Network Security Fundamentals
Security is not an afterthought; it is built into the network design. From firewalls to VPNs, defense in depth is key.
1. The CIA Triad
Every security decision balances these three pillars:
- Confidentiality: Only authorized users can read the data. (Encryption, VPNs).
- Integrity: The data has not been altered in transit. (Hashing, HMAC).
- Availability: The system is accessible when needed. (DDoS protection, Redundancy).
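Integrity is the pillar most often misunderstood: a bare hash sent alongside the data only catches accidental corruption, because whoever alters the data can recompute the hash. A keyed MAC (HMAC) cannot be recomputed without the shared key. The following Python is an added illustration, not part of the original notes; the key and message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: a key shared by sender and receiver, and a message.
KEY = b"constructed-shared-secret"
MESSAGE = b"transfer 100 to account 42"


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; producing it requires the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time so timing leaks nothing."""
    return hmac.compare_digest(make_tag(key, message), received_tag)


def integrity_check_results() -> dict:
    """Contrast a bare hash with an HMAC when a message is altered in transit."""
    tampered = MESSAGE.replace(b"42", b"99")
    original_tag = make_tag(KEY, MESSAGE)

    # Bare hash: the receiver checks sha256(message) == received_hash. An adversary who
    # rewrites the message simply ships the hash of the new message, and the check passes.
    shipped_hash = hashlib.sha256(tampered).digest()
    bare_hash_accepts_tampered = hashlib.sha256(tampered).digest() == shipped_hash

    # HMAC: without KEY the adversary can only replay the old tag, which no longer matches.
    return {
        "bare_hash_accepts_tampered": bare_hash_accepts_tampered,
        "hmac_accepts_original": verify_tag(KEY, MESSAGE, original_tag),
        "hmac_accepts_tampered": verify_tag(KEY, tampered, original_tag),
    }


if __name__ == "__main__":
    print(integrity_check_results())
```

The same distinction is why TLS and IPsec carry a MAC (or an AEAD tag) rather than a plain checksum.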
2. Firewalls: Packet Filtering vs Stateful
A firewall sits at the perimeter (or internally) to enforce policy.
- Stateless (ACLs): Inspects each packet in isolation. Fast but "dumb". Cannot tell if a packet is part of an established connection.
- Stateful Inspection (SPI): Tracks the state of active connections in a session table.
  - If a client sends a SYN (outbound), the firewall dynamically permits the return SYN-ACK (inbound).
- Next-Gen Firewall (NGFW): Deep Packet Inspection (DPI). Looks at Layer 7 (Application) to block specific URLs, malware, or app behaviors regardless of port.
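To make the stateless-versus-stateful difference concrete, here is an added Python simulation (not part of the original notes). The stateless filter mimics the classic "established" style ACL entry, which permits inbound TCP whenever the ACK bit is set; the stateful firewall keeps a session table and only admits inbound packets that answer a connection an inside host opened. The packets and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed minimal TCP packet. direction is relative to the protected network:
    "out" = inside to outside, "in" = outside to inside."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    direction: str


def stateless_established_filter(pkt: Packet) -> str:
    """Stateless rule: permit all outbound; permit inbound TCP only if ACK is set.
    It never remembers earlier packets, so it cannot tell a reply from a forged one."""
    if pkt.direction == "out":
        return "permit"
    return "permit" if "ACK" in pkt.flags else "deny"


class StatefulFirewall:
    """Session table keyed by the inside host's 4-tuple (src, sport, dst, dport)."""

    def __init__(self) -> None:
        self.sessions = {}  # 4-tuple -> "SYN_SENT" | "ESTABLISHED"

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions[key] = "SYN_SENT"  # record the connection attempt
            return "permit"
        # Inbound: look up the reversed tuple. Unsolicited packets have no entry.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            return "deny"
        if state == "SYN_SENT":
            if {"SYN", "ACK"} <= pkt.flags:
                self.sessions[key] = "ESTABLISHED"
                return "permit"
            return "deny"  # only a SYN-ACK is a valid reply at this point
        if "RST" in pkt.flags:
            del self.sessions[key]  # connection torn down; forget the state
        return "permit"


def compare_filters() -> dict:
    """Run a constructed exchange through both filters and collect the verdicts."""
    fw = StatefulFirewall()
    inside, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    exchange = {
        "outbound_syn": Packet(inside, 40000, server, 443, frozenset({"SYN"}), "out"),
        "reply_synack": Packet(server, 443, inside, 40000, frozenset({"SYN", "ACK"}), "in"),
        # Unsolicited inbound packet that merely has the ACK bit set.
        "unsolicited_ack": Packet(stranger, 1234, inside, 22, frozenset({"ACK"}), "in"),
        "unsolicited_syn": Packet(stranger, 5555, inside, 22, frozenset({"SYN"}), "in"),
    }
    return {
        name: {"stateless": stateless_established_filter(p), "stateful": fw.process(p)}
        for name, p in exchange.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:16} {verdict}")
```

The "unsolicited_ack" row is the point: both filters agree on the genuine SYN and SYN-ACK, but only the session table rejects an inbound packet that has the ACK bit set without any matching connection.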
Standard vs Extended ACLs (Cisco Syntax)
| Type | Range | Features | Placement |
|---|---|---|---|
| Standard | 1-99 | Source IP only. | Close to Destination (it cannot see the destination, so placing it near the source would also block traffic to every other destination). |
| Extended | 100-199 | Source, Destination, Protocol, Port. | Close to Source (Drop early, before unwanted traffic crosses the network). |
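The evaluator below is an added Python example (not from the original notes) that parses the numbered-ACL syntax in the table above and applies first-match-wins semantics with the implicit deny at the end. It handles the standard (source only) and extended (protocol, source, destination, `eq` port) forms with `any`, `host`, and network/wildcard addresses; the sample configuration is constructed. Note that a wildcard mask is the inverse of a subnet mask: a 1 bit means "don't care".

```python
import ipaddress

# Constructed sample configuration in Cisco IOS numbered-ACL syntax.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 443
access-list 101 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Consume 'any', 'host X' or 'NET WILDCARD'; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def _matches(ip: str, net: int, wild: int) -> bool:
    """Compare only the bits where the wildcard mask is 0."""
    care = ~wild & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def parse_acls(config: str) -> dict:
    """Return {acl_number: [entries]} in configured order."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:  # standard: source only
            src, swild, _ = _parse_addr(t, 3)
            entry = {"action": action, "proto": "ip", "src": (src, swild),
                     "dst": (0, ALL_ONES), "dport": None}
        elif 100 <= number <= 199:  # extended
            proto = t[3]
            src, swild, i = _parse_addr(t, 4)
            dst, dwild, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entry = {"action": action, "proto": proto, "src": (src, swild),
                     "dst": (dst, dwild), "dport": dport}
        else:
            raise ValueError(f"ACL number {number} outside the ranges handled here")
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(acl: list, src: str, dst: str, proto: str = "ip", dport=None) -> str:
    """First matching entry wins; no match hits the implicit 'deny any'."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not _matches(src, *e["src"]) or not _matches(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print(evaluate(acls[101], "192.168.1.7", "10.0.0.5", "tcp", 23))   # deny (Telnet)
    print(evaluate(acls[101], "192.168.1.7", "10.0.0.5", "tcp", 443))  # permit
```

Because ACL 10 matches on source only, applying it near the source would drop 192.168.2.0/24 traffic to every destination, which is exactly why the table places standard ACLs close to the destination.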
3. VPNs (Virtual Private Networks)
VPNs extend a private network across a public network (the Internet) using tunneling (GRE/IPsec) and encryption.
Engineer's Notebook: IPsec IKE Phases
Phase 1 (IKE SA): Authenticate peers (Pre-Shared Key / Certs) and negotiate encryption for the management channel. (UDP 500).
Phase 2 (IPsec SA): Negotiate encryption for the actual data traffic (ESP/AH; ESP is IP protocol 50).
Troubleshooting Tip: "Phase 1 is up, Phase 2 is down" usually means a mismatch in the crypto map (ACLs or Transform Sets).
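The troubleshooting tip can be turned into a mechanical check. The Python below is an added example, not part of the original notes: it compares an operator's transcription of each peer's Phase 2 settings and reports the mismatches that leave Phase 1 up but Phase 2 down. The field names are this example's own (not IOS keywords), the peer values are constructed, and the crypto ACL test is that peer B's entries are the mirror image of peer A's (local and remote networks swapped).

```python
import ipaddress

# Constructed summaries of two peers' crypto maps, as transcribed from their configs.
PEER_A = {
    "transform_set": ("esp-aes 256", "esp-sha256-hmac"),
    "pfs": "group14",
    "crypto_acl": [("10.1.0.0/16", "10.2.0.0/16")],  # (local network, remote network)
}
PEER_B = {
    "transform_set": ("esp-aes 256", "esp-sha-hmac"),  # integrity algorithm differs
    "pfs": "group14",
    "crypto_acl": [("10.2.0.0/16", "10.1.0.0/16")],  # mirror image of A's entry
}


def _acl_set(acl, swap: bool) -> set:
    """Normalise (local, remote) pairs to ip_network objects, optionally swapped."""
    pairs = set()
    for local, remote in acl:
        l, r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        pairs.add((r, l) if swap else (l, r))
    return pairs


def phase2_mismatches(a: dict, b: dict) -> list:
    """Return human-readable findings; an empty list means Phase 2 should negotiate."""
    findings = []
    if set(a["transform_set"]) != set(b["transform_set"]):
        findings.append(
            f"transform set differs: {a['transform_set']} vs {b['transform_set']}")
    if a["pfs"] != b["pfs"]:
        findings.append(f"PFS group differs: {a['pfs']} vs {b['pfs']}")
    if _acl_set(a["crypto_acl"], swap=False) != _acl_set(b["crypto_acl"], swap=True):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


if __name__ == "__main__":
    for finding in phase2_mismatches(PEER_A, PEER_B) or ["no Phase 2 mismatch found"]:
        print(finding)
```

Running it on the constructed peers flags only the transform set; correcting peer B to `esp-sha256-hmac` clears the list, while changing one side's crypto ACL to a non-mirrored network produces a second finding.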
4. Historical Security Failures
- Telnet (Port 23): Sends passwords in clear text. Replaced by SSH (Port 22).
- HTTP (Port 80): Unencrypted. Replaced by HTTPS (Port 443) + TLS.
- WEP (Wired Equivalent Privacy): Early WiFi security. Used a weak Initialization Vector (IV) and could be cracked in minutes. Replaced by WPA2/WPA3 (AES).
5. Common Network Attacks
- MITM (Man-in-the-Middle): Attacker intercepts traffic. (e.g., ARP Spoofing). Mitigation: Dynamic ARP Inspection (DAI).
- DoS / DDoS: Flooding a target with traffic. (e.g., SYN Flood). Mitigation: Rate Limiting, Scrubbing Centers.
- Spoofing: Faking a Source IP. Mitigation: uRPF (Unicast Reverse Path Forwarding).
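uRPF reuses the router's own forwarding table as a sanity check on the source address: in strict mode the packet is forwarded only if the best route back to its source points out the interface it arrived on; loose mode merely requires that some non-default route to the source exists (used where routing is asymmetric). The Python below is an added example, not part of the original notes; the routing table, interface names, and addresses are constructed.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). The default route is listed
# because uRPF deliberately does not count it as a route to the source.
ROUTES = [
    ("10.0.0.0/8", "Gi0/1"),
    ("10.20.0.0/16", "Gi0/2"),
    ("192.0.2.0/24", "Gi0/3"),
    ("0.0.0.0/0", "Gi0/0"),
]


def best_route(ip: str, routes=ROUTES):
    """Longest-prefix match, the same FIB lookup uRPF piggybacks on."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src_ip: str, ingress_iface: str, mode: str = "strict", routes=ROUTES) -> str:
    """Return "forward" or "drop" for a packet with src_ip arriving on ingress_iface."""
    route = best_route(src_ip, routes)
    # No route, or only the default route: the source is not legitimately reachable.
    if route is None or route[0].prefixlen == 0:
        return "drop"
    if mode == "strict":
        return "forward" if route[1] == ingress_iface else "drop"
    if mode == "loose":
        return "forward"
    raise ValueError(f"unknown uRPF mode {mode!r}")


if __name__ == "__main__":
    # A packet claiming to come from 10.20.5.5 but arriving on Gi0/1 fails strict uRPF.
    print(urpf_check("10.20.5.5", "Gi0/2"))           # forward
    print(urpf_check("10.20.5.5", "Gi0/1"))           # drop
    print(urpf_check("10.20.5.5", "Gi0/1", "loose"))  # forward
```

Strict mode is the stronger check but breaks on asymmetric paths, which is why edge interfaces facing stub customers are the usual place to enable it.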