8 - 2: Secure Networking Design

Question 1

Firewalls

Answer 1

Group systems into network segments

Question 2

Three network interfaces of border firewalls

Answer 2

Exterior internet,

Question 3

First border

Answer 3

Between the protected interior network and the outside internet. Only allows traffic screened against security policy

Question 4

Second border

Answer 4

Connects to org intranet, subdividing systems based on use, including endpoints, guest access, devices, etc.

Question 5

Third border

Answer 5

Connects to the DMZ

Question 6

DMZ

Answer 6

Demilitarized zone, where org systems that must connect with the outside internet, such as email, are kept secured. Extra layer in case of their compromise, considering the extra risk they face. Also called a screen sub-layer

Question 7

Zero trust

Answer 7

A newer approach replacing the DMZ method, where systems do not gain special privileges based on network location

Question 8

Extranets

Answer 8

Special intranet segments that allow outsiders access for maintenance and support

Question 9

Honeynets

Answer 9

Decoy networks security teams use to attract attackers to study their behavior and capability

Question 10

Ad hoc networks

Answer 10

Temporary networks that emerge outside typical security design, typically for use on a certain project or use case

Question 11

East-West traffic

Answer 11

Network traffic between systems in a data center

Question 12

North-South traffic

Answer 12

Network traffic between data centers and the internet

Question 13

Virtual LANs

Answer 13

Logically grouped together systems regardless of where they are located

Question 14

VLAN steps

Answer 14

1) enable VLAN trunking to allow switches in different locations to carry the same VLANs 2) configure each switchboard to connect to the appropriate VLAN

Question 15

Where are firewalls placed?

Answer 15

Wherever a boundary is intended

Question 16

Network data collectors

Answer 16

Network taps, port mirrors

Question 17

Network data collector placement

Answer 17

Placed on the segment they are intended to collect data from

Question 18

Aggregation / distribution switches

Answer 18

Connect downstream access switches to each other

Question 19

Port mirroring

Answer 19

Allows traffic monitoring on a single switchport

Question 20

Security Information and Event Management

Answer 20

Collects all kinds of data, including network data, and aggregates it. Best practice is to minimize distance between collection and record

Question 21

Protection tools

Answer 21

Proxy servers and content filters

Question 22

Protection tool placement

Answer 22

Within the DMZ

Question 23

Correlation engine

Answer 23

Sensitive device that should be kept on a protected network

Question 24

VPN concentrators

Answer 24

Aggregate inbound network connections from users, including remote access

Question 25

VPN concentrator placement

Answer 25

Commonly on their own VLAN. Can place separate concentrators on VLANs and have them align to a directory, directing remote users based on their identity or role

Question 26

SSL accelerators

Answer 26

Handle the core of TLS cryptography work, so the web server can commit to web content

Question 27

Load balancers

Answer 27

Allocate inbound traffic across available web servers to maintain consistency

Question 28

SSL accelerator and Load Balancer location

Answer 28

Within the DMZ

Question 29

DDOS

Answer 29

Distributed Denial of Service, where a service is flooded with illegitimate traffic to block access

Question 30

DDOS mitigation placement

Answer 30

As close to the internet connection as possible

Question 31

Software-defined Networking

Answer 31

Allows network admins to treat the functionality and implementation details of a network as separate and distinct functions

Question 32

Network management planes

Answer 32

Control plane and data plane

Question 33

Control plane

Answer 33

Routing and switching decisions

Question 34

Data plane

Answer 34

Carrying out the instructions of the control plane

Question 35

SDN role

Answer 35

Separate control and data planes, and coordinate how each router and switch makes decisions. This makes the network programmable

Question 36

SDN security benefits

Answer 36

1) granular control 2) quicker responses

Question 37

SDN security risks

Answer 37

1) makes it more complex 2) requires stronger access control