Network Security (VPN)

The document provides a comprehensive guide on securing network devices, including routers, switches, and firewalls, emphasizing best practices such as changing default credentials and implementing secure management protocols. It also covers intrusion detection and prevention systems (IDS/IPS), VPN technologies, and wireless network security, detailing methods for monitoring, protecting, and encrypting network communications. Key strategies include network segmentation, access control lists, and the implementation of robust Wi-Fi security standards like WPA3.

NETWORK SECURITY

5.1 Securing Network Devices

This module provides a comprehensive guide to securing the fundamental components of any
network infrastructure. We'll delve into the roles of routers, switches, and firewalls, and learn
how to implement robust security measures to protect them.

Overview of Network Infrastructure Components

Network security begins with understanding the devices that form the backbone of a network.
● Routers: As layer 3 devices, routers are responsible for forwarding data packets between different computer networks. They make decisions based on IP addresses, acting as the primary gateway between an internal network and the outside world.
● Switches: Operating at layer 2, switches connect devices within a single network segment. They learn the MAC addresses of connected devices and forward traffic only to the intended recipient, which is a significant improvement over hubs.
● Firewalls: A firewall is a critical security device that monitors and controls incoming and outgoing network traffic. It acts as a barrier, using a set of rules to determine which traffic should be allowed or blocked.

Configuration Best Practices for Network Devices

Securing network devices goes beyond simple password protection.

● Change Default Credentials: The first step in securing any device is to change the default username and password. Attackers often use automated scripts to try default credentials.
● Disable Unused Services: Many network devices come with pre-enabled services (e.g., Telnet, HTTP) that are not necessary for operation. Disabling them reduces the attack surface.
● Implement Secure Management Protocols: Use SSH (Secure Shell) instead of Telnet for command-line access. Use HTTPS instead of HTTP for web-based management. This ensures all management traffic is encrypted.
● Regularly Update Firmware: Firmware updates often include critical security patches for known vulnerabilities.
● Physical Security: Ensure all network devices are housed in a secure, locked server room or cabinet to prevent unauthorized physical access.

Access Control Lists (ACLs) and Firewall Rules

Access Control Lists (ACLs) are a foundational element of network security. They are a set
of rules that control which traffic is permitted or denied on a network.
● Standard ACLs: Filter traffic based on the source IP address. They are less granular and are typically placed close to the destination.
● Extended ACLs: Filter traffic based on source IP, destination IP, port numbers, and protocol types (e.g., TCP, UDP, ICMP). These are more flexible and are usually placed closer to the source of the traffic.
● Firewall Rules: Firewalls use a similar concept to ACLs but with more advanced features, such as stateful inspection. Stateful firewalls track the state of active connections, allowing them to make more intelligent decisions about traffic flow. For example, they can automatically allow return traffic for a connection that was initiated from the internal network.
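As an added illustration (not part of the course material), the following Python model evaluates a standard ACL, an extended ACL and a stateful firewall over constructed packets. The rule sets, addresses and the Packet tuple are assumptions for the demo; the stateful part shows the return-traffic case described above, where a reply to an internally initiated connection is allowed although no rule permits inbound traffic.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

# Constructed rule sets (not from the course). Both lists are evaluated top-down,
# first match wins, and anything that matches nothing is implicitly denied.
STANDARD_RULES = [("deny", "203.0.113.0/24"), ("permit", "0.0.0.0/0")]
EXTENDED_RULES = [
    ("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", 443),
    ("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", 80),
    ("deny", "any", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

def standard_acl(rules, pkt):
    """Standard ACL: decides on the source address only."""
    src = ipaddress.ip_address(pkt.src)
    for action, net in rules:
        if src in ipaddress.ip_network(net):
            return action == "permit"
    return False  # implicit deny

def extended_acl(rules, pkt):
    """Extended ACL: source, destination, protocol and destination port."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, dport in rules:
        if (proto in ("any", pkt.proto) and dport in ("any", pkt.dport)
                and src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)):
            return action == "permit"
    return False  # implicit deny

class StatefulFirewall:
    """Stateless rules plus a connection table: replies to permitted, internally
    initiated flows are allowed even though no rule permits inbound traffic."""
    def __init__(self, internal_net, rules):
        self.internal = ipaddress.ip_network(internal_net)
        self.rules = rules
        self.flows = set()  # (src, dst, proto, sport, dport) of tracked connections

    def allow(self, pkt):
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.flows:
            return True  # return traffic for a tracked flow
        if not extended_acl(self.rules, pkt):
            return False
        if ipaddress.ip_address(pkt.src) in self.internal:
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return True
```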

Network Segmentation and Zoning

Network segmentation is the practice of dividing a network into smaller, isolated subnetworks. This strategy is essential for containing security breaches. If one segment is compromised, the attacker cannot easily move laterally to other parts of the network.
● Virtual LANs (VLANs): The most common method of segmentation, VLANs logically group devices on the same switch, allowing for separation of different departments or device types (e.g., separating guest Wi-Fi from the corporate network).
● Zoning: A logical grouping of network segments with similar security requirements. Common zones include:
○ Internal Zone: The core of the network, containing sensitive data and applications.
○ Demilitarized Zone (DMZ): A perimeter network that contains public-facing services like web servers and email servers. The DMZ is isolated from both the internal network and the public internet.
○ External Zone: The public internet.

5.2 Intrusion Detection and Prevention Systems (IDS/IPS)

This module explores IDS/IPS, which are proactive security technologies used to monitor and
protect networks from malicious activity.

Introduction to IDS/IPS Technologies

● Intrusion Detection System (IDS): An IDS is a passive monitoring tool. It watches network traffic for signs of suspicious activity and logs or alerts administrators when it finds a potential threat. An IDS does not actively block or interfere with the traffic.
● Intrusion Prevention System (IPS): An IPS is an active, inline security device. It not only detects malicious activity but also takes immediate action to block it. This can include dropping malicious packets, resetting a connection, or blocking the source IP address.

Types of Detection Methods

● Signature-based Detection: This is the most common method. The IDS/IPS maintains a database of known attack signatures, which are patterns of bytes or traffic that indicate a specific attack. When traffic matches a signature, it is flagged as malicious. This method is highly accurate for known threats but is ineffective against new or modified attacks.
● Anomaly-based Detection: This method involves first establishing a baseline of "normal" network behavior. The system then uses machine learning to identify any significant deviations from this baseline. Anomalies could include an unusual volume of traffic, a user accessing a resource they've never accessed before, or a port scan. This method is effective at detecting zero-day attacks but can also produce a higher number of false positives.
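An added example, not from the course, that runs both detection methods over constructed log lines: a small signature database for the first method, and a previously learned baseline (usual source-to-destination pairs and normal port fan-out) for the second. The log format, the signature patterns and the baseline values are assumptions made for the demo.

```python
import re
from collections import defaultdict
# Constructed sample log lines (not from the course): "src dst dport request".
SAMPLE_LOG = [
    "10.0.0.5 10.0.0.20 80 GET /index.html",
    "10.0.0.5 10.0.0.20 80 GET /files?name=../../etc/passwd",
    "10.0.0.9 10.0.0.20 443 GET /api/status",
    "203.0.113.7 10.0.0.20 21 -",
    "203.0.113.7 10.0.0.20 22 -",
    "203.0.113.7 10.0.0.20 23 -",
    "203.0.113.7 10.0.0.20 25 -",
    "10.0.0.9 10.0.0.30 3306 -",
]
# Signature database: name -> text/byte pattern that identifies a specific known attack.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
}
# Baseline of "normal" behaviour learned beforehand (constructed): usual src->dst pairs
# and how many distinct destination ports a single source normally touches.
BASELINE = {
    "known_pairs": {("10.0.0.5", "10.0.0.20"), ("10.0.0.9", "10.0.0.20")},
    "max_ports_per_src": 3,
}

def parse(line):
    src, dst, dport, request = line.split(" ", 3)
    return src, dst, int(dport), request

def signature_alerts(lines):
    """Signature-based: precise for known attacks, blind to anything not in SIGNATURES."""
    alerts = []
    for line in lines:
        src, _, _, request = parse(line)
        alerts += [(name, src) for name, pat in SIGNATURES.items() if pat.search(request)]
    return alerts

def anomaly_alerts(lines, baseline=BASELINE):
    """Anomaly-based: flags new destinations and port-scan-like fan-out; may false-positive."""
    alerts, ports, flagged = [], defaultdict(set), set()
    for line in lines:
        src, dst, dport, _ = parse(line)
        ports[src].add(dport)
        if (src, dst) not in baseline["known_pairs"] and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append(("new-destination", src))
    for src, seen in ports.items():
        if len(seen) > baseline["max_ports_per_src"]:
            alerts.append(("port-scan", src))
    return alerts
```

Note that the "new-destination" alert for 10.0.0.9 may well be a legitimate first visit to a database server, which is exactly the false-positive cost of the anomaly method that the text mentions.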

Configuring and Deploying IDS/IPS Solutions

Proper deployment and configuration are critical for the effectiveness of an IDS/IPS.
● Placement: An IDS is often deployed in a "tap" or SPAN port configuration, where it receives a copy of the network traffic. An IPS, however, must be placed inline with the traffic flow so it can actively block threats.
● Tuning Signatures: Most IDS/IPS solutions come with thousands of signatures. It is crucial to tune them to your specific network environment to reduce false positives and ensure you're detecting the most relevant threats.
● Policy and Rules: Configure policies to define how the system should react to different threats. An IPS policy might specify that low-severity alerts are logged, while high-severity alerts trigger an immediate block.

Incident Response Procedures for Detected Intrusions

When an IDS/IPS detects a threat, a formal incident response plan is essential.

1. Preparation: Have a plan in place before an incident occurs. This includes defining roles, responsibilities, and communication channels.
2. Identification: Once an alert is received, verify that it's a legitimate threat and not a false positive.
3. Containment: Take steps to limit the damage. This could involve isolating the compromised host from the network or blocking the attacker's IP address at the firewall.
4. Eradication: Remove the cause of the incident. This could mean removing malware, patching a vulnerable system, or changing a compromised password.
5. Recovery: Restore the affected systems to a secure state.
6. Lessons Learned: Conduct a post-incident review to understand what happened, identify why the security controls failed, and improve processes to prevent future incidents.

5.3 Virtual Private Networks (VPNs) 🌐

This module explores VPNs, which provide a secure and encrypted way to connect to a private network over a public, untrusted network like the internet.

Overview of VPN Technologies and Protocols

A VPN works by creating an encrypted tunnel between two endpoints. All data passing
through this tunnel is encrypted, ensuring confidentiality and integrity. The core components
are:
● Encryption: The process of scrambling data so it can only be read by authorized parties. Common encryption algorithms include AES (Advanced Encryption Standard).
● Authentication: Verifying the identity of the user or device attempting to connect.
● Tunneling: Encapsulating data packets within another packet, which is then encrypted and sent through the public network.

VPN Architectures

There are two primary types of VPN architectures:

● Site-to-Site VPN: This architecture securely connects two or more separate networks, such as a company's head office to a branch office. It creates a seamless, encrypted tunnel between the routers at each location, making the networks appear as one.
● Remote Access VPN: This is for individual users who need to connect securely to a private network from a remote location. A common use case is a remote employee accessing company resources. The user's device acts as one endpoint, and a VPN concentrator or firewall on the corporate network acts as the other.

Configuring VPNs for Secure Remote Connectivity

Configuring a VPN involves several key steps:

● Endpoint Definition: Specify the IP addresses of the endpoints that will form the tunnel.
● Authentication Method: Choose how the endpoints will authenticate with each other. This can be a pre-shared key (PSK), a simple password shared between the devices, or digital certificates, which are more secure and scalable for larger deployments.
● Protocol Selection: Choose the tunneling protocol to be used (e.g., IPsec, SSL/TLS).
● Encryption and Hashing: Define the encryption algorithms (AES, 3DES) and hashing algorithms (SHA-1, SHA-256) for securing the data and ensuring its integrity. Of these, 3DES and SHA-1 are legacy options retained for compatibility with older equipment; prefer AES and SHA-256 for new tunnels.

VPN Tunneling Protocols: IPsec and SSL/TLS VPNs

● IPsec (Internet Protocol Security): A suite of protocols used to secure IP communications. It can operate in two modes:
○ Transport Mode: Secures communication between two hosts (e.g., a client and a server).
○ Tunnel Mode: Secures communication between two networks or between a host and a network (the primary mode for most VPNs).
● SSL/TLS VPNs: These use the same protocols as secure web browsing (HTTPS). They are popular for remote access because they are highly flexible and don't always require dedicated client software. Users can often connect using just a web browser.
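Added example (not from the course) showing the two IPsec modes in Python: a simplified ESP encapsulation with NULL encryption (RFC 2410) and an HMAC-SHA-256 integrity check, so the difference in what each mode protects is visible in the bytes. The key, SPIs, addresses and packet contents are constructed for the demo, and the anti-replay check is a simplification of ESP's real sliding window.

```python
import hashlib, hmac, socket, struct

# Constructed demo key; real IPsec keys are negotiated by IKE. ICV = HMAC-SHA-256-128.
KEY = b"\x42" * 32
ICV_LEN = 16
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def esp_wrap(spi, seq, payload, next_header):
    """ESP (RFC 4303) with NULL encryption (RFC 2410): SPI|seq|payload|pad|padlen|NH|ICV."""
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    return hdr + body + hmac.new(KEY, hdr + body, hashlib.sha256).digest()[:ICV_LEN]

def esp_unwrap(pkt, replay_state):
    """Check ICV and sequence number, strip the trailer; returns (next_header, payload)."""
    hdr, body, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(KEY, hdr + body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ICV mismatch: packet altered in transit or wrong SA key")
    spi, seq = struct.unpack("!II", hdr)
    if seq <= replay_state.get(spi, 0):   # simplified anti-replay; real ESP uses a sliding window
        raise ValueError("replayed or reordered packet")
    replay_state[spi] = seq
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[: len(body) - 2 - pad_len]

def tunnel_mode(inner_packet, gw_src, gw_dst, seq):
    """Tunnel mode: the whole inner IP packet is protected behind a new gateway-to-gateway header."""
    esp = esp_wrap(0x1001, seq, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def transport_mode(src, dst, segment, seq):
    """Transport mode: the hosts' own IP header stays visible; only the TCP segment is protected."""
    esp = esp_wrap(0x1002, seq, segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def accepts(pkt, replay_state):
    """True if the receiving side accepts the ESP part of an IPv4 packet."""
    try:
        esp_unwrap(pkt[20:], replay_state)
        return True
    except ValueError:
        return False
```

In the tunnel-mode packet the inner source and destination (10.1.0.5 and 10.2.0.7 in the test) sit inside the integrity-protected body, whereas in transport mode those addresses are the visible outer header.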

5.4 Wireless Network Security 📶

This module covers the unique vulnerabilities of wireless networks and the best practices for
securing them.

Understanding Wireless Network Vulnerabilities

Wireless networks, by their nature, broadcast data through the air, making them susceptible
to various attacks.
● Eavesdropping: An attacker can use a wireless network adapter to listen to unencrypted traffic, capturing sensitive information.
● Rogue Access Points: An unauthorized access point connected to a network. An attacker can set one up to bypass existing security controls and gain access to the internal network.
● Evil Twin: A type of rogue access point that mimics a legitimate network's name (SSID). An attacker can trick users into connecting to the evil twin, where all their traffic can be intercepted.
● Deauthentication Attacks: An attacker sends deauthentication packets to a client, forcing it to disconnect from the legitimate access point. The client then often automatically reconnects, providing the attacker with an opportunity to perform other attacks.

Wi-Fi Security Standards: WEP, WPA, WPA2, WPA3

The evolution of Wi-Fi security standards reflects the continuous effort to counter new threats.
● WEP (Wired Equivalent Privacy): The first standard. It is now completely insecure and should never be used.
● WPA (Wi-Fi Protected Access): An improvement on WEP, it was introduced as a stop-gap measure. While better, it still has known vulnerabilities.
● WPA2: The long-standing standard. It uses the Advanced Encryption Standard (AES) for robust encryption and is considered secure.
● WPA3: The latest standard, providing enhanced security features such as Simultaneous Authentication of Equals (SAE), which offers better protection against password guessing attacks.

Implementing Wi-Fi Protected Access (WPA) Protocols

Implementing WPA protocols correctly is the most important step in securing a wireless
network.
● WPA2-Personal (PSK): For home and small office networks. Use a strong, unique passphrase that is difficult to guess.
● WPA2-Enterprise: For corporate networks. This method uses a RADIUS server for centralized user authentication. Each user has their own unique credentials, providing granular access control.

Securing Wireless LANs with Encryption and Authentication Mechanisms

Beyond WPA protocols, other security measures are crucial.

● Disable SSID Broadcast: Hiding the network name makes it slightly harder for a casual attacker to find your network.
● MAC Address Filtering: Allow only specific devices (by their MAC address) to connect to the network. While this can be bypassed by spoofing a MAC address, it provides an additional layer of security against casual intruders.
● Guest Network Isolation: Create a separate network for guests that is isolated from the main corporate network. This prevents guests from accessing internal resources.
