AP Networking

From the inside out: monitoring and defending a large network

Attacks on large networks don't always come from outside. Users can misuse access they already have, physical intruders can bypass logical controls entirely, and malware can move laterally from one device to another. Defending a large network means layering controls across people, physical spaces, and network segments — and monitoring for the signals that something has gone wrong.

What this topic covers

  • 4.5.A — Common threats and vulnerabilities in managed networks
  • 4.5.B — Security controls to limit their impacts
  • 4.5.C — IDS and IPS: monitoring and interpreting logs for threats and performance issues
  • 4.5.D — Configuring and verifying VLANs

Defense in depth

No single control can protect a large network. A layered approach — combining policy, physical security, technical controls, and monitoring — reduces the likelihood that any single failure leads to a full compromise. Administrators evaluate the likelihood and impact of specific threats and select controls that are cost-effective and appropriate for the environment.

Common threats in managed networks (4.5.A)

User misuse

Accessing resources beyond one's role, mishandling data, or failing to follow secure procedures. May be accidental or intentional. Results in unauthorized access, data exposure, or service disruption.

Physical access

Tailgating (following someone through a secured door), piggybacking, or theft of devices. Bypasses logical controls entirely and may lead to data theft, equipment tampering, or internal compromise.

Lateral movement

An adversary or malware moves across a network after an initial compromise. More dangerous in networks that lack internal monitoring, access control boundaries, or containment. Can result in widespread data compromise and loss of administrative control.


Security controls (4.5.B)

Policies and procedures

  • AUPs — define acceptable use of network resources
  • Password / access control policies — strong authentication, account lockouts, user permission levels
  • Data handling guidelines — storage, transmission, and deletion of sensitive data

Physical security controls

  • Fencing, cameras, and on-site security
  • Card readers and access control vestibules
  • Locking devices in secure rooms or server cabinets
  • Cable locks to secure workstations and laptops
  • Training staff to recognize social engineering tactics

Technical controls for unauthorized access

  • Strong passwords + lockout — account lockout after failed attempts prevents brute-force attacks
  • Principle of least privilege — users receive only the minimum access required for their role
  • Segmentation — restricts access between device groups and limits lateral movement
  • Firewalls — block unauthorized traffic from accessing protected systems
  • Network monitoring — detects suspicious activity and generates alerts in real time

IDS and IPS (4.5.C)

IDS — Intrusion Detection System

Monitors network traffic and generates alerts when a threat is detected. Does not block traffic — it is a passive monitor that flags suspicious activity for review.

IPS — Intrusion Prevention System

Inspects traffic and can take immediate action to block suspicious traffic automatically. IPS sits inline in the network flow and acts as both a detector and an enforcer.

Security threat indicators

  • Repeated failed login attempts
  • Access attempts outside of business hours
  • Connections to known malicious IP addresses
  • Alerts for malware signatures or suspicious files
  • Unauthorized network scans
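The first three indicators above can be checked mechanically. This is an added example, not part of the original study guide: it reads a constructed login/connection log (the format, the user names, the addresses and the blocklist are all made up here) and raises an alert for repeated failed logins from one source, for successful logins outside business hours, and for connections to a listed bad address.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not from any real system).
# Format: "date time user src_ip result [dst_ip]".
SAMPLE_LOG = """\
2024-03-04 08:59:10 alice 10.0.1.15 LOGIN_FAILED
2024-03-04 08:59:14 alice 10.0.1.15 LOGIN_FAILED
2024-03-04 08:59:20 alice 10.0.1.15 LOGIN_FAILED
2024-03-04 08:59:25 alice 10.0.1.15 LOGIN_FAILED
2024-03-04 08:59:31 alice 10.0.1.15 LOGIN_FAILED
2024-03-04 09:12:02 bob 10.0.2.40 LOGIN_OK
2024-03-04 23:47:19 carol 10.0.3.7 LOGIN_OK
2024-03-04 13:05:44 dave 10.0.4.9 CONNECT 203.0.113.77
"""

# Hypothetical blocklist; 203.0.113.0/24 is a documentation-only range.
KNOWN_BAD_IPS = {"203.0.113.77"}
FAILED_LOGIN_THRESHOLD = 5        # alert on the 5th failure from one user+source
BUSINESS_HOURS = range(8, 18)     # 08:00 to 17:59 counts as business hours


def parse_line(line):
    """Split one log line into a dict; CONNECT lines also carry a destination."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    event = {"time": ts, "user": parts[2], "src": parts[3], "result": parts[4]}
    if parts[4] == "CONNECT":
        event["dst"] = parts[5]
    return event


def find_indicators(log_text):
    """Return (indicator, user, address) tuples in the order they are detected."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "LOGIN_FAILED":
            key = (ev["user"], ev["src"])
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:   # fire once per key
                alerts.append(("repeated_failed_login", ev["user"], ev["src"]))
        elif ev["result"] == "LOGIN_OK" and ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", ev["user"], ev["src"]))
        elif ev.get("dst") in KNOWN_BAD_IPS:
            alerts.append(("known_bad_destination", ev["user"], ev["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(alert)
```

In practice the thresholds and the blocklist would come from the IDS configuration and a threat-intelligence feed rather than constants in the script.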

Network performance issue indicators

  • Sudden increases in traffic volume or packet rates
  • Frequent packet drops or timeout errors
  • Misuse of protocols or unexpected service behavior
  • Repeated failed connections or service disruptions

Configuring and verifying VLANs (4.5.D)

VLANs logically separate devices into isolated groups — by department, role, or device type — on the same physical switch. Devices in different VLANs cannot communicate unless routing is configured. VLANs reduce broadcast traffic, limit congestion, and restrict access to sensitive systems.

Configuration steps

  1. Create a segmentation plan: group users or devices by function or security level
  2. Assign each VLAN a unique VLAN ID and an optional name
  3. Connect devices to switch ports and configure those ports with the corresponding VLAN ID

Port types

  • Access ports — connect individual devices to a single VLAN
  • Trunk ports — carry traffic from multiple VLANs between switches or routers; needed when VLANs span more than one switch

Verifying VLAN configuration

  • show vlan brief — displays VLAN IDs, names, and assigned ports to confirm correct configuration
  • ping and traceroute — test that devices on the same VLAN can communicate and, if routing is configured, that cross-VLAN communication works as expected