Ch8 - 8.03 - Network Design and Administration Principles Flashcards
Physical Segmentation - Multiple Collision Domains
If your goal is to have multiple collision domains, then you can segment the traffic by using a bridge, switch, or router. Each interface on each of these devices creates a collision domain, which is a group of systems that can have their data collide with one another. Each of these collision domains is also known as a network segment, with the security benefit being that a hacker monitoring traffic while on a network segment by default can capture only traffic on that segment.
Physical Segmentation - Multiple Broadcast Domains
If you want to control how far your broadcast messages go on the network, you can use routers to break the network into multiple broadcast domains. The benefit of breaking the network into multiple broadcast domains with routers is that you can then use access control lists on the routers to control what traffic can enter or leave each of the networks.
Virtual LANs
If you wanted to create communication boundaries by dividing your network into different broadcast domains without using multiple routers, you could do so by using virtual LANs (VLANs) on a network switch. You learned in Chapter 1 that once a system is connected to a port on a switch that is part of a particular VLAN, the system cannot communicate with systems in other VLANs unless a router is used to route the data from one VLAN to another VLAN.
Air Gaps
Air gap, in the context of network segmentation, is a conceptual term meaning there is no connection point between two networks. For example, in highly secure environments, there may be a secret network and a nonsecret network. Due to the sensitivity of the secret network, there is to be no physical connection linking the two networks, thus creating an air gap.
Network Address Translation (NAT) Overloading
All clients inside the network access the Internet using one public address assigned to the public interface of the NAT device. The NAT device not only translates the private IP address to a public IP address, but it translates the port address information as well. This is known as port address translation (PAT) and is used so that the NAT device can track each different client request over the one public address.
Static NAT
Static NAT is when a single public IP address on the NAT device is mapped to a single private address inside the network. This is typically used to handle inbound requests to a server in the DMZ that the company is publishing to the Internet, such as a web site or FTP site.
Network Access Control (NAC)
Network access control (NAC) is a very hot technology today and allows you to control who gains access to a wired or wireless network based on the state of the connecting system. With network access control, you can specify conditions that a system must meet to gain access to the network. If those conditions are not met, you can then redirect the user to a restricted network from which they can remedy (set right) their system.
For example, you may require that for a system to connect to the network, it must have antivirus software installed, with the antivirus definitions up to date. You may also require that the system have a personal firewall enabled. If any of these conditions are not met, the NAC system then places the client on a restricted network where they can typically apply patches, or in this case, perform an update of the virus definitions.
When connected to the restricted network, the client has no access to network resources because communication to the private company network from the restricted network is controlled.
NAC Concepts/Scenarios
- Connecting to wireless/wired
- Patch status
- Connecting to a switch
- Agent vs. agentless
- Permanent vs. dissolvable
- Host health check
Data Loss Prevention (DLP)
Organizations today are looking for ways to implement data loss prevention (DLP) solutions, which are designed to prevent data leaking outside the organization. DLP involves a number of security controls to ensure that data is not leaked outside the organization either intentionally or accidentally.
Mail Gateway
The mail gateway is the device or server that is placed in your DMZ that sends and receives e-mail for your organization. When people on the Internet send e-mail to employees within your organization, the mail is directed to the mail gateway within the DMZ. At this point, the mail gateway should do a virus scan and spam filter check on the message to ensure the message is a valid message clean of any viruses. Once the message passes the virus check and the spam filter, the mail gateway then forwards the message to your internal mail server. Keep in mind there is typically a firewall between the DMZ and the internal network, so you will need to configure a rule on this firewall to allow mail traffic from the mail gateway to the internal mail server only.
IPSec
IP Security, typically called IPSec, is a protocol that provides different security features depending on how it is configured. IPSec can provide three different security services:
- Authentication
- Integrity
- Confidentiality
IPSec - Protocols
- ESP: The Encapsulating Security Payload protocol can provide all three services of authentication, integrity, and confidentiality.
- AH: The Authentication Header protocol only provides authentication and integrity services. It cannot be used to encrypt the IP packet.
- IKE: The Internet Key Exchange protocol is used to set up a security association (SA) between two parties. The SA is a unidirectional secure channel, so if the two parties want to send data to each other, typically two SAs are established, one for each direction. The IKE protocol is also the key management protocol for IPSec that allows the parties to exchange encryption keys.
IPSec - Transport vs. Tunnel Mode
IPSec can be configured to run in either transport mode or tunnel mode.
Transport mode is used for host-to-host encryption, meaning that if two systems want to encrypt communication between them, they run in transport mode.
If you wish to encrypt communication from all systems on one network with all systems on another network, then you can configure IPSec for tunnel mode. The benefit of tunnel mode is each client system, or host, does not need to have IPSec configured; you simply configure IPSec on the gateways to each of the networks.
VPN - Full Tunnel
Full tunnel is the traditional implementation in which a user launches VPN software from a remote network, such as their home network, to create an encrypted tunnel between their system and the corporate network VPN server. One of the problems users experience with full tunnel is that they cannot access any resources on the LAN they are connected to (in this case, the home network); for example, if they want to print to their home printer, they cannot because technically once the VPN connection is made, the user is on the corporate network and can access only those resources.
VPN - Split Tunnel
Split tunnel is a VPN feature that allows the user to access the corporate network through the secure VPN tunnel after the VPN software has been launched, but retain the capability to access LAN resources. The split tunnel feature can specify which destination systems are to have their traffic delivered through the tunnel and which traffic stays on the LAN. This is known as split-include tunnel.