Secure network designs Flashcards

1
Q

What is another function of a load balancer other than just…. balancing the load?

A

TCP/SSL offload.

You can offset some of the protocol/encryption overhead by having the load balancer deal

2
Q

In load balancing, what is round-robin?

A
Round robin is a method of load balancing in which the load is distributed completely evenly across all servers by sending each request to a different server in order.
Request 1-->server 1
Request 2-->server 2
Request 3-->server 3
Request 4-->server 1
Request 5-->server 2

There is also such a thing as a “Weighted round-robin” where certain servers are prioritized over others, example: half of the requests will go to server 1, the other half will be distributed between servers 2-5.

“Dynamic round-robin” also exists, which is monitoring the server load and always giving traffic to the server which currently has the lowest use.

3
Q

What is active/active load balancing?

A

All servers are active at the same time.

If one server fails, another will take over its load.

4
Q

In load balancing what is affinity/sticky session/session persistence?

A

This is a way of ensuring that each user is stuck to the same server in load balancing scenarios. Typically tracked through IP address or session IDs.
Many applications require communication to the same instance.

5
Q

What is active/passive load balancing?

A

This is when certain servers are active, and others are on standby.
If one of the active servers goes down or stops functioning, one of the standby servers will activate and start taking on the load in place of the downed server.

6
Q

What are the 3 types of network segmentation?

A

Physical, logical, and virtual.

7
Q

What is physical segmentation?

A

This is also called an air gap.
This is where devices are physically separate.
Like an air gap between Switch A and Switch B.
Two devices have no connection to each other physically.

8
Q

What is logical segmentation?

A

Logical segmentation is almost always associated with VLANs.
This is a way of logically splitting up a switch to support two different networks, where they cannot communicate with each other without a layer 3 device/router.
Basically splitting up a device and doing a segmentation on one device instead of creating an air gap.

9
Q

What is a screened subnet?

A
THINK DMZ (demilitarized zone); they don't call it that anymore.
This is an additional subnet hidden behind a firewall to separate a more sensitive network (probably your company's internal corporate network) from a public-facing service that users are connecting to from the outside internet.
All of the traffic coming from the external internet will be forwarded to the "screened subnet" rather than to your internal network.
10
Q

What is an extranet?

A

This is a separate network set up for vendors, suppliers, and other partners that need access to your internal resources.
Unlike a screened subnet, an extranet typically requires additional authentication.
You would typically get a login screen or something when trying to access an extranet from the internet, and if you authenticated, then you would be granted access to the extranet.
Similar to a screened subnet, they are split up by a firewall.

11
Q

What is an intranet?

A

Intranets are only accessible from inside the network.
This has no external access; you can only get in internally or through a VPN.
Typically houses work related documents needed for an organization.

12
Q

What is the difference between east-west traffic and north-south traffic?

A

This is almost exclusively referring to traffic flowing inside of a data center.
East-west traffic is going between devices in the same data center and is able to achieve relatively fast response times.
North-south traffic is either inbound or outbound from our data center and typically will have different security policies associated with it.

13
Q

What is a VPN?

Really explain

A

A VPN is a way to send data securely through an area that would normally be considered public without anyone in the middle being able to understand anything that is being said.
An encrypted tunnel.

14
Q

What is a concentrator in regards to VPNs?

A

When you connect to your corporate network using their VPN, you will be connecting to this device and it will middleman your conversations.
This is the device doing the heavy lifting with regards to VPNs.
This device handles all of the encrypting and sending out data, and decrypting anything that it happens to receive.
Often a standalone device or built into a firewall. There are also software-based options available (NordVPN, etc.).
These are almost always used though with some kind of client software for making it all happen, sometimes there can be something built into your OS for handling vpn connections.

15
Q

What is an SSL VPN?

A

A VPN that uses SSL/TLS and communicates on TCP port 443 (think HTTPS: HTTP secure, HTTPS, SSL/TLS, get it?).
You don't need any big VPN clients; it is able to authenticate users with no requirement for digital certificates, and can be run from a browser or from a (usually light) VPN client.

16
Q

What is an HTML5 VPN?

A

This is a VPN that takes advantage of the recent upgrade to HTML to version 5.
HTML5 supports APIs and it comes built in with a web cryptography API, which makes you able to create an encrypted VPN tunnel without the need for a separate VPN application, and can instead do it completely from your browser using HTML. Nothing to install.
You do need to make sure you have a browser that can support HTML5.

17
Q

What is the difference between a full tunnel and a split tunnel VPN?

A

A full tunnel VPN configuration makes each and every connection middleman through the VPN concentrator, even those not to the corporate network (or whatever the concentrator is attached to). For example, if you wanted to go to google.com while connected to the VPN, it would have to be sent all the way to the VPN concentrator, and then to google.com, and then back to you.

A split tunnel VPN allows you to make your own connections on the side, while still encrypting all traffic to the network of the VPN concentrator (likely your corporate network).

18
Q

What is a site-to-site VPN?

A

Think of a link where a corporate network connects to a remote site, with a VPN concentrator on both sides.
Effectively makes it so that a VPN connection can go both ways, with a concentrator on both sides.
VPN concentrators can be built into a firewall; this sort of setup will typically be using firewalls because both sites will probably already have one.

19
Q

What is L2TP?

A

Layer 2 tunneling protocol.
This is a way of connecting together two networks which need to use a layer 3 (IP) network (probably due to distance) as if they were connected at layer 2.

Typically implemented with IPsec:
L2TP for the tunnel, IPsec for the encryption
Sometimes called L2TP over IPsec(L2TP/IPsec)

20
Q

What is IPsec?

A

IPsec is security for OSI layer 3.
Allows you to have authentication and encryption over a layer 3 network.
Authentication and encryption for every packet.

Provides confidentiality and integrity (packet signing).

There are two major protocols you will use with IPsec:
AH (authentication header)
ESP (encapsulation security payload)

21
Q

When using IPsec what are the differences between transport mode and tunnel mode?

A

When using Transport mode everything is encrypted in an IPsec packet EXCEPT that you will use an unencrypted IP header so that it knows where to go. This part will be sent in the clear.

When using Tunnel mode every part of the packet is encrypted in the packet, including the IP header which will be sent to the IPsec concentrator on the other side of the tunnel.

22
Q

In IPsec what is an Authentication Header (AH)?

A

This is what you would use if your only concern with your packets in IPsec were the integrity of the data.
This contains the hash of the packet and a shared key that is shared between the two IPsec concentrators.
This doesn’t provide any encryption.
But it will provide integrity and authentication though, as well as prevent replay attacks (because sequence numbers are included as a part of this communication)

23
Q

In IPsec what is ESP (encapsulation security payload)?

A

This encrypts and authenticates the tunneled data found in IPsec packets.
All that is included is the encryption (using AES) and an integrity check value to ensure the data went through the network without any corruption.

Typically you would want to combine this with AH though in most implementations of IPsec so that you can also get integrity and authentication to make sure that the data gets through the network without anyone changing any of the data.

24
Q

What is BPDU guard?

A

When a device first connects to a spanning tree network, it takes some time to map out the network and make sure there won’t be any loops, even if what you are plugging in is not a switch.

You can go in and configure a switch to not take this step (portfast) for new devices plugged into it, but this leaves you unprotected if someone were to go up and plug in a switch, and if that happened a loop would happen.

BPDU guard is the solution for this. With BPDU guard, the switch is constantly watching traffic coming from these interfaces, and if an interface ever sends a BPDU frame, then it recognizes that there could be a switch on the other side of this communication and that portfast would no longer apply. Then it would disable that interface before there was an opportunity for a loop to occur.

25
Q

What is DHCP snooping?

A

DHCP snooping would be the practice of basically turning your switch into a DHCP firewall. You can configure a list of trusted and untrusted interfaces using software built into a switch. With DHCP snooping the switch would be constantly monitoring these interfaces and adds a list of untrusted devices to a table. If DHCP traffic is seen coming from one of these untrusted interfaces the switch can filter that out and not allow it to be sent to any other devices on the network.

Trusted devices would be things such as routers, switches, and DHCP servers.
Untrusted devices would be things such as other computers and untrusted DHCP servers.

26
Q

What is MAC filtering and why is it not the strongest security practice?

A

MAC filtering allows the administrator to either allow or disallow traffic based on the MAC address that is communicating through the network.
This makes it so that you could add all of the MAC addresses on your local network to an allow list, and if someone came in and plugged in a device, they would not be able to communicate over the network.

The reason it is not the strongest is that this is security through obscurity.
MAC addresses can be easily spoofed.

27
Q

What is out of band management?

A

This is a term used to describe managing a network device that you can’t currently connect to over the network.
Most devices have a separate management interface that you need to plug in to.

If you wanted to manage a device using this comm port you would usually connect it to a modem in order to dial in or connect around the network into the out of band management device.

In larger organizations you may have a centralized console router (also called a comm server) where you connect to the comm server and then the comm server will then gain you access to all of the other devices on that network that are connected through the out of band management interfaces.

28
Q

What is QoS (quality of service)?

A

This is a general term for implementing controls that prioritize some traffic over other traffic.
Such as prioritizing VoIP traffic over streaming YouTube, because you need phone calls to be in real time.

29
Q

What is the difference between a physical tap and a port mirror (also called port redirection/SPAN)?

A

A physical tap is going to be a device that you put in the middle of a network connection to send off data to another device and duplicate it.

A port mirror/port redirection/SPAN is a software based tap.

30
Q

What is FIM (file integrity monitoring)?

A

This is a piece of software that monitors files that should never change, like your operating system files, and is able to identify when changes occur.
Windows includes one of these called SFC (system file checker).
Linux has one that reacts in real time called Tripwire.

31
Q

What is the main distinction between a traditional firewall and a next generation firewall?

A

Next generation firewalls are able to distinguish between different applications' packets traveling over a network and control flows based on the application, and they exist at the OSI application layer so they can inspect all data in every packet.
They can also have IPS capabilities, by applying application specific vulnerability signatures to the traffic.

32
Q

Can a firewall act as a router?

A

Yes

33
Q

What is the difference between a stateless and a stateful firewall?

A

Stateless firewalls do not keep track of traffic flows.
Each packet is individually examined, regardless of past history.

Stateful firewalls remember the “state” of the session.
Everything with a valid flow is allowed.
When a session is started from one IP to another IP, it is added to a session table, which keeps track of active sessions between two hosts, and will allow traffic coming from either end to go through, without the need for extra rules applying to packets coming as a response.
If an active session does not exist though, the traffic coming from a host without an allow rule will be denied. It will only be passed through if the session is started from the host with an allow rule for that connection.

34
Q

What is a UTM or web security gateway?

A
Unified threat management.
This is a standalone device that is meant to be an all-in-one security appliance, with lots of capabilities such as:
URL filtering/Content inspection
IDS/IPS
Firewalls
Router/switch
Spam filters
Malware inspection
CSU/DSU
and can even act as a VPN endpoint.
35
Q

What is a WAF?

A

Web application firewall.
These are not like a normal firewall.
The rules are applied to HTTP/HTTPS web application conversations.
They will allow or deny based on expected input.
This is a great way to prevent SQL injection.

36
Q

In a firewall ACL which rules would you want to place at the top? General or very specific rules?

A

You would want to put the very specific rules at the top of the list so they can be matched first.
If you put a general rule like "allow all https traffic" at the top, it would override more specific rules because that one was matched first.

37
Q

Which type of firewall is usually going to provide wider functionality and faster speeds? Open-source or proprietary?

A

Proprietary.

Open-source firewalls are generally going to be simpler and more traditional.
Proprietary firewalls are going to possibly include application control and usually high speed software.

38
Q

What is the difference between edge control and access control?

A

Edge control is simply control at the “edge” of your network. Managed primarily through firewall rules. Firewall rules rarely change.

Access control is a way of controlling from wherever you are in the network, inside or outside.
Access can be based on many rules like user, group, location, application, etc. and access can be easily revoked or changed.

39
Q

When performing a posture assessment (think Bring Your Own Device) what is the difference between a persistent agent and a dissolvable agent? What about agentless NAC?

A

Think about NAC when thinking about these things. Network access control.

A persistent agent is a piece of software that is installed on a device to check its posture: whether it has malware, antivirus, etc.
A dissolvable agent requires no installation and runs only during the posture assessment. Terminates when no longer required.
Agentless NAC is also possible. No software is required and it is built in. Integrated with Active Directory, and checks are made during login and logoff. Cannot be scheduled.

40
Q

What would typically happen with a device if it failed a posture assessment during NAC?

A

They would be moved to a quarantine network and administrators would be notified.
They would be given just enough access to help fix the issue and get their posture right so that they can connect to the network.