Network Security

Network security protects data in transit and network infrastructure from unauthorized access, interception, and attack.

Firewalls

Packet Filtering (Stateless)

Examine each packet independently. Filter based on: source/destination IP, source/destination port, protocol (TCP/UDP/ICMP), interface.

# Allow incoming HTTP (stateless match: protocol and destination port only)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow established connections
# Note: this rule relies on connection tracking (-m state, written today as
# -m conntrack --ctstate), so it is already a stateful match; a purely stateless
# filter can only approximate it by matching TCP flags (e.g. ACK set).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop everything else (default deny; rules are evaluated in order)
iptables -A INPUT -j DROP

Limitation: Can't track connection state. Difficult to handle FTP (dynamic ports), UDP "connections."

Stateful Inspection

Track connection state (NEW, ESTABLISHED, RELATED). Only allow packets belonging to established connections or valid new connections.

Example: Allow outgoing TCP connection → automatically allow return traffic (ESTABLISHED). Much simpler rules than stateless.

Linux: iptables with -m conntrack or nftables. The standard for Linux firewalls.
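As an added illustration (not code from the page or from netfilter), a toy connection tracker in Python that applies the policy just described: an outbound SYN from the LAN is NEW, any packet of a tracked 4-tuple is ESTABLISHED, everything else is dropped. The packet trace is constructed; a stateless filter that admitted every inbound packet with the ACK flag set would pass the final stray ACK, which this tracker drops because no connection matches it.

```python
from collections import namedtuple

# flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK), "FA" (FIN-ACK); direction: "out" (LAN -> Internet) / "in"
Packet = namedtuple("Packet", "src sport dst dport flags direction")

class StatefulFilter:
    """Accept NEW connections only when opened from the LAN, accept any packet of a
    tracked connection (ESTABLISHED), drop everything else (INVALID)."""

    def __init__(self, lan_prefix="10.0.0."):
        self.lan_prefix = lan_prefix
        self.table = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> state

    def _key(self, p):
        # Both directions of one connection map to the same table entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def classify(self, p):
        if self._key(p) in self.table:
            return "ESTABLISHED"
        if p.direction == "out" and p.flags == "S" and p.src.startswith(self.lan_prefix):
            return "NEW"
        return "INVALID"   # inbound SYN, or a stray ACK that belongs to no tracked connection

    def filter(self, p):
        """Return 'ACCEPT' or 'DROP' and update the tracking table the way conntrack would."""
        state, key = self.classify(p), self._key(p)
        if state == "NEW":
            self.table[key] = "SYN_SENT"
        elif state == "ESTABLISHED":
            if "F" in p.flags:
                self.table.pop(key, None)   # FIN seen: stop tracking this connection
        else:
            return "DROP"
        return "ACCEPT"

def demo():
    """Constructed trace: one outbound HTTPS session, then two unsolicited inbound packets."""
    fw = StatefulFilter()
    trace = [Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S", "out"),
             Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA", "in"),
             Packet("10.0.0.5", 40000, "203.0.113.10", 443, "A", "out"),
             Packet("198.51.100.9", 5555, "10.0.0.5", 22, "S", "in"),
             Packet("198.51.100.9", 5555, "10.0.0.5", 22, "A", "in")]
    return [fw.filter(p) for p in trace]
```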

Application-Level Gateway (Proxy)

Inspect application-layer data (HTTP content, DNS queries, SMTP commands). Can filter based on URLs, content types, commands.

Web Application Firewall (WAF): Inspects HTTP requests for SQL injection, XSS, CSRF patterns. Operates at Layer 7.

Next-Generation Firewall (NGFW)

Combines: packet filtering + stateful inspection + application awareness + IPS + user identity. Deep packet inspection (DPI).

Examples: Palo Alto, Fortinet, Cisco Firepower.

Intrusion Detection/Prevention

IDS (Intrusion Detection System)

Monitors network traffic for suspicious patterns. Alerts administrators. Passive — doesn't block traffic.

Signature-based: Match against known attack patterns (like antivirus). Fast. Can't detect zero-day attacks.

Anomaly-based: Learn "normal" traffic patterns. Alert on deviations. Can detect novel attacks. Higher false positive rate.

IPS (Intrusion Prevention System)

Like IDS but actively blocks detected attacks. Inline (traffic passes through it).

Examples: Snort (open-source IDS/IPS), Suricata, Zeek (network analysis).

VPN (Virtual Private Network)

Create an encrypted tunnel over a public network.

IPsec VPN

Tunnel mode: Entire original packet encrypted and encapsulated. Used for site-to-site VPNs.

[New IP Header][ESP Header][Original IP Header][Original Data][ESP Trailer]
                            ←── encrypted ──→

IKE (Internet Key Exchange): Negotiates encryption keys and algorithms.

WireGuard

Modern VPN protocol. Simple (4000 lines of code vs 100K+ for OpenVPN/IPsec).

Features: Fast (in-kernel implementation), modern crypto (Curve25519, ChaCha20, Poly1305), low overhead, simple configuration.

# WireGuard config
[Interface]
PrivateKey = <base64>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <base64>
AllowedIPs = 10.0.0.2/32
Endpoint = peer.example.com:51820

OpenVPN

SSL/TLS-based VPN. Runs in user space. Cross-platform. Widely deployed. Slower than WireGuard.

TLS/SSL

TLS 1.3 (Current Standard)

Improvements over TLS 1.2:

  • Simpler handshake (1-RTT vs 2-RTT)
  • Removed weak algorithms (RC4, SHA-1, RSA key exchange)
  • 0-RTT resumption (at the cost of replay risk)
  • Forward secrecy mandatory (ephemeral key exchange)
  • Encrypted handshake (certificate encrypted)

Cipher suites: Only 5 cipher suites in TLS 1.3 (vs 300+ in TLS 1.2). All use AEAD (authenticated encryption with associated data).

Certificate Management

X.509 certificates: Bind a public key to an identity (domain name). Signed by a Certificate Authority (CA).

Certificate chain: Server cert → intermediate CA → root CA. Client verifies each signature up to a trusted root.

Let's Encrypt: Free, automated certificate authority. Automated via ACME protocol. 90-day certificates (auto-renewed by certbot).

Certificate Transparency (CT): Public logs of all issued certificates. Detects mis-issued certificates. All major CAs submit to CT logs.

Certificate Pinning: Client expects a specific certificate or CA. Prevents MITM with a rogue CA-signed cert. Used by apps (not browsers — too inflexible).

DDoS Mitigation

Attack Types

Volumetric: Overwhelm bandwidth (UDP flood, DNS amplification, NTP amplification).

Protocol: Exploit protocol weaknesses (SYN flood, Ping of Death, Smurf).

Application: Target specific application weaknesses (HTTP flood, Slowloris, DNS query flood).

Defenses

Rate limiting: Limit requests per IP/subnet.

SYN cookies: Don't allocate state for half-open connections. Encode state in the sequence number.
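An added, simplified SYN-cookie implementation in Python (not from the page; the bit layout is modelled on, but not identical to, the Linux one). It assumes a constructed server secret and a 64-second time counter; the server recovers the client's ISN from the final ACK's sequence number minus one, and keeps no per-connection state until that ACK validates.

```python
import hmac, hashlib

SECRET = b"constructed-demo-secret"     # constructed; a real kernel rotates this key
MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values encodable in the 3-bit index field

def _mac(tuple4, counter):
    """Keyed hash of (src, sport, dst, dport) and the time counter, truncated to 32 bits."""
    msg = repr((tuple4, counter)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(tuple4, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Layout: bits 31-27 = time counter (64 s units),
    bits 26-24 = MSS index, bits 23-0 = MAC mixed with the client's ISN."""
    counter = (now // 64) & 0x1F
    idx = max([i for i, v in enumerate(MSS_TABLE) if v <= mss] or [0])
    tag = (_mac(tuple4, counter) ^ client_isn) & 0xFFFFFF
    return (counter << 27) | (idx << 24) | tag

def check_cookie(tuple4, client_isn, ack, now, max_age=2):
    """Validate the handshake's final ACK (ack = cookie + 1). Returns the MSS needed to
    rebuild the connection, or None if the cookie is forged, stale or for another client."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, idx = cookie >> 27, (cookie >> 24) & 0x7
    cur = (now // 64) & 0x1F
    if (cur - counter) % 32 > max_age:      # counter wraps every 32 * 64 s
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = (_mac(tuple4, counter) ^ client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:
        return None
    return MSS_TABLE[idx]
```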

Anycast: Distribute the same IP across multiple locations. Absorb traffic at the edge.

Scrubbing services: Route traffic through DDoS mitigation providers (Cloudflare, AWS Shield, Akamai) that filter malicious traffic.

CDN: Absorb HTTP floods at edge locations close to attackers.

DNS Security

DNS poisoning/spoofing: Attacker injects fake DNS responses → users directed to malicious servers.

DNSSEC: Cryptographic signatures on DNS records. Prevents spoofing but doesn't encrypt queries.

DNS over HTTPS (DoH): Encrypt DNS queries via HTTPS. Prevents ISP/network snooping on DNS queries.

DNS over TLS (DoT): Encrypt DNS queries via TLS (port 853). Similar goal to DoH.

Wi-Fi Security

| Protocol | Year | Security |
|---|---|---|
| WEP | 1997 | Broken. RC4 with static keys. Crackable in minutes. |
| WPA | 2003 | TKIP (temporal key). Better but still RC4-based. |
| WPA2 | 2004 | AES-CCMP. Secure but vulnerable to KRACK (2017). |
| WPA3 | 2018 | SAE (dragonfly handshake). Forward secrecy. Resistant to offline dictionary attacks. |

Enterprise: 802.1X (RADIUS authentication) + per-user encryption keys. Used in corporate networks.

Network Access Control

802.1X

Port-based access control. Device must authenticate before the switch grants network access.

Supplicant (client) → Authenticator (switch) → Authentication Server (RADIUS)
  1. Client connects to switch port.
  2. Switch blocks all traffic except 802.1X.
  3. Client provides credentials (certificate, username/password).
  4. RADIUS server authenticates → switch opens the port.
  5. Can assign VLAN, ACLs based on identity.

RADIUS

Remote Authentication Dial-In User Service. Centralized authentication for network access. Used by 802.1X, VPN, Wi-Fi.
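An added Python example (not from the page) of the Access-Request that the authenticator sends to the RADIUS server in the 802.1X flow above, with the RFC 2865 User-Password hiding and its inverse on the server side. All values are constructed. The hiding is only MD5 keyed by the shared secret, which is why the secret must be long and random and why RADIUS is best carried over IPsec or RadSec (RADIUS over TLS); certificate-based EAP methods avoid sending a password at all.

```python
import hashlib, os, struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2   # RADIUS code and attribute types (RFC 2865)

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret || prev), where prev is
    the Request Authenticator for the first block and the previous ciphertext block afterwards."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse operation, as the RADIUS server performs it; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator=None):
    """Access-Request as the authenticator (switch/AP) sends it: 20-byte header + TLV attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable and fresh per request
    attrs = b"".join(bytes([t, 2 + len(v)]) + v for t, v in
                     [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {attribute type: value} from a RADIUS packet (attributes start after the header)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_recover_password(packet, secret):
    """Server side: take the Request Authenticator from the header and undo the hiding."""
    return reveal_password(parse_attributes(packet)[USER_PASSWORD], secret, packet[4:20])
```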

Zero Trust Architecture

"Never trust, always verify." No implicit trust based on network location.

Principles:

  1. Verify every access request (regardless of network position).
  2. Use least-privilege access.
  3. Assume breach (design for containment, not just prevention).
  4. Verify explicitly (identity, device health, context).

Implementation: Identity-aware proxy (BeyondCorp), micro-segmentation, MFA, continuous authentication, encrypted communication everywhere.

Google BeyondCorp: All applications accessed through an identity-aware proxy. No VPN needed. Access decisions based on user identity, device trust, and context — not network location.

Applications in CS

  • Web development: HTTPS configuration, CORS, CSP headers, secure cookie flags.
  • Cloud security: Security groups, NACLs, WAF, DDoS protection (Shield, CloudArmor).
  • DevOps: Certificate management, VPN setup, firewall rules, network segmentation.
  • Enterprise: 802.1X deployment, RADIUS/LDAP integration, zero trust architecture.
  • IoT: Lightweight TLS (DTLS), device authentication, network segmentation.
  • Compliance: PCI-DSS (firewall requirements), HIPAA (encryption in transit), SOC 2 (network security controls).