Vulnarex | Elite Cybersecurity Learning Platform

#Defending the Digital Highway: Network Security#link

With the CIA Triad as our guiding framework, we now turn to one of the most critical domains of cybersecurity: network security. Networks are the arteries of every organization — they carry data between users, servers, applications, and the internet. If an attacker gains access to your network, they can potentially reach everything connected to it. In this lesson, you'll learn the fundamental concepts, protocols, and tools that form the backbone of network defense.

How Networks Work: A Security Perspective

To secure a network, you must first understand how it operates. The OSI (Open Systems Interconnection) model describes networking in seven layers, each with its own protocols, functions, and potential vulnerabilities. Security controls can be applied at every layer, and attackers can target any of them.

Layer	Name	Function	Security Relevance
7	Application	User-facing services (HTTP, FTP, SMTP)	Web app attacks, phishing, malware
6	Presentation	Data formatting, encryption, compression	SSL/TLS vulnerabilities, encoding attacks
5	Session	Session management between applications	Session hijacking, token theft
4	Transport	End-to-end communication (TCP, UDP)	Port scanning, SYN floods, TCP hijacking
3	Network	Routing and addressing (IP, ICMP)	IP spoofing, ICMP attacks, route poisoning
2	Data Link	Frame transfer between adjacent nodes (Ethernet)	MAC flooding, ARP spoofing, VLAN hopping
1	Physical	Raw bit transmission over physical medium	Cable tapping, physical access attacks

IP Addressing and Subnetting Basics

Every device on a network has an IP address — a unique identifier that allows it to send and receive data. Understanding IP addressing is fundamental to network security because firewalls, access controls, and monitoring tools all rely on IP addresses to make decisions about what traffic to allow or block.

bash

# View your IP address and network configuration
# On Linux/macOS:
ifconfig
# or
ip addr show

# On Windows:
ipconfig /all

# Test connectivity to a host
ping 8.8.8.8

# Trace the route packets take to a destination
traceroute google.com
# On Windows: tracert google.com

info

💡 IPv4 addresses are 32-bit (e.g., 192.168.1.1), while IPv6 addresses are 128-bit (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334). IPv6 was created because we're running out of IPv4 addresses. Both are in active use today, and security professionals must understand both.

Firewalls: The First Line of Defense

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks like the internet. Firewalls can be hardware-based, software-based, or cloud-based.

▪Packet Filtering Firewall — Examines individual packets against rules (source/destination IP, port, protocol). Fast but limited context awareness.
▪Stateful Inspection Firewall — Tracks the state of active connections and makes decisions based on context. More secure than simple packet filtering.
▪Next-Generation Firewall (NGFW) — Combines traditional firewall capabilities with intrusion prevention, application awareness, deep packet inspection, and threat intelligence feeds.
▪Web Application Firewall (WAF) — Specifically designed to protect web applications by filtering HTTP traffic. Defends against SQL injection, XSS, and other web attacks.

Basic iptables Firewall Rules (Linux)

root@vulnarex:~## Set default policies: drop all incoming, allow outgoing iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # Allow loopback interface iptables -A INPUT -i lo -j ACCEPT # Allow established and related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow SSH (port 22) from a specific IP iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT # Allow HTTP and HTTPS iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Log dropped packets iptables -A INPUT -j LOG --log-prefix "DROPPED: " iptables -A INPUT -j DROP

Network Segmentation and DMZ

Network segmentation is the practice of dividing a network into smaller, isolated segments (subnets) to limit the spread of attacks and control access between zones. A DMZ (Demilitarized Zone) is a special segment that hosts public-facing services (web servers, email servers) — accessible from the internet but isolated from the internal network.

callout

Think of network segmentation like the compartments in a ship. If one compartment floods, the others remain sealed and the ship stays afloat. Similarly, if an attacker compromises one network segment, segmentation prevents them from easily moving laterally to reach critical systems.

Intrusion Detection and Prevention Systems

While firewalls control what traffic enters and leaves the network, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor traffic for signs of malicious activity. An IDS alerts administrators when it detects suspicious behavior, while an IPS can actively block the malicious traffic in real-time.

Feature	IDS	IPS
Action	Detects and alerts	Detects and blocks
Placement	Passive (monitors copy of traffic)	Inline (in the traffic path)
Impact on traffic	None — passive monitoring	Can introduce latency
False positive impact	Alert fatigue	May block legitimate traffic
Example tool	Snort (in IDS mode), Suricata	Snort (in IPS mode), Palo Alto NGFW

STRICT SECURE AUDIT RULE

⚠️ A firewall alone is NOT sufficient for network security. Defense in depth requires multiple layers: firewalls, IDS/IPS, network segmentation, endpoint protection, encryption, access controls, and continuous monitoring. No single tool can protect against all threats.

quiz BLOCK (★ 50 XP)

At which layer of the OSI model does ARP spoofing occur, and what type of attack is it?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

Firewall Rule Analysis