
NET-TRAFFIC-01, NET-FIREWALL-01 & Final Assessment

Traffic Analysis, Firewall Configuration & Comprehensive Security Assessment

CMU540: Cyber Security - Session 12

Birmingham Newman University

Lecturer: James Williams

Understanding traffic analysis, firewall configuration and comprehensive security assessment

3-hour session • 45 slides • 2 interactive tasks

Session Timeline:

  • 10 min: Registration & waiting
  • 20 min: Opening slides
  • 45 min: Task 1
  • 15 min: Break/Catch up
  • 20 min: Secondary slides
  • 45 min: Task 2
  • Remaining: Self-study

Learning Objectives

  • Understand network traffic analysis techniques
  • Learn firewall configuration and management
  • Perform comprehensive security assessments
  • Practice vulnerability discovery using OS³ Studio
  • Implement secure network configurations
  • Complete final assessment and course evaluation

Network Traffic Analysis

NET-TRAFFIC-01: Traffic analysis involves monitoring and analyzing network communications to detect threats

NET-FIREWALL-01: Firewall configuration provides network perimeter security and access control

Final Assessment: Comprehensive security assessment covering all course topics

Key Areas:

  • Traffic monitoring and analysis
  • Firewall rules and policies
  • Security assessment methodologies
  • Incident response and forensics

Real-World Impact

Notable Security Incidents:

  • SolarWinds (2020): Supply chain attack detected through traffic analysis
  • NotPetya (2017): Ransomware spread via network traffic
  • WannaCry (2017): Global ransomware attack affecting 200,000+ systems

Impact: Data breaches, service disruption, financial loss, reputation damage

Traffic Analysis Techniques

1. Packet Capture and Analysis

<!-- Wireshark Filters -->
# HTTP traffic
http
# TLS/HTTPS traffic (the older filter name "ssl" is still accepted as an alias)
tls
# DNS queries
dns
# Connection attempts only: SYN set, ACK clear (half-open connections, scan candidates)
tcp.flags.syn == 1 and tcp.flags.ack == 0
# Source IP analysis
ip.src == 192.168.1.100
# Port scanning detection: new SSH connection attempts; many sources, or one source
# hitting many ports in a short time, point to a scan
tcp.port == 22 and tcp.flags.syn == 1

2. Flow Analysis

<!-- NetFlow Export (Cisco IOS syntax) -->
# Export flow records to the collector at 192.168.1.100, UDP port 2055
ip flow-export destination 192.168.1.100 2055
ip flow-export version 9
ip flow-export template timeout-rate 1
# Collect flows on the monitored interface (interface name is a placeholder)
interface GigabitEthernet0/1
 ip flow ingress

<!-- sFlow Configuration -->
# Sample 1 in 1000 packets and push interface counters every 20 s to the collector
sflow agent-ip 192.168.1.1
sflow collector-ip 192.168.1.100
sflow sampling-rate 1000
sflow polling-interval 20
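As an added example (not part of the slides), the following Python script applies the idea behind the SYN-without-ACK filter to NetFlow-style records: it keeps only half-open flows and flags any source that touches many distinct destination ports within a short window. The flow records and the 20-port/60-second thresholds are constructed assumptions.

```python
"""Port-scan detection over NetFlow-style flow records.

Added example, not from the slides. The flow records and the thresholds
(20 distinct ports within 60 s) are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02  # TCP flag bits as exported in NetFlow v9 / sFlow samples
ACK = 0x10


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start time, seconds
    src: str
    dst: str
    dport: int
    tcp_flags: int   # OR of all TCP flags seen in the flow
    packets: int


# Constructed sample: two normal sessions, then 10.0.0.5 sending a bare SYN
# to 30 different ports of the same host within a third of a second.
SAMPLE_FLOWS = [
    Flow(0.0, "192.168.1.20", "192.168.1.10", 443, SYN | ACK, 40),
    Flow(0.5, "192.168.1.21", "192.168.1.10", 22, SYN | ACK, 120),
] + [
    Flow(1.0 + i * 0.01, "10.0.0.5", "192.168.1.10", 1 + i, SYN, 1)
    for i in range(30)
]


def half_open_flows(flows):
    """Flow-level equivalent of the Wireshark filter
    'tcp.flags.syn == 1 and tcp.flags.ack == 0': a SYN was sent but the
    flow never carried an ACK, so the handshake did not complete."""
    return [f for f in flows if f.tcp_flags & SYN and not f.tcp_flags & ACK]


def detect_scanners(flows, window=60.0, min_ports=20):
    """Return {source_ip: distinct_ports} for sources whose half-open flows
    reach min_ports distinct destination ports inside any `window` seconds."""
    by_src = defaultdict(list)
    for f in half_open_flows(flows):
        by_src[f.src].append(f)

    scanners = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start, best = 0, 0
        for end in range(len(fl)):
            # slide the window start forward until it spans <= window seconds
            while fl[end].ts - fl[start].ts > window:
                start += 1
            best = max(best, len({f.dport for f in fl[start:end + 1]}))
        if best >= min_ports:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_FLOWS).items():
        print(f"possible port scan from {src}: {ports} distinct ports half-open")
```

Tune `min_ports` and `window` against your own baseline: a vulnerability scanner or a monitoring host that legitimately probes many ports will trip this and needs an allow-list rather than a higher threshold.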

Anomaly Detection

1. Statistical Analysis

<!-- Baseline Traffic Patterns -->
# Normal business hours
08:00-18:00: 1000-5000 packets/min
18:00-08:00: 100-500 packets/min

# Anomaly thresholds
Bandwidth: >200% of baseline
Connections: >500% of baseline
Failed logins: >10 per minute

# Alert conditions
if (traffic > baseline * 2) {
  trigger_alert("High traffic volume");
}
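The thresholds above only make sense relative to the right baseline: the same packet rate is normal at 10:00 and anomalous at 03:00. The Python below (an added example, not from the slides) encodes the slide's business-hours split and the 200%/500%/10-per-minute thresholds; the connection baselines and the sample per-minute counters are constructed assumptions.

```python
"""Baseline-relative alerting for per-minute traffic counters.

Added example, not from the slides. Baseline values follow the slide's
business-hours / out-of-hours split; the connection baselines and the sample
counters are constructed assumptions.
"""
from dataclasses import dataclass

# Midpoints of the slide's packet ranges; connection baselines are assumed.
BASELINE = {
    "business": {"packets": 3000, "connections": 200},
    "offhours": {"packets": 300, "connections": 20},
}
# Relative thresholds from the slide (>200% / >500% of baseline).
THRESHOLDS = {"packets": 2.0, "connections": 5.0}
FAILED_LOGIN_LIMIT = 10  # absolute: more than 10 failed logins per minute


@dataclass
class MinuteStats:
    hour: int            # local hour of the minute, 0-23
    packets: int
    connections: int     # new connections opened in the minute
    failed_logins: int


def period(hour):
    """Which baseline applies: 08:00-18:00 is business hours."""
    return "business" if 8 <= hour < 18 else "offhours"


def evaluate(m):
    """Return the alerts raised by one minute of counters (empty = normal)."""
    base = BASELINE[period(m.hour)]
    alerts = []
    for metric, factor in THRESHOLDS.items():
        value = getattr(m, metric)
        if value > base[metric] * factor:
            alerts.append(
                f"{metric}: {value} exceeds {factor:.0%} of baseline {base[metric]}"
            )
    if m.failed_logins > FAILED_LOGIN_LIMIT:
        alerts.append(f"failed_logins: {m.failed_logins} > {FAILED_LOGIN_LIMIT}/min")
    return alerts


# Constructed minutes: the same volume is normal at 10:00 and anomalous at 03:00.
SAMPLE = [
    MinuteStats(hour=10, packets=4500, connections=250, failed_logins=2),
    MinuteStats(hour=3, packets=4500, connections=250, failed_logins=2),
    MinuteStats(hour=14, packets=2000, connections=1200, failed_logins=25),
]


def evaluate_all(samples=SAMPLE):
    return [evaluate(m) for m in samples]


if __name__ == "__main__":
    for m, alerts in zip(SAMPLE, evaluate_all()):
        print(f"{m.hour:02d}:xx", alerts or "normal")
```

Failed logins use an absolute limit rather than a multiple of baseline on purpose: a baseline of zero failures would make any relative threshold fire on the first mistyped password.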

2. Behavioral Analysis

<!-- User Behavior Analysis -->
# Normal user patterns
- Login during business hours
- Access to authorized resources
- Normal data transfer volumes

# Suspicious patterns
- Login outside business hours
- Access to unauthorized resources
- Unusual data transfer patterns
- Multiple failed login attempts

Firewall Configuration

1. iptables Rules

<!-- Basic Firewall Rules -->
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host initiated (keep this above any service rules);
# -m conntrack --ctstate is the current form of the older -m state --state
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow new SSH connections only from the management network
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

2. Advanced Firewall Rules

<!-- Rate Limiting -->
# Record each new SSH attempt per source, then drop the 4th and later attempts within 60 s.
# Both rules must sit before the rule that accepts SSH; established sessions are already accepted above.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

<!-- Port Knocking -->
# The sequence 1000 -> 2000 -> 3000 (each step within 10 s) opens SSH for 10 s to the knocking source;
# the knock packets themselves fall through to the default DROP policy
iptables -A INPUT -p tcp --dport 1000 -m recent --set --name KNOCK1
iptables -A INPUT -p tcp --dport 2000 -m recent --rcheck --seconds 10 --name KNOCK1 -m recent --set --name KNOCK2
iptables -A INPUT -p tcp --dport 3000 -m recent --rcheck --seconds 10 --name KNOCK2 -m recent --set --name KNOCK3
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 10 --name KNOCK3 -j ACCEPT
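Rule order decides what a chain does, and the recent-module rate limit only works when the set/update pair sits before the accept rule. The Python below is an added example (not from the slides and not iptables itself): a small first-match simulator of the INPUT chain shown above, used to check verdicts for sample packets before loading rules on a host. The packets are constructed test cases.

```python
"""First-match simulator for an iptables-style INPUT chain.

Added example, not from the slides and not iptables itself: a small model used
to check what a rule set does to sample packets before loading it on a host.
The rules mirror the slide's default-DROP policy, loopback/established accepts,
SSH rate limiting with the recent module, and SSH restricted to 192.168.1.0/24.
The packets are constructed test cases.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dport: int = 0
    proto: str = "tcp"
    iface: str = "eth0"
    state: str = "NEW"    # conntrack state: NEW or ESTABLISHED


def matches(rule, pkt):
    """Static matches: every key present in the rule must equal the packet's field."""
    for key in ("proto", "dport", "iface", "state"):
        if key in rule and rule[key] != getattr(pkt, key):
            return False
    if "src" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
        return False
    return True


class Chain:
    def __init__(self, rules, policy="DROP"):
        self.rules = rules
        self.policy = policy            # default policy, used when no rule fires
        self.recent = {}                # list name -> src -> timestamps (the recent module)

    def _recent(self, spec, pkt, now):
        """Model of -m recent: ('set', name) records the source and matches;
        ('update', name, seconds, hitcount) matches once the source has been
        seen hitcount times within the last `seconds`."""
        hits = self.recent.setdefault(spec[1], {}).setdefault(pkt.src, [])
        if spec[0] == "set":
            hits.append(now)
            return True
        _, _, seconds, hitcount = spec
        return len([t for t in hits if now - t <= seconds]) >= hitcount

    def verdict(self, pkt, now=0.0):
        """Walk the chain in order; the first matching rule with a target decides."""
        for rule in self.rules:
            if not matches(rule, pkt):
                continue
            if "recent" in rule and not self._recent(rule["recent"], pkt, now):
                continue
            if "target" in rule:
                return rule["target"]
        return self.policy


def build_input_chain():
    """The slide's INPUT chain, rule for rule, in its original order."""
    return Chain(policy="DROP", rules=[
        {"iface": "lo", "target": "ACCEPT"},
        {"state": "ESTABLISHED", "target": "ACCEPT"},
        # rate limit: record the attempt, then drop the 4th within 60 s
        {"proto": "tcp", "dport": 22, "state": "NEW", "recent": ("set", "SSH")},
        {"proto": "tcp", "dport": 22, "state": "NEW",
         "recent": ("update", "SSH", 60, 4), "target": "DROP"},
        {"proto": "tcp", "dport": 22, "src": "192.168.1.0/24", "target": "ACCEPT"},
    ])


def ssh_attempts(src, times):
    """Verdicts for a series of new SSH connections from one source at the given times."""
    chain = build_input_chain()
    return [chain.verdict(Packet(src, dport=22), now=t) for t in times]


if __name__ == "__main__":
    print(ssh_attempts("192.168.1.50", [0, 1, 2, 3, 100]))  # 4th attempt dropped, limit expires
    print(ssh_attempts("10.0.0.9", [0]))                     # not in the management subnet
    print(build_input_chain().verdict(Packet("10.0.0.9", dport=22, state="ESTABLISHED")))
```

Moving the subnet ACCEPT rule above the two recent-module rules in `build_input_chain` makes the limiter dead code for the management network; running the simulator after such a change shows the fourth attempt being accepted, which is exactly the kind of ordering mistake worth catching before deployment.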

Firewall Management

1. Zone-Based Firewalls

<!-- Cisco Zone-Based Firewall -->
# Define zones
zone security INSIDE
zone security OUTSIDE
zone security DMZ

# Assign interfaces to zones (interface names are placeholders)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE

# Classify traffic and choose the action (inspect = stateful allow)
class-map type inspect match-any INSIDE-OUTSIDE
 match access-group 100
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect INSIDE-OUTSIDE
  inspect

# Define zone pairs and attach the policy; a zone pair with no policy drops all traffic
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ

2. Application-Aware Firewalls

<!-- Application Control (vendor-neutral pseudo-configuration; the real syntax differs per product) -->
# Block applications by signature rather than by port
application-control
  block facebook
  block youtube
  allow business-apps

# Deep Packet Inspection
# Inspecting https means the firewall terminates and re-signs TLS sessions, which
# requires its CA certificate on every client; the other protocols are readable as-is
dpi
  inspect http
  inspect https
  inspect ftp
  inspect smtp

Security Assessment Methodology

1. Assessment Phases

<!-- Security Assessment Process -->
1. Planning and Preparation
  - Define scope and objectives
  - Obtain authorization
  - Gather information

2. Reconnaissance
  - Network discovery
  - Service enumeration
  - Vulnerability scanning

3. Vulnerability Assessment
  - Manual testing
  - Automated scanning
  - Risk analysis

4. Reporting
  - Document findings
  - Risk prioritization
  - Remediation recommendations

2. Testing Techniques

<!-- Testing Techniques -->
# Network Testing
- Port scanning
- Service enumeration
- Protocol analysis
- Traffic analysis

# Application Testing
- Web application scanning
- Authentication testing
- Input validation testing
- Session management testing

# Social Engineering
- Phishing simulations
- Physical security testing
- Awareness assessment

Career Opportunities in Cybersecurity

Cybersecurity Roles:

  • Security Analyst: £30,000 - £60,000
  • Penetration Tester: £35,000 - £70,000
  • Security Engineer: £40,000 - £80,000
  • Security Consultant: £50,000 - £100,000
  • Security Manager: £60,000 - £120,000
  • CISO: £80,000 - £200,000+

Skills Needed: Security assessment, Risk management, Incident response, Compliance

OS³ Newman Cyber Security Lab

NET-TRAFFIC-01, NET-FIREWALL-01 & Final Assessment Lab Environment

Our OS³ Studio provides hands-on experience with:

  • Network traffic analysis and monitoring
  • Firewall configuration and management
  • Comprehensive security assessment scenarios
  • Incident response and forensics

Access: Available through university portal

Web Demos and Tools

Case Study: SolarWinds Supply Chain Attack

2020 SolarWinds Supply Chain Attack

  • Impact: 18,000+ organizations compromised
  • Method: Malicious code injected into software updates
  • Detection: Traffic analysis revealed unusual network activity
  • Response: Incident response teams activated worldwide

Lesson: Comprehensive monitoring and traffic analysis are essential for detecting sophisticated attacks

Summary: Comprehensive Security Assessment Areas

Key Assessment Areas:

  1. Network security and protocols
  2. Web application security
  3. Authentication and access control
  4. Data protection and encryption
  5. Incident response capabilities
  6. Compliance and governance
  7. Physical security controls

Task 1: Traffic Analysis and Firewall Configuration

Objective:

Use OS³ Studio to perform network traffic analysis and configure firewall rules.

Instructions:

  1. Access the OS³ Studio network lab environment
  2. Capture and analyze network traffic using Wireshark
  3. Identify suspicious traffic patterns and anomalies
  4. Configure firewall rules to block malicious traffic
  5. Test firewall effectiveness against various attacks
  6. Implement traffic monitoring and alerting
  7. Document all findings and configurations
  8. Prepare a network security assessment report

Time: 45 minutes

Focus on comprehensive network security analysis and implementation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Final Assessment and Task 2

Incident Response

1. Incident Response Process

<!-- Incident Response Phases -->
1. Preparation
  - Incident response plan
  - Team roles and responsibilities
  - Communication procedures

2. Identification
  - Detect security incidents
  - Analyze indicators of compromise
  - Assess impact and scope

3. Containment
  - Isolate affected systems
  - Prevent further damage
  - Preserve evidence

4. Eradication
  - Remove threats
  - Patch vulnerabilities
  - Strengthen defenses

5. Recovery
  - Restore systems
  - Monitor for recurrence
  - Validate security

6. Lessons Learned
  - Document incident
  - Update procedures
  - Improve security

2. Digital Forensics

<!-- Forensic Analysis -->
# Memory analysis (Volatility 2 syntax; the profile must match the captured OS)
volatility -f memory.dump --profile=Win7SP1x64 pslist
volatility -f memory.dump --profile=Win7SP1x64 netscan

# Disk analysis: Autopsy GUI, or The Sleuth Kit command-line tools
autopsy
# partition layout of the image
mmls disk.img
# recursive file listing of the partition starting at sector 2048
fls -r -o 2048 disk.img

# Network forensics
wireshark
tshark -r capture.pcap -T fields -e ip.src -e ip.dst

# Timeline analysis (plaso): build the storage file, then export a CSV timeline
log2timeline.py --storage-file timeline.plaso /path/to/evidence
psort.py -o l2tcsv -w timeline.csv timeline.plaso

Security Monitoring

1. SIEM Implementation

<!-- ELK Stack Configuration -->
# Elasticsearch configuration (elasticsearch.yml)
cluster.name: security-cluster
node.name: security-node-1
# 0.0.0.0 listens on every interface; only do this with authentication and TLS
# enabled (xpack.security.enabled: true), otherwise bind to the management address
network.host: 0.0.0.0
http.port: 9200

# Logstash configuration (pipeline .conf)
input {
  beats {
    port => 5044
  }
}

filter {
  if [fields][log_type] == "security" {
    grok {
      # parse into a new field so the original "message" stays intact for evidence
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{IP:source_ip} %{GREEDYDATA:event_text}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "security-%{+YYYY.MM.dd}"
  }
}

2. Threat Intelligence

<!-- Threat Intelligence Feeds -->
# IOC (Indicators of Compromise)
- IP addresses
- Domain names
- File hashes
- Email addresses

# Threat Intelligence Sources
- Commercial feeds
- Open source feeds
- Government sources
- Industry sharing

# Integration with SIEM
- Automated correlation
- Real-time alerts
- Historical analysis
- Trend analysis
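"Automated correlation" in practice means parsing each event into fields and checking those fields against the indicator feed. The Python below is an added example (not from the slides and not any SIEM product's code): it applies a regex equivalent of the grok pattern from the SIEM slide above, extracts IP, domain and SHA-256 candidates, and matches them against a feed. The log lines and every indicator value are constructed sample data.

```python
"""IOC correlation over parsed security log lines.

Added example, not from the slides and not a SIEM product's code. The regex
mirrors the slide's grok pattern (SYSLOGTIMESTAMP, IP, GREEDYDATA); the log
lines and the indicator feed are constructed sample data.
"""
import re

# Same three pieces as the Logstash grok pattern on the SIEM slide.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.*)$"
)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

# Constructed indicator feed (every value is made up for the example).
FAKE_HASH = "0123456789abcdef" * 4
IOC_FEED = {
    "ip": {"198.51.100.23"},
    "domain": {"update-cdn.example.net"},
    "sha256": {FAKE_HASH},
}

# Constructed log lines in the format the grok pattern expects.
SAMPLE_LOGS = [
    "Mar 10 09:14:02 192.168.1.20 dns query update-cdn.example.net",
    "Mar 10 09:14:05 198.51.100.23 ssh login failed for root",
    "Mar 10 09:15:11 192.168.1.21 av scan sha256=" + FAKE_HASH + " quarantined",
    "Mar 10 09:16:00 192.168.1.22 http GET /index.html 200",
    "this line is not syslog and must not crash the pipeline",
]


def parse(line):
    """Return the grok-style fields, or None if the line does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def extract_iocs(event):
    """Pull candidate indicators out of one parsed event, keyed by IOC type.
    The domain regex is deliberately loose (it also catches file names such as
    index.html); false candidates are harmless because they never hit the feed."""
    return {
        "ip": {event["source_ip"]},
        "domain": {d.lower() for d in DOMAIN_RE.findall(event["msg"])},
        "sha256": {h.lower() for h in SHA256_RE.findall(event["msg"])},
    }


def correlate(lines, feed=IOC_FEED):
    """Return ([(timestamp, ioc_type, value), ...], unparsed_count)."""
    alerts, unparsed = [], 0
    for line in lines:
        event = parse(line)
        if event is None:
            unparsed += 1   # count, never silently drop: a broken parser hides attacks
            continue
        for kind, values in extract_iocs(event).items():
            for hit in sorted(values & feed.get(kind, set())):
                alerts.append((event["timestamp"], kind, hit))
    return alerts, unparsed


if __name__ == "__main__":
    hits, skipped = correlate(SAMPLE_LOGS)
    for ts, kind, value in hits:
        print(f"{ts}  IOC match ({kind}): {value}")
    print(f"{skipped} line(s) did not parse")
```

The unparsed counter is the detail worth keeping from this: a grok failure in the pipeline (Logstash tags such events `_grokparsefailure`) is itself something to alert on, because an attacker whose log lines never parse is invisible to every downstream rule.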

Compliance and Governance

1. Security Frameworks

<!-- Security Frameworks -->
# NIST Cybersecurity Framework
- Identify: Asset management, Risk assessment
- Protect: Access control, Data security
- Detect: Monitoring, Detection processes
- Respond: Response planning, Communications
- Recover: Recovery planning, Improvements

# ISO 27001
- Information security management system
- Risk management
- Security controls
- Continuous improvement

# COBIT
- IT governance framework
- Process management
- Control objectives
- Maturity models

2. Risk Management

<!-- Risk Assessment Process -->
1. Asset Identification
  - Hardware assets
  - Software assets
  - Data assets
  - Human assets

2. Threat Analysis
  - External threats
  - Internal threats
  - Threat likelihood
  - Threat impact

3. Vulnerability Assessment
  - Technical vulnerabilities
  - Process vulnerabilities
  - Human vulnerabilities

4. Risk Calculation
  Risk = Threat × Vulnerability × Impact

5. Risk Treatment
  - Accept
  - Avoid
  - Mitigate
  - Transfer

Career Development in Cybersecurity

Next Steps:

  • Advanced Certifications: CISSP, CISM, CISA, OSCP
  • Specialized Training: Incident response, Digital forensics
  • Hands-on Practice: CTF competitions, Bug bounties
  • Industry Networking: Security conferences, meetups
  • Research: New attack techniques, Defense methods

Resources: ISC² | SANS | OWASP

Task 2: Final Comprehensive Security Assessment

Objective:

Use OS³ Studio to perform a comprehensive security assessment covering all course topics.

Instructions:

  1. Access the OS³ Studio final assessment environment
  2. Perform comprehensive vulnerability assessment
  3. Test all security controls and configurations
  4. Analyze network traffic and identify threats
  5. Assess web application security
  6. Evaluate authentication and access controls
  7. Test incident response procedures
  8. Prepare comprehensive security assessment report

Time: 45 minutes

Focus on demonstrating comprehensive understanding of all course topics

Course Summary

CMU540: Cyber Security - Complete Course Coverage:

  • Sessions 1-3: OWASP Top 10 (A01-A03)
  • Sessions 4-6: Web Security (SQL, XSS, CSRF, Config)
  • Sessions 7-9: Advanced Security (Components, Auth, Data, Logging, SSRF, Upload)
  • Sessions 10-12: Network Security (Protocols, Scanning, DNS, Traffic, Firewall)

Total: 12 sessions, 36 hours, comprehensive cybersecurity education

Further Activity: Advanced Security Analysis

Advanced Students - Comprehensive Analysis:

For students with additional time, explore advanced security topics:

  • Advanced persistent threats (APT) analysis
  • Zero-day vulnerability research
  • Advanced evasion techniques
  • Security architecture design
  • Threat hunting methodologies

Deliverable: Advanced security research report

Final Session Summary

Key Takeaways:

  • Network traffic analysis is essential for threat detection
  • Firewall configuration provides critical network protection
  • Comprehensive security assessments require a systematic approach
  • OS³ Studio provides hands-on security testing experience
  • Incident response and forensics are critical skills
  • Career opportunities in cybersecurity are extensive

Course Completion

Congratulations!

  • CMU540: Cyber Security course completed
  • Comprehensive understanding of cybersecurity
  • Hands-on experience with OS³ Studio
  • Industry-standard security practices learned
  • Career pathways explored
  • Ready for advanced cybersecurity roles

Next Steps: Continue learning, practice with tools, consider certifications