Network Security N10-009

Slide 1 of 10  |  N10-009 Obj 4.1 – 4.4  |  Security
Network Security
Defense, Detection, Hardening
Attacks are automated. Defenses must be deliberate.
Monday morning. Your SIEM alerts: 3,000 failed login attempts from an IP in Eastern Europe. A user reports ransomware. Your firewall shows outbound traffic to a known C2 server. Welcome to network security.
10 slides | N10-009 Obj 4.1 – 4.4 | CIA Triad to Zero Trust | Concepts + Defenses
Slide 2 of 10
The Foundation: CIA Triad + Defense in Depth
Every security control maps back to one of these three goals.
C: Confidentiality
Only authorized parties can read data. Encryption, access controls, and need-to-know enforce this.
I: Integrity
Data is accurate and unaltered. Hashes, digital signatures, and audit logs protect this.
A: Availability
Systems are accessible when needed. Redundancy, failover, and DDoS mitigation defend this.
Perimeter: Firewall, IPS, DMZ — first line of resistance against external threats
Network: VLAN segmentation, ACLs, 802.1X — limit lateral movement if the perimeter fails
Host: Endpoint AV, host firewall, patch management — defense at the device level
Application: Input validation, WAF, secure coding — application-layer controls
Data: Encryption at rest, DLP, classification — protect the data itself
No single layer is sufficient. The SIEM alert this morning fired because the perimeter let traffic in. The ransomware spread because host controls were weak. Depth means every layer catches what the layer above missed.
Slide 3 of 10
Firewalls: Stateless vs Stateful vs NGFW
Every packet that enters or exits your network passes a decision point.
Stateless
Inspects each packet independently — source IP, destination IP, port. No memory of previous packets. Fast, simple, limited. Cannot distinguish a reply packet from a spoofed attack packet.
Stateful
Tracks TCP session state. Knows the difference between an established reply and a spoofed mid-stream packet. Blocks SYN floods and session hijacking. Standard in modern networks.
NGFW (Next-Gen)
Deep Packet Inspection. App-layer awareness — blocks Tor even on port 443. Integrated IPS, TLS inspection, URL filtering, identity-based rules. The C2 traffic this morning would be caught here.
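The stateless/stateful distinction above, as an added example that is not part of the deck: both filters enforce the same policy (inside hosts may open HTTPS outbound; only replies may come back in), but only the stateful one can tell a real reply from a spoofed packet that merely carries source port 443. The addresses, the 10.0.1.0/24 inside prefix and the packet trace are constructed.

```python
"""Added example, not from the deck: a stateless and a stateful filter side by side.

Both enforce the same policy: inside hosts may open TCP connections to port 443
outside, and only replies to those connections may come back in. The stateless
filter must approximate "reply" with a source-port test, which a spoofed packet
satisfies; the stateful filter keeps a connection table and admits an inbound
packet only if it belongs to a session it saw the inside host open.
Addresses and packets below are constructed sample data.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.1."      # constructed: the internal /24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                 # TCP flags, e.g. "S", "SA", "PA"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Per-packet decision with no memory: outbound to 443, or anything that looks like a reply."""
    outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
    inbound = not is_inside(pkt.src) and is_inside(pkt.dst)
    if outbound and pkt.dport == 443:
        return True
    if inbound and pkt.sport == 443:
        return True            # a spoofed packet with source port 443 passes this test too
    return False


class StatefulFilter:
    """Tracks sessions opened from the inside; inbound packets must match one."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) for every open session
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport != 443:
                return False
            if "S" in pkt.flags and "A" not in pkt.flags:   # outbound SYN opens a session
                self.sessions.add(key)
                return True
            return key in self.sessions
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # flip to the session's view
            return key in self.sessions                       # unknown session: dropped
        return False


# Constructed trace: a legitimate HTTPS session plus two packets nobody asked for.
TRACE = [
    Packet("10.0.1.5", "198.51.100.9", 51000, 443, "S"),     # inside host opens HTTPS
    Packet("198.51.100.9", "10.0.1.5", 443, 51000, "SA"),    # server's SYN-ACK reply
    Packet("198.51.100.9", "10.0.1.5", 443, 51000, "PA"),    # server data in that session
    Packet("203.0.113.7", "10.0.1.5", 443, 3389, "PA"),      # spoofed: src port 443, aimed at RDP
    Packet("203.0.113.7", "10.0.1.5", 443, 51000, "PA"),     # spoofed mid-stream, session never opened
]


def compare(trace=TRACE):
    """Return (stateless_verdict, stateful_verdict) per packet, in trace order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, compare()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]  stateless={sl} stateful={sf}")
```

The last two packets are the point: the stateless filter admits both because their source port is 443, while the stateful filter drops both because no inside host ever opened a session with 203.0.113.7.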
DMZ Architecture
A DMZ sits between two firewalls. Public-facing servers (web, mail, DNS) live there. If one is compromised, the inner firewall still protects the internal network. Dual-homed firewall or a separate physical firewall pair — both are valid designs.
Scenario Connection
Your firewall shows outbound C2 traffic on port 443. A stateless firewall won't catch it. An NGFW with TLS inspection and threat intelligence feeds flags the destination IP as a known C2 endpoint and drops the connection.
Slide 4 of 10
IDS vs IPS: Detection vs Prevention
One watches and alerts. The other watches and blocks.
IDS — Intrusion Detection System
Passive — out-of-band. Traffic is mirrored via SPAN port to the IDS. Cannot block — only alert. Zero impact on throughput. Good for visibility without the risk of false-positive blocking.

Detection methods:
Signature-based: matches known attack patterns
Anomaly-based: deviation from a learned baseline
Heuristic: behavioral rules for unknown threats
IPS — Intrusion Prevention System
Inline — in-band. Traffic flows through the IPS. It can drop, reset, or modify packets in real time. A false positive blocks legitimate traffic.

Placement is critical — typically between the firewall and the internal network, or between the DMZ and the core. The 3,000 login attempts should trigger an IPS auto-block on the source IP.
SIEM Integration
A SIEM aggregates logs from firewalls, IDS/IPS, endpoints, and servers. Correlation rules fire alerts when multiple events match an attack pattern. 3,000 failed logins from one IP in 10 minutes is a classic brute force rule.
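The brute-force correlation rule described above, as an added example that is not part of the deck: a sliding-window count of failed logins per source IP that fires once when a source reaches 3,000 failures within 10 minutes. The log format, the hostnames and every log line are constructed sample data, not output from any real SIEM.

```python
"""Added example, not from the deck: a SIEM-style brute-force correlation rule.

Rule: alert once per source IP when it produces at least THRESHOLD failed logins
inside a sliding WINDOW. The log format and every line below are constructed
sample data, not output from any real SIEM or authentication system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

THRESHOLD = 3000                      # failed attempts, the deck's number
WINDOW = timedelta(minutes=10)

# Constructed format: "<ISO timestamp> auth: FAILED|OK login user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return (timestamp, result, user, src), or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(src, window_start, trigger_time, count)] for each source that trips the rule."""
    recent = defaultdict(deque)       # src -> timestamps of failures still inside the window
    alerted = set()                   # fire once per source, not once per extra failure
    alerts = []
    for line in lines:                # lines are expected in time order
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, src = rec
        if result != "FAILED":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], ts, len(q)))
    return alerts


def build_sample_log():
    """Constructed sample: one fast brute force, one slow one, one ordinary typo."""
    base = datetime(2024, 3, 4, 8, 0, 0)
    fmt = "{ts} auth: {res} login user={user} src={src}"
    fast = [fmt.format(ts=(base + timedelta(milliseconds=100 * i)).isoformat(),
                       res="FAILED", user="admin", src="203.0.113.50") for i in range(3000)]
    slow = [fmt.format(ts=(base + timedelta(seconds=2 * i)).isoformat(),
                       res="FAILED", user="admin", src="198.51.100.20") for i in range(3000)]
    user = [fmt.format(ts=(base + timedelta(minutes=1)).isoformat(), res="FAILED", user="jsmith", src="10.0.1.22"),
            fmt.format(ts=(base + timedelta(minutes=2)).isoformat(), res="OK", user="jsmith", src="10.0.1.22")]
    return sorted(fast + slow + user)   # ISO-8601 timestamps sort correctly as text


if __name__ == "__main__":
    for src, start, end, n in correlate(build_sample_log()):
        print(f"ALERT brute force: {n} failed logins from {src} between {start} and {end}")
```

Only the fast source trips the rule: the slow source also produces 3,000 failures, but spread over 100 minutes, so no 10-minute window ever holds more than 301 of them. Lowering the threshold shows the same rule catching slower attempts at the cost of more noise.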
Exam Points
IDS = passive = out-of-band = alerts only.
IPS = inline = active = blocks traffic.
HIDS = host-based (monitors one system).
NIDS = network-based (monitors a segment).
CompTIA frequently tests the passive/inline distinction.
Slide 5 of 10
ACLs + 802.1X / NAC
Control who can reach what — at the network layer and at the port.
ACL — Access Control List
Ordered list of permit/deny rules on a router or firewall. Rules evaluate top-to-bottom. First match wins. Implicit deny at the end blocks everything not explicitly permitted.
#    Action   Source           Dest   Port
10   PERMIT   10.0.1.0/24      any    443
20   PERMIT   10.0.1.0/24      any    80
30   DENY     203.0.113.0/24   any    any
--   DENY     any              any    any   (implicit)
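The ACL on this slide evaluated in code, as an added example that is not part of the deck: top-to-bottom, first match wins, implicit deny at the end. The rule set is the slide's; the test packets and the SHADOWED_ACL variant (a broad deny inserted above the permits) are constructed to show why rule order matters.

```python
"""Added example, not from the deck: evaluating the ACL on this slide.

Rules are checked top-to-bottom, the first match decides, and everything that
reaches the end hits the implicit deny. ACL is the slide's rule set; the test
packets and the shadowed variant are constructed.
"""
import ipaddress

# (sequence, action, source, destination, destination port) as on the slide
ACL = [
    (10, "PERMIT", "10.0.1.0/24", "any", 443),
    (20, "PERMIT", "10.0.1.0/24", "any", 80),
    (30, "DENY", "203.0.113.0/24", "any", "any"),
]


def _net_match(rule_net, ip):
    return rule_net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_net)


def _port_match(rule_port, port):
    return rule_port == "any" or rule_port == port


def evaluate(acl, src, dst, dport):
    """Return (action, sequence); sequence None means the implicit deny fired."""
    for seq, action, rule_src, rule_dst, rule_port in acl:
        if _net_match(rule_src, src) and _net_match(rule_dst, dst) and _port_match(rule_port, dport):
            return action, seq        # first match wins; later rules are never consulted
    return "DENY", None


def _covers(broad, narrow):
    """True if every address matched by `narrow` is also matched by `broad`."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))


def shadowed(acl):
    """Sequence numbers of rules that can never match because an earlier rule covers them."""
    unreachable = []
    for i, (seq, _act, src, dst, port) in enumerate(acl):
        for _s, _a, e_src, e_dst, e_port in acl[:i]:
            if _covers(e_src, src) and _covers(e_dst, dst) and (e_port == "any" or e_port == port):
                unreachable.append(seq)
                break
    return unreachable


# Constructed mistake: a broad DENY inserted above the permits makes 10 and 20 dead rules.
SHADOWED_ACL = [(5, "DENY", "10.0.1.0/24", "any", "any")] + ACL

if __name__ == "__main__":
    for src, dst, port in [("10.0.1.25", "198.51.100.9", 443), ("10.0.1.25", "198.51.100.9", 22),
                           ("203.0.113.8", "10.0.1.25", 443), ("192.0.2.1", "10.0.1.25", 443)]:
        print(src, "->", dst, port, evaluate(ACL, src, dst, port))
    print("unreachable rules in SHADOWED_ACL:", shadowed(SHADOWED_ACL))
```

Note that an inside host reaching out on port 22 is denied even though no rule names it: that is the implicit deny, reported here as sequence None.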
802.1X / NAC
802.1X is port-based network access control. A device must authenticate before the switch port forwards any traffic.

Supplicant: the device trying to connect
Authenticator: the switch or wireless access point
Auth Server: RADIUS validates the credentials

NAC extends this with posture checking — is the endpoint patched, running AV, compliant with policy? Non-compliant devices get quarantined to a remediation VLAN.

802.1X would have prevented the compromised workstation from connecting without valid credentials in the first place.
Slide 6 of 10
Encryption + PKI
Without encryption, your network is a broadcast of plaintext secrets.
Symmetric Encryption
Same key encrypts and decrypts. Fast. Key distribution is the problem — how do you securely share the key before the session begins?
AES-128/256 — current standard, used for bulk data.
DES/3DES — legacy, avoid.
Asymmetric Encryption
Public/private key pair. Encrypt with public key, decrypt with private key. Solves key distribution — share the public key freely. Slow for bulk data; used for key exchange and digital signatures.
RSA — widely used. ECC — smaller keys, equivalent strength.
How TLS Uses Both
Handshake = asymmetric (RSA/ECC) to exchange a session key. Bulk data = symmetric (AES) using that session key. Secure key exchange at handshake speed, fast encryption at data transfer speed.
PKI — Public Key Infrastructure
CA: issues and signs certificates
Certificate: binds a public key to an identity
CRL / OCSP: revocation — invalidates compromised certs
Chain of Trust: Root CA signs Intermediate CA signs server cert
The C2 traffic was on port 443. NGFW TLS inspection terminates the connection, inspects plaintext, then re-encrypts outbound. Breaks the attacker's ability to hide inside encrypted traffic.
Slide 7 of 10
Common Network Attacks
Know the attack to understand the defense.
DoS / DDoS
Flood a target until it cannot serve legitimate requests. DDoS uses a botnet — thousands of simultaneous sources. Attacks availability directly.
Defend: rate limiting, blackhole routing, upstream scrubbing, null routes on ISP
ARP Poisoning
Attacker sends fake ARP replies, associating their MAC with a legitimate IP. Traffic is redirected through the attacker (man-in-the-middle). This is a Layer 2 attack.
Defend: Dynamic ARP Inspection (DAI), static ARP entries, private VLANs
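Dynamic ARP Inspection logic, as an added example that is not part of the deck: a switch with DAI checks each ARP packet from an untrusted port against the DHCP snooping binding table (IP, MAC, port) and drops anything that disagrees with it. The binding table, port names and ARP packets are constructed sample data.

```python
"""Added example, not from the deck: Dynamic ARP Inspection (DAI) decision logic.

DAI validates ARP packets arriving on untrusted ports against the DHCP snooping
binding table (IP -> MAC, port). A packet whose sender IP/MAC pair is not in the
table, or that arrives on a port other than the one the binding was learned on,
is dropped and logged. Bindings and packets are constructed sample data.
"""
from dataclasses import dataclass

# Constructed DHCP snooping bindings: ip -> (mac, port the lease was seen on)
BINDINGS = {
    "10.0.1.1": ("00:11:22:33:44:01", "Gi1/0/1"),   # default gateway
    "10.0.1.5": ("00:11:22:33:44:05", "Gi1/0/5"),
    "10.0.1.9": ("00:11:22:33:44:09", "Gi1/0/9"),
}
TRUSTED_PORTS = {"Gi1/0/24"}   # uplink to the distribution switch; DAI does not validate here


@dataclass(frozen=True)
class Arp:
    sender_ip: str
    sender_mac: str
    ingress_port: str


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return ("forward", reason) or ("drop", reason) for one ARP packet."""
    if pkt.ingress_port in trusted:
        return "forward", "trusted port, not validated"
    binding = bindings.get(pkt.sender_ip)
    if binding is None:
        return "drop", f"no binding for {pkt.sender_ip}"
    mac, port = binding
    if pkt.sender_mac.lower() != mac:
        return "drop", f"{pkt.sender_ip} is bound to {mac}, not {pkt.sender_mac}"
    if pkt.ingress_port != port:
        return "drop", f"{pkt.sender_ip} is bound to {port}, seen on {pkt.ingress_port}"
    return "forward", "binding matches"


def verdicts(packets):
    """Just the forward/drop decision per packet, in order."""
    return [inspect(p)[0] for p in packets]


# Constructed ARP replies as the switch would see them.
SAMPLE = [
    Arp("10.0.1.1", "00:11:22:33:44:01", "Gi1/0/1"),   # genuine gateway reply
    Arp("10.0.1.1", "00:11:22:33:44:09", "Gi1/0/9"),   # host on port 9 claims the gateway IP
    Arp("10.0.1.77", "00:11:22:33:44:77", "Gi1/0/7"),  # IP with no DHCP binding at all
    Arp("10.0.1.5", "00:11:22:33:44:05", "Gi1/0/9"),   # right IP/MAC pair, wrong port
    Arp("10.0.1.1", "aa:bb:cc:dd:ee:ff", "Gi1/0/24"),  # arrives on the trusted uplink
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        action, reason = inspect(pkt)
        print(f"{action:7} {pkt.ingress_port:8} {pkt.sender_ip:10} {pkt.sender_mac}  ({reason})")
```

The second packet is the poisoning attempt from the slide, and the binding table is what lets the switch refuse it. The last packet shows the flip side: DAI trusts whatever arrives on a trusted port, so which ports are marked trusted is part of the control.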
VLAN Hopping
Switch spoofing or double-tagging allows traffic to jump between VLANs that should be isolated. Bypasses segmentation controls entirely.
Defend: disable DTP, set native VLAN to an unused VLAN, restrict trunk ports
Brute Force
Your 3,000 failed login attempts. Automated credential guessing. Dictionary attacks use common passwords. Credential stuffing uses leaked lists from breaches.
Defend: account lockout, MFA, IPS auto-block on threshold, geofencing
Social Engineering
Phishing, pretexting, vishing. Bypasses technical controls by targeting humans. Often the initial vector in ransomware campaigns — including this morning's.
Defend: user training, email filtering, DMARC/DKIM/SPF, link sandboxing
C2 (Command & Control)
Infected host calls home to the attacker's server. Your firewall is already seeing this. Ransomware typically exfiltrates data before encrypting files.
Defend: NGFW with threat intel, DNS sinkholing, egress filtering, SIEM correlation
Three alerts, one chain: phishing email infected a host, which connects to the C2 server while the attacker brute-forces other accounts. Recognize the pattern — respond to the chain, not the alerts.
Slide 8 of 10
Device Hardening
Reduce the attack surface before attackers find it for you.
Disable Unused Services
Every open port is a potential entry point. Disable Telnet (use SSH), HTTP (use HTTPS), SNMPv1/v2 (use SNMPv3). Shut down unused switch ports. Remove default services that shipped enabled.
Change Defaults
Default credentials are public knowledge. admin/admin, admin/password, cisco/cisco — all in published default password lists. Rename or delete default admin accounts before deployment. Change every default password.
Patch Firmware
Unpatched routers and switches are exploited automatically by vulnerability scanners. Schedule firmware updates. Subscribe to vendor security advisories. Test in a lab before pushing to production.
Physical Security
Lock the server room. Anyone with physical access to the console port gets full device control with no authentication. Disable USB ports on servers. Cable locks on workstations. Cameras in the IDF/MDF.
Configuration Baseline
Document a hardened configuration template. Apply it to every device at deployment. Use CIS benchmarks as a starting point. Any deviation from baseline should trigger a change management review.
The ransomware spread because endpoints were not patched. The C2 traffic was allowed because egress filtering was not configured. Both are hardening failures discovered the worst possible way.
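The hardening items on this slide turned into a baseline check, as an added example that is not part of the deck: a script that audits a device configuration for Telnet, HTTP, SNMPv1/v2c community strings, a default admin account and unused ports left up, and reports every deviation from the baseline. Both configuration texts are constructed, IOS-style samples, not real device output.

```python
"""Added example, not from the deck: auditing a device config against a hardening baseline.

Both configs are constructed, IOS-style samples. The checks mirror the slide's items:
Telnet off, SSH only, HTTP management off, no SNMPv1/v2c communities, default
admin account renamed, unused ports shut down. Any failure is a baseline deviation
that should go through change management.
"""
import re

RUNNING_CONFIG = """\
hostname edge-sw1
username admin privilege 15 secret 9 REDACTED
ip http server
snmp-server community public RO
snmp-server group NETOPS v3 priv
interface GigabitEthernet1/0/1
 description uplink
 no shutdown
interface GigabitEthernet1/0/7
 description spare
 no shutdown
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-sw1
username netops-admin privilege 15 secret 9 REDACTED
no ip http server
snmp-server group NETOPS v3 priv
interface GigabitEthernet1/0/1
 description uplink
 no shutdown
interface GigabitEthernet1/0/7
 description spare
 shutdown
line vty 0 4
 transport input ssh
"""

# (check name, predicate that is True when the config is compliant)
BASELINE = [
    ("Telnet disabled on VTY lines", lambda cfg: not re.search(r"transport input .*telnet", cfg)),
    ("SSH is the only VTY transport", lambda cfg: re.search(r"transport input ssh\s*$", cfg, re.M) is not None),
    ("HTTP management disabled", lambda cfg: "ip http server" not in cfg.splitlines()),
    ("No SNMPv1/v2c community strings", lambda cfg: not re.search(r"^snmp-server community", cfg, re.M)),
    ("Default 'admin' account renamed", lambda cfg: not re.search(r"^username admin ", cfg, re.M)),
]


def interface_blocks(cfg):
    """Map interface name -> list of its indented config lines."""
    blocks, name, body = {}, None, []
    for line in cfg.splitlines():
        if line.startswith("interface "):
            if name:
                blocks[name] = body
            name, body = line.split(maxsplit=1)[1], []
        elif name and line.startswith(" "):
            body.append(line.strip())
        else:                              # any other top-level line ends the block
            if name:
                blocks[name] = body
            name, body = None, []
    if name:
        blocks[name] = body
    return blocks


def unused_ports_not_shut(cfg):
    """Interfaces described as spare/unused that are not administratively shut down."""
    bad = []
    for name, body in interface_blocks(cfg).items():
        desc = " ".join(l for l in body if l.startswith("description")).lower()
        if any(word in desc for word in ("spare", "unused")) and "shutdown" not in body:
            bad.append(name)
    return bad


def audit(cfg=RUNNING_CONFIG):
    """Return the list of failed baseline checks; an empty list means compliant."""
    failures = [name for name, compliant in BASELINE if not compliant(cfg)]
    failures += [f"Unused interface {port} not shut down" for port in unused_ports_not_shut(cfg)]
    return failures


if __name__ == "__main__":
    for label, cfg in (("running", RUNNING_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'compliant'}")
```

The running config fails all six checks; the hardened config passes. In practice the baseline would be pulled from a CIS benchmark and the audit run on every device at deployment and on a schedule afterwards.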
Slide 9 of 10
Zero Trust Architecture
Never trust, always verify. The perimeter is dead.
The Problem with Castle-and-Moat
Traditional security assumed everything inside the network was trusted. One compromised endpoint inside the firewall had access to everything. Your SIEM alerts this morning prove the point — the attacker is already inside, moving laterally, and your internal controls did not stop it.
Zero Trust Principles
1. Verify explicitly: every access request requires authentication, regardless of location
2. Least privilege: users and devices get minimum access required for the task
3. Assume breach: segment networks, limit blast radius, log everything

Access decisions are made per-request, not per-session.
Identity
MFA on every account. Identity is the new perimeter.
Device
Posture checks before access. Is the endpoint compliant?
Network
Microsegmentation. East-west traffic is also untrusted.
Zero Trust vs Traditional
Traditional: get past the firewall, move freely inside.
Zero Trust: even inside the network, every resource requires authentication, authorization, and continuous validation. A compromised laptop cannot reach the database server unless explicitly permitted by policy.
Exam note: Zero Trust is a model, not a product. Supporting technologies include MFA, 802.1X, NAC, microsegmentation, SASE, and ZTNA.
Slide 10 of 10  |  N10-009 Obj 4.1 – 4.4
The Incident Explained
Monday morning. Three SIEM alerts. Here is what happened: A phishing email (social engineering) delivered a macro that executed on an unpatched endpoint (hardening failure). The malware connected to a C2 server over port 443 — the NGFW missed it because TLS inspection was not configured. The C2 server pushed ransomware, which spread laterally because the internal network was flat — no segmentation, no Zero Trust. The brute force from Eastern Europe is separate: an automated scanner hitting your public-facing login page.

Four failures, one incident: no email filtering, no patching, no TLS inspection, no segmentation. The CIA Triad was violated on all three axes. This is exactly why defense in depth exists.
1. CIA Triad: Confidentiality (encryption, ACLs) | Integrity (hashes, signatures) | Availability (redundancy, DDoS mitigation)
2. IDS = passive / out-of-band / alerts only. IPS = inline / active / blocks. NGFW adds DPI and app-layer awareness with TLS inspection.
3. ACLs: top-down, first match wins, implicit deny at end. 802.1X: supplicant / authenticator / RADIUS auth server — port-based access control.
4. ARP Poisoning (Layer 2 MITM) → defended by Dynamic ARP Inspection. VLAN hopping → defended by disabling DTP, unused native VLAN.
5. Zero Trust: never trust, always verify. Per-request authentication. Least privilege. Assume breach. Microsegmentation limits blast radius.