3.2 Secure Infrastructure Flashcards
Device placement
Every network is different
– There are often similarities
* Firewalls
– Separate trusted from untrusted
– Provide additional security checks
* Other services may require their own security technologies
– Honeypots, jump server, load balancers, sensors
Security zones
Zone-based security technologies
– More flexible (and secure) than IP address ranges
* Each area of the network is associated with a zone
– Trusted, untrusted
– Internal, external
– Inside, Internet, Servers, Databases, Screened
* This simplifies security policies
– Trusted to Untrusted
– Untrusted to Screened
– Untrusted to Trusted
Attack surface
How many ways into your home?
– Doors, windows, basements
* Everything can be a vulnerability
– Application code
– Open ports
– Authentication process
– Human error
* Minimize the surface
– Audit the code
– Block ports on the firewall
– Monitor network traffic in real-time
Connectivity
Everything contributes to security
– Including the network connection
* Secure network cabling
– Protect the physical drops
* Application-level encryption
– The hard work has already been done
* Network-level encryption
– IPsec tunnels, VPN connections
Failure modes
We hope for 100% uptime
– This obviously isn’t realistic
– Eventually, something will break
* Fail-open
– When a system fails, data continues to flow
* Fail-closed
– When a system fails, data does not flow
Device connections
Active monitoring
– System is connected inline
– Data can be blocked in real-time as it passes by
– Intrusion prevention is commonly active
* Passive monitoring
– A copy of the network traffic is examined using a tap or port monitor
– Data cannot be blocked in real-time
– Intrusion detection is commonly passive
Intrusion Prevention System (IPS)
Intrusion Prevention System
– Watch network traffic
* Intrusions
– Exploits against operating systems, applications, etc.
– Buffer overflows, cross-site scripting, other vulnerabilities
* Detection vs. Prevention
– Intrusion Detection System (IDS) – Alarm or alert
– Prevention – Stop it before it gets into the network
Jump server
Access secure network zones
– Provides an access mechanism to a protected network
* Highly-secured device
– Hardened and monitored
* SSH / Tunnel / VPN to the jump server
– RDP, SSH, or jump from there
* A significant security concern
– Compromise of the jump server is a significant breach
Proxies
Sits between the users and the external network
* Receives the user requests and sends the request on their behalf (the proxy)
* Useful for caching information, access control, URL filtering, content scanning
* Applications may need to know how to use the proxy (explicit)
* Some proxies are invisible (transparent)
Forward Proxy
An “internal proxy”
* Commonly used to protect and control user access to the Internet
Reverse Proxy
Inbound traffic from the Internet to your internal service
Open Proxy
A third-party, uncontrolled proxy
* Can be a significant security concern
* Often used to circumvent existing security controls
Application proxies
One of the simplest “proxies” is NAT
– A network-level proxy
* Most proxies in use are application proxies
– The proxy understands the way the application works
* A proxy may only know one application
– HTTP
* Many proxies are multipurpose proxies
– HTTP, HTTPS, FTP, etc.
Balancing the load
Distribute the load
– Multiple servers
– Invisible to the end-user
* Large-scale implementations
– Web server farms, database farms
* Fault tolerance
– Server outages have no effect
– Very fast convergence
Active/active load balancing
Configurable load - Manage across servers
* TCP offload - Protocol overhead
* SSL offload - Encryption/Decryption
* Caching - Fast response
* Prioritization - QoS
* Content switching - Application-centric balancing
Active/passive load balancing
Some servers are active
– Others are on standby
* If an active server fails, the passive server takes its place
Sensors and collectors
Aggregate information from network devices
– Built-in sensors, separate devices
– Integrated into switches, routers, servers, firewalls, etc.
* Sensors
– Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
* Collectors
– Proprietary consoles (IPS, firewall)
– SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare diverse sensor data
Port security
We’ve created many authentication methods through the years
– A network administrator has many choices
* Use a username and password
– Other factors can be included
* Commonly used on wireless networks
– Also works on wired networks
EAP
Extensible Authentication Protocol (EAP)
– An authentication framework
* Many different ways to authenticate based on RFC standards
– Manufacturers can build their own EAP methods
* EAP integrates with 802.1X
– Prevents access to the network until the authentication succeeds
IEEE 802.1X
IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you authenticate
* EAP (Extensible Authentication Protocol)
– 802.1X prevents access to the network until the authentication succeeds
* Used in conjunction with an authentication database
– RADIUS, LDAP, TACACS+, Kerberos, etc.
IEEE 802.1X and EAP
Supplicant - the client
* Authenticator - The device that provides access
* Authentication server - Validates the client credentials
The universal security control
Standard issue
– Home, office, and in your operating system
* Control the flow of network traffic
– Everything passes through the firewall
* Corporate control of outbound and inbound data
– Sensitive materials
* Control of inappropriate content
– Not safe for work, parental controls
* Protection against evil
– Anti-virus, anti-malware
Network-based firewalls
Filter traffic by port number or application
– OSI layer 4 vs. OSI layer 7
– Traditional vs. NGFW firewalls
* Encrypt traffic
– VPN between sites
* Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT) functionality
– Authenticate dynamic routing communication
UTM / All-in-one security appliance
Unified Threat Management (UTM) / Web security gateway
– URL filter / Content inspection
– Malware inspection
– Spam filter
– CSU/DSU
– Router, Switch
– Firewall
– IDS/IPS
– Bandwidth shaper
– VPN endpoint