Module 03 · Cyberspace Tech Solutions Cybersecurity Curriculum
System and Network Security
~60 minutes covering Firewalls, IDS/IPS, VPNs, and Secure Network Design — with 20 interview Q&As, 25 MCQs, and 4 interactive simulations.
20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes
Learning Outcomes
- Implement network security measures — configure and manage firewalls and IDS/IPS
- Design secure network architectures using DMZ, VLANs, and Zero Trust principles
- Configure and evaluate VPN solutions for secure remote access
Topics Covered
| # | Topic | Time | Type |
|---|---|---|---|
| 1 | Core Concepts — Firewalls, IDS/IPS, VPN, Secure Design | 10 min | Reading |
| 2 | Interview Questions & Answers (20) | 20 min | Q&A |
| 3 | MCQ Quiz (25 questions) | 15 min | Quiz |
| 4 | Firewall Rule Builder | 5 min | Simulation |
| 5 | IDS Alert Analyser | 4 min | Simulation |
| 6 | VPN Scenario Selector | 3 min | Simulation |
| 7 | Network Design Quiz | 3 min | Simulation |
💡 System and Network Security is Module 03 — building directly on Networking Fundamentals. These topics appear in almost every security analyst and architect interview.
Core Concepts · ~10 min
System & Network Security Fundamentals
Firewall Types
| Type | OSI Layer | How it works | Limitation |
|---|---|---|---|
| Packet Filtering | 3–4 | Inspects each packet header (IP, port, protocol) against static ACLs | No state tracking; vulnerable to IP spoofing, fragmentation |
| Stateful Inspection | 3–4 | Tracks connection state table — knows if packet belongs to valid session | Cannot inspect payload content |
| Application (WAF) | 7 | Inspects HTTP/HTTPS payload — blocks SQLi, XSS, CSRF | Costly; limited to web traffic |
| NGFW | 3–7 | Deep packet inspection, app identification, IDS/IPS, SSL decryption, user identity | Expensive; high processing overhead |
IDS vs IPS
| Feature | IDS (Intrusion Detection) | IPS (Intrusion Prevention) |
|---|---|---|
| Action | Detect and alert only | Detect and actively block |
| Placement | Out-of-band (passive tap) | Inline (traffic passes through) |
| Risk | False negatives — misses attacks | False positives — may block legitimate traffic |
| Detection methods | Signature-based (known patterns) | Anomaly-based (deviation from baseline) | Heuristic/Behaviour | |
💡 Signature-based IDS cannot detect zero-day attacks (no signature yet). Anomaly-based can, but generates more false positives. Modern systems use both (hybrid).
VPN Types
| Type | Use Case | Protocol |
|---|---|---|
| Remote Access VPN | Individual user connects securely from remote location | SSL/TLS, IPSec |
| Site-to-Site VPN | Two office networks connected over internet | IPSec (tunnel mode) |
| SSL VPN | Browser-based access — no client software needed | TLS (port 443) |
| IPSec Tunnel Mode | Full packet (including header) encrypted between gateways | IPSec |
| IPSec Transport Mode | Only payload encrypted — used between two end-hosts | IPSec |
Secure Network Design Principles
- DMZ (Demilitarised Zone): A subnet exposed to the internet (web servers, email) — separated from internal network by firewalls on both sides.
- Network Segmentation: Divide network into zones (user LAN, server VLAN, IoT VLAN, DMZ) with controlled inter-zone traffic.
- Zero Trust: "Never trust, always verify" — every access request authenticated, authorised, and validated regardless of network location.
- Defence in Depth: Multiple layered controls so failure of one does not compromise everything.
- Microsegmentation: Granular workload-level isolation within a datacenter or cloud (software-defined).
- Least Privilege: Network ACLs grant only required access between segments.
Interview Q&A · ~20 min · 20 Questions
Interview Questions & Model Answers
Click to expand. Difficulty: Easy Medium Hard
1What is the difference between IDS and IPS?Easy▼
- IDS (Intrusion Detection System): Monitors and analyses traffic, generates alerts when suspicious activity is detected. It is passive — sits out-of-band and does NOT block traffic. Risk: attacker may cause damage before an analyst responds.
- IPS (Intrusion Prevention System): Sits inline — all traffic passes through it. Can actively block, drop, or reset connections matching threat signatures or anomalies in real-time.
- Signature-based: Match traffic against a database of known attack patterns. Fast, low FP rate, but blind to zero-days.
- Anomaly-based: Baseline normal traffic → flag deviations. Can catch zero-days but higher false positive rate.
- Heuristic/Behaviour: Rule-based logic about attack patterns regardless of exact signature.
💡 Interview angle: Explain the false positive / false negative trade-off. An IPS that generates too many FPs will be bypassed or disabled by frustrated admins — defeating its purpose.
2Explain the different types of firewalls.Medium▼
- Packet-Filtering: Checks IP, port, protocol on each packet. Stateless — doesn't track connections. Fast but limited (can't detect fragmentation attacks or spoofed IPs in isolation).
- Stateful Inspection: Tracks TCP/UDP connection state. Knows if a packet belongs to an established session. Blocks unsolicited inbound packets. Standard in modern edge firewalls.
- Application-layer / Proxy Firewall: Operates at Layer 7. Understands specific protocols (HTTP, FTP, DNS). Can inspect and filter application content. Slower but highly granular.
- WAF (Web Application Firewall): Specialised application firewall for HTTP/HTTPS. Protects against OWASP Top 10 (SQLi, XSS, CSRF). Deployed in front of web servers.
- NGFW (Next-Generation Firewall): Combines stateful + DPI + IDS/IPS + SSL inspection + app identification + user identity. Products: Palo Alto, Fortinet, Check Point.
💡 Most enterprise deployments combine a stateful NGFW at the perimeter with a WAF for specific web applications — layered protection.
3What is a DMZ in network security?Easy▼
A DMZ (Demilitarised Zone) is a network segment that sits between the internet and the internal corporate network, containing publicly accessible services (web servers, email gateways, DNS servers).
Architecture:
Architecture:
- Internet → External Firewall → DMZ → Internal Firewall → Internal LAN
- The external firewall allows inbound traffic to DMZ servers only (e.g., port 80, 443).
- The internal firewall blocks all traffic from the DMZ to the internal LAN (unless explicitly allowed for specific services).
💡 A single-firewall DMZ uses three interfaces (external, DMZ, internal). A dual-firewall DMZ uses two separate physical firewalls — more secure, harder to misconfigure in one shot.
4How does a VPN work?Easy▼
A VPN (Virtual Private Network) creates an encrypted tunnel between two endpoints over an untrusted network (internet), making the communication appear as if both are on the same private network.
How it works:
How it works:
- Client initiates connection to VPN gateway/server.
- Mutual authentication (certificates, pre-shared keys, username/password + MFA).
- Keys are exchanged (Diffie-Hellman) to establish a shared session key.
- All traffic is encrypted (AES-256) and encapsulated in VPN packets.
- VPN gateway decapsulates, decrypts, and forwards to the destination network.
💡 A VPN protects data in transit but does NOT protect the endpoint. If a user's laptop is compromised, the VPN provides the attacker the same network access as the user — hence why Zero Trust is replacing traditional VPN architectures.
5What is the difference between IPSec tunnel mode and transport mode?Hard▼
| Feature | Tunnel Mode | Transport Mode |
|---|---|---|
| What's encrypted | Entire original IP packet (header + payload) | Only the payload (data); original header intact |
| New header | New outer IP header added | No new header — uses original |
| Use case | Site-to-site VPNs between gateways | Host-to-host (e.g., two servers communicating) |
| Hides source/dest | Yes (original header encrypted) | No (original header visible) |
💡 IPSec has two protocols: AH (Authentication Header — integrity, no encryption) and ESP (Encapsulating Security Payload — encryption + integrity). ESP is almost always used in practice.
6What is network segmentation and how does it improve security?Medium▼
Network segmentation divides a flat network into multiple isolated zones with controlled inter-zone traffic. It improves security by:
- Limiting lateral movement: Compromising one zone doesn't grant access to others.
- Containing breaches: Ransomware can't spread from an infected workstation to a server VLAN if traffic is blocked.
- Isolating sensitive assets: Payment systems, industrial controls, and databases in dedicated zones.
- Improving detection: Inter-zone traffic passes control points — anomalies are detectable.
- Compliance: PCI-DSS, HIPAA require segmentation to reduce audit scope.
💡 Flat networks are the attacker's best friend — once inside, they can reach everything. WannaCry spread so effectively in 2017 largely because target organisations had flat networks.
7What is Zero Trust Architecture?Medium▼
Zero Trust is a security model based on the principle: "Never trust, always verify". It eliminates the concept of a trusted internal network — every access request is authenticated, authorised, and continuously validated, regardless of where it originates.
Core principles:
Core principles:
- Verify explicitly — authenticate and authorise based on all available data points (identity, device, location, service, data classification).
- Use least privilege access — limit user access with JIT/JEA, risk-based adaptive policies.
- Assume breach — minimise blast radius, segment access, encrypt end-to-end, use analytics to detect anomalies.
💡 Zero Trust is a strategy, not a product. It was popularised by Google's BeyondCorp initiative after the 2009 Operation Aurora attack, and is now recommended by NIST (SP 800-207) and CISA.
8What is the difference between signature-based and anomaly-based IDS?Medium▼
| Feature | Signature-based | Anomaly-based |
|---|---|---|
| Detection method | Match traffic to known attack patterns (signatures/rules) | Establish baseline of "normal" — flag deviations |
| Zero-day coverage | No (needs known signature) | Yes (flags unknown abnormal behaviour) |
| False positive rate | Low | Higher (legitimate anomalies flagged) |
| Maintenance | Requires regular signature updates | Requires careful baseline tuning |
| Examples | Snort, Suricata (rule-based) | Darktrace, Vectra AI, UEBA tools |
9What is a honeypot and how is it used?Medium▼
A honeypot is a decoy system designed to look like a real, valuable target — intentionally left vulnerable to lure and trap attackers.
Uses:
Uses:
- Detection: Any interaction with a honeypot is suspicious — real users have no reason to access it.
- Intelligence gathering: Study attacker TTPs (tools, techniques, procedures), malware samples.
- Distraction: Keep attackers occupied while real systems are protected.
- Early warning: Alerts security teams to active reconnaissance or exploitation attempts.
💡 Legal consideration: deploying a honeypot to catch attackers is generally legal, but "entrapment" concerns apply. Ensure honeypots cannot be used as a pivot to attack external systems.
10What is SSL/TLS and how does the TLS handshake work?Medium▼
TLS (Transport Layer Security) is the cryptographic protocol that secures communications over a network. SSL was its predecessor — deprecated; TLS 1.3 is current (2024).
TLS 1.3 Handshake (simplified):
TLS 1.3 Handshake (simplified):
- ClientHello: Client sends supported TLS version, cipher suites, random value.
- ServerHello: Server selects cipher suite, sends its certificate (containing public key).
- Client verifies the server certificate against trusted CAs.
- Key Exchange: Both parties use Diffie-Hellman to derive a shared session key (without transmitting it).
- Finished: Both exchange Finished messages encrypted with the session key — handshake complete.
- All subsequent data is encrypted using the symmetric session key (AES-256-GCM).
💡 TLS provides: Confidentiality (encryption), Integrity (HMAC), Authentication (certificates). TLS 1.3 removes weak ciphers and enables 0-RTT resumption. Disable TLS 1.0 and 1.1.
11What is port scanning and which tools are used?Easy▼
Port scanning is the technique of probing a host to discover which TCP/UDP ports are open, filtered, or closed — revealing what services are running.
Scan types:
Scan types:
- TCP Connect scan: Full three-way handshake — detectable in logs.
- SYN (Half-open) scan: Send SYN, don't complete handshake — less detectable.
- UDP scan: Slower — probe UDP ports, wait for ICMP unreachable replies.
- Service/Version scan (-sV): Probe to identify the exact service and version.
- OS detection (-O): Fingerprint the target OS via TCP/IP stack behaviour.
💡 Port scanning without authorisation is illegal in most jurisdictions. In a pentest context, it's the first step of reconnaissance. Defenders detect port scans via IDS rules and firewall logs.
12What is network hardening?Medium▼
Network hardening is the process of reducing the attack surface of network devices and infrastructure:
- Disable unused services, ports, and protocols (close all ports not in use).
- Change default credentials on all network devices (routers, switches, firewalls).
- Apply firmware/OS updates and security patches promptly.
- Use encrypted management protocols (SSH instead of Telnet, HTTPS instead of HTTP for device admin).
- Implement 802.1X port authentication — prevent unauthorised devices on network.
- Enable logging and SNMP v3 (not v1/v2 — they use plaintext community strings).
- Disable ICMP echo (ping) on internet-facing interfaces where not needed.
- Use ACLs to restrict management access to specific admin IPs only.
💡 CIS Benchmarks and DISA STIGs provide detailed hardening guidance for every major OS and network device. Always reference these in interviews.
13What is a SIEM and what is it used for?Medium▼
SIEM (Security Information and Event Management) is a platform that aggregates, normalises, correlates, and analyses log data from across the IT environment to detect threats and support incident response.
Core functions:
Core functions:
- Log aggregation: Collects logs from firewalls, IDS, endpoints, servers, applications.
- Normalisation: Converts diverse log formats into a consistent schema.
- Correlation: Applies rules to detect attack patterns spanning multiple sources (e.g., brute-force → successful login → lateral movement).
- Alerting: Generates alerts for SOC analysts to investigate.
- Dashboards & reporting: Compliance reports, threat visibility.
- Forensics: Historical search for post-incident investigation.
💡 SIEM alone is not enough — it requires well-tuned correlation rules and skilled analysts. Poorly tuned SIEMs generate alert fatigue, causing real alerts to be missed.
14What is the difference between a personal firewall and a network firewall?Easy▼
- Personal/Host-based Firewall: Software running on an individual device (Windows Defender Firewall, iptables on Linux). Controls inbound/outbound traffic for that specific device. Protects the host regardless of where it connects (home, office, public Wi-Fi). Part of endpoint security.
- Network Firewall: Hardware or virtual appliance protecting the entire network perimeter. Sits between network segments or at the internet edge. Controls traffic flows between networks. Manages policy centrally for many devices at once.
💡 Interview tip: Explain this is not either/or — both serve different purposes in a layered security model. Laptops need host-based firewalls especially when working remotely outside the network perimeter.
15How do you detect a Man-in-the-Middle attack on a network?Hard▼
Detection methods:
- ARP table inspection: Check for multiple IPs mapping to the same MAC, or gateway MAC changed unexpectedly. Tools: arpwatch, XArp.
- SSL/TLS certificate warnings: MitM attackers often present invalid certificates — browser warnings or failed certificate pinning checks.
- Latency spikes: MitM adds processing time — anomalous round-trip times on previously stable connections.
- DNS anomalies: DNS response IPs changed, unexpected TTL values.
- Network traffic analysis: Unexpected hosts appearing in traffic paths, duplicate IP/MAC combos in packet captures (Wireshark).
- IDS signatures: ARP spoofing signatures, SSL stripping detection.
💡 Prevention is better than detection: use TLS everywhere, certificate pinning, DNSSEC, HSTS, Dynamic ARP Inspection (DAI) on switches, and VPNs on untrusted networks.
16What is 802.1X and why is it important?Medium▼
IEEE 802.1X is a network access control standard that requires devices to authenticate before they can access any network resources — even the LAN.
Components:
Importance: Prevents rogue devices from connecting to the network. Visitor or unknown devices are blocked even if physically plugged in.
Components:
- Supplicant: The client device requesting access.
- Authenticator: The network switch or wireless access point.
- Authentication Server: RADIUS server (e.g., Microsoft NPS, FreeRADIUS) that validates credentials.
Importance: Prevents rogue devices from connecting to the network. Visitor or unknown devices are blocked even if physically plugged in.
💡 Without 802.1X, any device physically plugged into a wall port (or joining Wi-Fi) gets network access. This is a critical control for preventing insider threats and physical intrusion.
17What is microsegmentation?Hard▼
Microsegmentation is a fine-grained network security technique that applies access controls at the individual workload or application level — rather than at the subnet or VLAN level.
How it differs from traditional segmentation:
Security benefit: An attacker who compromises one workload cannot reach adjacent workloads on the same VLAN — severely limiting lateral movement.
How it differs from traditional segmentation:
- Traditional segmentation: firewall between subnets. Traffic within a subnet flows freely.
- Microsegmentation: controls traffic between individual VMs, containers, or even processes — "east-west" traffic within the same subnet or datacenter is also controlled.
Security benefit: An attacker who compromises one workload cannot reach adjacent workloads on the same VLAN — severely limiting lateral movement.
💡 Microsegmentation is a core component of Zero Trust Architecture. It's especially important in cloud and container environments where traditional perimeter-based segmentation doesn't apply.
18What is a packet capture (PCAP) and which tool is used?Easy▼
A packet capture (PCAP) records all network traffic at a point in the network — capturing the raw bytes of every packet including headers and payload. The file format is .pcap or .pcapng.
Primary tool: Wireshark — the industry-standard GUI packet analyser. Also: tcpdump (CLI), tshark (CLI version of Wireshark).
Uses:
Primary tool: Wireshark — the industry-standard GUI packet analyser. Also: tcpdump (CLI), tshark (CLI version of Wireshark).
Uses:
- Troubleshoot network issues (slow connections, dropped packets).
- Security forensics — analyse captured attack traffic.
- Verify encryption is working (confirm no plaintext credentials).
- Detect anomalies, lateral movement, C2 communication.
💡 Wireshark filters:
http (HTTP traffic), ip.addr==10.0.0.1 (specific host), tcp.flags.syn==1 (SYN packets — detect port scans). Essential for SOC analyst roles.19What are the risks of using public Wi-Fi?Easy▼
- Eavesdropping: Unencrypted traffic can be intercepted by anyone on the network with a packet sniffer.
- Evil Twin / Rogue AP: Attacker sets up an access point with the same SSID as the legitimate one — clients connect to the attacker's AP instead.
- Man-in-the-Middle: Attacker intercepts and potentially modifies traffic between client and destination.
- Malware distribution: Rogue AP injects malicious code into unencrypted downloads.
- Session hijacking: Stealing authentication cookies from unencrypted HTTP sessions.
💡 Even HTTPS helps significantly on public Wi-Fi — content is encrypted. The remaining risk is metadata exposure, evil twin attacks, and certificate validation failures.
20What is Network Access Control (NAC)?Medium▼
NAC is a security solution that enforces policies on devices before and while they are connected to the network — ensuring only authorised, compliant devices gain access.
NAC enforcement checks:
NAC enforcement checks:
- Device identity (certificate, 802.1X authentication).
- Compliance posture: Is the device patched? Is AV up-to-date? Is the firewall enabled?
- User identity and role.
- Device type (corporate-managed vs BYOD vs IoT).
💡 NAC is especially valuable for BYOD policies and IoT device management — ensuring only known, compliant devices access sensitive network segments.
MCQ Quiz · ~15 min · 25 Questions
Multiple Choice Questions
MCQ Progress:
0 / 25
Simulation 1 · ~5 min
Firewall Rule Builder
Add firewall rules and then simulate whether a test packet would be allowed or denied.
Rules are evaluated top-to-bottom. First match wins. A default DENY ALL is applied at the bottom.
Source IPDest IPPortProtoAction
Simulate a packet:
Simulation 2 · ~4 min
IDS Alert Analyser
Review each IDS alert and classify it: True Positive (real attack), False Positive (legitimate traffic misidentified), or correctly describe the scenario.
Simulation 3 · ~3 min
VPN Scenario Selector
Read each scenario and select the most appropriate VPN type.
Simulation 4 · ~3 min
Secure Network Design Quiz
Answer questions about where to place security controls in a network design.
🎉
Module Complete!
You've completed System and Network Security. Use the sidebar to revisit any section.