Network Security #
Designing Secure Networks #
- Different security controls usually operate on a distinct ISO Model Layer
- Most popular: Application Layer (7); Transport Layer (4) ; and Network Layer (3)
Infrastructure Considerations #
- Attack Surface - Points at which an unauthorized user could gain access.
- Device Placement - Physical placement is impacted by needs, features and preferred topology and security design
- Examples: create VLANs, …
- Security Zones - Network segments (physical/virtual)
- For many reasons
- Examples: Guest networks, internet-facing networks (DMZ), management networks, higher clearance level, more sensitive data.
- Connectivity Considerations how connectivity is implemented (Wi‑Fi, optics, cable, …) and necessary throughput
- Also multiple ISPs/failover connections are part of this
- Failure Modes - What if a security device fails ? Depends on business requirements
fail-closed- block any traffic during failurefail-open- don’t interfere with traffic during failure
- Network Taps to monitor traffic
activepoweredpassivenot powered (removes loss of power failure mode)
Network Design Concepts #
- Physical Isolation - requires physical presence to move data between air-gapped systems.
- aka Air-Gapped
- Known hack: Malware that copied itself to USB sticks.
- Logical Segmentation - Virtual/software level isolation of networks
- Often on Layer 2,3
- aka VLANs, Subnets, …
- Packets move with VLAN tags.
- Attacks focus on devices/systems that separate/enforce this.
- High Availability (HA) to handle the
Availabilitygoal - Implementing Secure Protocols - ensure that services/communication is secure
- E.g. HTTPS over HTTP; SSH over Telnet
- Mind the Protocol versions! (downgrade attacks)
- Using an alternate port NOT a security control (Just obscurity)
- Reputation Services - feeds that track IP addresses, domains, and hosts known to engage in malicious activity.
- Often combined with threat feeds.
- Software-Defined Networking (SDN) software-based network configuration.
- Relies on controllers that manage network devices and configurations.
- Flexible, can be changed based on metrics/insights.
- You can configure security zones and such (like security groups in AWS).
- Often on Layer 2,3 and sometimes 4.
- Software-Defined Wide Area Network (SD-WAN)
- Used more for availability, connecting various internet providers in a transparent way.
- Replacement for Multiprotocol Label Switching (MPLS)
- *SD-WAN and MPLS are alternative WAN technologies that often compete or complement each other:
- Key Relationship:
- MPLS = Traditional approach:
- Hardware-centric: Dedicated circuits, fixed paths
- Service provider managed: Limited customer control
- Expensive: Premium pricing for guaranteed performance
- Predictable: Consistent performance, SLAs
- SD-WAN = Modern approach:
- Software-defined: Centralized policy management
- Internet-based: Uses broadband, LTE, etc. (cheaper links)
- Customer controlled: Dynamic path selection, policies
- Flexible: Adapts to real-time network conditions
- Secure Access Service Edge (SASE)
- Pronounced “Sassy”
- Combines: VLAN, SDN-WAN, firewalls, Cloud Access Security Brokers (CASB)
- USed to
- make endpoints secure.
- in-transit data is secure
- policy-based security enforcement
- Cloud Access Security Brokers (CASB) - policy enforcement point between service providers and service customers to allow organizations to enforce their policies for cloud resources.
Network Segmentation #
- VLAN is one of the many technologies to implement segmentation.
- Sets up a broadcast domain that is segmented at Data Link Layer (Layer 2).
- Network devices enforce packet forwarding based on the VLAN “tag”.
- The tag is assigned by the network devices as they receive traffic from an endpoint, the endpoint itself doesn’t tag the data.
- Segmentation Designs
- Demilitarized Zones (DMZ)/Screened Subnets - Exposed to less trusted areas (public internet)
- Mostly used for public facing devices. But internally in networks this could also be necessary.
- Intranets - Like only for employees
- Extranets - For external access
- Demilitarized Zones (DMZ)/Screened Subnets - Exposed to less trusted areas (public internet)
- North-South Traffic
- Traffic between internal systems and the outside world (clients, internet, external networks).
- Think: in/out of the datacenter or cloud.
- East-West Traffic - traffic flow in datacenter
- Traffic within a datacenter, cloud, or enterprise network, i.e., between internal systems.
- Think: side-to-side, lateral movement inside the environment.
Zero Trust #
- Never trust, always verify.
- See also General Concepts

- Source - NIST Zero Trust Architecture (NIST SP 800-207)
- Subjct: The actors
- Policy Engines: Are the decision/rule engines
- Policy Administrators: Enforce the decisions
- Policy Enforcement Points: Where enforcement happens
- Commonly deployed as a local agent
- Control Plane
- Adaptive Identity/Authentication - use context-based authN
- based on: location subject, device of subject, does device meet security, …
- Can request additional validation for AuthN if necessary
- Threat Scope Reduction (limited blast radius)
least privilege+identity based network segmentation- meaning, based on your identity, the scope for network segmentation is set for the subject.
- Policy-Driven Access Control - the policy check
- Policy Administrator - who enforces
- Adaptive Identity/Authentication - use context-based authN
- Data Plane
- Implicit trust zones - where can subject move once authenticated
- Subjects and systems - users/systems that seek access
- Policy Enforcement Points - Where it’s enforced
Network Access Control (NAC) #
Is a system/device/endpoint allowed to connect to a given network?
- Implementation types
- Agent
- Agent based: Installed agent on endpoint to perform security checks.
- Can go very deep based on OS, version, patches, detailed endpoint intelligence.
- More control but more effort to install/maintain
- Agentless
- less control but easier/cheaper
- Agent based: Installed agent on endpoint to perform security checks.
- Admission Checks
- preadmission - before connecting
- postadmission - after connecting
- Agent
- If violations happen, endpoint can be put in quarantine so it can be fixed.
- 802.1X - authN standard for endpoints on WIRED & WIRELESS networks.
Supplicant- the subject- Post authentication/connecting, then segmentation happens if applied.
- See also
- Also used for
port-authentication, being thephysical port.- So even when you connect physically to a port, a
supplicanthas to be provided and an AuthN process must take place.
- So even when you connect physically to a port, a
Port Security and Port-Level Protections #
Again, we are referring here to the physical ports.
- Port Security - Allow list
MAC addressesfor a specific port (or max amount of MAC addresses)- Prevents MAC spoofing, content-addressable memory (CAM) table overflows, plug in extra network devices
- Content-addressable memory (CAM) table
- Maps
MACaddresses toIPaddresses. - Poisoning the CAM could allow attackers to “escape” certain limitations.
- CAM Table Overflow Attack
- Overflow the CAM table (usually fixed size) by spamming thousands of frames with random different MAC addresses
- Once full, no new MAC addresses can be learned, so it falls back to HUB (broadcast anything you get)
- Result: Attacker receives now all traffic on their port
- Maps
- MAC Spoofing might not be hard, port security can still be that extra layer of challenge.
- Port-Level Protections
- General Concepts
- Bridge Protocol Data Unit (BPDU) - Messages to coordinate the Spanning Tree.
- Spanning Tree - Loop-free path layout that Spanning Tree Protocol (STP) creates across your switched network.
- Protections*
- Loop Prevention - Detect and stop loops (e.g. connect 2 ports on the same switch)
- Spanning Tree Protocol (STP) is used for this, using BPDUs.
- Broadcast storm prevention - Prevent broadcast packets from being amplified and traverse the network.
- BPDU Guard - Block ports from sending BPDU messages that shouldn’t. Usually ports with endpoints connecting to them.
- Dynamic Host Configuration Protocol (DHCP) SNOOPING - Prevent rogue/random DHCP servers of handing out IP addresses.
- If DHCP message is not from a “trust list” and/or “expected mac list”, drop the message.
- If DHCP message response to “offer an IP address” does not come from the same port as it was requested
- Why did you come from the left door? I send my request through the right door.
- Loop Prevention - Detect and stop loops (e.g. connect 2 ports on the same switch)
- General Concepts
Virtual Private Networks (VPNs) and Remote Access #
Allows to act as 2 endpoints are on the same network over a public network.
- Important: A VPN tunnel is not by definition encrypted!
- The Major VPN technologies
- IPSec VPNs
- Mostly for
site-to-siteconnections- Need to transport more than just web/app traffic.
- level 3 (network layer)
- Require a client
- 2 Modes
tunnel- Entire packets of data sent over the connection are protected.- Network devices route based on original IP addresses
transport- IP header is unprotected, but IP payload is encrypted.- Network devices route based on tunnel endpoint IP addresses
- Important if you still need routing/network visibility (That’s why
site-to-siteworks great)
- Mostly for
- SSL/TLS VPNs*
- Actually uses TLS obviously
- Either
- Portal-Based approach: Users access via web page and access services through the connection
tunnelmode like IPSec: Entirely encrypted data, but doesn’t require the client!
- Doesn’t require a client.
- Allows segmenting application access, so more granular access without too much complexity.
- IPSec VPNs
- Deciding VPN Type
- Do you need
site-to-site(always-on)remote access(as-needed) - for traveling/remote employees
- Do you need
- Tunneling
- Split-Tunnel - Only send traffic intended for the secure other side of the tunnel.
- Example: Public internet via usual connection, but intranet storage via tunnel.
- Full-Tunnel - Send all network traffic through VPN tunnel
- Example: When you are in a coffeeshop and you can’t trust even the local network, you might then want to direct ALL traffic through the tunnel.
- Split-Tunnel - Only send traffic intended for the secure other side of the tunnel.
Network Appliances and Security Tools #
Jump Servers/Boxes - Securely operate in security zones with different security levels.
- Lives in the target security level
- Accessed often via SSH, RDP, …
- Should be configured for a secure audit trail, with the audit trail living also somewhere else securely.
Load Balancing
- Modes
Active/Activedistribute equally across backend systemsActive/Passivebring backup backend systems online when an active system fails.
- Algorithms
round robinLeast connection- send to backend with least connectionsagent based- based on reporting of agents installed on the backend systems.Source IP hashing- randomized algorithm using the IP address of the clientweighted least connection-least connection+weightsto influence preferencefixed weights- fixed weights set per backend system.weighted response times- backend’s response time +weightsto influence preference
- Sticky Sessions - Let a client stick to a distinct backend for entire session,
- Network Level
- Layer 4: Transport level based load balancing - Is dumber
- Less overhead, but limited to protocol, port, IP address, etc…
- Layer 7: Application level load balancing - Can do smart stuff based on request level (e.g. inspect headers)
- more overhead, CPU, etc… has performance penalty
- Layer 4: Transport level based load balancing - Is dumber
- Modes
Proxy Servers
- Forward requests
- Due to centralization of forwarding requests, you can take actions on these requests or responses.
- Actions
- Filter
- modify
- cache
- Restrictions
- Forward Proxy between clients and servers
- Forward requests to servers.
- This hides original IP, so this is how you can get around geoblocking for example or other blocking based on source IP.
- Reverse Proxy between servers and clients
- Can act as load balancer and cache for static content.
- Features are quite broad
WebFilters
- aka Content Filters
- Centralized proxies or agent based tools to allow/block traffic based on consent rules.
- Content categorization allows for having various categories with different rules.
Data Protection
- Use Data Loss Protection (DLP) to avoid exfiltration points.
- Can send notifications, block traffic, encrypt data, …
- Use Data Loss Protection (DLP) to avoid exfiltration points.
Intrusion Detection (IDSs) and Intrusion Prevention Systems (IPSs)
- To either detect and/or block threats.
- Methods
Signature-Baseddetection rely on known hash/signatures of threatsAnomaly-Baseddetection rely on having a baseline and then spot anomalies.
- An IPS in passive mode just monitors and takes no action, acting as an IDS essentially.
Active/Inlinemode - All traffic flows THROUGH the IDS/IPS- Network dependency: If IDS fails, network traffic stops, although SOME have a
fail openpossibility.
- Network dependency: If IDS fails, network traffic stops, although SOME have a
Passive/Tapmode - IDS/IPS receives a COPY of network traffic- No network impact: If IDS fails, network traffic continues normally
Firewalls
- Next-Generation Firewalls (NGFW) can interact on level 4 (transport) and level 7 (application) of the network layers.
- Can be called
all-in-onenetwork security devices.- Can do IDS/IPS, deep inspectiom, antivirus/malware detections, overlap a bit with UTM, but typically faster cause it’s still a bit more focussed.
- More configuration and expertise required.
- Can be called
- Unified Threat Management (UTM) - firewall, IDS/IPS, antimalware, URL + Email filtering, DLP, VPN, security and analytics capabilities. EVERYTHING.
- “Out of the box”
- Deployed at network boundires.
Stateless- Just apply the filter rules, very basic.Stateful- They keep the state of flow, so they can make more overarching decisions.- Example: They can “recognize” a message that’s an egress response from a previously approved ingress request.
- Web Application Firewals (WAF)
- Works only on level 7 (application) and does even stuff like XSS/SQL injection and other scanning, so this is more specialized for distinct application. So firewall + IPS without other fancies.
- Screened Subnets
- So firewwalls allow creation of screend subnets. For example
public internet <-> Firewall <-> DMZ, the firewall made this seperation possible.
- So firewwalls allow creation of screend subnets. For example
- Example Rules
ALLOW TCP port ANY from 10.0.10.0/24 to 10.1.1.68/32 to TCP port 80
- Next-Generation Firewalls (NGFW) can interact on level 4 (transport) and level 7 (application) of the network layers.
Access Control Lists (ACLs)
- Simple rules: Often close to firewall rules, applied by any network device.
- Advanced rules: Advanced ACLS, time-based, dynamic, or other ACLs including conditionals.
- Example Cisco Rules
access-list 100 permit tcp any host 10.10.10.1 eq http - Often used in cloud a security groups and stuff.
Deception and Disruption Technology #
- Goal: Capture info about attackers + techniques they’re using => So you can disrupt ongoing attacks.
- Major Types
- Honeypots - Intentionally configured to appear vulnerable, but heavily instrumented and monitored systems, documenting everything an attacker does while keeping copies of every file and command used.
- GOAL: Adversial Research
- Honeynets - A group of honey pots to be even more tempting and more details on an attacker.
- Gives more insight on network attacks.
- GOAL: Adversial Research
- Honeyfile - Intentionally attractive file (With unique detectible data, fingerprinted), for if the attacker succeeds.
- GOAL: Intrusion Detection
- If you notice this data leaving the network or is found later outside the network, you know you’ve been breached.
- Have a DLP detect it would be awesone.
- Honeytokens - Intentionally attractive data but specificllay to allow for tracking data.
- GOAL: Intrusion Detection
- E.g. entries in database, files, directorictes,…
- IDS, IPS, DLP or other systems then watch for those data.
- Honeypots - Intentionally configured to appear vulnerable, but heavily instrumented and monitored systems, documenting everything an attacker does while keeping copies of every file and command used.
- See HoneyNet Project
Network Security, Services, and Management #
- Out-Of-Band Management - another way of accessing the admin interface
- Physical seperate port or vlan for the admin pannel of some device.
- Physical access itself is also option, but often far less realistic for frequent access.
- DNS - Can be poisoned, so an attacker can “impersonate”
- DNSSEC
- Provides authentication of DNS data
- Proper configuration
- Disable zone transfers
- DNS logging
- Requests to malicious DNS domains blocked
- DNS Filtering blocks malicious domains
- Often fed through threat, reputation and deny list feeds.
- DNSSEC
- Email Security
- DomainKeys Identified Mail (DKIM) - Public DNS record lists Public Key which can be used to verify all the emails from a given domain. All those email bodies and headers are signed with correlated Private Key.
- TL;DR; Signing of emails
- This helps those reveive your emails.
- Sender Policy Framework (SPF) - List all the allowed senders/servers where emails can be sent from
- Can be your on premise email servers and then the 3th party service that you want to sent emails on your behalf
- TL;DR; Is the sender allowed to send for given domain?
- This helps those reveive your emails.
- Domain Based Message Authentication Reporting and Conformance (DMARC) - If not authentic, what do I do ?
- TL;DR; Gives hints/tips/directions on what to do when DKIM/SPF fails.
- This helps those reveive your emails.
- Email Security Gateways (SEG) - filter inbound/outbound emails
- Phising protection, email protection, URL analysis, threat feed integration and all the checking of DKIM, SPF and DMARC above.
- DomainKeys Identified Mail (DKIM) - Public DNS record lists Public Key which can be used to verify all the emails from a given domain. All those email bodies and headers are signed with correlated Private Key.
- Secure Socket Layer (SSL)/Transport Layer Security(TLS)
- TLS used ephemeral keys, so a key per session.
- First there is a
diffie-helmankey exchange which estabilished then a connection specific “session key”.
- First there is a
- TLS used ephemeral keys, so a key per session.
- Simple Network Mangement Protocol (SNMP) monitor and manage network devices.
- Detailed Description
- When a deviced (configured to use SNMP) has a failure or error, it sends a
snmp trapmessage to the centralizedsnmpmanagwer. - events like
coldStart,warmStart,linkDown,linkUp,authenticationFailure, andegpNeighborLoss.
- Monitoring Servicers & Systems - health checks in essence
- Is a port responding?
- Is the service on the port responding correctly?
- File Integrity Monitors monitor important files against changess (e.g config files)
- Example: Tripwire
- Createe signagtures/fingerprints of files and then watches for any changes.
- Hardening Network Devices
- Same as endpoint hardening, follow Center for Internet Security (CIS) benchmarks for hardening guides.
- Protect the management console - use isolated vlan/network/jump server or VPMN.
Secure Protocols #
Using Secure Protocols #
- Scenario: Video/Voice/Videoconferencing (initially HTTP, SIP, RTP)
- Secure Protocol(s)/Alternatives: HTTPS, Session Initiation Protocol over TLS (SIPS), Secure Real Time Transport Protocol (SRTP)
- Scenario Network Time Protocol (NTP)
- Secure Protocol(s)/Alternatives: NTS (relies on TLS), does not protect the data, but provides authN and integrity reassurance. Not widely adopted though.
- Scenario Email/Web traffic
- Secure Protocol(s)/Alternatives: HTTPS, IMAPS, DMARC, DKIM, SPF
- Scenario FTP
- Secure Protocol(s)/Alternatives: HTTP, SFTP or FTPS
- Scenario LDAP
- Secure Protocol(s)/Alternatives:: LDAPS
- Scenario: Remote Access (Telnet)
- Secure Protocol(s)/Alternatives: SSH, RDS, HTTPS
- Scenario: Routing and switching protocol security - Border Gateway Protocol (BGP)
- Secure Protocol(s)/Alternatives: No secure alternative
- Scenario: Domain Name System (DNS)
- Secure Protocol(s)/Alternatives: DNSSEC and DNS reputation lists
- Scenario: Network address allocation (DHCP)
- Secure Protocol(s)/Alternatives: no alternative, rely on detection and response instead of deterrent
- Scenario: Subscription services and cloud tools (HTTPS)
- Secure Protocol(s)/Alternatives: N/A
Secure Protocols #
Note: Understand when you would recommend:
- To switch to the secure protocol
- If both protocols might coexist
- Other factors to take in account when implementing
DNSSECuses digital signatures for authentication and integrity.SNMPv3improves with authentication, integrity validation and encryption.- You can still run this on a lower security level, if you don’t use
authPriv, then it’s insecure, evenv3
- You can still run this on a lower security level, if you don’t use
sshis also used as tunneling protocol orsftp.- If you don’t use a password for the
ssh keys, it’s still less secure.
- If you don’t use a password for the
SRTPuses encryption and authentication- pairs with
Secure Real Time Control Protocol (SRTCP)that monitors theQoS
- pairs with
LDAPSis a TLS version of LDAP.Email Related Protocols
Secure Multipurpose Internet Mail Extension (S/MIME)allowsto encrypt and signmimedata, the format for email attachments.- Integrity, non-repudiation, confideniality, Authentication
- used less frequently cause you need certificate for each user from own KPI or CA.
- SMPT has no Secure option
File Transfer Protocols
FTPS=>FTPoverHTTPS=> as it uses might require extra ports.SFTP=>FTPoverSSH=> as it re-uses the SSH port, its often easer to set up
Internet Protocol Security (IPSec) used to encrypt and authenticate IP traffic
- More than jus a single protocol
- Authentication Header (AH): hashing + shared key to ensure integrity and authentication (like HMAC)
- Encapsualting Security Payload (ESP) like with VPNs:
tunnelmode: integrity + authentication for entire packet (headers + payload).transportmode: integrity + authentication for payload alone.
- Security Associations (SA): Provide parameters for AH and ESP to operate
- IPSec wiki
Network Attacks #
On-Path Attacks #
- aka Man-In-The-middle
- Attacker forces traffic to go through him, allowing for eavesdropping and/or altering the communication.
- Can be often done by using the Adress Resolution Protocol (IP to MAC mapping). The ARP was poisined with a malicious MAC address/location, so all traffic goes to that one.
- SSL Stripping for when someone is “on-path”
- How its done
- Victim types: https://bank.com
- Attacker intercepts, serves HTTP version of login page (forces downgrade)
- Victim submits credentials over HTTP (thinking it’s secure)
- Attacker captures plaintext credentials
- Attacker forwards request over HTTPS to real bank.com
- Attacker relays response back to victim (still over HTTP)
- Protection:
HTTP Strict Tansport Security (HSTS)- forces browsers to connect only via HTTPS using TLS- IMPORTANT: Only works after the user has visited the site AT LEAST ONCE (where the attack can already happen).
- Browsers and plugins can “force” any request to go over https, even if http was requested. (HTTPS Anywhere).
- Certificate pinning
- How its done
- Browser-based on-path attack Relies on Trojan in the user’s browser.
- Trojan can access bypass TLS encryption, it just needs to intercept requests/responsed before encrypting or after decrypting, so it can be modified, or injected with content see injection attacks
Domain Name System Attacks #
- Domain Hijacking - Stealing the domain, so they can be pointed to malicious systems
- By Social Engineering
- Technical Means
- People forgetting to renew
- DNS Poisining
- Method 1: On-Path attack where attacker supplies a altered DNS query with a destination to a malicious system.\
- Method 2: Poison thee DNS cache on a system (like the local OS/Browser cache)
- URL Redirection
- Popular Method: Insert alternate IP in hosts file.
- Can be scanned and checked for changes by antimalware tools.
- Popular Method: Insert alternate IP in hosts file.
- Domain Reputation can be also used to our benefit.
Credential Replay Attacks #
- Requires attacker to capture valid networkd data and re-send or delay.
- Usuallt on-path
- IoC: Modified gatwats or routes
Malicious Code #
- See Malware Types
- See IoC’s per type.
Distributed Denial-of-Service (DDoS) Attacks #
- Network DDoS - Most common form of DDoS
- Often uses botnets to conduct these attacks or commercial services for testing purposes.
- Protection(s)
- ISP might provide protection service.
- Your network border security devices.
- Categories of DDoS techniques
Volume-Based- Just sheer volume of traffic- Some use amplification techiques that leverage flaws/features in protocols to generate more traffic than the attack sends.
UDP Floods- UDP doesn’t use 3way handshake like TCP, so the host will just try to process it. UDP is also not rate limited.- Can be detected with IDS and IPS, or with a packet analyzer manually.
ICMP Floods- Sends manypingmessages, ICMP is ratelimited in modern systems- Many OS/Systems/network devices disable
ping/icmpsupport by default.
- Many OS/Systems/network devices disable
Amplified Denial-of-service attack- Use protocols that allow a small query to return large sets of data (e.g. DNS, NTP, SNMP, …)- Again, if you spoof the sender address (change it to your target), all these DNS resuls will be sent to the target.
Reflected Denial-of-service attackthis is more specificly about the spoofing, so the sender spoofs the sender IP to the target’s IP, which makes it also hard to dstop and track down.- Could be still same size requests.
- Some use amplification techiques that leverage flaws/features in protocols to generate more traffic than the attack sends.
Protocol-Based- TCP Based - they do use a 3 way handshake, process being
SYN > SYN/ACK > ACK.SYN floodsendsSYNmessages to server, server respond withSYN/ACKbut then the attacker never responds with the finalACKso the server meanwhile keeps waiting and blocking resources, hoping to receive theACK, eventually timing out. But this allows for many of these handshakes to open up but not close, causing a lot fo resources on the server side.- MOST COMMON
- Older
Ping of Death- Ping packet too large to handleSmurf attacks- Send a spoofed ping packet, and systems would respond back to this spoofed target address, overwelhmin it.Xmas/Christmas tree attack- Packets with all their TCP flags on
- TCP Based - they do use a 3 way handshake, process being
Others #
IPv6 #
- Basic format:
- 128-bit addresses (vs IPv4’s 32-bit)
- Hexadecimal notation: 2001:db8::1
- Address shortening: :: represents consecutive zeros
- Security implications:
- Larger attack surface: Huge address space makes scanning harder but networks more complex
- Dual-stack risks: Running IPv4 and IPv6 simultaneously creates more attack vectors
- Tunneling protocols: 6to4, Teredo can bypass security controls
- ICMPv6: More critical than ICMPv4 - blocking it breaks IPv6 functionality
Quality Of Service (QoS) #
- Prioritizes network traffic based on importance/type
- Bandwidth allocation and latency management
- Traffic shaping - controls data flow rates
Security implications (the important part): QoS bypasses:
- Attackers can mark traffic as high priority to bypass security controls
- DDoS amplification: Flood high-priority queues to impact critical services
- Covert channels: Hide data in QoS headers/markings
Network security integration:
- Firewall QoS rules - ensure security traffic gets priority
- VPN QoS: Critical security traffic shouldn’t be deprioritized
- Security tool performance: IDS/IPS need adequate bandwidth allocation
Basic mechanisms (just awareness level):
- DSCP marking: How traffic gets tagged for priority
- Traffic classes: Voice, video, data, background
- Bandwidth guarantee vs limiting
Real-world security context:
- VoIP security: Voice traffic prioritization can impact security monitoring
- Critical system access: Ensure management traffic has QoS priority
- Incident response: Security tools need guaranteed bandwidth during attacks