0xnhl

Network Security

Created: 1/12/2026 Updated: 1/12/2026
#gcpc#cybersec#networking

Firewall#

A firewall is a network security device that monitors traffic to and from your network. It either allows traffic or it blocks it based on a defined set of security rules.
Port filtering: A firewall function that blocks or allows certain port numbers to limit unwanted communication.
A hardware firewall inspects each data packet before it’s allowed to enter the network. A software firewall performs the same functions as a hardware firewall, but it’s not a physical device. Instead, it’s a software program installed on a computer or on a server. If the software firewall is installed on a computer, it will analyze all the traffic received by that computer. If the software firewall is installed on a server, it will protect all the devices connected to the server.
Cloud service providers offer firewalls as a service, or FaaS, for organizations. Cloud-based firewalls are software firewalls hosted by a cloud service provider.
All the firewalls we have discussed can be either stateful or stateless.
Stateful refers to a class of firewall that keeps track of information passing through it and proactively filters out threats. A stateful firewall analyzes network traffic for characteristics and behavior that appear suspicious and stops them from entering the network. Stateless refers to a class of firewall that operates based on predefined rules and does not keep track of information from data packets. A stateless firewall only acts according to preconfigured rules set by the firewall administrator. A stateless firewall doesn’t store analyzed information. It also doesn’t discover suspicious trends like a stateful firewall does. For this reason, stateless firewalls are considered less secure than stateful firewalls.
A next generation firewall, or NGFW, provides even more security than a stateful firewall. Not only does an NGFW provide stateful inspection of incoming and outgoing traffic, but it also performs more in-depth security functions like deep packet inspection and intrusion protection. Some NGFWs connect to cloud-based threat intelligence services so they can quickly update to protect against emerging cyber threats.
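The difference between stateless rule matching and stateful connection tracking is easiest to see in a small simulation. The following Python script is an added example (it is not code from the original notes): the rule set, the packet tuples and the connection table are constructed here. A stateless policy that wants LAN hosts to receive HTTPS replies has to admit any inbound packet that claims source port 443; the stateful filter only admits inbound packets that match a connection the LAN side opened.

```python
"""Stateless vs. stateful packet filtering, simulated in Python.

Added example, not from the original notes. Rules, packets and the
connection table are constructed to show why a stateless filter leaves
a hole that a stateful one closes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" (from the internet) or "out" (from the LAN)


# Stateless policy: each packet is judged only on its own header fields.
# To let LAN hosts browse the web, reply traffic (source port 443 from the
# internet) must be allowed in, and that rule admits any packet that
# merely *claims* source port 443.
STATELESS_RULES = [
    ("out", None, 443, "allow"),  # LAN -> internet, HTTPS requests
    ("in", 443, None, "allow"),   # internet -> LAN, anything from port 443
    ("in", None, None, "deny"),   # everything else inbound
    ("out", None, None, "deny"),  # everything else outbound
]


def stateless_decision(pkt: Packet) -> str:
    """First matching rule wins; None in a rule means 'any port'."""
    for direction, src_port, dst_port, action in STATELESS_RULES:
        if pkt.direction != direction:
            continue
        if src_port is not None and pkt.src_port != src_port:
            continue
        if dst_port is not None and pkt.dst_port != dst_port:
            continue
        return action
    return "deny"


class StatefulFilter:
    """Keeps a table of connections the LAN opened; inbound packets are
    allowed only if they are the reverse direction of a tracked one."""

    def __init__(self):
        self.table = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def decision(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.dst_port != 443:
                return "deny"
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.table else "deny"


def run_demo() -> dict:
    """Three constructed packets: a LAN request, its legitimate reply, and an
    unsolicited inbound packet to port 22 that spoofs source port 443."""
    lan = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "out")
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "in")
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 22, "in")
    sf = StatefulFilter()
    return {
        "stateless": [stateless_decision(p) for p in (lan, reply, unsolicited)],
        "stateful": [sf.decision(p) for p in (lan, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(run_demo())
```

The stateless column comes out allow/allow/allow: the unsolicited packet gets through because the filter has no memory of whether anyone asked for it. The stateful column is allow/allow/deny, which is exactly the extra protection the notes attribute to stateful inspection.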

VPN#

A virtual private network, also known as a VPN, is a network security service that changes your public IP address and hides your virtual location so that you can keep your data private when you’re using a public network like the internet.
VPNs also encrypt your data as it travels across the internet to preserve confidentiality. A VPN service performs encapsulation on your data in transit. Encapsulation is a process performed by a VPN service that protects your data by wrapping sensitive data in other data packets.
A security zone is a segment of a network that protects the internal network from the internet. Security zones are part of a security technique called network segmentation that divides the network into segments. Each network segment has its own access permissions and security rules. Security zones control who can access different segments of a network. Security zones act as a barrier to internal networks, maintain privacy within corporate groups, and prevent issues from spreading to the whole network.
An organization’s network is classified into two types of security zones. First, there’s the uncontrolled zone, which is any network outside of the organization’s control, like the internet. Then, there’s the controlled zone, which is a subnet that protects the internal network from the uncontrolled zone. There are several types of networks within the controlled zone. On the outer layer is the demilitarized zone, or DMZ, which contains public-facing services that can access the internet. This includes web servers, proxy servers that host websites for the public, and DNS servers that provide IP addresses for internet users. It also includes email and file servers that handle external communications. The DMZ acts as a network perimeter to the internal network. The internal network contains private servers and data that the organization needs to protect. Inside the internal network is another zone called the restricted zone. The restricted zone protects highly confidential information that is only accessible to employees with certain privileges.
Subnetting is the subdivision of a network into logical groups called subnets. It works like a network inside a network. Subnetting divides up a network address range into smaller subnets within the network. These smaller subnets form based on the IP addresses and network mask of the devices on the network. Subnetting creates a network of devices to function as their own network. This makes the network more efficient and can also be used to create security zones. If devices on the same subnet communicate with each other, the switch changes the transmissions to stay on the same subnet, improving speed and efficiency of the communications.
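Subnetting and zone placement can be worked through with Python's standard `ipaddress` module. The script below is an added example (not from the original notes); the corporate /16, the /24 zone assignments and the host addresses are constructed. It carves the range into subnets, tests whether two hosts share a subnet (the case where a switch can keep their traffic local), maps an address to the uncontrolled, DMZ, internal or restricted zone, and applies a simple zone policy.

```python
"""Subnetting and security-zone placement with ipaddress.

Added example, not from the original notes. The address plan is
constructed: one corporate /16 split into /24 subnets, with a few of
those subnets assigned to named security zones.
"""
import ipaddress

CORP_NET = ipaddress.ip_network("10.20.0.0/16")
ZONES = {
    "dmz": ipaddress.ip_network("10.20.1.0/24"),
    "internal": ipaddress.ip_network("10.20.10.0/24"),
    "restricted": ipaddress.ip_network("10.20.99.0/24"),
}
# Higher rank = more sensitive zone.
RANK = {"uncontrolled": 0, "dmz": 1, "internal-other": 2, "internal": 2, "restricted": 3}


def carve_subnets(net, new_prefix: int) -> list:
    """Divide a network into equal-size subnets of the given prefix length."""
    return list(net.subnets(new_prefix=new_prefix))


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True if two hosts fall in the same subnet for the given mask length."""
    return (ipaddress.ip_interface(f"{a}/{prefix}").network
            == ipaddress.ip_interface(f"{b}/{prefix}").network)


def zone_of(host: str) -> str:
    """Map a host to its zone: 'uncontrolled' outside the corporate range,
    a named zone inside it, or 'internal-other' for unzoned corporate space."""
    ip = ipaddress.ip_address(host)
    if ip not in CORP_NET:
        return "uncontrolled"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internal-other"


def allowed(src: str, dst: str) -> bool:
    """Zone policy: traffic may stay in its zone or move toward a less
    sensitive one; the uncontrolled zone may reach only the DMZ."""
    s, d = zone_of(src), zone_of(dst)
    if s == "uncontrolled":
        return d == "dmz"
    return RANK[d] <= RANK[s]


if __name__ == "__main__":
    print(len(carve_subnets(CORP_NET, 24)), "subnets of /24")
    print(same_subnet("10.20.10.5", "10.20.10.77", 24), same_subnet("10.20.10.5", "10.20.11.5", 24))
    print(allowed("8.8.8.8", "10.20.1.10"), allowed("10.20.1.10", "10.20.99.4"))
```

With this policy a DMZ host can answer the internet but cannot initiate traffic into the internal or restricted subnets, which is the perimeter role the notes give the DMZ.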

VPN protocols: WireGuard and IPSec

Remote access and site-to-site VPNs#

Individual users use remote access VPNs to establish a connection between a personal device and a VPN server. Remote access VPNs encrypt data sent or received through a personal device. The connection between the user and the remote access VPN is established through the internet.

Enterprises use site-to-site VPNs largely to extend their network to other networks and locations. This is particularly useful for organizations that have many offices across the globe. IPSec is commonly used in site-to-site VPNs to create an encrypted tunnel between the primary network and the remote network. One disadvantage of site-to-site VPNs is how complex they can be to configure and manage compared to remote VPNs.

WireGuard VPN vs. IPSec VPN#

WireGuard and IPSec are two different VPN protocols used to encrypt traffic over a secure network tunnel. The majority of VPN providers offer a variety of options for VPN protocols, such as WireGuard or IPSec. Ultimately, choosing between IPSec and WireGuard depends on many factors, including connection speeds, compatibility with existing network infrastructure, and business or individual needs.

WireGuard VPN#

WireGuard is a high-speed VPN protocol, with advanced encryption, to protect users when they are accessing the internet. It’s designed to be simple to set up and maintain. WireGuard can be used for both site-to-site connection and client-server connections. WireGuard is relatively newer than IPSec, and is used by many people due to the fact that its download speed is enhanced by using fewer lines of code. WireGuard is also open source, which makes it easier for users to deploy and debug. This protocol is useful for processes that require faster download speeds, such as streaming video content or downloading large files.

IPSec VPN#

IPSec is another VPN protocol that may be used to set up VPNs. Most VPN providers use IPSec to encrypt and authenticate data packets in order to establish secure, encrypted connections. Since IPSec is one of the earlier VPN protocols, many operating systems support IPSec from VPN providers.

Although IPSec and WireGuard are both VPN protocols, IPSec is older and more complex than WireGuard. Some clients may prefer IPSec due to its longer history of use, extensive security testing, and widespread adoption. However, others may prefer WireGuard because of its potential for better performance and simpler configuration.

Proxy servers#

Proxy servers are another system that helps secure networks. The definition of a proxy server is a server that fulfills the request of a client by forwarding them on to other servers. The proxy server is a dedicated server that sits between the internet and the rest of the network. When a request to connect to the network comes in from the internet, the proxy server will determine if the connection request is safe. The proxy server is a public IP address that is different from the rest of the private network. This hides the private network’s IP address from malicious actors on the internet and adds a layer of security.
There are different types of proxy servers that support network security.
A forward proxy server regulates and restricts a person with access to the internet. The goal is to hide a user’s IP address and approve all outgoing requests. In the context of an organization, a forward proxy server receives outgoing traffic from an employee, approves it, and then forwards it on to the destination on the internet.
A reverse proxy server regulates and restricts internet access to an internal server. The goal is to accept traffic from external parties, approve it, and forward it to the internal servers. This setup is useful for protecting internal web servers containing confidential data from exposing their IP address to external parties.
An email proxy server is another valuable security tool. It filters spam email by verifying whether a sender’s address was forged. This reduces the risk of phishing attacks that impersonate people known to the organization.

Network interception attacks#

Network interception attacks work by intercepting network traffic and stealing valuable information or interfering with the transmission in some way.
Malicious actors can use hardware or software tools to capture and inspect data in transit. This is referred to as packet sniffing.

Backdoor attacks#

Backdoors are weaknesses intentionally left by programmers or system and network administrators that bypass normal access control mechanisms. Backdoors are intended to help programmers conduct troubleshooting or administrative tasks. However, backdoors can also be installed by attackers after they’ve compromised an organization to ensure they have persistent access.

DoS and DDoS Attacks#

Packet sniffing#

Packet sniffing is the practice of using software tools to observe data as it moves across a network.
Passive packet sniffing is a type of attack where data packets are read in transit. Since all the traffic on a network is visible to any host on the hub, malicious actors can view all the information going in and out of the device they are targeting.
Active packet sniffing is a type of attack where data packets are manipulated in transit. This may include injecting internet protocols to redirect the packets to an unintended port or changing the information the packet contains.

IP Spoofing#

IP spoofing is a network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network. In this kind of attack, the hacker is pretending to be someone they are not so they can communicate over the network with the target computer and get past firewall rules that may prevent outside traffic.
Some common IP spoofing attacks are on-path attacks, replay attacks, and smurf attacks.

  • An on-path attack is an attack where the malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit. On-path attackers gain access to the network and put themselves between two devices, like a web browser and a web server. Then they sniff the packet information to learn the IP and MAC addresses to devices that are communicating with each other. After they have this information, they can pretend to be either of these devices.
  • A replay attack is a network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time. A delayed packet can cause connection issues between target computers, or a malicious actor may take a network transmission that was sent by an authorized user and repeat it at a later time to impersonate the authorized user.
  • A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker sniffs an authorized user’s IP address and floods it with packets. This overwhelms the target computer and can bring down a server or the entire network.
    Firewalls can be configured to protect against IP spoofing. IP spoofing makes it seem like the malicious actor is an authorized user by changing the sender’s address of the data packet to match the target network’s address. So if a firewall receives a data packet from the internet where the sender’s IP address is the same as the private network, then the firewall will deny the transmission since all the devices with that IP address should already be on the local network. You can make sure that your firewalls configure correctly by creating a rule to reject all incoming traffic that has the same IP address as the local network.
    The device’s Network Interface Card (NIC) is a piece of hardware that connects the device to a network. The NIC reads the data transmission, and if it contains the device’s MAC address, it accepts the packet and sends it to the device to process the information based on the protocol. This occurs in all standard network operations. However, a NIC can be set to promiscuous mode, which means that it accepts all traffic on the network, even the packets that aren’t addressed to the NIC’s device. Malicious actors might use software like Wireshark to capture the data on a private network and store it for later use. They can then use the personal information to their own advantage. Alternatively, they might use the IP and MAC addresses of authorized users of the private network to perform IP spoofing.
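The anti-spoofing rule described above (reject inbound traffic whose source address belongs to the local network) can be expressed as a small check. The script below is an added example, not code from the original notes, and it generalises the rule in two ways: inbound packets from private or bogon ranges that should never appear on the internet side are also rejected, and the mirror egress rule drops outbound packets whose source is not local, so a compromised internal host cannot impersonate an outside address. The local ranges and the sample packets are constructed.

```python
"""Anti-spoofing ingress and egress checks for a firewall, in Python.

Added example, not from the original notes. LOCAL_NETS and the sample
packets are constructed; the bogon list is the usual private, loopback
and link-local space.
"""
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24"),
              ipaddress.ip_network("10.50.0.0/16")]
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed (direction, source address) pairs as a firewall would see them.
SAMPLE_PACKETS = [
    ("in", "203.0.113.9"),      # ordinary internet client
    ("in", "192.168.10.44"),    # claims to be one of our own hosts
    ("in", "10.1.2.3"),         # private space that should not cross the internet
    ("out", "192.168.10.44"),   # legitimate outbound
    ("out", "198.51.100.1"),    # internal host spoofing an outside address
]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_bogon(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def anti_spoof_decision(direction: str, src_ip: str) -> tuple:
    """Return (action, reason). direction is 'in' from the internet or
    'out' from the local network."""
    if direction == "in":
        if is_local(src_ip):
            return "deny", "inbound packet claims a local source address"
        if is_bogon(src_ip):
            return "deny", "inbound packet has a private/bogon source"
        return "allow", "ok"
    if direction == "out":
        if not is_local(src_ip):
            return "deny", "outbound packet with a non-local source (egress filtering)"
        return "allow", "ok"
    return "deny", "unknown direction"


def audit(packets) -> list:
    """Run the checks over (direction, src_ip) pairs and return the denials."""
    denied = []
    for direction, src in packets:
        action, reason = anti_spoof_decision(direction, src)
        if action == "deny":
            denied.append((direction, src, reason))
    return denied


if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print(entry)
```

Checking the local range before the bogon list matters for the reason string only; either way the packet is denied. The egress rule is the part most often forgotten: it does not protect your own network, but it stops your network from being the source of spoofed traffic against others.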

Security hardening#

Security hardening is the process of strengthening a system to reduce its vulnerability and attack surface. All the potential vulnerabilities that a threat actor could exploit are referred to as a system’s attack surface.
Security hardening can be conducted on any device or system that can be compromised, such as hardware, operating systems, applications, computer networks, and databases. Physical security is also a part of security hardening.
Some common types of hardening procedures include software updates, also called patches, and device application configuration changes. These updates and changes are done to increase security and fix security vulnerabilities on a network. Other examples of security hardening include removing or disabling unused applications and services, disabling unused ports, and reducing access permissions across devices and networks.

OS hardening#

It’s important to secure the OS in each system because one insecure OS can lead to a whole network being compromised.

  • A patch update is a software and operating system, or OS, update that addresses security vulnerabilities within a program or product. With patch updates, the OS should be upgraded to its latest software version. Sometimes patches are released to fix a security vulnerability in the software.
  • The newly updated OS should be added to the baseline configuration, also called the baseline image. A baseline configuration is a documented set of specifications within a system that is used as a basis for future builds, releases, and updates.
  • Hardware and software disposal. This ensures that all old hardware is properly wiped and disposed of.
  • Implementing a strong password policy.
    Brute force attacks

Network hardening#

Network hardening focuses on network-related security hardening, like port filtering, network access privileges, and encryption over networks. Certain network hardening tasks are performed regularly, while others are performed once and then updated as needed.
Tasks that are performed regularly include firewall rules maintenance, network log analysis, patch updates, and server backups.
Tasks that are performed once include port filtering on firewalls, network access privileges, and encryption for communication.

  • Port filtering can be performed over the network. Port filtering is a firewall function that blocks or allows certain port numbers to limit unwanted communication. A basic principle is that the only ports that are allowed are the ones that are needed. Any port that isn’t being used by normal network operations should be disallowed.
  • Security analysts also use network segmentation to create isolated subnets for different departments in an organization.
  • Network segmentation may also be used to separate different security zones. Any restricted zone on a network containing highly classified or confidential data should be separate from the rest of the network.
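A practical way to apply the "only needed ports are allowed" principle is to audit what a host actually listens on against an allowlist. The script below is an added example, not from the original notes: the allowlist and the `ss -tuln`-style output are constructed, and on a real host you would feed it the actual output of that command. Sockets bound only to loopback are reported separately because they are not reachable from the network.

```python
"""Audit listening sockets against a port allowlist.

Added example, not from the original notes. ALLOWED and SAMPLE_SS are
constructed; SAMPLE_SS mimics the column layout `ss -tuln` prints.
"""
# Constructed policy: the only services this host is supposed to expose.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Constructed sample output in the layout of `ss -tuln`.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    *:443             *:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:3306      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      4096   [::]:22           [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text: str):
    """Yield (proto, address, port) for each socket line, skipping the header.
    The address is split on the last ':' so IPv6 forms like [::]:22 work."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        yield proto, addr, int(port)


def audit_ports(text: str, allowed=ALLOWED) -> dict:
    """Return sockets exposed on the network that are not allowlisted, and
    loopback-only sockets separately (lower risk, still worth reviewing)."""
    unexpected, loopback_only = set(), set()
    for proto, addr, port in parse_ss(text):
        if (proto, port) in allowed:
            continue
        if addr in LOOPBACK:
            loopback_only.add((proto, addr, port))
        else:
            unexpected.add((proto, addr, port))
    return {"unexpected": sorted(unexpected), "loopback_only": sorted(loopback_only)}


if __name__ == "__main__":
    report = audit_ports(SAMPLE_SS)
    for proto, addr, port in report["unexpected"]:
        print(f"UNEXPECTED {proto} {addr}:{port}")
    for proto, addr, port in report["loopback_only"]:
        print(f"loopback-only {proto} {addr}:{port}")
```

In the sample, the database listener on tcp/3306 and the DHCP client socket on udp/68 are flagged; if the host legitimately uses DHCP, udp/68 belongs in the allowlist, which is the point of keeping the policy explicit rather than in someone's head.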

Intrusion Prevention System#

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity and takes action to stop the activity. It offers even more protection than an IDS because it actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a network administrator.

Devices / tools, with their advantages and disadvantages:

  • Firewall
    Advantage: A firewall allows or blocks traffic based on a set of rules.
    Disadvantage: A firewall is only able to filter packets based on information provided in the header of the packets.
  • Intrusion Detection System (IDS)
    Advantage: An IDS detects and alerts admins about possible intrusions, attacks, and other malicious traffic.
    Disadvantage: An IDS can only scan for known attacks or obvious anomalies; new and sophisticated attacks might not be caught. It doesn’t actually stop the incoming traffic.
  • Intrusion Prevention System (IPS)
    Advantage: An IPS monitors system activity for intrusions and anomalies and takes action to stop them.
    Disadvantage: An IPS is an inline appliance. If it fails, the connection between the private network and the internet breaks. It might detect false positives and block legitimate traffic.
  • Security Information and Event Management (SIEM)
    Advantage: A SIEM tool collects and analyzes log data from multiple network machines. It aggregates security events for monitoring in a central dashboard.
    Disadvantage: A SIEM tool only reports on possible security issues. It does not take any actions to stop or prevent suspicious events.

Cloud hardening#

Although cloud servers are hosted by a cloud service provider, these providers cannot prevent intrusions in the cloud—especially intrusions from malicious actors, both internal and external to an organization.
One distinction between cloud network hardening and traditional network hardening is the use of a server baseline image for all server instances stored in the cloud. This allows you to compare data in the cloud servers to the baseline image to make sure there haven’t been any unverified changes.

  • Identity access management (IAM): IAM is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can use different cloud resources.
  • Configuration: The number of available cloud services adds complexity to the network. Each service must be carefully configured to meet security and compliance requirements.
  • Attack surface: Every service or application on a network carries its own set of risks and vulnerabilities and increases an organization’s overall attack surface. An increased attack surface must be compensated for with increased security measures.
  • Zero-day attacks: A zero-day attack is an exploit that was previously unknown. CSPs are more likely to know about a zero-day attack occurring before a traditional IT organization does. CSPs have ways of patching hypervisors and migrating workloads to other virtual machines. These methods ensure the customers are not impacted by the attack.
  • Visibility and tracking: Network administrators have access to every data packet crossing the network with both on-premise and cloud networks. They can sniff and inspect data packets to learn about network performance or to check for possible threats and attacks.
  • Things change fast in the cloud: CSPs are large organizations that work hard to stay up-to-date with technology advancements. Cloud service updates can affect security considerations for the organizations using them. Organizations that use CSPs usually have to update their IT processes.
  • Shared responsibility model: This model states that the CSP must take responsibility for security involving the cloud infrastructure, including physical data centers, hypervisors, and host operating systems. The company using the cloud service is responsible for the assets and processes that they store or operate in the cloud.

Hypervisors#

A hypervisor abstracts the host’s hardware from the operating software environment. There are two types of hypervisors. Type one hypervisors run directly on the hardware of the host computer. An example of a type one hypervisor is VMware’s ESXi. Type two hypervisors operate on top of the host computer’s operating system. An example of a type two hypervisor is VirtualBox. Cloud service providers (CSPs) commonly use type one hypervisors. CSPs are responsible for managing the hypervisor and other virtualization components. The CSP ensures that cloud resources and cloud environments are available, and it provides regular patches and updates. Vulnerabilities in hypervisors or misconfigurations can lead to virtual machine escapes (VM escapes). A VM escape is an exploit where a malicious actor gains access to the primary hypervisor, potentially the host computer and other VMs. As a CSP customer, you will rarely deal with hypervisors directly.

Baselining#

Baselining for cloud networks and operations covers how the cloud environment is configured and set up. A baseline is a fixed reference point. This reference point can be used to compare changes made to a cloud environment. Proper configuration and setup can greatly improve the security and performance of a cloud environment. Examples of establishing a baseline in a cloud environment include: restricting access to the admin portal of the cloud environment, enabling password management, enabling file encryption, and enabling threat detection services for SQL databases.
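The baseline comparison that the notes describe here, in the OS hardening section (adding the patched OS to the baseline image) and in the cloud hardening section (comparing server instances to the baseline image to catch unverified changes) comes down to one operation: diff the live configuration against the documented one and classify every difference. The script below is an added example, not from the original notes; the baseline and the "current" snapshot are constructed dictionaries of setting to value, with SHA-256 file fingerprints standing in for what a baseline image records about file contents.

```python
"""Detect drift between a server and its baseline configuration.

Added example, not from the original notes. BASELINE and CURRENT are
constructed; a real deployment would build the first from the golden
image and the second from the live instance.
"""
import hashlib


def fingerprint(content: bytes) -> str:
    """SHA-256 of a file body, the usual way a baseline records file state."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline: the documented, approved state of every instance.
BASELINE = {
    "sshd:PermitRootLogin": "no",
    "sshd:PasswordAuthentication": "no",
    "firewall:open_ports": "22,443",
    "packages:openssl": "3.0.13-1",          # constructed version string
    "file:/etc/sudoers": fingerprint(b"root ALL=(ALL) ALL\n"),
    "admin_portal:allowed_cidrs": "10.0.0.0/8",
}

# Constructed snapshot of one instance some weeks after it was built.
CURRENT = {
    "sshd:PermitRootLogin": "no",
    "sshd:PasswordAuthentication": "yes",    # weakened
    "firewall:open_ports": "22,443,8080",    # extra port opened
    "packages:openssl": "3.0.13-1",
    "file:/etc/sudoers": fingerprint(b"root ALL=(ALL) ALL\nsvc ALL=(ALL) NOPASSWD: ALL\n"),
    "admin_portal:allowed_cidrs": "10.0.0.0/8",
    "cron:/etc/cron.d/backup": fingerprint(b"0 2 * * * root /opt/backup.sh\n"),  # undocumented
}


def drift(baseline: dict, current: dict) -> dict:
    """Classify differences: values that changed, baseline settings missing
    from the instance, and settings present that the baseline never documented."""
    changed = {k: (baseline[k], current[k]) for k in baseline
               if k in current and current[k] != baseline[k]}
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def is_compliant(baseline: dict, current: dict) -> bool:
    d = drift(baseline, current)
    return not (d["changed"] or d["missing"] or d["added"])


if __name__ == "__main__":
    report = drift(BASELINE, CURRENT)
    for key, (old, new) in report["changed"].items():
        print(f"CHANGED {key}: {old!r} -> {new!r}")
    for key in report["missing"]:
        print(f"MISSING {key}")
    for key in report["added"]:
        print(f"ADDED   {key}")
    print("compliant:", is_compliant(BASELINE, CURRENT))
```

Every item in the report is an unverified change until someone either reverts it or updates the baseline, which is how the baseline stays the basis for future builds rather than a stale document.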

Cryptography in the cloud#

Cryptography can be applied to secure data that is processed and stored in a cloud environment. Cryptography uses encryption and secure key management systems to provide data integrity and confidentiality. Cryptographic encryption is one of the key ways to secure sensitive data and information in the cloud.

Cryptographic erasure#

Cryptographic erasure is a method of erasing the encryption key for the encrypted data. When destroying data in the cloud, more traditional methods of data destruction are not as effective. Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the data are destroyed. This makes the data undecipherable and prevents anyone from decrypting the data. When crypto-shredding, all copies of the key need to be destroyed so no one has any opportunity to access the data in the future.
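Crypto-shredding is easiest to reason about with envelope encryption: each object is encrypted under its own data key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK) held by the key management service. Destroying every copy of the KEK makes every wrapped DEK, and so every object, unrecoverable while the ciphertext still sits on disk. The script below is an added example, not from the original notes. The KMS is simulated, and the cipher is an illustrative hash-based keystream (SHA-256 in counter mode) so the script runs on the standard library alone; a real system would use an authenticated cipher such as AES-GCM. The `all_copies` switch shows why the notes stress that all copies of the key must be destroyed.

```python
"""Cryptographic erasure (crypto-shredding) with envelope encryption.

Added example, not from the original notes. The KMS, its replicas and
the cipher are simulated; the keystream construction is illustrative,
not a production cipher.
"""
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks. Encryption and
    decryption are the same operation. Illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class SimulatedKMS:
    """Holds KEKs, including backup replicas, and wraps/unwraps DEKs."""

    def __init__(self, replicas: int = 3):
        self.kek_copies = {}   # kek_id -> list of copies (None once erased)
        self.replicas = replicas

    def create_kek(self, kek_id: str) -> None:
        kek = os.urandom(32)
        self.kek_copies[kek_id] = [kek] * self.replicas

    def _kek(self, kek_id: str) -> bytes:
        live = [c for c in self.kek_copies.get(kek_id, []) if c is not None]
        if not live:
            raise KeyError(f"KEK {kek_id} has been cryptographically erased")
        return live[0]

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return encrypt(self._kek(kek_id), dek)

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        return decrypt(self._kek(kek_id), wrapped)

    def shred(self, kek_id: str, all_copies: bool = True) -> None:
        """Crypto-shred the KEK. With all_copies=False one replica survives,
        which is the mistake that leaves the data recoverable."""
        copies = self.kek_copies[kek_id]
        for i in range(len(copies)):
            if all_copies or i > 0:
                copies[i] = None


def store_object(kms: SimulatedKMS, kek_id: str, plaintext: bytes) -> dict:
    """Envelope-encrypt one object: fresh DEK, wrapped DEK stored beside it."""
    dek = os.urandom(32)
    return {"ciphertext": encrypt(dek, plaintext), "wrapped_dek": kms.wrap(kek_id, dek)}


def read_object(kms: SimulatedKMS, kek_id: str, obj: dict) -> bytes:
    dek = kms.unwrap(kek_id, obj["wrapped_dek"])
    return decrypt(dek, obj["ciphertext"])


def demo(all_copies: bool = True) -> bool:
    """Return True if the stored object is unreadable after shredding."""
    kms = SimulatedKMS()
    kms.create_kek("tenant-kek")
    obj = store_object(kms, "tenant-kek", b"customer record 42")   # constructed data
    assert read_object(kms, "tenant-kek", obj) == b"customer record 42"
    kms.shred("tenant-kek", all_copies=all_copies)
    try:
        read_object(kms, "tenant-kek", obj)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print("erased with all copies destroyed:", demo(all_copies=True))
    print("erased with one replica left:   ", demo(all_copies=False))
```

The ciphertext and the wrapped DEK are never touched by the shred; only the KEK is. That is what makes the technique attractive in the cloud, where you cannot physically wipe the provider's storage, and also why the KEK's backups and replicas have to be in scope of the erasure.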

Key Management#

Modern encryption relies on keeping the encryption keys secure. Below are the measures you can take to further protect your data when using cloud applications:

  • Trusted platform module (TPM). TPM is a computer chip that can securely store passwords, certificates, and encryption keys.
  • Cloud hardware security module (CloudHSM). CloudHSM is a computing device that provides secure storage for cryptographic keys and processes cryptographic operations, such as encryption and decryption.
    Organizations and customers do not have access to the cloud service provider (CSP) directly, but they can request audits and security reports by contacting the CSP. Customers typically do not have access to the specific encryption keys that CSPs use to encrypt the customers’ data. However, almost all CSPs allow customers to provide their own encryption keys, depending on the service the customer is accessing. In turn, the customer is responsible for their encryption keys and ensuring the keys remain confidential. The CSP is limited in how they can help the customer if the customer’s keys are compromised or destroyed. One key benefit of the shared responsibility model is that the customer is not entirely responsible for maintenance of the cryptographic infrastructure. Organizations can assess and monitor the risk involved with allowing the CSP to manage the infrastructure by reviewing a CSP’s audit and security controls. For federal contractors, FedRAMP provides a list of verified CSPs.