Network Security Fundamentals

Explain Introduction.

Explain The OSI Model.

Explain The TCP/IP Stack.

Explain IP Addressing and Subnetting.

Networks are the arteries of modern computing: nearly every piece of software of consequence communicates over a network, and nearly every organization's most sensitive data flows…

The internet, as the world's largest and most open network, is simultaneously its most powerful communications medium and its largest attack surface.

Understanding how networks function — their architecture, protocols, and inherent vulnerabilities — is a prerequisite for understanding how to defend them.

Networks are the arteries of modern computing: nearly every piece of software of consequence communicates over a network, and nearly every organization's most sensitive data flows…

The internet, as the world's largest and most open network, is simultaneously its most powerful communications medium and its largest attack surface.

Understanding how networks function — their architecture, protocols, and inherent vulnerabilities — is a prerequisite for understanding how to defend them.

This chapter begins with a review of the networking concepts needed to understand security: the OSI and TCP/IP models, addressing, and routing.

The Open Systems Interconnection (OSI) model is a conceptual framework that divides network communication into seven distinct layers.

Each layer provides services to the layer above it and relies on the layer below.

Understanding this model is critical for security professionals because different attacks target different layers, and defensive tools are typically designed to operate at one or…

The TCP/IP model is the practical implementation underlying the internet.

It collapses the OSI's seven layers into four: - Application Layer (combines OSI layers 5-7): HTTP/S, DNS, SMTP, SSH.

- Transport Layer (OSI layer 4): TCP (connection-oriented, reliable) and UDP (connectionless, best-effort).

- Internet Layer (OSI layer 3): IP addressing and routing.

Every device on an IP network has an IP address (IPv4: 32-bit, written as four octets, e.g., 192.168.1.100; IPv6: 128-bit, written in hexadecimal).

A subnet mask defines which portion of an IP address identifies the network and which identifies the host within that network.

CIDR notation (e.g., 192.168.1.0/24) expresses the subnet mask as the number of bits in the network portion.

Understanding subnetting is foundational to network segmentation, a core defensive strategy discussed later in this chapter.

Security threats do not target the network as a monolithic entity — they target specific protocols and mechanisms at specific layers.

Understanding the layer at which a threat operates guides the appropriate defensive response.

- Layer 1 (Physical) : Physical eavesdropping (tapping copper cables), jamming wireless signals, unauthorized physical access to network hardware.

- Layer 2 (Data Link) : ARP poisoning, MAC flooding (overwhelming a switch's address table to force broadcasting), VLAN hopping.

The Address Resolution Protocol (ARP) maps IP addresses to MAC (hardware) addresses on a local network segment.

ARP is a stateless protocol — devices cache ARP replies without verifying whether they requested them.

An attacker on the same local network segment can broadcast forged ARP replies, associating their own MAC address with the IP address of another device (such as the default…

Subsequent traffic destined for that IP address is then forwarded to the attacker instead.

The Domain Name System (DNS) translates human-readable domain names (e.g., www.bank.com) into IP addresses.

DNS cache poisoning (also called DNS spoofing) involves injecting false DNS records into a resolver's cache so that subsequent lookups for a domain return an attacker-controlled…

Classic DNS poisoning exploited the fact that DNS used predictable transaction IDs and source ports.

The Kaminsky attack (discovered in 2008) demonstrated a practical, fast method for poisoning DNS caches on a wide scale.

IP spoofing involves sending IP packets with a forged source address, making the traffic appear to originate from a different host.

IP spoofing is used in denial-of-service attacks (to amplify traffic or make the source harder to trace) and in some types of session hijacking.

Defenses include ingress filtering : routers at network perimeters are configured to drop packets arriving from outside the network that claim to have source addresses belonging…

A SYN flood attack exploits the TCP three-way handshake.

The attacker sends a large volume of SYN packets — typically with spoofed source IPs — to a target server.

The server allocates resources (a half-open connection entry in its state table) and sends SYN-ACK responses that never receive an ACK because the source IPs are fake.

As the state table fills, the server can no longer accept legitimate connections.

Packet sniffing (or network capture) involves capturing and analyzing network traffic.

On networks using hubs (which broadcast traffic to all ports), sniffing is trivial.

Modern switched networks only forward frames to the intended recipient, but sniffing is still possible through ARP poisoning, compromising a switch's SPAN port, or placing a…

Wireshark is the most widely used packet capture and analysis tool.

Port scanning probes a target host's TCP or UDP ports to discover which services are running.

Nmap (Network Mapper) is the de facto standard tool for port scanning and network discovery.

A basic TCP SYN scan sends SYN packets to a range of ports; open ports respond with SYN-ACK, closed ports respond with RST, and filtered ports (behind a firewall) produce no…

Nmap also supports OS detection, service version detection, and script-based vulnerability scanning through the Nmap Scripting Engine (NSE).

A firewall is the most fundamental network security control — a device or software that monitors and controls incoming and outgoing network traffic based on predefined security…

Packet-filtering firewalls (Layer 3) examine individual packets and make allow/deny decisions based on source IP, destination IP, protocol, and port number.

They are fast but stateless — they cannot distinguish between a new connection request and an established connection's return traffic.

Stateful inspection firewalls (Layer 4) track the state of network connections and make decisions based on context.

An Intrusion Detection System (IDS) monitors network traffic or host activity for signs of malicious activity and generates alerts.

An Intrusion Prevention System (IPS) goes further — it actively blocks detected attacks in real time.

Both IDS and IPS can use two fundamental detection approaches: - Signature-based detection : Compares traffic against a database of known attack patterns (signatures).

Highly effective against known threats; ineffective against novel ("zero-day") attacks.

Network segmentation divides a network into isolated zones, limiting the blast radius of a compromise.

If an attacker gains access to one segment, they cannot freely move to others.

VLANs (Virtual Local Area Networks) implement segmentation at Layer 2 using logical rather than physical separation.

Traffic between VLANs must pass through a router or Layer 3 switch, where firewall rules can be applied.

A DMZ (Demilitarized Zone) is a network segment that hosts publicly accessible services (web servers, mail servers, DNS) while being isolated from the internal network.

Traffic from the internet is permitted to reach DMZ hosts (with restrictions), but DMZ hosts cannot freely initiate connections into the internal network.

A typical DMZ architecture uses two firewalls: an outer firewall between the internet and the DMZ, and an inner firewall between the DMZ and the internal network.

This ensures that even a complete compromise of a DMZ server does not give the attacker direct access to internal systems.

A VPN (Virtual Private Network) creates an encrypted tunnel between endpoints over a public network (typically the internet), providing confidentiality and integrity for the…

VPNs are used to allow remote employees to securely access internal resources, to connect geographically separated offices, and to provide privacy for general internet browsing.

IPSec (Internet Protocol Security) operates at Layer 3 and can be deployed in transport mode (encrypting only the payload) or tunnel mode (encrypting the entire original IP…

IPSec uses two main protocols: AH (Authentication Header) for integrity without encryption, and ESP (Encapsulating Security Payload) for both confidentiality and integrity.

Network Access Control (NAC) systems enforce security policy before allowing devices to connect to a network.

A NAC system can verify that a device meets minimum security requirements (up-to-date operating system patches, active antivirus, required security software) before granting…

Devices that fail compliance checks may be placed in a quarantine VLAN until remediated.

NAC is implemented using the 802.1X standard in conjunction with a RADIUS authentication server.

SIEM is the backbone of a Security Operations Center (SOC).

Popular SIEM platforms include Splunk, IBM QRadar, Microsoft Sentinel, and the open-source Elastic Stack (ELK).

Effective SIEM implementation requires careful tuning to balance detection sensitivity with alert fatigue — too many low-quality alerts cause analysts to become desensitized,…

WEP (Wired Equivalent Privacy) , the original Wi-Fi security protocol (802.11b, 1997), is a cautionary tale in protocol design.

WEP used the RC4 stream cipher with a 40-bit (later 104-bit) key, XORed with a 24-bit Initialization Vector (IV) that was transmitted in plaintext.

Critical flaws: - The 24-bit IV space was small enough that IVs were reused frequently on busy networks, allowing traffic analysis.

- Several classes of "weak" IVs leaked key material, enabling key recovery with as few as 40,000-80,000 captured packets (achievable in minutes on a busy network).

WPA2 (Wi-Fi Protected Access 2) , based on the IEEE 802.11i standard, replaced WEP and WPA using the CCMP (Counter Mode CBC-MAC Protocol) based on AES-128.

WPA2 comes in two variants: - WPA2-Personal (PSK) : Uses a pre-shared key.

The passphrase is used to derive the PMK (Pairwise Master Key) , from which session keys are derived through the 4-way handshake .

The 4-way handshake can be captured and subjected to offline dictionary attacks if the passphrase is weak.

Introduction

The OSI Model

The TCP/IP Stack

IP Addressing and Subnetting

Where Introduction applies.

Where The OSI Model applies.

How the difference changes the security decision.

Identify the asset or process at risk.

Choose a preventive, detective, or corrective control.

Explain what evidence would prove the control is working.

Define one core concept in plain language.

Compare two controls or threats from the week.

Apply one idea to a campus or business system.

Evaluate why a solution might fail in practice.

Collect evidence, not just screenshots.

Explain what the artifact proves.

Connect the proof back to risk and control selection.

Network Security Fundamentals

Security is a decision process, not just a tool list.

Use the reading to justify practical choices.