1. Introduction to Network Security
Introduction to Network Security
➢ Confidently assess, design and defend networks against a wide range of cybersecurity threats.
Course Outcomes
Upon completion of the course, it is expected that you will be able to:
➢ Identify and define common network security terminologies.
➢ Analyze network vulnerabilities and apply mitigation controls to defend.
➢ Design secure network topologies.
➢ Understand and implement security policies.
➢ Identify and respond to network events.
➢ Evaluate the trade-offs between security and usability in network designs.
Disclaimer
➢ Hacking is only legal under the following circumstances:
1. You gain explicit, written permission from a physical or legal person, stating the reason, duration, type of test and systems in scope.
2. You are the owner of the system and surrounding infrastructure.
3. You have a security clearance (issued by a national authority) that allows the ad-hoc evaluation of systems.
➢ All tools, techniques and material discussed in Comp-432 Network Security are intended for educational purposes only.
➢ Hacking is considered illegal in any other circumstances and under the L.22(III)/2004 Cyprus Law may result in up to 20 years in prison or a fine of up to €85000.
http://www.cylaw.org/nomoi/indexes/2004_3_22.html & https://www.europol.europa.eu/annual_review/2015/cybercrime.html
Definition of Network Security
Key objectives of Network Security
“The protection afforded to an automated information system to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources”
Confidentiality
- Restricted Access: Ensures sensitive data
is accessible only to authorized
individuals or systems.
- Encryption: Protects data during storage
and transmission by converting it into
unreadable formats.
- Authentication: Verifies the identity of
users, devices and systems before
granting access to resources.
- Privacy: Aligns with regulations to
protect personal data and ensure
confidentiality.
- Secure Disposal: Ensures data is
completely erased or destroyed when no
longer needed.
Integrity
- Accuracy: Ensures data remains accurate, consistent, and reliable.
- Tamper Protection: Safeguards data from unauthorized modification, whether accidental or malicious.
- Hashing: Verifies data integrity by generating unique fingerprints for files or messages.
- Digital Signatures: Provide proof of authenticity and integrity by verifying the sender and ensuring data has not been altered.
- Error Checking: Detects and corrects errors during data transmission or storage.
- Redundancy: Ensures data integrity can be restored in case of corruption or accidental loss.
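An added example (not from the slides) showing, with Python's standard library, the difference between the Hashing and Digital Signatures bullets above: a bare SHA-256 fingerprint detects a change but can be recomputed by whoever altered the data, while a keyed HMAC-SHA256 tag (used here as a stand-in for a signature, since the standard library offers a shared key rather than a key pair) cannot. The configuration payload and the altered-gateway scenario are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample payload: a small device configuration sent over the network.
CONFIG = b"interface eth0\n address 10.1.1.20/24\n gateway 10.1.1.1\n"


def fingerprint(data: bytes) -> str:
    """Unkeyed SHA-256 fingerprint: any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


def unkeyed_check(data: bytes, expected_digest: str) -> bool:
    """Integrity check with a bare hash: only useful if the digest itself is trusted."""
    return fingerprint(data) == expected_digest


def sign(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(sign(data, key), tag)


def demonstrate() -> dict:
    key = secrets.token_bytes(32)          # shared secret between sender and receiver
    tag = sign(CONFIG, key)
    digest = fingerprint(CONFIG)
    # Someone on the path rewrites the gateway line (constructed tampering scenario).
    tampered = CONFIG.replace(b"gateway 10.1.1.1", b"gateway 10.1.1.99")
    return {
        # a bare hash notices the change ...
        "hash_detects_change": not unkeyed_check(tampered, digest),
        # ... but the tamperer can simply ship a fresh hash with the altered data
        "hash_recomputed_by_tamperer": unkeyed_check(tampered, fingerprint(tampered)),
        # a keyed tag cannot be recomputed without the key
        "mac_rejects_tampered_data": not verify(tampered, key, tag),
        "mac_rejects_forged_tag": not verify(tampered, key, sign(tampered, b"guess")),
        "mac_accepts_original": verify(CONFIG, key, tag),
    }


if __name__ == "__main__":
    for check, outcome in demonstrate().items():
        print(f"{check:30} {outcome}")
```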
Availability
- Uninterrupted Access: Ensures authorized users can access systems, data and services whenever needed.
- Redundancy: Implements backup systems to prevent a single point of failure.
- Fault Tolerance: Designs systems to continue functioning even if components fail.
- Disaster Recovery: Develops plans and tools to restore services quickly after natural disasters, cyberattacks or system failures.
- System Maintenance: Schedules regular updates and maintenance without interrupting service.
- Power and Network Continuity: Includes uninterrupted power supplies (UPS) and reliable internet connections.
Are the CIA triad the only principles to consider?
Threat Landscape
The Sony Hack
1. Breach Discovery:
• Hackers, identifying themselves as "Guardians of Peace" (GOP), infiltrated Sony's systems in November 2014.
• They leaked unreleased films, confidential emails, employee personal data, and financial records.
2. Scope of the Breach:
• Sensitive employee data such as Social Security numbers and medical information were exposed.
4. The "The Interview" Controversy:
• The attack was allegedly linked to North Korea in retaliation for the release of The Interview, a film depicting a fictional assassination of Kim Jong-un.
• Sony initially canceled the movie's release, drawing criticism for yielding to pressure, but later distributed it digitally and in select theatres.
Pegasus: The spyware against democracy
- It was developed in 2016 by a private, government-founded Israeli company, the NSO Group.
- An early version of it could compromise your phone via a phishing or smishing notification (email or SMS).
- In early 2020, a new version became available, the so-called “zero-click”.
- Mid 2021, another version that allows compromise via WhatsApp call, iMessage, and SMS.
- Today, able to compromise via proximity wireless antenna networks.
Pegasus: The spyware against democracy (cont.)
- It was officially sold to 60 clients in 40 countries.
- The governments of Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates have acknowledged utilizing it.
- In 2022, the code of Pegasus was stolen by an employee and was sold on Tor for 1 billion dollars.
- Latest figures show that at least 50 000 devices are compromised.
Sample of Security Incidents
Year | Attack Name | Type | Target | Threat Actor | Impact
2017 | WannaCry | Ransomware | NHS UK | North Korea | 13500 appointments cancelled; 1100 emergency admissions; 2200 elective admissions; £5.9 million cost
2017 | Petya | Ransomware | Merck & Co (Pharmaceutical) | Janus Cybercrime Solutions | $300 million cost; stock collapsed; lost critical research on a vaccine to prevent cancer; 500 people globally lost their job in the next 12 months
2020 | Undisclosed | Espionage | CIA | Cozy Bear (Russia) | Sensitive data through supply chain
2022 | Undisclosed | Extortion | Microsoft, NVIDIA | Lapsus$ hacking group | Source code and sensitive data
2023 | Undisclosed | Data Leak | Twitter | Unknown | 5.4 million accounts leaked
2023 | Undisclosed | Data Breach | T-Mobile Customers | Unknown | 37 million accounts were compromised
Sample of Security Incidents - Cyprus
Year | Attack Name | Type | Target | Threat Actor | Impact
2017 | Undisclosed | Unknown | Electricity Authority | Unknown | Unknown
2018 | Undisclosed | DDoS | CYTA, Cablenet | Unknown | Networks unavailable
2020 | Undisclosed | Data Breach | Government Officials | Turkish Hacking Group | Unknown
2021 | Undisclosed | Undisclosed | Larnaka Airport WiFi | Turkish Hacking Group | Unknown
2023 | Undisclosed | DDoS | GESY Portal | Unknown | System unavailable
2023 | Undisclosed | Ransomware | Land Registry | Unknown | All information encrypted
2023 | Undisclosed | Ransomware | Open University | Unknown | All information encrypted and leaked
2024 | Undisclosed | Defacement | House of Representatives | Turkish Hacking Group | Website defaced
2024 | Undisclosed | DDoS | BoC, EKO, CYTA, Airports, Government Portal | French Hacking Group | Customers abroad were unable to access accounts for 4 days
Basic Concepts and Terminology
OSI Model (Open Systems Interconnection)
[Figure: the seven OSI layers with example protocols such as SSL, TCP/UDP and Ethernet]
1. Physical Layer
- Description: This layer is about the physical hardware and connections involved in transmitting data: cables, switches, and electrical signals.
2. Data Link Layer
- Description: Responsible for reliable data transfer over a single link in the network. It deals with addressing (MAC addresses) and error detection/correction.
3. Network Layer
- Description: Determines the path data takes to reach its destination across multiple networks.
- Key Functions:
- Logical addressing (IP addresses).
- Routing data packets between devices.
- Examples:
- IP (Internet Protocol), like IPv4 and IPv6.
- Routers determining the best path for data.
- Visiting a website via a public IP address.
3. Network Layer – RFC 1918 (Private IPs)
Range | Number of Addresses | CIDR and Mask | Classful Description
10.0.0.0 – 10.255.255.255 | 16,777,216 | 10.0.0.0/8 (255.0.0.0) | Single class A network
172.16.0.0 – 172.31.255.255 | 1,048,576 | 172.16.0.0/12 (255.240.0.0) | 16 contiguous class B networks
192.168.0.0 – 192.168.255.255 | 65,536 | 192.168.0.0/16 (255.255.0.0) | 256 contiguous class C networks
3. Network Layer – Public IP Ranges
Starting IP | Ending IP | Notes
1.0.0.0 | 9.255.255.255 | Includes public ranges
11.0.0.0 | 126.255.255.255 | Excludes 10.0.0.0/8
128.0.0.0 | 171.255.255.255 | Excludes private and reserved
173.0.0.0 | 191.255.255.255 | Includes public ranges
192.0.2.0 | 192.88.98.255 | Excludes 192.168.0.0/16
198.18.0.0 | 223.255.255.255 | Excludes 224.0.0.0/4
240.0.0.0 | 255.255.255.254 |
0.0.0.0/8 | 0.255.255.255 | Your current network
127.0.0.0/8 | 127.255.255.255 | Loopback IP (127.0.0.1)
169.254.0.0/16 | 169.254.255.255 | Link-local addresses (no DHCP available)
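An added Python example, not part of the slides, that encodes the RFC 1918 and special-purpose ranges from the two tables above and re-derives the tables' own figures with the standard ipaddress module. The multicast (224.0.0.0/4), reserved (240.0.0.0/4) and limited-broadcast labels for the rows the tables leave unexplained are the standard assignments, supplied here; the sample addresses are constructed.

```python
import ipaddress

# Ranges from the two tables above plus the standard labels for the rows the table
# leaves unexplained (multicast, reserved/former class E, limited broadcast).
# Order matters: first match wins, so the /32 broadcast entry precedes 240.0.0.0/4.
SPECIAL_RANGES = [
    ("rfc1918-private", "10.0.0.0/8"),
    ("rfc1918-private", "172.16.0.0/12"),
    ("rfc1918-private", "192.168.0.0/16"),
    ("this-network", "0.0.0.0/8"),
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("multicast", "224.0.0.0/4"),
    ("broadcast", "255.255.255.255/32"),
    ("reserved", "240.0.0.0/4"),
]
NETWORKS = [(label, ipaddress.ip_network(cidr)) for label, cidr in SPECIAL_RANGES]


def classify(ip: str) -> str:
    """Label an IPv4 address by the first table range it falls into, else 'public'."""
    addr = ipaddress.ip_address(ip)
    for label, net in NETWORKS:
        if addr in net:
            return label
    return "public"


def address_count(first: str, last: str) -> int:
    """Size of an inclusive range (the 'Number of Addresses' column)."""
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def cidr_for_range(first: str, last: str) -> list:
    """Smallest set of CIDR blocks covering first..last; one block means a clean prefix."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(b) for b in blocks]


def is_bogon_source(ip: str) -> bool:
    """A packet arriving from the Internet should never carry one of the special ranges
    as its source; a perimeter filter can drop such packets (anti-spoofing filtering)."""
    return classify(ip) != "public"


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.32.0.1", "8.8.8.8", "169.254.1.1", "224.0.0.5"):
        print(f"{ip:16} {classify(ip)}")
    for first, last in (("10.0.0.0", "10.255.255.255"), ("172.16.0.0", "172.31.255.255")):
        print(first, last, address_count(first, last), cidr_for_range(first, last))
```

Note that 172.32.0.1 classifies as public: the second RFC 1918 block ends at 172.31.255.255, a common point of confusion when writing firewall rules by hand.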
4. Transport Layer
- Key Functions:
- Segmentation
- Error Control, Detection and Correction
- Multiplexing (ports to direct data)
- Examples:
- TCP
- UDP
5. Session Layer
- Description: This layer manages sessions between applications and coordinates between systems for data organization and synchronization.
- Key Functions:
- Session establishment, maintenance and termination
- Dialog Control (half-duplex, full duplex)
- Examples:
- NetBIOS
- RPC (e.g. WakeOnLan)
6. Presentation Layer
- Description: Responsible for translating data into a readable format for the receiving system and handles encryption/decryption and compression/decompression.
- Key Functions:
- Data Translation (e.g. ASCII)
- Encryption, Decryption
- Compression / Decompression (reducing size to make it more efficient)
- Examples:
- SSL/TLS
- JPEG
7. Application Layer
- Key Functions:
- Provides services directly to user applications
- Allows applications to advertise available services and discover network services
- Examples:
- HTTP, SMTP, FTP, DNS and many more.
OSI model vs TCP/IP model
Although the OSI model is considered the reference framework for networking, today's Internet doesn't strictly follow those rules. As the Internet mostly relies on TCP over IP as its foundational protocols, another model was designed based on OSI. RFC 7540 describes the relation and design.
Network Appliances
Multi-cloud & On-Premise Network Diagram Example
Firewall (Network, Transport, Application)
• Network Security: Protects networks by monitoring and controlling
incoming and outgoing traffic based on predetermined security rules.
• Access Control: Blocks unauthorized access to or from a private
network, ensuring only trusted sources can connect.
• Traffic Monitoring: Inspects data packets entering or leaving the
network, identifying and filtering potential threats.
• Threat Prevention: Stops malicious traffic, such as viruses, worms, and
hackers, from entering the network.
• VPN Support: Facilitates secure remote access to the network through
Virtual Private Network (VPN) connections.
• Content Filtering: Controls access to specific websites or content
types, enforcing corporate policies or parental controls.
• Intrusion Detection/Prevention: Identifies and reacts to suspicious
activities by detecting intrusions and taking preventive actions.
• Logging and Reporting: Records traffic and security events, providing
detailed logs and reports for analysis and compliance.
• Application Layer Filtering: Filters traffic based on specific
applications or services, enhancing security beyond simple port-based
filtering.
• Network Address Translation (NAT): Masks internal IP addresses,
protecting the identity of devices on the internal network from external
threats.
Switch (Datalink, Network)
Network Isolation (Datalink, Network, Transport,
Application)
• Security Enhancement: Limits the spread of threats by isolating sensitive
systems or segments from the broader network.
• Containment of Breaches: Prevents attackers from easily moving laterally across
the network in case of a security breach.
• Access Control: Restricts access between network segments, ensuring only
authorized devices or users can communicate with isolated areas.
• Segmentation: Divides the network into smaller, isolated segments or zones
(e.g., VLANs), each with its own security policies.
• Enhanced Control: Provides better control over traffic flow, allowing granular
management of how different network segments interact.
• Zero Trust Architecture: Supports the Zero Trust security model by enforcing
strict access controls and minimizing trust within the network.
Intrusion Detection / Intrusion Prevention Systems (Network, Transport, Application)
Intrusion Detection System (IDS)
• Alert Generation: Triggers alerts when potential security threats are detected, enabling prompt investigation by security personnel.
• Forensic Analysis: Provides detailed logs and data for post-incident analysis, helping to understand and respond to security breaches.
• Visibility: Offers visibility into network and system activities, aiding in overall security posture assessment.
Intrusion Prevention System (IPS)
• Active Threat Mitigation: Not only detects but also actively prevents attacks by blocking or rejecting malicious traffic in real-time.
• In-Line Deployment: Sits directly in the path of network traffic, inspecting and taking action on data before it reaches its destination.
• Automated Response: Takes immediate action to stop detected threats, such as dropping malicious packets, resetting connections, or blocking IP addresses.
• Policy Enforcement: Enforces security policies by preventing unauthorized access or activities based on predefined rules.
• Real-Time Protection: Provides continuous, real-time protection against known and emerging threats, minimizing the window of exposure.
• Signature and Anomaly-Based: Combines signature-based detection with anomaly-based techniques to provide comprehensive threat prevention.
• Reduced False Positives: Tends to have stricter tuning to minimize false positives, ensuring legitimate traffic is not unnecessarily blocked.
VPN / IPSec (Network)
VPN:
• Secure Remote Access: Enables secure access to a private network over the internet, allowing remote users to connect as if they were on the local network.
• Data Encryption: Encrypts data transmitted between the user and the VPN server, protecting sensitive information from eavesdropping.
• Cost-Effective: Provides a cost-effective way for organizations to secure remote connections without the need for dedicated leased lines.
• Corporate Security: Ensures that employees can securely access corporate resources from any location, reducing the risk of data breaches.
IPSec:
• Layer 3 Security: Operates at the network layer (Layer 3), providing end-to-end security for IP packets across an IP network.
• Data Integrity: Ensures that data has not been tampered with during transmission by using cryptographic checksums.
• Authentication: Verifies the identity of the communicating parties, ensuring that data is exchanged between trusted sources.
• Confidentiality: Encrypts IP packets to ensure that data remains confidential and cannot be read by unauthorized parties.
• Security Associations (SA): Establishes security associations that define the cryptographic algorithms and keys used for securing communications.
• Interoperability: Widely supported and interoperable across different vendors' devices, making it a standard choice for secure IP communications.
Application / Network Load Balancers (Transport, Application)
Application Load Balancer (ALB / Application Gateway)
• Advanced Request Routing: Routes traffic based on host, path, method, headers, and source IP.
• SSL/TLS Termination: Offloads SSL/TLS decryption from backend servers.
• Health Checks: Performs health checks on targets and routes traffic to healthy instances.
• Auto Scaling Integration: Distributes traffic across multiple targets, such as EC2 instances and containers.
• Security Features: Integrates with AWS WAF for web exploit protection and AWS Shield for DDoS protection.
• High Availability and Fault Tolerance: Designed for high availability with automatic failover capabilities.
Network Load Balancer (NLB)
• SSL/TLS Termination: Offloads SSL/TLS decryption from backend servers.
• Static IP Support: Provides a single static IP per Availability Zone for applications.
• Cross-Zone Load Balancing: Distributes traffic evenly across targets in multiple Availability Zones.
• Support for TCP, UDP, and TLS Protocols: Handles a variety of traffic types for different applications.
• Connection Draining: Ensures ongoing requests are completed before deregistering or terminating targets.
• Health Checks: Performs health checks on targets and routes traffic to healthy instances.
Wireless Access Points (Physical, Datalink)
Core Network Systems
Dynamic Host Configuration Protocol (DHCP)
Overview:
The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to automate the process of
configuring devices on IP networks. It enables devices to receive IP addresses and other necessary network configurations
automatically, reducing the need for manual intervention.
• Automatic IP Address Assignment: DHCP automatically assigns IP addresses to devices from a predefined range (scope).
This simplifies network management and reduces the risk of IP address conflicts.
• IP Address Lease Management: DHCP assigns IP addresses for a specific lease duration. Devices need to renew their leases
periodically to maintain their IP address, allowing for efficient reuse of IP addresses.
• Configuration of Network Parameters: In addition to IP addresses, DHCP can provide other network configuration
parameters such as subnet masks, default gateways, DNS servers, and domain names.
• Dynamic DNS Updates: DHCP can work with DNS to update the mapping between device names and IP addresses
dynamically, ensuring that DNS records remain accurate as devices join and leave the network.
• DHCP Snooping: This security feature is implemented on network switches to monitor DHCP traffic and prevent rogue DHCP servers from operating on the network. It ensures that only trusted DHCP servers can respond to DHCP requests.
• IP Address Allocation Control: By using access control lists (ACLs) and other mechanisms, network administrators can restrict which devices can receive IP addresses from the DHCP server. This prevents unauthorized devices from joining the network.
• Authentication: Implementing authentication mechanisms such as DHCP authentication using 802.1X can ensure that only authorized devices can obtain network configurations from the DHCP server.
• Lease Time Management: By configuring appropriate lease times, network administrators can balance the need for IP address reuse with the security of frequent re-authentication.
Conclusion
DHCP is a critical protocol for network management, providing automated and efficient IP address allocation and configuration. By implementing security features such as DHCP snooping, authentication, and proper lease management, network administrators can mitigate potential risks and enhance the overall security of the network.
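An added Python model, not the slides' own material, of the DHCP Snooping bullet above: a switch that accepts server messages (OFFER/ACK/NAK) only on trusted uplink ports, checks that frames on access ports carry a source MAC matching the DHCP chaddr field, and builds the binding table from acknowledged leases. Port names, MAC addresses and the traffic sequence are constructed.

```python
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpFrame:
    port: str                 # switch port the frame arrived on (constructed names)
    src_mac: str              # Ethernet source address
    chaddr: str               # client hardware address inside the DHCP payload
    msg_type: int
    yiaddr: str = "0.0.0.0"   # address a server offers or acknowledges
    server_id: str = ""       # option 54, present in server messages


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # client MAC -> (ip, access port)
    pending: dict = field(default_factory=dict)    # client MAC -> port of last request
    log: list = field(default_factory=list)

    def process(self, f: DhcpFrame) -> str:
        untrusted = f.port not in self.trusted_ports
        # Rule 1: OFFER/ACK/NAK are only legitimate on trusted ports (where real servers sit).
        if untrusted and f.msg_type in SERVER_MESSAGES:
            self.log.append(f"DROP rogue server message type {f.msg_type} "
                            f"from {f.server_id or f.src_mac} on {f.port}")
            return "drop"
        # Rule 2: on access ports the frame source must match chaddr (MAC verification).
        if untrusted and f.src_mac.lower() != f.chaddr.lower():
            self.log.append(f"DROP chaddr {f.chaddr} does not match source {f.src_mac} on {f.port}")
            return "drop"
        # Rule 3: remember which access port a client asked on; bind when the server ACKs.
        if untrusted and f.msg_type in (DISCOVER, REQUEST):
            self.pending[f.chaddr.lower()] = f.port
        elif f.msg_type == ACK:
            client = f.chaddr.lower()
            if client in self.pending:
                self.bindings[client] = (f.yiaddr, self.pending.pop(client))
        return "forward"


# Constructed traffic: a client on access port Gi1/0/5, the real server behind uplink
# Gi1/0/24, a rogue server answering on access port Gi1/0/7, and a DISCOVER on Gi1/0/9
# whose chaddr does not match the frame's source MAC.
CLIENT = "aa:bb:cc:00:00:01"
SERVER_MAC = "00:11:22:33:44:55"
TRAFFIC = [
    DhcpFrame("Gi1/0/5", CLIENT, CLIENT, DISCOVER),
    DhcpFrame("Gi1/0/7", "de:ad:be:ef:00:07", CLIENT, OFFER, "10.1.1.77", "10.1.1.200"),
    DhcpFrame("Gi1/0/24", SERVER_MAC, CLIENT, OFFER, "10.1.1.50", "10.1.1.1"),
    DhcpFrame("Gi1/0/5", CLIENT, CLIENT, REQUEST),
    DhcpFrame("Gi1/0/24", SERVER_MAC, CLIENT, ACK, "10.1.1.50", "10.1.1.1"),
    DhcpFrame("Gi1/0/9", "aa:bb:cc:00:00:09", "aa:bb:cc:ff:ff:ff", DISCOVER),
]


def run(frames=TRAFFIC, trusted=frozenset({"Gi1/0/24"})):
    """Replay the frames through a switch and return verdicts, bindings and the drop log."""
    sw = SnoopingSwitch(trusted_ports=set(trusted))
    verdicts = [sw.process(f) for f in frames]
    return verdicts, sw.bindings, sw.log


if __name__ == "__main__":
    verdicts, bindings, log = run()
    print(verdicts)
    print(bindings)
    print("\n".join(log))
```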
Domain Name System (DNS)
Overview:
The Domain Name System (DNS) is a hierarchical and decentralized naming system for
computers, services, or other resources connected to the Internet or a private network. It
translates human-readable domain names (e.g., www.example.com) into IP addresses (e.g.,
192.0.2.1) that computers use to identify each other on the network.
• Domain Name Resolution: DNS translates domain names into IP addresses, enabling
users to access websites and other resources using easy-to-remember names instead of
numerical IP addresses.
• Hierarchy and Delegation: DNS is organized in a hierarchical structure, with the root
domain at the top, followed by top-level domains (TLDs), second-level domains, and so
on. This hierarchy allows for efficient delegation and management of DNS zones.
• Caching: DNS resolvers and clients cache DNS query results to reduce latency and
improve performance. Cached entries are stored for a specified time-to-live (TTL) period.
• Load Balancing: DNS can be used to distribute traffic across multiple servers using
techniques like round-robin DNS, improving the availability and performance of services.
• Reverse DNS Lookup: DNS supports reverse lookups, where an IP address is resolved to
a domain name. This is commonly used for logging and security purposes.
• DNS Records: Various types of DNS records are used to store different kinds of
information, including:
• A and AAAA Records: Map domain names to IPv4 and IPv6 addresses,
respectively.
• CNAME Records: Alias one domain name to another.
• MX Records: Specify mail exchange servers for a domain.
• TXT Records: Store arbitrary text data, often used for verification and
security purposes (e.g., SPF, DKIM).
Domain Name System (DNS)
DNS and Network Security:
• DNSSEC (Domain Name System Security Extensions): DNSSEC adds a layer of security by
enabling DNS responses to be digitally signed. It helps prevent attacks like DNS spoofing and
cache poisoning by ensuring the authenticity and integrity of DNS data.
• DNS over HTTPS (DoH) and DNS over TLS (DoT): These protocols encrypt DNS queries and
responses, protecting them from eavesdropping and man-in-the-middle attacks. DoH uses
HTTPS, while DoT uses TLS to secure DNS traffic.
• Access Control: Implementing access control mechanisms on DNS servers can restrict who
can query or modify DNS records, reducing the risk of unauthorized changes.
• Rate Limiting: Rate limiting DNS queries can help mitigate the impact of DNS-based denial-
of-service (DoS) attacks by limiting the number of queries from a single source.
• Monitoring and Logging: Regularly monitoring and logging DNS traffic can help detect and
respond to suspicious activities, such as unusual query patterns or unauthorized changes.
• Split Horizon DNS: This technique involves maintaining separate DNS views for internal and
external networks. It helps protect internal network information from being exposed to
external users.
• Redundancy and Failover: Deploying redundant DNS servers and implementing failover
mechanisms ensures the availability and resilience of DNS services, even in the event of
server failures or attacks.
• Regular Updates and Patching: Keeping DNS software up to date with the latest security
patches reduces the risk of exploitation through vulnerabilities.
Conclusion
DNS is a fundamental component of the Internet, providing essential services for domain name
resolution and management. By implementing security features such as DNSSEC, DoH/DoT,
access control, and monitoring, network administrators can enhance the security and reliability
of DNS, protecting it from various threats and attacks.
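An added Python example, not from the slides, that models the DNS Records list (A, AAAA, CNAME, MX, TXT) and the Split Horizon DNS bullet above: a small authoritative zone for example.com served from an internal and an external view, with CNAME chasing and the distinction between NXDOMAIN (name absent) and an empty NOERROR answer (name present, no record of that type). The zone contents, the networks treated as internal and the client addresses are all constructed.

```python
import ipaddress

# Networks whose clients get the internal view (an assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# (owner name, record type) -> list of record data; one dictionary per view.
ZONE_INTERNAL = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("example.com", "TXT"): ['"v=spf1 mx -all"'],
    ("www.example.com", "A"): ["10.1.1.20"],
    ("mail.example.com", "A"): ["10.1.1.25"],
    ("intranet.example.com", "A"): ["10.1.1.30"],     # internal-only host
    ("portal.example.com", "CNAME"): ["www.example.com"],
}
ZONE_EXTERNAL = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("example.com", "TXT"): ['"v=spf1 mx -all"'],
    ("www.example.com", "A"): ["192.0.2.10"],
    ("www.example.com", "AAAA"): ["2001:db8::10"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("portal.example.com", "CNAME"): ["www.example.com"],
}
VIEWS = {"internal": ZONE_INTERNAL, "external": ZONE_EXTERNAL}


def select_view(client_ip: str) -> str:
    """Split horizon: the client's source address decides which zone copy answers."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def resolve(client_ip: str, qname: str, qtype: str, max_cname_hops: int = 8):
    """Answer one query from the view chosen for the client.
    Returns (view, answer records, rcode). CNAMEs are chased, with a hop limit."""
    view = select_view(client_ip)
    zone = VIEWS[view]
    name = qname.rstrip(".").lower()
    qtype = qtype.upper()
    answers = []
    for _ in range(max_cname_hops):
        if (name, qtype) in zone:
            answers += [(name, qtype, rdata) for rdata in zone[(name, qtype)]]
            return view, answers, "NOERROR"
        if qtype != "CNAME" and (name, "CNAME") in zone:
            target = zone[(name, "CNAME")][0]
            answers.append((name, "CNAME", target))
            name = target
            continue
        break
    # Name exists with other types: NOERROR with an empty answer; otherwise NXDOMAIN.
    exists = any(owner == name for owner, _ in zone)
    return view, answers, "NOERROR" if exists else "NXDOMAIN"


if __name__ == "__main__":
    for client in ("10.5.5.5", "203.0.113.9"):
        for q in (("intranet.example.com", "A"), ("portal.example.com", "A")):
            print(client, q, resolve(client, *q))
```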
Identity Service Provider (IdP) / Active Directory
Overview:
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems and is used for
identity management, authentication, and authorization within a network.
• Centralized Identity and Access Management: AD provides a centralized platform for managing user identities, groups, and access permissions across the network.
• Authentication and Authorization: AD uses protocols like Kerberos and NTLM for secure authentication and authorization, ensuring that users and devices are who
they claim to be and have appropriate access rights.
• Group Policy Management: Group Policy allows administrators to manage and configure operating systems, applications, and user settings centrally. It can enforce
security policies, software installation, and other configurations across multiple devices.
• Schema and Attributes: AD schema defines the types of objects and attributes that can be stored in the directory. Administrators can extend the schema to include
custom attributes as needed.
Identity Service Provider (IdP) / Active Directory
Active Directory and Network Security:
• Strong Authentication Protocols: AD uses Kerberos, a strong authentication protocol that provides mutual authentication between clients and servers, reducing the risk
of impersonation attacks.
• Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by requiring users to provide additional verification factors (e.g., a code from a
mobile app) in addition to their password.
• Role-Based Access Control (RBAC): AD supports RBAC, enabling administrators to assign permissions based on user roles. This principle of least privilege minimizes the
risk of unauthorized access.
• Audit and Monitoring: Regularly auditing and monitoring AD activities, such as login attempts, changes to group memberships, and modifications to security policies,
helps detect and respond to suspicious activities.
• Account Lockout Policies: Configuring account lockout policies can prevent brute-force attacks by locking user accounts after a specified number of failed login
attempts.
• Password Policies: Enforcing strong password policies, including complexity requirements and regular password changes, reduces the risk of password-related attacks.
• Secure Administrative Practices: Using dedicated administrative accounts for privileged tasks, applying the principle of least privilege, and using secure workstations for administrative tasks enhance AD security.
• Encryption: Encrypting sensitive data, such as the communication between domain controllers and clients, protects against eavesdropping and data tampering.
• Backup and Recovery: Regularly backing up AD data and having a robust recovery plan ensures that the directory service can be restored quickly in case of data
corruption or loss.
• Patch Management: Keeping AD servers and associated software up to date with the latest security patches reduces the risk of exploitation through vulnerabilities.
Conclusion:
Active Directory is a powerful directory service that provides centralized identity and access management, authentication, and authorization. By implementing security
features such as strong authentication protocols, MFA, RBAC, and regular auditing, network administrators can enhance the security and reliability of Active Directory,
protecting it from various threats and attacks.
Simple Network Management Protocol (SNMP)
Overview:
Simple Network Management Protocol (SNMP) is a protocol used for managing devices on IP
networks. It enables network administrators to monitor network performance, detect faults, and
configure devices remotely.
• Data Collection: SNMP collects data from network devices such as routers, switches,
servers, and workstations. This data includes performance metrics, configuration settings,
and status information.
• Trap Notifications: SNMP allows devices to send asynchronous notifications called traps to
the SNMP manager. Traps alert administrators to significant events or changes in the
network, such as device failures or security breaches.
• Polling and Queries: SNMP managers can poll devices to retrieve specific information or
query the status of various parameters. This helps in proactive monitoring and management
of the network.
• SNMPv3 Security Enhancements: SNMPv3 introduces significant security improvements over previous versions, including:
• Authentication: SNMPv3 supports user-based authentication using HMAC-MD5 or HMAC-SHA algorithms, ensuring that only authorized users can access SNMP data.
• Encryption: SNMPv3 provides encryption using DES or AES algorithms to protect the confidentiality of SNMP messages.
• Access Control: SNMPv3 includes fine-grained access control mechanisms, allowing administrators to specify who can access what information.
• Access Control Lists (ACLs): Implementing ACLs on network devices can restrict SNMP access to trusted IP addresses or subnets, preventing unauthorized devices
from querying SNMP data.
Conclusion
SNMP is a powerful protocol for network management, providing essential features for monitoring, data collection, and remote configuration. By
implementing security features such as SNMPv3, strong community strings, access control, and regular monitoring, network administrators can
enhance the security and reliability of SNMP, protecting it from various threats and attacks.
Other
• File and Print Services: Enables file sharing and printer access across
the network, facilitating collaboration and resource sharing.
• Email Services (e.g., Microsoft Exchange) : Manages the sending,
receiving, and storage of email within the organization.
• Web Services (e.g., Intranet, Internal Web Applications): Hosts
internal websites and web applications for use by employees.
• Virtual Private Network (VPN): Allows remote users to securely
connect to the corporate network over the internet.
• Remote Desktop Services (RDS): Provides remote access to desktops
and applications hosted on the corporate network.
• Backup and Disaster Recovery Services: Ensures data is regularly
backed up and can be restored in case of data loss or network failure.
• Voice over IP (VoIP) Services: Facilitates voice communication over
the corporate network.
• Database Services: Hosts databases used by internal applications and
services.
• Collaboration Services (e.g., SharePoint, Teams): Provides tools for
team collaboration, document sharing, and communication.
Traditional vs Modern Architecture
Traditional Architectures
Design:
• Centralized Network:
• Hub-and-Spoke Model: Centralized servers and mainframes with users connecting through a hub-and-spoke topology.
• Single Point of Failure: Centralized systems are vulnerable to a single point of failure.
• Physical Segmentation:
• Dedicated Hardware: Use of physical routers, switches, and firewalls to segment and secure different parts of the network.
• Static Configuration: Manual configuration of network devices, leading to static and inflexible networks.
• Perimeter-Based Security:
• Firewalls and VPNs: Security focused on the network perimeter, using firewalls and VPNs to protect against external threats.
• DMZ (Demilitarized Zone): A physical or logical subnetwork that contains and exposes external-facing services to the untrusted
network (internet).
Security:
• Perimeter Defense:
• Firewalls: Used to filter traffic entering and leaving the
network.
• Intrusion Detection Systems (IDS): Monitor network
traffic for suspicious activity.
• Access Control:
• Role-Based Access Control (RBAC): Access
permissions based on user roles.
• Network Access Control (NAC): Policies to enforce
who can access the network.
• Manual Updates and Patching:
• Scheduled Maintenance: Regular, often manual,
updates and patching of network devices and security
systems.
Modern Architectures
Design:
• Decentralized and Distributed Network:
• Cloud Computing: Utilization of cloud services (IaaS, PaaS, SaaS) to distribute network resources.
• Edge Computing: Processing data closer to the source (e.g., IoT devices) to reduce latency and improve performance.
• Virtualization and Software-Defined Networking (SDN):
• Virtual Networks: Use of virtual machines (VMs) and containers to create virtual networks.
• SDN: Centralized control of network traffic using software applications, allowing for dynamic and automated network configuration.
• Microsegmentation:
• Granular Segmentation: Dividing the network into smaller, isolated segments to limit the attack surface.
• Dynamic Policies: Automated and dynamic security policies based on real-time analytics.
Security:
• Zero Trust Security Model:
• Assume Breach: Trust no one, verify everyone, whether inside or outside the network.
• Continuous Authentication: Continuous verification of user and device identities.
• Automation and Orchestration:
• Security Orchestration, Automation, and Response (SOAR): Integration of security tools and processes to automate
incident response.
• Infrastructure as Code (IaC): Automated deployment and management of network infrastructure through code.
• Advanced Threat Detection:
• Behavioral Analytics: Use of AI and machine learning to detect abnormal behavior and potential threats.
• Endpoint Detection and Response (EDR): Continuous monitoring and response to threats on endpoints.
• Cloud Security:
• Shared Responsibility Model: Security responsibilities shared between cloud providers and customers.
• Cloud Access Security Brokers (CASB): Security policy enforcement points placed between cloud service consumers
and providers.
Modern Architectures – IaaS, PaaS, SaaS
Modern Architectures – Health Care Example
[Figure: health-care network diagram showing clinical systems (Electronic Medical Records, Pharmacy Information System, Pathology Information System, Radiology Information System, Blood Bank System, Clinical Information System, Admissions System, Research Data, Research Information System, Remote Care System, Tracking Logs, Web Portal), user devices (Mobile Apps, Bracelets, Badges, Biometric Systems, Identification), network equipment (Routers, Switches, FW, IDS/IPS, Radio Freq., Physical Lines, Networking Devices), medical devices (Glucose Measuring, Implants, Life Support Machines, Assistive Robots, Medical Equipment) and building systems (Power, CCTV, Climate, Gas, Door Locks, Fire Alarm, Smoke, Radiation, Chemical Fumes)]
Modern Architectures – Edge Computing
Modern Architectures – Zero Trust Model