Chapter	Key Topics	Priority
1 — Network Security Concepts	CIA Triad, threats, malware, IDS/IPS, social engineering	Medium
2 — Firewall Technologies	Packet filter, stateful, NGFW, DMZ, Cisco ASA, security levels	High
3 — Cryptography	Symmetric, Asymmetric, Hashing, PKI, TLS, Digital Signatures	High
4 — VPN	IPsec, AH, ESP, IKE phases, SSL VPN, GRE, tunnel vs transport	High
5 — ACL	Standard, Extended, Named, wildcard masks, placement rules	High
6 — Cyber Attacks	DoS/DDoS, SYN Flood, MITM, ARP, phishing, SQL injection, kill chain	High
Labs	Nmap, Deauth, hping3 SYN flood, rockyou, Wifite	High

Chapter 1: Network Security Concepts

1.1 The CIA Triad

The three foundational security principles every control must address:

Pillar	Definition	Attack Example	Control Example
Confidentiality	Only authorized parties can read data	Eavesdropping, sniffing	Encryption, ACLs, VPNs
Integrity	Data is not altered without authorization	MITM tampering, hash collision	Hashing (SHA-256), digital signatures
Availability	Systems/data accessible when needed	DoS/DDoS, ransomware	Redundancy, backups, rate limiting

Extra: AAA Framework — Authentication (who are you?), Authorization (what can you do?), Accounting (what did you do?). Used by RADIUS/TACACS+.

1.2 Threat Terminology

Term	Definition
Threat	Potential cause of an unwanted event (e.g., an attacker)
Vulnerability	Weakness that can be exploited
Exploit	Code or technique that takes advantage of a vulnerability
Risk	Likelihood × Impact of a threat materializing
Attack surface	All possible entry points for an attacker
Zero-day	Unknown vulnerability with no available patch
CVE	Common Vulnerabilities and Exposures — public database of known vulnerabilities

1.3 Attacker Types

Type	Motivation	Skill Level
Script Kiddie	Curiosity / bragging rights	Low (uses existing tools)
Hacktivist	Political / ideological	Medium
Cybercriminal	Financial gain	Medium–High
Nation-state / APT	Espionage, sabotage	Very High
Insider Threat	Disgruntled employee / accidental	Variable

1.4 Malware Types

Type	Behavior	Example
Virus	Attaches to host file, spreads when file executes	ILOVEYOU
Worm	Self-replicates across network without host file	WannaCry, Morris
Trojan	Looks legitimate, hides malicious payload	Remote-access Trojans
Ransomware	Encrypts data, demands payment for decryption key	CryptoLocker, NotPetya
Rootkit	Hides itself/other malware at OS or firmware level	Sony BMG rootkit
Spyware	Silently monitors/steals user data	Pegasus, keyloggers
Adware	Displays unwanted ads, may redirect browser	—
Botnet/Bot	Compromised host controlled by C2 server for attacks	Mirai (IoT botnet)
Logic Bomb	Dormant until trigger condition (date, event)	—

1.5 Social Engineering

Types

Phishing — Mass email pretending to be trusted entity
Spear Phishing — Targeted phishing at specific individual/organization
Whaling — Spear phishing targeting C-level executives
Vishing — Voice/phone phishing
Smishing — SMS phishing
Pretexting — Creating a fabricated scenario to extract information
Baiting — Leaving infected USB drives in parking lots
Tailgating / Piggybacking — Following authorized person through door
Quid Pro Quo — Offering something in exchange for credentials

Social engineering exploits human psychology, not technology. No firewall stops a phishing email that convinces the user to enter credentials on a fake site.

1.6 IDS vs IPS

Feature	IDS (Intrusion Detection System)	IPS (Intrusion Prevention System)
Position	Out-of-band (passive tap)	Inline (in traffic path)
Action on alert	Logs and alerts only	Drops/blocks malicious traffic
Impact on traffic	None (no blocking)	Adds latency; can block legitimate traffic (false positive)
Failure mode	Fail-open (traffic continues)	Fail-open or fail-closed (configurable)

Detection Methods

Signature-based — Matches known attack patterns. Fast but can't detect new (zero-day) attacks.
Anomaly-based (Behavioral) — Establishes baseline, alerts on deviations. Detects unknowns but high false-positive rate.
Policy-based — Alerts when traffic violates admin-defined policy.

1.7 Defense-in-Depth

Layered security strategy — no single control is sufficient. Layers include:

Physical security (locks, badges)
Perimeter (firewall, IPS)
Network (VLANs, ACLs)
Host (antivirus, patch management)
Application (input validation, WAF)
Data (encryption, DLP)
User (training, awareness)

Practice Questions — Ch1

Q: Which CIA pillar does a DDoS attack target?
A: Availability

Q: What is the difference between a worm and a virus?
A: A virus requires a host file to spread; a worm self-replicates independently across the network.

Q: IDS is placed _______ while IPS is placed _______ in the network.
A: Out-of-band (passive) / Inline (active)

Chapter 2: Firewall Technologies

2.1 Firewall Overview

A firewall is a network security device that monitors and controls incoming/outgoing traffic based on predefined security rules. It establishes a barrier between trusted internal networks and untrusted external networks.

2.2 Firewall Types (Generation)

Type	OSI Layer	How it works	Pros	Cons
Packet Filtering (1st gen)	3–4	Inspects each packet in isolation: src/dst IP, port, protocol	Fast, simple, low overhead	No state tracking, easily spoofed, no application awareness
Stateful Inspection (2nd gen)	3–4	Tracks TCP/UDP connection state table; allows return traffic for established sessions	Better than packet filter; tracks state	No application awareness; can't inspect encrypted payloads
Application Layer / Proxy (3rd gen)	7	Acts as proxy; deep packet inspection of application data (HTTP, FTP, DNS)	Can block malicious payloads; URL filtering	Slow, complex, must decode each protocol
NGFW (Next-Gen)	2–7	Stateful + DPI + Application ID + IPS + SSL inspection + user identity + URL filtering	Comprehensive visibility and control	Expensive, high CPU, complex config

2.3 Stateful Inspection Deep Dive

The firewall maintains a state table (connection tracking table). For each TCP connection:

Tracks: source IP, destination IP, source port, destination port, protocol, connection state (SYN_SENT, ESTABLISHED, etc.)
Allows return traffic automatically without needing explicit inbound rules
Drops packets that don't match any existing connection entry

Example State Table Entry:
Src: 192.168.1.10:54321  Dst: 8.8.8.8:80  Proto: TCP  State: ESTABLISHED

2.4 DMZ (Demilitarized Zone)

A DMZ is a separate network segment that sits between the external (Internet-facing) and internal networks, hosting public-facing services like web servers, mail servers, and DNS servers.

Internet ──── [Firewall Outside] ──── DMZ (Web/Mail/DNS) ──── [Firewall Inside] ──── Internal LAN

External users can reach DMZ servers but cannot reach internal LAN
Internal users can reach both DMZ and Internet
If a DMZ server is compromised, the attacker still cannot directly access the internal network

Two-firewall DMZ: One firewall between Internet and DMZ, another between DMZ and LAN — more secure but more expensive.

2.5 Cisco ASA (Adaptive Security Appliance)

Security Levels

ASA assigns a security level (0–100) to each interface:

Level	Interface Name	Trust	Default behavior
100	Inside	Most trusted	Traffic flows out freely
0	Outside	Least trusted	Traffic blocked inbound by default
1–99	DMZ (custom)	Intermediate	Depends on level difference

Rule: Traffic flows freely from higher security level to lower (inside → outside). Traffic from lower to higher is blocked unless explicitly permitted by an ACL.

Key ASA Commands

! Enter privileged exec mode
enable

! Enter global configuration mode
configure terminal

! Configure interface
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.1 255.255.255.0
  no shutdown

interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown

interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 172.16.1.1 255.255.255.0
  no shutdown

! NAT — inside to outside
nat (inside,outside) dynamic interface

! Access list — permit HTTP from outside to DMZ web server
access-list OUTSIDE_IN permit tcp any host 172.16.1.10 eq 80
access-group OUTSIDE_IN in interface outside

! Show commands
show interface
show running-config
show access-list
show conn           (connection table)

ASA NAT Types

NAT Type	Description	Use Case
Dynamic NAT	One-to-one mapping from pool	Multiple internals → multiple public IPs
Dynamic PAT (overload)	Many-to-one, different port numbers	Most common; home routers
Static NAT	Fixed one-to-one mapping	Servers accessible from outside (DMZ)
Identity NAT	No address translation	VPN traffic (bypass NAT for IPsec)

2.6 NGFW Features

Application Identification — Identifies apps regardless of port (e.g., Facebook on port 443)
SSL/TLS Inspection — Decrypts, inspects, re-encrypts HTTPS traffic
User Identity — Links traffic to specific Active Directory users
URL Filtering — Blocks malicious/inappropriate websites by category
Threat Intelligence — Real-time feeds of known malicious IPs/domains
Sandboxing — Executes suspicious files in isolated environment

2.7 Firewall Deployment Modes

Mode	Layer	Has IP?	Best for
Routed mode	3 (default)	Yes — each interface has IP	Standard deployment, can route between subnets
Transparent mode	2 (bridge)	No (uses management IP only)	Drop-in between existing segments without re-IP

Practice Questions — Ch2

Q: An ASA interface with security level 0 is called what?
A: Outside (least trusted)

Q: What does a stateful firewall track that a packet filter does not?
A: Connection state — it maintains a state table of active sessions and allows return traffic automatically.

Q: Where are public-facing servers (web, mail, DNS) typically placed?
A: In the DMZ

Q: Which firewall generation operates at Layer 7 and can inspect application data?
A: Application-layer firewall (proxy firewall) and NGFW

Chapter 3: Cryptography

3.1 Cryptography Fundamentals

Term	Definition
Plaintext	Original readable data
Ciphertext	Encrypted unreadable data
Encryption	Converting plaintext → ciphertext using a key and algorithm
Decryption	Converting ciphertext → plaintext using a key and algorithm
Key	Secret value that controls the encryption/decryption process
Algorithm (Cipher)	Mathematical function for encryption

3.2 Symmetric Encryption

Same key used for encryption and decryption. Fast, used for bulk data.

Key Management Problem

The key must be securely shared before communication begins. With N parties, you need N(N-1)/2 keys.

Algorithm	Key Size	Block Size	Status	Notes
DES	56-bit effective	64-bit	❌ Broken	Vulnerable to brute force (exhausted in <24h)
3DES (Triple DES)	112 or 168-bit	64-bit	⚠️ Deprecated	Apply DES three times: E-D-E with 3 keys
AES	128, 192, 256-bit	128-bit	✅ Current standard	Adopted by NIST 2001; used in WPA2, TLS, IPsec
RC4	Variable (40–2048 bit)	Stream cipher	❌ Broken	Used in WEP, SSL (both broken)
Blowfish	32–448-bit	64-bit	⚠️ Older	Fast, public domain

Block Cipher Modes

Mode	Name	Notes
ECB	Electronic Codebook	Same block → same ciphertext; DO NOT USE for images/structured data
CBC	Cipher Block Chaining	Each block XOR'd with previous ciphertext; needs IV. Most common.
CTR	Counter Mode	Turns block cipher into stream cipher; parallelizable
GCM	Galois/Counter Mode	Authenticated encryption (confidentiality + integrity); used in TLS 1.3

3.3 Asymmetric Encryption (Public-Key Cryptography)

Uses a mathematically linked key pair: public key (share freely) + private key (keep secret).

Encrypt with public key → only private key can decrypt (Confidentiality)
Encrypt with private key → anyone with public key can verify (Authentication / Digital Signature)

Algorithm	Key Size	Based On	Use Case
RSA	2048–4096 bit	Factoring large primes	Key exchange, digital signatures, PKI
Diffie-Hellman (DH)	2048+ bit	Discrete logarithm	Key exchange only (no encryption/signing directly); IKE Phase 1
ECC (Elliptic Curve)	256–521 bit	Elliptic curve discrete log	Smaller keys, same security as RSA; TLS, mobile
DSA	1024–3072 bit	Discrete logarithm	Digital signatures only (not encryption)

DH vs RSA: DH is used to negotiate a shared secret (key agreement). RSA can both sign and encrypt. DH alone does not authenticate — it's combined with RSA/certificates in TLS/IKE for authentication.

3.4 Hashing

A one-way function that produces a fixed-size digest (fingerprint) from any input. Cannot be reversed.

Properties of a Good Hash

Deterministic — same input always gives same output
Avalanche effect — small change in input → completely different output
Collision-resistant — hard to find two inputs with same hash
Pre-image resistant — cannot determine input from output

Algorithm	Output Size	Status	Notes
MD5	128-bit (32 hex)	❌ Broken (collisions)	Still used for checksums, NOT security
SHA-1	160-bit (40 hex)	❌ Deprecated	Collisions found in 2017 (SHAttered)
SHA-256	256-bit (64 hex)	✅ Current standard	Part of SHA-2 family; Bitcoin, TLS, IPsec
SHA-3	224–512 bit	✅ Approved	Different design from SHA-2; Keccak algorithm
HMAC	Depends on hash	✅ Used widely	Hash + shared secret key → authentication + integrity

Hash Use Cases

Password storage — Store hash of password, not plaintext (+ salt to prevent rainbow tables)
File integrity — Verify file not tampered (hash before/after)
Digital signatures — Hash the document, sign the hash
Data integrity in VPN — HMAC in IPsec AH/ESP

3.5 Digital Signatures

Process for authenticating data origin and ensuring integrity:

Sender computes hash of the message
Sender encrypts the hash with their private key → this is the digital signature
Sender sends message + digital signature
Receiver decrypts signature using sender's public key → recovers hash
Receiver hashes the received message independently
If both hashes match → message is authentic and unmodified

Digital signatures provide: Authentication (came from key owner), Integrity (not tampered), Non-repudiation (cannot deny sending).

3.6 PKI (Public Key Infrastructure)

PKI is the framework of policies, procedures, and technologies for managing digital certificates and public keys.

Components

Component	Role
CA (Certificate Authority)	Issues and signs digital certificates (e.g., DigiCert, Let's Encrypt)
RA (Registration Authority)	Verifies identity before CA issues certificate
Digital Certificate (X.509)	Binds public key to an entity; signed by CA
CRL (Certificate Revocation List)	List of revoked certificates
OCSP	Online Certificate Status Protocol — real-time revocation check

X.509 Certificate Contents

Subject (owner): CN, Organization, Country
Subject's Public Key
Issuer (CA name)
Validity period (Not Before / Not After)
Serial Number
CA's Digital Signature

Chain of Trust

Root CA → Intermediate CA → End-entity Certificate. Browser trusts root CAs in built-in trust store.

3.7 TLS (Transport Layer Security)

TLS secures communications over TCP. Successor to SSL (SSL is deprecated).

TLS 1.2 Handshake

ClientHello — Client sends supported cipher suites, TLS version, random nonce
ServerHello — Server selects cipher suite, sends its certificate (with public key)
Certificate Verify — Client verifies server certificate via PKI chain
Key Exchange — Client generates pre-master secret, encrypts with server public key (RSA) or DH key exchange
Session Keys Derived — Both sides derive symmetric session keys from pre-master secret + nonces
Finished — Both send Finished message encrypted with session key to confirm

TLS 1.3 (2018): Only forward-secret cipher suites, removed RSA key exchange (uses only DH/ECDH), 1-RTT handshake (vs 2-RTT in 1.2), removed MD5/SHA-1/RC4.

Cipher Suite Notation

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
│    │     │       │       │      │
│    │     │       │       │      └─ Hash (HMAC)
│    │     │       │       └─ Mode
│    │     │       └─ Bulk encryption algorithm + key size
│    │     └─ Authentication (certificate type)
│    └─ Key Exchange (ECDHE = Elliptic Curve Diffie-Hellman Ephemeral)
└─ Protocol

3.8 Symmetric vs Asymmetric Summary

Feature	Symmetric	Asymmetric
Keys	One shared key	Key pair (public + private)
Speed	Fast (1000x faster)	Slow
Key distribution	Difficult (must share secret)	Easy (public key is public)
Use case	Bulk data encryption	Key exchange, digital signatures, authentication
Examples	AES, 3DES, DES	RSA, DH, ECC
In TLS	Session data encryption	Key exchange + certificate authentication

Practice Questions — Ch3

Q: Why is asymmetric encryption not used to encrypt bulk data?
A: It is much slower than symmetric encryption. Asymmetric is used only for key exchange and authentication; the session data is encrypted with symmetric AES.

Q: What makes SHA-256 different from MD5?
A: SHA-256 produces a 256-bit output and is collision-resistant; MD5 (128-bit) has known collisions and is broken for security use.

Q: What is the purpose of a CA in PKI?
A: A CA issues and digitally signs certificates, binding a public key to an identity, creating a chain of trust.

Q: In a digital signature, the sender signs with their ______ key.
A: Private key

Chapter 4: VPN (Virtual Private Networks)

4.1 VPN Overview

A VPN creates an encrypted tunnel over a public network (Internet), allowing remote hosts to communicate as if on the same private network.

VPN Type	Use Case	Protocol
Site-to-Site	Connect two office networks permanently	IPsec
Remote Access	Individual users connect to corporate network	SSL VPN, IPsec with client
Extranet	Connect to partner/supplier network	IPsec

4.2 IPsec (Internet Protocol Security)

IPsec is a suite of protocols that provides authentication, integrity, and confidentiality at the IP layer (Layer 3).

IPsec Protocols

Protocol	Purpose	Provides	Header added?
AH (Authentication Header)	Integrity + Authentication	Authentication, anti-replay, no encryption	Yes — IP Protocol 51
ESP (Encapsulating Security Payload)	Encryption + optional Auth	Confidentiality, integrity, authentication	Yes — IP Protocol 50

AH does NOT encrypt data — it only authenticates. ESP provides both encryption and authentication. In practice, ESP is almost always used over AH because it provides confidentiality.

IPsec Modes

Mode	What's protected	Original IP header	Use case
Transport Mode	Only the payload (data)	Preserved (visible)	End-to-end between hosts (e.g., L2TP/IPsec client)
Tunnel Mode	Entire original IP packet	Encapsulated (hidden)	Site-to-site VPN between gateways

Transport Mode:  [Original IP Header | ESP Header | Payload | ESP Trailer | ESP Auth]
Tunnel Mode:     [New IP Header | ESP Header | Original IP Header | Payload | ESP Trailer | ESP Auth]

4.3 IKE (Internet Key Exchange)

IKE is the protocol that negotiates and establishes IPsec SAs (Security Associations). Uses UDP port 500 (IKEv1) or UDP 500/4500 (IKEv2).

IKE Phase 1 — Management Tunnel

Goal: Establish a secure, authenticated channel (ISAKMP SA) to protect Phase 2 negotiation.

Negotiates: encryption algorithm, hash, authentication method, DH group, lifetime
Authentication methods: Pre-Shared Key (PSK) or Digital Certificates (RSA)
DH key exchange occurs here to create a shared secret
Two modes: Main Mode (6 messages, more secure, protects identities) vs Aggressive Mode (3 messages, faster but exposes identities)

IKE Phase 2 — Data Tunnel (IPsec SA)

Goal: Establish the actual IPsec SA for data encryption. Uses the Phase 1 tunnel for protection.

Negotiates: ESP or AH, encryption algorithm (AES), hash algorithm (SHA), tunnel or transport mode, lifetime
Only mode: Quick Mode (3 messages)
Creates two unidirectional SAs (one for each direction)

Memory trick: Phase 1 = Protect the negotiation. Phase 2 = Protect the data.

Security Association (SA)

An SA is a one-directional logical connection that defines: protocol (ESP/AH), key, SPI (Security Parameter Index), encryption/hash algorithm. Identified by: (SPI, destination IP, protocol).

4.4 Site-to-Site IPsec VPN Configuration (Cisco IOS)

! Step 1: ISAKMP Policy (Phase 1)
crypto isakmp policy 10
  encr aes 256
  hash sha256
  authentication pre-share
  group 14
  lifetime 86400

crypto isakmp key MY_SECRET_KEY address 203.0.113.2

! Step 2: IPsec Transform Set (Phase 2)
crypto ipsec transform-set MY_SET esp-aes 256 esp-sha256-hmac
  mode tunnel

! Step 3: Crypto Map
crypto map MY_MAP 10 ipsec-isakmp
  set peer 203.0.113.2
  set transform-set MY_SET
  match address VPN_ACL

! Step 4: ACL to define interesting traffic
ip access-list extended VPN_ACL
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! Step 5: Apply to interface
interface Serial0/0
  crypto map MY_MAP

4.5 SSL/TLS VPN

Operates at Layer 4–7. Uses standard HTTPS (port 443) so it works through most firewalls without special configuration.

Feature	SSL VPN	IPsec VPN
Layer	4–7 (Application/Transport)	3 (Network)
Port	443 (HTTPS)	UDP 500, 4500; ESP (IP 50)
NAT traversal	Excellent (no issues)	Requires NAT-T (UDP 4500)
Client required	Browser or thin client	VPN client software required
Use case	Remote workers, BYOD	Site-to-site, full-tunnel remote access

4.6 GRE (Generic Routing Encapsulation)

GRE encapsulates any Layer 3 protocol inside IP. It is NOT encrypted by itself — used with IPsec for GRE-over-IPsec tunnels.

Allows routing protocols (OSPF, EIGRP) to run over tunnels
Adds a 24-byte overhead header
IP Protocol 47

! GRE Tunnel Configuration
interface Tunnel0
  ip address 10.0.0.1 255.255.255.252
  tunnel source Serial0/0
  tunnel destination 203.0.113.2

4.7 L2TP (Layer 2 Tunneling Protocol)

L2TP encapsulates PPP frames at Layer 2. Like GRE, it provides no encryption by itself — always combined with IPsec (L2TP/IPsec) for security.

UDP port 1701
Common in Windows VPN clients (legacy)
L2TP/IPsec: L2TP provides the tunnel, IPsec provides encryption

4.8 VPN Protocol Comparison

Protocol	Layer	Encrypts?	Authentication	Port	Common Use
IPsec	3	Yes (ESP)	PSK, Certificates	UDP 500, 4500	Site-to-site, enterprise
SSL/TLS VPN	4–7	Yes	Certificate	TCP 443	Remote access, BYOD
GRE	3	No	None	IP Proto 47	Tunnel for routing protocols
L2TP	2	No	PPP auth	UDP 1701	Used with IPsec
OpenVPN	3–4	Yes	Certificate	UDP/TCP 1194	Open-source remote access

Practice Questions — Ch4

Q: What is the difference between AH and ESP in IPsec?
A: AH provides authentication and integrity only (no encryption). ESP provides confidentiality, integrity, and authentication. AH uses IP Protocol 51; ESP uses Protocol 50.

Q: What occurs in IKE Phase 1 vs Phase 2?
A: Phase 1 establishes the ISAKMP SA (management tunnel) using DH key exchange. Phase 2 (Quick Mode) establishes the IPsec SA that actually protects the VPN data.

Q: In tunnel mode, what is encapsulated?
A: The entire original IP packet (header + payload) is encapsulated inside a new IP packet.

Q: Why is GRE often used with IPsec?
A: GRE provides the tunnel structure and supports routing protocols, but has no encryption. IPsec adds encryption and authentication to secure the GRE tunnel.

Chapter 5: Access Control Lists (ACL)

5.1 ACL Overview

An ACL is an ordered list of permit/deny statements applied to a router interface to filter traffic based on packet attributes. Processed top-down; stops at first match.

Implicit Deny: Every ACL ends with an invisible deny any any — any traffic not explicitly permitted is denied.

5.2 ACL Types

Type	Number Range	Filters on	Placement
Standard (numbered)	1–99, 1300–1999	Source IP only	Close to destination
Extended (numbered)	100–199, 2000–2699	Src IP, Dst IP, Protocol, Port	Close to source
Named	Any name	Standard or Extended	Same rules as above

Why placement matters: Standard ACL only matches on source IP — place near destination so traffic from that source can still reach other destinations. Extended ACL can filter specifically — place near source to drop unwanted traffic early (save bandwidth).

5.3 Wildcard Masks

Wildcard masks are the inverse of subnet masks. Used in ACLs to define address ranges.

0 in wildcard = check this bit (must match)
1 in wildcard = ignore this bit (don't care)

Subnet	Subnet Mask	Wildcard Mask	Matches
192.168.1.0/24	255.255.255.0	0.0.0.255	192.168.1.0–192.168.1.255
192.168.1.0/25	255.255.255.128	0.0.0.127	192.168.1.0–192.168.1.127
10.0.0.0/8	255.0.0.0	0.255.255.255	10.x.x.x
Any host	—	255.255.255.255	Keyword: `any`
Specific host	—	0.0.0.0	Keyword: `host x.x.x.x`

Formula: Wildcard = 255.255.255.255 – Subnet Mask
Example: 255.255.255.255 – 255.255.255.0 = 0.0.0.255

5.4 Standard ACL Syntax

! Numbered Standard
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   host 10.0.0.5
access-list 10 permit any

! Named Standard
ip access-list standard BLOCK_HOST
  deny   host 192.168.2.100
  permit any

! Apply to interface
interface GigabitEthernet0/1
  ip access-group 10 in      ! Filter inbound traffic
  ip access-group 10 out     ! Filter outbound traffic

5.5 Extended ACL Syntax

! Syntax:
access-list [number] [permit|deny] [protocol] [src] [src-wildcard] [dst] [dst-wildcard] [operator] [port]

! Examples:
! Deny FTP from 192.168.1.0/24 to any
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 21

! Permit HTTP from any to DMZ web server
access-list 100 permit tcp any host 172.16.1.10 eq 80

! Permit HTTPS from any to DMZ web server
access-list 100 permit tcp any host 172.16.1.10 eq 443

! Permit ICMP (ping) from 10.0.0.0/8 to anywhere
access-list 100 permit icmp 10.0.0.0 0.255.255.255 any

! Implicit deny all (already there, but can be explicit)
access-list 100 deny ip any any log

! Named Extended
ip access-list extended SECURE_TRAFFIC
  permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 443
  permit icmp 192.168.1.0 0.0.0.255 any
  deny   ip any any log

5.6 Port Numbers to Know

Port	Protocol	Service
20	TCP	FTP Data
21	TCP	FTP Control
22	TCP	SSH
23	TCP	Telnet
25	TCP	SMTP (email)
53	TCP/UDP	DNS
80	TCP	HTTP
110	TCP	POP3
143	TCP	IMAP
443	TCP	HTTPS / SSL/TLS
500	UDP	IKE (IPsec)
3389	TCP	RDP

5.7 ACL Operators

Operator	Meaning	Example
eq	Equal to port	`eq 80` (HTTP)
neq	Not equal	`neq 23`
lt	Less than	`lt 1024` (well-known ports)
gt	Greater than	`gt 1023` (ephemeral)
range	Range of ports	`range 20 21` (FTP)

5.8 Verification Commands

show access-lists                  ! Show all ACLs with hit counts
show ip access-lists               ! Show IP ACLs only
show running-config | include access  ! Find ACL in config
show ip interface GigabitEthernet0/1  ! Show which ACLs applied to interface

Practice Questions — Ch5

Q: A standard ACL should be placed close to the ______.
A: Destination (because standard ACLs only match on source IP — if placed near source, they could block traffic to other destinations)

Q: What wildcard mask would match the network 192.168.5.0/26?
A: 0.0.0.63 (255.255.255.255 − 255.255.255.192 = 0.0.0.63)

Q: Write an extended ACL statement to deny Telnet (TCP/23) from any source to any destination.
A: access-list 100 deny tcp any any eq 23

Q: What happens to traffic that doesn't match any ACL entry?
A: It is dropped by the implicit deny any any at the end of every ACL.

Chapter 6: Cyber Attacks

6.1 DoS and DDoS

Denial of Service (DoS)

Attack from a single source that exhausts target resources (bandwidth, CPU, memory, connections), making services unavailable.

Distributed DoS (DDoS)

Coordinated attack from multiple compromised hosts (botnet). Much harder to block because traffic comes from many IPs.

DoS Attack Types

Type	Method	Target
Volumetric	Flood bandwidth with traffic (UDP flood, ICMP flood)	Network bandwidth
Protocol	Exploit protocol weaknesses (SYN Flood, ping of death, Smurf)	Network equipment / servers
Application Layer	Flood with legitimate-looking requests (HTTP GET flood, slowloris)	Web server resources

6.2 SYN Flood Attack

Exploits the TCP 3-way handshake:

Attacker sends many SYN packets with spoofed source IPs
Server responds with SYN-ACK and holds a half-open connection in memory
Attacker never sends the final ACK
Server's connection table fills up → legitimate connections refused

Countermeasures:

SYN cookies — server doesn't store state until handshake completes
Rate limiting SYN packets per source IP
Firewall SYN flood protection (stateful inspection drops half-open connections)

Lab Command (hping3)

# Basic SYN flood
hping3 --flood -S -p 80 192.168.1.1

# Full lab attack:
hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.1.159
# -c 15000  = 15000 packets
# -d 120    = data size 120 bytes
# -S        = SYN flag
# -w 64     = window size 64
# -p 80     = target port 80
# --flood   = send as fast as possible
# --rand-source = randomize source IP (spoofing)

# Wireshark filter to detect:
tcp.flags.syn==1 and tcp.flags.ack==0

6.3 MITM (Man-in-the-Middle) Attack

Attacker secretly intercepts and possibly alters communications between two parties who believe they are communicating directly.

MITM Techniques

ARP Spoofing/Poisoning — Attacker sends fake ARP replies to associate their MAC with a victim's IP address
DNS Spoofing — Corrupt DNS cache to redirect domain to attacker's IP
SSL Stripping — Downgrade HTTPS to HTTP between victim and server
Evil Twin — Rogue Wi-Fi AP with same SSID as legitimate one
BGP Hijacking — Inject false BGP routes to redirect Internet traffic

6.4 ARP Spoofing

ARP (Address Resolution Protocol) is stateless — hosts accept ARP replies even without sending requests.

Attacker sends gratuitous ARP: "IP 192.168.1.1 is at [attacker's MAC]"
Victim updates its ARP cache
Victim's traffic to 192.168.1.1 goes to attacker
Attacker can inspect/modify and forward

Defenses

Dynamic ARP Inspection (DAI) — Switch validates ARP packets against DHCP snooping table
Static ARP entries — On critical devices
HTTPS/TLS — Even if traffic is intercepted, it's encrypted

6.5 Password Attacks

Attack Type	Method	Defense
Brute Force	Try every possible combination	Account lockout, long passwords
Dictionary Attack	Try words from a wordlist (e.g., rockyou.txt)	Complex passwords not in dictionaries
Rainbow Table	Precomputed hash lookup table	Salting passwords (makes rainbow tables useless)
Credential Stuffing	Use leaked username/password pairs from breaches	Unique passwords, MFA
Password Spraying	Try one common password against many accounts	Block after X failures, MFA

rockyou.txt

14,341,564 real leaked passwords from 2009 RockYou breach
Located at /usr/share/wordlists/rockyou.txt.gz in Kali Linux
Decompress: gzip -d /usr/share/wordlists/rockyou.txt.gz
Used with aircrack-ng, hashcat, John the Ripper

6.6 Web Application Attacks

SQL Injection

Injecting malicious SQL code into user input fields to manipulate database queries.

Normal query:  SELECT * FROM users WHERE username='admin' AND password='pass'
Injected:      SELECT * FROM users WHERE username='admin' --' AND password=''
Result: '--' comments out the password check → logs in as admin

Defense: Parameterized queries / prepared statements, input validation, WAF.

XSS (Cross-Site Scripting)

Injecting malicious JavaScript into web pages viewed by other users.

Stored XSS — Script stored in database, runs for every user who loads the page
Reflected XSS — Script in URL parameter, reflected back in response
DOM-based XSS — Manipulates DOM without server involvement

Impact: Cookie theft, session hijacking, redirecting users to malicious sites.

Defense: Input sanitization, Content Security Policy (CSP), HttpOnly cookies.

CSRF (Cross-Site Request Forgery)

Tricks authenticated user's browser into sending unauthorized requests to a trusted site.

Defense: CSRF tokens, SameSite cookies, re-authentication for sensitive actions.

6.7 Wireless Attacks

De-Authentication Attack

IEEE 802.11 management frames (including deauth) are unauthenticated by default. Attacker sends forged deauthentication frames to force client to disconnect.

# Step 1: Enable monitor mode
airmon-ng start wlan0
# Creates wlan0mon interface

# Step 2: Find target network
airodump-ng wlan0mon
# Shows BSSID (AP MAC), SSID, channel, clients

# Step 3: Deauthentication attack (send 100 deauth frames)
aireplay-ng -0 100 -a [AP_BSSID] -c [CLIENT_MAC] wlan0mon
# -0 = deauth attack
# 100 = number of frames (0 = continuous)
# -a = AP MAC address
# -c = client MAC address

# Detection in Wireshark:
# Filter: wlan.fc.type_subtype == 0x0c
# Deauth frames are subtype 12 (0x0c)

WPA Handshake Attack (Wifite)

Capture the WPA 4-way handshake, then crack the password offline using dictionary attack.

# Automated with Wifite:
wifite --wpa --dict /usr/share/wordlists/rockyou.txt --kill

# Manual process:
# 1. airmon-ng start wlan0
# 2. airodump-ng --bssid [AP_MAC] -c [channel] -w capture wlan0mon
# 3. aireplay-ng -0 5 -a [AP_MAC] wlan0mon  (force reconnect to capture handshake)
# 4. aircrack-ng capture-01.cap -w rockyou.txt  (offline crack)

Key Terms

Term	Definition
SSID	Service Set Identifier — human-readable network name
BSSID	Basic SSID — MAC address of the AP
ESSID	Extended SSID — used when multiple APs share the same SSID
WPA Handshake	4-way handshake between client and AP that proves both know the PSK; captured for offline cracking

6.8 Cyber Kill Chain (Lockheed Martin)

Phase	Name	Description	Example
1	Reconnaissance	Research the target	Nmap scanning, OSINT
2	Weaponization	Create malware payload	Embed exploit in Word document
3	Delivery	Transmit weapon to target	Phishing email, USB drop
4	Exploitation	Exploit vulnerability on target	Execute malicious macro
5	Installation	Install malware/backdoor	Drop RAT, create scheduled task
6	C2 (Command & Control)	Establish communication channel	Beacon to C2 server
7	Actions on Objectives	Accomplish goal	Data exfiltration, ransomware deployment

Practice Questions — Ch6

Q: What makes a DDoS harder to defend against than a DoS?
A: DDoS uses a botnet (many source IPs), making it impossible to simply block a single source IP.

Q: Why does a SYN flood use spoofed source IPs?
A: To prevent the real ACK from completing the handshake (keeping connections half-open) and to prevent the server's SYN-ACK from reaching the attacker, avoiding detection.

Q: What Wireshark filter detects de-authentication frames?
A: wlan.fc.type_subtype == 0x0c

Q: What is the 6th phase of the Cyber Kill Chain?
A: Command and Control (C2) — establish communication channel back to attacker.

🧪 Lab Reference

Lab 3.1 — rockyou.txt Wordlist

Detail	Value
Source	2009 RockYou.com data breach
Size	14,341,564 unique passwords
Path in Kali	`/usr/share/wordlists/rockyou.txt.gz`
Decompress	`gzip -d /usr/share/wordlists/rockyou.txt.gz`

# Use with aircrack-ng
aircrack-ng handshake.cap -w /usr/share/wordlists/rockyou.txt

# Use with hashcat (WPA)
hashcat -m 2500 handshake.hccapx /usr/share/wordlists/rockyou.txt

# Use with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Lab 4.2 — Nmap Scanning

Command	Flag	Description
Ping scan	`-sn`	Host discovery only (no port scan). Also called "ping scan".
SYN scan (stealth)	`-sS`	Half-open scan. Sends SYN, receives SYN-ACK, sends RST (doesn't complete handshake). Requires root.
Connect scan	`-sT`	Full TCP connect. Doesn't require root but more detectable.
UDP scan	`-sU`	Scan UDP ports (slower)
Version detection	`-sV`	Detect service version running on open ports
OS detection	`-O`	Detect target OS (requires root)
Aggressive	`-A`	Enables OS detection + version + scripts + traceroute
Output to file	`-oN file`	Save output in normal format. (`-oX` = XML, `-oA` = all formats)
Scan all ports	`-p-`	Scan all 65535 ports
Fast scan	`-F`	Scan only top 100 common ports
Timing	`-T0` to `-T5`	T0=paranoid (slow, stealthy), T3=default, T5=insane (fast, detectable)

# Common examples:
nmap -sn 192.168.1.0/24            # Discover live hosts
nmap -sS -p 1-1000 192.168.1.1     # Stealth scan ports 1-1000
nmap -A 192.168.1.1                # Aggressive scan
nmap -sV -p 22,80,443 10.0.0.1    # Version detect on specific ports
nmap -oN output.txt 192.168.1.0/24 # Save results

Zenmap = Official GUI for Nmap. Provides topology view and profile-based scanning.

Lab 5.3 — TCP SYN Flood with hping3

# hping3 SYN flood — basic
hping3 --flood -S -p 445 192.168.1.1
# --flood: no delay between packets
# -S: set SYN flag
# -p 445: target port 445 (SMB)

# Full lab attack:
hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.1.159
# -c 15000:     send 15000 packets
# -d 120:       data payload 120 bytes
# -S:           SYN flag
# -w 64:        TCP window size 64
# -p 80:        target port 80 (HTTP)
# --flood:      saturate link, no delays
# --rand-source: randomize source IP (simulate DDoS, evade IP-based blocks)
# 192.168.1.159: target IP

# Wireshark filter to detect SYN flood:
tcp.flags.syn==1 and tcp.flags.ack==0
# This shows only SYN packets without ACK (half-open connections)

hping3 Flag	Meaning
`-S`	Set SYN flag
`-A`	Set ACK flag
`-F`	Set FIN flag
`-R`	Set RST flag
`-P`	Set PUSH flag
`-c`	Packet count
`-d`	Data size (bytes)
`-p`	Destination port
`--flood`	Max speed, no stats
`--rand-source`	Random source IP

Lab 6.1 — De-Authentication Attack

# Aircrack-ng suite commands:

# Step 1: Check wireless interfaces
iwconfig

# Step 2: Kill conflicting processes
airmon-ng check kill

# Step 3: Enable monitor mode
airmon-ng start wlan0
# Creates: wlan0mon

# Step 4: Scan for networks
airodump-ng wlan0mon
# Shows: BSSID, PWR, CH, ESSID, connected clients

# Step 5: Focus on target network
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 wlan0mon

# Step 6: Send deauth frames
aireplay-ng -0 100 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# -0 100: deauth attack, 100 frames
# -a: Access Point (AP) MAC = BSSID
# -c: Client MAC address
# Use -0 0 for continuous attack

# Detection:
# Wireshark filter: wlan.fc.type_subtype == 0x0c
# Deauth frame = management frame (type 0), subtype 12 (0x0c = 12 decimal)

Term	Definition
BSSID	MAC address of the Access Point
SSID	Human-readable network name ("MyWiFi")
ESSID	Extended SSID (same SSID across multiple APs in a network)
Monitor mode	Wireless card mode that captures all frames (not just those addressed to it)
Managed mode	Normal client mode — only processes frames addressed to its MAC

Lab 6.3 — WPA Handshake Attack (Wifite)

# Automated attack
wifite --wpa --dict /usr/share/wordlists/rockyou.txt --kill

# What Wifite does automatically:
# 1. Enables monitor mode (airmon-ng)
# 2. Scans for WPA networks (airodump-ng)
# 3. Sends deauth to capture handshake (aireplay-ng)
# 4. Captures WPA 4-way handshake
# 5. Cracks offline with aircrack-ng using provided wordlist

# Manual equivalent:
airmon-ng start wlan0
airodump-ng --bssid [AP] -c [CH] -w capture wlan0mon
aireplay-ng -0 5 -a [AP] wlan0mon
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt

The WPA 4-way handshake does NOT transmit the password. It transmits a cryptographic proof (MIC) that both sides know the PSK. Cracking works by testing dictionary words to find which produces the matching MIC.

Shell Commands Reference

# Network information
ifconfig / ip addr         # Show IP addresses
iwconfig                   # Wireless interface info
netstat -an                # Active connections
route                      # Routing table

# File operations
ls -la                     # List files with permissions
cat /etc/passwd            # Read file
grep -r "pattern" /dir     # Search recursively
find / -name "file.txt"    # Find file

# Process management
ps aux                     # List processes
kill -9 [PID]              # Force kill process
service [name] start/stop  # Manage services

# Network tools
ping [host]                # ICMP test
traceroute [host]          # Trace route
nslookup [domain]          # DNS lookup
nc -lvp 4444              # Netcat listener

🔐 CSCI623 Network Security

Study Roadmap

Chapter 1: Network Security Concepts

1.1 The CIA Triad

1.2 Threat Terminology

1.3 Attacker Types

1.4 Malware Types

1.5 Social Engineering

Types

1.6 IDS vs IPS

Detection Methods

1.7 Defense-in-Depth

Practice Questions — Ch1

Chapter 2: Firewall Technologies

2.1 Firewall Overview

2.2 Firewall Types (Generation)

2.3 Stateful Inspection Deep Dive

2.4 DMZ (Demilitarized Zone)

2.5 Cisco ASA (Adaptive Security Appliance)

Security Levels

Key ASA Commands

ASA NAT Types

2.6 NGFW Features

2.7 Firewall Deployment Modes

Practice Questions — Ch2

Chapter 3: Cryptography

3.1 Cryptography Fundamentals

3.2 Symmetric Encryption

Key Management Problem

Block Cipher Modes

3.3 Asymmetric Encryption (Public-Key Cryptography)

3.4 Hashing

Properties of a Good Hash

Hash Use Cases

3.5 Digital Signatures

3.6 PKI (Public Key Infrastructure)

Components

X.509 Certificate Contents

Chain of Trust

3.7 TLS (Transport Layer Security)

TLS 1.2 Handshake

Cipher Suite Notation

3.8 Symmetric vs Asymmetric Summary

Practice Questions — Ch3

Chapter 4: VPN (Virtual Private Networks)

4.1 VPN Overview

4.2 IPsec (Internet Protocol Security)

IPsec Protocols

IPsec Modes

4.3 IKE (Internet Key Exchange)

IKE Phase 1 — Management Tunnel

IKE Phase 2 — Data Tunnel (IPsec SA)

Security Association (SA)

4.4 Site-to-Site IPsec VPN Configuration (Cisco IOS)

4.5 SSL/TLS VPN

4.6 GRE (Generic Routing Encapsulation)

4.7 L2TP (Layer 2 Tunneling Protocol)

4.8 VPN Protocol Comparison

Practice Questions — Ch4

Chapter 5: Access Control Lists (ACL)

5.1 ACL Overview

5.2 ACL Types

5.3 Wildcard Masks

5.4 Standard ACL Syntax

5.5 Extended ACL Syntax

5.6 Port Numbers to Know

5.7 ACL Operators

5.8 Verification Commands

Practice Questions — Ch5

Chapter 6: Cyber Attacks

6.1 DoS and DDoS

Denial of Service (DoS)

Distributed DoS (DDoS)

DoS Attack Types

6.2 SYN Flood Attack

Lab Command (hping3)

6.3 MITM (Man-in-the-Middle) Attack

MITM Techniques

6.4 ARP Spoofing

Defenses