8 - 2: Secure Networking Design Flashcards
Firewalls
Group systems into network segments
Three network interfaces of border firewalls
Exterior internet,
First border
Between the protected interior network and the outside internet. Only allows traffic screened against security policy
Second border
Connects to org intranet, subdividing systems based on use, including endpoints, guest access, devices, etc.
Third border
Connects to the DMZ
DMZ
Demilitarized zone, where org systems that must connect with the outside internet, such as email, are kept secured. Provides an extra layer of containment in case they are compromised, given the extra risk they face. Also called a screened subnet
Zero trust
A newer approach replacing the DMZ method, where systems do not gain special privileges based on network location
Extranets
Special intranet segments that allow outsiders access for maintenance and support
Honeynets
Decoy networks security teams use to attract attackers to study their behavior and capability
Ad hoc networks
Temporary networks that emerge outside typical security design, typically for use on a certain project or use case
East-West traffic
Network traffic between systems in a data center
North-South traffic
Network traffic between data centers and the internet
Virtual LANs
Systems grouped together logically regardless of their physical location
VLAN steps
1) enable VLAN trunking to allow switches in different locations to carry the same VLANs 2) configure each switch port to connect to the appropriate VLAN
Where are firewalls placed?
Wherever a boundary is intended
Network data collectors
Network taps, port mirrors
Network data collector placement
Placed on the segment they are intended to collect data from
Aggregation / distribution switches
Connect downstream access switches to each other
Port mirroring
Allows traffic monitoring on a single switchport
Security Information and Event Management
Collects all kinds of data, including network data, and aggregates it. Best practice is to minimize the distance between the point of collection and where the record is stored
Protection tools
Proxy servers and content filters
Protection tool placement
Within the DMZ
Correlation engine
Sensitive device that should be kept on a protected network
VPN concentrators
Aggregate inbound network connections from users, including remote access
VPN concentrator placement
Commonly on their own VLAN. Can place separate concentrators on VLANs and have them align to a directory, directing remote users based on their identity or role
SSL accelerators
Handle the core of the TLS cryptography work, so the web server can devote its resources to serving web content
Load balancers
Allocate inbound traffic across available web servers to maintain consistency
SSL accelerator and Load Balancer location
Within the DMZ
DDOS
Distributed Denial of Service, where a service is flooded with illegitimate traffic to block access
DDOS mitigation placement
As close to the internet connection as possible
Software-defined Networking
Allows network admins to treat the functionality and implementation details of a network as separate and distinct functions
Network management planes
Control plane and data plane
Control plane
Routing and switching decisions
Data plane
Carrying out the instructions of the control plane
SDN role
Separate control and data planes, and coordinate how each router and switch makes decisions. This makes the network programmable
SDN security benefits
1) granular control 2) quicker responses
SDN security risks
1) makes it more complex 2) requires stronger access control