Unit 2 Cyber

The document outlines the components and importance of network security infrastructure, detailing key elements such as firewalls, intrusion detection systems, VPNs, and encryption tools that work together to protect networks from cyber threats. It also describes various network topologies, security devices, services, and types of network attacks, emphasizing the need for robust security measures to ensure data confidentiality, integrity, and availability. Overall, it highlights the critical role of network security in safeguarding sensitive information and maintaining operational continuity.

Unit 2

Network Security Infrastructure


Network security infrastructure is everything that helps protect a
computer network from bad actors, such as hackers or viruses. It includes
tools, devices, rules, and methods used to keep the network safe and
ensure that data is secure.
Key Parts of Network Security Infrastructure

1. Firewalls
• What they do: Firewalls act like a barrier between your network and the outside world (like the internet). They check and block harmful traffic from entering the network.
• Why they matter: They keep unwanted visitors out and protect your network from attacks.
2. Intrusion Detection and Prevention Systems (IDS/IPS)
• What they do: These systems watch network traffic to find any suspicious activity (like hackers trying to break in). If they detect a threat, they either alert you (IDS) or stop it (IPS).
• Why they matter: They help catch bad things happening on the network before they cause harm.
3. Virtual Private Network (VPN)
• What it does: A VPN creates a secure, private connection between your computer and the internet. It keeps your data safe from being seen or stolen when using public Wi-Fi.
• Why it matters: It helps keep your information safe while using the internet, especially when you're working remotely.
4. Encryption Tools
• What they do: Encryption changes data into a code so that only the right person can understand it. It keeps sensitive information safe when it's sent over the network.
• Why it matters: If your data is encrypted, even if someone steals it, they won't be able to read it.
5. Anti-Malware Software
• What it does: Anti-malware software (like antivirus) detects and removes viruses, spyware, and other malicious software.
• Why it matters: It keeps your devices safe from harmful programs that can steal information or cause problems.
6. Network Segmentation
• What it does: This divides your network into smaller parts, so if one part gets attacked, the others are still safe.
• Why it matters: It helps contain damage and keeps the rest of your network secure.
7. Access Control
• What it does: Access control ensures that only the right people or devices can use certain parts of the network. It checks users' identities before allowing them to access sensitive data or systems.
• Why it matters: It stops unauthorized people from accessing or damaging important resources.
8. Security Monitoring
• What it does: Monitoring tools watch your network constantly to look for signs of problems or attacks.
• Why it matters: It helps you quickly find and fix any issues before they cause big problems.
How Network Security Infrastructure Works Together
These parts of network security work together to keep your network safe:
• Firewalls stop harmful traffic.
• IDS/IPS find and stop attacks.
• VPNs secure remote connections.
• Encryption keeps data safe while being sent.
• Anti-malware protects from harmful software.
• Access Control ensures only authorized users can access sensitive data.
• Monitoring watches for issues and alerts you to problems.
Why It’s Important
A good network security infrastructure helps protect against hackers,
viruses, and other cyber threats. It makes sure data is safe, networks stay
up and running, and unauthorized users can't access private information.
Without this infrastructure, networks are more vulnerable to attacks and
damage.
Network Topologies
• Definition: The physical or logical arrangement of network devices and how they communicate.
• Detailed Types:
o Bus Topology:
- Advantages: Easy to implement; requires less cable.
- Disadvantages: Limited cable length and number of nodes; difficult to troubleshoot; a single failure can take down the entire network.
o Star Topology:
- Advantages: Centralized management; easy to add/remove devices; failure of one device does not affect others.
- Disadvantages: Central point of failure (the hub); can be more expensive due to the hub and cabling.
o Ring Topology:
- Advantages: Predictable data transmission time; easy to identify and isolate faults.
- Disadvantages: A failure in any single cable or device disrupts the entire network; maintenance can be challenging.
o Mesh Topology:
- Types: Full mesh (every node connected to every other node) and partial mesh (some nodes are interconnected).
- Advantages: High redundancy and reliability; failure of one link does not affect others.
- Disadvantages: Expensive due to the amount of cabling and complexity of setup.
o Hybrid Topology:
- Examples: Combines elements of star and ring topologies; widely used in modern networks.
- Advantages: Flexible and scalable; can leverage the strengths of multiple topologies.
- Disadvantages: Complexity in design and management.
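The single-point-of-failure claims above can be checked with a small model. The following is an added example, not part of the original notes: it builds star, ring (unidirectional, as in a token ring) and full-mesh topologies as link sets and tests whether all surviving nodes can still reach each other after one cable or one node fails.

```python
from collections import deque

# Links are directed (a, b) pairs so that a one-way ring can be modelled.
def star(n):
    """Node 0 is the hub; every other node has one two-way link to it."""
    return {(0, i) for i in range(1, n)} | {(i, 0) for i in range(1, n)}

def ring(n):
    """Unidirectional ring: frames travel i -> i+1 around the loop."""
    return {(i, (i + 1) % n) for i in range(n)}

def full_mesh(n):
    """Every node has a direct two-way link to every other node."""
    return {(i, j) for i in range(n) for j in range(n) if i != j}

def reachable(links, start, failed_nodes=()):
    """Breadth-first search over surviving links; a failed node loses all its links."""
    adj = {}
    for a, b in links:
        if a in failed_nodes or b in failed_nodes:
            continue
        adj.setdefault(a, set()).add(b)
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen

def still_connected(links, n, failed_links=(), failed_nodes=()):
    """True if every surviving node can still reach every other surviving node."""
    survivors = {i for i in range(n) if i not in failed_nodes}
    live = {link for link in links if link not in set(failed_links)}
    return all(reachable(live, s, failed_nodes) == survivors for s in survivors)

def failure_report(n=5):
    """Compare the three topologies under one broken cable and one dead node."""
    return {
        "star: cable to node 3 cut": still_connected(star(n), n, failed_links={(0, 3), (3, 0)}),
        "star: leaf node 3 dead": still_connected(star(n), n, failed_nodes={3}),
        "star: hub dead": still_connected(star(n), n, failed_nodes={0}),
        "ring: one cable cut": still_connected(ring(n), n, failed_links={(2, 3)}),
        "ring: node 2 dead": still_connected(ring(n), n, failed_nodes={2}),
        "mesh: cable 1-2 cut": still_connected(full_mesh(n), n, failed_links={(1, 2), (2, 1)}),
        "mesh: two nodes dead": still_connected(full_mesh(n), n, failed_nodes={0, 1}),
    }

if __name__ == "__main__":
    for scenario, ok in failure_report().items():
        print(f"{scenario:28s} -> {'still connected' if ok else 'PARTITIONED'}")
```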
Security Devices
Security devices work together to form a comprehensive defense strategy by securing various network layers and components.
1. Firewalls
They monitor and control incoming and outgoing traffic based on predetermined security rules. Firewalls act as a barrier between an internal network and external networks (like the internet) to prevent unauthorized access and attacks.
Types of Firewalls:
• Packet-Filtering Firewall: Inspects packets at the network layer (Layer 3) and checks them against predefined rules (e.g., IP addresses, ports, protocols). If the packet matches a permit rule, it is allowed; otherwise, it is blocked.
• Stateful Inspection Firewall: Tracks the state of active connections and makes decisions based on the context of traffic (not just individual packets). It ensures that only legitimate traffic related to established connections is allowed.
• Proxy Firewall: Acts as an intermediary between the internal network and the external world, inspecting requests on behalf of users. This can add an extra layer of security by hiding the internal network structure.
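To make the difference between packet filtering and stateful inspection concrete, here is an added example (not from the notes) with a constructed rule set and constructed addresses: a stateless filter has to leave a static hole for replies from port 443, while the stateful firewall admits only packets that belong to a session it saw being opened from inside.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

INTERNAL_PREFIX = "10.0.0."   # constructed: the protected inside network

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def direction(pkt):
    return "out" if is_internal(pkt.src) and not is_internal(pkt.dst) else "in"

# Constructed stateless rule set, evaluated top-down, first match wins.
# A packet filter cannot tell a reply from a new connection, so to let HTTPS
# responses back in it must statically permit "source port 443 -> inside".
RULES = [
    {"dir": "out", "proto": "tcp", "dport": 443, "action": "allow"},
    {"dir": "in", "proto": "tcp", "sport": 443, "action": "allow"},
    {"dir": "any", "action": "deny"},   # default deny
]

def packet_filter(pkt, rules=RULES):
    """Packet-filtering firewall: judge each packet on its own header fields."""
    d = direction(pkt)
    for r in rules:
        if r["dir"] not in ("any", d):
            continue
        if any(f in r and r[f] != getattr(pkt, f) for f in ("proto", "sport", "dport")):
            continue
        return r["action"]
    return "deny"

class StatefulFirewall:
    """Stateful inspection: remember outbound sessions and admit only their replies."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()   # (src, sport, dst, dport, proto) of tracked sessions

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.sessions or reverse in self.sessions:
            return "allow"                  # part of an established session
        if direction(pkt) == "out" and packet_filter(pkt, self.rules) == "allow":
            self.sessions.add(key)          # new outbound session: track it
            return "allow"
        return "deny"   # unsolicited inbound packet, even where a static rule would pass it

def compare():
    """Run the same three packets through both firewalls."""
    fw = StatefulFirewall()
    outbound = Packet("10.0.0.5", "203.0.113.10", 54321, 443)   # inside client -> web server
    reply = Packet("203.0.113.10", "10.0.0.5", 443, 54321)      # the server's genuine reply
    rogue = Packet("198.51.100.7", "10.0.0.5", 443, 54321)      # unsolicited, from source port 443
    packets = (outbound, reply, rogue)
    return {
        "stateless": [packet_filter(p) for p in packets],
        "stateful": [fw.filter(p) for p in packets],
    }

if __name__ == "__main__":
    print(compare())   # the stateless filter passes the rogue packet; the stateful one drops it
```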
2. Intrusion Detection and Prevention Systems (IDS/IPS)
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are essential for detecting and preventing malicious activities on a network.
• IDS: Monitors network traffic for signs of suspicious behavior and generates alerts when potential threats are detected. It does not take action to prevent attacks but rather informs network administrators of the threat.
• IPS: Similar to IDS, but it goes a step further by actively blocking or preventing malicious traffic. It can drop malicious packets in real-time and take preventive actions, such as resetting connections.
Key Functions:
• Signature-Based Detection: IDS/IPS compare network traffic against known attack signatures.
• Anomaly-Based Detection: Detects deviations from normal traffic patterns and identifies unknown threats.
• Behavioral Analysis: Observes network behavior over time to detect patterns that may indicate an attack.
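An added example, not from the notes, showing the first two detection methods over constructed HTTP request records: a signature rule fires on a known pattern in one request, and an anomaly rule learns a per-source request-rate baseline from a known-good window and flags a source that exceeds it. The signatures, addresses and threshold are constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed signature set: name -> pattern matched against the HTTP request line.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
}

def signature_alerts(requests):
    """Signature-based detection: a hit on any known pattern raises an alert."""
    return [(ts, src, name) for ts, src, line in requests
            for name, pat in SIGNATURES.items() if pat.search(line)]

def learn_baseline(requests, k=3.0):
    """Anomaly-based detection, training step: from a window of known-good
    traffic, the per-source request-count threshold is mean + k * stdev."""
    counts = list(Counter(src for _, src, _ in requests).values())
    return statistics.mean(counts) + k * statistics.stdev(counts)

def anomaly_alerts(requests, threshold):
    """Anomaly-based detection: sources whose request count exceeds the baseline."""
    counts = Counter(src for _, src, _ in requests)
    return [(src, n) for src, n in counts.items() if n > threshold]

def ids_report(baseline, window):
    """IDS mode: only report. An IPS would additionally drop the flagged traffic."""
    threshold = learn_baseline(baseline)
    return {
        "signature": signature_alerts(window),
        "anomaly": anomaly_alerts(window, threshold),
        "threshold": round(threshold, 2),
    }

def constructed_requests(host_counts, extra=()):
    """Build (timestamp, src, request_line) tuples: every host in host_counts sends
    that many ordinary page requests, then the extra lines are appended."""
    reqs = []
    for host, n in host_counts.items():
        for i in range(n):
            reqs.append((len(reqs), host, f"GET /page{i}.html HTTP/1.1"))
    for host, line in extra:
        reqs.append((len(reqs), host, line))
    return reqs

# Training window: four hosts browsing normally (constructed).
BASELINE = constructed_requests({"10.0.0.21": 5, "10.0.0.22": 4, "10.0.0.23": 6, "10.0.0.24": 5})
# Observation window: two normal hosts, one host hammering the server, and one
# request carrying a directory-traversal sequence (constructed).
WINDOW = constructed_requests(
    {"10.0.0.21": 5, "10.0.0.22": 4, "10.0.0.99": 30},
    extra=[("10.0.0.22", "GET /static/../../config.ini HTTP/1.1")],
)

if __name__ == "__main__":
    print(ids_report(BASELINE, WINDOW))
```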
3. Virtual Private Network (VPN) Gateways
A VPN Gateway is a device that allows secure remote access to a network over the internet by encrypting data traffic between the user's device and the corporate network. VPNs create a secure "tunnel" through which data is transmitted, protecting it from interception and tampering.
• Remote Access VPN: Allows users to connect securely to the corporate network from remote locations.
• Site-to-Site VPN: Connects entire networks securely over the internet, typically used to link branch offices to a central corporate network.
4. Unified Threat Management (UTM)
Unified Threat Management (UTM) devices combine multiple security features into a single platform. These devices integrate various security technologies such as firewalls, antivirus, intrusion detection/prevention, VPN, email filtering, and web filtering.
Key Features of UTM:
• Firewall Protection: Blocks unwanted traffic based on predefined rules.
• Antivirus and Antimalware: Detects and blocks malicious files and malware.
• Intrusion Prevention: Actively monitors network traffic to prevent exploits and attacks.
• Content Filtering: Blocks inappropriate or harmful web content, such as websites known to distribute malware.
5. Network Access Control (NAC)
Network Access Control (NAC) solutions help manage and enforce security policies regarding devices accessing the network. NAC devices ensure that only compliant and authenticated devices can connect to the network, preventing unauthorized access and potentially malicious devices from entering the system.
Key Functions of NAC:
• Authentication and Authorization: Ensures that devices and users authenticate before gaining network access.
• Endpoint Compliance: Verifies that devices meet security standards (e.g., up-to-date antivirus, patches) before granting network access.
• Guest Networking: Provides secure access for guest users while isolating them from critical internal resources.
6. Web Application Firewall (WAF)
A Web Application Firewall (WAF) is specifically designed to protect web applications by filtering and monitoring HTTP traffic between web applications and the internet. WAFs are particularly effective against web-based attacks like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
Key Functions of WAF:
• Request Filtering: Inspects and filters HTTP/HTTPS requests for malicious content.
• Protection Against OWASP Top 10: Mitigates common web application vulnerabilities listed by the Open Web Application Security Project (OWASP).
• Rate Limiting: Prevents Denial of Service (DoS) attacks by limiting the number of requests from a specific source.
7. Secure Web Gateway (SWG)
A Secure Web Gateway (SWG) is a security solution that protects users from online threats while accessing the internet. SWGs are designed to block access to malicious websites, enforce acceptable use policies, and prevent data breaches by controlling what content users can access.
Key Functions of SWG:
• URL Filtering: Blocks access to harmful websites and enforces content filtering policies.
• Malware Detection: Scans web traffic for viruses and malware.
• Data Loss Prevention (DLP): Prevents sensitive data from leaving the network through unauthorized web applications or communications.

Security Services
1. Authentication
Authentication is the process of verifying the identity of users, devices, or
systems trying to access a network. It ensures that only authorized entities are
granted access to network resources.
Types of Authentication:
• Password-Based Authentication: Users provide a username and password to verify their identity.
• Two-Factor Authentication (2FA): Combines two forms of authentication, usually something you know (password) and something you have (e.g., a smartphone or hardware token).
• Biometric Authentication: Uses physical characteristics like fingerprints or facial recognition to authenticate users.
• Certificate-Based Authentication: Utilizes digital certificates to validate the identity of users, devices, or services.
Protocols:
• Kerberos: A network authentication protocol that uses tickets to authenticate users and services in a secure manner.
• RADIUS (Remote Authentication Dial-In User Service): A protocol for centralized authentication, authorization, and accounting, often used in wireless networks.
• TACACS+: A security protocol that provides AAA (Authentication, Authorization, and Accounting) for network devices.
2. Authorization
Authorization refers to the process of granting or denying access to specific
resources based on the identity of an authenticated user or device. Once a user
is authenticated, the system needs to decide what resources or actions they are
allowed to access.
Types of Authorization Models:
• Discretionary Access Control (DAC): The owner of a resource decides who has access to it.
• Mandatory Access Control (MAC): Access to resources is determined based on system-enforced policies (e.g., classification of data).
• Role-Based Access Control (RBAC): Users are assigned roles, and access is based on the role's permissions.
• Attribute-Based Access Control (ABAC): Access is granted based on attributes (e.g., department, location, time).
Protocols:
• LDAP (Lightweight Directory Access Protocol): A protocol used to query and modify directory services that store authentication and authorization data.
• OAuth: An authorization framework commonly used in third-party authentication systems.
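The four authorization models above can decide the same request differently. As an added example (not the notes' own), the following implements a minimal policy check for each model over constructed users, roles and one resource; the MAC policy uses the Bell-LaPadula no-read-up / no-write-down rules as one assumed instance of a system-enforced policy, and the ABAC policy is a constructed one.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    clearance: int        # MAC: 0 public, 1 internal, 2 confidential
    roles: set
    department: str

@dataclass
class Resource:
    name: str
    owner: str
    classification: int   # MAC label on the same scale as clearance
    department: str
    acl: dict = field(default_factory=dict)   # DAC: user name -> set of permissions

# RBAC: permissions are attached to roles, never directly to users (constructed roles).
ROLE_PERMISSIONS = {"analyst": {"read"}, "admin": {"read", "write", "delete"}}

def dac_allows(user, res, perm):
    """DAC: the owner decides; anyone else needs an explicit ACL entry."""
    return user.name == res.owner or perm in res.acl.get(user.name, set())

def mac_allows(user, res, perm):
    """MAC: system-enforced labels. Assumed policy: Bell-LaPadula, i.e.
    no read up (clearance >= label) and no write down (clearance <= label)."""
    if perm == "read":
        return user.clearance >= res.classification
    return user.clearance <= res.classification

def rbac_allows(user, res, perm):
    """RBAC: allowed if any of the user's roles carries the permission."""
    return any(perm in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def abac_allows(user, res, perm, ctx):
    """ABAC: combine subject, resource and environment attributes. Constructed
    policy: read within your own department, from the office, in business hours."""
    return (perm == "read"
            and user.department == res.department
            and ctx.get("location") == "office"
            and 9 <= ctx.get("hour", -1) < 17)

def decide(model, user, res, perm, ctx=None):
    """Evaluate one access request under the named authorization model."""
    if model == "ABAC":
        return abac_allows(user, res, perm, ctx or {})
    return {"DAC": dac_allows, "MAC": mac_allows, "RBAC": rbac_allows}[model](user, res, perm)

# Constructed subjects and object.
ALICE = User("alice", clearance=1, roles={"analyst"}, department="finance")
BOB = User("bob", clearance=2, roles={"admin"}, department="it")
REPORT = Resource("q3-report", owner="bob", classification=2, department="finance",
                  acl={"alice": {"read"}})
OFFICE_HOURS = {"location": "office", "hour": 10}

def matrix():
    """The same request ('can alice read the report?') under every model, plus
    a few contrasting requests, so the differences between the models show."""
    return {
        "DAC alice read": decide("DAC", ALICE, REPORT, "read"),
        "DAC alice write": decide("DAC", ALICE, REPORT, "write"),
        "DAC bob delete": decide("DAC", BOB, REPORT, "delete"),
        "MAC alice read": decide("MAC", ALICE, REPORT, "read"),    # read up: denied
        "MAC bob read": decide("MAC", BOB, REPORT, "read"),
        "RBAC alice read": decide("RBAC", ALICE, REPORT, "read"),
        "RBAC alice delete": decide("RBAC", ALICE, REPORT, "delete"),
        "ABAC alice read": decide("ABAC", ALICE, REPORT, "read", OFFICE_HOURS),
        "ABAC bob read": decide("ABAC", BOB, REPORT, "read", OFFICE_HOURS),   # wrong department
        "ABAC alice read at night": decide("ABAC", ALICE, REPORT, "read", {"location": "office", "hour": 23}),
    }

if __name__ == "__main__":
    for request, allowed in matrix().items():
        print(f"{request:26s} -> {'allow' if allowed else 'deny'}")
```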
3. Confidentiality
Confidentiality ensures that data is kept secret from unauthorized users or
entities. It is one of the key principles of information security, ensuring that
sensitive information (e.g., passwords, financial data) is not exposed.
Encryption:
• Symmetric Encryption: The same key is used to both encrypt and decrypt the data. Common algorithms include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
• Asymmetric Encryption: Uses a pair of keys (public and private). Common algorithms include RSA and ECC (Elliptic Curve Cryptography).
• End-to-End Encryption (E2EE): Data is encrypted on the sender's device and can only be decrypted by the recipient, ensuring that no intermediate party can read the data.
Protocols:
• SSL/TLS (Secure Sockets Layer / Transport Layer Security): Protocols that provide encryption and secure communication over networks, especially for web traffic (HTTPS).
• IPsec (Internet Protocol Security): A suite of protocols for securing IP communications by authenticating and encrypting each IP packet in a communication session.
4. Integrity
Integrity ensures that data is not altered in transit or storage, whether
accidentally or maliciously. Data integrity guarantees that information remains
accurate, consistent, and unmodified.
Hashing:
• Hash Functions: A cryptographic hash function (e.g., SHA-256) is used to produce a fixed-size string from variable-length data. Even a small change in the original data will result in a completely different hash.
• Digital Signatures: A combination of hashing and asymmetric encryption that ensures data integrity and authenticity. The sender creates a digital signature over the data, and the recipient can verify both the integrity of the data and the identity of the sender.
Protocols:
• HMAC (Hash-Based Message Authentication Code): A message authentication code built from a cryptographic hash function and a secret key, used for verifying both the integrity and authenticity of a message.
• Message Authentication Code (MAC): A code that ensures the integrity and authenticity of a message using a secret key.
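An added example (not part of the notes) contrasting what a bare hash and an HMAC guarantee: a changed message produces a different SHA-256 digest, but a receiver who only checks a hash accepts an altered message delivered with a freshly computed digest, whereas a valid HMAC cannot be produced without the shared key. The key and messages are constructed; digital signatures need an asymmetric key pair and are not shown here.

```python
import hashlib
import hmac
import secrets

def digest(data: bytes) -> str:
    """Plain SHA-256: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()

def bits_changed(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message; only holders of `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def receiver_checks_hash(message: bytes, hash_from_wire: str) -> bool:
    """Receiver that trusts a digest sent alongside the message."""
    return digest(message) == hash_from_wire

def receiver_checks_hmac(key: bytes, message: bytes, tag_from_wire: str) -> bool:
    """Receiver that recomputes the HMAC with its own copy of the key.
    compare_digest is constant-time, so the check itself does not leak the tag."""
    return hmac.compare_digest(make_tag(key, message), tag_from_wire)

def integrity_checks(key: bytes = b"constructed-shared-secret"):
    """Compare the two mechanisms on one tampered message. The key is a fixed
    constructed value; a real deployment would use secrets.token_bytes(32)."""
    original = b"transfer 100 to account 42"
    altered = b"transfer 900 to account 42"   # one byte changed in transit
    # Sender ships original + digest; tamperer swaps in altered + digest(altered).
    honest_hash, swapped_hash = digest(original), digest(altered)
    # Sender ships original + HMAC; tamperer has no key and can only guess one.
    honest_tag = make_tag(key, original)
    guessed_tag = make_tag(secrets.token_bytes(32), altered)
    return {
        "hash_differs": honest_hash != swapped_hash,
        "bits_changed": bits_changed(honest_hash, swapped_hash),   # roughly half of 256
        "hash_check_fooled": receiver_checks_hash(altered, swapped_hash),
        "hmac_accepts_original": receiver_checks_hmac(key, original, honest_tag),
        "hmac_rejects_altered": not receiver_checks_hmac(key, altered, honest_tag),
        "hmac_check_fooled": receiver_checks_hmac(key, altered, guessed_tag),
    }

if __name__ == "__main__":
    for check, result in integrity_checks().items():
        print(f"{check:22s} {result}")
```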
5. Availability
Availability refers to ensuring that network resources and services are
accessible and operational when needed by authorized users. This involves
implementing measures to prevent downtime due to cyberattacks, system
failures, or other disruptions.
Redundancy and Fault Tolerance:
• Load Balancing: Distributes network traffic across multiple servers to ensure that no single server is overwhelmed.
• Clustering: Combines multiple servers or systems into a group to ensure high availability in case one server fails.
• Failover: Automatically switches to a backup system in case the primary system becomes unavailable.
Protection Against Denial of Service (DoS):
• Anti-DDoS Protection: Uses firewalls, load balancers, and specialized anti-DDoS devices to mitigate traffic overloads that could lead to service disruption.
• Traffic Filtering: Filters out malicious traffic before it reaches the network or server.

Network Attacks
Denial of Service (DoS) Attacks
• Definition: Aimed at making a service unavailable to its intended users by overwhelming it with requests.
• Types:
o Flood Attacks: Send a large volume of traffic to overwhelm bandwidth.
- SYN Flood: Exploits the TCP handshake by sending SYN requests but never completing the handshake.
- UDP Flood: Sends a barrage of UDP packets to random ports, causing the system to respond with ICMP packets.
o Application Layer Attacks: Target specific applications to exhaust resources.
- HTTP Flood: Overwhelms web servers with requests for web pages.
• Mitigation: Use rate limiting, traffic filtering, and DDoS protection services to absorb or redirect malicious traffic.
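Rate limiting is named as a mitigation both in the WAF section and here. This added example (not from the notes) implements a per-source sliding-window limiter and replays constructed traffic through it: two clients at one request per second pass untouched, while a source sending 50 requests per second is cut off after its first 20 in the window.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Per-source limiter: at most `limit` requests from one source within any
    `window` seconds; anything beyond that is dropped before reaching the server."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)   # src -> timestamps of admitted requests

    def allow(self, src: str, now: float) -> bool:
        recent = self.history[src]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # forget requests older than the window
        if len(recent) < self.limit:
            recent.append(now)
            return True
        return False

def replay(requests, limit=20, window=10.0):
    """Feed (timestamp, src) pairs through the limiter in time order and count,
    per source, how many were admitted and how many were dropped."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for now, src in sorted(requests):
        stats[src]["allowed" if limiter.allow(src, now) else "dropped"] += 1
    return dict(stats)

# Constructed traffic: two ordinary clients at one request per second for 30 s,
# and one source sending 50 requests per second for 10 s starting at t=5.
NORMAL = ([(float(t), "198.51.100.10") for t in range(30)]
          + [(t + 0.5, "198.51.100.11") for t in range(30)])
FLOOD = [(5.0 + i / 50, "203.0.113.66") for i in range(500)]

if __name__ == "__main__":
    for src, counts in replay(NORMAL + FLOOD).items():
        print(src, counts)
```

Per-source limits blunt a single-source flood; the individual bots of a DDoS each stay under the limit, which is why the notes pair rate limiting with upstream DDoS protection services.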
Distributed Denial of Service (DDoS) Attacks
• Definition: Similar to DoS but launched from multiple compromised devices (botnets) to amplify the attack.
• Characteristics:
o Scale: Can involve thousands of infected devices.
o Amplification: Attackers use DNS amplification or NTP reflection to significantly increase attack volume.
• Mitigation: Deploy DDoS protection services, implement redundant server architecture, and use anycast routing to distribute traffic.
Man-in-the-Middle (MitM) Attacks
• Definition: An attacker intercepts and potentially alters the communication between two parties without their knowledge.
• Methods:
o Eavesdropping: Capturing data transmitted over insecure networks.
o Session Hijacking: Taking over a web session after the user has logged in, often using stolen session cookies.
o SSL Stripping: Downgrading HTTPS connections to HTTP to intercept unencrypted data.
• Mitigation: Use strong encryption protocols (TLS), implement secure coding practices, and employ VPNs for sensitive communications.

Phishing Attacks
• Definition: Deceptive attempts to acquire sensitive information by impersonating legitimate entities, often via email.
• Types:
o Spear Phishing: Targeted attacks on specific individuals or organizations, often using personalized information.
o Whaling: High-profile phishing attacks aimed at executives or high-ranking officials.
o Clone Phishing: An attacker creates a nearly identical replica of a legitimate email previously sent, changing the attachment or link to a malicious one.
• Mitigation: User training, email filtering, and employing multi-factor authentication (MFA).
Malware Attacks
• Types of Malware:
o Viruses: Malicious code that attaches to legitimate files and spreads when the file is executed.
o Worms: Self-replicating malware that spreads through networks without human intervention.
o Trojans: Malicious software disguised as legitimate software that, when executed, compromises the system.
o Ransomware: Encrypts files on a victim's system and demands payment for decryption.
• Mitigation: Use updated antivirus software, regular system scans, and user education on safe browsing habits.

Types of Attack Tools Used by Threat Actors
1. Malware Tools
These are malicious programs designed to harm or steal from your computer.
• Viruses: Spread and damage files.
• Trojans: Fake programs that let attackers access your system.
• Ransomware: Locks your files and demands money to unlock them.
• Worms: Spread automatically across networks.
• Spyware: Tracks your activities without you knowing.
• Adware: Displays unwanted ads or tracks your web behavior.
2. Exploitation Frameworks
These tools help attackers find and use weaknesses in systems.
• Metasploit: A tool to exploit security flaws and control systems.
• Cobalt Strike: Helps attackers take control of systems and stay hidden.
• BeEF: Exploits web browser vulnerabilities.
3. DDoS Tools
These tools overwhelm a website or server with too much traffic, making it crash.
• LOIC and HOIC: Overload a target with requests to cause a crash.
• Botnets: Groups of hacked devices used to launch massive attacks.
4. Phishing Tools
Phishing tools trick people into giving away personal information, like passwords.
• SET: Creates fake websites and emails to steal info.
• Gophish: Sends fake emails to trick users into clicking harmful links.
5. Password Cracking Tools
These tools guess or break passwords to get unauthorized access.
• John the Ripper: Cracks passwords using different methods.
• Hydra: Tries many password combinations to break into systems.
6. Keyloggers
Keyloggers record what you type, like passwords, to steal your information.
7. RATs (Remote Access Trojans)
These tools allow attackers to remotely control your computer.
• njRAT: Gives attackers control over infected devices.

Network Monitoring and Tools


Network monitoring is the process of observing network activity to ensure all
components (servers, routers, switches, firewalls, and devices) are functioning
well. It involves tracking network traffic, performance metrics, uptime, and
detecting anomalies that might indicate issues like congestion, failures, or
cyberattacks.
Types of Network Monitoring
• Performance Monitoring: Tracks the health and performance of network devices, including latency, bandwidth, and throughput.
• Traffic Monitoring: Observes the data flowing across the network, such as the amount of data and the type of traffic (HTTP, FTP, etc.).
• Security Monitoring: Detects malicious activities, such as unauthorized access, malware, or unusual traffic patterns that could indicate a security breach.
• Availability Monitoring: Ensures that all network devices (routers, servers, etc.) are up and running without any downtime.
• Configuration Monitoring: Tracks and logs changes to network configurations to detect any unauthorized or accidental changes.
Key Network Monitoring Tools
1. SolarWinds Network Performance Monitor (NPM)
• Function: A comprehensive tool used to monitor the health, availability, and performance of network devices. It provides alerts, visualizations, and insights into network performance.
• Features:
o Real-time network monitoring.
o Customizable dashboards.
o Advanced alerting and troubleshooting tools.
o Network traffic analysis.
2. PRTG Network Monitor
• Function: Monitors network infrastructure, including servers, routers, switches, and bandwidth. It offers real-time data on network traffic and performance.
• Features:
o Monitors devices, traffic, and bandwidth.
o Supports SNMP, WMI, and NetFlow.
o Provides custom alerts and automated actions.
o Multi-device support for scalability.
3. Nagios
• Function: Open-source network monitoring system that helps track the status of network devices, servers, and services. Nagios alerts administrators if there are issues.
• Features:
o Open-source, highly customizable.
o Alerts for network issues and failures.
o Can monitor servers, applications, and network services.
o Support for plugins to extend functionality.
4. Wireshark
• Function: A packet analyzer used to capture and analyze network traffic in detail. It's widely used for troubleshooting and identifying issues in data packets.
• Features:
o Real-time packet capture and analysis.
o Detailed traffic insights.
o Protocol analysis (e.g., TCP, HTTP, DNS).
o Useful for troubleshooting network problems.
5. Zabbix
• Function: An open-source network monitoring tool that provides metrics, such as CPU load, memory usage, and network utilization, across multiple devices.
• Features:
o Highly customizable monitoring.
o Can monitor a wide variety of network devices, services, and applications.
o Provides real-time monitoring and alerts.
o Open-source and free to use.
6. NetFlow Analyzer
• Function: A tool specifically designed to monitor bandwidth usage and flow data. It uses NetFlow or similar technologies to analyze network traffic and identify bottlenecks.
• Features:
o Flow-based traffic analysis.
o Bandwidth usage monitoring.
o Detects traffic patterns and anomalies.
o Provides detailed reports and insights into network performance.
7. ManageEngine OpManager
• Function: A comprehensive network monitoring tool used to track network performance, availability, and health of devices. It's suitable for large-scale enterprise networks.
• Features:
o Real-time monitoring and alerts.
o Customizable dashboards.
o Tracks device performance, including routers, servers, and switches.
o Provides network visualization with maps and topologies.
Benefits of Network Monitoring
• Improved Network Performance: Continuous monitoring ensures that devices and services are working optimally, reducing slowdowns or downtime.
• Early Detection of Problems: Monitoring tools can quickly detect issues like bandwidth congestion, faulty devices, or network failures, allowing for rapid intervention.
• Security Enhancements: By monitoring traffic patterns, unusual behavior can be identified early, helping prevent cyberattacks, unauthorized access, or data breaches.
• Preventing Downtime: Monitoring tools help detect issues before they lead to network outages, ensuring consistent service availability.
• Troubleshooting: Helps network administrators identify and fix issues faster by providing real-time data and reports on network performance.
