Key Takeaways

  • Defense in depth: Multiple security layers
  • Network segmentation limits breach impact
  • Zero Trust: Never trust, always verify
  • Visibility is key - you can't protect what you can't see

1. Network Security Fundamentals

Network security encompasses technologies, devices, and processes to protect network infrastructure from unauthorized access, misuse, and attacks. It's the foundation of enterprise security—if the network is compromised, everything connected to it is at risk.

OSI Model Security

2. Firewalls Deep Dive

Firewall Types

# iptables examples (Linux)
# Block all incoming, allow outgoing
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from specific IP
iptables -A INPUT -s 192.168.1.100 -p tcp --dport 22 -j ACCEPT

# Block specific IP
iptables -A INPUT -s 10.0.0.50 -j DROP

# Rate-limit, log and drop SSH brute-force attempts (4th new connection from the
# same source within 60 s). The "recent" list must be populated with --set before
# --update/--rcheck can match, and these rules must precede any rule that accepts port 22.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix "SSH-BRUTE: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP

3. IDS/IPS Systems

IDS vs IPS

# Snort IDS/IPS configuration
# /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any

# Custom rule example (belongs in a rules file such as $RULE_PATH/local.rules, not in snort.conf)
# Note: "threshold" inside a rule is deprecated in Snort 2.9+; detection_filter / event_filter replace it
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force"; \
    flow:to_server; threshold:type both, track by_src, count 5, seconds 60; \
    sid:100001; rev:1;)

# Suricata (alternative)
suricata -c /etc/suricata/suricata.yaml -i eth0

4. Network Segmentation

Segmentation Benefits
  • Limits lateral movement after breach
  • Contains malware/ransomware spread
  • Enables granular access control
  • Simplifies compliance (isolate PCI scope)

VLAN Configuration

! Cisco switch VLAN example (IOS uses "!" for comments)
vlan 10
  name USERS
vlan 20
  name SERVERS
vlan 30
  name MANAGEMENT
vlan 99
  name GUEST

! Inter-VLAN routing with ACL (requires a Layer 3 switch with routing enabled)
ip routing
interface Vlan10
  ip address 192.168.10.1 255.255.255.0
  ip access-group USERS-TO-SERVERS in

! Wildcard masks (0.0.0.255) are the inverse of subnet masks; entries match first-hit, top to bottom
ip access-list extended USERS-TO-SERVERS
  permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
  permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 80
  deny ip any any log

5. Zero Trust Architecture

Zero Trust assumes no implicit trust—every access request must be verified regardless of source location.

Zero Trust Principles

  1. Verify explicitly: Always authenticate and authorize
  2. Least privilege: Minimum necessary access
  3. Assume breach: Minimize blast radius, verify end-to-end

# Zero Trust Implementation Components
# 1. Identity: Strong authentication (MFA, passwordless)
# 2. Device: Device health attestation, compliance checks
# 3. Network: Micro-segmentation, encrypted connections
# 4. Application: Per-app access, no VPN-based trust
# 5. Data: Classification, encryption, DLP

# Example: Conditional Access (Azure AD)
# IF user.location NOT in trusted_locations
#   AND device.compliance != compliant
#   THEN block access OR require MFA

6. Network Monitoring

# Zeek (formerly Bro) - Network analysis
zeek -i eth0

# Generate connection logs, DNS logs, HTTP logs, SSL logs
# /usr/local/zeek/logs/current/
#   conn.log, dns.log, http.log, ssl.log
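
As an added example (not part of the original guide), the threshold logic of the Snort rule in section 3 replayed over a few constructed Zeek conn.log records of the kind described here; the log lines and addresses are made up for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed Zeek conn.log records (tab-separated; only a subset of the real
# columns is kept): ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
SAMPLE_CONN_LOG = """\
1700000000.10\t203.0.113.7\t51000\t192.168.1.10\t22\ttcp\tREJ
1700000005.20\t203.0.113.7\t51001\t192.168.1.10\t22\ttcp\tREJ
1700000009.90\t198.51.100.4\t40000\t192.168.1.10\t22\ttcp\tSF
1700000012.00\t203.0.113.7\t51002\t192.168.1.10\t22\ttcp\tREJ
1700000015.00\t203.0.113.7\t51003\t10.9.9.9\t22\ttcp\tREJ
1700000020.50\t203.0.113.7\t51004\t192.168.1.10\t22\ttcp\tRSTO
1700000025.00\t203.0.113.7\t51005\t192.168.1.10\t22\ttcp\tREJ
1700000030.00\t203.0.113.7\t51006\t192.168.1.10\t22\ttcp\tREJ
1700000040.00\t203.0.113.7\t51007\t192.168.1.10\t22\ttcp\tREJ
1700000130.00\t203.0.113.7\t51008\t192.168.1.10\t22\ttcp\tREJ
"""

HOME_NET = ip_network("192.168.1.0/24")  # mirrors `var HOME_NET` in the Snort config


def detect_ssh_brute_force(conn_log, home_net=HOME_NET, count=5, seconds=60):
    """Emulate `threshold:type both, track by_src, count 5, seconds 60`:
    per source, alert once when the count-th SSH connection into HOME_NET lands
    inside the window, ignore further hits until the window expires, then reset.
    Returns (ts, src, dst, msg) tuples."""
    windows = {}  # src -> (window_start, hits_in_window)
    alerts = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):  # skip Zeek header/footer lines
            continue
        ts, src, _sport, dst, dport, proto, _state = line.split("\t")
        ts = float(ts)
        # Rule header: tcp $EXTERNAL_NET any -> $HOME_NET 22
        if proto != "tcp" or dport != "22" or ip_address(dst) not in home_net:
            continue
        start, hits = windows.get(src, (ts, 0))
        if ts - start >= seconds:  # window expired: start a fresh one
            start, hits = ts, 0
        hits += 1
        windows[src] = (start, hits)
        if hits == count:  # fires exactly once per window ("type both")
            alerts.append((ts, src, dst, "SSH Brute Force"))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_brute_force(SAMPLE_CONN_LOG):
        print(alert)
```

The connection to 10.9.9.9 is outside HOME_NET and the single hit from 198.51.100.4 never reaches the count, so only 203.0.113.7 produces an alert, and its later hits in the same window are suppressed.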

# NetFlow/sFlow analysis
# Flow data shows: Who talked to whom, when, how much data

# Wireshark filters
ip.addr == 192.168.1.100
tcp.port == 443
http.request.method == "POST"
dns.qry.name contains "suspicious"

7. Common Network Attacks

Man-in-the-Middle (MITM)

# ARP Spoofing
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

# Defense: Dynamic ARP Inspection (DAI) - Cisco IOS global config; validates ARP
# replies against the DHCP snooping binding table
ip arp inspection vlan 10

DNS Attacks

# DNS Spoofing, Cache Poisoning
# Defense: DNSSEC, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT)

8. Hardening Checklist

Network Hardening
  • ✅ Default deny firewall policies
  • ✅ Disable unused ports and services
  • ✅ Implement 802.1X for port authentication
  • ✅ Enable port security on switches
  • ✅ Use VLANs for segmentation
  • ✅ Encrypt management traffic (SSH, HTTPS)
  • ✅ Regular vulnerability scanning
  • ✅ Network flow monitoring

FAQ

Is a firewall enough for network security?
No. Firewalls are essential but not sufficient. You need defense in depth: IDS/IPS, segmentation, monitoring, endpoint protection, and user awareness.