# Firewalls and network security measures # Firewalls and network security measures

# Virtual private networks (VPNs)

# Security zones

# Subnetting and CIDR Earlier in this course, you learned about network segmentation, a security technique that divides networks into sections. A private network can be segmented to protect portions of the network from the internet, which is an unsecured global network. For example, you learned about the uncontrolled zone, the controlled zone, the demilitarized zone, and the restricted zone. Feel free to review the video about [security zones](https://www.coursera.org/learn/networks-and-network-security/lecture/GccYm/security-zones) for a refresher on how network segmentation can be used to add a layer of security to your organization’s network operations. Creating security zones is one example of a networking strategy called subnetting. ## Overview of subnetting **Subnetting** is the subdivision of a network into logical groups called subnets. It works like a network inside a network. Subnetting divides up a network address range into smaller subnets within the network. These smaller subnets form based on the IP addresses and network mask of the devices on the network. Subnetting creates a network of devices to function as their own network. This makes the network more efficient and can also be used to create security zones. If devices on the same subnet communicate with each other, the switch changes the transmissions to stay on the same subnet, improving speed and efficiency of the communications.

![Two subnets for two networks connected to one router.](https://d3c33hcgiwev3.cloudfront.net/imageAssetProxy.v1/vzbgwk8-RoCJ8Ppet89raA_1a225a330b8b4eaeb4a2b8bc5baaaef1_qvNCswL7ECbUiKTyL6rjp35BTSD-bbfoAoajmAyy4hHvmBJwwr22RU8T5aGDunmwKb1kvZ5TneMbG-nngVlkPXF6W-BTMap_a6XP-kAy5jgW13XvT5OTSCmI7U9YVNX4JzC1qn-zCkiZSXhbKjm2zq7SESzmANYH17_p4jub1mNikwElbJZECK0VuM_4Yrwljgfgdx2VpNad7gx2lFHMiu01wfeRKp-sjRa_kQ?expiry=1688169600000&hmac=P7eoUC0lmccZnEt0ygyr_SqgSwYImp3-f7vPw-87vyg)

## Classless Inter-Domain Routing notation for subnetting Classless Inter-Domain Routing (CIDR) is a method of assigning subnet masks to IP addresses to create a subnet. Classless addressing replaces classful addressing. Classful addressing was used in the 1980s as a system of grouping IP addresses into classes (Class A to Class E). Each class included a limited number of IP addresses, which were depleted as the number of devices connecting to the internet outgrew the classful range in the 1990s. Classless CIDR addressing expanded the number of available IPv4 addresses. CIDR allows cybersecurity professionals to segment classful networks into smaller chunks. CIDR IP addresses are formatted like IPv4 addresses, but they include a slash (“/’”) followed by a number at the end of the address, This extra number is called the IP network prefix. For example, a regular IPv4 address uses the 198.51.100.0 format, whereas a CIDR IP address would include the IP network prefix at the end of the address, 198.51.100.0/24. This CIDR address encompasses all IP addresses between 198.51.100.0 and 198.51.100.255. The system of CIDR addressing reduces the number of entries in routing tables and provides more available IP addresses within networks. You can try converting CIDR to IPv4 addresses and vice versa through an online conversion tool, like [IPAddressGuide](https://www.ipaddressguide.com/cidr) , for practice and to better understand this concept. **Note:** You may learn more about CIDR during your career, but it won't be covered in any additional depth in this certificate program. For now, you only need a basic understanding of this concept. ## Security benefits of subnetting Subnetting allows network professionals and analysts to create a network within their own network without requesting another network IP address from their internet service provider. This process uses network bandwidth more efficiently and improves network performance. Subnetting is one component of creating isolated subnetworks through physical isolation, routing configuration, and firewalls. ## Key takeaways Subnetting is a common security strategy used by organizations. Subnetting allows organizations to create smaller networks within their private network. This improves the efficiency of the network and can be used to create security zones. # Proxy servers

# Virtual networks and privacy This section of the course covered a lot of information about network operations. You reviewed the fundamentals of network architecture and communication and can now use this knowledge as you learn how to secure networks. Securing a private network requires maintaining the confidentiality of your data and restricting access to authorized users. In this reading, you will review several network security topics previously covered in the course, including virtual private networks (VPNs), virtual local area networks (VLANs), proxy servers, firewalls, tunneling, and security zones. You'll continue to learn more about these concepts and how they relate to each other as you continue through the course. ## **Common network protocols** Network protocols are used to direct traffic to the correct device and service depending on the kind of communication being performed by the devices on the network. Protocols are the rules used by all network devices that provide a mutually agreed upon foundation for how to transfer data across a network. There are three main categories of network protocols: communication protocols, management protocols, and security protocols.

1. Communication protocols are used to establish connections between servers. Examples include TCP, UDP, and Simple Mail Transfer Protocol (SMTP), which provides a framework for email communication. 2. Management protocols are used to troubleshoot network issues. One example is the Internet Control Message Protocol (ICMP). 3. Security protocols provide encryption for data in transit. Examples include IPSec and SSL/TLS.

Some other commonly used protocols are:

- HyperText Transfer Protocol (HTTP). HTTP is an application layer communication protocol. This allows the browser and the web server to communicate with one another. - Domain Name System (DNS). DNS is an application layer protocol that translates, or maps, host names to IP addresses. - Address Resolution Protocol (ARP). ARP is a network layer communication protocol that maps IP addresses to physical machines or a MAC address recognized on the local area network.

## **Wi-Fi** This section of the course also introduced various wireless security protocols, including WEP, WPA, WPA2, and WPA3. WPA3 encrypts traffic with the Advanced Encryption Standard (AES) cipher as it travels from your device to the wireless access point. WPA2 and WPA3 offer two modes: personal and enterprise. Personal mode is best suited for home networks while enterprise mode is generally utilized for business networks and applications. ## **Network security tools and practices** ### **Firewalls** Previously, you learned that firewalls are network virtual appliances (NVAs) or hardware devices that inspect and can filter network traffic before it’s permitted to enter the private network. Traditional firewalls are configured with rules that tell it what types of data packets are allowed based on the port number and IP address of the data packet. There are two main categories of firewalls.

- **Stateless:** A class of firewall that operates based on predefined rules and does not keep track of information from data packets - **Stateful:** A class of firewall that keeps track of information passing through it and proactively filters out threats. Unlike stateless firewalls, which require rules to be configured in two directions, a stateful firewall only requires a rule in one direction. This is because it uses a "state table" to track connections, so it can match return traffic to an existing session

Next generation firewalls (NGFWs) are the most technologically advanced firewall protection. They exceed the security offered by stateful firewalls because they include deep packet inspection (a kind of packet sniffing that examines data packets and takes actions if threats exist) and intrusion prevention features that detect security threats and notify firewall administrators. NGFWs can inspect traffic at the application layer of the TCP/IP model and are typically application aware. Unlike traditional firewalls that block traffic based on IP address and ports, NGFWs rules can be configured to block or allow traffic based on the application. Some NGFWs have additional features like Malware Sandboxing, Network Anti-Virus, and URL and DNS Filtering. ### **Proxy servers** A proxy server is another way to add security to your private network. Proxy servers utilize network address translation (NAT) to serve as a barrier between clients on the network and external threats. Forward proxies handle queries from internal clients when they access resources external to the network. Reverse proxies function opposite of forward proxies; they handle requests from external systems to services on the internal network. Some proxy servers can also be configured with rules, like a firewall. For example, you can create filters to block websites identified as containing malware. ### **Virtual Private Networks (VPN)** A VPN is a service that encrypts data in transit and disguises your IP address. VPNs use a process called encapsulation. Encapsulation wraps your encrypted data in an unencrypted data packet, which allows your data to be sent across the public network while remaining anonymous. Enterprises and other organizations use VPNs to help protect communications from users’ devices to corporate resources. Some of these resources include connecting to servers or virtual machines that host business applications. VPNs can also be used for personal use to increase personal privacy. They allow the user to access the internet without anyone being able to read their personal information or access their private IP address. Organizations are increasingly using a combination of VPN and SD-WAN capabilities to secure their networks. A software-defined wide area network (SD-WAN) is a virtual WAN service that allows organizations to securely connect users to applications across multiple locations and over large geographical distances. ### **Key takeaways** There are three main categories of network protocols: communication, management, and security protocols. In this reading, you learned the fundamentals of firewalls, proxy servers, and VPNs. More organizations are implementing a cloud-based approach to network security by incorporating a combination of VPN and SD-WAN capabilities as a service. # Glossary terms from week 2 # Glossary terms from week 2 ## Terms and definitions from Course 3, Week 2 **Address Resolution Protocol (ARP):** A network protocol used to determine the MAC address of the next router or device on the path **Cloud-based firewalls:** Software firewalls that are hosted by the cloud service provider **Controlled zone:** A subnet that protects the internal network from the uncontrolled zone **Domain Name System (DNS):** A networking protocol that translates internet domain names into IP addresses **Encapsulation:** A process performed by a VPN service that protects your data by wrapping sensitive data in other data packets **Firewall:** A network security device that monitors traffic to or from your network **Forward proxy server:** A server that regulates and restricts a person’s access to the internet **Hypertext Transfer Protocol (HTTP):** An application layer protocol that provides a method of communication between clients and website servers **Hypertext Transfer Protocol Secure (HTTPS):** A network protocol that provides a secure method of communication between clients and servers **IEEE 802.11 (Wi-Fi):** A set of standards that define communication for wireless LANs **Network protocols:** A set of rules used by two or more devices on a network to describe the order of delivery of data and the structure of data **Network segmentation:** A security technique that divides the network into segments **Port filtering:** A firewall function that blocks or allows certain port numbers to limit unwanted communication **Proxy server:** A server that fulfills the requests of its clients by forwarding them to other servers **Reverse proxy server:** A server that regulates and restricts the internet's access to an internal server **Secure File Transfer Protocol (SFTP):** A secure protocol used to transfer files from one device to another over a network **Secure shell (SSH):** A security protocol used to create a shell with a remote system **Security zone:** A segment of a company’s network that protects the internal network from the internet **Simple Network Management Protocol (SNMP):** A network protocol used for monitoring and managing devices on a network **Stateful:** A class of firewall that keeps track of information passing through it and proactively filters out threats **Stateless:** A class of firewall that operates based on predefined rules and does not keep track of information from data packets **Transmission Control Protocol (TCP):** An internet communication protocol that allows two devices to form a connection and stream data **Uncontrolled zone:** The portion of the network outside the organization **Virtual private network (VPN):** A network security service that changes your public IP address and masks your virtual location so that you can keep your data private when you are using a public network like the internet **Wi-Fi Protected Access (WPA):** A wireless security protocol for devices to connect to the internet # Course 3 resources and citations # # Week 1: Network architecture ## Resources [Helpful resources to get started](https://www.coursera.org/learn/automate-cybersecurity-tasks-with-python/supplement/u8Np0/helpful-resources-to-get-started) - [Coursera Code of Conduct](https://www.coursera.support/s/article/208280036-Coursera-Code-of-Conduct?language=en_US) - - [Coursera Honor Code](https://www.coursera.support/s/article/209818863-Coursera-Honor-Code?language=en_US) - - [Coursera: Edit my profile](https://www.coursera.org/account-profile) - - [Coursera: Learner Help Center](https://learner.coursera.help/hc/en-us) - - [Coursera’s Global Online Community](https://www.coursera.support/s/community?language=en_US) - - [Google: Common problems with labs](https://support.google.com/qwiklabs/answer/9133560?hl=en&ref_topic=9134804) - - [Google Docs help](https://support.google.com/docs/topic/9046002?hl=en&ref_topic=1382883) - - [Google Sheets help](https://support.google.com/docs/topic/9054603?hl=en&ref_topic=1382883) - - [How to use Google Slides](https://support.google.com/docs/answer/2763168?hl=en&co=GENIE.Platform%3DDesktop) - - [Microsoft Excel help and learning](https://support.microsoft.com/en-us/excel) - - [PowerPoint help and learning](https://support.microsoft.com/en-us/powerpoint) - - [Word help and learning](https://support.microsoft.com/en-us/word) - ## Citations [Network components, devices, and diagrams](https://www.coursera.org/learn/networks-and-network-security/supplement/AdErf/network-components-devices-and-diagrams) - Meyers, Mike, and Scott Jernigan. (2019) CompTIA A+ Certification All-in-One Exam Guide, (Exams 220-1001 & 220-1002). - Oluwatosin, H.S. (2014). Client-server model. *IOSR Journal of Computer Engineering*, *16*(1), 67-71. - Sulyman, Shakirat. (2014). Client-Server Model. IOSR Journal of Computer Engineering. 16. 57-71. 10.9790/0661-16195771. - GeeksforGeeks. (2022, March 21). [*Devices used in each layer of TCP/IP model*](https://www.geeksforgeeks.org/devices-used-in-each-layer-of-tcp-ip-model/) *.*[ ](https://www.geeksforgeeks.org/devices-used-in-each-layer-of-tcp-ip-model/) - [Cloud computing and software-defined networks](https://www.coursera.org/learn/networks-and-network-security/supplement/kNUaM/cloud-computing-and-software-defined-networks) - Rackspace Technology Colo Data Centers. (n.d.). [*What is colocation?*](https://www.rackspace.com/library/what-is-colocation) - - Fortinet. (n.d.). [*What is hybrid cloud?*](https://www.fortinet.com/resources/cyberglossary/what-is-hybrid-cloud) - [Learn more about the TCP/IP model](https://www.coursera.org/learn/networks-and-network-security/supplement/SXl0z/review-of-the-tcp-ip-model) - Clarke, Glen E. (2018). CompTIA Network+ Certification Study Guide: Exam N10-007. - International Business Machines. (2022, Nov 15). [*User datagram protocol*](https://www.ibm.com/docs/en/aix/7.2?topic=protocols-user-datagram-protocol) - *.* - International Business Machines. (2022, Nov 15). [*Transmission control protocol*](https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol) - *.* - Oracle. (n.d.). [*TCP/IP protocol architecture model*](https://docs.oracle.com/cd/E19683-01/806-4075/ipov-10/index.html) - *.* System administration guide, volume 3. - Study CCNA. (n.d.). [*OSI & TCP/IP models*](https://study-ccna.com/osi-tcp-ip-models/) - *.* [The OSI model](https://www.coursera.org/learn/networks-and-network-security/supplement/YbKL0/the-osi-model-explained) - Cloudflare. (n.d.). [*What is the OSI model?*](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) - - FreeCodeCamp. (2020, December 21). [*The OSI Model – The 7 Layers of Networking Explained in Plain English*](https://www.freecodecamp.org/news/osi-model-networking-layers-explained-in-plain-english/) - . - Imperva. (n.d.). [*OSI Model*](https://www.imperva.com/learn/application-security/osi-model/#:~:text=The%20session%20layer%20creates%20communication,closing%20them%20when%20communication%20ends) - *.* Application security. [Components of network layer communication](https://www.coursera.org/learn/networks-and-network-security/supplement/IRnxH/components-of-network-layer-communication) - Agnė Srėbaliūtė. (2022, Aug 2). [*IPv4 packet header: Format and structure*](https://www.ipxo.com/blog/ipv4-packet-header/) - . IPXO. - Rajinder Kaur (2009) [*IPv4 Header*](https://advancedinternettechnologies.wordpress.com/ipv4-header/) - . Advanced Internet Technologies. - Gsephrioth. (2017). [*The IP diagram*](https://gsephrioth.github.io/Ch8-IP-Datagram/) - *.* - Wright, Robert. (October 1998). *IP Routing Primer*. O’Reilly. # Week 2: Network operations ## Citations [Network protocols](https://www.coursera.org/learn/networks-and-network-security/lecture/PUGBB/network-protocols) - National Institute of Standards and Technology. (n.d.). [*Glossary*](https://csrc.nist.gov/glossary) - *.* Accessed December 2022. [Common network protocols](https://www.coursera.org/learn/networks-and-network-security/supplement/Tsifz/common-network-protocols) - Cloudflare. (n.d.). [*What is a protocol? | Network protocol definition*](https://www.cloudflare.com/learning/network-layer/what-is-a-protocol/) - *.* - CompTIA. (n.d.). [*What is a network protocol and how does it work?* ](https://www.comptia.org/content/guides/what-is-a-network-protocol) - - Oracle. (n.d.). [*TCP/IP protocol architecture model*](https://docs.oracle.com/cd/E19683-01/806-4075/ipov-10/index.html) - *.* System administration guide, volume 3. [Additional network protocols ](https://www.coursera.org/learn/networks-and-network-security/supplement/gh97f/additional-network-protocols) - IBM. (2022, Oct 17). [*TCP/IP address and parameter assignment - Dynamic host configuration protocol*](https://www.ibm.com/docs/en/aix/7.1?topic=tcpp-tcpip-address-parameter-assignment-dynamic-host-configuration-protocol) - . IBM AIX documentation. - Microsoft. (n.d.O). [*What are IMAP and POP?*](https://support.microsoft.com/en-us/office/what-are-imap-and-pop-ca2c5799-49f9-4079-aefe-ddca85d5b1c9) - Microsoft Support. - Microsoft. (2013, October 21). [*SMTP*](https://learn.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/aa494182(v=exchg.140)) - *.* [The evolution of wireless security protocols](http://coursera.org/learn/networks-and-network-security/supplement/x73QK/overview-of-wireless-security-protocols) - Asus. (2022, January 14). [*\[Wireless\] What is WPA3? What are the advantages of using WPA3?*](https://www.asus.com/support/FAQ/1042478/) - FAQ. - Britannica, T. Editors of Encyclopaedia (2022, February 3). [*Wi-Fi*](https://www.britannica.com/technology/Wi-Fi) - . *Encyclopedia Britannica*. - Cisco Press. (2010, April 9). [*Moving to WPA/WPA2-Enterprise wi-fi encryption*](https://www.ciscopress.com/articles/article.asp?p=1576225) - *.* [Firewalls and network security measures ](https://www.coursera.org/learn/networks-and-network-security/lecture/TrOAQ/firewalls-and-network-security-measures) - Cisco. (n.d.). [*What is a firewall?* ](https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html) - [Subnetting and CIDR](https://www.coursera.org/learn/networks-and-network-security/supplement/OObvl/subnetting-and-cidr) - Cloudflare. (n.d.).[ *What is a subnet?*](https://www.cloudflare.com/learning/network-layer/what-is-a-subnet/) - - Techopedia. (2017, July 18). [*Subnetting*](https://www.techopedia.com/definition/28328/subnetting) - *.* Dictionary. - IP Address Guide. (n.d.). [*CIDR to IPv4 Conversion*](https://www.ipaddressguide.com/cidr) - . IPV4 Tools. [Proxy servers](https://www.coursera.org/learn/networks-and-network-security/lecture/P0Wj5/securing-internal-networks-proxy-servers) - National Institute of Standards and Technology. (n.d.). [*Glossary*](https://csrc.nist.gov/glossary) - *.* Accessed December 2022. # Week 3: Secure against network intrusions ## Resources [Analyze network attacks](https://www.coursera.org/learn/networks-and-network-security/item/QHIX5) - [CompTIA](https://www.comptia.org/blog/cybersecurity-skills-to-counter-ddos-attacks.) - ## Citations [The case for securing networks ](https://www.coursera.org/learn/networks-and-network-security/lecture/ZnVPC/the-case-for-securing-networks) - Vinton, Kate. (2014, September 18). [*With 56 million cards compromised, Home Depot’s breach is bigger than Target’s*](https://www.forbes.com/sites/katevinton/2014/09/18/with-56-million-cards-compromised-home-depots-breach-is-bigger-than-targets/?sh=1514b8a53e74) - *.* Forbes. [Analyze network layer communication](https://www.coursera.org/learn/networks-and-network-security/quiz/6XQKU/activity-apply-os-hardening-techniques) - Lager, Nathan. (2020, April 3). [Network Troubleshooting with Packet Captures](https://www.redhat.com/sysadmin/network-packet-captures) - . Enable Sysadmin. - Oracle. (n.d.) [How the TCP/IP Protocols Handle Data Communications (System Administration Guide: IP Services](https://docs.oracle.com/cd/E19683-01/806-4075/ipov-100/index.html) - ). [Real-life DDoS attack](https://www.coursera.org/learn/networks-and-network-security/supplement/9ndLQ/real-life-ddos-attack) - Olenick, D. (2020, December 10) [*Guilty plea in 2016 Dyn DDos attack*](https://www.bankinfosecurity.com/guilty-plea-in-2016-dyn-ddos-attack-a-15567#:~:text=Federal%20prosecutors%20estimate%20the%20attack,million%20due%20to%20the%20attack.) - *.* Bank info security. - Young, K (2022, January 10) [*Cyber case study: The Mirai DDoS attack on Dyn*](https://coverlink.com/case-study/mirai-ddos-attack-on-dyn/#:~:text=On%20Oct.,systems%20and%20overwhelm%20its%20infrastructure) - . Coverlink. [Overview of interception attacks](https://www.coursera.org/learn/networks-and-network-security/supplement/zCdHP/overview-of-interception-tactics) - Engebretson, P. (2013). *The basics of hacking and penetration testing: ethical hacking and penetration testing made easy*. Elsevier. # Week 4: Security hardening ## Resources [Course 3 glossary ](https://www.coursera.org/learn/networks-and-network-security/supplement/lFqNR/course-3-glossary) [Apply OS hardening techniques](https://www.coursera.org/learn/networks-and-network-security/quiz/6XQKU/activity-apply-os-hardening-techniques) - [Opensource.com](https://opensource.com/article/18/10/introduction-tcpdump) - - [Iana.org](http://iana.org) - - [Geekflare](https://geekflare.com/tcpdump-examples/) - - [Packet Pushers](https://packetpushers.net/masterclass-tcpdump-interpreting-output/) - ## Citations [OS hardening practices ](https://www.coursera.org/learn/networks-and-network-security/lecture/sj35a/os-hardening-practices) - National Institute of Security Technology. (2018, October). [*Guide to securing macOS 10.12 systems for IT professionals*](https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev-1/draft/documents/sp800-179r1-draft.pdf) - *.* Special publication 800-179, revision 1. Accessed December 2022. [Apply OS hardening techniques](https://www.coursera.org/learn/networks-and-network-security/quiz/6XQKU/activity-apply-os-hardening-techniques) - Doropoulos, N. (n.d.). [DNS Query Flood Attack. ](https://www.linkedin.com/pulse/dns-query-flood-attack-nicholas-doropoulos.) - Linkedin. [Use the NIST Cybersecurity Framework to respond to a security](https://www.coursera.org/learn/networks-and-network-security/exam/AFji2/portfolio-activity-use-the-nist-cybersecurity-framework-to-respond-to-a-security) - Bhardwaj, P. (2023, January 2). [How to detect an ICMP flood attack and protect your network.](https://www.makeuseof.com/how-to-detect-icmp-flood-attack/) - Firch, J. (2023, February 28). [How to prevent a ICMP flood attack. ](https://purplesec.us/prevent-ping-attacks/) Google, Android, Chronicle, Google Drive, Google Sites, and YARA are trademarks owned by Google LLC. All other trademarks belong to their respective owners and are not affiliated with Google LLC.