Lecture 0x01

The document outlines the syllabus and details for the NSE 4 – FGT 7 Exam, which covers network basics, infrastructure, and security protocols. It includes information on exam structure, topics such as the OSI and TCP/IP models, and the roles of routers, switches, and firewalls in network security. Additionally, it discusses the evolution of network security from traditional firewalls to next-generation firewalls and the shift towards SD-WAN architecture.


Secure Enterprise Network Infrastructure
Introduction to network basics, common network infrastructure and transport protocols.
Syllabus
NSE 4 – FGT 7 Exam details
● Exam Name: Fortinet Network Security Expert 4 – FortiOS 6.4/7
● Exam Number: NSE 4 – FGT 6.4/7
● Exam Price: (Students will have access to the Fortinet lab environment as well as the training material at no extra charge. Towards the end of the semester, vouchers will be provided in order to take Fortinet's NSE4 certification exam for free.)
● Duration: 105 minutes (actual)
● Number of Questions: 60-70
● Passing Score: 60%, maybe higher
NSE 4 exam syllabus
You will be tested on the 5 syllabus areas shown below:
● Deployment and System configuration
● Firewall and authentication
● Content inspection
● Routing and L2 switching
● VPN
After taking the exam, you will only get pass or fail for each syllabus area and the overall pass or fail.
Breakdown
● Networking basics
○ OSI model
○ TCP/IP
○ Ports
○ IPV4/IPV6
● Common Network Infrastructure
○ Routers, Switches
○ Firewalls, IDS
● Transport Protocols
○ UDP, ICMP, maybe some others
○ Multicast, Unicast
● Network Security
○ Traditional Firewalls vs NGFW
○ Traditional WAN Architecture vs. SD-WAN
Networking Basics: OSI model
● 7 layers
● Layered like an onion - layer 1 is the innermost layer
● If you don't like onions, you can think of those layers as envelopes inserted inside other (bigger) envelopes
● The OSI model did not end up being adopted as the standard and lost to the TCP/IP model
Networking Basics: TCP/IP model
● Combines many of the OSI model layers that are commonly combined anyway
● Used in physical implementations of networking infrastructure
● TCP/IP is what is ACTUALLY implemented. However, the OSI model was a strong competitor to TCP/IP and was long believed to be the model to be adopted. Regardless, most of the networking world will still refer to the OSI model, as it adds more layers in the application layer [1]

[1]: https://spectrum.ieee.org/osi-the-internet-that-wasnt#toggle-gdpr
Link Layer
● 2 layers in OSI, 1 in TCP/IP
● Operates only within the local network
● Covers the communication between physical devices in the same network (e.g. multiple devices behind a router)
● Uses physical/MAC addresses
Network Layer
● 1 layer in OSI, 1 in TCP/IP
● Covers the communication between devices using the IP addressing system
● Used to route packets between your home network and the rest of the internet
Transport Layer
● 1 layer in OSI, 1 in TCP/IP
● The transport layer protocol determines how two devices communicate with each other
● Establishes communication channels
● The two primary transport layer protocols are TCP (for reliable communication) and UDP (for fast communication)
Application Layer
● 3 layers in OSI, 1 in TCP/IP
● Communicates data over the connection established using the transport layer
● Data can be in a variety of different formats, determined by the protocol in use
● These are protocols created in order to let applications talk to each other, manage how the data is presented to them, and keep track of a session (if needed)
Wireshark Example
Physical (MAC) Addresses
● A physical address is used to identify a network adapter
● While your device might have many different IP addresses, its MAC address is usually static (universally administered addresses)
● In recent years, however, device manufacturers are making devices use random locally administered addresses per network by default, for privacy reasons
● This makes it harder to track a device using its MAC address across different networks

Unicast: send a frame to a single destination
Multicast: send a frame to a group of devices
Broadcast: send a frame to all devices on the LAN (FF:FF:FF:FF:FF:FF)


IPV4 Addresses - Notation
In essence: a 32-bit address, commonly written as 4 octets.
IPV4 Addresses - CIDR & Subnetting
xxx.xxx.xxx.xxx/n (for example 192.168.0.1/24)
Where n is the number of bits in the network mask.
What's a network mask? Simply put, it's what divides the network portion of your address from the host portion of it.
For example, the CIDR notation for the IP address shown on the slide would be: 192.168.10.10/24
cidr.xyz - useful website to calculate and visualize CIDR notation.


Special IPs / IP Ranges
● 127.0.0.1: Loopback (specifies the current device)
● 127.0.0.0/8: Restricted to local services
● 0.0.0.0: All interfaces on the current device (used for listening ports)
● 192.168.0.0/16 and 10.0.0.0/8: Private IP ranges

See the RFC 1918 spec (private/public IP ranges)
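The following is an added example (not part of the lecture) that applies the CIDR and special-range material above: it splits an address such as 192.168.10.10/24 into network and host portions with plain mask arithmetic, checks subnet membership with the standard library, and classifies addresses against the loopback, unspecified and RFC 1918 ranges (the 172.16.0.0/12 block is the third RFC 1918 range, not listed on the slide).

```python
import ipaddress

def parse_cidr(cidr):
    """Split 'a.b.c.d/n' into network and host portions using the mask directly."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    octets = [int(o) for o in addr_str.split(".")]
    if not 0 <= prefix <= 32 or len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed CIDR: {cidr}")
    addr = int.from_bytes(bytes(octets), "big")         # 32-bit integer form
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # n leading one-bits
    host_mask = ~mask & 0xFFFFFFFF                      # the remaining 32-n bits
    network = addr & mask
    dotted = lambda n: ".".join(str(b) for b in n.to_bytes(4, "big"))
    return {
        "network": f"{dotted(network)}/{prefix}",
        "mask": dotted(mask),
        "host_part": addr & host_mask,                   # 10 for 192.168.10.10/24
        "broadcast": dotted(network | host_mask),
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),  # minus network and broadcast
    }

def same_subnet(cidr, other_ip):
    """True when other_ip falls inside the network that the host in cidr belongs to."""
    net = ipaddress.ip_network(cidr, strict=False)      # strict=False accepts a host address
    return ipaddress.ip_address(other_ip) in net

# Ranges from the slide plus the third RFC 1918 block (172.16.0.0/12).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip):
    """Name the role of an IPv4 address: unspecified, loopback, private or public."""
    a = ipaddress.ip_address(ip)
    if a == ipaddress.ip_address("0.0.0.0"):
        return "unspecified (binds all interfaces when used for listening)"
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "loopback"
    if any(a in n for n in PRIVATE):
        return "private (RFC 1918)"
    return "public"

if __name__ == "__main__":
    print(parse_cidr("192.168.10.10/24"))
    print(same_subnet("192.168.10.10/24", "192.168.10.200"), same_subnet("192.168.10.10/24", "192.168.11.1"))
    for ip in ("127.0.0.1", "0.0.0.0", "10.1.2.3", "8.8.8.8"):
        print(ip, "->", classify(ip))
```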


IPV6 Addresses
Turns out 4,294,967,296 addresses wasn't enough. Let's use a BIGGER number!
Let's upgrade to 128 bits and change the way we write it to make it readable:

2a03:2880:f01c:0601:face:b00c:0000:0001
2a03:2880:f01c:601:face:b00c::1
IPV6 Address Types
● Global Unicast: 2000::/3 - publicly routable
● Unique Local: FC00::/7 - routable in the LAN
● Link Local: FE80::/10 - not routable
● Multicast: FF00::/8 - addresses for groups
● Anycast: 2000::/3 - shared address

IPv6 Subnet Calculator - Vultr.com


Source: P.VO - https://people.scs.carleton.ca/~paulv/toolsjewels.html
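An added example (not from the lecture) that works through the IPv6 material above: it expands shorthand back to eight groups so the two spellings of the slide's address can be shown to be the same 128-bit value, shortens an address (RFC 5952 only collapses runs of two or more zero groups; the slide's form also collapses a single group, which the min_run parameter allows), and classifies an address by the prefixes in the address-type table.

```python
def expand_ipv6(addr):
    """Expand an IPv6 address into its eight 4-digit hex groups, resolving a single '::'."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return [g.lower().zfill(4) for g in groups]

def compress_ipv6(addr, min_run=2):
    """Drop leading zeros and replace the longest run of zero groups with '::'.
    min_run=2 is the RFC 5952 rule; min_run=1 reproduces the slide's shorter form."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":       # measure the zero run starting at i
            j += 1
        if j - i > best_len:                    # first longest run wins on ties
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    if best_len >= min_run:
        return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])
    return ":".join(groups)

def ipv6_type(addr):
    """Classify by the leading bits of the 128-bit value, following the slide's prefix table."""
    value = int("".join(expand_ipv6(addr)), 16)
    if value >> 120 == 0xFF:                    # FF00::/8
        return "multicast (FF00::/8)"
    if value >> 118 == 0x3FA:                   # top 10 bits 1111 1110 10 = FE80::/10
        return "link-local (FE80::/10)"
    if value >> 121 == 0x7E:                    # top 7 bits 1111 110 = FC00::/7
        return "unique local (FC00::/7)"
    if value >> 125 == 0b001:                   # 2000::/3; anycast addresses share this space
        return "global unicast (2000::/3)"
    return "other"
```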
Networking Infrastructure
Routers / Switches
● Routers route data using the network layer
● Switches "route" (switch) data using the link layer
Firewalls, Intrusion detection systems (IDS), Intrusion prevention systems (IPS)
● Common network security devices
● Firewalls block connections based on a ruleset
● IDS / IPS also detect malicious traffic based on a ruleset
● IDS / IPS are usually the same system
Routers
[Figure: router with an External IP on the WAN side and an Internal IP on the LAN side]

● Routers connect the WAN (wide area network) to the LAN (local area network).
● Routers have different IPs for communication with the WAN and LAN
● To translate between traffic on the WAN side and the LAN side, routers employ network address translation (NAT)
NAT
● Network Address Translation (NAT) is a method of translating one IP address space into another
● When sending traffic to the WAN, the router needs to change the packet's source address to its WAN address. This way, the reply can be routed back.
● By tracking identifiers such as destination address and source port, a router can identify which internal address any incoming packet is intended for, and modify the destination address of the packet as it enters the LAN.
● This is the functionality of the basic one-to-many NAT used by routers, but there are much more complex forms of NAT employed by networking infrastructure.
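An added example (not from the lecture) of the one-to-many NAT described above: the router rewrites the source of outbound packets to its WAN address and a per-flow port, remembers the mapping, and uses it to rewrite the destination of matching replies. Inbound packets with no mapping are dropped, which is why hosts behind such a router are not reachable unsolicited. The WAN and remote addresses are constructed values from the documentation ranges.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """One-to-many (port-based) NAT: every LAN host shares the router's single WAN address."""

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self._next_port = first_port
        self._inbound = {}    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._outbound = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port

    def translate_outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the WAN address and a per-flow port, remembering the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self._outbound.get(key)
        if wan_port is None:                       # first packet of this flow: allocate a port
            wan_port = self._next_port
            self._next_port += 1
            self._outbound[key] = wan_port
            self._inbound[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def translate_inbound(self, pkt):
        """WAN -> LAN: look the reply up by (our port, remote address, remote port); drop if unknown."""
        entry = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None                            # no outbound flow created this mapping: dropped
        lan_ip, lan_port = entry
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)

if __name__ == "__main__":
    nat = NatRouter("203.0.113.7")                 # constructed WAN address
    out = nat.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    print("to WAN:", out)
    back = nat.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.7", out.src_port))
    print("to LAN:", back)
    print("unsolicited:", nat.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.7", 9999)))
```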
Switches
● Switches are responsible for routing packets to the correct device when multiple devices are connected
● They operate on the link layer (L2), so they know the MAC address of the device on each physical port
● To route packets, switches look at the destination MAC address of a frame and send it out to the appropriate physical port of the switch
Transport Layer Protocols
TCP / UDP
TCP / UDP in Wireshark
ICMP
● Used for network diagnostics - determining which hosts have connectivity, how packets are getting routed, etc.
Unicast
Unicast is the method of routing that we have used up until this point; it communicates between one source device and one destination device.
Multicast
Multicast is the method of sending one message to multiple recipient devices at the same time. By using a special address on the:
● link layer (FF:FF:FF:FF:FF:FF)
● IP layer (255.255.255.255)
devices can indicate that a message is intended for every device on the internal network, and switches will in turn send the message to every connected device.
Firewall Basics
What do Firewalls do?
● Perform an action on network traffic based on admin-defined firewall rules (also called firewall policies)
● They do nothing more than what they are configured to do (highly configurable)
● Actions can include allowing traffic, blocking traffic, sending a connection reset packet, or others depending on the firewall being used
● The default rule is implicit deny (block all traffic that doesn't match a user-defined rule)
Firewall Configuration Example
Firewalls Cont'd
● All traffic is implicitly denied unless explicitly allowed.
● To create a firewall policy, a set of rules needs to be defined for the policy. By checking the policy rules against each packet, the firewall can match each packet to one firewall policy.
● Rules include data such as source and destination interface, IP address range, source and destination port, etc.
● But what if I want to allow most traffic, and deny something specific?
Firewalls Cont'd
● Firewall policy priority allows you to define in what order the policy checks apply.
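An added example (not from the lecture, and not FortiOS configuration) of the policy model just described: each policy matches on source/destination interface, address range, protocol and destination port, policies are checked top-down with the first match winning, and anything unmatched falls to the implicit deny. The constructed ruleset answers the "allow most, deny something specific" question by placing the narrow deny above the broad allow; reversing the order shows why priority matters.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    src_intf: str     # interface name or "any"
    dst_intf: str
    src_net: str      # CIDR; "0.0.0.0/0" means all
    dst_net: str
    protocol: str     # "tcp", "udp", "icmp" or "any"
    dst_ports: tuple  # () means any port
    action: str       # "accept" or "deny"

    def matches(self, pkt):
        """True when every field of the policy covers the packet (a dict of header fields)."""
        return (self.src_intf in (pkt["src_intf"], "any")
                and self.dst_intf in (pkt["dst_intf"], "any")
                and ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt["dst_ip"]) in ipaddress.ip_network(self.dst_net)
                and self.protocol in (pkt["protocol"], "any")
                and (not self.dst_ports or pkt.get("dst_port") in self.dst_ports))

def evaluate(policies, pkt):
    """Top-down, first match wins; a packet no policy matches hits the implicit deny."""
    for policy in policies:
        if policy.matches(pkt):
            return policy.action, policy.name
    return "deny", "implicit-deny"

# Constructed ruleset: the specific deny sits above the broad allow.
POLICIES = [
    Policy("block-telnet", "lan", "wan", "192.168.10.0/24", "0.0.0.0/0", "tcp", (23,), "deny"),
    Policy("lan-to-internet", "lan", "wan", "192.168.10.0/24", "0.0.0.0/0", "any", (), "accept"),
    Policy("wan-to-webserver", "wan", "dmz", "0.0.0.0/0", "10.0.50.10/32", "tcp", (80, 443), "accept"),
]

if __name__ == "__main__":
    https = {"src_intf": "lan", "dst_intf": "wan", "src_ip": "192.168.10.10",
             "dst_ip": "198.51.100.5", "protocol": "tcp", "dst_port": 443}
    telnet = dict(https, dst_port=23)
    print(evaluate(POLICIES, https), evaluate(POLICIES, telnet))
    print(evaluate(POLICIES[::-1], telnet))   # broad allow first: the exception never fires
```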
Firewalls Cont'd: Packet-filtering firewalls (Legacy)
● Performs allow/deny decisions based on each packet's header info
● No awareness of sessions or the state of a connection
● Easy to maintain/manage
● Fast & efficient
● Can operate at wire speed
● Not very effective against modern threats
● Does not inspect the data portion of the packet, just the headers
● Effectively operates on a blind trust model based on source/destination IP
● Can play a useful role in a multilayer protection strategy

Firewalls Cont'd: Circuit-level Gateways
● Will allow sessions initiated from trusted networks
● Monitors packet headers for a valid TCP handshake
● Trusts all traffic for established sessions
● Fast & efficient
● Can operate at wire speed
● Not very effective against modern threats
● Does not inspect the data portion of the packet, just the headers
● Effectively operates on a blind trust model based on the source of session origination
● Can play a useful role in a multilayer protection strategy

Firewalls Cont'd: Application-level Gateways
● Effectively act as a man-in-the-middle to transport traffic
● More likely to impact network performance at high load
● Decrypts and encrypts traffic and acts as the source/destination for a network connection rather than a pass-through
● May also inspect the data portion for malware or other malicious payloads
● Traditionally signature-based inspection
● Offers significant protection when implemented correctly
● Provides a single system with full visibility into higher-level protocols for ease of reporting and granular access control of applications
Intrusion Detection / Prevention System
What is an IDS/IPS?
● The IDS/IPS term is aged, as modern systems typically serve both purposes and do much more
● They are used to observe the content of network traffic at a much more granular level than firewalls
● They typically have three actions that can be performed on their rules: allow, alert, and block
● IDS / IPS rules focus more on the content of network traffic rather than the source or destination
Example: Snort
● Snort is a modern, open source IDS / IPS that can be installed on anything (there's even a Docker image!)
● While firewalls focus on network segregation and policy matching with minimal packet inspection, Snort allows you to dig deep into a packet when defining a rule
The Modern Context of Network Security
What is Network Security?
● The threat landscape is expanding: there are many different cyber threats, each becoming more sophisticated daily: malware, ransomware attacks, zero-day vulnerabilities ...
● Today's networks are highly complex environments whose borders are constantly changing: multifaceted and multidevice environments with no identifiable perimeter:
○ Mobile workforce
○ Partners accessing your network services
○ Public and private clouds
○ Internet of things (IoT)
○ Bring your own device (BYOD)
● Security solutions are expected to perform different functions within a network
● Security solutions should be more than gatekeepers on the network perimeter
Traditional FW vs NGFW
Next-gen Firewalls:
● Frequent or real-time threat signatures pushed from a centralized source
● Integrated IDS/IPS focused on both vulnerability- and threat-facing signatures
● Web/URL filtering services tightly integrated
● Botnet detection based on known C&C systems
● Replacement for your edge router with support for routing protocols (BGP, OSPF, etc.)
● Full protocol stack visibility and application identification
● Ability to generate, issue and push out security certificates to end-points for true seamless proxy operation
● Able to enforce policy independent of port and protocol (key)
● Integration with directory services (AD, LDAP, NIS, X.500)
● Able to map user accounts to systems and network activity for event and security correlation
● Can make suggestions based on IPS activity
● Heuristic analysis dynamically modifies the trust level based on network traffic
FortiGate as an Example:
Traditional Architecture vs. SD-WAN
Traditional Architecture:
● Most applications have moved to the cloud.
● BYOD is now an expectation.
● How to manage guests?
● More things are connected to the internet.
● Centralized breakouts aren't optimal for accessing the cloud.
● Increasing private link capacity is not a scalable way forward.
SD-WAN:
● Software Defined WAN provides a software-defined approach to managing a Wide Area Network.
● In SD-WAN, network configuration is done automatically without requiring human intervention.
● It provides low-cost and high-speed connectivity.
● Data centers are not limited by the underlying hardware that comprises the network.
● It simplifies the complexity associated with management, configuration and infrastructure arrangement of WANs.
Fortinet Product Line-Up