Lesson 8: Implementing a Secure Network Architecture Flashcards
network architecture weaknesses
- single points of failure—a “pinch point” relying on a single hardware server or appliance or network channel
- complex dependencies—services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services
- lack of documentation and change control—network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted
- overdependence on perimeter security—if the network architecture is “flat” (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement
Cisco’s SAFE architecture
- good starting point for understanding the complex topic of network architecture design
SAFE’s Places In the Network (PIN)
represents types of network locations, including campus networks, branch offices, data centers, and the cloud
email workflow
- access–the client device must access the network, obtaining a physical channel and logical address (must be authenticated and authorized)
- email mailbox server–ensure that the mailbox is only accessed by authorized clients and that it is fully available and fault tolerant
- mail transfer server–must connect with untrusted Internet hosts, so communications between untrusted network and trusted LAN must be carefully controlled
segment
- one where all the hosts attached to the segment can communicate freely with one another
segregation
hosts in one segment are restricted in the way they communicate with hosts in other segments
Ethernet network
- network segments can be established physically by connecting all the hosts in one segment to one switch and all the hosts in another segment to another switch
- the two switches can be connected by a router, and the router can enforce network policies or Access Control Lists (ACL) to restrict communications between the two segments
- because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs)
isolated segment
one that has no connectivity with other segments
air gapped
a host or network segment that has no sort of physical connectivity with other hosts or networks is referred to as air gapped
virtualization
- segregation and isolation of hosts or applications can also be accomplished using virtualization
- when a host is running as a guest OS on a hypervisor, connectivity with or isolation from other networks can be completely controlled via the hypervisor
topology
- description of how a computer network is physically or logically organized
- essential to map the network topology when designing a computer network and to update the map when any changes or additions are made to it
zone
- main building block of a security topology
- area of network where the security configuration is the same for all hosts within it
- should be segregated from one another by physical and/or logical segmentation, using VLANs, subnets, and possibly virtualization
firewall
- software or hardware that filters traffic passing into and out of a network segment
- bases its decisions on a set of rules called an access control list (ACL)
private network (intranet)
network of trusted hosts owned and controlled by the organization
extranet
network of semi-trusted hosts, typically representing business partners, suppliers, or customers (hosts must authenticate to join extranet)
internet/guest
zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet
Internet-facing
an Internet-facing host accepts inbound connections from and makes connections to hosts on the Internet
Demilitarized Zones (DMZs)
- Internet-facing hosts are placed in one or more Demilitarized Zones (DMZs)
- a DMZ is also referred to as a perimeter network
- traffic cannot pass through it
- enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole
- if communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy
- to configure a DMZ, two different security configurations must be enabled: one on the external interface
- DMZ and intranet are on different subnets, so communications between them need to be routed
- DMZ can also be established using a single router/firewall appliance
bastion hosts
- hosts in a DMZ are not fully trusted by the internal network, because of the possibility that they could be compromised from the Internet
- bastion host would not be configured with any services that run on the local network, such as user authentication
differences between services designed to be accessible to the public Internet versus those for an extranet
- dedicated DMZ for employee web browsing and proxy services
- DMZ for email, VoIP, and conferencing servers
- isolate remote access/Virtual Private Network (VPN) traffic
- isolate traffic for authorized cloud applications
- multi-tier DMZ to isolate front-end, middleware, and backend servers
subnet
- subdivision of larger network, isolated from the rest of the network by means of routers (or layer 3 switches)
- useful for security, as traffic passing between each subnet can be subjected to filtering and access control at the router
- important use of subnets is to implement a DMZ
three-legged firewall (or triple-homed)
- one with three network ports, each directing traffic to a separate subnet
screened host
- Internet access can still be implemented using a dual-homed proxy/gateway server acting as a screened host
zone types
- guest–zone that allows untrusted or semi-trusted hosts on the local network
- wireless–traffic from WiFi networks might be less trusted than from the cabled network
- honeynet–network containing honeypot hosts, designed to attract and study malicious activity
Cisco’s campus network hierarchy
- access–allowing end-user devices, such as computers, printers, and smartphones to connect to the network
- distribution–provides fault-tolerant interconnections between different access blocks and either the core or other distribution blocks
- core–provides a highly available network backbone; devices such as clients and server computers should not be attached directly to the core
layer 2 Ethernet switches
- a basic Ethernet switch might also be referred to as a LAN switch, data switch, or workgroup switch
- there are unmanaged and managed types
stackable
on a corporate network, switches are most likely to be managed and stackable, meaning they can be connected together and operate as a group
modular
on a larger enterprise network, the switches are likely to be modular (as opposed to fixed), meaning they can be configured with different numbers and types of ports to support network links other than basic copper wire Ethernet
switching and routing
- this function can be implemented by several devices:
- router–provides connectivity between subnetworks based on their IP address
- Layer 3 switch–router appliances are capable of many different types of routing, especially over wide area networks (WAN), and tend not to have many interface ports
- aggregation switch–functionally similar to layer 3 switches, but the term is often used for high-performing switches deployed to aggregate links in a larger enterprise or services provider’s routing infrastructure
hubs
- early Ethernet networks used hubs as a means of connecting network segments
- multiport repeater
collision domain
all ports are said to be in the same collision domain
bridge
- could be used to divide a network overloaded with hosts and suffering from excessive collisions into separate segments at the physical layer
- bridge appliances have all been replaced by switches, but the function of a bridge continues to have an impact on network security because a user may accidentally (or maliciously) create a bridge from one network to another
ad hoc network
- created when wireless stations are configured to connect to one another in a peer-to-peer topology
- computer could allow wireless clients to connect to it in either an ad hoc network or by being configured as a soft access point
Spanning Tree Protocol (STP)
- Layer 2 loops are prevented by the STP, defined in the IEEE 802.1D MAC Bridges standard
- Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming
MAC spoofing
- changes the Media Access Control (MAC) address configured on an adapter interface or asserts the use of an arbitrary MAC address
ARP poisoning
- attack works by broadcasting unsolicited ARP reply packets
- antiquated protocol with no security
MAC flooding
- variation of an ARP poisoning attack
- can be directed against a switch
- if a switch’s cache table is overloaded by flooding it with frames containing different (usually random) source MAC addresses, it will typically start to operate as a hub (fail-open mode)
rogue devices
- can potentially create loops through incorrect placement of patch cables; access to the physical switch ports and switch hardware should be restricted to authorized staff, using a secure server room and/or lockable hardware cabinets
port security
protection from an attacker who could unplug a device from an enabled port and connect their own laptop
MAC filtering
configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port
ARP inspection
an additional security feature that prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies, by maintaining a trusted database of IP:ARP mappings and ensuring that ARP packets are validly constructed and use valid IP addresses
DHCP snooping
- inspects DHCP traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address
- can also be used to prevent rogue (or spurious) DHCP servers from operating on the network
endpoint security
set of security procedures and technologies designed to restrict network access at a device level
port-based network access control (PNAC)
- PNAC means that the switch (or router) performs some sort of authentication of the attached device before activating the port
- under 802.1X, the device requesting access is the supplicant; the switch, referred to as the authenticator, enables only the Extensible Authentication Protocol over LAN (EAPoL) protocol and waits for the device to supply authentication data
authenticating server
typically RADIUS server, which checks the credentials and grants or denies access
health policy
- as well as authentication, most network access control (NAC) products allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access
admission control
point at which client devices are granted or denied access based on their compliance with the health policy
preadmission control
device must meet policy to gain access
postadmission control
subsequently polls the device to check that it remains compliant
NAC policy enforcer
with preadmission control, supplicant client devices connect to the network via a NAC policy enforcer, such as a switch, router, or wireless access point
NAC policy server
performs machine and user authentication with a RADIUS AAA server
posture assessment
- process by which host health checks are performed against a client device to verify compliance with the health policy
- some NAC solutions can perform agentless posture assessment
persistent vs. non-persistent
an agent can be persistent, in which case it is installed as a software application on the client, or non-persistent (dissolvable)
remediation
refers to what happens if a device does not meet the security profile
guest network
this would be a VLAN or a firewalled subnet (DMZ) granting limited access to network resources
quarantine network
restricted network using a captive portal (allows only HTTP traffic and redirects that HTTP traffic to a remediation server)
rogue system detection
refers to the process of identifying (and removing) hosts on the network that are not supposed to be there
routers
can serve both to join physically remote networks and to subdivide a single network into multiple subnets
border (or edge) routers
routers that join different types of networks
routing protocols
Dynamic routers exchange information about routes using routing protocols, such as Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Border Gateway Protocol (BGP)
IP spoofing
attacker changes the source and/or destination address recorded in the IP packet
Network Address Translation (NAT)
devised as a way of freeing up scarce IP addresses for hosts needing Internet access
Network Address Port Translation (NAPT) or NAT overloading
provides a means for multiple private IP addresses to be mapped onto a single public address
source NAT
the types of NAT described so far involve source addresses (and ports in the case of NAPT) from a private range being rewritten with public addresses
destination NAT (DNAT) or port forwarding
Port forwarding means that the router takes requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port on the LAN
software defined networking (SDN)
an application (or suite of applications) can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using application programming interfaces (APIs)
routing attacks
- fingerprinting–port scanning using a tool such as Nmap can reveal the presence of a router and which dynamic routing and management protocols it is running
- software exploits
- spoofed routing information (route injection)
- denial of service (DoS)
- ARP poisoning
- source routing