Types of Networks
- LAN (Local Area Network): Limited geographic area — a floor, building, or campus
- WAN (Wide Area Network): Long-distance connections between geographically separated networks
- WLAN (Wireless LAN): A LAN using wireless connections (Wi-Fi)
- VPN (Virtual Private Network): A secure point-to-point connection over an untrusted network
- MAN (Metropolitan Area Network): Covers a city or metropolitan region
- PAN (Personal Area Network): Very short range — Bluetooth devices around a person
- SAN (Storage Area Network): High-speed network dedicated to storage devices
Network Devices
- Hubs: Repeat every frame out of every port, so any connected host can sniff all traffic. Inefficient and a security liability. Rarely used in modern environments.
- Switches: Operate at Layer 2 and forward frames only to the port where the destination MAC address was learned. Can create VLANs. More efficient and harder to sniff than hubs, although MAC flooding and ARP spoofing can still defeat that isolation.
- Routers: Connect different networks and determine the most efficient path for traffic. Operate at Layer 3 (Network Layer) of the OSI model.
- Firewalls: Filter traffic based on defined rules. Deployed at the perimeter and internally to segment network zones.
- Servers: Provide services to other network devices — web, email, database, file servers.
- Endpoints: The end devices — desktops, laptops, tablets, mobile phones. Often the primary attack surface.
The OSI Model
The OSI model divides network communication into 7 distinct layers. As data moves down the stack, each layer adds a header — this is encapsulation. As data moves back up at the receiving end, each layer removes its header — this is de-encapsulation.
Mnemonic (top to bottom): All People Seem To Need Data Processing (Application, Presentation, Session, Transport, Network, Data Link, Physical)
The TCP/IP Model
TCP/IP uses four layers: Application, Transport, Internet, and Network Access (Link). At the Transport layer, TCP is connection-oriented (three-way handshake), sequences segments, checks for errors and retransmits lost data, so delivery is reliable. UDP is connectionless and offers no delivery guarantee, which makes it faster and lighter; it is used when speed matters more than reliability (streaming, DNS, VoIP).
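The encapsulation described above, as an added example that is not part of the original notes: a made-up application payload is wrapped in a UDP header and then an IPv4 header (down the stack), and the receiver strips them again (up the stack), checking the IPv4 header checksum on the way. Addresses, ports and payload are constructed; only the Python standard library is used.

```python
"""Added example, not from the original notes: encapsulating a constructed
application payload in UDP and IPv4 headers (moving down the stack) and
de-encapsulating it again, verifying the IPv4 header checksum on the way up.
Standard library only; addresses, ports and payload are made up."""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, dscp, total len, id, flags/frag, ttl, proto, csum, src, dst

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of all 16-bit words. Over a correct header (checksum field included) the
    result is 0, which is how a receiver validates it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header in front of the payload.
    A UDP checksum of 0 means 'not computed', which UDP over IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def build_ipv4(src_ip: str, dst_ip: str, segment: bytes, proto: int = 17, ttl: int = 64) -> bytes:
    """Network layer: 20-byte IPv4 header (no options) with a valid checksum."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    fields = [0x45, 0, 20 + len(segment), 0x1234, 0, ttl, proto, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))   # computed with field zeroed
    return struct.pack(IPV4_HDR, *fields) + segment

def decapsulate(packet: bytes) -> dict:
    """Walk back up the stack: strip the IPv4 header, then the UDP header."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 17:
        raise ValueError("only UDP is handled here")
    segment = packet[ihl:total_len]
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "payload": segment[8:length],
    }

if __name__ == "__main__":
    pkt = build_ipv4("192.168.1.10", "10.0.0.53", build_udp(40000, 53, b"hello"))
    print(decapsulate(pkt))
    # Flip the TTL byte: the checksum no longer matches and the receiver rejects it.
    tampered = pkt[:8] + bytes([pkt[8] ^ 0xFF]) + pkt[9:]
    try:
        decapsulate(tampered)
    except ValueError as e:
        print("rejected:", e)
```

The checksum only catches accidental corruption: an on-path attacker who changes the header simply recomputes it, which is why integrity against an adversary needs cryptography (TLS, IPsec), as the MITM bullet later in these notes says.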
IPv4 vs IPv6
- IPv4: 32-bit address space (~4.3 billion addresses; the central IANA pool has been exhausted). Private ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), 192.168.0.0/16. Loopback: 127.0.0.0/8, usually 127.0.0.1.
- IPv6: 128-bit address space (about 340 undecillion, 3.4 x 10^38, addresses). IPsec support was mandatory in the original node requirements but was relaxed to recommended (RFC 6434), and using it is optional either way, so IPv6 traffic is not encrypted by default. Flow label for QoS. Simplified fixed header. Effectively unlimited for foreseeable needs.
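The address ranges above in working code, as an added example that is not part of the original notes: a classifier for IPv4 and IPv6 addresses, and the same ranges reused as a BCP 38-style anti-spoofing ingress filter on an assumed internet-facing interface named wan0 (the interface name and the sample packets are constructed). The list of ranges is spelled out rather than taken from Python's ip.is_private, because that property also covers the documentation ranges and other special-purpose blocks.

```python
"""Added example, not part of the original notes: identifying which range an
address falls in, and using those ranges as a BCP 38-style anti-spoofing
ingress filter on an assumed internet-facing interface named 'wan0'.
Standard library only; the sample packets are constructed."""
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

PRIVATE = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
               "fc00::/7")                                       # IPv6 unique local
LOOPBACK = nets("127.0.0.0/8", "::1/128")
LINK_LOCAL = nets("169.254.0.0/16", "fe80::/10")
# Sources that can never legitimately arrive from the internet. An explicit list,
# not ip.is_private, which in Python also covers documentation and other
# special-purpose ranges.
BOGON_SOURCES = PRIVATE + LOOPBACK + LINK_LOCAL + nets("0.0.0.0/8")

def classify(addr: str) -> str:
    """Scope label for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr)   # a v4 address is never 'in' a v6 network, and vice versa
    for label, ranges in (("loopback", LOOPBACK), ("link-local", LINK_LOCAL), ("private", PRIVATE)):
        if any(ip in r for r in ranges):
            return label
    return "multicast" if ip.is_multicast else "global"

def ingress_allowed(iface: str, src: str, external_iface: str = "wan0") -> bool:
    """Drop packets on the external interface whose source could only have
    originated inside a private network: the internet cannot route such
    addresses back, so the source is spoofed or leaked. Other interfaces
    are not filtered here."""
    if iface != external_iface:
        return True
    ip = ipaddress.ip_address(src)
    return not any(ip in r for r in BOGON_SOURCES)

def filter_ingress(packets):
    """packets: iterable of (ingress interface, source, destination). Returns the ones to drop."""
    return [p for p in packets if not ingress_allowed(p[0], p[1])]

if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "127.0.0.1", "fe80::1", "fd12::1", "8.8.8.8"):
        print(f"{a:>18}  {classify(a)}")
    sample = [  # constructed packets: (ingress interface, source, destination)
        ("wan0", "8.8.8.8", "10.0.0.5"),
        ("wan0", "192.168.1.1", "10.0.0.5"),   # private source from the internet: spoofed
        ("wan0", "127.0.0.1", "10.0.0.5"),     # loopback source from the internet: spoofed
        ("lan0", "192.168.1.1", "10.0.0.5"),   # same source on the inside interface: fine
    ]
    print("dropped:", filter_ingress(sample))
```

Note that 172.32.0.1 classifies as global: the private block is /12, so it ends at 172.31.255.255, which is where the shorthand "172.16.x.x" misleads. The same list applied in the egress direction (only your own prefixes may leave) keeps your network from being used as a spoofed source in reflection attacks.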
Wireless (Wi-Fi) Security
Unlike wired networks, wireless signals can be intercepted at a distance without physical access. Key requirement: use WPA2 (with AES-CCMP, not TKIP) or, preferably, WPA3 to encrypt wireless traffic. WEP and the original WPA have known vulnerabilities and should not be used.
Network Threats and Attack Types
- DoS / DDoS: Overwhelming a target with requests until it can no longer serve legitimate users. DDoS uses a botnet of many compromised machines.
- Fragment Attack: Attacker fragments traffic in a way the receiving system cannot reassemble correctly.
- Oversized Packet Attack: Sending a packet larger than the receiving system can handle.
- Spoofing: Faking the sending address of a transmission to disguise identity or gain unauthorized entry.
- MITM / On-Path Attack: Attacker positions between two parties, intercepting and potentially modifying traffic. Encryption with endpoint authentication (e.g., TLS with certificate validation) is the primary defense; encryption alone does not help if the attacker can impersonate the endpoint.
- Virus: Malicious code that attaches to legitimate programs and replicates.
- Worm: Self-replicating malware that spreads without needing a host program.
- Trojan: Malicious code disguised as legitimate software.
- Rootkit: Malware that hides itself deep within the operating system.
- Phishing: Deceptive emails or sites designed to trick users into revealing credentials.
- Side-channel attack: Exploiting information leaked by the physical implementation (power consumption, timing) rather than the algorithm.
Ports and Protocols — Insecure vs Secure
If a protocol transmits data in cleartext, it is susceptible to network sniffing. The secure alternative typically wraps the same protocol in TLS (SSL is its deprecated predecessor) or replaces it with an SSH-based equivalent, usually on a different well-known port.
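A quick check for the cleartext services this section is about, as an added example that is not part of the original notes: it parses the output of ss -lntu (the sample output is constructed) and flags network-exposed listeners on well-known cleartext ports, naming the encrypted replacement. Inferring the protocol from the port is a heuristic, since any service can listen on any port, so confirm with a banner grab before acting on a finding.

```python
"""Added example, not part of the original notes: finding network-exposed
listeners that speak cleartext protocols by parsing `ss -lntu`-style output.
The output below is constructed. Mapping a port to a protocol is a heuristic
(any service can listen on any port), so confirm before acting."""
import ipaddress

# (transport, port) -> (cleartext protocol, encrypted replacement)
CLEARTEXT = {
    ("tcp", 21):  ("FTP",         "SFTP over SSH (22) or FTPS (990)"),
    ("tcp", 23):  ("Telnet",      "SSH (22)"),
    ("tcp", 25):  ("SMTP",        "STARTTLS on 25/587, or SMTPS on 465"),
    ("tcp", 80):  ("HTTP",        "HTTPS (443); keep 80 only to redirect"),
    ("tcp", 110): ("POP3",        "POP3S (995)"),
    ("tcp", 143): ("IMAP",        "IMAPS (993)"),
    ("tcp", 389): ("LDAP",        "LDAPS (636) or LDAP with StartTLS"),
    ("udp", 161): ("SNMP v1/v2c", "SNMPv3 with authPriv"),
}

def parse_listeners(ss_output: str):
    """Yield (transport, bind address, port) per socket line, skipping the header."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        host, port = fields[4].rsplit(":", 1)       # "Local Address:Port" column
        yield fields[0], host.strip("[]"), int(port)

def is_network_exposed(host: str) -> bool:
    """Loopback-only binds are reachable only from the host itself;
    '*', 0.0.0.0 and :: bind every interface."""
    if host == "*":
        return True
    return not ipaddress.ip_address(host).is_loopback

def audit_listeners(ss_output: str):
    """Return one finding per exposed listener on a known-cleartext port."""
    findings = []
    for transport, host, port in parse_listeners(ss_output):
        if not is_network_exposed(host) or (transport, port) not in CLEARTEXT:
            continue
        protocol, fix = CLEARTEXT[(transport, port)]
        findings.append({"transport": transport, "port": port, "bind": host,
                         "protocol": protocol, "recommendation": fix})
    return findings

# Constructed sample in the shape of `ss -lntu` output.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      5      *:21               *:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:80       0.0.0.0:*
tcp   LISTEN 0      128    [::]:389           [::]:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f['transport']}/{f['port']} on {f['bind']}: {f['protocol']} in cleartext -> {f['recommendation']}")
```

The HTTP listener bound to 127.0.0.1 is deliberately not reported: a service reachable only from the host itself is not exposed to network sniffing, which is why the bind address matters as much as the port.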
Identifying and Preventing Threats
- IDS (Intrusion Detection System): A passive monitoring tool that analyzes traffic and alerts on suspicious activity. It detects and reports but does not block.
- NIDS: Network-based IDS — monitors traffic across an entire network segment.
- HIDS: Host-based IDS — monitors activity on a specific individual machine.
- IPS (Intrusion Prevention System): Unlike an IDS, an IPS is placed inline with traffic and can actively block threats before they reach their target. All traffic passes through the IPS, so a false positive blocks legitimate traffic and the device itself becomes a point of failure; size it for the load and decide deliberately whether it fails open or closed.
- SIEM: Collects and correlates log data from many sources into a centralized platform. Provides comprehensive visibility and enables faster detection of threats spanning multiple systems.
- Firewalls: Traditional packet-filtering and stateful firewalls decide on Layer 3 and 4 information (addresses, ports, connection state). Next-generation firewalls (NGFWs) inspect up through Layer 7, adding IPS, deep packet inspection and application awareness, and can also enforce on Layer 2 attributes such as VLAN tags.
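The difference between a single-sensor IDS rule and SIEM correlation, as an added example that is not part of the original notes. Both detections run over constructed log lines in a made-up format: the port-scan rule only needs one traffic feed, as a NIDS has, while the spray-then-success rule needs SSH events from several hosts, which is what centralising logs in a SIEM provides. Hostnames, addresses and thresholds are assumptions.

```python
"""Added example, not part of the original notes: two detections over
constructed log lines. detect_port_scans is the kind of rule a NIDS applies to
one traffic feed; correlate_spray needs events from several hosts, which is
what a SIEM adds. Log format, hostnames and addresses are all made up."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CONN = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
AUTH = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_port_scans(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source touches >= threshold distinct destination ports
    within a sliding time window (a simple NIDS-style rule). Lines are
    assumed to be in time order, as a sensor would emit them."""
    recent = defaultdict(deque)          # src -> (timestamp, dport), oldest first
    alerted, alerts = set(), []
    for line in lines:
        m = CONN.match(line)
        if not m:
            continue
        src, ts, dport = m["src"], parse_ts(m["ts"]), int(m["dport"])
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:     # expire events that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)             # one alert per source, not one per packet
            alerts.append({"rule": "port-scan", "src": src, "ports": sorted(ports)})
    return alerts

def correlate_spray(lines, min_hosts=2):
    """Alert when a source fails to log in as the same user on >= min_hosts
    different hosts and then succeeds anywhere. No single host sees this
    pattern; it only appears once the logs are brought together."""
    failed_on = defaultdict(set)         # (src, user) -> hosts with failed logins
    alerts = []
    for line in lines:
        m = AUTH.match(line)
        if not m:
            continue
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failed_on[key].add(m["host"])
        elif len(failed_on[key]) >= min_hosts:
            alerts.append({"rule": "spray-then-success", "src": m["src"], "user": m["user"],
                           "failed_on": sorted(failed_on[key]), "succeeded_on": m["host"]})
    return alerts

# Constructed logs: a firewall sensor ("fw") and sshd on three hosts.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw conn src=203.0.113.9 dst=10.0.0.5 dport=21
2024-05-01T10:00:01Z fw conn src=203.0.113.9 dst=10.0.0.5 dport=22
2024-05-01T10:00:02Z fw conn src=203.0.113.9 dst=10.0.0.5 dport=23
2024-05-01T10:00:02Z fw conn src=10.0.0.7 dst=10.0.0.5 dport=443
2024-05-01T10:00:03Z fw conn src=203.0.113.9 dst=10.0.0.5 dport=80
2024-05-01T10:00:04Z fw conn src=10.0.0.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:05Z fw conn src=203.0.113.9 dst=10.0.0.5 dport=443
2024-05-01T10:01:00Z web1 sshd Failed password for admin from 203.0.113.9
2024-05-01T10:01:05Z db1 sshd Failed password for admin from 203.0.113.9
2024-05-01T10:01:09Z app1 sshd Accepted password for admin from 203.0.113.9
"""

if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for alert in detect_port_scans(lines) + correlate_spray(lines):
        print(alert)
```

The benign host 10.0.0.7 touches two ports and never alerts; the threshold and window are where tuning against false positives happens. The spray rule also shows why the SIEM should hold the auth logs of every host, not just the internet-facing ones: the successful login here lands on a third machine that saw no failures at all.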
On-Premises Data Centers
- Power: Backup systems (batteries, generators) must be sized for the critical load and tested regularly.
- HVAC: Recommended operating range 18°C–27°C. Temperature sensors at top, middle, and bottom of server racks.
- Fire Suppression: Gas-based systems are preferred for equipment because they leave no residue, but agents that work by displacing oxygen (CO2, inert-gas systems) are dangerous to anyone still in the room, so evacuation alarms and discharge delays are required. Water damages electronics.
- Redundancy: Duplicate components ensure a single failure does not take down operations. MOU/MOA with other organizations can also provide DR capability.
Cloud Computing
Cloud service models differ by the level of control the consumer has:
- SaaS (Software as a Service): Provider delivers complete applications. Consumer has no control over underlying infrastructure. Examples: Gmail, Microsoft 365.
- PaaS (Platform as a Service): Provider delivers a platform (OS, middleware, runtime). Consumer builds and deploys applications but does not manage infrastructure.
- IaaS (Infrastructure as a Service): Provider delivers raw compute resources. Consumer installs OS, middleware, and applications. Most control, most responsibility.
Cloud deployment models:
- Public Cloud: Shared infrastructure operated by a third party. Lowest cost, least control.
- Private Cloud: Dedicated to a single organization. Highest control, highest cost.
- Hybrid Cloud: Combination — sensitive workloads on private, less critical on public.
- Community Cloud: Shared by organizations with common concerns (compliance, mission).
An SLA (Service Level Agreement) is the contractual agreement defining minimum service levels, availability guarantees, security standards, data ownership, and remedies for failures.
Secure Network Design
- Network Segmentation / DMZ: A DMZ (Demilitarized Zone) is a segment accessible from the internet while isolated from the internal network. Public-facing servers are placed in the DMZ.
- VLAN: Virtual Local Area Network — logical segments within a physical network using switches. Reduces broadcast traffic and limits the scope of attacks. Note: VLAN hopping attacks (switch spoofing, double tagging) exist, so disable automatic trunk negotiation on access ports and keep user traffic off the native VLAN.
- VPN: Creates a tunnel over an untrusted network. Note that a VPN tunnel is not inherently encrypted (plain GRE, for instance, is not); security depends on the protocol configured, such as IPsec, WireGuard or a TLS-based VPN, and on how authentication is set up.
- Zero Trust: Removes the assumption that anything inside the network perimeter is trusted. "Never trust, always verify" — every access request must be authenticated and authorized regardless of origin. Microsegmentation with re-authentication at every lateral movement.
- NAC (Network Access Control): Enforces security policy compliance at the point of network connection. Checks antivirus, patches, and configuration before allowing access. Essential for BYOD and IoT.
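Segmentation and least privilege as something that can be checked rather than just drawn, as an added example that is not part of the original notes: a three-zone model (internet, DMZ, internal) with an explicit list of permitted flows, and an audit of a firewall ruleset against it. Zone prefixes, ports, the ruleset and the rule format are all constructed for the example.

```python
"""Added example, not part of the original notes: auditing a firewall ruleset
against a three-zone design (internet, DMZ, internal) and a least-privilege
list of permitted flows. Zone prefixes, ports, rules and rule format are constructed."""
import ipaddress

# Zone definitions. The internet zone is the catch-all: the most specific
# matching zone wins, so anything outside the DMZ and internal prefixes is internet.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "internal": ipaddress.ip_network("10.20.0.0/16"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Permitted flows per (source zone, destination zone) as (transport, port).
# Anything absent is forbidden; in particular there is no internet -> internal entry.
ALLOWED = {
    ("internet", "dmz"): {("tcp", 443)},
    ("dmz", "internal"): {("tcp", 5432)},            # web tier to the database only
    ("internal", "dmz"): {("tcp", 22), ("tcp", 443)},
    ("internal", "internet"): {("tcp", 443)},
}

def zone_of(cidr: str) -> str:
    """Most specific zone that fully contains the rule's address block.
    A block that straddles zones (e.g. 10.0.0.0/8) only fits the catch-all,
    so it is treated as internet, the least trusted option."""
    net = ipaddress.ip_network(cidr)
    matches = [(z.prefixlen, name) for name, z in ZONES.items() if net.subnet_of(z)]
    return max(matches)[1]

def audit(rules):
    """Return (rule index, reason) for every rule that breaks the zone policy."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        sz, dz = zone_of(r["src"]), zone_of(r["dst"])
        if r["proto"] == "any" or r["port"] == "any":
            findings.append((i, f"{sz}->{dz}: 'any' service; enumerate the ports actually needed"))
        elif (r["proto"], r["port"]) not in ALLOWED.get((sz, dz), set()):
            findings.append((i, f"{sz}->{dz}: {r['proto']}/{r['port']} is not a permitted flow"))
    last = rules[-1]
    if not (last["action"] == "deny" and last["src"] == "0.0.0.0/0" and last["dst"] == "0.0.0.0/0"):
        findings.append((len(rules) - 1, "ruleset does not end with an explicit deny-all"))
    return findings

RULES = [  # constructed ruleset, evaluated top to bottom
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "10.10.0.0/24",  "proto": "tcp", "port": 443},
    {"action": "allow", "src": "10.10.0.0/24", "dst": "10.20.5.0/24",  "proto": "tcp", "port": 5432},
    {"action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/16",  "proto": "tcp", "port": "any"},
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.1.15/32", "proto": "tcp", "port": 3389},
    {"action": "deny",  "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",     "proto": "any", "port": "any"},
]

if __name__ == "__main__":
    for index, reason in audit(RULES):
        print(f"rule {index}: {reason}")
```

Rules 2 and 3 are the classic mistakes: a DMZ host allowed to reach anything internal (a compromised web server then has the run of the network), and an RDP hole from the internet straight into the internal zone. Zero Trust and microsegmentation push the same idea further, so that each workload, not just each zone, has its own short allow list.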