Lesson 5: Secure Enterprise Network Architecture Flashcards
Define ‘Network infrastructure’
Appliances, and addressing/forwarding protocols that support basic connectivity.
Define ‘Network applications’
Services that run on the infrastructure to support business activities.
Define ‘Data assets’
Information that is created, stored, and transferred as a result of business activity.
Define a ‘workflow’
Series of tasks that a business needs to perform.
Define an ‘Email mailbox server’
Stores data assets and must only be accessed by authorized clients; Must be fully available and fault tolerant.
Define a ‘Mail transfer server’
Connects with untrusted Internet hosts to transfer mail; Any email leaving or entering the network must be subject to policy-based controls.
Define an ‘on-premises network’
A private network facility that is owned and operated by an organization for use by its employees only; Enterprise local area network (LAN)
What network topology model describes a typical on-premises network?
Star topology.
What is the security concern with a star topology?
“Flat” in terms of security; Any host can communicate freely with any other host in the same segment.
Define ‘logical segmentation’
Network topology enforced by switch, router, and firewall configuration
Define ‘attack surface’
All the points at which a threat actor could gain access to hosts and services.
What is the attack surface of layer 1 and layer 2 of the OSI model?
Unauthorized connections to physical ports or wireless networks to communicate within the broadcast domain.
What is the attack surface of layer 3 of the OSI model?
Unauthorized hosts; Authenticating all connections
What is the attack surface of layer 4 and layer 7 of the OSI model?
Unauthorized connections to TCP/UDP ports to communicate with application layer protocols and services.
Define ‘port security’
Preventing a device attached to a switch port from communicating on the network unless it matches a policy.
Define ‘MAC Filtering’
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
What is a more secure type of port security compared to MAC filtering?
802.1X Port-based Network Access Control (PNAC)
What is required for Port-based Network Access Control (PNAC) to function?
A switch authenticating a host against a RADIUS server or certificate when it connects to one of its ports.
What two protocols allow 802.1X Port-based Network Access Control (PNAC) to function?
- Extensible Authentication Protocol (EAP)
- Remote Authentication Dial-In User Service (RADIUS)
Define ‘Extensible Authentication Protocol (EAP)’
Framework for negotiating authentication methods that enable systems to use hardware-based identifiers or digital certificates.
Define ‘Remote Authentication Dial-In User Service (RADIUS)’
AAA protocol used to manage remote and wireless authentication infrastructures.
Define ‘selection of effective controls’
The process of choosing the type and placement of security controls to ensure the goals of the CIA triad and compliance with any framework requirements.
What is the goal of ‘selection of effective controls’?
To enforce segmentation, apply access controls, and monitor traffic for policy violations.
Define ‘Defense in depth’
Security strategy that positions layers of diverse security control categories and functions rather than relying on perimeter controls alone.
What are the 3 types of controls in a defense in depth strategy?
- Preventive controls
- Detective controls
- Corrective controls
How is defense in depth achieved?
Security-critical zones are protected by diverse preventive, detective, and corrective controls at each level of the OSI model.
What is a critical component of defense in depth?
Device placement.
Define ‘Device placement’
Positioning security controls to protect security zones and individual hosts to implement a defense in depth.
Define a ‘Preventive control’
Often placed at the perimeter of a network segment or zone; Firewalls, load balancers.
Define a ‘Detective control’
Placed within the perimeter; Monitors traffic within a network or subnet; Provides alerting of malicious traffic that has evaded perimeter controls.
Define a ‘Corrective control’
Installed on hosts as a layer of endpoint protection in addition to the network infrastructure controls.
Define a ‘passive security control’
Does not require any sort of client or agent configuration or host data transfer to operate; Analyzes intercepted network traffic instead of sending probes to a target.
Define an ‘active security control’
Requires hosts to be explicitly configured to use the control; Detective and preventive security controls that use an agent or network configuration to monitor hosts.
Define an ‘inline’ device
Placement and configuration of a network security control so that it becomes part of the cable path.
Define the function of a ‘SPAN (switched port analyzer)/mirror port’
Copying ingress and/or egress communications from one or more switch ports to another port to monitor communications.
Define the function of a ‘Test access point (TAP)’
A hardware device with ports for incoming and outgoing network cabling inserted into a cable run to copy frames to a mirror port for analysis.
What are the two states of failures a security device could enter?
- Fail-open
- Fail-closed
Define a ‘Fail-open’ state of failure
A security control configuration that ensures continued access to resources in the event of failure; Prioritizes availability over confidentiality and integrity.
What is the risk of entering a fail-open state of failure?
A threat actor could engineer a failure state to defeat the control.
Define a ‘Fail-closed’ state of failure
A security control configuration that blocks access to a resource in the event of failure.
What is the risk of entering a fail-closed state of failure?
System downtime
Define a ‘Packet Filtering Firewall’
A Layer 3 device; Compares packet headers against ACLs to determine which network traffic to accept.
What information from a packet header is used to define rules in an ACL?
IP address, protocol, and port.
What actions can be defined in an ACL rule?
Accept/permit, drop/deny, reject/block.
What is the outcome of a drop/deny?
Silently discards the packet.
What is the outcome of a reject/block?
Blocks the packet but responds to the sender with an ICMP message, such as “port unreachable”.
What are the two types of ACLs?
- Inbound ACL
- Outbound ACL
Define an ‘appliance firewall’
A standalone hardware device that performs only the function of a firewall (filtering/monitoring inbound and outbound traffic).
What are the 3 ways to deploy an appliance firewall?
- Routed (Layer 3)
- Bridged (Layer 2)
- Inline (Layer 1)
Define a ‘routed (layer 3)’ firewall
Performs forwarding between subnets; Each interface connects to a different subnet representing a different security zone; Interfaces configured with an IP and MAC address.
Define a ‘bridged (layer 2)’ firewall
Inspects traffic passing between two nodes, such as a router and a switch; bridges the Ethernet interfaces between the two nodes, and each interface is configured with a MAC address but no IP address.
Define an ‘Inline (layer 1)’ firewall
Firewall acts as a cable segment and has no MAC or IP address; Traffic received on one interface is either blocked or forwarded over the other interface.
Define a ‘transparent firewall’
Standalone firewall deployed in front or in-between nodes without having to reconfigure subnets and reassign IP addresses on other devices; Bridged and Inline firewalls.
Define a ‘router firewall’
A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.