3.3 Secure Network Designs Flashcards
• Distribute the load
– Multiple servers
– Invisible to the end-user
• Large-scale implementations
– Web server farms, database farms
• Fault tolerance
– Server outages have no effect
– Very fast convergence
Balancing the load
• Configurable load
– Manage across servers
• TCP offload
– Protocol overhead
• SSL offload
– Encryption/Decryption
• Caching
– Fast response
• Prioritization
– QoS
• Content switching
– Application-centric balancing
Load balancer
• Round-robin
– Each server is selected in turn
• Weighted round-robin
– Prioritize the server use
• Dynamic round-robin
– Monitor the server load and distribute to the server with the lowest use
• Active/active load balancing
Scheduling
• Affinity
– A kinship, a likeness
• Many applications require communication to the same instance
– Each user is “stuck” to the same server
– Tracked through IP address or session IDs
– Source affinity / sticky session / session persistence
Affinity
• Some servers are active
– Others are on standby
• If an active server fails, the passive server takes its place
Active/passive load balancing
• Physical, logical, or virtual segmentation
– Devices, VLANs, virtual networks
• Performance
– High-bandwidth applications
• Security
– Users should not talk directly to database servers
– The only applications in the core are SQL and SSH
• Compliance
– Mandated segmentation (PCI compliance)
– Makes change control much easier
Segmenting the network
• Devices are physically separate - Air gap between Switch A and Switch B
• Must be connected to provide communication
– Direct connect, or another switch or router
• Web servers in one rack - Database servers on another
• Customer A on one switch, customer B on another
– No opportunity for mixing data
• Separate devices
– Multiple units, separate infrastructure
Physical segmentation
• Virtual Local Area Networks (VLANs)
– Separated logically instead of physically
– Cannot communicate between VLANs without a Layer 3 device / router
Logical segmentation with VLANs
• Previously known as the demilitarized zone (DMZ)
– An additional layer of security between the Internet and you
– Public access to public resources
Screened subnet
• A private network for partners
– Vendors, suppliers
• Usually requires additional authentication
– Only allow access to authorized users
Extranet
• Private network - Only available internally
• Company announcements, important documents, other company business
– Employees only
• No external access
– Internal or VPN access only
Intranet
• Traffic flows within a data center
– Important to know where traffic starts and ends
• East-west
– Traffic between devices in the same data center
– Relatively fast response times
• North-south traffic
– Ingress/egress to an outside device
– A different security posture than east-west traffic
East-west traffic
• Many networks are relatively open on the inside
– Once you’re through the firewall, there are few security controls
• Zero trust is a holistic approach to network security
– Covers every device, every process, every person
• Everything must be verified
– Nothing is trusted
– Multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.
Zero-trust
• Virtual Private Networks
– Encrypted (private) data traversing a public network
• Concentrator
– Encryption/decryption access device
– Often integrated into a firewall
• Many deployment options
– Specialized cryptographic hardware
– Software-based options available
• Used with client software
– Sometimes built into the OS
VPNs
• Uses common SSL/TLS protocol (tcp/443)
– (Almost) No firewall issues!
• No big VPN clients
– Usually remote access communication
• Authenticate users
– No requirement for digital certificates or shared passwords (like IPSec)
• Can be run from a browser or from a (usually light) VPN client
– Across many operating systems
SSL VPN (Secure Sockets Layer VPN)
• On-demand access from a remote device
– Software connects to a VPN concentrator
• Some software can be configured as always-on
Remote access VPN
• Layer 2 Tunneling Protocol
– Connecting sites over a layer 3 network as if they were connected at layer 2
• Commonly implemented with IPsec
– L2TP for the tunnel, IPsec for the encryption
– L2TP over IPsec (L2TP/IPsec)
L2TP
• Security for OSI Layer 3
– Authentication and encryption for every packet
• Confidentiality and integrity/anti-replay
– Encryption and packet signing
• Very standardized
– Common to use multi-vendor implementations
• Two core IPSec protocols
– Authentication Header (AH)
– Encapsulation Security Payload (ESP)
IPSec (Internet Protocol Security)
• Data integrity
• Origin authentication
• Replay attack protection
• Keyed-hash mechanism
• No confidentiality/encryption
• Hash of the packet and a shared key
– SHA-2 is common
– Adds the AH to the packet header
• This doesn’t provide encryption
– Provides data integrity (hash)
– Guarantees the data origin (authentication)
– Prevents replay attacks (sequence numbers)
AH (Authentication Header)
• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrity
• Anti-replay protection
• Encrypts and authenticates the tunneled data
– Commonly uses SHA-2 for hash, AES for encryption
– Adds a header, a trailer, and an Integrity Check Value
• Combine with Authentication Header (AH) for integrity and authentication of the outer header
ESP (Encapsulating Security Payload)
• Combine the data integrity of AH with the confidentiality of ESP
• Tunnel mode is the most common
– Transport mode may not even be an option
IPsec Transport mode and Tunnel mode - AH and ESP
• Hypertext Markup Language version 5
– The language commonly used in web browsers
• Includes comprehensive API support
– Application Programming Interface
– Web cryptography API
• Create a VPN tunnel without a separate VPN application
– Nothing to install
• Use an HTML5 compliant browser
– Communicate directly to the VPN concentrator
HTML5 VPNs
• There’s a lot of security that happens at the physical switch interface
– Often the first and last point of transmission
• Control and protect
– Limit overall traffic
– Control specific traffic types
– Watch for unusual or unwanted traffic
• Different options are available
– Manage different security issues
Port security
• Send information to everyone at once
– One frame or packet, received by everyone
– Every device must examine the broadcast
• Limited scope - The broadcast domain
• Routing updates, ARP requests - Can add up quickly
• Malicious software or a bad NIC
– Not always normal traffic
• Not used in IPv6
– Focus on multicast
Broadcasts
• The switch can control broadcasts
– Limit the number of broadcasts per second
• Can often be used to control multicast and unknown unicast traffic
– Tight security posture
• Manage by specific values or by percentage
– Or the change over normal traffic patterns
Broadcast storm control
• Connect two switches to each other
– They’ll send traffic back and forth forever
– There’s no “counting” mechanism at the MAC layer
• This is an easy way to bring down a network
– And somewhat difficult to troubleshoot
– Relatively easy to resolve
• IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
– Created by Radia Perlman
– Used practically everywhere
Loop protection
• Spanning tree takes time to determine if a switch port should forward frames
– Bypass the listening and learning states
– Cisco calls this PortFast
• BPDU (Bridge Protocol Data Unit)
– The spanning tree control protocol
• If a BPDU frame is seen on a PortFast configured interface (i.e., a workstation), shut down the interface
– This shouldn’t happen - Workstations don’t send BPDUs
BPDU Guard
• IP tracking on a layer 2 device (switch)
– The switch is a DHCP firewall
– Trusted: Routers, switches, DHCP servers
– Untrusted: Other computers, unofficial DHCP servers
• Switch watches for DHCP conversations
– Adds a list of untrusted devices to a table
• Filters invalid IP and DHCP information
– Static IP addresses
– Devices acting as DHCP servers
– Other invalid traffic patterns
DHCP Snooping
• Media Access Control
– The “hardware” address
• Limit access through the physical hardware address
– Keeps the neighbors out
– Additional administration with visitors
• Easy to find working MAC addresses through wireless LAN analysis
– MAC addresses can be spoofed
– Free open-source software
• Security through obscurity
MAC filtering
• DNS had no security in the original design
– Relatively easy to poison a DNS
• DNSSEC
– Domain Name System Security Extensions
• Validate DNS responses
– Origin authentication
– Data integrity
• Public key cryptography
– DNS records are signed with a trusted third party
– Signed DNS records are published in DNS
Domain Name Resolution
• Stop end users from visiting dangerous sites
– The DNS resolves to a sinkhole address
• A query to a known-malicious address can identify infected systems
– And prevent further exploitation
• Content filtering
– Prevent DNS queries to unwanted or suspicious sites
Using a DNS for security
• The network isn’t available
– Or the device isn’t accessible from the network
• Most devices have a separate management interface
– Usually a serial connection / USB
• Connect a modem
– Dial-in to manage the device
• Console router / comm server
– Out-of-band access for multiple devices
– Connect to the console router, then choose where you want to go
Out-of-band management
• Many different devices
– Desktop, laptop, VoIP phone, mobile devices
• Many different applications
– Mission critical applications, streaming video, streaming audio
• Different apps have different network requirements
– Voice is real-time
– Recorded streaming video has a buffer
– Database application is interactive
• Some applications are “more important” than others
– Voice traffic needs to have priority over YouTube
The need for QoS
• Prioritize traffic performance
– Voice over IP traffic has priority over web-browsing
– Prioritize by maximum bandwidth, traffic rate, VLAN, etc.
• Quality of Service
– Describes the process of controlling traffic flows
• Many different methods
– Across many different topologies
QoS (Quality of Service)
• More IP address space
– More difficult to IP/port scan (but not impossible)
– The tools already support IPv6
• No need for NAT
– NAT is not a security feature
• Some attacks disappear
– No ARP, so no ARP spoofing
• New attacks will appear
– For example, Neighbor Cache Exhaustion
• IPsec built in / IPsec ready
IPv6 security is different
• Intercept network traffic
– Send a copy to a packet capture device
• Physical taps
– Disconnect the link, put a tap in the middle
– Can be an active or passive tap
• Port mirror
– Port redirection, SPAN (Switched Port ANalyzer)
– Software-based tap
– Limited functionality, but can work well in a pinch
Taps and port mirrors
• Constant cybersecurity monitoring
– Ongoing security checks
– A staff of cybersecurity experts at a Security Operations Center (SOC)
• Identify threats
– A broad range of threats across many different organizations
• Respond to events
– Faster response time
• Maintain compliance
– Someone else ensures PCI DSS, HIPAA compliance, etc.
Monitoring services
• Some files change all the time
– Some files should NEVER change
• Monitor important operating system and application files
– Identify when changes occur
• Windows - SFC (System File Checker)
• Linux - Tripwire
• Many host-based IPS options
FIM (File Integrity Monitoring)
• Standard issue
– Home, office, and in your operating system
• Control the flow of network traffic
– Everything passes through the firewall
• Corporate control of outbound and inbound data
– Sensitive materials
• Control of inappropriate content
– Not safe for work, parental controls
• Protection against evil
– Anti-virus, anti-malware
The universal security control
• Filter traffic by port number or application
– Traditional vs. NGFW firewalls
• Encrypt traffic - VPN between sites
• Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT) functionality
– Authenticate dynamic routing communication
Network-based firewalls
• Does not keep track of traffic flows
– Each packet is individually examined, regardless of past history
– Traffic sent outside of an active session will traverse a stateless firewall
Stateless firewall
• Stateful firewalls remember the “state” of the session
– Everything within a valid flow is allowed
Stateful firewall
- Unified Threat Management (UTM) / Web security gateway
- URL filter / Content inspection
- Malware inspection
- Spam filter
- CSU/DSU
- Router, Switch
- Firewall
- IDS/IPS
- Bandwidth shaper
- VPN endpoint
UTM / All-in-one security appliance
• The OSI Application Layer
– All data in every packet
• Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
• Requires some advanced decodes
– Every packet must be analyzed and categorized before a security decision is determined
• Network-based Firewalls
– Control traffic flows based on the application
– Microsoft SQL Server, Twitter, YouTube
• Intrusion Prevention Systems
– Identify the application
– Apply application-specific vulnerability signatures to the traffic
• Content filtering
– URL filters
– Control website traffic by category
Next-generation firewall (NGFW)
• Not like a “normal” firewall
– Applies rules to HTTP/HTTPS conversations
• Allow or deny based on expected input
– Unexpected input is a common method of exploiting an application
• SQL injection
– Add your own commands to an application’s SQL query
• A major focus of Payment Card Industry
– Data Security Standard (PCI DSS)
Web application firewall (WAF)
• Access control lists (ACLs)
– Allow or disallow traffic based on tuples
– Groupings of categories
– Source IP, Destination IP, port number, time of day, application, etc.
• A logical path
– Usually top-to-bottom
• Can be very general or very specific
– Specific rules are usually at the top
• Implicit deny
– Most firewalls include a deny at the bottom
– Even if you didn’t put one
Firewall rules
• Open-source vs. proprietary
– Open-source provides traditional firewall functionality
– Proprietary features include application control and high-speed hardware
• Hardware vs. software
– Purpose-built hardware provides efficient and flexible connectivity options
– Software-based firewalls can be installed almost anywhere
• Appliance vs. host-based vs. virtual
– Appliances provide the fastest throughput
– Host-based firewalls are application-aware and can view non-encrypted data
– Virtual firewalls provide valuable East/West network security
Firewall characteristics
• Control at the edge
– Your Internet link
– Managed primarily through firewall rules
– Firewall rules rarely change
• Access control
– Control from wherever you are - Inside or outside
– Access can be based on many rules
– By user, group, location, application, etc.
– Access can be easily revoked or changed
– Change your security posture at any time
Edge vs. access control
• You can’t trust everyone’s computer
– BYOD (Bring Your Own Device)
– Malware infections / missing anti-malware
– Unauthorized applications
• Before connecting to the network, perform a health check
– Is it a trusted device?
– Is it running anti-virus? Which one? Is it updated?
– Are the corporate applications installed?
– Is it a mobile device?
– Is the disk encrypted?
– The type of device doesn’t matter - Windows, Mac, Linux, iOS, Android
Posture assessment
• Persistent agents
– Permanently installed onto a system
– Periodic updates may be required
• Dissolvable agents
– No installation is required
– Runs during the posture assessment
– Terminates when no longer required
• Agentless NAC
– Integrated with Active Directory
– Checks are made during login and logoff
– Can’t be scheduled
Health checks/posture assessment
• What happens when a posture assessment fails?
– Too dangerous to allow access
• Quarantine network, notify administrators
– Just enough network access to fix the issue
• Once resolved, try again
– May require additional fixes
Failing your assessment
• Sits between the users and the external network
• Receives the user requests and sends the request on their behalf (the proxy)
• Useful for caching information, access control, URL filtering, content scanning
• Applications may need to know how to use the proxy (explicit)
• Some proxies are invisible (transparent)
Proxies
- One of the simplest “proxies” is NAT
- A network-level proxy
- Most proxies in use are application proxies
- The proxy understands the way the application works
- A proxy may only know one application
- HTTP
- Many proxies are multipurpose proxies
- HTTP, HTTPS, FTP, etc.
Application proxies
• An “internal proxy”
• Commonly used to protect and control user access to the Internet
Forward Proxy
• Inbound traffic from the Internet to your internal service
Reverse Proxy
• A third-party, uncontrolled proxy
• Can be a significant security concern
• Often used to circumvent existing security controls
Open Proxy
• Intrusion Detection System / Intrusion Prevention System
– Watch network traffic
• Intrusions
– Exploits against operating systems, applications, etc.
– Buffer overflows, cross-site scripting, other vulnerabilities
• Detection vs. Prevention
– Detection – Alarm or alert
– Prevention – Stop it before it gets into the network
NIDS and NIPS
• Examine a copy of the traffic
– Port mirror (SPAN), network tap
• No way to block (prevent) traffic
Passive monitoring
• When malicious traffic is identified,
– IPS sends TCP RST (reset) frames
– After-the-fact
– Limited UDP response available
Out-of-band-response
• IDS/IPS sits physically inline
– All traffic passes through the IDS/IPS
Inline monitoring
• Malicious traffic is immediately identified
– Dropped at the IPS
– Does not proceed through the network
In-band response
• Signature-based
– Look for a perfect match
• Anomaly-based
– Build a baseline of what’s “normal”
• Behavior-based
– Observe and report
• Heuristics
– Use artificial intelligence to identify
Identification technologies
• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– Offload that CPU overhead from other devices
• Used in large environments
– Clusters, redundant power
Hardware Security Module (HSM)
• Access secure network zones
– Provides an access mechanism to a protected network
• Highly-secured device
– Hardened and monitored
• SSH / Tunnel / VPN to the jump server
– RDP, SSH, or jump from there
• A significant security concern
– Compromise to the jump server is a significant breach
Jump server
• Aggregate information from network devices
– Built-in sensors, separate devices
– Integrated into switches, routers, servers, firewalls, etc.
• Sensors
– Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
• Collectors
– Proprietary consoles (IPS, firewall)
– SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare diverse sensor data
Sensors and collectors