Given a scenario, implement secure network designs Flashcards

1
Q

Load balancing

A
Active/active
Active/passive
Scheduling
Virtual IP
Persistence

A load balancer distributes client requests across available server nodes in a farm or pool. This is used to provision services that can scale from light to heavy loads, and to provide mitigation against DDoS attacks. A load balancer also provides fault tolerance. If there are multiple servers available in a farm, all addressed by a single name/IP address via a load balancer, then if a single server fails, client requests can be routed to another server in the farm.

2
Q

Active/active

A

An active/active cluster means that all nodes process connections concurrently, so the administrator gets the maximum capacity from the available hardware while every node is functional. In the event of a failover, the workload of the failed node is immediately and transparently shifted onto the remaining nodes. During this time the load on the remaining nodes is higher and performance is degraded, so each node must be sized to absorb its share of a failed peer's work rather than run at full capacity in normal operation.

3
Q

Active/passive

A

In an active/passive cluster, one node is active and the other is passive: the passive node does nothing but monitor the active node (via a heartbeat) and take over if it fails. The major advantage of active/passive configurations is that performance is not adversely affected during failover, because the standby node was idle. However, the hardware and operating system licensing costs are higher because of the unused capacity.

4
Q

Scheduling

A

The scheduling algorithm is the code and metrics that determine which node is selected for processing each incoming request. The simplest type of scheduling is called round robin; this just means picking the next node in turn. Other methods include picking the node with the fewest active connections or the best response time. Each method can also be weighted, using administrator-set preferences, dynamic load information, or both.

The load balancer must also use some type of heartbeat or health check probe to verify whether each node is available and under load or not, and must stop scheduling onto a node that fails the probe. Layer 4 load balancers can only make basic connectivity tests (does the TCP port accept a connection?) while layer 7 appliances can test the application's state (does a specific URL return the expected response?), as opposed to only verifying host availability.

5
Q

Virtual IP

A

To make the load balancer itself fault tolerant, you might provision two load balancer appliances so that if one fails, the other can still handle client connections. Unlike load balancing with a single appliance, the public IP used to access the service is shared between the two instances in the cluster. This is referred to as a virtual IP or shared or floating address. The instances are configured with a private connection, on which each is identified by its "real" IP address. This connection runs some type of redundancy protocol, such as Common Address Redundancy Protocol (CARP), that enables the active node to "own" the virtual IP and respond to connections. The redundancy protocol also implements a heartbeat mechanism to allow failover to the passive node if the active one should suffer a fault. Because the redundancy protocol decides who answers for the shared address, it should run on a dedicated link or VLAN that untrusted hosts cannot reach.

6
Q

Persistence

A

In load balancing, the configuration option that keeps a client's requests on the same back-end server for the duration of the session. Also referred to as sticky sessions or session affinity. Persistence is typically implemented by source IP affinity or by a cookie the load balancer inserts, and is needed when the application stores session state locally on each server rather than in a shared store.
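The scheduling methods and the persistence option above can be seen working together in the following Python model of a load balancer. This is an added example written for this page, not code from the flashcards or from any load balancer product; the node names, weights, health states and client identifiers are constructed. It shows weighted round robin and least-connections selection, health-check exclusion of failed nodes, and sticky sessions that re-pin a client when the node it was pinned to fails.

```python
from dataclasses import dataclass


@dataclass
class Node:
    """One back-end server in the pool (constructed for this example)."""
    name: str
    weight: int = 1        # administrator-set preference
    healthy: bool = True   # result of the most recent health-check probe
    active_conns: int = 0  # dynamic load information


class LoadBalancer:
    def __init__(self, nodes, method="round_robin", persistence=False):
        self.nodes = nodes
        self.method = method
        self.persistence = persistence
        self._rr_index = 0
        self._sticky = {}  # client_id -> node name (sticky sessions)

    def _available(self):
        # Health check: a node that failed its probe is never scheduled.
        return [n for n in self.nodes if n.healthy]

    def _weighted_round_robin(self, pool):
        # Expand the pool by weight: a weight-2 node gets two slots per cycle.
        ring = [n for n in pool for _ in range(n.weight)]
        node = ring[self._rr_index % len(ring)]
        self._rr_index += 1
        return node

    def _least_connections(self, pool):
        # Favour the node with the fewest connections relative to its weight.
        return min(pool, key=lambda n: n.active_conns / n.weight)

    def pick(self, client_id):
        """Select the node that will serve this request."""
        pool = self._available()
        if not pool:
            raise RuntimeError("no healthy nodes in pool")
        node = None
        if self.persistence and client_id in self._sticky:
            # Persistence: keep the client on its original node while it is up.
            node = next((n for n in pool if n.name == self._sticky[client_id]), None)
            # If that node failed its health check, fall through and re-pin.
        if node is None:
            if self.method == "round_robin":
                node = self._weighted_round_robin(pool)
            elif self.method == "least_connections":
                node = self._least_connections(pool)
            else:
                raise ValueError(f"unknown scheduling method {self.method!r}")
        if self.persistence:
            self._sticky[client_id] = node.name
        node.active_conns += 1
        return node
```

Persistence trades even distribution for correctness when session state lives on one server; a client that has to be re-pinned after a failure loses that state, which is why a shared session store is preferred over sticky sessions where the application allows it.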

7
Q

Network segmentation

A
Virtual local area network (VLAN)
Screened subnet (previously known as demilitarized zone)
East-west traffic
Extranet
Intranet
Zero Trust

A network segment is one where all the hosts attached to the segment can use local (layer 2) forwarding to communicate freely with one another. The hosts are said to be within the same broadcast domain.

8
Q

Virtual local area network (VLAN)

A

Logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs). Any given switch port can be assigned to any VLAN in the same topology, regardless of the physical location of the switch. The segmentation enforced by VLANs at layer 2 can be mapped to logical divisions enforced by IP subnets at layer 3.

9
Q

Screened subnet (previously known as demilitarized zone)

A

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

A screened subnet uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall or router. The internal firewall filters communications between hosts in the DMZ and hosts on the LAN. This firewall is often described as the choke firewall. A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.

10
Q

East-west traffic

A

In computer networking, east-west traffic is traffic between devices within a data center (server to server, for example between a web tier and a database tier), as distinct from north-south traffic that crosses the perimeter between the data center and clients or the Internet. Because east-west traffic never passes the edge firewall, it is only inspected and controlled if the design segments the data center internally (VLANs, internal firewalls, or host-based controls).

11
Q

Extranet

A

An extranet is a controlled private network that allows limited access to partners, vendors, suppliers, or an authorized set of customers. It is typically hosted in its own segment or screened subnet so that partner access does not reach the intranet.

12
Q

Intranet

A

An intranet is a private network contained within an enterprise that is used to securely share company information and computing resources among employees. Access is restricted to authenticated employees, normally via a directory of authorized user accounts, and the intranet is not reachable from the Internet except through a VPN or another controlled gateway.

13
Q

Zero Trust

A

Security design paradigm in which no request is trusted because of where it comes from: every request (user to service, host to host, or container to container) must be authenticated and authorized against policy before being allowed, regardless of whether it originates inside or outside the network perimeter. In a zero trust design, being on the internal LAN or VLAN grants no implicit access, so segmentation is enforced per identity and per resource rather than per network location. NIST SP 800-207 describes the architecture.

14
Q

Virtual private network (VPN)

A
Always-on
Split tunnel vs. full tunnel
Remote access vs. site-to-site
IPSec
SSL/TLS
HTML5
Layer 2 tunneling protocol (L2TP)
15
Q

Always-on

A

Traditional remote access VPN solutions require the user to initiate the connection and enter their authentication credentials. An always-on VPN means that the computer establishes the VPN automatically whenever it has an Internet connection and is not already on the trusted corporate network (trusted network detection), authenticating with the user's cached credentials or a device certificate rather than prompting. The design goal is that the client never sends corporate traffic unprotected because a user forgot to connect; the trade-off is that a compromised device also gets a persistent path into the network, so always-on VPN is usually paired with device health checks (NAC).

16
Q

Split tunnel vs. full tunnel

A

Split tunnel: VPN configuration where only traffic for the private network is routed via the VPN gateway. The client accesses the Internet directly using its "native" IP configuration and DNS servers. This saves bandwidth at the gateway, but the client's Internet traffic bypasses corporate filtering and inspection while the client simultaneously has a path into the private network, and local DNS resolution can leak internal hostnames.

Full tunnel: VPN configuration where all traffic is routed via the VPN gateway. Internet access is mediated by the corporate network, which will alter the client's apparent IP address and DNS servers and may use a proxy. This gives consistent policy enforcement at the cost of gateway capacity and added latency for Internet-bound traffic.

17
Q

Remote access vs. site-to-site

A

Remote access: with a remote access VPN, clients connect to a VPN gateway on the edge of the private network. This is the "telecommuter" model, allowing home-workers and employees working in the field to connect to the corporate network. The VPN protocol establishes a secure tunnel so that the contents are kept private, even when the packets pass over ISPs' routers.

Site-to-site: a VPN can also be deployed in a site-to-site model to connect two or more private networks. Where remote access VPN connections are typically initiated by the client, a site-to-site VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on (for IPSec, the IKE negotiation). This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.

18
Q

IPSec

A

A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet.

Internet Protocol Security (IPSec) operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support. IPSec can provide both confidentiality (by encrypting the packet payload with the Encapsulating Security Payload, ESP) and integrity/anti-replay (each protected packet carries an integrity check value and a sequence number; the Authentication Header, AH, provides integrity only, without encryption). The main drawback is that it adds overhead to data communications. IPSec can be used to secure communications on local networks (transport mode, host to host) and as a remote access or site-to-site protocol (tunnel mode, where the whole original packet is encapsulated).

19
Q

SSL/TLS

A

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are protocols that protect data in transit between two systems, typically a client and a server (a browser and a shopping website) but also server to server (an application tier talking to a payroll service). The protocol authenticates the server (and optionally the client) using an X.509 certificate, negotiates session keys, and then encrypts and integrity-protects the application data so that an eavesdropper on the path can neither read it nor modify it undetected.

TLS is the updated, more secure version of SSL. All SSL versions and TLS 1.0/1.1 are deprecated and should be disabled; current deployments should use TLS 1.2 or 1.3. Certificates are still marketed as "SSL certificates", but a certificate is protocol-independent: it binds an identity to a public key (RSA or ECC; DSA is obsolete) and is used with whichever TLS version the endpoints negotiate.

In the VPN context, an SSL/TLS VPN (for example OpenVPN or a vendor's TLS-based remote access client) uses TLS to set up the tunnel and protect traffic, usually over TCP port 443, which makes it easier to pass through firewalls and NAT than IPSec.

20
Q

HTML5 VPN

A

Traditionally, remote desktop products require a client app. The canvas element introduced in HTML5 allows a browser to draw and update a desktop with relatively little lag. It can also handle audio. This is referred to as an HTML5 VPN or as a clientless remote desktop gateway (guacamole.apache.org). This solution also uses a protocol called WebSockets, which enables bidirectional messages to be sent between the server and client without requiring the overhead of separate HTTP requests. Because only a browser is needed, the gateway is the one place where authentication and session policy are enforced, so it is a high-value target and should be hardened and protected with multi-factor authentication.

21
Q

Layer 2 tunneling protocol (L2TP)

A

VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM. L2TP itself provides no confidentiality; it only encapsulates the PPP frames (UDP port 1701 over IP).

Internet Key Exchange version 1 (IKEv1), the original key-management protocol for IPSec, is optimized to ensure the mutual authentication of two peer hosts, such as in a site-to-site VPN. On its own, it does not provide a simple means for a client user account to authenticate to a remote network directory. Consequently, for remote access VPNs, a combination of IPSec with L2TP (L2TP/IPSec) is often used: IPSec in transport mode protects the L2TP packets between client and gateway, while the PPP session carried by L2TP handles user authentication (for example against a RADIUS or directory back end) and IP address assignment. IKEv2 later added EAP-based client authentication, which removes much of the need for L2TP.

22
Q

DNS

A

The Domain Name System (DNS) is the hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks. The resource records contained in the DNS associate domain names with other forms of information. Because almost every connection begins with a DNS lookup, a secure design controls which resolvers internal hosts may use (blocking direct outbound DNS except from approved resolvers), logs queries for detection, and validates responses with DNSSEC where available, since spoofed or poisoned answers redirect clients to attacker-controlled hosts.

23
Q

Network access control (NAC)

A

Agent and agentless

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

24
Q

Agent and agentless

A

Most NAC solutions use client software called an agent to gather information about the device, such as its antivirus and patch status, presence of prohibited applications, or anything else defined by the health policy. The agent can be persistent (installed permanently) or dissolvable (downloaded and run once, for example from a captive portal, then removed). Agentless NAC assesses the device without installed software, using what the network already exposes: 802.1X/RADIUS authentication attributes, MAC address and DHCP/HTTP fingerprinting, or vulnerability scans. It is less detailed but is the only option for printers, IoT devices, and guest machines that cannot run an agent.

25
Q

Out-of-band management

A

Out-of-band (OoB) network management is a concept that uses an alternate communication path (a dedicated management network, serial console server, or cellular link) to manage network infrastructure devices, separate from the path that carries user traffic. This isolation prevents compromised user devices or malicious network traffic from impacting network operations or compromising network infrastructure, and keeps management access available when the production network is down.

26
Q

Port security

A
Broadcast storm prevention
Bridge Protocol Data Unit (BPDU) guard
Loop prevention
Dynamic Host Configuration Protocol (DHCP) snooping
Media access control (MAC) filtering

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

27
Q

Broadcast storm prevention

A

Broadcast storm: traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.

Spanning Tree Protocol (STP). Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

STP is principally designed to prevent broadcast storms. Switches forward broadcast, multicast, and unknown unicast traffic out of all ports. If a bridged network contains a loop, broadcast traffic will travel through the network, get amplified by the other switches, and arrive back at the original switch, which will re-broadcast each incoming broadcast frame, causing an exponential increase (the storm), which will rapidly overwhelm the switches and crash the network.

28
Q

Bridge Protocol Data Unit (BPDU) guard

A

A threat actor might try to attack STP using a rogue switch or software designed to imitate a switch. When a switch does not know the correct port to use for a particular destination MAC address (if the cache has just been flushed, for instance), it floods the unknown unicast frame out to all ports. Topology changes in STP can cause a switch to flush the cache more frequently and to start flooding unicast traffic more frequently, which can have a serious impact on network performance and assists sniffing attacks.

The configuration of switch ports should prevent the use of STP over ports designated for client devices (access ports). An access port is configured with the portfast command to prevent STP changes from delaying client devices trying to connect to the port. Additionally, the BPDU Guard setting should be applied. This causes a portfast-configured port that receives a BPDU to become disabled (cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html). Bridge Protocol Data Units (BPDUs) are used to communicate information about the topology and are not expected on access ports, so BPDU Guard protects against misconfiguration or a possible malicious attack.

29
Q

Loop prevention

A

An Ethernet switch’s layer 2 forwarding function is similar to that of an older network appliance called a bridge. In a network with multiple bridges, implemented these days as switches, there may be more than one path for a frame to take to its intended destination. As a layer 2 protocol, Ethernet has no concept of Time To Live. Therefore, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely. Layer 2 loops are prevented by the Spanning Tree Protocol (STP). Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

30
Q

Dynamic Host Configuration Protocol (DHCP) snooping

A

A configuration option that enables a switch to inspect DHCP traffic on access ports, blocking rogue DHCP servers and building a binding table that other protections use to detect MAC and IP spoofing.

DHCP is the protocol that allows a server to assign IP address information to a client when it connects to the network. DHCP snooping inspects this traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address (the client hardware address inside the DHCP message must match the frame's source MAC). It also prevents rogue (or spurious) DHCP servers from operating on the network: server messages (OFFER, ACK, NAK) are only accepted from ports configured as trusted, typically the uplink towards the real server, and are dropped on untrusted access ports. The switch records each completed lease (IP, MAC, port, VLAN) in a DHCP snooping binding table. Additionally, dynamic ARP inspection (DAI), which can be configured alongside DHCP snooping, prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies. DAI validates ARP packets on untrusted ports against the binding table and ensures that they are validly constructed and use valid IP addresses; a reply claiming an IP that is bound to a different MAC or port is dropped.

31
Q

Media access control (MAC) filtering

A

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

Configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port. This can be done by creating a list of valid MAC addresses or by specifying a limit to the number of permitted addresses. For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port, but then drop any traffic from machines with different MAC addresses that try to connect. MAC addresses are trivially spoofed, so this protects against accidental connections and crude hub/VM sprawl rather than a deliberate attacker; 802.1X is the control for authenticating the device itself.
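The protections on the last two cards, DHCP snooping with dynamic ARP inspection and port security with a MAC limit, share one piece of switch state (the binding table and the learned-MAC table), so here they are modeled together in Python. This is an added example for this page, not the flashcards' own material or a vendor's implementation; the Cisco-style port names, MAC addresses and frame dictionaries are constructed, and frames are simplified records rather than parsed packets.

```python
from collections import defaultdict

# Message types that only a DHCP server sends; seeing one on an access port
# means a rogue server (or a host impersonating one).
DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class AccessSwitch:
    """Toy switch enforcing port security, DHCP snooping and DAI (example model)."""

    def __init__(self, trusted_ports, max_macs=2):
        self.trusted = set(trusted_ports)   # uplinks towards the real DHCP server
        self.max_macs = max_macs            # port-security limit per access port
        self.learned = defaultdict(set)     # port -> MACs seen on that port
        self.bindings = {}                  # ip -> (mac, port), from DHCP ACKs
        self.log = []

    def _drop(self, port, reason):
        self.log.append(f"{port}: dropped, {reason}")
        return False

    def _port_of(self, mac):
        return next((p for p, macs in self.learned.items() if mac in macs), None)

    def port_security(self, port, src_mac):
        macs = self.learned[port]
        if src_mac not in macs and len(macs) >= self.max_macs:
            return self._drop(port, "port-security violation: MAC limit reached")
        macs.add(src_mac)  # sticky learning of the first N addresses
        return True

    def dhcp_snoop(self, port, frame):
        if frame["dhcp"] in DHCP_SERVER_MSGS:
            if port not in self.trusted:
                return self._drop(port, f"rogue DHCP {frame['dhcp']} on untrusted port")
            if frame["dhcp"] == "ACK":
                client_port = self._port_of(frame["chaddr"])
                if client_port is not None:
                    # Lease completed: record ip -> (mac, port) for DAI to check.
                    self.bindings[frame["yiaddr"]] = (frame["chaddr"], client_port)
        elif frame["chaddr"] != frame["src_mac"]:
            # Client message whose hardware address does not match the frame: spoofing.
            return self._drop(port, "DHCP chaddr does not match source MAC")
        return True

    def arp_inspect(self, port, frame):
        if port in self.trusted:
            return True
        if self.bindings.get(frame["sender_ip"]) != (frame["sender_mac"], port):
            return self._drop(port, f"DAI: {frame['sender_ip']} is not bound to "
                                    f"{frame['sender_mac']} on this port")
        return True

    def ingress(self, port, frame):
        """Apply the access-port protections to one frame; True = forwarded."""
        if port not in self.trusted and not self.port_security(port, frame["src_mac"]):
            return False
        if frame["type"] == "dhcp":
            return self.dhcp_snoop(port, frame)
        if frame["type"] == "arp":
            return self.arp_inspect(port, frame)
        return True


def run_scenario():
    """Constructed traffic: legitimate lease, rogue server, ARP spoof, MAC flood."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/24"}, max_macs=2)
    client, attacker, server = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:fe"
    events = [
        ("Gi1/0/1", dict(type="dhcp", dhcp="DISCOVER", src_mac=client, chaddr=client)),
        ("Gi1/0/24", dict(type="dhcp", dhcp="ACK", src_mac=server, chaddr=client, yiaddr="10.0.0.50")),
        ("Gi1/0/2", dict(type="dhcp", dhcp="OFFER", src_mac=attacker, chaddr=client, yiaddr="10.0.0.99")),
        ("Gi1/0/2", dict(type="arp", src_mac=attacker, sender_ip="10.0.0.1", sender_mac=attacker)),
        ("Gi1/0/1", dict(type="arp", src_mac=client, sender_ip="10.0.0.50", sender_mac=client)),
        ("Gi1/0/3", dict(type="data", src_mac="dd:dd:dd:dd:dd:01")),
        ("Gi1/0/3", dict(type="data", src_mac="dd:dd:dd:dd:dd:02")),
        ("Gi1/0/3", dict(type="data", src_mac="dd:dd:dd:dd:dd:03")),
    ]
    return sw, [sw.ingress(port, f) for port, f in events]
```

The order matters in practice as it does here: DAI can only validate an ARP reply if DHCP snooping has already recorded the lease, so hosts with static addresses need explicit ARP ACL entries, and the uplink that carries the real server's replies must be marked trusted or every lease is dropped.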

32
Q

Network appliances

A
Jump servers
Proxy servers
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
HSM
Sensors
Collectors
Aggregators
Firewalls

In addition to the secure switching and routing appliances and protocols used to implement network connectivity, the network infrastructure design must also include security appliances to ensure confidentiality, integrity, and availability of services and data. You should be able to distinguish the features of security and monitoring devices and software and deploy these devices to appropriate locations in the network.

33
Q

Jump servers

A

One of the challenges of managing hosts that are exposed to the Internet, such as in a DMZ or cloud virtual network, is to provide administrative access to the servers and appliances located within it. On the one hand, a link is necessary; on the other, the administrative interface could be compromised and exploited as a pivot point into the rest of the network. Consequently, the management hosts permitted to access administrative interfaces on hosts in the secure zone must be tightly controlled. Configuring and auditing this type of control when there are many different servers operating in the zone is complex.

One solution to this complexity is to add a single administration server, or jump server, to the secure zone. The jump server only runs the necessary administrative port and protocol (typically SSH or RDP). Administrators connect to the jump server then use the jump server to connect to the admin interface on the application server. The application server’s admin interface has a single entry in its ACL (the jump server) and denies connection attempts from any other hosts.

34
Q

Proxy servers

A

Forward
Reverse

A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance.

35
Q

Forward

A

A forward proxy provides for protocol-specific outbound traffic. For example, you might deploy a web proxy that enables client computers on the LAN to connect to websites and secure websites on the Internet. This is a forward proxy that services TCP ports 80 and 443 for outbound traffic.

36
Q

Reverse

A

A reverse proxy server provides for protocol-specific inbound traffic. For security purposes, you might not want external hosts to be able to connect directly to application servers, such as web, email, and VoIP servers. Instead, you can deploy a reverse proxy on the network edge and configure it to listen for client requests from a public network (the Internet). The proxy applies filtering rules and if accepted, it creates the appropriate request for an application server within a DMZ. In addition, some reverse proxy servers can handle application-specific load balancing, traffic encryption, and caching, reducing the overhead on the application servers.

37
Q

Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)

A

Signature-based
Heuristic/behavior
Anomaly
Inline vs. passive

A system that uses passive hardware or software sensors to monitor traffic on a specific segment of the network.

A network-based IDS captures traffic via a packet sniffer, referred to as a sensor, analyzes the packets to identify malicious traffic, and displays alerts to a console or dashboard; because it works from a copy of the traffic, it can only detect. A network-based IPS (NIPS) sits inline in the traffic path and can additionally drop packets or reset connections that match, at the cost of becoming a potential point of failure and a source of latency.

38
Q

Signature-based

A

A network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.

Signature-based (or pattern-matching) detection means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. It is precise for known attacks but cannot detect an attack for which no signature exists, so the signature database must be kept updated.

39
Q

Heuristic/behavior

A

A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.

Historically, this type of detection was provided by network behavior and anomaly detection (NBAD) products. An NBAD engine uses heuristics (meaning to learn from experience) to generate a statistical model of what baseline normal traffic looks like. It may develop several profiles to model network use at different times of the day.

40
Q

Anomaly

A

Anomaly-based detection can also be taken to mean specifically looking for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert if they deviate from strict RFC compliance.

41
Q

Inline vs. passive

A

The primary motivation for deploying sensors inline is to stop attacks by blocking traffic. A passive sensor is deployed so that it monitors a copy of the actual traffic; no traffic passes through the sensor.
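Signature matching, protocol-anomaly checks and the inline/passive distinction from the preceding cards, in one Python example added here (not from the flashcards or from any IDS product). The signatures, the TCP flag checks and the sample packets are constructed for illustration; a real rule set is far larger and covers many protocols.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet record; only the fields the detectors need."""
    src: str
    dport: int
    flags: frozenset          # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""


# Signature database: (name, destination port or None for any, payload regex).
# These patterns are illustrative, not a real IDS rule set.
SIGNATURES = [
    ("sql-injection-union", 80, re.compile(rb"(?i)union\s+(all\s+)?select")),
    ("path-traversal", 80, re.compile(rb"\.\./\.\./")),
    ("command-injection", None, re.compile(rb"[;|&]\s*(cat|wget|curl)\s")),
]


def signature_alerts(pkt):
    """Pattern matching: fire when a known attack pattern is present."""
    return [name for name, port, rx in SIGNATURES
            if (port is None or pkt.dport == port) and rx.search(pkt.payload)]


def anomaly_alerts(pkt):
    """Protocol-anomaly checks: TCP header combinations a conforming stack
    never produces, regardless of payload (classic scanner fingerprints)."""
    f = pkt.flags
    alerts = []
    if "SYN" in f and "FIN" in f:
        alerts.append("tcp-syn-fin")        # contradictory: open and close at once
    if not f:
        alerts.append("tcp-null-flags")     # NULL scan
    if f >= {"FIN", "PSH", "URG"} and "ACK" not in f:
        alerts.append("tcp-xmas")           # Xmas scan
    if pkt.dport == 0:
        alerts.append("tcp-port-zero")      # reserved, never a real service
    return alerts


def process(pkt, inline):
    """Inline sensor (IPS) drops matching traffic; a passive sensor on a
    SPAN/TAP only alerts, because the real packet has already gone by."""
    hits = signature_alerts(pkt) + anomaly_alerts(pkt)
    if not hits:
        return "pass", hits
    return ("drop" if inline else "alert"), hits


SAMPLE = [  # constructed traffic towards a web server at 10.0.0.5
    Packet("203.0.113.7", 80, frozenset({"PSH", "ACK"}),
           b"GET /search?q=1' UNION SELECT user,pass FROM users-- HTTP/1.1"),
    Packet("203.0.113.7", 80, frozenset({"SYN", "FIN"})),
    Packet("198.51.100.9", 443, frozenset({"PSH", "ACK"}), b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.9", 22, frozenset({"FIN", "PSH", "URG"})),
]
```

Note that the third sample packet passes both detectors even though it is on port 443: a signature engine only sees plaintext, so HTTPS traffic has to be decrypted (by a WAF, reverse proxy or TLS-inspecting NGFW) before payload signatures mean anything, while the header-level anomaly checks still work on encrypted flows.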

42
Q

HSM

A

An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

A hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices. This means that it can act as an archive or escrow for keys in case of loss or damage. Compared to using a general-purpose server for certificate services, HSMs are optimized for the role and so have a smaller attack surface. HSMs are designed to be tamper-evident to mitigate risk of insider threat, and can also provide enterprise-strength cryptographically secure pseudorandom number generators (CSPRNGs). HSMs can be implemented in several form factors, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected external peripherals.

43
Q

Sensors

A

Typically, the packet capture sensor is placed inside a firewall or close to a server of particular importance. The idea is usually to identify malicious traffic that has managed to get past the firewall. A single IDS can generate a very large amount of logging and alerting data so you cannot just put multiple sensors everywhere in the network without provisioning the resources to manage them properly. Depending on network size and resources, one or just a few sensors will be deployed to monitor key assets or network paths.

A sensor needs a way to see the traffic on a switched network, where a normal port only receives frames addressed to it:

SPAN (switched port analyzer)/mirror port: the switch copies frames from selected ports or VLANs to the port the sensor is attached to. It needs no extra hardware, but the mirror port can be oversubscribed and silently drop frames under load, and mirroring consumes switch resources.
Test access point (TAP): a hardware device inserted inline on a link that passes the traffic through and copies it to a monitor port. A passive TAP is unpowered (an optical splitter or electrical tap) and keeps forwarding if it loses power, so it cannot take the link down.
Active TAP: a powered TAP that regenerates the signal; required for link types that cannot be split passively (such as gigabit copper). It should have a fail-open (bypass) mode so that losing power does not break the monitored link.

44
Q

Collectors

A

Log Collection
The first task for SIEM is to collect data inputs from multiple sources. There are three main types of log collection:

Agent-based—with this approach, you must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage.
Listener/collector—rather than installing an agent, hosts can be configured to push updates to the SIEM server using a protocol such as syslog or SNMP. A process runs on the management server to parse and normalize each log/monitoring source.
Syslog (tools.ietf.org/html/rfc3164) allows for centralized collection of events from multiple sources. It also provides an open format for event logging messages, and as such has become a de facto standard for logging of events from distributed systems. For example, syslog messages can be generated by Cisco routers and switches, as well as servers and workstations. The original BSD format (RFC 3164) has no year or time zone in its timestamp, and plain syslog travels over UDP port 514 unauthenticated and unencrypted; RFC 5424 syslog over TLS (RFC 5425) addresses both, and the collector must still know each sender's time zone to place events correctly on a single timeline.

Sensor—as well as log data, the SIEM might collect packet captures and traffic flow data from sniffers.

45
Q

Aggregators

A

Log Aggregation
As distinct from collection, aggregation refers to normalizing data from different sources so that it is consistent and searchable. SIEM software features connectors or plug-ins to interpret (or parse) data from distinct types of systems and to account for differences between vendor implementations. Usually parsing will be carried out using regular expressions tailored to each log file format to identify attributes and content that can be mapped to standard fields in the SIEM’s reporting and analysis tools. Another important function is to normalize date/time zone differences to a single timeline.
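Collection and aggregation as described on the last two cards, in Python: an RFC 3164 syslog line and a constructed key=value firewall line are parsed with per-format regular expressions, normalized into one schema, moved onto a single UTC timeline, and then correlated by source IP. This is an added example, not code from the flashcards or any SIEM; both log lines, the field names and the firewall format are invented, and the sending hosts' year and time zone are assumptions passed in by the caller because the BSD syslog timestamp carries neither.

```python
import re
from datetime import datetime, timezone, timedelta

# BSD syslog (RFC 3164): "<PRI>Mmm dd hh:mm:ss host tag[pid]: message"
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Constructed key=value firewall format (not a specific vendor's syntax).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Field-level parser for the sshd message body.
SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_rfc3164(line, year, tz):
    """Parse one BSD syslog line. RFC 3164 timestamps carry no year or zone,
    so both must be supplied from knowledge of the sending host."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    event = {
        "time": local.astimezone(timezone.utc).isoformat(),  # single UTC timeline
        "host": m["host"], "source": m["tag"],
        "facility": pri >> 3, "severity": SEVERITIES[pri & 7],
        "src_ip": None, "message": m["msg"],
    }
    fail = SSHD_FAIL.search(m["msg"])
    if fail:
        event["src_ip"] = fail["ip"]
        event["user"] = fail["user"]
    return event


def parse_kv(line, tz):
    """Parse the constructed firewall format into the same schema."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    local = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return {
        "time": local.astimezone(timezone.utc).isoformat(),
        "host": fields["devname"], "source": "firewall",
        "facility": None, "severity": fields["level"],
        "src_ip": fields.get("srcip"), "message": fields.get("msg", ""),
    }


def aggregate(lines, year, syslog_tz, fw_tz):
    """Normalize mixed-format lines and order them on one UTC timeline."""
    events = [parse_rfc3164(line, year, syslog_tz) or parse_kv(line, fw_tz) for line in lines]
    return sorted(events, key=lambda e: e["time"])


def correlate(events, window_seconds):
    """Group events by source IP when they fall within the window: the same
    actor seen by different devices becomes one story."""
    by_ip = {}
    for ev in events:
        if ev["src_ip"]:
            by_ip.setdefault(ev["src_ip"], []).append(ev)
    out = {}
    for ip, evs in by_ip.items():
        first = datetime.fromisoformat(evs[0]["time"])
        last = datetime.fromisoformat(evs[-1]["time"])
        if (last - first).total_seconds() <= window_seconds:
            out[ip] = [e["source"] for e in evs]
    return out


# Constructed log lines: the bastion host logs in local time (UTC-5),
# the firewall is configured for UTC. They describe the same attempt.
LINES = [
    "<38>Mar 14 04:01:07 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    'time="2024-03-14 09:01:09" devname=edge-fw level=warning srcip=203.0.113.7 dstip=10.0.0.5 dstport=22 action=deny msg="policy violation"',
]
EVENTS = aggregate(LINES, year=2024, syslog_tz=timezone(timedelta(hours=-5)), fw_tz=timezone.utc)
```

Without the time zone normalization the two events would appear five hours apart and the correlation would silently fail, which is why SIEM deployments insist on NTP and a known zone (preferably UTC) on every log source.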

46
Q

Firewalls

A
Web application firewall (WAF)
NGFW
Stateful
Stateless
Unified threat management (UTM)
Network address translation (NAT) gateway
Content/URL filter
Open-source vs. proprietary
Hardware vs. software
Appliance vs. host-based vs. virtual
47
Q

Web application firewall (WAF)

A

A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.

WAFs use application-aware processing rules to filter traffic and perform application-specific intrusion detection. The WAF can be programmed with signatures of known attacks and use pattern matching to block requests containing suspect code; because it terminates the HTTP(S) session, it sees the decrypted request and can normalize encodings before matching. The output from a WAF will be written to a log, which you can inspect to determine what threats the web application might be subject to.

48
Q

NGFW

A

Host or network firewall capable of parsing application layer protocol headers and data (such as HTTP or SMTP) so that sophisticated, content-sensitive ACLs can be developed.

The next-generation firewall (NGFW) category emerged around 2009-2010, with Palo Alto Networks' products as the best-known early example. These products combined application-aware filtering (identifying the application regardless of the port it uses) with user account-based filtering and the ability to act as an intrusion prevention system (IPS). This approach was quickly adopted by competitor products. Subsequent firewall generations have added capabilities such as cloud inspection, TLS decryption, and combined features of different security technologies.

49
Q

Stateful

A

A technique used in firewalls to track the state of each connection, so that packets are evaluated in the context of the session they belong to (layer 4 state, and in some products application-layer context) rather than filtering each packet only by its own header information. This lets the firewall enforce tighter rules than a stateless filter can.

A stateful inspection firewall tracks information about the session established between two hosts and blocks malicious attempts to start a bogus session or to inject packets into a session that was never opened. The vast majority of firewalls now incorporate some level of stateful inspection capability. Session data is stored in a state table. When a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection. If it does not, it applies the ordinary packet filtering rules to determine whether to allow it. Once the connection has been allowed, the firewall usually passes the rest of the session with only a state-table lookup, in order to conserve processing effort.

50
Q

Stateless

A

A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls.

A basic packet filtering firewall is stateless. This means that it does not preserve information about network sessions. Each packet is analyzed independently, with no record of previously processed packets. This type of filtering requires the least processing effort, but it can be vulnerable to attacks that are spread over a sequence of packets. A stateless firewall can also introduce problems in traffic flow, especially when some sort of load balancing is being used or when clients or servers need to use dynamically assigned ports.
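The stateless and stateful cards describe the difference in words; the following Python model puts the same constructed packet sequence through both filters. This is an added example, not from the flashcards or a real firewall; addresses come from the documentation ranges and the "inside" network prefix is an assumption of the example.

```python
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."  # constructed: the protected inside network


@dataclass(frozen=True)
class Pkt:
    """Constructed TCP packet header: only what the filters look at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def is_inside(ip):
    return ip.startswith(LAN_PREFIX)


def stateless_filter(pkt):
    """Packet filter with no memory. Outbound is allowed; inbound is allowed
    only when the header looks like a reply (ACK or RST set), the classic
    'established' keyword in a router ACL. Each packet is judged alone."""
    if is_inside(pkt.src):
        return "allow"
    if pkt.flags & {"ACK", "RST"}:
        return "allow"  # cannot distinguish a real reply from a forged one
    return "deny"


class StatefulFilter:
    """Tracks sessions in a state table; the same policy, now with memory."""

    def __init__(self):
        self.table = set()  # (src, sport, dst, dport) of allowed sessions

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            if pkt.flags & {"FIN", "RST"}:
                # Session ending: remove its entry so it cannot be reused.
                self.table.discard(key)
                self.table.discard(reverse)
            return "allow"  # belongs to a session we already accepted
        if is_inside(pkt.src) and pkt.flags == {"SYN"}:
            self.table.add(key)  # new outbound connection: remember it
            return "allow"
        return "deny"  # unsolicited inbound, or mid-stream with no session


def run():
    """Same constructed sequence through both filters."""
    seq = [
        Pkt("10.0.0.5", 50000, "198.51.100.10", 443, frozenset({"SYN"})),        # LAN host opens HTTPS
        Pkt("198.51.100.10", 443, "10.0.0.5", 50000, frozenset({"SYN", "ACK"})),  # genuine reply
        Pkt("203.0.113.7", 4444, "10.0.0.5", 22, frozenset({"ACK"})),            # ACK scan / forged reply
        Pkt("203.0.113.7", 4444, "10.0.0.5", 22, frozenset({"SYN"})),            # direct probe
    ]
    sf = StatefulFilter()
    return [stateless_filter(p) for p in seq], [sf.filter(p) for p in seq]
```

The third packet is the point of the comparison: the stateless ACL lets a bare ACK to port 22 through because it cannot know that no LAN host ever opened that connection, which is exactly what an ACK scan exploits to map filtered ports; the stateful table has no entry and denies it.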

51
Q

Unified threat management (UTM)

A

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

Unified threat management (UTM) refers to a security product that centralizes many types of security controls—firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway—into a single appliance. This means that you can monitor and manage the controls from a single console. Nevertheless, UTM has some downsides. When defense is unified under a single system, this creates the potential for a single point of failure that could affect an entire network. Distinct security systems, if they fail, might only compromise that particular avenue of attack. Additionally, UTM systems can struggle with latency issues if they are subject to too much network activity. Also, a UTM might not perform as well as software or a device with a single dedicated security function.

52
Q

Network address translation (NAT) gateway

A

A routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.

Network address translation (NAT) was devised as a way of freeing up scarce IP addresses for hosts needing Internet access. A private network will typically use a private addressing scheme to allocate IP addresses to hosts. These addresses can be drawn from one of the pools of addresses defined in RFC 1918 (tools.ietf.org/html/rfc1918) as non-routable over the Internet:

10.0.0.0 to 10.255.255.255 (10.0.0.0/8, the Class A private address range)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12, the Class B private address range)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16, the Class C private address range)

A NAT gateway is a service that translates between the private addressing scheme used by hosts on the LAN and the public addressing scheme used by the router, firewall, or proxy server on the network edge. Most deployments use port address translation (PAT, also called NAT overload), in which many internal hosts share one public address and are distinguished by the translated source port. NAT provides security in the sense that it can manage ingress and egress traffic at well-defined points on the network edge and hides the internal addressing scheme, but it is important to realize that it does not perform a filtering function: unsolicited inbound traffic is undeliverable only because no translation entry exists for it, not because a policy rejected it, and any port forward or static mapping re-exposes the internal host.
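An RFC 1918 check and a port address translation table in Python, added as an example for this card (not from the flashcards or a specific router). It goes slightly beyond the text by modeling PAT (NAT overload), where many inside hosts share one public address and are told apart by translated source port, which is how nearly every NAT gateway is actually deployed. Addresses are from the documentation ranges and the sequential port allocation is a simplified scheme of this example.

```python
import ipaddress

# RFC 1918 private ranges, written as CIDR prefixes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the address is in a private range (so it must be translated
    before it can leave the LAN). Link-local and loopback are not RFC 1918."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PatGateway:
    """Port address translation (NAT overload): many inside hosts share one
    public address and are told apart by the translated source port."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public_port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def egress(self, src, sport, dst, dport):
        """Translate an outbound packet; returns the header as seen on the Internet."""
        if not is_rfc1918(src):
            return None  # not a LAN host: nothing to translate
        key = (src, sport, dst, dport)
        if key not in self.out:
            public_port = self.next_port
            self.next_port += 1
            self.out[key] = public_port
            self.back[(public_port, dst, dport)] = (src, sport)
        return (self.public_ip, self.out[key], dst, dport)

    def ingress(self, src, sport, dst, dport):
        """Map a packet arriving at the public address back to the inside host.
        Without a matching entry there is nowhere to deliver it; that is a
        side effect of translation, not a filtering decision."""
        if dst != self.public_ip:
            return None
        inside = self.back.get((dport, src, sport))
        if inside is None:
            return None
        return (src, sport, inside[0], inside[1])
```

Two inside hosts using the same source port towards the same server get different public ports, and a reply is only deliverable if it matches the (port, remote address, remote port) triple recorded on the way out; a real gateway also ages these entries out, and a static port forward would add a permanent entry that bypasses this protection.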

53
Q

Content/URL filter

A

A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).

54
Q

Open-source vs. proprietary firewalls

A

The ability to inspect source code will be a requirement for high-security environments that cannot rely on implicit trust when selecting vendors. The code underpinning appliance-based, software, and virtual firewalls can be developed as open-source or proprietary or somewhere inbetween:

Wholly proprietary—implemented as a proprietary OS, such as Cisco ASA, Juniper JunOS, Palo Alto PAN-OS, or Barracuda’s Windows-based appliance.
Mostly proprietary—developed from a Linux kernel, but with proprietary features added. Examples include Check Point IPSO, FortiGate FortiOS, and SonicWall. Any code developed from a GPL source should be available, but in general terms these products cannot be used independently of a commercial contract with the vendor.
Wholly open-source—these can be used independently of the vendor, but the vendors typically have commercial appliances and support contracts too. Examples include pfSense and Smoothwall.

In determining whether to follow a self-installed versus supported deployment, as well as the core appliance code, you need to consider access to support, update availability, and access to subscription-based features, such as signatures and threat feeds.

55
Q

Hardware vs. software

A

Hardware == A hardware firewall is a physical device installed between a computer network and the Internet, or at the edge of the network, to monitor data packets in transit. It is also known as a perimeter firewall, as it protects your entire network by assessing the incoming and outgoing traffic at the perimeter.

Software == As the name suggests, a software firewall is a software-based solution installed as a virtual appliance or on individual computers on your network to safeguard them against vulnerabilities. It can control the behavior associated with specific applications.

For instance, you can use it to block access to certain websites or to printers installed within your network.

56
Q

Appliance vs. host-based vs. virtual

A

Firewall Appliances
An appliance firewall is a stand-alone hardware firewall deployed to monitor traffic passing into and out of a network zone. A firewall appliance can be deployed in two ways:

Routed (layer 3)—the firewall performs forwarding between subnets. Each interface on the firewall connects to a different subnet and represents a different security zone.
Bridged (layer 2)—the firewall inspects traffic passing between two nodes, such as a router and a switch. This is also referred to as transparent mode. The firewall does not have an IP interface (except for configuration management). It bridges the Ethernet interfaces between the two nodes. Despite performing forwarding at layer 2, the firewall can still inspect and filter traffic on the basis of the full range of packet headers. The typical use case for a transparent firewall is to deploy it without having to reconfigure subnets and reassign IP addresses on other devices.

A router firewall or firewall router appliance implements filtering functionality as part of the router firmware. The difference is that a router appliance is primarily designed for routing, with firewall as a secondary feature. SOHO Internet router/modems come with a firewall built-in, for example.

Application-Based Firewalls
Firewalls can also run as software on any type of computing host. There are several types of application-based firewalls:

Host-based firewall (or personal firewall)—implemented as a software application running on a single host designed to protect that host only. As well as enforcing packet filtering ACLs, a personal firewall can be used to allow or deny software processes from accessing the network.
Application firewall—software designed to run on a server to protect a particular application only (a web server firewall, for instance, or a firewall designed to protect an SQL Server database). This is a type of host-based firewall and would typically be deployed in addition to a network firewall.
Network operating system (NOS) firewall—a software-based firewall running under a network server OS, such as Windows or Linux. The server would function as a gateway or proxy for a network segment.

57
Q

Access control list (ACL)

A

Firewall access control lists (ACLs) are configured on the principle of least access. This is the same as the principle of least privilege; only allow the minimum amount of traffic required for the operation of valid network services and no more. The rules in a firewall’s ACL are processed top-to-bottom. If traffic matches one of the rules, then it is allowed to pass; consequently, the most specific rules are placed at the top. The final default rule is typically to block any traffic that has not matched a rule (implicit deny). If the firewall does not have a default implicit deny rule, an explicit deny all rule can be added manually to the end of the ACL.

58
Q

Route security

A

A successful attack against route security enables the attacker to redirect traffic from its intended destination. On the Internet, this may allow the threat actor to herd users to spoofed websites. On an enterprise network, it may facilitate circumventing firewalls and security zones to allow lateral movement and data exfiltration.

Routes between networks and subnets can be configured manually, but most routers automatically discover routes by communicating with each other. Dynamic routers exchange information about routes using routing protocols. It is important that this traffic be separated from channels used for other types of data. Routing protocols do not always have effective integral security mechanisms, so they need to run in an environment where access is very tightly controlled.

59
Q

Quality of service (QoS)

A

Systems that differentiate data passing over the network and can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).

Most network appliances process packets on a best effort and first in, first out (FIFO) basis. Quality of Service (QoS) is a framework for prioritizing traffic based on its characteristics. It is primarily used to support voice and video applications that require a minimum level of bandwidth and are sensitive to latency and jitter. Latency is the time it takes for a transmission to reach the recipient, measured in milliseconds (ms). Jitter is defined as a variation in the delay, or an inconsistent rate of packet delivery. FIFO-based delivery makes it more likely that other applications sharing the same network will cause loss of bandwidth and increase latency and jitter for a real-time service.

60
Q

Implications of IPv6

A

IPv6 has impacts for premises networks, for the way your company accesses cloud services, and for the way clients access web servers and other public servers that you publish.

IPv6 may be enabled by default on clients and servers, and even on network appliances (routers and firewalls), so there must be a management and security plan for it. If IPv6 is enabled but unmanaged, there is the potential for malicious use as a backdoor or covert channel. IPv6 also exposes novel attack vectors, such as spoofing and DoS attacks on neighbor discovery (tools.cisco.com/security/center/resources/ipv6_first_hop).

Hosts should be allocated IPv6 addresses that map to the same zones as the IPv4 topology. Firewalls should be configured with ACLs that either achieve the same security configuration as for IPv4 or block IPv6, if that is a better option. One issue here is that IPv6 is not intended to perform any type of address translation. Rather than obscure internal/external traffic flows with private to public address mapping, IPv6 routing and filtering policies should be configured to mirror the equivalent IPv4 architecture.

61
Q

Port spanning/port mirroring

A

A SPAN port (sometimes called a mirror port) is a software feature built into a switch or router that creates a copy of selected packets passing through the device and sends them to a designated SPAN port. Using software, the administrator can easily configure or change what data is to be monitored. Since the primary purpose of a switch or router is to forward production packets, SPAN data is given a lower priority on the device. The SPAN also uses a single egress port to aggregate multiple links, so it is easily oversubscribed.

62
Q

Port taps

A

The two most common ways of accessing monitoring data are through either a switched port analyzer (SPAN) port or a test access port (TAP). A TAP is a purpose-built device that passively makes a copy of network data but does not alter the data. Once you install it, you are done. No programming is required.

63
Q

Monitoring services

A

Packet Capture
Data captured from network sensors/sniffers plus NetFlow sources provides both summary statistics about bandwidth and protocol usage and the opportunity for detailed frame analysis.

Network Monitors
As distinct from network traffic monitoring, a network monitor collects data about network appliances, such as switches, access points, routers, firewalls, and servers. This is used to monitor load status for CPU/memory, state tables, disk capacity, fan speeds/temperature, network link utilization/error statistics, and so on. Another important function is a heartbeat message to indicate availability. This data might be collected using the Simple Network Management Protocol (SNMP) or a proprietary management system. As well as supporting availability, network monitoring might reveal unusual conditions that could point to some kind of attack.

Logs
Logs are one of the most valuable sources of security information. A system log can be used to diagnose availability issues. A security log can record both authorized and unauthorized uses of a resource or privilege. Logs function both as an audit trail of actions and (if monitored regularly) provide a warning of intrusion attempts. Log review is a critical part of security assurance. Only referring to the logs following a major incident is missing the opportunity to identify threats and vulnerabilities early and to respond proactively.

64
Q

File integrity monitors

A

A type of software that reviews system files to ensure that they have not been tampered with.

One of the core features of HIDS is file integrity monitoring (FIM). This may also be implemented as a standalone feature. When software is installed from a legitimate source (using signed code in the case of Windows or a secure repository in the case of Linux), the OS package manager checks the signature or fingerprint of each executable file and notifies the user if there is a problem. FIM software audits key system files to make sure they match the authorized versions. In Windows, the Windows File Protection service runs automatically and the System File Checker (sfc) tool can be used manually to verify OS system files. Tripwire (tripwire.com) and OSSEC (ossec.net) are examples of multi-platform tools with options to protect a wider range of applications.