4.1 Basic Network Security Concepts
Network security encompasses both logical and physical protection mechanisms to ensure confidentiality, integrity, and availability of network resources and data.
Logical Security
Encryption
Data in Transit: Protecting data while moving across networks
- TLS/SSL: Web traffic encryption (HTTPS)
- IPSec: Network layer encryption for VPNs
- SSH: Secure remote access and file transfers
- WPA3: Wireless network encryption
Data at Rest: Protecting stored data
- Disk encryption: Full disk or file-level
- Database encryption: Column or table-level
- Key management: Secure key storage and rotation
Digital Certificates
PKI (Public Key Infrastructure): Comprehensive certificate management system
- Certificate Authority (CA): Issues and manages certificates
- Registration Authority (RA): Verifies certificate requests
- Certificate Repository: Stores and distributes certificates
- Certificate Revocation List (CRL): Lists revoked certificates
Self-signed Certificates: Created without CA validation
- Use cases: Internal systems, testing environments
- Limitations: No third-party validation, browser warnings
Identity and Access Management (IAM)
Authentication Methods
Authentication Factors:
- Something you know: Passwords, PINs
- Something you have: Tokens, smart cards
- Something you are: Biometrics
Multifactor Authentication (MFA): Combines multiple factors for enhanced security
Time-based Authentication: TOTP (Time-based One-Time Password) tokens
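As an added worked example (not part of the original notes), the following standard-library Python implements TOTP as defined in RFC 6238 on top of HOTP (RFC 4226): the shared secret and a counter derived from the current 30-second time step are fed to HMAC-SHA1, the result is dynamically truncated to a 6- or 8-digit code, and the verifier accepts the current step plus one step on either side to tolerate clock drift. The secret value used in the usage call is the RFC 6238 test-vector secret, so the codes it produces can be checked against the RFC; the window size and the constant-time comparison are the verifier-side choices a practitioner would make.

```python
"""TOTP (RFC 6238) generation and verification using only the standard library.
Added example; the secret below is the RFC 6238/4226 test-vector secret."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros, e.g. "07081804"


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238) is HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, timestamp: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept the code for the current step and up to `window` adjacent steps (clock drift).

    Every candidate is compared with hmac.compare_digest so the comparison time does not
    depend on how many leading digits the attacker got right.
    """
    counter = timestamp // step
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits, algo)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC test-vector secret (ASCII), not a real one
    print("HOTP counter 0     :", hotp(secret, 0))            # RFC 4226 vector: 755224
    print("TOTP at T=59 (8dig):", totp(secret, 59, digits=8))  # RFC 6238 vector: 94287082
    now = int(time.time())
    print("Current code       :", totp(secret, now), "valid:", verify_totp(secret, totp(secret, now), now))
```

The window should stay small (one step either side is typical); widening it multiplies the number of codes an attacker can guess per attempt, so rate limiting on the verifier is still required even with a correct implementation.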
Single Sign-On (SSO)
Allows users to authenticate once and access multiple systems:
- Benefits: Improved user experience, reduced password fatigue
- Protocols: SAML, OAuth, OpenID Connect
- Considerations: Single point of failure risk
Authentication Protocols
RADIUS
Remote Authentication Dial-in User Service
- Function: Centralized authentication, authorization, accounting (AAA)
- Protocol: UDP-based (ports 1812/1813)
- Use cases: Network access control, VPN authentication
- Security: Shared secret between client and server
LDAP
Lightweight Directory Access Protocol
- Function: Directory service for user/group information
- Protocol: TCP port 389 (LDAPS: 636)
- Structure: Hierarchical tree structure (DN, OU, CN)
- Integration: Active Directory, OpenLDAP
SAML
Security Assertion Markup Language
- Function: XML-based SSO standard
- Components: Identity Provider (IdP), Service Provider (SP)
- Use cases: Web-based SSO, federated identity
- Assertions: Authentication, authorization, attribute statements
TACACS+
Terminal Access Controller Access Control System Plus
- Function: Cisco proprietary AAA protocol
- Protocol: TCP port 49 (entire packet body encrypted)
- Advantage: Separates authentication and authorization
- Use cases: Network device management, granular control
Authorization & Access Control
Access Control Principles
Authorization: Determining what authenticated users can access
Least Privilege: Users receive minimum necessary permissions
Role-Based Access Control (RBAC): Permissions assigned based on job roles
Benefits:
• Simplified management
• Consistent permissions
• Easier compliance auditing
• Reduced human error
Geofencing
Location-based access control using GPS or network-based positioning:
- Function: Restricts access based on physical location
- Methods: IP geolocation, GPS coordinates, Wi-Fi/cellular positioning
- Use cases: Prevent unauthorized access from foreign countries
- Considerations: VPN bypass, accuracy limitations
Physical Security
Physical Access Controls
Cameras: Surveillance and monitoring systems
- Types: Fixed, PTZ (pan-tilt-zoom), thermal
- Features: Motion detection, night vision, facial recognition
- Storage: Local NVR/DVR, cloud-based
Locks: Physical barriers to unauthorized access
- Mechanical: Key-based, combination locks
- Electronic: Card readers, biometric scanners
- Smart locks: Mobile app control, audit trails
Deception Technologies
Honeypot
Decoy system designed to attract and analyze attackers:
- Purpose: Early attack detection, threat intelligence
- Types: Low-interaction (limited services), high-interaction (full systems)
- Deployment: Internal or external network placement
- Benefits: Distract attackers, gather attack methods
Honeynet
Network of interconnected honeypots simulating real network environment:
- Complexity: Multiple systems with realistic interactions
- Research: Advanced threat analysis and malware study
- Monitoring: Comprehensive logging and traffic analysis
Security Terminology & CIA Triad
Core Security Terms
Risk: Potential for loss or damage from threat exploitation
Vulnerability: Weakness that can be exploited by threats
Exploit: Method used to take advantage of vulnerability
Threat: Potential danger that could harm system/data
Risk = Threat × Vulnerability × Impact
CIA Triad
Confidentiality: Protecting information from unauthorized disclosure
- Encryption, access controls, classification
Integrity: Ensuring data accuracy and preventing unauthorized modification
- Checksums, digital signatures, version control
Availability: Ensuring systems and data are accessible when needed
- Redundancy, fault tolerance, disaster recovery
Compliance & Regulatory Requirements
Data Locality
Requirements for data to reside within specific geographic boundaries:
- Data sovereignty: National laws governing data storage
- Compliance: Meeting regional regulatory requirements
- Cloud considerations: Selecting appropriate data center locations
PCI DSS
Payment Card Industry Data Security Standard
- Scope: Organizations handling credit card data
- Requirements: 12 main requirements covering network security
- Compliance levels: Based on transaction volume
- Network security: Firewalls, encryption, access controls
GDPR
General Data Protection Regulation
- Scope: EU personal data protection
- Rights: Data portability, erasure, breach notification
- Technical measures: Encryption, pseudonymization
- Penalties: Up to 4% of annual revenue
Network Segmentation Enforcement
IoT & IIoT Security
IoT (Internet of Things): Consumer connected devices
IIoT (Industrial IoT): Industrial connected systems
- Challenges: Weak authentication, unencrypted communications
- Segmentation: Isolated VLANs, micro-segmentation
- Monitoring: Behavior analysis, anomaly detection
Industrial Control Systems
SCADA: Supervisory Control and Data Acquisition
ICS: Industrial Control Systems
OT: Operational Technology
- Air-gapping: Physical network isolation
- DMZ deployment: Secured connection to corporate networks
- Protocol security: Modbus, DNP3, industrial Ethernet
Guest & BYOD Networks
Guest Networks: Isolated access for visitors
- Isolation: Separate VLAN with limited access
- Captive portal: Terms acceptance and registration
- Bandwidth limits: Quality of service controls
BYOD (Bring Your Own Device): Personal device corporate access
- Mobile Device Management (MDM): Policy enforcement
- Containerization: Separate work and personal data
- Certificate-based authentication: Device identity verification
4.2 Attack Types & Network Impact
Denial of Service Attacks
DoS (Denial of Service)
Attacks from single source to overwhelm target resources:
- Volumetric: Bandwidth exhaustion attacks
- Protocol: Exploit protocol weaknesses (SYN flood)
- Application layer: Target specific services
- Impact: Service unavailability, performance degradation
DDoS (Distributed Denial of Service)
Coordinated attacks from multiple sources (botnet):
- Amplification: DNS, NTP reflection attacks
- Botnet: Compromised devices under attacker control
- Mitigation: Rate limiting, traffic filtering, CDN protection
- Scale: Can reach hundreds of Gbps
Layer 2 Attacks
VLAN Hopping
Techniques to access unauthorized VLANs:
- Double tagging: Exploiting 802.1Q tag processing
- Switch spoofing: Mimicking trunk port behavior
- Mitigation: Disable unused ports, explicit VLAN assignment
- Impact: Unauthorized network access, data exposure
MAC Flooding
Overwhelming switch MAC address table:
- Method: Sending frames with many fake MAC addresses
- Result: Switch enters fail-open mode (hub behavior)
- Impact: Network traffic becomes visible to all ports
- Mitigation: Port security, MAC address limits
ARP Poisoning/Spoofing
Manipulating ARP tables for man-in-the-middle attacks:
- ARP Poisoning: Corrupting ARP cache entries
- ARP Spoofing: Impersonating another device's MAC address
- Impact: Traffic interception, session hijacking
- Mitigation: Static ARP entries, ARP inspection
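The detection side of the ARP inspection bullet above, as an added example that is not part of the original notes: a small monitor that reads ARP replies, checks each IP-to-MAC claim against a trusted (static) binding table and against the binding first seen on the wire, and also flags one MAC address answering for several IPs, which is what a poisoning host that is impersonating both the gateway and a victim looks like. The log lines, the trusted table and the MAC addresses are constructed sample data, and the `Reply <ip> is-at <mac>` line format is an assumption chosen for the example.

```python
"""ARP reply monitor: flags binding changes the way dynamic ARP inspection would.
Added example with constructed sample data; not part of the original notes."""
import re
from collections import defaultdict

# Constructed sample ARP replies (tcpdump-like format assumed for the example).
# Line 3 and 4 show a host (de:ad:be:ef:00:99) claiming both the gateway and a client.
ARP_LOG = """\
Reply 192.168.1.1 is-at 00:11:22:33:44:01
Reply 192.168.1.50 is-at 00:11:22:33:44:50
Reply 192.168.1.1 is-at de:ad:be:ef:00:99
Reply 192.168.1.50 is-at de:ad:be:ef:00:99
Reply 192.168.1.1 is-at 00:11:22:33:44:01
"""

# Static bindings an operator trusts, e.g. the default gateway (constructed values).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}

ARP_REPLY = re.compile(r"Reply (\S+) is-at (\S+)")


def inspect_arp(log: str, trusted: dict) -> list:
    """Return a list of alert dicts for replies that contradict known bindings."""
    learned = {ip: mac.lower() for ip, mac in trusted.items()}   # first-seen binding per IP
    ips_per_mac = defaultdict(set)                               # which IPs each MAC has claimed
    alerts = []
    for n, line in enumerate(log.splitlines(), 1):
        m = ARP_REPLY.match(line)
        if not m:
            continue                                             # ignore requests / unparsable lines
        ip, mac = m.group(1), m.group(2).lower()
        ips_per_mac[mac].add(ip)
        if ip in trusted and mac != trusted[ip].lower():
            # A static entry is authoritative: any other MAC answering for it is a violation.
            alerts.append({"line": n, "kind": "static-binding-violation", "ip": ip, "mac": mac})
        elif ip in learned and learned[ip] != mac:
            # Dynamic binding flipped; legitimate on DHCP churn, suspicious when sudden.
            alerts.append({"line": n, "kind": "binding-changed", "ip": ip, "mac": mac})
        else:
            learned.setdefault(ip, mac)
        if len(ips_per_mac[mac]) > 1:
            # One NIC answering for several IPs is the classic on-path poisoning footprint.
            alerts.append({"line": n, "kind": "mac-claims-multiple-ips", "mac": mac,
                           "ips": sorted(ips_per_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in inspect_arp(ARP_LOG, TRUSTED):
        print(alert)
```

In production the trusted table would be fed from the DHCP snooping binding database rather than hand-maintained, and the `binding-changed` rule needs a grace period around lease renewals to stay quiet on healthy networks.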
DNS Attacks
DNS Poisoning
Corrupting DNS resolver cache with false information:
- Cache poisoning: Injecting malicious DNS records
- Impact: Users redirected to malicious websites
- Persistence: False entries cached until TTL expires
- Mitigation: DNSSEC, DNS filtering, secure resolvers
DNS Spoofing
Impersonating legitimate DNS responses:
- Method: Racing to respond before legitimate DNS server
- Tools: DNS spoofing frameworks, packet injection
- Impact: Traffic redirection, credential harvesting
- Detection: DNS query monitoring, anomaly detection
Rogue Services & Evil Twin Attacks
Rogue DHCP Server
Unauthorized DHCP server providing malicious network configuration:
- Attack vector: Faster DHCP response than legitimate server
- Malicious config: Attacker's DNS server, default gateway
- Impact: Traffic interception, DNS manipulation
- Mitigation: DHCP snooping, port security
Rogue Access Point
Unauthorized wireless access point on corporate network:
- Types: Employee-installed, attacker-deployed
- Risks: Bypass security controls, unauthorized access
- Detection: Wireless surveys, WIDS/WIPS systems
- Mitigation: Network access control, port security
Evil Twin
Malicious wireless access point mimicking legitimate network:
- Method: Same SSID as legitimate network
- Attraction: Stronger signal or open authentication
- Impact: Credential harvesting, traffic interception
- Mitigation: Certificate-based authentication, user education
Advanced Attack Methods
On-Path Attack (MITM)
Attacker intercepts communication between two parties:
- Active: Modifying communications in real-time
- Passive: Eavesdropping without modification
- Methods: ARP spoofing, DNS hijacking, SSL stripping
- Mitigation: End-to-end encryption, certificate pinning
Malware
Malicious software designed to damage or gain unauthorized access:
- Virus: Self-replicating code attached to files
- Worm: Self-propagating across networks
- Trojan: Disguised as legitimate software
- Ransomware: Encrypts data for monetary demands
- Botnet: Network of compromised devices
Social Engineering Attacks
Phishing
Fraudulent attempts to obtain sensitive information:
- Email phishing: Malicious emails with fake links
- Spear phishing: Targeted attacks on specific individuals
- Whaling: Targeting high-profile executives
- Vishing: Voice-based phishing attacks
- Smishing: SMS-based phishing attacks
Physical Social Engineering
Dumpster Diving: Searching discarded materials for sensitive information
Shoulder Surfing: Observing users entering passwords or PIN codes
Tailgating: Following authorized person through secured entrance
Countermeasures:
• Security awareness training
• Proper document disposal
• Physical access controls
• Privacy screens and shields
4.3 Network Security Defense Solutions
Device Hardening
Security Hardening Practices
Disable Unused Ports and Services:
- Network ports: Shut down unused switch ports
- Services: Disable unnecessary network services
- Benefits: Reduced attack surface, improved performance
- Protocols: Remove insecure protocols (Telnet, HTTP)
Change Default Passwords:
- Default credentials: Well-known and easily exploited
- Strong passwords: Complex, unique passwords
- Regular rotation: Periodic password changes
- Documentation: Secure password management
Network Access Control (NAC)
Port Security
Controls access to individual switch ports:
- MAC address limiting: Restrict number of MAC addresses per port
- Static MAC binding: Associate specific MAC with port
- Violation actions: Shutdown, restrict, or protect mode
- Aging: Automatic MAC address aging timers
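To tie the port security list above to the MAC flooding attack described in 4.2, here is an added simulation (not part of the original notes, and not a real switch implementation) of a learning switch with a fixed-size MAC table. Without port security, a burst of frames from many fake source MACs fills the table, so later unicast traffic between two legitimate hosts is flooded out of every port, including the attacker's; with a per-port MAC limit, the three violation modes from the list behave differently: shutdown err-disables the port, restrict drops and counts the violations, and protect drops silently. The port numbers, table size and MAC addresses are constructed values; aging timers are left out to keep the model small.

```python
"""Toy learning switch with port security, to show why MAC flooding works and how
a per-port MAC limit stops it. Added example with constructed values."""
from collections import defaultdict


class Switch:
    """violation: 'shutdown' (err-disable port), 'restrict' (drop + count), 'protect' (drop silently)."""

    def __init__(self, ports, cam_capacity, max_macs=None, violation="shutdown"):
        self.ports = set(ports)
        self.capacity = cam_capacity          # size of the MAC (CAM) table
        self.cam = {}                         # learned source MAC -> ingress port
        self.max_macs = max_macs              # None = port security disabled
        self.violation = violation
        self.secure = defaultdict(set)        # port -> MACs admitted on that port
        self.err_disabled = set()
        self.violations = defaultdict(int)

    def receive(self, port, src, dst):
        """Process one frame arriving on `port`; return the set of egress ports."""
        if port in self.err_disabled:
            return set()
        if self.max_macs is not None and src not in self.secure[port]:
            if len(self.secure[port]) >= self.max_macs:
                if self.violation != "protect":
                    self.violations[port] += 1        # restrict/shutdown log the event
                if self.violation == "shutdown":
                    self.err_disabled.add(port)       # port goes err-disabled until an admin clears it
                return set()                          # the violating frame is dropped in every mode
            self.secure[port].add(src)
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = port                      # learn or refresh the source binding
        out = self.cam.get(dst)
        if out is None:
            return self.ports - {port}                # unknown destination: flood like a hub
        return set() if out == port else {out}


def mac_flood_demo(max_macs=None, violation="shutdown", fakes=500):
    """Attacker on port 3 sprays `fakes` bogus source MACs; hosts A (port 1) and B (port 2) then talk."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=100, max_macs=max_macs, violation=violation)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed addresses
    for i in range(fakes):
        sw.receive(3, f"de:ad:00:00:{i // 256:02x}:{i % 256:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, host_b, host_a)     # B speaks first, so a healthy switch learns B on port 2
    return {
        "a_to_b_egress": sw.receive(1, host_a, host_b),   # {2} is correct; {2, 3} leaks to the attacker
        "port3_err_disabled": 3 in sw.err_disabled,
        "port3_violations": sw.violations[3],
        "cam_entries": len(sw.cam),
    }


if __name__ == "__main__":
    print("no port security :", mac_flood_demo())
    for mode in ("shutdown", "restrict", "protect"):
        print(f"max 1 MAC, {mode:8}:", mac_flood_demo(max_macs=1, violation=mode))
```

The `restrict` counter is the value a real switch exports as a port-security violation count (and typically a syslog/SNMP trap), which is what detection should alert on; `protect` keeps the port up but gives the operator no signal.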
802.1X Port-Based Authentication
Port-based network access control: a device must authenticate (typically against a RADIUS server) before the switch or access point forwards its traffic.
MAC Filtering
Allow or deny access based on MAC addresses:
- Whitelist: Only approved MAC addresses allowed
- Blacklist: Specific MAC addresses denied
- Limitations: MAC addresses can be spoofed
- Use cases: IoT devices, legacy equipment
Key Management
Cryptographic Key Management
Secure generation, distribution, storage, and rotation of encryption keys:
- Key generation: Hardware Security Modules (HSMs)
- Key distribution: Secure channels, out-of-band methods
- Key storage: Protected key stores, hardware tokens
- Key rotation: Regular key updates and lifecycle management
- Key escrow: Secure backup for key recovery
Best practices:
• Separate encryption and signing keys
• Implement key versioning
• Secure key backup and recovery
• Regular security audits
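An added example (not part of the original notes) of the "key rotation" and "key versioning" points above, using a keyed-hash signing keyring with only the standard library: every key version carries an id, tokens record which version signed them, rotation introduces a new version for signing while older versions remain valid for verification until they are explicitly retired, and the version id is bound into the MAC so a token cannot be re-labelled to a different key. The `SigningKeyring` class, the `vN` id scheme and the `kid.payload.mac` token layout are assumptions made for the example; encryption keys would live in a separate ring of their own, in line with the first bullet.

```python
"""Versioned HMAC signing keys with rotate / retire lifecycle. Added example."""
import base64
import hashlib
import hmac
import secrets


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyring:
    """Holds every key version still accepted for verification; only `current` signs."""

    def __init__(self):
        self.keys = {}          # kid -> 32-byte key (assumed id scheme: v1, v2, ...)
        self.current = None
        self._counter = 0

    def rotate(self) -> str:
        """Create a new version and make it the signing key; old versions become verify-only."""
        self._counter += 1
        kid = f"v{self._counter}"
        self.keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid

    def retire(self, kid: str) -> None:
        """Drop a version once every token it signed has expired; the current key cannot be retired."""
        if kid == self.current:
            raise ValueError("cannot retire the current signing key; rotate first")
        del self.keys[kid]

    def _mac(self, kid: str, payload: bytes) -> bytes:
        # The key id is part of the MAC input, so swapping the id on a token invalidates it.
        return hmac.new(self.keys[kid], kid.encode() + b"." + payload, hashlib.sha256).digest()

    def sign(self, payload: bytes) -> str:
        """Token layout (assumed for the example): <kid>.<b64 payload>.<b64 mac>"""
        return ".".join([self.current, b64(payload), b64(self._mac(self.current, payload))])

    def verify(self, token: str):
        """Return the payload if the token was signed by any still-valid version, else None."""
        try:
            kid, payload_b64, mac_b64 = token.split(".")
        except ValueError:
            return None
        if kid not in self.keys:
            return None                                   # retired or unknown version
        payload = unb64(payload_b64)
        if not hmac.compare_digest(self._mac(kid, payload), unb64(mac_b64)):
            return None
        return payload


if __name__ == "__main__":
    ring = SigningKeyring()
    ring.rotate()
    old = ring.sign(b"user=alice")                        # signed with v1
    ring.rotate()                                         # v2 now signs; v1 still verifies
    print("old token after rotation:", ring.verify(old))
    ring.retire("v1")                                     # after v1-era tokens have expired
    print("old token after retire  :", ring.verify(old))
```

The two-phase lifecycle (rotate, then retire after the old tokens' maximum lifetime) is what lets rotation happen on a schedule without logging every user out at once.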
Security Rules & Filtering
Access Control Lists (ACLs)
Rules defining permitted and denied network traffic:
- Standard ACLs: Filter based on source IP address
- Extended ACLs: Filter on source, destination, ports, protocols
- Placement: Close to source (deny) or destination (permit)
- Order matters: First match wins, implicit deny at end
deny tcp any host 192.168.1.100 eq 23
permit tcp 192.168.1.0 0.0.0.255 any eq 80
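To make the "first match wins, implicit deny" rule concrete, here is an added example (not part of the original notes) that parses the two extended ACL entries shown above, in their Cisco IOS-style syntax, and evaluates packets against them top to bottom. It supports the `any`, `host A.B.C.D` and `A.B.C.D WILDCARD` address forms plus an optional `eq PORT`, which is enough for the entries on the page; the packets and the extra `permit tcp any any` entry used to show that ordering matters are constructed for the example.

```python
"""Minimal extended-ACL evaluator: first match wins, implicit deny at the end.
Added example; parses the page's two ACL entries plus constructed test packets."""
import ipaddress

ACL = [
    "deny tcp any host 192.168.1.100 eq 23",
    "permit tcp 192.168.1.0 0.0.0.255 any eq 80",
]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((network, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq PORT'; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse one access control entry: action proto src [eq p] dst [eq p]."""
    tok = line.split()
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def _addr_match(spec, addr: str) -> bool:
    # Wildcard mask semantics: a 1 bit means "don't care", so only the 0 bits must match.
    net, wild = spec
    return ((_ip(addr) ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Return (action, matching entry number) or ('deny', None) for the implicit deny."""
    for n, ace in enumerate(map(parse_ace, acl_lines), 1):
        if ace["proto"] not in (proto, "ip"):
            continue
        if not _addr_match(ace["src"], src) or not _addr_match(ace["dst"], dst):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n            # first match wins; later entries are never consulted
    return "deny", None                    # nothing matched: implicit deny


if __name__ == "__main__":
    # Constructed packets: (proto, src, sport, dst, dport)
    packets = [
        ("tcp", "10.0.0.5", 40000, "192.168.1.100", 23),     # telnet to the host: entry 1 denies
        ("tcp", "192.168.1.10", 40001, "93.184.216.34", 80), # LAN host to web: entry 2 permits
        ("tcp", "192.168.1.10", 40002, "93.184.216.34", 443),# HTTPS: no entry matches, implicit deny
    ]
    for p in packets:
        print(p, "->", evaluate(ACL, *p))
    # Same telnet packet with a broad permit placed first: ordering changes the verdict.
    print("reordered ->", evaluate(["permit tcp any any"] + ACL, *packets[0]))
```

The last call is the reason the notes say to place specific deny entries before broad permits: once a broad `permit` is hit, nothing below it is evaluated.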
URL Filtering
Controls web access based on website categories or specific URLs:
- Category-based: Block by content type (social media, gaming)
- Reputation-based: Block known malicious sites
- Time-based: Restrict access during specific hours
- User/group-based: Different policies for different users
Content Filtering
Deep packet inspection to block specific content types:
- Application control: Block specific applications
- File type filtering: Block dangerous file extensions
- Keyword filtering: Block content containing specific terms
- Data Loss Prevention (DLP): Prevent sensitive data exfiltration
Network Zones & Segmentation
Security Zones
Trusted Zone: Internal corporate network with high trust level
Untrusted Zone: External networks (Internet) with no trust
Benefits:
- Clear security boundaries
- Consistent policy application
- Simplified rule management
- Defense in depth
Screened Subnet (DMZ)
Network segment between trusted and untrusted networks:
- Purpose: Host public-facing services securely
- Services: Web servers, email servers, DNS
- Protection: Firewalls on both sides
- Access control: Limited communication with internal network
Internet ↔ Firewall ↔ DMZ ↔ Firewall ↔ Internal Network
Advanced Defense Techniques
| Defense Technique | Purpose | Implementation | Effectiveness |
|---|---|---|---|
| Network Segmentation | Isolate network resources | VLANs, firewalls, routers | 🟢 High |
| Micro-segmentation | Granular access control | Software-defined perimeters | 🟢 Very High |
| Zero Trust | Never trust, always verify | Identity-based access control | 🟢 Very High |
| Intrusion Prevention | Block malicious traffic | IPS appliances, signatures | 🟡 Medium-High |
| Behavior Analysis | Detect anomalies | ML-based monitoring | 🟡 Medium-High |
Defense in Depth:
• Multiple layers of security controls
• Physical, network, application, and data protection
• Administrative, technical, and physical controls
• Assume any single control can fail
• Regular testing and validation of defenses