Advanced | ⏱ 90 Minutes | Blue Team Focus | Prereq: Network Attacks

Security Networking & Infrastructure

Understanding how modern enterprise networks defend against attackers using segmentation, continuous monitoring, and secure architecture.

Attacker Understanding

  • ✔ How networks work
  • ✔ How traffic flows
  • ✔ How to intercept & exploit

Security Engineer Thinking

  • ✔ How to architect defense
  • ✔ How to block lateral movement
  • ✔ How to monitor anomalies

1. Network Segmentation

The Problem: "Flat networks" are dangerous. If a receptionist's PC is compromised via phishing in a flat network, the attacker has direct, unimpeded access to the financial servers.

The Solution: Segmentation divides the network into isolated zones based on trust and function.

Flat Network (Bad)

Everything on 192.168.1.0/24. One breach compromises the entire organization.

Segmented Network (Good)

  • Users: 10.0.10.0/24
  • Servers: 10.0.20.0/24
  • Mgmt: 10.0.99.0/24

Security Benefit: It forces attackers to pass through heavily monitored choke points (routers/firewalls) to move laterally, increasing the chance of detection.

2. VLAN Security (Layer 2)

A VLAN (Virtual Local Area Network) provides logical segmentation inside physical switches. You can have the HR department and the IT department plugged into the exact same switch, but they cannot talk to each other directly.

Switch Port 1 (VLAN 10 - Guest) | Switch Port 2 (VLAN 20 - Admin)

Common Attacks & Defenses

  • VLAN Hopping: Attackers send forged 802.1Q tags to trick the switch into putting them on a restricted VLAN.
  • Defense: Hardcode switch ports as "Access Ports", disable auto-trunking (DTP), and place all unused ports into a "dead" VLAN.

3. NAT & Security Perspective

Network Address Translation translates internal private IPs into a single public IP. While designed to save IPv4 space, it has security implications.

  • Internal IP Hiding: External attackers cannot map your internal topology.
  • Reduced Exposure: Internal devices cannot be directly routed to from the internet.

⚠️ Critical Insight: NAT ≠ Firewall

NAT makes it harder to reach a device, but it performs no traffic inspection. If an attacker tricks an internal device into making an outbound connection (Reverse Shell), NAT allows the traffic right through. You still need a Firewall.

4. Firewalls Deep Dive

Firewalls are the decision engines placed at the borders of your network segments.

Packet Filtering (Legacy)

Looks only at headers (IP, Port, Protocol). Dumb and fast. Easily bypassed by spoofing.

Stateful Firewall

Tracks the "state" of connections. It knows if a packet is part of an established session or a rogue injection.

Next-Gen (NGFW)

Operates up to Layer 7. Can inspect the payload for malware, block specific apps (e.g., Block BitTorrent, Allow HTTP), and do SSL decryption.

# Typical Firewall Rule Logic (Top-Down Processing)
1. ALLOW TCP 443 FROM ANY TO Web_Server (Allow Web)
2. ALLOW TCP 22 FROM IT_VLAN TO Servers (Allow Admin SSH)
3. DENY ALL FROM ANY TO ANY (Implicit Deny)
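As an added example (not part of the lesson), the rule set above as a top-down, first-match evaluator. It assumes IT_VLAN is the Mgmt subnet 10.0.99.0/24 and Web_Server is the host 10.0.20.10 inside the Servers segment; the test packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Address objects as a firewall would define them. Subnets come from the lesson;
# the Web_Server host address and IT_VLAN = Mgmt subnet are assumptions.
OBJECTS = {
    "ANY": [ip_network("0.0.0.0/0")],
    "Web_Server": [ip_network("10.0.20.10/32")],   # assumed host in Servers
    "Servers": [ip_network("10.0.20.0/24")],
    "IT_VLAN": [ip_network("10.0.99.0/24")],       # assumed: the Mgmt subnet
}

@dataclass
class Rule:
    action: str           # "ALLOW" or "DENY"
    proto: str            # "TCP", "UDP" or "ANY"
    dport: Optional[int]  # destination port, None matches any port
    src: str              # source object name
    dst: str              # destination object name
    comment: str

# The lesson's rule set, in the order the firewall evaluates it.
RULES = [
    Rule("ALLOW", "TCP", 443, "ANY", "Web_Server", "Allow Web"),
    Rule("ALLOW", "TCP", 22, "IT_VLAN", "Servers", "Allow Admin SSH"),
    Rule("DENY", "ANY", None, "ANY", "ANY", "Implicit Deny"),
]

def in_object(addr: str, name: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in OBJECTS[name])

def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Top-down, first-match: the first rule whose fields all match decides."""
    for rule in RULES:
        if rule.proto not in ("ANY", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if in_object(src, rule.src) and in_object(dst, rule.dst):
            return rule.action, rule.comment
    return "DENY", "Implicit Deny"   # fallback if the explicit deny were removed

if __name__ == "__main__":
    # Constructed packets: internet to web, admin SSH from Mgmt, SSH from a Users PC.
    for pkt in [("203.0.113.5", "10.0.20.10", "TCP", 443),
                ("10.0.99.7", "10.0.20.10", "TCP", 22),
                ("10.0.10.42", "10.0.20.10", "TCP", 22)]:
        print(pkt, "->", evaluate(*pkt))
```

The third packet shows why the ordering matters: SSH to a server is only allowed from IT_VLAN, so a compromised PC in the Users segment falls through to the implicit deny.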

5. IDS vs IPS

IDS (Detection)

Passive. Listens to a copy of the traffic. Sends an alert to the security team if an attack is seen. Alert Only.

IPS (Prevention)

Inline. Traffic physically flows through it. If an attack is seen, the packet is dropped instantly. Detect + Block.

Detection Methods

  • Signature-Based: Looks for specific, known byte patterns (signatures) of malware, like antivirus does.
  • Behavior-Based: Looks for actions (e.g., a PDF trying to run a shell command).
  • Anomaly Detection: Learns the baseline of the network. Alerts if a server suddenly sends 50GB of data at 3 AM.

6. Secure Network Architecture & DMZ

The Demilitarized Zone (DMZ) is a heavily restricted subnetwork holding public-facing services (Web Servers, Email, DNS). It acts as a buffer zone.

☁️ The Internet
  ↓
🛡️ Perimeter Edge Firewall
  ↓ (Public Access Allowed)
DMZ: Web Server / Mail Relay
  ↓ (Strict Internal Only)
Internal LAN: Databases / Employee PCs

If an attacker hacks the Web Server in the DMZ, they are still blocked by firewall rules from reaching the Internal LAN where the databases live.

7. VPN & Secure Communication

Virtual Private Networks create encrypted tunnels across untrusted networks (like the internet or a coffee shop Wi-Fi).

  • Remote Access VPN: An employee at home securely connecting to the office internal network.
  • Site-to-Site VPN: Connecting the New York office router directly to the London office router so they act as one secure network.

8. Continuous Network Monitoring

You cannot stop what you cannot see. Blue Teams rely on telemetry to hunt for attackers.

  • NetFlow: Like a phone bill. Shows who talked to whom, when, and for how long (but not what was said). Great for spotting data exfiltration.
  • SIEM (Security Information and Event Management): A central brain (like Splunk or Elastic) that collects logs from all firewalls, servers, and switches to correlate events.
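The anomaly detection described in section 5 (a server suddenly sending 50GB at 3 AM) is exactly what NetFlow volume data supports. As an added example (not part of the lesson), a per-host hourly baseline over constructed NetFlow-style records, with the exfiltration burst flagged on the last day; the addresses, volumes and thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

GB = 1_000_000_000

# Constructed NetFlow-style records: (src_ip, dst_ip, bytes, day, hour).
# Days 1-7 are the learning window: the web server pushes about 2 GB to the
# backup host at 02:00 and 03:00 nightly. Day 8 repeats the 02:00 job and then
# sends 50 GB at 03:00 to an outside address, the lesson's 3 AM exfiltration.
FLOWS = (
    [("10.0.20.10", "10.0.20.50", 2 * GB, d, 2) for d in range(1, 8)]
    + [("10.0.20.10", "10.0.20.50", (1800 + 50 * d) * GB // 1000, d, 3) for d in range(1, 8)]
    + [("10.0.20.10", "10.0.20.50", 2 * GB, 8, 2),
       ("10.0.20.10", "203.0.113.9", 50 * GB, 8, 3)]
)

def hourly_totals(flows):
    """Outbound bytes per (src, day, hour). NetFlow gives volume, not content."""
    totals = defaultdict(int)
    for src, _dst, nbytes, day, hour in flows:
        totals[(src, day, hour)] += nbytes
    return totals

def build_baseline(flows, learn_days):
    """Per (src, hour): mean and stdev of hourly bytes over the learning window."""
    samples = defaultdict(list)
    for (src, day, hour), total in hourly_totals(flows).items():
        if day in learn_days:
            samples[(src, hour)].append(total)
    return {key: (mean(v), pstdev(v)) for key, v in samples.items()}

def detect(flows, learn_days, k=3.0, floor=1 * GB):
    """Flag (src, day, hour) outside the learning window that exceed baseline.

    Threshold is mean + k*stdev, but never below 1.5x the mean (a constant
    baseline has stdev 0) nor below an absolute floor; an hour with no history
    for that host is judged against the floor alone.
    """
    baseline = build_baseline(flows, learn_days)
    alerts = []
    for (src, day, hour), total in sorted(hourly_totals(flows).items()):
        if day in learn_days:
            continue
        mu, sigma = baseline.get((src, hour), (0, 0))
        threshold = max(mu + k * sigma, 1.5 * mu, floor)
        if total > threshold:
            alerts.append((src, day, hour, total, round(mu)))
    return alerts

if __name__ == "__main__":
    for src, day, hour, total, mu in detect(FLOWS, learn_days=range(1, 8)):
        print(f"day {day} {hour:02d}:00 {src} sent {total / GB:.1f} GB, baseline {mu / GB:.1f} GB")
```

The nightly 02:00 backup on day 8 is not flagged because it matches its own baseline; only the 03:00 burst to an external address stands out, which is the signal a SIEM would then correlate with firewall and server logs.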

9. Zero Trust Networking

The modern standard pioneered by Google (BeyondCorp) and Microsoft. It destroys the old idea that the "Internal Network is safe."

"Trust Nothing. Verify Everything."

  • No Default Trust: Even if you are plugged into the office wall, you are treated as a threat.
  • Identity Based: Access is granted based on who the user is and the health of their device, not just their IP address.
  • Micro-segmentation: Firewalls exist between individual apps, not just network borders.

10. The Defensive Attack Chain View

How security networking disrupts the attacker at every stage:

  • Recon: Blocked by NAT & Firewalls
  • Initial Access: Blocked by IPS & NGFW
  • Lateral Movement: Blocked by VLANs & Segmentation
  • Data Exfiltration: Caught by NetFlow & Monitoring

🛡️ The Security Engineer Mindset

Good security architecture does not assume attacks will be stopped.
It is designed to limit damage and detect attackers quickly when they inevitably get inside.

🧠 Knowledge Check

1. Why is network segmentation important?
It prevents lateral movement. If an attacker compromises one segment, they cannot easily access the rest of the network.
2. What is the difference between an IDS and an IPS?
An IDS is passive and only sends alerts (Detect). An IPS is inline and actively drops malicious packets (Detect + Block).
3. Why place web servers in a DMZ?
Because public-facing servers are highly targeted. Placing them in a DMZ ensures that if they are hacked, the attacker still faces a firewall before reaching internal data.
4. What is the core principle of Zero Trust?
"Trust nothing, verify everything." Never grant access simply because a device is on the internal network.
🏆 Networking Phase Completed

You now understand how packets flow, how devices route them, how attackers exploit them, and how defenders lock them down. You have built the foundation required for advanced cybersecurity.