prioritization for quality of service and content switching to ensure application centric balancing.


It can be concluded that the revised exam goes a step ahead to ensure that the content used to examine the capabilities of students has been refined to be more hands-on. Candidates are now tested on the most current technologies and are encouraged to go beyond simply understanding the theoretical aspect of things. Organizations will be attracted to this revision mainly because it prepares security personnel to anticipate attacks and ensures that the personnel are ready to harden networks against attacks.



Be Safe

Section Guide


View more articles from Lester

Earn your Sec+ the first time with InfoSec Institute and pass your exam, GUARANTEED!

Section Guide


View more articles from Lester