
Network Security

Protecting network infrastructure from threats — security layers, IDS/IPS, secure protocols, segmentation, and attack mitigation.

Network Security Layers

A layered approach to protecting network infrastructure

Edge

Perimeter firewalls, DDoS protection, CDN/WAF at the network boundary

Network

Internal firewalls, IDS/IPS, VLANs, NAC, VPN gateways

Host

OS hardening, endpoint protection, host firewalls, patch management

Application

Input validation, authentication, encryption, secure coding

Diagram: Outside → Edge → Network → Host → Application → Inside

IDS vs IPS

Intrusion Detection vs Intrusion Prevention Systems

Feature         | IDS                                        | IPS
----------------|--------------------------------------------|---------------------------------------------
Position        | Out-of-band (monitors a copy of traffic)   | Inline (traffic passes through it)
Action          | Alerts, logs, reports                      | Blocks, drops, resets connections
Detection       | Signature + anomaly-based                  | Signature + anomaly + policy-based
Latency         | No impact on traffic flow                  | May add latency (inline processing)
False positives | Low impact (alert only, nothing blocked)   | High impact (may block legitimate traffic)
Examples        | Snort (IDS mode), Suricata (IDS)           | Snort (inline), Palo Alto, Cisco Firepower
Use case        | Monitoring, forensics, compliance          | Real-time threat prevention

Note: Many modern systems combine both as IDPS (Intrusion Detection and Prevention Systems), offering configurable detection and automated response capabilities.

Secure Protocols

Protocols that provide encrypted and authenticated communication

HTTPS

Port 443

HTTP over TLS. Encrypts all web traffic between client and server.

SSH

Port 22

Secure Shell for remote administration. Encrypts login sessions and command execution.

SFTP

Port 22

SSH File Transfer Protocol. Secure file transfer over SSH.

TLS

Port 443 (when carrying HTTPS)

Transport Layer Security. Underlying encryption for HTTPS, SMTPS, FTPS, etc.; TLS itself has no fixed port and runs over whichever port the protocol it protects uses.

IPsec

Port 500/4500

IP Security. Encrypts IP packets for VPNs. Works in transport or tunnel mode.

SMTPS

Port 465/587

SMTP over TLS (implicit TLS on 465, STARTTLS upgrade on 587). Encrypts email transmission between mail servers and clients.

Network Segmentation

Dividing a network into smaller, isolated segments to limit breach impact

VLAN

Virtual LANs logically segment networks at Layer 2. Devices in different VLANs cannot communicate without a router or Layer 3 switch.

DMZ

Demilitarized Zone — a buffer network between internal LAN and the internet. Public-facing servers (web, mail, DNS) are placed here.

Subnetting

Dividing IP address ranges into smaller subnets. Limits broadcast domains and allows granular firewall rules between segments.

Zero Trust: Modern segmentation follows Zero Trust principles — never trust, always verify. Every request is authenticated and authorized regardless of network location (no implicit trust based on being "inside" the network).
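
The following is an added example (not part of the CampusFlow page) showing how the segmentation above turns into an enforceable policy: hosts are grouped into subnets, one per zone, and a default-deny rule table decides which flows may cross between zones. Zone names, address ranges and rules are constructed for illustration.

```python
"""Segment-to-segment firewall policy check (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segment plan: one subnet (and one VLAN) per zone.
SEGMENTS = {
    "dmz": ip_network("203.0.113.0/24"),     # public-facing web/mail/DNS
    "internal": ip_network("10.10.0.0/16"),  # user workstations
    "mgmt": ip_network("10.99.0.0/24"),      # switch/firewall management
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Allow-list between zones. Rules are one-directional; return traffic is
# expected to be handled by the firewall's stateful connection tracking.
# Anything not listed is denied (default deny), so a compromised DMZ host
# has no rule letting it initiate connections into "internal".
RULES = [
    Rule("internal", "dmz", "tcp", 443),  # users reach DMZ web over HTTPS
    Rule("mgmt", "dmz", "tcp", 22),       # admins SSH into DMZ hosts
    Rule("mgmt", "internal", "tcp", 22),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide whether a new flow may cross from src to dst."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address: no implicit trust
    if src == dst:
        return True  # same VLAN: reachable at Layer 2, no firewall in the path
    return Rule(src, dst, proto, dport) in RULES
```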

Defense in Depth

A layered security strategy with overlapping controls

Physical Security

  • Locks, biometric access
  • Security cameras
  • Server room access control

Perimeter Security

  • Firewalls
  • DDoS protection
  • WAF
  • VPN gateways

Internal Security

  • Network segmentation
  • IDS/IPS
  • NAC
  • Internal firewalls

Host Security

  • Antivirus/EDR
  • OS hardening
  • Patch management
  • Host firewall

Application Security

  • Secure coding
  • Input validation
  • Auth & session mgmt

Data Security

  • Encryption at rest
  • Encryption in transit
  • DLP
  • Backup

Identity Security

  • MFA
  • IAM
  • SSO
  • Privileged access mgmt

Procedural

  • Security policies
  • Incident response
  • Awareness training
  • Audits

Common Network Attacks

Frequent attack vectors targeting network infrastructure

DoS / DDoS

Overwhelms a target with traffic, making services unavailable. DDoS uses distributed sources (botnets).

ARP Spoofing

Attacker sends forged ARP messages to associate their MAC with a legitimate IP, enabling traffic interception on the LAN.
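
As an added example (not code from the CampusFlow page), the detector below watches a stream of ARP replies for an IP whose MAC binding changes, which is how a sensor notices the attack described above, and runs the same logic in IDS mode (alert only) and IPS mode (alert and drop), illustrating the IDS vs IPS table earlier on the page. The ARP records, addresses and MACs are constructed; a real sensor would take frames from a SPAN port (IDS) or an inline bridge (IPS).

```python
"""ARP binding-change detector in IDS and IPS modes (constructed example)."""
from typing import Dict, List, Tuple

# Constructed ARP replies as (sender_ip, sender_mac). The fourth frame claims
# the gateway's IP with a different MAC; a sensor cannot tell a forged reply
# from a real one by itself, only that the learned binding has changed.
ARP_REPLIES = [
    ("10.10.0.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    ("10.10.0.20", "aa:bb:cc:00:00:20"),
    ("10.10.0.1", "aa:bb:cc:00:00:01"),   # gateway again, same MAC: fine
    ("10.10.0.1", "de:ad:be:ef:00:99"),   # same IP, new MAC: binding change
    ("10.10.0.20", "aa:bb:cc:00:00:20"),
]


def process(replies, inline: bool) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (alerts, forwarded_frames) for a stream of ARP replies.

    inline=False models an IDS on a traffic copy: the network forwards every
    frame regardless, the sensor only records alerts.
    inline=True models an IPS: a frame whose binding conflicts with the
    learned table is dropped, so the poisoned entry never reaches hosts.
    Note the false-positive cost: a legitimate NIC replacement also changes
    the binding, and in IPS mode that host is cut off until the table is
    cleared. Switch features such as Dynamic ARP Inspection avoid this by
    validating against a DHCP snooping table instead of "first seen wins".
    """
    bindings: Dict[str, str] = {}   # learned IP -> MAC, first seen wins
    alerts: List[str] = []
    forwarded: List[Tuple[str, str]] = []
    for ip, mac in replies:
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"ARP binding change for {ip}: {known} -> {mac}")
            if inline:
                continue            # IPS: drop the conflicting frame
        forwarded.append((ip, mac))
    return alerts, forwarded


if __name__ == "__main__":
    for mode in (False, True):
        alerts, fwd = process(ARP_REPLIES, inline=mode)
        label = "IPS" if mode else "IDS"
        print(f"{label}: {len(alerts)} alert(s), {len(fwd)} of {len(ARP_REPLIES)} frames forwarded")
        for a in alerts:
            print("  " + a)
```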

DNS Spoofing

Attacker corrupts DNS cache to redirect users to malicious sites. Also known as DNS cache poisoning.

MitM

Man-in-the-Middle — attacker secretly relays and potentially alters communication between two parties.

Port Scanning

Attackers probe open ports to identify running services and potential vulnerabilities for exploitation.

Packet Sniffing

Capturing network packets to extract sensitive data like passwords, cookies, or unencrypted content.

Mitigation Strategies

  • Deploy firewalls at the perimeter and between network segments
  • Use IDS/IPS for traffic monitoring and threat prevention
  • Implement network segmentation with VLANs and firewalls
  • Enforce HTTPS and use TLS 1.3 everywhere
  • Use VPNs for remote access and site-to-site connections
  • Enable switch port security features (such as Dynamic ARP Inspection) to block ARP spoofing
  • Deploy DDoS protection services (Cloudflare, AWS Shield)
  • Implement DNSSEC to prevent DNS spoofing attacks
  • Run regular vulnerability scans and penetration tests
  • Use 802.1X for network access control (NAC)
  • Monitor network traffic with SIEM and log analysis
  • Keep firmware and network device software updated

Interview Questions

Common network security interview questions with answers