Lesson 5: Secure Enterprise Network Architecture Flashcards
Define ‘Network infrastructure’
Appliances, and addressing/forwarding protocols that support basic connectivity.
Define ‘Network applications’
Services that run on the infrastructure to support business activities.
Define ‘Data assets’
Information that is created, stored, and transferred as a result of business activity.
Define a ‘workflow’
Series of tasks that a business needs to perform.
Define an ‘Email mailbox server’
Stores data assets and must only be accessed by authorized clients; Must be fully available and fault tolerant.
Define a ‘Mail transfer server’
Connects with untrusted Internet hosts to transfer mail; Any email leaving or entering the network must be subject to policy-based controls.
Define an ‘on-premises network’
A private network facility that is owned and operated by an organization for use by its employees only; Enterprise local area network (LAN)
What network topology model describes a typical on-premises network?
Star topology.
What is the security concern with a star topology?
“Flat” in terms of security; Any host can communicate freely with any other host in the same segment.
Define ‘logical segmentation’
Network topology enforced by switch, router, and firewall configuration
Define ‘attack surface’
All the points at which a threat actor could gain access to hosts and services.
What is the attack surface of layer 1 and layer 2 of the OSI model?
Unauthorized connections to physical ports or wireless networks to communicate within the broadcast domain.
What is the attack surface of layer 3 of the OSI model?
Unauthorized hosts; Authenticating all connections
What is the attack surface of layer 4 and layer 7 of the OSI model?
Unauthorized connections to TCP/UDP ports to communicate with application layer protocols and services.
Define ‘port security’
Preventing a device attached to a switch port from communicating on the network unless it matches a policy.
Define ‘MAC Filtering’
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
What is a more secure type of port security compared to MAC filtering?
802.1X Port-based Network Access Control (PNAC)
What is required for Port-based Network Access Control (PNAC) to function?
A switch authenticating a host against a RADIUS server or certificate when it connects to one of its ports.
What two protocols allow 802.1X Port-based Network Access Control (PNAC) to function?
- Extensible Authentication Protocol (EAP)
- Remote Authentication Dial-In User Service (RADIUS)
Define ‘Extensible Authentication Protocol (EAP)’
Framework for negotiating authentication methods that enable systems to use hardware-based identifiers or digital certificates.
Define ‘Remote Authentication Dial-In User Service (RADIUS)’
AAA protocol used to manage remote and wireless authentication infrastructures.
Define ‘selection of effective controls’
The process of choosing the type and placement of security controls to ensure the goals of the CIA triad and compliance with any framework requirements.
What is the goal of ‘selection of effective controls’?
To enforce segmentation, apply access controls, and monitor traffic for policy violations.
Define ‘Defense in depth’
Security strategy that layers diverse security control categories and functions rather than relying on perimeter controls alone.
What are the 3 types of controls in a defense in depth strategy?
- Preventive controls
- Detective controls
- Corrective controls
How is defense in depth achieved?
Security-critical zones are protected by diverse preventive, detective, and corrective controls at each level of the OSI model.
What is a critical component of defense in depth?
Device placement.
Define ‘Device placement’
Positioning security controls to protect security zones and individual hosts to implement a defense in depth.
Define a ‘Preventive control’
Often placed at the perimeter of a network segment or zone; Firewall, Load balancers
Define a ‘Detective control’
Placed within the perimeter; Monitors traffic within a network or subnet; Provides alerting of malicious traffic that has evaded perimeter controls.
Define a ‘Corrective control’
Installed on hosts as a layer of endpoint protection in addition to the network infrastructure controls.
Define a ‘passive security control’
Does not require any sort of client or agent configuration or host data transfer to operate; Analyzes intercepted network traffic instead of sending probes to a target.
Define an ‘active security control’
Requires hosts to be explicitly configured to use the control; Detective and preventive security controls that use an agent or network configuration to monitor hosts.
Define an ‘inline’ device
Placement and configuration of a network security control so that it becomes part of the cable path.
Define the function of a ‘SPAN (switched port analyzer)/mirror port’
Copying ingress and/or egress communications from one or more switch ports to another port to monitor communications.
Define the function of a ‘Test access point (TAP)’
A hardware device with ports for incoming and outgoing network cabling inserted into a cable run to copy frames to a mirror port for analysis.
What are the two states of failures a security device could enter?
- Fail-open
- Fail-closed
Define a ‘Fail-open’ state of failure
A security control configuration that ensures continued access to resources in the event of failure; Prioritizes availability over confidentiality and integrity.
What is the risk of entering a fail-open state of failure?
A threat actor could engineer a failure state to defeat the control.
Define a ‘Fail-closed’ state of failure
A security control configuration that blocks access to a resource in the event of failure.
What is the risk of entering a fail-closed state of failure?
System downtime
Define a ‘Packet Filtering Firewall’
A Layer 3 device; Compares packet headers against ACLs to determine which network traffic to accept.
What information from a packet header is used to define rules in an ACL?
IP, Protocol, and Port.
What actions can be defined in an ACL rule?
Accept/permit, drop/deny, reject/block
What is the outcome of a drop/deny?
Silently discards the packet.
What is the outcome of a reject/block?
Blocks the packet but responds to the sender with an ICMP message, such as “port unreachable”.
What are the two types of ACLs?
- Inbound ACL
- Outbound ACL
Define an ‘appliance firewall’
A standalone hardware device that performs only the function of a firewall (filter/monitor inbound and outbound traffic)
What are the 3 ways to deploy an appliance firewall?
- Routed (Layer 3)
- Bridged (Layer 2)
- Inline (Layer 1)
Define a ‘routed (layer 3)’ firewall
Performs forwarding between subnets; Each interface connects to a different subnet representing a different security zone; Interfaces configured with an IP and MAC address.
Define a ‘bridged (layer 2)’ firewall
Inspects traffic passing between two nodes, such as a router and a switch; bridges the Ethernet interfaces between the two nodes and each interface is configured with a MAC but no IP.
Define an ‘Inline (layer 1)’ firewall
Firewall acts as a cable segment and has no MAC or IP address; Traffic received on one interface is either blocked or forwarded over the other interface.
Define a ‘transparent firewall’
Standalone firewall deployed in front or in-between nodes without having to reconfigure subnets and reassign IP addresses on other devices; Bridged and Inline firewalls.
Define a ‘router firewall’
A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.
Why is a packet filtering firewall stateless?
Does not preserve information about network sessions/connections.
Define a ‘stateful inspection firewall’
Tracks information about the session established between two hosts; analyze packets down to the application layer rather than filtering packets only by header information.
How does a stateful inspection firewall process packets?
Firewall confirms whether it belongs to an existing connection; If not, it applies ordinary packet filtering rules to determine whether to allow it.
What two layers of the OSI model does a stateful inspection firewall operate at?
layer 4 and layer 7
Define a ‘layer 4 firewall’
A stateful inspection firewall that can monitor TCP/UDP sessions.
What mechanism does a layer 4 firewall inspect when determining if a packet belongs to an existing connection?
Examines the TCP three-way handshake to distinguish new from established connections.
How does a layer 4 firewall leverage the three-way handshake to process a packet?
A legitimate TCP connection should follow a SYN > SYN/ACK > ACK sequence with corresponding sequence numbers; Deviations from this can be dropped as malicious flooding or session hijacking attempts.
Define a ‘layer 7 firewall’
A stateful inspection firewall that can filter traffic based on specific application protocol headers and payload, such as web or email data.
Define a ‘proxy server’
Mediates the communications between a client and another server; Can filter/forward communications and improve performance with caching.
Define a ‘caching engine’
Feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
Define a ‘forward proxy server’
Outbound protocol-specific proxy connections.
Besides Forward/Reverse proxy, what are the two proxy server implementations?
- Non-transparent proxy
- Transparent proxy
Define a ‘non-transparent proxy server’
A server that redirects requests and responses for clients configured with the proxy address and port.
Define a ‘Transparent proxy server’
Implemented as a router or as an inline network appliance to intercept client traffic.
Define a ‘reverse proxy server’
Proxy server that protects servers from direct contact with client requests; Deployed on the network edge and configured to listen for protocol-specific inbound traffic.
Define an ‘intrusion detection system (IDS)’
Performs real-time analysis of either network traffic or system and application logs.
What mechanism does an intrusion detection system (IDS) use to function?
A sensor/packet sniffer (SPAN/TAP)
Define ‘Snort’
Open source Network intrusion detection system (NIDS).
How does an intrusion detection system (IDS) detect malicious traffic?
When traffic matches a detection signature, the IDS raises an alert or generates a log entry but does not block the source host.
Define an ‘intrusion prevention system (IPS)’
Security appliance or software that can detect malicious traffic and can actively block attacks.
How does an intrusion prevention system (IPS) detect malicious traffic?
Scans traffic to match detection signatures.
What are the 3 actions an intrusion prevention system (IPS) can take after matching a signature?
- Block the source
- Reset the connection
- Redirect traffic to a honeypot/honeynet for additional analysis
What are the two ways of deploying an intrusion prevention system (IPS)?
- Inline appliance with an integrated firewall and routing/forwarding capability
- Passive sensors that can reconfigure a router/firewall as a mitigating action
What are 4 features of a ‘next-generation firewall (NGFW)’?
- Layer 7 filtering
- User directory based filtering to prevent insider threat
- Integrated IPS
- Integration with cloud networking
Define ‘Unified threat management (UTM)’
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data-loss prevention, content filtering, and so on.
What is a downfall to implementing Unified threat management (UTM)?
Creates single point of failure; Latency issues due to consolidated overhead; Overall performance issues.
Define a ‘Load balancer’
A type of switch, router, or software that distributes client requests between different resources.
What are the benefits of a load balancer?
Mitigation against denial of service attacks; Provide fault tolerance.
What are the two main types of load balancers?
- Layer 4 load balancer
- Layer 7 load balancer
Define a ‘layer 4 load balancer’
Makes forwarding decisions based on IP address and TCP/UDP port values, working at the transport layer of the OSI model.
Define a ‘layer 7 load balancer’ (content switch)
Makes forwarding decisions based on application-level data; Uniform resource locator (URL) web address or data types like video or audio streaming.
Define the ‘scheduling’ function implemented by load balancers
Algorithm and metrics that determine which node is selected for processing each incoming request from the load balancer.
What is the most common/simplest form of the scheduling function in a load balancer?
Round-robin
Define ‘Round robin’ scheduling
Picking the next node based on a defined metric.
How is a heartbeat mechanism used to determine scheduling in a load balancer?
To verify whether each node is available and under load or not.
How does a client keep a persistent connection with a node configured behind a layer 4 load balancer?
Source IP Session affinity
Define ‘Source IP/Session Affinity’
Layer 4 load balancer scheduling approach.
What is the function of ‘Source IP (Session) Affinity’?
To route traffic to nodes that have previously established connections with the client in question.
How does a layer 7 load balancer keep a client connected to a session with a node?
Persistence configuration
Define ‘persistence’ configuration in a layer 7 load balancer
Sticky Sessions; Enables a client to maintain a connection with a load-balanced server over the duration of the session.
How does the persistence configuration in a layer 7 load balancer keep a client connected to a session?
By a cookie that is either set by the node or injected by the load balancer.
Define a ‘web application firewall (WAF)’
Firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.
How does a web application firewall (WAF) detect/protect?
Uses application-aware processing rules to filter traffic and perform application-specific intrusion detection; Programmed with signatures of known attacks and use pattern matching to block requests containing suspect code.
How can a web application firewall (WAF) be deployed/implemented?
Deployed as an appliance protecting the zone that the web server is placed in or as plug-in software for a web server platform.
Define ‘Remote access architecture’
Infrastructure, protocols, and software that allow a host to join a local network from a physically remote location.
What is the most common modern remote access mechanism/technology?
virtual private network (VPN)
Define a ‘virtual private network (VPN)’
A secure tunnel created between two endpoints connected via an unsecure transport network.
Define a ‘Secure Tunnel’
Mechanism encapsulating data from one protocol for safe transfer over another network such as the Internet.
What is the least secure VPN protocol/solution?
Point-to-Point Tunneling Protocol (PPTP).
Define a ‘transport layer security (TLS) VPN’
Client connects to the remote access server using digital certificates.
Describe TLS’ function when configured with a VPN
TLS creates an encrypted tunnel for the user to submit authentication credentials.
At what layer(s) of the OSI model does TLS function?
Layer 4 & Layer 7; Transport layer and Application layer.
Define ‘Internet Protocol Security (IPsec)’
Layer 3 protocol suite used to secure data through authentication and encryption as the data travels across a network.
What are the two core Internet Protocol Security (IPsec) protocols?
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
Define the purpose of the IPsec ‘Authentication Header (AH)’ protocol
Authenticates the sender of transmitted data; Provides integrity and protection against replay attacks.
How does the IPSec Authentication Header (AH) protocol function?
Calculates a cryptographic hash of the whole packet, plus a shared secret key, and adds this value in the header as an Integrity Check Value (ICV).
Define ‘Encapsulating Security Payload (ESP)’ IPsec protocol
Encrypts the header and payload of a data packet as well as authenticating the sender.
What two modes can IPsec be used in?
- Transport mode
- Tunnel mode
Define IPsec transport mode
Used to secure communications between hosts on a private network.
What is the outcome of configuring IPsec Encapsulating Security Payload (ESP) in transport mode?
The IP header for each packet is not encrypted, just the payload data.
What is the outcome of configuring IPsec Authentication Header (AH) in transport mode?
Provides integrity for the IP header.
Define IPsec ‘Tunnel mode’
Used for site to site VPN connections.
What is the outcome of configuring IPsec Encapsulating Security Payload (ESP) in tunnel mode?
The whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header.
What is the outcome of configuring IPsec Authentication Header (AH) in tunnel mode?
AH has no use case in tunnel mode, as confidentiality is usually required.
What is required for a host/router to use IPsec?
Must be assigned an IPsec policy to set the authentication mechanism, IPsec protocol (AH/ESP), and the mode (Transport/Tunnel).
What type of encryption key does IPsec’s encryption and hashing depend on?
A shared secret.
Define the ‘Internet Key Exchange (IKE) protocol’
Framework for creating a security association (SA) between hosts using IPSec.
Define the function of a ‘security association (SA)’
Authenticates peers in an association; Selects cryptographic ciphers mutually supported by peers, and performs key exchange between peers.
What is the purpose of a ‘security association (SA)’?
Establishes that two hosts trust one another (authenticate) and agree on secure protocols and cipher suites to use to exchange data.
Define the first phase of Internet Key Exchange (IKE) protocol negotiations between two hosts
Authenticates the two peers and performs key agreement using the Diffie-Hellman algorithm to create a secure channel.
What are the two methods of authenticating hosts in the first phase of an Internet Key Exchange (IKE) protocol negotiation?
- Digital Certificates
- Pre-shared key (group authentication)
Define the second phase of Internet Key Exchange (IKE) protocol negotiations between two hosts
Peers in the Security Association (SA) establish ciphers and key sizes and IPSec protocol (AH and/or ESP) to be used in the IPSec session.
How many versions of IKE are there?
Two versions
Define the first version of Internet Key Exchange (IKE) protocol
Designed for site-to-site and host-to-host topologies and requires a supporting protocol to implement remote access VPNs.
Define the second version of Internet Key Exchange (IKE) protocol
For use as a stand-alone remote access client-to-site VPN solution.
What are the improvements of IKEv2 in comparison to IKEv1?
Supports EAP; allows NAT traversal to configure a tunnel permitted by a home router/firewall.
Define HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
Define ‘in-band’ remote management
Remote management link shares traffic with other communications on the production network.
Define ‘out-of-band’ remote management
The management interface of a network appliance is accessed using a separate network from the usual data network.
What are examples of in-band remote management protocols?
RDP, SSH, TLS/IPSec
What are examples of out-of-band remote management?
A serial console or modem port on a router.
Define a ‘Jump server’
A hardened server that provides access to other hosts.