Part II: Network Security

"You can't defend what you can't see — and on the network, almost everything an attacker does is, in principle, visible."

Every intrusion travels. The phishing link in Chapter 1 resolved a domain, opened a connection, and — had it succeeded — would have carried stolen credentials back out over the wire. Command-and-control beacons, lateral movement between servers, data leaving the building: all of it is traffic, and traffic is where defenders have the home-field advantage. The network is the one place where you can watch the adversary move in near real time. Part II is about owning that ground: understanding how traffic works, shaping it with firewalls and segmentation, hardening the protocols everyone uses every day, and turning packets into the evidence that feeds your detection program.

The old story of network security was a hard shell around a soft center — a perimeter firewall, and trust on the inside. That model is dead, and a recurring message of this part is why it died and what replaces it. The perimeter has dissolved into cloud, remote work, mobile devices, and partner connections; the interesting traffic is increasingly east-west (server to server, inside the walls) rather than north-south (in and out at the edge). So we treat the network not as a wall to be defended but as a terrain to be segmented, instrumented, and continuously watched. Defense in depth lives here in its most literal form: zones within zones, each assuming the one outside it has already been breached.

These five chapters move from fundamentals to telemetry. You will learn the stack layer by layer — and where attacks live at each layer — then the controls that enforce policy on the wire, the wireless and protocol surfaces that attackers love because they are everywhere and often forgotten, and finally the traffic analysis that converts raw packets into detections. The part deliberately ends at monitoring, because everything you learn to build in Chapters 6–9 only matters if you can see whether it is working, which is the bridge into Security Operations (Part V).

What you will learn

  • Chapter 6 — Network Security Fundamentals. Map the TCP/IP and OSI layers to attack and defense opportunities; read ports, sockets, and the three-way handshake; and design segmentation, VLANs, subnets, and DMZs to contain spoofing, MITM, and DoS/DDoS.
  • Chapter 7 — Firewalls, IDS/IPS, and Network Access Control. Write stateful and next-gen firewall rules with default-deny; distinguish IDS from IPS and signatures from anomalies; deploy NAC, 802.1X, and microsegmentation; and tune to cut false positives.
  • Chapter 8 — Wireless Security. Compare WEP through WPA3 and their weaknesses, defend enterprise wireless with 802.1X/EAP, assess Bluetooth/NFC and rogue-AP risk, and design segmented guest and branch WiFi.
  • Chapter 9 — DNS, Email, and Web Security. Harden DNS (DNSSEC, sinkholing, monitoring), stop spoofing with SPF/DKIM/DMARC, defend against phishing and BEC, and recognize DNS and email as detection goldmines.
  • Chapter 10 — Network Monitoring and Traffic Analysis. Capture and read packets with Wireshark, scale up with Zeek logs and NetFlow, detect beaconing, exfiltration, and lateral movement, and build the visibility layer that feeds the SIEM.

Advancing the Meridian program

Part II gives Meridian its network architecture. In Chapter 6 you draw the bank's zones — branch, core, and the PCI cardholder-data environment — as a first segmentation diagram. Chapter 7 populates those boundaries with a default-deny firewall ruleset and IDS sensors. Chapter 8 adds a wireless policy that separates branch operations from guest WiFi. Chapter 9 dissects the very phishing near-miss that opened the book and rolls out SPF, DKIM, and DMARC so the next one is caught at the gateway. Chapter 10 designs Meridian's network-monitoring layer and hunts for command-and-control beaconing in its flow data. The bluekit toolkit grows in parallel: netfilter.py (firewall-log parsing and rule matching), wifiaudit.py (assess_wifi), dnsguard.py (SPF/DMARC checks and a DGA score), and pktflow.py (flow summaries, top talkers, and a beaconing score). By the end, Meridian can both shape and see its traffic.

Prerequisites

Read Part I first — especially Chapter 1 (risk vocabulary), Chapter 3 (defense in depth, least privilege, control types), and Chapters 4–5 (cryptography, which underpins TLS and VPNs in Chapter 9). Within Part II, the chapters build in order: Chapter 7 assumes the stack and segmentation of Chapter 6; Chapters 9 and 10 assume both. If you are short on time, Chapter 6 is non-negotiable before any of the others.

Time investment

| Chapter | Title | Estimated hours |
|---------|-------|-----------------|
| 6 | Network Security Fundamentals | 6 |
| 7 | Firewalls, IDS/IPS, and NAC | 6 |
| 8 | Wireless Security | 5 |
| 9 | DNS, Email, and Web Security | 6 |
| 10 | Network Monitoring and Traffic Analysis | 6 |
| Part II total | | 29 |

SOC-track readers should weight Chapters 6, 9, and 10 (the detection-rich material); engineering-track readers will spend the most time in Chapters 7 and 8 building and tuning controls. Plan extra lab time for Chapter 10 — reading real packet captures is a skill that only develops by doing.

Where this leads

You have now secured the wire and learned to watch it. But traffic terminates somewhere — on operating systems, in applications, on phones, in the cloud. Part III moves from the network to the endpoints and software that traffic reaches, where a different class of weakness waits.