Is any information actively traveling across a network, whether wired or wireless. Because it moves between devices, it’s vulnerable to interception, so encryption like TLS or IPsec is used to protect it.
Data in Transit
Information stored on disks, databases, or storage systems. Since it isn’t moving, security focuses on encryption and access controls to prevent unauthorized access.
A: Important files locked inside a filing cabinet.
Data at Rest
The system that creates, manages, and trusts digital certificates and encryption keys. It allows users and devices to verify identities securely across a network.
A: A trusted ID office that issues verified IDs.
PKI (Public Key Infrastructure)
Controls who can access systems, data, and resources. It ensures users are authenticated, authorized, and monitored when accessing information.
A: Security badges deciding who can enter which rooms.
IAM (Identity and Access Management)
Users only get the access they need to do their job — nothing more. This reduces damage if an account is compromised.
A: Giving someone only the keys they actually need.
Least Privilege
Assigns permissions based on job roles instead of individuals. Users inherit access based on their role in the organization.
A: Job titles determine which doors open.
RBAC (Role-Based Access Control)
Restricts access based on physical location. Users may gain or lose access depending on where they connect from.
Geofencing
Is a digital certificate created and signed by the same entity using it. It encrypts traffic, but it is not trusted by default because no third-party Certificate Authority (CA) verifies it.
A: It’s like writing your own ID card. It proves who you say you are, but others don’t automatically trust it.
Self-signed certificate
It is the process of proving you are really who you say you are. This is done using private information like a password, MFA code, biometric, or token.
Authentication
Determines what resources you are allowed to access after authentication. Permissions are based on your role, account, or group membership.
Authorization
Records user activity such as logins, logouts, failed attempts, and actions performed. This is used for auditing, security, and troubleshooting.
A: Security cameras and entry logs tracking movement.
Accounting
A ____ Server stores credentials and validates authentication requests. Devices like VPNs, firewalls, and Wi-Fi controllers send login requests to the server for approval.
AAA
Allows users to authenticate once and access multiple systems without logging in again for a set period of time (often 24 hours). It describes what the user experiences.
Single Sign-On (SSO)
It is a widely used authentication protocol that allows devices to communicate with a AAA server. Commonly used for VPNs, Wi-Fi (802.1X), and network access control.
A: A phone call to security asking, “Is this user approved?”
RADIUS (Remote Authentication Dial-In User Service)
It is used to read and write information from a centralized directory. It stores users, devices, roles, and attributes, giving more context than just usernames and passwords.
A: A company phone directory with job titles and departments.
LDAP (Lightweight Directory Access Protocol)
It is an open standard or protocol for authentication and authorization that uses tokens. It allows users to authenticate once and access multiple web applications securely.
A: A stamped hand that proves you already paid.
SAML (Security Assertion Markup Language)
Is an authentication protocol commonly used for managing network devices like routers and switches. It separates authentication, authorization, and accounting.
TACACS+ (Terminal Access Controller Access Control System Plus)
Requires two or more authentication factors to prove identity, making access much more secure than a password alone.
A: ATM card + PIN.
Multifactor Authentication (MFA)
Generates a temporary code that changes every few seconds. Both client and server use time synchronization to validate the code.
A: A countdown safe code that keeps changing.
TOTP (Time-Based One-Time Password)
Single decoy systems designed to attract attackers so you can study their behavior.
A: Leaving out a jar of honey to catch a bear.
Honeypots
Are larger, more complex networks of decoy systems to trap and monitor attacks.
A: The bigger the honey setup, the more you can learn.
Honeynets
Is a weakness in a system.
A: An unlocked door.
Vulnerability
It is when someone takes advantage of a weakness within a company, system, etc.
A: A burglar breaking in.
Exploit
Is any potential cause that could harm the system, intentional or accidental.
A: The possibility of burglary or fire.
Threat
The three pillars of IT security:
Confidentiality = keep data secret
Integrity = keep data accurate
Availability = keep systems accessible
CIA Triad (Confidentiality, Integrity, Availability)
Is a European Union regulation that protects personal data of EU citizens. It ensures data is stored properly, gives individuals control over their data, and allows them to request deletion.
GDPR (General Data Protection Regulation)
Requires that data collected in a country must remain within that country unless legally allowed to move.
Data localization/locality
Is a standard that protects credit card information. It focuses on secure networks, protecting cardholder data, managing vulnerabilities, controlling access, monitoring systems, and maintaining security policies.
PCI DSS (Payment Card Industry Data Security Standard)
______ networks let visitors access the internet without touching internal company systems. They are often protected with passphrases or login portals.
A: A lobby in a building where visitors can wait, but not enter private offices.
Guest/Guest Network Segmentation
Bring Your Own Device policies separate personal devices from corporate systems. Company data stays secure while personal data remains private.
A: A locker in a gym—your stuff is private, but you can still use the facility safely.
BYOD (Bring Your Own Device) Segmentation
_____ devices, such as smart home gadgets, sensors, or wearables, are segmented onto their own network to protect sensitive data and prevent them from accessing critical systems. This limits the damage if a device is compromised.
IoT Network Segmentation
_____ devices are industrial machines that communicate with each other in factories, hospitals, or energy plants. Segmentation ensures critical operations continue safely and prevents outside devices from interfering.
IIoT Segmentation
_____ systems monitor and control industrial processes like energy, water, or manufacturing. Segmentation ensures only authorized personnel access these systems, preventing accidental or malicious disruption.
A: A control room with restricted doors—only trained operators can enter and control the machinery.
Supervisory Control and Data Acquisition (SCADA) Segmentation
Manages the operation of industrial equipment and processes. Segmentation ensures that these systems are isolated from business networks, protecting uptime and preventing external attacks.
A: A factory floor fenced off from the office area—machines keep running without interference from office devices.
Industrial Control System (ICS) Segmentation
Includes systems that control critical infrastructure, like electricity grids, traffic lights, or hospital machinery. Segmentation ensures operational continuity and safety, even if other networks are compromised.
A: Critical infrastructure in a secure bunker—operations continue safely no matter what happens outside.
Operational Technology (OT) Segmentation