3.3 - Given a scenario, implement secure network designs. Flashcards
Load balancing
- Active/active
- Active/passive
- Scheduling
- Virtual IP
- Persistence
Network segmentation
VLAN
Virtual local area network
Chapple 365
Gibson 93
Weiss 342-345
- Screened subnet (previously known as demilitarized zone)
Chapple
Gibson
Weiss
- East-west traffic
- Extranet
- Intranet
- Zero Trust
Virtual private network (VPN)
- Always-on
- Split tunnel vs. full tunnel
- Remote access vs. site-to-site
- IPSec
- SSL/TLS
- HTML5
- Layer 2 tunneling protocol (L2TP)
Out-of-band management
Port security
Port security - Broadcast storm prevention
- Bridge Protocol Data Unit (BPDU) guard
- Loop prevention
- Dynamic Host Configuration Protocol (DHCP) snooping
- Media access control (MAC) filtering
Jump servers
Access secure network zones
– Provides an access mechanism to a protected network
Highly-secured device
– Hardened and monitored
SSH / Tunnel / VPN to the jump server
– RDP, SSH, or jump from there
A significant security concern
– Compromise of the jump server is a significant breach
Network appliances - Proxy servers
Proxy servers - Forward
Proxy servers - Reverse
Network appliances - Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
NIDS/NIPS - Signature-based
NIDS/NIPS - Heuristic/behavior
NIDS/NIPS - Anomaly
NIDS/NIPS - Inline vs. passive
- HSM
Hardware Security Module (HSM)
* High-end cryptographic hardware
– Plug-in card or separate hardware device
* Key backup
– Secured storage
* Cryptographic accelerators
– Offload that CPU overhead from other devices
* Used in large environments
– Clusters, redundant power
- Sensors
- Collectors
- Aggregators
Firewalls
Web application firewall (WAF)
- Works at the application layer
- Sits in front of the web server and receives all network traffic headed to the server
- Scrutinizes input headed to the application, performing input validation before passing it to the web server
- Prevents malicious traffic from reaching the web server and acts as one layer of a layered defense against web application vulnerabilities
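The WAF card above describes a device that sits in front of the web server and validates input before the application sees it. The following is an added worked example, not code from the page or from any WAF product: a WSGI middleware that applies a positive model (an allow-list of expected parameters with a validation pattern for each) and a small negative model (deny-list signatures), returns 403 for anything that fails, and logs the reason. All names (Waf, inspect_request, PARAM_RULES, SIGNATURES, demo_app, send), the paths, the signature patterns and the sample requests are constructed for this illustration and are not a real rule set.

```python
import re
from urllib.parse import parse_qs

# Positive model (constructed): the only parameters each path may carry, and
# what each value is allowed to look like. Anything outside this is rejected.
PARAM_RULES = {
    "/login":  {"user": re.compile(r"^[A-Za-z0-9_.-]{1,64}$"),
                "next": re.compile(r"^/[A-Za-z0-9/_.-]*$")},
    "/search": {"q":    re.compile(r"^[\w .,-]{0,100}$")},
}

# Negative model (constructed, illustrative only): patterns that should never
# appear in any parameter value. Real WAF rule sets are far larger than this.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-comment",   re.compile(r"(--|/\*|#)\s*$")),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
    ("path-traversal", re.compile(r"(\.\./|%2e%2e/)", re.I)),
]


def inspect_request(path, query):
    """Return (None, None) if the request passes, else (reason, offending parameter)."""
    rules = PARAM_RULES.get(path)
    if rules is None:
        return "unknown-path", None          # no positive model for this path: block
    params = parse_qs(query, keep_blank_values=True)   # decodes %xx and '+' for us
    for name, values in params.items():
        if name not in rules:
            return "unexpected-parameter", name
        for value in values:
            for sig_name, pattern in SIGNATURES:   # deny-list first so the log says why
                if pattern.search(value):
                    return sig_name, name
            if not rules[name].fullmatch(value):   # then the allow-list shape check
                return "failed-validation", name
    return None, None


class Waf:
    """WSGI middleware: receives every request before the app, blocks bad ones with 403."""

    def __init__(self, app, log):
        self.app = app
        self.log = log                       # list of strings standing in for a log sink

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        reason, param = inspect_request(path, environ.get("QUERY_STRING", ""))
        if reason:
            self.log.append("%s %s blocked: %s param=%s"
                            % (environ.get("REMOTE_ADDR", "?"), path, reason, param))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by WAF\n"]
        return self.app(environ, start_response)   # clean request: hand it to the web server


def demo_app(environ, start_response):
    """Stand-in for the protected web application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the web server\n"]


def send(app, path, query, addr="203.0.113.5"):
    """Drive a WSGI app in-process (no network); return (status line, body bytes)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "REMOTE_ADDR": addr}
    body = b"".join(app(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    log = []
    protected = Waf(demo_app, log)
    for q in ("user=bob&next=/dashboard", "user=admin'+or+1=1--", "user=alice&debug=1"):
        print(q, "->", send(protected, "/login", q)[0])
    print("\n".join(log))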
- NGFW
- Stateful
- Stateless
- Unified threat management (UTM)
- Network address translation (NAT) gateway
- Content/URL filter
- Open-source vs. proprietary
- Hardware vs. software
- Appliance vs. host-based vs. virtual
ACL
Access control lists (ACLs)
– Allow or disallow traffic based on tuples
– Groupings of categories
– Source IP, Destination IP, port number, time of day, application, etc.
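The ACL card lists the tuple fields a rule matches on. What the card does not show, and what bites in practice, is that an ACL is an ordered list evaluated first-match-wins with an implicit deny at the end, so a broad rule placed above a narrower one silently shadows it. The following is an added worked example, not code from the page or from any vendor: a small evaluator over source, destination, protocol, destination port and time of day, plus a check that reports shadowed rules. All names (Rule, Packet, evaluate, shadowed_rules, ACL_WRONG, ACL_RIGHT) and the sample addresses and rules are constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    src: str = "0.0.0.0/0"                    # source prefix (CIDR)
    dst: str = "0.0.0.0/0"                    # destination prefix (CIDR)
    proto: Optional[str] = None               # "tcp" / "udp", None = any protocol
    dport: Optional[int] = None               # destination port, None = any port
    hours: Optional[Tuple[str, str]] = None   # ("HH:MM", "HH:MM") window, None = any time


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    at: str                                   # time of day as zero-padded "HH:MM"


def _in_window(at: str, window: Optional[Tuple[str, str]]) -> bool:
    # Zero-padded "HH:MM" strings compare correctly as plain text.
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end           # window that crosses midnight


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule's tuple matches the packet (IPv4 assumed here)."""
    return (ip_address(pkt.src) in ip_network(rule.src, strict=False)
            and ip_address(pkt.dst) in ip_network(rule.dst, strict=False)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and _in_window(pkt.at, rule.hours))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, index of that rule).
    No rule matches => implicit deny, reported as ("deny", None)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already matched by 'earlier'."""
    return (ip_network(later.src, strict=False).subnet_of(ip_network(earlier.src, strict=False))
            and ip_network(later.dst, strict=False).subnet_of(ip_network(earlier.dst, strict=False))
            and earlier.proto in (None, later.proto)
            and earlier.dport in (None, later.dport)
            and earlier.hours in (None, later.hours))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because a rule above them covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


# Constructed sample policy: a database host that only the jump-server subnet may
# reach over SSH, while the whole site may reach it over HTTPS during working hours.
DB = "10.10.10.10/32"
ACL_WRONG = [
    Rule("deny",   src="10.0.0.0/8",   dst=DB, proto="tcp", dport=22),    # blocks everyone...
    Rule("permit", src="10.50.0.0/16", dst=DB, proto="tcp", dport=22),    # ...including this
    Rule("permit", src="10.0.0.0/8",   dst=DB, proto="tcp", dport=443, hours=("07:00", "19:00")),
]
# Same rules, specific permit listed before the broad deny: the intended policy.
ACL_RIGHT = [ACL_WRONG[1], ACL_WRONG[0], ACL_WRONG[2]]


if __name__ == "__main__":
    jump = Packet("10.50.1.2", "10.10.10.10", "tcp", 22, "09:00")
    print("wrong order:", evaluate(ACL_WRONG, jump), "shadowed:", shadowed_rules(ACL_WRONG))
    print("right order:", evaluate(ACL_RIGHT, jump), "shadowed:", shadowed_rules(ACL_RIGHT))
```

Running it shows the jump-server packet denied at rule 0 under ACL_WRONG, with rule 1 reported as shadowed, and permitted at rule 0 under ACL_RIGHT. Traffic outside the 07:00 to 19:00 window or from an address no rule names falls through to the implicit deny, which is the behaviour to rely on: list the narrow permits first, the broad denies after, and treat a shadowed-rule report as a policy bug.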
Route security
Quality of service (QoS)
Implications of IPv6
Port spanning/port mirroring
Port spanning/port mirroring - Port taps
Monitoring services
File integrity monitors