
NET-PROTO-01, NET-SCAN-01 & NET-DNS-01

Network Security Fundamentals

CMU540: Cyber Security - Session 11

Birmingham Newman University

Lecturer: James Williams

Understanding protocol security, port scanning, and DNS security analysis

3-hour session • 38 slides • 2 interactive tasks

Session Timeline:

  • 10 min: Registration & waiting
  • 20 min: Opening slides
  • 45 min: Task 1
  • 15 min: Break/Catch up
  • 20 min: Secondary slides
  • 45 min: Task 2
  • Remaining: Self-study

Learning Objectives

  • Understand network protocol security fundamentals
  • Learn port scanning techniques and detection
  • Analyze DNS security vulnerabilities
  • Practice vulnerability discovery using OS³ Studio
  • Implement secure network configurations
  • Explore career opportunities in network security

Network Security Fundamentals

NET-PROTO-01: Protocol security focuses on securing network communication protocols

NET-SCAN-01: Port scanning techniques for reconnaissance and vulnerability assessment

NET-DNS-01: DNS security analysis and protection against DNS-based attacks

Key Areas:

  • Protocol vulnerabilities and attacks
  • Network reconnaissance techniques
  • DNS security and DNSSEC
  • Network monitoring and detection

Real-World Impact

Notable Network Attacks:

  • Mirai Botnet (2016): IoT devices compromised via weak protocols
  • Dyn DNS Attack (2016): DNS DDoS attack took down major websites
  • SolarWinds (2020): Supply chain attack via network monitoring tools

Impact: Service disruption, data breaches, infrastructure compromise

Common Protocol Security Vulnerabilities

1. Weak Encryption Protocols

<!-- VULNERABLE: Weak protocols -->
SSH-1.0 # Weak encryption
SSL 2.0/3.0 # Deprecated protocols
WEP (WiFi) # Easily cracked
Telnet # Plaintext transmission

<!-- SECURE: Strong protocols -->
SSH-2.0 # Strong encryption
TLS 1.2/1.3 # Modern protocols
WPA3 (WiFi) # Strong authentication
SSH/HTTPS # Encrypted transmission

2. Protocol Implementation Flaws

<!-- VULNERABLE: Implementation flaws -->
Heartbleed (OpenSSL) # Buffer overflow
POODLE (SSL 3.0) # Padding oracle
BEAST (TLS 1.0) # Block cipher attack
CRIME (TLS) # Compression attack

<!-- SECURE: Proper implementation -->
Regular security updates
Proper input validation
Secure random number generation
Memory-safe programming

Port Scanning Techniques

1. TCP Scanning Methods

<!-- TCP Connect Scan -->
nmap -sT target.com

<!-- TCP SYN Scan (Stealth) -->
nmap -sS target.com

<!-- TCP FIN Scan -->
nmap -sF target.com

<!-- TCP NULL Scan -->
nmap -sN target.com

<!-- TCP XMAS Scan -->
nmap -sX target.com

2. UDP Scanning

<!-- UDP Scan -->
nmap -sU target.com

<!-- UDP Scan with Service Detection -->
nmap -sU -sV target.com

<!-- Common UDP Ports -->
53 - DNS
67 - DHCP
123 - NTP
161 - SNMP
500 - IKE

Advanced Scanning Techniques

1. Service Detection

<!-- Service Version Detection -->
nmap -sV target.com

<!-- OS Detection -->
nmap -O target.com

<!-- Script Scanning -->
nmap --script vuln target.com

<!-- Aggressive Scan -->
nmap -A target.com

2. Stealth and Evasion

<!-- Timing Control -->
nmap -T0 target.com # Paranoid (slowest)
nmap -T5 target.com # Insane (fastest)

<!-- Fragmentation -->
nmap -f target.com

<!-- Decoy Scanning -->
nmap -D decoy1,decoy2,ME target.com

<!-- Source Port Spoofing -->
nmap --source-port 53 target.com

DNS Security Vulnerabilities

1. DNS Cache Poisoning

<!-- DNS Cache Poisoning Attack -->
1. Attacker queries DNS server for non-existent subdomain
2. DNS server queries authoritative server
3. Attacker floods with fake responses
4. DNS server caches fake response

<!-- Example -->
Query: nonexistent.example.com
Fake Response: example.com A 192.168.1.100
Result: All queries to example.com redirected

2. DNS Amplification Attacks

<!-- DNS Amplification -->
1. Attacker spoofs victim's IP address
2. Sends small DNS queries to open resolvers
3. Open resolvers send large responses to victim
4. Amplification factor: 50-100x

<!-- Mitigation -->
- Disable open DNS resolvers
- Implement rate limiting
- Use DNS response size limits
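As an added defensive example (not part of the slides), the check a resolver applies to the flood of fake replies in the cache poisoning scenario above: a Python DNS-message parser that discards a reply unless its transaction ID, QR bit and question match the outstanding query and every answer-section name is the name that was asked for, so the forged `example.com` record returned for a `nonexistent.example.com` query is rejected. The `build_reply` helper and its addresses are constructed for the demonstration; CNAME chains and the authority/additional sections are not modelled.

```python
import struct

def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    return b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'

def _read_name(msg, off):
    """Decode a name at msg[off], following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: jump, remember where we were
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii').lower())
        off += length
    return '.'.join(labels), (off if end is None else end)

def parse_response(msg):
    """Return (txid, is_response, question name, [answer-section names])."""
    txid, flags, _qdcount, ancount = struct.unpack('!HHHH', msg[:8])
    qname, off = _read_name(msg, 12)            # question follows the 12-byte header
    off += 4                                    # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        _rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
        answers.append(name)
    return txid, bool(flags & 0x8000), qname, answers

def response_is_trustworthy(query_txid, query_name, msg):
    """Accept a reply only if TXID, QR bit and question match our outstanding
    query and every answer name is the name we asked for (no CNAME handling)."""
    txid, is_response, qname, answers = parse_response(msg)
    if not is_response or txid != query_txid or qname != query_name.lower():
        return False
    return all(name == qname for name in answers)

def build_reply(txid, qname, rr_name, rr_ip):
    """Constructed (not captured) reply carrying one A record, no compression."""
    header = struct.pack('!HHHHHH', txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = _encode_name(qname) + struct.pack('!HH', 1, 1)   # type A, class IN
    rdata = bytes(int(octet) for octet in rr_ip.split('.'))
    answer = _encode_name(rr_name) + struct.pack('!HHIH', 1, 1, 300, 4) + rdata
    return header + question + answer
```

A reply whose TXID does not match is dropped before the name check, which is why randomising the ID and source port makes the flood in step 3 expensive.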

DNS Security Measures

1. DNSSEC Implementation

<!-- DNSSEC Zone Signing -->
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-signzone -o example.com example.com.db

<!-- DNSSEC Validation -->
dig +dnssec example.com
dig +cdflag example.com

<!-- DNSSEC Chain of Trust -->
Root Zone → TLD → Domain → Subdomain

2. DNS Filtering and Monitoring

<!-- DNS Filtering -->
# Block malicious domains
*.malware.com A 0.0.0.0
*.phishing.com A 0.0.0.0

<!-- DNS Monitoring -->
# Log DNS queries
# A channel on its own logs nothing; a category must be routed to it
logging {
  channel security {
    file "/var/log/dns-security.log";
    severity info;
  };
  category security { security; };
};

Network Monitoring and Detection

1. Intrusion Detection Systems

<!-- Snort IDS Rules -->
# flags:S,12 counts only connection attempts (SYN, ECN bits ignored); every rule needs a local sid
alert tcp any any -> any 22 (msg:"SSH Brute Force"; flags:S,12; threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)

# bytes 2-5 of a standard query are flags 0x0100 and QDCOUNT 1, after the 2-byte transaction ID
alert udp any any -> any 53 (msg:"DNS Query"; content:"|01 00 00 01|"; offset:2; depth:4; sid:1000002; rev:1;)

alert tcp any any -> any 80 (msg:"Web Attack"; content:"/etc/passwd"; nocase; sid:1000003; rev:1;)

<!-- Suricata Rules -->
alert http any any -> any any (msg:"Suspicious User Agent"; content:"sqlmap"; http_user_agent; nocase; sid:1000004; rev:1;)

2. Network Traffic Analysis

<!-- Wireshark Filters -->
tcp.port == 22 and tcp.flags.syn == 1
dns.qry.name contains "malware"
http.request.uri contains "admin"
ip.src == 192.168.1.100

<!-- tcpdump Commands -->
tcpdump -i eth0 port 22
tcpdump -i eth0 host 192.168.1.100
tcpdump -i eth0 -w capture.pcap
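As an added example (not part of the slides), the `threshold:type both, track by_src, count 5, seconds 60` logic of the SSH brute-force rule above, re-implemented in Python over constructed SYN log lines so the alert timing is visible: one alert per source the moment five SYNs to port 22 fall within 60 seconds, then silence for the rest of that window. The log format is invented for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not a real capture): time, source -> destination:port
SAMPLE_LOG = """\
2024-03-01T09:00:00 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:00:05 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:00:10 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:00:15 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:00:20 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:00:25 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:00:30 192.168.1.200 -> 10.0.0.5:22 SYN
2024-03-01T09:02:00 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:02:05 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:02:10 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:02:15 192.168.1.100 -> 10.0.0.5:22 SYN
2024-03-01T09:02:20 192.168.1.100 -> 10.0.0.5:22 SYN
"""

LINE_RE = re.compile(r'^(\S+) (\S+) -> \S+:(\d+) SYN$')

def detect_brute_force(log_text, port=22, count=5, seconds=60):
    """Emulate `threshold:type both, track by_src, count N, seconds M`:
    alert once per source when N SYNs to `port` fall inside M seconds,
    then suppress that source until the window has passed."""
    recent = defaultdict(deque)        # src -> timestamps of SYNs still inside the window
    quiet_until = {}                   # src -> time until which further alerts are suppressed
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(3)) != port:
            continue
        ts, src = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:    # drop SYNs older than the window
            q.popleft()
        if len(q) >= count and quiet_until.get(src, datetime.min) <= ts:
            alerts.append((src, ts.isoformat()))
            quiet_until[src] = ts + timedelta(seconds=seconds)
    return alerts
```

The second burst at 09:02 is alerted again because the first window has expired, while the sixth SYN at 09:00:25 is swallowed by the suppression, which is exactly the "both" behaviour the rule asks for.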

Career Opportunities in Network Security

Network Security Roles:

  • Network Security Engineer: £40,000 - £80,000
  • Penetration Tester: £35,000 - £70,000
  • Security Analyst: £30,000 - £60,000
  • Network Administrator: £25,000 - £50,000
  • Security Consultant: £50,000 - £100,000

Skills Needed: Network protocols, Security tools, Penetration testing, Risk assessment

OS³ Newman Cyber Security Lab

NET-PROTO-01, NET-SCAN-01 & NET-DNS-01 Lab Environment

Our OS³ Studio provides hands-on experience with:

  • Network protocols and their vulnerabilities
  • Port scanning and reconnaissance tools
  • DNS security testing and analysis
  • Network monitoring and detection systems

Access: Available through university portal

Web Demos and Tools

Case Study: Mirai Botnet

2016 Mirai Botnet Attack

  • Impact: 600,000+ IoT devices compromised
  • Method: Default credentials and weak protocols
  • Targets: Cameras, routers, DVRs
  • Result: Major DDoS attacks on Dyn DNS

Lesson: Weak network protocols and default credentials create massive attack surfaces

Summary: Common Network Security Issues

Key Vulnerabilities to Look For:

  1. Weak or deprecated protocols
  2. Open ports and services
  3. DNS cache poisoning vulnerabilities
  4. Unencrypted network traffic
  5. Missing network monitoring
  6. Insufficient access controls
  7. Default credentials and configurations

Task 1: Network Security Vulnerability Discovery

Objective:

Use OS³ Studio to identify network protocol vulnerabilities, perform port scanning, and analyze DNS security.

Instructions:

  1. Access the OS³ Studio network lab environment
  2. Perform comprehensive port scanning on target systems
  3. Identify weak protocols and services
  4. Test DNS security and cache poisoning
  5. Analyze network traffic for anomalies
  6. Test for protocol implementation flaws
  7. Document all findings with proof of concept
  8. Prepare a network security assessment report

Time: 45 minutes

Focus on systematic network reconnaissance and vulnerability assessment

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure Protocol Implementation

1. Protocol Hardening

<!-- SECURE: SSH Configuration -->
# /etc/ssh/sshd_config
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

<!-- SECURE: TLS Configuration -->
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

2. Network Segmentation

<!-- SECURE: VLAN Configuration -->
# DMZ Network
vlan 10
name DMZ
# Internal Network
vlan 20
name Internal
# Guest Network
vlan 30
name Guest

<!-- Firewall Rules -->
# Allow DMZ to Internet
permit ip 192.168.10.0/24 any
# Block Guest to Internal
deny ip 192.168.30.0/24 192.168.20.0/24

Secure DNS Configuration

1. DNS Server Hardening

<!-- SECURE: BIND Configuration -->
options {
  listen-on port 53 { 127.0.0.1; 192.168.1.10; };
  allow-query { localnets; };
  # allow-recursion only takes effect when recursion is on;
  # an authoritative-only server keeps recursion off
  allow-recursion { localnets; };
  recursion no;
  # BIND hides identity with version/hostname/server-id
  # (hide-identity/hide-version are Unbound options, not BIND)
  version "Not disclosed";
  hostname none;
  server-id none;
  # DNSSEC validation is a global option, not a zone option;
  # "auto" uses the built-in root trust anchor
  dnssec-validation auto;
};

<!-- DNSSEC Configuration -->
# serve the zone produced by dnssec-signzone; dnssec-enable is no
# longer a valid option and validation is set in options above
zone "example.com" {
  type master;
  file "example.com.signed";
};

2. DNS Filtering and Monitoring

<!-- SECURE: DNS Filtering -->
# Block malicious domains
zone "malware.com" {
  type master;
  file "blocked.zone";
};

<!-- DNS Logging -->
logging {
  channel security {
    file "/var/log/dns-security.log";
    severity info;
  };
  category security { security; };
};

Network Monitoring Implementation

1. IDS/IPS Configuration

<!-- SECURE: Snort Configuration -->
# /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Enable rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules

# Output configuration
output unified2: filename snort.log, limit 128

<!-- Custom Rules -->
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force"; flags:S,12; threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)

2. Network Traffic Analysis

<!-- SECURE: Traffic Monitoring -->
# Monitor suspicious traffic
tcpdump -i eth0 -w suspicious.pcap host 192.168.1.100

# Analyze DNS queries
tcpdump -i eth0 port 53 -n

# Monitor failed connections
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'

# Real-time analysis
tshark -i eth0 -f "port 80" -T fields -e ip.src -e ip.dst

Access Control Implementation

1. Network Access Control (NAC)

<!-- SECURE: 802.1X Configuration -->
# Switch Configuration
interface GigabitEthernet0/1
  switchport mode access
  authentication port-control auto
  authentication host-mode multi-domain
  authentication violation restrict

<!-- RADIUS Configuration -->
# aaa new-model must be enabled before any aaa authentication command is accepted
aaa new-model
radius-server host 192.168.1.100
radius-server key secretkey
aaa authentication dot1x default group radius
dot1x system-auth-control

2. Firewall Rules

<!-- SECURE: iptables Rules -->
# Default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback and established connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block suspicious traffic: the recent-module rules must precede the
# ACCEPT rule, otherwise accepted packets never reach them. --syn limits
# the count to new connection attempts (4th SYN in 60 s is dropped)
iptables -A INPUT -p tcp --dport 22 --syn -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 --syn -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Allow SSH from specific networks
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

Career Development in Network Security

Next Steps:

  • Advanced Certifications: CCNA Security, CCNP Security, CISSP
  • Specialized Training: Network security, Penetration testing
  • Hands-on Practice: Network labs, CTF competitions
  • Industry Networking: Security conferences, meetups
  • Research: New attack techniques, Defense methods

Resources: Cisco | SANS | Nmap

Task 2: Secure Network Configuration Implementation

Objective:

Use OS³ Studio to implement secure network configurations and monitoring systems.

Instructions:

  1. Access the OS³ Studio secure implementation environment
  2. Configure secure network protocols and services
  3. Implement DNS security with DNSSEC
  4. Set up network monitoring and IDS
  5. Configure firewall rules and access controls
  6. Implement network segmentation
  7. Test the secure implementation
  8. Document the security improvements

Time: 45 minutes

Focus on implementing industry-standard network security practices

Further Activity: Code Inspection

Advanced Students - Code Analysis:

For students with additional time, explore the source code to understand:

  • How network protocols are implemented securely
  • DNS server configuration and DNSSEC setup
  • Network monitoring and IDS configuration
  • Firewall rules and access control implementation
  • Network segmentation and security policies

Deliverable: Code review report with network security recommendations

Session Summary

Key Takeaways:

  • Network protocol security is fundamental to overall security
  • Port scanning provides valuable reconnaissance information
  • DNS security requires proper configuration and monitoring
  • OS³ Studio provides hands-on network security testing
  • Secure implementation requires multiple layers of protection
  • Career opportunities in network security are growing

Next Steps

Continue Learning:

  • Complete the OS³ Studio tasks
  • Explore additional network security topics
  • Practice with security testing tools
  • Consider industry certifications
  • Join cybersecurity communities

Next Session: NET-TRAFFIC-01, NET-FIREWALL-01 & Final Assessment