
NCS Unit 2

The document provides an overview of networking concepts, including routing and switching, types of routing (static, dynamic, and default), and the role of switches in networks. It also discusses endpoint security solutions, Active Directory, the Tor Network, and various networking devices across different OSI layers. Additionally, it covers security measures such as firewalls, packet filtering, DMZs, alerts, and audit trails for monitoring and protecting network environments.


NCS

Mr. Santosh, Assistant Professor


Cyber Security
Unit - 2

Basics of Routing & Switching


Router
The router is a physical internetworking device that is
designed to receive, analyze, and forward data packets
between computer networks.
Static Routing
In static routing, network administrators manually configure
the routing tables on routers.
The routing paths do not change automatically; they remain
fixed unless the administrator makes manual changes.
It is suitable for small networks with a stable topology.
Dynamic Routing
Dynamic routing protocols allow routers to automatically
discover and communicate with each other to determine the
best path for data packets.
Examples of dynamic routing protocols include RIP (Routing
Information Protocol), OSPF (Open Shortest Path First), and
EIGRP (Enhanced Interior Gateway Routing Protocol).
Dynamic routing is more scalable and adaptable to changes in
network topology.
Default Routing
Default routing is used when a router does not have specific
information about the destination network in its routing
table.
The router forwards the packet to a default gateway, which
then determines the next hop.
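The three routing types above come together in one lookup: a static entry, a more specific entry inside it, and a 0.0.0.0/0 default route that only wins when nothing longer matches. The following added example (not from the slides; the table and addresses are constructed) shows that longest-prefix match and what happens when the default route is missing.

```python
import ipaddress

# Constructed routing table, not taken from the slides: (destination prefix, next hop).
# The 0.0.0.0/0 entry is the default route used when no more specific prefix matches.
ROUTING_TABLE = [
    ("10.1.0.0/16", "10.1.0.1"),       # statically configured branch network
    ("10.1.20.0/24", "10.1.20.1"),     # more specific prefix inside that network
    ("192.168.5.0/24", "192.168.5.1"),
    ("0.0.0.0/0", "203.0.113.1"),      # default gateway
]


def build_table(entries):
    """Parse the textual prefixes once so lookups can test membership directly."""
    return [(ipaddress.ip_network(net), hop) for net, hop in entries]


def lookup(table, dst):
    """Longest-prefix match: among all prefixes containing dst, pick the most specific.

    The /0 default route contains every address, so it only wins when nothing
    longer matches. Returns (prefix, next hop), or None when the table has no
    default route and no prefix covers dst (the router would drop the packet).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else (str(best[0]), best[1])


TABLE = build_table(ROUTING_TABLE)
NO_DEFAULT = build_table(ROUTING_TABLE[:-1])   # same table with the default route removed

if __name__ == "__main__":
    for dst in ("10.1.20.7", "10.1.3.9", "8.8.8.8"):
        print(dst, "->", lookup(TABLE, dst), "| without default:", lookup(NO_DEFAULT, dst))
```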
Switches
A network switch connects devices in a network to each
other.
Circuit switching
Circuit switching is a method of communication in
telecommunications networks where a dedicated
communication path or circuit is established between two
devices for the duration of their conversation. This is in
contrast to packet switching, where data is divided into
packets that are individually routed to their destination and
reassembled.
Packet switching
Packet switching is a method of communication in which data
is broken down into small packets that are individually sent
from the source to the destination over a shared network.
This is in contrast to circuit switching, where a dedicated
communication path is established for the entire duration of
a conversation. Packet switching is the underlying technology
of the Internet and many modern data networks.
Message switching
Message switching is an older and less common method of
communication compared to circuit switching and packet
switching. In message switching, complete messages or data
units are sent from the source to the destination. Unlike
packet switching, where data is divided into packets, and
unlike circuit switching, where a dedicated path is established
for the entire conversation, message switching involves
forwarding entire messages.
Endpoint solution
An "endpoint solution" typically refers to a comprehensive
set of security tools and technologies designed to protect the
various endpoints (devices) within a network. Endpoints
include devices such as computers, laptops, servers,
smartphones, tablets, and other devices that connect to a
network. Endpoint security is crucial because these devices
are often targeted by malicious actors seeking to exploit
vulnerabilities and gain unauthorized access to sensitive data.
Types of Endpoint solutions:
Antivirus and Antimalware:
Function: Real-time scanning and protection against viruses,
malware, and other malicious software.
Examples: Symantec, McAfee, Kaspersky.

Firewall Protection:
Function: Monitors and controls incoming and outgoing
network traffic based on predefined security rules.
Examples: Windows Firewall, ZoneAlarm.
Endpoint Detection and Response (EDR):
Function: Monitors and responds to advanced threats and
suspicious activities on endpoints in real-time.
Examples: CrowdStrike, Carbon Black, SentinelOne.

Device Control:
Function: Manages and restricts the use of removable
storage devices, USB drives, and other peripherals.
Examples: Symantec Endpoint Protection, Trend Micro Apex
One.
Active Directory
Directory service allows information to be stored, classified,
and retrieved.
Microsoft's directory service is called Active Directory.

It is a database that is used to store an enormous amount of
information about Users, User Groups, Client computers, and
Network resources like Printers and Shared folders.
Active Directory Structure
In the Active Directory structure, the top part is called a
Forest. Moving down, it forms a tree, which can be seen as a
collection of domains and sub-domains.

The domain is at the center of the Windows Network.


Features Of Active Directory
It is a database of Objects. Some of these objects are Users,
Groups, Printers, Devices, and Computers.

It stores, organizes and enables access to these objects.


It also provides essential networking services like DNS and
Kerberos-based authentication.

If there is a network of hundreds or thousands of computers,
Active Directory is the only option to manage this network
easily.
Active Directory governs the security policies when a VPN
connection is established and people are allowed to connect
to that network.

It allows Administrators to centrally give users and
computers permissions on the network and on individual
computers.

The usage of Active Directory can vary from small
organizations with a few hundred users to thousands of users
across the world.
Tor Network
The Tor Network, short for The Onion Router, is a privacy-
focused network that aims to enhance anonymity and
security on the internet. It achieves this by directing internet
traffic through a volunteer-operated network of servers,
encrypting the data at each step in the process. The Tor
Network is designed to protect users' privacy and anonymity
by making it more challenging to trace their online activities
and identity.
Features of the Tor Network:
Onion Routing:
The term "onion routing" refers to the layered encryption
used by Tor. When data passes through the Tor network, it is
encrypted in layers, much like the layers of an onion. Each
server in the network decrypts one layer, revealing the
instructions for where to send the data next. This process
helps in obscuring the origin and destination of the data.

Volunteer-Operated Nodes:
The Tor Network relies on a decentralized network of
volunteer-operated servers, known as nodes or relays.
Entry Nodes and Exit Nodes:
Entry nodes are the first nodes that a user's data passes
through when entering the Tor network. Exit nodes are the
final nodes through which data exits the Tor network and
reaches its destination on the internet.

Anonymous Browsing:
Tor is commonly used to browse the internet anonymously.
When a user accesses the internet through Tor, their IP
address is hidden, making it more challenging for websites
and online services to track their location and identity.
Hidden Services (.onion websites):
Tor allows the creation of hidden services, which are websites
with addresses ending in ".onion." These sites can only be
accessed through the Tor network, providing an additional
layer of privacy for both the website and the user.

Encryption:
The data transmitted through the Tor network is encrypted,
preventing eavesdroppers from understanding the content of
the communication.
Circuits:
Tor creates circuits for each user, consisting of a series of
nodes through which the user's data passes. Circuits are
dynamically established and changed, enhancing security.

Privacy and Censorship Resistance:
Tor is often used by individuals seeking privacy in their online
activities, as well as by those living in regions with internet
censorship. It can help users bypass restrictions and access
information that might be blocked by certain countries or
organizations.
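The onion-routing and circuit features above are easiest to see in code: the client wraps the payload in one layer per relay, and each relay peels exactly one layer, learning only the next hop. This is an added illustration, not Tor's own code; it assumes pre-shared per-relay keys and uses a toy SHA-256 keystream in place of the AES session keys that real Tor negotiates during circuit construction.

```python
import hashlib
import json

# Toy per-hop keys, assumed pre-shared for this illustration. Real Tor negotiates a
# separate session key with each relay when the circuit is built.
RELAY_KEYS = {"entry": b"key-entry", "middle": b"key-middle", "exit": b"key-exit"}


def keystream_xor(key, data):
    """Toy stream cipher (not Tor's AES-CTR): XOR data with SHA-256(key || counter) blocks.
    XOR is its own inverse, so the same call both adds and removes a layer."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(path, destination, payload):
    """Client side: wrap the payload in one encryption layer per relay, innermost first.
    Each layer carries only the next hop plus an opaque blob meant for that hop."""
    inner = {"next": destination, "data": payload}
    blob = keystream_xor(RELAY_KEYS[path[-1]], json.dumps(inner).encode())
    for i in range(len(path) - 2, -1, -1):
        layer = {"next": path[i + 1], "data": blob.hex()}
        blob = keystream_xor(RELAY_KEYS[path[i]], json.dumps(layer).encode())
    return blob


def peel(relay, blob):
    """Relay side: strip one layer with this relay's own key. With the wrong key the
    result is noise rather than JSON, so a ValueError is raised."""
    try:
        layer = json.loads(keystream_xor(RELAY_KEYS[relay], blob))
        return layer["next"], layer["data"]
    except (ValueError, TypeError, KeyError):
        raise ValueError(f"{relay}: cannot remove this layer with its key")


def route(path, blob):
    """Simulate the circuit: returns what each relay learned (itself, next hop) and
    what the exit finally delivers (destination, plaintext payload)."""
    learned = []
    for i, relay in enumerate(path):
        nxt, data = peel(relay, blob)
        learned.append((relay, nxt))
        if i == len(path) - 1:
            return learned, nxt, data
        blob = bytes.fromhex(data)   # the remaining onion for the next relay


if __name__ == "__main__":
    circuit = ["entry", "middle", "exit"]
    print(route(circuit, build_onion(circuit, "example.com", "hello")))
```

Note that the entry relay sees the user's address and the middle relay's name but never the destination, while the exit sees the destination and plaintext but not the user.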
Networking Devices (Layers 1, 2, 3)
Networking devices operate at different layers of the OSI
(Open Systems Interconnection) model, which is a conceptual
framework used to understand and design computer
networks. Each layer in the OSI model serves specific
functions, and various networking devices are designed to
operate at different layers.
Examples of networking devices
Layer 1: Physical Layer
Hub:
Connects multiple network devices in a star topology at the
physical layer. It operates by broadcasting data to all
connected devices.

Repeater:
Extends the reach of a network by amplifying and
retransmitting signals over long distances.
Layer 2: Data Link Layer
Switch:
Operates at the data link layer, forwarding frames based on
MAC addresses.

Bridge:
Connects and filters traffic between different network
segments based on MAC addresses.
Network Interface Card (NIC):
Hardware component that provides the interface between a
device (e.g., computer) and the network, translating data
between the device and the network.

Wireless Access Point (WAP):
Connects wireless devices to a wired network, allowing
wireless communication based on the IEEE 802.11 standards.
Layer 3: Network Layer
Router:
Operates at the network layer, forwarding packets between
different networks based on IP addresses.

Layer 3 Switch:
Combines features of a switch and a router, making routing
decisions based on IP addresses. Layer 3 switches are often
used to perform routing within a local network.
Multilayer Switch:
Similar to a layer 3 switch, a multilayer switch can operate at
multiple layers of the OSI model, allowing for more complex
networking functionality.
Network layer attacks
IP Spoofing:
In IP spoofing attacks, attackers forge the source IP address in
the packets to make it appear as if the traffic is coming from a
trusted source. This can be used to bypass access controls
and launch various other attacks.

Denial of Service (DoS) Attacks:
DoS attacks flood a network, service, or website with traffic
to overwhelm its resources and make it unavailable to
legitimate users. Common forms include ICMP flood,
SYN/ACK flood, and UDP flood attacks.
Session Hijacking:
Also known as session stealing, this attack involves an
attacker intercepting and taking control of an established
session between two parties.
Firewall
A firewall is a network security device or software that
monitors and controls incoming and outgoing network traffic
based on predetermined security rules. The primary goal of a
firewall is to establish a barrier between a trusted internal
network and untrusted external networks, such as the
internet. Firewalls play a crucial role in protecting networked
systems from unauthorized access, cyber attacks, and other
security threats.
Packet Filtering:
Firewalls examine individual data packets and filter them
based on predetermined rules. Packet filtering involves
making decisions about whether to allow or block packets
based on factors like source and destination IP addresses,
port numbers, and protocol types.

Proxy Services:
Proxy services involve an intermediary (proxy) between
internal users and external servers. The proxy serves as a
gateway, forwarding requests and responses between the
internal network and the external network.
Stateful Inspection:
Stateful inspection, also known as dynamic packet filtering,
involves tracking the state of active connections and making
decisions based on the context of the traffic. This allows
firewalls to understand the state of connections and make
more informed decisions.
ACL (Access Control List)
An ACL works as a stateless firewall. While a stateful firewall
examines the contents of network packets, a stateless
firewall only checks if the packets follow the defined security
rules.
How Does an ACL Work?

ACLs are tables containing access rules found on network
interfaces such as routers and switches. When the user
creates an ACL on a router or switch, the device becomes a
traffic filter.
Packet filtering
Packet filtering is a network security technique used to
control the flow of network traffic based on predetermined
criteria, such as source and destination IP addresses, port
numbers, and protocols. This technique is implemented using
devices like routers and firewalls that examine individual
packets as they traverse the network and make decisions
about whether to permit or deny their passage.
Key aspects of packet filtering
Filtering Criteria:
Packet filtering rules are defined based on various criteria,
including:
Source and destination IP addresses: Filtering based on the
source and destination addresses of the packets.

Port numbers: Filtering based on the port numbers
associated with the communication.
Protocol type: Filtering based on the specific network
protocol (e.g., TCP, UDP, ICMP).

Allow and Deny Decisions:
Packet filtering rules specify whether to allow or deny
packets that match certain criteria. If a packet meets the
conditions specified in an "allow" rule, it is permitted to pass
through. Conversely, if it matches a "deny" rule, it is blocked.
Implicit Deny:
Packet filtering typically follows an "implicit deny" model,
meaning that if a packet does not match any of the defined
rules, it is implicitly denied by default. This ensures that
administrators explicitly define the traffic they want to allow.

Stateless Inspection:
Packet filtering is stateless, meaning that each packet is
evaluated independently of previous or subsequent packets.
The device making filtering decisions does not maintain
information about the state of active connections.
Router and Firewall Implementation:
Packet filtering is commonly implemented in routers and
firewalls. Routers filter packets based on network layer
criteria (e.g., source and destination IP addresses), while
firewalls, especially stateful firewalls, can also filter based on
transport layer criteria (e.g., port numbers).

Network Segmentation:
Packet filtering is often used to segment networks and
control the flow of traffic between different network
segments. This helps enforce security policies and restrict
unauthorized access.
Access Control Lists (ACLs):
Access Control Lists (ACLs) are commonly used to implement
packet filtering rules. ACLs define the criteria for filtering and
specify the corresponding action (permit or deny).

Performance Considerations:
Packet filtering is generally efficient in terms of performance
because it operates at the network layer and can make
decisions quickly based on header information in each
packet.
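The ACL and packet-filtering points above (first match wins, implicit deny, stateless evaluation) and the stateful inspection described under Firewall are shown side by side in this added example, which is not from the slides. The ACL, addresses and ports are constructed; the stateful filter tracks flows the ACL permitted so that reply packets are accepted by context rather than by a broad inbound rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Constructed ACL for an internal 10.0.0.0/24 network (not from the slides). Rules are
# (action, src prefix, dst prefix, protocol, dst port); "any"/None are wildcards.
# Rules are checked top-down and the first match wins; a packet matching no rule
# falls through to the implicit deny at the end.
ACL = [
    ("deny",   "10.0.0.0/24", "192.0.2.0/24", "any", None),   # blocked external range
    ("permit", "10.0.0.0/24", "any",          "tcp", 443),    # outbound HTTPS
    ("permit", "10.0.0.0/24", "any",          "udp", 53),     # outbound DNS
]


def in_prefix(addr, prefix):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def rule_matches(rule, pkt):
    _, src, dst, proto, dport = rule
    return (in_prefix(pkt.src, src) and in_prefix(pkt.dst, dst)
            and proto in ("any", pkt.proto) and dport in (None, pkt.dport))


def stateless_filter(acl, pkt):
    """Evaluate one packet on its own, exactly as a stateless ACL does."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"   # implicit deny: nothing explicitly allowed it


class StatefulFilter:
    """Stateful inspection: remember flows the ACL permitted so their replies are
    accepted by context, without the broad inbound rule a stateless filter would need."""

    def __init__(self, acl):
        self.acl = acl
        self.flows = set()   # (src, sport, dst, dport, proto) of permitted flows

    def filter(self, pkt):
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self.flows:
            return "permit"   # reply packet of an established connection
        action = stateless_filter(self.acl, pkt)
        if action == "permit":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action
```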
DMZ (Demilitarized Zone)
A DMZ network provides a buffer between the internet and
an organization's private network.
In computer security, a DMZ or demilitarized zone is a
physical or logical subnetwork that contains and exposes an
organization's external-facing services to an untrusted,
usually larger, network such as the Internet.
Characteristics of a DMZ
Purpose:
The primary purpose of a DMZ is to host services that need
to be accessible from external networks, such as the internet,
while minimizing the potential risks to the internal network.

Isolation:
The DMZ is a neutral zone that acts as a buffer between the
internal network and the external network. It isolates
services and systems that are exposed to the internet,
reducing the risk of direct attacks on internal assets.
Hosted Services:
Common services hosted in a DMZ include:
Web Servers: Hosting public-facing websites.
Mail Servers: Handling external email traffic.
FTP Servers: Allowing file transfers from external sources.
DNS Servers: Resolving domain names for external users.

Firewall Configuration:
Firewalls are used to control the traffic entering and leaving
the DMZ. Typically, there are two firewalls:
External Firewall: Between the internet and the DMZ.
Internal Firewall: Between the DMZ and the internal network.
Security Measures:
Security measures within the DMZ may include intrusion
detection and prevention systems, web application firewalls,
and other security appliances to monitor and protect hosted
services.

Proxy Servers and Reverse Proxies:
Proxy servers and reverse proxies may be used in the DMZ to
enhance security. Proxies can filter and forward traffic,
providing an additional layer of protection for internal
systems.
Separation of Networks:
The DMZ allows for the separation of different network
segments with varying levels of trust. External users can
access services in the DMZ, but direct access to the internal
network is restricted.

Security Policies:
Security policies are established to govern the access and
usage of resources in the DMZ. These policies define the
rules for interacting with external services and help maintain
a secure network environment.
Monitoring and Logging:
The DMZ is typically monitored closely, and logs are regularly
reviewed to identify and respond to any suspicious activities
or security incidents.
Alerts and Audit Trails
Alerts and audit trails are essential components of network
security and monitoring. They play a crucial role in detecting
and responding to security incidents, ensuring compliance
with security policies, and providing a detailed record of
activities within a network.
Alerts:
Purpose:
Alerts are notifications generated by security systems or
monitoring tools to inform administrators or security
personnel about potential security incidents, anomalies, or
predefined events.

Event Types:
Alerts can be triggered by various events, including:
Unusual network traffic patterns.
Security policy violations.
Suspicious login attempts.
Malware or intrusion detection.
Changes in system configurations.
Real-Time Notification:
Alerts are often configured to provide real-time notifications
to administrators or a security operations center (SOC) when
unusual or potentially malicious activities are detected.

Prioritization:
Alerts may be categorized and prioritized based on the
severity of the detected event. High-priority alerts may
require immediate attention, while lower-priority alerts may
be reviewed periodically.
Integration with Incident Response:
Alerts are a critical component of incident response. They
trigger the initiation of incident response procedures to
investigate, contain, and mitigate security incidents.

Examples:
Intrusion detection system (IDS) alerts.
Firewall alerts for blocked or suspicious traffic.
Anomalies detected by network monitoring tools.
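The event types, prioritization and incident-response points above can be seen in a small detector run over audit-trail lines. This is an added example, not from the slides: the log lines, source addresses and thresholds are constructed, and the rule is one concrete case (a burst of failed logins, and a success from the same source afterwards) of the "suspicious login attempts" event type.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail lines in a syslog-like layout (not real logs).
LOG_LINES = """\
2024-03-01T09:00:01 auth sshd: Failed password for admin from 198.51.100.20
2024-03-01T09:00:03 auth sshd: Failed password for admin from 198.51.100.20
2024-03-01T09:00:04 auth sshd: Failed password for root from 198.51.100.20
2024-03-01T09:00:06 auth sshd: Failed password for admin from 198.51.100.20
2024-03-01T09:00:07 auth sshd: Failed password for admin from 198.51.100.20
2024-03-01T09:00:09 auth sshd: Accepted password for admin from 198.51.100.20
2024-03-01T09:15:00 auth sshd: Failed password for bob from 10.0.0.7
2024-03-01T10:30:00 auth sshd: Accepted password for bob from 10.0.0.7
""".splitlines()

LINE_RE = re.compile(
    r"^(\S+) auth sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, result, user, source) or None for lines of other shapes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def generate_alerts(lines, threshold=5, window=timedelta(seconds=60)):
    """Raise a 'medium' alert when one source accumulates `threshold` failed logins
    inside `window`, and a 'high' alert if that same source then logs in successfully
    (a burst of guesses followed by success is what the SOC wants to see first)."""
    recent_failures = defaultdict(list)   # source -> timestamps still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            kept = [t for t in recent_failures[src] if ts - t <= window]
            recent_failures[src] = kept + [ts]
            if len(recent_failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                secs = int(window.total_seconds())
                alerts.append(("medium", src, f"{threshold} failed logins within {secs}s"))
        elif src in flagged:
            alerts.append(("high", src, f"successful login as {user} after failed-login burst"))
    return alerts


def prioritized(alerts):
    """Order alerts so high-priority ones are reviewed first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: rank[a[0]])


if __name__ == "__main__":
    for alert in prioritized(generate_alerts(LOG_LINES)):
        print(alert)
```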
Audit Trails
Purpose:
Audit trails are chronological records of events and activities
that occur within a network. They serve as a detailed log for
auditing, compliance, and forensic analysis purposes.

Logged Events:
Events recorded in audit trails include:
User logins and logouts.
File or resource access.
Configuration changes.
System and application events.
Security policy changes.
User Accountability:
Audit trails help establish user accountability by recording
the actions of users within the network. This is crucial for
investigating security incidents and ensuring compliance.

Compliance Requirements:
Many industries and organizations are subject to regulatory
compliance requirements that mandate the collection and
retention of audit logs. Audit trails help demonstrate
adherence to these regulations.
Forensic Analysis:
Audit trails play a vital role in forensic analysis by providing a
detailed timeline of events. Security professionals can use
audit logs to reconstruct the sequence of actions leading up
to and following a security incident.
Monitoring and Analysis:
Security teams regularly monitor and analyze audit trails to
identify unusual patterns, detect insider threats, and ensure
that systems are being used in accordance with security
policies.

Integrity and Non-Repudiation:
Audit trails contribute to data integrity and non-repudiation.
They provide a record of who did what and when, making it
difficult for users to deny their actions.
Examples:
Security Information and Event Management (SIEM) system
logs.
Windows Event Logs.
Database audit logs.
Network device logs.
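The integrity and non-repudiation property above depends on the trail itself being tamper-evident: a record of "who did what and when" is only useful if nobody can quietly edit, reorder or delete entries afterwards. This added example (not from the slides) chains each entry to its predecessor with an HMAC under a key held only by the log collector; the collector key and the sample events are constructed placeholders.

```python
import hashlib
import hmac
import json

# Key held by the log collector only (constructed placeholder). Without it, someone who
# edits the stored trail cannot recompute a consistent chain.
COLLECTOR_KEY = b"placeholder-collector-key"
GENESIS = "0" * 64


def link_hash(prev_hash, record):
    """HMAC over the previous link and the canonical JSON of this record."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []   # each: {"record": {...}, "prev": hash, "hash": hash}

    def append(self, who, action, target, when):
        record = {"who": who, "action": action, "target": target, "when": when}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev, "hash": link_hash(prev, record)})

    def verify(self):
        """Walk the chain; return the index of the first entry whose link is broken
        (edited, reordered, or a predecessor deleted), or None if the trail is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != link_hash(prev, entry["record"]):
                return i
            prev = entry["hash"]
        return None


def sample_trail():
    """Constructed sample events, not taken from any real system."""
    trail = AuditTrail()
    trail.append("alice", "login", "fw-01", "2024-03-01T09:00:00")
    trail.append("alice", "config_change", "fw-01:acl-outbound", "2024-03-01T09:05:12")
    trail.append("alice", "logout", "fw-01", "2024-03-01T09:07:40")
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", trail.verify())
    trail.entries[1]["record"]["who"] = "bob"   # attempt to shift blame for the change
    print("first broken entry:", trail.verify())
```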
