CS3690 Network Security

This course covers the concepts and technologies used to achieve confidentiality, integrity, and authenticity for information processed across networks. Topics include: fundamentals of TCP/IP-based networking, core network security principles, traffic filtering types and methodology, packet-level traffic analysis, employment of cryptography, tunneling/encapsulation, Public Key Infrastructure (PKI), remote authentication protocols, and virtual private networks based upon the IPsec, L2TP, and SSL/TLS protocols.

Prerequisite

CS3600 or consent of instructor.

Lecture Hours

4

Lab Hours

1

Course Learning Outcomes

  • Student will learn that protocol-based automation lies at the core of every system generally referred to as "cyber".
  • Student will learn that virtually all cyber-enabling protocols are vulnerable with respect to one or more elements of the CIA triad: confidentiality, integrity, availability.
  • Student will learn how the three information security objectives (CIA triad) can be used to characterize all four factors of the risk equation: threats, vulnerabilities, security controls, and impact.
  • Student will learn how the combination of protocols (e.g., IP, TCP, NAT, etc.), devices (e.g., switches, routers, servers, etc.), and addressing/naming schemes (e.g., MAC, IP, port, FQDN) work together to enable data-in-transit via automated systems and infrastructure (e.g., ARP, DNS, DHCP, BGP, etc.).
  • Student will learn how to "read" and interpret layers 2-4 of the TCP/IP protocol stack; with the goal of being capable of distinguishing "normal" (i.e., protocol- and behavior-compliant) traffic from that which is "abnormal", and thus indicative of either non-malicious errors or (intentional) malicious activity. 
  • Student will learn to appreciate the value that understanding "normal" protocol-enabled behavior brings to the network defender's ability to properly "filter" for enhanced security protection. 
  • Student will learn to convert high(er) level security policy statements/requirements into action via appropriate security device configuration. 
  • Student will learn the rudiments of applying protocol information to create appropriate traffic filters (e.g., router access-control lists) that combine both white- and black-listing techniques; with the end goal of creating and/or enhancing principle-of-least-privilege (POLP) based perimeter defenses.
  • Student will learn the fundamentals of cryptologic mechanisms, to include: key symmetry, PKI, digital signature, digital certificate, cross-certification, trust anchor, certification authority, message authentication code, bit-entropy, brute-force time estimation, Kerckhoffs's principle, the avalanche effect, session key, key management infrastructure, key distribution complexity, and VPN types.
  • Student will learn to assess--at a high level--whether any particular combination of cryptologic mechanisms (e.g., hash, nonce, asymmetric encryption or symmetric encryption) provides one, both, or neither of confidentiality and integrity.
  • Student will learn the fundamental protocols by which digital authentication can be achieved via the proof-of-possession-of-secrets paradigm: using both TLS and IPsec as examples.
  • Student will learn the meaning of, and how to distinguish between, the terms: key establishment, key transport, key agreement and key derivation.
  • Student will learn what is meant by a "side-channel" attack; both in the general sense as well as a specific (cryptographic) example.
  • Student will learn about VPN split-tunneling, and considerations/concerns when VPN (tunneling) technology is integrated with firewall (filtering) technology.
  • Student will learn of the ROI potential of integrating trusted third-party infrastructure solutions for the purpose of dealing with the key management problem at scale.
  • Student will learn what Perfect Forward Secrecy (PFS) means, and what is required to achieve it.
  • Student will learn the requirements of the three assurance levels defined for each of the identity, authentication, and federation aspects of a digital identity enterprise (IAL, AAL, and FAL), as described by NIST in its SP 800-63-3 publication.
  • Student will learn the functional components and operation of IEEE 802.1X (port-based access-control), and IPsec based VPNs.
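The outcome on judging whether a mechanism combination provides confidentiality, integrity, both, or neither is easiest to see in code. The following Python is an added illustration, not course material: it builds a toy counter-mode stream cipher from SHA-256 (a stand-in for a real cipher; use AES-GCM or ChaCha20-Poly1305 in practice), and the keys, nonce, and sample message are constructed here for the demonstration. It shows that encryption alone is malleable (an attacker flips ciphertext bits to change the decrypted amount without knowing the key), that an appended plain hash does not help because the attacker can recompute it, and that encrypt-then-MAC with HMAC rejects the tampering.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter).
    Illustration only; not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # XOR with the keystream; decryption is the same operation.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def flip_bits(ciphertext: bytes, offset: int, original: bytes, replacement: bytes) -> bytes:
    """Attacker with no key: XOR the difference between the plaintext bytes
    they know (original) and the bytes they want (replacement) into the
    ciphertext. A stream cipher passes the change straight through."""
    delta = bytes(a ^ b for a, b in zip(original, replacement))
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[offset + i] ^= d
    return bytes(ct)


def seal_hash_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # "Integrity" via an unkeyed hash of the plaintext: provides nothing
    # against an active attacker, who can simply recompute the hash.
    return encrypt(key, nonce, plaintext + hashlib.sha256(plaintext).digest())


def open_hash_only(key: bytes, nonce: bytes, sealed: bytes):
    pt = decrypt(key, nonce, sealed)
    body, digest = pt[:-32], pt[-32:]
    return body if hashlib.sha256(body).digest() == digest else None


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    ct = encrypt(enc_key, nonce, plaintext)
    # MAC covers the nonce and ciphertext, keyed with an independent key.
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return decrypt(enc_key, nonce, ct)


def demo():
    # Constructed demonstration values (not a real key ceremony).
    enc_key, mac_key, nonce = b"\x01" * 32, b"\x02" * 32, b"\x00" * 12
    msg = b"PAY 0100 USD TO ALICE"

    # 1. Encryption only: confidentiality, but the amount is rewritten.
    ct = encrypt(enc_key, nonce, msg)
    forged_plain = decrypt(enc_key, nonce, flip_bits(ct, 4, b"0100", b"9900"))

    # 2. Encrypt plaintext||SHA-256(plaintext): still forgeable, because the
    #    attacker knows the whole plaintext and recomputes the hash too.
    new_msg = msg[:4] + b"9900" + msg[8:]
    known = msg + hashlib.sha256(msg).digest()
    wanted = new_msg + hashlib.sha256(new_msg).digest()
    forged_hash = open_hash_only(
        enc_key, nonce, flip_bits(seal_hash_only(enc_key, nonce, msg), 0, known, wanted))

    # 3. Encrypt-then-MAC: the same bit flips fail verification.
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    genuine = verify_and_decrypt(enc_key, mac_key, nonce, ct2, tag)
    tampered = verify_and_decrypt(
        enc_key, mac_key, nonce, flip_bits(ct2, 4, b"0100", b"9900"), tag)
    return forged_plain, forged_hash, genuine, tampered


if __name__ == "__main__":
    for label, value in zip(("cipher only", "cipher+hash", "EtM genuine", "EtM tampered"), demo()):
        print(f"{label:13s}: {value!r}")
```

The third case only holds because the MAC key is separate from the encryption key and the tag covers the nonce as well as the ciphertext; dropping either shortcut is a common way to lose the integrity guarantee while keeping confidentiality.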