Network Design Flashcards
MAC Flooding
Attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port
Switches can fail-open when flooded and begin to act like a hub
MAC Spoofing
Occurs when an attacker masks their own MAC address to pretend they have the MAC address of another device
MAC Spoofing is often combined with an ARP spoofing attack
Limit static MAC addresses accepted
Limit duration of time for ARP entry on hosts
Conduct ARP inspection
DMZ
De-Militarized Zone:
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports
Focused on providing controlled access to publicly available servers that are hosted within your organizational network
Sub-zones can be created to provide additional protection for some servers
Everything behind the DMZ is invisible to the outside network
Extranet
Specialized type of DMZ that is created for your partner organizations to access over a wide area network
Intranets are used when only one company is involved
Bastion Hosts
Hosts or servers in the DMZ which are not configured with any services that run on the local network
To configure devices in the DMZ, a jumpbox is utilized
Jumpbox
A hardened server that provides access to other hosts within the DMZ
An administrator connects to the jumpbox and the jumpbox connects to hosts in the DMZ
The jumpbox and management workstation should only have the minimum required software to perform their job and be well hardened
NAC
Network Access Control:
Security technique in which devices are scanned to determine its current state prior to being allowed access onto a given network
If a device fails the inspection, it is placed into digital quarantine
NAC: Persistent Agents
A piece of software that is installed on the device requesting access to the network
NAC: Non-Persistent Agents
Uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan
VLAN Benefits
Segment the network
Reduce collisions
Organize the network
Boost performance
Increase security
VLANs: Switch Spoofing
Attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN
VLANs: Double Tagging
Attacker adds an additional VLAN tag to create an outer and inner tag
Prevent double tagging by moving all ports out of the default VLAN group
Benefits of Subnetting
Efficient use of IP addresses
Reduced broadcast traffic
Reduced collisions
Compartmentalized
Subnet’s policies and monitoring can aid in the security of your network
NAT/PAT
Network Address Translation:
Process of changing an IP address while it transits across a router
Using NAT can help us hide our network IPs
Port Address Translation:
Router keeps track of requests from internal hosts by assigning them random high number ports for each request
Telephony
Term used to describe devices that provide voice communication to users