Network Security Basics
Learning Objectives
By the end of this reading, you will be able to:
- Understand fundamental network security concepts and principles
- Explain how firewalls protect networks
- Describe encryption, hashing, and digital signatures
- Understand TLS/SSL and how HTTPS secures communication
- Explain how VPNs create secure tunnels
- Identify common network attacks and their mitigation strategies
- Apply security best practices to network design
Introduction
Network security is the practice of protecting networks, devices, and data from unauthorized access, misuse, modification, or denial of service. As networks have become central to business and personal life, securing them has become increasingly critical.
In this reading, we'll explore the fundamental concepts of network security, from firewalls and encryption to VPNs and common attack vectors.
The CIA Triad
The foundation of information security is built on three principles:
            Confidentiality
               /       \
              /         \
      Integrity ------- Availability
(three co-equal principles; weakening any one of them undermines the other two)
1. Confidentiality
Definition: Ensuring information is accessible only to authorized parties
Mechanisms:
- Encryption (data at rest and in transit)
- Access control lists (ACLs)
- Authentication
- Authorization
Example Threats:
- Eavesdropping
- Man-in-the-middle attacks
- Data breaches
2. Integrity
Definition: Ensuring information is accurate and hasn't been tampered with
Mechanisms:
- Hashing (checksums, message digests)
- Digital signatures
- Version control
- Audit logs
Example Threats:
- Data modification
- Message tampering
- Replay attacks
3. Availability
Definition: Ensuring information and services are accessible when needed
Mechanisms:
- Redundancy
- Failover systems
- DDoS protection
- Regular backups
Example Threats:
- Denial of Service (DoS/DDoS)
- System failures
- Natural disasters
Firewalls
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Firewall Types
1. Packet Filtering Firewall (Stateless)
How it works:
- Examines each packet independently
- Checks against rules (source IP, destination IP, port, protocol)
- Makes allow/deny decision
Rule Table (evaluated top to bottom, first match wins; "Dst Port" is the destination port):
| Rule # | Action | Protocol | Src IP | Dst IP | Dst Port |
|---|---|---|---|---|---|
| 1 | Allow | TCP | Any | Any | 80 |
| 2 | Allow | TCP | Any | Any | 443 |
| 3 | Allow | UDP | Any | Any | 53 |
| 4 | Deny | TCP | Any | Any | 23 |
| 5 | Deny | Any | Any | Any | Any |
Rule 4 is redundant given the catch-all in rule 5, but an explicit deny documents intent and gives that traffic its own log entry.
Pros:
- Fast
- Simple
- Low overhead
Cons:
- No context awareness
- Vulnerable to fragmentation attacks
- Cannot inspect application data
2. Stateful Inspection Firewall
How it works:
- Tracks connection states (TCP connections, UDP "conversations")
- Maintains state table
- Allows return traffic for established connections
State Table:
| Src IP | Src Port | Dst IP | Dst Port | State |
|---|---|---|---|---|
| 192.168.1.5 | 52000 | 8.8.8.8 | 53 | ESTABLISHED |
| 192.168.1.10 | 52001 | 93.184.216.34 | 443 | ESTABLISHED |
| 192.168.1.15 | 52002 | 172.217.1.46 | 80 | SYN_SENT |
A reply that matches an entry in reverse (for example 8.8.8.8:53 → 192.168.1.5:52000) is allowed without any inbound rule. UDP has no connection handshake, so the firewall keeps a timed entry per outbound datagram and expires it if no reply arrives.
Pros:
- Context-aware
- Better security than packet filtering
- Efficient for most traffic
Cons:
- More resource-intensive
- Limited application awareness
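To make the two models concrete, here is an added Python example (written for this reading, not taken from any firewall product) that evaluates the rule table above first-match-wins with a default deny, then layers a connection table on top so that replies to tracked flows are admitted. The `Packet` and `Rule` classes, the sample addresses, and the simplification that a flow is identified by its 5-tuple are this example's own assumptions.

```python
"""Added example (not from the original reading): a stateless first-match packet
filter and a stateful wrapper that admits return traffic for tracked flows."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"              # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"          # source network in CIDR notation
    dst: str = "0.0.0.0/0"          # destination network in CIDR notation
    dst_port: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


# The reading's rule table: web and DNS allowed, telnet denied, everything else denied.
RULES = [
    Rule("allow", "tcp", dst_port=80),
    Rule("allow", "tcp", dst_port=443),
    Rule("allow", "udp", dst_port=53),
    Rule("deny", "tcp", dst_port=23),
    Rule("deny"),  # rule 5: catch-all, makes the policy default deny
]


def stateless_decision(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins. Every packet is judged on its own, so a DNS
    reply to an ephemeral port never matches an allow rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # never fail open, even without a catch-all rule


class StatefulFilter:
    """The rules decide whether a *new* flow may start; once a flow is recorded,
    packets travelling in the reverse direction are admitted without the rules."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()  # (proto, client_ip, client_port, server_ip, server_port)

    def decision(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.table:
            return "allow"  # reply to a flow we already admitted
        verdict = stateless_decision(pkt, self.rules)
        if verdict == "allow":
            self.table.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict


def demo() -> dict:
    """Constructed traffic: a DNS query and its reply, an unsolicited datagram,
    and three inbound connection attempts."""
    fw = StatefulFilter()
    query = Packet("udp", "192.168.1.5", 52000, "8.8.8.8", 53)
    reply = Packet("udp", "8.8.8.8", 53, "192.168.1.5", 52000)
    return {
        "dns_out": fw.decision(query),
        "dns_reply": fw.decision(reply),                    # allowed only because of state
        "dns_reply_stateless": stateless_decision(reply),   # same packet, no state: denied
        "unsolicited": fw.decision(Packet("udp", "8.8.8.8", 53, "192.168.1.5", 52999)),
        "telnet": fw.decision(Packet("tcp", "10.0.0.9", 40000, "192.168.1.10", 23)),
        "smtp": fw.decision(Packet("tcp", "10.0.0.9", 40001, "192.168.1.10", 25)),
        "https": fw.decision(Packet("tcp", "10.0.0.9", 40002, "192.168.1.10", 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The `dns_reply` versus `dns_reply_stateless` pair is the whole difference between the two firewall types: the stateless filter would need a permanent inbound allow for every ephemeral port (which is what attackers exploit), while the stateful filter opens nothing that a tracked flow did not ask for.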
3. Application Layer Firewall (Proxy Firewall)
How it works:
- Operates at OSI Layer 7
- Inspects application data (HTTP, FTP, etc.)
- Acts as intermediary between client and server
Client → Proxy Firewall → Server
(inspects application content)
Capabilities:
- URL filtering
- Content inspection
- Malware scanning
- Data loss prevention
Pros:
- Deep packet inspection
- Application-specific rules
- Can block specific content
Cons:
- Slower (breaks end-to-end connection)
- Protocol-specific
- Resource-intensive
4. Next-Generation Firewall (NGFW)
Features:
- All stateful firewall capabilities
- Intrusion Prevention System (IPS)
- Application awareness and control
- SSL/TLS inspection
- User identity integration
- Advanced threat protection
Firewall Deployment
Network Firewall
              Internet
                 |
             [Firewall]
                 |
       +---------+---------+
       |                   |
 [DMZ Servers]     [Internal Network]
  - Web Server      - Workstations
  - Email Server    - Database Servers
DMZ (Demilitarized Zone):
- Separate network segment for public-facing servers
- Isolated from internal network
- Additional firewall protection
Host-Based Firewall
- Runs on individual devices
- Controls traffic to/from that device
- Examples: Windows Firewall, iptables, UFW
Firewall Rules Best Practices
- Default Deny: Block all traffic by default, explicitly allow needed traffic
- Least Privilege: Only allow necessary ports and protocols
- Logging: Log denied traffic for security monitoring
- Regular Review: Periodically audit and update rules
- Documentation: Document purpose of each rule
Example iptables Rules (Linux):
# Start from a clean INPUT chain. The default policies are set last so that an
# SSH session used to apply these rules is not cut off before the ACCEPT rules exist.
iptables -F INPUT
# Allow loopback first; many local services depend on it
iptables -A INPUT -i lo -j ACCEPT
# Allow return traffic for connections this host initiated or already accepted,
# and drop packets that belong to no tracked connection (conntrack replaces the older -m state)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow SSH (port 22), restricted to a management subnet (192.168.1.0/24 is an example)
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow inbound DNS only if this host is a DNS server; a client that merely
# resolves names needs no inbound port 53 rule (replies match ESTABLISHED)
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Log dropped packets, rate-limited so a flood cannot fill the disk with log lines
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "Dropped: "
iptables -A INPUT -j DROP
# Default policies: deny inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Cryptography Fundamentals
Cryptography secures information through mathematical techniques.
Encryption vs Encoding vs Hashing
Encryption (Reversible with key):
Plaintext → [Encrypt with key] → Ciphertext → [Decrypt with key] → Plaintext
Purpose: Confidentiality
Encoding (Reversible without key):
Data → [Encode] → Encoded Data → [Decode] → Data
Purpose: Data representation (Base64, URL encoding)
Not for security!
Hashing (One-way, irreversible):
Input → [Hash Function] → Fixed-size Hash
Purpose: Integrity, password storage
Cannot reverse to original
Symmetric Encryption
Concept: Same key for encryption and decryption
Alice Bob
| |
| Shared Secret Key: "mysecretkey123" |
| |
| Plaintext: "Hello Bob" |
| |
| Encrypt with key |
| Ciphertext: "x8k#2mQ" |
|--------------------------------------------->|
| |
| Decrypt with same key |
| Plaintext: "Hello Bob"|
Common Algorithms:
- AES (Advanced Encryption Standard): Most widely used, very secure
- Key sizes: 128, 192, 256 bits
- Used in: HTTPS, VPNs, file encryption
- DES (Data Encryption Standard): Obsolete, insecure
- 3DES (Triple DES): Legacy, being phased out
- ChaCha20: Modern, efficient, used in TLS
Pros:
- Fast
- Efficient for large data
Cons:
- Key distribution problem (how to share key securely?)
- Need unique key for each pair of communicators
Asymmetric Encryption (Public Key Cryptography)
Concept: Two keys - public (encrypt) and private (decrypt)
Alice Bob
| |
| Bob's Public Key (known to everyone) |
| Bob's Private Key (secret, only Bob has) |
| |
| Plaintext: "Hello Bob" |
| Encrypt with Bob's PUBLIC key |
| Ciphertext: "x8k#2mQ" |
|--------------------------------------------->|
| |
| Decrypt with PRIVATE key |
| Plaintext: "Hello Bob"|
Common Algorithms:
- RSA (Rivest-Shamir-Adleman):
- Most common
- Key sizes: 2048, 3072, 4096 bits
- Used in: SSL/TLS, SSH, digital signatures
- ECC (Elliptic Curve Cryptography):
- Smaller keys, equivalent security
- Used in: Bitcoin, modern TLS
- Diffie-Hellman:
- Key exchange protocol
- Establishes shared secret over insecure channel
Pros:
- Solves key distribution problem
- Enables digital signatures
Cons:
- Slow (100-1000x slower than symmetric)
- Not suitable for large data
Hybrid Encryption (Best of Both)
Most systems use both:
- Asymmetric cryptography to establish the symmetric key
- Symmetric encryption to protect the actual data
1. Alice generates a random AES key
2. Alice encrypts the AES key with Bob's RSA public key
3. Alice sends the encrypted AES key to Bob
4. Bob decrypts the AES key with his RSA private key
5. Both use the AES key to encrypt/decrypt messages (fast)
HTTPS follows the same hybrid pattern, but the steps above are RSA key transport, which TLS 1.3 removed: modern TLS agrees on the symmetric key with an ephemeral (EC)DHE key exchange and uses the server's certificate key only to sign the handshake. That is what gives it forward secrecy (see the PFS section below).
Hashing
Concept: One-way function that produces fixed-size output
Input: "password123" → Hash: "ef92b778..."
Input: "password124" → Hash: "8d3e0f12..."
Input: (entire file) → Hash: "a3f5b9c2..."
Properties:
- Deterministic: Same input always produces same hash
- One-way: Cannot reverse hash to get input
- Fixed size: Output length constant regardless of input size
- Avalanche effect: Small input change drastically changes hash
- Collision-resistant: Hard to find two inputs with same hash
Common Hash Functions:
| Algorithm | Output Size | Status | Use Case |
|---|---|---|---|
| MD5 | 128 bits | Broken (collisions are trivial) | Non-security checksums only |
| SHA-1 | 160 bits | Broken (practical collisions since 2017) | Legacy compatibility only; not for signatures |
| SHA-256 | 256 bits | Secure | Certificates, integrity checks, HMAC (too fast for password storage) |
| SHA-512 | 512 bits | Secure | Same uses; faster than SHA-256 on 64-bit CPUs |
| bcrypt | 184-bit hash inside a fixed 60-character string | Secure | Password hashing (salted, tunable cost) |
| Argon2 | Configurable | Secure | Password hashing (modern, memory-hard) |
Uses:
Password Storage:
Password Storage:
1. User registers with "mypassword"
2. Server generates a random per-user salt and computes a slow, salted hash (bcrypt, Argon2 or PBKDF2), never a bare MD5 or SHA-256
3. Server stores salt + hash, never the password
4. At login, the server recomputes the hash over the submitted password with the stored salt and compares it to the stored hash, using a constant-time comparison
The salt defeats precomputed (rainbow) tables; the slow hash makes offline guessing expensive.
File Integrity:
1. Download the file and its published SHA-256 checksum
2. Compute the SHA-256 of the downloaded file
3. Compare with the published checksum
Match = file intact, no corruption or tampering. Caveat: a checksum published beside the download on the same server is only as trustworthy as that server; a signature from the publisher's key is the stronger check.
Digital Signatures:
Hash message → sign the hash with the private key = signature (details in the next section)
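The password-storage and file-integrity procedures above, as an added Python example using only the standard library (this is illustration code written for this reading, not a library the reading refers to). It uses PBKDF2-HMAC-SHA256 as the slow hash because it ships with Python; bcrypt or Argon2 would be used the same way. The iteration count, the record format and the sample download bytes are this example's own choices.

```python
"""Added example (not from the original reading): salted, slow password hashing
with constant-time verification, plus a SHA-256 file-integrity check."""
import hashlib
import hmac
import os

# Work factor: hundreds of thousands of iterations is the current OWASP guidance for PBKDF2-SHA256
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Storing the parameters with the hash lets the work factor be raised later."""
    salt = os.urandom(16)  # unique per user, so equal passwords yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest takes the same time whether the first or last byte differs,
    # so an attacker learns nothing from response timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_checksum: str) -> bool:
    """The check a user performs after downloading a file and its checksum."""
    return hmac.compare_digest(sha256_of(data), published_checksum.strip().lower())


def demo() -> dict:
    """Constructed inputs: one user record, one 'downloaded' script and a tampered copy."""
    record = hash_password("correct horse battery staple")
    payload = b"#!/bin/sh\necho installing\n"
    published = sha256_of(payload)                       # what the publisher would post
    tampered = payload.replace(b"installing", b"installing backdoor")
    return {
        "login_ok": verify_password("correct horse battery staple", record),
        "login_bad": verify_password("Correct horse battery staple", record),
        # same password, two users: the random salt makes the stored records differ
        "two_users_differ": hash_password("hunter2") != hash_password("hunter2"),
        "download_ok": verify_download(payload, published),
        "download_tampered": verify_download(tampered, published),  # avalanche effect
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

Because the record carries its own iteration count, the server can re-hash a user's password with a higher count the next time they log in, which is how a deployment keeps pace with faster hardware without a forced password reset.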
Digital Signatures
Verify authenticity and integrity:
Signing (Alice):
1. Hash the message
2. Sign the hash with Alice's PRIVATE key (for RSA this is often taught as "encrypting the hash with the private key"; schemes such as ECDSA and Ed25519 use different math, so think of it as a signing operation rather than encryption)
3. Attach the signature to the message
Verification (Bob):
1. Hash the received message
2. Run the verification operation with Alice's PUBLIC key on the signature and that hash
3. The operation reports whether the signature corresponds to the hash
Match = message came from the holder of Alice's private key and has not been altered
No match = message altered, or not signed with Alice's key
Uses:
- Software distribution (verify publisher)
- SSL/TLS certificates
- Email (S/MIME, PGP)
- Code signing
Certificates and PKI
Public Key Infrastructure (PKI):
- Framework for managing public keys
- Certificate Authorities (CAs) issue certificates
- Certificates bind public key to identity
X.509 Certificate Contents:
Subject: www.example.com
Subject Alternative Names: www.example.com, example.com (browsers match the hostname against these, not the Subject)
Issuer: DigiCert Inc.
Public Key: [RSA 2048-bit key]
Valid From: 2024-01-01
Valid To: 2025-01-01
Signature: [CA's signature over all of the above]
Certificate Chain:
[Root CA Certificate]
- Trusted by OS/browser
- Self-signed
↓ signs
[Intermediate CA Certificate]
- Issued by Root CA
↓ signs
[Server Certificate (www.example.com)]
- Issued by Intermediate CA
- Contains server's public key
TLS/SSL
Transport Layer Security (TLS) is the modern version of Secure Sockets Layer (SSL).
TLS Versions
| Version | Year | Status |
|---|---|---|
| SSL 2.0 | 1995 | Deprecated |
| SSL 3.0 | 1996 | Deprecated |
| TLS 1.0 | 1999 | Deprecated |
| TLS 1.1 | 2006 | Deprecated |
| TLS 1.2 | 2008 | Secure |
| TLS 1.3 | 2018 | Most Secure |
TLS 1.2 Handshake with RSA Key Exchange (Simplified)
This is the classic RSA key-transport flow. With an ECDHE cipher suite the server additionally sends a ServerKeyExchange carrying its ephemeral public key, signed with the certificate key, and the client answers with its own ephemeral key instead of an encrypted pre-master secret. TLS 1.3 restructures the exchange entirely, as described afterwards.
Client Server
| |
| 1. ClientHello |
| - TLS version |
| - Cipher suites |
| - Random number |
|------------------------------------------------>|
| |
| 2. ServerHello |
| - TLS version |
| - Selected cipher|
| - Random number |
| |
| 3. Certificate |
| - Server cert |
| |
| 4. ServerHelloDone |
|<------------------------------------------------|
| |
| 5. ClientKeyExchange |
| - Pre-master secret (encrypted with server's |
| public key from certificate) |
| |
| 6. ChangeCipherSpec |
| - Switch to encrypted communication |
| |
| 7. Finished |
| - Encrypted handshake verification |
|------------------------------------------------>|
| |
| 8. ChangeCipherSpec |
| 9. Finished |
|<------------------------------------------------|
| |
| Encrypted application data exchange |
|<===============================================>|
TLS 1.3 Improvements
- Faster handshake (1-RTT instead of 2-RTT)
- Removed weak cipher suites
- Always uses perfect forward secrecy
- Encrypted server certificate
TLS 1.2: 2 round trips
TLS 1.3: 1 round trip
0-RTT mode: 0 round trips (for resumed sessions)
Cipher Suites
Format (TLS 1.2): TLS_KeyExchange_Authentication_WITH_Cipher_Hash
Example: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS: Protocol
- ECDHE: Elliptic Curve Diffie-Hellman Ephemeral (key exchange)
- RSA: Authentication algorithm (the server's certificate key signs the handshake)
- AES_256_GCM: Encryption (AES 256-bit in GCM mode, an AEAD mode that also provides integrity)
- SHA384: Hash used for the handshake PRF and HMAC; with an AEAD cipher such as GCM there is no separate MAC
TLS 1.3 suite names (e.g. TLS_AES_256_GCM_SHA384) drop the key-exchange and authentication parts, because TLS 1.3 always uses ephemeral (EC)DHE and negotiates authentication separately.
Strong cipher suites (TLS 1.2):
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Weak/Obsolete (avoid):
- Anything with RC4
- Anything with MD5
- Anything without perfect forward secrecy (no DHE/ECDHE)
Perfect Forward Secrecy (PFS)
Problem: With RSA key transport, the pre-master secret is encrypted to the server's long-term key, so if that private key is ever compromised, every recorded past session can be decrypted.
Solution: Generate ephemeral (temporary) session keys for each connection.
Without PFS:
Attacker records encrypted traffic
Later steals server's private key
Decrypts all recorded traffic
With PFS:
Session keys are temporary and discarded
Even if private key stolen, past sessions remain secure
Requires: DHE or ECDHE in cipher suite
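Here is an added Python example (written for this reading; the suite names are real IANA names but the verdicts are this example's own policy) that covers both the cipher-suite naming section and the PFS requirement: it splits a TLS 1.2 suite name into its components, flags the weaknesses listed above (RC4, MD5, no forward secrecy, plus NULL, export and 64-bit-block ciphers), and then builds a Python `ssl.SSLContext` that refuses anything below TLS 1.2 and only offers AEAD suites with ephemeral key exchange. The OpenSSL cipher string in `hardened_client_context` is an assumption about what a sensible client policy looks like.

```python
"""Added example (not from the original reading): classify TLS cipher-suite
names by their components and build a hardened client-side SSL context."""
import ssl

EPHEMERAL_KX = ("ECDHE", "DHE")  # only these give forward secrecy in TLS 1.2


def classify(name: str) -> dict:
    """Split an IANA suite name into key exchange, authentication, cipher and
    hash, and list the weaknesses found."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    issues = []
    if "_WITH_" not in body:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry only the AEAD cipher
        # and hash; the key exchange is always ephemeral (EC)DHE, so PFS is implied
        cipher, _, hsh = body.rpartition("_")
        return {"version": "1.3", "kx": "(EC)DHE", "auth": "negotiated",
                "cipher": cipher, "hash": hsh, "issues": issues}
    left, right = body.split("_WITH_", 1)
    kx_tokens = left.split("_")
    export = "EXPORT" in kx_tokens
    kx_tokens = [t for t in kx_tokens if t != "EXPORT"]
    kx = kx_tokens[0]
    auth = kx_tokens[1] if len(kx_tokens) > 1 else kx  # TLS_RSA_WITH_...: RSA does both jobs
    cipher, _, hsh = right.rpartition("_")
    cipher_tokens = cipher.split("_")
    if kx not in EPHEMERAL_KX:
        issues.append("no forward secrecy (static key exchange)")
    if auth == "anon":
        issues.append("unauthenticated key exchange")
    if export:
        issues.append("export-grade key length")
    if "RC4" in cipher_tokens:
        issues.append("RC4 stream cipher")
    if "NULL" in cipher_tokens:
        issues.append("no encryption")
    if "DES" in cipher_tokens or "3DES" in cipher_tokens:
        issues.append("64-bit block cipher (DES/3DES)")
    if "CBC" in cipher_tokens:
        issues.append("CBC mode instead of AEAD")
    if hsh == "MD5":
        issues.append("MD5 MAC")
    return {"version": "1.2", "kx": kx, "auth": auth,
            "cipher": cipher, "hash": hsh, "issues": issues}


def is_strong(name: str) -> bool:
    return not classify(name)["issues"]


def hardened_client_context() -> ssl.SSLContext:
    """Client context: verify certificates and hostnames (the default), require
    TLS 1.2 or newer, and offer only ephemeral-key AEAD suites for TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The settings worth checking on any context before it is used."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "all_aead": all(c["aead"] for c in ctx.get_ciphers()),
    }


SAMPLE_SUITES = [  # real IANA names used as constructed input
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        info = classify(suite)
        print(f"{suite:48s} {'OK' if not info['issues'] else '; '.join(info['issues'])}")
    print(context_summary(hardened_client_context()))
```

The classifier is the kind of check a reviewer runs over a server's enabled-suite list (for example the output of an SSL Labs scan); the context function is the client-side counterpart, where the point is that `create_default_context()` already verifies certificates and the two extra lines remove protocol downgrade and legacy suites.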
VPN (Virtual Private Network)
VPNs create secure, encrypted tunnels over public networks.
VPN Benefits
- Privacy: Hide traffic from the ISP and from other users of the local network (the VPN provider now sees what the ISP would have seen, so trust moves rather than disappears)
- Security: Encrypt data on public Wi-Fi
- Access: Bypass geo-restrictions
- Remote Access: Securely access company network
VPN Types
1. Remote Access VPN
Remote Worker                                        Corporate Network
[VPN Client] ===== Encrypted Tunnel over Internet ===== [VPN Server]
                                                              |
                                                    [Internal Resources]
Use Case: Employees working remotely
2. Site-to-Site VPN
Office A Office B
[Router] ────Encrypted Tunnel over Internet──── [Router]
| |
[LAN A] [LAN B]
Use Case: Connect branch offices
VPN Protocols
1. OpenVPN
- Open source
- Highly configurable
- Strong encryption (AES-256)
- Port: TCP 443 or UDP 1194 (configurable)
- Platform: All major platforms
2. WireGuard
- Modern (first released in 2017; part of the Linux kernel since 5.6 in 2020)
- Fast (simpler code, better performance)
- Secure (a fixed set of modern primitives: Curve25519, ChaCha20-Poly1305, BLAKE2s; no cipher negotiation to get wrong)
- Lean (roughly 4,000 lines of kernel code vs OpenVPN's 100,000+ including its TLS library)
3. IPsec
- Industry standard
- Complex to configure
- Two modes:
- Transport mode: Encrypts payload only
- Tunnel mode: Encrypts entire packet
4. SSL/TLS VPN
- Tunnels traffic inside a TLS session, so it passes firewalls that allow HTTPS (port 443)
- Often offers a clientless browser portal for web applications; full network access usually still needs a client
- Easy to deploy
5. PPTP (Point-to-Point Tunneling Protocol)
- Obsolete: Known vulnerabilities
- Avoid: Not secure
6. L2TP/IPsec
- L2TP: Layer 2 Tunneling Protocol
- Combined with IPsec for encryption
- Common on mobile devices
VPN Encryption Example
Without VPN:
Your Device → ISP → Website
ISP can see: Your IP, destination IP (and, through DNS and the TLS SNI field, the hostname), plus the content of any unencrypted (non-HTTPS) traffic
With VPN:
Your Device → [Encrypted Tunnel] → VPN Server → Website
ISP can see: Your IP, VPN server IP, encrypted data
ISP cannot see: Destination, actual data
VPN provider can see: Everything the ISP could see without the VPN
Website can see: VPN server IP, data
Website cannot see: Your real IP
Split Tunneling
Full Tunnel: All traffic goes through VPN
Your Device → VPN Server → All Internet Traffic
Split Tunnel: Only specific traffic through VPN
Your Device → VPN Server → Corporate Resources
Your Device → Direct → Public Internet
Pros of Split Tunneling:
- Better performance
- Reduced VPN server load
Cons:
- Potential security gaps
- Inconsistent protection
Common Network Attacks
1. Denial of Service (DoS)
Goal: Make service unavailable
Method: Overwhelm server with requests
Attacker → floods → Server
(can't handle legitimate requests)
Types:
- Volume-based: Saturate bandwidth (UDP flood, ICMP flood)
- Protocol: Exhaust server resources (SYN flood)
- Application layer: Target application (HTTP flood)
DDoS (Distributed DoS):
Attacker
|
[Command & Control]
|
┌──────┼──────┐
| | |
[Bot] [Bot] [Bot] ... [Bot] (Botnet)
\ | /
\ | /
\ | /
\ | /
\ | /
Target
Mitigation:
- Rate limiting
- Traffic filtering
- CDN (Content Delivery Network)
- DDoS protection services
2. Man-in-the-Middle (MitM)
Goal: Intercept communication between two parties
Alice Eve (Attacker) Bob
| | |
| "Hello Bob" | |
|---------------------->| |
| [Intercepts, reads, maybe modifies] |
| | "Hello Bob" |
| |-------------------->|
Types:
- ARP Spoofing: Poison ARP cache
- DNS Spoofing: Return fake DNS records
- SSL Stripping: Downgrade HTTPS to HTTP
- Rogue Wi-Fi: Fake access point
Mitigation:
- HTTPS (TLS/SSL) with HSTS, so browsers refuse to fall back to HTTP
- Certificate pinning (in mobile apps; browsers have dropped HPKP)
- VPN on public networks
- DNSSEC, and encrypted DNS (DoH/DoT) against on-path spoofing
- Dynamic ARP inspection and 802.1X on managed switches against ARP spoofing
3. Packet Sniffing
Goal: Capture network traffic
Tools: Wireshark, tcpdump
Shared Network (e.g., Wi-Fi):
Device A ──┐
├─── [Switch/Hub] ─── Router
Device B ──┤
│
Attacker ──┘
(promiscuous mode, captures all traffic)
Mitigation:
- Encryption (HTTPS, VPN), the only defense that works when the attacker is already on the segment
- Switched networks (not hubs); a switch only isolates unicast traffic until an attacker uses ARP spoofing or a mirror port
- Network segmentation
4. Port Scanning
Goal: Discover open ports and services
Tools: Nmap, Masscan
Attacker → SYN packets to ports 1-65535 → Target
Target responds with SYN-ACK (open)
or RST (closed)
Scan Types:
- TCP Connect: Complete 3-way handshake
- SYN (Stealth): Send SYN, don't complete handshake
- UDP: Send UDP packets, check for ICMP unreachable
- FIN/NULL/Xmas: Send unexpected flags
Mitigation:
- Firewall (close unnecessary ports)
- Intrusion Detection System (IDS)
- Rate limiting
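The IDS line above is where the detection logic actually lives, so here is an added Python example (written for this reading, not taken from any IDS product) that runs a simple port-scan detector over constructed firewall drop logs in the style of the `Dropped:` iptables LOG rule earlier in this reading. A source that hits many distinct destination ports inside a short window is flagged; the log format, the threshold and the window are this example's assumptions.

```python
"""Added example (not from the original reading): flag sources that probe many
distinct ports within a sliding time window, from firewall drop logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches lines produced by an iptables LOG rule with the prefix "Dropped: "
LOG_RE = re.compile(r"^(?P<ts>\S+) .*?Dropped: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_drop(line: str):
    """Return (timestamp, source IP, destination port), or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def detect_scans(lines, threshold: int = 10, window: timedelta = timedelta(seconds=60)) -> dict:
    """Map each source that touched at least `threshold` distinct destination
    ports within any `window` to the largest distinct-port count observed."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_drop(line)
        if parsed is not None:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span is at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def build_sample_log() -> list:
    """Constructed log: one scanner sweeping 15 ports in 15 seconds, one host that
    merely knocked on two closed admin ports, and an unrelated sshd line."""
    base = datetime(2024, 1, 12, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(21, 36)):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} gw kernel: Dropped: IN=eth0 OUT= SRC=203.0.113.7 "
                     f"DST=198.51.100.10 PROTO=TCP SPT={40000 + i} DPT={port} SYN")
    for i, port in enumerate([3389, 5900, 3389]):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} gw kernel: Dropped: IN=eth0 OUT= SRC=192.0.2.50 "
                     f"DST=198.51.100.10 PROTO=TCP SPT={50000 + i} DPT={port} SYN")
    lines.append("2024-01-12T10:05:00 gw sshd[812]: Accepted publickey for ops from 192.0.2.50")
    return lines


if __name__ == "__main__":
    for src, count in detect_scans(build_sample_log()).items():
        print(f"possible port scan from {src}: {count} distinct ports within 60s")
```

Counting distinct ports rather than raw packets is what separates a scan from a legitimate client retrying one service; the threshold is deliberately a parameter, because a slow scanner that spreads probes over hours defeats any fixed window and needs a longer-term aggregate on top of this.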
5. SQL Injection (Application Layer)
Goal: Execute attacker-controlled SQL by smuggling it through an input that the application splices into a query string
Example:
-- Normal query (username and password are concatenated into the SQL text)
SELECT * FROM users WHERE username = 'alice' AND password = 'pass123';
-- Malicious username: ' OR 1=1 --
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = '';
-- 1=1 is always true and "--" comments out the password check, so every row matches
-- (the often-quoted ' OR '1'='1 on its own does not bypass this query: AND binds tighter than OR, so the password clause still has to hold)
Mitigation:
- Parameterized queries
- Input validation
- Least privilege (database permissions)
- Web Application Firewall (WAF)
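The injection above and the first mitigation (parameterized queries), as an added Python example against an in-memory SQLite database constructed here (this is illustration code for this reading, not taken from any application). The table layout and the plaintext passwords are simplifications for the example only; a real application stores password hashes.

```python
"""Added example (not from the original reading): the same login query built by
string concatenation and with placeholders, run against constructed data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "pass123"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # DO NOT DO THIS: user input becomes part of the SQL text itself
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders: the driver sends the values separately from the statement,
    # so a quote or a comment marker in the input is just data to compare against
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Closes the open quote, adds a tautology, and comments out the password check
INJECTION = "' OR 1=1 --"


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "pass123"),
        "inject_vuln": login_vulnerable(conn, INJECTION, "anything"),   # returns every user
        "legit_safe": login_safe(conn, "alice", "pass123"),
        "inject_safe": login_safe(conn, INJECTION, "anything"),         # no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} {rows}")
```

Note that the safe version does not sanitize or reject the input: it simply never lets the database parse it as SQL, which is why parameterization is the primary defense and input validation and a WAF are supporting layers.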
6. Phishing
Goal: Trick users into revealing credentials
Methods:
- Fake emails (look like legitimate company)
- Fake websites (similar domain names)
- Social engineering
Example:
Real: www.paypal.com
Fake: www.paypa1.com (1 instead of l)
www.paypal-security.com
Mitigation:
- User education
- Email filtering, plus SPF, DKIM and DMARC so mail forging the company's domain is rejected
- Multi-factor authentication (MFA), preferably phishing-resistant (FIDO2/WebAuthn security keys); one-time codes can be relayed through a fake site in real time
- Checking the domain in the address bar; a padlock only means the connection is encrypted, and phishing sites obtain valid certificates too
7. Brute Force
Goal: Guess passwords by trying many combinations
Try: password1 → Failed
Try: password2 → Failed
Try: password3 → Failed
...
Try: correctpassword → Success
Types:
- Dictionary attack: Try common passwords
- Credential stuffing: Try username/password pairs leaked from other breaches
- Rainbow tables: Precomputed hash lookups against stolen unsalted hashes (an offline attack, defeated by per-user salts)
Mitigation:
- Strong password policies (and checking new passwords against breach lists)
- Rate limiting
- Account lockout (with care: an attacker can abuse it to lock out real users)
- CAPTCHA
- Multi-factor authentication
- Slow, salted password hashes (bcrypt, Argon2) so stolen hashes resist offline guessing
Security Best Practices
1. Defense in Depth
Multiple layers of security:
┌─────────────────────────────────┐
│ User Education & Policies │
├─────────────────────────────────┤
│ Application Security │
├─────────────────────────────────┤
│ Endpoint Protection (Antivirus) │
├─────────────────────────────────┤
│ Access Control (Authentication) │
├─────────────────────────────────┤
│ Firewall │
├─────────────────────────────────┤
│ Network Segmentation │
├─────────────────────────────────┤
│ Physical Security │
└─────────────────────────────────┘
2. Principle of Least Privilege
- Grant minimum access necessary
- Time-limited permissions
- Regular access reviews
3. Zero Trust
"Never trust, always verify"
- Verify every access request
- Assume breach
- Micro-segmentation
4. Regular Updates
- Patch operating systems
- Update applications
- Firmware updates
5. Monitoring and Logging
- Log security events
- Monitor for anomalies
- Incident response plan
6. Encryption Everywhere
- Data at rest (disk encryption)
- Data in transit (TLS/VPN)
- Database encryption
7. Multi-Factor Authentication (MFA)
Something you:
- Know (password)
- Have (phone, token)
- Are (fingerprint, face)
Exercises
Basic Exercises
CIA Triad: For each scenario, identify which principle is violated:
- a) Attacker intercepts credit card numbers
- b) Hacker modifies grades in school database
- c) DDoS attack takes down e-commerce website
- d) Data breach exposes customer emails
Firewall Rules: Create firewall rules for a web server that:
- a) Allows HTTP (port 80)
- b) Allows HTTPS (port 443)
- c) Allows SSH (port 22) only from 192.168.1.0/24
- d) Denies all other traffic
Encryption Types: Identify whether each uses symmetric or asymmetric encryption:
- a) HTTPS initial handshake
- b) HTTPS bulk data transfer
- c) AES-256 file encryption
- d) RSA digital signature
Hash Functions: Why is MD5 not recommended for password storage? What should be used instead?
Intermediate Exercises
TLS Handshake: Explain each step of the TLS handshake:
- What is exchanged in ClientHello?
- Why does the server send its certificate?
- How is the pre-master secret protected?
- What is verified in the Finished messages?
Attack Identification: Identify the attack type:
- a) Attacker intercepts traffic at coffee shop Wi-Fi
- b) Website receives 1 million requests per second, goes offline
- c) User receives email asking to verify their bank account
- d) Hacker tries 10,000 common passwords on login page
VPN Configuration: Compare these VPN scenarios:
- a) When would you use site-to-site vs remote access VPN?
- b) What are the trade-offs of split tunneling?
- c) Why is WireGuard considered better than OpenVPN?
Certificate Verification: What should a browser check when verifying an HTTPS certificate?
- How does it build the trust chain?
- What happens if the certificate is expired?
- Why is the domain name important?
Advanced Exercises
Network Security Design: Design security for a three-tier web application:
- Web servers (public-facing)
- Application servers (internal)
- Database servers (internal)
- Include: Firewall rules, network segmentation, encryption, access control
Attack Mitigation: For each attack, describe 3 mitigation strategies:
- a) DDoS attack
- b) Man-in-the-Middle attack
- c) Brute force attack
- d) SQL injection
Cryptography Workflow: Design a secure communication system:
- Alice wants to send a confidential, authenticated message to Bob
- Bob needs to verify it came from Alice and wasn't modified
- Describe the complete process using encryption, hashing, and digital signatures
Zero Trust Architecture: Design a zero trust network for a company with:
- Remote employees
- Cloud services (AWS, Office 365)
- On-premises data center
- BYOD (Bring Your Own Device) policy
- Include: Authentication, authorization, micro-segmentation, monitoring
Incident Response: A company detects unusual outbound traffic from an internal server:
- What steps should be taken immediately?
- How would you investigate?
- What tools would you use?
- How would you prevent future incidents?
Summary
In this reading, we explored fundamental network security concepts:
- CIA Triad: Confidentiality, Integrity, and Availability are the core security principles
- Firewalls: Control network traffic at different levels (packet filtering, stateful, application, next-generation)
- Cryptography:
- Symmetric encryption (AES) for speed
- Asymmetric encryption (RSA) for key exchange
- Hashing (SHA-256) for integrity
- Digital signatures for authenticity
- TLS/SSL: Secures web traffic through certificates, encryption, and handshakes
- VPNs: Create secure tunnels over public networks using protocols like OpenVPN and WireGuard
- Common Attacks: DoS/DDoS, MitM, packet sniffing, port scanning, SQL injection, phishing, brute force
- Best Practices: Defense in depth, least privilege, zero trust, regular updates, encryption, MFA
Network security is an ongoing process requiring constant vigilance, updates, and adaptation to new threats.
Key Takeaways
- Security is built on layers (defense in depth)
- Encryption protects confidentiality; hashing ensures integrity
- Always use TLS 1.2 or higher with strong cipher suites
- Firewalls should default deny, explicitly allow only needed traffic
- VPNs add network-level protection on untrusted networks and give remote access to private networks, but they do not replace TLS or strong authentication
- No single security measure is sufficient; use multiple defenses
- Human error is often the weakest link (education is critical)
Next Steps
Now that you understand network security basics, you're ready to put theory into practice with socket programming. In the next reading, we'll cover:
- Socket API fundamentals
- Client-server architecture
- TCP sockets in Python
- UDP sockets in Python
- Building networked applications
Continue to: 05-sockets.md
Additional Resources
- NIST Cybersecurity Framework
- OWASP Top 10 (Web Application Security)
- RFC 8446: TLS 1.3
- RFC 4253: SSH Protocol
- SSL Labs SSL Test (test HTTPS configuration)
- Wireshark Network Protocol Analyzer
- SANS Institute Security Resources
This reading is part of Module 8: Networking