Lesson 8: Implementing a Secure Network Architecture Flashcards

1
Q

Weaknesses in the network architecture make it more susceptible to undetected intrusions or to catastrophic service failures. Typical weaknesses include:

A
  • Single points of failure—a “pinch point” relying on a single hardware server or appliance or network channel.
  • Complex dependencies—services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services.
  • Availability over confidentiality and integrity—often it is tempting to take “shortcuts” to get a service up and running. Compromising security might represent a quick fix but creates long term risks.
  • Lack of documentation and change control—network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. It is vital that network managers understand business workflows and the network services that underpin them.
  • Overdependence on perimeter security—if the network architecture is “flat” (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement.
2
Q

Cisco’s SAFE architecture guidance refers to Places In the Network (PIN)

A
  • SAFE is a good starting point for understanding the complex topic of network architecture design.
  • The SAFE guidance refers to Places In the Network (PIN). These represent types of network locations, including campus networks, branch offices, data centers, and the cloud. There are two special locations in these networks—Internet Edge and WAN—that facilitate connections between locations and with untrusted networks.

Each PIN can be protected with security controls and capabilities, classified into a series of secure domains, such as threat defense, segmentation, security intelligence, and management.

3
Q

Network architecture is principally about supporting business workflows. You can illustrate the sorts of decisions that need to be made by analyzing a simple workflow, such as email:

A
  • Access—the client device must access the network, obtaining a physical channel and logical address. The user must be authenticated and authorized to use the email application. The corollary is that unauthorized users and devices must be denied access.
  • Email mailbox server—ensure that the mailbox is only accessed by authorized clients and that it is fully available and fault tolerant. Ensure that the email service runs with a minimum number of dependencies and that the service is designed to be resilient to faults.
  • Mail transfer server—this must connect with untrusted Internet hosts, so communications between the untrusted network and trusted LAN must be carefully controlled. Any data or software leaving or entering the network must be subject to policy-based controls.

You can see that this type of business flow will involve systems in different Places In the Network. Placing the client, the mailbox, and the mail transfer server all within the same logical network “segment” will introduce many vulnerabilities. Understanding and controlling how data flows between these locations is a key part of secure and effective network design.

4
Q

segment

A

In the context of security, a network segment is one where all the hosts attached to the segment can communicate freely with one another.

5
Q

Segregation

A

means that the hosts in one segment are restricted in the way they communicate with hosts in other segments. They might only be able to communicate over certain network ports, for instance.

Segregation and isolation of hosts or applications can also be accomplished using virtualization. When a host is running as a guest OS on a hypervisor, connectivity with or isolation from other networks can be completely controlled via the hypervisor.

6
Q

virtual LANs (VLANs)

A

Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs). Any given switch port can be assigned to any VLAN in the same topology, regardless of the physical location of the switch. The segmentation enforced by VLANs at the data link layer can be mapped to logical divisions enforced by IP subnets at layer 3.

An isolated segment is one that has no connectivity with other segments. A host or network segment that has no sort of physical connectivity with other hosts or networks is referred to as air gapped.

7
Q

topology

A

A topology is a description of how a computer network is physically or logically organized. It is essential to map the network topology when designing a computer network and to update the map when any changes or additions are made to it. The logical and physical network topology should be analyzed to identify points of vulnerability and to ensure that the goals of confidentiality, integrity, and availability are met by the design.

8
Q

zone

A

The main building block of a security topology is the zone. A zone is an area of the network where the security configuration is the same for all hosts within it. Zones should be segregated from one another by physical and/or logical segmentation, using VLANs, subnets, and possibly virtualization. Traffic between zones should be strictly controlled using a security device, typically a firewall.

9
Q

firewall

A

A firewall is software or hardware that filters traffic passing into and out of a network segment. The firewall bases its decisions on a set of rules called an access control list (ACL). For example, a basic firewall can allow or deny a host access based on its IP address, by the port it is requesting, or a combination of both. Different types of firewalls (and other filtering devices) can apply different—often more sophisticated—criteria in their ACLs.

10
Q

Dividing a campus network or data center into zones implies that each zone has a different security configuration. The main zones are as follows:

A

  • Private network (intranet)—this is a network of trusted hosts owned and controlled by the organization.

Note: Hosts are trusted in the sense that they are under your administrative control and subject to the security mechanisms (anti-virus software, user rights, software updating, and so on) that you have set up to defend the network.

  • Extranet—this is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.
  • Internet/guest—this is a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.
11
Q

Demilitarized Zones (DMZs)

A

The most important distinction between different security zones is whether a host is Internet-facing. An Internet-facing host accepts inbound connections from and makes connections to hosts on the Internet. Internet-facing hosts are placed in one or more Demilitarized Zones (DMZs). A DMZ is also referred to as a perimeter network. The idea of a DMZ is that traffic cannot pass through it. A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole.

If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy. For example, if an intranet host requests a connection with a web server on the Internet, a proxy in the DMZ takes the request and checks it. If the request is valid, it re-transmits it to the destination. External hosts have no idea about what (if anything) is behind the DMZ.

Both extranet and Internet services are likely to be Internet-facing. The hosts that provide the extranet or public access services should be placed in one or more demilitarized zones. These would typically include web servers, mail and other communications servers, proxy servers, and remote access servers.

To configure a DMZ, two different security configurations must be enabled: one on the external interface and one on the internal interface. A DMZ and intranet are on different subnets, so communications between them need to be routed.

12
Q

bastion hosts

A

The hosts in a DMZ are not fully trusted by the internal network because of the possibility that they could be compromised from the Internet. They are referred to as bastion hosts. A bastion is a defensive structure in a castle. The bastion protrudes from the castle wall and enables the defenders to fire at attackers that have moved close to the wall. A bastion host would not be configured with any services that run on the local network, such as user authentication.

13
Q

We’ve already noted a difference between services designed to be accessible to a public Internet versus those for an extranet. Some other examples are:

A
  • Dedicated DMZ for employee web browsing and proxy services.
  • DMZ for email, VoIP, and conferencing servers.
  • Isolate remote access/Virtual Private Network (VPN) traffic.
  • Isolate traffic for authorized cloud applications.
  • Multi-tier DMZ to isolate front-end, middleware, and backend servers.

These different functions could be implemented either by completely separate DMZs or by using segmented demilitarized zones.

14
Q

subnet

A

A subnet is a subdivision of a larger network, isolated from the rest of the network by means of routers (or layer 3 switches). Each subnet(work) is in its own broadcast domain. Subnets can be used to represent geographical or logical divisions in the network. Geographical divisions might represent different floors of an office or networks connected by WAN links. Logical divisions might represent departmental functions or distinguish servers from clients. Subnets will usually be mapped to VLANs. The VLAN establishes a logical grouping of hosts at layer 2 of the OSI model (Data Link), and a subnet gives the hosts in a particular VLAN a distinct network address at layer 3 of the OSI model (Network).

Subnets are useful for security, as traffic passing between each subnet can be subjected to filtering and access control at the router.

15
Q

important use of subnets

A

implement a DMZ. Two firewalls are placed at either end of the DMZ. One restricts traffic on the external interface; the other restricts traffic on the internal interface.

16
Q

three-legged (or triple-homed) firewall

A

A DMZ can also be established using a single router/firewall appliance. A three-legged (or triple-homed) firewall is one with three network ports, each directing traffic to a separate subnet.

17
Q

screened host

A

Smaller networks may not have the budget or technical expertise to implement a DMZ. In this case, Internet access can still be implemented using a dual-homed proxy/gateway server acting as a screened host.

18
Q

Some other examples of zone types are:

A
  • Guest—a zone that allows untrusted or semi-trusted hosts on the local network. Examples would include computers that are publicly accessible or visitors bringing their own portable computing devices to your premises.
  • Wireless—traffic from Wi-Fi networks might be less trusted than from the cabled network. You might also operate unauthenticated open access points or authenticated guest Wi-Fi networks, which should be kept isolated from the main network.
  • Honeynet—a network containing honeypot hosts, designed to attract and study malicious activity. When deploying a honeynet, it is particularly important to ensure that compromised hosts cannot be used to “break out” of the honeynet and attack the main network.
19
Q

Network topology designs

A

implemented by installing physical network links and connecting hosts and zones using switches, routers, and firewalls. Network architecture design starts with the way the OSI model Physical and Data Link layers are implemented.

20
Q

Cisco recommends designing a campus network with three layers of hierarchy:

A
  • Access—allowing end-user devices, such as computers, printers, and smartphones, to connect to the network. Another important function of the access layer is to prevent the attachment of unauthorized devices.
  • Distribution—provides fault-tolerant interconnections between different access blocks and either the core or other distribution blocks. The distribution layer is often used to implement traffic policies, such as routing boundaries, filtering, or Quality of Service (QoS).
  • Core—provides a highly available network backbone. Devices such as clients and server computers should not be attached directly to the core. Its purpose should be kept simple: provide redundant traffic paths for data to continue to flow around the access and distribution layers of the network.
21
Q

layer 2 Ethernet switches

A

The access layer is implemented for each site using structured cabling and network ports for wired access and access points for wireless access. Both are ultimately connected to one or more layer 2 Ethernet switches. A basic Ethernet switch might also be referred to as a LAN switch, data switch, or workgroup switch. There are unmanaged and managed types. On a corporate network, switches are most likely to be managed and stackable, meaning they can be connected together and operate as a group. On a large enterprise network, the switches are likely to be modular (as opposed to fixed), meaning they can be configured with different numbers and types of ports to support network links other than basic copper wire Ethernet. On a SOHO network, switches are more likely to be unmanaged, standalone units that can just be added to the network and run without any configuration.

Managed switches can be configured with Virtual LANs (VLANs). The VLANs are used to implement logical segregation of traffic. For example, ports 1 through 10 and 11 through 20 on a switch could be configured as two separate VLANs, typically each with their own subnet address. Communication between the groups of ports would only be possible via a router or layer 3 switch. Port-based switching is the simplest means of configuring a VLAN (static VLANs). Others (dynamic VLANs) include using the host’s MAC address, protocol type, or even authentication credentials.

As well as representing organizational departments and/or overcoming physical barriers between different locations, it is common practice to isolate server-to-server traffic from client-server traffic and to isolate administration/management traffic (the channels used for inbound management of appliances and servers). Another standard configuration option is to create a null VLAN that is non-routable to the rest of the network. This VLAN is used for any ports that do not have authorized connected equipment.

22
Q

The distribution and core layers provide switching and routing between different access layer locations and server groups. This function can be implemented by several devices:

A
  • Router—provides connectivity between subnetworks based on their IP address.
  • Layer 3 switch—router appliances are capable of many different types of routing, especially over wide area networks (WAN), and tend not to have many interface ports. On a campus Ethernet network, the internal routers will typically be moving traffic between VLANs and have no need to perform WAN routing. This functionality is now commonly built into all but the cheapest Ethernet switches. Such switches with the ability to route traffic efficiently between VLANs are called layer 3 switches.
  • Aggregation switch—these are functionally similar to layer 3 switches, but the term is often used for high-performing switches deployed to aggregate links in a large enterprise or service provider’s routing infrastructure. Rather than 1 Gbps access ports and 10 Gbps uplink ports (as would be typical of an access layer switch), basic interfaces on an aggregation switch would be 10 Gbps and uplink/backbone ports would be 40 Gbps.
23
Q

hubs

A

Early Ethernet networks used hubs as a means of connecting network segments. A hub is a multiport repeater; it takes the signal generated by a node and retransmits it to every port on the hub. All the ports are said to be in the same collision domain. A bridge could be used to divide a network overloaded with hosts and suffering from excessive collisions into separate segments at the physical layer. Each of the segments experiences lower traffic loads since the bridge only passes signals from one segment to another if appropriate. The bridge can identify in which segment a host is located by its MAC address and only forwards traffic for that host over that interface.

Bridge appliances have all been replaced by switches, but the function of a bridge continues to have an impact on network security because a user may accidentally (or maliciously) create a bridge from one network to another. A typical example is a laptop with a bridged connection between the wireless and Ethernet adapters.

24
Q

ad hoc network

A

A computer could allow wireless clients to connect to it in either an ad hoc network or by being configured as a soft access point. An ad hoc network is created when wireless stations are configured to connect to one another in a peer-to-peer topology. This would not normally be part of a secure network design, but might be required in some special circumstances, such as communicating with a wireless host that is physically remote from other network infrastructure.

Generally speaking, bridged and ad hoc connections could be a potential network backdoor or could cause a switching loop. These issues can be mitigated with loop protection and port security.

25
Q

Spanning Tree Protocol (STP)

A

In a network with multiple bridges, implemented these days as switches and routers, there may be more than one path for a frame to take to its intended destination. As a layer 2 protocol, Ethernet has no concept of Time To Live. Therefore, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely. Layer 2 loops are prevented by the Spanning Tree Protocol (STP), defined in the IEEE 802.1D MAC Bridges standard. Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

An adversary may try to attack STP using a rogue switch or software designed to imitate a switch. When a switch does not know the correct port to use for a particular destination MAC address (if the cache has just been flushed, for instance), it floods the frame out to all ports, even if the frame is unicast, not broadcast. Topology changes in STP can cause a switch to flush the cache more frequently and to start flooding unicast traffic more frequently, which can have a serious impact on network performance.

26
Q

Bridge Protocol Data Units (BPDUs)

A

The configuration of switch ports should prevent the use of STP over ports designated for client devices (access ports). An access port is configured with the portfast command to prevent STP changes from delaying client devices trying to connect to the port. Additionally, the BPDU Guard setting should be applied. This causes a portfast-configured port that receives a BPDU to become disabled. Bridge Protocol Data Units (BPDUs) are used to communicate information about the topology and are not expected on access ports, so BPDU Guard protects against misconfiguration or a possible malicious attack.

27
Q

Man-in-the-Middle (MitM) attacks

A

Attackers can also take advantage of the lack of security in low-level data link protocols to perform Man-in-the-Middle attacks. A Man-in-the-Middle (MitM) attack is where the attacker sits between two communicating hosts, and transparently captures, monitors, and relays all communication between the hosts. A MitM attack could also be used to covertly modify the traffic. One way to launch a MitM attack is to use Trojan software to replace some genuine software on the system. These types of attacks can also be launched against antiquated protocols, such as ARP or DNS. MitM attacks can be defeated using mutual authentication, where both server and client exchange secure credentials, but at layer 2 it is not always possible to put these controls in place.

28
Q

MAC spoofing

A

changes the Media Access Control (MAC) address configured on an adapter interface or asserts the use of an arbitrary MAC address. While a unique MAC address is assigned to each network interface by the vendor at the factory, it is simple to override it in software via OS commands, alterations to the network driver configuration, or using packet crafting software. This can lead to a variety of issues when investigating security incidents or when depending on MAC addresses as part of a security control, as the presented address of the device may not be reliable. Because it operates at the Data Link layer, MAC address spoofing is limited to the local broadcast domain. MAC spoofing is also the basis of other layer 2 Man-in-the-Middle attacks.

29
Q

ARP poisoning attack

A

works by broadcasting unsolicited ARP reply packets. Because ARP is an antiquated protocol with no security, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address. A trivial ARP poisoning attack could be launched by adding static entries to the target’s ARP cache. A more sophisticated attack can be launched by running software such as Dsniff, Cain and Abel, or Ettercap from a computer attached to the same switch as the target.

The usual target will be the subnet’s default gateway (the router that accesses other networks). If the ARP poisoning attack is successful, all traffic destined for remote networks will be sent to the attacker. The attacker can perform a Man-in-the-Middle attack, either by monitoring the communications and then forwarding them to the router to avoid detection, or modifying the packets before forwarding them. The attacker could also perform a Denial of Service attack by not forwarding the packets.

There are utilities that can detect ARP spoofing attacks. Another option is to use switches that can perform port authentication, preventing connected devices from changing their MAC addresses.

A variation of an ARP poisoning attack, MAC flooding, can be directed against a switch. If a switch’s cache table is overloaded by flooding it with frames containing different (usually random) source MAC addresses, it will typically start to operate as a hub (fail-open mode). The alternative would be to deny network connections to any of the attached nodes. As hubs repeat all unicast communications to all ports, this makes sniffing network traffic easier.

30
Q

rogue devices

A

Because of the risks from rogue devices and the potential to create loops by incorrect placement of patch cables, access to the physical switch ports and switch hardware should be restricted to authorized staff, using a secure server room and/or lockable hardware cabinets. To prevent the attachment of unauthorized client devices at unsecured wall ports, the switch port that the wall port cabling connects to can be disabled by using the management software or the patch cable can be physically removed from the port. Completely disabling ports in this way can introduce a lot of administrative overhead and scope for error. Also, it doesn’t provide complete protection as an attacker could unplug a device from an enabled port and connect their own laptop. Consequently, more sophisticated methods of ensuring port security have been developed.

31
Q

MAC filtering

A

Configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port. This can be done by creating a list of valid MAC addresses or by specifying a limit to the number of permitted addresses. For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port but then drop any traffic from machines with different network adapter IDs that try to connect. This provides a guard against MAC flooding attacks. Additionally, a security feature such as ARP inspection prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies by maintaining a trusted database of IP:ARP mappings and ensuring that ARP packets are validly constructed and use valid IP addresses.

Another option is to configure DHCP snooping. This inspects DHCP traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. It can also be used to prevent rogue (or spurious) DHCP servers from operating on the network. With DHCP snooping, only DHCP offers from ports configured as trusted are allowed.

32
Q

To secure a switch, the following guidelines should be met:

A
  • Disable unused ports by placing them in an otherwise unused VLAN with no connectivity to the rest of the network. This helps to prevent the attachment of rogue devices.
  • Secure the switch’s management console by renaming the administrative account (if possible) and setting a strong password.
  • Use a secure interface to access the management console. Most switches can be operated using Telnet or HTTP, but these are not secure and transmit all information as plaintext. Use encrypted communications, such as HTTPS or SSH, or use the switch’s console serial port. Switch administration traffic should be performed on a dedicated VLAN, separate from other types of traffic.

Note: Using an access method other than the normal data network is referred to as out-of-band (OOB) management.

  • Disable unused management console access methods. For example, if you use SSH, disable the serial port, HTTP, HTTPS, and Telnet.
  • Restrict the hosts that can be used to access the management console by enforcing an access control list (ACL); restrict permitted management hosts to a single IP address or subnet, for instance.
  • Install the latest firmware updates and review vendor security bulletins to be forewarned about possible exploits or vulnerabilities.
  • Configure the SNMP interface on the switch to report only to an authorized management station or disable SNMP if it is not required.
33
Q

Endpoint security

A

Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level. Endpoint security contrasts with the focus on perimeter security established by topologies such as DMZ and technologies such as firewalls. Endpoint security does not replace these but adds defense in depth.

34
Q

IEEE 802.1X standard

A

defines a port-based network access control (PNAC) mechanism. PNAC means that the switch (or router) performs some sort of authentication of the attached device before activating the port. Under 802.1X, the device requesting access is the supplicant. The switch, referred to as the authenticator, enables the Extensible Authentication Protocol over LAN (EAPoL) protocol only and waits for the device to supply authentication data. Using EAP, this data could be a simple username/password (EAP-MD5) or could involve using a digital certificate or token. The authenticator passes this data to an authenticating server, typically a RADIUS server, which checks the credentials and grants or denies access. If access is granted, the switch will configure the port to use the appropriate VLAN and enable it for ordinary network traffic. Unauthenticated hosts may also be placed in a guest VLAN with only limited access to the rest of the network.

35
Q

health policy

A

As well as authentication, most network access control (NAC) products allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access. This is called a health policy. Typical policies check things such as malware infection, firmware and OS patch level, personal firewall status, and the presence of up-to-date virus definitions. A solution may also be to scan the registry or perform file signature verification. The health policy is defined on a NAC management server along with reporting and configuration tools.

36
Q

Admission control

A

the point at which client devices are granted or denied access based on their compliance with the health policy. Most NAC solutions work on the basis of preadmission control (that is, the device must meet the policy to gain access). Post-admission control involves subsequently polling the device to check that it remains compliant. Some solutions only perform post-admission control; some do both.

37
Q

NAC policy enforcer

A

With preadmission control, supplicant client devices connect to the network via a NAC policy enforcer, such as a switch, router, or wireless access point. Other options for the location of the policy enforcer include a VPN remote access gateway or a specially configured DHCP server. The policy enforcer checks the client credentials with the NAC policy server and performs machine and user authentication with a RADIUS AAA server. The client is allocated a suitable IP address by a DHCP server and assigned to a VLAN by the switch; depending on whether the policy was met, this would allow access to the network or to a quarantined area or captive web portal only.

Post-admission controls would rely on the NAC policy server polling the client device once access has been granted or performing a policy check if the configuration of a client changes or when a client attempts to access a particular server or service.

38
Q

Posture assessment

A

process by which host health checks are performed against a client device to verify compliance with the health policy. Most NAC solutions use client software called an agent to gather information about the device, such as its anti-virus and patch status, presence of prohibited applications, or anything else defined by the health policy.

39
Q

persistent

A

An agent can be persistent, in which case it is installed as a software application on the client.

40
Q

non-persistent

A

A non-persistent (or dissolvable) agent is loaded into memory during posture assessment but is not installed on the device.

41
Q

agentless

A

Some NAC solutions can perform agentless posture assessment. This is useful when the NAC solution must support a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available with an agentless solution.

If implemented as a primarily software-based solution, NAC can suffer from the same sort of exploits as any other software. There have been instances of exploits to evade the NAC admission process or submit false scan results. One fruitful line of attack is to use virtual machines to evade the initial admission policy; one VM is created that complies with the policy, and when access is granted, the user switches to a second non-compliant VM. This is why post-admission control is an increasingly important requirement for NAC solutions.

42
Q

Remediation

A

refers to what happens if the device does not meet the security profile. A non-compliant device may be refused connection completely or put in a quarantined guest network or captive portal.

  • Guest network—this would be a VLAN or firewalled subnet (DMZ) granting limited access to network resources. For example, you might allow visitors with non-compliant devices to use your Internet routers to browse the web and view their email but not grant them any access to your corporate network.
  • Quarantine network—this is another type of restricted network, usually based on a captive portal. A captive portal allows only HTTP traffic and redirects the HTTP traffic to a remediation server. The remediation server would allow clients to install OS and anti-virus updates in order to achieve or return to compliance.

43
Q

Rogue system detection refers to a process of identifying (and removing) hosts on the network that are not supposed to be there. You should be aware that “system” could mean several different types of devices (and software):

A
  • Wired clients (PCs, servers, laptops, appliances).
  • Wireless clients (PCs, laptops, mobile devices).
  • Software (rogue servers and applications, such as malicious DHCP or DNS servers or a soft access point).
  • Virtual machines.

44
Q

Several techniques are available to perform rogue machine detection:

A
  • Visual inspection of ports/switches will reveal any obvious unauthorized devices or appliances. It is, however, possible to imagine a sophisticated attack going to great lengths to prevent observation, such as creating fake asset tags.
  • Network mapping/host discovery—unless an OS is actively trying to remain unobserved (not operating when scans are known to be run, for instance), network mapping software should identify hosts. Identifying a rogue host on a large network from a scan may still be difficult.
  • Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations.
  • Network monitoring can reveal the use of unauthorized protocols on the network or identify hosts producing an unusual volume of network traffic.
  • NAC and intrusion detection—security suites and appliances can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.

45
Q

Routers

A

can serve both to join physically remote networks and subdivide a single network into multiple subnets. Routers that join different types of networks are called border or edge routers. These are typified by distinguishing external (Internet-facing) and internal interfaces. These devices are placed at the network perimeter. Edge routers stand in contrast to routers that handle traffic moving within the LAN. This function is likely to be performed by a layer 3 switch on an enterprise network.

46
Q

routing protocols

A

Routes between networks and subnets can be configured manually, but most routers automatically discover routes by communicating with each other. Dynamic routers exchange information about routes using routing protocols, such as Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Border Gateway Protocol (BGP). It is important that this traffic be separated from channels used for other types of data. Routing protocols do not usually have effective integral security mechanisms, so they need to run in an environment where access is very tightly controlled.

A hardware router is configured and secured in the same way as a switch (using a web or command-line interface, for instance). The main difference is that a router is likely to have an exposed public interface. This means that properly securing the router is all the more important. Routers are often more complex than switches and it is consequently easier to make mistakes. A software router is configured using the appropriate tools in the underlying NOS. As well as the configuration of the routing functions, the performance and security of the underlying server should be considered too.

47
Q

reachability

A

As well as configuring routers with network reachability information, most routers can also be configured to block traffic, acting as a firewall. Network traffic can be filtered using an access control list (ACL). A network ACL comprises a set of rules processed in order from top-to-bottom. Each rule can be set to accept or deny traffic based on things such as source and destination IP addresses or TCP/UDP port. A router would normally be configured with ACLs for inbound and outbound traffic.

48
Q

Routing is subject to numerous vulnerabilities, including:

A
  • Fingerprinting—port scanning using a tool such as Nmap can reveal the presence of a router and which dynamic routing and management protocols it is running.
  • Software exploits in the underlying operating system. Hardware routers (and switches) have an embedded operating system. For example, Cisco devices typically use the Internetwork Operating System (IOS). Something like IOS suffers from fewer exploitable vulnerabilities than full network operating systems. It has a reduced attack surface compared to a computer OS, such as Windows.

Note: On the other hand, SOHO routers and DSL/cable modems can be particularly vulnerable to unpatched exploits.

  • Spoofed routing information (route injection). Routing protocols that have no or weak authentication are vulnerable to route table poisoning. This can mean that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent address), or continuously looped around the network, causing DoS. Most dynamic routing protocols support message authentication via a shared secret configured on each device. This can be difficult to administer, however. It is usually also possible to configure how a router identifies the peers from which it will accept route updates. This makes it harder to simply add a rogue router to the system. An attacker would have to compromise an existing router and change its configuration.
  • Denial of service (redirecting traffic to routing loops or blackholes or overloading the router).
  • ARP poisoning or ICMP redirect—tricking hosts on the subnet into routing through the attacker’s machine rather than the legitimate default gateway. This allows the attacker to eavesdrop on communications and perform replay or MitM attacks.
  • Source routing—this uses an option in the IP header to pre-determine the route a packet will take through the network (strict) or “waypoints” that it must pass through (loose). This can be used maliciously to spoof IP addresses and bypass router/firewall filters. Routers can be configured to block source routed packets.
  • There have also been various vulnerabilities associated with the way routing software processes miscrafted IP headers (to cause buffer overflows).

49
Q

IP spoofing

A

In an IP spoofing attack, the attacker changes the source and/or destination address recorded in the IP packet. IP spoofing is done to disguise the real identity of the attacker’s host machine. The technique is also used in most Denial of Service attacks to mask the origin of the attack and make it harder for the target system to block packets from the attacking system.

IP spoofing can be defeated on a corporate network by requiring authenticated IPSec tunnels to critical services. Most routers can operate as a firewall and can be configured with ACLs to implement an anti-spoofing function.

50
Q

The following sorts of IP ranges might be blocked as a matter of policy:

A
  • Private or reserved IP ranges (“Martians”) and unallocated public address ranges or allocated but unassigned ranges (“bogons”)—valid Internet hosts should not be using addresses in these ranges.
  • IP reputation lists—block connections from a list of “known bad” IP addresses.
  • Source IP addresses that are inconsistent with the subnet(s) associated with an interface. This is a means of policing internal traffic flows.
  • Geolocation—block addresses associated with a particular geographic region.

51
Q

Network Address Translation (NAT)

A

originally devised as a way of freeing up scarce IP addresses for hosts needing Internet access. It provides an addressing method for private networks connected to the Internet. A private network will typically use a private addressing scheme to allocate IP addresses to hosts. These addresses can be drawn from one of the pools of addresses defined in RFC 1918 as non-routable over the Internet:

  • 10.0.0.0 to 10.255.255.255 (Class A private address range).
  • 172.16.0.0 to 172.31.255.255 (Class B private address range).
  • 192.168.0.0 to 192.168.255.255 (Class C private address range).

Essentially, NAT is a service translating between a private (or local) addressing scheme used by hosts on the LAN and a public (or global) addressing scheme used by an Internet-facing device. NAT is configured on a border device, such as a router, proxy server, or firewall. There are several types of NAT, including static, dynamic, overloaded, and destination NAT. Static and dynamic NAT establish connections using 1:1 mappings between a single private (“inside local”) address, or a pool of them, and a public (“inside global”) address.

52
Q

Network Address Port Translation (NAPT) or NAT overloading

A

Many companies are only allocated a single address or a small block of addresses by their ISP. Network Address Port Translation (NAPT) or NAT overloading provides a means for multiple private IP addresses to be mapped onto a single public address. NAT overloading works by allocating each new connection a high-numbered TCP or UDP port. For example, say two hosts (192.168.0.101 and 192.168.0.102) initiate a web connection at the same time. The NAPT service creates two new port mappings for these requests (192.168.0.101:61101 and 192.168.0.102:61102). It then replaces the private source IPs with the public IP and forwards the requests to the public Internet. It performs a reverse mapping on any traffic returned using those ports, inserting the original IP address and port number, and forwards the packets to the internal hosts.

53
Q

source NAT

A

The types of NAT described so far involve source addresses (and ports in the case of NAPT) from a private range being rewritten with public addresses. This type of address translation is called source NAT.

54
Q

destination NAT (DNAT) or port forwarding

A

There are also circumstances where you may want to use the router’s public address for something like a web server but forward incoming requests to a different IP. This is called destination NAT (DNAT) or port forwarding. Port forwarding means that the router takes requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port on the LAN.

55
Q

With so many devices to configure, it is better to take a step back and consider an abstracted model of how the network functions. In this model, network functions can be divided into three planes:

A
  • Control plane—makes decisions about how traffic should be prioritized and secured and where it should be switched.
  • Data plane—handles the actual switching and routing of traffic and imposition of Access Control Lists (ACLs) for security.
  • Management plane—monitors traffic conditions and network status.

56
Q

software defined networking (SDN)

A

A software defined networking (SDN) application (or suite of applications) can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using application programming interfaces (APIs). The interface between the SDN applications and the SDN controller is described as the “northbound” API, while that between the controller and appliances is the “southbound” API.

At the device level, SDN can use virtualized appliances or physical appliances. The appliances just need to support the southbound API of the network controller software.

This architecture saves the network administrator the job and complexity of configuring each appliance with appropriate settings to enforce the desired policy. It also allows for fully automated deployment (or provisioning) of network links, appliances, and servers. Network administrators can more easily manage the flow and logistics of their network, and adjust traffic on-the-fly based on their needs. An architecture designed around SDN may also provide greater security insight because it enables a centralized view of the network. This makes SDN an important part of the latest software deployment and disaster recovery technologies.

57
Q

Follow these guidelines when securing network design elements:

A
  • Design the network with a logical security zone topology implemented at the Physical and Data Link layers by segmentation and segregation technologies.
  • Implement a DMZ to allow access to public-facing resources while reducing risks for internal resources.
  • Place one firewall at the external-facing edge and one at the internal-facing edge for optimal security of the DMZ.
  • Air-gap subnetworks and hosts that must be isolated from other networks.
  • Create subnets in order to segment hosts with a common purpose.
  • Implement VLANs to streamline the management of network segments.
  • Install switch and router appliances in a hardened configuration.
  • Consider implementing a NAC solution to govern how devices access the network and use rogue system detection to scan for unauthorized hosts.
  • Implement NAT to conceal the IPv4 addresses of internal hosts from external networks.
  • Consider implementing SDN to improve the network management process.