Lesson 8: Implementing a Secure Network Architecture

Question 1

network architecture weaknesses

Answer 1

• single points of failure—a “pinch point” relying on a single hardware server or appliance or network channel
• complex dependencies—services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services
• lack of documentation and change control—network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted
• overdependence on perimeter security—if the network architecture is “flat” (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement

Question 2

Cisco’s SAFE architecture

Answer 2

• good starting point for understanding the complex topic of network architecture design

Question 3

SAFE’s Places In the Network (PIN)

Answer 3

represents types of network locations, including campus networks, branch offices, data centers, and the cloud

Question 4

email workflow

Answer 4

• access–the client device must access the network, obtaining a physical channel and logical address (must be authenticated and authorized)
• email mailbox server–ensure that mailbox is only accessed by authorized clients and that it is fully available and fault tolerant
• mail transfer server–must connect with untrusted Internet hosts, so communications between untrusted network and trusted LAN must be carefully controlled

Question 5

segment

Answer 5

• one where all the hosts attached to the segment can communicate freely with one another

Question 6

segregation

Answer 6

hosts in one segment are restricted in the way they communicate with hosts in other segments

Question 7

Ethernet network

Answer 7

network segments can be established physically by connecting all hosts in one segment to one switch and all the hosts in one segment to one switch and all the hosts in another segment to another switch

• the two switches can be connected by a router and router can enforce network policies or Access Control Lists (ACL) to restrict communications between two segments
• because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs)

Question 8

isolated segment

Answer 8

one that has no connectivity with other segments

Question 9

air gapped

Answer 9

host or network segment that has no sort of physical connectivity with other hosts or networks is referred to as air gapped

Question 10

virtualization

Answer 10

• segregation and isolation of hosts or applications can also be accomplished using virtualization
• when a host is running as a guest OS on a hypervisor, connectivity with or isolation from other networks can be completely controlled via the hypervisor

Question 11

topology

Answer 11

• description of how a computer network is physically or logically organized
• essential to map the network topology when designing a computer network an to update the map when any changes or additions are made to it

Question 12

zone

Answer 12

• main building of a security topology
• area of network where the security configuration is the same for all hosts within it
• should be segregated from one another by physical and/or logical segmentation, using VLANs, subnets, and possibly virtualization

Question 13

firewall

Answer 13

• software or hardware that filters traffic passing into and out of a network segment
• bases its decisions on a set of rules called an access control list (ACL)

Question 14

private network (intranet)

Answer 14

network of trusted hosts owned and controlled by organization

Question 15

extranet

Answer 15

network of semi-trusted hosts, typically representing business partners, suppliers, or customers (hosts must authenticate to join extranet)

Question 16

internet/guest

Answer 16

zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet

Question 17

Internet-facing

Answer 17

an Internet-facing host accepts inbound connections from and makes connections to hosts on the Internet

Question 18

Demilitarized Zones (DMZs)

Answer 18

• Internet-facing host are placed in one or more Demilitarized Zones (DMZs)
• DMZ referred to as a perimeter network
• traffic cannot pass through it
• enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole
• if communication is required between hosts on either side of a DMZ, a host within DMZ acts a proxy
• to configure a DMZ, two different security configurations must be enabled: one on the external interface
• DMZ and intranet are on different subnets, so communications between them need to be routed
• DMZ can also be established using a single router/firewall appliance

Question 19

bastion hosts

Answer 19

• hosts in a DMZ are not fully trusted by the internal network, because of the possibility that they could be compromised from the Internet
• bastion host would not be configured with any services that run on the local network, such as user authentication

Question 20

differences between services designed to be accessible to a public Internet versus those for an extranet

Answer 20

• dedicated DMZ for employee web browsing and proxy services
• DMZ for email, VoIP, and conferencing servers
• isolate remote access/Virtual Private Network (VPN) traffic
• isolate traffic for authorized cloud applications
• multi-tier DMZ to isolate front-end, middleware, and backend servers
• multi-tier DMZ to isolate front-end, middleware, and backend servers

Question 21

subnet

Answer 21

• subdivision of larger network, isolated from the rest of the network by means of routers (or layer 3 switches)
• useful for security, as traffic passing between each subnet can be subjected to filtering and access control at the router
• important use of subnets is to implement a DMZ

Question 22

three-legged firewall (or triple-homed)

Answer 22

• one with three network ports, each directing traffic to a separate subnet

Question 23

screened host

Answer 23

• Internet access can still be implemented using a dual-homed proxy/gateway server acting as a screened host

Question 24

zone types

Answer 24

• guest–zone that allows untrusted or semi-trusted hosts on local network
• wireless–traffic from WiFi networks might be less trusted than from the cabled network
• honeynet–network containing honeypot hots, designed to attract and study malicious activity

Question 25

Cisco's campus network hierarchy

Answer 25

- access--allowing end-user devices, such as computers, printers, and smartphones to connect to the network - distribution--provides fault-tolerant interconnections between different access blocks and either the core or other distribution blocks - core--provides a highly available network backbone, such as clients and server computers should not be attached directly to the core

Question 26

layer 2 Ethernet switches

Answer 26

basic Ethernet switch might also be referred to as a LAN switch, data switch, or workgroup switch - there are unmanaged and managed types

Question 27

stackable

Answer 27

on a corporate network, switches are most likely to be managed and stackable, meaning they can be connected together and operate as a group

Question 28

modular

Answer 28

on a larger enterprise network, the switches are likely to be modular (as opposed to fixed), meaning they can be configured with different numbers and types of ports to support network links other than basic copper wire Ethernet

Question 29

switching and routing

Answer 29

- this function can be implemented by several devices: - router--provides connectivity between subnetworks based on their IP address - Layer 3 switch--router appliances are capable of many different types of routing, especially over wide area networks (WAN), and tend not to have many interface ports - aggregation switch--functionally similar to layer 3 switches, but the term is often used for high-performing switches deployed to aggregate links in a larger enterprise or services provider's routing infrastructure

Question 30

hubs

Answer 30

- early Ethernet networks used hubs as a means of connecting network segments - multiport repeater

Question 31

collision domain

Answer 31

all ports are said to be in the same collision domain

Question 32

bridge

Answer 32

- could be used to divide a network overloaded with hosts and suffering from excessive collisions into separate segments at the physical layer - bridge appliances have all been replaced by switches, but the function of a bridge continues to have an impact on network security because a user may accidentally (or maliciously) create a bridge from one network to another

Question 33

ad hoc network

Answer 33

created when wireless stations are configured to connect to one another in a peer-to-peer topology - computer could allow wireless clients to connect to it in either an ad hoc network or by being configured as a soft access point

Question 34

Spanning Tree Protocol (STP)

Answer 34

- Layer 2 loops are prevented by the STP, defined in the IEEE 802.1D MAC Bridges standard - Spanning tree is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming

Question 35

MAC spoofing

Answer 35

- changes the Media Access Control (MAC) address configured on an adapter interface or asserts the use of an arbitrary MAC address

Question 36

ARP poisoning

Answer 36

- attack works by broadcasting unsolicited ARP reply packets | - antiquated protocol with no security

Question 37

MAC flooding

Answer 37

- variation of an ARP poisoning attack - can be directed against a switch - if a swtich's cache table is overloaded by flooding it with frames containing different (usually random) source MAC addresses, it will typically start to operate as a hub (failopen mode)

Question 38

rogue devices

Answer 38

- can potential create loops by incorrect placement of patch cables, access to the physical switch ports and switch hardware should be restricted to authorized staff, using a secure server room and/or lockable hardware cabinets

Question 39

port security

Answer 39

protection from an attacker who could unplug a device from an enabled port and connect their own laptop

Question 40

MAC filtering

Answer 40

configuring MAC filtering on a switch means defining which MAC addresses are allowed to connect to a particular port

Question 41

ARP inspection

Answer 41

additional a security feature, such as ARP inspection, prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies by maintaining a trusted database of IP:ARP mappings and ensuring that ARP packets are validly constructed and use valid IP addresses

Question 42

DHCP snooping

Answer 42

- inspects DHCP traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address - can also be used to prevent rogue (or spurious) DHCP servers from operating on the network

Question 43

endpoint security

Answer 43

set of security procedures and technologies designed to restrict network access at a device level

Question 44

port-based network access control (PNAC)

Answer 44

- PNAC means that the switch (or router) performs some sort of authentication of the attached device before activating the port - under the 802.1X, the device requesting access is the supplicant | switch, referred to as the authenticator, enables the Extensible Authentication Protocol over LAN (EAPoL) protocol only and waits for the device to supply authentication data

Question 45

authenticating server

Answer 45

typically RADIUS server, which checks the credentials and grants or denies access

Question 46

health policy

Answer 46

- as well as authentication, most network access control (NAC) products allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access

Question 47

admission control

Answer 47

point at which client devices are granted or denied access based on their compliance with the health policy

Question 48

preadmission control

Answer 48

device must meet policy to gain access

Question 49

postadmission control

Answer 49

subsequently polls the device to check that it remains compliant

Question 50

NAC policy enforcer

Answer 50

with preadmission control, supplicant client devices connect to the network via a NAC policy enforcer, such as a switch, router, or wireless access point

Question 51

NAC policy server

Answer 51

performs machine and user authentication with a RADIUS AAA server

Question 52

posture assessment

Answer 52

- process by which host health checks are performed against a client device to verify compliance with the health policy - some NAC solutions can perform agentless posture assessment

Question 53

persistent v non-persistent

Answer 53

an agent can be persistent, in which case it is installed as a software application on the client, or non-persistent (dissolvable)

Question 54

remediation

Answer 54

refers to what happens if a device does not meet the security profile

Question 55

guest network

Answer 55

this would be a VLAN or a firewalled subnet (DMZ) granting limited access to network resources

Question 56

quarantine network

Answer 56

restricted network, captive portal (allows only HTTP traffic and redirects the HTTP traffic to a remediation server)

Question 57

rogue system detection

Answer 57

refers to process of identifying (and removing) hosts on the network that are not supposed to be there

Question 58

routers

Answer 58

can server both to join physically remote networks and subdivide a single network into multiple subnets

Question 59

border (or edge routers)

Answer 59

routers that join different types of networks

Question 60

routing protocols

Answer 60

Dynamic routers exchange information about routes using routing protocols, such as Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Border Gateway Protocol (BGP)

Question 61

IP spoofing

Answer 61

attacker changes the source and/or destination address recorded in the IP packet

Question 62

Network Address Translation (NAT)

Answer 62

devised as a way of freeing up scarce IP addresses for hosts needing Internet access

Question 63

Network Address Port Translation (NAPT) or NAT overloading

Answer 63

provides a means for multiple private IP addresses to be mapped onto a single public address

Question 64

source NAT

Answer 64

the types of NAT described so far involve source addresses (and ports in the case of NAPT) from a private range being rewritten with public addresses

Question 65

destination NAT (DNAT) or port forwarding

Answer 65

Port forwarding means that the router takes requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port on the LAN

Question 66

software defined networking (SDN)

Answer 66

application (or suite of applications) can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using application programming interfaces (APIs)

Question 67

routing attacks

Answer 67

- fingerprinting--port scanning using a tool such as Nmap can reveal the presence of a router and which dynamic routing and management protocols it is running - software exploits - spoofed routing information (route injection) - denial of service (DoS) - ARP poisoning - source routing