Lesson 9 - Implement Secure Network Designs Flashcards
Typical weaknesses in secure network design include:
Single points of failure
Complex dependencies
Availability over confidentiality and integrity
Lack of documentation and change control
Overdependence on perimeter security
In Ethernet, a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address.
Switches
Switches work at layer 2 of the OSI model and make forwarding decisions based on the hardware or Media Access Control (MAC) address of attached nodes.
provide a bridge between a cabled network and wireless clients, or stations.
Wireless access points
Access points work at layer 2 of the OSI model.
A network device that links dissimilar networks and can support multiple alternate paths between locations based on parameters such as speed, traffic loads, and price.
Routers
forward packets around an internetwork, making forwarding decisions based on IP addresses.
Routers work at layer 3 of the OSI model.
Routers can apply logical IP subnet addresses to segments within a network.
Apply an access control list (ACL) to filter traffic passing in or out of a network segment.
Firewalls
Firewalls can work at layer 3 of the OSI model or higher.
Distribute traffic between network segments or servers to optimize performance.
Load balancers
Load balancers can work at layer 4 of the OSI model or higher.
Host name records and perform name resolution to allow applications and users to address hosts and services using fully qualified domain names (FQDNs) rather than IP addresses.
Domain Name System (DNS) servers
DNS works at layer 7 of the OSI model. Name resolution is a critical service in network design.
Abuse of name resolution is a common attack vector.
Occurs between nodes on the same local network segment that are all in the same broadcast domain. A broadcast domain is either all the nodes connected to the same physical unmanaged switch, or all the nodes within a virtual LAN (VLAN) configured on one or more managed switches.
Layer 2 forwarding
At layer 2, each node is identified by the network interface’s hardware or Media Access Control (MAC) address. A MAC address is a 48-bit value written in hexadecimal notation, such as 00-15-5D-F4-83-48.
Occurs between both logically and physically defined networks. A single network divided into multiple logical broadcast domains is said to be subnetted.
Layer 3 forwarding, or routing
Multiple networks joined by routers form an internetwork. At layer 3, nodes are identified by an Internet Protocol (IP) address.
Maps a network interface’s hardware (MAC) address to an IP address.
Address Resolution Protocol (ARP)
Normally a device that needs to send a packet to an IP address but does not know the receiving device’s MAC address broadcasts an ARP Request packet, and the device with the matching IP responds with an ARP Reply.
IP provides the addressing mechanism for logical networks and subnets.
Internet Protocol (IP)
A 32-bit IPv4 address is written in dotted decimal notation, with either a network prefix or subnet mask to divide the address into network ID and host ID portions. For example, in the IP address 172.16.1.101/16, the /16 prefix indicates that the first half of the address (172.16.0.0) is the network ID, while the remainder uniquely identifies a host on that network. This /16 prefix can also be written as a subnet mask in the form 255.255.0.0.
Logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
virtual LANs (VLANs).
Allows a router to perform dynamic updates to its routing table based on route data exchanged with other routers.
routing protocols
A path vector routing protocol used by ISPs to establish routing between one another.
Border Gateway Protocol (BGP)
A link-state routing protocol used on IP networks.
Open Shortest Path First (OSPF)
IGRP is a distance vector-based routing protocol using a metric composed of several administrator-weighted elements including reliability, bandwidth, delay, and load. E(nhanced)IGRP, the version now in use, supports classless addressing and more efficient route selection.
Enhanced Interior Gateway Routing Protocol (EIGRP)
A distance vector-based routing protocol that uses a hop count to determine the distance to the destination network.
Routing Information Protocol (RIP)
A portion of a network where all attached hosts can communicate freely with one another.
segment
Assuming an Ethernet network, network segments can be established physically by connecting all the hosts in one segment to one switch and all the hosts in another segment to another switch. The two switches can be connected by a router and the router can enforce network policies or access control lists (ACL) to restrict communications between the two segments.
A situation where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments.
Segregation
Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs). Any given switch port can be assigned to any VLAN in the same topology, regardless of the physical location of the switch. The segmentation enforced by VLANs at layer 2 can be mapped to logical divisions enforced by IP subnets at layer 3.
In networking infrastructure, an area of a network where the security configuration is the same for all hosts within it. In physical security, an area separated by barriers that control entry and exit points.
Zone
A private network that is only accessible by the organization’s own personnel.
Intranet (private network)
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.
demilitarized zones (DMZs)
This is a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.
Internet/guest
A private network that provides some access to outside parties, particularly vendors, partners, and select customers.
extranet
A server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.
bastion hosts
Run minimal services to reduce the attack surface as much as possible.
A bastion host would not be configured with any data that could be a security risk to the internal network, such as user account credentials.
Uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall or router. The internal firewall filters communications between hosts in the DMZ and hosts on the LAN. This firewall is often described as the choke firewall. A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.
Screened Subnet
A DMZ can also be established using one router/firewall appliance with three network interfaces, referred to as triple-homed. One interface is the public one, another is the DMZ, and the third connects to the LAN. Routing and filtering rules determine what forwarding is allowed between these interfaces. This can achieve the same sort of configuration as a screened subnet.
Triple-Homed Firewall
A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.
screened host
Traffic that goes to and from a data center.
North-South Traffic
Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).
East-West Traffic
Traffic within a data center.
Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.
Zero Trust
Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise by threat actors.
Software that can scan a network and identify hosts, addresses, protocols, network interconnections, and so on.
network mapping
Some transmission media are susceptible to eavesdropping (listening in to communications sent over the media). To secure transmissions, they must be encrypted.
eavesdropping
A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently. Also referred to as an on-path attack.
Man-in-the-Middle (MitM) Attacks
On-Path Attack
An attack in which an attacker falsifies the factory-assigned MAC address of a device’s network interface.
MAC Cloning
MAC Address Spoofing
A method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.
Packet Crafting
The broadcast mechanism by which individual hardware MAC addresses are matched to an IP address on a local network segment.
Address Resolution Protocol (ARP)
A host uses the Address Resolution Protocol (ARP) to discover the host on the local segment that owns an IP address.
A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.
ARP Poisoning
It is directed at a host.
A variation of an ARP poisoning attack where a switch’s cache table is inundated with frames from random source MAC addresses.
MAC Flooding
MAC Flooding is used to attack a switch.
The intention of the attacker is to exhaust the memory used to store the switch’s MAC address table. The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination. Overwhelming the table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports, working as a hub. This makes sniffing network traffic easier for the threat actor.
The table on a switch keeping track of MAC addresses associated with each port. As the switch uses a type of memory called Content Addressable Memory (CAM), this is sometimes called the CAM table.
MAC Address Table
A switching protocol that prevents network loops by dynamically disabling links as needed.
Spanning Tree Protocol (STP)
Layer 2 loops are prevented by the Spanning Tree Protocol (STP).
Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.