3.3 - Secure Network Designs Flashcards
Load Balancing
- Distribute incoming load across multiple servers, which makes the service more available than a single server could be
- Invisible to the end user
- Can scale into very large implementations
- provides fault tolerance, service remains available
- Can be configured to balance across multiple servers; TCP offload can also be handled on the load balancer instead of on each individual server
- Can be used for SSL offload too (the load balancer performs the SSL/TLS encryption and decryption and sends plaintext to the individual server, so the network segment behind it must be trusted or re-encrypted)
- Can provide caching (fast response)
- Can provide prioritization (QoS)
- Can provide content switching (certain apps get switched to certain servers)
- Ex: web server farms, database farms
Fault tolerance
- A single server outage has no visible effect on the service
- Very fast convergence
Round Robin
- Type of scheduling in a load balancing
- Traffic from the internet passes through the load balancer and is distributed to server A, then server B, and so on
- Ensures every server receives an equal share of the requests
Weighted Round Robin
- Prioritizes the server use
- Might prioritize one server over the others (ex: server A gets half the load and the other three share the remaining half)
Dynamic Round Robin
- Monitor the server load and distribute to the server with the lowest use
Active/ Active Load balancing
- Meaning you have multiple active servers in use
- Round Robin, Weighted Round Robin and Dynamic Round Robin are all useful strategies
- If one server fails any one of the others can step up to continue operations
Affinity
- A kinship, likeness
- In the context of load balancing, a user communicating through a load balancer is always connected to the same server
- Can be accomplished via a session ID or the source IP address + port number
- each user is “stuck” to the same server
- source affinity / sticky session / session persistence
Active / passive Load Balancing
- Some servers are active and some are on standby
- if an active server fails, other devices can become active
- this all takes place via the load balancer
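The scheduling strategies above (round robin, weighted round robin, dynamic round robin) together with source affinity and active/passive failover, as an added Python example that is not part of the original notes. The backend names, weights, client tuples and the in-memory health flags are constructed for illustration; a real load balancer would take its load and health values from monitoring.

```python
"""Load balancer scheduling demo: round robin, weighted, dynamic, affinity, active/passive."""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    weight: int = 1          # weighted round robin: share of requests
    active_conns: int = 0    # dynamic round robin: current load (would come from monitoring)
    healthy: bool = True     # set False when a health check fails


class LoadBalancer:
    def __init__(self, active, standby=None):
        self.active = list(active)          # active/active pool
        self.standby = list(standby or [])  # active/passive: promoted only on failure
        self.counter = 0                    # shared rotation counter for the round-robin variants
        self.affinity = {}                  # (client_ip, client_port) -> Backend

    def pool(self):
        """Healthy active backends; promote a standby server if none is left."""
        healthy = [b for b in self.active if b.healthy]
        if not healthy and self.standby:
            promoted = self.standby.pop(0)
            self.active.append(promoted)
            healthy = [promoted]
        if not healthy:
            raise RuntimeError("no healthy backend available")
        return healthy

    def round_robin(self):
        pool = self.pool()
        chosen = pool[self.counter % len(pool)]
        self.counter += 1
        return chosen

    def weighted_round_robin(self):
        # Expand each backend into `weight` slots, then rotate through the slots:
        # weights A=2, B=1, C=1 give the sequence A, A, B, C (A gets half the load).
        pool = self.pool()
        slots = [b for b in pool for _ in range(b.weight)]
        chosen = slots[self.counter % len(slots)]
        self.counter += 1
        return chosen

    def dynamic_round_robin(self):
        # Send the request to the least-loaded healthy backend.
        return min(self.pool(), key=lambda b: b.active_conns)

    def sticky(self, client_ip, client_port, scheduler):
        """Source affinity: the same client tuple keeps hitting the same backend
        until that backend becomes unhealthy, then it is re-scheduled."""
        key = (client_ip, client_port)
        chosen = self.affinity.get(key)
        if chosen is None or not chosen.healthy:
            chosen = scheduler()
            self.affinity[key] = chosen
        return chosen


def demo():
    """Constructed scenario: three active servers (A weighted 2x) and one standby D."""
    lb = LoadBalancer([Backend("A", weight=2), Backend("B"), Backend("C")], standby=[Backend("D")])
    wrr = [lb.weighted_round_robin().name for _ in range(4)]       # ['A', 'A', 'B', 'C']
    lb.counter = 0
    first = lb.sticky("203.0.113.7", 51000, lb.round_robin).name   # 'A'
    again = lb.sticky("203.0.113.7", 51000, lb.round_robin).name   # still 'A' (affinity)
    for b in lb.active:
        b.healthy = False          # every active server fails -> standby D is promoted
    failover = lb.round_robin().name                               # 'D'
    return wrr, first, again, failover


if __name__ == "__main__":
    print(demo())
```

The `sticky` method shows why affinity and health checks have to be designed together: a client pinned to a server that has failed must be re-scheduled, and its session state on the old server is lost unless the application stores it somewhere shared.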
Segmenting the network
- Options: Physical, logical, or virtual segmentation
- Allowing / disallowing traffic between devices
- Some Considerations when choosing segmentation options:
- Common to segment application instances into their own segments (especially when they need high bandwidth and throughput)
- Security could be a factor (users should not talk directly to DB servers; only the application servers in the core should be allowed SQL and SSH to the database segment)
- Compliance: mandated segmentation (e.g., PCI DSS for cardholder data); a smaller in-scope segment also makes change control easier
Physical segmentation
- Airgap b/n switch A and switch B
- If you need a connection so that they can communicate, you would need to run a cable between the switches
- or put a router or firewall in between
- Could also separate all the webservers on one switch and all the DB serves on another switch
- Or could put customer A on one switch and customer B on another (no direct connection b/n switches)
- Challenges with this design: separate power, upgrades, and maintenance for each switch
- Disadvantages: many interfaces on each switch go unused, so you spend a lot of money on switches without using them to the fullest extent
Logical Segmentation with VLANs
- Virtual Local Area Network
- Same functionality (customer A on one part of the switch and customer B on a different part of the same switch; because of the VLAN configuration the customers can't communicate with each other)
- it’s like having 2 physical devices, but it’s one device with a logical separation
- if the two needed to communicate, would need a cable, router or firewall like physical segmentation
- Separated logically instead of physically
- Cannot communicate between VLANs without a Layer 3 device / router
Screened subnet
- Previously known as the DMZ (demilitarized zone)
- a separate network for incoming internet traffic
- Users from the internet come in (usually through a firewall), which forwards them to the screened subnet switch, where they can reach the public services
- The connection behind the firewall that goes to the internal network switch would have additional protections
- An additional layer of security between the internet and you
- Public access to public resources
Extranet
- Similar configuration to a screened subnet
- A private network for partners (vendors, suppliers)
- Internet, communication goes through a firewall, and then the firewall directs them to the extranet (the internal network is a different connection)
- The extranet provides vendors etc. with access to specific internal resources (without giving them direct access to the internal network)
- Unlike a screened subnet, an extranet usually has additional authentication (only allow access to authorized users, like your vendors or partners)
Intranet
- Private network, only available internally
- Very different than a screened subnet or extranet
- Only accessible from inside network (ex: from headquarters or remote site)
- Commonly has internal servers that can provide company announcement/ employee documents (only accessible by employees of the company)
- No external access (Internal or VPN only)
East-west traffic
- East-West: traffic between devices in the same data center
- Relatively fast response times (local)
- Traffic flows within a data center provide additional segmentation challenges
- Ex: sheer number of devices in data center and many users accessing them
- Important to know where traffic starts and ends (data flows).
North-South Traffic
- Is either inbound or outbound from data center
- Ingress/egress to an outside device
- a different security posture than east-west traffic (b/c often coming from unknown/ untrusted source)
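An added example (not from the original notes) that applies the segmentation rule above, "users must not talk directly to the DB servers; only the application tier speaks SQL and SSH to them", to a handful of constructed flow records, and classifies each flow as east-west or north-south. The segment address ranges, the allow-list and the flow log lines are all assumptions made up for the example.

```python
"""Segmentation policy check over constructed flow records (not from the page)."""
import ipaddress

# Hypothetical addressing plan for the segments discussed in the notes.
SEGMENTS = {
    "users":    ipaddress.ip_network("10.10.0.0/16"),  # user VLAN
    "app":      ipaddress.ip_network("10.20.0.0/24"),  # application servers (core)
    "db":       ipaddress.ip_network("10.30.0.0/24"),  # database servers
    "screened": ipaddress.ip_network("192.0.2.0/24"),  # screened subnet
}
DATACENTER = ("app", "db", "screened")

# Allow-list of (source segment, destination segment, destination port).
# Only the app tier may speak SQL (3306) and SSH (22) to the DB tier; users reach
# the app tier over HTTPS and the internet only reaches the screened subnet.
ALLOW = {
    ("users", "app", 443),
    ("app", "db", 3306),
    ("app", "db", 22),
    ("internet", "screened", 443),
    ("screened", "app", 8443),
}


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"      # anything outside the defined segments is treated as external


def direction(src_seg, dst_seg):
    """East-west = both ends inside the data center; otherwise north-south."""
    both_inside = src_seg in DATACENTER and dst_seg in DATACENTER
    return "east-west" if both_inside else "north-south"


def evaluate(line):
    """Parse 'src=.. dst=.. dport=.. proto=..' and decide whether the policy allows it."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    src_seg, dst_seg = segment_of(fields["src"]), segment_of(fields["dst"])
    dport = int(fields["dport"])
    # Traffic inside one segment is not filtered here; cross-segment traffic needs an allow entry.
    allowed = src_seg == dst_seg or (src_seg, dst_seg, dport) in ALLOW
    return {"src": src_seg, "dst": dst_seg, "dport": dport,
            "direction": direction(src_seg, dst_seg), "allowed": allowed}


def audit(flow_log):
    return [evaluate(line) for line in flow_log.splitlines() if line.strip()]


def violations(flow_log):
    return [r for r in audit(flow_log) if not r["allowed"]]


# Constructed flow log lines (not captured from any real network).
FLOW_LOG = """\
src=10.10.4.20 dst=10.20.0.7 dport=443 proto=tcp
src=10.10.4.20 dst=10.30.0.5 dport=3306 proto=tcp
src=10.20.0.7 dst=10.30.0.5 dport=3306 proto=tcp
src=203.0.113.9 dst=192.0.2.10 dport=443 proto=tcp
src=203.0.113.9 dst=10.30.0.5 dport=22 proto=tcp
"""

if __name__ == "__main__":
    for record in audit(FLOW_LOG):
        print(record)
```

The second and fifth records are the ones segmentation exists to stop: a user workstation opening SQL to a database directly, and an external address reaching an internal SSH port. Note that the only east-west flow (app to db) is also the only one a perimeter firewall would never see, which is the segmentation challenge the east-west bullets describe.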
Zero Trust
- New security posture for internal networks: trust nothing on your network by default
- Zero trust is a holistic approach to network security (covers every device, every process, every person)
- Everything (devices, people, applications, etc.) must be verified (multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics etc)
- Traditionally, once you were through the firewall and inside the network there were few security controls; there was an inherent trust
VPN
- Virtual Private Network
- Encrypted (private) data traversing a public network
- Uses a VPN concentrator
- Sometimes VPN client software is configured to be “always-on” or you may have to turn it on
Concentrator
- Encryption / decryption access device
- often integrated into a firewall
- The ‘workhorse of the VPN’
- many deployment options
- some are cryptographic hardware
- some are software-based options
- used with a client software (sometimes built into OS)
Remote access VPN
- Your laptop -> start VPN software, -> this creates an encrypted tunnel to the VPN concentrator (encrypted) -> and then on the other side of the VPN Concentrator it will decrypt and go to your corporate network
- This works in reverse too: corporate data -> VPN concentrator (where it's encrypted) -> through the tunnel to your laptop
SSL VPN
- Secure Sockets Layer VPN
- Uses the common SSL / TLS protocol (tcp/443)
- No big VPN clients (usually providing remote access for a single device)
- (Almost) no firewall issues, since tcp/443 is allowed nearly everywhere
- Authenticates users without requiring digital certificates or shared secrets like IPsec
- Don’t usually need complex VPN passwords
- Can often be run from a browser or from a (usually lightweight) VPN client across many OSes
HTML5 VPNs
- Hyper Text Markup Language version 5
- The language commonly used in web browsers
- Includes comprehensive API support
- Web cryptography API
- Nothing to install (create a VPN tunnel without a separate VPN application): start the browser, connect to the network and you can use the SSL VPN
- Only requirement is a browser that supports HTML5 (most modern browsers do)
Full Tunnel
- Everything that is being transported by a remote user is sent to the VPN concentrator, the VPN concentrator will then decide where the data will go
- User can’t break out of the tunnel to the VPN Concentrator
- Ex: If user on VPN wanted to go to another website, they’d have to go to the VPN concentrator, the VPN concentrator would go to the website and then pass it back to the remote user
Split Tunnel
- The VPN admin can configure some information to go through the tunnel and some to go outside in a split tunnel
- If a remote user wants to go to a non-corporate website, they can use a split in the tunnel to go to that website instead of going straight to the VPN concentrator
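Full versus split tunnel comes down to what the client's routing table does with the default route. The following added example (not from the original notes) implements longest-prefix route selection over two constructed route tables; the interface names tun0/eth0, the corporate ranges and the concentrator address 198.51.100.1 are assumptions for illustration.

```python
"""Full vs split tunnel route selection, the way the client's routing table decides it."""
import ipaddress


def select_interface(routes, destination):
    """Longest-prefix match: the most specific route containing the destination wins."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed route tables; tun0 = the VPN tunnel, eth0 = the local interface.
# 198.51.100.1 stands in for the VPN concentrator's public address.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),         # default route into the tunnel: nothing escapes
    ("198.51.100.1/32", "eth0"),   # except the encrypted packets to the concentrator itself
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),         # default route stays local: non-corporate traffic goes direct
    ("10.0.0.0/8", "tun0"),        # only corporate ranges enter the tunnel
    ("172.16.0.0/12", "tun0"),
]


def bypasses_tunnel(routes, destinations):
    """Destinations the concentrator never sees, and so cannot inspect or filter."""
    return [d for d in destinations if select_interface(routes, d) != "tun0"]


if __name__ == "__main__":
    targets = ["10.1.2.3", "172.20.0.9", "203.0.113.80"]
    print("full  :", bypasses_tunnel(FULL_TUNNEL, targets))    # []
    print("split :", bypasses_tunnel(SPLIT_TUNNEL, targets))   # ['203.0.113.80']
```

The /32 host route to the concentrator is what makes a full tunnel possible at all: without it the encrypted packets would themselves be routed into the tunnel. The split-tunnel table shows the trade-off the admin accepts: the public website traffic never reaches the concentrator's filtering or logging.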
Site to site VPN
- Can have a VPN connection b/n remote locations
- Ex: A corporate network and a Remote site networks, they each have their own Firewall / VPN Concentrator and they have an encrypted tunnel between the two VPN Concentrators
- almost always “always-on” or dynamically connect to each other
- Often uses L2TP (layer 2 tunneling protocol)
L2TP
- Layer 2 Tunneling Protocol
- Connecting sites over a layer 3 network, as if they were connected at layer 2
- Commonly implemented with IPSec
- L2TP for the tunnel, IPsec added for the encryption (L2TP over IPsec, aka L2TP/IPsec)
IPSec
- Internet Protocol Security
- Security at OSI Layer 3
- Authentication and encryption for every packet
- Supports encryption and packet signing (confidentiality plus integrity of the data), and anti-replay protection is built in
- Very standardized (common to use, multivendor implementations)
- 2 core protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload)
IPsec tunnel - how to send data
- 2 ways: Transport mode and tunnel mode
- IPsec can run AH and ESP together (AH for integrity + authentication of the outer header, ESP for encryption of the data), but ESP on its own, with its built-in integrity check value, is the more common deployment; AH also fails across NAT because the translated address no longer matches the hash
- 3.3 3rd video if need to re-reference graphics
Transport Mode
- One of the two ways to send data over an IPSec tunnel (other is tunnel mode)
- The original packet: IP Header - Data
- Transport mode:
- Transport mode: IP Header - IPsec Header - Data (encrypted) - IPsec Trailer
- Doesn't protect everything: the original IP header is sent in the clear, so the real endpoints are visible on the wire
Tunnel Mode
- One of the two ways to send data over an IPSec tunnel (other is Transport mode)
- The original packet: IP Header - Data
- Tunnel mode: NewIP Header - IPSec Headers - IP Header - Data - IPSec Trailers
- Protects both the original IP header and the data; a brand new outer IP header addressed to the VPN concentrator on the other side is added in front
AH
- Authentication Header protocol
- Keyed hash (HMAC) over the packet using a key shared between the two IPsec concentrators
- SHA-2 is common
- If you only need integrity and origin authentication, not confidentiality, AH is an option
- Doesn't provide encryption, but provides integrity (hash)
- Guarantees the data origin (authentication)
- Prevents replay attacks (sequence numbers)
- This is less common than ESP (Encapsulating Security Payload)
- Inserts the AH between the IP header and the payload
- Tunnel mode: New IP Header - AH Header - IP Header - Data
ESP
- Encapsulating Security Payload
- Encrypts and authenticates across the IPsec tunnel
- Commonly uses SHA-2 for the hash, AES for encryption
- Adds a header, a trailer, and an Integrity Check Value (the algorithms are selectable in the IPsec config)
- Tunnel mode: New IP Header - ESP Header - IP Header - Data - ESP Trailer - Integrity Check Value
- ESP Header -> ESP Trailer is authenticated (covered by the ICV); the new outer IP header is not
- IP Header -> ESP Trailer is encrypted (the original IP header is hidden inside the encrypted payload)
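An added example, not from the original notes, that builds AH packets in transport and tunnel mode and checks them the way a receiving concentrator would: the ICV is an HMAC-SHA-256-128 (RFC 4868) over the immutable parts of the outer IP header, the AH header and the payload, and a sliding window rejects replayed sequence numbers. ESP's encryption step is left out (the standard library has no AES); the shared key, addresses and SPIs are constructed values.

```python
"""IPsec AH in transport and tunnel mode, with an RFC 4303-style anti-replay window."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, IPIP_PROTO, TCP_PROTO = 51, 4, 6
AH_LEN = 28   # 12-byte fixed AH header + 16-byte HMAC-SHA-256-128 ICV


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 since nothing here routes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def immutable_view(ip_hdr):
    """AH hashes the IP header with the fields that change in transit (TOS, flags/offset,
    TTL, checksum) zeroed, so a router decrementing TTL does not break the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\0\0"         # flags / fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\0\0"       # header checksum
    return bytes(h)


def ah_fixed(next_hdr, spi, seq):
    # RFC 4302: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)


def icv(key, outer_ip, ah_hdr, payload):
    """Truncated HMAC over the immutable outer header, AH header (ICV zeroed) and payload."""
    data = immutable_view(outer_ip) + ah_hdr + b"\0" * 16 + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def transport_mode(key, src, dst, tcp_segment, spi, seq):
    """Original IP header kept (and sent in the clear), AH inserted before the TCP segment."""
    outer = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(tcp_segment))
    ah = ah_fixed(TCP_PROTO, spi, seq)
    return outer + ah + icv(key, outer, ah, tcp_segment) + tcp_segment


def tunnel_mode(key, gw_src, gw_dst, original_packet, spi, seq):
    """New outer IP header between the two concentrators; the whole original packet is covered."""
    outer = ipv4_header(gw_src, gw_dst, AH_PROTO, AH_LEN + len(original_packet))
    ah = ah_fixed(IPIP_PROTO, spi, seq)
    return outer + ah + icv(key, outer, ah, original_packet) + original_packet


def verify(key, packet):
    """Return (icv_ok, spi, seq) for an AH packet built by the functions above."""
    outer, ah, mac, payload = packet[:20], packet[20:32], packet[32:48], packet[48:]
    _, _, _, spi, seq = struct.unpack("!BBHII", ah)
    return hmac.compare_digest(mac, icv(key, outer, ah, payload)), spi, seq


class ReplayWindow:
    """64-packet sliding window: reject duplicates and packets older than the window."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                       # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                         # too old, or already received
        self.bitmap |= 1 << diff
        return True


def receive(key, window, packet):
    """ICV is checked before the window is updated, so a forged sequence number
    cannot advance the window or evict legitimate packets."""
    ok, _, seq = verify(key, packet)
    if not ok:
        return "bad-icv"
    return "ok" if window.accept(seq) else "replay"


if __name__ == "__main__":
    key = b"\x11" * 32                                       # constructed shared key
    pkt = transport_mode(key, "10.0.0.1", "10.0.0.2", b"GET / HTTP/1.1\r\n", spi=0x100, seq=1)
    window = ReplayWindow()
    print(receive(key, window, pkt), receive(key, window, pkt))   # ok replay
```

Decrementing the TTL in transit leaves the ICV valid because TTL is a mutable field and is zeroed before hashing; flipping a payload byte breaks it. The source and destination addresses are not mutable, which is exactly why AH does not survive NAT. In the tunnel-mode packet the original header sits behind the AH header as payload, so it is covered by the ICV, but, unlike ESP, still readable on the wire.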
Port Security
- There’s a lot of security that happens at the physical switch interface
- Control and protect, limit overall traffic, control specific traffic types, watch for unusual / unwanted traffic
- Different options available
- (In this context, not talking about TCP or UDP ports; think of it as the physical switch port)
- Often the first and last point of transmission
Broadcasts
- Send information to everyone at once
- One frame or packet, received by everyone
- everyone must examine the broadcast
- fortunately they have a limited scope (limited to the broadcast domain)
- A VLAN is a broadcast domain
- With IPv4, very common to see broadcasts (routing updates, ARP requests); they can add up quickly
- Unfortunately, excess broadcasts can also come from malicious software or a faulty NIC
- Need a way to control this traffic
- IPv6 does not use broadcast (it uses multicast, which is easier to manage)
Broadcast Controls
- The switch can control broadcasts (limit the number of broadcasts per second)
- Can often be used to control multicast and unknown unicast traffic (giving admins a tight level of control)
- Might limit broadcasts by a specific value or percentage, or by a change from normal traffic patterns
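An added example (not part of the original notes) that models two of these physical-port controls in Python: port security, which limits how many source MAC addresses may appear on a port and err-disables it on violation, and broadcast storm control, which drops broadcasts once more than a set number arrive within a trailing one-second window. The MAC addresses, frame timings and thresholds are constructed for illustration.

```python
"""Switch port controls from the notes: port security (MAC limit) and broadcast storm control."""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class SwitchPort:
    def __init__(self, max_macs=1, max_bcast_per_sec=100, violation="shutdown"):
        self.max_macs = max_macs              # port security: distinct source MACs allowed
        self.max_bcast = max_bcast_per_sec    # storm control: broadcasts per trailing second
        self.violation = violation            # "shutdown" (err-disable the port) or "restrict" (drop)
        self.learned = set()
        self.err_disabled = False
        self.violations = 0
        self.bcast_times = deque()            # arrival times of recent broadcasts

    def ingress(self, frame):
        """frame = {'src': MAC, 'dst': MAC, 't': seconds}; returns the switch's decision."""
        if self.err_disabled:
            return "err-disabled"
        src = frame["src"].lower()
        if src not in self.learned:
            if len(self.learned) >= self.max_macs:
                # A new, unexpected MAC on the port: rogue device, hub, or MAC flooding attempt.
                self.violations += 1
                if self.violation == "shutdown":
                    self.err_disabled = True
                    return "err-disabled"
                return "drop"
            self.learned.add(src)
        if frame["dst"].lower() == BROADCAST:
            now = frame["t"]
            self.bcast_times.append(now)
            while now - self.bcast_times[0] >= 1.0:   # forget broadcasts older than one second
                self.bcast_times.popleft()
            if len(self.bcast_times) > self.max_bcast:
                return "drop"                         # over the storm-control threshold
        return "forward"


def run(port, frames):
    return [port.ingress(f) for f in frames]


# Constructed frames (not captured traffic): one legitimate host, then a second MAC on the same port.
ROGUE_MAC_STREAM = [
    {"src": "aa:aa:aa:00:00:01", "dst": "aa:aa:aa:00:00:02", "t": 0.0},
    {"src": "aa:aa:aa:00:00:99", "dst": "aa:aa:aa:00:00:02", "t": 0.1},   # violation
    {"src": "aa:aa:aa:00:00:01", "dst": "aa:aa:aa:00:00:02", "t": 0.2},   # port already err-disabled
]
# 15 broadcasts in 150 ms from one host, against a limit of 10 per second.
STORM_STREAM = [{"src": "aa:aa:aa:00:00:01", "dst": BROADCAST, "t": i * 0.01} for i in range(15)]

if __name__ == "__main__":
    print(run(SwitchPort(max_macs=1), ROGUE_MAC_STREAM))
    print(run(SwitchPort(max_macs=2, max_bcast_per_sec=10), STORM_STREAM))
```

The "shutdown" action is the safer default on user-facing ports: once the port is err-disabled even the legitimate host is cut off until an administrator re-enables it, which is the behaviour that makes a rogue device visible. The "restrict" action keeps the port up and only counts and drops the offending frames, which suits ports where an outage would be worse than the rogue traffic.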