Section 3

The document outlines various secure protocols and practices for voice/video communications, time synchronization, email, web security, VPN tunneling, and more. It emphasizes the importance of layered security strategies like Defense in Depth, endpoint protection, and database security measures such as tokenization and hashing. Additionally, it covers secure coding concepts and the significance of input validation and dynamic analysis in application security.

3.1 Secure protocols


Vid 101: Secure protocols

Voice and Video Communications

 RTP (Real-time Transport Protocol) is used for voice/video over IP


 SRTP (Secure RTP) encrypts RTP using AES for confidentiality, keeping the conversation private;
it adds security features to RTP.
 It also uses HMAC-SHA1 for authentication, integrity, and replay protection: a hash-based message
authentication code using SHA1.

Time Synchronization

 NTP (Network Time Protocol) originally lacked security (exploited as amplifiers in DDoS
attacks).
 NTPsec (Secure network time protocol) enhances NTP with improved security and code
sanitization.

Email Security

 S/MIME (Secure/Multipurpose Internet Mail Extensions):


o Uses public/private key encryption.
o Provides confidentiality and digital signatures.
o Requires a Public Key Infrastructure (PKI) or a similar organization of keys to properly
manage the public/private keys.
 POP3 and IMAP:
o POP3 can use STARTTLS to secure the connection with SSL.
o IMAP can use Secure IMAP (IMAPS), which also uses SSL.
o Web-based email (e.g., Gmail, Yahoo Mail) uses SSL/TLS for secure
communication.

Web Security

 SSL (Secure Sockets Layer) is outdated.


 TLS (Transport Layer Security) is the current standard.
 HTTPS (HTTP over TLS or over SSL) is used to encrypt web traffic.
o Uses public key encryption to share a symmetric session key for secure
communication.

VPN Tunneling

 IPSec (Internet Protocol Security):


o Encrypts data across layer 3 networks: authentication and encryption for every
packet.
o Includes encryption, integrity, and anti-replay features -> packet signing.
o Very standardized: commonly used, with multi-vendor implementations.
o Uses:
 AH (Authentication Header) for integrity.
 ESP (Encapsulating Security Payload) for encryption.
File Transfer

 FTPS: FTP ( file transfer protocol ) over SSL; uses SSL/TLS for encryption.
 SFTP: SSH File Transfer Protocol; uses SSH for encryption.
o Supports file operations like listing directories, resuming transfers, and manipulating the file
system.

Directory Services

 LDAP (Lightweight Directory Access Protocol):


o Protocol for reading and writing directories (structured info) over an IP network.
o Based on X.500, updated for TCP/IP from DAP (Directory Access Protocol).
o X.500 is a set of standards that describes:
 How directory information is structured (like a tree).
 How to access and manage that information.
 to ensure interoperability across systems.
o Used by Active Directory, Open Directory, OpenLDAP.
 LDAPS: LDAP over SSL for secure communication.
 SASL (Simple Authentication and Security Layer):
o A framework used by LDAP for authentication (e.g., Kerberos, client certificates).

Remote access

 SSH (Secure Shell):


o Encrypts terminal communications between client and server.
o Replaces Telnet (also provides a terminal but without any encryption mechanism ) .

DNS Security

 DNS has no security in the original design (easy to poison DNS).

 DNSSEC (DNS Security Extensions):


o Validates DNS responses (origin authentication, data integrity, ...).
o Uses digital signatures and public key cryptography (DNS records are signed with
a trusted third party and the signed records are published in DNS).

Routing and switching

 We use SSH

 SNMPv3 (Simple Network Management Protocol v3):


o Adds encryption (confidentiality), integrity, and authentication for managing
network devices.
 HTTPS is used instead of HTTP for web-based device management interfaces (encrypted
communication ) .

Network address allocation

 DHCP (Dynamic Host Configuration Protocol) lacks built-in security.


o Automatically assigns IP addresses to the devices on our network.
o There is no secure version of the DHCP protocol
 Rogue DHCP servers :
o To enhance the security of DHCP we've added additional controls outside of the
DHCP protocol.
o Mitigation techniques include:
 Active Directory authorization of devices that are able to act as DHCP
devices, to avoid rogue DHCP servers.
 DHCP snooping on switches to allow DHCP traffic only from trusted
interfaces.
 DHCP client DoS – Starvation attack
o Use spoofed MAC addresses to exhaust the DHCP pool causing starvation or limiting
the number of IP addresses that are available to other devices on the network
o To avoid this , switches can be configured to limit the number of MAC addresses per
interface (disable an interface when multiple MAC addresses are seen )

Automatic Updates

 Products like anti-virus software, firewalls, and IPS systems need updates.
o Each may use different protocols/IPs.
o Requires custom firewall rules and trusted server configurations (check for
encryption and integrity checks) to manage updates securely (receive updates only from
specific, well-known and trusted servers).

3.2 – Host and Application Security

Vid 102: Endpoint protection

The endpoint -> the user’s access (apps and data )

Key concerns:
 Inbound threats: Attackers accessing our devices.
 Outbound threats: Sensitive data being exfiltrated to attackers
 The OS

We implement layered security, known as Defense in Depth.

 Defense in Depth is a cybersecurity strategy where multiple layers of security controls are
placed throughout an IT system — so that if one layer is breached, others still protect the
system.

Anti-Virus and Anti-Malware

 Common endpoint protection tools.


 Designed to stop:
o Viruses, worms, Trojan horses
o Fileless malware, ransomware
 Modern suites often combine antivirus and anti-malware features.
 Anti-virus software is also anti-malware software now.
 Traditional detection relies on signatures (specific code patterns).
 Attackers increasingly bypass signature-based systems.
Endpoint Detection and Response (EDR)

 EDR uses advanced techniques to detect threats beyond signatures, so instead of looking for a
signature to occur within a file we can look at what the file is doing, using:
o Behavioral analysis: monitors how programs behave, e.g. whether something tries to do something
strange
o Machine learning: it watches everything running on your system in real time
o Process monitoring
 Capabilities of EDR :
o Root cause analysis : It figures out how the threat got there in the first place (like a
detective).

o System isolation :disconnect the infected system from the network to stop the spread
o Quarantine/removal: moves the malicious file to a safe zone (quarantine) or deletes it
o Rollback to known good state : it can return your computer to a point before the
attack happened .
 Automation via APIs allows handling without human intervention.

Data Loss Prevention (DLP)

 Protects against data leaks, even encrypted ones.


 Prevents sensitive data like medical records, SSNs, credit card info from unauthorized
transmission.
 DLP systems can exist:
o At the firewall
o On the client device
o In the cloud (e.g., for email monitoring)
 If sensitive data is detected in any of data streams, transmission is blocked.

Next Generation Firewalls (NGFWs)

 Traditionally we used firewalls to allow or block traffic based on IP addresses and a port number.
 NGFWs provide more granular security than traditional firewalls.
 Key features:
o Application awareness: Controls traffic based on app, not just IP/port.
o Also known as:
 Application Layer Gateway
 Stateful multi-layer inspection
 Deep packet inspection
 Can control specific application features (e.g., allow viewing Twitter but block posting).
 Often include:
o Antivirus/anti-malware
o SSL decryption and inspection
o URL filtering : block individual access to a particular website or based on
categorizations (by domain or category)

Host-Based Firewalls

 Software firewalls on individual endpoints.


 Benefits:
o Visibility into all running applications
o Ability to allow/block specific apps, even encrypted traffic
o Can detect and block unknown/malicious processes
 Centrally managed host-based firewalls allow enterprise-wide visibility and control.

Host-Based Intrusion Detection/Prevention Systems (HIDS/HIPS)

 HIDS: Monitors logs to detect intrusions (can trigger or reconfigure a firewall to block, but
usually can't act; HIDS can just detect).
 HIPS: More proactive, blocks known vulnerabilities before they reach the OS.
 Often integrated into endpoint protection software .
 Uses multiple detection techniques:
o Signature-based detection (e.g., buffer overflows)
o Heuristic analysis (e.g., large volume of registry updates)
o Behavioral monitoring (e.g., unexpected file writes to Windows folder)
 Since these tools run on endpoints, they have access to unencrypted, in-memory data,
offering deeper inspection capabilities.

Vid 103 : Boot integrity


 Hackers want to get into your operating system and stay there without being noticed. One way
they try to do that is by attacking your system before it even boots up
Why attackers target the boot process:

 Once they compromise a device, they want persistence (stay inside undetected).
 Re-infecting a device is hard, so if they can get in during the boot, they can stay hidden from
antivirus and the OS.
 Tools like rootkits work at the kernel level (deep inside the OS), giving attackers full control
before the system starts.

Every step of the boot process should be secured using a chain of trust.


Hardware root of trust
 we should ensure that the OS has not been infected
 for this we use: Trusted Platform Module (TPM)

 A hardware chip (either built into the motherboard or plugged in).


 Used for security and cryptography.
 It can include a cryptographic processor, which is commonly used as a key generator.
 Stores keys, configuration info, and unique system data.
 Has protections against brute force attacks.
 Used to store "measurements" (hashes) during the boot process.
 Since it's hardware, it is difficult to change or avoid.

Secure Boot (via UEFI BIOS)

 The TPM provides the hardware security and BIOS provides software security
 Part of your modern BIOS (UEFI).
 Uses digital signatures to check if the OS bootloader (the program that loads the operating
system into memory) is legitimate.
 If the bootloader is modified or not signed by a trusted vendor, the system won’t boot.
 There are also protections built into the UEFI BIOS to protect it (examples: the manufacturer's
public key, the digital signature is checked during a BIOS update, the BIOS prevents unauthorized
writes to the flash).

Trusted Boot

 Once Secure Boot verifies the bootloader, the bootloader checks the OS kernel.
 If the kernel has been changed (e.g., by malware), it won’t load.
 Then the kernel checks other startup files and drivers.

 Before any drivers load, the system runs ELAM (Early Launch Anti-Malware).
 ELAM checks that all drivers are digitally signed and trusted before allowing them to run.

Measured Boot

 Checking if nothing on the computer has changed


 Every component loaded during Secure Boot and Trusted Boot is measured (hashed).
 These hashes are stored inside the TPM.(to solve the problem of checking a huge number of
computers )
 Remote attestation : our device is going to provide a central management server with a
verification report showing all of the info that’s been gathered
 That report is going to be encrypted and digitally signed with the keys that are part of the
TPM and that is sent to the attestation server
 The attestation server then receives the boot report and compares the info in that
report with the info that it knows to be trusted on that system.
 If it detects any change (even a small one), it can:

o Alert IT staff
o Block the device
o Quarantine the machine
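The measure-then-attest flow above, as an added example that is not part of the original notes: a TPM-style PCR extend over a constructed boot chain, a signed report with a server nonce, and the attestation server's comparison against a known-good value. It assumes an HMAC key standing in for the TPM's attestation key (a real TPM signs with an asymmetric key that never leaves the chip); the component bytes and names are constructed.

```python
import hashlib
import hmac
import json
import secrets


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(component)).
    The result depends on every component and on their order, and nothing can be
    'un-extended', so one 32-byte value summarizes the whole boot sequence."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Measure each boot component in order; return the final PCR and the event log."""
    pcr = bytes(32)  # PCRs start at all zeros after a platform reset
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append({"component": name, "digest": hashlib.sha256(blob).hexdigest()})
    return pcr, log


# Constructed stand-in for the TPM-resident attestation key (assumption: HMAC
# replaces the TPM's asymmetric signature so this runs with the stdlib only).
TPM_KEY = secrets.token_bytes(32)

# Constructed "known good" boot chain; the bytes stand in for real binaries.
GOOD_BOOT = [
    ("bootloader", b"bootmgr v1.0"),
    ("kernel", b"ntoskrnl build 1234"),
    ("elam_driver", b"vendor ELAM driver"),
    ("storage_driver", b"storage driver 5.6"),
]


def build_report(components, nonce: bytes) -> dict:
    """Device side: measure the boot, then sign the report together with the server's nonce."""
    pcr, log = measure_boot(components)
    body = {"nonce": nonce.hex(), "pcr": pcr.hex(), "log": log}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(TPM_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_report(report: dict, golden_pcr_hex: str, nonce: bytes, key: bytes = TPM_KEY) -> str:
    """Attestation server side. Returns an action string so the caller can alert,
    block or quarantine, as the notes describe."""
    expected_sig = hmac.new(key, report["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["signature"]):
        return "block: report signature invalid"
    body = json.loads(report["payload"])
    if body["nonce"] != nonce.hex():
        return "block: stale report (possible replay)"
    if body["pcr"] != golden_pcr_hex:
        # The event log tells IT staff which component digest no longer matches
        return "quarantine: boot measurements changed"
    return "ok: boot chain matches known-good state"


def attest_demo() -> tuple:
    golden = measure_boot(GOOD_BOOT)[0].hex()   # recorded once from a trusted build
    nonce = secrets.token_bytes(16)             # fresh challenge per attestation
    healthy = verify_report(build_report(GOOD_BOOT, nonce), golden, nonce)
    # A modified kernel changes its digest, and therefore the final PCR value
    modified_boot = list(GOOD_BOOT)
    modified_boot[1] = ("kernel", b"ntoskrnl build 1234 (modified)")
    changed = verify_report(build_report(modified_boot, nonce), golden, nonce)
    # Re-sending an older good report does not satisfy today's nonce
    replayed = verify_report(build_report(GOOD_BOOT, b"old nonce"), golden, nonce)
    return healthy, changed, replayed


if __name__ == "__main__":
    for line in attest_demo():
        print(line)
```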

Vid 104: Database security

 Data inside a DB should comply with rules and regulations such as PCI DSS, HIPAA, GDPR, ...
 A data breach (happens when private or protected information is accessed, copied, or stolen by
someone who isn’t supposed to see it ) can cause significant disruption and be costly to
resolve
 There are many ways to protect data :

Tokenization

 A method to protect sensitive data by replacing it with a token that has no mathematical or
algorithmic link to the original value.
 Example: Replacing a Social Security Number (e.g. 266-12-1112) with a token like 691-61-8539.
 Credit cards: Tokens are used instead of storing actual numbers. A temporary token is used
during a transaction and then discarded (handled by a tokenization server).
o Each new transaction uses a different token.
o Even if an attacker intercepts the token, it's useless for future use.
 Benefits: No encryption or hashing overhead—simply substitution with unrelated values.
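A small token vault illustrating the points above, added here as an example and not part of the original notes: persistent tokens for stored values such as an SSN, single-use tokens for card transactions, and no computation linking token to value. The SSN and card number are constructed samples; the vault's in-memory dictionaries stand in for the tokenization server's protected store.

```python
import secrets


class TokenVault:
    """Constructed tokenization service (not a real product): replaces a sensitive
    value with a random token of the same shape. Because the token comes from a
    CSPRNG it has no mathematical or algorithmic link to the original; the only
    way back is this vault's lookup table, which is what must be protected."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}
        self._single_use = {}

    @staticmethod
    def _random_token(template: str) -> str:
        """Format-preserving: keep separators, replace every digit with a random digit."""
        return "".join(str(secrets.randbelow(10)) if ch.isdigit() else ch for ch in template)

    def _fresh_token(self, value: str) -> str:
        token = self._random_token(value)
        # Never hand out the real value, nor a token that is already in use
        while token == value or token in self._value_by_token or token in self._single_use:
            token = self._random_token(value)
        return token

    def tokenize(self, value: str) -> str:
        """Persistent token for stored data such as an SSN: same value, same token."""
        if value not in self._token_by_value:
            token = self._fresh_token(value)
            self._value_by_token[token] = value
            self._token_by_value[value] = token
        return self._token_by_value[value]

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the original value."""
        return self._value_by_token[token]

    def issue_transaction_token(self, card_number: str) -> str:
        """Per-transaction card token: a new random token for every purchase."""
        token = self._fresh_token(card_number)
        self._single_use[token] = card_number
        return token

    def redeem_transaction_token(self, token: str):
        """Returns the card number exactly once; a re-used token yields None."""
        return self._single_use.pop(token, None)


def demo() -> dict:
    vault = TokenVault()
    ssn = "266-12-1112"              # constructed sample, as in the notes
    ssn_token = vault.tokenize(ssn)
    card = "4111-1111-1111-1111"     # constructed test card number
    t1 = vault.issue_transaction_token(card)
    t2 = vault.issue_transaction_token(card)
    return {
        "ssn_token": ssn_token,
        "ssn_round_trip": vault.detokenize(ssn_token) == ssn,
        "ssn_token_stable": vault.tokenize(ssn) == ssn_token,
        "txn_tokens_differ": t1 != t2,
        "first_redeem": vault.redeem_transaction_token(t1) == card,
        "second_redeem": vault.redeem_transaction_token(t1),  # None: useless if intercepted
    }


if __name__ == "__main__":
    print(demo())
```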

Hashing

 Commonly used to store passwords securely.


 A hash is a fixed-length, unique string (message digest) representing data.
o One-way function: Cannot reverse-engineer the original password from the hash.
o Hashes are unique for each input—no collisions.
 During login, the input password is hashed and compared to the stored hash.
 Example (SHA-256):
o Password: 123456 → unique 256-bit hash
 If hashes are leaked, attackers cannot reverse them into passwords.

Salting

 To make hashes more secure, a random salt is added to each password before hashing.
 Each user gets a unique salt, even if they use the same password.
 Stored value in the database becomes a hash of password + salt.
 Benefits:
o Prevents use of rainbow tables (precomputed hash databases).
o Forces attackers to use brute-force, which is slower and more resource-intensive.
 Example:
o All users use the password "dragon".
o Hash for "dragon" without salt is the same for all.
o With different salts, stored hashes appear completely different, making attacks much
harder.
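The "dragon" scenario from the Hashing and Salting notes, worked through as an added example (not code from the original notes): unsalted SHA-256 gives every user the same stored value, per-user random salts make them all differ, and login re-derives the hash from the stored salt. The user names and password are constructed.

```python
import hashlib
import hmac
import os

# Constructed example: three users who all chose the same weak password
USERS = ["alice", "bob", "carol"]
SHARED_PASSWORD = "dragon"


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 message digest as a 64-character hex string (256 bits)."""
    return hashlib.sha256(data).hexdigest()


def unsalted_hash(password: str) -> str:
    """Hash the password alone: identical passwords give identical hashes."""
    return sha256_hex(password.encode())


def make_salt() -> bytes:
    """A random 16-byte salt from the OS CSPRNG; every user gets a fresh one."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of salt + password, as the notes describe."""
    return sha256_hex(salt + password.encode())


def store_password(password: str) -> dict:
    """What the database row holds: the salt and the salted hash, never the password."""
    salt = make_salt()
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare.
    compare_digest avoids leaking information through comparison timing."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_hash(attempt, salt), record["hash"])


def demo() -> dict:
    unsalted = {u: unsalted_hash(SHARED_PASSWORD) for u in USERS}
    salted = {u: store_password(SHARED_PASSWORD) for u in USERS}
    return {
        "unsalted_all_equal": len(set(unsalted.values())) == 1,
        "salted_all_distinct": len({r["hash"] for r in salted.values()}) == len(USERS),
        "login_ok": all(verify_password(r, SHARED_PASSWORD) for r in salted.values()),
        "wrong_rejected": not verify_password(salted["alice"], "dragoon"),
    }


if __name__ == "__main__":
    print(demo())
```

A single SHA-256 round is fast enough to brute-force offline; production systems use a deliberately slow password hash (PBKDF2, bcrypt or Argon2) with the same salt-per-user idea.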

Vid 105: Application security

Secure coding concepts

 a balance between time & quality
 Testing and QA process: verifying that the app meets specifications and is secure

Input Validation and Normalization

A major responsibility of developers is input validation: ensuring all incoming data is valid.
Developers should:

 Document all input points, including form fields and file uploads
 Normalize input (i.e., ensure it fits expected formats)

Example: A zip code might need to follow specific patterns (e.g., length, character type). If input
deviates, it should be corrected or rejected.

Attackers use third-party tools such as fuzzers to randomize the input sent to the
app.

Fuzzing and Dynamic Analysis

 Fuzzing, a form of dynamic analysis, is a software testing technique where a program is given
random, unexpected, or invalid data to see if it crashes or behaves incorrectly.
 Other terms include: fault injection, robustness testing, syntax testing, negative testing.
 Attackers are looking for something out of the ordinary: an app crash, a server error, ...

History: Fuzzing began in 1988 as a class project at the University of Wisconsin, led by Prof. Barton
Miller.

Fuzzing:

 Is often automated ( by fuzzing engines )


 Uses many randomized iterations
 Can take significant time and processing power
 Often focuses on likely weak points to speed up testing

Tool Example: CERT’s Basic Fuzzing Framework (BFF) from Carnegie Mellon is a publicly
available tool. (It automates the process of sending random or malformed input to a program and
watches for crashes, errors, or abnormal behavior.)
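The zip-code normalization example from the Input Validation notes and the fuzzing described above, combined into one added example (not code from the original notes or from BFF): a normalize-then-validate function, a constructed "before" version with a defect, and a minimal fuzzer that reports any input producing something other than a clean result or a clean rejection. The zip format rules and the fuzzer's input generators are assumptions for the example.

```python
import random
import re
import string

ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")


def normalize_zip(raw) -> str:
    """Normalize, then validate, a US ZIP code (assumed format: 12345 or 12345-6789).
    Accepts ' 12345 ', '12345-6789' and '123456789'; raises ValueError for anything else."""
    if not isinstance(raw, str):
        raise ValueError("zip must be a string")
    value = raw.strip().replace(" ", "")
    if len(value) == 9 and value.isdigit():
        value = value[:5] + "-" + value[5:]     # normalize ZIP+4 without a dash
    if not ZIP_RE.fullmatch(value):
        raise ValueError(f"invalid zip: {raw!r}")
    return value


def buggy_normalize_zip(raw) -> str:
    """Constructed 'before' version: it assumes the input is a string and only checks
    length, so some inputs crash with an unexpected exception instead of being rejected."""
    value = raw.strip()
    if len(value) == 9:
        return value[:5] + "-" + value[5:]
    if len(value) not in (5, 10):
        raise ValueError("invalid zip")
    return value


def fuzz(target, iterations: int = 2000, seed: int = 1) -> list:
    """Minimal fuzzer: feed random and malformed inputs and record every case where the
    target neither returns nor raises the documented ValueError (the 'app crash' a
    fuzzer is looking for). The seed makes a run reproducible."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        kind = rng.randrange(4)
        if kind == 0:       # arbitrary printable junk
            sample = "".join(rng.choice(string.printable) for _ in range(rng.randrange(0, 20)))
        elif kind == 1:     # near-valid: digits, dashes and spaces only
            sample = "".join(rng.choice("0123456789- ") for _ in range(rng.randrange(0, 15)))
        elif kind == 2:     # missing field
            sample = None
        else:               # wrong type (e.g. form framework passed an int)
            sample = rng.randrange(10**9)
        try:
            target(sample)
        except ValueError:
            pass            # expected rejection of bad input
        except Exception as exc:
            crashes.append((sample, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    print("hardened:", fuzz(normalize_zip))
    print("buggy   :", fuzz(buggy_normalize_zip)[:5])
```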

Cookies and Browser Security

Cookies are used by browsers to store: session data, preferences, tracking info.

Cookies are not executable, and generally not a direct security risk, but should be protected from
unauthorized access.

 Secure cookies include an attribute that forces transmission over encrypted HTTPS.
 However, cookies should not contain private or sensitive information.

HTTP Secure Headers

To enhance application security, web servers can use HTTP Secure Headers to control browser
behavior.

These headers can:

 Force HTTPS usage to ensure encrypted communication


 Restrict scripts, stylesheets, or images to load only from the web server (mitigates XSS)
 Block content from being loaded into an <iframe> (another XSS defense)

Code signing

There's always a risk of the application being tampered with.

To validate the authenticity of an application, we use code signing (digital signatures):

 A certificate authority (CA) signs the developer’s public key


 The developer signs their code with a private key
 Users validate the code with the developer’s public key

 This confirms the code hasn’t been altered since it was signed.

Allow Lists and Deny Lists

Admins may use application control mechanisms such as:

 Allow lists (whitelists): Only pre-approved apps can run


 Deny lists (blacklists): Only blocked apps are prevented from running

Decisions of allow and deny lists are made in the OS based on :

1. Hash of the application


2. Digital signature (e.g., only allow signed apps from trusted vendors like Microsoft or Cisco)
3. File location (e.g., only run apps from specified folders)
4. Network zone (e.g., apps from internal servers allowed, external blocked)

Static Application Security Testing (SAST)

Because manual code review is difficult, developers use SAST tools (static analyzers) to
automatically scan source code for vulnerabilities like buffer overflows, SQL/DB injection, and known
coding flaws.

 SAST doesn't catch everything (e.g., insecure encryption implementation)


 False positives are possible—each issue flagged must be manually verified

Example: A static analyzer may report:

 On line 32: Missing buffer overflow checks; suggests using fgets()


 On line 56: Other insecure code practices
 Could give some good practices to fix these problems

These must be reviewed and corrected before deployment.


Vid 105: Application hardening
 Application hardening is an overall term for “hardening” or protecting an app against
intrusions by eliminating vulnerabilities and increasing layers of security
 Application hardening minimizes attack surfaces, reducing the chances for attackers to
exploit applications.
 It protects against both known and unknown attack vectors.
 Hardening may be influenced by third-party requirements or compliance
mandates, such as:
o HIPAA (for healthcare)
o PCI DSS (for credit card data protection)

Resources for Hardening Guidance

 CIS (Center for Internet Security)


 SANS (SysAdmin, Audit, Network, and Security Institute)
 NIST (National Institute of Standards and Technology)

Open ports and services

 Limit open network ports using firewalls:

o Close all ports except those necessary for the application.


o Use next-generation firewalls to restrict traffic by IP, port, and application.

 Be careful of unused or unknown services (installed with the OS or from other applications);
they use ports that you don't know are open.
 Software installations and default OS configurations may open unnecessary ports.
 Developers may sometimes request to open all ports (0–65535), which is unsafe.
 Use tools like Nmap (Network Mapper: an open-source Linux command-line tool that is
used to scan IP addresses and ports in a network and to detect installed applications) to scan
and verify open ports, and restrict access accordingly.

Windows Registry Hardening

 The Windows registry is a centralized, hierarchical database that manages resources and
stores configuration settings for Windows and the applications on that Windows operating
system.
 Registry changes during app installation can introduce vulnerabilities.
 Use third-party tools to compare registry before and after installation of application.
 Registry configurations can:
o Control permissions
o Enable/disable app behavior
o Disable vulnerabilities (e.g., SMBv1)
 Back up the registry before making changes (installation, ...)—errors can disrupt the OS or apps.

Storage Encryption

 Prevent access to app data files (file system encryption)


 Use full disk encryption (FDE) to protect data:
o Encrypt everything on the drive
o Windows BitLocker , FileVault are some examples.
 Self-encrypting drive(SED) :
o Hardware-based full disk encryption
o No OS needed
o SEDs should conform to the Opal standard for secure implementation.

Operating System Hardening

 Applies to Windows, Linux, macOS, Android, iOS, etc.


 Core practices:
o Keep OS updated with latest security patches and service packs.
o Harden user accounts:
 Enforce strong password policies.
 Limit permissions to what’s necessary for job roles.
o Restrict network and device access to/from other systems.
o Continue using antivirus, antimalware, and endpoint protection tools.

Patch Management

 A patch is a small update to a software or system that fixes a bug, closes a security hole, or
improves performance.
 Built into most modern operating systems.
 Monthly updates (e.g., “Patch Tuesday”) help manage and standardize patch deployment.
 Third-party applications and device drivers must also be updated.
 Avoid auto-updates in enterprise environments:
o IT departments test updates first, then push them after validation.
 Emergency/zero-day patches should be deployed immediately to block active threats.

Sandboxing

 Sandboxing is the process or technique of running code or apps inside a sandbox — to
isolate them from the rest of the system.
 Sandboxing restricts applications from accessing data outside their environment.
 Used in both development and production environments.
 Examples:
o Virtual machines are sandboxed from each other and the host.
o Mobile browsers can’t access data without user permission.
o Browsers isolate content like iFrames from one another.
o In Windows there is extensive sandboxing, especially relating to User Account
Control.
o Windows UAC (User Account Control) is a security feature in Windows that
helps prevent unauthorized changes to the operating system; like a sandbox, it
restricts app permissions until user approval is given.

3.3 – Secure Network Designs

Vid 107: Load balancing


What is Load Balancing?

 Load balancing distributes traffic across multiple servers.


 Instead of just one server handling all visitors, the load balancer spreads requests across
many.
 This makes the service more scalable, reliable, and efficient.

Scalability and High Availability

 Load balancing allows websites and services to scale up.


 Large companies use it to balance traffic across web servers, DB servers, ...

Fault Tolerance / Redundancy

 If one server fails, the load balancer will stop sending traffic to that server.
 Traffic continues to the remaining healthy servers.
 The end user won’t notice the failure — the service remains up.

TCP Offloading

 Load balancers can handle TCP overhead (like handshake, session setup).
 This reduces work for backend servers.
 Result: More efficient and faster communication between servers and the load balancer.

SSL Offloading

 SSL/TLS encryption and decryption requires CPU resources.


 The load balancer can do the encryption/decryption instead of each server.
 After that, unencrypted (in-the-clear) traffic goes from the load balancer to the backend
servers.
 This is safe within a secured data center.

Caching Services

 Load balancers can cache common responses.


 If a user requests something already in the cache, the load balancer can respond immediately
— no need to contact a server.
 This improves performance and reduces server load. ( fast response )

Quality of Service (QoS)

 Load balancers can prioritize traffic.


 Example: Give higher priority to video streaming over file downloads.
 Helps ensure critical applications stay responsive.

Content Switching

 Different types of requests can go to different backend servers.


 For example:
o Web traffic → Server A
o Database traffic → Server B
 Based on content, load balancer routes accordingly.
Load Distribution Methods
a) Round Robin

 Requests are distributed in a circular pattern:


o User 1 → Server A
o User 2 → Server B
o User 3 → Server C
 Ensures equal distribution of requests.

b) Weighted Round Robin

 Some servers get more traffic based on their capacity.


 Example:
o Server A is more powerful → gets 50% of traffic
o Server B and C share the rest

c) Dynamic Round Robin

 The load balancer monitors server usage in real-time.


 New requests go to the least busy server.
 More intelligent than regular round robin.

d) Active/active load balancing :

 Where all of these servers are active simultaneously


 if one of these servers happens to fail, all of the other servers can then pick up the load and
continue to operate without anyone on the outside knowing that there's a problem
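The four distribution methods above, implemented as an added example (not code from the original notes): round robin, weighted round robin with the 50% example from the notes, dynamic round robin choosing the least busy server, and a health check that stops sending traffic to a failed server. Server names and weights are constructed.

```python
from collections import Counter


class Backend:
    """Constructed model of one server behind the load balancer."""

    def __init__(self, name: str, weight: int = 1):
        self.name = name
        self.weight = weight     # relative capacity, used by weighted round robin
        self.healthy = True      # flipped by health checks
        self.active = 0          # in-flight requests, used by dynamic round robin


class LoadBalancer:
    def __init__(self, backends):
        self.backends = backends
        self._counter = 0        # position in the round-robin rotation

    def _healthy(self):
        pool = [b for b in self.backends if b.healthy]
        if not pool:
            raise RuntimeError("no healthy backends")
        return pool

    def mark_down(self, name: str) -> None:
        """Health check failed: stop sending traffic to this server (fault tolerance)."""
        for b in self.backends:
            if b.name == name:
                b.healthy = False

    def pick(self, method: str) -> Backend:
        pool = self._healthy()
        if method == "round_robin":
            chosen = pool[self._counter % len(pool)]
            self._counter += 1
        elif method == "weighted_round_robin":
            # Each server appears `weight` times per rotation: A,A,B,C for weights 2,1,1
            rotation = [b for b in pool for _ in range(b.weight)]
            chosen = rotation[self._counter % len(rotation)]
            self._counter += 1
        elif method == "dynamic_round_robin":
            # Real-time load: the request goes to the least busy healthy server
            chosen = min(pool, key=lambda b: b.active)
        else:
            raise ValueError(f"unknown method {method!r}")
        chosen.active += 1
        return chosen

    def release(self, backend: Backend) -> None:
        """Request finished; the server has one fewer in-flight connection."""
        backend.active -= 1


def simulate(lb: LoadBalancer, method: str, requests: int) -> Counter:
    """Distribute short requests and count how many each server received."""
    counts = Counter()
    for _ in range(requests):
        b = lb.pick(method)
        counts[b.name] += 1
        lb.release(b)
    return counts


if __name__ == "__main__":
    lb = LoadBalancer([Backend("A", weight=2), Backend("B"), Backend("C")])
    print("weighted:", simulate(lb, "weighted_round_robin", 8))
    lb.mark_down("B")
    print("after B fails:", simulate(lb, "round_robin", 6))
```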

Session Persistence (Affinity / Sticky Sessions)

 In computing, affinity refers to assigning or linking a task (like a program or process) to a
specific CPU core or processor.
 Some applications need the same user to always connect to the same server.
 Load balancer uses:
o Session ID
o Or IP address + port
 Ensures continuity of the session.

Example:

 User 1 gets assigned to Server A.


 Even in future requests, that user will go to Server A as long as the session is active.

Load Balancer Modes


a) Active-Active Mode

 All servers are active and handling traffic.


 If one server fails, the rest continue to handle the load.
 This is very efficient and fault-tolerant.

b) Active-Passive Mode

 Only some servers are active.


 Others are on standby (passive).
 If an active server fails, a standby server becomes active automatically.
 Example:
o Server A fails → Server C (standby) becomes active.

Vid 108: Network segmentation


What is Network Segmentation?

Network segmentation is the practice of dividing a network into smaller parts to improve security,
performance, and manageability ( compliance ). It controls which devices or services can
communicate with each other.

Types of Segmentation

A. Physical Segmentation

 Devices are on physically separate switches with no direct connection.


 Sometimes called an air gap — literally just air between devices.
 If communication is needed, a router or firewall must be introduced ( physical
communication).

Use cases:

 Separate customer networks.


 Isolate web servers from database servers.

Challenges :

 We have 2 (for example) separate physical switches that have to be separately:
o Maintained
o Upgraded
o Powered
 We can't use all of the capabilities of a switch (for example) -> spend a lot of money

B. Logical Segmentation

 Uses VLANs (Virtual LANs) to create separation within a single switch.


 Behaves as if devices are on different switches even though they share the same physical
hardware.
 Cannot communicate between VLANs without a layer 3 device/router

Benefit:

 More efficient use of hardware; no need for multiple physical switches.

C. Virtual Segmentation
 Used in virtual environments to isolate application instances or virtual machines.
 Often used for performance or security (e.g., isolating database VMs from frontend VMs).

Network Zones

A. Screened Subnet / DMZ

 A separate network (not the internal LAN) exposed to the internet.


 Hosts public-facing services (web, mail, etc.).
 Protects internal network from external access.
 Users from the internet access only the DMZ, not the internal LAN.

B. Extranet

 Similar to a DMZ, but designed for partners, vendors, or third parties.


 Usually requires authentication to access.
 Controlled access to specific resources, not full internal access.

C. Intranet

 An internal-only network, accessible only to employees or authenticated internal users.
 Private network
 Contains confidential resources like HR tools, internal documents.
 Not accessible from the internet unless via VPN.

Data Center Traffic Segmentation

Direction-Based Traffic:
 East-West Traffic: Communication between devices within the same data center.
o Example: Web server talking to a file server.
o Fast and internal.
 North-South Traffic: Traffic entering or leaving the data center.
o Typically from external users or clients.
o Needs stricter security checks due to potential untrusted sources.

Security

Challenge: Trust Model

Traditional Model:

 Devices inside the network were implicitly trusted.


 Lack of internal security controls made lateral movement easy for attackers once inside.

Zero Trust Model:

 Trust nothing, verify everything.


 Every device, user, and data flow is considered untrusted by default.
 Security measures include:
o Multifactor authentication (MFA)
o Encryption of internal traffic
o Internal firewalls and strict access control
 Applies authentication and verification even for internal communication.

Vid 109: Virtual private networks


What is a VPN?

A Virtual Private Network (VPN) securely transmits data over a public network (like the Internet).
It creates an encrypted tunnel between two points so that no one in between can view or tamper
with the data.

VPN Core Component: VPN Concentrator

 The VPN concentrator handles:


o Encryption of outgoing data.
o Sending it out over the network
o Decryption of incoming data.
 It may be a dedicated device or integrated into another device like a firewall.
 Available as:
o Hardware appliances
o Software-based solutions

VPN Clients

 The end-user device runs a VPN client that handles encryption/decryption.


 The client may be:
o Standalone software
o Built into the OS
 VPN clients are activated:
o Manually (on demand)
o Or automatically on login (always-on VPN)

Use Case Example

 You're at a coffee shop, hotel, or home.


 You need to access the corporate network securely.
 Without VPN, data is exposed on the internet.
 With VPN:
o You start the VPN client, creating a secure tunnel to the VPN concentrator at your
corporate network.
o All data is decrypted by the concentrator and enters the internal network securely.
o Reverse traffic is encrypted by the concentrator and decrypted by your client.

Types of VPNs
A. SSL VPN (Secure Sockets Layer VPN)

 Communicates over TCP port 443 (standard HTTPS).


 Works even in restrictive networks.
 Ideal for remote users accessing from various locations.
 Benefits:
o No special client needed — can run in a browser.
o Uses username/password and possibly 2FA (not digital certificates).
 Can be client-based or clientless.

B. HTML5 VPNs
 Includes comprehensive API support and web cryptography
 Just start your browser that supports HTML5 (no client or app installation
needed)
 The communication will be directly to the VPN concentrator

C. Full Tunnel vs. Split Tunnel

Full Tunnel:

 All traffic, including internet-bound, is routed through the VPN.
 The VPN concentrator decrypts the traffic and decides where the data goes.
 Provides maximum security, but adds bandwidth and latency overhead.

Split Tunnel:

 Only specific traffic (e.g., corporate resources) goes through the VPN.
 Other traffic (like web browsing) goes directly to the internet.
 Reduces VPN load but may introduce security risks.

D. Site-to-Site VPN

 Connects entire networks, not just individuals.
 Used between:
o Corporate network and a branch office
o Two data centers
 Always-on or on-demand connection.
 Often built between firewalls that act as VPN concentrators.

Site-to-Site VPN Technologies


A. L2TP (Layer 2 Tunneling Protocol)

 Many site-to-site VPNs are implemented using L2TP.
 Connects two networks over a Layer 3 network (routed communication across networks) as if they were on the same Layer 2 network (local area communication, i.e., the same LAN).
 Often combined with IPsec for encryption (L2TP over IPsec, or L2TP/IPsec).

B. IPsec (Internet Protocol Security)

 Provides authentication, encryption, and data integrity at Layer 3 (IP): encryption and packet signing.
 Standards-based → compatible across vendors.
 Supports anti-replay protection (via sequence numbers).

IPsec Modes:

1. Transport Mode:
o Encrypts only the data payload
o Leaves the original IP header unencrypted
o Used for end-to-end communication where IP addresses don't need to be hidden.
2. Tunnel Mode:
o Encrypts the entire original packet (IP header + data)
o Adds a new IP header to route the encrypted packet.
o Common for site-to-site VPNs

IPsec Protocols
1. AH (Authentication Header)

 Used between two devices (e.g., computer ↔ server).
 Uses hashing (e.g., SHA-2) + a shared secret key.
 Provides data integrity (hash), authentication (shared key), and anti-replay protection (sequence number).
 Does not encrypt the data.

2. ESP (Encapsulating Security Payload)

 Used between two networks or gateways (e.g., router ↔ router in a VPN).
 Provides encryption, authentication, and integrity.
 Uses:
o AES for encryption
o SHA-2 for integrity
 Adds ESP headers/trailers and integrity check values.

Combined Usage of AH and ESP

 AH ensures data hasn't been altered (auth + integrity).
 ESP ensures confidentiality (encryption).
 Can be used together in transport or tunnel mode depending on security needs.
 The integrity check value (ICV) is a value added to the packet that ensures the data hasn't been modified or tampered with.
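The two IPsec checks described above, the integrity check value and the sequence-number anti-replay window, as an added example that is not from these notes or from any IPsec implementation. It uses HMAC-SHA256 as the ICV and a 64-slot sliding bitmap in the spirit of RFC 4303; the key, packets and sequence numbers are constructed for the demo.

```python
# Added example (not from the original notes, and not any IPsec implementation's
# code): a simplified model of the per-packet checks AH and ESP perform. The ICV
# is HMAC-SHA256 over sequence number + payload; anti-replay is a 64-slot sliding
# bitmap window. Key, packets and sequence numbers are constructed for the demo.
import hashlib
import hmac
import struct

WINDOW_SIZE = 64  # slots in the anti-replay window (a constructed choice)


def compute_icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity check value: keyed hash over the sequence number and payload.
    (Real AH also covers the IP header; ESP covers the ESP header and ciphertext.)"""
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()


def build_packet(key: bytes, seq: int, payload: bytes):
    """Sender side: attach the ICV so the receiver can detect tampering."""
    return (seq, payload, compute_icv(key, seq, payload))


class ReplayWindow:
    """Sliding window over sequence numbers. Bit i of the bitmap records whether
    sequence number (highest - i) has already been accepted."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                 # sequence number 0 is never valid
        if seq > self.highest:           # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                 # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False                 # already accepted once: a replay
        self.bitmap |= 1 << offset       # late but fresh: accept and remember it
        return True


def receive(key: bytes, window: ReplayWindow, packet) -> str:
    """Receiver side: verify the ICV first so forged packets cannot move the window."""
    seq, payload, icv = packet
    if not hmac.compare_digest(compute_icv(key, seq, payload), icv):
        return "drop: bad ICV"
    if not window.accept(seq):
        return "drop: replay or outside window"
    return "accept"


def demo():
    key = b"constructed-shared-secret"   # in practice negotiated by IKE, never hard-coded
    window = ReplayWindow()
    stream = [build_packet(key, s, b"data%d" % s) for s in (1, 2, 3)]
    stream.append(stream[1])                                         # replayed copy of seq 2
    stream += [build_packet(key, s, b"data%d" % s) for s in (5, 4)]  # reordered, still in window
    seq, payload, icv = build_packet(key, 6, b"data6")
    stream.append((seq, payload + b"!", icv))                        # payload altered in transit
    stream.append(build_packet(key, 70, b"data70"))                  # far ahead: slides the window
    stream.append(build_packet(key, 5, b"data5"))                    # valid ICV, but now outside the window
    return [receive(key, window, p) for p in stream]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```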
Vid 110: Port security

Port Security (Physical Interfaces, Not TCP/UDP)

 This video discusses physical ports on switches/routers, not TCP/UDP ports.
 Port security focuses on controlling which devices can connect to the network physically via these ports, in order to:
o Maintain uptime and availability.
o Limit overall network traffic.
o Control specific traffic types.
o Remove unwanted traffic.

Broadcast Traffic Challenges

 Broadcasts: Packets sent from one device to all devices on the same network segment.
 Every device must process each broadcast, which:
o Consumes bandwidth.
o Wastes resources.

Broadcast Domains

 Broadcasts are limited to the same VLAN (Virtual Local Area Network).
 VLANs contain broadcasts within a segment, improving efficiency.
 IPv4 often uses broadcasts for protocols like:
o ARP (Address Resolution Protocol)
o Routing updates
 IPv6, in contrast, uses multicast (sends data to a specific group of devices that have joined that group) instead of broadcast, making traffic easier to manage.

Controlling Broadcasts

 Managed switches allow control of:
o Broadcasts
o Multicasts
o Unicasts
 Admins can:
o Limit the broadcast rate (e.g., 100 or 1000 per second).
o Set thresholds to detect sudden spikes and automatically block excessive broadcasts.

Layer 2 Loops and Spanning Tree Protocol (STP)

 Layer 2 networks lack built-in mechanisms to prevent loops.
 Loops can be created accidentally by misconnecting cables, especially in dense wiring closets, and can bring down a network.

Spanning Tree Protocol (STP)

 Defined in IEEE 802.1D, created by Radia Perlman.
 Purpose: prevent loops in switched networks.
 STP blocks certain ports (marked BP for Blocked Port) to eliminate loop paths.

Example Topology:

 Multiple bridges/switches interconnect networks (e.g., Network M, J, B, C, Y).
 Without STP, traffic could loop endlessly.
 With STP, certain ports are disabled to stop looping paths.

Handling Failures with STP

 STP monitors links. If a path fails:
o STP converges, recalculates paths, and activates previously blocked ports.
o Ensures continued communication with no loops.
o E.g., if the path from Network M to Y breaks, STP finds a new route via other bridges.

Spanning Tree Performance and PortFast

 STP introduces a delay (20–30 seconds) during initial port activation.
 This delay is unnecessary for single end devices (e.g., PCs).

PortFast (Cisco's name for the feature)

 Speeds up connection for end devices by bypassing the STP delay.
 Risky if someone plugs in a switch, potentially creating a loop.

BPDU Guard

 Protects PortFast-enabled ports.
 BPDU (Bridge Protocol Data Unit) frames are special messages exchanged between network switches to prevent loops in a Layer 2 (Ethernet) network.
 If BPDU frames are detected on such a port (indicating a switch), the port is disabled to prevent a loop.

DHCP Snooping

 DHCP (Dynamic Host Configuration Protocol) is a network service that automatically gives IP addresses to devices when they connect to a network, so you don't have to configure them manually.
 Attackers can plug in unauthorized DHCP servers, causing:
o Denial of service
o Security risks
 Switches include software that can detect these problems (DHCP snooping).
 DHCP snooping:
o Configures trusted and untrusted ports (interfaces).
o Blocks DHCP offers from untrusted interfaces.

MAC Filtering

 Based on the Media Access Control (MAC) addresses of devices.
 MAC filtering lets the administrator of the device allow or disallow traffic based on the MAC address communicating through the network.
 Switches can:
o Allow/deny traffic from specific MAC addresses.
o Prevent unauthorized devices from joining the network.

Limitations of MAC Filtering

 MAC addresses are visible (no encryption at Layer 2).
 Attackers can:
o Capture allowed MAC addresses.
o Spoof their device's MAC to match an allowed one.
 Therefore, MAC filtering offers weak security.
o Considered "security through obscurity".
o More useful as an administrative control than as strong security.

Vid 111: Secure networking

DNS Security and DNSSEC

 DNS was originally created with no built-in security.
 DNSSEC (Domain Name System Security Extensions) adds:
o Origin authentication – confirms DNS responses are from a legitimate server.
o Data integrity – ensures DNS responses aren't altered.
o Achieved via digital signatures and public key cryptography; each DNS record is signed.

DNS as a Security Tool

 DNS can help protect endpoints by:
o Redirecting DNS queries for malicious sites to a sinkhole address.
 Prevents users from reaching harmful destinations.
 Enables logging/reporting of infected devices attempting access.
o Acting as content filtering: blocks access to known malicious or unwanted sites (prevents queries to unwanted sites).

Out-of-Band Management (OOBM)

 It’s a method or strategy that uses a separate, dedicated path to manage devices — outside
the main (production) network.
 Used when normal network access is down.
 Devices (switches, routers, firewalls) often have separate management interfaces (serial,
USB, or Ethernet).
 Admins can connect via modem or cellular connections.
 In large environments, a console router/comm server can centralize this access.

Application-Aware Network Monitoring

 Networks carry diverse device types and application types (real-time, streaming, web apps).
 Each app has different needs:
o Voice over IP (VoIP): real-time, needs low latency.
o Streaming video: uses buffering, can tolerate delay.
o Database/web apps: interactive, require quick response.
 Admins assign priority levels to traffic:
o VoIP > streaming video > web browsing.
o Based on latency, bandwidth, and traffic needs.
 This prioritization is called QoS (Quality of Service).
 QoS can be implemented in switches, routers, or next-gen firewalls.

IPv6 and Security Enhancements

 IPv6 was designed with more security in mind than IPv4.
 Benefits include:
o Larger address space (128-bit addresses vs. 32-bit for IPv4) makes port/interface scans harder.
o No need for NAT/PAT due to the vast number of IPs, simplifying communication. (In IPv4, because of the limited number of addresses, we often use NAT (Network Address Translation) to let many devices share one public IP.)
o ARP removed – eliminates ARP spoofing vulnerabilities.
 However, IPv6 has its own risks:
o Example: Neighbor Cache Exhaustion can disrupt communication.

Taps and Port Mirroring

 Useful for monitoring, but they also pose security risks.
 Taps: hardware placed between connections to copy traffic.
o Example: a DS3 tap with separate lines for transmit/receive and monitor output.
 Port mirroring (software-based):
o Also called port redirection or SPAN.
o Built into switches (Cisco term: SPAN – Switched Port Analyzer).
o Copies traffic from one port to another for monitoring.

Continuous Security Monitoring

 Done by monitoring services (an organization that monitors the security of your network by performing ongoing security checks) or Security Operations Centers (SOCs):
o 24/7 oversight of network traffic and threat detection.
o Ensure systems are patched and compliant (e.g., HIPAA, PCI-DSS).
o Can quickly identify threats and react to attacks, even outside business hours.

File Integrity Monitoring (FIM)

 Detects unauthorized changes to files (e.g., system/OS files).
 Windows: use SFC (System File Checker) to verify system file integrity.
 Linux: use Tripwire for real-time FIM.
 Some host-based intrusion prevention systems (HIPS: software installed on individual computers or servers to monitor and block potential security threats in real time) also include FIM capabilities.
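How a file integrity monitor of the kind described above works, as an added example that is not from these notes and not the code of Tripwire or SFC: a SHA-256 baseline of a directory tree is stored, and a later snapshot is compared against it. The directory tree and the tampering scenario are constructed in a temporary directory so it runs offline.

```python
# Added example (not from the original notes, not Tripwire's or SFC's code): a
# minimal file integrity monitor. It baselines content hash, size and permission
# bits of every file under a root, then reports modified, added and removed files.
# The tree and the tampering scenario below are constructed in a temp directory.
import hashlib
import json
import os
import tempfile


def file_digest(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot every file under root: content hash, size and permission bits."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"sha256": file_digest(full),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o777}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    # Keep the stored baseline where the monitored host cannot rewrite it
    # (read-only media or a remote server); otherwise it can simply be re-baselined.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Files whose hash, size or mode changed, plus additions and removals."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def _write(root: str, rel: str, data: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then change it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store_dir:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "bin/ls", "pretend this is a binary\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        store = os.path.join(store_dir, "baseline.json")  # separate from the monitored tree
        save_baseline(build_baseline(root), store)
        # Changes the monitor should catch on the next run:
        _write(root, "bin/ls", "pretend this is a replaced binary\n")   # binary replaced
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")    # config weakened
        _write(root, "bin/extra", "unexpected new file\n")              # file added
        os.remove(os.path.join(root, "etc/hosts"))                      # file removed
        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```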

Vid 112 : Firewalls

 A firewall controls the flow of traffic — both inbound and outbound.
 Some firewalls include:
o Content filtering to control what internet content users can access.
o Antivirus/antimalware detection.

Traditional vs. Next Generation Firewalls

 Traditional firewalls control traffic using IP addresses and port numbers.
 Next Generation Firewalls (NGFWs) can:
o Identify applications in traffic flows.
o Act as VPN endpoints for secure remote communication.
o Replace routers with Layer 3 (network) functionality and NAT.
o Support dynamic routing, route redistribution, and more.

Stateless vs. Stateful Firewalls

Stateless Firewalls:

 Don't know that a response to our request to a server is expected.
 Don't track sessions or flows.
 Require separate rules for each traffic direction.
 Example:
o Rule 1: Jack (10.1.1) → SGC Web Server (10.10.10) on TCP port 80 → Allowed.
o Rule 2: Web Server (10.10.10) → Jack (10.1.1) on any TCP port → Also Allowed.
 Problem: An attacker can send unsolicited data from the server to Jack, and it will be allowed if it matches the rule.

Stateful Firewalls:

 More intelligent about how they allow traffic through the network.
 Track session states.
 Only need one rule to allow the initial connection.
 Automatically allow return traffic if it is part of an established session.
 More secure, so it is the default firewall type that you'll use.
 Example:
o Jack initiates a session → Allowed.
o Server replies → Allowed because the session is in the state table (a table created when the session is initiated).
 Unsolicited traffic (e.g., from an attacker) that doesn't match any active session and uses a different TCP port is denied.

UTM – Unified Threat Management

 A newer generation beyond firewalls that just allow or disallow traffic.
 UTM devices (aka Web Security Gateways) combine:
o URL filtering
o Content inspection
o Malware detection
o Spam filtering
o WAN interface options (CSU/DSU)
o Routing & switching
o Firewall, IDS/IPS, VPN, bandwidth shaping
 Problem: Often required integrating features from different vendors, which caused compatibility issues.

Next Generation Firewalls (NGFW)

 Replaced UTMs in many networks.
 Application-layer firewalls: understand traffic based on application behavior, not just ports/IPs.
 Other names:
o Application Layer Gateways
o Stateful Multi-layer Inspection Devices
o Deep Packet Inspection Devices
 Can:
o Identify apps (e.g., BitTorrent, Blackboard, browsing).
o Apply application-specific security rules.
o Include intrusion prevention systems (IPS: a security device or software that monitors network traffic for threats and stops or blocks them), URL filtering, etc.
 Every packet is analyzed and categorized.
 NGFWs are network-based firewalls: they can look at all of the traffic going through and show, for example, how much is web browsing and how much is Blackboard communication.

Web Application Firewall (WAF)

 Special firewall for HTTP/HTTPS applications.
 Not based on IPs/ports like regular firewalls or NGFWs.
 Blocks based on input content, e.g.:
o SQL injection
o Cross-site scripting (XSS)
 Required for PCI DSS compliance (e.g., for online credit card payments).
 Example log:
o XSS attempt → Blocked.
o SQL injection → Blocked.
o Web server error 405 → Hidden from the user but logged.

Firewall Rule Bases and ACLs

 A firewall uses a rule base (also called a security policy or access control list – ACL: a list of rules that the firewall follows to decide whether information should be allowed through or denied).
 Rules are based on tuples (groupings of info):
o Source IP, destination IP, port, protocol, application, time of day, etc.
 Rules are evaluated top to bottom (starting at the very top of the rule base until we find the rule that matches the characteristics of that flow).
 Once a rule matches, it allows or denies the traffic.
 Most firewalls have an implicit deny at the end: once you get to the bottom of the rule base and nothing has matched, none of that data is allowed through the firewall.
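The rule-base evaluation just described (first match wins, implicit deny at the bottom) and the stateless-versus-stateful difference from the Jack / web-server example, as one added example that is not from these notes or from any vendor's firewall. The addresses are the ones the notes use; the port numbers and packet sequence are constructed.

```python
# Added example (not from the original notes and not any vendor's firewall code):
# a toy packet filter that walks a rule base top to bottom with an implicit deny,
# run first statelessly and then with a state table. Hosts reuse the notes' Jack /
# web-server example; port numbers and the packet sequence are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True only on the first segment of a new TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and self.proto in ("any", p.proto))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins. Falling off the bottom is the implicit deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    # No memory of earlier packets: each direction needs its own rule.
    return evaluate(rules, p)


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple] = set()   # established sessions as 5-tuples

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.dst, p.sport, p.dport, p.proto)
        reverse = (p.dst, p.src, p.dport, p.sport, p.proto)
        if flow in self.state or reverse in self.state:
            return "allow"        # return traffic of a session in the state table
        if p.proto == "tcp" and not p.syn:
            return "deny"         # mid-stream segment with no session: unsolicited
        if evaluate(self.rules, p) == "allow":
            self.state.add(flow)  # remember the new session
            return "allow"
        return "deny"


JACK, WEB = "10.1.1", "10.10.10"   # addresses written as in the notes' example

SAMPLE_PACKETS = [
    Packet(JACK, WEB, 51000, 80, syn=True),   # Jack opens the web session
    Packet(WEB, JACK, 80, 51000),             # the server's reply
    Packet(WEB, JACK, 4444, 3389, syn=True),  # unsolicited connection from the server side
    Packet(JACK, WEB, 51001, 443, syn=True),  # no rule for 443: implicit deny
]


def stateless_demo() -> List[str]:
    rules = [Rule("allow", JACK, WEB, 80, "tcp"),    # rule 1
             Rule("allow", WEB, JACK, None, "tcp")]  # rule 2, needed only for replies
    return [stateless_filter(rules, p) for p in SAMPLE_PACKETS]


def stateful_demo() -> List[str]:
    fw = StatefulFirewall([Rule("allow", JACK, WEB, 80, "tcp")])  # rule 1 alone suffices
    return [fw.filter(p) for p in SAMPLE_PACKETS]
```

The third packet is the one the notes warn about: rule 2 lets the stateless filter pass it, while the stateful firewall denies it because no session exists and rule 1 does not match.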

Firewall characteristics:

 Open Source vs. Proprietary
o Open-source firewalls:
 Typically work with IP/port rules only (traditional).
 Rarely support deep application inspection.
o Proprietary firewalls:
 More advanced functionality.
 Often include support for application control, next-gen features, better integration, and vendor support.
 Hardware vs. Software
o Purpose-built hardware provides efficient and flexible connectivity options.
o Hardware firewalls offer high performance and are ideal for enterprise environments.
o Software-based firewalls can be installed almost anywhere.
 Appliance vs. Host-based vs. Virtual
o Appliance-Based (Physical) Firewalls
 These are dedicated hardware devices.
 They usually offer the fastest throughput.
 Why? Because they're built with purpose-specific hardware optimized for high-speed and high-connection-volume environments (like enterprise networks).
o Host-Based Firewalls
 These are software firewalls running directly on servers or workstations.
 Since they're integrated into the operating system, they can:
o Identify which applications are running.
o Make security decisions based on the specific applications in use.
 Another key benefit: because they run locally, they can inspect decrypted data (after it's been decrypted from the network).
o Virtual Firewalls
 Best suited for environments with many virtual systems (e.g., data centers or cloud).
 These control traffic within the virtual infrastructure.
 Especially useful for managing east-west traffic (i.e., traffic between virtual machines or servers inside a single data center, not just external traffic).
 A virtual firewall helps control which applications are allowed to communicate between servers inside the virtual network.

Vid 113: Network access control

Edge vs. Access Control

 Control at the edge
o Firewalls are commonly placed at the network edge (the point where your internal network connects to the outside world, such as the internet or another network) to connect the internal network to the internet.
o These firewalls use rules to control traffic.
o Once these rules are configured and tested, they're usually not changed often.
 Access control: beyond the firewall
o Access control means allowing or denying access based on various criteria, not just firewall rules.
o Applies to both:
 Internal users accessing internal resources.
 External users trying to access internal resources.
o Access control rules can be based on:
 Username
 User group
 User location
 Application in use
o Unlike static firewall rules, access control rules can change dynamically without formal change control processes.

BYOD (Bring Your Own Device) Concerns

 In BYOD environments, users connect personal devices (phones, tablets, etc.) to the corporate network: when we allow people access to the network, sometimes they're using equipment that we did not provide to them.
 Security risks:
o Devices may have malware.
o Devices might lack anti-malware protection.
o Devices might run unauthorized applications.

Posture Assessment

 Checking if a device is safe and follows security rules before giving it access to the network.
 Performed when a device connects to the network to evaluate its security posture.
 Checks may include:
o Is the device trusted and pre-configured?
o Is antivirus software installed? Which one? What version?
o Are corporate apps installed, or do they need to be?
o Is data encrypted on mobile devices like laptops or phones?
 Applies to all operating systems: Windows, macOS, iOS, Android, etc.

Posture Assessment Tools

 Tools used to perform posture assessments:

1. Persistent Agents
o Installed permanently on the device.
o Always active when the device connects to the network.
o Requires maintenance and updates.

2. Dissolvable Agents
o Temporarily run on the device during connection.
o Not installed permanently.
o Run the assessment, then self-delete.

3. Agentless Solutions
o Built into the OS (e.g., Windows with Active Directory).
o No extra software needed.
o Limitation: no scheduled health checks (if you want other functionality, it may require a persistent or dissolvable agent).

Network Access Control (NAC) in Action

 Security teams set minimum configuration requirements.
 When a user logs in:
o The NAC system evaluates the device.
o If the device fails the posture check:
 It's moved to a quarantine network.
 The user can install missing software or updates.
o Once resolved:
 The device is re-evaluated.
 If it passes, it's granted full network access.
 If not, the cycle repeats.

Vid 114 : Proxy servers


What is a Proxy Server?

 A proxy server is a device that sits between users and the rest of the network.
 It receives requests from users, makes those requests on their behalf, performs security checks, and then returns the response to the users.
 This setup gives the proxy control over the traffic flow.

Common Proxy Features

 Caching: stores copies of frequently accessed data to improve performance.
 Access Control: requires user authentication (e.g., username and password).
 URL Filtering & Content Scanning: blocks access to malicious or inappropriate content.

Types of Proxy Configuration

1. Explicit Proxy
o Requires manual configuration on user devices (IP address, port).
2. Transparent Proxy
o Invisible to the end-user.
o No manual configuration needed.
o Automatically intercepts traffic.

Application vs. Network-Level Proxies

 Network Address Translation (NAT) on routers acts like a network-level proxy (a proxy that works at the network or transport layer, Layers 3 and 4 of the OSI model).
 Most proxies used in enterprise settings are application-level proxies:
o Understand specific protocols (e.g., HTTP, HTTPS, FTP), one or several at the same time.
o Can create and analyze application-specific requests.

Forward Proxy (a.k.a. Internal Proxy)

 Used by internal users to access external resources (e.g., websites).
 Process:
1. User sends a request to the proxy.
2. Proxy checks for:
 Malicious URLs
 Category-based content filtering
3. If the content is approved:
 Proxy retrieves it from the internet.
 Evaluates and returns it to the user.

Reverse Proxy

 Used by external users (from the internet) to access internal services.
 Common in web hosting and load balancing.
 Process:
1. Internet users send a request to the proxy.
2. Proxy checks if the request is safe.
3. If valid:
 It forwards the request to the internal server.
 Gets the server's response.
 Sends a copy of the response to the external user.

Open Proxy

 A third-party proxy on the internet, open for anyone to use.
 Often used to bypass security restrictions (e.g., firewalls, content filters).
 Major security concern:
o The proxy can alter the traffic (e.g., inject ads, malicious code, or malware).
o User requests can be monitored, logged, or tampered with.

Vid 115: Intrusion prevention

NIDS and NIPS

 A Network-based IDS (NIDS) or, more commonly, a Network-based IPS (NIPS) monitors traffic to:
o Detect known attacks.
o Block or mitigate those attacks (in the case of an IPS).
 Targets attacks on:
o Operating systems
o Application servers
o Known vulnerabilities (e.g., buffer overflows, SQL injection, cross-site scripting).

IDS vs. IPS

 IDS (Intrusion Detection System):
o Detects and alerts on malicious traffic.
o Cannot block traffic in real time.
 IPS (Intrusion Prevention System):
o Can block malicious traffic in real time.
o Often used instead of an IDS even if only alerting is configured.

Deployment Methods

1. Passive Monitoring (Out-of-Band)

 The IPS is not in the direct traffic path.
 Traffic is mirrored from a switch via:
o Port mirror
o SPAN (Switched Port Analyzer)
o Network tap
 The IPS gets a copy of the traffic, examines it, and raises alerts.
 Cannot block traffic directly, but:
o It can perform out-of-band responses, like sending TCP Reset (RST) packets to disrupt malicious flows.
o This only works with TCP, not UDP.

2. In-Line Monitoring (In-Band)

 The IPS is directly in the traffic path.
 All traffic flows through the IPS.
 The IPS can:
o Analyze traffic in real time.
o Block malicious packets before they reach the destination.
 Offers full real-time prevention capability.

Detection Techniques used by IPS

1. Signature-Based Detection

 Looks for known attack signatures (e.g., the Conficker worm).
 If a match is found, traffic is blocked.

2. Anomaly-Based Detection

 Learns what normal traffic looks like over time.
 Detects deviations (e.g., unusual volume or type of traffic).
 Example: sudden file transfers on a low-traffic network.

3. Behavior-Based Detection

 Understands normal application behavior.
 Example: knows how a typical database request should look.
o Can detect SQL injection even without a known signature.

4. AI and Machine Learning

 Advanced IPS systems use big data, AI, and machine learning.
 Can:
o Learn patterns in your specific network.
o Detect novel or subtle threats beyond traditional methods.
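The first two detection techniques in the list above, run over constructed traffic, as an added example that is not from these notes or from any IPS product: a signature match on known-bad input and an anomaly check on per-interval byte volume, with the verdict marked as a block (in-line placement) or only an alert (passive placement). The signatures, baseline volumes and flow records are all constructed.

```python
# Added example (not from the original notes and not any IPS product's code): a
# miniature detection engine combining signature-based and anomaly-based checks,
# recording whether a verdict can be a block (in-line) or only an alert (passive).
# Signatures, baseline volumes and flow records are constructed for the demo.
import re
import statistics
from collections import defaultdict, namedtuple

# One record per request seen in a time interval (constructed, not a real capture).
Flow = namedtuple("Flow", "interval src dst dport nbytes payload")

# Signature-based: patterns for known-bad input, reduced to two illustrative rules.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script\b", re.IGNORECASE),
}


def signature_hits(flow: Flow):
    return [name for name, rx in SIGNATURES.items() if rx.search(flow.payload)]


class VolumeAnomalyDetector:
    """Anomaly-based: learn normal bytes per interval, then flag intervals far above it."""

    def __init__(self, k: float = 3.0):
        self.k = k            # standard deviations above the mean that count as unusual
        self.samples = []

    def train(self, volumes):
        self.samples.extend(volumes)

    def threshold(self) -> float:
        mean = statistics.mean(self.samples)
        sd = statistics.pstdev(self.samples)
        return mean + self.k * max(sd, 1.0)   # floor keeps a flat baseline from being zero-width

    def is_anomalous(self, volume: int) -> bool:
        return volume > self.threshold()


def analyze(flows, detector: VolumeAnomalyDetector, inline: bool):
    """Return (interval, technique, detail, action) tuples. In-line (in-band)
    placement can block; passive (out-of-band) placement can only alert."""
    action = "block" if inline else "alert"
    alerts = []
    volume_per_interval = defaultdict(int)
    for f in flows:
        volume_per_interval[f.interval] += f.nbytes
        for name in signature_hits(f):
            alerts.append((f.interval, "signature", name, action))
    for interval, volume in sorted(volume_per_interval.items()):
        if detector.is_anomalous(volume):
            alerts.append((interval, "anomaly", volume, action))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


def demo(inline: bool = True):
    detector = VolumeAnomalyDetector()
    detector.train([950, 1020, 990, 1080, 940, 1010, 970, 1040])  # a quiet network's normal
    flows = [
        Flow(1, "10.0.0.5", "10.0.0.80", 80, 800, "GET /index.html"),
        Flow(2, "10.0.0.6", "10.0.0.80", 80, 650, "GET /login?user=admin' OR '1'='1"),
        Flow(3, "10.0.0.7", "10.0.0.80", 80, 700, "GET /search?q=<script>x</script>"),
        Flow(4, "10.0.0.8", "203.0.113.9", 443, 50_000_000, "TLS application data"),  # sudden bulk transfer
    ]
    return analyze(flows, detector, inline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```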

Vid 116 : Other network appliances

Secure Network Administration Tools


🔹 Jump Server

 A Jump Server (or Jump Host) allows secure administrative access to internal devices.
 It's typically placed inside a private network.
 Usage flow:
1. Admin connects (e.g., via SSH or VPN) to the Jump Server.
2. From there, they access internal systems: application servers, web servers, databases, etc.
 Security considerations:
o Must be hardened to prevent unauthorized access.
o A compromise of the jump server could expose the internal network, so its protection is critical.

🔹 Hardware Security Module (HSM)

 An HSM is a specialized device for managing cryptographic keys and certificates.
 Common in large environments with many devices needing secure keys.
 Key features:
o Often deployed in clusters with redundancy and multiple power supplies.
o May include specialized cryptographic hardware:
 Either added (e.g., a PCI card).
 Or built in as a purpose-built HSM.
 Functions:
o Secure storage of sensitive keys (e.g., web server private keys).
o Cryptographic acceleration: offloads encryption/decryption from servers.
 The server communicates in the clear, while the HSM handles the cryptographic work.
 Reduces CPU load on the servers.

🔹 Sensors and Collectors

 Large networks use sensors and collectors to centralize monitoring data.
 Sources include:
o Switches, routers, servers, firewalls, etc.
o Devices with logs and statistics useful for network management.

Sensors

 Installed on or within devices.
 Examples:
o Sensors inside an intrusion prevention system (IPS).
o Logs from firewalls, authentication servers, web servers.

Collectors

 Receive and aggregate data from all sensors.
 Present that data on screen.
 Functions:
o Parse and display collected data.
o Can be:
 Proprietary (device-specific, e.g., a firewall collector).
 Generic (works with multiple device types).

 SIEM (Security Information and Event Management)
o A SIEM is a universal log collector and analyzer.
o A SIEM is like a security control room that watches everything happening in your network and raises an alarm when something looks suspicious.
o Combines:
 Logs from switches, routers, servers, and other infrastructure.
o Benefits:
 Centralized visibility across the network.
 Correlation of logs and events from different sources.
 Helps identify broader security incidents or trends.

3.4 Wireless security


Vid 116: Wireless cryptography
