Chapter 7 Flashcards
Layered Security
This means that each layer of security includes additional protections that help prevent a hole or flaw in another layer from allowing an attacker in.
Physical Segmentation
Involves running on separate physical infrastructure or networks.
System Isolation
Is handled by ensuring that the infrastructure is separated, and can go as far as using an air gap.
Air Gap
Ensures that there is no connection at all between the infrastructures.
Virtual Segmentation
Takes advantage of virtualization capabilities to separate functions to virtual machines or containers, although some implementations of segmentation for virtualization also run on separate physical servers in addition to running separate virtual machines.
Network Segmentation
(or compartmentalization) is a common element of network design. It provides a number of advantages:
The number of systems that are exposed to attackers (commonly called the organization's attack surface) can be reduced by compartmentalizing systems and networks.
It can help to limit the scope of regulatory compliance efforts by placing the systems, data, or unit that must be compliant in a more easily maintained environment separate from the rest of the organization.
In some cases, segmentation can help increase availability by limiting the impact of an issue or attack.
Segmentation is used to increase the efficiency of a network. Larger numbers of systems in a single segment can lead to network congestion, making segmentation attractive as networks increase in size.
Jump box
Which is a system that resides in a segmented environment and is used to access and manage the devices in the segment where it resides. Jump boxes span two different security zones and should thus be carefully secured, managed, and monitored.
Product Diversity
(using products from multiple vendors) is sometimes used to create an additional layer of security. The intent of using diverse products is to eliminate a single point of failure by ensuring that a vulnerability or design flaw found in one product does not make an entire network or system vulnerable to exploit. For example, in a network design, this might mean using Juniper border routers, Cisco core routers, and Palo Alto security devices. If a vulnerability existed in the Cisco core routers, the other devices would be less likely to suffer from the same issue, meaning that attackers should not be able to exploit them, thus potentially limiting the impact of an attack.
VPNs
Although VPNs do not technically have to provide an encryption layer to protect the traffic they carry, almost all modern implementations will use encryption while providing a secure connection that makes a remote network available to a system or device.
Physical Network Architecture
Is composed of the routers, switches, security devices, cabling, and all the other network components that make up a traditional network. You can leverage a wide range of security solutions on a physical network, but common elements of a security design include the following: Firewalls; IPSs and IDSs; Content filtering and caching devices; NAC; Network scanners; UTM
Firewalls
Control traffic flow between networks or systems.
IPSs & IDSs
IPS - Which can detect and stop attacks
IDS - Which only alarm or notify when attacks are detected
Content Filtering and caching devices
Used to control what information passes through to protected devices
Network Access Control (NAC)
Technology that controls which devices are able to connect to the network and which may assess the security state of devices or require other information before allowing a connection.
Network Scanners
That can identify systems and gather information about them, including the services they are running, patch levels, and other details about the systems.
Unified Threat Management (UTM)
Devices that combine a number of these services often including firewalls, IDSs/IPSs, content filtering, and other security features.
Software-Defined Networking (SDN)
Makes networks programmable. Using SDN, you can control networks centrally, which allows management of network resources and traffic with more intelligence than a traditional physical network infrastructure. Software-defined networks provide information and control via APIs (application programming interfaces) like OpenFlow, which means that network monitoring and management can be done across disparate hardware and software vendors.
Virtualization
Uses software to run virtual computers on underlying real hardware.
Virtual Desktop Infrastructure (VDI)
Which runs desktop operating systems such as Windows 10 on central hardware and streams the desktops across the network to client systems.
Containerization
Provides an alternative to virtualizing an entire system, and instead permits applications to be run in their own environment with their own required components, such as libraries, config files, and other dependencies, in a dedicated container.
Serverless
Computing in a broad sense describes cloud computing, but much of the time when the term is used currently it describes a technology called FaaS (function as a service). Serverless computing relies on a system that executes functions as they are called.
Asset Management
Securing assets effectively requires knowing what assets you have and what their current state is. These paired requirements drive organizations to implement asset management tools and processes.
Asset Tagging
Can help discourage theft, help identify systems more easily, and make day-to-day support work easier for support staff, who can quickly look up a system or device in an asset inventory list to determine what it is, who the device was issued to, and what its current state should be.