CMU540

NET-TRAFFIC-01, NET-FIREWALL-01 & Final Assessment

Session 12

James Williams

jwilliams@staff.newman.ac.uk

Learning Objectives

Understand network traffic analysis techniques
Learn firewall configuration and management
Perform comprehensive security assessments
Practice vulnerability discovery using OS³ Studio
Implement secure network configurations
Complete final assessment and course evaluation

Network Traffic Analysis

NET-TRAFFIC-01: Traffic analysis involves monitoring and analyzing network communications to detect threats

NET-FIREWALL-01: Firewall configuration provides network perimeter security and access control

Final Assessment: Comprehensive security assessment covering all course topics

Key Areas:

Traffic monitoring and analysis
Firewall rules and policies
Security assessment methodologies
Incident response and forensics

Real-World Impact

Notable Security Incidents:

SolarWinds (2020): Supply chain attack detected through traffic analysis
NotPetya (2017): Ransomware spread via network traffic
WannaCry (2017): Global ransomware attack affecting 200,000+ systems

Impact: Data breaches, service disruption, financial loss, reputation damage

Traffic Analysis Techniques

1. Packet Capture and Analysis

<!-- Wireshark Filters -->
# HTTP traffic
http
# HTTPS traffic
ssl
# DNS queries
dns
# Suspicious patterns
tcp.flags.syn == 1 and tcp.flags.ack == 0
# Source IP analysis
ip.src == 192.168.1.100
# Port scanning detection
tcp.port == 22 and tcp.flags.syn == 1

2. Flow Analysis

<!-- NetFlow Analysis -->
# High bandwidth flows
flow-export destination 192.168.1.100 2055
flow-export version 9
flow-export template timeout-rate 1
<!-- sFlow Configuration -->
sflow agent-ip 192.168.1.1
sflow collector-ip 192.168.1.100
sflow sampling-rate 1000
sflow polling-interval 20

Anomaly Detection

1. Statistical Analysis

<!-- Baseline Traffic Patterns -->
# Normal business hours
08:00-18:00: 1000-5000 packets/min
18:00-08:00: 100-500 packets/min
# Anomaly thresholds
Bandwidth: >200% of baseline
Connections: >500% of baseline
Failed logins: >10 per minute
# Alert conditions
if (traffic > baseline * 2) {
  trigger_alert("High traffic volume");
}

2. Behavioral Analysis

<!-- User Behavior Analysis -->
# Normal user patterns
- Login during business hours
- Access to authorized resources
- Normal data transfer volumes
# Suspicious patterns
- Login outside business hours
- Access to unauthorized resources
- Unusual data transfer patterns
- Multiple failed login attempts

Firewall Configuration

1. iptables Rules

<!-- Basic Firewall Rules -->
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH from specific network
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

2. Advanced Firewall Rules

<!-- Rate Limiting -->
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
<!-- Port Knocking -->
iptables -A INPUT -p tcp --dport 1000 -m recent --set --name KNOCK1
iptables -A INPUT -p tcp --dport 2000 -m recent --rcheck --seconds 10 --name KNOCK1 -m recent --set --name KNOCK2
iptables -A INPUT -p tcp --dport 3000 -m recent --rcheck --seconds 10 --name KNOCK2 -j ACCEPT

Firewall Management

1. Zone-Based Firewalls

<!-- Cisco Zone-Based Firewall -->
# Define zones
zone security INSIDE
zone security OUTSIDE
zone security DMZ
# Define zone pairs
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
# Apply policies
class-map type inspect INSIDE-OUTSIDE
match access-group 100
policy-map type inspect INSIDE-OUTSIDE-POLICY
class INSIDE-OUTSIDE
inspect

2. Application-Aware Firewalls

<!-- Application Control -->
# Block specific applications
application-control
  block facebook
  block youtube
  allow business-apps
# Deep Packet Inspection
dpi
  inspect http
  inspect https
  inspect ftp
  inspect smtp

Security Assessment Methodology

1. Assessment Phases

<!-- Security Assessment Process -->
1. Planning and Preparation
  - Define scope and objectives
  - Obtain authorization
  - Gather information
2. Reconnaissance
  - Network discovery
  - Service enumeration
  - Vulnerability scanning
3. Vulnerability Assessment
  - Manual testing
  - Automated scanning
  - Risk analysis
4. Reporting
  - Document findings
  - Risk prioritization
  - Remediation recommendations

2. Testing Techniques

<!-- Testing Techniques -->
# Network Testing
- Port scanning
- Service enumeration
- Protocol analysis
- Traffic analysis
# Application Testing
- Web application scanning
- Authentication testing
- Input validation testing
- Session management testing
# Social Engineering
- Phishing simulations
- Physical security testing
- Awareness assessment

Career Opportunities in Cybersecurity

Cybersecurity Roles:

Security Analyst: £30,000 - £60,000
Penetration Tester: £35,000 - £70,000
Security Engineer: £40,000 - £80,000
Security Consultant: £50,000 - £100,000
Security Manager: £60,000 - £120,000
CISO: £80,000 - £200,000+

Skills Needed: Security assessment, Risk management, Incident response, Compliance

OS³ Newman Cyber Security Lab

NET-TRAFFIC-01, NET-FIREWALL-01 & Final Assessment Lab Environment

Our OS³ Studio provides hands-on experience with:

Network traffic analysis and monitoring
Firewall configuration and management
Comprehensive security assessment scenarios
Incident response and forensics

Access: Available through university portal

Web Demos and Tools

Security Assessment Tools:

Wireshark - Network protocol analyzer
Nmap - Network discovery and security auditing
Nessus - Vulnerability scanner
Metasploit - Penetration testing framework
ELK Stack - Log analysis and visualization

Case Study: SolarWinds Supply Chain Attack

2020 SolarWinds Supply Chain Attack

Impact: 18,000+ organizations compromised
Method: Malicious code injected into software updates
Detection: Traffic analysis revealed unusual network activity
Response: Incident response teams activated worldwide

Lesson: Comprehensive monitoring and traffic analysis are essential for detecting sophisticated attacks

Summary: Comprehensive Security Assessment Areas

                    Key Assessment Areas:
                    Network security and protocols
Web application security
Authentication and access control
Data protection and encryption
Incident response capabilities
Compliance and governance
Physical security controls

                

Task 1: Traffic Analysis and Firewall Configuration

Objective:

Use OS³ Studio to perform network traffic analysis and configure firewall rules.

Instructions:

Access the OS³ Studio network lab environment
Capture and analyze network traffic using Wireshark
Identify suspicious traffic patterns and anomalies
Configure firewall rules to block malicious traffic
Test firewall effectiveness against various attacks
Implement traffic monitoring and alerting
Document all findings and configurations
Prepare a network security assessment report

Time: 45 minutes

Focus on comprehensive network security analysis and implementation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Final Assessment and Task 2

Incident Response

1. Incident Response Process

<!-- Incident Response Phases -->
1. Preparation
  - Incident response plan
  - Team roles and responsibilities
  - Communication procedures
2. Identification
  - Detect security incidents
  - Analyze indicators of compromise
  - Assess impact and scope
3. Containment
  - Isolate affected systems
  - Prevent further damage
  - Preserve evidence
4. Eradication
  - Remove threats
  - Patch vulnerabilities
  - Strengthen defenses
5. Recovery
  - Restore systems
  - Monitor for reoccurrence
  - Validate security
6. Lessons Learned
  - Document incident
  - Update procedures
  - Improve security

2. Digital Forensics

<!-- Forensic Analysis -->
# Memory analysis
volatility -f memory.dump --profile=Win7SP1x64 pslist
volatility -f memory.dump --profile=Win7SP1x64 netscan
# Disk analysis
autopsy
sleuthkit
# Network forensics
wireshark
tshark -r capture.pcap -T fields -e ip.src -e ip.dst
# Timeline analysis
log2timeline.py timeline.csv /path/to/evidence

Security Monitoring

1. SIEM Implementation

<!-- ELK Stack Configuration -->
# Elasticsearch configuration
cluster.name: security-cluster
node.name: security-node-1
network.host: 0.0.0.0
http.port: 9200
# Logstash configuration
input {
  beats {
    port => 5044
  }
}
filter {
  if [fields][log_type] == "security" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{IP:source_ip} %{GREEDYDATA:message}" }
    }
  }
}

2. Threat Intelligence

<!-- Threat Intelligence Feeds -->
# IOC (Indicators of Compromise)
- IP addresses
- Domain names
- File hashes
- Email addresses
# Threat Intelligence Sources
- Commercial feeds
- Open source feeds
- Government sources
- Industry sharing
# Integration with SIEM
- Automated correlation
- Real-time alerts
- Historical analysis
- Trend analysis

Compliance and Governance

1. Security Frameworks

<!-- Security Frameworks -->
# NIST Cybersecurity Framework
- Identify: Asset management, Risk assessment
- Protect: Access control, Data security
- Detect: Monitoring, Detection processes
- Respond: Response planning, Communications
- Recover: Recovery planning, Improvements
# ISO 27001
- Information security management system
- Risk management
- Security controls
- Continuous improvement
# COBIT
- IT governance framework
- Process management
- Control objectives
- Maturity models

2. Risk Management

<!-- Risk Assessment Process -->
1. Asset Identification
  - Hardware assets
  - Software assets
  - Data assets
  - Human assets
2. Threat Analysis
  - External threats
  - Internal threats
  - Threat likelihood
  - Threat impact
3. Vulnerability Assessment
  - Technical vulnerabilities
  - Process vulnerabilities
  - Human vulnerabilities
4. Risk Calculation
  Risk = Threat × Vulnerability × Impact
5. Risk Treatment
  - Accept
  - Avoid
  - Mitigate
  - Transfer

Career Development in Cybersecurity

Next Steps:

Advanced Certifications: CISSP, CISM, CISA, OSCP
Specialized Training: Incident response, Digital forensics
Hands-on Practice: CTF competitions, Bug bounties
Industry Networking: Security conferences, meetups
Research: New attack techniques, Defense methods

Resources: ISC² | SANS | OWASP

Task 2: Final Comprehensive Security Assessment

Objective:

Use OS³ Studio to perform a comprehensive security assessment covering all course topics.

Instructions:

Access the OS³ Studio final assessment environment
Perform comprehensive vulnerability assessment
Test all security controls and configurations
Analyze network traffic and identify threats
Assess web application security
Evaluate authentication and access controls
Test incident response procedures
Prepare comprehensive security assessment report

Time: 45 minutes

Focus on demonstrating comprehensive understanding of all course topics

Course Summary

CMU540: Cyber Security - Complete Course Coverage:

Sessions 1-3: OWASP Top 10 (A01-A03)
Sessions 4-6: Web Security (SQL, XSS, CSRF, Config)
Sessions 7-9: Advanced Security (Components, Auth, Data, Logging, SSRF, Upload)
Sessions 10-12: Network Security (Protocols, Scanning, DNS, Traffic, Firewall)

Total: 12 sessions, 36 hours, comprehensive cybersecurity education

Further Activity: Advanced Security Analysis

Advanced Students - Comprehensive Analysis:

For students with additional time, explore advanced security topics:

Advanced persistent threats (APT) analysis
Zero-day vulnerability research
Advanced evasion techniques
Security architecture design
Threat hunting methodologies

Deliverable: Advanced security research report

Final Session Summary

                    Key Takeaways:
                    Network traffic analysis is essential for threat detection
Firewall configuration provides critical network protection
Comprehensive security assessments require systematic approach
OS³ Studio provides hands-on security testing experience
Incident response and forensics are critical skills
Career opportunities in cybersecurity are extensive

                

NET-TRAFFIC-01, NET-FIREWALL-01 & Final Assessment

Session 12

Learning Objectives

Network Traffic Analysis

Key Areas:

Real-World Impact

Notable Security Incidents:

Traffic Analysis Techniques

1. Packet Capture and Analysis

2. Flow Analysis

Anomaly Detection

1. Statistical Analysis

2. Behavioral Analysis

Firewall Configuration

1. iptables Rules

2. Advanced Firewall Rules

Firewall Management

1. Zone-Based Firewalls

2. Application-Aware Firewalls

Security Assessment Methodology

1. Assessment Phases

2. Testing Techniques

Career Opportunities in Cybersecurity

Cybersecurity Roles:

OS³ Newman Cyber Security Lab

NET-TRAFFIC-01, NET-FIREWALL-01 & Final Assessment Lab Environment

Web Demos and Tools

Security Assessment Tools:

Case Study: SolarWinds Supply Chain Attack

2020 SolarWinds Supply Chain Attack

Summary: Comprehensive Security Assessment Areas

Key Assessment Areas:

Task 1: Traffic Analysis and Firewall Configuration

Objective:

Instructions:

Break Time

15 Minutes

Incident Response

1. Incident Response Process

2. Digital Forensics

Security Monitoring

1. SIEM Implementation

2. Threat Intelligence

Compliance and Governance

1. Security Frameworks

2. Risk Management

Career Development in Cybersecurity

Next Steps:

Task 2: Final Comprehensive Security Assessment

Objective:

Instructions:

Course Summary

CMU540: Cyber Security - Complete Course Coverage:

Further Activity: Advanced Security Analysis

Advanced Students - Comprehensive Analysis:

Final Session Summary

Key Takeaways:

Course Completion