Key Takeaways: Network Security Fundamentals
A one-page reference. Reread before an exam or before moving on. Dense by design.
The OSI stack ↔ attacks ↔ defenses (memorize cold)
| Layer | Name | Unit / addressing | Attack lives here | Defense |
|---|---|---|---|---|
| 7 | Application | data (HTTP, DNS) | injection, XSS, phishing | AppSec, WAF (Ch.12–13) |
| 6 | Presentation | encoding, TLS | weak TLS, downgrade | strong TLS (Ch.5) |
| 5 | Session | sessions | session hijack/fixation | session mgmt (Ch.13) |
| 4 | Transport | port, TCP/UDP segment | port scan, SYN flood | stateful firewall (Ch.7) |
| 3 | Network | packet, IP address | IP spoofing, routing, DDoS | IP filtering, anti-spoof, segmentation |
| 2 | Data Link | frame, MAC, ARP | ARP spoofing, MAC flood, VLAN hop | port security, DAI, segmentation |
| 1 | Physical | bits | tap, rogue device, jamming | physical access control |
- TCP/IP model = 4 layers (Application / Transport / Internet / Link); it covers OSI's 7 by folding OSI 5–7 into Application and OSI 1–2 into Link.
- "Layer 3" = IP; "Layer 4" = TCP/UDP; "Layer 7" = the app protocol.
- Encapsulation: each layer wraps the unit handed down from the layer above (TCP segment inside IP packet inside Ethernet frame, then bits on the wire). Every control parses one layer and is blind to the layers it does not inspect → the structural reason for defense in depth on the network.
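Encapsulation and layer-blindness in code, as an added example (not code from the chapter or its toolkit): a minimal Ethernet II / IPv4 / TCP / HTTP frame is built by hand, then two hypothetical controls read the same bytes. The IP-layer filter parses only the IPv4 header, so an injection-shaped request from a non-blocked source passes it; the application-layer inspector sees the payload and denies it. MACs, addresses, ports, the block list and the HTTP payload are all constructed.

```python
"""Added example: encapsulation, and why a control sees only the layer it parses.
Frame contents (MACs, IPs, ports, block list, HTTP payload) are constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
BLOCKED_SOURCES = {"203.0.113.9"}          # constructed block list for the L3 filter


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; yields 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """L7 payload -> L4 TCP segment -> L3 IPv4 packet -> L2 Ethernet frame."""
    # L4: 20-byte TCP header, data offset 5, flags PSH|ACK; TCP checksum left 0 for brevity.
    segment = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    # L3: 20-byte IPv4 header (version 4, IHL 5, DF set, TTL 64) wrapping the whole segment.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64, PROTO_TCP, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    # L2: Ethernet II header wrapping the packet.
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + hdr + segment


def parse_layers(frame: bytes) -> dict:
    """Peel one header per layer; each layer only knows where the next one starts."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    segment = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_off = (segment[12] >> 4) * 4
    return {
        "l2": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "l3": {"src_ip": ".".join(map(str, packet[12:16])),
               "dst_ip": ".".join(map(str, packet[16:20])), "proto": packet[9]},
        "l4": {"src_port": src_port, "dst_port": dst_port},
        "l7": {"payload": segment[data_off:]},
    }


def l3_filter(frame: bytes) -> str:
    """Hypothetical IP-layer control: it parses the IPv4 header and nothing above it."""
    return "deny" if parse_layers(frame)["l3"]["src_ip"] in BLOCKED_SOURCES else "allow"


def l7_inspector(frame: bytes) -> str:
    """Hypothetical application-layer control: it reads the HTTP request itself."""
    text = parse_layers(frame)["l7"]["payload"].decode("ascii", "replace").lower()
    return "deny" if any(s in text for s in ("' or ", "union select", "<script")) else "allow"


def sample_frame() -> bytes:
    """A constructed request carrying a SQL-injection-shaped query string."""
    return build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "198.51.100.7", "192.0.2.10",
                       51514, 80, b"GET /item?id=1' OR '1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n")


if __name__ == "__main__":
    f = sample_frame()
    for layer, fields in parse_layers(f).items():
        print(layer, fields)
    print("L3 filter:", l3_filter(f), "| L7 inspector:", l7_inspector(f))
```

The point is the last line of output: the same frame is "allow" to the L3 control and "deny" to the L7 control, because each only parses its own header. A blocked source sending a harmless request gets the opposite verdicts.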
Ports, sockets, and the handshake
| Term | Definition |
|---|---|
| Packet | Layer 3 unit; carries source/destination IP |
| Port | 16-bit number (0–65535) identifying a service/endpoint |
| Socket | IP address + port (e.g., 192.0.2.10:443) |
| Connection (4-tuple) | src IP + src port + dst IP + dst port |
| Three-way handshake | SYN → SYN-ACK → ACK (then data flows) |
Common ports quick reference:
| Port | Service | Port | Service |
|---|---|---|---|
| 22 | SSH | 443 | HTTPS |
| 23 | Telnet (insecure) | 445 | SMB |
| 25 | SMTP | 3389 | RDP |
| 53 | DNS | 80 | HTTP |
Read the handshake shape in telemetry:
| Pattern | Signature | Meaning |
|---|---|---|
| Healthy | SYN → SYN-ACK → ACK, completes | normal connection |
| Port scan | SYNs to many ports, no completion | reconnaissance (enumerate open services) |
| SYN flood | SYNs to one port, no completion, table fills | protocol DoS (exhaust half-open conns) |
Diagnostic ratio: in normal traffic almost every SYN leads to a completed handshake (SYN-ACK, then ACK); in a SYN flood almost none do.
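The three handshake shapes as detection logic, an added example rather than code from the chapter: constructed per-connection records (source, destination, destination port, handshake completed or not) are grouped two ways, per source-destination pair to find scans and per destination service to find floods, and the completion ratio decides. The thresholds and the sample telemetry are assumptions.

```python
"""Added example: classifying handshake shapes in connection telemetry.
Sample records and thresholds are constructed for the demonstration."""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    completed: bool          # True only if SYN -> SYN-ACK -> ACK finished


def completion_ratio(flows: Iterable[Flow]) -> float:
    """Share of SYNs that became full connections; ~1.0 is healthy, ~0.0 is a scan or flood."""
    flows = list(flows)
    return sum(f.completed for f in flows) / len(flows) if flows else 0.0


def classify(flows: Iterable[Flow], min_syns: int = 20, scan_ports: int = 10,
             max_ratio: float = 0.1) -> List[Tuple[str, str, int, float]]:
    """Return findings as (kind, key, syn_count, completion_ratio).

    Port scan: one source probes many distinct ports on one host and almost nothing completes.
    SYN flood: many SYNs hit one service and almost nothing completes; sources are often
    spoofed, so the key is the victim service, not the sender."""
    flows = list(flows)
    by_pair, by_service = defaultdict(list), defaultdict(list)
    for f in flows:
        by_pair[(f.src_ip, f.dst_ip)].append(f)
        by_service[(f.dst_ip, f.dst_port)].append(f)
    findings = []
    for (src, dst), group in by_pair.items():
        ports = {f.dst_port for f in group}
        ratio = completion_ratio(group)
        if len(group) >= min_syns and len(ports) >= scan_ports and ratio <= max_ratio:
            findings.append(("port_scan", f"{src}->{dst}", len(group), round(ratio, 2)))
    for (dst, port), group in by_service.items():
        ratio = completion_ratio(group)
        if len(group) >= min_syns and ratio <= max_ratio:
            findings.append(("syn_flood", f"{dst}:{port}", len(group), round(ratio, 2)))
    return findings


def sample_flows() -> List[Flow]:
    """Constructed telemetry: 10 healthy HTTPS sessions, a 30-port scan, a 200-SYN flood."""
    flows = [Flow(f"10.0.1.{i}", "10.0.2.20", 443, True) for i in range(10, 20)]
    flows += [Flow("10.0.3.66", "10.0.2.20", p, p == 22) for p in range(1, 31)]   # only SSH was open
    flows += [Flow(f"203.0.113.{i % 254 + 1}", "10.0.2.20", 80, False) for i in range(200)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("overall completion ratio:", round(completion_ratio(flows), 3))
    for finding in classify(flows):
        print(*finding)
```

A scan from one source spreads its SYNs over many ports, so no single service sees enough of them to look like a flood; a flood concentrates SYNs on one service, so no source-destination pair touches enough ports to look like a scan. Keying the two checks differently is what keeps them apart.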
Segmentation: subnet vs VLAN vs DMZ vs NAT
| Concept | Layer | What it is | Security role |
|---|---|---|---|
| Subnet | 3 | logically subdivided IP range | addressing boundary between zones |
| VLAN | 2 | one switch as several logical switches | isolates broadcast domains; boundary, not a vault |
| DMZ | — | zone between internet and internal | contains internet-facing systems |
| NAT | 3 | rewrites/hides internal addresses | conserves IPv4; NOT a security control (dropping unsolicited inbound is a side effect, not an enforced policy) |
North-south vs east-west:
- North-south = crosses the perimeter (in/out to internet). A perimeter firewall sees this.
- East-west = lateral movement inside the network, host to host and zone to zone. A perimeter firewall sees none of this, and east-west is how breaches actually spread. This is what ended the idea that a perimeter alone is sufficient.
Segmentation decision aid — when to put a boundary:
| Put a default-deny boundary when… | Because… |
|---|---|
| A zone is internet-facing (→ DMZ) | it will be probed and may be compromised; contain it |
| A zone holds regulated/crown-jewel data (CDE, core) | the worst case must cross the most boundaries |
| A zone is large and phishable (branch, corporate) | contain the inevitable foothold |
| A system is unpatchable (OT, medical, legacy) | segmentation replaces the patch you can't apply (Ch.33) |
| A zone is convenience-only (guest WiFi) | isolate to internet-only; no internal reach |
Segmenting the cardholder data environment also reduces PCI-DSS scope (other zones no longer "connected to" it). Security + compliance win.
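The zone model above as an enforceable policy, added here as an example and not the Meridian diagram or the bluekit toolkit's netfilter.py: a CIDR-to-zone mapping, a default-deny rule set evaluated zone to zone, a deny log (the network as a sensor), a "connected-to" calculation in the spirit of PCI scoping, and an audit that catches the one over-broad rule that re-flattens everything. Address ranges, rules, flows and the zone names used as "protected" and "low trust" are constructed assumptions.

```python
"""Added example: a default-deny trust-zone policy as code (not the bluekit toolkit's netfilter.py).
Zones, address ranges, rules and flows are constructed for the demonstration."""
import ipaddress
from typing import List, NamedTuple, Optional, Set

ZONES = {                      # constructed ranges; "internet" is anything not listed
    "dmz": "10.10.0.0/16", "core": "10.20.0.0/16", "cde": "10.30.0.0/16",
    "branch": "10.40.0.0/16", "corporate": "10.50.0.0/16",
    "management": "10.60.0.0/16", "guest": "10.70.0.0/16",
}
ZONE_NETS = {z: ipaddress.ip_network(c) for z, c in ZONES.items()}
ALL_ZONES = set(ZONES) | {"internet"}
PROTECTED = {"cde", "core", "management"}                 # never reachable from an "any" source
LOW_TRUST = {"internet", "guest", "branch", "corporate"}  # never allowed an "any" destination


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONE_NETS.items() if addr in net), "internet")


class Rule(NamedTuple):
    src_zone: str              # zone name or "any"
    dst_zone: str              # zone name or "any"
    dst_port: Optional[int]    # None = any port
    comment: str


RULES = [
    Rule("internet", "dmz", 443, "public web tier"),
    Rule("dmz", "core", 5432, "web tier to database"),
    Rule("core", "cde", 8443, "payment API only"),
    Rule("corporate", "dmz", 443, "staff reach the public site like everyone else"),
    Rule("management", "any", 22, "admin jump host"),
    Rule("guest", "internet", None, "guest wifi is internet-only"),
]


def matches(rule: Rule, src_zone: str, dst_zone: str, dst_port: int) -> bool:
    return (rule.src_zone in ("any", src_zone) and rule.dst_zone in ("any", dst_zone)
            and rule.dst_port in (None, dst_port))


def evaluate(src_ip: str, dst_ip: str, dst_port: int, rules=RULES,
             deny_log: Optional[List[str]] = None) -> str:
    """Default deny across zones: a flow passes only if some rule allows it.
    Intra-zone traffic never reaches the boundary, so it is out of scope here."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz == dz or any(matches(r, sz, dz, dst_port) for r in rules):
        return "allow"
    if deny_log is not None:                      # every denied crossing is a detection event
        deny_log.append(f"DENY {sz}->{dz} {src_ip}->{dst_ip}:{dst_port}")
    return "deny"


def zones_connected_to(target: str, rules=RULES) -> Set[str]:
    """Zones with an allow rule into or out of `target`: roughly PCI's 'connected-to' set."""
    connected = set()
    for r in rules:
        if r.dst_zone in (target, "any"):
            connected |= ALL_ZONES if r.src_zone == "any" else {r.src_zone}
        if r.src_zone in (target, "any"):
            connected |= ALL_ZONES if r.dst_zone == "any" else {r.dst_zone}
    connected.discard(target)
    return connected


def audit(rules=RULES) -> List[str]:
    """Flag rules that quietly re-flatten the segmented network."""
    findings = []
    for r in rules:
        if r.src_zone == "any" and r.dst_zone == "any":
            findings.append(f"any->any flattens everything ({r.comment})")
        elif r.src_zone == "any" and r.dst_zone in PROTECTED:
            findings.append(f"any source may reach {r.dst_zone} ({r.comment})")
        elif r.src_zone in LOW_TRUST and r.dst_zone == "any":
            findings.append(f"{r.src_zone} may reach any zone ({r.comment})")
    return findings


if __name__ == "__main__":
    log = []
    for src, dst, port in [("10.50.0.5", "10.30.0.9", 443),      # phished corporate laptop -> CDE
                           ("10.20.0.4", "10.30.0.9", 8443),     # core app -> payment API
                           ("10.70.0.8", "198.51.100.3", 443),   # guest -> internet
                           ("10.70.0.8", "10.50.0.5", 445)]:     # guest -> corporate
        print(src, dst, port, evaluate(src, dst, port, deny_log=log))
    print("denied crossings:", log)
    print("connected to CDE:", sorted(zones_connected_to("cde")))
    bad = Rule("any", "cde", None, "temporary troubleshooting rule")
    print("audit with bad rule:", audit(RULES + [bad]))
    print("connected to CDE with bad rule:", sorted(zones_connected_to("cde", RULES + [bad])))
```

With the clean rule set only core and management are connected to the CDE; one "any -> cde" rule puts every zone, guest WiFi included, back in scope. That is the pitfall of a single over-broad rule made measurable.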
The three attack families (spoofing, MITM, DoS) ↔ defenses
| Attack | Layer | How it works | Detect / prevent |
|---|---|---|---|
| IP spoofing | 3 | forge source IP | ingress/egress filter (BCP 38); don't trust IP as identity |
| ARP spoofing | 2 | forge MAC↔IP, usually for the gateway | dynamic ARP inspection, port security, static ARP, segmentation |
| MITM | 2–7 | sit between two parties, relay/alter | L2 ARP defenses + validated TLS (defense in depth) |
| DoS/DDoS | 3/4/7 | exhaust bandwidth, conn state, or app | upstream scrubbing (volumetric), SYN cookies (protocol), rate-limit/WAF (L7) |
Two rules to keep:
- MITM defeats confidentiality/integrity only if traffic is unencrypted or TLS is improperly validated. Validated TLS reduces a successful MITM to relaying ciphertext plus metadata (who talks to whom, when, how much).
- Volumetric DDoS must be absorbed upstream (ISP/scrubbing): your own firewall sits behind the link that is already saturated, and blocklisting spoofed or botnet source IPs at your edge does not help.
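The spoofing rows of the table as code, an added example not taken from the chapter: the BCP 38 ingress/egress check (a packet's source must belong to the prefixes behind the interface it arrived on, and what we send out must carry our own addresses) and an ARP watch that keeps first-seen IP-to-MAC bindings and alerts when an address, above all the gateway's, is claimed by a different MAC. Interfaces, prefixes, MACs and the sample packets and replies are constructed.

```python
"""Added example: forged-address detection at L3 (BCP 38) and L2 (ARP watch).
Interfaces, prefixes, MACs and the sample traffic are constructed."""
import ipaddress
from typing import Dict, NamedTuple, Optional

# --- Layer 3: BCP 38 ingress/egress filtering ---
INSIDE_PREFIXES = {                 # interface -> prefixes legitimately behind it
    "lan0": ["10.50.0.0/16"],
    "branch0": ["10.40.0.0/16"],
}
OUTSIDE_IFACES = {"wan0"}
OUR_PREFIXES = [ipaddress.ip_network(p) for ps in INSIDE_PREFIXES.values() for p in ps]
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Packet(NamedTuple):
    iface: str      # interface the packet arrived on (ingress) or leaves by (egress)
    src_ip: str
    dst_ip: str


def ingress_verdict(pkt: Packet) -> str:
    """Ingress half: the source must belong to the prefixes behind the arrival interface.
    On the outside interface, a source claiming one of our (or any private) addresses is spoofed."""
    src = ipaddress.ip_address(pkt.src_ip)
    if pkt.iface in OUTSIDE_IFACES:
        return "drop-spoofed" if any(src in n for n in PRIVATE + OUR_PREFIXES) else "pass"
    allowed = INSIDE_PREFIXES.get(pkt.iface)
    if allowed is None:
        return "drop-unknown-iface"
    return "pass" if any(src in ipaddress.ip_network(p) for p in allowed) else "drop-spoofed"


def egress_verdict(pkt: Packet) -> str:
    """Egress half: what we send to the internet must carry our own addresses, so this
    network cannot be used as a source of spoofed traffic against someone else."""
    src = ipaddress.ip_address(pkt.src_ip)
    return "pass" if any(src in n for n in OUR_PREFIXES) else "drop-spoofed"


# --- Layer 2: ARP spoofing watch ---
class ArpReply(NamedTuple):
    sender_ip: str
    sender_mac: str


class ArpWatch:
    """Keep the first-seen IP->MAC binding and alert on any reply that contradicts it.
    The table is deliberately not overwritten: repeated forged replies keep alerting."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.table: Dict[str, str] = {}

    def observe(self, reply: ArpReply) -> Optional[str]:
        mac = reply.sender_mac.lower()
        known = self.table.setdefault(reply.sender_ip, mac)
        if known == mac:
            return None
        level = "critical" if reply.sender_ip == self.gateway_ip else "warning"
        return f"{level}: {reply.sender_ip} was {known}, now claimed by {mac}"


if __name__ == "__main__":
    for pkt in [Packet("lan0", "10.50.0.23", "10.10.0.5"),
                Packet("lan0", "10.40.0.23", "10.10.0.5"),      # branch address on the corporate port
                Packet("wan0", "10.30.0.9", "10.10.0.5"),       # internet packet claiming our CDE
                Packet("wan0", "203.0.113.5", "10.10.0.5")]:
        print("ingress", pkt, ingress_verdict(pkt))
    print("egress", egress_verdict(Packet("wan0", "203.0.113.77", "198.51.100.1")))
    watch = ArpWatch("10.50.0.1")
    replies = [ArpReply("10.50.0.1", "aa:bb:cc:00:00:01"),      # real gateway announces itself
               ArpReply("10.50.0.44", "aa:bb:cc:00:00:44"),
               ArpReply("10.50.0.1", "de:ad:be:ef:00:02")]      # someone else claims the gateway
    for r in replies:
        print("arp", r, watch.observe(r))
```

Note what each check can and cannot see: the ingress filter judges only the IP header against the arrival interface (an address that is plausible for that interface passes even if forged), and the ARP watch catches a changed binding, not the first forged reply on a port it has never seen. Both are why the table pairs them with segmentation and validated TLS rather than relying on either alone.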
The defining ideas
- Every control lives at a layer and is blind to the layers it doesn't inspect. Attackers probe the layer you're not watching (Theme 2 + 4).
- Segmentation is the network-layer implementation of "assume breach": a foothold reaches its zone and stops; crossing a boundary is denied and logged → the network becomes a sensor.
- "Low-value data" ≠ "low risk": risk lives in impact (safety, uptime), not just data sensitivity.
Recurring themes surfaced
- #4 Defense in depth assumes each layer fails (layered controls per OSI layer; segmentation behind the perimeter; ARP defenses + TLS).
- #1 Security is a process, not a product (the perimeter firewall is not "network security"; the interior architecture and monitoring are).
Certification crosswalk
| Concept | CompTIA Security+ | (ISC)² CISSP domain |
|---|---|---|
| OSI/TCP-IP model, encapsulation | 1.0 General Concepts; 3.0 Architecture | Communication & Network Security |
| Ports, protocols, three-way handshake | 3.0 Security Architecture | Communication & Network Security |
| Segmentation, VLAN, DMZ, NAT | 3.0 Architecture; 4.0 Operations | Communication & Network Security; Security Architecture |
| Spoofing, MITM, DoS/DDoS | 2.0 Threats, Vulnerabilities & Mitigations | Communication & Network Security |
| East-west / north-south, zero-trust framing | 3.0 Architecture | Communication & Network Security |
Project additions this chapter
- Meridian program: network architecture diagram v1 — default-deny trust zones (internet / DMZ / core / CDE / branch / corporate / management / guest), CDE isolated for PCI-DSS scope reduction.
- bluekit toolkit: netfilter.py with parse_fw_log(line), which parses firewall log lines into structured records and flags denied entries. Extended in Ch.7 with rule_matches() and default_deny().
Common pitfalls
- "We have VLANs, so we're segmented" — separation is the enforced default-deny policy, not the VLAN.
- Treating NAT as a security control.
- Assuming encryption (L6) protects against L2/L3 attacks (redirection, floods).
- Spending on the perimeter while the interior is flat and unmonitored.
- Trying to stop a volumetric DDoS at your own edge instead of upstream.
- One over-broad firewall rule silently re-flattening a segmented network.