0% found this document useful (0 votes)

34 views18 pages

?security Fundamentals

The document outlines essential security fundamentals, including threats, vulnerabilities, and attacks, as well as various security measures such as password security, SSH, port security, access control lists, firewalls, and VPNs. It provides real-life examples and practical implementations for securing networks in different environments like banks, offices, and hospitals. Additionally, it emphasizes the importance of continuous monitoring, incident response, and layered security strategies to protect against cyber threats.

Uploaded by

ABDUL WASAY

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

34 views18 pages

?security Fundamentals

Uploaded by

ABDUL WASAY

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Security Fundamentals

1. Threats, Vulnerabilities aur Attacks

Ye kya hain?

• Threat: Koi bhi cheez jo aapke network ko nuksaan pohcha sake

• Vulnerability: System mein koi kamzori jise hacker use kar sake

• Attack: Jab koi sachchi mein aapke system par hamla kare

Rozana ki Misalen:

Misal 1: Bank ka Mamla

Asli Kahani: Karachi ke ek bank mein kya hua:

• Threat: Hackers logon ke accounts se paise churana chahte the

• Vulnerability: Bank ke customers kamzor password use karte the ("123456")

• Attack: Hackers ne mushkil programs use kar ke weak passwords crack kiye aur accounts
hack kar diye

Misal 2: Office ka Network

Situation: ABC Company mein kya hua:

• Threat: Competitors company ka secret data churana chahte the

• Vulnerability: Office ka Wi-Fi bina password ke tha

• Attack: Koi banda parking mein baitha aur saara company ka data sun raha tha

Misal 3: Ghar ka Wi-Fi

Daily Life: Aapke ghar mein:

• Threat: Neighbors aapka internet free mein use karna chahte hain

• Vulnerability: Router par default password (admin/admin) lagaya hua hai

• Attack: Neighbor ne guess kar ke router mein ghus kar saari settings change kar deen

2. Password Security aur Device Access

Access ke Types:

1. Console Access: Jab device se direct cable laga kar connect karte hain

2. VTY Access: Jab ghar baith kar remotely access karte hain

3. Enable Password: Jab admin rights chahiye

Asli Scenario:
Bank Network Setup: Ek bank ke paas multiple cities mein routers hain. Har router ko secure access
control chahiye.

cisco

! Console access ki security

Router(config)# line console 0

Router(config-line)# password BankSecure123

Router(config-line)# login

! Remote access ke liye VTY

Router(config)# line vty 0 4

Router(config-line)# password RemoteBank456

Router(config-line)# login

! Admin access ke liye enable secret

Router(config)# enable secret AdminBank789

Real Example:

Hospital Network: Karachi mein IT admin ko Lahore wale hospital ka router manage karna hai. Travel
karne ki zaroorat nahi - VTY access se secure password ke saath remote se control kar sakta hai.

3. SSH (Secure Shell) - Secure Remote Access

SSH kyun Telnet se behtar hai?

• Telnet: Data plain text mein bhejta hai (jaise khula khat)

• SSH: Saara data encrypt kar ke bhejta hai (jaise locked box)

Real Life Example:

University Network: Professor ghar se university server access karna chahta hai.

Telnet ke saath (Khatarnak):

Username: professor_ahmad

Password: mypassword123

Koi bhi network monitor kar ke password dekh sakta hai!

SSH ke saath (Safe):

Saara data encrypted: #$%@#$%@#$%@#$%

Koi nahi padh sakta actual password

SSH Configuration:

cisco

Router(config)# hostname UniversityRouter

Router(config)# ip domain-name university.edu.pk

Router(config)# crypto key generate rsa modulus 2048

Router(config)# username professor_ahmad password SecurePass123

Router(config)# line vty 0 4

Router(config-line)# login local

Router(config-line)# transport input ssh

Practical Implementation:

E-commerce Company: Online store ke servers multiple cities mein hain. Saari remote access SSH se
hoti hai taake password chori na ho aur PCI compliance maintain rahe.

4. Port Security

Concept:

Control karna ke specific switch ports par koun se devices connect ho sakte hain.

Asli Zindagi ki Misalen:

Misal 1: Office Environment

Scenario: ABC Company mein 50 employees hain, har ek ka apna workstation hai.

Problem: Employee apna personal laptop laya aur company network se connect kar diya - virus aa
gaya.

Solution: Port Security

cisco

interface FastEthernet0/1

switchport mode access

switchport port-security

switchport port-security maximum 1

switchport port-security mac-address sticky

switchport port-security violation shutdown

Misal 2: School Computer Lab

Scenario: School mein 30 computers ka lab hai students ke liye.

Problem: Students apne mobile aur laptops connect kar rahe hain.
Solution: Port security se sirf assigned PC hi connect ho sakta hai har port par.

Misal 3: Hospital Patient Rooms

Scenario: Har patient room mein network port hai medical equipment ke liye.

Problem: Visitors apne devices connect kar rahe hain hospital network se.

Solution: Port security se sirf authorized medical devices hi connect ho sakte hain.

Violation Actions:

• Shutdown: Port bilkul band (most secure)

• Restrict: Packets drop karo but port chalu rakho

• Protect: Chup chap packets drop karo

5. Access Control Lists (ACLs)

Purpose:

Traffic ko filter karna based on source, destination, protocols, ya ports.

Real-Life Examples:

Misal 1: School Network

Scenario: School chahta hai ke students educational sites access karein lekin social media block ho.

cisco

! Facebook aur social media block karo

access-list 100 deny tcp any host 157.240.0.0 eq 80

access-list 100 deny tcp any host 157.240.0.0 eq 443

! Educational sites allow karo

access-list 100 permit tcp any host 8.8.8.8 eq 80

access-list 100 permit tcp any host 8.8.8.8 eq 443

! Interface par apply karo

interface FastEthernet0/0

ip access-group 100 in

Misal 2: Corporate Network

Scenario: Company mein internet access sirf office hours (9 AM - 5 PM) mein allow hai.

cisco

! Time-based ACL

time-range WORK-HOURS
periodic weekdays 9:00 to 17:00

access-list 110 permit ip 192.168.1.0 0.0.0.255 any time-range WORK-HOURS

access-list 110 deny ip any any

Misal 3: Banking Network

Scenario: Banking server ko sirf specific IP addresses access kar sakte hain.

cisco

! Sirf bank employees server access kar sakte hain

access-list 10 permit 192.168.10.0 0.0.0.255

access-list 10 deny any

interface FastEthernet0/1

ip access-group 10 in

6. Firewalls

Definition:

Trusted internal network aur untrusted external network ke beech ek barrier.

Asli Zindagi ki Misalen:

Misal 1: Ghar ka Network

Scenario: Aapka ghar ka Wi-Fi router firewall ka kaam karta hai.

• Internal: Aapke family ke devices (bharosa wale)

• External: Internet (na bharosa wale)

• Function: Internet se unauthorized access attempts block karta hai

Misal 2: Company Network

Scenario: 500 employees wali company.

• DMZ: Web servers jo internet se accessible hain

• Internal LAN: Employee computers (restricted access)

• Management Network: Network equipment (bohat restricted)

Misal 3: Hospital Network

Scenario: Medical facility patient data ke saath.

• Patient Network: Medical devices

• Staff Network: Hospital computers

• Guest Network: Visitors ka Wi-Fi

• Critical Systems: Life support equipment (bilkul isolated)

Firewall Rules Example:

Rule 1: HTTP/HTTPS allow karo kisi se bhi DMZ tak

Rule 2: SSH allow karo admin network se sabhi tak

Rule 3: Saari social media sites block karo

Rule 4: Email allow karo (port 25, 110, 143)

Rule 5: Baaki saari traffic deny karo

7. VPN (Virtual Private Network)

Purpose:

Public internet par secure tunnel banana.

Real-Life Examples:

Misal 1: Work From Home

Scenario: Employee ghar se office files access karna chahta hai.

VPN ke bina:

Ghar ka Computer → Internet → Company Server

(Data unencrypted travel karta hai, koi intercept kar sakta hai)

VPN ke saath:

Ghar ka Computer → VPN Tunnel → Company Server

(Data encrypted, secure tunnel)

Misal 2: Branch Office Connection

Scenario: Bank ka main office Karachi mein, branch Lahore mein.

Traditional Solution: Mehnga leased line VPN Solution: Internet par secure tunnel (cost-effective)

cisco

! VPN Configuration

crypto isakmp policy 10

encryption aes 256

authentication pre-share

group 14
!

crypto isakmp key SecretKey123 address 203.0.113.1

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac

crypto map MYMAP 10 ipsec-isakmp

set peer 203.0.113.1

set transform-set MYSET

match address 101

Misal 3: Public Wi-Fi Protection

Scenario: Businessman airport ka Wi-Fi use kar ke banking kar raha hai.

Risk: Airport Wi-Fi public hai, koi bhi data intercept kar sakta hai Solution: VPN saari traffic encrypt
kar deta hai, public Wi-Fi par bhi

8. Layer 2 Attacks aur Protection

Common Layer 2 Attacks:

1. MAC Flooding Attack

Kaise hota hai: Attacker hazaron fake MAC addresses bhejta hai switch ko. Result: Switch ka MAC
table bhar jata hai, hub ki tarah kaam karta hai.

Real-Life Example: Computer lab mein koi malicious student switch ko fake MAC addresses se flood
kar deta hai. Ab saare students ek dusre ka traffic dekh sakte hain.

Protection:

cisco

interface range FastEthernet0/1-24

switchport port-security

switchport port-security maximum 2

switchport port-security violation shutdown

2. DHCP Starvation Attack

Kaise hota hai: Attacker saare available IP addresses request kar leta hai. Result: Legitimate users ko
IP addresses nahi milte.

Real-Life Example: Coffee shop mein hacker saare DHCP addresses khatam kar deta hai, customers
Wi-Fi connect nahi kar sakte.

Protection:
cisco

ip dhcp snooping

ip dhcp snooping vlan 1

interface FastEthernet0/1

ip dhcp snooping trust

3. VLAN Hopping

Kaise hota hai: Attacker un VLANs mein access kar jata hai jahan usse nahi hona chahiye.

Real-Life Example: University mein student administrative VLAN access karne ki koshish karta hai.

Protection:

cisco

! DTP (Dynamic Trunking Protocol) disable karo

interface FastEthernet0/1

switchport mode access

switchport nonegotiate

9. Device Hardening

Security Measures:

1. Default Passwords Change Karo

Galt Tareeqa: Router par admin/admin Sahi Tareeqa: Strong, unique passwords

2. Unused Services Disable Karo

cisco

! Ghair zarroori services band karo

no ip http server

no ip finger

no service pad

no cdp run

3. Logging Enable Karo

cisco

! Security monitoring ke liye logging enable karo

logging buffered 16384

logging host 192.168.1.100

service timestamps log datetime msec

4. Login Controls Implement Karo

cisco

! Login attempts limit karo

login block-for 300 attempts 3 within 60

login quiet-time 300

Real-Life Example - Bank Network Hardening:

cisco

! 1. Strong passwords

username admin privilege 15 secret $1$Salt$HashedPassword

! 2. Unused services disable

no ip http server

no ip finger

no service pad

! 3. Logging enable

logging buffered 16384

logging host 192.168.1.100

service timestamps log datetime msec

! 4. Access control

login block-for 300 attempts 3 within 60

access-list 10 permit 192.168.1.0 0.0.0.255

line vty 0 4

access-class 10 in

transport input ssh

10. Wireless Security

Security Protocols:
1. WEP (Kamzor)

• Status: Deprecated, aasani se crack ho jata hai

• Real-Life: Jaise transparent glass privacy ke liye use karna

2. WPA/WPA2 (Behtar)

• Status: Industry standard

• Real-Life: Jaise frosted glass - kaafi behtar privacy

3. WPA3 (Sabse Behtar)

• Status: Latest standard

• Real-Life: Jaise one-way mirror - maximum privacy

Real-Life Example - Office Wi-Fi Setup:

Network: CompanyWiFi

Security: WPA2-Enterprise

Authentication: RADIUS server

Fayde:

- Har user ke individual credentials

- Centralized management

- Detailed logging

Guest Network Setup:

Network: CompanyGuest

Security: WPA2-PSK

Isolation: Enabled

Bandwidth: 1 Mbps tak limited

Fayde:

- Visitors company resources access nahi kar sakte

- Limited bandwidth se abuse nahi hota

11. Network Monitoring aur Incident Response

Real-Life Scenario - E-commerce Website:

Normal Din:

9 AM: 100 users online

12 PM: 500 users online (lunch break)

8 PM: 800 users online (peak shopping)

Attack wala Din:

2 AM: 50,000 connection attempts (DDoS attack)

Alert: System ne admin ko notification bheja

Response: Automatic rate limiting activate ho gaya

Monitoring Tools:

• SNMP: Simple Network Management Protocol

• Syslog: Centralized logging

• Flow Analysis: Traffic pattern monitoring

Incident Response Plan:

1. Detection: Automated alerts

2. Analysis: Attack type determine karo

3. Containment: Affected systems isolate karo

4. Recovery: Normal operations restore karo

5. Documentation: Incident details record karo

Security Implementation Checklist

Chhote Office ke liye (10-50 employees):

• Saare devices par default passwords change karo

• SSH enable karo, Telnet disable karo

• Basic ACLs configure karo

• Switches par port security enable karo

• Guest Wi-Fi network setup karo

• Firewall install karo

• Logging enable karo

• Regular backup configurations

Medium Business ke liye (50-200 employees):

• Saare chhote office items +

• Network segmentation ke liye VLANs implement karo

• Remote access ke liye VPN setup karo

• Centralized authentication (RADIUS) deploy karo

• Network monitoring implement karo

• Security policies banao

• Regular security assessments

• Employee security training

Large Enterprise ke liye (200+ employees):

• Saare medium business items +

• Multi-layered security architecture

• Advanced threat detection

• Redundant security systems

• Compliance management

• 24/7 security operations center

• Regular penetration testing

• Incident response team

Khaas Baten

1. Security layered hoti hai: Koi ek solution complete protection nahi deta

2. Regular updates: Passwords aur configurations current rakhiye

3. Continuously monitor: Unusual activity dekhtay rahiye

4. Users ko train karo: Human error aksar sabse kamzor link hota hai

5. Incidents ke liye plan: Response procedures ready rakhiye

6. Sab kuch document karo: Security policies aur procedures maintain karo

Yaad rakhiye: Security destination nahi hai, journey hai!

Practical Commands Summary

Router Basic Security:

cisco

! Password security

enable secret MyStrongPassword123

line console 0

password ConsolePass123

password VTYPass123

transport input ssh

! SSH setup

hostname MyRouter

ip domain-name company.com

crypto key generate rsa modulus 2048

username admin password AdminPass123

line vty 0 4

Switch Port Security:

cisco

! Basic port security

interface FastEthernet0/1

switchport mode access

switchport port-security

switchport port-security maximum 1

switchport port-security mac-address sticky

switchport port-security violation shutdown

Basic ACL:

cisco

! Standard ACL

access-list 10 permit 192.168.1.0 0.0.0.255

access-list 10 deny any

interface FastEthernet0/0

ip access-group 10 in

! Extended ACL

access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80

access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443

access-list 100 deny ip any any

Device Hardening:

cisco

! Unnecessary services disable

no ip http server

no ip finger

no service pad

no cdp run

! Logging enable

logging buffered 16384

service timestamps log datetime msec

! Login security

login block-for 300 attempts 3 within 60

Yeh saare commands real-world mein use hote hain! Practice karo aur samjho ke har command ka
kya maqsad hai.
Fundamentals (15%) topic CCNA labs diye ja rahe hain — jo tum Cisco Packet Tracer aur CLI par
practice + implement kar sakte ho. Yeh realistic, exam-ready, and practical labs hain.