
Study Guide

📖 Core Concepts
- Network Security – Controls, policies, and practices that prevent, detect, and monitor unauthorized access, misuse, modification, or denial of network resources.
- Authentication Factors – Something you know: password/username (1‑factor). Something you have: token, dongle, mobile phone (2‑factor). Something you are: fingerprint, retinal scan (3‑factor).
- Firewalls – After a user is authenticated, a firewall enforces access‑policy rules that decide which services/ports the user may reach.
- Security Technologies – Anti‑virus, Intrusion Prevention Systems (IPS), anomaly‑based IDS, and encryption protect data in flight and at rest.
- Honeypot / Honeynet – Deliberately vulnerable decoy systems used to lure attackers and gather intelligence.
- Passive vs. Active Attacks – Passive: eavesdrop, wiretap, traffic analysis (listen only). Active: inject, modify, disrupt (act on the traffic).

---

📌 Must Remember
- 1‑factor = password only; 2‑factor = password + token/device; 3‑factor = password + token + biometric.
- Firewalls work after authentication; they do not authenticate users.
- Encryption = plaintext → ciphertext → protects confidentiality and integrity.
- Passive attacks do not generate alerts → harder to detect.
- Active attacks include DoS, MITM, DNS spoofing, ARP poisoning, VLAN hopping, buffer overflow, SQL injection, XSS, CSRF, phishing.
- Honeypot = single decoy host; Honeynet = network of multiple decoys.

---

🔄 Key Processes

User Login Flow
1. User submits identifier + password → 1‑factor check.
2. If enabled, the system requests a second factor (token/OTP).
3. An optional third factor (biometric) is verified.
4. Upon success, the firewall policy is applied to the session.

Intrusion Prevention (IPS) Workflow
Capture live traffic → compare against signatures/behavioral rules → block matching packets before they reach the host.

Anomaly‑Based IDS Detection
Baseline normal traffic patterns (e.g., via Wireshark) → continuously monitor → flag statistical deviations → log for later audit.

Encryption of Communication
- Sender: plaintext → encryption algorithm (e.g., AES) → ciphertext → transmit.
- Receiver: ciphertext → same key/algorithm → plaintext.

---

🔍 Key Comparisons

One‑Factor vs. Two‑Factor vs. Three‑Factor
- 1‑Factor: username + password – easiest to compromise.
- 2‑Factor: adds something you have – mitigates stolen passwords.
- 3‑Factor: adds something you are – highest assurance.

Passive Attack vs. Active Attack
- Passive: listen only (wiretapping, traffic analysis).
- Active: interact (DoS, MITM, injection).

Honeypot vs. Honeynet
- Honeypot: single, isolated decoy host.
- Honeynet: entire network of decoys; richer data on attacker tactics.

Anti‑Virus vs. Intrusion Prevention System
- AV: scans for known malware signatures on hosts.
- IPS: blocks malicious traffic in real time on the network.

---

⚠️ Common Misunderstandings
- “Firewalls replace authentication.” – Firewalls enforce policy after authentication; they don’t verify identity.
- “Encryption prevents all attacks.” – Encryption protects confidentiality but does not stop active attacks like DoS, or MITM on unencrypted channels.
- “Passive attacks are harmless.” – Even without alerts, data leakage (e.g., via traffic analysis) can be critical.
- “One‑factor is sufficient for corporate networks.” – Modern threats require at least two‑factor for privileged access.

---

🧠 Mental Models / Intuition
- Layers = Onion – Think of network security as layers: Physical → Data Link → Network → Transport → Application. Each layer can have its own controls (firewall, IDS, encryption).
- “Lock + Alarm” analogy – Authentication = lock (who can enter); firewall = alarm (what they can do).
- Passive = “listening in the dark”; Active = “breaking the door” – Helps decide between detection and mitigation strategies.

---

🚩 Exceptions & Edge Cases
- Public Wi‑Fi – Even with WPA2, Man‑in‑the‑Middle attacks are common; always use VPN encryption.
- ARP Poisoning – Works only on the local LAN; not a threat across routed subnets.
- VLAN Hopping – Requires misconfigured trunk ports; set the native VLAN properly and disable auto‑negotiation to mitigate.

---

📍 When to Use Which
- Use 2‑factor for any privileged, remote, or external‑facing accounts.
- Deploy IPS on high‑traffic perimeter segments where real‑time blocking is critical.
- Enable anomaly‑based IDS in segments with sensitive data where unknown attacks may appear.
- Encrypt all client‑server communications (HTTPS, TLS) and internal service‑to‑service traffic in data centers.
- Deploy honeypots in research labs to study attacker tools; use honeynets when you need broader attack‑pattern visibility.

---

👀 Patterns to Recognize
- Repeated failed logins → possible brute force → trigger account lockout or a 2‑factor challenge.
- Burst of SYN packets → potential DoS → look for a SYN‑flood pattern.
- Unusual DNS queries → DNS spoofing → monitor for NXDOMAIN spikes.
- ARP table changes without admin action → ARP poisoning.
- Outbound traffic to rare external IPs after a breach → data exfiltration attempt.

---

🗂️ Exam Traps
- Choosing “firewall” as the authentication method – firewalls enforce policy after authentication; they are not an auth mechanism.
- Selecting “encryption” as a passive‑attack defense – encryption prevents reading but does not stop traffic analysis or active manipulation.
- Confusing “honeypot” with “IDS” – a honeypot is a decoy, not a detection system; an IDS monitors real traffic.
- Assuming “anti‑virus” blocks DoS – AV is host‑focused; DoS requires network‑level controls (firewall, IPS).
- Mixing up “passive” and “active” scanning – Port scanning is passive (no alteration), and idle scanning is also passive but hides the scanner’s IP; neither is an “active” attack.

---
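As an added example that is not part of the original study guide, the following Python shows how two of the "Patterns to Recognize" (repeated failed logins and a burst of SYN packets) are detected with the same technique: a count of events per source or destination inside a sliding time window. The sshd-style log lines and the packet records are constructed for the example, and the thresholds (5 failures in 60 s, 100 SYNs in 1 s) are illustrative assumptions rather than any standard.

```python
"""Sliding-window threshold detectors for two patterns from the study guide.

Added example, not part of the original page. All log lines, packet records
and thresholds below are constructed/assumed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log (not a real capture).
AUTH_LOG = """\
2024-05-01T10:00:01 sshd[812]: Failed password for admin from 203.0.113.7 port 50122
2024-05-01T10:00:03 sshd[812]: Failed password for admin from 203.0.113.7 port 50123
2024-05-01T10:00:04 sshd[812]: Failed password for root from 203.0.113.7 port 50124
2024-05-01T10:00:06 sshd[812]: Failed password for admin from 203.0.113.7 port 50125
2024-05-01T10:00:07 sshd[812]: Failed password for admin from 203.0.113.7 port 50126
2024-05-01T10:00:09 sshd[812]: Accepted password for alice from 198.51.100.5 port 41000
2024-05-01T10:05:00 sshd[812]: Failed password for bob from 198.51.100.9 port 41020
2024-05-01T10:30:00 sshd[812]: Failed password for bob from 198.51.100.9 port 41021
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, user) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def sliding_window_alerts(events, threshold, window):
    """Generic detector: flag a key once `threshold` events fall inside `window`.

    `events` yields (timestamp, key); timestamps must be non-decreasing per key.
    Returns {key: timestamp at which the threshold was first crossed}.
    """
    recent = defaultdict(deque)  # per-key timestamps still inside the window
    alerts = {}
    for ts, key in events:
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Repeated failed logins from one source -> possible brute force.

    The caller would answer an alert with lockout or a second-factor challenge.
    """
    events = ((ts, src) for ts, src, _user in parse_failures(log_text))
    return sliding_window_alerts(events, threshold, window)


# Constructed packet summaries: (timestamp, tcp_flags, "dst_ip:dst_port").
# 120 SYNs hit one service within 0.6 s; a second service sees normal traffic.
_BASE = datetime(2024, 5, 1, 10, 10, 0)
SYN_PACKETS = [(_BASE + timedelta(milliseconds=5 * i), "S", "10.0.0.5:443")
               for i in range(120)]
SYN_PACKETS += [(_BASE + timedelta(seconds=i), "S", "10.0.0.6:22")
                for i in range(5)]


def detect_syn_flood(packets, threshold=100, window=timedelta(seconds=1)):
    """Burst of SYN packets to one destination -> potential SYN-flood DoS."""
    events = ((ts, dst) for ts, flags, dst in packets if flags == "S")
    return sliding_window_alerts(events, threshold, window)


if __name__ == "__main__":
    for src, when in detect_brute_force(AUTH_LOG).items():
        print(f"brute-force candidate {src} at {when}: lock account / require 2FA")
    for dst, when in detect_syn_flood(SYN_PACKETS).items():
        print(f"SYN-flood candidate against {dst} at {when}: engage firewall/IPS")
```

The same `sliding_window_alerts` helper serves both patterns; only the key (source IP for logins, destination service for SYNs) and the threshold change. Note that the two widely spaced failures from 198.51.100.9 never trip the detector, which is the point of counting inside a window rather than over the whole log.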