3.3 Secure Network Designs Flashcards
Define East-West traffic
Network communication between devices in same data center or LAN
Define North-South traffic
Network communication between local devices and WAN or extranet
Define concept of zero-trust
Internal (east-west) traffic is often far less protected than traffic arriving from outside. Zero trust removes that distinction: every request is authenticated, authorised and encrypted regardless of where it originates, applying to internal traffic the same policies that would be applied to inbound external traffic
Define VPN concentrator
Device that handles encrypting/decrypting VPN traffic, can be a stand-alone device or often integrated into another device like a firewall
Define SSL VPN and 3 advantages of using it
- VPN that runs over SSL/TLS on TCP port 443, a port almost every firewall already allows outbound
- Can be configured as always-on, connecting as soon as the computer starts
- Simple to implement and manage; the client needs no digital certificate or pre-shared key of its own, unlike IPsec (the concentrator still presents a server certificate)
- Often users connect with just a password, so add multi-factor authentication for more security
Define HTML5 for VPN
HTML5 can be used to provide clientless SSL VPN connectivity: the user simply opens a browser and the VPN portal runs inside it, with no separate VPN client installed
*browser must support HTML5
Distinguish between full & split tunnel VPN
Full-tunnel VPN: all traffic from the client, Internet-bound traffic included, goes through the VPN concentrator first
Split-tunnel VPN: only designated traffic uses the VPN, i.e. corporate network access goes through the tunnel but web browsing traffic goes straight out; that browsing traffic therefore bypasses the corporate security controls
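The two routing tables below, as an added example that is not part of the original flashcards, show how a client actually implements the full/split decision: it is nothing more than the route table, with longest-prefix match picking the interface per destination. Interface names (eth0, tun0), the corporate prefixes and the concentrator address are assumptions for illustration.

```python
import ipaddress

# Constructed example: a laptop with a physical interface "eth0" and a VPN
# interface "tun0". Prefixes and the concentrator address are assumptions.
CORPORATE_NETS = ["10.0.0.0/8", "192.168.100.0/24"]
CONCENTRATOR = "203.0.113.7/32"

FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),     # everything goes through the VPN concentrator
    (CONCENTRATOR, "eth0"),    # except the tunnel's own outer packets (avoids a loop)
]

SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0"),     # Internet traffic leaves directly, uninspected
] + [(net, "tun0") for net in CORPORATE_NETS]  # only corporate prefixes use the VPN


def select_interface(dst_ip, routes):
    """Longest-prefix match, the rule every IP stack uses to choose a route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(dst_ip):
    """Return (interface under full tunnel, interface under split tunnel)."""
    return (select_interface(dst_ip, FULL_TUNNEL_ROUTES),
            select_interface(dst_ip, SPLIT_TUNNEL_ROUTES))


if __name__ == "__main__":
    for dst in ["10.1.2.3", "192.168.100.20", "93.184.216.34", "203.0.113.7"]:
        full, split = classify(dst)
        print(f"{dst:16} full-tunnel -> {full:5}  split-tunnel -> {split}")
```

The /32 route for the concentrator is the detail people forget when building a full tunnel by hand: without it the encrypted packets to the concentrator would themselves be routed into the tunnel.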
What does IPSec provide? (3)
- Encryption/Confidentiality (ESP)
- Authentication and integrity of each packet, via an integrity check value (typically an HMAC) in AH or ESP
- Anti-replay protection via a sequence number in every packet and a sliding window on the receiver, not via digitally signed packets
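The receiver logic below is an added example, not code from the original flashcards, showing how the integrity and anti-replay services fit together: a sequence number and a truncated HMAC are appended to each packet, and the receiver keeps a 64-entry sliding window in the style of RFC 4303 section 3.4.3. The key, packet layout and window size are assumptions for illustration; a real ESP implementation also encrypts the payload and derives the key from IKE.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in IPsec the integrity key comes from the IKE exchange.
INTEGRITY_KEY = b"constructed-demo-integrity-key"
ICV_LEN = 16  # ESP truncates its integrity check value; 16 bytes is assumed here


def build_packet(seq, payload):
    """Sender: 32-bit sequence number || payload || ICV computed over both."""
    header = struct.pack("!I", seq)
    icv = hmac.new(INTEGRITY_KEY, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class AntiReplayReceiver:
    """Receiver-side sliding window: accept new or late-but-unseen packets once."""
    WINDOW = 64

    def __init__(self):
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already accepted

    def receive(self, packet):
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        (seq,) = struct.unpack("!I", header)
        # 1. Cheap replay check first, without touching the window yet.
        if seq == 0:
            return "drop: sequence 0 is never valid"
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= self.WINDOW:
                return "drop: too old (outside window)"
            if (self.bitmap >> offset) & 1:
                return "drop: replay"
        # 2. Integrity check; a forged packet must never move the window.
        expected = hmac.new(INTEGRITY_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "drop: bad ICV"
        # 3. Only an authenticated packet updates the window.
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.WINDOW) - 1
            self.bitmap = 1 if shift >= self.WINDOW else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"


def run_demo():
    """Feed a constructed sequence of packets and return the receiver's verdicts."""
    rx = AntiReplayReceiver()
    p1, p2, p3, p4 = (build_packet(n, b"payload") for n in (1, 2, 3, 4))
    tampered = p4[:4] + b"PAYLOAD" + p4[-ICV_LEN:]  # fresh sequence, altered body, old ICV
    return [
        rx.receive(p1),                       # accept
        rx.receive(p3),                       # accept (2 is merely late)
        rx.receive(p2),                       # accept (late but inside the window)
        rx.receive(p2),                       # drop: replay
        rx.receive(tampered),                 # drop: bad ICV
        rx.receive(build_packet(100, b"x")),  # accept, window slides forward
        rx.receive(build_packet(30, b"x")),   # drop: too old
        rx.receive(build_packet(40, b"x")),   # accept (offset 60 < 64)
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The ordering matters: the replay check runs before the HMAC so that floods of duplicates are rejected cheaply, but the window is advanced only after the ICV verifies, otherwise an attacker could inject a packet with a huge sequence number and push every legitimate packet outside the window.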
Define L2TP
Layer 2 Tunneling Protocol - connects two networks together as though they were a single network. L2TP provides the tunnel but no encryption of its own, so it is normally paired with IPsec (L2TP/IPsec)
2 ways to secure DNS
- DNSSEC - digitally signs DNS records so a resolver can verify their origin and integrity (relies on public-key cryptography and a signed chain of trust; it does not encrypt queries)
- DNS sinkhole - the resolver answers queries for known-malicious domains with a controlled address, so infected hosts never reach the real destination and the attempts are logged
Define NAC (3)
- Network Access Control
- Screens devices to determine whether they should be allowed onto the network; often lets non-compliant devices connect to a limited network for remediation (quarantine)
- Agent-based or agentless
Define Agent-based NAC (2)
- Software that is installed on devices to perform NAC verification
- Can be persistent or dissolvable
Define persistent and dissolvable agent-based NAC
- Persistent - permanently installed on the device
- Dissolvable - downloads to device upon connection and then is terminated after running
Disadvantages of persistent agent-based NAC
Has to be maintained and updated on every device
Define agentless NAC
Often integrated into the OS or the directory login process, so checks run automatically when the system accesses the network (e.g. at login and logoff) with no software to install
Disadvantage of agentless NAC
Inability to schedule regular health checks or scans for device compliance
Define out-of-band management
Creation of a separate network, often with remote access, to manage infrastructure devices
Broadcast storm what protocol is vulnerable to this and how to mitigate/prevent it
- IPv4 is vulnerable to this (IPv6 has no broadcast and uses multicast instead); a storm is usually caused by a switching loop that forwards broadcast frames endlessly
- Spanning Tree Protocol (STP) blocks redundant paths so loops cannot form
- VLANs/network segmentation shrink each broadcast domain
- Managed switches allow setting limits (storm control) for broadcast traffic
Define BPDU guard
- BPDU (Bridge Protocol Data Unit) is the frame exchanged by Spanning Tree Protocol (STP) to detect and prevent loops
- Configured at the switch port level on ports where end devices plug in; only switches should send BPDUs, so if one arrives on such a port the port is disabled, stopping a rogue or accidentally connected switch from changing the STP topology
Define DHCP snooping
Layer 2 security feature integrated into switches that inspects DHCP messages and blocks rogue DHCP servers; it also records the IP-to-MAC-to-port bindings it observes, which other switch protections (dynamic ARP inspection, IP source guard) rely on
How does DHCP snooping decide what to block
Switch ports are marked trusted (uplinks and the port leading to the legitimate DHCP server) or untrusted (everything else, the default); DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, while client messages (DISCOVER, REQUEST) still pass
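The simulation below is an added example, not code from the original flashcards, of the DHCP snooping cards above: it parses the DHCP message-type option (option 53) from constructed packets and applies the trusted/untrusted port rule. Port names (Gi0/24, Gi0/5) and the packets are assumptions built inline for illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # only a DHCP server sends these
CLIENT_MESSAGES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}


def build_dhcp(op, msg_type, xid=0x3903F326):
    """Constructed minimal DHCP payload: 236-byte fixed header, magic cookie,
    option 53 (message type) and the end option. op=1 is a request, op=2 a reply."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def dhcp_message_type(payload):
    """Walk the option list and return the option-53 value, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 0:            # pad option, single byte
            i += 1
            continue
        if tag == 255:          # end of options
            break
        if i + 1 >= len(payload):
            break               # truncated option, treat as malformed
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


class SnoopingSwitch:
    """Ports default to untrusted; only listed ports may carry DHCP server replies."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)

    def ingress(self, port, payload):
        mtype = dhcp_message_type(payload)
        if mtype is None:
            return "forward"    # not DHCP, snooping does not care
        if mtype in SERVER_MESSAGES and port not in self.trusted:
            return f"drop: DHCP {SERVER_MESSAGES[mtype]} from untrusted port {port}"
        name = SERVER_MESSAGES.get(mtype) or CLIENT_MESSAGES.get(mtype, str(mtype))
        return f"forward DHCP {name}"


def run_demo():
    """Assumed topology: uplink Gi0/24 leads to the real DHCP server, Gi0/5 is an access port."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/24"])
    return [
        sw.ingress("Gi0/5", build_dhcp(1, 1)),    # client DISCOVER on an access port
        sw.ingress("Gi0/24", build_dhcp(2, 2)),   # legitimate OFFER arriving via the uplink
        sw.ingress("Gi0/5", build_dhcp(2, 2)),    # rogue OFFER from an access port
        sw.ingress("Gi0/5", build_dhcp(2, 5)),    # rogue ACK from an access port
        sw.ingress("Gi0/5", b"not dhcp at all"),  # ordinary traffic is untouched
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Note that the decision is made on the message type, not on the UDP port alone: a client REQUEST and a server ACK both travel over DHCP's ports, and only the latter must be confined to trusted ports.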
Define MAC filtering (2)
- Only allowing devices with known MAC addresses to connect to the network
- Weak control: MAC addresses travel in the clear in every frame, so a valid one is easily captured and a device can then spoof it
Define jump server
A single hardened device (bastion host) that administrators reach over VPN/SSH and then use as the only path to manage other internal network devices; because it is the chokepoint for all administrative access it is a high-value target and must be hardened and monitored closely
Define forward proxy
Used to control internal access to the Internet
Define reverse proxy
Used to filter external access to internal resources
3 common uses of proxy servers
- Caching
- Authentication to control Internet access
- URL Filtering/Content scanning
Define NIDS/NIPS and 2 implementation methods
- Network-based Intrusion Detection/Prevention System
- Can be placed inline (NIPS) so all network traffic passes through it, letting it actively block malicious traffic
- Can be attached to a switch port that mirrors network traffic to it (SPAN/mirror port or network tap) for passive monitoring (NIDS), alerting admins upon malicious detections
Signature based detection in NIDS/NIPS
Identifies malicious traffic based on exact matches to known signatures
Heuristic/Behavior based detection in NIDS/NIPS
Identifies malicious traffic based on what it is trying to do rather than on an exact pattern, so variants of known attacks can still be caught
Anomaly based detection in NIDS/NIPS
Learns what normal network traffic is and then takes action upon detection of anomalies from this
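The three detection methods on the cards above, as an added example that is not part of the original flashcards, run over a handful of constructed access-log lines (format assumed: source, method, path, status, bytes). The signatures, the brute-force threshold, the baseline response sizes and the log lines are all assumptions for illustration.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): "src method path status bytes"
LOG_LINES = """\
10.0.0.5 GET /index.html 200 512
10.0.0.5 GET /about.html 200 480
10.0.0.9 GET /search?q=shoes 200 530
10.0.0.9 GET /search?q='%20OR%20'1'='1 200 540
198.51.100.7 POST /login 401 300
198.51.100.7 POST /login 401 300
198.51.100.7 POST /login 401 300
198.51.100.7 POST /login 401 300
198.51.100.7 POST /login 401 300
198.51.100.7 POST /login 401 300
10.0.0.12 GET /download?file=../../etc/passwd 404 200
10.0.0.5 GET /report.csv 200 48000
""".splitlines()

# Signature-based: exact patterns. The path is URL-decoded first, otherwise
# the %20-encoded injection would slip past the regex (a classic evasion).
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

# Anomaly-based: response sizes seen during a quiet "learning" period (assumed).
BASELINE_SIZES = [480, 512, 530, 540, 495, 505, 520, 515]


def parse(lines):
    events = []
    for line in lines:
        src, method, path, status, size = line.split()
        events.append({"src": src, "method": method, "path": unquote(path),
                       "status": int(status), "bytes": int(size)})
    return events


def signature_alerts(events):
    """Flag any request whose path matches a known-bad pattern."""
    return [(e["src"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["path"])]


def behaviour_alerts(events, max_failures=5):
    """Flag what the traffic is trying to do: repeated failed logins from one source."""
    failures = Counter(e["src"] for e in events
                       if e["path"] == "/login" and e["status"] == 401)
    return [(src, "login-brute-force") for src, n in failures.items() if n >= max_failures]


def anomaly_alerts(events, baseline=BASELINE_SIZES, sigmas=3):
    """Flag responses far larger than the learned baseline (mean + N standard deviations)."""
    threshold = statistics.mean(baseline) + sigmas * statistics.stdev(baseline)
    return [(e["src"], "oversized-response", e["path"]) for e in events if e["bytes"] > threshold]


def run_all(lines=LOG_LINES):
    events = parse(lines)
    return {"signature": signature_alerts(events),
            "behaviour": behaviour_alerts(events),
            "anomaly": anomaly_alerts(events)}


if __name__ == "__main__":
    for method, alerts in run_all().items():
        print(method, alerts)
```

Each method catches something the others miss: the signature engine never notices the brute force (every individual request looks normal), the behaviour rule never notices the traversal attempt, and only the anomaly baseline notices the oversized download.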
Example of Hardware Security Module (HSM)
A dedicated network appliance or plug-in card that generates, stores and uses cryptographic keys so they never leave tamper-resistant hardware; a TPM is the closely related chip on a motherboard that provides the same kind of protected key storage for a single platform rather than for a whole organisation
Define stateless firewall (3)
- Can only allow/block traffic based on the source/destination IP address, port number and protocol (TCP/UDP) of each packet, judged in isolation
- To allow a full request/response exchange, 2 rules must be defined, one per direction
- Not very common
Define stateful firewall
- Extends the stateless firewall by adding intelligence about sessions (a connection table)
- i.e. only 1 rule needs to be added to allow a request; the response is allowed automatically because the request created a session entry, and packets that match no session are dropped
- Most common firewall
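A small packet-filter simulation, added here as an example that is not part of the original flashcards, makes the stateless/stateful difference concrete: it shows why a stateless filter needs a second rule for the reply, why that second rule is dangerous, and how a connection table removes the need for it. The addresses, ports and rules are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the segment that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "any"             # CIDR prefix or "any"
    sport: Optional[int] = None  # None means any port
    dst: str = "any"
    dport: Optional[int] = None


def rule_matches(rule, pkt):
    def ip_ok(spec, ip):
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return (ip_ok(rule.src, pkt.src) and ip_ok(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))


def stateless_decide(rules, pkt):
    """Stateless: every packet is judged on its own header fields; default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful: the rule list is consulted only for connection-opening packets;
    every later packet is matched against the connection table in either direction."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # established (src, sport, dst, dport) tuples

    def decide(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "allow (established)"
        if not pkt.syn:
            return "deny (no session)"   # a "reply" that nothing inside asked for
        action = stateless_decide(self.rules, pkt)
        if action == "allow":
            self.flows.add(forward)
        return action


LAN = "192.168.1.0/24"   # assumed internal prefix for the demo


def run_demo():
    request = Packet("192.168.1.10", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "192.168.1.10", 51000)
    unsolicited = Packet("203.0.113.10", 443, "192.168.1.20", 3389)  # attacker picks sport 443

    one_rule = [Rule("allow", src=LAN, dport=443)]
    two_rules = one_rule + [Rule("allow", sport=443, dst=LAN)]   # the stateless "reply" rule
    stateful = StatefulFirewall(one_rule)
    probes = (request, reply, unsolicited)
    return {
        "stateless/1-rule": [stateless_decide(one_rule, p) for p in probes],
        "stateless/2-rules": [stateless_decide(two_rules, p) for p in probes],
        "stateful/1-rule": [stateful.decide(p) for p in probes],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:18} request={verdicts[0]:6} reply={verdicts[1]:6} unsolicited={verdicts[2]}")
```

The third probe is the point: the stateless reply rule has to admit anything with source port 443 bound for the LAN, which an attacker can trivially produce, whereas the stateful firewall admits the reply only because it remembers the request.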
Define UTM
- Unified Threat Management
- A single device that combines several security functions, such as firewall, routing, VPN and IDS/IPS
Define Web Application Firewall (WAF) (2)
- A firewall designed specifically to secure HTTP/HTTPS communications to a web server
- Can inspect request input and detect application-layer attacks such as SQL injection
Define Sensors & Collectors (2)
- Sensor collects information, such as logs, from a device and forwards it to a collector for analysis
- SIEM is an example of a collector