AP Cybersecurity Unit 3 Review: Securing Networks

Verified for the 2027 exam. Compiled by AP educators.

unit 3 review

What's This Unit All About?

  • Network defense begins with understanding how data moves between devices and where adversaries can intercept, alter, or block that movement.
  • Core attacks covered include ARP poisoning, MAC flooding, DNS poisoning, and smurf attacks, each exploiting a specific protocol that networks rely on to function.
  • Defensive thinking shifts from individual device hardening (Unit 2 territory) to architectural choices: how networks are divided, where firewalls sit, and what rules govern traffic.
  • Managerial controls (router, switch, VPN, and wireless policies) establish the minimum baseline that technical controls then enforce on the wire.
  • Segmentation strategies, including screened subnets (DMZs), subnetting, and VLANs, contain damage by ensuring a single compromised device cannot freely reach the rest of the network.
  • Firewall configuration is treated as a precise, ordered activity: access control lists (ACLs) follow strict rule precedence, and reversing two rules can flip a network from secure to wide open.
  • Detection rounds out the unit, introducing NIDS, NIPS, and SIEM tools, along with signature-based, anomaly-based, and hybrid approaches to spotting indicators of compromise (IoCs).
  • AI-assisted threat detection is presented as a probabilistic layer on top of traditional tools, with thresholds tuned to balance missed attacks against alert fatigue.
  • Together, the topics map the full defensive lifecycle: identify vulnerabilities, set policy, segment, filter, detect, and respond.

Key Concepts and Terms

  • ARP poisoning: An on-path attack in which falsified ARP packets trick a default gateway into linking a target's IP address to the adversary's MAC address, routing traffic through the attacker.
  • MAC spoofing: Falsifying a device's hardware (MAC) address to impersonate another device on a LAN.
  • MAC flooding: Overwhelming a switch with frames bearing many different MAC addresses, forcing it into broadcast mode so all traffic can be sniffed.
  • DNS poisoning: Planting fake DNS records so user browsers are redirected to attacker-controlled sites, typically for credential harvesting.
  • Smurf attack: A denial-of-service technique that floods a victim with ICMP replies by sending spoofed ICMP requests to a network's broadcast address.
  • DoS / DDoS: Attacks that make a resource unavailable to legitimate users, with DDoS using many coordinated sources.
  • Rogue access point: An unauthorized wireless access point plugged into an internal network port, giving adversaries wireless entry past the firewall.
  • Screened subnet (DMZ): A network segment between the public internet and the internal LAN, typically holding public-facing servers behind one firewall and the LAN behind another.
  • VLAN: A logical grouping of switch ports that separates traffic among devices sharing the same physical switch.
  • Stateless firewall: Filters traffic based on packet header fields (IP, port, protocol) without tracking connection state.
  • Stateful firewall: Tracks the state of connections passing through it, enabling rules that consider whether a packet belongs to an established session.
  • Next-generation firewall (NGFW): A firewall combining stateful filtering with deep packet inspection, intrusion prevention, and application-aware filtering.
  • Access control list (ACL): An ordered set of permit and deny rules a firewall applies to inbound and outbound traffic; the first matching rule wins.
  • NIDS / NIPS: A network intrusion detection system alerts on suspicious traffic; an intrusion prevention system can also block ports, IPs, or protocols in response.
  • SIEM: A security information and event management platform that aggregates logs from many sources and correlates them to detect attack patterns.
  • Signature-based detection: Matches traffic against a database of known IoCs; fast and accurate for known threats but blind to novel attacks.
  • Anomaly-based detection: Compares current activity to a baseline of normal behavior; catches new attacks but produces more false positives.
  • Indicator of compromise (IoC): An observable artifact (malicious IP, unusual port use, traffic spike) suggesting an attack is occurring or has occurred.

Network Attacks and the Protocols They Exploit

  • ARP exists to map IP addresses to MAC addresses at the local network layer, and it trusts any device that responds.
    • In an ARP poisoning attack, the adversary's machine claims the IP of the gateway or target, sitting silently between two parties as a man-in-the-middle.
  • MAC flooding targets the limited memory of a switch's CAM table.
    • Once the table fills, the switch fails open into broadcast (hub-like) behavior, exposing all frames to a connected sniffer.
  • DNS poisoning weaponizes the name resolution system users implicitly trust.
    • A poisoned record sending users from bank.com to a lookalike login page is a classic credential harvesting setup.
  • Smurf attacks abuse ICMP echo and broadcast addressing.
    • Spoofing the victim's IP in pings sent to a broadcast address turns every responding host into an unwitting attacker.
  • Wireless attacks include eavesdropping on beacon frames, breaking weak encryption, and standing up evil twins or rogue access points.
    • An evil twin broadcasts an SSID resembling a legitimate one (e.g., "Starbucks_Free_WiFi") to lure clients into connecting through the attacker.
  • Physical access amplifies every attack: an open Ethernet jack in a lobby plus no port security equals an instant foothold.

Risk Assessment for Networks

  • Network vulnerabilities threaten all three legs of the CIA triad: interception harms confidentiality, tampering harms integrity, and DoS harms availability.
  • Automated vulnerability scanners enumerate known weaknesses across devices, applications, and configurations, reporting severity and recommended fixes.
  • High-risk scenarios typically combine multiple weaknesses, such as a flat unsegmented LAN reachable over weak WiFi while hosting a sensitive web application.
  • Moderate-risk findings often involve information disclosure, like an external firewall that allows ICMP and reveals which hosts are live.
  • Low-risk findings are difficult to exploit or carry minor impact, such as a WAP that broadcasts its SSID and protocol in beacon frames.
  • Likelihood is shaped by the attacker skill required; a vulnerability needing nation-state-level expertise is rated differently from one exploitable with a public script.

Managerial Controls and Network Segmentation

  • Router and switch security policies forbid local accounts, require central authentication, disable unused services like Telnet, and mandate port security and MAC filtering.
  • VPN policies define who may connect remotely, require strong authentication (public/private keys or MFA), and typically prohibit split tunneling so all employee traffic flows through corporate inspection.
  • Wireless policies require EAP-based authentication, AES encryption with a minimum key length, and disabling beacon frames where appropriate.
  • WPA3 is the current strong standard; WEP, WPS, and original WPA all have known breaks and should not be used.
  • Segmentation divides one large network into isolated zones using subnets, VLANs, and screened subnets.
    • A retailer might place its public web server in a DMZ, point-of-sale terminals on a PCI VLAN, and corporate workstations on a separate internal subnet, each with its own firewall rules.
  • Segmentation contains breaches: a compromised guest WiFi device cannot pivot into finance servers if the two segments are firewalled apart.
  • Port security on switches limits how many MAC addresses can appear on a single port, defeating MAC flooding and unauthorized device connections.

Firewalls and Access Control Lists

  • A firewall, whether standalone appliance or software inside a router, decides which traffic crosses a network boundary.
  • Stateless firewalls inspect each packet in isolation, filtering on IP, port, and protocol; stateful firewalls remember connection state and can allow return traffic for established sessions.
  • Next-generation firewalls add deep packet inspection, intrusion prevention, and application-layer awareness (recognizing Zoom traffic versus generic HTTPS, for example).
  • Firewalls belong at every boundary: between the internet and the LAN, between segments, and around any zone with distinct security needs.
  • ACL rules specify direction, criteria (IP, port, service, application), and action (permit or deny).
    • ALLOW inbound TCP port 22 from ALL opens SSH to the world.
    • DENY inbound TCP port 80 from 192.168.1.0/24 blocks a specific subnet from reaching a web server.
  • Rule order is decisive because the first match executes.
    • Allowing SSH then denying all TCP works; reversing the two rules kills SSH along with everything else.
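The first-match rule evaluation described above, as an added worked example (not code from the study guide or from any firewall product): a minimal ACL evaluator plus a check that reports rules an earlier rule has already "shadowed". The ACLs, the source address 203.0.113.5 and the shadow test are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "DENY"
    proto: str             # "TCP", "UDP", "ICMP" or "ANY"
    port: Optional[int]    # destination port; None matches any port
    src: str               # source CIDR; "0.0.0.0/0" means ALL

def evaluate(acl, proto, port, src_ip, default="DENY"):
    """First-match evaluation: return (action, rule_index), or (default, None) if no rule matches."""
    for i, r in enumerate(acl):
        if r.proto not in ("ANY", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if ip_address(src_ip) not in ip_network(r.src):
            continue
        return r.action, i
    return default, None

def shadowed_rules(acl):
    """Indexes of rules that can never fire because a single earlier rule covers everything they match.
    This is a conservative check (assumed simplification); it does not detect shadowing by a combination of rules."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ANY", later.proto)
                    and (earlier.port is None or earlier.port == later.port)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))):
                out.append(j)
                break
    return out

# Constructed ACLs mirroring the two orderings discussed above.
SAFE_ACL = [Rule("ALLOW", "TCP", 22, "0.0.0.0/0"), Rule("DENY", "TCP", None, "0.0.0.0/0")]
REVERSED_ACL = list(reversed(SAFE_ACL))          # DENY all TCP first: the SSH rule is dead
WEB_ACL = [Rule("DENY", "TCP", 80, "192.168.1.0/24"), Rule("ALLOW", "TCP", 80, "0.0.0.0/0")]

if __name__ == "__main__":
    print("safe, SSH from internet:    ", evaluate(SAFE_ACL, "TCP", 22, "203.0.113.5"))
    print("reversed, SSH from internet:", evaluate(REVERSED_ACL, "TCP", 22, "203.0.113.5"))
    print("reversed ACL shadowed rules:", shadowed_rules(REVERSED_ACL))
```

Running `shadowed_rules` on a candidate ACL before deployment is the cheap way to catch the reversed-order mistake the guide warns about.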

Detection, Logging, and AI-Assisted Analysis

  • NIDS monitors and alerts; NIPS monitors and acts, blocking IPs, closing ports, or dropping protocols when an attack is recognized.
  • SIEM platforms (Splunk, QRadar, and similar) ingest logs from firewalls, IDS/IPS, servers, and applications, correlating events that look harmless in isolation.
  • Signature-based detection is fast and produces few false positives but cannot see zero-day attacks; its signature database must be continually updated.
  • Anomaly-based detection learns a baseline of normal traffic and flags deviations; it catches novel attacks but generates more false alarms and needs consistent traffic patterns to work well.
  • Hybrid detection blends both and is reserved for high-value networks because it is the most expensive and most alert-heavy option.
  • Tradeoffs to weigh: detection speed, hardware and licensing cost, false positive rate (which drives alert fatigue), and false negative rate (which lets attackers slip past).
  • AI models score traffic with a probability of maliciousness, and organizations choose a threshold balancing missed detections against analyst overload.
  • Network logs reveal attack-specific footprints:
    • Duplicate-MAC ARP packets suggest ARP poisoning.
    • A sudden flood of distinct MAC addresses at one switch port suggests MAC flooding.
    • An unexplained drop in inbound web traffic may indicate DNS poisoning redirecting users elsewhere.
    • A surge of ICMP to a broadcast address points to a smurf attack.
    • Connections to known-malicious IPs, unauthorized scans, or mismatched port-application pairings (e.g., non-HTTP traffic on TCP 80) are all common IoCs in packet captures.
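The log footprints listed above, turned into detection logic as an added example (not code from the study guide or any NIDS/SIEM product). The log format, the sample lines, the local subnet 10.0.0.0/24 and the thresholds are all constructed assumptions; the logic flags one MAC answering ARP for several IPs, too many distinct MACs on one switch port, repeated echo requests to the broadcast address, and non-HTTP applications on TCP 80.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from any real capture): "<kind> key=value ...".
SAMPLE_LOG = [
    "arp port=Gi0/1 ip=10.0.0.1 mac=aa:bb:cc:00:00:01",    # legitimate gateway reply
    "arp port=Gi0/7 ip=10.0.0.1 mac=de:ad:be:ef:00:99",    # same IP now claimed by another MAC
    "arp port=Gi0/7 ip=10.0.0.50 mac=de:ad:be:ef:00:99",   # that MAC also answers for its own IP
    "icmp src=10.0.0.9 dst=10.0.0.255 type=echo-request",
    "icmp src=10.0.0.9 dst=10.0.0.255 type=echo-request",
    "icmp src=10.0.0.9 dst=10.0.0.255 type=echo-request",
    "tcp src=10.0.0.8 dst=10.0.0.20 dport=80 app=ssh",     # non-HTTP application on TCP 80
    "tcp src=10.0.0.8 dst=10.0.0.20 dport=80 app=http",
] + [f"frame port=Gi0/9 mac=02:00:00:00:{i:02x}:01" for i in range(60)]  # burst of MACs on one port

def parse(line):
    """Split '<kind> k=v k=v' into (kind, {k: v})."""
    kind, *kv = line.split()
    return kind, dict(tok.split("=", 1) for tok in kv)

def detect_iocs(lines, local_net="10.0.0.0/24", mac_limit=20, icmp_limit=2):
    """Return sorted (ioc_name, detail) findings for the four footprints above."""
    bcast = ip_network(local_net).broadcast_address      # assumed local subnet
    ips_by_mac, macs_by_port, bcast_pings = defaultdict(set), defaultdict(set), Counter()
    findings = []
    for kind, fld in (parse(l) for l in lines if l.strip()):
        if kind == "arp":
            ips_by_mac[fld["mac"]].add(fld["ip"])
        elif kind == "frame":
            macs_by_port[fld["port"]].add(fld["mac"])
        elif kind == "icmp" and fld["type"] == "echo-request" and ip_address(fld["dst"]) == bcast:
            bcast_pings[fld["src"]] += 1
        elif kind == "tcp" and fld["dport"] == "80" and fld["app"] != "http":
            findings.append(("port_app_mismatch", f"{fld['app']} from {fld['src']} on tcp/80"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:           # duplicate-MAC ARP: one hardware address claiming several IPs
            findings.append(("arp_poisoning", f"{mac} claims {sorted(ips)}"))
    for port, macs in macs_by_port.items():
        if len(macs) > mac_limit:  # CAM-table pressure from one port
            findings.append(("mac_flooding", f"{port} saw {len(macs)} distinct MACs"))
    for src, n in bcast_pings.items():
        if n > icmp_limit:         # echo requests aimed at the broadcast address
            findings.append(("smurf", f"{n} broadcast echo requests from {src}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, detail in detect_iocs(SAMPLE_LOG):
        print(f"{name:18} {detail}")
```

The thresholds (`mac_limit`, `icmp_limit`) are the knobs that trade false positives against missed attacks, the same balance the guide describes for AI-scored detection.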