3.2 Secure Infrastructure Flashcards

1
Q

Device placement

A

* Every network is different
– There are often similarities
* Firewalls
– Separate trusted from untrusted
– Provide additional security checks
* Other services may require their own security technologies
– Honeypots, jump server, load balancers, sensors

2
Q

Security zones

A

* Zone-based security technologies
– More flexible (and secure) than IP address ranges
* Each area of the network is associated with a zone
– Trusted, untrusted
– Internal, external
– Inside, Internet, Servers, Databases, Screened
* This simplifies security policies
– Trusted to Untrusted
– Untrusted to Screened
– Untrusted to Trusted

3
Q

Attack surface

A

* How many ways into your home?
– Doors, windows, basements
* Everything can be a vulnerability
– Application code
– Open ports
– Authentication process
– Human error
* Minimize the surface
– Audit the code
– Block ports on the firewall
– Monitor network traffic in real-time

4
Q

Connectivity

A

* Everything contributes to security
– Including the network connection
* Secure network cabling
– Protect the physical drops
* Application-level encryption
– The hard work has already been done
* Network-level encryption
– IPsec tunnels, VPN connections

5
Q

Failure modes

A

* We hope for 100% uptime
– This obviously isn’t realistic
– Eventually, something will break
* Fail-open
– When a system fails, data continues to flow
* Fail-closed
– When a system fails, data does not flow

6
Q

Device connections

A

* Active monitoring
– System is connected inline
– Data can be blocked in real-time as it passes by
– Intrusion prevention is commonly active
* Passive monitoring
– A copy of the network traffic is examined using a tap or port monitor
– Data cannot be blocked in real-time
– Intrusion detection is commonly passive

7
Q

Intrusion Prevention System (IPS)

A

* Intrusion Prevention System
– Watch network traffic
* Intrusions
– Exploits against operating systems, applications, etc.
– Buffer overflows, cross-site scripting, other vulnerabilities
* Detection vs. Prevention
– Intrusion Detection System (IDS) – Alarm or alert
– Prevention – Stop it before it gets into the network

7
Q

Jump server

A

* Access secure network zones
– Provides an access mechanism to a protected network
* Highly-secured device
– Hardened and monitored
* SSH / Tunnel / VPN to the jump server
– RDP, SSH, or jump from there
* A significant security concern
– Compromise of the jump server is a significant breach

8
Q

Proxies

A

* Sits between the users and the external network
* Receives the user requests and sends the request on their behalf (the proxy)
* Useful for caching information, access control, URL filtering, content scanning
* Applications may need to know how to use the proxy (explicit)
* Some proxies are invisible (transparent)

9
Q

Forward Proxy

A

* An “internal proxy”
* Commonly used to protect and control user access to the Internet

10
Q

Reverse Proxy

A

* Inbound traffic from the Internet to your internal service

11
Q

Open Proxy

A

* A third-party, uncontrolled proxy
* Can be a significant security concern
* Often used to circumvent existing security controls

12
Q

Application proxies

A

* One of the simplest “proxies” is NAT
– A network-level proxy
* Most proxies in use are application proxies
– The proxy understands the way the application works
* A proxy may only know one application
– HTTP
* Many proxies are multipurpose proxies
– HTTP, HTTPS, FTP, etc.

13
Q

Balancing the load

A

* Distribute the load
– Multiple servers
– Invisible to the end-user
* Large-scale implementations
– Web server farms, database farms
* Fault tolerance
– Server outages have no effect
– Very fast convergence

14
Q

Active/active load balancing

A

* Configurable load - Manage across servers
* TCP offload - Protocol overhead
* SSL offload - Encryption/Decryption
* Caching - Fast response
* Prioritization - QoS
* Content switching - Application-centric balancing

15
Q

Active/passive load balancing

A

* Some servers are active
– Others are on standby
* If an active server fails, the passive server takes its place

16
Q

Sensors and collectors

A

* Aggregate information from network devices
– Built-in sensors, separate devices
– Integrated into switches, routers, servers, firewalls, etc.
* Sensors
– Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
* Collectors
– Proprietary consoles (IPS, firewall)
– SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare diverse sensor data

17
Q

Port security

A

* We’ve created many authentication methods through the years
– A network administrator has many choices
* Use a username and password
– Other factors can be included
* Commonly used on wireless networks
– Also works on wired networks

18
Q

EAP

A

* Extensible Authentication Protocol (EAP)
– An authentication framework
* Many different ways to authenticate based on RFC standards
– Manufacturers can build their own EAP methods
* EAP integrates with 802.1X
– Prevents access to the network until the authentication succeeds

19
Q

IEEE 802.1X

A

* IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you authenticate
* EAP (Extensible Authentication Protocol)
– 802.1X prevents access to the network until the authentication succeeds
* Used in conjunction with an authentication database
– RADIUS, LDAP, TACACS+, Kerberos, etc.

20
Q

IEEE 802.1X and EAP

A

* Supplicant - The client
* Authenticator - The device that provides access
* Authentication server - Validates the client credentials

21
Q

The universal security control

A

* Standard issue
– Home, office, and in your operating system
* Control the flow of network traffic
– Everything passes through the firewall
* Corporate control of outbound and inbound data
– Sensitive materials
* Control of inappropriate content
– Not safe for work, parental controls
* Protection against evil
– Anti-virus, anti-malware

22
Q

Network-based firewalls

A

* Filter traffic by port number or application
– OSI layer 4 vs. OSI layer 7
– Traditional vs. NGFW firewalls
* Encrypt traffic
– VPN between sites
* Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT) functionality
– Authenticate dynamic routing communication

23
Q

UTM / All-in-one security appliance

A

* Unified Threat Management (UTM) / Web security gateway
* URL filter / Content inspection
– Malware inspection
* Spam filter
– CSU/DSU
* Router, Switch
– Firewall
* IDS/IPS
– Bandwidth shaper
– VPN endpoint

24
Q

Next-generation firewall (NGFW)

A

* The OSI Application Layer
– All data in every packet
* Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
* Requires some advanced decodes
– Every packet must be analyzed and categorized before a security decision is determined

25
Q

NGFWs

A

* Network-based Firewalls
– Control traffic flows based on the application
– Microsoft SQL Server, Twitter, YouTube
* Intrusion Prevention Systems
– Identify the application
– Apply application-specific vulnerability signatures to the traffic
* Content filtering
– URL filters
– Control website traffic by category

26
Q

Web application firewall (WAF)

A

* Not like a “normal” firewall
– Applies rules to HTTP/HTTPS conversations
* Allow or deny based on expected input
– Unexpected input is a common method of exploiting an application
* SQL injection
– Add your own commands to an application’s SQL query
* A major focus of Payment Card Industry Data Security Standard (PCI DSS)

27
Q

VPNs

A

* Virtual Private Networks
– Encrypted (private) data traversing a public network
* Concentrator
– Encryption/decryption access device
– Often integrated into a firewall
* Many deployment options
– Specialized cryptographic hardware
– Software-based options available
* Used with client software - Sometimes built into the OS

28
Q

Encrypted tunnel

A

* Keep data private across the public Internet
– Encryption is the key
* Encrypt your data - Add new headers and trailers
* Decrypt on the other side - Original data is delivered

28
Q

SSL/TLS VPN (Secure Sockets Layer VPN)

A

* Uses common SSL/TLS protocol (tcp/443)
– (Almost) No firewall issues!
* No big VPN clients
– Usually remote access communication
* Authenticate users
– No requirement for digital certificates or shared passwords (like IPsec)
* Can be run from a browser or from a (usually light) VPN client
– Across many operating systems

28
Q

SSL/TLS VPN

A

* On-demand access from a remote device
– Software connects to a VPN concentrator
* Some software can be configured as always-on

29
Q

Site-to-site IPsec VPN

A

* Always-on
– Or almost always
* Firewalls often act as VPN concentrators
– Probably already have firewalls in place

30
Q

SD-WAN

A

* Software Defined Networking in a Wide Area Network
– A WAN built for the cloud
* The data center used to be in one place
– The cloud has changed everything
* Cloud-based applications communicate directly to the cloud
– No need to hop through a central point

31
Q

Secure Access Service Edge (SASE)

A

* Update secure access for cloud services
– Securely connect from different locations
* Secure Access Service Edge (SASE)
– A “next generation” VPN
* Security technologies are in the cloud
– Located close to existing cloud services
* SASE clients on all devices
– Streamlined and automatic

32
Q

Selection of effective controls

A

* Many different security options
– Selecting the right choice can be challenging
* VPN
– SSL/TLS VPN for user access
– IPsec tunnels for site-to-site access
* SD-WAN
– Manage the network connectivity to the cloud
– Does not adequately address security concerns
* SASE
– A complete network and security solution
– Requires planning and implementation