Further Reading: Network Security Fundamentals

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 7.

Suggested order

  1. If TCP/IP is shaky, read an accessible TCP/IP fundamentals primer until the handshake and ports feel natural (Kozierok, or any solid networking text).
  2. Skim NIST SP 800-41 on firewall and network policy to see how a standards body frames default-deny and zone design.
  3. Open Wireshark in your own lab and watch one handshake — the §6.2 "Try It" makes the rest stick.
  4. Browse the MITRE ATT&CK tactics for Discovery and Lateral Movement to see east-west attack techniques named formally (you will master ATT&CK in Chapter 2 and Part V).

Standards & primary documents (Tier 1)

  • NIST SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy. 🏗️📋 The authoritative treatment of network policy, default-deny, and DMZ/zone design; the standards backbone for §§6.4 and 6.6 and for Chapter 7.
  • NIST SP 800-125 / 800-215 (network and zero-trust networking guidance). 🏗️ NIST's broader network security and segmentation guidance; read for how the agency frames internal trust boundaries (and as a bridge to zero trust, Chapter 32).
  • PCI DSS v4.0, Requirement 1 (network security controls) and the scoping/segmentation guidance. 📋🏗️ The reason Meridian isolates its cardholder data environment; defines what "segmentation" must achieve to reduce scope. The single most practical standard for §6.6.
  • BCP 38 / RFC 2827, Network Ingress Filtering. 🏗️🛡️ The defining document for anti-spoofing filtering; short, foundational, and directly answers "how do we stop IP spoofing at the edge."
  • CISA / MS-ISAC guidance on network segmentation and DDoS mitigation. 🛡️📋 Practical, defender-oriented advisories on segmenting networks and surviving denial-of-service; grounded in real incident patterns.

Books (Tier 1)

  • Kurose, J., & Ross, K., Computer Networking: A Top-Down Approach. 🏗️📜 The standard, readable text for how networks actually work — the OSI and TCP/IP models, ports, TCP, and the handshake of §§6.1–6.2.
  • Kozierok, C., The TCP/IP Guide. 🏗️🛡️ An exhaustive, approachable reference for every protocol and field you will meet reading packets; keep it nearby as a lookup, not a cover-to-cover read.
  • Sanders, C., Practical Packet Analysis (with Wireshark). 🛡️ The hands-on companion for §6.2 and a direct on-ramp to Chapter 10; learn to see the handshake, scans, and anomalies in real captures.
  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide (network chapters). 📜 Exam-aligned coverage of the OSI model, ports, segmentation, and the attack taxonomy at the right depth for certification.

Free online & talks (Tier 1 / Tier 2)

  • MITRE ATT&CK — Discovery and Lateral Movement tactics (attack.mitre.org). 🛡️ The formal catalog of the east-west techniques this chapter described informally; the shared language for what a flat network enables.
  • The Wireshark project documentation and sample captures (wireshark.org). 🛡️🏗️ Free tool, free captures; the fastest way to make Layer 3/4 concepts concrete in your own lab.
  • Cloudflare / major-provider "Learning Center" articles on DDoS, SYN floods, and amplification. 🛡️ Clear explanations of the DoS families in §6.5, vendor-neutral enough to learn the concepts from. (Tier 2: vendor educational material; accurate on fundamentals, so read it for concepts, not product claims.)

Tools to explore (in your own lab only)

  • Wireshark 🛡️🏗️ — capture and read the three-way handshake, ports, and ARP on a network you own.
  • A lab firewall (pfSense/OPNsense or iptables/nftables in a VM) 🏗️ — write a default-deny ruleset and watch its logs; the perfect sandbox for the netfilter.py checkpoint and for Chapter 7.
  • A small virtual network lab (e.g., GNS3 or a few VMs on isolated host-only networks) 🏗️ — build two segments and a firewall between them, then prove that default-deny contains traffic. Designing segmentation by hand makes §6.4 stick permanently.

⚖️ Authorization & Ethics reminder: Packet capture, scanning, and ARP analysis are powerful and, on a network you do not own or are not explicitly authorized to test, potentially illegal. Apply every technique here only in your own lab or with written permission (Chapter 39).