CS3690 Network Security

This course covers the concepts and technologies used to achieve confidentiality, integrity, and authenticity for information processed across networks. Topics include: fundamentals of TCP/IP-based networking, core network security principles, traffic filtering types and methodology, packet-level traffic analysis, employment of cryptography, tunneling/encapsulation, Public Key Infrastructure (PKI), remote authentication protocols, and virtual private networks based upon the IPsec, L2TP, and SSL protocols.

Prerequisites

CS3600 or consent of instructor.

Course Learning Outcomes

  • Student will learn that protocol-based automation lies at the core of all systems generally referred to as "cyber".
  • Student will learn that virtually all cyber-enabling protocols are vulnerable in one or more of the elements of the CIA-Triad: confidentiality, integrity, and availability.
  • Student will learn how the three information security objectives (CIA-Triad) can be used to characterize all four factors of the Risk Equation: threats, vulnerabilities, security controls, and impact.
  • Student will learn how the combination of protocols (e.g., IP, TCP, NAT, etc.), devices (e.g., switches, routers, servers, etc.), and addressing/naming schemes (e.g., MAC, IP, port, FQDN) work together to enable data-in-transit via automated systems and infrastructure (e.g., ARP, DNS, DHCP, BGP, etc.).
  • Student will learn how to "read" and interpret layers 2-4 of the TCP/IP protocol stack, with the goal of being able to distinguish "normal" (i.e., protocol- and behavior-compliant) traffic from "abnormal" traffic, which is indicative of either non-malicious errors or intentional malicious activity.
  • Student will learn to appreciate the value that understanding "normal" protocol-enabled behavior brings to the network defender's ability to properly "filter" traffic for enhanced security protection.
  • Student will learn to convert high(er)-level security policy statements/requirements into action via appropriate security device configuration.
  • Student will learn the rudiments of applying protocol information to create appropriate traffic filters (e.g., router access-control lists) that combine both white- and black-listing techniques, with the end goal of creating and/or enhancing principle-of-least-privilege (POLP) based perimeter defenses.
  • Student will learn the fundamentals of cryptologic mechanisms, to include: key symmetry, PKI, digital signature, digital certificate, cross-certification, trust anchor, certification authority, message authentication code, bit-entropy, brute-force time estimation, Kerckhoffs' Principle, Avalanche Principle, session key, key management infrastructure, key distribution complexity, and VPN types.
  • Student will learn to assess, at a high level, whether any particular combination of cryptologic mechanisms (e.g., hash, nonce, asymmetric encryption, or symmetric encryption) provides one, both, or neither of confidentiality and integrity.
  • Student will learn the fundamental protocols by which digital authentication can be achieved via the proof-of-possession-of-secrets paradigm, using both TLS and IPsec as examples.
  • Student will learn the meaning of, and how to distinguish between, the terms: key establishment, key transport, key agreement, and key derivation.
  • Student will learn what is meant by a "side-channel" attack, both in the general sense and via a specific (cryptographic) example.
  • Student will learn about VPN split-tunneling, and considerations/concerns when VPN (tunneling) technology is integrated with firewall (filtering) technology.
  • Student will learn of the ROI potential of integrating trusted third-party infrastructure solutions to deal with the key-management problem at scale.
  • Student will learn what Perfect Forward Secrecy means, and what is required to achieve it.
  • Student will learn the requirements of the three assurance levels that can be applied to each of the identification, authentication, and federation aspects of a digital authentication enterprise, as described by NIST in its SP 800-63-3 publication.
  • Student will learn the functional components and operation of IEEE 802.1X (port-based access control) and IPsec-based VPNs.