3.2 Secure Infrastructure Flashcards

1
Q

Device placement

A

Every network is different
– There are often similarities
* Firewalls
– Separate trusted from untrusted
– Provide additional security checks
* Other services may require their own security technologies
– Honeypots, jump server, load balancers, sensors

2
Q

Security zones

A

Zone-based security technologies
– More flexible (and secure) than IP address ranges
* Each area of the network is associated with a zone
– Trusted, untrusted
– Internal, external
– Inside, Internet, Servers, Databases, Screened
* This simplifies security policies
– Trusted to Untrusted
– Untrusted to Screened
– Untrusted to Trusted

3
Q

Attack surface

A

How many ways into your home?
– Doors, windows, basements
* Everything can be a vulnerability
– Application code
– Open ports
* Authentication process
– Human error
* Minimize the surface
– Audit the code
– Block ports on the firewall
– Monitor network traffic in real-time

4
Q

Connectivity

A

Everything contributes to security
– Including the network connection
* Secure network cabling
– Protect the physical drops
* Application-level encryption
– The hard work has already been done
* Network-level encryption
– IPsec tunnels, VPN connections

5
Q

Failure modes

A

We hope for 100% uptime
– This obviously isn’t realistic
– Eventually, something will break
* Fail-open
– When a system fails, data continues to flow
* Fail-closed
– When a system fails, data does not flow

6
Q

Device connections

A

Active monitoring
– System is connected inline
– Data can be blocked in real-time as it passes by
– Intrusion prevention is commonly active
* Passive monitoring
– A copy of the network traffic is examined using a tap or port monitor
– Data cannot be blocked in real-time
– Intrusion detection is commonly passive

7
Q

Intrusion Prevention System (IPS)

A

Intrusion Prevention System
– Watch network traffic
* Intrusions
– Exploits against operating systems, applications, etc.
– Buffer overflows, cross-site scripting, other vulnerabilities
* Detection vs. Prevention
– Intrusion Detection System (IDS) – Alarm or alert
– Prevention – Stop it before it gets into the network

7
Q

Jump server

A

Access secure network zones
– Provides an access mechanism to a protected network
* Highly-secured device
– Hardened and monitored
* SSH / Tunnel / VPN to the jump server
– RDP, SSH, or jump from there
* A significant security concern
– Compromise of the jump server is a significant breach

8
Q

Proxies

A

Sits between the users and the external network
* Receives the user requests and sends the request on their behalf (the proxy)
* Useful for caching information, access control, URL filtering, content scanning
* Applications may need to know how to use the proxy (explicit)
* Some proxies are invisible (transparent)

9
Q

Forward Proxy

A

An “internal proxy”
* Commonly used to protect and control user access to the Internet

10
Q

Reverse Proxy

A

Inbound traffic from the Internet to your internal service

11
Q

Open Proxy

A

A third-party, uncontrolled proxy
* Can be a significant security concern
* Often used to circumvent existing security controls

12
Q

Application proxies

A

One of the simplest “proxies” is NAT
– A network-level proxy
* Most proxies in use are application proxies
– The proxy understands the way the application works
* A proxy may only know one application
– HTTP
* Many proxies are multipurpose proxies
– HTTP, HTTPS, FTP, etc.

13
Q

Balancing the load

A

Distribute the load
– Multiple servers
– Invisible to the end-user
* Large-scale implementations
– Web server farms, database farms
* Fault tolerance
– Server outages have no effect
– Very fast convergence

14
Q

Active/active load balancing

A

Configurable load - Manage across servers
* TCP offload - Protocol overhead
* SSL offload - Encryption/Decryption
* Caching - Fast response
* Prioritization - QoS
* Content switching - Application-centric balancing

15
Q

Active/passive load balancing

A

Some servers are active
– Others are on standby
* If an active server fails, the passive server takes its place

16
Q

Sensors and collectors

A

Aggregate information from network devices
– Built-in sensors, separate devices
– Integrated into switches, routers, servers, firewalls, etc.
* Sensors
– Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
* Collectors
– Proprietary consoles (IPS, firewall), SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare diverse sensor data

17
Q

Port security

A

We’ve created many authentication methods through the years
– A network administrator has many choices
* Use a username and password
– Other factors can be included
* Commonly used on wireless networks
– Also works on wired networks

18
Q

EAP

A

Extensible Authentication Protocol (EAP)
– An authentication framework
* Many different ways to authenticate based on RFC standards
– Manufacturers can build their own EAP methods
* EAP integrates with 802.1X
– Prevents access to the network until the authentication succeeds

19
Q

IEEE 802.1X

A

IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you authenticate
* EAP (Extensible Authentication Protocol)
– 802.1X prevents access to the network until the authentication succeeds
* Used in conjunction with an authentication database
– RADIUS, LDAP, TACACS+, Kerberos, etc.

20
Q

IEEE 802.1X and EAP

A

Supplicant - the client
* Authenticator - The device that provides access
* Authentication server - Validates the client credentials

21
Q

The universal security control

A

Standard issue
– Home, office, and in your operating system
* Control the flow of network traffic
– Everything passes through the firewall
* Corporate control of outbound and inbound data
– Sensitive materials
* Control of inappropriate content
– Not safe for work, parental controls
* Protection against evil
– Anti-virus, anti-malware

22
Q

Network-based firewalls

A

Filter traffic by port number or application
– OSI layer 4 vs. OSI layer 7
– Traditional vs. NGFW firewalls
* Encrypt traffic
– VPN between sites
* Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT) functionality
– Authenticate dynamic routing communication

23
Q

UTM / All-in-one security appliance

A

Unified Threat Management (UTM) / Web security gateway
* URL filter / Content inspection
– Malware inspection
* Spam filter
– CSU/DSU
* Router, Switch
– Firewall
* IDS/IPS
– Bandwidth shaper
– VPN endpoint

24
Q

Next-generation firewall (NGFW)

A

The OSI Application Layer
– All data in every packet
* Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
* Requires some advanced decodes
– Every packet must be analyzed and categorized before a security decision is determined

25
Q

NGFWs

A

Network-based Firewalls
– Control traffic flows based on the application
– Microsoft SQL Server, Twitter, YouTube
* Intrusion Prevention Systems
– Identify the application
– Apply application-specific vulnerability signatures to the traffic
* Content filtering
– URL filters
– Control website traffic by category

26
Q

Web application firewall (WAF)

A

Not like a “normal” firewall
– Applies rules to HTTP/HTTPS conversations
* Allow or deny based on expected input
– Unexpected input is a common method of exploiting an application
* SQL injection
– Add your own commands to an application’s SQL query
* A major focus of Payment Card Industry Data Security Standard (PCI DSS)

27
Q

VPNs

A

Virtual Private Networks
– Encrypted (private) data traversing a public network
* Concentrator
– Encryption/decryption access device
– Often integrated into a firewall
* Many deployment options
– Specialized cryptographic hardware
– Software-based options available
* Used with client software
– Sometimes built into the OS

28
Q

Encrypted tunnel

A

Keep data private across the public Internet
– Encryption is the key
* Encrypt your data
– Add new headers and trailers
* Decrypt on the other side
– Original data is delivered

28
Q

SSL/TLS VPN (Secure Sockets Layer VPN)

A

Uses common SSL/TLS protocol (tcp/443)
– (Almost) No firewall issues!
* No big VPN clients
– Usually remote access communication
* Authenticate users
– No requirement for digital certificates or shared passwords (like IPsec)
* Can be run from a browser or from a (usually light) VPN client
– Across many operating systems

28
Q

SSL/TLS VPN

A

On-demand access from a remote device
– Software connects to a VPN concentrator
* Some software can be configured as always-on

29
Q

Site-to-site IPsec VPN

A

Always-on
– Or almost always
* Firewalls often act as VPN concentrators
– Probably already have firewalls in place

30
Q

SD-WAN

A

Software Defined Networking in a Wide Area Network
– A WAN built for the cloud
* The data center used to be in one place
– The cloud has changed everything
* Cloud-based applications communicate directly to the cloud
– No need to hop through a central point

31
Q

Secure Access Service Edge (SASE)

A

Update secure access for cloud services
– Securely connect from different locations
* Secure Access Service Edge (SASE)
– A “next generation” VPN
* Security technologies are in the cloud
– Located close to existing cloud services
* SASE clients on all devices
– Streamlined and automatic

32
Q

Selection of effective controls

A

Many different security options
– Selecting the right choice can be challenging
* VPN
– SSL/TLS VPN for user access
– IPsec tunnels for site-to-site access
* SD-WAN
– Manage the network connectivity to the cloud
– Does not adequately address security concerns
* SASE
– A complete network and security solution
– Requires planning and implementation