Lesson 9 Implement Secure Network Designs Flashcards

1
Q

Switches

A

Forward frames between nodes in a cabled network

  • works at the Datalink layer (2) of the OSI Model
  • makes forwarding decisions based on the HW MAC address of attached nodes
  • can establish network segments to the cabling or logical segments to establish virtual LANs (VLANs)
  • Data it moves is frames
2
Q

WAP

A

Wireless Access Point

  • Provides a bridge between a cabled network and wireless clients or stations
  • works at the OSI model Datalink layer (2)
  • works with frame data
3
Q

Routers

A

Forward packets around an internet based on IP addresses

  • works on OSI Model Network layer (3)
  • can apply logical IP subnet addresses to segments within a network
  • works on Frame data
4
Q

Firewalls

A

Apply Access Control List (ACL) to filter traffic passing in or out of a network segment
- works at the OSI Model Network layer (3)

5
Q

Load Balancers

A

Network appliance which distributes traffic between network segments or servers to optimize performance
- works at the OSI Model Transport layer (4) or higher

6
Q

DNS

A

Domain Name System

  • A system which resolves IP addresses to FQDNs
  • Works at OSI Model Application layer (7)
  • abuse of name resolution is a common attack vector
7
Q

OSI Model - Layer 1

A
Layer 1: Physical 
PDU: bits
HW: Hubs, net tap, repeaters
Addressing: none
Protocols: UTP, STP, COAX, Fiber, TDM, FDM
Control: node
8
Q

OSI Model Layer 2

A

Layer: Datalink - Connects nodes inside a LAN together - Nodes to Nodes
PDU: Frame
HW: Switch, Bridge, WAP
Addressing: MAC address (Physical Address), VLAN id
Protocols: Ethernet, PPP, LLC
Control: MAC Filtering

Address Resolution Protocol (ARP) between Physical and Datalink layers

9
Q

OSI Model Layer 3

A

Layer: Network - Connects LANs together - LAN to LAN
PDU: Packet
HW: Router, Layer 3 Switches
Addressing: IP Addresses (Logical Addresses)
Protocols: IP, ICMP, IPSec, IGMP
Control: Packet Filtering Firewall

10
Q

OSI Model Layer 4

A
Layer: Transport - End to end connections
PDU: Segment
HW: Load Balancer, Firewall
Addressing: Logical Port Numbers
Protocols: TCP, UDP, optionally SSL/TLS
Control: Packet Filtering Firewall
11
Q

OSI Model Layer 5

A

Layer: Session - Interhost Communication
- Synchronize upper layers with lower layers
- allows session establishment between processes
PDU:
HW:
Addressing:
Protocols:

12
Q

OSI Model Layer 6

A

Layer: Presentation - Syntax layer
- Formats the data as needed

PDU: Data
HW:
Addressing:
Protocols:
Control: NGFW or App layer Firewall
13
Q

OSI Model Layer 7

A
Layer: Application - End User Layer
PDU: Data
HW:
Addressing:
Protocols: HTTP(TCP 80), HTTPS(TCP 443), SMTP(TCP 25), FTP (20, 21)
Control: NGFW or App Layer Firewall
14
Q

ARP

A

Address Resolution Protocol

  • Maps a MAC address to an IP address
  • Sits between Datalink (2) and Network (3) layers
15
Q

Firewall

A
  • sits between Network Layer (4) and Datalink Layer (3)
16
Q

DNS

A

Domain Name System

- Sits between Transport Layer (4) and the upper layers (5-7)

17
Q

IP Addresses come from ?

A

Locally:
DHCP - Dynamic Host Configuration Protocol
- Service to assign network IP addresses to clients upon connection

Public:
- Internet Service Provider (ISP), assigned when you get the service

18
Q

Private IP ranges

A
  1. 10.0.0.x
  2. 172.16-31.x.x
  3. 192.168.x.x
19
Q

IPv4 vs IPv6

A

IPv4

  • 32 bit
  • 172.16.1.101/16 - the /16 indicates the first half of the address 172.16.0.0 is the network id, while the remainder identifies the host on the network.
  • the /16 can also be written as subnet 255.255.0.0

IPv6

  • 128 bit
  • uses hex numbers
  • 2001:db8::abc:0:def0:1234
20
Q

Network Segmentation

A

Network Segment

  • All hosts attached to the segment can use local layer 2 to communicate freely with one another
  • said to be in the same broadcast domain

Segregation

  • Hosts in one segment are restricted in the way they communicate with hosts in the other segment
  • could be restricted by the ports they can access or communicate across
  • two switches can be connected via a layer 3 router and enforce network policies via an Access Control List (ACL)
  • more likely though to be enforced via a virtual LAN (VLAN)
21
Q

VLAN

A

Virtual Local Area Network

  • segmentation enforcement
  • Any port on any switch can be assigned to any VLAN in the same topology
22
Q

DMZ

A

Demilitarized Zones

  • a perimeter or edge network made up of internet facing hosts
  • basic principle is that traffic cannot pass directly through the DMZ
  • acts as proxy to the outer facing (in the internet) servers and the internal hosts of the network
  • hosts in the DMZ are bastion hosts and run minimal services to reduce the attack surface
23
Q

Screened Subnet

A
  • part of a DMZ to further restrict access into and out of the DMZ
  • two firewalls sit on either side of the DMZ
  • edge firewall is called the Screening Router/Firewall
  • internal firewall is called the choke router/firewall
  • provides better access control and easier monitoring
24
Q

PNAC

A

Port-based Network Access Control

  • part of the 802.1X standard
  • means the switch utilizes an AAA Svr to authenticate the attached device before activating the port

Network Access Control

  • extends the scope of Authentication
  • allows for policies or profiles describing minimum security Configuration a device must meet to be granted access to the network
  • these are called health policies
25
Q

Network loop prevention

A

Spanning Tree Protocol (STP)
- used to set blocks on switches in an attempt to prevent looping

Broadcast Storm Prevention

  • broadcast and flooded unicast traffic gets amplified as it loops around the network
  • Storm control if STP has failed

Bridge Protocol Data Unit (BPDU) guard

  • configure switch to defeat attempts to engineer a loop by an attacker
  • Portfast setting configured for access port
  • guard disables port if STP traffic is detected
26
Q

WAP

A

Wireless Access Point

  • forwards traffic to the wired switched network
  • identified by its MAC address, often referred to as the Basic Service Set Identifier
27
Q

BSSID

A

Basic Service Set IDentifier

  • each WAP is identified by its MAC address
  • for computers
28
Q

SSID

A

Service Set Identifier

  • Identifies each wireless network by its name
  • human readable
29
Q

Wi-Fi Authentication types

A

Personal
Open
Enterprise

30
Q

Personal Wi-Fi authentication types

A

Pre-Shared Key (PSK)

Simultaneous Authentication of Equals (SAE)

31
Q

Benefit of WPA3 over WPA2

A

Wired Equivalent Privacy (WEP) is broken (too many vulnerabilities)
Wi-Fi Protected Access 3 (WPA3) fixed those vulnerabilities
WPA2 is flawed but acceptable
WPA3 is much improved but not largely available yet

WPA3 uses SAE

32
Q

WPA3 and SAE

A

Simultaneous Authentication of Equals (SAE)

  • replacement for WPA2's authentication
  • uses Diffie-Hellman key agreement for much stronger encryption
  • the Diffie-Hellman process is called Dragonfly
33
Q

SAE

A

Simultaneous Authentication of Equals

  • uses the Dragonfly handshake to thwart offline brute force or dictionary attacks
    • Diffie-Hellman over elliptic curves key agreement combined with the password hash and MAC address to authenticate nodes
    • also uses ephemeral session keys to provide forward secrecy

WPA3 uses SAE to provide authentication

34
Q

PSK

A

Pre-Shared Key

  • uses a passphrase to generate the key
  • referred to as group authentication
    • meaning the group of users share the same secret
  • WPA2-PSK mode of the WAP
  • attackers exploit the passphrase using dictionary or brute force attacks
35
Q

WPS

A

Wi-Fi Protected Setup

  • meant to simplify setting up a WAP
  • led to weaker security
  • brute force attacks
36
Q

Open Wi-Fi authentication

A

Open means client is not required to authenticate
- like in a cafe or other public WAP
Uses Captive Portals or splash screens
- authentication to the network via browser using HTTPS
Users must ensure they are using SSL/TLS or a VPN to secure confidential data when using an open authentication WAP

WPA3 can implement Open Wireless Encryption (OWE) which uses the Dragonfly handshake to use ephemeral session keys

37
Q

Enterprise Wi-Fi Authentication - EAPoW

A

Extensible Authentication Protocol over Wireless (EAPoW)
- defined by 802.1X, allowing an access point to forward authentication data without allowing any other type of network access

  • uses an AAA (RADIUS or TACACS+) server on the wired network to authenticate the supplicant
  • uses a master key (MK) to derive the same pairwise master key (PMK)
  • The PMKs are used by the supplicant and the WAP to derive session keys
38
Q

DDoS

A

Distributed Denial of Service

  • performed usually by a bot network
  • usually uses a SYN flood attack, withholding the ACK portion of the TCP three-way handshake, which causes the switch/router to get caught up trying to make connections rather than handling genuine traffic

Use a blackhole to thwart it by dropping packets into a blackhole on the network, an area that cannot reach any other part of the network

Use sinkhole routing, which routes the affected data to a different part of the network to be analyzed

39
Q

Load Balancing

A

distributes client requests across available server nodes in a farm or pool

allows for scaling

Works on Layer 4 (basic LD) or layer 7 (has content switching)

Schedule:

  • round robin
  • fewest connections
  • best response time
  • weighted

source IP or session affinity
- client session is stuck to the first node that accepted the request

session persistence
- layer 7 LD function to use cookies to maintain the session, better than session affinity

40
Q

Clustering

A

Provides redundancy in Load Balancing

  • allows multiple redundant processing nodes to share data with one another and accept connections
  • nodes can fail over to a working node should one node fail

Active/Passive
- One node is processing connections, while the other is passive

Active/Active
- Both nodes are processing connections concurrently