Exercises: Network Security Fundamentals
These exercises move from reading packets to designing networks. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/design/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.
Work in your own notebook or a private lab. All IP addresses use documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and RFC 1918 private space; never scan or capture on a network you do not own or are not explicitly authorized to test.
Part A — The stack and the vocabulary ⭐
1.† For each of the following, name the OSI layer it primarily operates at and one attack that lives there: (a) an IP packet's source address; (b) a TCP port number; (c) an Ethernet MAC address and ARP; (d) an HTTP request body; (e) a TLS-encrypted session.
2. Define, in one sentence each, packet, port, socket, and the three-way handshake. Then write one sentence that correctly uses all four in the context of a browser loading a web page.
3. Explain encapsulation in your own words, and state why it implies that no single network control can defend against every attack.
4.† A connection is identified by a 4-tuple. List the four values, and explain why the destination port alone is not enough to tell two simultaneous connections apart.
5. Match each port to its common service: 22, 25, 53, 80, 443, 3389. For each, name whether a defender would normally expect it to be reachable from the public internet on a bank's online-banking server, and why.
6. Distinguish north-south from east-west traffic with one concrete Meridian example of each.
Part B — Reading the handshake and the logs ⭐⭐
7.† Analyze this log. You are handed this (illustrative) connection log for one server at 192.0.2.10. All times are UTC.
time      src_ip         src_port  dst_ip         dport  flags    state
09:02:11  198.51.100.22  49600     192.0.2.10     443    SYN      NEW
09:02:11  192.0.2.10     443       198.51.100.22  49600  SYN,ACK  NEW
09:02:11  198.51.100.22  49600     192.0.2.10     443    ACK      ESTABLISHED
09:05:40  203.0.113.9    55001     192.0.2.10     21     SYN      NEW
09:05:40  203.0.113.9    55002     192.0.2.10     22     SYN      NEW
09:05:40  203.0.113.9    55003     192.0.2.10     23     SYN      NEW
09:05:40  203.0.113.9    55004     192.0.2.10     80     SYN      NEW
09:05:40  203.0.113.9    55005     192.0.2.10     445    SYN      NEW
(a) Classify the 09:02 activity and the 09:05 activity. (b) Which field is the strongest indicator for the 09:05 pattern? (c) Is the 09:05 activity a threat, a vulnerability, an exploit, or some combination? (d) Name one control that would reduce the risk the 09:05 activity represents.
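As an added illustration (not part of the chapter's exercises or its answer key), the following script parses the Problem 7 log as constructed sample input and applies the kind of detection logic a SOC would run over it: it counts completed handshakes and flags a source that sends bare SYNs to many distinct server ports within a short window. The thresholds (min_ports, window_s) are illustrative assumptions, not values from the chapter.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the illustrative connection log from Problem 7 (UTC times).
LOG = """\
09:02:11 198.51.100.22 49600 192.0.2.10 443 SYN NEW
09:02:11 192.0.2.10 443 198.51.100.22 49600 SYN,ACK NEW
09:02:11 198.51.100.22 49600 192.0.2.10 443 ACK ESTABLISHED
09:05:40 203.0.113.9 55001 192.0.2.10 21 SYN NEW
09:05:40 203.0.113.9 55002 192.0.2.10 22 SYN NEW
09:05:40 203.0.113.9 55003 192.0.2.10 23 SYN NEW
09:05:40 203.0.113.9 55004 192.0.2.10 80 SYN NEW
09:05:40 203.0.113.9 55005 192.0.2.10 445 SYN NEW
"""
SERVER = "192.0.2.10"

def parse(log):
    """Turn each whitespace-separated log line into a dict with a parsed time."""
    rows = []
    for line in log.splitlines():
        t, src, sport, dst, dport, flags, state = line.split()
        rows.append({"time": datetime.strptime(t, "%H:%M:%S"), "src": src,
                     "dst": dst, "dport": int(dport), "flags": flags, "state": state})
    return rows

def completed_handshakes(rows, server):
    """Count client ACKs that moved a connection to ESTABLISHED on the server."""
    return sum(1 for r in rows if r["dst"] == server and r["state"] == "ESTABLISHED")

def scan_candidates(rows, server, min_ports=4, window_s=60):
    """Flag a source as a port-scan candidate when it sends bare SYNs to at least
    `min_ports` distinct server ports within `window_s` seconds. The strongest
    signal is the spread of dport values from one source, not packet volume.
    Thresholds are illustrative assumptions for this example."""
    by_src = defaultdict(list)
    for r in rows:
        if r["dst"] == server and r["flags"] == "SYN" and r["state"] == "NEW":
            by_src[r["src"]].append(r)
    flagged = {}
    for src, syns in by_src.items():
        syns.sort(key=lambda r: r["time"])
        for i, first in enumerate(syns):           # slide the window over each SYN
            ports = {r["dport"] for r in syns[i:]
                     if (r["time"] - first["time"]).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

Run `scan_candidates(parse(LOG), SERVER)` to see only 203.0.113.9 flagged, with its five target ports listed; the 09:02 client touches a single port and completes its handshake.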
8.† Analyze this log. This (illustrative) excerpt summarizes traffic to the online-banking front-end during a five-minute window. Identify what is happening and the single ratio that proves it.
metric                       baseline (per min)  observed (per min)
SYN received                 1,200               880,000
SYN-ACK sent                 1,200               880,000
ACK / completed connections  1,180               1,050
half-open connections        ~20                 ~610,000
distinct source IPs          ~900                ~70,000 (random, spoofed)
(a) Name the attack precisely. (b) State the diagnostic ratio. (c) Why can't you simply block the attacking source IPs? (d) Name two appropriate defenses and where each must sit.
9. A junior analyst says, "This host is fine — every SYN got a SYN-ACK back." Explain why a SYN-ACK for every SYN does not indicate health, and what they should have measured instead.
10.† Explain why UDP-based services are commonly abused for amplification DDoS, referencing the absence of the three-way handshake.
Part C — Find the vulnerability / harden it ⭐⭐
11.† Find the vulnerability. Sam reviews this proposed inter-zone firewall policy for Meridian (simplified). Identify the most serious problem and rewrite the offending rule(s).
# Inter-zone policy (top matches first)
1. ALLOW branch    -> banking-app  tcp/443
2. ALLOW corporate -> internet     tcp/443,80
3. ALLOW any       -> any          any          # "to avoid breaking things"
4. DENY  any       -> any          any
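As an added illustration (not part of the chapter's exercises or its answer key), this script models the Problem 11 policy as constructed data under first-match semantics and adds a shadowing check of the kind a firewall linter performs: a rule that can never fire because an earlier rule already covers every flow it would match. The evaluate/subsumes/shadowed_rules functions are hypothetical helpers written for this example.

```python
# Constructed sample: the proposed inter-zone policy from Problem 11.
# Tuple layout: (number, action, src_zone, dst_zone, proto, ports); None = any port.
RULES = [
    (1, "ALLOW", "branch",    "banking-app", "tcp", {443}),
    (2, "ALLOW", "corporate", "internet",    "tcp", {443, 80}),
    (3, "ALLOW", "any",       "any",         "any", None),
    (4, "DENY",  "any",       "any",         "any", None),
]

def covers(rule, src, dst, proto, port):
    """True when the rule's source, destination, protocol and port match the flow."""
    _, _, rsrc, rdst, rproto, rports = rule
    return ((rsrc == "any" or rsrc == src)
            and (rdst == "any" or rdst == dst)
            and (rproto == "any" or rproto == proto)
            and (rports is None or port in rports))

def evaluate(rules, src, dst, proto, port):
    """Return (action, rule number) of the first matching rule (top matches first).
    Falling off the end is an implicit deny, reported with rule number None."""
    for rule in rules:
        if covers(rule, src, dst, proto, port):
            return rule[1], rule[0]
    return "DENY", None

def subsumes(outer, inner):
    """True when every flow matched by `inner` is already matched by `outer`."""
    _, _, osrc, odst, oproto, oports = outer
    _, _, isrc, idst, iproto, iports = inner
    return ((osrc == "any" or osrc == isrc)
            and (odst == "any" or odst == idst)
            and (oproto == "any" or oproto == iproto)
            and (oports is None or (iports is not None and iports <= oports)))

def shadowed_rules(rules):
    """Numbers of rules that can never fire because an earlier rule subsumes them.
    A DENY shadowed by a permissive ALLOW silently defeats the fail-closed intent."""
    return [rule[0] for i, rule in enumerate(rules)
            if any(subsumes(earlier, rule) for earlier in rules[:i])]
```

With the policy as written, a flow from the guest zone to banking-app on tcp/443 is allowed by rule 3 and rule 4 is reported as shadowed; with rule 3 removed the same flow falls through to the explicit deny.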
12. Harden it. A team has created VLAN 10 (tellers) and VLAN 20 (guest WiFi) on the same switch and declared the network "segmented." On inspection, the Layer 3 device routing between VLANs permits any-to-any traffic. Explain why this is not segmentation and list the specific changes that would make it real.
13.† Find the vulnerability. An engineer argues that the internal network needs no encryption "because it's behind the firewall and NAT hides our addresses." Identify every flawed assumption in that sentence using the chapter's concepts, and state what attack the missing internal encryption leaves open.
14. Harden it. A branch switch has every port active and untagged on the default VLAN, including ports in an unlocked lobby. List four Layer 1/Layer 2 hardening steps and the specific attack each one mitigates.
15. A server unexpectedly has port 3389 (RDP) listening and reachable from the corporate zone. Walk through how you would (a) confirm this, (b) decide whether it is malicious or a misconfiguration, and (c) remediate, referencing ports, sockets, and segmentation.
Part D — Write the rule / write the policy ⭐⭐
16.† Write the firewall rule. Meridian's public web server lives in the DMZ at 192.0.2.20 and must be reachable from the internet on HTTPS only; it must reach a back-end app server at 10.0.5.10 on TCP 8443 and nothing else internal; all other traffic is denied. Write an ordered, default-deny ruleset (pseudo-syntax is fine) and annotate what each rule does.
17. Write the rule. Write a default-deny inter-zone policy fragment that (a) lets branch tellers reach only the banking application on TCP 443, (b) lets the management zone reach all network-device admin interfaces on TCP 22, (c) denies the guest zone all access to any internal zone, and (d) logs every denied attempt. Explain why the order of your rules matters.
18.† Write the policy. Draft a three-to-five-sentence network segmentation standard for Meridian suitable for the security program: state the zones, the default posture between them, the special handling of the cardholder data environment, and the monitoring requirement for inter-zone traffic.
19. Write a one-paragraph justification, in the language of risk (likelihood × impact, Chapter 1), for funding internal segmentation before an incident rather than after. What likelihood and impact would you cite for "flat internal network," and what residual risk remains after segmentation?
Part E — Design the architecture ⭐⭐–⭐⭐⭐
20.† Design it. A regional credit union (smaller than Meridian) has a single flat network: tellers, servers, a public website, and guest WiFi all share one address space. Redesign it into trust zones. Produce a labeled diagram (ASCII is fine), name each zone's trust level and contents, place the firewall(s), and state the default posture between zones. Call out where you would isolate any cardholder data.
21. Design it. Meridian wants to add a new third-party fraud-analytics vendor that needs read access to specific transaction data. Where in the zone architecture (Figure 6.4) does this connection belong, what is the minimum access it should receive, and what must be true before any traffic flows? (This previews third-party risk, Chapter 29.)
22. ⭐⭐⭐ Design it. Sketch how you would segment a hospital network where the worst case is patient safety, not data theft (contrast with the bank). Which zones are most critical, and how does the re-weighting of the CIA triad change your priorities versus Meridian's?
Part F — Respond to this incident ⭐⭐
23.† Respond to this incident. A branch SOC alert fires: a workstation's switch port reports that the IP of the default gateway is now associated with a different MAC address than usual, and several tellers report intermittent certificate warnings. (a) What attack does this most likely indicate, and at which layer? (b) List your first three containment actions. (c) What would have prevented or detected this earlier?
24. Respond to this incident. The online-banking portal becomes unreachable; inbound traffic is 50× normal from tens of thousands of random source addresses. Outline your response in order, including who you would call and why your own firewall is not the right place to stop it.
Part G — CTF-style challenge ⭐⭐⭐
25.† The mislabeled "firewall." A vendor sells Meridian a "network security appliance" and claims it "makes the internal network invisible and therefore secure" because it performs NAT. The sales engineer adds: "Since everything inside is on 10.0.0.0/8, attackers can't reach it, so internal segmentation and encryption are unnecessary." Identify every claim that is false or misleading, explain the precise reason each is wrong using the chapter's concepts, and state what an attacker who phishes one internal user could still achieve despite the NAT.
Part H — Interleaved & forward-looking ⭐⭐
26. Interleaved (Ch.3). For each of these network controls, classify it by function (preventive/detective/corrective) and nature (administrative/technical/physical): (a) a default-deny firewall rule; (b) a firewall log reviewed by the SOC; (c) a network-segmentation policy document; (d) a locked network closet; (e) dynamic ARP inspection on a switch.
27. Interleaved (Ch.1). Rank these three findings by risk (likelihood × impact, 1–5 each), justifying every rating in a phrase: (a) the cardholder data environment shares a flat segment with the corporate network; (b) an unpatched printer on an isolated management VLAN; (c) the guest WiFi can reach the teller VLAN.
28. Interleaved (Ch.5). Explain how validated TLS and Layer 2 ARP-spoofing defenses combine to defeat a man-in-the-middle attack, and why relying on either alone is weaker. Name the recurring theme this illustrates.
29. This chapter says "the perimeter is dead." Based only on the east-west/north-south distinction, write two sentences predicting what zero trust (a Chapter 32 topic) might propose to replace the trusted internal network.
30. ⭐⭐⭐ Open reflection. The chapter argues that internal segmentation is often a better security investment than a better perimeter firewall, yet most organizations spend the opposite way. Write half a page on why that misallocation happens (consider visibility, audits, vendor incentives, and the offense/defense asymmetry from Chapter 1), and what would change the incentives.
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.