Lesson 9: Implementing Secure Network Designs Flashcards

1
Q

What are typical weaknesses of network design?

A

1.) Single points of failure—a “pinch point” relying on a single hardware server or appliance or network channel.
2.) Complex dependencies—services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services.
3.) Availability over confidentiality and integrity—often it is tempting to take “shortcuts” to get a service up and running. Compromising security might represent a quick fix but creates long term risks.
4.) Lack of documentation and change control—network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. It is vital that network managers understand business workflows and the network services that underpin them.
5.) Overdependence on perimeter security—if the network architecture is “flat” (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement.

2
Q

What is a VLAN?

A

Logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

3
Q

What is layer 2 forwarding?

A

Layer 2 forwarding occurs between nodes on the same local network segment that are all in the same broadcast domain. At layer 2, a broadcast domain is either all the nodes connected to the same physical unmanaged switch, or all the nodes within a virtual LAN (VLAN) configured on one or more managed switches. At layer 2, each node is identified by the network interface’s hardware or Media Access Control (MAC) address. A MAC address is a 48-bit value written in hexadecimal notation, such as 00-15-5D-F4-83-48.

4
Q

What is layer 3 forwarding?

A

Layer 3 forwarding, or routing, occurs between both logically and physically defined networks. A single network divided into multiple logical broadcast domains is said to be subnetted. Multiple networks joined by routers form an internetwork. At layer 3, nodes are identified by an Internet Protocol (IP) address.

5
Q

What is address resolution protocol?

A

The Address Resolution Protocol (ARP) resolves an IP address to the hardware (MAC) address of the interface that owns it, so a host can build the layer 2 frame for a layer 3 destination on the local segment. Each host caches the answers in its ARP table; because ARP requests and replies carry no authentication, that cache is what ARP poisoning targets.

6
Q

What is a network segment?

A

A network segment is one where all the hosts attached to the segment can use local (layer 2) forwarding to communicate freely with one another.

7
Q

What is an extranet?

A

Extranet—this is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.

8
Q

What is an intranet?

A

Intranet (private network)—this is a network of trusted hosts owned and controlled by the organization. Within the intranet, there may be sub-zones for different host groups, such as servers, employee workstations, VoIP handsets, and management workstations.

9
Q

What is a DMZ?

A

A DMZ is also referred to as a perimeter or edge network. The basic principle of a DMZ is that traffic cannot pass directly through it. A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole. If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy. For example, if an intranet host requests a connection with a web server on the Internet, a proxy in the DMZ takes the request and checks it. If the request is valid, it retransmits it to the destination.

10
Q

What’s a screened subnet?

A

A screened subnet uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall or router. The internal firewall filters communications between hosts in the DMZ and hosts on the LAN. This firewall is often described as the choke firewall. A choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring.

11
Q

What’s a triple-homed firewall?

A

A DMZ can also be established using one router/firewall appliance with three network interfaces, referred to as triple-homed. One interface is the public one, another is the DMZ, and the third connects to the LAN. Routing and filtering rules determine what forwarding is allowed between these interfaces. This can achieve the same sort of configuration as a screened subnet.

12
Q

What’s a screened host?

A

A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.

13
Q

What are some of the implications of IPV6?

A

IPv6 has impacts for on-premises networks, for the way your company accesses cloud services, and for the way clients access web servers and other public servers that you publish.

If IPv6 is enabled but unmanaged, there is the potential for malicious use as a backdoor or covert channel. IPv6 also exposes novel attack vectors, such as spoofing and DoS attacks on neighbor discovery.

Hosts should be allocated IPv6 addresses that map to the same zones as the IPv4 topology. Firewalls should be configured with ACLs that either achieve the same security configuration as for IPv4 or block IPv6, if that is a better option. One issue here is that IPv6 is not intended to perform any type of address translation. Rather than obscure internal/external traffic flows with private to public address mapping, IPv6 routing and filtering policies should be configured to mirror the equivalent IPv4 architecture.
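The screened subnet and triple-homed designs above come down to one forwarding policy between three zones (public, DMZ, LAN), and the IPv6 advice is to apply exactly the same policy to both address families. The following is an added example, not code from the original flashcards, that models such a policy as a default-deny table evaluated per packet. The zone prefixes, interface names, allowed services and proxy port are assumed for the example.

```python
"""Zone-based forwarding policy for a triple-homed firewall (added example).

Assumed topology (constructed for this example):
  wan  anything not in a local zone (the public interface)
  dmz  192.0.2.0/24 and 2001:db8:2::/64
  lan  10.0.0.0/8   and 2001:db8:1::/64
Each rule is (src_zone, dst_zone, proto, dst_port). Anything not matched is
dropped (default deny). Because zones are defined per prefix, one rule table
covers IPv4 and IPv6, which is the "mirror the IPv4 architecture" requirement.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "dmz": [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8:2::/64")],
    "lan": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("2001:db8:1::/64")],
}

def zone_of(addr):
    """Map an address (v4 or v6) to its zone; unknown prefixes are the public side."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "wan"

# (src_zone, dst_zone, proto, dst_port); "*" means any port.
ALLOW = [
    ("wan", "dmz", "tcp", 443),   # public clients reach the web server in the DMZ
    ("lan", "dmz", "tcp", 443),   # internal users use the same front end
    ("lan", "dmz", "tcp", 3128),  # internal clients browse via the DMZ proxy ...
    ("dmz", "wan", "tcp", 443),   # ... and the proxy fetches on their behalf
    ("dmz", "lan", "tcp", 5432),  # web tier to database: the only DMZ->LAN flow
]
# Note there is no wan->lan rule at all: nothing crosses the DMZ directly.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def forward(pkt):
    """Decide whether the firewall forwards pkt; returns (allowed, reason)."""
    s, d = zone_of(pkt.src), zone_of(pkt.dst)
    if s == d:
        return False, f"{s}->{d}: intra-zone traffic is switched, not routed here"
    for sz, dz, proto, port in ALLOW:
        if (sz, dz, proto) == (s, d, pkt.proto) and port in ("*", pkt.dport):
            return True, f"{s}->{d}: matched allow {proto}/{port}"
    return False, f"{s}->{d}: no rule, default deny"

if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
              Packet("198.51.100.7", "10.1.2.3", "tcp", 443),
              Packet("2001:db8:1::5", "2001:db8:2::10", "tcp", 443),
              Packet("2001:db8:2::10", "2001:db8:1::5", "tcp", 22)):
        print(p.src, "->", p.dst, forward(p))
```

The check a practitioner wants here is the negative one: the public-to-LAN packet and the DMZ-to-LAN SSH attempt must fail, and the IPv6 packets must get the same verdicts as their IPv4 equivalents. Real firewalls also need a state rule for return traffic, which this model leaves out.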

14
Q

What is east-west traffic?

A

Traffic that goes to and from a data center is referred to as north-south. This traffic represents clients outside the data center making requests and receiving responses. In data centers that support cloud and other Internet services, most traffic is actually between servers within the data center. This is referred to as east-west traffic.

15
Q

What is zero trust?

A

Zero trust is based on the idea that perimeter security is unlikely to be completely robust. On a modern network, there are too many opportunities for traffic to escape monitoring by perimeter devices and DMZs. Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise by threat actors.

Another zero trust technique is microsegmentation. Microsegmentation is a security process that can apply policies to a single node, as though it were in a zone of its own. Like inspection of east-west traffic, this requires a new generation of virtualized security appliances to implement.

16
Q

What is a man-in-the middle/on-path attack?

A

Attackers can also take advantage of the lack of security in low-level data link protocols to perform man-in-the-middle (MitM) attacks. A MitM or on-path attack is where the threat actor gains a position between two hosts, and transparently captures, monitors, and relays all communication between the hosts. An on-path attack could also be used to covertly modify the traffic. For example, a MitM host could present a workstation with a spoofed website form, to try to capture the user credential. Another common on-path attack spoofs responses to DNS queries, redirecting users to spoofed websites. On-path attacks can be defeated using mutual authentication, where both hosts exchange secure credentials, but at layer 2 it is not always possible to put these controls in place.

17
Q

What is MAC cloning?

A

MAC cloning (also called MAC spoofing) changes the hardware address that a network interface presents so that it matches the MAC address of another device. Most operating systems and adapters allow the MAC to be set in software, so an attacker can copy the address of an authorized host to get past port security or MAC filtering on a switch or wireless network, to impersonate that host, or to disguise the identity of the attacking device.

18
Q

What is an ARP poisoning attack?

A

An ARP poisoning attack uses a packet crafter, such as Ettercap, to broadcast unsolicited ARP reply packets. Because ARP has no security mechanism, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address.

19
Q

What is packet crafting?

A

A method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.

20
Q

What is a MAC flooding attack?

A

Where ARP poisoning is directed at hosts, MAC flooding is used to attack a switch. The intention of the attacker is to exhaust the memory used to store the switch’s MAC address table. The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination. Overwhelming the table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports, working as a hub. This makes sniffing network traffic easier for the threat actor.

21
Q

What is a broadcast storm and how are they prevented?

A

Spanning Tree Protocol (STP) is principally designed to prevent bridging loops and the broadcast storms they cause. Switches forward broadcast, multicast, and unknown unicast traffic out of all ports. If a bridged network contains a loop, broadcast traffic will travel through the network, get amplified by the other switches, and arrive back at the original switch, which will re-broadcast each incoming broadcast frame, causing an exponential increase (the storm), which will rapidly overwhelm the switches and crash the network.

22
Q

What is a BPDU?

A

Bridge Protocol Data Unit (BPDU) Guard: A threat actor might try to attack STP using a rogue switch or software designed to imitate a switch. When a switch does not know the correct port to use for a particular destination MAC address (if the cache has just been flushed, for instance), it floods the unknown unicast frame out to all ports. Topology changes in STP can cause a switch to flush the cache more frequently and to start flooding unicast traffic more frequently, which can have a serious impact on network performance and assists sniffing attacks.

The configuration of switch ports should prevent the use of STP over ports designated for client devices (access ports). An access port is configured with the portfast command to prevent STP changes from delaying client devices trying to connect to the port. Additionally, the BPDU Guard setting should be applied. This causes a portfast-configured port that receives a BPDU to become disabled. Bridge Protocol Data Units (BPDUs) are used to communicate information about the topology and are not expected on access ports, so BPDU Guard protects against misconfiguration or a possible malicious attack.

23
Q

What is port security?

A

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

24
Q

What is MAC filtering?

A

Configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port. This can be done by creating a list of valid MAC addresses or by specifying a limit to the number of permitted addresses. For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port, but then drop any traffic from machines with different MAC addresses that try to connect. The violation action is configurable: silently drop the offending frames, drop them and log a violation, or shut the port down entirely.
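The MAC flooding card and the port security cards describe two sides of one mechanism: the switch's MAC address table is finite, and a per-port address limit keeps an attacker from exhausting it. The following simulation is an added example, not code from the original flashcards, of a learning switch with a fixed-capacity table and optional per-port MAC limits. The port numbers, table capacity, MAC addresses and flood size are all constructed for the simulation.

```python
"""Simulated learning switch with an exhaustible MAC address table (added example).

Shows (a) how a MAC flood pushes the switch into hub-like unknown-unicast
flooding and (b) how port security with a per-port MAC limit stops it.
All MACs, ports and frame sequences are constructed for this simulation.
"""
import random
from dataclasses import dataclass, field

@dataclass
class Frame:
    src: str
    dst: str
    in_port: int

@dataclass
class Switch:
    ports: int
    cam_capacity: int                                   # MAC->port entries that fit
    max_macs_per_port: dict = field(default_factory=dict)  # port -> port-security limit
    cam: dict = field(default_factory=dict)             # mac -> port
    secure_macs: dict = field(default_factory=dict)     # port -> learned allowed MACs
    violations: dict = field(default_factory=dict)      # port -> dropped frame count

    def _port_security_ok(self, frame):
        limit = self.max_macs_per_port.get(frame.in_port)
        if limit is None:
            return True                       # no port security on this port
        allowed = self.secure_macs.setdefault(frame.in_port, set())
        if frame.src in allowed:
            return True
        if len(allowed) < limit:              # record the first `limit` addresses
            allowed.add(frame.src)
            return True
        self.violations[frame.in_port] = self.violations.get(frame.in_port, 0) + 1
        return False                          # "restrict" action: drop and count

    def receive(self, frame):
        """Return the set of egress ports for the frame (empty set if dropped)."""
        if not self._port_security_ok(frame):
            return set()
        # Learn the source MAC; a full table cannot take new entries.
        if frame.src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[frame.src] = frame.in_port
        if frame.dst in self.cam:
            return {self.cam[frame.dst]}      # known unicast: exactly one port
        # Unknown unicast or broadcast: flood to every port but the ingress one.
        return {p for p in range(1, self.ports + 1) if p != frame.in_port}

def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

def mac_flood(switch, attacker_port, count, seed=1):
    """Attacker sends `count` frames, each with a fresh random source MAC."""
    rng = random.Random(seed)
    for _ in range(count):
        switch.receive(Frame(random_mac(rng), random_mac(rng), attacker_port))

def scenario(port_security):
    """Attacker on port 3 floods, then host A (port 1) sends unicast to host B (port 2).

    Returns (egress ports for A->B, table size, violations counted on port 3).
    """
    sw = Switch(ports=4, cam_capacity=1024,
                max_macs_per_port={3: 2} if port_security else {})
    mac_flood(sw, attacker_port=3, count=5000)
    sw.receive(Frame("00:15:5d:f4:83:48", "ff:ff:ff:ff:ff:ff", 2))   # B sends something
    a_to_b = Frame("00:15:5d:00:00:01", "00:15:5d:f4:83:48", 1)
    return sw.receive(a_to_b), len(sw.cam), sw.violations.get(3, 0)

if __name__ == "__main__":
    print("no port security :", scenario(False))   # A->B floods out ports 2, 3 and 4
    print("port security max 2:", scenario(True))  # A->B goes to port 2 only
```

Without port security the flood fills all 1024 entries before B is ever seen, so B cannot be learned and A's unicast to B is sprayed out of every port, including the attacker's. With a limit of two addresses on port 3 the switch keeps two attacker MACs, drops the other 4,998 frames, and the table has room for B. Real switches age entries out, so an attacker has to keep flooding to hold the table full; the model omits aging for brevity.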

25
Q

What is DHCP snooping?

A

A switch configuration option that inspects DHCP traffic. Ports are marked trusted (the uplink towards the legitimate DHCP server) or untrusted (client access ports), and DHCP server messages arriving on untrusted ports are dropped, which blocks rogue DHCP servers. The switch also records the MAC address, IP address, VLAN, and port of each lease it sees in a binding table. Dynamic ARP inspection and IP Source Guard then use that table to drop ARP replies and IP packets that do not match a known lease, defeating ARP and IP address spoofing on the access layer.
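The ARP poisoning card explains the attack and the DHCP snooping card the binding table that lets a switch detect it. The following is an added example, not code from the original flashcards, of dynamic-ARP-inspection-style checking: each ARP reply from an untrusted port is validated against the snooping bindings. The VLAN, addresses, port names and the attacker's replies are constructed for the example.

```python
"""Dynamic-ARP-inspection-style validation of ARP replies against a DHCP
snooping binding table (added example; all bindings and replies are constructed).

A switch running DHCP snooping records (vlan, ip, mac, port) for each lease
seen on an untrusted port. An ARP reply arriving on an untrusted port is then
compared with that table: a reply whose sender IP/MAC pair or ingress port
does not match a binding is the signature of ARP poisoning and is dropped.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str

@dataclass(frozen=True)
class ArpReply:
    vlan: int
    sender_ip: str
    sender_mac: str
    in_port: str

# Uplink to the router / DHCP server: replies here are not inspected.
TRUSTED_PORTS = {"Gi1/0/24"}

def build_binding_table(bindings):
    """Index bindings by (vlan, ip), which is how the switch looks them up."""
    return {(b.vlan, b.ip): b for b in bindings}

def inspect(reply, table):
    """Return ('forward' | 'drop', reason) for one ARP reply."""
    if reply.in_port in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    b = table.get((reply.vlan, reply.sender_ip))
    if b is None:
        return "drop", f"no DHCP binding for {reply.sender_ip} in VLAN {reply.vlan}"
    if b.mac != reply.sender_mac:
        return "drop", f"{reply.sender_ip} is bound to {b.mac}, reply claims {reply.sender_mac}"
    if b.port != reply.in_port:
        return "drop", f"{reply.sender_ip} was leased on {b.port}, reply arrived on {reply.in_port}"
    return "forward", "sender matches DHCP binding"

def run_demo():
    """Constructed scenario: victim on Gi1/0/5, attacker on Gi1/0/6, gateway 10.1.10.1."""
    table = build_binding_table([
        Binding(10, "10.1.10.50", "00:15:5d:f4:83:48", "Gi1/0/5"),   # victim's lease
        Binding(10, "10.1.10.51", "00:15:5d:f4:83:49", "Gi1/0/6"),   # attacker's lease
    ])
    replies = [
        # 1. victim answers a request for its own address: legitimate
        ArpReply(10, "10.1.10.50", "00:15:5d:f4:83:48", "Gi1/0/5"),
        # 2. attacker claims to be the gateway (poisoning the victim's cache)
        ArpReply(10, "10.1.10.1", "00:15:5d:f4:83:49", "Gi1/0/6"),
        # 3. attacker claims the victim's IP (poisoning the gateway's cache)
        ArpReply(10, "10.1.10.50", "00:15:5d:f4:83:49", "Gi1/0/6"),
        # 4. the real gateway answers over the trusted uplink
        ArpReply(10, "10.1.10.1", "00:11:22:33:44:01", "Gi1/0/24"),
    ]
    results = [inspect(r, table) for r in replies]
    for r, (verdict, why) in zip(replies, results):
        print(f"{r.in_port:9} {r.sender_ip:12} {r.sender_mac}  {verdict:7} {why}")
    return [verdict for verdict, _ in results]

if __name__ == "__main__":
    run_demo()
```

Both directions of a classic man-in-the-middle poisoning (replies 2 and 3) are dropped, and the only way to speak for the gateway address is over the trusted uplink. Hosts with static addresses have no DHCP lease, so a real deployment adds static bindings or an ARP ACL for them; otherwise their replies are dropped too.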

26
Q

What is network access control?

A

Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level. Endpoint security contrasts with the focus on perimeter security established by topologies such as DMZ and technologies such as firewalls. Endpoint security does not replace these but adds defense in depth.

The IEEE 802.1X standard defines a port-based network access control (PNAC) mechanism. PNAC means that the switch uses an AAA server to authenticate the attached device before activating the port. Network access control (NAC) products can extend the scope of authentication to allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access. This is called a health policy.

Typical policies check things such as malware infection, firmware and OS patch level, personal firewall status, and the presence of up-to-date virus definitions. A solution may also be to scan the registry or perform file signature verification. The health policy is defined on a NAC management server along with reporting and configuration tools.

Posture assessment is the process by which host health checks are performed against a client device to verify compliance with the health policy. Most NAC solutions use client software called an agent to gather information about the device, such as its antivirus and patch status, presence of prohibited applications, or anything else defined by the health policy.

27
Q

What is an agent and agentless form of network access control?

A

A persistent agent is installed as a software application on the client and runs continuously, reporting the device's posture to the NAC server.

A nonpersistent (or dissolvable) agent is loaded into memory during posture assessment but is not installed on the device.

Agentless NAC assesses the device without installing any client software, for example by querying it remotely over the network or through a login script, and is used where an agent cannot be deployed, such as on guest or unmanaged devices.

28
Q

What is route security?

A

A successful attack against route security enables the attacker to redirect traffic from its intended destination. On the Internet, this may allow the threat actor to herd users to spoofed websites. On an enterprise network, it may facilitate circumventing firewalls and security zones to allow lateral movement and data exfiltration.

Routing is subject to numerous vulnerabilities, including:

1.) Spoofed routing information (route injection)—Routing protocols that have no or weak authentication are vulnerable to route table poisoning. This can mean that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (nonexistent address), or continuously looped around the network, causing DoS. Most dynamic routing protocols support message authentication via a shared secret configured on each device. This can be difficult to administer, however. It is usually also possible to configure how a router identifies the peers from which it will accept route updates. This makes it harder to simply add a rogue router to the system. An attacker would have to compromise an existing router and change its configuration.
2.) Source routing—This uses an option in the IP header to pre-determine the route a packet will take through the network (strict) or “waypoints” that it must pass through (loose). This can be used maliciously to spoof IP addresses and bypass router/firewall filters. Routers can be configured to block source routed packets.
3.) Software exploits in the underlying operating system—Hardware routers (and switches) have an embedded operating system. For example, Cisco devices typically use the Internetwork Operating System (IOS). Something like IOS suffers from fewer exploitable vulnerabilities than full network operating systems. It has a reduced attack surface compared to a computer OS, such as Windows.
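Point 1 above names two controls against route injection: message authentication with a shared secret and accepting updates only from configured peers. The following is an added example, not code from the original flashcards, that models both with an HMAC over each update (the same idea as the MD5 or keychain authentication offered by OSPF, RIPv2, EIGRP and BGP, here with HMAC-SHA256) plus a peer allow-list. Router identifiers, addresses, prefixes, the key and the sequence-number replay check are assumptions for the example; the page itself does not mention sequence numbers.

```python
"""Authenticated route updates: shared-secret HMAC plus a peer allow-list
(added example; routers, prefixes and the key are constructed).

A rogue router without the key, a spoofed source, a tampered update and a
replayed update are all rejected; only the legitimate neighbour's update
changes the routing table.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"example-routing-key"        # constructed; a real router keeps this in a keychain
ALLOWED_PEERS = {"10.0.0.2", "10.0.0.3"}   # configured neighbours (explicit peer identification)

def sign_update(router_id, seq, routes, key=SHARED_KEY):
    """Serialize an update deterministically and tag it with HMAC-SHA256."""
    body = json.dumps({"router": router_id, "seq": seq, "routes": routes},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class RoutingTable:
    def __init__(self):
        self.routes = {}      # prefix -> next hop
        self.last_seq = {}    # peer -> highest sequence accepted (replay protection)

    def process(self, src_ip, update, key=SHARED_KEY):
        """Validate an update from src_ip and merge its routes if it passes."""
        if src_ip not in ALLOWED_PEERS:
            return "rejected: unknown peer"
        expected = hmac.new(key, update["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["tag"]):    # constant-time compare
            return "rejected: bad authentication"
        msg = json.loads(update["body"])
        if msg["seq"] <= self.last_seq.get(src_ip, -1):
            return "rejected: replayed or stale sequence"
        self.last_seq[src_ip] = msg["seq"]
        for prefix, next_hop in msg["routes"].items():
            self.routes[prefix] = next_hop
        return f"accepted {len(msg['routes'])} routes"

def demo():
    """Constructed exchange; returns (list of verdicts, resulting routes)."""
    rt = RoutingTable()
    results = []
    good = sign_update("R2", 1, {"192.168.5.0/24": "10.0.0.2"})
    results.append(rt.process("10.0.0.2", good))
    # Rogue router plugged into the segment, no key: tries to inject a more
    # specific prefix so traffic is steered to a sniffing host at 10.0.0.9.
    rogue = sign_update("R9", 1, {"192.168.5.0/25": "10.0.0.9"}, key=b"guess")
    results.append(rt.process("10.0.0.9", rogue))      # not a configured peer
    results.append(rt.process("10.0.0.2", rogue))      # spoofed source, wrong key
    # On-path attacker alters the next hop of a genuine update in transit.
    tampered = dict(good)
    tampered["body"] = good["body"].replace(b"10.0.0.2", b"10.0.0.9")
    results.append(rt.process("10.0.0.2", tampered))   # tag no longer matches body
    results.append(rt.process("10.0.0.2", good))       # replay of an old update
    return results, dict(rt.routes)

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print(demo()[1])
```

The shared secret defeats the rogue router and the in-transit edit, the allow-list defeats the unknown source, and the sequence check defeats replay of a stale but validly signed update. None of this helps if an attacker compromises a legitimate router and changes its configuration, which is exactly the residual risk the card describes.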

29
Q

Describe the differences between a heat map and site survey.

A

Site survey: A collection of information about a location for the purposes of building an ideal infrastructure; it often contains optimum locations for wireless antenna and access point placement to provide the required coverage for clients and identifying sources of interference.

Heat map: In a Wi-Fi site survey, a diagram showing signal strength at different locations.

30
Q

What is a wireless controller?

A

A device that provides wireless LAN management for multiple APs.

31
Q

What is the difference between a fat WAP and thin WAP?

A

An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a fat WAP, while one that requires a wireless controller in order to function is known as a thin WAP.

32
Q

What two wireless protocols are the most unsecure?

A

WEP and WPA.

33
Q

What is counter mode/CBC-MAC protocol (CCMP)?

A

CCMP was developed to address the vulnerabilities of the existing WEP protocol. CCMP uses the AES cipher to encrypt sensitive data. It employs 128-bit keys and a 48-bit initialization vector (IV), also known as a CCM nonce block, to detect replays and minimize vulnerability to replay attacks.

34
Q

What is WPA2?

A

WPA2 (Wi-Fi Protected Access 2) is the second generation of the Wi-Fi Protected Access wireless security protocol. Like its predecessor, WPA2 was designed to secure and protect Wi-Fi networks.

35
Q

What is WPA3?

A

The main features of WPA3 are as follows:

– Simultaneous Authentication of Equals (SAE)—replaces WPA2's pre-shared key (PSK) authentication with a password-authenticated key exchange (Dragonfly) based on Diffie-Hellman key agreement. The 4-way handshake still runs afterwards, but the pairwise master key it uses comes from SAE, so a captured handshake can no longer be used for an offline dictionary attack on the passphrase.
–Enhanced Open—Opportunistic Wireless Encryption (OWE) provides encryption for the open authentication method, so clients on a network with no passphrase still get a unique session key; it does not authenticate the access point.
–Updated cryptographic protocols—adds the AES Galois/Counter Mode Protocol (GCMP) alongside CCMP. WPA3-Enterprise offers an optional 192-bit security mode (GCMP-256 with matching key and hash sizes) for high-security deployments, while WPA3-Personal uses 128-bit AES.
–Protected Management Frames (PMF)—mandatory in WPA3, protecting against spoofed deauthentication and disassociation frames, which attackers use to knock clients offline or to force a handshake capture.

36
Q

What is simultaneous authentication of equals?

A

Simultaneous Authentication of Equals (SAE)—replaces WPA2's pre-shared key (PSK) authentication with a password-authenticated key exchange (Dragonfly) based on Diffie-Hellman key agreement. The 4-way handshake still runs afterwards, but the pairwise master key it uses comes from SAE rather than directly from the passphrase, so a captured handshake can no longer be used for an offline dictionary attack.