Network Security Fundamentals Guide

The document provides an overview of network security, including its goals, key components, and common threats such as malware and phishing. It discusses cryptographic techniques, security protocols like SSL/TLS and IPSec, and the importance of firewalls and intrusion detection systems. Additionally, it covers risk management and the role of security policies in protecting organizational assets.

Uploaded by

Aditya Amrale

1. Introduction to Network Security

1.1 Basics of Network Security

Network security consists of the provisions and policies adopted by a network administrator
to prevent and monitor unauthorized access, misuse, modification, or denial of a computer
network and network-accessible resources.

• Goal: To create a secure environment for users, devices, and applications to interact.

• Key Components:

  o Physical Security: Protecting actual hardware (routers, servers) from physical tampering.

  o Technical Security: Using software and protocols (Firewalls, VPNs, Encryption) to protect data in transit.

  o Administrative Security: Policies, user training, and access levels defined by the organization.

1.2 Security Goals: The CIA Triad

The CIA Triad is the benchmark model designed to guide information security policies within
an organization.

Goal, Description, and Common Measures:

Confidentiality
  Description: Ensuring that data is accessible only to those authorized to have access.
  Common Measures: Encryption, Access Control Lists (ACLs), Two-Factor Authentication (2FA).

Integrity
  Description: Ensuring that data is accurate and has not been tampered with or altered during transit.
  Common Measures: Digital Signatures, Hashing (MD5, SHA), Version Control.

Availability
  Description: Ensuring that systems, networks, and data are available to users when needed.
  Common Measures: Redundancy (RAID), DDoS protection, regular backups, hardware maintenance.

1.3 Security Threats and Attacks

Threats are potential violations of security, while attacks are the actual actions taken to
exploit vulnerabilities.

A. Malware (Malicious Software)

Broad term for any software intentionally designed to cause damage to a computer, server,
or network.

• Viruses/Worms: Self-replicating programs that spread through files or networks.

• Ransomware: Encrypts a victim's files, demanding payment (ransom) for the decryption key.

• Spyware: Secretly monitors user activity to steal sensitive info (e.g., keyloggers).

B. Phishing

A form of Social Engineering where attackers pose as legitimate institutions (via email, SMS,
or phone) to trick individuals into providing sensitive data like passwords or credit card
numbers.

C. DoS/DDoS (Denial of Service)

• DoS: A single source floods a system with traffic to exhaust its resources, making it unavailable.

• DDoS (Distributed DoS): The attack comes from multiple compromised systems (a Botnet) simultaneously, making it much harder to block.

1.4 Security Policies and Risk Management

Security Policies

A formal document that outlines the rules, expectations, and instructions on how an
organization protects its technology and information assets.

• Acceptable Use Policy (AUP): Defines what users can and cannot do on the network.

• Access Control Policy: Outlines who has access to which data (Principle of Least Privilege).

Risk Management

The process of identifying, assessing, and controlling threats to an organization's capital and
earnings.
1. Identification: Finding vulnerabilities and threats.

2. Assessment: Determining the likelihood and impact of a threat.

3. Mitigation: Implementing controls (like firewalls or training) to reduce risk.

4. Monitoring: Continually reviewing the security posture.

OSI Security Architecture (ITU-T X.800)

The X.800 standard provides a systematic way to define security requirements and
characterize approaches to satisfy them. It organizes security into three main categories:

1. Security Attacks

• Passive Attacks: Monitoring/eavesdropping (e.g., Release of message contents, Traffic analysis). Hard to detect but easy to prevent (encryption).

• Active Attacks: Modifying data or creating false streams (e.g., Masquerade, Replay, Modification, Denial of Service).

2. Security Mechanisms

Features designed to detect, prevent, or recover from an attack.

• Specific: Encipherment (encryption), Digital Signatures, Access Control.

• Pervasive: Trusted Functionality, Security Audit Trails, Recovery.

3. Security Services

Services that enhance security (often by using one or more mechanisms).

• Authentication: Confirming identity.

• Access Control: Preventing unauthorized use of a resource.

• Non-repudiation: Preventing someone from denying they sent or received a message.

2. Cryptographic Techniques

2.1 Fundamentals of Cryptography

• Cryptography: The science of securing information by transforming it into an unreadable format.

• Plaintext: The original, readable message or data.

• Ciphertext: The scrambled, unreadable version of the message produced after encryption.

• Cipher Key: A piece of information (a string of bits) used by a cryptographic algorithm to transform plaintext into ciphertext (Encryption) and vice versa (Decryption).

2.2 Categories of Cryptography

1. Symmetric Key (Secret Key): Both the sender and receiver use the same key for
encryption and decryption. It is fast but requires a secure way to share the key.

2. Asymmetric Key (Public Key): Uses a pair of keys. A Public Key (shared with
everyone) for encryption and a Private Key (kept secret) for decryption.

2.3 Key Exchange Mechanisms: Diffie-Hellman

The Diffie-Hellman (DH) algorithm allows two parties to establish a shared secret key over
an insecure channel without ever having met or sent the key itself.

• It relies on the mathematical difficulty of calculating discrete logarithms.

• Note: It provides key exchange but does not provide encryption or authentication on its own.
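The exchange described above, carried through in code as an added example (not part of the original guide). The group parameters P = 23 and G = 5 are textbook toy values chosen so that the arithmetic is visible; real deployments use standardized groups of 2048 bits or more. The brute-force function shows what an eavesdropper who sees only the public values would have to solve, which is why the size of the group matters:

```python
import secrets

# Toy public parameters, constructed for this example only. Real deployments use
# standardized groups of 2048 bits or more (e.g. RFC 7919) or elliptic curves.
P = 23   # prime modulus, public
G = 5    # generator of the multiplicative group mod P, public


def private_key(p=P):
    """Random secret exponent in [2, p-2]; it never leaves the party that chose it."""
    return 2 + secrets.randbelow(p - 3)


def public_value(priv, p=P, g=G):
    """The value each party sends over the insecure channel: g^priv mod p."""
    return pow(g, priv, p)


def shared_secret(peer_public, priv, p=P):
    """Each side raises the peer's public value to its own secret exponent.
    (g^b)^a == (g^a)^b mod p, so both sides obtain the same number."""
    return pow(peer_public, priv, p)


def dh_exchange(p=P, g=G):
    """Run one full exchange; returns (A, B, alice_secret, bob_secret)."""
    a, b = private_key(p), private_key(p)
    A, B = public_value(a, p, g), public_value(b, p, g)
    return A, B, shared_secret(B, a, p), shared_secret(A, b, p)


def brute_force_dlog(public, p=P, g=G):
    """What an eavesdropper who saw only (p, g, public) would have to do: recover
    the exponent by trying every candidate. Trivial for p = 23, infeasible for
    properly sized groups; this is the discrete-logarithm assumption DH rests on."""
    for x in range(p - 1):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    A, B, s_alice, s_bob = dh_exchange()
    print(f"A={A} B={B} shared={s_alice} (Bob computes {s_bob})")
    # Nothing above proves who sent A or B: DH alone does not authenticate.
    # Protocols such as TLS sign the exchange with a certificate for that reason.
```

The shared value is the same on both sides although only A and B ever crossed the channel; what the exchange does not give you is any assurance of who is on the other end, which is the gap the note above refers to.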

2.4 & 2.5 Symmetric Key Cryptography & Ciphers

2.5.1 Traditional Ciphers

• Substitution Cipher: Replacing one character/unit with another (e.g., Caesar Cipher).

• Shift Cipher: A type of substitution where letters are moved a fixed number of positions down the alphabet.

• Transposition Cipher: Shuffling the order of the units without changing the units themselves (e.g., Rail Fence cipher).

2.5.2 Simple Modern Ciphers

• XOR: A bitwise operation where 0 XOR 0 = 0, 1 XOR 1 = 0, and 0 XOR 1 = 1. If you XOR plaintext with a key, XORing the result with the same key returns the plaintext.

• Rotation Cipher: Bit-level circular shifting.

• S-Box (Substitution Box): Replaces input bits with output bits to provide confusion (obscuring the relationship between the key and ciphertext).

• P-Box (Permutation Box): Transposes bits to provide diffusion (spreading the influence of one plaintext bit over many ciphertext bits).
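The three cipher families from 2.5.1 and the XOR property from 2.5.2, implemented as an added example (this code is not from the guide). A shift cipher is a substitution, Rail Fence is a transposition, and XOR with a repeated key shows the self-inverse property; the function names and the sample inputs are this example's own:

```python
def shift_encrypt(text, k):
    """Shift cipher: move each letter k positions down the alphabet (Caesar: k = 3).
    Non-letters pass through unchanged; case is preserved."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(text, k):
    return shift_encrypt(text, -k)


def _zigzag(n, rails):
    """Row index visited by each of n characters when written in a zig-zag."""
    rows, r, step = [], 0, 1
    for _ in range(n):
        rows.append(r)
        if r == 0:
            step = 1
        elif r == rails - 1:
            step = -1
        r += step
    return rows


def rail_fence_encrypt(text, rails):
    """Transposition: the characters are unchanged, only their order moves."""
    if rails < 2:
        return text
    pattern = _zigzag(len(text), rails)
    return "".join(ch for row in range(rails)
                   for ch, r in zip(text, pattern) if r == row)


def rail_fence_decrypt(cipher, rails):
    """Rebuild the zig-zag, fill each rail with its run of ciphertext, read it back."""
    if rails < 2:
        return cipher
    pattern = _zigzag(len(cipher), rails)
    slots, pos = [], 0
    for row in range(rails):
        count = pattern.count(row)
        slots.append(list(cipher[pos:pos + count]))
        pos += count
    return "".join(slots[r].pop(0) for r in pattern)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position, repeating the key.
    Because x ^ k ^ k == x, the same function both encrypts and decrypts.
    A short repeated key leaks patterns (two ciphertexts XOR to the XOR of their
    plaintexts); XOR is only unconditionally secure as a one-time pad."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
```

Rail Fence with three rails and "WEAREDISCOVEREDFLEEATONCE" reproduces the classic textbook ciphertext, and every character of the plaintext is still present in the output, which is what distinguishes transposition from substitution.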

2.5.3 Modern Round Ciphers: DES

• Data Encryption Standard (DES): A block cipher that uses a 56-bit key to process data in 64-bit blocks.

• It uses a Feistel Network structure with 16 rounds of substitution and permutation. (Largely replaced by AES due to small key size).

2.5.4 Modes of Operation

Since block ciphers encrypt fixed-size blocks, modes of operation define how to handle data
larger than one block:

• ECB (Electronic Codebook): Each block is encrypted independently. Identical plaintext blocks result in identical ciphertext (Insecure for patterns).

• CBC (Cipher Block Chaining): Each block is XORed with the previous ciphertext block before encryption. Uses an Initialization Vector (IV) for the first block.

• CFB (Cipher Feedback) & OFB (Output Feedback): Convert block ciphers into stream ciphers.
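ECB versus CBC as an added example (not code from the guide). The block cipher underneath is a constructed toy (XOR with a key-derived pad plus a byte rotation) standing in for AES so the example runs with the standard library only; what matters is the chaining logic around it. With three identical plaintext blocks, ECB produces three identical ciphertext blocks while CBC, seeded by an IV, produces three different ones. PKCS#7-style padding is included so inputs of any length round-trip:

```python
import hashlib
import os

BLOCK = 8  # toy block size in bytes (AES uses 16)


def _toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """TOY block cipher, constructed for this example and NOT secure: XOR with a
    key-derived pad, then rotate the bytes. It is deterministic per (key, block),
    which is the only property the modes below depend on."""
    pad = hashlib.sha256(key).digest()[:BLOCK]
    x = bytes(a ^ b for a, b in zip(block, pad))
    rot = pad[0] % BLOCK
    return x[rot:] + x[:rot]


def _toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    pad = hashlib.sha256(key).digest()[:BLOCK]
    rot = pad[0] % BLOCK
    x = block[BLOCK - rot:] + block[:BLOCK - rot]   # undo the rotation
    return bytes(a ^ b for a, b in zip(x, pad))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding: append n bytes of value n (always at least one)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal blocks stay equal."""
    return b"".join(_toy_block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """CBC: C_i = E(P_i XOR C_{i-1}) with C_0 = IV. The IV is prepended to the output."""
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, []
    for p in _blocks(pad(plaintext)):
        prev = _toy_block_encrypt(key, bytes(a ^ b for a, b in zip(p, prev)))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """P_i = D(C_i) XOR C_{i-1}; the IV read from the front plays the role of C_0."""
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for c in _blocks(body):
        p = _toy_block_decrypt(key, c)
        out.append(bytes(a ^ b for a, b in zip(p, prev)))
        prev = c
    return unpad(b"".join(out))


def ciphertext_blocks(ciphertext: bytes):
    return _blocks(ciphertext)


def ecb_leaks_repetition(key: bytes, plaintext: bytes) -> bool:
    """True when the ECB output contains duplicate blocks, i.e. plaintext
    structure is visible in the ciphertext."""
    blocks = ciphertext_blocks(ecb_encrypt(key, plaintext))
    return len(blocks) != len(set(blocks))
```

The pattern leak is the whole reason ECB is discouraged for anything longer than one block: an observer learns which parts of the message repeat without recovering a single key bit.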

2.6 Asymmetric Key Cryptography: RSA & Security Services

RSA (Rivest-Shamir-Adleman): The most common asymmetric algorithm. Its security is
based on the difficulty of factoring a large number into its two prime factors.

2.6.1 Message Confidentiality

• Symmetric: Fast, used for bulk data encryption.

• Asymmetric: Slower, often used to encrypt the "Symmetric Key" for secure delivery (Hybrid Encryption).

2.6.2 Message Integrity

• Message Digest (Hash): A "fingerprint" of a document. If even one bit of the document changes, the hash changes completely. Common algorithms: SHA-256, MD5.

2.6.3 Message Authentication

• MAC (Message Authentication Code): Uses a secret key + the message to produce a tag. Ensures the message hasn't changed and comes from someone with the key.

• HMAC: A specific type of MAC involving a cryptographic hash function.

2.6.4 Digital Signatures

A digital signature provides Authentication, Integrity, and Non-repudiation.

1. Sender hashes the message.

2. Sender encrypts the hash with their Private Key.

3. Receiver decrypts the hash with the sender's Public Key. If it matches the hash of the
received message, the signature is valid.
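Sections 2.6.2 to 2.6.4 in one added example (not the guide's code): the avalanche effect of a digest, an HMAC tag with constant-time verification, and the three signature steps above run over a toy RSA key. The primes p = 61 and q = 53 are textbook values so the modulus is small enough to follow; real keys are 2048 bits or more and sign a padded digest rather than the bare value used here:

```python
import hashlib
import hmac


def digest(msg: bytes) -> str:
    """Message digest: a fixed-size fingerprint of the message."""
    return hashlib.sha256(msg).hexdigest()


def flip_one_bit(msg: bytes, bit: int = 0) -> bytes:
    out = bytearray(msg)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests (about half of 256 for any change)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_mac(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 tag: binds the message to whoever holds the key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, msg: bytes, tag: str) -> bool:
    # constant-time comparison so timing does not reveal how much of the tag matched
    return hmac.compare_digest(make_mac(key, msg), tag)


# Toy RSA for the three signature steps. Constructed with tiny primes so the
# arithmetic is visible; real keys are 2048+ bits and use a padding scheme (PSS).
def toy_rsa_keypair(p=61, q=53, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)        # (public key, private key)


def _hash_as_int(msg: bytes, n: int) -> int:
    # Toy reduction so the digest fits the tiny modulus; real schemes never do this.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(private_key, msg: bytes) -> int:
    """Steps 1 and 2: hash the message, then apply the private exponent."""
    d, n = private_key
    return pow(_hash_as_int(msg, n), d, n)


def verify_signature(public_key, msg: bytes, signature: int) -> bool:
    """Step 3: apply the public exponent and compare with a fresh hash of the message."""
    e, n = public_key
    return pow(signature, e, n) == _hash_as_int(msg, n)
```

The same three properties the section lists fall out of the test: a one-bit edit changes roughly half the digest bits (integrity), a tag only verifies with the right key (authentication), and only the private-key holder could have produced a signature that the public key accepts (non-repudiation).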

2.6.5 Entity Authentication

Verifying that an entity (user or device) is who they claim to be.

• Fixed Passwords: Traditional login (vulnerable to sniffing).

• Challenge-Response: The server sends a random "challenge" (nonce). The user must perform a cryptographic operation (using their password/key) and send back the "response." The actual password is never sent over the network.
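The challenge-response exchange with both sides' messages, as an added example (not from the guide). The cryptographic operation assumed here is an HMAC over the nonce keyed with a PBKDF2-derived key; the class and function names are this example's own. The server discards each nonce before checking the answer, so a captured response cannot be replayed, and the password never appears on the wire. One caveat the section does not mention: an observer still sees salt, nonce and response, so a weak password remains guessable offline, which is why the key derivation is deliberately slow and why such exchanges normally run inside TLS:

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the example


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides turn the password into a key; the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AuthServer:
    def __init__(self):
        self._users = {}     # user -> (salt, derived key); no plaintext passwords stored
        self._pending = {}   # user -> outstanding nonce (single use)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str):
        """Step 1: server sends a fresh random nonce (and the user's public salt)."""
        salt, _ = self._users[user]
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Step 3: recompute the expected response and compare in constant time.
        The nonce is discarded first, so a captured response cannot be replayed."""
        nonce = self._pending.pop(user, None)
        if nonce is None or user not in self._users:
            return False
        _, key = self._users[user]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: client proves knowledge of the password by keying an HMAC over the nonce."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def login(server: AuthServer, user: str, password: str) -> bool:
    salt, nonce = server.challenge(user)
    return server.verify(user, client_response(password, salt, nonce))
```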

3. Network Security Protocols


3.1 SSL & TLS (Transport Layer)

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), provide security
for communication over networks by encrypting the link between a web server and a
browser.

3.1.1 SSL Services

• Fragmentation: Breaks data into manageable blocks.

• Compression: Optional reduction of data size.

• Message Integrity: Uses Message Authentication Codes (MAC).

• Confidentiality: Encrypts the payload using symmetric encryption.

3.1.2 & 3.1.3 Sessions vs. Connections

• Session: An association between a client and a server created by the Handshake Protocol. Sessions define a set of cryptographic security parameters to avoid expensive negotiation for every connection.

• Connection: A transient, peer-to-peer communication link. One session can support multiple connections (e.g., loading multiple images on one webpage).

• Parameters: These include the Session Identifier, Peer Certificate, Compression Method, and Cipher Spec (encryption and hash algorithms).

3.1.4 Transport Layer Security (TLS)

TLS is the standardized, more secure version of SSL.

• Key difference: TLS uses a more secure HMAC algorithm and a wider variety of cipher suites than the original SSL.

• Handshake: The process where the client and server "introduce" themselves, agree on encryption versions, and exchange keys.

3.2 IP Security (IPSec)


IPSec operates at the Network Layer (Layer 3). It secures all traffic between two endpoints,
regardless of the application.

3.2.1 Two Modes

1. Transport Mode: Only the payload (the data) of the IP packet is encrypted/authenticated. The original IP header is preserved. Usually used for end-to-end communication.

2. Tunnel Mode: The entire IP packet (including the original header) is encrypted and placed inside a new IP packet with a new header. Used for VPNs.

3.2.2 Two Security Protocols

• AH (Authentication Header): Provides integrity and authentication of the sender. It does not provide confidentiality (data is not encrypted).

• ESP (Encapsulating Security Payload): Provides confidentiality (encryption) in addition to authentication and integrity. ESP is more commonly used today.

3.3.3 & 3.3.4 IPSec Services & Security Association (SA)

• Services: Connectionless integrity, Data origin authentication, Anti-replay service, and Confidentiality.

• Security Association (SA): A one-way "contract" between a sender and receiver that defines the security parameters (keys, protocols) for their communication. For two-way communication, two SAs are required.

3.3 Virtual Private Networks (VPNs)

A VPN creates a "tunnel" through a public network (like the Internet) to provide secure
access to a private network.

• Remote Access VPN: Allows individual users to connect to a central organizational network.

• Site-to-Site VPN: Connects two entire branch offices together.

• Mechanism: VPNs typically use IPSec or SSL/TLS to ensure that data remains private and untampered with while crossing the public web.

3.4 Wireless Security Protocols


Wireless signals travel through the air, making them easy to intercept. These protocols
protect Wi-Fi networks:

Protocol, Security Level, and Key Features:

WEP (Wired Equivalent Privacy)
  Security Level: Obsolete/Weak
  Key Features: Uses 24-bit IV; easily cracked in minutes with modern tools.

WPA (Wi-Fi Protected Access)
  Security Level: Legacy
  Key Features: Introduced TKIP to change keys frequently; better than WEP but still vulnerable.

WPA2
  Security Level: Standard
  Key Features: Uses AES (Advanced Encryption Standard) and CCMP. Very secure for most users.

WPA3
  Security Level: Strongest
  Key Features: Introduced in 2018. Uses SAE (Simultaneous Authentication of Equals) to prevent dictionary attacks and provides stronger 192-bit encryption.

4. Intrusion Detection and Prevention


4.1 Firewalls: Types and Configurations

A firewall is a network security device that monitors and filters incoming and outgoing
network traffic based on an organization's previously established security policies.

Types of Firewalls (by Method of Operation)

• Packet-Filtering Firewall: The most basic type. It inspects packets at the network layer and filters them based on source/destination IP, protocol, and port numbers. It is fast but cannot "see" the data payload.

• Stateful Inspection Firewall: Tracks the "state" of active connections. It remembers if an incoming packet is part of an established conversation, making it much more secure than basic packet filters.

• Application-Level Gateway (Proxy Firewall): Operates at the Application Layer. It acts as an intermediary, preventing direct connection between the network and the outside world. It can inspect the content of specific protocols (like HTTP or FTP).

• Next-Generation Firewall (NGFW): Combines traditional firewall capabilities with advanced features like Deep Packet Inspection (DPI), encrypted traffic inspection, and integrated Intrusion Prevention (IPS).

Common Firewall Configurations

• Screened Host Architecture: Uses a packet-filtering router and a "Bastion Host" (a highly secured server). All external traffic must go through the bastion host.

• Screened Subnet (DMZ): The most secure common setup. It uses two firewalls to create a "Demilitarized Zone" (DMZ). Public-facing servers (web, mail) sit in the DMZ, while the internal network is protected by a second inner firewall.

4.2 IDS and IPS

While firewalls act as a "locked door," IDS and IPS act as the "security cameras and guards"
inside the building.

Feature by feature, Intrusion Detection System (IDS) vs. Intrusion Prevention System (IPS):

Role
  IDS: Passive: Monitors and alerts.
  IPS: Active: Detects and automatically blocks.

Placement
  IDS: Out-of-band (monitors a copy of traffic).
  IPS: In-line (traffic must flow through it).

Action
  IDS: Generates an alert for the admin.
  IPS: Drops packets or resets connections.

Detection Methods

• Signature-Based: Matches traffic against a database of known "signatures" or patterns of past attacks (like an antivirus).

• Anomaly-Based: Creates a "baseline" of normal network behavior. Anything that deviates significantly from this baseline (e.g., a sudden spike in traffic at 3 AM) triggers an alert.
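Both detection methods run over a constructed sample log, as an added example (not from the guide). The log lines, the two signature patterns, and the baseline rule (requests per minute per source, learned from an early window, with a bucket flagged when it exceeds ten times the baseline) are all this example's own choices. Note what each method catches: the signatures find the two requests carrying known attack strings, the anomaly rule finds the source that suddenly sends forty requests in one minute, and neither method finds what the other does:

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample log (not real traffic). Format: "<HH:MM> <src_ip> <method> <request>"
SAMPLE_LOG = "\n".join([
    "09:00 10.0.0.5 GET /index.html",
    "09:00 10.0.0.7 GET /about.html",
    "09:01 10.0.0.5 GET /products?id=42",
    "09:01 10.0.0.9 GET /login",
    "09:02 10.0.0.7 GET /contact",
    "09:02 10.0.0.5 GET /products?id=42' OR '1'='1",
    "09:03 10.0.0.9 GET /../../etc/passwd",
    "09:03 10.0.0.5 GET /index.html",
] + [f"09:04 10.0.0.99 GET /item?id={i}" for i in range(40)])

# Signature rules: fixed patterns of previously seen attack traffic
SIGNATURES = [
    ("sql_injection", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path_traversal", re.compile(r"\.\./")),
]


def parse(log: str):
    """Return (minute, src_ip, request) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            minute, src, _method, request = parts
            events.append((minute, src, request))
    return events


def signature_alerts(events):
    """Signature-based detection: each request is matched against every known pattern."""
    return [(src, name, req)
            for _, src, req in events
            for name, pat in SIGNATURES if pat.search(req)]


def build_baseline(events, train_until: str) -> float:
    """Anomaly-based detection, phase 1: learn the normal requests-per-minute per
    source from a training window (minutes before train_until)."""
    counts = Counter((m, s) for m, s, _ in events if m < train_until)
    return mean(counts.values()) if counts else 0.0


def anomaly_alerts(events, baseline: float, multiplier: float = 10, floor: int = 5):
    """Phase 2: flag any (minute, source) bucket far above the learned baseline.
    The floor stops a near-zero baseline from flagging every single request."""
    counts = Counter((m, s) for m, s, _ in events)
    limit = max(floor, multiplier * baseline)
    return [(m, s, c) for (m, s), c in sorted(counts.items()) if c > limit]
```

A real IDS would also report the matched rule and the time, and its baseline would be per source and per hour of day rather than a single mean, but the division of labour is the same: signatures are precise and blind to anything new, the baseline catches the unexpected and produces false positives when normal behaviour shifts.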

4.3 Honeypots and Honeynets

• Honeypot: A decoy system designed to look like a high-value target (e.g., a database with "customer info") but is actually a trap. It is used to lure attackers away from real assets and study their methods.

• Honeynet: A network of multiple honeypots. It simulates an entire production network to capture more complex attacker behavior, like lateral movement across servers.

  o Production Honeypots: Used by companies to distract and detect active intruders.

  o Research Honeypots: Used by security researchers to gather intelligence on new, emerging threats.

4.4 SIEM (Security Information and Event Management)

SIEM is a high-level management layer that sits above all other security tools.

• How it Works: It collects Log Data and Event Data from firewalls, IDS/IPS, servers, and antivirus software across the entire organization.

• Key Functions:

  o Log Management: Centralized storage of all security logs.

  o Event Correlation: Connecting the dots between separate events (e.g., "User A logged in from Russia" + "User A just downloaded the entire HR database" = An alert).

  o Reporting: Providing automated reports for compliance (like HIPAA or GDPR).

  o Real-time Alerting: Notifying the Security Operations Center (SOC) immediately when a high-risk pattern is detected.
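The event-correlation function from the list above, written out as an added example (not the guide's code). Events from two separate sources (a VPN gateway and a file server) are normalized into one schema, and a single rule fires only when a login from a country outside the organization's usual set is followed within thirty minutes by a bulk download from the same account. The events, the "usual countries" set, the ZZ placeholder country code and the thresholds are all constructed for the example; neither event is an alert on its own, which is the point of correlation:

```python
from datetime import datetime, timedelta

# Constructed, normalized events from two sources (not real logs). Country codes
# and byte counts are placeholders chosen for the example.
EVENTS = [
    {"ts": "2024-05-01T08:55:00", "source": "vpn", "user": "alice", "action": "login", "country": "DE"},
    {"ts": "2024-05-01T09:10:00", "source": "fileserver", "user": "alice", "action": "download", "bytes": 2_000_000},
    {"ts": "2024-05-01T21:00:00", "source": "vpn", "user": "bob", "action": "login", "country": "ZZ"},
    {"ts": "2024-05-01T21:12:00", "source": "fileserver", "user": "bob", "action": "download", "bytes": 5_000_000_000},
    {"ts": "2024-05-01T22:00:00", "source": "vpn", "user": "carol", "action": "login", "country": "ZZ"},
    {"ts": "2024-05-02T09:00:00", "source": "fileserver", "user": "carol", "action": "download", "bytes": 5_000_000_000},
]
USUAL_COUNTRIES = {"DE", "FR"}  # constructed per-organization baseline


def correlate(events, usual_countries, window=timedelta(minutes=30), big_download=1_000_000_000):
    """Correlation rule: a login from an unusual country followed, within `window`,
    by a bulk download from the same account. Neither event alone is an alert."""
    alerts = []
    recent_odd_login = {}  # user -> timestamp of the latest unusual-country login
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["source"] == "vpn" and e["action"] == "login":
            if e["country"] not in usual_countries:
                recent_odd_login[e["user"]] = ts
            else:
                recent_odd_login.pop(e["user"], None)   # a normal login clears the flag
        elif e["source"] == "fileserver" and e["action"] == "download" and e["bytes"] >= big_download:
            t0 = recent_odd_login.get(e["user"])
            if t0 is not None and ts - t0 <= window:
                alerts.append({
                    "user": e["user"],
                    "login_at": t0.isoformat(),
                    "download_at": ts.isoformat(),
                    "bytes": e["bytes"],
                    "severity": "high",
                })
    return alerts
```

Alice's download is large but follows an ordinary login, Carol's unusual login is never followed by a download inside the window, and only Bob's sequence produces an alert; this is the "connecting the dots" the section describes, and the same structure extends to any pair of events a SOC wants to link.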

5. Web & API Security


5.1 OWASP Top 10 Security Risks

The Open Web Application Security Project (OWASP) is a global non-profit that identifies
the most critical security risks to web applications. The 2021/2025 standards focus on:

1. A01: Broken Access Control: Users acting outside of their intended permissions (e.g., a regular user accessing an admin panel).

2. A02: Cryptographic Failures: Formerly "Sensitive Data Exposure." Focuses on failures to protect data in transit and at rest (e.g., using HTTP instead of HTTPS).

3. A03: Injection: SQL, NoSQL, or Command injection where malicious data is sent to an interpreter.

4. A04: Insecure Design: A new category focusing on flaws in the architecture rather than the code implementation.

5. A05: Security Misconfiguration: Using default passwords, keeping unnecessary features enabled, or unpatched software.

6. A06: Vulnerable and Outdated Components: Using libraries or frameworks with known security holes.

7. A07: Identification and Authentication Failures: Weak passwords, lack of MFA, or improper session management.

8. A08: Software and Data Integrity Failures: Focusing on CI/CD pipelines and software updates without integrity checks.

9. A09: Security Logging and Monitoring Failures: Inability to detect a breach because logs aren't being monitored or even created.

10. A10: Server-Side Request Forgery (SSRF): Forcing a server to make an unauthorized request to an internal or external resource.

5.2 Secure Authentication & Authorization

While often used interchangeably, these are two distinct steps in security:

OAuth 2.0 (Authorization Framework)

Allows a third-party application to access a user's data without ever seeing the user's
password (e.g., "Sign in with Google").

• Mechanism: Uses Scopes and Access Tokens to delegate limited permissions.

• Key Benefit: Centralized control and the ability to revoke access.

JWT (JSON Web Token - Authentication)

A compact, URL-safe way to represent "claims" between two parties.

• Structure: Composed of three parts: [Link].

• How it Works: The server generates a JWT after login. The client sends this token in the header of every subsequent request. Because it is signed, the server can verify it without looking at a database (Stateless).
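An HS256 JWT built and verified with the standard library, as an added example (not code from the guide). A JWT is three base64url segments joined by dots: header, payload (the claims) and signature over the first two. The verifier here does the checks a server must make before trusting the claims: the algorithm in the header is the one expected, the HMAC matches under the server's key, and the token has not expired. The secret, the claims and the helper names are constructed for the example:

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Server side, after login: header.payload.signature, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: bytes, now: float = None):
    """Return the claims if the token is valid, else None. No database lookup is
    needed: the signature alone proves the server issued these exact claims."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None   # refuse "none" and any algorithm the server did not choose
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None   # payload or signature was altered, or wrong key
        claims = json.loads(b64url_decode(p))
    except ValueError:    # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None       # expired; stateless tokens rely on exp for revocation
    return claims


def with_modified_payload(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the old signature, to show that verification
    notices any change made without the key."""
    h, _, s = token.split(".")
    return h + "." + b64url(json.dumps(new_claims).encode()) + "." + s
```

The stateless property cuts both ways: the server cannot forget a token it has issued, so short expiry times (and a refresh flow) are what stand in for the revocation that a session database would provide.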

5.3 & 5.4 Secure API Design & WAF

Secure API Design

APIs are a primary target for modern attackers. Secure design includes:

• Rate Limiting: Preventing "brute force" or DoS attacks by limiting how many requests a user can make per minute.

• Input Validation: Never trust client-side data; sanitize every parameter to prevent injection.

• HTTPS Only: Ensuring all API traffic is encrypted using TLS.

• Least Privilege: APIs should only return the specific data requested, not entire database objects.

Web Application Firewall (WAF)

A WAF is a specific type of firewall that filters, monitors, and blocks HTTP traffic to and from
a web service.

• Difference from Network Firewall: A network firewall protects Layers 3 & 4 (IPs and Ports). A WAF protects Layer 7 (Application), looking specifically for SQL injection, Cross-Site Scripting (XSS), and OWASP risks.

5.5 Emerging Threats and Trends

5.5.1 Cloud Security & Zero Trust

• Zero Trust Architecture (ZTA): Shifts the mindset from "Trust but Verify" to "Never Trust, Always Verify." It assumes the network is already compromised.

  o Key Principles: Continuous authentication, Micro-segmentation (dividing the network into small zones), and Least Privilege access.

• Cloud Security: Focuses on the "Shared Responsibility Model": the cloud provider secures the infrastructure, but the user must secure the data and configurations.

5.5.2 AI and Machine Learning in Cybersecurity

AI is currently an "arms race" in the security world:

• The Defense (AI for Good):

  o Anomaly Detection: ML models can spot a "weird" login attempt that a human would miss.

  o Automated Response: AI can automatically shut down a port the millisecond it detects a ransomware pattern.

• The Threat (AI for Evil):

  o AI-Driven Phishing: Attackers use LLMs to write perfect, personalized emails that don't have the typical "broken English" errors.

  o Adversarial AI: Hackers try to "poison" the data used to train security models, making the AI blind to certain types of attacks.
