3.3 Secure Network Designs Flashcards

1
Q
• Distribute the load
– Multiple servers
– Invisible to the end-user
• Large-scale implementations
– Web server farms, database farms
• Fault tolerance
– Server outages have no effect
– Very fast convergence
A

Balancing the load

2
Q
• Configurable load
– Manage across servers
• TCP offload
– Protocol overhead
• SSL offload
– Encryption/Decryption
• Caching
– Fast response
• Prioritization
– QoS
• Content switching
– Application-centric balancing
A

Load balancer

3
Q
• Round-robin
– Each server is selected in turn
• Weighted round-robin
– Prioritize the server use
• Dynamic round-robin
– Monitor the server load and distribute to the server with the lowest use
• Active/active load balancing
A

Scheduling

4
Q

• Affinity
– A kinship, a likeness
• Many applications require communication to the same instance
– Each user is “stuck” to the same server
– Tracked through IP address or session IDs
– Source affinity / sticky session / session persistence

A

Affinity

5
Q

• Some servers are active
– Others are on standby
• If an active server fails, the passive server takes its place

A

Active/passive load balancing

6
Q

• Physical, logical, or virtual segmentation
– Devices, VLANs, virtual networks
• Performance
– High-bandwidth applications
• Security
– Users should not talk directly to database servers
– The only applications in the core are SQL and SSH
• Compliance
– Mandated segmentation (PCI compliance)
– Makes change control much easier

A

Segmenting the network

7
Q

• Devices are physically separate - Air gap between Switch A and Switch B
• Must be connected to provide communication
– Direct connect, or another switch or router
• Web servers in one rack - Database servers on another
• Customer A on one switch, customer B on another
– No opportunity for mixing data
• Separate devices
– Multiple units, separate infrastructure

A

Physical segmentation

8
Q

• Virtual Local Area Networks (VLANs)
– Separated logically instead of physically
– Cannot communicate between VLANs without a Layer 3 device / router

A

Logical segmentation with VLANs

9
Q

• Previously known as the demilitarized zone (DMZ)
– An additional layer of security between the Internet and you
– Public access to public resources

A

Screened subnet

10
Q

• A private network for partners
– Vendors, suppliers
• Usually requires additional authentication
– Only allow access to authorized users

A

Extranet

11
Q

• Private network - Only available internally
• Company announcements, important documents, other company business
– Employees only
• No external access
– Internal or VPN access only

A

Intranet

12
Q

• Traffic flows within a data center
– Important to know where traffic starts and ends
• East-west
– Traffic between devices in the same data center
– Relatively fast response times
• North-south traffic
– Ingress/egress to an outside device
– A different security posture than east-west traffic

A

East-west traffic

13
Q

• Many networks are relatively open on the inside
– Once you’re through the firewall, there are few security controls
• Zero trust is a holistic approach to network security
– Covers every device, every process, every person
• Everything must be verified
– Nothing is trusted
– Multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.

A

Zero-trust

14
Q
• Virtual Private Networks
– Encrypted (private) data traversing a public network
• Concentrator
– Encryption/decryption access device
– Often integrated into a firewall
• Many deployment options
– Specialized cryptographic hardware
– Software-based options available
• Used with client software
– Sometimes built into the OS
A

VPNs

15
Q
• Uses common SSL/TLS protocol (tcp/443)
– (Almost) No firewall issues!
• No big VPN clients
– Usually remote access communication
• Authenticate users
– No requirement for digital certificates or shared passwords (like IPSec)
• Can be run from a browser or from a (usually light) VPN client
– Across many operating systems
A

SSL VPN (Secure Sockets Layer VPN)

16
Q
• On-demand access from a remote device
– Software connects to a VPN concentrator
• Some software can be configured as always-on
A

Remote access VPN

17
Q

• Layer 2 Tunneling Protocol
– Connecting sites over a layer 3 network as if they were connected at layer 2
• Commonly implemented with IPsec
– L2TP for the tunnel, IPsec for the encryption
– L2TP over IPsec (L2TP/IPsec)

A

L2TP

18
Q

• Security for OSI Layer 3
– Authentication and encryption for every packet
• Confidentiality and integrity/anti-replay
– Encryption and packet signing
• Very standardized
– Common to use multi-vendor implementations
• Two core IPSec protocols
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)

A

IPSec (Internet Protocol Security)

19
Q
• Data integrity
• Origin authentication
• Replay attack protection
• Keyed-hash mechanism
• No confidentiality/encryption
--
• Hash of the packet and a shared key
– SHA-2 is common
– Adds the AH to the packet header
• This doesn’t provide encryption
– Provides data integrity (hash)
– Guarantees the data origin (authentication)
– Prevents replay attacks (sequence numbers)
A

AH (Authentication Header)

20
Q
• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrity
• Anti-replay protection
--

• Encrypts and authenticates the tunneled data
– Commonly uses SHA-2 for hash, AES for encryption
– Adds a header, a trailer, and an Integrity Check Value
• Combine with Authentication Header (AH) for integrity and authentication of the outer header

A

ESP (Encapsulating Security Payload)

21
Q
IPsec Transport mode and Tunnel mode
AH and ESP
• Combine the data integrity of AH with the confidentiality of ESP
--
IPsec Transport mode and Tunnel mode
• Tunnel mode is the most common
– Transport mode may not even be an option
A

IPsec Transport mode and Tunnel mode - AH and ESP

22
Q

• Hypertext Markup Language version 5
– The language commonly used in web browsers
• Includes comprehensive API support
– Application Programming Interface
– Web cryptography API
• Create a VPN tunnel without a separate VPN application
– Nothing to install
• Use an HTML5 compliant browser
– Communicate directly to the VPN concentrator

A

HTML5 VPNs

23
Q
• There’s a lot of security that happens at the physical switch interface
– Often the first and last point of transmission
• Control and protect
– Limit overall traffic
– Control specific traffic types
– Watch for unusual or unwanted traffic
• Different options are available
– Manage different security issues
A

Port security

24
Q

• Send information to everyone at once
– One frame or packet, received by everyone
– Every device must examine the broadcast
• Limited scope - The broadcast domain
• Routing updates, ARP requests - Can add up quickly
• Malicious software or a bad NIC
– Not always normal traffic
• Not used in IPv6
– Focus on multicast

A

Broadcasts

25
Q

• The switch can control broadcasts
– Limit the number of broadcasts per second
• Can often be used to control multicast and unknown unicast traffic
– Tight security posture
• Manage by specific values or by percentage
– Or the change over normal traffic patterns

A

Broadcast storm control

26
Q

• Connect two switches to each other
– They’ll send traffic back and forth forever
– There’s no “counting” mechanism at the MAC layer
• This is an easy way to bring down a network
– And somewhat difficult to troubleshoot
– Relatively easy to resolve
• IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
– Created by Radia Perlman
– Used practically everywhere

A

Loop protection

27
Q

• Spanning tree takes time to determine if a switch port should forward frames
– Bypass the listening and learning states
– Cisco calls this PortFast
• BPDU (Bridge Protocol Data Unit)
– The spanning tree control protocol
• If a BPDU frame is seen on a PortFast configured interface (i.e., a workstation), shut down the interface
– This shouldn’t happen - Workstations don’t send BPDUs

A

BPDU Guard

28
Q

• IP tracking on a layer 2 device (switch)
– The switch is a DHCP firewall
– Trusted: Routers, switches, DHCP servers
– Untrusted: Other computers, unofficial DHCP servers
• Switch watches for DHCP conversations
– Adds a list of untrusted devices to a table
• Filters invalid IP and DHCP information
– Static IP addresses
– Devices acting as DHCP servers
– Other invalid traffic patterns

A

DHCP Snooping

29
Q

• Media Access Control
– The “hardware” address
• Limit access through the physical hardware address
– Keeps the neighbors out
– Additional administration with visitors
• Easy to find working MAC addresses through wireless LAN analysis
– MAC addresses can be spoofed
– Free open-source software
• Security through obscurity

A

MAC filtering

30
Q

• DNS had no security in the original design
– Relatively easy to poison a DNS
• DNSSEC
– Domain Name System Security Extensions
• Validate DNS responses
– Origin authentication
– Data integrity
• Public key cryptography
– DNS records are signed with a trusted third party
– Signed DNS records are published in DNS

A

Domain Name Resolution

31
Q
• Stop end users from visiting dangerous sites
– The DNS resolves to a sinkhole address
• A query to a known-malicious address can identify
infected systems
– And prevent further exploitation
• Content filtering
– Prevent DNS queries to unwanted or suspicious sites
A

Using a DNS for security

32
Q

• The network isn’t available
– Or the device isn’t accessible from the network
• Most devices have a separate management interface
– Usually a serial connection / USB
• Connect a modem
– Dial-in to manage the device
• Console router / comm server
– Out-of-band access for multiple devices
– Connect to the console router, then choose where you want to go

A

Out-of-band management

33
Q

• Many different devices
– Desktop, laptop, VoIP phone, mobile devices
• Many different applications
– Mission critical applications, streaming video, streaming audio
• Different apps have different network requirements
– Voice is real-time
– Recorded streaming video has a buffer
– Database application is interactive
• Some applications are “more important” than others
– Voice traffic needs to have priority over YouTube

A

The need for QoS

34
Q

• Prioritize traffic performance
– Voice over IP traffic has priority over web-browsing
– Prioritize by maximum bandwidth, traffic rate, VLAN, etc.
• Quality of Service
– Describes the process of controlling traffic flows
• Many different methods
– Across many different topologies

A

QoS (Quality of Service)

35
Q
• More IP address space
– More difficult to IP/port scan (but not impossible)
– The tools already support IPv6
• No need for NAT
– NAT is not a security feature
• Some attacks disappear
– No ARP, so no ARP spoofing
• New attacks will appear
– For example, Neighbor Cache Exhaustion
• IPsec built in / IPsec ready
A

IPv6 security is different

36
Q

• Intercept network traffic
– Send a copy to a packet capture device
• Physical taps
– Disconnect the link, put a tap in the middle
– Can be an active or passive tap
• Port mirror
– Port redirection, SPAN (Switched Port ANalyzer)
– Software-based tap
– Limited functionality, but can work well in a pinch

A

Taps and port mirrors

37
Q
• Constant cybersecurity monitoring
– Ongoing security checks
– A staff of cybersecurity experts at a Security Operations Center (SOC)
• Identify threats
– A broad range of threats across many different organizations
• Respond to events
– Faster response time
• Maintain compliance
– Someone else ensures PCI DSS, HIPAA compliance, etc.
A

Monitoring services

38
Q
• Some files change all the time
– Some files should NEVER change
• Monitor important operating system and application files
– Identify when changes occur
• Windows - SFC (System File Checker)
• Linux - Tripwire
• Many host-based IPS options
A

FIM (File Integrity Monitoring)

39
Q
• Standard issue
– Home, office, and in your operating system
• Control the flow of network traffic
– Everything passes through the firewall
• Corporate control of outbound and inbound data
– Sensitive materials
• Control of inappropriate content
– Not safe for work, parental controls
• Protection against evil
– Anti-virus, anti-malware
A

The universal security control

40
Q

• Filter traffic by port number or application
– Traditional vs. NGFW firewalls
• Encrypt traffic - VPN between sites
• Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT) functionality
– Authenticate dynamic routing communication

A

Network-based firewalls

41
Q

• Does not keep track of traffic flows
– Each packet is individually examined, regardless of past history
– Traffic sent outside of an active session will traverse a stateless firewall

A

Stateless firewall

42
Q

• Stateful firewalls remember the “state” of the session
– Everything within a valid flow is allowed

A

Stateful firewall

43
Q
• Unified Threat Management (UTM) / Web security gateway
• URL filter / Content inspection
• Malware inspection
• Spam filter
• CSU/DSU
• Router, Switch
• Firewall
• IDS/IPS
• Bandwidth shaper
• VPN endpoint
A

UTM / All-in-one security appliance

44
Q
• The OSI Application Layer
– All data in every packet
• Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
• Requires some advanced decodes
– Every packet must be analyzed and categorized before a security decision is determined
--
NGFWs
• Network-based Firewalls
– Control traffic flows based on the application
– Microsoft SQL Server, Twitter, YouTube
• Intrusion Prevention Systems
– Identify the application
– Apply application-specific vulnerability signatures to the traffic
• Content filtering
– URL filters
– Control website traffic by category
A

Next-generation firewall (NGFW)

45
Q
• Not like a “normal” firewall
– Applies rules to HTTP/HTTPS conversations
• Allow or deny based on expected input
– Unexpected input is a common method of exploiting an application
• SQL injection
– Add your own commands to an application’s SQL query
• A major focus of Payment Card Industry
– Data Security Standard (PCI DSS)
A

Web application firewall (WAF)

46
Q
• Access control lists (ACLs)
– Allow or disallow traffic based on tuples
– Groupings of categories
– Source IP, Destination IP, port number, time of day, application, etc.
• A logical path
– Usually top-to-bottom
• Can be very general or very specific
– Specific rules are usually at the top
• Implicit deny
– Most firewalls include a deny at the bottom
– Even if you didn’t put one
A

Firewall rules

47
Q

• Open-source vs. proprietary
– Open-source provides traditional firewall functionality
– Proprietary features include application control and high-speed hardware
• Hardware vs. software
– Purpose-built hardware provides efficient and flexible connectivity options
– Software-based firewalls can be installed almost anywhere
• Appliance vs. host-based vs. virtual
– Appliances provide the fastest throughput
– Host-based firewalls are application-aware and can view non-encrypted data
– Virtual firewalls provide valuable East/West network security

A

Firewall characteristics

48
Q

• Control at the edge
– Your Internet link
– Managed primarily through firewall rules
– Firewall rules rarely change
• Access control
– Control from wherever you are - Inside or outside
– Access can be based on many rules
– By user, group, location, application, etc.
– Access can be easily revoked or changed
– Change your security posture at any time

A

Edge vs. access control

49
Q

• You can’t trust everyone’s computer
– BYOD (Bring Your Own Device)
– Malware infections / missing anti-malware
– Unauthorized applications
• Before connecting to the network, perform a health check
– Is it a trusted device?
– Is it running anti-virus? Which one? Is it updated?
– Are the corporate applications installed?
– Is it a mobile device?
– Is the disk encrypted?
– The type of device doesn’t matter - Windows, Mac, Linux, iOS, Android

A

Posture assessment

50
Q
• Persistent agents
– Permanently installed onto a system
– Periodic updates may be required
• Dissolvable agents
– No installation is required
– Runs during the posture assessment
– Terminates when no longer required
• Agentless NAC
– Integrated with Active Directory
– Checks are made during login and logoff
– Can’t be scheduled
A

Health checks/posture assessment

51
Q

• What happens when a posture assessment fails?
– Too dangerous to allow access
• Quarantine network, notify administrators
– Just enough network access to fix the issue
• Once resolved, try again
– May require additional fixes

A

Failing your assessment

52
Q

• Sits between the users and the external network
• Receives the user requests and sends the request on their behalf (the proxy)
• Useful for caching information, access control, URL filtering, content scanning
• Applications may need to know how to use the proxy (explicit)
• Some proxies are invisible (transparent)

A

Proxies

53
Q
• One of the simplest “proxies” is NAT
– A network-level proxy
• Most proxies in use are application proxies
– The proxy understands the way the application works
• A proxy may only know one application
– HTTP
• Many proxies are multipurpose proxies
– HTTP, HTTPS, FTP, etc.
A

Application proxies

54
Q
• An “internal proxy”
• Commonly used to protect and control user access to the Internet
A

Forward Proxy

55
Q

• Inbound traffic from the Internet to your internal service

A

Reverse Proxy

56
Q
• A third-party, uncontrolled proxy
• Can be a significant security concern
• Often used to circumvent existing security controls
A

Open Proxy

57
Q
• Intrusion Detection System / Intrusion Prevention System
– Watch network traffic
• Intrusions
– Exploits against operating systems, applications, etc.
– Buffer overflows, cross-site scripting, other vulnerabilities
• Detection vs. Prevention
– Detection – Alarm or alert
– Prevention – Stop it before it gets into the network
A

NIDS and NIPS

58
Q

• Examine a copy of the traffic
– Port mirror (SPAN), network tap
• No way to block (prevent) traffic

A

Passive monitoring

59
Q

• When malicious traffic is identified,
– IPS sends TCP RST (reset) frames
– After-the-fact
– Limited UDP response available

A

Out-of-band-response

60
Q

• IDS/IPS sits physically inline
– All traffic passes through the IDS/IPS

A

Inline monitoring

61
Q

• Malicious traffic is immediately identified
– Dropped at the IPS
– Does not proceed through the network

A

In-band response

62
Q
• Signature-based
– Look for a perfect match
• Anomaly-based
– Build a baseline of what’s “normal”
• Behavior-based
– Observe and report
• Heuristics
– Use artificial intelligence to identify
A

Identification technologies

63
Q
• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– Offload that CPU overhead from other devices
• Used in large environments
– Clusters, redundant power
A

Hardware Security Module (HSM)

64
Q
• Access secure network zones
– Provides an access mechanism to a protected network
• Highly-secured device
– Hardened and monitored
• SSH / Tunnel / VPN to the jump server
– RDP, SSH, or jump from there
• A significant security concern
– Compromise to the jump server is a significant breach
A

Jump server

65
Q

• Aggregate information from network devices
– Built-in sensors, separate devices
– Integrated into switches, routers, servers, firewalls, etc.
• Sensors
– Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
• Collectors
– Proprietary consoles (IPS, firewall)
– SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare diverse sensor data

A

Sensors and collectors