

## **Unit 4: Network Security**

* **Access Control Lists**
* **Authentication, Authorization and Accounting (AAA)**
* **Securing Data with IPsec** and **VPN**
* **Generic Routing Encapsulation**

---

# **UNIT 4: NETWORK SECURITY**

**Network Security:**
It is the practice of protecting a network and its data from unauthorized access, misuse, or attacks using tools like firewalls, encryption, and authentication.

### **Firewall**

A firewall is a security system that monitors and controls data entering or leaving a network.
It acts like a gatekeeper that blocks harmful traffic and allows only safe and approved communication.

### **Encryption**

Encryption is a method of protecting data by converting it into a coded format.
Only the person who has the correct key can decode and read the original information, ensuring privacy during storage or transmission.

### **Authentication**

Authentication is the process of verifying the identity of a user or device.
It ensures that only authorized people can access the network, usually through passwords, OTP, biometrics, or security tokens.

---

## **1. Access Control Lists (ACLs)**

### **Definition**

An **Access Control List (ACL)** is a set of rules that control **network traffic flow** and help **secure networks** by permitting or denying packets based on conditions like IP address, protocol, or port.

### **Purpose**

* To **filter traffic** entering or leaving a network.
* To **control access** to network resources.
* To **enhance network security** by blocking unauthorized users.

### **Where ACLs Are Applied**

* On **routers** or **firewalls**.
* Can be applied on **inbound** or **outbound** interfaces.

### **Types of ACL**

1. **Standard ACL**

   * Filters traffic **based on source IP address only**.
   * Syntax:  
     `access-list <number> permit|deny <source> <wildcard-mask>`
   * Example:  
     `access-list 10 permit 192.168.1.0 0.0.0.255`

2. **Extended ACL**

   * Filters traffic based on **source & destination IP**, **protocol**, and **port number**.
   * Syntax:  
     `access-list <number> permit|deny <protocol> <source> <wildcard> <destination> <wildcard> [eq <port>]`
   * Example:  
     `access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80`

3. **Named ACL**

   * Uses a **custom name** instead of a number for easier management.  
     Example:

     ```
     ip access-list extended WebAccess
     permit tcp any any eq 80
     deny ip any any
     ```

### **ACL Placement**

* **Standard ACL**: Placed **close to the destination** (to avoid blocking too much traffic).
* **Extended ACL**: Placed **close to the source** (to stop unwanted traffic early).

### **Wildcard Mask**

A 32-bit mask paired with the address in an ACL entry; each mask bit says whether the corresponding address bit has to match (for contiguous ranges it is the inverse of the subnet mask).

* `0` bit = must match exactly
* `1` bit = ignored (any value)

Example:
`192.168.1.0 0.0.0.255` matches all IPs from 192.168.1.0 to 192.168.1.255.
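
As an added example (not from the notes), the matching logic described above in Python: bit-by-bit wildcard matching, top-down first-match evaluation, and the implicit deny at the end of every ACL. The ACL entries and packets are constructed to mirror `access-list 10` and `access-list 110` above; it also goes a step further than the notes by showing a non-contiguous wildcard (`0.0.0.254`), which matches only even host addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF   # bits the entry cares about
    return (a & care) == (n & care)

@dataclass
class Ace:
    """One access-control entry. Standard entries leave proto/dst/port at their defaults."""
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # "ip" matches every protocol
    dst: str = "0.0.0.0"             # "any" is 0.0.0.0 with wildcard 255.255.255.255
    dst_wc: str = "255.255.255.255"
    port: Optional[int] = None       # "eq <port>" on the destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.port is None or pkt.get("dport") == self.port

def evaluate(acl: list, pkt: dict) -> str:
    """Entries are checked top-down and the first match decides. Every ACL ends with an
    implicit 'deny any', so a packet that matches no entry is dropped."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed ACLs mirroring the two examples in the notes.
ACL_10 = [Ace("permit", "192.168.1.0", "0.0.0.255")]                          # access-list 10
ACL_110 = [Ace("permit", "192.168.1.0", "0.0.0.255", proto="tcp", port=80)]  # access-list 110

if __name__ == "__main__":
    web = {"src": "192.168.1.25", "dst": "198.51.100.7", "proto": "tcp", "dport": 80}
    ssh = dict(web, dport=22)
    print(evaluate(ACL_10, web), evaluate(ACL_110, web), evaluate(ACL_110, ssh))  # permit permit deny
```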

### **Benefits**

* Improves **network security**.
* Controls **traffic flow** efficiently.
* Helps in **troubleshooting** and monitoring.

---

## **2. Authentication, Authorization, and Accounting (AAA)**

### **Definition**

AAA is a **security framework** that controls who can access the network, what they can do, and keeps records of their activities.

### **1. Authentication**

* Verifies the **identity** of a user or device before allowing access.
* Common methods:

  * **Password-based**
  * **Token-based**
  * **Biometric**
  * **Two-factor authentication**
* Example: Logging into a network using a username and password.

### **2. Authorization**

* Determines **what actions or resources** a user is allowed to access after authentication.
* Example: An admin user can configure routers, while a guest can only browse the internet.

### **3. Accounting**

* Keeps a **record of user activity**: login time, duration, commands used, data transferred.
* Used for **monitoring, auditing, and billing**.

### **AAA Protocols**

1. **RADIUS (Remote Authentication Dial-In User Service)**

   * Uses **UDP (ports 1812/1813)**.
   * Combines authentication and authorization in one process.
   * Widely used for **Wi-Fi** and **remote access servers**.

2. **TACACS+ (Terminal Access Controller Access-Control System Plus)**

   * Uses **TCP (port 49)**.
   * Separates authentication, authorization, and accounting.
   * Preferred in **enterprise and Cisco networks**.

### **Benefits of AAA**

* Centralized user control.
* Strong authentication and logging.
* Flexible management of user privileges.

---

### **Why AAA is important**

* Protects a network from unauthorized access and misuse.
* Ensures users get only the level of access they need — nothing more.
* Helps track user actions to detect misuse or troubleshoot issues.

### **Where AAA is used**

* Corporate networks and data centers.
* Cloud platforms.
* VPN and remote access systems.
* Wi-Fi authentication in colleges, offices, and hotels.
* Network devices like routers, firewalls, and switches.

### **How AAA works (flow at a glance)**

1. User tries to access the network.
2. **Authentication** confirms identity.
3. **Authorization** assigns allowed permissions.
4. **Accounting** logs the activity for records.

### **Difference between RADIUS and TACACS+ (quick comparison)**

| Feature            | RADIUS                        | TACACS+                      |
| ------------------ | ----------------------------- | ---------------------------- |
| Transport Protocol | UDP                           | TCP                          |
| Security           | Encrypts only password        | Encrypts full message        |
| Usage              | Wi-Fi & remote access         | Enterprise device management |
| AAA Separation     | Combined auth + authorization | Separates all 3              |
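
An added example, not part of the notes, that makes the Security row concrete: it implements the RFC 2865 User-Password hiding used in a RADIUS Access-Request, with a constructed username, password and shared secret. Only that one attribute is obscured (by XOR with an MD5 keystream derived from the shared secret and the Request Authenticator); User-Name and every other attribute travel in the clear, which is why RADIUS is normally kept on a management network or carried over IPsec or RadSec (RADIUS/TLS).

```python
import hashlib
import os
import struct

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: the password is NUL-padded to a
    multiple of 16 bytes and each block is XORed with MD5(secret + previous block), where
    the first 'previous block' is the 16-byte Request Authenticator."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("authenticator must be 16 bytes, password 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as performed by the RADIUS server holding the same shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def access_request(identifier: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """Build an Access-Request (code 1) carrying User-Name (attr 1) and User-Password (attr 2).
    Only the User-Password value is hidden; the rest of the packet is plaintext."""
    authenticator = os.urandom(16)
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def password_attribute(packet: bytes) -> bytes:
    """Walk the type/length/value attribute list and return the User-Password value."""
    off = 20
    while off < len(packet):
        atype, alen = packet[off], packet[off + 1]
        if atype == 2:
            return packet[off + 2:off + alen]
        off += alen
    raise ValueError("no User-Password attribute")
```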

### **Benefits (extra points)**

* Improves security through strict access control.
* Avoids manual management of individual devices — users can be centrally managed.
* Helpful for investigating security incidents due to detailed logs.
* Supports large organizations where multiple users need different access roles.

---

## **3. Securing Data with IPsec and VPN**

### **A. IPsec (Internet Protocol Security)**

### **Definition**

**IPsec** is a suite of protocols that **secure IP communications** by authenticating and encrypting each IP packet in a communication session.

### **Key Features**

* Works at **Network Layer (Layer 3)**.
* Provides **confidentiality, integrity, authentication, and anti-replay protection**.
* Can be used in **tunnel mode** or **transport mode**.

### **Modes of IPsec**

1. **Transport Mode**

   * Encrypts only the **payload** of the IP packet.
   * Used for **end-to-end** communication (e.g., host-to-host).

2. **Tunnel Mode**

   * Encrypts the **entire IP packet**.
   * Used between **gateways** (e.g., router-to-router or site-to-site VPN).

### **IPsec Protocols**

1. **AH (Authentication Header)**

   * Provides authentication and integrity.
   * No encryption.

2. **ESP (Encapsulating Security Payload)**

   * Provides encryption, authentication, and integrity.
   * Ensures confidentiality of data.

3. **IKE (Internet Key Exchange)**

   * Handles key management and negotiation for secure communication.

### **Benefits**

* Strong encryption ensures data privacy.
* Verifies sender authenticity.
* Protects against replay and modification attacks.

---

### **B. VPN (Virtual Private Network)**

### **Definition**

A **VPN** creates a secure, encrypted connection over a public network (like the Internet), enabling remote users or branches to connect to a private network safely.

### **Types of VPN**

1. **Remote Access VPN**

   * Used by individuals to securely connect to a company network from remote locations.
   * Example: Employees accessing company resources from home.

2. **Site-to-Site VPN**

   * Connects entire networks (e.g., branch offices) over the Internet using an **IPsec tunnel** between the two gateways.

3. **SSL VPN**

   * Uses **HTTPS (SSL/TLS)** for encryption.
   * Requires only a browser, no special software.

### **VPN Components**

* **VPN Client:** Installed on user’s device.
* **VPN Gateway:** Router or firewall managing VPN traffic.
* **Tunneling/Encryption Protocols:** IPsec, SSL/TLS, PPTP, L2TP (L2TP carries no encryption of its own and is normally paired with IPsec as L2TP/IPsec; PPTP's MPPE encryption is considered weak today).

### **Benefits**

* Protects data during transmission.
* Enables secure remote access.
* Cost-effective compared to leased lines.

---

## **4. Generic Routing Encapsulation (GRE)**

### **Definition**

**GRE** is a tunneling protocol developed by Cisco that **encapsulates any network layer protocol** inside IP tunnels, creating virtual point-to-point links.

### **Purpose**

Used to transport **multicast, broadcast, and non-IP protocols** over IP networks.

### **How GRE Works**

* GRE adds an **outer IP header** and a **GRE header** to the original packet.
* The packet travels through the tunnel between two endpoints.
* The receiving router removes the extra headers and forwards the packet.

### **Structure of GRE Packet**

| Header              | Description                                      |
| ------------------- | ------------------------------------------------ |
| **Outer IP Header** | Contains source and destination tunnel endpoints |
| **GRE Header**      | Flags/version plus the protocol type of the encapsulated packet (e.g. 0x0800 for IPv4) |
| **Payload**         | Original packet data                             |
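
An added example (not from the notes) that builds and parses the packet structure in the table: an outer IPv4 header with protocol number 47, the 4-byte GRE header (flags/version 0, protocol type 0x0800) and the original packet as payload. Tunnel addresses and the inner datagram are constructed; the decapsulation side goes slightly beyond the table by also skipping the optional checksum, key and sequence-number fields of RFC 2784/2890, and it verifies nothing beyond header sanity, which is the "no authentication by default" limitation noted below.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47          # IP protocol number for GRE in the outer IP header
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IP header (proto 47) + 4-byte GRE header (flags/version 0, type 0x0800) + payload."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(outer: bytes) -> bytes:
    """What the receiving endpoint does: sanity-check the outer headers, strip them, return the payload."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or outer[9] != GRE_PROTOCOL:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags & 0x0007:                      # version field must be 0 (RFC 2784)
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected payload type 0x%04x" % ptype)
    gre_len = 4
    gre_len += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved1 present
    gre_len += 4 if flags & 0x2000 else 0   # K bit: key present (RFC 2890)
    gre_len += 4 if flags & 0x1000 else 0   # S bit: sequence number present (RFC 2890)
    return outer[ihl + gre_len:]

# Constructed sample: a small IPv4/UDP datagram between two private hosts.
SAMPLE_PAYLOAD = b"constructed inner datagram"
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 17, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD

def tunnel_overhead(inner: bytes = INNER) -> int:
    """Bytes GRE adds per packet: 20 (outer IPv4) + 4 (GRE) = 24."""
    return len(gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")) - len(inner)
```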

### **Key Features**

* **Encapsulates** various network protocols (IP, IPX, AppleTalk).
* Supports **multicast traffic** (unlike IPsec alone).
* Can be combined with **IPsec for encryption** (IPsec + GRE).

### **Advantages**

* Enables **virtual private networks** across the Internet.
* **Protocol-independent**.
* Easy to implement for **site-to-site** communication.

### **Limitations**

* No encryption or authentication by default.
* Adds header overhead (an outer IPv4 header plus the 4-byte GRE header, 24 bytes minimum per packet), slightly reducing performance and lowering the usable MTU inside the tunnel.

---

# **Summary Table**

| Topic     | Function                                  | Protocol/Layer    | Key Benefits                        |
| --------- | ----------------------------------------- | ----------------- | ----------------------------------- |
| **ACL**   | Filters traffic based on rules            | Layer 3–4         | Controls access, improves security  |
| **AAA**   | Authentication, Authorization, Accounting | Application Layer | Centralized user control            |
| **IPsec** | Secure IP communication                   | Layer 3           | Encryption, authentication          |
| **VPN**   | Secure remote connection                  | Layer 3 / 7       | Safe data transfer over Internet    |
| **GRE**   | Encapsulates various protocols            | Layer 3           | Virtual tunnels, supports multicast |

---
