3.3 Secure Network Designs

Question 1

Define East-West traffic

Answer 1

Network communication between devices in same data center or LAN

Question 2

Define North-South traffic

Answer 2

Network communication between local devices and WAN or extranet

Question 3

Define concept of zero-trust

Answer 3

Often internal network communication is less protected external communication. Zero-trust is placing the same authentication, encryption, etc policies that would be used for in-bound external network traffic

Question 4

Define VPN concentrator

Answer 4

Device that handles encrypting/decrypting VPN traffic, can be a stand-alone device or often integrated into another device like a firewall

Question 5

Define SSL VPN and 3 advantages of using it

Answer 5

1. VPN that uses SSL and port 443 since it is commonly an open port
2. VPN connectivity is always-on when the computer is started
3. Simple to implement and manage, doesn’t require digital certs
4. Often user can connect with just a password, multi-factor auth for more security

Question 6

Define HTML5 for VPN

Answer 6

HTML5 can be used to implement SSL VPN connectivity by simply opening the browser
*browser must support HTML5

Question 7

Distinguish between full & split tunnel VPN

Answer 7

Full-tunnel VPN: all traffic goes through the VPN concentrator first
Split-tunnel VPN: can designate some traffic to use VPN and others not, i.e. corporate network access goes through VPN, but web browsing traffic does not

Question 8

What does IPSec provide? (3)

Answer 8

1. Encryption/Confidentiality
2. Authentication
3. Anti-replay protection via digitally signed packets

Question 9

Define L2TP

Answer 9

Layer 2 Tunneling Protocol - connects 2 networks together as though they are a single network

Question 10

2 ways to secure DNS

Answer 10

1. DNSSEC - requires PKI
   2.DNS sinkhole

Question 11

Define NAC (3)

Answer 11

1. Network Access Control
2. Screens devices to determine if they should be allowed to the network or not, often allows to devices to connect to a limited network for remediation (quarantine)
3. Agent-based or agentless

Question 12

Define Agent-based NAC (2)

Answer 12

1. Software that is installed on devices to perform NAC verification
2. Can be persistent or dissolvable

Question 13

Define persistent and dissolvable agent-based NAC

Answer 13

1. Persistent - permanently installed on the device
2. Dissolvable - downloads to device upon connection and then is terminated after running

Question 14

Disadvantages of persistent agent-based NAC

Answer 14

Has to be maintained and updated on every device

Question 15

Define agentless NAC

Answer 15

Often integrated into the OS and runs automatically when system accesses network

Question 16

Disadvantage of agentless NAC

Answer 16

Inability to schedule regular health checks or scans for device compliance

Question 17

Define out-of-band management

Answer 17

Creation of a separate network, often with remote access, to manage infrastructure devices

Question 18

Broadcast storm what protocol is vulnerable to this and how to mitigate/prevent it

Answer 18

1. IPv4 is vulnerable to this, IPv6 uses multicast instead
2. Can use VLANs/network segmentation
3. Managed switches allowing setting limits for broadcast traffic

Question 19

Define BPDU guard

Answer 19

1. BDPU is Protocol used by Spanning Tree Protocol (STP) to prevent loops
2. Configured at the switch port level to monitor for BPDU packet transmissions from plugged in device and disables the port if BPDU is detected

Question 20

Define DHCP snooping

Answer 20

Layer 2 security integrated into switches to block rogue DHCP servers

Question 21

Other than DHCP snooping, how to prevent rogue DHCP servers

Answer 21

Configuring switch ports as untrusted blocks DHCP traffic

Question 22

Define MAC filtering (2)

Answer 22

1. Only allowing devices with known MAC addresses to be connected to the network
2. Not the best security because valid MAC addresses can be easily collected and then a device can spoof its MAC address

Question 23

Define jump server

Answer 23

A single device that is hardened and used only to provide external VPN/SSH access in order to allow management of other internal network devices

Question 24

Define forward proxy

Answer 24

Used to control internal access to the Internet

Question 25

Define reverse proxy

Answer 25

Used to filter external access to internal resources

Question 26

3 common uses of proxy servers

Answer 26

1. Caching
2. Authentication to control Internet access
3. URL Filtering/Content scanning

Question 27

Define NIDS/NIPS and 2 implementation methods

Answer 27

1. Network-based Intrusion Detection/Prevention System
2. Can be placed inline to actively review all network traffic and block malicious traffic
3. Can be placed on a switch port that mirrors network traffic to it for passive monitoring and then alert admins upon malicious detections

Question 28

Signature based detection in NIDS/NIPS

Answer 28

Identifies malicious traffic based on exact matches to known signatures

Question 29

Heuristic/Behavior based detection in NIDS/NIPS

Answer 29

Identifies malicious traffic based on what it is trying to do

Question 30

Anomaly based detection in NIDS/NIPS

Answer 30

Learns what normal network traffic is and then takes action upon detection of anomalies from this

Question 31

Example of Hardware Security Module (HSM)

Answer 31

TPM

Question 32

Define stateless firewall (3)

Answer 32

1. Can only allow/block traffic based on source/destination IP address, port #, TCP/UDP
2. To allow full request/response, 2 rules must be defined
3. Not very common

Question 33

Define stateful firewall

Answer 33

1. Extends stateless firewall by adding intelligence about sessions
2. i.e. only 1 rule needs to be added to deny/allow requests, the response will be allowed since the request initiated a session
3. Most common firewall

Question 34

Define UTM

Answer 34

1. Unified Threat Management
2. A device that combines a combination of security functions, such as firewall, routing, VPN, IDS/IPS, into a single devices

Question 35

Define Web Application Firewall (WAF) (2)

Answer 35

1. A firewall designed specifically to secure HTTP/HTTPS communications to a web server
2. Can monitor input and detect SQL Injection for example

Question 36

Define Sensors & Collectors (2)

Answer 36

1. Sensor collects information, such as logs, from a device and forwards it to a collector for analysis
2. SIEM is an example of a collector