Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Stateful and NGFW firewalls, Snort and Suricata IDS, IPSec AH/ESP, TLS 1.2/1.3 cipher suites, IPSec and WireGuard VPNs, Kerberos and Indian PKI, SIEM and the CERT-In 2022 Direction.
Network security is not a product list. It is a layered architecture where each layer fails differently and each layer's logs feed the next. A packet that survives the perimeter firewall is inspected by the intrusion detection system. A flow that the IDS approves is encrypted end-to-end by TLS. A user session inside that TLS is authenticated by Kerberos or by an X.509 certificate from a public-key infrastructure. Every event from every layer is shipped to a SIEM, where correlation rules and threat-intel feeds turn the noise into incidents. An examiner who works any single layer in isolation will lose the case at the seam.
This topic covers the architecture the digital forensics paper and NFSU MSc syllabus expect a network forensic examiner to know in working detail: firewall types from packet filter to NGFW, IDS and IPS deployment, IPSec and TLS as they appear on the wire, the VPN families used in Indian enterprise and consumer settings under the CERT-In Direction 2022, the Indian Public Key Infrastructure governed by the Controller of Certifying Authorities, and SIEM patterns including the 180-day log-retention mandate. Cross-links run to live packet capture, networking fundamentals and network attacks.
The perimeter is still where most attacks first meet a rule.
A packet filter inspects each packet against an access control list of source IP, destination IP, source port, destination port and protocol. The original 1988 DEC SEAL and the Cisco IOS access lists of the early 1990s are packet filters. They are stateless: the firewall does not know that packet 2 is part of the same conversation as packet 1, so the operator must write a return-path rule for every outbound rule. Stateless filters are still appropriate at very high speeds (BGP-edge ACLs, DDoS scrubbing fronts) where state tracking is too expensive.
Stateful packet inspection, introduced commercially by Check Point FireWall-1 in 1994, tracks the TCP state machine. The firewall sees the SYN, records the 5-tuple plus initial sequence number in a connection table, and permits the matching SYN-ACK and subsequent ACKed segments without re-evaluating the rule base. For UDP, which has no connection state in the protocol, the firewall uses idle timers as a proxy for state. SPI is the baseline for every production perimeter.
Application-layer firewalls, also called proxy firewalls, terminate the connection at the firewall, parse the application protocol (HTTP, SMTP, FTP), and reconstruct a new connection to the destination. The 1990s WinGate and the Squid HTTP proxy are the classic examples. The cost is latency and per-protocol code; the gain is full visibility into the application payload.
Next-generation firewalls combine SPI, application identification (App-ID in Palo Alto, FortiGuard in Fortinet), integrated IPS signatures, TLS inspection (the firewall acts as a controlled man-in-the-middle with a trusted-by-endpoint CA), user-identity mapping from Active Directory or LDAP, and threat-intel-fed URL and IP reputation. Web Application Firewalls are a specialised subset focused on HTTP and HTTPS at Layer 7, with rule sets like the OWASP ModSecurity Core Rule Set, AWS WAF managed rules, or Cloudflare's managed rule packs.
| Class | State tracking | App awareness | TLS inspection |
|---|
Detection is a rule set, prevention is an inline cable.
An IDS sits off the data path, typically on a SPAN or TAP port, and observes a copy of network traffic. Detection latency is irrelevant because the IDS is not blocking; the IDS produces alerts that humans or SOAR workflows act on. An IPS sits inline on the data path and either passes or drops each packet in real time. The functional engine is often the same software (Snort and Suricata both support inline mode); the deployment is what makes it an IDS or IPS.
Snort, written by Martin Roesch in 1998, is the original and still widely deployed. Its rule syntax is the de facto teaching standard. A Snort rule looks like alert tcp any any -> $HOME_NET 445 (msg:"SMB exploit attempt"; content:"|FF|SMB"; sid:1000001; rev:1;). The rule header is action, protocol, source, port, direction, destination, port. The options are content matches, regex, flow state and metadata. Subscribed rule sets from Cisco Talos (formerly VRT) and Emerging Threats keep the corpus current.
Suricata, first released in 2010, is the modern multi-threaded reimplementation with broad rule compatibility with Snort plus protocol-aware logging, file extraction and JSON output via the EVE format. The EVE JSON stream is the standard input to a SIEM. Zeek, originally Bro, is a different model entirely: instead of pattern-matching, Zeek scripts produce structured flow logs (conn.log, http.log, dns.log, ssl.log, x509.log, files.log) that an analyst queries. Zeek is detection by query, not detection by signature.
| Tool | Model | Mode | Output | Use case |
|---|---|---|---|---|
| Snort 3 | Signature | IDS / IPS | alert log, PCAP |
Two protocols, two layers, two different forensic shapes.
IPSec operates at Layer 3. It protects entire IP datagrams (transport mode protects the payload; tunnel mode wraps the whole original packet inside a new outer IP header). Authentication Header is the older choice and provides integrity plus origin authentication, computed across the IP header and payload. AH does not provide confidentiality. Encapsulating Security Payload is the standard choice and provides confidentiality (with an optional integrity tag) over the payload only (transport) or the inner packet (tunnel). Almost all modern deployments use ESP.
Key exchange in IPSec is Internet Key Exchange. IKEv1 (RFC 2409, 1998) is the legacy version with main mode and aggressive mode; aggressive mode is deprecated because it leaks the PSK hash in the clear. IKEv2 (RFC 7296, 2014) is the modern version with simpler state, EAP integration, and built-in NAT traversal. IKEv2 negotiates the SA parameters and the keying material; ESP carries the data once the SA is up.
Three flavours of tunnel and one Indian regulatory cliff.
Site-to-site VPNs are typically IPSec ESP in tunnel mode between two gateway routers or firewalls. Cisco IOS, FortiGate, Palo Alto, Juniper SRX and pfSense all interop on IKEv2 plus ESP. Configuration is identical in shape: phase 1 (IKE SA) negotiation parameters, phase 2 (IPSec SA) parameters, traffic selectors that name the source and destination subnets, plus a pre-shared key or X.509 certificate.
Remote-access VPNs come in three families. IPSec remote access (Cisco's classic AnyConnect predecessor, strongSwan, Windows built-in IKEv2) uses IKEv2 with EAP for user authentication. OpenVPN, originally an open-source community project, runs over TCP or UDP on a single configurable port (often 1194 or 443), uses TLS for the control channel and a separate symmetric session key for the data channel. WireGuard, designed by Jason Donenfeld and added to the Linux kernel in 5.6 (March 2020), is a deliberately minimal protocol: a single Noise-IK handshake, ChaCha20-Poly1305 AEAD, no negotiation, fewer than 5000 lines of kernel code. WireGuard is the modern default for new deployments where both ends are under operator control.
SSL VPNs are TLS-terminated at the gateway: the client speaks TLS to a portal (Cisco AnyConnect, Pulse Connect Secure, Citrix Gateway, Fortinet SSL VPN) and the gateway proxies traffic into the corporate network. The advantage is that TLS on TCP 443 traverses any firewall that allows web browsing. The disadvantage is the proxy gateway becomes a high-value target; CVE-2019-11510 (Pulse), CVE-2020-3452 (Cisco ASA) and CVE-2023-27997 (Fortinet) all demonstrated the cost when the SSL VPN gateway is the attacker's entry point.
Where the user becomes a principal the network can trust.
Password-only authentication has been considered insufficient on its own for production systems since at least the NIST SP 800-63 revisions of the mid-2010s. The replacements come in layers. Challenge-response protocols (CHAP, MS-CHAP-v2) avoid sending the password in the clear and prove possession to the server, but the captured exchange is offline-crackable; the eaphammer rogue-AP attack pattern from the wireless topic targets exactly this.
Kerberos is the dominant network authentication protocol on Windows networks because Active Directory is built on it. The Key Distribution Centre is the AD domain controller. A user authenticates once to the KDC and receives a Ticket Granting Ticket. To access a service (a file share, SQL server, web app on IIS), the user presents the TGT and asks the KDC for a service ticket scoped to that service's principal name. The service ticket is encrypted with the service account's long-term key. Replay protection is via timestamps and a clock-skew tolerance, which is why AD domains require their clocks aligned within 5 minutes; Kerberoasting and Pass-the-Ticket attacks exploit weaknesses in service-account keys and ticket lifetimes respectively.
LDAP is the directory protocol Kerberos rides on top of in AD. Each user, group and computer is an object in the directory with a distinguished name (DN) that names the path through organisational units (CN=ravi,OU=Mumbai,OU=Branches,DC=bank,DC=in). The schema defines what attributes exist on each object class. ldapsearch is the standard query tool; the LDAP filter language ((&(objectClass=user)(memberOf=CN=Admins,...))) is the language an examiner uses to enumerate accounts during incident response.
Logs without correlation are noise; correlation without context is alert fatigue.
Network segmentation prevents a compromise in one zone from spreading laterally. Classical segmentation uses VLANs to separate broadcast domains and a DMZ to isolate internet-facing services from the internal LAN. The DMZ holds the public web server, mail relay and reverse-proxy gateway; a compromise of any of these reaches the internal network only through firewalled paths the DMZ-to-internal rules explicitly allow.
Micro-segmentation pushes the boundary down to the workload. Each VM, container or even process gets its own policy, enforced by a host-resident agent (Illumio, Guardicore Centra, VMware NSX). The 2014 Google BeyondCorp paper and the subsequent zero-trust movement reframed the perimeter entirely: no implicit trust from network location, every request authenticated and authorised at the application layer, device posture continuously evaluated. NIST SP 800-207 (2020) is the canonical zero-trust architecture document. Indian government adoption of zero-trust is uneven; MeitY's 2023 cybersecurity guidance for critical sector entities references the model without mandating it.
NAC is the older bridge between network identity and physical access. 802.1X port-based authentication requires every device that plugs into a switch port (or associates with a corporate Wi-Fi BSSID) to authenticate via EAP before the port carries any non-EAP traffic. Posture assessment extends this: a device that authenticates but has out-of-date AV signatures or missing patches is placed in a remediation VLAN. Cisco Identity Services Engine and Aruba ClearPass are the dominant NAC platforms in the Indian enterprise.
| SIEM platform | Origin | Indian presence | Typical deployment |
|---|---|---|---|
| Splunk Enterprise / Cloud | Splunk Inc, USA | Large BFSI, telecom |
A perimeter firewall must support inspection of HTTPS traffic for App-ID and IPS signatures. The correct class of firewall is:
| Typical placement |
|---|
| Packet filter | No | No | No | Router edge ACL, DDoS scrubbing |
| Stateful (SPI) | Yes | No | No | Branch perimeter, internal segmentation |
| Application proxy | Yes | Yes (per protocol) | Terminates | Legacy SMTP / HTTP gateways |
| NGFW | Yes | Yes | Optional, in-firewall MITM | Internet perimeter, data centre edge |
| WAF | Per-request | HTTP / HTTPS only | Terminates | In front of web application |
The Indian anchor is the public-sector NGFW rollout under the MeitY-driven secure perimeter standards. RBI's master directions on Cyber Security for banks require NGFW deployment at internet-facing perimeters with logged TLS inspection where legally permissible. CERT-In's 2024 perimeter advisory for state DCs named Palo Alto PA-Series, Fortinet FortiGate and Check Point Quantum as conformant choices. A state SFSL examining a bank breach in 2024 found that the perimeter NGFW had logged the initial command-and-control beacon under the App-ID tor two weeks before the data exfiltration, but no SIEM correlation rule fired because the alert tier was set to informational.
| Classical signature detection, inline blocking |
| Suricata | Signature plus protocol | IDS / IPS | EVE JSON, PCAP, extracted files | SIEM-fed detection, multi-threaded high speed |
| Zeek (Bro) | Flow analysis | Detection only | structured logs per protocol | Threat hunting, retrospective analysis |
| OSSEC / Wazuh | Host-based | Detection | agent JSON to manager | HIDS: file integrity, log monitoring |
The HIDS versus NIDS split matters for placement and for the kind of evidence each produces. A NIDS sees what crosses the wire and is blind to encrypted payloads (unless TLS is terminated upstream). A HIDS sees process executions, file changes, login events and local logs on the endpoint, and is blind to traffic the host did not generate. OSSEC and its modern fork Wazuh are the dominant open-source HIDS agents, integrating with file integrity monitoring (which directories are monitored, what change triggered the alert), rootkit detection, and a manager that ships events to a SIEM.
Signature-based detection finds what you have already seen elsewhere. Anomaly-based detection (statistical baselines, machine-learning flow classifiers) finds deviations from learned normal. Anomaly detection has a higher false-positive cost and a higher operator-skill ceiling, which is why most Indian enterprise SOC teams run signature-driven Suricata or NGFW IPS as the primary engine and reserve anomaly detection (Darktrace, ExtraHop, in-house Zeek scripts) for the threat-hunting layer.
TLS operates at Layer 4 and above. Where IPSec wraps the IP packet, TLS wraps the application stream over a TCP connection (or a QUIC stream over UDP). TLS 1.0 (1999) and TLS 1.1 (2006) are deprecated and removed from modern browsers since 2020; they fell to BEAST and to known weaknesses in their MAC-then-encrypt construction with RC4 and CBC ciphers. SSL 3.0 (1996) fell to POODLE in 2014. TLS 1.2 (2008) remains widely supported and secure when configured with AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) and modern key exchange (ECDHE).
TLS 1.3 (2018) is a near-rewrite. The handshake is a single round-trip in most cases (1-RTT, with 0-RTT for resumed sessions). All non-AEAD ciphers and all RSA key exchange are removed. Forward secrecy is mandatory. The cipher-suite namespace is reduced from over a hundred TLS 1.2 suites to five: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. A cipher-suite string like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is unambiguously TLS 1.2 because TLS 1.3 strings have a different structure.
Certificate validation in TLS chains from the server's leaf certificate through one or more intermediates to a trusted root. Revocation is checked via Certificate Revocation Lists (long, slow, downloaded periodically) or Online Certificate Status Protocol (per-cert query at handshake time, with OCSP stapling allowing the server to attach a recent OCSP response so the client does not have to contact the CA at all). OCSP stapling is the modern default and is what an examiner expects to see in a clean TLS 1.3 capture.
The Indian anchor in this section is the Direction itself. Every Indian enterprise SOC has a documented logging baseline that maps each system class (firewall, IDS, server, VPN concentrator, AD controller) to the events required to meet the 180-day retention. CERT-In Form A and Form B templates name the categories of incident that trigger the 6-hour reporting clock (data breaches, unauthorised access, ransomware, identity theft, DDoS, large-scale spam, intrusion into critical information infrastructure). Failing to report is itself an offence under IT Act Section 70B.
PKI is the framework that makes asymmetric authentication usable at scale. A Certifying Authority (CA) signs subordinate intermediate CAs, which sign leaf certificates for users, servers and code-signing identities. The chain is validated by walking from the leaf back to a trusted root that the verifier already has installed. Revocation is via CRL or OCSP. The Indian anchor is the Controller of Certifying Authorities under MeitY, established under IT Act 2000 Section 17. The CCA issues licences to a small set of Indian CAs: eMudhra, Sify (now part of (n)Code Solutions), the National Informatics Centre's NICCA, Capricorn, Verasys (Vsign) and the Institute for Development and Research in Banking Technology's IDRBT. Class 2 and Class 3 Digital Signature Certificates issued by these CAs are what an Indian taxpayer or company director uses to sign income-tax returns, ROC filings and GST documents. Class 3 DSCs on hardware tokens (USB cryptographic tokens like ePass2003, mToken, ProxKey) are the practical implementation; private key extraction from a properly configured Class 3 token is computationally infeasible.
| On-premises and cloud; high licence cost per indexed GB |
| IBM QRadar | IBM, USA | PSU banks, defence-adjacent | On-premises appliance, mature correlation engine |
| Microsoft Sentinel | Microsoft, USA | Azure-first Indian enterprises | Cloud-native, Log Analytics workspace backend |
| Elastic Stack (ELK) | Elastic NV, Netherlands | Mid-market, government | Open-source core; self-hosted is common |
| Wazuh | Wazuh Inc, USA | Small enterprise, MSSP | Open-source HIDS plus SIEM; ELK backend |
| Graylog | Graylog Inc, USA / Germany | Mid-market, education | Open-source core; Mongo plus OpenSearch backend |
SIEM workflow has three layers. Collection: log shippers (Filebeat, Fluentd, Splunk Universal Forwarder, Wazuh agent) carry events from firewalls, IDS, servers, AD, VPN concentrators and cloud audit logs into the SIEM. Normalisation: events are parsed into a common schema (Elastic Common Schema, Splunk CIM, OCSF) so a "failed login" looks the same regardless of source. Correlation: rules and queries fire detections, often expressed in Sigma rules that translate into the platform's native query language (SPL for Splunk, KQL for Sentinel, EQL for Elastic). Threat-intel integration enriches events with IoC matches from MISP, OTX or commercial feeds.
The 180-day retention from the CERT-In Direction is a SIEM problem in practice: indexed log volume at an Indian Tier-1 bank runs to tens of terabytes per day, so the SIEM design splits hot storage (fast search, 30 to 60 days) from warm/cold storage (slower search, 180+ days) on object storage with tiered policies. The cross-link to live packet capture and traffic analysis covers the packet-level side that feeds the network logs into this stack.