Network Security

IB Syllabus: A2.4.1 – Effectiveness of firewalls, A2.4.2 – Network vulnerabilities (HL), A2.4.3 – Network countermeasures (HL)

Table of Contents

  1. Key Concepts
    1. Firewalls (A2.4.1)
      1. How Firewalls Work
      2. Strengths of Firewalls
      3. Limitations of Firewalls
      4. NAT for Security (A2.4.1)
    2. Common Network Vulnerabilities (A2.4.2)
    3. Common Network Countermeasures (A2.4.3)
      1. Additional Security Measures
      2. Wireless Security
  2. Worked Examples
    1. Example 1: Firewall Rule Evaluation
    2. Example 2: Vulnerability and Countermeasure Matching (HL)
  3. Quick Check
  4. Trace Exercise
  5. Spot the Error
  6. Fill in the Blanks
  7. Predict the Output
  8. Practice Exercises
    1. Core
    2. Extension
    3. Challenge
  9. Connections

Key Concepts

Firewalls (A2.4.1)

A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network (like the internet).

How Firewalls Work

  • Packet inspection: examines the header of each packet (source IP, destination IP, port number, protocol)
  • Rule-based filtering: applies a set of rules to decide whether to allow or block traffic
  • Whitelists: explicitly allowed traffic (e.g., “allow all traffic from 10.0.0.x”)
  • Blacklists: explicitly blocked traffic (e.g., “block all traffic from known malicious IPs”)

Types:

  • Hardware firewall: dedicated physical device positioned between the network and the internet. Protects the entire network.
  • Software firewall: program running on individual devices. Protects only that device.

Strengths of Firewalls

  • Block unauthorised access from external networks
  • Filter traffic based on IP addresses, ports, and protocols
  • Log traffic for auditing and forensic analysis
  • Can prevent outbound data leaks (blocking sensitive data leaving the network)

Limitations of Firewalls

  • Cannot protect against threats that bypass the firewall (e.g., USB malware, insider threats)
  • Cannot inspect encrypted traffic without additional tools (encrypted packets hide their contents)
  • Cannot prevent social engineering attacks (e.g., phishing – the user voluntarily provides credentials)
  • Rules must be kept updated – outdated rules may miss new threats
  • Can create bottlenecks if not properly sized for network traffic

Exam tip: “Discuss” is a high-level command term. When asked to “discuss the effectiveness of firewalls,” you must present both strengths AND limitations with examples. A balanced answer is essential.

NAT for Security (A2.4.1)

NAT (Network Address Translation) enhances network security by:

  • Hiding internal IP addresses: external attackers cannot directly target devices behind a NAT router
  • Acting as a basic firewall: unsolicited incoming connections are dropped because the NAT router has no entry in its translation table for them

Note: NAT is NOT a replacement for a firewall – it does not inspect traffic content or apply security rules.
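The "no entry in the translation table" point above, as an added example that is not part of the original page: a minimal model of a NAT router. An outbound packet from an internal host creates a table entry; an inbound packet is only forwarded if it matches an existing entry, so unsolicited connections are dropped. The public address 203.0.113.7 and all hosts and ports are constructed sample values.

```python
# Added example (not from the original page): simplified NAT translation table.
# Assumption: one public address shared by the internal network (sample value).
PUBLIC_IP = "203.0.113.7"


class NatRouter:
    def __init__(self):
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table = {}
        self.next_port = 40000          # next public port to hand out

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host sends a packet out: reuse or create a mapping,
        then rewrite the source to the router's public address/port."""
        for pub_port, entry in self.table.items():
            if entry == (src_ip, src_port, dst_ip, dst_port):
                return (PUBLIC_IP, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (PUBLIC_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives at the public address: forward only if the table
        has an entry for this public port AND it was created by a conversation
        with this remote peer. Anything else has no translation and is dropped."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None                 # unsolicited: no table entry, dropped
        int_ip, int_port, rem_ip, rem_port = entry
        if (rem_ip, rem_port) != (src_ip, src_port):
            return None                 # known port, but a different remote peer: dropped
        return (int_ip, int_port)


if __name__ == "__main__":
    nat = NatRouter()
    # An external host tries to reach port 40000 before anyone inside has talked to it.
    print(nat.inbound("198.51.100.9", 443, 40000))          # None (dropped)
    # Internal PC 10.0.0.5 opens an HTTPS connection; the router creates a mapping.
    print(nat.outbound("10.0.0.5", 51234, "198.51.100.9", 443))
    # The reply from that server now matches the entry and is forwarded inside.
    print(nat.inbound("198.51.100.9", 443, 40000))          # ('10.0.0.5', 51234)
```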

Common Network Vulnerabilities (A2.4.2)

HL Only – Network vulnerabilities are assessed at HL only.

Each entry gives the vulnerability, a description, and an example:

  • DDoS (Distributed Denial of Service): overwhelming a server with traffic from many compromised devices (botnet) to make it unavailable. Example: thousands of bots flooding a website with requests, crashing the server.
  • Insecure protocols: using unencrypted protocols that expose data in transit. Example: HTTP transmits data in plaintext; anyone on the network can read passwords.
  • Malware: malicious software designed to damage, disrupt, or gain unauthorised access. Example: viruses, worms, trojans, ransomware – spread via email, downloads, USB.
  • MitM (Man-in-the-Middle): attacker intercepts communication between two parties without their knowledge. Example: attacker on public Wi-Fi intercepts login credentials between user and server.
  • Phishing: fraudulent communications (email, website) that trick users into revealing sensitive information. Example: fake bank email asking the user to “verify” their password via a fake login page.
  • SQL injection: inserting malicious SQL code into input fields to manipulate a database. Example: typing ' OR 1=1 -- into a login form to bypass authentication.
  • XSS (Cross-Site Scripting): injecting malicious scripts into web pages viewed by other users. Example: embedding JavaScript in a forum post that steals session cookies.
  • Unpatched software: software with known vulnerabilities that have not been updated. Example: failing to install security updates, leaving known exploits open.
  • Weak authentication: passwords that are easy to guess or reused across multiple sites. Example: password “123456”, or using the same password for email and banking.
  • Zero-day exploits: attacks that exploit unknown vulnerabilities before a patch is available. Example: attackers discover and exploit a flaw before the software vendor knows about it.

Common Network Countermeasures (A2.4.3)

HL Only – Network countermeasures are assessed at HL only.

Each entry gives the countermeasure, a description, and what it protects against:

  • Content security policies: rules that control which resources a web page can load (e.g., only allow scripts from trusted domains). Protects against: XSS attacks.
  • Complex password policies: requirements for password length, complexity, and rotation (e.g., minimum 12 chars, uppercase, number, symbol). Protects against: weak authentication, brute-force attacks.
  • DDoS mitigation tools: services that detect and absorb/redirect DDoS traffic (e.g., Cloudflare, rate limiting). Protects against: DDoS attacks.
  • Email filtering: scanning incoming email for spam, phishing links, and malicious attachments. Protects against: phishing, malware.
  • Encrypted protocols: using HTTPS, SSH, SFTP instead of HTTP, Telnet, FTP. Protects against: insecure protocols, MitM.
  • Input validation: checking and sanitising user input (filtering special characters, whitelisting acceptable values). Protects against: SQL injection, XSS.
  • IDS (Intrusion Detection System): monitors network traffic for suspicious patterns and alerts administrators. Protects against: general intrusion, anomalous behaviour.
  • IPS (Intrusion Prevention System): like an IDS but can also automatically block detected threats. Protects against: active attacks, real-time threats.
  • MFA (Multifactor Authentication): requires two or more verification methods (password + phone code + biometric). Protects against: weak authentication, credential theft.
  • SSL/TLS certificates: digital certificates that enable encrypted HTTPS connections. Protects against: data interception, MitM.
  • Update software: regularly installing security patches and updates. Protects against: unpatched software, zero-day exploits.
  • VPNs: encrypted tunnels that protect data in transit over public networks. Protects against: data interception, MitM on public Wi-Fi.

Additional Security Measures

  • Regular security testing: penetration testing and vulnerability scanning to identify weaknesses before attackers do
  • Employee training: educating staff about phishing, social engineering, and security best practices – humans are often the weakest link

Wireless Security

  • MAC filtering: only allowing devices with approved MAC addresses to connect
  • Access control policies: restricting which users/devices can access the wireless network
  • Whitelists and blacklists for MAC addresses

This goes beyond the IB syllabus but helps build understanding.

Wi-Fi security evolution:

  • WEP (Wired Equivalent Privacy) – original standard, now broken and insecure (easily cracked in minutes)
  • WPA (Wi-Fi Protected Access) – improved on WEP but still vulnerable
  • WPA2 – current standard, uses AES encryption, much more secure
  • WPA3 – latest standard, stronger encryption, protection against offline dictionary attacks

Always use WPA2 or WPA3 on wireless networks. Never use WEP.


Worked Examples

Example 1: Firewall Rule Evaluation

A company firewall has the following rules (evaluated in order):

Rule #  Direction  Source      Destination  Port  Action
1       Inbound    Any         Internal     443   Allow
2       Inbound    Any         Internal     80    Allow
3       Inbound    10.0.0.0/8  Internal     22    Allow
4       Inbound    Any         Internal     Any   Block
5       Outbound   Internal    Any          Any   Allow

Evaluate each scenario:

#  Scenario                                                      Rule Matched  Result
1  External user accesses company website (HTTPS, port 443)     Rule 1        Allowed
2  External user tries to SSH into a company server (port 22)   Rule 4        Blocked (source is not 10.0.0.0/8)
3  Internal employee browses the web (outbound, port 443)       Rule 5        Allowed
4  Internal device on 10.0.0.5 tries to SSH into the server     Rule 3        Allowed
5  External user tries to access an internal database (port 3306)  Rule 4     Blocked
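The rule evaluation above carried out in code, as an added example that is not part of the original page: a first-match evaluator over the five rules, run against the five scenarios. The rule values are the page's own; the host addresses (198.51.100.9 as the external user, 10.0.0.10 as the company server, 10.0.0.5 as the internal PC) and the assumption that "Internal" means the 10.0.0.0/8 range are constructed for the example.

```python
# Added example (not from the original page): first-match firewall rule evaluation.
import ipaddress

# Rule table from Example 1: (rule number, direction, source, destination, port, action)
RULES = [
    (1, "inbound",  "any",        "internal", 443,   "allow"),
    (2, "inbound",  "any",        "internal", 80,    "allow"),
    (3, "inbound",  "10.0.0.0/8", "internal", 22,    "allow"),
    (4, "inbound",  "any",        "internal", "any", "block"),
    (5, "outbound", "internal",   "any",      "any", "allow"),
]

# Assumption: "Internal" in the table means the 10.0.0.0/8 range (the CIDR rule 3 uses).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def addr_matches(pattern, ip):
    """Does a rule's Source/Destination field match a concrete IP address?"""
    if pattern == "any":
        return True
    if pattern == "internal":
        return ipaddress.ip_address(ip) in INTERNAL_NET
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def evaluate(direction, src_ip, dst_ip, port):
    """Walk the rules in order and return (rule number, action) of the first
    rule whose direction, addresses and port all match. If no rule matches,
    default-deny (None, 'block')."""
    for num, rdir, rsrc, rdst, rport, action in RULES:
        if rdir != direction:
            continue
        if not (addr_matches(rsrc, src_ip) and addr_matches(rdst, dst_ip)):
            continue
        if rport != "any" and rport != port:
            continue
        return num, action
    return None, "block"


if __name__ == "__main__":
    # The five scenarios from Example 1 with the constructed sample addresses.
    scenarios = [
        ("external user, HTTPS to web server", "inbound",  "198.51.100.9", "10.0.0.10",    443),
        ("external user, SSH to server",       "inbound",  "198.51.100.9", "10.0.0.10",    22),
        ("employee browsing the web",          "outbound", "10.0.0.5",     "198.51.100.9", 443),
        ("internal 10.0.0.5, SSH to server",   "inbound",  "10.0.0.5",     "10.0.0.10",    22),
        ("external user, database port 3306",  "inbound",  "198.51.100.9", "10.0.0.10",    3306),
    ]
    for label, *packet in scenarios:
        print(f"{label:38} -> rule, action = {evaluate(*packet)}")
```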

Example 2: Vulnerability and Countermeasure Matching (HL)

#  Attack Scenario                                                          Vulnerability        Best Countermeasure
1  A user receives a fake email from “their bank” asking to verify credentials  Phishing          Email filtering + employee training
2  An attacker enters '; DROP TABLE users; -- into a search box             SQL injection        Input validation (sanitisation)
3  A website is overwhelmed by traffic from 100,000 compromised devices     DDoS                 DDoS mitigation tools (rate limiting)
4  An attacker intercepts data on a public Wi-Fi network                    MitM                 VPN + encrypted protocols (HTTPS)
5  A user’s password “password123” is guessed by an attacker                Weak authentication  Complex password policies + MFA
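The SQL injection rows in the vulnerabilities table and in Example 2 paired with their countermeasure, as an added example that is not part of the original page: the login bypass string ' OR 1=1 -- quoted above is run against a login check that builds its query by string concatenation, and then against the parameterised query that input handling should use instead. The in-memory SQLite database and its single user row ('alice') are constructed for the example.

```python
# Added example (not from the original page): vulnerable vs. parameterised login query.
import sqlite3

# The injection string quoted in the page's vulnerabilities table.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Constructed sample database: one user table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Query text is assembled from raw input, so a quote in the input ends the
    string literal and the rest of the input is executed as SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data by the driver and can
    never change the structure of the SQL statement."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks with valid credentials and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable, valid credentials": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable, injected username": login_vulnerable(conn, PAYLOAD, "anything"),
        "safe, valid credentials":       login_safe(conn, "alice", "correct-horse"),
        "safe, injected username":       login_safe(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:32} -> logged in: {logged_in}")
```

With the concatenated query the WHERE clause becomes username = '' OR 1=1 and the rest of the line is commented out, so the count is non-zero and the check passes with no valid password; the parameterised version treats the same text as a username that does not exist.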

Quick Check

Q1. What is the primary function of a firewall?

Q2. Which of the following is a limitation of firewalls?

Q3. How does NAT enhance network security?

Q4. (HL) Which vulnerability involves an attacker intercepting communication between two parties without their knowledge?

Q5. (HL) Which countermeasure requires users to verify their identity using two or more different methods?


Trace Exercise

Trace how a company firewall evaluates incoming connection requests. The firewall has three rules, evaluated in order:

  1. Allow port 443 from any source
  2. Allow port 80 from any source
  3. Block all other incoming traffic

For each incoming request, identify the rule that matches and the result.

Trace: Firewall Rule Evaluation

For each incoming request, type the rule that matches (e.g., "Rule 1") and the result ("Allowed" or "Blocked").

Step  Incoming Request        Port  Rule Matched  Result
1     HTTPS web request       443
2     HTTP web request        80
3     SSH connection attempt  22
4     Database connection     3306

Spot the Error

A student wrote revision notes about network security. One line contains an error. Click the line with the error, then pick the correct fix.

  1. Firewalls inspect all encrypted traffic to detect threats inside packets
  2. NAT hides internal IP addresses from external attackers
  3. IDS monitors traffic and automatically blocks threats
  4. MFA requires multiple verification methods for authentication

Pick the correct fix for line 3:


Fill in the Blanks

Complete the summary of network security concepts by filling in the correct term for each description.

Fill in the blanks to complete the network security summary:

NETWORK SECURITY
================
A ________ inspects and filters network traffic based on whitelists, blacklists, and rules.

________ hides internal IP addresses from external attackers by translating to a public address.

A ________ attack overwhelms a server with traffic from many compromised devices.

________ requires two or more verification methods, such as a password and a phone code.

An ________ can automatically block detected threats, unlike an IDS which only monitors and alerts.

Predict the Output

A firewall has a default rule of "block all incoming traffic" with one exception: "allow port 443 from any source." An external user tries to access a website on port 80 (HTTP). Is the connection allowed or blocked?

Type Allowed or Blocked:

An employee uses the password "CompanyName2024!" for their work account and also uses the same password for their personal email. An attacker breaches the personal email service. Can the attacker now access the employee's work account?

Type Yes or No:


Practice Exercises

Core

  1. Firewall Functions – Describe how a firewall protects a network. In your answer, explain what whitelists and blacklists are and give an example of each.

  2. NAT for Security – Explain how NAT provides an additional layer of security beyond just conserving IP addresses. Include a specific scenario showing how NAT prevents an attack.

  3. Firewall Limitations – Name three limitations of firewalls and for each, describe a type of threat that the firewall cannot prevent.

Extension

  1. Vulnerability Analysis (HL) – For each of the following vulnerabilities, describe how the attack works and recommend the most effective countermeasure: (a) phishing, (b) SQL injection, (c) DDoS, (d) man-in-the-middle.

  2. IDS vs IPS (HL) – Compare intrusion detection systems and intrusion prevention systems. For each, explain how it works, one advantage, and one disadvantage. Which would you recommend for a school network and why?

Challenge

  1. Security Audit (HL) – A small company has the following security setup: a software firewall on each computer, passwords with a minimum of 6 characters, no MFA, HTTP-only website, no employee security training, and no intrusion detection. Identify five security weaknesses and for each, recommend a specific countermeasure. Prioritise your recommendations and explain which weakness should be addressed first and why.

Connections

  • Prerequisites: Network Fundamentals – understanding network devices (hardware firewalls, gateways) and their role in security
  • Prerequisites: Data Transmission – NAT and packet structure are key to understanding how firewalls inspect traffic
  • Related: OS Fundamentals – the OS provides software firewalls, authentication, and authorisation mechanisms
  • Forward: Encryption – encrypted protocols (HTTPS, SSL/TLS) are a key countermeasure; encryption protects data that firewalls cannot inspect


© EduCS.me — A resource hub for IB Computer Science
