3.2 Given a scenario, implement secure network architecture concepts. Flashcards
Zones/Topologies
Firewalls allow the network administrator to divide the network into different network segments known as zones.
Zones/Topologies - DMZ
The DMZ is an area between two firewalls (typically referred to as external and internal firewalls) that allows selected traffic from the Internet to pass through the external firewall into systems within the DMZ. The purpose of the internal firewall is to not allow any traffic originating from the Internet to pass through it. The DMZ is where you place any servers that need to be reached by the general public, such as a web server, SMTP server, FTP server, or DNS server.
Zones/Topologies - Extranet
An extranet zone includes servers that you want to make accessible to selected organizations via the Internet or other public
zones.
Zones/Topologies - Intranet
The firewall placed in front of the private LAN ensures that no traffic from any other network is sent through the firewall to the private LAN. Note that this zone could be called the private zone, private LAN, or intranet zone.
Zones/Topologies - Wireless
The wireless network could be placed in a network zone of its own, which gives the firewall administrator the opportunity to control which zones the wireless client can access. For example, you may not want the wireless network to access the intranet or extranet zones.
Zones/Topologies - Guest
The guest zone is designed for visitors to your office location. Visitors typically do not need access to the private network or even the extranet zone; they typically just need Internet access to check e-mail and surf the Internet. You can create a guest zone that has access to the public Internet zone, but does not have access to any of the other zones.
Zones/Topologies - Honeynets
Sun Tzu famously wrote in The Art of War, “All warfare is based on deception,” and “Know your enemies.” Cyberwarfare is occurring daily and security professionals on the front lines of network and system attacks recognize that these attacks mimic warfare in many ways. Honeypots and honeynets provide these professionals with some additional tools to use in this war.
A honeynet is a group of honeypots within a separate network or zone, but accessible from an organization’s primary network. Security professionals often create honeynets using multiple virtual servers contained within a single physical server. The servers within this network are honeypots and the honeynet mimics the functionality of a live network.
Honeypots and honeynets attempt to divert attackers from live networks. They give security personnel an opportunity to observe current methodologies used in attacks and gather intelligence on these attacks.
Zones/Topologies - NAT
Many firewall solutions provide network address translation (NAT), which allows you to use a private address range on the inside of the network that is then translated to a public address used on the NAT device.
This is accomplished by the NAT device having one of its interfaces connected to the Internet (known as the public interface), while the other interfaces are connected to the private network (known as private interfaces).
The public interface is connected to the Internet and gets an IP address (a public IP address). The other interfaces on the NAT device are assigned private addresses, and all systems inside the network have a private address in that same range.
When someone on the private network tries to surf the Internet, for example, the packet first goes from the client computer to the NAT device, which switches the private source IP address of the packet to the IP address of the public interface on the NAT device. The packet is then sent out on the Internet so that as far as anyone on the Internet is concerned, it is the NAT device surfing the Internet. The rest of the systems remain hidden on the private network.
Zones/Topologies - Ad hoc
Ad hoc networking involves a topology with no central server or device to create the network; you simply connect two devices together, such as two laptops on the fly, to create a network. A good example of this is an ad hoc wireless network where there is no wireless access point, just two laptops with wireless network cards that connect directly with one another so that the laptop users can share information.
Segregation/Segmentation/Isolation
.
Segregation/Segmentation/Isolation - Physical
One way to implement control on communication is to break your
network up into multiple physical network segments. A network segment can be created in a few different ways depending on what your goals are. For
example:
Multiple collision domains
If your goal is to have multiple collision domains, then you can segment the traffic by using a bridge, switch, or router. Each interface on each of these devices creates a collision domain, which is a group of systems that can have their data collide with one another.
Each of these collision domains is also known as a network segment, with the security benefit being that a hacker monitoring traffic while on a network segment by default can capture only traffic on that segment.
Multiple broadcast domains If you want to control how far your broadcast messages go on the network, you can use routers to break the network into multiple broadcast domains. The benefit of breaking the network into multiple broadcast domains with routers is that you can then use access control lists on the routers to control what traffic can enter or leave each of the networks
Segregation/Segmentation/Isolation - Logical (VLAN)
If you wanted to create communication boundaries by dividing your network into different broadcast domains without using multiple routers, you could do so by using virtual LANs (VLANs) on a network switch. Once a system is connected to a port on a switch that is part of a particular VLAN, the system cannot communicate with systems in other VLANs unless a router is used to route the data from one VLAN to another VLAN.
Segregation/Segmentation/Isolation - Virtualization
Virtualization products nowadays allow you to segment traffic using virtual networks. With virtual networking, you can place virtual machines on different network segments and control which VMs can talk to one another.
Segregation/Segmentation/Isolation - Air gaps
Air gap in the context of network segmentation is a conceptual term meaning a network has no connection point between two networks. For example, in highly secure environments, there may be a secret network and a nonsecret network. Due to the sensitivity of the secret network, there is to be no physical connection linking the two networks, thus creating an air gap.
Tunneling/VPN
VPNs technology enables you to encrypt communication between two parties across an untrusted network such as the Internet
Another scenario where VPN can be used is with wireless networks. Because wireless security protocols are known to have flaws, you can treat the wireless network as an untrusted network and have a wireless client create a VPN connection to the server before allowing the wireless client to access the corporate network.
