# Network Security Basics

## Overview
Network security protects computer networks and data from unauthorized access, misuse, and modification. This chapter covers core network security concepts including firewalls, NAT, VPNs, and encryption basics.
Difficulty: ★★★

Learning Objectives:

- Understand basic network security principles
- Learn firewall types and operating principles
- Understand NAT concepts and security roles
- Learn VPN types and usage methods
- Acquire basic encryption concepts
## Table of Contents
- Network Security Overview
- Firewalls
- NAT
- VPN
- Encryption Basics
- Practice Problems
- Next Steps
- References
## 1. Network Security Overview

### CIA Triad

The CIA triad names the three core security elements:

- **Confidentiality**: only authorized users can access information.
- **Integrity**: information is accurate and unmodified.
- **Availability**: information is accessible when needed.
### Security Elements Details
| Element | Description | Threat Examples | Countermeasures |
|---|---|---|---|
| Confidentiality | Authorized access only | Eavesdropping, sniffing | Encryption, access control |
| Integrity | Prevent data modification | MITM attack, tampering | Hashing, digital signatures |
| Availability | Continuous service provision | DoS/DDoS attacks | Redundancy, load balancing |
### Additional Security Elements

- **Authentication**: verify user/system identity. Examples: passwords, certificates, biometrics.
- **Authorization**: grant access permissions. Example: Role-Based Access Control (RBAC).
- **Non-repudiation**: actions performed cannot be denied. Examples: digital signatures, audit logs.
- **Accountability**: actions can be traced to actors. Examples: logging, monitoring.
### Defense in Depth

Defense in depth nests independent layers of protection, so an attacker must get through every outer layer before reaching the data. From the outermost layer inward:

1. Physical security (server room, access control)
2. Perimeter security (firewall, IDS/IPS)
3. Network security (VLAN, network segregation)
4. Host security (OS security, antivirus)
5. Application security (input validation, authentication)
6. Data security (encryption, backup)
## 2. Firewalls

### Firewall Overview

A firewall is a network security device that monitors network traffic and allows or blocks traffic according to security rules.

Typical firewall position (traffic flows from the Internet inward):

1. Internet
2. Border router
3. Firewall (external FW): traffic filtering
4. DMZ: web server, mail server
5. Firewall (internal FW): internal protection
6. Internal network: employee PCs, internal servers
### Firewall Types

#### 1. Packet Filtering Firewall

Operating layer: L3 (Network), L4 (Transport)

Inspection criteria: source IP, destination IP, protocol, source port, destination port (packet headers only).

Rule example (rules are evaluated in order; the last rule is the default deny):

| # | Source IP | Dest IP | Port | Protocol | Action |
|---|---|---|---|---|---|
| 1 | 192.168.1.0/24 | any | 80 | TCP | ALLOW |
| 2 | any | 192.168.1.10 | 22 | TCP | ALLOW |
| 3 | 10.0.0.0/8 | any | any | any | DENY |
| 4 | any | any | any | any | DENY |

Pros: fast, simple implementation
Cons: cannot inspect packet content, no state tracking
#### 2. Stateful Inspection Firewall

Operating layer: L3, L4 plus connection state tracking

State table:

| Src IP:Port | Dest IP:Port | Protocol | State | Timeout |
|---|---|---|---|---|
| 192.168.1.10:45000 | 93.184.216.34:80 | TCP | ESTABLISHED | 3600 |
| 192.168.1.10:45001 | 8.8.8.8:53 | UDP | ACTIVE | 60 |
| 192.168.1.20:52000 | 10.0.0.5:22 | TCP | ESTABLISHED | 7200 |

TCP state tracking across the three-way handshake:

1. The client sends SYN; the firewall creates a NEW entry and forwards the SYN to the server.
2. The server replies SYN-ACK; the firewall matches it to the entry and forwards it to the client.
3. The client sends ACK; the firewall forwards it and marks the connection ESTABLISHED.

Pros: connection state tracking, return traffic allowed automatically
Cons: cannot inspect packet content
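The two behaviours described above, stateless rule matching and connection-state tracking, as an added Python example that is not part of the original page. It assumes the page's packet-filter rule table (first match wins) and a state table keyed by the 5-tuple; `Packet`, `stateless_filter`, `StatefulFirewall` and `handshake_demo` are names chosen here, and all addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rules mirroring the page's packet-filter table.
# First match wins; the last rule is the default deny.
RULES = [
    # (source, dest, dport, proto, action)
    ("192.168.1.0/24", "any", 80, "tcp", "ALLOW"),
    ("any", "192.168.1.10", 22, "tcp", "ALLOW"),
    ("10.0.0.0/8", "any", "any", "any", "DENY"),
    ("any", "any", "any", "any", "DENY"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def _match(rule_value, value, net=False):
    """'any' matches everything; networks are matched by prefix, others by equality."""
    if rule_value == "any":
        return True
    if net:
        return ipaddress.ip_address(value) in ipaddress.ip_network(rule_value)
    return rule_value == value


def stateless_filter(pkt, rules=RULES):
    """Packet-filtering firewall: decide from header fields alone, first match wins."""
    for src, dst, dport, proto, action in rules:
        if (_match(src, pkt.src, net=True) and _match(dst, pkt.dst, net=True)
                and _match(dport, pkt.dport) and _match(proto, pkt.proto)):
            return action
    return "DENY"  # safe default if no catch-all rule is present


class StatefulFirewall:
    """Stateful inspection: a state table keyed by the 5-tuple lets reply packets
    through without an explicit rule, and rejects packets that fit no connection."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = {}  # (src, sport, dst, dport, proto) -> "NEW" | "ESTABLISHED"

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.state:
            # The client's ACK (no SYN) completes the handshake.
            if pkt.proto == "tcp" and "ACK" in pkt.flags and "SYN" not in pkt.flags:
                self.state[fwd] = "ESTABLISHED"
            return "ALLOW"
        if rev in self.state:
            return "ALLOW"  # return traffic for a tracked connection
        # No state: only a fresh connection attempt may consult the rules.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "DENY"   # e.g. a stray ACK that belongs to no connection
        if stateless_filter(pkt, self.rules) == "ALLOW":
            self.state[fwd] = "NEW"
            return "ALLOW"
        return "DENY"


def handshake_demo():
    """Walk the three-way handshake from 192.168.1.10 to a web server (constructed)."""
    fw = StatefulFirewall()
    c, s = "192.168.1.10", "93.184.216.34"
    syn = Packet(c, 45000, s, 80, "tcp", frozenset({"SYN"}))
    synack = Packet(s, 80, c, 45000, "tcp", frozenset({"SYN", "ACK"}))
    ack = Packet(c, 45000, s, 80, "tcp", frozenset({"ACK"}))
    stray = Packet("198.51.100.7", 4444, c, 45000, "tcp", frozenset({"ACK"}))
    return {
        "syn": fw.inspect(syn),
        "synack_stateless": stateless_filter(synack),  # no rule allows port 45000
        "synack_stateful": fw.inspect(synack),         # matched via the state table
        "ack": fw.inspect(ack),
        "state": fw.state[(c, 45000, s, 80, "tcp")],
        "stray_ack": fw.inspect(stray),
    }
```

`handshake_demo()` shows the difference between the two types: the server's SYN-ACK is denied by the stateless rules (nothing allows traffic to port 45000) but allowed by the stateful firewall because it belongs to a tracked connection, while an ACK from an unknown host is dropped. Note also that rule 2 sits above rule 3, so a 10.0.0.0/8 host can still reach SSH on 192.168.1.10; rule order decides.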
#### 3. Application Layer Firewall

Operating layer: L7 (Application)

Inspection criteria:

- HTTP method, URL, headers, body
- DNS query content
- FTP commands
- SQL query patterns

Features (Web Application Firewall, WAF):

- Block SQL injection
- Block XSS attacks
- Block malicious file uploads
- API request validation

Pros: detailed traffic analysis, application-level protection
Cons: high processing load, complex configuration
### Next-Generation Firewall (NGFW)

An NGFW combines the firewall types above with additional inspection features:

- Packet filtering
- Stateful inspection
- Application recognition
- Integrated IPS
- SSL decryption
- User identity
- Threat intelligence
- Sandboxing
- URL filtering

Major vendors: Palo Alto, Fortinet, Check Point, Cisco
### Firewall Rule Example (iptables)

```bash
# Set default policies: drop everything not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow return traffic for connections we initiated (stateful)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (port 22) from the 192.168.1.0/24 subnet only.
# Rules match in order: an earlier rule accepting port 22 from any
# source would shadow this restriction, so no such rule is added.
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ICMP echo requests (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# View rules with packet counters
iptables -L -n -v

# Save rules
iptables-save > /etc/iptables.rules
```
## 3. NAT

### NAT Overview

NAT (Network Address Translation) rewrites the IP addresses in packets as they pass through a router, typically mapping private internal addresses to a public address.

Basic concept: a private network 192.168.1.0/24 with PC-1 (.10), PC-2 (.20) and PC-3 (.30) sits behind a NAT router whose internal address is 192.168.1.1 and whose external address is 203.0.113.1. To the Internet, all three PCs appear as 203.0.113.1.
### NAT Types

#### 1. Static NAT (1:1)

Fixed mapping: private IP to public IP (1:1).

| Private IP | Public IP |
|---|---|
| 192.168.1.10 | 203.0.113.10 |
| 192.168.1.20 | 203.0.113.20 |
| 192.168.1.30 | 203.0.113.30 |

Use case: when external access to an internal server is needed.

#### 2. Dynamic NAT (N:N)

Dynamic mapping: private IP pool to public IP pool. Each internal host is assigned an available public IP when it connects.

- Private IP pool: 192.168.1.10, 192.168.1.20, 192.168.1.30, 192.168.1.40
- Public IP pool: 203.0.113.10, 203.0.113.11, 203.0.113.12

Features:

- First-come-first-served allocation
- Concurrent connections limited to the number of public IPs

#### 3. PAT/NAPT (N:1) - Most Common

PAT (Port Address Translation): multiple private IPs share one public IP, distinguished by port. Each outbound flow (for example 192.168.1.10:45000) is mapped to the public IP with its own port (203.0.113.1:10001) before it reaches the Internet.

NAT table:

| Internal Address:Port | External Address:Port |
|---|---|
| 192.168.1.10:45000 | 203.0.113.1:10001 |
| 192.168.1.20:45001 | 203.0.113.1:10002 |
| 192.168.1.30:45002 | 203.0.113.1:10003 |

Use case: home, small business (routers)
### NAT Operation Process

1. Internal to external (outbound): PC 192.168.1.10:45000 sends a packet to web server 93.184.216.34:80. The NAT router (203.0.113.1) rewrites the source to 203.0.113.1:10001, records the mapping in its table, and forwards the packet; the destination 93.184.216.34:80 is unchanged.
2. External to internal (inbound response): the server replies with source 93.184.216.34:80 and destination 203.0.113.1:10001. The NAT router looks up port 10001 in its table and rewrites the destination back to 192.168.1.10:45000.
### NAT's Security Role

Pros (security perspective):

1. Hides internal IP addresses: outsiders cannot easily learn the internal network layout.
2. Natural firewall effect: direct external access to internal hosts is not possible; only internally-initiated connections are allowed.
3. Session-based filtering: packets not in the NAT table are blocked.

Caution:

- NAT is address translation, not a security function.
- It should be used together with a firewall.
- Port forwarding exposes internal hosts.
### Port Forwarding

Port forwarding is a NAT configuration that allows external access to an internal server. A packet from the Internet with destination 203.0.113.1:80 reaches the NAT router, which rewrites the destination to 192.168.1.100:80 and forwards it to the internal server.

Configuration example:

| External Port | Internal IP | Internal Port | Protocol |
|---|---|---|---|
| 80 | 192.168.1.100 | 80 | TCP |
| 443 | 192.168.1.100 | 443 | TCP |
| 22 | 192.168.1.200 | 22 | TCP |

Linux iptables example:

```bash
iptables -t nat -A PREROUTING -p tcp --dport 80 \
    -j DNAT --to-destination 192.168.1.100:80
```

With the default FORWARD DROP policy from the earlier ruleset, a matching rule in the FORWARD chain is also needed for the translated packet to reach 192.168.1.100.
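The NAT operation process, the session-based filtering described under NAT's security role, and port forwarding, as one added Python example that is not part of the original page. It models a PAT router in the stricter form where an inbound packet must come from the same remote endpoint the session was opened to; `PatRouter` and `nat_demo` are names chosen here, and all addresses and ports are constructed samples.

```python
import itertools


class PatRouter:
    """PAT/NAPT router with a port-forwarding table.

    Outbound packets get their source rewritten to the public IP and a port from
    the NAT pool; the remote endpoint is recorded with the entry. Inbound packets
    are translated only if they match that entry exactly (session-based filtering)
    or hit an explicit port-forwarding rule; everything else is dropped.
    """

    def __init__(self, public_ip, first_port=10001):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (external port, proto) -> (internal ip, internal port, remote ip, remote port)
        self.table = {}
        # (internal ip, internal port, proto) -> external port
        self.reverse = {}
        # (external port, proto) -> (internal ip, internal port)
        self.forwards = {}

    def add_port_forward(self, ext_port, internal_ip, internal_port, proto="tcp"):
        self.forwards[(ext_port, proto)] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """Translate a packet leaving the private network (source rewrite)."""
        src, sport, proto = pkt["src"], pkt["sport"], pkt["proto"]
        # Replies from a port-forwarded server keep the published external port.
        for (ext_port, fproto), target in self.forwards.items():
            if fproto == proto and target == (src, sport):
                return {**pkt, "src": self.public_ip, "sport": ext_port}
        ext_port = self.reverse.get((src, sport, proto))
        if ext_port is None:
            ext_port = next(self._ports)
            self.reverse[(src, sport, proto)] = ext_port
        self.table[(ext_port, proto)] = (src, sport, pkt["dst"], pkt["dport"])
        return {**pkt, "src": self.public_ip, "sport": ext_port}

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet, or return None to drop it."""
        if pkt["dst"] != self.public_ip:
            return None
        key = (pkt["dport"], pkt["proto"])
        entry = self.table.get(key)
        if entry and (pkt["src"], pkt["sport"]) == entry[2:]:
            return {**pkt, "dst": entry[0], "dport": entry[1]}
        if key in self.forwards:
            ip, port = self.forwards[key]
            return {**pkt, "dst": ip, "dport": port}
        return None  # unsolicited: no session and no forwarding rule


def nat_demo():
    """Replay the page's outbound/inbound exchange, a port-forwarded request and
    its reply, and two unsolicited inbound packets (constructed samples)."""
    r = PatRouter("203.0.113.1")
    r.add_port_forward(80, "192.168.1.100", 80)
    out = r.outbound({"src": "192.168.1.10", "sport": 45000,
                      "dst": "93.184.216.34", "dport": 80, "proto": "tcp"})
    reply = r.inbound({"src": "93.184.216.34", "sport": 80,
                       "dst": "203.0.113.1", "dport": out["sport"], "proto": "tcp"})
    # Same external port, but from a host the session was never opened to.
    spoof = r.inbound({"src": "198.51.100.7", "sport": 80,
                       "dst": "203.0.113.1", "dport": out["sport"], "proto": "tcp"})
    web_in = r.inbound({"src": "198.51.100.7", "sport": 40000,
                        "dst": "203.0.113.1", "dport": 80, "proto": "tcp"})
    web_out = r.outbound({"src": "192.168.1.100", "sport": 80,
                          "dst": "198.51.100.7", "dport": 40000, "proto": "tcp"})
    probe = r.inbound({"src": "198.51.100.7", "sport": 40001,
                       "dst": "203.0.113.1", "dport": 22, "proto": "tcp"})
    return {"out": out, "reply": reply, "spoof": spoof,
            "web_in": web_in, "web_out": web_out, "probe": probe}
```

In `nat_demo()` the reply to the PC's request is translated back to 192.168.1.10:45000, the request to the forwarded port 80 reaches 192.168.1.100 and its reply keeps the public port 80, while a packet to port 22 and a packet to the session port from the wrong remote host are both dropped. That last drop is the "natural firewall effect", and the port-forward entry is exactly the hole the caution above refers to.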
## 4. VPN

### VPN Overview

VPN (Virtual Private Network) provides secure private network connections through public networks.

Without a VPN, data travels across the public Internet in plaintext (PC -> Internet -> Server) and eavesdropping is possible. With a VPN, the PC sends its traffic through an encrypted tunnel across the Internet to the VPN server, which forwards it to the destination (PC -> encrypted tunnel -> Internet -> VPN Server -> Server), giving a secure connection.

VPN features:

- Data encryption (confidentiality)
- Data integrity verification
- User authentication
- IP address hiding
### VPN Types

#### 1. Site-to-Site VPN

Two networks, for example an HQ network (10.1.0.0/16) and a branch network (10.2.0.0/16), each place a VPN gateway at their edge. The two gateways build a VPN tunnel across the Internet, so the PCs and servers on either side reach the other network without running VPN software themselves.

Use case: HQ-branch connection, data center connection

#### 2. Remote Access VPN

Each remote user's PC runs a VPN client that builds a tunnel across the Internet to a VPN server at the company edge. The VPN server then forwards the user's traffic into the company network (servers, databases, file servers).

Use case: remote work, business trip access to the company network
### VPN Protocols
| Protocol | Layer | Features | Security |
|---|---|---|---|
| PPTP | L2 | Old, fast | Weak (not recommended) |
| L2TP/IPsec | L2+L3 | Common | Strong |
| IPsec | L3 | Standard, compatible | Strong |
| OpenVPN | L3/L4 | Open source, flexible | Strong |
| WireGuard | L3 | Latest, fast, simple | Strong |
| SSL/TLS VPN | L4-L7 | Browser-based | Strong |
### IPsec VPN

IPsec components:

1. IKE (Internet Key Exchange)
   - Key exchange and SA (Security Association) establishment
   - Phase 1: IKE SA establishment (authentication, encryption negotiation)
   - Phase 2: IPsec SA establishment (actual tunnel setup)
2. AH (Authentication Header)
   - Data integrity, source authentication
   - No encryption
3. ESP (Encapsulating Security Payload)
   - Data encryption + integrity + authentication
   - Most commonly used

IPsec modes:

- Tunnel mode: encrypts the entire IP packet; used in Site-to-Site VPN.
  - Original: `[IP Header][Data]`
  - Result: `[New IP Header][ESP Header][Encrypted Original Packet][ESP Trailer]`
- Transport mode: encrypts the data payload only; used in host-to-host communication.
  - Original: `[IP Header][Data]`
  - Result: `[IP Header][ESP Header][Encrypted Data][ESP Trailer]`
### WireGuard

Features:

- Modern encryption (ChaCha20, Poly1305, Curve25519)
- ~4,000 lines of code (100x less than IPsec)
- Fast connection, low latency
- Built into the Linux kernel (5.6+)

Configuration example (/etc/wireguard/wg0.conf):

```ini
[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
```

`AllowedIPs` is both a route and an access control list: the server only accepts decrypted packets from this peer whose source address lies in 10.0.0.2/32, and only sends packets for that address to this peer.

Commands:

```bash
wg-quick up wg0     # Start VPN
wg-quick down wg0   # Stop VPN
wg show             # Show status
```
## 5. Encryption Basics

### Encryption Overview

Encryption transforms plaintext into ciphertext using a key; decryption with the key recovers the plaintext:

- Plaintext `"Hello World"` + key -> encryption -> ciphertext `"Xj2#kL9@mP"`
- Ciphertext `"Xj2#kL9@mP"` + key -> decryption -> plaintext `"Hello World"`
### Symmetric Encryption

Encrypt and decrypt with the same key. The sender encrypts the plaintext "Hello" with the secret key ("secretkey") and sends the ciphertext ("Xj2#k"); the receiver, who holds the same secret key, decrypts it back to "Hello". The secret key itself has to reach the receiver by some separate secure path.

Main algorithms:

- AES (Advanced Encryption Standard): current standard
- ChaCha20: optimized for mobile
- 3DES: legacy (not recommended)

Pros: fast
Cons: key distribution problem (how to share the key securely?)
### Asymmetric Encryption

Uses a public/private key pair. The receiver's public key can be shared with anyone; the private key is known only to its owner.

Encryption scenario:

1. Alice (sender) requests Bob's (receiver's) public key over a public channel.
2. Alice encrypts the plaintext "Hello" with Bob's public key and sends the ciphertext.
3. Bob decrypts the ciphertext with his private key and recovers "Hello".

Main algorithms:

- RSA (2048+ bit)
- ECC (Elliptic Curve Cryptography)
- Ed25519 (specialized for digital signatures)

Pros: solves the key distribution problem
Cons: slower than symmetric encryption (100~1000x)
### Hybrid Encryption

Exchange a symmetric key securely using asymmetric encryption, then communicate with the symmetric key:

1. The client requests the server's public key.
2. The server sends its public key.
3. The client generates a symmetric session key (e.g., AES-256), encrypts it with the server's public key, and sends the encrypted session key.
4. The server decrypts the session key with its private key; from then on both sides communicate encrypted with the session key.

※ TLS/SSL uses this method.
### Hash Functions

A hash function converts input data of any length into a fixed-length hash value and is one-way.

| Input (variable length) | Hash (fixed length, SHA-256) |
|---|---|
| "Hello" | a591a6d40bf... |
| "Hello World" | b94d27b9934... |
| "hello" | 2cf24dba5fb... |

A small change in the input gives a completely different result.

Properties:

1. One-way: the original cannot be recovered from the hash.
2. Deterministic: the same input always gives the same hash.
3. Collision resistance: it is difficult to find two different inputs with the same hash.
4. Avalanche effect: a small input change causes a large hash change.

Main algorithms:

| Algorithm | Output | Status |
|---|---|---|
| MD5 | 128 bit | Weak (prohibited) |
| SHA-1 | 160 bit | Weak (prohibited) |
| SHA-256 | 256 bit | Safe (recommended) |
| SHA-3 | Variable | Safe (latest) |
| BLAKE2 | Variable | Safe (fast) |

Use cases:

- Password storage (hash + salt)
- Data integrity verification
- Digital signatures
- File checksums
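The hash properties and two of the use cases above (file integrity verification and salted password storage), as an added Python example that is not part of the original page. It uses only the standard library; the digests it checks are computed by `hashlib` rather than copied from the table, and `avalanche_demo`, `integrity_demo`, `hash_password` and `verify_password` are names chosen here. The file contents and passwords are constructed samples.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests: measures the avalanche effect."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_demo():
    """Digest the page's three inputs and count the bits that differ between
    "Hello" and "hello" (one character changed in case)."""
    digests = {s: sha256_hex(s.encode()) for s in ("Hello", "Hello World", "hello")}
    return digests, differing_bits(digests["Hello"], digests["hello"])


def file_digest(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """Integrity check against a digest obtained from a trusted source."""
    return hmac.compare_digest(file_digest(path), expected_hex.lower())


def integrity_demo():
    """Write a constructed file, record its digest, append one byte, re-verify."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"release-1.0.tar contents (constructed sample)\n")
        path = f.name
    try:
        expected = file_digest(path)
        ok_before = verify_file(path, expected)
        with open(path, "ab") as f:
            f.write(b"x")
        ok_after = verify_file(path, expected)
    finally:
        os.remove(path)
    return ok_before, ok_after


# Password storage: never a bare hash. A per-user random salt defeats precomputed
# (rainbow) tables and makes identical passwords hash differently; the PBKDF2
# iteration count slows down brute-force guessing.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

`avalanche_demo()` returns digests that are 64 hex characters long regardless of input length, and a one-character case change flips roughly half of the 256 bits. `integrity_demo()` returns `(True, False)`: appending a single byte is enough to fail verification. Hashing the same password twice gives two different stored strings because of the salt, which is why a bare hash is not enough for password storage.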
### Digital Signatures

Signature creation (sender):

1. Hash the original document to get the document hash value.
2. Encrypt the hash with the sender's private key; the result is the digital signature.
3. Transmit `[Original document] + [Digital signature]`.

Signature verification (receiver):

1. Hash the received document to get the calculated hash.
2. Decrypt the digital signature with the sender's public key to get the decrypted hash.
3. Compare: calculated hash =? decrypted hash.

Match: integrity verified and sender authenticated.
## 6. Practice Problems

### Basic Problems

- Security Basics
  - Explain the three elements of the CIA Triad.
  - What is Defense in Depth?
- Firewalls
  - What's the difference between packet filtering and stateful firewalls?
  - What does this iptables rule do?

    ```bash
    iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
    ```

- NAT
  - What are the two main purposes of NAT?
  - Explain the operating principle of PAT (Port Address Translation).

### Intermediate Problems

- VPN
  - What's the difference between Site-to-Site VPN and Remote Access VPN?
  - Explain the difference between IPsec tunnel mode and transport mode.
- Encryption
  - Compare the pros and cons of symmetric and asymmetric encryption.
  - Why does TLS use hybrid encryption?
- Practical Problems

    ```
    # Suggest appropriate security solutions for these scenarios
    # 1. Remote worker needs to access company internal network
    # Answer:
    # 2. Need to block SQL Injection attacks on web server
    # Answer:
    # 3. Secure communication needed between HQ and branch office
    # Answer:
    ```

### Advanced Problems

- Comprehensive Analysis
  - Find security vulnerabilities in this network:

    ```
    Internet --- Router --- Internal Network (Web Server)
    ```

- Encryption Application
  - Explain how to use hashing to verify file integrity.
  - Why is using only a hash insufficient for password storage?
## 7. Next Steps
In 16_Security_Threats_Response.md, let's learn about specific security threats like sniffing, spoofing, and DDoS, along with response strategies!
## 8. References
### Tools
- iptables/nftables - Linux firewalls
- OpenVPN - Open source VPN
- WireGuard - Modern VPN
- OpenSSL - Encryption tools