Network Protocols for Security Professionals

By Yoram Orzach, Deepanshu Khanna
About this book

With the increased demand for computer systems and the ever-evolving internet, network security now plays an even bigger role in securing IT infrastructures against attacks. Equipped with the knowledge of how to find vulnerabilities and infiltrate organizations through their networks, you’ll be able to think like a hacker and safeguard your organization’s network and networking devices. Network Protocols for Security Professionals will show you how.

This comprehensive guide gradually increases in complexity, taking you from the basics to advanced concepts. Starting with the structure of data network protocols, devices, and breaches, you’ll become familiar with attacking tools and scripts that take advantage of these breaches. Once you’ve covered the basics, you’ll learn about attacks that target networks and network devices. Your learning journey will get more exciting as you perform eavesdropping, learn data analysis, and use behavior analysis for network forensics. As you progress, you’ll develop a thorough understanding of network protocols and how to use methods and tools you learned in the previous parts to attack and protect these protocols.

By the end of this network security book, you’ll be well versed in network protocol security and security countermeasures to protect network protocols.

Publication date:
October 2022


Data Centers and the Enterprise Network Architecture and its Components

Communication networks have long been a critical part of any organization. Protecting them against risks of all kinds, especially security risks, is critical to the operation of the organization. Understanding the structure of data networks will help you understand network vulnerabilities, where they exist, and where and how we can protect against them.

This chapter provides a preview of a data network's structure and weak points. We will also describe the hardware, software, and protocols involved in the network, as well as their potential vulnerabilities. We will talk about the traditional structure of enterprise networks and data centers, network components and their connectivity, and understand the data flows in the network. Finally, we will explain the evolving Software-Defined Networking (SDN) and Network Function Virtualization (NFV) technologies and their impact on data networks, along with the networking and security considerations of cloud connectivity.

In this chapter, we're going to cover the following main topics:

  • Exploring networks and data flows
  • The data center, core, and user networks
  • Switching (L2) and routing (L3) topologies
  • The network perimeter
  • The data, control, and management planes
  • SDN and NFV
  • Cloud connectivity
  • Types of attacks and where they are implemented

Exploring networks and data flows

Network architecture is about how the building blocks of the networks are connected; data flows are about the information that flows through the network.

Understanding the network architecture will assist us in understanding the weak points of the network. Data flows can be manipulated by attackers to steal information from the network. By diverting them in the attacker's direction, the attacker can watch information running through the network and steal valuable information.

To eliminate this from happening, you must understand the structure of your network and the data that flows through it. A typical data network is built out of three parts:

  • The data center, which holds the organization's servers and applications.
  • The core network, which is the part of the network that is used to connect all the parts of the network, including the user's network, the data centers, remote networks, and the internet.
  • The user's network, which is the part of the network that is used for the user's connectivity. The user network is usually based on the distribution and access networks.

These parts are illustrated in the following diagram:

Figure 1.1 – Typical enterprise network

In the top-left corner, we can see the main data center, DC-1. The user's network is located in the data center site; that is, USERS-1. In the top-right corner, we can see a secondary data center, DC-2, with a user's network located on the secondary data center site. The two data centers are connected to the internet via two firewalls, which are located in the two data centers.

In the center of the diagram, we can see the Wide Area Network (WAN) connectivity, which includes the routers that connect to the Service Provider's (SP's) network and the SP network that establishes this connectivity.

In the lower part of the diagram, we can see the remote sites that connect to the center via the SP network.

Now, let's focus on the protocols and technologies that are implemented on each part of the network.


The data center, core, and user networks

First, let's see what the areas in the organization's data network are. The data center is the network that holds the majority of the organization's servers. In many cases, as shown in the following diagram, we have two data centers that work in high availability mode; that is, if one data center fails, the other one can fully or partially take its place.

The user networks depend on the size, geographical distribution, and number of users in the organization. The core network is the backbone that connects the users to the data center, remote offices, and the internet. The distribution switches are placed in central locations on the campus, while the access switches are located in buildings and smaller areas.

The data center, core, and user networks are illustrated in the following diagram, which is of a typical mid-sized network:

Figure 1.2 – The data center, core, and user networks

At the top, we can see the data center switches, where every server is connected via two cables. This connectivity can be implemented as port redundancy, for redundancy only, or as Link Aggregation (LAG), for redundancy and load sharing. A typical connection is implemented with two wires, copper or fiber, while heavy-duty servers on server blades can be connected with 2-4 wires or more.

In the center, we can see the core switches. As the name implies, they are the center of the network. They connect between the data center and the user network, and they connect to remote sites, the internet, and other networks. The connectivity between the core switches and the data center switches can be implemented in Layer 2 or Layer 3, with or without an overlay technology, as we will see later in this chapter.

The user network holds the distribution and access areas. The access layer holds the switches that connect to the users, while the distribution layer aggregates the access switches. For example, in a campus network, there will be a distribution switch for every building or group of buildings, and the access switches are connected to the nearest one. Distribution switches are usually installed in a redundant topology – that is, two switches per site – with the access switches connected to both.

In the next section, we will learn about Layer 2 and Layer 3 by examining the data flow and how data passes through the network. We will describe various design options and describe the pros and cons from a security point of view.


Switching (L2) and routing (L3) topologies

In this section, we will talk about the structure of a campus network.

Switching (L2) and routing (L3)

Layer 2 switches are devices that switch frames between ports, while Layer 3 switches or routers look at the Layer 3 header of the packet and make routing decisions. This can be seen in the following diagram.

At the top left, we can see a single LAN switch. We can see that a frame arrives at the switch. Then, the switch looks at the destination MAC address, makes a forwarding decision, and forwards the frame to the destination port; that is, port 3.

At the bottom left, we can see how a frame crosses a network of switches. The frame enters the left switch, which makes a forwarding decision and forwards it out of port 3. Port 3 is connected to port 1 on the right switch, which looks at the destination MAC address and forwards the frame out of its port 4. The forwarding decision is made locally; that is, each switch decides on its own, without any coordination with the other.

In routing, as shown to the right of the following diagram, the decision is made at Layer 3. When a packet enters the router, the router looks at the Layer 3 destination address, looks it up in the routing table, and then makes a routing decision and forwards the packet to the next hop:

Figure 1.3 – The data center, core, and user network

Important Note

In the packets shown in the preceding diagram, D stands for destination address and S stands for source address. Although in Ethernet the destination address comes before the source, for convenience, it is presented in the same order – D and S for both L2 and L3.
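The two forwarding decisions just described, as an added example that is not code from the book: a learning switch that forwards on the destination MAC address (and floods when it does not know it), and a router that picks the longest matching prefix from its routing table. The switch names, MAC addresses, prefixes, and next hops are constructed for illustration.

```python
from ipaddress import ip_address, ip_network


class L2Switch:
    """Learning switch model: the MAC table is filled from the source address of
    every frame, and forwarding is decided on the destination address alone."""

    def __init__(self, name, port_count):
        self.name = name
        self.ports = list(range(1, port_count + 1))
        self.mac_table = {}  # MAC address -> port it was learned on

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        self.mac_table[src_mac] = in_port  # learning step
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]  # known destination: exactly one port
        # Unknown destination: the switch floods out of every port except the one
        # the frame arrived on, so the frame becomes visible on all of those ports.
        return [p for p in self.ports if p != in_port]


class L3Router:
    """Router model: the destination IP is looked up in the routing table and the
    most specific (longest-prefix) matching entry decides the next hop."""

    def __init__(self):
        self.routes = []  # (network, next hop, outgoing interface)

    def add_route(self, prefix, next_hop, interface):
        self.routes.append((ip_network(prefix), next_hop, interface))

    def route(self, dst_ip):
        """Return (next_hop, interface), or None when no route exists (packet dropped)."""
        dst = ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        best = max(matches, key=lambda r: r[0].prefixlen)
        return best[1], best[2]


def switch_chain_demo():
    """Two switches in a row, as in the lower-left part of the figure: the left
    switch sends the frame out of port 3, which is wired to port 1 of the right switch."""
    left, right = L2Switch("left", 4), L2Switch("right", 4)
    pc_a, pc_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"  # constructed MACs
    # Pre-populate the tables as if PC-B had already sent a frame earlier.
    left.mac_table[pc_b] = 3
    right.mac_table[pc_b] = 4
    first_hop = left.forward(1, pc_a, pc_b)    # [3]
    second_hop = right.forward(1, pc_a, pc_b)  # [4]
    return first_hop, second_hop


def router_demo():
    """Routing table with a campus prefix, a more specific server prefix and a
    default route (constructed addresses)."""
    r = L3Router()
    r.add_route("10.0.0.0/8", "10.255.0.1", "Int1")    # whole campus
    r.add_route("10.60.0.0/16", "10.255.0.2", "Int2")  # server subnet, more specific
    r.add_route("0.0.0.0/0", "203.0.113.1", "Int3")    # default route to the internet
    return {
        "server": r.route("10.60.100.5"),     # longest match wins: Int2
        "campus": r.route("10.1.2.3"),        # Int1
        "internet": r.route("198.51.100.7"),  # default route: Int3
    }


if __name__ == "__main__":
    print(switch_chain_demo())
    print(router_demo())
```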

While the basic building blocks of data networks are Layer 2 switches that the users connect to, we can also use Layer 3 switches in the higher levels – that is, the distribution, core, or data center level – to divide the network into different IP networks. Before we move on, let's see what Layer 3 switches are.

The following diagram shows a traditional router on the left and a Layer 3 switch on the right. In a traditional router, we assign an IP address to every physical port – that is, Int1, Int2, Int3, and Int4 – and connect a Layer 2 switch to each, where devices, such as the PCs in this example, are connected to the external switch.

In a Layer 3 switch, it is all in the same box. The Layer 3 interfaces (called Interface VLAN in Cisco) are software interfaces configured on the switch. VLANs are configured and an L3 interface is assigned to each. Then, the external devices are connected to the physical ports on the switch:

Figure 1.4 – The data center, core, and users network

Dividing the network into different IP subnets provides many advantages: more flexibility in the design, since every department can get an IP subnet with access rights to specific servers; routing protocols can be implemented; broadcasts do not cross routers, so only a small part of the network can be harmed by a broadcast problem; and many more.

L2 and L3 architectures

L3 can be implemented everywhere in the network. When we implement Layer 3 in the core switches, their IP addresses will be the default gateways of the users; when we implement Layer 3 in the data center switches, their addresses will be the default gateways of the servers.

The design considerations for a data network are not in the scope of this book. However, it is important to understand the structure of the network to understand where attacks can come from and the measures to take to achieve a high level of security.

The following diagram shows two common network topologies – L3 on the core and DC switches on the left, and L3 on the DC only on the right:

Figure 1.5 – L2/L3 network topologies

On the left, we have the following configuration:

  • Virtual LANs (VLANs) configured on the core switches: VLAN50 and VLAN60 are the user's VLANs. Each user VLAN holds several physical ports and one logical L3 Interface – the Interface VLAN in Cisco terminology. In this example, Interface VLAN50's IP address is, while Interface VLAN60's IP address is
  • VLANs configured on the DC switches: VLAN 10 and VLAN 20 are the server's VLANs. Each server VLAN holds several physical ports and one logical L3 Interface – Interface VLAN. For example, Interface VLAN 10's IP address is, while Interface VLAN 20's IP address is
  • The default gateways of the users in the and networks are and, respectively.

On the right, we can see a different topology, which is where all the Interface VLANs are on the DC switches:

  • All the VLANs are configured on the DC switches.
  • The core switches are only used as Layer 2 devices.
  • The default gateways of both the user's devices and servers are on the DC switches.

L2 and L3 architecture data flow

For the data flow, let's look at the following diagram:

Figure 1.6 – L2/L3 network topologies

In the left topology, we can see the following:

  • When sending packets from the users to the servers, users on VLAN 50 or VLAN 60 send packets to the default gateway; that is, the L3 Interface on the left core switch. From there, packets are routed to the L3 Interface on the left DC switch and the server.
  • When sending the packets back, the servers on VLAN 10 or VLAN 20 send packets to the default gateway of, which is on the left DC switch. The packets are routed to the L3 Interface on the left core switch and the user.

In the right topology, we can see the following:

  • The DC switches are the default gateways for the users and the servers, so packets from both are sent to the DC switches and routed internally in them.

L2 and L3 architecture data flow with redundancy

Now, let's see how packets flow through the network. This example is for the case where the user's L3 Interfaces are on the core switches.

In the following diagram, a PC with an address of is sending information to the server on Let's look at the main and redundant flows:

Figure 1.7 – Data flowing through the network

In a network under regular conditions – that is, when all the network components are functioning – the data flow will be as follows:

  • When PC2 sends packets to a server, they go to its default gateway (1); that is, on the lower left core switch.
  • From, the packets are forwarded to on the top left DC switch (2).
  • From, packets are forwarded to the upper server; that is, 10.60.100/16 (3).

When a failure occurs, as in the example in Figure 1.4, where the left DC switch (DC-SW-1) fails, the following happens:

  • The MAC address of the S1 server is now learned on the DC switch on the right (DC-SW-2), and from there it will be learned on the core switch on the right (CORE-SW-2).
  • Packets that are sent from PC2 to the server will be forwarded to the core switch on the right (a).
  • The core switch on the right forwards the packets to the next hop (b), which is the DC switch on the right (DC-SW-2).
  • The DC switch on the right forwards the packets to the server (c).

L2 and L3 topologies with firewalls

A common practice in network design is to add firewalls to two locations of the enterprise network – data center firewalls and core firewalls. Data center firewalls are more common and are used to protect the data center, while the core firewalls protect different users and areas in the network.

A typical network is illustrated in the following diagram:

Figure 1.8 – The data center, core, and users network (with firewalls)

In this case, we have firewalls with the following functionality:

  • Data center firewalls: These are firewalls that protect the data center. On these firewalls, we will usually have packet filtering, stateful inspection, intrusion detection, and application filtering.

    Important Note

    Packet filtering is a term that refers to filtering packets according to Layer 3 (IP) and Layer 4 (TCP/UDP) information. Stateful inspection is a mechanism that records the direction in which each session crossing the firewall was started and allows traffic to be forwarded only as part of a session started in the permitted direction. Intrusion prevention is a mechanism that protects against intrusion attempts into the network. Application filtering is a mechanism that works on Layer 7 and filters sessions based on the application and its content. Further discussion of these mechanisms and others, as well as how to use and harden them, is provided later in this book.

  • Core firewalls: These are used to protect different areas of the network, such as different departments, different companies on the same campus, and so on.
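A model of the difference between packet filtering and stateful inspection from the note above, as an added example rather than the book's code: the same Layer 3/4 rule set is applied once on its own and once with a session table, so a stray TCP segment that matches the rule but belongs to no session is passed by the former and dropped by the latter. The addresses and the single rule are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP: True only on the segment that opens a session


class PacketFilter:
    """Stateless filter. A rule is (source net, destination net, protocol, destination
    port); every packet is judged on its own Layer 3/4 fields and nothing else."""

    def __init__(self, rules):
        self.rules = [(ip_network(s), ip_network(d), proto, port)
                      for s, d, proto, port in rules]

    def permits(self, pkt):
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        return any(src in s and dst in d and pkt.proto == proto and pkt.dst_port == port
                   for s, d, proto, port in self.rules)


class StatefulFirewall(PacketFilter):
    """Packet filter plus a session table: return traffic is admitted only for a
    session that was opened in the direction the rules permit."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()  # 5-tuples of sessions opened through a permit rule

    def inspect(self, pkt):
        fwd = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "allow-established"      # part of a session we saw being opened
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop-no-session"        # a non-SYN segment cannot open a session
        if self.permits(pkt):
            self.sessions.add(fwd)          # remember the direction it was opened in
            return "allow-new"
        return "drop-no-rule"


# Constructed policy: users in 10.50.0.0/16 may open HTTPS sessions to servers in 10.10.0.0/16.
RULES = [("10.50.0.0/16", "10.10.0.0/16", "tcp", 443)]


def data_center_firewall_demo():
    fw = StatefulFirewall(RULES)
    user_syn = Packet("10.50.1.10", "10.10.0.5", "tcp", 51000, 443, syn=True)
    server_reply = Packet("10.10.0.5", "10.50.1.10", "tcp", 443, 51000)
    server_initiated = Packet("10.10.0.5", "10.50.1.10", "tcp", 40000, 445, syn=True)
    stray_ack = Packet("10.50.9.9", "10.10.0.5", "tcp", 60000, 443)  # no SYN, no session
    return {
        "user_syn": fw.inspect(user_syn),                 # allow-new
        "server_reply": fw.inspect(server_reply),         # allow-established
        "server_initiated": fw.inspect(server_initiated), # drop-no-rule
        "stray_ack": fw.inspect(stray_ack),               # drop-no-session
        # The stateless filter alone passes the stray ACK because it matches the rule.
        "stray_ack_stateless": PacketFilter(RULES).permits(stray_ack),
    }


if __name__ == "__main__":
    for name, verdict in data_center_firewall_demo().items():
        print(f"{name:20s} {verdict}")
```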

The data flow in a firewall-protected network is as follows:

Figure 1.9 – Data flowing through the network (with firewalls)

Data can flow in several directions, with several levels of protection:

  • In the first example, PC2, which has an address of, sends data to its default gateway; that is, the IP interface on its VLAN (1). From there, packets are routed to the DC firewall (FW1) at the top-left (2) and the required server (3).
  • A second option is when PC4, which is on the right, sends packets to the server. This happens when the packets go through the first level of security – core firewall FW4. Packets from the PC are sent to the default gateway; that is, the IP interface of the VLAN (a). From there, they are routed to the core firewall (FW4) (b), the DC firewall (FW2) (c), and the required server (d).
  • There are many other options here, including routing packets from the users through the core firewall to external networks, routing packets between users through the core firewalls, and so on.

L2 and L3 topologies with overlays

When building a traditional enterprise network, the network structure ensures one thing: that packets are forwarded from the source to the destination as fast as possible.

Important Note

As fast as possible, in terms of a data network, is measured with four parameters: bandwidth, delay, jitter, and packet loss. Bandwidth is defined as the number of bits per second that the network can provide. Delay is the Round-Trip Time (RTT) in seconds that it takes a packet to reach the destination and the response to arrive back at the sender. Jitter is defined as the variation in delay and is measured in percent. Packet loss is the percentage of packets that were lost in transmission. Different applications require different parameters: some require high bandwidth, others are sensitive to delay and jitter, while some are sensitive to packet loss. A network attack on a communications line can degrade one or all of these parameters.

Overlay technologies add functionality to the network by establishing one or more virtual networks over the physical one. In this case, the physical network is referred to as the underlay network and the virtual network as the overlay network, as illustrated in the following diagram:

Figure 1.10 – Underlay/overlay network architecture

Here, we can see a standard network that is made up of routers with connectivity between them. The overlay network is made up of end-to-end tunnels that create a virtual network over the real one.

There are various overlay technologies, such as VXLAN, EVPN, and others. The principle is that packets from the external network that are forwarded through the overlay tunnels are encapsulated in underlay packets, forwarded to the destination, and decapsulated when exiting toward the destination.

Since the bits are eventually forwarded over the wires, attacks on both the underlay network and the overlay connectivity can affect the network and cause downtime.
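The encapsulation principle for VXLAN, as an added example (not from the book): the tunnel entry point wraps an inner Ethernet frame in a VXLAN header and an outer UDP header, the underlay forwards on the outer headers only, and the tunnel exit point validates the headers before decapsulating rather than trusting whatever arrives on port 4789. The MAC addresses, VNI, and payload are constructed; the outer IP header between the tunnel endpoints is omitted.

```python
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08    # flag bit meaning "the VNI field is valid"


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Build a raw Ethernet frame: the 'inner' packet that the overlay carries."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def vxlan_encap(inner_frame, vni, src_port):
    """Tunnel entry point: prepend VXLAN and outer UDP headers to the inner frame.
    UDP checksum is left at 0, which is permitted for VXLAN over IPv4."""
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp + payload


def vxlan_decap(datagram):
    """Tunnel exit point: validate the outer UDP and VXLAN headers and return
    (vni, inner_frame). Malformed input is rejected instead of being forwarded."""
    if len(datagram) < 16:
        raise ValueError("truncated datagram")
    _, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_UDP_PORT or length != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    flags, vni_field = struct.unpack("!B3xI", datagram[8:16])
    if flags != VXLAN_FLAG_I or vni_field & 0xFF:
        raise ValueError("malformed VXLAN header")
    return vni_field >> 8, datagram[16:]


def underlay_view(datagram):
    """What an underlay router sees: only the outer transport header, never the
    inner frame, which is why underlay ACLs cannot filter overlay traffic."""
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length}


def overlay_demo():
    inner = ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800,
                           b"constructed payload")
    wire = vxlan_encap(inner, vni=5000, src_port=49152)
    vni, recovered = vxlan_decap(wire)
    return vni, recovered == inner, underlay_view(wire)["dst_port"]


if __name__ == "__main__":
    print(overlay_demo())
```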

Now that we've talked about the organization network, let's talk about connectivity to the world; that is, the perimeter.


The network perimeter

The network perimeter is the boundary between the private locally managed enterprise network and public networks such as the internet.

A network perimeter, as shown in the following diagram, includes firewalls, Intrusion Detection and Prevention Systems (IDPSes), application-aware software, and sandboxes to prevent malware from being forwarded to the internal network:

Figure 1.11 – The perimeter architecture

There are three zones on the perimeter that act as boundaries between the organization's private network and the internet:

  • Internal zone: This is the area used for the organization's users and servers. It is also referred to as the trusted zone. This is the zone with the highest level of security. No access is allowed from the external zones to the internal zone, and all access, if any, should go through the DMZ.
  • Demilitarized Zone (DMZ): This is the area that users from the internet can access, under restrictions. Here we will find, for example, mail relays, which receive emails from external servers and forward them to the internal server in the Secured Zone (SZ), as well as websites and proxies, which act as mediation devices for controlling access to important servers, and others.
  • External zone: This is the connection to external networks, such as Internet Service Providers (ISPs) and other external connections.

Usually, the architecture is more complex: there can be several DMZs for several purposes, several SZs for different departments in the organization, and so on. The firewall cluster may also be distributed, with each firewall in a different location, and there can be more than two firewalls.

In the Zero-Trust architecture, created by John Kindervag from Forrester Research, we talk about deeper segmentation of the network: we identify a protected surface made from the network's critical Data, Assets, Applications, and Services (DAAS) and design the firewall topology and defenses around it. In this architecture, we talk about the trusted area, which is for users and servers; the untrusted area, which is for external connections such as the internet; and the public areas, which are for frontend devices and services that are accessed from the external world.

Additional software can be implemented in the perimeter: intrusion detection and prevention systems, sandboxes that run suspicious software that's been downloaded from the internet, web and mail filters, and others. These can be implemented as software on the firewall or as external devices.

Attacks from the perimeter are common: malicious websites, emails with malicious attachments, intrusion attempts, and many others.

Data network attacks can focus on the network itself or on network components. Now that we've talked about the network topology, let's learn how the network components are built.


The data, control, and management planes

Network devices perform three different operations:

  • Process and forward the data in transit. This is referred to as the data plane.
  • Make forwarding decisions; that is, where to forward the data. This is referred to as the control plane.
  • Enable the administrator, or the management system, to give commands and read information from the device. This is referred to as the management plane.

The following diagram shows how these three planes function:

Figure 1.12 – The data, control, and management planes

Here, we can see the objectives of the data, control, and management planes.

The data plane

The data plane is responsible for forwarding information. It receives instructions from the control plane, such as routing tables, and forwards packets from port to port. The forwarding tables are built from various control plane functions. For example, several routing protocols can run in the control plane, and their combined result is a single routing table in the control plane that is translated into a single forwarding table in the data plane.

The data plane is responsible for processing and delivering packets, so it is implemented on network interfaces and device CPUs.

Attacks on the forwarding table can be carried out by overloading the network, for example with link flooding attacks and Distributed Denial of Service (DDoS) attacks.

The control plane

The control plane is where we determine how data should be forwarded in the data plane. The control plane includes routing protocols that exchange information between routers, multicast protocols, Quality of Service (QoS) protocols, and any other protocol that the network devices use to exchange information and make forwarding decisions. These protocols run in the control plane, and their result is a forwarding table that is built in the data plane.

The control plane is part of the network device software, and it runs in the device's CPU.

Several types of attacks can be performed on the control plane. Some of them simply try to load the device's resources (such as CPU and memory), while others try to confuse the protocols running on the device: by sending fake routing updates to divert traffic, by flooding the device's ARP cache so that packets are forwarded in the wrong direction, and so on.

The management plane

The management plane is responsible for interacting with the network device, whether through a management system via protocols such as SNMP or NetFlow, REST APIs, or any other method the device supports, or through human interaction with a Command-line Interface (CLI), a web interface, or a dedicated client.

The management plane is implemented entirely in software. Attacks on the management plane mostly try to break into the network device, by a human or by a machine, log in, and change settings in violation of the enterprise policy, with the intent of disrupting or breaking into network activity.

Now that we've talked about network devices and their structure, let's talk about the new designs in data networks; that is, SDN and NFV.


SDN and NFV

SDN and NFV are technologies from the early 2010s that virtualize network operations. While SDN is a technology that came from the enterprise network and data centers, NFV came from the Network Service Provider (NSP) world. Let's see what they are and the security hazards for networks that implement them.

Software-defined networking (SDN)

SDN separates the data plane from the control plane, creating software-programmable network infrastructure that can be manually and automatically adapted to application requirements.

While in traditional networks, network devices exchange information between them, learn the network topology, and forward packets, in SDN, the switches are simple devices that forward packets according to commands they receive from the network controller.

Let's take, for example, a network of routers. The following happens in traditional networks:

  • In the control plane: Routing protocols exchange routing information between them, check restrictions such as Access Control Lists (ACLs) and QoS requirements, and fill in the routing tables.
  • In the data plane: From the routing tables, they build the forwarding tables. Then, when a packet enters the router, the router will forward it according to the forwarding tables.

The following diagram shows an example of an SDN network:

Figure 1.13 – SDN

In this network, we have a central controller, which is the network's brain. This controller acts as the control plane for the entire network. When a new session is opened and packets are sent through the network, every switch receiving the first packet sends a request to the controller, asking how to forward it. Upon receiving the response, the switch stores it in its forwarding table. From then on, every packet of that flow is forwarded according to it. This is done through the southbound interface using protocols such as OpenFlow or NETCONF. Connections from the controller to the switches are established over the Transmission Control Protocol (TCP), preferably with Transport Layer Security (TLS).

On the northbound interface, the controller sends and receives information to and from SDN applications via standard APIs such as REST. SDN applications can be applications that implement network functionality such as routers, firewalls, load balancers, or any other network function. An example of an SDN application is a Software-Defined Wide Area Network (SD-WAN), which provides connectivity between remote sites over private and internet lines.

An SDN domain is all the devices under the same SDN controller. A network orchestrator is used to control multiple SDN domains. For example, when enterprise LANs are connected through a private SD-WAN service, there will be three controllers – two controllers for the two LANs and one controller for the SD-WAN. The orchestrator controls its end-to-end connectivity.
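The reactive flow setup described above, as an added example that is not the book's code: a switch with no local control plane sends every table miss to the controller and caches the answer, so the first packet of each new flow costs one controller round trip while later packets are forwarded locally. Counting those round trips is the simplest way to see how much load the controller carries. The switch name, MAC addresses, and policy are constructed.

```python
class SdnController:
    """Central controller (the network's brain): it alone holds the topology view
    and the policy, and it answers table-miss requests from the switches."""

    def __init__(self, host_ports, acl):
        self.host_ports = host_ports  # (switch name, destination MAC) -> output port
        self.acl = set(acl)           # (source MAC, destination MAC) pairs the policy forbids
        self.packet_in_count = 0      # southbound requests served so far

    def packet_in(self, switch_name, src_mac, dst_mac):
        """Return the action the switch must install: an output port or 'drop'."""
        self.packet_in_count += 1
        if (src_mac, dst_mac) in self.acl:
            return "drop"
        return self.host_ports.get((switch_name, dst_mac), "drop")


class SdnSwitch:
    """Simple forwarding device: no local learning or routing. A table miss is
    sent to the controller, the answer is cached in the flow table, and every
    later packet of the same flow is forwarded from that cache."""

    def __init__(self, name, controller):
        self.name = name
        self.controller = controller
        self.flow_table = {}  # (source MAC, destination MAC) -> action

    def handle(self, src_mac, dst_mac):
        key = (src_mac, dst_mac)
        if key not in self.flow_table:
            # First packet of a new flow: southbound request to the controller
            # (an OpenFlow packet-in message in real deployments).
            self.flow_table[key] = self.controller.packet_in(self.name, src_mac, dst_mac)
        return self.flow_table[key]


def sdn_demo():
    """One switch, two permitted hosts and one guest that policy keeps away from the server."""
    pc, server, guest = "aa:00:00:00:00:01", "bb:00:00:00:00:02", "cc:00:00:00:00:03"
    ctrl = SdnController(host_ports={("sw1", server): 3, ("sw1", pc): 1},
                         acl={(guest, server)})
    sw1 = SdnSwitch("sw1", ctrl)
    first = sw1.handle(pc, server)       # table miss: packet-in, port 3 installed
    second = sw1.handle(pc, server)      # cached flow: no packet-in
    blocked = sw1.handle(guest, server)  # policy denies: a 'drop' entry is installed
    return first, second, blocked, ctrl.packet_in_count, len(sw1.flow_table)


if __name__ == "__main__":
    print(sdn_demo())
```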

Several types of security breaches can occur in an SDN network:

  • Attacks on the connections between the controller and the SDN switches that are implemented over a standard TCP connection with standard port numbers
  • Attacks on network controllers and orchestrators
  • Attacks on data plane switches

Later in this book, we will discuss these risks in more detail.

Network function virtualization (NFV)

NFV takes the concept of computing virtualization into the networking world. The concept is that instead of using dedicated hardware for every networking function, we use standard Off The Shelf (OTS) hardware along with standard Virtual Machines (VMs), with the network functions running as software on these VMs. First, let's have a look at the platforms that host these applications:

Figure 1.14 – VMs and hypervisors

The preceding diagram shows how the networking applications are installed. In the case of Linux containers, the virtual machines are implemented as Linux containers, and the applications are installed on the containers, together or separately.

A Type 1 Hypervisor is installed directly over the hardware. Here, we find the most common Hypervisors, such as VMware ESX/ESXi, Microsoft Hyper-V, and Citrix XenServer.

A Type 2 Hypervisor is installed over the host operating system. Here, we find PC-based Hypervisors such as VMware Workstation, Microsoft Virtual PC, and Oracle VirtualBox.

Important Note

A VM is an emulation of a computer system that provides the functionality of a physical computer. A Hypervisor is a piece of software that runs the VMs. There are two types of Hypervisors – Type 1, which runs directly over the system hardware, and Type 2, which runs over the host operating system. The first Hypervisor was developed in the 1960s by IBM; VMware ESX (later ESXi) came out in 1999, Xen from Citrix came out in 2003, and a year later, Hyper-V from Microsoft came out. In the Linux world, it started with traditional UNIX platforms such as Sun Solaris before arriving as Linux KVM and Docker. The purpose of all of them is simple – to efficiently run many applications over different OSes, independently of each other, on the same hardware.

Linux containers dominate the networking market in NFV. These can be routers, switches, firewalls, security devices, and other applications in the data center network. They can also be cellular network components that are installed on the same hardware. The NFV model is shown in the following diagram:

Figure 1.15 – NFV

The NFV architecture comprises the following:

  • Computing hardware, including computing and storage resources
  • Virtual resources; that is, the resources that are allocated to the VMs
  • VNFs, which are the VMs and the applications installed on them – routers, firewalls, core cellular components, and other network functionalities
  • Element Managers (EMs), which manage the network's functionality
  • NFV Management and Orchestration (MANO), along with Operations Support Systems (OSSes) and Business Support Systems (BSSes)

When considering NFV application security hazards, we should consider potential attacks on the entire software stack, from the operating system to the Hypervisor, the VMs, and the applications.

SDN and NFV are about the transition from hardware-based network functions to virtual networks. Now, let's take this one step further by going to the cloud and seeing how we can implement the network there.


Cloud connectivity

There are various types of cloud services. The major ones are illustrated in the following diagram:

Figure 1.16 – Cloud-based services

Let's look at the cloud computing services mentioned in the preceding diagram in detail:

  • Infrastructure as a Service (IaaS): These are cloud services that provide us with the hardware and VMs needed to run the environments. We only need to install, configure, and maintain operating systems, applications, data, and user access management when using IaaS.
  • Platform as a Service (PaaS): These are cloud services that provide the platform – that is, the hardware and the operating system – so that the user can install their applications directly.
  • Software as a Service (SaaS): These are cloud services that provide us with the necessary software so that we can connect to the software and work with it.

Now that we've covered the network structure and topologies, network virtualization and how it is implemented, and the different cloud service types and how we connect to the cloud, let's talk about the risks and what can go wrong in each part.


Types of attacks and where they are implemented

Now that we've learned about network structures and connectivity, let's have a look at potential threats, types of attacks, and their potential causes. Let's look at the following diagram and see what can go wrong:

Figure 1.17 – The data, control, and management planes

The risks can be categorized as follows:

  • Threats that cause downtime to the entire IT environment or part of it. Here, the damage is in the unavailability of IT resources to the organization. Damage here can start from relatively minor issues such as the loss of working hours, but it can also be critical to organizations that depend on the network, and the loss of computing resources can cause unrecoverable damages.
  • Threats that cause damage to organization data. Here, we have risks involving the destruction or theft of the organization's data. This depends on the organization – in some cases, both are critical, in other cases, only one of them is, and in some cases, neither.

Various types of attacks can cause unavailability, while other types can damage the data. In the next section, we will look at a critical point in any organization's IT environment and what the results of such an attack are.

Attacks on the internet

Let's start with the internet. Every once in a while, we hear that "A third of the internet is under attack" (Science Daily, November 1, 2017), "China systematically hijacks internet traffic" (ITnews, October 26, 2018), "Russian Telco Hijacked Internet Traffic of Major Networks - Accident or Malicious Action?" (Security Week, April 7, 2020), "Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others. Ros Telecom involved in BGP hijacking incident this week impacting more than 200 CDNs and cloud providers." (ZDNet, April 5, 2020), and many more.

What is it? How does it work? Attacks on the internet network itself are usually attacks that deny or slow down access to the internet, along with attacks that divert traffic so that it will get to the destination through the attacker network or not get there at all.

In the first case, when the attacker tries to prevent users from using the internet, they will usually use DoS and DDoS types of attacks.

Important Note

DDoS attacks are a very wide range of attacks that intend to prevent users from using a service. A service can be a network, a server that provides several services, or a specific service. A DDoS targeting the network can be, for example, a worm that generates traffic that blocks communication lines, or sessions that are generated for attacking the routers that forward the traffic. A DDoS targeting a specific server can be, for example, loading the server interfaces with a huge amount of TCP sessions. A DDoS targeting a specific service can be traffic generated to a specific TCP port(s) of the service itself.

DDoS attacks on the internet can involve, for example, generating traffic to specific IP destinations, both from devices controlled by the attackers (referred to as direct attackers) and from third-party servers that are involuntarily used to reflect attack traffic (referred to as reflection attackers).

Another type of attack that can be performed on the internet is diverting traffic from its destination. This type of attack involves making changes to the internet routers so that traffic is diverted through the attacker network, as shown in the following diagram:

Figure 1.18 – Traffic diversion

Here, we can see traffic being sent from Alice to Bob being diverted through Trudy's network. Normally, when Alice sends traffic to Bob, it will go through region A to region B and get to Bob. Under the attack, Trudy configures the routers in region B to pull the traffic in their direction, so that traffic from router A4 will be sent to B1. Inside region B, traffic will be forwarded to the point where it can be recorded and copied, and then it will be sent to router C3 in region C on the way to its destination.

Important Note

Bob, Alice, and Trudy (from the word intruder) are the common names of fictional characters commonly used for cyber security illustrations. Here, Bob and Alice are used as placeholders for the good guys that exchange information, while Trudy is used as a placeholder for the bad guy that tries to block, intrude, damage, or steal the data that's sent between Bob and Alice.

To divert the data that should be forwarded from A4 to C3 so that it can be sent to B1 in area B, router B1 must tell router A4 that it has a higher priority so that router A4 will see that the best route to the destination is through B1 and not through C3. In the case of the internet, it is configured in the Border Gateway Protocol (BGP), which we will look at in more detail in Chapter 12, Attacking Routing Protocols.

The traffic in this example is forwarded in two directions. I used an example with single-direction traffic for simplicity.
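As an added example that is not part of the book, the following Python sketch models the diversion in Figure 1.18 using one mechanism such hijacks commonly rely on, a more-specific prefix announcement, and shows how route origin validation against RPKI ROAs (RFC 6811) rejects it before it reaches the forwarding table. The prefixes, AS numbers, and the mapping of next hops to routers B1 and C3 are constructed for the example; the book's own BGP discussion is in Chapter 12.

```python
"""Longest-prefix match versus route origin validation (added illustration).

Bob's network is legitimately originated by AS 64500 and reached via router C3.
Trudy (AS 64666, reached via B1) announces a more-specific /25 that covers Bob's
address. Without validation the more-specific route wins; with ROA validation the
announcement is marked invalid and dropped. All values are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    next_hop: str          # constructed router names from Figure 1.18


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: prefix, maximum length, authorized origin AS."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


def best_route(table, dst):
    """Longest-prefix match, the rule every router applies when forwarding."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def roa_validate(route, roas):
    """Return 'valid', 'invalid' or 'unknown' for a route against a ROA set."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "unknown"       # no ROA covers this prefix; accepted by default
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"           # covered, but wrong origin AS or too specific


def accept_routes(announced, roas):
    """Drop announcements that fail origin validation."""
    return [r for r in announced if roa_validate(r, roas) != "invalid"]


# Constructed scenario
BOB = "203.0.113.10"
LEGIT = Route(ipaddress.ip_network("203.0.113.0/24"), 64500, "C3")
HIJACK = Route(ipaddress.ip_network("203.0.113.0/25"), 64666, "B1")
ROAS = [Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64500)]


def next_hop_without_validation():
    return best_route([LEGIT, HIJACK], BOB).next_hop


def next_hop_with_validation():
    return best_route(accept_routes([LEGIT, HIJACK], ROAS), BOB).next_hop


if __name__ == "__main__":
    print("without validation, traffic to Bob leaves via", next_hop_without_validation())
    print("with ROA validation, traffic to Bob leaves via", next_hop_with_validation())
    print("hijack announcement status:", roa_validate(HIJACK, ROAS))
```

The ROA's maximum length of 24 is what makes the /25 invalid even though it is covered by the authorized prefix; a ROA that carelessly allows longer prefixes would let a more-specific announcement from the authorized AS pass, which is why max-length is kept as tight as the real announcements allow.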

Attacks from the internet targeting organizational networks

Attacks from the internet can be of various types. They can be intrusion attempts, DDoS, scanning, and more. Let's look at some examples.

Intrusion attempts are discovered and blocked by identifying anomalies or well-known patterns. An anomaly is, for example, a sudden increase in traffic to or from an unknown source, while an intrusion pattern is, for example, port scanning. Suspicious traffic patterns are discussed further in Chapter 6, Finding Network-Based Attacks.
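To make both patterns concrete, the following added example (not code from the book) runs two checks over a constructed set of connection records: a SYN-flood indicator for the DDoS case described in the Important Note above (many sources opening sessions to one service without completing them) and a port-scan indicator for the intrusion pattern just mentioned (one source touching many ports on one host). The record format, addresses, and thresholds are assumptions chosen for the illustration.

```python
"""Two traffic-pattern checks over constructed connection records (added example).

Each record is (epoch seconds, source IP, destination IP, destination port, TCP flags),
roughly what a flow exporter or a connection log would give you."""
from collections import defaultdict


def build_constructed_records():
    recs = []
    # Normal clients: a few full handshakes (SYN followed by an ACK from the same source)
    for i, src in enumerate(["203.0.113.5", "203.0.113.6", "203.0.113.7"]):
        recs.append((1000 + i, src, "192.0.2.20", 443, "S"))
        recs.append((1000 + i, src, "192.0.2.20", 443, "A"))
    # Port scan: one source probing 25 ports on one host within a few seconds
    for port in range(20, 45):
        recs.append((1010 + port % 5, "198.51.100.7", "192.0.2.10", port, "S"))
    # SYN flood: 80 distinct (possibly spoofed) sources, SYN only, same service, 2-second burst
    for i in range(80):
        recs.append((1020 + i % 2, f"100.64.0.{i}", "192.0.2.20", 443, "S"))
    return recs


def detect_port_scans(records, window=10, min_ports=15):
    """Flag (src, dst) pairs that touch at least min_ports distinct ports within window seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _flags in records:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


def detect_syn_floods(records, window=5, min_sources=50, max_ack_ratio=0.1):
    """Flag services that receive SYNs from at least min_sources distinct sources within
    window seconds while almost none of those sources ever send an ACK (half-open sessions)."""
    syns = defaultdict(list)    # (dst, port) -> [(ts, src)]
    acked = defaultdict(set)    # (dst, port) -> sources that completed a handshake
    for ts, src, dst, port, flags in records:
        if "S" in flags and "A" not in flags:
            syns[(dst, port)].append((ts, src))
        elif "A" in flags:
            acked[(dst, port)].add(src)
    alerts = []
    for key, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            srcs = {s for t, s in events[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                completed = len(srcs & acked[key])
                if completed / len(srcs) <= max_ack_ratio:
                    alerts.append((key[0], key[1], len(srcs)))
                break
    return alerts


def run_checks(records=None):
    records = build_constructed_records() if records is None else records
    return {"scans": detect_port_scans(records), "floods": detect_syn_floods(records)}


if __name__ == "__main__":
    result = run_checks()
    for src, dst, n in result["scans"]:
        print(f"port scan: {src} -> {dst}, {n} distinct ports")
    for dst, port, n in result["floods"]:
        print(f"SYN flood: {dst}:{port}, {n} sources without completed handshakes")
```

The legitimate clients never trip either check: each touches a single port, and each completes its handshake, which is the distinction the ACK ratio exists to capture. Thresholds like 15 ports or 50 sources are starting points; on a real network they are tuned against a baseline of normal traffic, which is the subject of Chapter 6.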

A nice website called Digital Attack Types provides a daily world map of DDoS attacks. It can be found at

Attacks on firewalls

Attacks on firewalls usually take place when the attacker tries to penetrate the network. Penetrating the network can be done in several ways. It can be done by scanning the firewall to look for security breaches, such as ports that were left open so that we can open a connection through them to the internal network. Another method is to crash the firewall services so that the firewall will only continue to work as a router. We can also generate user login attempts to log in to the firewall as a VPN client and break into the secured network.

Another component we need to protect is the firewall management console. When the console is installed on an external device, make sure it is hidden from the internet and protected with strong passwords.
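An added example (not from the book) of checking the second point: a small audit over a constructed rule set flags any allow rule that exposes a management port (SSH, HTTPS administration, or an assumed console port 8443) to sources outside an assumed management subnet, and the same rules restricted to that subnet pass. The rule format, ports, addresses, and subnets are all assumptions; a real firewall exports its rules in its own format.

```python
"""Audit for management services exposed beyond the admin subnet (added example)."""
import ipaddress

# Assumed management services and the administrative subnet allowed to reach them
MANAGEMENT_PORTS = {22: "ssh", 443: "https-admin", 8443: "mgmt-console"}
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed rule sets: (action, protocol, source, destination, destination port).
# 203.0.113.1 stands for the firewall's own outside address.
WEAK_RULES = [
    ("allow", "tcp", "0.0.0.0/0", "203.0.113.1", 443),   # console reachable from the internet
    ("allow", "tcp", "0.0.0.0/0", "203.0.113.1", 22),    # SSH reachable from the internet
    ("allow", "udp", "0.0.0.0/0", "203.0.113.1", 500),   # IKE for remote VPN clients (expected)
]
HARDENED_RULES = [
    ("allow", "tcp", "10.10.0.0/24", "203.0.113.1", 443),
    ("allow", "tcp", "10.10.0.0/24", "203.0.113.1", 22),
    ("allow", "udp", "0.0.0.0/0", "203.0.113.1", 500),
    ("deny", "any", "0.0.0.0/0", "203.0.113.1", None),   # everything else aimed at the firewall
]


def exposed_management(rules, mgmt_ports=MANAGEMENT_PORTS, mgmt_net=MANAGEMENT_NET):
    """Return (service, source, destination) for every allow rule that lets a
    management port be reached from a source not contained in the management subnet."""
    findings = []
    for action, _proto, src, dst, port in rules:
        if action != "allow" or port not in mgmt_ports:
            continue
        if not ipaddress.ip_network(src).subnet_of(mgmt_net):
            findings.append((mgmt_ports[port], src, dst))
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, exposed_management(rules) or "no management exposure")
```

The VPN rule on UDP 500 is left alone in both sets on purpose: remote users have to reach it, so the audit is about separating services meant for the outside from the console that never should be.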

Attacks on servers

When attacking an organization's servers, the risk is to the organization's data, and sometimes, this is the most dangerous risk. In this book, we will talk about threats to networks and network services and how to secure them.

There are various types of attacks that can be carried out on an organization's servers. Attacks can target the availability of the servers, the services that run on them, or their information. The following are some of the risks to servers:

  • Risks to server software such as HTTP, mail, IP telephony, file servers, databases, and others. This will be covered in the third part of this book.
  • Risks involving DDoS targeting servers to prevent users from accessing them.
  • Risks involving breaking into servers to try to steal or destroy the information running on them.
  • Risks involving impersonating users and data disruption.

Risks to network applications, services, and servers will be discussed in the third part of this book.

Attacks on local area networks (LANs)

Attacks on an organization's LANs can be implemented in several ways, but the intruder must be inside the LAN or break into the LAN from an external network.

The attacks here can be of several types:

  • Attacks on network devices, as described in Chapter 7, Detecting Device-Based Attacks, such as attacks on LAN switches and their CPUs that cause them to drop packets and eventually stop functioning.
  • Attacks on network protocols, as described in Chapter 6, Finding Network-Based Attacks, and Chapter 7, Detecting Device-Based Attacks, such as attacks on Spanning Tree Protocol (STP), attacks on ARP caches, and many others.
  • Another category of attacks is eavesdropping and information theft. These types of attacks will be described in Chapter 8, Network Traffic Analysis and Eavesdropping.
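As an added example (not from the book), the following check approaches the ARP cache attacks listed above from the defender's side: observed ARP replies are compared with a trusted baseline of IP-to-MAC bindings, and any rebinding of a known address, or a single MAC claiming several addresses, is reported. The addresses, MACs, and baseline are constructed for the illustration.

```python
"""Passive ARP cache poisoning check against a trusted binding table (added example)."""
from collections import defaultdict

# Constructed trusted bindings, as a DHCP lease table or switch port-security table might supply
BASELINE = {
    "10.0.0.1": "00:11:22:33:44:01",    # default gateway
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00:11:22:33:44:11",
}

# Constructed observed ARP replies: (epoch seconds, sender IP, sender MAC)
OBSERVED = [
    (100, "10.0.0.10", "00:11:22:33:44:10"),
    (101, "10.0.0.1", "00:11:22:33:44:01"),
    (102, "10.0.0.11", "00:11:22:33:44:11"),
    # one station starts claiming both the gateway's and a host's address
    (103, "10.0.0.1", "de:ad:be:ef:00:01"),
    (103, "10.0.0.10", "de:ad:be:ef:00:01"),
    (105, "10.0.0.1", "de:ad:be:ef:00:01"),
]


def detect_arp_poisoning(observed, baseline):
    """Return rebinding events for known IPs and MACs that claim more than one IP."""
    rebinds = []                     # (ts, ip, expected_mac, seen_mac)
    ips_by_mac = defaultdict(set)
    for ts, ip, mac in observed:
        ips_by_mac[mac.lower()].add(ip)
        expected = baseline.get(ip)
        if expected is not None and mac.lower() != expected.lower():
            rebinds.append((ts, ip, expected, mac))
    multi_claim = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"rebinds": rebinds, "multi_claim": multi_claim}


def suspect_macs(observed, baseline):
    """The set of MACs implicated by either indicator."""
    result = detect_arp_poisoning(observed, baseline)
    return {mac.lower() for *_, mac in result["rebinds"]} | set(result["multi_claim"])


if __name__ == "__main__":
    report = detect_arp_poisoning(OBSERVED, BASELINE)
    for ts, ip, expected, seen in report["rebinds"]:
        print(f"t={ts}: {ip} rebound from {expected} to {seen}")
    for mac, ips in report["multi_claim"].items():
        print(f"{mac} claims {', '.join(ips)}")
```

The baseline here is a static dictionary; on a managed switch the same comparison is what Dynamic ARP Inspection performs against the DHCP snooping table, which is why that feature is the usual first line of defense on the access layer.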

Attacks on network routers and routing protocols

Attacks on routers and routing protocols target the routers and the interactions between them. The following are some attacks that can be performed on router networks:

  • Attacks on the router's hardware and software, as described in Chapter 7, Detecting Device-Based Attacks.
  • Attacks on routing protocols, misleading the routers to stop forwarding packets or sending packets in the wrong direction.
  • Attacks on non-routing protocols that serve other purposes, such as Hot Standby Routing Protocol (HSRP)/Virtual Router Redundancy Protocol (VRRP), multicast protocols, and so on.
  • Another common attack to be carried out on routers and Wide Area Networks (WANs) is a DDoS, where, by flooding the communication lines, the attacker can prevent users from using the network.

We will learn how router networks can be jeopardized and how they can be protected in Chapter 12, Attacking Routing Protocols.

Attacks on wireless networks

Attacking wireless networks and protecting against these attacks, with an emphasis on Wi-Fi networks that are based on 802.11 standardization, is a major challenge both for the attackers and the organizations that defend against them.

There are several lines of protection here that will be described in Chapter 11, Implementing Wireless Network Security, and they consist of several principles:

  1. Authenticate users with strong authentication when accessing the organization's Wi-Fi.
  2. Encrypt the information that's sent over the air between users and access points.
  3. Don't trust Steps 1 and 2 and connect the wireless networks through a firewall.

This is a simple set of rules regarding how to protect wireless networks, but if you forget one of them, the whole chain will be broken.

As a rule, anything you send over the air can be heard, and when you invite guests onto your network, make sure they stay guests: if you have guest network(s), isolate them completely from the organization's network.



Summary

In this chapter, we talked about network architecture and the structure of an organization's network. We talked about the data center, which holds the organization's network, the user network, which the users connect to, and the core network, which connects everything. We also talked about the perimeter, which is the connection from the organization to the world.

Then, we talked about network virtualization in SDN and NFV, the advantages of these networks and their risks, and cloud services and how to connect to them.

After that, we talked about the risks that can occur at every point; risks can arise from attacks coming from the internet, from attacks on the organization's servers, attacks on network devices, and attacks on and from the wireless networks.

In the next chapter, we will talk about the network protocols that implement the topologies we talked about in this chapter, where they are implemented, and the potential risks of each.



Questions

Answer the following questions to test your knowledge of this chapter:

  1. What is the core network?
    1. The network that connects the servers to the internet
    2. The center of the network that connects the data center(s) and the user networks
    3. A general term for an enterprise network
    4. The network between the users and the internet
  2. In Figure 1.5, on the left, we can see a typical network topology. In this network, assuming they are on the same IP subnet, when PC1 pings PC5, the packets are forwarded through which of the following?
    1. Access switch ACC1, distribution switch DIST1, core switches CORE1 and CORE2, data center switches DC1 and DC2, distribution switch DIST2, and access switch ACC4.
    2. Access switch ACC1, distribution switch DIST1, core switches CORE1 and CORE2, distribution switch DIST2, and access switch ACC4.
    3. Answers (a) and (b) can both be correct, depending on the routing configuration.
    4. Answers (a) and (b) can both be correct, depending on the HSRP configuration.
  3. In the same figure (Figure 1.5) on the left, PC1 pings PC4. The packets will go through which of the following?
    1. ACC1, DIST1, CORE1, DIST2, and ACC3
    2. ACC1, DIST1, CORE2, DIST2, and ACC3
    3. ACC1, DIST1, CORE1, CORE2, DIST2, and ACC3
    4. ACC1, DIST1, CORE1, DC1, DC2, CORE2, DIST2, and ACC3
  4. Assuming PC1 is in VLAN50 and PC2 is in VLAN60, pings are sent from PC1 to PC2. Routing will be performed on which of the following?
    1. The left network is on CORE1 and the right network is on DC1.
    2. The left network is on CORE1 or CORE2, and the right network is on DC1 or DC2, depending on the routing protocol configuration.
    3. The left network is on CORE1 and the right network is on DC2.
    4. The left network is on CORE1 or CORE2, and the right network is on DC1 or DC2, depending on HSRP configuration.
  5. In Figure 1.8, on the left, the packets from PC4 that are sent to the servers will be forwarded through which of the following?
    1. ACC3, DIST2, CORE2, and DC2
    2. ACC3, DIST2, CORE2, FW2, DC2, and FW1
    3. ACC3, DIST2, CORE2, FW2, and DC2
    4. Any of the above, depending on the routing configuration.
  6. Which of the following is a characteristic of attacks that target the data plane?
    1. Changing routing tables to divert packets in the attacker's direction
    2. Flooding the network to stop users from using it
    3. Taking control of the device's console to change its configuration
    4. All the above
  7. Which of the following is a characteristic of attacks that target the control plane?
    1. Changing routing tables to divert packets toward the attacker's direction
    2. Flooding the network to stop users from using it
    3. Taking control of the device's console to change its configuration
    4. All the above
  8. What are DDoS attacks?
    1. Attacks that prevent access to the network
    2. Attacks that prevent access from network servers
    3. Attacks that prevent access from network services
    4. All of the above
About the Authors
  • Yoram Orzach

    Yoram Orzach is a senior networks and network security advisor, providing network design and network security consulting services to a range of clients. Having spent thirty years in network and information security, Yoram has worked as a network and security engineer across many verticals, in roles ranging from network engineer to security consultant and instructor. Yoram gained his B.Sc. from the Technion in Haifa, Israel. Yoram's experience covers both corporate networks and service providers' and Internet service providers' networks. His customers include Motorola Solutions, Elbit Systems, 888, Taboola, Bezeq, PHI Networks, Cellcom, Strauss Group, and many other hi-tech companies.
  • Deepanshu Khanna

    Deepanshu Khanna is a 29-year-old information security and cybercrime consultant and a pioneer in his country. The young and dynamic personality of Deepanshu has not only assisted him in handling information security and cybercrimes but also in creating awareness about these things. He’s a hacker appreciated by the Indian government, including the Ministry of Home Affairs and Defence, police departments, and many other institutes, universities, globally renowned IT firms, magazines, and newspapers. He started his career by presenting a popular hack of GRUB at HATCon. He also conducted popular research in the fields of IDS and AIDE and demonstrated MD5 collisions and Buffer overflows, among other things. His work has been published in various magazines such as pentestmag, Hakin9, e-forensics, SD Journal, and hacker5. He has been invited as a guest speaker to public conferences such as DEF CON, ToorCon, OWASP, HATCon, H1hackz, and many other universities and institutes.
