Chapter 19: Network Security Fundamentals

Learning Objectives

By the end of this chapter, you will be able to:

  • Understand fundamental network security concepts and threats
  • Implement defense-in-depth security strategies
  • Configure basic security features in ContainerLab environments
  • Apply security best practices to network infrastructure
  • Recognize and mitigate common network attacks

Network Security Overview

What is Network Security?

Network security encompasses the policies, procedures, and technologies designed to protect network infrastructure, data, and resources from unauthorized access, misuse, modification, or destruction. It involves multiple layers of defense to create a comprehensive security posture.

Core Security Principles

CIA Triad:

  • Confidentiality: Ensuring information is accessible only to authorized users
  • Integrity: Maintaining data accuracy and preventing unauthorized modification
  • Availability: Ensuring systems and data are accessible when needed

Additional Principles:

  • Authentication: Verifying user and device identities
  • Authorization: Controlling access to resources
  • Accounting: Tracking and logging security events
  • Non-repudiation: Preventing denial of actions

Common Network Threats

External Threats

  1. Malware: Viruses, worms, trojans, ransomware
  2. DDoS Attacks: Distributed denial of service
  3. Man-in-the-Middle: Intercepting communications
  4. Social Engineering: Manipulating users for information
  5. Advanced Persistent Threats (APTs): Long-term targeted attacks

Internal Threats

  1. Insider Threats: Malicious or negligent employees
  2. Privilege Escalation: Unauthorized access elevation
  3. Data Exfiltration: Unauthorized data removal
  4. Misconfigurations: Accidental security weaknesses
  5. Shadow IT: Unauthorized technology usage

Defense-in-Depth Strategy

Defense-in-depth implements multiple security layers to protect against various threats.

Security Layers

  1. Physical Security: Securing physical access to infrastructure
  2. Perimeter Security: Firewalls, IPS, and network segmentation
  3. Network Security: VLANs, ACLs, and network monitoring
  4. Host Security: Endpoint protection and hardening
  5. Application Security: Secure coding and application firewalls
  6. Data Security: Encryption and data loss prevention

Network Security Lab Environment

Basic Security Lab Setup

# Network security demonstration lab
name: network-security-lab
prefix: sec

topology:
  nodes:
    # Internet-facing router (DMZ)
    edge-router:
      kind: cisco_iosxe
      image: cisco/iosxe:latest
      mgmt-ipv4: 172.20.20.10
      startup-config: |
        hostname Edge-Router
        !
        ! External interface (simulated internet)
        interface GigabitEthernet0/0/0
         description Internet-Facing
         ip address 203.0.113.1 255.255.255.252
         no shutdown
        !
        ! DMZ interface
        interface GigabitEthernet0/0/1
         description DMZ-Network
         ip address 192.168.100.1 255.255.255.0
         no shutdown
        !
        ! Internal interface
        interface GigabitEthernet0/0/2
         description Internal-Network
         ip address 10.1.1.1 255.255.255.252
         no shutdown
        !
        ! Basic security configuration
        no ip source-route
        no ip gratuitous-arps
        ip cef
        !
        ! Return routes to the networks behind Internal-Firewall (without
        ! these, replies to internal hosts have no path back)
        ip route 192.168.10.0 255.255.255.0 10.1.1.2
        ip route 192.168.20.0 255.255.255.0 10.1.1.2
        !
        ! Access control lists (will be configured later)
        !

    # Internal firewall/router
    internal-fw:
      kind: cisco_iosxe
      image: cisco/iosxe:latest
      mgmt-ipv4: 172.20.20.11
      startup-config: |
        hostname Internal-Firewall
        !
        interface GigabitEthernet0/0/0
         description To-Edge-Router
         ip address 10.1.1.2 255.255.255.252
         no shutdown
        !
        interface GigabitEthernet0/0/1
         description Internal-LAN
         ip address 192.168.10.1 255.255.255.0
         no shutdown
        !
        interface GigabitEthernet0/0/2
         description Server-VLAN
         ip address 192.168.20.1 255.255.255.0
         no shutdown
        !
        ! Security hardening
        no ip source-route
        no ip gratuitous-arps
        service password-encryption
        !
        ! Default route toward Edge-Router
        ip route 0.0.0.0 0.0.0.0 10.1.1.1
        !

    # DMZ web server
    dmz-server:
      kind: linux
      image: nginx:alpine
      mgmt-ipv4: 172.20.20.20
      # nginx:alpine already runs nginx as its entrypoint; only addressing is needed
      exec:
        - ip addr add 192.168.100.10/24 dev eth1
        - ip route add default via 192.168.100.1

    # Internal workstation
    internal-pc:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.21
      exec:
        - ip addr add 192.168.10.10/24 dev eth1
        - ip route add default via 192.168.10.1
        - apk add --no-cache curl nmap

    # Internal server
    internal-server:
      kind: linux
      image: ubuntu:20.04
      mgmt-ipv4: 172.20.20.22
      exec:
        - ip addr add 192.168.20.10/24 dev eth1
        - ip route add default via 192.168.20.1
        - apt update && apt install -y openssh-server
        - service ssh start

    # Simulated internet/attacker
    internet-sim:
      kind: linux
      image: alpine:latest
      mgmt-ipv4: 172.20.20.100
      exec:
        - ip addr add 203.0.113.2/30 dev eth1
        - ip route add default via 203.0.113.1
        - apk add --no-cache nmap hping3 curl

  links:
    # Network connections
    - endpoints: ["edge-router:eth1", "internet-sim:eth1"]
    - endpoints: ["edge-router:eth2", "dmz-server:eth1"]
    - endpoints: ["edge-router:eth3", "internal-fw:eth1"]
    - endpoints: ["internal-fw:eth2", "internal-pc:eth1"]
    - endpoints: ["internal-fw:eth3", "internal-server:eth1"]

Access Control Lists (ACLs)

ACL Fundamentals

Access Control Lists are packet filters that permit or deny traffic based on various criteria such as source/destination IP addresses, ports, and protocols.

ACL Types

Standard ACLs (1-99, 1300-1999):

  • Filter based on source IP address only
  • Applied close to destination

Extended ACLs (100-199, 2000-2699):

  • Filter based on source/destination IP, ports, protocols
  • Applied close to source

Named ACLs:

  • Use descriptive names instead of numbers
  • Allow modification of individual entries

Basic ACL Configuration

Standard ACL Example

# Deploy the security lab
containerlab deploy -t network-security-lab.yml

# Configure standard ACL on internal firewall
docker exec -it clab-sec-internal-fw cli

configure terminal
! Standard ACL to block specific source
access-list 10 deny 192.168.10.50 0.0.0.0
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any

! Apply to interface
interface GigabitEthernet0/0/1
 ip access-group 10 in

! Verify ACL
show access-lists
show ip interface GigabitEthernet0/0/1

Extended ACL Example

# Extended ACL for more granular control
configure terminal
! Block HTTP traffic from internal network to internet
access-list 101 deny tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 101 deny tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

! Apply to interface
interface GigabitEthernet0/0/0
 ip access-group 101 out

Named ACL Example

# Named ACL for better management
configure terminal
ip access-list extended INTERNET-FILTER
 deny tcp 192.168.10.0 0.0.0.255 any eq 80 log
 deny tcp 192.168.10.0 0.0.0.255 any eq 443 log
 permit tcp 192.168.10.0 0.0.0.255 any eq 22
 permit tcp 192.168.10.0 0.0.0.255 any eq 53
 permit udp 192.168.10.0 0.0.0.255 any eq 53
 deny ip any any log

! Apply to interface
interface GigabitEthernet0/0/0
 ip access-group INTERNET-FILTER out
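The three ACL examples above all rely on the same two rules: wildcard masks (a 0 bit must match, a 1 bit is ignored) and first-match evaluation ending in an implicit deny. The following Python model is an added example, not part of the chapter or of any Cisco tooling; it parses the INTERNET-FILTER entries as written above and evaluates constructed flows against them (198.51.100.5 is a made-up "internet" host). It handles only the syntax subset the chapter uses (no source-port operators, no time-range).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    0.0.0.0 therefore means 'host'; 255.255.255.255 means 'any'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port from "eq <port>"
    log: bool = False


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry in the subset of IOS syntax used here:
    <permit|deny> <proto> <src-spec> <dst-spec> [eq <port>] [log]
    where a spec is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = line.split()
    pos = 2

    def take_addr():
        nonlocal pos
        if t[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if t[pos] == "host":
            pos += 2
            return t[pos - 1], "0.0.0.0"
        pos += 2
        return t[pos - 2], t[pos - 1]

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    dport, log = None, False
    while pos < len(t):
        if t[pos] == "eq":
            dport, pos = int(t[pos + 1]), pos + 2
        elif t[pos] == "log":
            log, pos = True, pos + 1
        else:
            pos += 1                      # unsupported keywords are skipped
    return Ace(t[0], t[1], src, src_wc, dst, dst_wc, dport, log)


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins. Returns (action, entry number, logged);
    entry number None means the implicit 'deny ip any any' at the end."""
    for n, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n, ace.log
    return "deny", None, False


# The INTERNET-FILTER entries from the named-ACL example
INTERNET_FILTER = [parse_ace(l) for l in """
deny tcp 192.168.10.0 0.0.0.255 any eq 80 log
deny tcp 192.168.10.0 0.0.0.255 any eq 443 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22
permit tcp 192.168.10.0 0.0.0.255 any eq 53
permit udp 192.168.10.0 0.0.0.255 any eq 53
deny ip any any log
""".strip().splitlines()]


def check(proto, src, dst, dport=None):
    return evaluate(INTERNET_FILTER, proto, src, dst, dport)


if __name__ == "__main__":
    # constructed flows; 198.51.100.5 stands in for an internet host
    for flow in [("tcp", "192.168.10.10", "198.51.100.5", 80),
                 ("tcp", "192.168.10.10", "198.51.100.5", 22),
                 ("udp", "192.168.10.10", "198.51.100.5", 53),
                 ("tcp", "192.168.20.10", "198.51.100.5", 22)]:
        print(flow, "->", check(*flow))
```

Note how the server VLAN (192.168.20.0/24) is caught by the final `deny ip any any log` even for SSH: the filter only ever permits the LAN range, so every other source is dropped and logged. Swapping entry 3 above entries 1 and 2 would not change the result, but placing a `permit ip any any` first would shadow every entry after it, which is the classic ordering mistake this model makes visible.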

Advanced ACL Features

Time-Based ACLs

# Configure time range
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 17:00

# Apply to ACL
ip access-list extended TIME-BASED-FILTER
 permit tcp 192.168.10.0 0.0.0.255 any eq 80 time-range BUSINESS-HOURS
 deny tcp 192.168.10.0 0.0.0.255 any eq 80
 permit ip any any

Reflexive ACLs

# Configure reflexive ACL
ip access-list extended OUTBOUND
 permit tcp 192.168.10.0 0.0.0.255 any reflect TCP-TRAFFIC
 permit udp 192.168.10.0 0.0.0.255 any reflect UDP-TRAFFIC

ip access-list extended INBOUND
 evaluate TCP-TRAFFIC
 evaluate UDP-TRAFFIC
 deny ip any any log

! Apply to interfaces
interface GigabitEthernet0/0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
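Reflexive ACLs are easier to reason about as a session table: each outbound packet matched by a `reflect` entry creates a temporary inbound entry that is its mirror image, and `evaluate` consults that table before the final deny. The model below is an added example (not the chapter's code and not how IOS is implemented) of the OUTBOUND/INBOUND pair above on the 192.168.10.0/24 range; it keeps the default 300-second idle timeout and refreshes it on matching traffic, but omits the early removal IOS performs after a TCP FIN/RST. 198.51.100.x addresses are constructed "internet" hosts.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.10.0/24")   # source range in the OUTBOUND ACL


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple that reply traffic for this flow will carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveFilter:
    """Models 'permit tcp|udp INSIDE any reflect X' applied outbound and
    'evaluate X / deny ip any any log' applied inbound on one interface."""

    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout   # seconds; IOS default reflexive timeout
        self.sessions = {}                 # mirrored Flow -> expiry time (seconds)

    def outbound(self, flow, now):
        if flow.proto in ("tcp", "udp") and ipaddress.ip_address(flow.src) in INSIDE:
            # the temporary entry is the mirror image of the outbound packet
            self.sessions[flow.reverse()] = now + self.idle_timeout
            return "permit"
        return "deny"          # implicit deny at the end of OUTBOUND (ICMP included)

    def inbound(self, flow, now):
        expiry = self.sessions.get(flow)
        if expiry is not None and now < expiry:
            self.sessions[flow] = now + self.idle_timeout   # traffic refreshes the timer
            return "permit"
        self.sessions.pop(flow, None)                       # expired or never created
        return "deny"          # 'deny ip any any log'


if __name__ == "__main__":
    fw = ReflexiveFilter()
    out = Flow("tcp", "192.168.10.10", 51000, "198.51.100.5", 443)
    print("outbound", fw.outbound(out, now=0))
    print("reply   ", fw.inbound(out.reverse(), now=10))
    print("unsolicited", fw.inbound(Flow("tcp", "198.51.100.9", 4444, "192.168.10.10", 22), now=10))
```

Two properties worth noticing: a reply that arrives with a different source port than the one the session was opened to is dropped, because the mirrored entry matches the whole 5-tuple; and because OUTBOUND only reflects TCP and UDP, an outbound ping creates no entry, so ICMP echo replies are dropped by INBOUND unless permitted explicitly.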

Network Address Translation (NAT) Security

NAT as Security Feature

NAT hides the internal addressing plan from the outside and, because an unsolicited inbound packet has no translation entry to match, blocks direct external access to dynamically translated hosts. It complements, but does not replace, the ACLs configured above: anything reached through a static mapping is fully exposed unless filtered.

Basic NAT Configuration

# Configure NAT on edge router
configure terminal
! Define inside and outside interfaces
interface GigabitEthernet0/0/0
 ip nat outside

! Both the DMZ and the internal link are inside interfaces; without
! "ip nat inside" on Gi0/0/1 the static DMZ mapping below never matches
interface GigabitEthernet0/0/1
 ip nat inside

interface GigabitEthernet0/0/2
 ip nat inside

! Configure NAT pool and access list
access-list 1 permit 192.168.10.0 0.0.0.255
! The pool netmask must cover the whole start-to-end range; with a /28
! 203.0.113.10 and 203.0.113.20 fall in different subnets and IOS rejects the pool
ip nat pool INTERNET-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool INTERNET-POOL overload

! Static NAT for DMZ server
ip nat inside source static 192.168.100.10 203.0.113.5
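To see exactly where the "hiding" stops, it helps to model the translation table the edge router builds. The class below is an added example, not the chapter's code and not IOS behaviour in every detail (one pool address instead of a range, original source port kept when free, no entry timeouts). It reproduces the two rules from the configuration above: PAT overload for sources matched by access-list 1, and the static mapping for the DMZ server.

```python
import ipaddress
from typing import Optional, Tuple

Socket = Tuple[str, int]   # (address, port)


class PatTable:
    """Models 'ip nat inside source list 1 pool ... overload' plus
    'ip nat inside source static' as used on the edge router."""

    def __init__(self, global_addr, inside_list, static):
        self.global_addr = global_addr
        self.inside_list = [ipaddress.ip_network(n) for n in inside_list]  # access-list 1
        self.static = dict(static)                                         # local -> global
        self.static_rev = {g: l for l, g in self.static.items()}
        self.translations = {}                                             # global socket -> local socket
        self.next_port = 1024

    def outbound(self, src: str, sport: int) -> Optional[Socket]:
        """Inside-to-outside: the translated source socket, or None when the
        packet matches neither a static entry nor the NAT access-list
        (it is then forwarded untranslated with its private source address)."""
        if src in self.static:
            return (self.static[src], sport)
        if not any(ipaddress.ip_address(src) in n for n in self.inside_list):
            return None
        for g, l in self.translations.items():
            if l == (src, sport):
                return g                                   # existing entry reused
        g = (self.global_addr, sport)                      # keep the port when free
        if g in self.translations:
            while (self.global_addr, self.next_port) in self.translations:
                self.next_port += 1
            g = (self.global_addr, self.next_port)
        self.translations[g] = (src, sport)
        return g

    def inbound(self, dst: str, dport: int) -> Optional[Socket]:
        """Outside-to-inside: the inside socket, or None when no translation
        exists, in which case the router drops the packet."""
        if dst in self.static_rev:
            return (self.static_rev[dst], dport)
        return self.translations.get((dst, dport))


if __name__ == "__main__":
    pat = PatTable("203.0.113.10", ["192.168.10.0/24"],
                   {"192.168.100.10": "203.0.113.5"})
    print(pat.outbound("192.168.10.10", 51000))   # PAT entry created
    print(pat.inbound("203.0.113.10", 51000))     # return traffic finds it
    print(pat.inbound("203.0.113.10", 22))        # unsolicited: None, dropped
    print(pat.inbound("203.0.113.5", 22))         # static NAT: every port reaches the DMZ host
```

The last line is the security point: the dynamic table protects the LAN only as a side effect of having no entry, while the static mapping forwards any port to 192.168.100.10. Exposure of the DMZ server is therefore controlled entirely by the ACL on the outside interface, not by NAT.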

NAT Security Considerations

# Monitor NAT translations
show ip nat translations
show ip nat statistics

# Clear NAT translations for security
clear ip nat translation *
clear ip nat translation inside 192.168.10.10

Device Hardening

Router and Switch Security

Basic Device Hardening

# Security hardening configuration
startup-config: |
  ! Disable unnecessary global services
  no ip source-route
  no ip gratuitous-arps
  no service pad
  no service finger
  no service udp-small-servers
  no service tcp-small-servers

  ! Enable security features
  service password-encryption
  service timestamps debug datetime msec
  service timestamps log datetime msec

  ! Per-interface hardening (these are interface commands, not global ones;
  ! repeat on every routed interface)
  interface GigabitEthernet0/0/0
   no ip redirects
   no ip proxy-arp
   no ip unreachables
   no ip mask-reply

  ! Secure console and VTY lines
  line console 0
   exec-timeout 5 0
   logging synchronous
   login local

  line vty 0 15
   exec-timeout 5 0
   logging synchronous
   login local
   transport input ssh

  ! Configure strong passwords. "secret 5" tells IOS the value is already an
  ! MD5 hash; the hash below is a placeholder, generate your own (IOS 15.3+
  ! also offers "enable algorithm-type scrypt secret <password>" for a type 9 hash)
  enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
  username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

  ! SSH configuration (the domain name must be set before the RSA key is generated)
  ip domain-name secure.lab
  crypto key generate rsa modulus 2048
  ip ssh version 2
  ip ssh time-out 60
  ip ssh authentication-retries 3
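A hardening checklist is only useful if it is checked, so here is an added example (not the chapter's code, not a Cisco tool) of a small compliance audit over running-config text: it splits the config into global commands and `interface`/`line` sections, then reports missing global settings, leftover risky services, interfaces without the per-interface hardening commands, and VTY lines that are not SSH-only. The config it runs on is constructed for the example and deliberately leaves a few items out.

```python
def parse_sections(config: str) -> dict:
    """Split IOS config text into {section header: [child commands]}.
    Column-0 lines are global commands (collected under ''); indented lines
    belong to the preceding 'interface ...' or 'line ...' section."""
    sections = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            line = raw.rstrip()
            if line.startswith(("interface ", "line ")):
                current = line
                sections.setdefault(current, [])
            else:
                current = ""
                sections[""].append(line)
        else:
            sections[current].append(raw.strip())
    return sections


GLOBAL_REQUIRED = ["no ip source-route", "service password-encryption",
                   "service timestamps log datetime msec", "ip ssh version 2"]
GLOBAL_FORBIDDEN = ["service tcp-small-servers", "service udp-small-servers",
                    "ip http server", "snmp-server community public",
                    "snmp-server community private"]
INTERFACE_REQUIRED = ["no ip redirects", "no ip proxy-arp", "no ip unreachables"]
VTY_REQUIRED = ["transport input ssh", "exec-timeout 5 0"]


def audit(config: str) -> list:
    """Return a list of findings; an empty list means the checklist passed."""
    sections = parse_sections(config)
    findings = []
    global_cmds = set(sections[""])
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_cmds:
            findings.append(f"global: missing '{cmd}'")
    for cmd in GLOBAL_FORBIDDEN:
        if cmd in global_cmds:
            findings.append(f"global: remove '{cmd}'")
    for name, cmds in sections.items():
        if name.startswith("interface ") and "shutdown" not in cmds:
            for cmd in INTERFACE_REQUIRED:
                if cmd not in cmds:
                    findings.append(f"{name}: missing '{cmd}'")
        elif name.startswith("line vty"):
            for cmd in VTY_REQUIRED:
                if cmd not in cmds:
                    findings.append(f"{name}: missing '{cmd}'")
            if not any(c.startswith("login") for c in cmds):
                findings.append(f"{name}: no login method configured")
    return findings


# Constructed sample config: SSH v2 not pinned, HTTP server left on,
# Gi0/0/1 only partly hardened, VTY lines without an exec timeout.
SAMPLE_CONFIG = """\
hostname Edge-Router
no ip source-route
service password-encryption
service timestamps log datetime msec
ip http server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
interface GigabitEthernet0/0/1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
!
line vty 0 15
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On a real device the input would be the output of `show running-config`; the checklist lists are the place to encode the organisation's own baseline. Interfaces that are administratively shut down are skipped on purpose, since they neither route nor respond.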

Advanced Security Features

# Configure login security
security authentication failure rate 3 log
security passwords min-length 8

# Enable TCP intercept for SYN flood protection
ip tcp intercept list 100
ip tcp intercept mode intercept
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550

access-list 100 permit tcp any 192.168.100.0 0.0.0.255

SNMP Security

# Secure SNMP configuration
! Remove default community strings
no snmp-server community public
no snmp-server community private

! Configure SNMPv3 with authentication and encryption: define the view,
! bind the group to it, then create the user in that group
snmp-server view SECURE-VIEW system included
snmp-server view SECURE-VIEW interfaces included
snmp-server group SECURE-GROUP v3 priv read SECURE-VIEW
snmp-server user secure-user SECURE-GROUP v3 auth sha AuthPass123 priv aes 128 PrivPass123

! Only if a legacy SNMPv2c poller must be kept: restrict the community to the
! management station; otherwise omit these lines and rely on SNMPv3 alone
access-list 50 permit 192.168.10.100
snmp-server community SecureComm123 RO 50

Network Monitoring and Logging

Logging Configuration

# Configure comprehensive logging
logging buffered 16384 informational
logging console critical
logging monitor informational
logging trap informational
logging facility local0
! Source syslog from a stable address (Loopback0 must exist on the device)
logging source-interface Loopback0
logging host 192.168.10.100

! Log security events
login on-failure log
login on-success log
security authentication failure rate 3 log

! Archive logs
archive
 log config
  logging enable
  logging size 100
  notify syslog contenttype plaintext
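The logging configuration above only pays off when someone (or something) reads the messages, so here is an added example (not the chapter's code, no relation to any vendor tool) of the detection logic a collector at 192.168.10.100 could run: it parses the `%SEC_LOGIN-4-LOGIN_FAILED` messages that `login on-failure log` produces and the `%SEC-6-IPACCESSLOGP` messages that the `log` keyword on ACL entries produces, counts failures per source, and flags sources at or above a threshold. The log lines are constructed for the example in the IOS message format; the timestamps and the 198.51.100.5 address are made up.

```python
import re
from collections import Counter

# Patterns follow the IOS %SEC_LOGIN-4-LOGIN_FAILED and %SEC-6-IPACCESSLOGP message formats
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: .*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]")
ACL_DENIED = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<n>\d+) packets?")


def analyze(lines, login_threshold=3):
    """Summarise failed logins per source and denied packets per (ACL, src, dst),
    flagging sources with login_threshold or more failures."""
    failures = Counter()
    failed_users = {}
    denied = Counter()
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if m:
            failures[m["src"]] += 1
            failed_users.setdefault(m["src"], set()).add(m["user"])
            continue
        m = ACL_DENIED.search(line)
        if m:
            denied[(m["acl"], m["src"], m["dst"])] += int(m["n"])
    flagged = sorted(s for s, c in failures.items() if c >= login_threshold)
    return {"login_failures": dict(failures),
            "failed_users": {s: sorted(u) for s, u in failed_users.items()},
            "flagged_sources": flagged,
            "acl_denied_packets": dict(denied)}


# Constructed sample: three failures from the simulated internet host, one
# internal typo followed by a success, and ACL log hits from two lists.
SAMPLE_LOG = """\
Jan  1 10:00:01.123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.2] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Mon Jan 1 2024
Jan  1 10:00:03.456: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.2] [localport: 22] [Reason: Login Authentication Failed] at 10:00:03 UTC Mon Jan 1 2024
Jan  1 10:00:05.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.2] [localport: 22] [Reason: Login Authentication Failed] at 10:00:05 UTC Mon Jan 1 2024
Jan  1 10:01:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.10] [localport: 22] [Reason: Login Authentication Failed] at 10:01:00 UTC Mon Jan 1 2024
Jan  1 10:01:02.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.10.10] [localport: 22] at 10:01:02 UTC Mon Jan 1 2024
Jan  1 10:02:10.000: %SEC-6-IPACCESSLOGP: list INTERNET-FILTER denied tcp 192.168.10.10(51234) -> 198.51.100.5(80), 1 packet
Jan  1 10:02:20.000: %SEC-6-IPACCESSLOGP: list INTERNET-FILTER denied tcp 192.168.10.10(51240) -> 198.51.100.5(443), 3 packets
Jan  1 10:03:00.000: %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.168.10.50(40000) -> 203.0.113.2(4444), 12 packets
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(key, value)
```

Two caveats from the configuration itself: `security authentication failure rate 3 log` already slows down a single source on the device, so the collector's value is in correlating across devices and over time, and IOS rate-limits ACL log messages (the packet counts in the later messages are aggregates), so the per-entry counters from `show ip access-lists` remain the authoritative numbers.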

Network Time Protocol (NTP) Security

# Secure NTP configuration
ntp authenticate
ntp authentication-key 1 md5 NTPSecretKey123
ntp trusted-key 1
ntp server 192.168.10.100 key 1
ntp access-group serve-only 10

access-list 10 permit 192.168.10.0 0.0.0.255

Intrusion Detection and Prevention

Basic IDS/IPS Concepts

Detection Methods

  1. Signature-based: Matches known attack patterns
  2. Anomaly-based: Detects deviations from normal behavior
  3. Hybrid: Combines both approaches

Deployment Models

  1. Network-based (NIDS/NIPS): Monitors network traffic
  2. Host-based (HIDS/HIPS): Monitors individual hosts
  3. Hybrid: Combines network and host-based monitoring

Cisco IOS IPS Configuration

# Configure IOS IPS
ip ips config location flash:ips/
ip ips name IPS-POLICY

! Create IPS rule
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false

! Apply to interface
interface GigabitEthernet0/0/0
 ip ips IPS-POLICY in

Wireless Security

Wireless Security Protocols

WEP (Wired Equivalent Privacy)

  • Status: Deprecated, insecure
  • Key Length: 40-bit or 104-bit
  • Vulnerabilities: Weak encryption, easily cracked

WPA (Wi-Fi Protected Access)

  • Improvement: Over WEP
  • Encryption: TKIP
  • Authentication: PSK or 802.1X

WPA2 (Wi-Fi Protected Access 2)

  • Encryption: AES-CCMP
  • Authentication: PSK or 802.1X
  • Status: Current standard

WPA3 (Wi-Fi Protected Access 3)

  • Improvements: Enhanced security
  • Features: SAE, enhanced open, 192-bit security
  • Status: Latest standard

Wireless Security Best Practices

# Wireless security configuration example (Cisco autonomous AP)
! Change default SSID and disable broadcast
dot11 ssid SECURE-CORPORATE
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii SecureWirelessKey123!
 no guest-mode

! MAC address filtering: MAC address lists use the 700-799 ACL range
! (0011.2233.4455 is an example address)
access-list 700 permit 0011.2233.4455 0000.0000.0000
dot11 association mac-list 700

! Radio interface: enable strong encryption, bind the SSID,
! and disable unnecessary features (these are interface commands)
interface Dot11Radio0
 encryption mode ciphers aes-ccmp
 ssid SECURE-CORPORATE
 no dot11 extension aironet

VPN Security

VPN Types

Site-to-Site VPN

  • Connects entire networks
  • Typically uses IPSec
  • Permanent connections

Remote Access VPN

  • Connects individual users
  • Uses SSL/TLS or IPSec
  • On-demand connections

Basic IPSec Configuration

# IPSec site-to-site VPN configuration
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800

crypto isakmp key SecretPresharedKey123 address 203.0.113.100

crypto ipsec transform-set STRONG-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.100
 set transform-set STRONG-SET
 match address 110

access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

interface GigabitEthernet0/0/0
 crypto map VPN-MAP

Security Testing and Validation

Penetration Testing Lab

# Test network security from internet simulator
docker exec -it clab-sec-internet-sim sh

# Network reconnaissance
nmap -sS 203.0.113.1
nmap -sU 203.0.113.1

# Port scanning
nmap -p 1-1000 203.0.113.1

# Service enumeration
nmap -sV 203.0.113.1

# Test for common vulnerabilities
nmap --script vuln 203.0.113.1

Security Monitoring

# Monitor security events on routers
show logging | include SECURITY
show ip access-lists
show ip nat translations
show crypto isakmp sa
show crypto ipsec sa

# Real-time monitoring
debug ip packet 101 detail
debug crypto isakmp
debug crypto ipsec

Incident Response

Security Incident Handling

Incident Response Process

  1. Preparation: Establish procedures and tools
  2. Identification: Detect and analyze incidents
  3. Containment: Limit damage and prevent spread
  4. Eradication: Remove threats from environment
  5. Recovery: Restore normal operations
  6. Lessons Learned: Improve security posture

Network Isolation Procedures

# Emergency network isolation
! Shutdown compromised interfaces
interface GigabitEthernet0/0/1
 shutdown

! Block malicious traffic
access-list 199 deny ip host 192.168.10.50 any
access-list 199 permit ip any any

interface GigabitEthernet0/0/0
 ip access-group 199 in

! Clear NAT translations
clear ip nat translation *

! Reset sessions the router itself terminates for that host (transit flows
! are already cut by the ACL above); find the TCB first, then clear it
show tcp brief
clear tcp tcb <tcb-address-from-show-tcp-brief>

Security Best Practices

Network Design Security

  1. Network Segmentation: Use VLANs and subnets
  2. Least Privilege: Minimal necessary access
  3. Defense in Depth: Multiple security layers
  4. Regular Updates: Keep systems patched
  5. Monitoring: Continuous security monitoring

Configuration Management

  1. Change Control: Document all changes
  2. Configuration Backup: Regular backups
  3. Version Control: Track configuration versions
  4. Compliance: Follow security standards
  5. Auditing: Regular security audits

Security Policies

# Security policy template
! Password policy
security passwords min-length 8
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

! Access control policy
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny any log

! Logging policy
logging buffered 16384 informational
logging trap warnings
logging facility local0

! Time synchronization
ntp server 192.168.10.100
service timestamps log datetime msec

Summary

Network security is a critical aspect of modern networking that requires a comprehensive, multi-layered approach. Understanding fundamental security concepts, implementing proper access controls, hardening network devices, and maintaining continuous monitoring are essential for protecting network infrastructure and data.

Key concepts covered:

  • Network security fundamentals and threat landscape
  • Access control lists and traffic filtering
  • Device hardening and security configuration
  • Network monitoring and logging
  • Intrusion detection and prevention
  • Wireless and VPN security
  • Incident response procedures

In the next chapter, we’ll explore specific switch and router security implementations and advanced security features.

Review Questions

  1. What are the core principles of network security (CIA triad)?
  2. How do standard and extended ACLs differ in functionality?
  3. What are the key components of a defense-in-depth strategy?
  4. How does NAT provide security benefits beyond address translation?
  5. What are the essential steps in network device hardening?

Hands-on Exercises

Exercise 1: Basic Network Security Implementation

  1. Deploy the network security lab topology
  2. Configure ACLs to control traffic flow
  3. Implement basic device hardening
  4. Test security controls with traffic generation

Exercise 2: Advanced Access Control

  1. Configure named and time-based ACLs
  2. Implement reflexive ACLs for stateful filtering
  3. Set up NAT with security considerations
  4. Monitor and log security events

Exercise 3: Security Testing and Validation

  1. Perform network reconnaissance from external host
  2. Test ACL effectiveness with various traffic types
  3. Simulate security incidents and response procedures
  4. Document security gaps and improvements

Exercise 4: Comprehensive Security Hardening

  1. Implement complete device hardening checklist
  2. Configure secure remote access (SSH, SNMP)
  3. Set up centralized logging and monitoring
  4. Create security policies and procedures

Additional Resources