Blackbox Intelligence Group

Cybersecurity II · Module 2

Cybersecurity II, Unit 2: Advanced Networking and Network Defense

VLANs, segmentation, NAT, firewall rule design, IDS/IPS concepts, VPN, and zero trust at the level a defender actually uses. Students design and defend a segmented network.

Length
300 min
Level
intermediate
Track
Cyber II
Cadence
Semester 2


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Locked

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Locked

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Locked

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 2: Advanced Networking and Network Defense

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 5 × 60 minutes |
| Recommended placement | Week 2 of Cyber II |
| Prerequisite | Cyber I Unit 4; Cyber II Unit 1 |
| Materials | pfSense or OPNsense VM (firewall), three lab subnets, Suricata or Snort, sample PCAPs |

Safety: All firewall and IDS testing happens inside the host-only lab. Never apply student-built rules to school production infrastructure.

Standards & credential alignment

  • OffSec PEN-100: networking fundamentals for offensive/defensive ops.
  • NIST SP 800-41: firewall guidelines.
  • CIS Controls v8: Control 12 (Network Infrastructure Management), Control 13 (Network Monitoring and Defense).

Learning objectives

By the end of this unit, students can:

  1. Design a 3-tier segmented network (DMZ, internal, management) on paper.
  2. Build the design in a lab firewall (pfSense or equivalent).
  3. Write firewall rules in default-deny posture with explicit allow-list exceptions.
  4. Distinguish IDS (passive) from IPS (active) and from EDR.
  5. Configure Suricata to alert on a known signature.
  6. Recognize Zero Trust concepts: explicit verification, least privilege, assume breach.

Vocabulary

  • VLAN - Virtual LAN. Logical segmentation on a switch: one physical switch carries several broadcast domains, each tagged with its own VLAN ID.
  • DMZ - Demilitarized zone; semi-trusted zone that holds the services the internet is allowed to reach, kept apart from the internal network.
  • NAT - Network Address Translation; the edge rewrites private source addresses so many internal hosts share one public IP. It hides internal addressing but is not a substitute for firewall rules.
  • Stateful firewall - Tracks each connection in a state table; a reply to a connection it already allowed outbound is passed without a separate inbound rule.
  • Default-deny - Block everything; explicitly allow only what is needed, and log what gets blocked.
  • IDS / IPS - Intrusion Detection (out of band, alerts only) / Intrusion Prevention (inline, can drop the traffic).
  • VPN - Virtual Private Network; an encrypted and authenticated tunnel, site-to-site or from a remote user into the network.
  • Zero Trust - Architecture that authenticates and authorizes every request on its own merits, regardless of network location.

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Network segmentation design | Network diagram |
| 2 | Build pfSense firewall | Working firewall with three interfaces |
| 3 | Firewall rules + NAT | Documented rule set with default-deny |
| 4 | IDS/IPS concepts + Suricata | One Suricata alert on known traffic |
| 5 | Zero Trust + VPN concepts | Written response: how would Zero Trust change the design? |

Day 1 - Design the network

Pairs design a small enterprise:

       Internet
          |
       [Edge firewall / NAT]
          |
   +------+------+------+
   |             |      |
 [DMZ]      [Internal] [Mgmt]
 web/      finance/   admins
 mail      HR         IT only
 server    files      jump box

Rules to defend in writing:

  • Internet → DMZ: allow TCP 80/443 to the web server, TCP 25/465/587 to the mail server.
  • Internet → Internal: deny.
  • DMZ → Internal: deny, except for specific documented service paths (this is the hop an attacker who has compromised the web server will try first, so every exception needs a written justification).
  • Internal → DMZ: allow specific services only.
  • Mgmt → Internal/DMZ: allow admin protocols (SSH/RDP) only where a specific task requires them, ideally only from the jump box.
  • All zones → Internet: allow TCP 443 outbound only; deny and log everything else, then review the log (DNS and NTP will show up immediately and need either an explicit exception or an internal resolver and time source).

Day 2 - Build it in pfSense

Walk through:

  1. Boot the pfSense VM with three interfaces (WAN/LAN/OPT1). OPT1 becomes the DMZ; if the VM can take a fourth NIC, add OPT2 for Mgmt, otherwise carry Mgmt as a VLAN on a LAN-side trunk.
  2. Assign interfaces in the console.
  3. Open the web UI from a host on the LAN side (pfSense blocks it on WAN by default, and the anti-lockout rule keeps it reachable from LAN).
  4. Configure WAN as a DHCP client (or static, if your lab uses static addressing).
  5. Configure LAN and DMZ (OPT1) as separate subnets and rename OPT1 to DMZ.
  6. Confirm hosts in each subnet pull DHCP correctly.

Day 3 - Firewall rules

Implement default-deny:

  • Block everything by default at each interface (pfSense already drops anything no rule passes; add an explicit logged block-all rule at the bottom of each interface so the denies show up in the firewall log).
  • Add rules per the design from Day 1.
  • Apply, test, screenshot the rule list.
  • Try to break it: from a DMZ host, attempt to reach an Internal host on SMB (TCP 445). Confirm it is blocked and that the block appears in the firewall log. Adjust only if you intended to allow it.
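The Day 1 allow-list and the Day 3 "try to break it" checks, modelled together as a stateful default-deny policy. This is an added example for this lesson, not pfSense code and not part of the original lesson pack; the subnets (10.10.1.0/24 DMZ, 10.10.2.0/24 Internal, 10.10.3.0/24 Mgmt), the server addresses and the sample client addresses are assumptions chosen to mirror the Day 1 design. It also covers the Day 1 egress caveat: an outbound DNS lookup is denied because only TCP 443 is on the list.

```python
"""Stateful default-deny model of the Day 1 three-zone policy.

Added example for this lesson, not pfSense code and not part of the original
page. Subnets, server addresses and the exact allow-list are assumptions that
mirror the Day 1 rules; students can swap in their own addressing.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed lab addressing (the page does not fix these)
SUBNETS = {
    "dmz": ip_network("10.10.1.0/24"),
    "internal": ip_network("10.10.2.0/24"),
    "mgmt": ip_network("10.10.3.0/24"),
}
WEB, MAIL = "10.10.1.10", "10.10.1.20"   # assumed DMZ server addresses


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the lab subnets is 'internet'."""
    addr = ip_address(ip)
    for zone, net in SUBNETS.items():
        if addr in net:
            return zone
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: frozenset                    # destination ports this rule permits
    dst_hosts: frozenset = frozenset()   # empty = any host in dst_zone
    proto: str = "tcp"

    def matches(self, src, dst, dport, proto) -> bool:
        return (proto == self.proto
                and zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and dport in self.dports
                and (not self.dst_hosts or dst in self.dst_hosts))


def rule(src, dst, ports, hosts=()):
    return Rule(src, dst, frozenset(ports), frozenset(hosts))


# The Day 1 allow-list. Everything not matched below is denied: that IS the
# default-deny posture, so the list needs no "block all" entry of its own.
ALLOW = [
    rule("internet", "dmz", {80, 443}, {WEB}),
    rule("internet", "dmz", {25, 465, 587}, {MAIL}),
    rule("internal", "dmz", {443}, {WEB}),   # "Internal -> DMZ: allow specific"
    rule("mgmt", "internal", {22, 3389}),
    rule("mgmt", "dmz", {22, 3389}),
    rule("dmz", "internet", {443}),
    rule("internal", "internet", {443}),
    rule("mgmt", "internet", {443}),
]


@dataclass
class StatefulFirewall:
    allow: list
    flows: set = field(default_factory=set)     # 5-tuples of permitted connections
    denied: list = field(default_factory=list)  # the "logged and reviewed" traffic

    def check(self, src, sport, dst, dport, proto="tcp") -> str:
        """Return 'allow', 'allow-state' (reply to a known flow) or 'deny'."""
        if (dst, dport, src, sport, proto) in self.flows:
            return "allow-state"        # reply traffic needs no inbound rule
        for r in self.allow:
            if r.matches(src, dst, dport, proto):
                self.flows.add((src, sport, dst, dport, proto))
                return "allow"
        self.denied.append(f"{proto} {src}:{sport} -> {dst}:{dport} "
                           f"[{zone_of(src)} -> {zone_of(dst)}]")
        return "deny"


def day3_break_tests() -> dict:
    """The Day 3 'try to break it' checks, as test name -> verdict."""
    fw = StatefulFirewall(ALLOW)
    client, dmz_host = "203.0.113.7", "10.10.1.33"      # assumed sample hosts
    fin_host, admin = "10.10.2.50", "10.10.3.5"
    return {
        "internet->web 443": fw.check(client, 51000, WEB, 443),
        "web reply to client": fw.check(WEB, 443, client, 51000),
        "internet->finance 445": fw.check(client, 51001, fin_host, 445),
        "dmz->internal smb": fw.check(dmz_host, 40000, fin_host, 445),
        "dmz->internal https": fw.check(dmz_host, 40001, fin_host, 443),
        "mgmt->finance ssh": fw.check(admin, 40002, fin_host, 22),
        "internal->internet 443": fw.check(fin_host, 40003, "198.51.100.9", 443),
        "internal->internet dns": fw.check(fin_host, 40004, "198.51.100.53", 53, "udp"),
    }


if __name__ == "__main__":
    for name, verdict in day3_break_tests().items():
        print(f"{name:26s} {verdict}")
```

The reply from the web server to the internet client is passed on state alone, which is the stateful-firewall point from the vocabulary list; the DMZ-to-Internal SMB probe and the outbound DNS lookup both land in the denied log, the second one being the exception students will have to add deliberately rather than by opening egress wide.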

Day 4 - Suricata IDS

Install Suricata on the firewall (or on a dedicated monitoring VM fed by a port mirror). Add the ET Open ruleset and run in IDS (alert-only) mode.

Generate known traffic: download the EICAR test string over plain HTTP from a controlled source (not HTTPS; Suricata cannot inspect a TLS payload without decryption). Confirm Suricata alerts. Read the alert: signature ID, source/destination, and why the rule fired.
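Reading the alert is easier from Suricata's eve.json log than from the GUI. The script below is an added example for this lesson, not Suricata's own tooling and not part of the original page: it pulls out exactly the fields Day 4 asks for (signature ID, signature text, source/destination, the HTTP URL that triggered it, and whether the engine allowed or blocked the traffic). The three eve.json lines are constructed for the example; the signature IDs 1000001 and 1000002 and their text are placeholders in the local-rule range, not the real ET Open rule that fires on EICAR.

```python
"""Triage Suricata eve.json alerts: the fields Day 4 asks students to read.

Added example for this lesson, not Suricata's own tooling and not part of the
original page. SAMPLE_EVE is constructed; sids 1000001/1000002 are placeholders.
"""
import json
from collections import Counter

# Constructed sample: one HTTP-triggered alert, one plain http record (not an
# alert), and one alert on a DMZ -> Internal SMB attempt from the Day 3 test.
SAMPLE_EVE = r'''
{"timestamp":"2024-03-04T10:15:02.123456+0000","event_type":"alert","src_ip":"10.10.2.50","src_port":49812,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":2,"signature":"LOCAL TEST EICAR string in HTTP response","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"files.lab.example","url":"/eicar.com","http_method":"GET","status":200}}
{"timestamp":"2024-03-04T10:15:02.500000+0000","event_type":"http","src_ip":"10.10.2.50","src_port":49812,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","http":{"hostname":"files.lab.example","url":"/eicar.com","http_method":"GET","status":200}}
{"timestamp":"2024-03-04T10:16:40.000000+0000","event_type":"alert","src_ip":"10.10.1.33","src_port":55100,"dest_ip":"10.10.2.50","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL POLICY SMB from DMZ to internal","category":"Attempted Administrator Privilege Gain","severity":2}}
'''


def parse_alerts(eve_text: str) -> list:
    """Return one flat dict per alert record; skip http/dns/flow records."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue            # eve.json also carries http, dns, tls, flow records
        a = ev["alert"]
        alerts.append({
            "time": ev["timestamp"],
            "sid": a["signature_id"],
            "rev": a["rev"],
            "signature": a["signature"],
            "severity": a["severity"],
            # "allowed" in IDS mode; "blocked" only when inline (IPS) with a drop rule
            "action": a["action"],
            "src": f'{ev["src_ip"]}:{ev["src_port"]}',
            "dst": f'{ev["dest_ip"]}:{ev["dest_port"]}',
            # Suricata attaches the HTTP transaction when the alert came from HTTP
            "url": ev.get("http", {}).get("url"),
        })
    return alerts


def explain(alert: dict) -> str:
    """One sentence per alert, in the shape of the Day 4 write-up."""
    where = f' while fetching {alert["url"]}' if alert["url"] else ""
    return (f'sid {alert["sid"]} rev {alert["rev"]} ("{alert["signature"]}", '
            f'severity {alert["severity"]}) fired on {alert["src"]} -> {alert["dst"]}'
            f'{where}; action={alert["action"]}')


def hits_per_signature(alerts: list) -> Counter:
    """Alerts per sid: the first thing to look at when tuning before moving to IPS."""
    return Counter(a["sid"] for a in alerts)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE)
    for a in found:
        print(explain(a))
    print(hits_per_signature(found))
```

The action field is the IDS-versus-IPS distinction made concrete: in alert-only mode every record reads allowed, and a signature only ever reads blocked once Suricata is inline and that rule has been promoted from alert to drop. Counting hits per sid over a week of real traffic is how you decide which signatures are quiet enough to promote.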

Day 5 - Zero Trust + VPN

Mini-lecture (20 min): NIST SP 800-207 Zero Trust core tenets.

  • No implicit trust based on network location.
  • Authenticate and authorize every request.
  • Assume breach.

Activity (35 min): students write a 1-page memo describing how their Day 1 design changes under Zero Trust. Hint: the "internal" zone stops being a free-pass zone; identity becomes the perimeter.

Common misconceptions

  • "Inside the firewall is safe." - Lateral movement is the dominant attack pattern. Internal segmentation matters as much as the perimeter.
  • "IPS is always better than IDS." - An IPS that misfires blocks legitimate traffic and breaks production. Tune in IDS mode first; promote individual signatures to drop only when you are confident they do not fire on normal traffic.

Assessment

  • Day 1 design - rubric scored.
  • Day 3 rule set - submitted with annotations.
  • Day 4 alert - screenshot + paragraph explanation.
  • Day 5 Zero Trust memo - 1 page, rubric scored.

Career connection

Network security engineers $90K–$140K. Firewall and IDS specialists are in chronic short supply.

Homework

Read CISA Zero Trust Maturity Model 2.0 (or the executive summary). One paragraph reflection: which pillar is your school weakest on?

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.