Networks and transport
By the end of this module you will be able to:
- Explain the difference between stateful and stateless firewalls and when each is appropriate
- Describe how a VPN provides confidentiality and integrity for data in transit
- Summarise what TLS 1.3 provides and why earlier versions are considered insecure
- Apply the principle of defence in depth to explain why layered controls matter

Real-world incident · 7 May 2021
The VPN was supposed to be the security control. It became the entry point.
On 7 May 2021, Colonial Pipeline, operator of the largest refined-fuel pipeline system in the United States, halted its 5,500 miles of pipeline after discovering ransomware on its corporate IT systems; the pipeline itself was stopped as a precaution while the company established whether the operational network had been reached. The shutdown triggered fuel shortages across the south-eastern United States, price spikes, and panic buying, and the federal government issued an emergency declaration to ease road transport of fuel.
The attackers, a group known as DarkSide, gained initial access through a VPN (Virtual Private Network) account that was no longer in active use but had never been disabled. The account had no MFA (Multi-Factor Authentication) enabled, and its password had appeared in a leaked batch of credentials. The VPN was intended to be a security control, providing encrypted remote access. Instead it became the entry point, because the accounts behind it were inadequately managed.
Colonial Pipeline paid a ransom of roughly $4.4 million (75 bitcoin), of which the FBI (Federal Bureau of Investigation) later recovered 63.7 bitcoin, worth roughly $2.3 million at the time of seizure. The incident is a practical demonstration that network security controls only work when correctly configured, actively monitored, and layered with other defences. This module examines the three core network and transport controls (firewalls, VPNs and TLS) and explains why none of them works in isolation.
The attacker used a legitimate VPN account with a real password. No exploit code was needed. What does this reveal about the limits of encrypted tunnels as a security control?
Module 3 covered data classification, integrity controls, and the cryptographic mechanisms that detect tampering. This module shifts to the infrastructure that carries data between systems: the network. Three controls form the backbone of network and transport security, and the Colonial Pipeline incident demonstrates what happens when they are deployed without proper management.
The module begins with firewalls, the oldest of the three, and the distinction between stateless and stateful inspection.
4.1 Firewalls: stateless and stateful
A firewall is one of the oldest and most fundamental network security controls. Its job is to decide which network traffic is permitted to pass and which is blocked, based on rules defined by an administrator. It sits between trusted and untrusted network zones and enforces a policy about which communications are allowed.
A stateless firewall (packet filter) examines each network packet individually, without memory of previous packets. It applies rules based on fixed attributes: source IP (Internet Protocol) address, destination IP address, port numbers, and protocol. Stateless firewalls are fast and simple, appropriate for high-speed filtering of known-bad traffic such as blocking all traffic from a specific IP range. Their limitation is that they cannot distinguish a legitimate response to a request your system made from an unsolicited packet arriving on the same port. Some packet filters approximate this by requiring the TCP ACK flag on inbound packets, but an attacker controls the flags in the packets they send, so that check is easily satisfied.
A stateful firewall maintains a table of active connections. When your browser opens a connection to a web server, the firewall records the outbound connection (source and destination addresses and ports). When a packet arrives from outside, the firewall checks whether it belongs to a recorded connection; if it does not, the packet is dropped. Entries are removed when the connection closes or times out. This makes stateful inspection significantly stronger against spoofed or unsolicited packets, at the cost of memory for the table, which is itself a resource an attacker can try to exhaust.
“A stateful packet filter maintains a state table that records the state of each session traversing the firewall. It verifies that each incoming packet is part of an established, permitted session before allowing it through.”
NIST SP 800-41 Rev.1, Guidelines on Firewalls and Firewall Policy - Section 3.2, Types of Firewalls
NIST SP 800-41 Rev.1 is the US government's reference guide for firewall deployment. It treats stateful inspection as the baseline for perimeter firewalls protecting networked systems; stateless packet filters are appropriate for specific high-speed filtering roles, such as a first-pass filter in front of a stateful device, not as the primary perimeter control.
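To make the difference concrete, here is an added example, not from the module or NIST SP 800-41, that runs the same permit-HTTPS policy through a stateless rule set and a stateful session table over a constructed four-packet trace. The addresses, ports and packets are constructed, and the rule set is a deliberately simplified illustration of the two models, not any real firewall's syntax.

```python
# Added example (not from the module or NIST SP 800-41): a minimal simulation
# of the two firewall types in 4.1 run over a constructed packet trace.
# All addresses, ports and packets below are constructed for illustration.
from dataclasses import dataclass

INTERNAL_HOST = "10.0.0.5"  # constructed: the protected workstation


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the protected network, "in" = arriving
    flags: str      # TCP flags, e.g. "SYN", "SYN-ACK", "ACK", "FIN"


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rules: each packet judged alone, no memory of earlier ones.

    Rule 1: allow outbound HTTPS (dst port 443).
    Rule 2: allow inbound packets with src port 443, intended to let HTTPS
            replies back in. Because the filter keeps no history, any packet
            that merely claims src port 443 also matches rule 2.
    """
    if pkt.direction == "out" and pkt.dst_port == 443:
        return True
    if pkt.direction == "in" and pkt.src_port == 443:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: the same policy plus a table of permitted sessions."""

    def __init__(self) -> None:
        # entries are (internal_ip, internal_port, remote_ip, remote_port)
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dst_port == 443:
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key not in self.sessions:
                return False  # unsolicited: no outbound request matches
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.sessions.discard(key)  # session closing; stop accepting
            return True
        return False


TRACE = [
    # 1. workstation opens HTTPS to a web server
    Packet(INTERNAL_HOST, 51234, "203.0.113.10", 443, "out", "SYN"),
    # 2. the server's reply to that request
    Packet("203.0.113.10", 443, INTERNAL_HOST, 51234, "in", "SYN-ACK"),
    # 3. an unrelated host spoofing src port 443 towards the same client port
    Packet("198.51.100.7", 443, INTERNAL_HOST, 51234, "in", "SYN"),
    # 4. a probe of RDP (3389) sent from src port 443 to slip past rule 2
    Packet("198.51.100.7", 443, INTERNAL_HOST, 3389, "in", "SYN"),
]


def decisions(trace=TRACE):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    stateful = StatefulFirewall()
    return [(stateless_allow(p), stateful.allow(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, decisions()):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"[{pkt.flags}]  stateless={'ALLOW' if sl else 'DROP'}  "
              f"stateful={'ALLOW' if sf else 'DROP'}")
```

Packets 3 and 4 are the case described above: both carry source port 443, so the stateless rule meant to admit HTTPS replies admits them too, while the stateful table drops both because no outbound request matches. Packet 4 reaches an internal RDP port, which is exactly how a loose stateless rule turns into reachability for an attacker.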
Firewalls decide which connections may exist. VPNs address a different problem, protecting the contents of connections that must cross an untrusted network, and that is the subject of the next section.
4.2 VPNs: encrypted tunnels and their limits
A VPN creates an encrypted tunnel between two endpoints, protecting data in transit from interception and modification. Remote access VPNs allow employees to connect to office systems from home. Site-to-site VPNs link two office networks over the internet without exposing traffic to interception.
IPsec (Internet Protocol Security), standardised by the IETF and covered in NIST SP 800-77 Rev.1, is the established standard for VPN encryption. It operates at the network layer in one of two modes. In transport mode only the packet payload is protected and the original IP header stays visible, so an observer still sees which hosts are talking. In tunnel mode the entire original packet, header included, is encrypted and wrapped in a new packet addressed between the two VPN gateways; this is the mode used for site-to-site links, where the internal source and destination addresses should be hidden.
WireGuard is a modern alternative merged into the Linux kernel in 2020 (version 5.6). Its design prioritises a small, auditable codebase of roughly 4,000 lines, against the hundreds of thousands of lines in OpenVPN plus its TLS library or in a full IPsec stack, using a fixed set of modern primitives: Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, and BLAKE2s for hashing. Smaller codebases have fewer places for vulnerabilities to hide. Note what WireGuard deliberately leaves out: peers are identified only by static public keys, and distributing, rotating and revoking those keys is left to the operator. The protocol cannot tell a legitimate peer from an attacker holding a copied key.
Common misconception
“Having a VPN means network access is secure.”
The Colonial Pipeline attack illustrates this directly. The VPN was present and functional. It became the entry point because an inactive account with no MFA and a leaked password was never disabled. A VPN authenticates whatever credential is presented at the tunnel endpoint; it cannot tell whether the person presenting it is the account's rightful owner. Robust user authentication comes from credential hygiene, multi-factor authentication and account lifecycle management layered on top of the tunnel. An encrypted tunnel with a stolen key is still a breach.
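The conditions that made that account exploitable are all checkable in advance. The following added example (not from the module or the CISA analysis) reviews a constructed directory export and a constructed set of VPN gateway log lines: it lists dormant accounts to disable, lists enabled accounts without MFA, and flags any successful login that used either. The log format, addresses and account names are assumptions for illustration; real gateways log in their own formats. This is the account-lifecycle review that Section 4.4 later lists among the process controls.

```python
# Added example (not from the module or the CISA analysis): a review of VPN
# accounts and gateway authentication events that flags the conditions behind
# the Colonial Pipeline entry point: a dormant account, no MFA, and a sudden
# successful login. The directory export, log format and log lines below are
# constructed for illustration.
import re
from datetime import date

# Constructed directory export. last_login is the last login recorded before
# the log window under review, so a fresh login does not mask dormancy.
ACCOUNTS = [
    {"user": "alice",          "enabled": True, "mfa": True,  "last_login": "2021-05-06"},
    {"user": "contractor_old", "enabled": True, "mfa": False, "last_login": "2020-09-14"},
    {"user": "bob",            "enabled": True, "mfa": True,  "last_login": "2021-05-05"},
]

# Constructed VPN gateway log: timestamp, host, user, outcome, source IP, MFA method.
LOG = """\
2021-05-06T09:02:11Z vpn-gw auth user=alice result=success src=203.0.113.5 mfa=totp
2021-05-07T01:12:03Z vpn-gw auth user=contractor_old result=success src=198.51.100.23 mfa=none
2021-05-07T01:13:40Z vpn-gw auth user=bob result=failure src=203.0.113.9 mfa=totp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts idle for longer than max_idle_days: candidates to disable."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"]
        and (as_of - date.fromisoformat(a["last_login"])).days > max_idle_days
    )


def review(accounts, log_text, as_of, max_idle_days=90):
    """Account-lifecycle review plus detection over the log window.

    Returns which accounts to disable, which need MFA enforced, and which
    successful logins need investigation because they used a dormant or
    MFA-less account (the Colonial Pipeline pattern).
    """
    stale = set(dormant_accounts(accounts, as_of, max_idle_days))
    no_mfa = {a["user"] for a in accounts if a["enabled"] and not a["mfa"]}
    investigate = []
    for ev in parse_log(log_text):
        if ev["result"] != "success":
            continue  # failed attempts are worth counting, but not this check
        reasons = []
        if ev["user"] in stale:
            reasons.append("dormant account")
        if ev["user"] in no_mfa or ev["mfa"] == "none":
            reasons.append("no MFA")
        if reasons:
            investigate.append({**ev, "reasons": reasons})
    return {"disable": sorted(stale), "enforce_mfa": sorted(no_mfa), "investigate": investigate}


def run_review():
    """Run the review against the constructed data as of 7 May 2021."""
    return review(ACCOUNTS, LOG, date(2021, 5, 7))


if __name__ == "__main__":
    result = run_review()
    print("disable:    ", result["disable"])
    print("enforce MFA:", result["enforce_mfa"])
    for ev in result["investigate"]:
        print(f"investigate: {ev['ts']} user={ev['user']} src={ev['src']} "
              f"({', '.join(ev['reasons'])})")
```

The review is deliberately two-sided: the directory side (disable, enforce MFA) is the preventive control that would have removed the account before the attacker found the password, and the log side is the detective control that catches the login if prevention has already failed. Running only the second half is how organisations end up investigating a breach instead of preventing one.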
A VPN protects traffic between two networks, or between a user and a network. TLS, the subject of the next section, protects individual application connections end to end, and its version matters as much as its presence.
4.3 TLS 1.3 and why versions matter
TLS (Transport Layer Security) is the cryptographic protocol that secures HTTPS connections, email, and most modern internet communications. The padlock icon in a browser's address bar indicates TLS is active. TLS provides three properties: authentication (confirming you are connected to the intended server), confidentiality (encrypting traffic so intermediaries cannot read it), and integrity (detecting any modification in transit).
TLS 1.3, defined in RFC 8446 (published August 2018), is the current standard. It improves on TLS 1.2 in three critical ways. The full handshake completes in one round trip (1-RTT) rather than two, reducing latency. Every cipher suite built on weak or unauthenticated primitives is removed: MD5 and SHA-1 as integrity mechanisms, RC4, 3DES, and all non-AEAD (CBC) modes. And public-key key exchange is always ephemeral: even if a server's long-term private key is later compromised, past sessions cannot be decrypted, because each session's keys were derived from an ephemeral exchange that no longer exists. The one exception is resumption with a pre-shared key alone (psk_ke mode), which is why servers should require the psk_dhe_ke mode that adds a fresh (EC)DHE exchange to each resumed session.
“TLS 1.3 removes features that have been shown to be insecure, including compression, renegotiation, non-AEAD ciphers, and non-PFS key exchange modes.”
RFC 8446, The Transport Layer Security (TLS) Protocol Version 1.3 - Section 1, Introduction
RFC 8446 defines TLS 1.3. The removal of non-PFS (Perfect Forward Secrecy) key exchange modes is the most significant security improvement over TLS 1.2. Forward secrecy ensures that session keys are derived from ephemeral key exchanges that are discarded after the session, meaning captured traffic cannot be decrypted retrospectively.
Common misconception
“Accepting TLS 1.0 or 1.1 for backwards compatibility is an acceptable trade-off.”
No current browser enables TLS 1.0 or 1.1 by default, and RFC 8996 (2021) formally deprecated both. If a legacy system requires them, that system should be treated as high-risk and isolated rather than used as justification for weakening the server configuration for all users. The practical attacks on this generation of protocols include BEAST (CVE-2011-3389), which recovers plaintext from TLS 1.0's CBC mode, and POODLE (CVE-2014-3566), which exploits CBC padding in SSL 3.0 and affects any server that can still be downgraded to it. Backwards compatibility is not a valid justification for deploying deprecated cryptographic protocols.
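The version and cipher suite rules in this section are mechanical enough to encode. The following added example (not from the module or RFC 8446) audits a proposed configuration given as a protocol version and a list of IANA cipher suite names, and builds a Python ssl server context that refuses anything below TLS 1.3. The policy tokens and the sample proposals are assumptions for illustration; the RC4 proposal is the one from the exercise at the end of this module.

```python
# Added example (not from the module or RFC 8446): a policy check for a
# proposed TLS configuration. Cipher suites are given by their IANA names; the
# policy encodes the module's rules (no TLS 1.0/1.1, no RC4/3DES/MD5/NULL/EXPORT,
# AEAD only, forward-secret key exchange). Token lists are assumptions.
import ssl

LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # RFC 8996 deprecates TLS 1.0/1.1
WEAK_TOKENS = {"NULL", "EXPORT", "RC4", "3DES", "DES", "RC2", "IDEA", "MD5", "anon"}
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20"}


def parse_suite(name):
    """Split an IANA cipher suite name into (key_exchange, rest).

    TLS 1.2 names look like TLS_<KX>_WITH_<CIPHER>_<MAC>. TLS 1.3 names
    (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange part because the
    handshake always performs an ephemeral (EC)DHE exchange.
    """
    body = name[len("TLS_"):] if name.startswith("TLS_") else name
    if "_WITH_" in body:
        kx, rest = body.split("_WITH_", 1)
        return kx, rest
    return None, body


def audit_suite(name):
    """Return the policy violations for one cipher suite (empty list = acceptable)."""
    findings = []
    tokens = set(name.split("_"))
    for weak in sorted(WEAK_TOKENS & tokens):
        findings.append(f"uses {weak}, removed from TLS 1.3 as insecure")
    kx, _ = parse_suite(name)
    # Static RSA, static (EC)DH and plain PSK key exchange give no forward secrecy.
    if kx is not None and not (kx.startswith("ECDHE") or kx.startswith("DHE")):
        findings.append(f"key exchange {kx} has no forward secrecy")
    if not (AEAD_TOKENS & tokens):
        findings.append("not an AEAD suite (CBC or stream cipher with separate MAC)")
    return findings


def audit_tls_config(version, suites):
    """Audit a (protocol version, cipher suite list) proposal; returns finding strings."""
    findings = []
    if version in LEGACY_VERSIONS:
        findings.append(f"{version}: deprecated protocol version, do not enable")
    for suite in suites:
        findings.extend(f"{suite}: {f}" for f in audit_suite(suite))
    return findings


def is_acceptable(version, suites):
    return not audit_tls_config(version, suites)


def hardened_server_context():
    """A server-side SSLContext that refuses any client offering less than TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


# Constructed proposals: the exercise's RC4 suggestion and a TLS 1.3 baseline.
DEVELOPER_PROPOSAL = ("TLSv1.2", ["TLS_RSA_WITH_RC4_128_SHA"])
RECOMMENDED = ("TLSv1.3", ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"])

if __name__ == "__main__":
    for label, proposal in (("developer proposal", DEVELOPER_PROPOSAL),
                            ("recommended", RECOMMENDED)):
        print(label, "->", "OK" if is_acceptable(*proposal) else "REJECT")
        for f in audit_tls_config(*proposal):
            print("   ", f)
    print("hardened context minimum:", hardened_server_context().minimum_version.name)
```

The RC4 proposal fails on three independent counts: the cipher itself, a static-RSA key exchange with no forward secrecy, and a non-AEAD construction. The audit works on names alone, which is useful for reviewing a configuration file or a scanner report before anything is deployed; the ssl context shows the same policy enforced at the endpoint, where a client that only speaks TLS 1.0 or 1.1 simply fails the handshake instead of quietly negotiating down.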
Each of the three controls covers one layer and fails in its own way. The final section looks at the principle that turns separate controls into a coherent defence.
4.4 Defence in depth
The Colonial Pipeline incident reinforces a principle that runs throughout professional security practice: no single control is sufficient. Defence in depth is the strategy of layering multiple independent controls so that the failure of any one layer does not result in a complete compromise.
The principle operates across three dimensions:
- People controls: security awareness training, access policies, phishing simulation, and incident reporting culture.
- Process controls: patching schedules, access reviews, change management, account lifecycle management (which would have caught Colonial Pipeline's unused VPN account), and incident response procedures.
- Technology controls: firewalls, encryption, intrusion detection, endpoint protection, and logging.
A stateless firewall is configured to block all traffic from IP addresses in a specific country. An attacker uses a compromised server inside the permitted IP range. Which limitation of stateless filtering does this illustrate?
Your organisation's security team discovers a legacy VPN account for an employee who left two years ago. The account has no MFA enabled. Which risk treatment is most appropriate?
A developer argues that a new internal service can use TLS 1.2 with the RC4 cipher suite for compatibility with an old client application. Evaluate this argument.
Key takeaways
- Stateful firewalls track connection context; stateless firewalls only check packet attributes. Stateful inspection is the minimum standard for perimeter controls.
- VPNs provide encrypted tunnels. They do not authenticate users robustly on their own. A VPN without MFA and good credential hygiene is a secure tunnel with an unlocked door.
- TLS 1.3 removes the weak cipher suites that TLS 1.2 still permitted and makes every public-key key exchange ephemeral. TLS 1.0 and 1.1 are formally deprecated, have known practical attacks, and must not be deployed.
- Defence in depth layers people, process, and technology controls. The failure of one layer should not cause complete compromise.
You now understand the network controls that carry and protect data: firewalls, VPNs, TLS, and the defence-in-depth principle that ties them together. The next module returns to the CIA triad introduced in Module 1 and asks: given real attack techniques, how do you classify which property each one targets? Module 5 introduces STRIDE and maps common attack types to the framework.
Standards and sources cited in this module
RFC 8446, The Transport Layer Security (TLS) Protocol Version 1.3
Section 1, Introduction
Defines TLS 1.3 and its improvements over TLS 1.2. Cited in Section 4.3.
NIST SP 800-77 Rev.1, Guide to IPsec VPNs
Section 3, IPsec Architecture
Defines IPsec VPN architecture, transport and tunnel modes. Referenced in Section 4.2.
NIST SP 800-41 Rev.1, Guidelines on Firewalls and Firewall Policy
Section 3.2, Types of Firewalls
Authoritative reference for stateful vs stateless firewall types. Cited in Section 4.1.
CISA, 'Colonial Pipeline Cyber Incident' analysis (2021)
Incident analysis
Source for the Colonial Pipeline attack detail. Used as the opening case study.
NCSC UK, '10 Steps to Cyber Security' (2022)
Step 6: Network security
UK-specific guidance on defence in depth. Referenced in Section 4.4.
Module 4 of 25 · Cybersecurity Foundations

