NE-10

Network Security Fundamentals

Network+ / NE-10
< Network+ Hub

Learning Objectives

Defense in Depth

No single security measure is sufficient. Defense in depth layers multiple controls so that if one fails, others still protect the network. This military concept (from castle design -- moats, walls, guards, inner keep) maps directly to network architecture.

/* Defense in Depth Layers */ Physical: Locked server rooms, security cameras, cable locks Perimeter: Firewall, IDS/IPS, DMZ, VPN gateway Network: VLANs, ACLs, network segmentation, 802.1X Host: OS hardening, endpoint protection, host firewall Application: Input validation, WAF, secure coding, patching Data: Encryption (at rest + in transit), DLP, backups User: MFA, security awareness training, least privilege /* The goal: an attacker must defeat EVERY layer, not just one. Each layer increases cost of attack. */

Firewalls

A firewall controls traffic between networks based on rules. It is the primary perimeter defense. Firewalls can be hardware appliances, software on a host, or cloud-based services.

Packet Filter (Stateless) Examines each packet independently. Filters on source/destination IP, port, protocol. Fast but cannot track connections. Example: basic router ACLs.
Stateful Inspection Tracks connection state (new, established, related). Allows return traffic for established sessions automatically. The standard for modern firewalls.
Application Layer (Proxy) Inspects traffic at Layer 7. Can filter by URL, content type, or application. Breaks and re-establishes connections. Higher security, higher latency.
Next-Generation (NGFW) Combines stateful inspection, deep packet inspection, IPS, application awareness, and threat intelligence. Palo Alto, Fortinet, Cisco Firepower.

Access Control Lists (ACLs)

ACLs are ordered lists of permit/deny rules applied to router or firewall interfaces. They filter traffic based on source/destination IP, port, and protocol. Rules are processed top to bottom -- first match wins.

/* Standard ACL (filters on source IP only, 1-99) */ Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255 Router(config)# access-list 10 deny any /* Extended ACL (source, destination, port, protocol, 100-199) */ Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443 // Allow internal network to reach any host on HTTPS Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80 // Allow HTTP Router(config)# access-list 100 permit udp 192.168.1.0 0.0.0.255 host 8.8.8.8 eq 53 // Allow DNS queries to Google DNS only Router(config)# access-list 100 permit icmp 192.168.1.0 0.0.0.255 any // Allow ping Router(config)# access-list 100 deny ip any any log // Deny everything else and log it (implicit deny exists, but logging requires explicit) /* Apply ACL to interface */ Router(config)# interface gi0/0 Router(config-if)# ip access-group 100 in # filter inbound traffic
ACL Placement Rules:

Standard ACLs: place close to the destination (they only filter source IP, so placing them at the source blocks too much). Extended ACLs: place close to the source (they are specific enough to filter precisely).

IDS vs IPS

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for malicious activity. The critical difference: IDS alerts but does not block; IPS actively blocks threats in real-time.

FeatureIDSIPS
DeploymentPassive -- monitors a copy of traffic (SPAN/TAP)Inline -- all traffic passes through it
ResponseAlert, log, notify adminBlock, drop, reset connection + alert
Latency ImpactNone (out of band)Minimal but present (inline processing)
RiskMissed attacks (no blocking)False positives block legitimate traffic
Use CaseMonitoring, compliance, forensicsActive threat prevention
Signature-Based Detection Matches traffic against known attack patterns (signatures). Accurate for known threats. Cannot detect zero-day attacks. Requires regular signature updates.
Anomaly-Based Detection Builds a baseline of "normal" traffic and alerts on deviations. Can detect unknown attacks. Higher false positive rate. Requires tuning period.

DMZ Architecture

A Demilitarized Zone (DMZ) is a network segment that sits between the internal (trusted) network and the internet (untrusted). Public-facing servers (web, email, DNS) live in the DMZ. This way, even if a DMZ server is compromised, the attacker still faces another firewall before reaching internal resources.

/* Classic DMZ with two firewalls */ Internet | [External Firewall] -- permits HTTP/HTTPS/SMTP inbound to DMZ | ---+--- DMZ Segment --- | Web Server (80/443) | | Mail Server (25) | | Public DNS (53) | ------------------------- | [Internal Firewall] -- strict rules: only specific ports from DMZ | Internal Network | Workstations | | DB Servers | | File Servers | /* Rules: External FW: allow internet -> DMZ (web ports only) deny internet -> internal (always) Internal FW: allow DMZ web server -> internal DB (port 3306 only) deny DMZ -> internal (everything else) allow internal -> DMZ (management) allow internal -> internet (outbound via NAT) */

Network Security Best Practices

Network Segmentation Use VLANs and firewalls to isolate departments, servers, IoT, and guest networks. An attacker who compromises one segment should not reach all others.
Least Privilege Users and services get only the access they need. Deny by default. ACLs should start with specific permits and end with explicit deny.
Port Security Limit the number of MAC addresses per switch port. Prevents unauthorized devices and MAC flooding attacks. Disable unused ports.
802.1X (NAC) Network Access Control. Devices must authenticate (certificate, credentials) before the switch port is activated. Prevents rogue devices from joining the network.
Encryption TLS/SSL for web traffic, IPsec or WireGuard for VPNs, SSH instead of Telnet, SFTP instead of FTP. Encrypt everything in transit.
Logging and Monitoring Centralized syslog, SIEM correlation, flow analysis (NetFlow). You cannot detect what you do not monitor. Retain logs per compliance requirements.

Common Network Attacks

AttackLayerDescriptionMitigation
ARP SpoofingL2Fake ARP replies redirect traffic to attackerDAI, static ARP entries
MAC FloodingL2Overwhelm switch CAM table; switch floods all trafficPort security, MAC limits
VLAN HoppingL2Double-tagging frames to reach other VLANsDisable DTP, change native VLAN
SYN FloodL4Half-open connections exhaust server resourcesSYN cookies, rate limiting, IPS
DNS PoisoningL7Insert fake DNS records to redirect usersDNSSEC, DNS over HTTPS
Man-in-the-MiddleL2-L7Intercept and relay communications between two partiesTLS, certificate pinning, 802.1X
DDoSL3-L7Overwhelm target with massive traffic volumeCDN, scrubbing service, rate limiting
Ethical Reminder:

Understanding attacks is essential for defense, but executing them without authorization is illegal. Always get written permission before testing. The difference between a penetration tester and a criminal is a signed contract.

VPN Fundamentals

A Virtual Private Network creates an encrypted tunnel over a public network, allowing secure remote access or site-to-site connectivity.

Site-to-Site VPN Connects two entire networks (e.g., headquarters to branch office). Uses IPsec. Always-on. Traffic between sites is automatically encrypted.
Remote Access VPN Individual users connect to the corporate network from anywhere. SSL/TLS-based (AnyConnect, OpenVPN) or IPsec (L2TP/IPsec). Client software required.
Split Tunneling Only corporate-bound traffic goes through the VPN; internet traffic goes direct. Reduces VPN bandwidth but bypasses corporate security controls.
Full Tunneling ALL traffic goes through the VPN, including internet browsing. More secure (traffic is inspected) but higher latency and bandwidth usage.

Key Takeaways