NETWORK SECURITY ARCHITECTURE

Network security is a broad term that covers a multitude of technologies, devices, and processes. It is a set of rules and configurations designed to protect the integrity, confidentiality, and accessibility of computer networks and data using both software and hardware technologies.

The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. Each layer has specific security risks: 1. **Physical**: Physical theft, wiretapping. 2. **Data Link**: MAC spoofing, ARP poisoning. 3. **Network**: IP spoofing, DDoS. 4. **Transport**: SYN flood, port scanning. 5. **Session**: Session hijacking. 6. **Presentation**: Format manipulation. 7. **Application**: SQLi, XSS, Malware.

- **TCP**: Reliable and connection-oriented. Vulnerable to SYN flood attacks due to the three-way handshake. - **UDP**: Connectionless and faster. Vulnerable to amplification and reflection attacks because there is no handshake to verify the source IP.

It's the process used in a TCP/IP network to make a connection between a client and a server: 1. **SYN**: Client sends a synchronize packet. 2. **SYN-ACK**: Server acknowledges and sends its own sync. 3. **ACK**: Client acknowledges the server's sync. Attackers exploit this by sending many SYNs and never sending the final ACK (SYN Flood).

DNSSEC (Domain Name System Security Extensions) adds a layer of security to the DNS process by attaching digital signatures to DNS records. This prevents attackers from redirecting users to malicious websites via DNS spoofing or cache poisoning.

- **HTTP**: Data is sent in plain text. Vulnerable to sniffing. - **HTTPS**: HTTP over SSL/TLS. Data is encrypted, ensuring confidentiality and integrity between the user's browser and the server.

The TLS handshake is the process by which a client and server establish an encrypted connection. It involves negotiating the TLS version, choosing cipher suites, and verifying the server's identity via a digital certificate.

An IP address is a unique identifier for a device on a network. IP spoofing is a technique where an attacker sends IP packets with a forged source IP address to conceal their identity or impersonate another computer system.

A MAC address is a unique physical address assigned to a network interface controller (NIC). MAC spoofing involves changing the assigned MAC address to bypass access control lists (ACLs) on routers or switches.

ARP is used to map an IP address to a physical MAC address on a local area network. Since ARP doesn't verify the legitimacy of replies, it's vulnerable to 'ARP Poisoning' where an attacker maps their MAC to a target's IP.

DHCP automatically assigns IP addresses to devices. DHCP Snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers, preventing 'Rogue DHCP' attacks.

ICMP (Internet Control Message Protocol) is used for network diagnostics (e.g., Ping). Attackers use it for network mapping ('Ping Sweeps') and DDoS attacks ('Smurf attack').

Port 445 is used for SMB (Server Message Block) over TCP. It is high risk because it's frequently used for file sharing and has had many critical vulnerabilities (e.g., EternalBlue used by WannaCry).

Well-known ports are those from 0 to 1023. They are reserved for standard services like FTP (21), SSH (22), DNS (53), and HTTP (80).

IPv6 was designed with IPsec (encryption/authentication) as a mandatory requirement, whereas it was optional in IPv4. IPv6 also eliminates the need for NAT, though it introduces new complexities in firewalling.

SNMP (Simple Network Management Protocol) is used to manage network devices. Older versions (v1, v2c) send community strings (passwords) in plain text. SNMPv3 is the secure version as it supports encryption.

MTU is the largest size packet that can be transmitted over a network. Fragile networks can be attacked by sending packets just over the MTU size to force fragmentation and overhead (Teardrop attack).

BGP is the protocol that routes traffic between large networks (Autonomous Systems). BGP hijacking occurs when an attacker falsely advertises ownership of IP prefixes to redirect internet traffic to their own network.

TTL is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded. It prevents packets from looping infinitely.

SSH (Secure Shell) provides a secure, encrypted channel over an unsecure network. Telnet sends all data, including passwords, in clear text, making it insecure.

- **FTP**: Unencrypted, uses two ports (20, 21). - **SFTP**: Secure FTP over SSH. Single port (22), fully encrypted.

A port scan is a reconnaissance technique used to identify which ports on a network are open and what services are running. Tools like Nmap are commonly used.

NAT allows a single device, such as a router, to act as an agent between the Internet and a local network, which means that only a single, unique IP address is required to represent an entire group of computers.

- **Hub**: Broadcasts traffic to all ports (Insecure). - **Switch**: Sends traffic only to the specific MAC address (More secure). - **Router**: Connects different networks and makes routing decisions based on IP addresses.

Flow control is the process of managing the rate of data transmission between two nodes to prevent a fast sender from overwhelming a slow receiver.

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. It acts as a barrier between a trusted internal network and an untrusted external network, like the Internet.

1. **Packet Filtering**: Inspects individual packets (IP, Port). 2. **Stateful Inspection**: Keeps track of the state of active connections. 3. **Application Layer (Proxy)**: Inspects specific application data (HTTP, FTP). 4. **Next-Generation Firewall (NGFW)**: Includes deep packet inspection (DPI), IPS, and identity awareness.

A DMZ is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. It adds an extra layer of security to an organization's local area network (LAN).

- **IDS (Intrusion Detection System)**: A passive system that identifies and alerts for suspicious activity (e.g., Snort). - **IPS (Intrusion Prevention System)**: An active system that detects and blocks threats in real-time.

Defense in Depth is an information assurance concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails.

A load balancer distributes network or application traffic across a number of servers. Security benefits include DDoS mitigation, SSL offloading (centralized certificates), and health checks that shield unhealthy servers.

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application or process, for example, a proxy server or SSH gateway.

A WAF is a specific type of firewall that filters, monitors, and blocks HTTP traffic to and from a web application. It protects against attacks such as SQL injection, cross-site scripting (XSS), and file inclusion.

SIEM is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

A honeypot is a network-attached system set up as a decoy to lure cyberattackers and to detect, deflect, or study hacking attempts in order to gain information about how cybercriminals operate.

An air gap is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public internet.

- **Forward Proxy**: Sits in front of a group of client machines to regulate their outbound traffic. - **Reverse Proxy**: Sits in front of a group of web servers to regulate their inbound traffic and provide load balancing/security.

Network segmentation is the practice of splitting a network into multiple distinct sub-networks (segments), each being its own separate network. This limits the 'blast radius' if one segment is compromised.

VLANs allow a single physical switch to host multiple logical networks. Security involves preventing 'VLAN hopping' attacks through proper port configuration and tagging.

Zero Trust is a security framework requiring all users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated before being granted or keeping access to applications and data.

- **RADIUS**: Uses UDP, encrypts only the password. Better for network access (WiFi). - **TACACS+**: Uses TCP, encrypts the entire packet. Better for device administration (CISCO routers).

Split tunneling is a computer networking concept which allows a mobile user to access dissimilar security domains like a public network and a local LAN or WAN at the same time, using the same or different network connections.

DPI is an advanced method of packet filtering that examines the data part (payload) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, or intrusions.

Port security is a Layer 2 traffic control feature on Cisco switches that enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses to communicate on that port.

Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It represents a significant security risk for data leakage.

Log management involves the collective processes and policies used to administer and facilitate the generation, transmission, analysis, storage, archiving and ultimate disposal of the large volumes of log data created within an information system.

An ACL is a list of permissions attached to an object. In networking, ACLs are filters that enable a router or switch to control which packets are allowed to enter or exit a network interface.

Endpoint security or endpoint protection is an approach to protection of computer networks that are remotely bridged to client devices. The connection of laptops, tablets, mobile phones and other wireless devices to corporate networks creates attack paths.

BYOD security involves managing and securing the laptops, smartphones, and tablets that employees bring to work. It often requires Mobile Device Management (MDM) solutions.

A hub broadcasts all traffic, allowing any connected device to sniff all data. A switch maintains a MAC table and directs traffic only to the destination port, preventing basic sniffing, though sophisticated attacks like ARP spoofing can still work.

A Virtual Private Network (VPN) creates a secure tunnel over an insecure network. Key components include encryption (e.g., AES), authentication (certificates/passwords), and tunneling protocols (e.g., IPsec, SSL).

IPsec (Internet Protocol Security) is a suite of protocols to secure IP communications. Two modes: 1. **Transport Mode**: Only the payload is encrypted (Used for end-to-end communication). 2. **Tunnel Mode**: The entire IP packet is encrypted and encapsulated with a new header (Used for Site-to-Site VPNs).

A SSL VPN (Secure Sockets Layer VPN) is a type of virtual private network (VPN) that uses the Secure Sockets Layer (SSL) protocol—or, more accurately, the Transport Layer Security (TLS) protocol—in standard web browsers to provide secure, remote-access VPN capability.

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It is faster and more efficient than both IPsec and OpenVPN.

- **WEP**: Extremely insecure, easily crackable. - **WPA**: Improved WEP, but still vulnerable (TKIP). - **WPA2**: Uses AES encryption, widely used today. - **WPA3**: Latest standard, protects against offline dictionary attacks and provides forward secrecy.

WPA3 uses SAE (Simultaneous Authentication of Equals) to replace the WPA2 4-way handshake, protecting against offline dictionary attacks. It also uses 192-bit cryptographic strength for higher security.

A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. It is a form of wireless phishing.

Disabling SSID broadcasting prevents the network name from appearing in the list of available networks. While it provides 'security by obscurity', it is easily bypassed by sniffers like Kismet or Airodump-ng.

Wardriving is the act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using a laptop or smartphone.

- **Bluejacking**: Sending unsolicited messages to Bluetooth-enabled devices. - **Bluesnarfing**: The theft of information from a wireless device through a Bluetooth connection.

- **Site-to-Site**: Connects two complete networks (e.g., Office A to Office B). - **Remote Access**: Connects a single user to a private network (e.g., Employee working from home).

WPS was designed to make WiFi setup easy. It is vulnerable to brute-force attacks on the 8-digit PIN, allowing attackers to recover the main WPA key in hours.

In wireless security (WPA-Enterprise), RADIUS is used for centralized authentication. Instead of a single shared password, each user logs in with their own unique credentials.

A captive portal is a Web page that the user of a public-access network is obliged to view and interact with before access is granted. Frequently used for authentication and terms of service.

KRACK is a protocol vulnerability in the WPA2 standard's 4-way handshake, allowing an attacker to decrypt traffic, hijack connections, and inject malware.

MAC filtering allows only specific devices to connect to a network based on their physical address. It's easily bypassed by sniffing an authorized MAC and 'spoofing' it on the attacker's device.

Always On VPN is a solution that enables users to stay connected to their organization's network whenever their device is connected to the internet, without needing to manually start the connection.

PKI uses digital certificates to verify the identity of the VPN gateway and/or the user. It is much more secure than using static pre-shared keys (PSK).

Beacons are frames sent periodically by an Access Point to announce its presence. Analyzing beacons can reveal technical details about the network configuration.

PFS ensures that even if a server's private key is compromised in the future, past encrypted sessions cannot be decrypted because each session uses a unique, ephemeral key.

L2TP is a tunneling protocol that does not provide any encryption by itself. It is almost always paired with IPsec (L2TP/IPsec) to provide a secure VPN connection.

PPTP is old and has many security flaws. L2TP provides no encryption but, when combined with IPsec, is much more secure and reliable than PPTP.

A VPN kill switch is a security feature that automatically disconnects your device from the internet if your VPN connection drops, preventing your real IP address from being exposed.

802.1X is a network authentication protocol that opens a port for network access only when a user's identity has been verified. It involves three parties: the Supplicant (device), Authenticator (switch/AP), and Authentication Server (RADIUS).

Threat modeling is a structured process with three objectives: identify security objectives, enumerate vulnerabilities, and define counter-measures to prevent or mitigate the effects of threats to the system.

STRIDE is a threat modeling framework: - **S**poofing identity. - **T**ampering with data. - **R**epudiation. - **I**nformation disclosure. - **D**enial of service. - **E**levation of privilege.

- **DoS**: An attack originating from a single source aimed at making a service unavailable. - **DDoS**: An attack originating from multiple sources (botnets) simultaneously, making it much harder to block.

Amplification attacks exploit a asymmetry in protocol request/response sizes. For example, in a DNS amplification attack, a small query results in a much larger response sent to the victim's IP (spoofed).

Traffic scrubbing is the process of diverting network traffic to a high-capacity network where specialized hardware can filter out malicious traffic (like DDoS) and pass only clean traffic to the destination.

- **In-Band**: Managing devices through the same network channels used for regular data traffic. - **Out-of-Band**: Managing devices through a dedicated, isolated network (e.g., console ports or separate management LAN), which is more secure.

Session hijacking involves an attacker taking over a user's active session. Prevention includes using non-predictable session IDs, implementing HTTPS (HSTS), and utilizing the 'Secure' and 'HttpOnly' cookie flags.

- **Stateless**: Filters based only on the current packet's attributes. - **Stateful**: Understands the context of the connection (e.g., if a packet is a response to an existing outbound request) and is more secure.

- **AH (Authentication Header)**: Provides integrity and authentication but NO encryption (data is visible). - **ESP (Encapsulating Security Payload)**: Provides encryption, integrity, and authentication.

- **Agent-Based**: Requires software installation on the target. Provides deep visibility but higher overhead. - **Agentless**: Scans via the network (e.g. via SSH/WMI). Lower overhead but less depth.

Change management ensures that modifications to the network (e.g., firewall rule changes) are documented, tested, and approved. Most security breaches result from misconfigurations during unauthorized changes.

- **Vulnerability Assessment**: A passive scan to identify known weaknesses. - **Penetration Test**: An active simulation of an attack to see if vulnerabilities can actually be exploited.

Egress filtering is the practice of monitoring and potentially restricting the flow of information leaving a network. It's critical for preventing malware from 'calling home' (C2) and preventing data exfiltration.

Port mirroring is used on a network switch to send a copy of network packets seen on a specific port to a network monitoring connection. This is how IDS and packet sniffers receive data for analysis.

Network hardening is the process of securing a network by reducing its surface of vulnerability. This includes disabling unused services, closing unused ports, and implementing strong authentication.

An attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. The server stays in 'SYN-RCVD' state waiting for an ACK that never comes.

Attackers bypass Deep Packet Inspection using fragmentation, non-standard port usage, or high-level encryption (TLS) where the DPI engine cannot inspect the payload.

Path MTU Discovery (PMTUD) can be exploited by sending fake ICMP 'Fragmentation Needed' messages, causing a connection to drop its packet size significantly, leading to poor performance or denial of service.

Network forensics involves the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. Tools like Wireshark and full-packet capture systems are used.

Cloud networking relies heavily on 'Security Groups' (virtual firewalls) and Software-Defined Networking (SDN). The 'Shared Responsibility Model' means the provider secures the hardware while the user secures the virtual network.

IoCs include unusual outbound traffic to known malicious IPs, spikes in DNS requests, large data transfers at odd hours, and repeat connection attempts to closed ports.

Protocol fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a network protocol stack to find crashes or memory leaks.

A broadcast storm is a state where a network is overwhelmed by continuous broadcast traffic. Often caused by a Layer 2 loop (lack of STP - Spanning Tree Protocol).

Micro-segmentation is a security technique that enables security policies to be granularly defined and assigned to individual workloads (VMs/Containers), preventing lateral movement within the data center.

To ensure the CIA Triad (Confidentiality, Integrity, and Availability) for all network communications and to maintain a resilient infrastructure capable of resisting, detecting, and recovering from attacks.