Lesson 9 Implement Secure Network Designs Flashcards
Switches
Forward frames between nodes in a cabled network
- works at the Datalink layer (2) of the OSI Model
- makes forwarding decisions based on the HW MAC address of attached nodes
- can establish network segments to the cabling or logical segments to establish virtual LANs (VLANs)
- Data it moves is frames
WAP
Wireless Access Point
- Provides a bridge between a cabled network and wireless clients or stations
- works at the OSI model Datalink layer (2)
- works with frame data
Routers
Forward packets around an internet based on IP addresses
- works on OSI Model Network layer (3)
- can apply logical IP subnet addresses to segments within a network
- works on Frame data
Firewalls
Apply Access Control List (ACL) to filter traffic passing in or out of a network segment
- works at the OSI Model Network layer (3)
Load Balancers
Network appliance which distributes traffic between network segments or servers to optimize performance
- works at the OSI Model Transport layer (4) or higher
DNS
Domain Name System
- A system which resolves IP addresses to FQDNs
- Works at OSI Model Application layer (7)
- abuse of name resolution is a common attack vector
OSI Model - Layer 1
Layer: Physical
PDU: bits
HW: Hubs, net tap, repeaters
Addressing: none
Protocols: UTP, STP, COAX, Fiber, TDM, FDM
Control: node
OSI Model Layer 2
Layer: Datalink - Connects nodes inside a LAN together - Nodes to Nodes
PDU: Frame
HW: Switch, Bridge, WAP
Addressing: MAC address (Physical Address), VLAN id
Protocols: Ethernet, PPP, LLC
Control: MAC Filtering
Address Resolution Protocol (ARP) between Physical and Datalink layers
OSI Model Layer 3
Layer: Network - Connects LANs together - LAN to LAN
PDU: Packet
HW: Router, Layer 3 Switches
Addressing: IP Addresses (Logical Addresses)
Protocols: IP, ICMP, IPSec, IGMP
Control: Packet Filtering Firewall
OSI Model Layer 4
Layer: Transport - End to end connections
PDU: Segment
HW: Load Balancer, Firewall
Addressing: Logical Port Numbers
Protocols: TCP, UDP, optionally SSL/TLS
Control: Packet Filtering Firewall
OSI Model Layer 5
Layer: Session - Interhost Communication
- Synchronize upper layers with lower layers
- allows session establishment between processes
PDU:
HW:
Addressing:
Protocols:
OSI Model Layer 6
Layer: Presentation - Syntax layer
- Formats the data as needed
PDU: Data
HW:
Addressing:
Protocols:
Control: NGFW or App layer Firewall
OSI Model Layer 7
Layer: Application - End User Layer
PDU: Data
HW:
Addressing:
Protocols: HTTP (TCP 80), HTTPS (TCP 443), SMTP (TCP 25), FTP (20, 21)
Control: NGFW or App Layer Firewall
ARP
Address Resolution Protocol
- Maps a MAC address to an IP address
- Sits between Datalink (2) and Network (3) layers
Firewall
- sits between Network Layer (4) and Datalink Layer (3)
DNS
Domain Name System
- Sits between Transport Layer (4) and the upper layers (5-7)
IP Addresses come from ?
Locally:
DHCP - Dynamic Host Configuration Protocol
- Service to assign network IP addresses to clients upon connection
Public:
- Internet Service Provider (ISP), assigned when you get the service
Private IP ranges
- 0.0.x
- 16-31.x.x
- 168.x.x
IPv4 vs IPv6
IPv4
- 32 bit
- 172.16.1.101/16 - the /16 indicates the first half of the address 172.16.0.0 is the network id, while the remainder identifies the host on the network.
- the /16 can also be written as subnet 255.255.0.0
IPv6
- 128 bit
- uses hex numbers
- 2001:db8::abc:0:def0:1234
Network Segmentation
Network Segment
- All hosts attached to the segment can use local layer 2 to communicate freely with one another
- said to be in the same broadcast domain
Segregation
- Hosts in one segment are restricted in the way they communicate with hosts in the other segment
- could be restricted by the ports they can access or communicate across
- two switches can be connected via a layer 3 router and enforce network policies via an Access Control List (ACL)
- more likely though to be enforced via virtual LAN (VLAN)
VLAN
Virtual Local Area Network
- segmentation enforcement
- Any port on any switch can be assigned to any VLAN in the same topology
DMZ
Demilitarized Zones
- a perimeter or edge network made up of internet facing hosts
- basic principle is that traffic cannot pass directly through the DMZ
- acts as proxy to the outer facing (in the internet) servers and the internal hosts of the network
- hosts in the DMZ are bastion hosts and run minimal services to reduce the attack surface
Screened Subnet
- part of a DMZ to further restrict access into and out of the DMZ
- two firewalls sit on either side of the DMZ
- edge firewall is called the Screening Router/Firewall
- internal firewall is called the choke router/firewall
- provides better access control and easier monitoring
PNAC
Port-based Network Access Control
- part of the 802.1X standard
- means the switch utilizes an AAA server to authenticate the attached device before activating the port
Network Access Control
- extends the scope of Authentication
- allows for policies or profiles describing the minimum security configuration a device must meet to be granted access to the network
- these are called health policies
Network loop prevention
Spanning Tree Protocol (STP)
- used to set blocks on switches in an attempt to prevent looping
Broadcast Storm Prevention
- broadcast and flooded unicast traffic getting amplified as it loops around the network
- Storm control if STP has failed
Bridge Protocol Data Unit (BPDU) guard
- configure the switch to defeat attempts to engineer a loop by an attacker
- Portfast setting configured for access port
- guard disables port if STP traffic is detected
WAP
Wireless Access Point
- forwards traffic to the wired switched network
- identified by its MAC, often referred to as the Basic Service Set Identifier
BSSID
Basic Service Set IDentifier
- each WAP is identified by its MAC address
- for computer
SSID
Service Set Identifier
- Identifies each wireless network by its name
- human readable
Wi-Fi Authentication types
Personal
Open
Enterprise
Personal Wi-Fi authentication types
Pre-Shared Key (PSK)
Simultaneous Authentication of Equals (SAE)
Benefit of WPA3 over WPA2
Wired Equivalent Privacy (WEP) is broken (too many vulnerabilities)
Wi-fi Protected Access 3 (WPA3) fixed those vulnerabilities
WPA2 is flawed but acceptable
WPA3 is much improved but not largely available yet
WPA3 uses SAE
WPA3 and SAE
Simultaneous Authentication of Equals (SAE)
- replacement for WPA2’s authentication
- uses Diffie-Hellman key agreement for much stronger encryption
- the Diffie-Hellman process is called Dragonfly
SAE
Simultaneous Authentication of Equals
- uses the Dragonfly handshake to thwart offline brute force or dictionary attacks
- Diffie-Hellman over elliptic curves key agreement combined with the password hash and MAC address to authenticate nodes
- also uses ephemeral session keys to provide forward secrecy
WPA3 uses SAE to provide authentication
PSK
Pre-Shared Key
- uses a passphrase to generate the key
- referred to as group authentication
- meaning the group of users share the same secret
- WPA2-PSK mode of the WAP
- attackers exploit the passphrase using dictionary or brute force attacks
WPS
Wi-Fi Protected Setup
- meant to simplify setting up a WAP
- leads to weaker security
- brute force attacks
Open Wi-Fi authentication
Open means the client is not required to authenticate
- like in a cafe or other public WAP
Uses Captive Portals or splash screens
- authentication to the network via browser using HTTPS
Users must ensure they are using SSL/TLS or a VPN to secure confidential data when using an open authentication WAP
WPA3 can implement Open Wireless Encryption (OWE) which uses the Dragonfly handshake to use ephemeral session keys
Enterprise Wi-Fi Authentication - EAPoW
Extensible Authentication Protocol over Wireless (EAPoW)
- defined by 802.1X, allowing an access point to forward authentication data without allowing any other type of network access
- uses an AAA (RADIUS or TACACS+) server on the wired network to authenticate the supplicant
- uses a master key (MK) to derive the same pairwise master key (PMK)
- The PMKs are used by the supplicant and the WAP to derive session keys
DDoS
Distributed Denial of Service
- performed usually by a bot network
- usually uses a SYN flood attack by withholding the ACK portion of the TCP three-way handshake, which causes the switch/router to get caught up in trying to make connections rather than handling genuine traffic
Use a blackhole to thwart it by dropping packets into a blackhole on the network, an area that cannot reach any other part of the network
Use sinkhole routing, which routes the affected data to a different part of the network to be analyzed
Load Balancing
distributes client requests across available server nodes in a farm or pool
allows for scaling
Works on Layer 4 (basic LD) or layer 7 (has content switching)
Schedule:
- round robin
- fewest connections
- best response time
- weighted
source IP or session affinity
- client session is stuck to the first node that accepted the request
session persistence
- layer 7 LD function to use cookies to maintain the session, better than session affinity
Clustering
Provides redundancy in Load Balancing
- allows for multiple redundant processing nodes to share data with one another to accept connections
- nodes can failover to a working node should one node fail
Active/Passive
- One node is processing connections, while the other is passive
Active/Active
- Both nodes are processing connections concurrently