← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 03 · Cyberspace Tech Solutions Cybersecurity Curriculum

System and Network Security

~60 minutes covering Firewalls, IDS/IPS, VPNs, and Secure Network Design — with 20 interview Q&As, 25 MCQs, and 4 interactive simulations.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Implement network security measures — configure and manage firewalls and IDS/IPS
  • Design secure network architectures using DMZ, VLANs, and Zero Trust principles
  • Configure and evaluate VPN solutions for secure remote access

Topics Covered

#TopicTimeType
1Core Concepts — Firewalls, IDS/IPS, VPN, Secure Design10 minReading
2Interview Questions & Answers (20)20 minQ&A
3MCQ Quiz (25 questions)15 minQuiz
4Firewall Rule Builder5 minSimulation
5IDS Alert Analyser4 minSimulation
6VPN Scenario Selector3 minSimulation
7Network Design Quiz3 minSimulation
💡 System and Network Security is Module 03 — building directly on Networking Fundamentals. These topics appear in almost every security analyst and architect interview.
Core Concepts · ~10 min

System & Network Security Fundamentals

Firewall Types

TypeOSI LayerHow it worksLimitation
Packet Filtering3–4Inspects each packet header (IP, port, protocol) against static ACLsNo state tracking; vulnerable to IP spoofing, fragmentation
Stateful Inspection3–4Tracks connection state table — knows if packet belongs to valid sessionCannot inspect payload content
Application (WAF)7Inspects HTTP/HTTPS payload — blocks SQLi, XSS, CSRFCostly; limited to web traffic
NGFW3–7Deep packet inspection, app identification, IDS/IPS, SSL decryption, user identityExpensive; high processing overhead

IDS vs IPS

FeatureIDS (Intrusion Detection)IPS (Intrusion Prevention)
ActionDetect and alert onlyDetect and actively block
PlacementOut-of-band (passive tap)Inline (traffic passes through)
RiskFalse negatives — misses attacksFalse positives — may block legitimate traffic
Detection methodsSignature-based (known patterns) | Anomaly-based (deviation from baseline) | Heuristic/Behaviour
💡 Signature-based IDS cannot detect zero-day attacks (no signature yet). Anomaly-based can, but generates more false positives. Modern systems use both (hybrid).

VPN Types

TypeUse CaseProtocol
Remote Access VPNIndividual user connects securely from remote locationSSL/TLS, IPSec
Site-to-Site VPNTwo office networks connected over internetIPSec (tunnel mode)
SSL VPNBrowser-based access — no client software neededTLS (port 443)
IPSec Tunnel ModeFull packet (including header) encrypted between gatewaysIPSec
IPSec Transport ModeOnly payload encrypted — used between two end-hostsIPSec

Secure Network Design Principles

  • DMZ (Demilitarised Zone): A subnet exposed to the internet (web servers, email) — separated from internal network by firewalls on both sides.
  • Network Segmentation: Divide network into zones (user LAN, server VLAN, IoT VLAN, DMZ) with controlled inter-zone traffic.
  • Zero Trust: "Never trust, always verify" — every access request authenticated, authorised, and validated regardless of network location.
  • Defence in Depth: Multiple layered controls so failure of one does not compromise everything.
  • Microsegmentation: Granular workload-level isolation within a datacenter or cloud (software-defined).
  • Least Privilege: Network ACLs grant only required access between segments.
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click to expand. Difficulty: Easy Medium Hard

1What is the difference between IDS and IPS?Easy
  • IDS (Intrusion Detection System): Monitors and analyses traffic, generates alerts when suspicious activity is detected. It is passive — sits out-of-band and does NOT block traffic. Risk: attacker may cause damage before an analyst responds.
  • IPS (Intrusion Prevention System): Sits inline — all traffic passes through it. Can actively block, drop, or reset connections matching threat signatures or anomalies in real-time.
Detection methods both use:
  • Signature-based: Match traffic against a database of known attack patterns. Fast, low FP rate, but blind to zero-days.
  • Anomaly-based: Baseline normal traffic → flag deviations. Can catch zero-days but higher false positive rate.
  • Heuristic/Behaviour: Rule-based logic about attack patterns regardless of exact signature.
💡 Interview angle: Explain the false positive / false negative trade-off. An IPS that generates too many FPs will be bypassed or disabled by frustrated admins — defeating its purpose.
2Explain the different types of firewalls.Medium
  • Packet-Filtering: Checks IP, port, protocol on each packet. Stateless — doesn't track connections. Fast but limited (can't detect fragmentation attacks or spoofed IPs in isolation).
  • Stateful Inspection: Tracks TCP/UDP connection state. Knows if a packet belongs to an established session. Blocks unsolicited inbound packets. Standard in modern edge firewalls.
  • Application-layer / Proxy Firewall: Operates at Layer 7. Understands specific protocols (HTTP, FTP, DNS). Can inspect and filter application content. Slower but highly granular.
  • WAF (Web Application Firewall): Specialised application firewall for HTTP/HTTPS. Protects against OWASP Top 10 (SQLi, XSS, CSRF). Deployed in front of web servers.
  • NGFW (Next-Generation Firewall): Combines stateful + DPI + IDS/IPS + SSL inspection + app identification + user identity. Products: Palo Alto, Fortinet, Check Point.
💡 Most enterprise deployments combine a stateful NGFW at the perimeter with a WAF for specific web applications — layered protection.
3What is a DMZ in network security?Easy
A DMZ (Demilitarised Zone) is a network segment that sits between the internet and the internal corporate network, containing publicly accessible services (web servers, email gateways, DNS servers).

Architecture:
  • Internet → External Firewall → DMZ → Internal Firewall → Internal LAN
  • The external firewall allows inbound traffic to DMZ servers only (e.g., port 80, 443).
  • The internal firewall blocks all traffic from the DMZ to the internal LAN (unless explicitly allowed for specific services).
Purpose: If a DMZ server is compromised, attackers cannot directly reach the internal network — they face a second firewall.
💡 A single-firewall DMZ uses three interfaces (external, DMZ, internal). A dual-firewall DMZ uses two separate physical firewalls — more secure, harder to misconfigure in one shot.
4How does a VPN work?Easy
A VPN (Virtual Private Network) creates an encrypted tunnel between two endpoints over an untrusted network (internet), making the communication appear as if both are on the same private network.

How it works:
  1. Client initiates connection to VPN gateway/server.
  2. Mutual authentication (certificates, pre-shared keys, username/password + MFA).
  3. Keys are exchanged (Diffie-Hellman) to establish a shared session key.
  4. All traffic is encrypted (AES-256) and encapsulated in VPN packets.
  5. VPN gateway decapsulates, decrypts, and forwards to the destination network.
💡 A VPN protects data in transit but does NOT protect the endpoint. If a user's laptop is compromised, the VPN provides the attacker the same network access as the user — hence why Zero Trust is replacing traditional VPN architectures.
5What is the difference between IPSec tunnel mode and transport mode?Hard
FeatureTunnel ModeTransport Mode
What's encryptedEntire original IP packet (header + payload)Only the payload (data); original header intact
New headerNew outer IP header addedNo new header — uses original
Use caseSite-to-site VPNs between gatewaysHost-to-host (e.g., two servers communicating)
Hides source/destYes (original header encrypted)No (original header visible)
💡 IPSec has two protocols: AH (Authentication Header — integrity, no encryption) and ESP (Encapsulating Security Payload — encryption + integrity). ESP is almost always used in practice.
6What is network segmentation and how does it improve security?Medium
Network segmentation divides a flat network into multiple isolated zones with controlled inter-zone traffic. It improves security by:

  • Limiting lateral movement: Compromising one zone doesn't grant access to others.
  • Containing breaches: Ransomware can't spread from an infected workstation to a server VLAN if traffic is blocked.
  • Isolating sensitive assets: Payment systems, industrial controls, and databases in dedicated zones.
  • Improving detection: Inter-zone traffic passes control points — anomalies are detectable.
  • Compliance: PCI-DSS, HIPAA require segmentation to reduce audit scope.
💡 Flat networks are the attacker's best friend — once inside, they can reach everything. WannaCry spread so effectively in 2017 largely because target organisations had flat networks.
7What is Zero Trust Architecture?Medium
Zero Trust is a security model based on the principle: "Never trust, always verify". It eliminates the concept of a trusted internal network — every access request is authenticated, authorised, and continuously validated, regardless of where it originates.

Core principles:
  • Verify explicitly — authenticate and authorise based on all available data points (identity, device, location, service, data classification).
  • Use least privilege access — limit user access with JIT/JEA, risk-based adaptive policies.
  • Assume breach — minimise blast radius, segment access, encrypt end-to-end, use analytics to detect anomalies.
Key technologies: Identity (MFA + IAM), Microsegmentation, Endpoint health checks, Continuous monitoring, SASE.
💡 Zero Trust is a strategy, not a product. It was popularised by Google's BeyondCorp initiative after the 2009 Operation Aurora attack, and is now recommended by NIST (SP 800-207) and CISA.
8What is the difference between signature-based and anomaly-based IDS?Medium
FeatureSignature-basedAnomaly-based
Detection methodMatch traffic to known attack patterns (signatures/rules)Establish baseline of "normal" — flag deviations
Zero-day coverageNo (needs known signature)Yes (flags unknown abnormal behaviour)
False positive rateLowHigher (legitimate anomalies flagged)
MaintenanceRequires regular signature updatesRequires careful baseline tuning
ExamplesSnort, Suricata (rule-based)Darktrace, Vectra AI, UEBA tools
9What is a honeypot and how is it used?Medium
A honeypot is a decoy system designed to look like a real, valuable target — intentionally left vulnerable to lure and trap attackers.

Uses:
  • Detection: Any interaction with a honeypot is suspicious — real users have no reason to access it.
  • Intelligence gathering: Study attacker TTPs (tools, techniques, procedures), malware samples.
  • Distraction: Keep attackers occupied while real systems are protected.
  • Early warning: Alerts security teams to active reconnaissance or exploitation attempts.
Types: Low-interaction (emulated services — safer), High-interaction (real OS — richer intel, more risk), Honeynets (network of honeypots).
💡 Legal consideration: deploying a honeypot to catch attackers is generally legal, but "entrapment" concerns apply. Ensure honeypots cannot be used as a pivot to attack external systems.
10What is SSL/TLS and how does the TLS handshake work?Medium
TLS (Transport Layer Security) is the cryptographic protocol that secures communications over a network. SSL was its predecessor — deprecated; TLS 1.3 is current (2024).

TLS 1.3 Handshake (simplified):
  1. ClientHello: Client sends supported TLS version, cipher suites, random value.
  2. ServerHello: Server selects cipher suite, sends its certificate (containing public key).
  3. Client verifies the server certificate against trusted CAs.
  4. Key Exchange: Both parties use Diffie-Hellman to derive a shared session key (without transmitting it).
  5. Finished: Both exchange Finished messages encrypted with the session key — handshake complete.
  6. All subsequent data is encrypted using the symmetric session key (AES-256-GCM).
💡 TLS provides: Confidentiality (encryption), Integrity (HMAC), Authentication (certificates). TLS 1.3 removes weak ciphers and enables 0-RTT resumption. Disable TLS 1.0 and 1.1.
11What is port scanning and which tools are used?Easy
Port scanning is the technique of probing a host to discover which TCP/UDP ports are open, filtered, or closed — revealing what services are running.

Scan types:
  • TCP Connect scan: Full three-way handshake — detectable in logs.
  • SYN (Half-open) scan: Send SYN, don't complete handshake — less detectable.
  • UDP scan: Slower — probe UDP ports, wait for ICMP unreachable replies.
  • Service/Version scan (-sV): Probe to identify the exact service and version.
  • OS detection (-O): Fingerprint the target OS via TCP/IP stack behaviour.
Tools: Nmap (most common), Masscan (ultra-fast), Zmap, Shodan (internet-wide scanning).
💡 Port scanning without authorisation is illegal in most jurisdictions. In a pentest context, it's the first step of reconnaissance. Defenders detect port scans via IDS rules and firewall logs.
12What is network hardening?Medium
Network hardening is the process of reducing the attack surface of network devices and infrastructure:

  • Disable unused services, ports, and protocols (close all ports not in use).
  • Change default credentials on all network devices (routers, switches, firewalls).
  • Apply firmware/OS updates and security patches promptly.
  • Use encrypted management protocols (SSH instead of Telnet, HTTPS instead of HTTP for device admin).
  • Implement 802.1X port authentication — prevent unauthorised devices on network.
  • Enable logging and SNMP v3 (not v1/v2 — they use plaintext community strings).
  • Disable ICMP echo (ping) on internet-facing interfaces where not needed.
  • Use ACLs to restrict management access to specific admin IPs only.
💡 CIS Benchmarks and DISA STIGs provide detailed hardening guidance for every major OS and network device. Always reference these in interviews.
13What is a SIEM and what is it used for?Medium
SIEM (Security Information and Event Management) is a platform that aggregates, normalises, correlates, and analyses log data from across the IT environment to detect threats and support incident response.

Core functions:
  • Log aggregation: Collects logs from firewalls, IDS, endpoints, servers, applications.
  • Normalisation: Converts diverse log formats into a consistent schema.
  • Correlation: Applies rules to detect attack patterns spanning multiple sources (e.g., brute-force → successful login → lateral movement).
  • Alerting: Generates alerts for SOC analysts to investigate.
  • Dashboards & reporting: Compliance reports, threat visibility.
  • Forensics: Historical search for post-incident investigation.
Products: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM, LogRhythm.
💡 SIEM alone is not enough — it requires well-tuned correlation rules and skilled analysts. Poorly tuned SIEMs generate alert fatigue, causing real alerts to be missed.
14What is the difference between a personal firewall and a network firewall?Easy
  • Personal/Host-based Firewall: Software running on an individual device (Windows Defender Firewall, iptables on Linux). Controls inbound/outbound traffic for that specific device. Protects the host regardless of where it connects (home, office, public Wi-Fi). Part of endpoint security.
  • Network Firewall: Hardware or virtual appliance protecting the entire network perimeter. Sits between network segments or at the internet edge. Controls traffic flows between networks. Manages policy centrally for many devices at once.
Both are needed — network firewall provides perimeter protection; host firewall provides defence if the perimeter is breached (defence in depth).
💡 Interview tip: Explain this is not either/or — both serve different purposes in a layered security model. Laptops need host-based firewalls especially when working remotely outside the network perimeter.
15How do you detect a Man-in-the-Middle attack on a network?Hard
Detection methods:
  • ARP table inspection: Check for multiple IPs mapping to the same MAC, or gateway MAC changed unexpectedly. Tools: arpwatch, XArp.
  • SSL/TLS certificate warnings: MitM attackers often present invalid certificates — browser warnings or failed certificate pinning checks.
  • Latency spikes: MitM adds processing time — anomalous round-trip times on previously stable connections.
  • DNS anomalies: DNS response IPs changed, unexpected TTL values.
  • Network traffic analysis: Unexpected hosts appearing in traffic paths, duplicate IP/MAC combos in packet captures (Wireshark).
  • IDS signatures: ARP spoofing signatures, SSL stripping detection.
💡 Prevention is better than detection: use TLS everywhere, certificate pinning, DNSSEC, HSTS, Dynamic ARP Inspection (DAI) on switches, and VPNs on untrusted networks.
16What is 802.1X and why is it important?Medium
IEEE 802.1X is a network access control standard that requires devices to authenticate before they can access any network resources — even the LAN.

Components:
  • Supplicant: The client device requesting access.
  • Authenticator: The network switch or wireless access point.
  • Authentication Server: RADIUS server (e.g., Microsoft NPS, FreeRADIUS) that validates credentials.
Process: Device connects → switch blocks all traffic → device authenticates via EAP (username/password, certificate, smart card) → RADIUS approves → switch opens the port.

Importance: Prevents rogue devices from connecting to the network. Visitor or unknown devices are blocked even if physically plugged in.
💡 Without 802.1X, any device physically plugged into a wall port (or joining Wi-Fi) gets network access. This is a critical control for preventing insider threats and physical intrusion.
17What is microsegmentation?Hard
Microsegmentation is a fine-grained network security technique that applies access controls at the individual workload or application level — rather than at the subnet or VLAN level.

How it differs from traditional segmentation:
  • Traditional segmentation: firewall between subnets. Traffic within a subnet flows freely.
  • Microsegmentation: controls traffic between individual VMs, containers, or even processes — "east-west" traffic within the same subnet or datacenter is also controlled.
Implementation: Software-defined networking (SDN), hypervisor-level policies (VMware NSX, Illumio, Guardicore), cloud security groups (AWS SGs, Azure NSGs).

Security benefit: An attacker who compromises one workload cannot reach adjacent workloads on the same VLAN — severely limiting lateral movement.
💡 Microsegmentation is a core component of Zero Trust Architecture. It's especially important in cloud and container environments where traditional perimeter-based segmentation doesn't apply.
18What is a packet capture (PCAP) and which tool is used?Easy
A packet capture (PCAP) records all network traffic at a point in the network — capturing the raw bytes of every packet including headers and payload. The file format is .pcap or .pcapng.

Primary tool: Wireshark — the industry-standard GUI packet analyser. Also: tcpdump (CLI), tshark (CLI version of Wireshark).

Uses:
  • Troubleshoot network issues (slow connections, dropped packets).
  • Security forensics — analyse captured attack traffic.
  • Verify encryption is working (confirm no plaintext credentials).
  • Detect anomalies, lateral movement, C2 communication.
💡 Wireshark filters: http (HTTP traffic), ip.addr==10.0.0.1 (specific host), tcp.flags.syn==1 (SYN packets — detect port scans). Essential for SOC analyst roles.
19What are the risks of using public Wi-Fi?Easy
  • Eavesdropping: Unencrypted traffic can be intercepted by anyone on the network with a packet sniffer.
  • Evil Twin / Rogue AP: Attacker sets up an access point with the same SSID as the legitimate one — clients connect to the attacker's AP instead.
  • Man-in-the-Middle: Attacker intercepts and potentially modifies traffic between client and destination.
  • Malware distribution: Rogue AP injects malicious code into unencrypted downloads.
  • Session hijacking: Stealing authentication cookies from unencrypted HTTP sessions.
Mitigations: Use a VPN on public Wi-Fi, only access HTTPS sites, avoid accessing sensitive accounts, disable auto-connect to open networks, use mobile data instead.
💡 Even HTTPS helps significantly on public Wi-Fi — content is encrypted. The remaining risk is metadata exposure, evil twin attacks, and certificate validation failures.
20What is Network Access Control (NAC)?Medium
NAC is a security solution that enforces policies on devices before and while they are connected to the network — ensuring only authorised, compliant devices gain access.

NAC enforcement checks:
  • Device identity (certificate, 802.1X authentication).
  • Compliance posture: Is the device patched? Is AV up-to-date? Is the firewall enabled?
  • User identity and role.
  • Device type (corporate-managed vs BYOD vs IoT).
Actions based on policy: Full access, Guest VLAN, Quarantine VLAN (remediation), Deny. Products: Cisco ISE, Forescout, Aruba ClearPass.
💡 NAC is especially valuable for BYOD policies and IoT device management — ensuring only known, compliant devices access sensitive network segments.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

MCQ Progress:
0 / 25
Simulation 1 · ~5 min

Firewall Rule Builder

Add firewall rules and then simulate whether a test packet would be allowed or denied.

Rules are evaluated top-to-bottom. First match wins. A default DENY ALL is applied at the bottom.

Source IPDest IPPortProtoAction
Simulate a packet:
Simulation 2 · ~4 min

IDS Alert Analyser

Review each IDS alert and classify it: True Positive (real attack), False Positive (legitimate traffic misidentified), or correctly describe the scenario.

Simulation 3 · ~3 min

VPN Scenario Selector

Read each scenario and select the most appropriate VPN type.

Simulation 4 · ~3 min

Secure Network Design Quiz

Answer questions about where to place security controls in a network design.

🎉

Module Complete!

You've completed System and Network Security. Use the sidebar to revisit any section.