Securing the Network Flashcards

1
Q

DMZ

A
• Demilitarized zone
—An additional layer of security between the Internet and you
—Public access to public resources
2
Q

Extranet

A
• A private network for partners
—Vendors, suppliers
• Usually requires additional authentication
—Only allow access to authorized users
3
Q

Intranet

A
• Private network
—Only available internally
• Company announcements, important documents, other company business
—Employees only
• No external access
—Internal or VPN access only
4
Q

Wireless networking

A

• The convenience of wireless
—The security concerns of wireless
• Internal use
—Perhaps configure a separate wireless network for guests
• Users authenticate to the wireless network
—Use their normal network login credentials
—802.1X standard
—Integrates into the existing name services
—No shared wireless passphrase

5
Q

Guest network

A
• An optional network
—But convenient to provide
—Meetings, demonstrations, etc.
• No access to the internal network
—Internet access only
• Integrate with a captive portal
—Avoid unauthorized use of the network
—Useful in congested areas
—Keeps employees off the guest network
6
Q

Ad hoc

A

• Wireless without an access point
—Point to point communication
• Common on mobile devices
—AirDrop, contact sharing apps
• Difficult to control on unmanaged devices
—Configure ad hoc settings through the MDM
• Implement network access control
—Use ad hoc, but only with the right credentials
—Limit application use for ad hoc

7
Q

Honeypots and honeynets

A
• Attract the bad guys
—And trap them there
• The bad guys are probably a machine
—Makes for interesting recon
• Honeypots
—Single-use/single-system traps
• Honeynets
—More than one honeypot on a network
—More than one source of information
8
Q

NAT - Network Address Translation

A

• It is estimated that there are over 20 billion devices connected to the Internet (and growing)
—IPv4 supports around 4.29 billion addresses
• The address space for IPv4 is exhausted
—There are no available addresses to assign
• How does it all work?
—Network Address Translation
• This isn't the only use of NAT
—NAT is handy in many situations

9
Q

NAT and security

A

• NAT is not a security mechanism!
—There's no protection there
• Security through obscurity
—The premise: if you can't see it, you can't attack it
—This isn't security at all
• Bad guys can circumvent an unprotected NAT
—Sophisticated attacks already assume NAT is in place
—They will gain access to your internal devices, even with NAT in place
• A stateful firewall is the security mechanism
—Used in conjunction with NAT to provide security

10
Q

Segmenting the network

A

• Physical, logical, or virtual segmentation
—Devices, VLANs, virtual networks
• Performance
—High-bandwidth applications
• Security
—Users should not talk directly to database servers
—The only applications in the core are SQL and SSH
• Compliance
—Mandated segmentation (PCI compliance)
—Makes change control much easier

11
Q

Physical segmentation

A

• Devices are physically separate
—Switch A and Switch B
• Must be connected to provide communication
—Direct connect, or another switch or router
• Web servers in one rack
—Database servers on another
• Customer A on one switch, customer B on another
—No opportunity for mixing data

12
Q

Physical segmentation

A

• Separate devices
—Multiple units, separate infrastructure

13
Q

Logical segmentation with VLANs

A

• Virtual Local Area Networks (VLANs)
—Separated logically instead of physically
—Cannot communicate between VLANs without a Layer 3 device / router

14
Q

Virtualization

A
• Get rid of physical devices
—All devices become virtualized
• Servers, switches, routers, firewalls, load balancers
—All virtual devices
• Instant and complete control
—Build a new network
—Route between IP subnets
—Drop a firewall between
—Drag and drop devices between networks
15
Q

Air gaps

A

• One step farther than physical segmentation
—Physical segmentation usually has some connectivity
• Remove any connectivity between components
—No possible way for one device to communicate to another
—No shared components
• Network separation
—Secure networks
—Industrial systems (SCADA, manufacturing)
• Some technologies can jump the gap
—Removable media

16
Q

Site-to-Site VPNs

A

• Encrypt traffic between sites
—Through the public Internet
• Use existing Internet connection
—No additional circuits or costs

17
Q

Host-to-Site VPNs

A

• Also called "remote access VPN"
• Requires software on the user device
—May be built into the existing operating system

18
Q

Host-to-Host VPNs

A

• User to user encryption
• Software-based
—No hardware needed

19
Q

Sensors and collectors

A

• Gather information from network devices
—Built-in sensors, separate devices
—Integrated into switches, routers, servers, firewalls, etc.
• Sensors
—Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
• Collectors
—Proprietary consoles (IPS, firewall), SIEM consoles, syslog servers
—Many SIEMs include a correlation engine to compare diverse sensor data

20
Q

Filters and firewalls

A
• Packet filters
—Simple data blocks - ignores state
—Linux iptables - filter packets in the kernel
—Usually placed on a device or server
• Firewalls
—State-based
—Advanced filtering by IP address, port, application, content
—Usually located on the ingress/egress of a network
—Some organizations place them between internal networks
21
Q

Proxy servers

A
• An intermediate server
—Client makes the request to the proxy
—The proxy performs the actual request
—The proxy provides results back to the client
• Useful features
—Access control, caching, URL filtering, content scanning
22
Q

Forward proxy

A

• Protect users from the Internet

23
Q

VPN concentrators

A

• VPN appliances are usually located on the edge of the network
—Internet-facing
• Sites connect from one site to another across the Internet

24
Q

SSL accelerators

A
• The SSL handshake requires some cryptographic overhead
—Requires a lot of CPU cycles
• Offload the SSL process to a hardware accelerator
—Often integrated into a load balancer
25
Q

Load balancers

A
• Manage the load across multiple devices
—The user has no idea
—Placed between the users and the service
• Servers can be added and removed
—Real-time response to load
• Load balancer performs constant health checks
—If a server disappears, it is removed from the rotation
26
Q

DDoS mitigation

A

• Resist a distributed denial of service attack
—Minimize the impact
• Cloud-based
—Internet provider or reverse proxy service
• On-site tools
—DDoS filtering in a firewall or IPS
• Positioned between you and the Internet
—Literally you against the world

27
Q

Aggregation switches

A

Aggregation switches

28
Q

Taps and port mirrors

A

• Intercept network traffic
—Send a copy to a packet capture device
• Physical taps
—Disconnect the link, put a tap in the middle
—Can be an active or passive tap
• Port mirror
—Port redirection, SPAN (Switched Port ANalyzer)
—Software-based tap
—Limited functionality, but can work well in a pinch

29
Q

SDN (Software Defined Networking)

A
• Networking devices have two functional planes of operation
—Control plane, data plane
• Directly programmable
—Configuration is different than forwarding
• Agile
—Changes can be made dynamically
• Centrally managed
—Global view, single pane of glass
• Programmatically configured
—Orchestration
—No human intervention
• Open standards / vendor neutral
—A standard interface to the network
30
Q

SDN Security

A

Load balancer placed between firewall/IPS and web servers