Topic3 Principles of Network Security
Uploaded by noukeufortune54

PROPOSED BY AZOBOU CEDRIC

CHAPTER 3: Principles of Network Security
Objectives:

• Gain an understanding of the core concepts of network security.

• Learn about common threats and attacks in networked environments.

Content:

• Overview of network threats (e.g., DoS, MITM, spoofing, sniffing).

• Introduction to cryptography and its role in network security (encryption, hashes, digital signatures).

• Understanding firewalls, VPNs, and intrusion detection/prevention systems (IDS/IPS).

• The concept of defense in depth and security layers.

1. Overview of Network Threats


Network threats come in different forms and target various vulnerabilities in communication
systems. Below are some of the most common types:

1.1 Denial-of-Service (DoS) and Distributed DoS (DDoS) Attacks


Description
A Denial-of-Service (DoS) attack aims to disrupt the normal functioning of a network,
service, or server by overwhelming it with excessive traffic, rendering it inaccessible to
legitimate users. When this attack is executed from multiple compromised devices across
various locations, it's termed a Distributed Denial-of-Service (DDoS) attack. DDoS attacks
often utilize botnets—a network of malware-infected computers or IoT devices—to amplify
their impact.
In January 2025, Cloudflare reported mitigating a record-breaking DDoS attack that peaked
at 5.6 terabits per second (Tbps). This attack targeted an internet service provider (ISP) in
Eastern Asia and originated from a Mirai-based botnet comprising approximately 13,000
compromised devices. Despite the unprecedented scale, Cloudflare successfully managed and
mitigated the attack without human intervention.
This incident underscores the evolving sophistication and scale of DDoS attacks,
highlighting the necessity for robust cybersecurity measures to protect critical infrastructure.
To summarize, about DoS and DDoS:
• Attackers flood a network or service with excessive traffic, causing disruption.
• DDoS uses multiple compromised systems (botnets) to launch the attack.
Practice:
1. Use hping3 or LOIC (in a controlled lab) to simulate a DoS attack on a test server.
2. Implement rate-limiting rules using iptables to mitigate DoS attacks.

Page 1 of 19

Simulating a Denial-of-Service (DoS) Attack Using hping3 and LOIC


⚠ Disclaimer: These commands should only be used in a controlled lab environment with
explicit permission. Unauthorized use against live systems is illegal and unethical.
1. Using hping3 for a DoS Attack
hping3 is a command-line tool that can generate custom network packets for testing network
security.
Command to Launch a DoS Attack with hping3
sudo hping3 -S --flood -p 80 <TARGET_IP>
Explanation:
• sudo → Runs with administrative privileges.
• hping3 → The tool name.
• -S → Sends SYN packets to simulate a SYN flood attack.
• --flood → Sends packets as fast as possible without waiting for a response.
• -p 80 → Targets port 80 (HTTP service).
• <TARGET_IP> → Replace with the target’s IP address.

Stopping the attack

Press CTRL + C to stop sending packets.

2. Using LOIC (Low Orbit Ion Cannon) for a DoS Attack


LOIC is a graphical tool that allows users to send massive amounts of traffic to a target.
Steps to Use LOIC
1. Download LOIC
o LOIC is available on GitHub, but it is often flagged as malicious. Only use it in
a controlled test environment.
2. Launch LOIC
o Open the LOIC application.
3. Set Target
o Enter the target IP or domain name.
4. Configure Attack Settings:
o Choose TCP, UDP, or HTTP attack mode.
o Set the number of threads (higher values increase attack intensity).
5. Start the Attack
o Click "IMMA CHARGIN MAH LAZER" to initiate the attack.


6. Stop the Attack


o Click "STOP FLOOD" when testing is complete.

3. Preventive Measures Against DoS Attacks


• Implement rate-limiting rules with iptables:
sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Breakdown of the Command Components:
• sudo → Runs the command with superuser (root) privileges.
• iptables → Firewall management tool to filter network traffic.
• -A INPUT → Appends a rule to the INPUT chain (applies to incoming packets).
• -p tcp → Specifies the rule applies only to TCP traffic.
• --dport 80 → Targets port 80, which is typically used for HTTP web traffic.
• -m limit → Uses the limit module, which controls the rate of packet acceptance.
• --limit 25/minute → Allows at most 25 matching packets per minute on average (the limit module counts packets, not connections; add --syn to the rule if only new connection attempts should be counted).
• --limit-burst 100 → Initially allows a burst of 100 packets before the rate limit takes
effect.
• -j ACCEPT → Accepts packets that meet the limit conditions.
How It Works:
1. Burst Control: The rule starts by allowing up to 100 packets at once.
2. Rate Limiting: After the burst is exhausted, only 25 packets per minute will be accepted; the burst allowance refills at that same rate (one packet every 2.4 seconds) whenever traffic is below the limit.
3. Filtering Effect: If more than 25 packets per minute arrive after the initial burst, the excess no longer matches this ACCEPT rule. Those packets are only dropped if a later rule or the INPUT chain's default policy drops them (for example sudo iptables -P INPUT DROP), so check the chain policy when testing the rule.
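The limit match is a token bucket: --limit-burst is the bucket size and --limit the refill rate. The following simulation is an added example, not part of the notes; it replays constructed packet arrival times through an equivalent bucket so the burst-then-trickle behaviour of the rule above can be checked without root or a test server.

```python
"""Token-bucket model of the iptables 'limit' match used in the rule above:
    -m limit --limit 25/minute --limit-burst 100

Added example, not part of the notes. The arrival patterns are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """--limit-burst is the bucket size; --limit is the refill rate.
    Netfilter starts the bucket full, so the first `burst` packets match."""
    rate_per_minute: float
    burst: int
    tokens: float = field(init=False)
    last_time: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at `now` (seconds) matches the rule."""
        elapsed = max(0.0, now - self.last_time)
        refill = elapsed * self.rate_per_minute / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_time = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, rate_per_minute: float = 25, burst: int = 100):
    """Run packet arrival times (seconds, non-decreasing) through the rule.

    Returns (accepted, unmatched). Unmatched packets do not reach '-j ACCEPT';
    they fall through to the rest of the INPUT chain and are dropped only if a
    later rule or the chain's default policy drops them.
    """
    match = LimitMatch(rate_per_minute, burst)
    accepted = unmatched = 0
    for t in arrivals:
        if match.matches(t):
            accepted += 1
        else:
            unmatched += 1
    return accepted, unmatched


def syn_flood(packets: int, interval: float = 0.001):
    """Constructed arrival pattern: `packets` packets, `interval` seconds apart."""
    return [i * interval for i in range(packets)]


def demo():
    """Three constructed traffic patterns against the 25/minute, burst 100 rule."""
    flood = simulate(syn_flood(1000))                 # (100, 900): burst, then starved
    recovered = simulate(syn_flood(1000) + [100.0])   # (101, 900): ~41 tokens refilled by t=100s
    steady = simulate([i * 3.0 for i in range(200)])  # (200, 0): 20/min stays under 25/min
    return flood, recovered, steady
```

With the flood pattern, only the burst of 100 is accepted in the first second; the remaining 900 packets fall through to the chain policy, which is why the policy (or a trailing DROP rule) decides whether the rule actually mitigates anything.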

1.2 Man-in-the-Middle (MITM) Attacks


Description:
A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts, relays,
and potentially alters communication between two parties who believe they are communicating
directly. This allows the attacker to steal sensitive data, manipulate messages, or inject
malicious content.
How Does a MITM Attack Work?
✓ Interception:


• The attacker positions themselves between the sender and receiver, capturing data
transmitted over a network.
✓ Eavesdropping or Modification:
• The attacker can passively listen to the communication or actively alter messages
before forwarding them to the intended recipient.
✓ Forwarding Data:
• Both parties continue communicating without realizing that their conversation is
being monitored or manipulated.
Common MITM Attack Techniques
Attack type          Description
ARP Spoofing         Attacker sends fake ARP messages to redirect traffic through their device.
DNS Spoofing         Attacker manipulates DNS responses to redirect users to malicious websites.
Wi-Fi Eavesdropping  Attacker sets up a rogue Wi-Fi hotspot to intercept traffic.
SSL Stripping        Attacker forces a downgrade from HTTPS to HTTP, exposing sensitive data.
Session Hijacking    Attacker steals session cookies to gain unauthorized access to accounts.

Example of a MITM Attack:


Scenario:
A hacker sets up a fake Wi-Fi hotspot in a public café. A user connects to it and logs
into their online banking account. The attacker captures login credentials and later uses them to
access the victim’s bank account fraudulently.
How to Prevent MITM Attacks
• Use HTTPS Everywhere: Ensure websites use SSL/TLS encryption (https://).
• Enable Two-Factor Authentication (2FA): Adds an extra security layer beyond passwords.
• Avoid Public Wi-Fi: Use a VPN if necessary.
• Use Secure DNS: Prevents DNS spoofing attacks.
• Verify Digital Certificates: Watch for SSL/TLS warnings in browsers.


Practice:
1. Use ettercap or Wireshark to sniff traffic.
2. Implement HTTPS and TLS certificates to prevent MITM attacks.


Practical Guide: Using Ettercap and Wireshark to Simulate a MITM Attack and Sniff Traffic
⚠ Disclaimer: This guide is for educational and ethical hacking purposes only in a controlled
lab environment with permission. Unauthorized use against real networks is illegal.
1. Setting Up the Lab Environment
Before starting, ensure you have:
• A Kali Linux machine (or any Linux distro with ettercap and wireshark installed).
• A target machine on the same local network (LAN or Wi-Fi).
• Root or sudo access.

2. Using Ettercap to Perform ARP Spoofing (MITM Attack)


Step 1: Install Ettercap (if not already installed)
sudo apt update && sudo apt install ettercap-text-only -y
Step 2: Enable IP Forwarding (Allows intercepted traffic to reach the intended recipient)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Step 3: Start Ettercap in Graphical or CLI Mode
• GUI Mode:
sudo ettercap -G
• CLI Mode: (for command-line users)
sudo ettercap -T -M arp:remote /<Gateway_IP>/ /<Target_IP>/
• Replace <Gateway_IP> with the router’s IP (e.g., 192.168.1.1).
• Replace <Target_IP> with the victim’s IP (e.g., 192.168.1.100).

Step 4: Launch the MITM Attack


• GUI Mode:
1. Select "Sniff" → "Unified Sniffing".
2. Choose the network interface (eth0 for wired, wlan0 for Wi-Fi).
3. Click "Hosts" → "Scan for Hosts" to find connected devices.
4. Click "Hosts" → "Host List" and select the target IP.
5. Go to "Mitm" → "ARP Poisoning", check "Sniff remote connections", and
click OK.
6. Start packet capture with "Start Sniffing".


3. Using Wireshark to Capture and Analyze Network Traffic

Once the MITM attack is active, use Wireshark to monitor and analyze packets.

Step 1: Open Wireshark


sudo wireshark
• Select the network interface (eth0 or wlan0).
• Click "Start Capture".
Step 2: Apply Filters to Focus on Credentials
• To capture HTTP login credentials: http contains "POST"
• To monitor ARP spoofing activity: arp
• To extract plain-text passwords (if not using HTTPS): tcp contains "password"
Step 3: Stop Capture and Analyze Data
• Click "Stop Capture" after collecting enough traffic.
• Look for sensitive information (unencrypted credentials, visited websites, etc.).

4. How to Stop the MITM Attack


Once testing is complete, restore the network:
➢ Stop Ettercap : sudo killall ettercap
➢ Disable IP Forwarding: echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
➢ Flush ARP Cache (Optional): sudo ip -s -s neigh flush all

5. How to Protect Against MITM Attacks
• Use HTTPS and TLS encryption.
• Enable ARP spoofing detection (on enterprise networks).
• Use VPNs to encrypt traffic.
• Set static ARP tables to prevent spoofing.

1.3 Spoofing Attacks


Description:
1. What is a Spoofing Attack?
A spoofing attack is a type of cyberattack where an attacker disguises themselves as a
trusted entity to deceive systems or users. The goal is to gain unauthorized access, steal sensitive
data, or disrupt network operations.
Key Characteristics of Spoofing Attacks:


• Involves forging identity (IP address, MAC address, DNS, etc.).


• Often used in Man-in-the-Middle (MITM) attacks to intercept communication.
• Can be used to bypass authentication mechanisms.
2. Types of Spoofing Attacks
There are several types of spoofing attacks based on the entity being impersonated.
2.1 IP Spoofing
• Description: The attacker forges the source IP address in packets to appear as a trusted
device.
• Purpose:
o Evade detection while launching Denial-of-Service (DoS) attacks.
o Impersonate a trusted system for unauthorized access.
• Example Attack:
o An attacker spoofs a bank's IP address to send phishing emails pretending to be
from the bank.
• Protection Measures:
o Enable ingress/egress filtering on firewalls.
o Use packet authentication mechanisms (e.g., IPsec).
2.2 ARP Spoofing
• Description: The attacker sends fake ARP (Address Resolution Protocol) messages
on a LAN, linking their MAC address to a legitimate IP address.
• Purpose:
o Redirect network traffic through the attacker's system (Man-in-the-Middle
Attack).
o Steal sensitive data such as login credentials.
• Example Attack:
o An attacker poisons the ARP cache of a target, making the victim's machine send
traffic to the attacker instead of the gateway.
• Protection Measures:
o Enable Dynamic ARP Inspection (DAI) on network switches.
o Use static ARP entries for critical devices.
2.3 DNS Spoofing (DNS Cache Poisoning)
• Description: The attacker modifies DNS records to redirect users to malicious
websites.
• Purpose:


o Redirect users from legitimate websites to phishing pages.


o Disrupt online services by sending traffic to fake servers.
• Example Attack:
o A victim types www.bank.com into their browser but is redirected to a fake
banking website controlled by the attacker.
• Protection Measures:
o Use DNSSEC (Domain Name System Security Extensions).
o Flush DNS cache regularly (ipconfig /flushdns on Windows).
2.4 Email Spoofing
• Description: The attacker fakes the sender’s email address to appear as a trusted
entity.
• Purpose:
o Trick users into clicking malicious links (phishing attacks).
o Deliver malware through email attachments.
• Example Attack:
o A hacker sends an email pretending to be from support@paypal.com, asking
users to reset their password through a fake link.
• Protection Measures:
o Implement SPF, DKIM, and DMARC to verify email authenticity.
o Educate users to verify email headers and URLs.
2.5 Caller ID Spoofing
• Description: The attacker manipulates the phone number displayed on the
recipient’s caller ID.
• Purpose:
o Impersonate trusted contacts (scam calls).
o Bypass phone-based authentication (e.g., OTP verification).
• Example Attack:
o A scammer calls a victim pretending to be from a bank, asking for account
details.
• Protection Measures:
o Verify suspicious calls through official channels.
o Use call-blocking services and report fraudulent numbers.


3. How Spoofing Attacks Are Executed


1. Reconnaissance: The attacker gathers information (IP addresses, DNS records, ARP
tables).
2. Crafting Fake Packets: Using tools like hping3, arpspoof, or dnsspoof to inject
malicious packets.
3. Redirection or Interception: Victim's traffic is redirected to an attacker-controlled
device.
4. Exploitation: The attacker can steal credentials, modify traffic, or launch further
attacks.

4. Example of an ARP Spoofing Attack Using Ettercap


➢ Enable IP Forwarding (so the victim’s traffic passes through the attacker):
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
➢ Start Ettercap and Perform ARP Poisoning:
sudo ettercap -T -q -i eth0 -M arp:remote /192.168.1.1/ /192.168.1.100/
• eth0 → Network interface.
• 192.168.1.1 → Router (Gateway IP).
• 192.168.1.100 → Victim’s IP.
➢ Use Wireshark to Capture Traffic: sudo wireshark
Filter packets using http or tcp contains "password" to extract credentials.

5. Use arpspoof to launch an ARP spoofing attack


⚠ Warning: ARP spoofing is an offensive security technique. Only perform this in a controlled
lab environment with permission. Unauthorized use is illegal and unethical.
1. Understanding ARP Spoofing
How ARP Works:
• ARP (Address Resolution Protocol) translates IP addresses to MAC addresses within
a network.
• Devices maintain an ARP table to store IP-to-MAC mappings.
• Attackers can send forged ARP replies to trick devices into associating the wrong MAC
address with a given IP.
Goal of an ARP Spoofing Attack:
• Redirect network traffic through the attacker’s machine (Man-in-the-Middle attack).
• Capture or modify traffic before forwarding it to the intended recipient.


2. Setting Up the Lab Environment


Prerequisites:
• A network with at least three devices:
o Attacker: Kali Linux (or any Linux system with arpspoof installed).
o Victim: Any computer or virtual machine.
o Gateway (Router): The network router (e.g., 192.168.1.1).
Required Tools:
• arpspoof (part of the dsniff package)
• Wireshark (for packet capture)
• iptables (to forward packets)
To install the necessary tools: sudo apt update && sudo apt install dsniff wireshark -y
3. Steps to Launch an ARP Spoofing Attack
Step 1: Enable IP Forwarding
Since the attacker needs to forward traffic between the victim and the router, enable IP forwarding:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
This allows the attacker's machine to act as a router and forward traffic.
Step 2: Identify Network Details
Find the IP and MAC addresses of the devices:
ip a # List all network interfaces and IPs
arp -a # View ARP table with IP-MAC mappings
Example:
• Victim IP: 192.168.1.100
• Gateway IP: 192.168.1.1
Step 3: Start ARP Spoofing
To send fake ARP packets:
Poison the Victim’s ARP Cache (Make victim believe attacker is the router)
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
• -i eth0 → Interface to use.
• -t 192.168.1.100 → Target victim (the host whose ARP cache is poisoned).
• 192.168.1.1 → Host to impersonate (the router's IP); the victim is told the attacker's MAC for this IP.
Poison the Router’s ARP Cache (Make router think attacker is the victim)
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100


Step 4: Capture Traffic Using Wireshark


Start Wireshark and filter for HTTP traffic (or passwords):
1. Open Wireshark: sudo wireshark
2. Set filter to: http || tcp contains "password"
3. If the victim enters credentials on an insecure website, they appear in plain text.
4. Stopping the Attack & Cleaning Up
To restore normal ARP operation:
1. Kill arpspoof processes: sudo pkill arpspoof
2. Flush ARP tables:
   o On Linux: sudo ip -s -s neigh flush all
   o On Windows: arp -d *
3. Disable IP forwarding: echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
5. How to Defend Against Spoofing Attacks
General Protection Strategies
1. Use Strong Authentication
o Implement multi-factor authentication (MFA).
o Prefer HTTPS over HTTP for encrypted communication.
2. Implement Network Security Measures
o Enable firewalls and intrusion detection systems (IDS/IPS).
o Use VPNs to encrypt sensitive traffic.
3. Monitor and Detect Spoofing Attacks
o Use ARP monitoring tools like arpwatch:
sudo apt install arpwatch
sudo arpwatch -i eth0
o Enable logging and alerts for suspicious activities
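Both the MITM section (enable ARP spoofing detection, static ARP tables) and the arpwatch step above rely on noticing when an IP-to-MAC mapping changes. The following Python is an added example, not part of the notes or of arpwatch itself: it does the same check for a single host against constructed `ip neigh` output, flagging an IP whose MAC differs from a known-good baseline (arpwatch's "changed ethernet address" event) and a MAC that answers for the gateway and another host at the same time, which is what the two-sided poisoning described in Step 3 looks like from the LAN. The line format and addresses are assumptions made up for the example.

```python
"""Detect ARP cache poisoning from snapshots of the neighbour table.

Added example (not from the notes): a single-host version of what arpwatch
does, run over constructed 'ip neigh' output instead of a live table.
"""
import re
from collections import defaultdict

# One 'ip neigh' line: "<ip> dev <iface> lladdr <mac> <state>" (constructed format assumption)
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)


def parse_neigh(output: str) -> dict:
    """Map IP -> MAC from 'ip neigh' text. Entries without lladdr
    (FAILED / INCOMPLETE) carry no mapping and are skipped."""
    table = {}
    for line in output.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def check_snapshot(baseline: dict, current: dict, gateway_ip: str) -> list:
    """Compare a fresh ARP snapshot against the known-good baseline.

    Alerts on:
      * an IP whose MAC differs from the baseline (a legitimate NIC swap is rare;
        a change on the gateway IP is the classic poisoning symptom),
      * one MAC answering for the gateway IP and for other hosts at once.
    Returns a list of alert strings (empty when nothing is wrong).
    """
    alerts = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            alerts.append(f"MAC change for {ip}: {old} -> {mac}")

    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    gw_mac = current.get(gateway_ip)
    if gw_mac is not None and len(by_mac[gw_mac]) > 1:
        others = sorted(by_mac[gw_mac] - {gateway_ip})
        alerts.append(f"gateway {gateway_ip} MAC {gw_mac} also answers for {', '.join(others)}")
    return alerts


# Constructed sample output: a healthy baseline, then the table after poisoning
BASELINE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 STALE
192.168.1.100 dev eth0 lladdr 00:11:22:33:44:64 REACHABLE
"""

POISONED_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.100 dev eth0 lladdr 00:11:22:33:44:64 STALE
192.168.1.200 dev eth0 FAILED
"""


def demo() -> list:
    """Baseline vs. poisoned snapshot for gateway 192.168.1.1."""
    baseline = parse_neigh(BASELINE_NEIGH)
    return check_snapshot(baseline, parse_neigh(POISONED_NEIGH), "192.168.1.1")
```

On a real host the snapshots would come from running ip neigh periodically; a static (PERMANENT) entry for the gateway, as recommended above, stops the first alert from ever being possible because the kernel ignores unsolicited replies for it.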

1.4 Packet Sniffing


Description:
Packet sniffing is the process of intercepting and analyzing network traffic to monitor
data packets transmitted over a network. It can be used for network troubleshooting,
performance monitoring, and security auditing. However, attackers also use it for malicious
purposes, such as capturing sensitive information like passwords and credit card details.


How Packet Sniffing Works


A packet sniffer (also called a network analyzer) captures data packets traveling across a
network. These tools operate in two modes:
• Promiscuous Mode: The network interface captures all packets, even those not
intended for the machine.
• Non-Promiscuous Mode: The network interface only captures packets addressed to the
machine.
Step-by-Step Explanation of Packet Sniffing
Step 1: Understanding Network Packets
• Data is broken into small packets before being transmitted.
• Each packet contains:
o Header: Source and destination IP addresses, protocol information.
o Payload: The actual data being transmitted.
o Trailer: Error-checking mechanisms (e.g., CRC).
Step 2: Choosing a Packet Sniffing Tool
Popular tools include:
• Wireshark (GUI-based)
• tcpdump (Command-line based)
• Ettercap (Used for MITM attacks and sniffing)
Step 3: Setting Up the Packet Sniffer
Using Wireshark:
1. Download and install Wireshark from wireshark.org.
2. Run Wireshark with administrator privileges.
3. Select a network interface (Wi-Fi or Ethernet).
4. Start capturing packets by clicking the "Start" button.
Using tcpdump (Linux/macOS):
1. Open a terminal.
2. Use the command: sudo tcpdump -i eth0
   This captures packets on the eth0 network interface.
Step 4: Capturing Network Traffic
• Once started, the packet sniffer records all data packets traveling over the network.
• Filters can be applied to focus on specific packets, such as HTTP traffic or packets from
a particular IP.


Step 5: Analyzing Packets


• Inspect packet details such as source/destination IPs, protocols (HTTP, HTTPS, DNS,
etc.), and payload data.
• Identify suspicious packets that may indicate network attacks or data leaks.
Step 6: Applying Filters (Optional but Important)
Filtering packets helps in analyzing specific data efficiently.
• In Wireshark, apply filters like:
o http → Show only HTTP traffic
o ip.src == 192.168.1.1 → Show packets from a specific IP
o tcp.port == 443 → Show only HTTPS traffic
• In tcpdump, use filters like: sudo tcpdump -i eth0 port 80
  This captures only HTTP traffic on port 80.
Practice: Hands-on Packet Sniffing
Lab 1: Capturing Network Traffic with Wireshark
Objective:
• Learn to capture and analyze real network traffic.
Steps:
1. Open Wireshark and select your active network interface.
2. Click “Start” to begin capturing packets.
3. Open a web browser and visit a non-HTTPS website (e.g., http://example.com).
4. In Wireshark, apply the filter: http
   This will display only HTTP packets.
5. Identify the GET and POST requests and analyze the transmitted data.
Lab 2: Monitoring Specific Protocols with tcpdump
Objective:
• Use tcpdump to monitor network traffic on a specific port.
Steps:
1. Open a terminal and start capturing packets: sudo tcpdump -i eth0 port 80
2. Open a web browser and visit a website using HTTP.
3. Observe the captured packets in real-time.
Lab 3: Detecting Unencrypted Credentials
Objective:
• Understand the risk of sending unencrypted credentials over HTTP.


Steps:
1. Start Wireshark and capture packets.
2. Login to a test website that uses HTTP (not HTTPS).
3. Use the Wireshark filter: http.request.method == "POST"
   Look at the payload data and check if the username/password is visible.
Defensive Measures Against Packet Sniffing
1. Use HTTPS Instead of HTTP
o Encrypts communication between the client and server.
2. Use VPNs
o Encrypts network traffic, preventing eavesdropping (the unauthorized interception of communication between two parties by secretly listening to or capturing data in transit).
3. Enable MAC Address Filtering
o Restricts network access to known devices.
4. Use Encrypted Protocols
o Replace Telnet with SSH, and FTP with SFTP.
5. Monitor Network Activity
o Use IDS/IPS systems to detect suspicious activity.

2. Introduction to Cryptography and Its Role in Network Security


Cryptography is the science of securing information through mathematical techniques
that ensure confidentiality, integrity, authenticity, and non-repudiation of data. It plays a
fundamental role in network security by protecting data from unauthorized access and
tampering during transmission and storage. More specifically, cryptography focuses on
designing encryption algorithms, hashing functions, and authentication mechanisms to ensure
data confidentiality, integrity, and authenticity. It is one of the two branches of cryptology, the
study of secure communication techniques that protect information from unauthorized access;
the other branch is cryptanalysis, which analyzes and breaks cryptographic systems to identify
weaknesses and improve security.
Modern cryptographic methods, such as symmetric encryption (DES, AES) and
asymmetric encryption (RSA, ECC: Elliptic Curve Cryptography), enable secure
communication over untrusted networks. Hashing algorithms (SHA-256, MD5) ensure data
integrity, while digital signatures and certificates provide authentication in secure protocols like
TLS/SSL. Two caveats a practitioner should keep in mind: an unkeyed hash by itself only
detects accidental corruption, since anyone who alters a message can recompute its hash, so
integrity against an adversary requires a key (a MAC or a digital signature); and DES and MD5
are listed for historical context, as neither is considered secure today. Cryptography underpins
essential security mechanisms, including VPNs, HTTPS, and end-to-end encrypted messaging,
safeguarding sensitive data against cyber threats such as eavesdropping, man-in-the-middle
attacks, and identity theft. Understanding cryptographic principles is crucial for designing
secure systems and defending against evolving cyber threats.
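The distinction between integrity and authenticity drawn above is easy to see in code. The following is an added example, not part of the notes; it uses only the Python standard library, the shared key is a constructed value, and HMAC stands in for the keyed step that a digital signature performs with a private key.

```python
"""Integrity versus authenticity on an untrusted network.

Added example, not part of the notes. A bare hash (SHA-256 here) catches
accidental corruption but not a deliberate change, because whoever rewrites
the message can recompute the hash; a keyed tag (HMAC-SHA256, standing in
for a signature) cannot be recomputed without the key.
"""
import hashlib
import hmac
import os


def sha256_tag(message: bytes) -> bytes:
    """Unkeyed SHA-256 digest of the message."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; only a holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_sha256(message: bytes, tag: bytes) -> bool:
    """True if the digest of `message` equals `tag`."""
    return hmac.compare_digest(sha256_tag(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """True if `tag` is the HMAC of `message` under `key`.
    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading bytes of a wrong tag were correct."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def flip_one_bit(data: bytes) -> bytes:
    """Model accidental corruption in transit: a single bit error."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def intermediary_rewrite(message: bytes) -> bytes:
    """Model an intermediary that changes the message body in transit."""
    return message.replace(b"amount=10", b"amount=9999")


def demo() -> dict:
    """Run the three cases and report whether each verification caught the change."""
    key = os.urandom(32)   # constructed session key; agreed out of band in practice
    msg = b"transfer:to=alice&amount=10"

    # Case 1: accidental corruption, hash only. The tag still belongs to the
    # original message, so the mismatch is detected.
    corrupted = flip_one_bit(msg)
    corruption_caught = not verify_sha256(corrupted, sha256_tag(msg))

    # Case 2: deliberate rewrite, hash only. The rewriter also recomputes the
    # unkeyed hash, so verification passes and the change goes unnoticed.
    rewritten = intermediary_rewrite(msg)
    tamper_caught_by_hash = not verify_sha256(rewritten, sha256_tag(rewritten))

    # Case 3: deliberate rewrite, HMAC. Without the key the rewriter can only
    # forward the original tag, which no longer matches the new message.
    tamper_caught_by_hmac = not verify_hmac(key, rewritten, hmac_tag(key, msg))

    return {
        "corruption_caught_by_hash": corruption_caught,   # True
        "tamper_caught_by_hash": tamper_caught_by_hash,   # False
        "tamper_caught_by_hmac": tamper_caught_by_hmac,   # True
    }
```

TLS applies the same idea with a key derived during the handshake, which is why the HTTPS recommendations in the MITM section defeat in-transit modification as well as eavesdropping.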


3. Understanding Firewalls, VPNs, and IDS/IPS


These security measures help in monitoring and controlling network traffic.

3.1 Firewalls
A firewall is a security system that monitors and controls incoming and outgoing
network traffic based on predefined security rules. It acts as a barrier between a trusted internal
network and an untrusted external network (e.g., the internet).
Types of Firewalls
1. Packet Filtering Firewall – Inspects packets based on IP addresses, ports, and
protocols.
2. Stateful Inspection Firewall – Tracks active connections and makes decisions based
on session history.
3. Application Layer Firewall (Proxy Firewall) – Filters traffic based on application data
(e.g., HTTP, FTP).
4. Next-Generation Firewall (NGFW) – Includes deep packet inspection (DPI), intrusion
prevention, and more.
Practical: Setting Up a Firewall (Windows/Linux)
On Windows:
1. Open Windows Defender Firewall → Click Advanced Settings.
2. Create a new Inbound Rule → Block traffic for a specific port (e.g., Port 21 for FTP).
3. Test by attempting an FTP connection and verify it is blocked:
   o Open Command Prompt: press Win + R, type cmd, and hit Enter.
   o Use the FTP command: type ftp <server_address>, replacing <server_address> with the actual FTP server domain or IP.
   o Enter login credentials: if prompted, enter the username and password for authentication. If the server allows anonymous access, try using "anonymous" as the username and press Enter.
   o Use FTP commands. Some basic FTP commands:
     dir (Lists directory contents)


     cd <directory_name> (Changes directory)
     get <filename> (Downloads a file)
     put <filename> (Uploads a file)
     bye (Exits FTP session)

On Linux (Using UFW - Uncomplicated Firewall):


1. Enable UFW: sudo ufw enable
2. Block incoming SSH connections: sudo ufw deny ssh
3. Allow web traffic (HTTP/HTTPS): sudo ufw allow 80/tcp then sudo ufw allow 443/tcp
4. Check firewall rules: sudo ufw status

3.2 Virtual Private Network (VPN): Secure Remote Access


A VPN encrypts internet traffic, creating a secure tunnel between a user’s device and a
remote server. It protects data from eavesdropping and allows secure access to private networks
over public internet connections.
Types of VPNs
1. Remote Access VPN – Used by individuals to securely connect to a private network.
2. Site-to-Site VPN – Connects entire networks securely over the internet.
3. SSL VPN – Browser-based VPN for secure remote access without requiring a dedicated
VPN client.
Practical: Setting Up a VPN (Using OpenVPN on Windows/Linux)
1. Install OpenVPN:
o On Linux: sudo apt install openvpn
o On Windows: Download and install OpenVPN.
2. Connect to a VPN server using provided credentials.
3. Check if the IP address has changed using: curl ifconfig.me
   If the IP differs from your local network, the VPN is working correctly.

3.3 Intrusion Detection & Prevention Systems (IDS/IPS)


Intrusion Detection System (IDS) – Monitors network traffic for suspicious activity and
alerts administrators.
Intrusion Prevention System (IPS) – Detects and actively blocks threats in real time.
Types of IDS/IPS
1. Network-based IDS (NIDS) – Monitors network traffic (e.g., Snort, Suricata).


2. Host-based IDS (HIDS) – Monitors activity on a single machine (e.g., OSSEC).


3. Hybrid IDS/IPS – Combines network and host-based monitoring
Practical: Setting Up an IDS (Using Snort on Linux)
1. Install Snort: sudo apt install snort
2. Run Snort in live packet capture mode: sudo snort -A console -i eth0 -c /etc/snort/snort.conf
3. Generate test traffic by pinging a website: ping google.com
4. Snort will log detected network activity.

4. Concept of Defense in Depth and Security Layers


Defense in Depth (DiD) is a cybersecurity strategy that uses multiple layers of security
controls to protect data, networks, and systems. Instead of relying on a single defense
mechanism, it ensures that if one layer is breached, additional layers continue to protect against
cyber threats.
Why is Defense in Depth Important?
• No security measure is 100% foolproof.
• Attackers may bypass a single security control, but multiple layers make it much harder.
• It reduces the risk of a single point of failure in security.
• Helps detect, delay, and respond to threats effectively.

Security Layers in Defense in Depth


1. Physical Security (First Layer) 🔒
Protects hardware, network devices, and sensitive areas from physical threats like unauthorized access, theft, or damage.
🛡 Examples:
• Security cameras (CCTV)
• Access control systems (keycards, biometrics)
• Locked server rooms
• Guards and security personnel

2. Network Security 🌐
Protects the network from external and internal threats by monitoring and controlling traffic.
🛡 Examples:

• Firewalls – Block unauthorized access
• Intrusion Detection Systems (IDS) – Detect threats
• Intrusion Prevention Systems (IPS) – Block suspicious activities
• Virtual Private Network (VPN) – Encrypts data for secure communication

3. Endpoint Security (Device Protection) 💻
Secures individual devices like computers, smartphones, and servers from malware and cyber threats.
🛡 Examples:
• Antivirus software – Detects and removes viruses
• Endpoint Detection and Response (EDR) – Advanced threat detection for endpoints
• Disk Encryption – Protects stored data (e.g., BitLocker, VeraCrypt)
• Device control policies – Restrict use of USB drives and external devices

4. Application Security 🖥️
Protects software and applications from vulnerabilities and cyberattacks.
🛡 Examples:
• Secure coding practices – Avoiding vulnerabilities like SQL injection and XSS
• Web Application Firewall (WAF) – Protects web apps from attacks
• Regular software updates and patches – Fix security vulnerabilities
• Authentication mechanisms – Multi-Factor Authentication (MFA)

5. Data Security 📊
Ensures that sensitive information is encrypted and protected from unauthorized access or loss.
🛡 Examples:
• Data Encryption (AES, RSA) – Protects data at rest and in transit
• Access Control (Role-Based Access Control - RBAC) – Limits access to sensitive information
• Data Loss Prevention (DLP) – Prevents unauthorized sharing of sensitive data
• Backups – Ensures data recovery in case of cyber incidents

6. Identity and Access Management (IAM) 🆔
Manages user access and authentication to prevent unauthorized access to systems.
🛡 Examples:
• Multi-Factor Authentication (MFA) – Requires multiple credentials for login
• Single Sign-On (SSO) – Securely manages multiple applications with one login
• Privileged Access Management (PAM) – Restricts high-level system access

7. Security Awareness and Policies 📚
Humans are often the weakest link in cybersecurity. Educating employees and users reduces risks.
🛡 Examples:
• Security awareness training – Phishing simulation exercises
• Strong password policies – Encouraging complex and unique passwords
• Incident response plan – Preparing for cybersecurity incidents
