Course overview

How to Design and Secure Computer Networks

49 modules
198 lessons
Part 1

Appendices

  1. Appendix A - Diagram Templates by StepSign in

  2. Appendix B - Mapping to Real-World Tech Stacks (Without Prescribing Products)Sign in

  3. Appendix C - Readiness Checklists (Step N to Step N+1)Sign in

  4. Appendix D - GlossarySign in

Part 2

Course Setup and the Incremental Ladder

  1. Course Setup and the Incremental LadderSign in

  2. Why "Packets to Exploits"Sign in

  3. How to Use This CourseSign in

  4. The Incremental Ladder (Step 0 -> Step 7)Sign in

  5. The Course LensesSign in

  6. Diagram Legend and Notation TypesSign in

Part 3

Networks as Systems

  1. Networks as SystemsSign in

  2. Networks as GraphsSign in

  3. Data, Control, and Management PlanesSign in

  4. Where Security Actually LivesSign in

Part 4

The OSI and TCP/IP Models

  1. The OSI and TCP/IP ModelsSign in

  2. OSI vs TCP/IPSign in

  3. Mapping Real Protocols to LayersSign in

  4. Layer Models as Troubleshooting ToolsSign in

Part 5

Packets, Frames, and Encapsulation

  1. Packets, Frames, and EncapsulationSign in

  2. Encapsulation and DecapsulationSign in

  3. Ethernet, IP, TCP/UDP, PayloadsSign in

  4. MTU, Fragmentation, PerformanceSign in

Part 6

The Security Mindset for Network Designers

  1. The Security Mindset for Network DesignersSign in

  2. Attack Surface and RiskSign in

  3. Defense-in-DepthSign in

  4. Balancing Usability, Performance, SecuritySign in

Part 7

Diagramming Network and Security Architectures

  1. Diagramming Network and Security ArchitecturesSign in

  2. Physical vs Logical TopologiesSign in

  3. Layered Diagrams and App FlowsSign in

  4. Trust Boundaries and Data-Flow DiagramsSign in

Part 8

Layer 1–2: Links, MACs, and Local Networks

  1. Layer 1–2: Links, MACs, and Local NetworksSign in

  2. Media and Links (Conceptual)Sign in

  3. MAC Addressing and ARP-Like ResolutionSign in

  4. Broadcast Domains and Simple SwitchingSign in

Part 9

Layer 3–4: IP Addressing and Transport

  1. Layer 3–4: IP Addressing and TransportSign in

  2. IPv4 Subnets and GatewaysSign in

  3. TCP vs UDPSign in

  4. Ports, Sockets, and the Connection Lifecycle (Conceptual)Sign in

Part 10

Basic Connectivity Troubleshooting

  1. Basic Connectivity TroubleshootingSign in

  2. Reachability Checking (High Level)Sign in

  3. Common Failure PointsSign in

  4. A Minimal Debugging ChecklistSign in

Part 11

Switches, VLANs, and Layer 2 Design

  1. Switches, VLANs, and Layer 2 DesignSign in

  2. VLAN Segmentation (Conceptual)Sign in

  3. Loop Avoidance (High Level)Sign in

  4. L2 Failure DomainsSign in

Part 12

Routers, Routing Protocols, and Layer 3 Design

  1. Routers, Routing Protocols, and Layer 3 DesignSign in

  2. Static vs Dynamic Routing (High Level)Sign in

  3. Default Gateways and Path SelectionSign in

  4. WAN vs LAN PatternsSign in

Part 13

NAT, Firewalls (Basic), and Edge Connectivity

  1. NAT, Firewalls (Basic), and Edge ConnectivitySign in

  2. NAT/PAT ConceptsSign in

  3. Basic Firewall RulesSign in

  4. Internet Edge RiskSign in

Part 14

Common Small Network Topologies

  1. Common Small Network TopologiesSign in

  2. Small Office/Home PatternsSign in

  3. Branch/Campus BasicsSign in

  4. DMZ-Style Intro PatternSign in

Part 15

DNS and Naming

  1. DNS and NamingSign in

  2. Resolution FlowSign in

  3. Internal vs External DNSSign in

  4. DNS as Attack SurfaceSign in

Part 16

Web and API Protocols

  1. Web and API ProtocolsSign in

  2. HTTP Request/ResponseSign in

  3. TLS (Conceptual)Sign in

  4. Load Balancers and Proxies (Conceptual)Sign in

Part 17

Email, Directory, and Remote Access Protocols

  1. Email, Directory, and Remote Access ProtocolsSign in

  2. Email FlowsSign in

  3. Directory and Identity Protocols (High Level)Sign in

  4. Remote Access ModelsSign in

Part 18

Application Protocols as Security Boundaries

  1. Application Protocols as Security BoundariesSign in

  2. Secure Protocol vs Secure Deployment: How Good Protocols Fail Under Bad PlacementSign in

  3. Where to Terminate TLS and Enforce Auth: Turning Boundaries into Concrete Enforcement PointsSign in

  4. Mapping Services to Zones: Aligning App Surfaces with Segmentation StrategySign in

Part 19

Logical Segmentation and Zoning

  1. Logical Segmentation and ZoningSign in

  2. Zones by Function: User/Server/Management/External as Different Risk ProfilesSign in

  3. Micro vs Macro Segmentation: Operational Cost Versus Blast-Radius ReductionSign in

  4. Business Domains to Network Domains: Mapping Organizational Boundaries into Network BoundariesSign in

Part 20

Perimeter, DMZ, and Hybrid Border Patterns

  1. Perimeter, DMZ, and Hybrid Border PatternsSign in

  2. Perimeter Models: What They Assume About "Inside" and Why Those Assumptions BreakSign in

  3. DMZ Placement: Controlling Exposure and Constraining DependenciesSign in

  4. Hybrid Borders: Remote Access, VPN-like Connectivity, and Policy Consistency ProblemsSign in

Part 21

Data Center, Campus, and Cloud Network Designs

  1. Data Center, Campus, and Cloud Network DesignsSign in

  2. Common Design Families (Conceptual): core-distribution-access and leaf-spine as failure-domain choicesSign in

  3. Cloud VPC/VNet Concepts: virtual segmentation and routing as software-defined boundariesSign in

  4. Hybrid Connectivity: linking failure and trust domains across on-prem and cloudSign in

Part 22

Segmentation for Security and Containment

  1. Segmentation for Security and ContainmentSign in

  2. Limiting Lateral Movement: why segmentation is a primary defensive controlSign in

  3. Least Privilege for Networks: making "who can talk to whom" explicit and reviewableSign in

  4. ACLs, Firewalls, Security Groups (Conceptual): choosing enforcement points and avoiding policy sprawlSign in

Part 23

Identity-Aware and Zero-Trust-Inspired Approaches

  1. Identity-Aware and Zero-Trust-Inspired ApproachesSign in

  2. From Location Trust to Identity Decisions: what changes when "inside" is no longer trustedSign in

  3. Contextual Inputs: strong auth, device posture, and policy evaluation as architectureSign in

  4. Architectural Implications: where policy engines sit and how traffic is forced through themSign in

Part 24

Security Objectives and Policy

  1. Security Objectives and PolicySign in

  2. CIA and Beyond: confidentiality, integrity, availability, auditability as system propertiesSign in

  3. Policy and Classification: translating organizational intent into technical requirementsSign in

  4. Policy to Controls: mapping words to enforcement points and measurable outcomesSign in

Part 25

Trust Boundaries and Threat Modeling Basics

  1. Trust Boundaries and Threat Modeling BasicsSign in

  2. Assets, Entry Points, Boundaries: defining what matters before choosing controlsSign in

  3. STRIDE Categories (High Level): a vocabulary for "how this could fail"Sign in

  4. Data-Flow Diagrams for Threat Modeling: tracing trust transitions and identifying control gapsSign in

Part 26

Authentication, Authorization, and Accounting

  1. Authentication, Authorization, and AccountingSign in

  2. Identity Provider Patterns (Conceptual): centralizing identity and distributing enforcementSign in

  3. RBAC and ABAC: roles and attributes as different policy machinesSign in

  4. Accounting and Audit: logging privileged actions as a control, not just telemetrySign in

Part 27

Security Controls Across Network Layers

  1. Security Controls Across Network LayersSign in

  2. L2-L3 Controls (Conceptual): port security and admission ideas as boundary enforcementSign in

  3. L4-L7 Controls: gateways, proxies, and inspection as policy executionSign in

  4. Endpoint and Network Controls Together: avoiding gaps caused by assuming one layer "covers" anotherSign in

Part 28

Resilience and Availability as Security Concerns

  1. Resilience and Availability as Security ConcernsSign in

  2. DoS and DDoS (Conceptual): availability failures as adversarial outcomesSign in

  3. Redundancy and Failover: designing continuity under partial compromise or partial failureSign in

  4. Graceful Degradation: keeping critical functions alive when the network is under stressSign in

Part 29

The Attack Lifecycle

  1. The Attack LifecycleSign in

  2. Stages and Objectives: recon to impact as a planning modelSign in

  3. Mapping Objectives to Paths: how attackers traverse network boundariesSign in

  4. Layered Defenses by Stage: designing controls that interrupt progress, not just block entrySign in

Part 30

Reconnaissance and Discovery (High-Level)

  1. Reconnaissance and Discovery (High-Level)Sign in

  2. Discovery Categories: what can be learned from exposure and misconfigurationSign in

  3. Reducing exposed surface: minimizing what is discoverable by defaultSign in

  4. Monitoring and rate limiting: turning recon into detectable, bounded behaviorSign in

Part 31

Initial Access and Perimeter Breaches

  1. Initial Access and Perimeter BreachesSign in

  2. High-Level Entry Categories: misconfiguration, credential abuse, vulnerable services as architectural risksSign in

  3. Defensive Baselines: patching, hardening, and secure defaults as repeatable practiceSign in

  4. Segmentation After Breach: assuming compromise and limiting blast radiusSign in

Part 32

Lateral Movement and Internal Recon

  1. Lateral Movement and Internal ReconSign in

  2. Conceptual Movement Mechanics: how compromised identity or hosts become pivotsSign in

  3. Flat Networks as Fuel: why implicit trust is the real exploitSign in

  4. Detecting and Limiting Movement: policy, logging, and anomaly detection tied to segmentationSign in

Part 33

Common Attack Categories and Mitigation Patterns

  1. Common Attack Categories and Mitigation PatternsSign in

  2. Broad Classes: spoofing, man-in-the-middle, protocol misuse, weak auth abuseSign in

  3. Defensive Building Blocks: encryption, mutual auth, integrity checks, secure configurationSign in

  4. Secure Defaults as Architecture: how platforms eliminate whole classes of operator mistakesSign in

Part 34

Security Testing and Validation (High-Level)

  1. Security Testing and Validation (High-Level)Sign in

  2. Scanning and Review Concepts: finding misconfigurations and exposure patternsSign in

  3. Red/Blue/Purple Team Models: aligning learning with operational readinessSign in

  4. Turning Findings into Design Changes: closing the loop from discovery to architectureSign in

Part 35

Network Telemetry and Observability

  1. Network Telemetry and ObservabilitySign in

  2. Device and Service Logs: what they reveal and what they omitSign in

  3. Flow Data (Conceptual): why flows scale better than packets for many questionsSign in

  4. Packet Capture as Deep Diagnosis: when you need it and how to scope it responsiblySign in

Part 36

IDS/IPS and Network Security Sensors

  1. IDS/IPS and Network Security SensorsSign in

  2. Signature vs Anomaly (High Level): what each class can detect reliablySign in

  3. Placement Trade-offs: taps/SPAN, inline vs out-of-band and failure impactsSign in

  4. Tuning for Value: reducing noise and focusing on high-fidelity signalsSign in

Part 37

Centralized Logging and Correlation

  1. Centralized Logging and CorrelationSign in

  2. Aggregation and Normalization (Conceptual): why schema matters for security investigationsSign in

  3. Correlation and Alerting: building detections that align with threat modelsSign in

  4. Retention and Forensics: designing logging for investigations, not just dashboardsSign in

Part 38

Threat Hunting and Anomaly Detection

  1. Threat Hunting and Anomaly DetectionSign in

  2. Hypothesis-Driven Hunting: searching with intent rather than reacting to alertsSign in

  3. Baselines and Deviations: how "normal" becomes an operational dependencySign in

  4. Using Hunts to Improve Architecture: hunting outcomes as feedback into segmentation and controlsSign in

Part 39

Monitoring for Performance and Reliability

  1. Monitoring for Performance and ReliabilitySign in

  2. Health and Capacity Metrics: keeping networks stable so security signals remain meaningfulSign in

  3. Security-Reliability Interactions: why outages can be incidents and incidents can be outagesSign in

  4. Dashboards and Alerts for Two Audiences: aligning NOC and SOC needs without duplicationSign in

Part 40

Incident Response Lifecycle

  1. Incident Response LifecycleSign in

  2. The IR Phases: preparation through lessons learned as a repeatable operating loopSign in

  3. Network-Specific IR Tasks: evidence capture, isolation, and indicator blocking as boundary operationsSign in

  4. Coordination and Communication: aligning technical containment with stakeholder needsSign in

Part 41

Containment Strategies in Network Incidents

  1. Containment Strategies in Network IncidentsSign in

  2. Quarantine and Blocking Patterns: isolating hosts and segments without collapsing the businessSign in

  3. Continuity vs Containment: making trade-offs explicit and time-boundedSign in

  4. Playbooks and Decision Trees: reducing improvisation under pressureSign in

Part 42

Hardening Network Infrastructure

  1. Hardening Network InfrastructureSign in

  2. Secure Configuration Concepts: minimizing administrative exposure and unsafe defaultsSign in

  3. Baselines and Golden Configs: making "known good" repeatable and reviewableSign in

  4. Patch and Lifecycle Planning: managing vendor and device lifecycles as security realitySign in

Part 43

Designing Secure and Resilient Architectures

  1. Designing Secure and Resilient ArchitecturesSign in

  2. Defense-in-Depth Across Layers: composing controls so single failures are survivableSign in

  3. Redundancy and Diversity: avoiding shared-mode failures that drop both security and availabilitySign in

  4. Recoverability by Design: building systems that can be restored quickly and safelySign in

Part 44

Governance, Compliance, and Continuous Improvement

  1. Governance, Compliance, and Continuous ImprovementSign in

  2. Standards as Feedback: turning policy into design review, not paperworkSign in

  3. Audits as Signals: using findings to improve architecture and operationsSign in

  4. Metrics and Maturity: measuring progress in visibility, containment, and reliabilitySign in

Part 45

Reference Architectures for Secure Networks

  1. Reference Architectures for Secure NetworksSign in

  2. Organization Archetypes (High Level): small org, distributed org, cloud-heavy org, OT/IT boundarySign in

  3. Mapping the Ladder to Roadmaps: sequencing investments without skipping essential boundariesSign in

  4. Trade-off Narratives: when complexity pays off and when it becomes the riskSign in

Part 46

Network Design Patterns

  1. Network Design PatternsSign in

  2. Topology Patterns: hub-and-spoke, mesh, leaf-spine as reliability and blast-radius choicesSign in

  3. Redundant Paths and HA Pairs: designing for failure without creating control-plane fragilitySign in

  4. Management and Out-of-Band Access: separating operator paths from production flowsSign in

Part 47

Security Architecture Patterns

  1. Security Architecture PatternsSign in

  2. DMZ and Tiered Applications: aligning exposure with controlled dependenciesSign in

  3. Zero-Trust-Inspired Per-Request Checks (High Level): enforcing identity and context at the right boundarySign in

  4. Isolation for High-Risk Systems: patterns for constraining compromise and enabling recoverySign in

Part 48

Operational Patterns and Anti-Patterns

  1. Operational Patterns and Anti-PatternsSign in

  2. Change and Peer Review: preventing configuration drift from becoming vulnerabilitySign in

  3. Anti-Patterns: snowflake configs, flat networks, implicit trust as incident multipliersSign in

  4. Automation and IaC-Like Approaches: reducing operator error and improving auditabilitySign in

Part 49

Design Checklists for Secure Networked Systems

  1. Design Checklists for Secure Networked SystemsSign in

  2. Connectivity and Boundary Review: ensuring the architecture matches intended trustSign in

  3. Auth, Logging, Monitoring Coverage: making detection and investigation feasibleSign in

  4. Resilience and IR Readiness: ensuring recovery is planned, tested, and executableSign in