HIT · CS Concentrations

COURSE · CY2

Network Security

Network Security (Hebrew title: אבטחת רשתות)

layered network defense, authenticated channels, and the theory of intrusion detection

Securing networks with protocols, perimeters, and attack detection.

Year 3 · 13 weeks · 2h lecture + 2h practice · Project-based

About this course

Secure networks and communication channels against interception, tampering, and intrusion across the protocol stack.

Course format. Thirteen weeks, four contact hours each: a two-hour lecture (concepts and theory) and a two-hour practice session. The course is project-based; teams carry one running project end to end and present it three times, in weeks 5, 8, and 13.

What you will build

Build a progressively defended virtual network lab in containers with a hardened TLS 1.3 endpoint, nftables and pfSense microsegmentation, Suricata and Zeek detection sensors, IPsec and WireGuard tunnels, and a Wazuh SIEM correlation pipeline, validated in a live red-versus-blue exercise.

Expected outcomes

  • Explain the layered security model and threats at each layer of the network stack.
  • Analyze the TLS 1.3 handshake, its cryptographic foundations, and its formal security goals.
  • Design secure protocol deployments using certificates, cipher suites, and forward secrecy.
  • Configure and reason about firewalls, network segmentation, and zero-trust boundaries.
  • Deploy and tune intrusion detection and prevention systems with signature and anomaly rules.
  • Build VPNs using IPsec and WireGuard and evaluate their trust and key-management models.
  • Capture and dissect traffic to detect reconnaissance, exfiltration, and protocol abuse.
  • Detect and explain common attacks: spoofing, MITM, downgrade, and denial of service.
  • Apply detection-engineering principles to write and validate effective alert rules.
  • Assess the security of a network architecture against a structured threat model.

Key topics

  • TLS & secure protocols
  • Firewalls & IDS/IPS
  • VPNs & network segmentation
  • Attack detection

Theoretical foundations

The concepts and results this course rests on.

  • the layered network stack and per-layer threat models
  • confidentiality, integrity, and availability as security goals
  • authenticated key exchange and forward secrecy
  • the public-key infrastructure trust model and chains of trust
  • signature-based versus anomaly-based detection theory
  • the security association and tunneling model of IPsec
  • defense in depth and zero-trust segmentation principles

Prerequisites

This is a Year-3 course. It assumes the mandatory CS core: data structures and algorithms, operating systems, computer networks, databases, software engineering, and the core mathematics (linear algebra, probability and statistics, calculus, discrete mathematics). It additionally requires the specific prior courses listed below.

Course-specific prerequisites:

  • Computer networks
  • Operating systems

Weekly schedule · 13 weeks · lecture + practice

Foundations

Wk 1 · Network threat models and the security stack
Lecture: Review the OSI and TCP/IP stacks, attacker capabilities at each layer, and the goals of confidentiality, integrity, and availability.
Practice: Build a lab network in containers or VMs and map its attack surface with reconnaissance tools.
Project: Stand up the lab topology and document the initial threat model.

Secure protocols

Wk 2 · Transport security and TLS internals
Lecture: Walk through the TLS 1.3 handshake, key schedule, AEAD record layer, and forward secrecy guarantees.
Practice: Trace a real TLS 1.3 handshake byte by byte in Wireshark and identify each message.
Project: Add an instrumented TLS endpoint to the lab and capture its handshakes.

Wk 3 · Certificates, PKI, and protocol downgrade
Lecture: Cover certificate validation, chains of trust, OCSP, and downgrade and stripping attacks on secure protocols.
Practice: Run sslyze and testssl.sh against the endpoint and exploit a deliberately weakened configuration.
Project: Harden the lab TLS endpoint and record before-and-after scan results.

Perimeter defense

Wk 4 · Firewalls and network segmentation
Lecture: Explain stateful filtering, default-deny policy, segmentation, and the zero-trust architecture model.
Practice: Configure nftables and pfSense rules to segment the lab and verify enforcement with port scans.
Project: Add firewall segmentation between the lab zones with a documented ruleset.

Wk 5 · Designing the defended architecture · Presentation
Lecture: Discuss defense in depth, choke points, and how detection and prevention fit into network design.
Practice: Team presentation: each team defends its network security specification and detection plan.
Project: Freeze the network architecture and detection specification document.

Detection

Wk 6 · Intrusion detection fundamentals
Lecture: Compare signature-based and anomaly-based detection, and the IDS versus IPS placement trade-offs.
Practice: Deploy Suricata in the lab and write a first signature to catch a known exploit pattern.
Project: Add an IDS sensor to the lab with an initial rule set.

Wk 7 · Traffic analysis and protocol forensics
Lecture: Cover flow analysis, encrypted-traffic fingerprinting, and indicators of reconnaissance and exfiltration.
Practice: Analyze a malicious pcap with Zeek and Wireshark to reconstruct an attack timeline.
Project: Add a Zeek-based flow logging pipeline to the lab.

Wk 8 · Detection engineering and tuning · Presentation
Lecture: Explain rule quality, false-positive management, and validation of detection coverage.
Practice: Team presentation: interim demo of the lab detecting a live simulated attack end to end.
Project: Demonstrate the interim detection pipeline against a scripted attack.

VPNs

Wk 9 · IPsec and VPN architecture
Lecture: Present IKE, IPsec tunnels, the security associations model, and site-to-site versus remote-access designs.
Practice: Build an IPsec tunnel between lab zones and inspect the negotiated parameters.
Project: Add an encrypted IPsec tunnel connecting two lab segments.

Wk 10 · Modern VPNs and key management
Lecture: Compare WireGuard's cryptographic design with IPsec and discuss key distribution and rotation.
Practice: Deploy WireGuard, then attempt and detect a key-compromise scenario in the lab.
Project: Add a WireGuard overlay and a key-rotation procedure to the lab.

Attacks

Wk 11 · Active network attacks and mitigations
Lecture: Analyze ARP and DNS spoofing, man-in-the-middle, and denial-of-service techniques and their defenses.
Practice: Launch a controlled MITM and DoS against the lab and confirm the detection rules fire.
Project: Validate that the detection layer catches active attacks and tune the rules.

Operations

Wk 12 · Centralized monitoring and response
Lecture: Cover log aggregation, SIEM correlation, alert triage, and incident escalation workflows.
Practice: Ship lab logs into a SIEM, build correlation alerts, and run a triage exercise.
Project: Integrate a SIEM dashboard and alerting into the lab.

Capstone

Wk 13 · Final architecture and red-team defense · Presentation
Lecture: Review the complete defended architecture and the detection coverage achieved across the term.
Practice: Team presentation: final red-team-versus-blue-team demonstration with oral defense of the design.
Project: Deliver the complete monitored, segmented, attack-resilient lab with documentation.

AI tools in this course

Students use AI assistants to generate and tune detection content for the lab: drafting Suricata and Zeek signatures from an attack description, refactoring nftables and pfSense rulesets, and writing the Python and Lua glue that ships logs into the Wazuh SIEM. They paste captured pcaps and TLS handshakes into the assistant to explain each record and to propose Wireshark display filters, and they vibe-code the attack scripts (ARP and DNS spoofing, downgrade, DoS) used to exercise the blue-team rules. AI helps generate correlation logic and triage summaries from raw alerts, and students drive lab tools and MCP-style automation through it, but they validate every generated rule against real traffic and measure its false-positive rate, since an AI signature that looks right but never fires is a graded failure.

Student project

Teams build and progressively defend a realistic virtual network, adding secure protocols, segmentation, VPNs, and a full detection and monitoring stack. Each week introduces an attack and a corresponding mitigation that must be demonstrated. The capstone is a live red-versus-blue exercise defended orally.

Requirements

  • Build a working system, not a set of disconnected exercises.
  • Be original: a new system that solves a real problem, not a re-implementation of a tutorial or course demo.
  • Show real depth: real data, real users or realistic load, and engineering trade-offs that are measured rather than assumed.
  • Carry one running project from specification to a deployed, defensible result across the whole term.
  • Work in a team of three or four and defend the design at each of the three presentations (weeks 5, 8, and 13).

Example projects

  • Segmented enterprise lab
  • Zero-trust microsegmentation demo
  • TLS hardening pipeline
  • IDS detection-rule suite
  • Encrypted multi-site VPN mesh
  • SIEM correlation dashboard
  • DNS-exfiltration detector
  • Red-versus-blue range

Assessment & grading

Grading is project-based, with no written exam. Teams of three or four present one running project three times.

Component | What it covers | Weight
Project · Specification | Presentation 1 (week 5): problem, objectives, and architecture | 20%
Project · Interim | Presentation 2 (week 8): the working system demonstrated live | 30%
Project · Final | Presentation 3 (week 13): end-to-end demo with oral defense | 50%

Tools & platforms

  • Wireshark: packet capture and protocol dissection
  • Suricata: signature and anomaly intrusion detection
  • Snort: alternative IDS/IPS rule engine
  • Zeek: network flow analysis and security logging
  • nftables: stateful Linux firewall configuration
  • pfSense: firewall and routing appliance for the lab
  • WireGuard: modern VPN tunneling
  • strongSwan: IPsec and IKE VPN implementation
  • testssl.sh: TLS configuration auditing
  • Wazuh: SIEM, log correlation, and alerting

Free online courses

Existing free, video-based courses this course can build on, for self-study or as a teaching basis.

In Hebrew · בעברית

Primary literature

Seminal works to read for graduate-level depth.

References

Books and resources link to an online or publisher page.

Role in each concentration

Concentration | Role
Intelligent Software Systems | Elective
Networking & Cyber Security | Core · Semester 1
AI & Robotics | Elective
AI and Quantum Computing for Finance | Elective
Immersive Systems & Game Development | Elective
Defense Technologies & Autonomous Systems | Elective