Lesson 9 Implement Secure Network Designs

Question 1

Switches

Answer 1

Forward frames between nodes in a cabled network

• works at the Datalink layer (2) of the OSI Model
• makes forwarding decisions based on the HW MAC address of attached nodes
• can establish network segments to the cabling or logical segments to establish virtual LANS (VLANS)
• Data it moves is frames

Question 2

WAP

Answer 2

Wireless Access Point

• Provides a bridge btwn a cabled network and wireless clients or stations
• works at the OSI model Datalink layer (2)
• works with frame data

Question 3

Routers

Answer 3

Forward packets around an internet based on IP addresses

• works on OSI Model Network layer (3)
• can apply logical IP subnet addresses to segments within a network
• works on Frame data

Question 4

Firewalls

Answer 4

Apply Access Control List (ACL) to filter traffic passing in or out of a network segment
- works a the OSI Model Network layer (3)

Question 5

Load Balancers

Answer 5

Network appliance which distributes traffic btwn network segments or servers to optimize performance
- works at the OSI Model Transport layer (4) or higher

Question 6

DNS

Answer 6

Domain Name System

• A system which resolves IP addresses to FQDNs
• Works at OSI Model Application layer (7)
• abuse of name resolution is a common attack vector

Question 7

OSI Model - Layer 1

Answer 7

Layer 1: Physical 
PDU: bits
HW: Hubs, net tap, repeaters
Addressing: none
Protocols: UTP, STP, COAX, Fiber, TDM, FDM
Control: node

Question 8

OSI Model Layer 2

Answer 8

Layer: Datalink - Connects nodes inside a LAN together - Nodes to Nodes
PDU: Frame
HW: Switch, Bridge, WAP
Addressing: MAC address (Physical Address), VLAN id
Protocols: Ethernet, PPP, LLC
Control: MAC Filtering

Address Resolution Protocol (ARP) between Physical and Datalink layers

Question 9

OSI Model Layer 3

Answer 9

Layer: Network - Connects LANs together - LAN to LAN
PDU: Packet
HW: Router, Layer 3 Switches
Addressing: IP Addresses (Logical Addresses)
Protocols: IP, ICMP, IPSec, IGMP
Control: Packet Filtering Firewall

Question 10

OSI Model Layer 4

Answer 10

Layer: Transport - End to end connections
PDU: Segment
HW: Load Balancer, Firewall
Addressing: Logical Port Numbers
Protocols: TCP, UDP, optionally SSL/TLS
Control: Packet Filtering Firewall

Question 11

OSI Model Layer 5

Answer 11

Layer: Session - Interhost Communication
- Synchronize upper layers with lower layers
- allows session establishment btwn processes
PDU:
HW:
Addressing:
Protocols:

Question 12

OSI Model Layer 6

Answer 12

Layer: Presentation - Syntax layer
- Formats the data as needed

PDU: Data
HW:
Addressing:
Protocols:
Control: NGFW or App layer Firewall

Question 13

OSI Model Layer 7

Answer 13

Layer: Application - End Used Layer
PDU: Data
HW:
Addressing:
Protocols: HTTP(TCP 80), HTTPS(TCP 443), SMTP(TCP 25), FTP (20, 21)
Control: NGFW or App Layer Firewall

Question 14

ARP

Answer 14

Address Resolution Protocol

• Maps a MAC address to and IP address
• Sits btwn Datalink (2) and Network (3) layers

Question 15

Firewall

Answer 15

• sits between Network Layer (4) and Datalink Layer (3)

Question 16

DNS

Answer 16

Domain Name System

- Sits btwn Transport Layer (4) and the upper layers (5-7)

Question 17

IP Addresses come from ?

Answer 17

Locally:
DHCP - Dynamic Host Configuration Protocol
- Service to assign network IP addresses to client upon connection

Public:
- Internet Service Provider (ISP), assigned when get the service

Question 18

Private IP ranges

Answer 18

10. 0.0.x
11. 16-31.x.x
12. 168.x.x

Question 19

IPv4 vs IPv6

Answer 19

IPv4

• 32 bit
• 172.16.1.101/16 - the /16 indicates the first half of the address 172.16.0.0 is the network id, while the remainder identifies the host on the network.
• the /16 can also be written as subnet 255.255.0.0

IPv6

• 128 bit
• uses hex numbers
• 2001:db8::abc:0:dev0: 1234

Question 20

Network Segmentation

Answer 20

Network Segment

• All hosts attached to the segment can use local layer 2 to communicate freely with one another
• said to be in the same broadcast domain

Segregation

• Host is one segment are restricted in the way they communicate with hosts in the other segment
• could be restricted by ports they can access or communicate across
• two switches can be connect via a layer 3 router and enforce network policies via Access Control List (ACL)
• more likely though to be enforced via virtual LAN (VLAN)

Question 21

VLAN

Answer 21

Virtual Local Area Network

• segmentation enforcement
• Any port on a any switch can be assigned to any VLAN in the same topology

Question 22

DMZ

Answer 22

Demilitarized Zones

• a perimeter or edge network made up of internet facing hosts
• basic principle is traffic can not pass directly through the DMZ
• acts as proxy to the outer facing (in the internet) servers and the internal hosts of the network
• hosts in the DMZ are bastion hosts and run minimal services to reduce the attack surface

Question 23

Screened Subnet

Answer 23

• part of a DMZ to further restrict access into and out of the DMZ
• two firewalls sit on either side of the DMZ
• edge firewall is called the Screening Router/Firewall
• internal firewall is called the choke router/firewall
• provides better access control and easier monitoring

Question 24

PNAC

Answer 24

Port-based Network Access Control

• part of the 802.1X standard
• means the switch utilizes an AAA Svr to authenticate the attached device before activating the port

Network Access Control

• extends the scope of Authentication
• allows for policies or profiles describing minimum security Configuration a device must meet to be granted access to the network
• this is called a health policies

Question 25

Network loop prevention

Answer 25

Spanning Tree Protocol (STP) - used to set blocks on switches in an attempt to prevent looping Broadcast Strom Prevention - broadcast and flooding unicast getting amplified as it loops around network - Storm control if STP has failed Bridge Protocol Data Unit (BPDU) guard - configure switch to defeat attempts to engineer a loop by an attacker - Portfast setting configured for access port - guard disables port if STP traffic is detected

Question 26

WAP

Answer 26

Wireless Access Point - forwards traffic to the wired switched network - identified by it's MAC often referred to as the Basic Service Set Identifier

Question 27

BSSID

Answer 27

Basic Service Set IDentifier - each WAP identified by it's MAC address - for computer

Question 28

SSID

Answer 28

Service Set Identifier - Identifies each wireless network by it's name - human readable

Question 29

Wi-Fi Authentication types

Answer 29

Personal Open Enterprise

Question 30

Personal Wi-Fi authentication types

Answer 30

Pre-Shared Key (PSK) Simultaneous Authentication of Equals (SAE)

Question 31

Benefit of WPA3 over WPA2

Answer 31

Wired Equivalent Privacy (WEP) is broken (too many vulnerabilities) Wi-fi Protected Access 3 (WPA3) fixed those vulnerabilities WPA2 is flawed but acceptable WPA3 is much improved but not largely available yet WPA3 uses SAE

Question 32

WPA3 and SAE

Answer 32

Simultaneous Authentication of Equals (SAE) - replacement for WPA2's authentication - uses Diffie-Hillman key agreement for much stronger encryption - Diffie-Hillman process is called Dragonfly

Question 33

SAE

Answer 33

Simultaneous Authentication of Equals - uses the Dragonfly handshake to thwart offline brute force or dictionary attacks - Diffie-Heillman over elliptic curves key agreement combined with the password hash and MAC address to authenticate nodes - also uses ephemeral session keys to provide forward secrecy WPA3 uses SAE to provide authentication

Question 34

PSK

Answer 34

Pre-Shared Key - uses a passphrase to generate the key - referred to as group authentication - meaning the group of users share the same secret - WPA2-PSK mode of the WAP - attackers exploit the passphrase using dictionary or brute force attacks

Question 35

WPS

Answer 35

Wi-Fi Protected Setup - meant to simplify setting up a WAP - lead to weaker security - brute force attacks

Question 36

Open Wi-Fi authentication

Answer 36

Open means client is not required to authenticate - like in a cafe or other public WAP Uses Captive Portals or splash screens - authentication to the network via browser using HTTPS Users must ensure they are using SSL/TLS or a VPN to secure confidential data when using an open authentication WAP WPA3 can implement Open Wireless Encryption (OWE) which uses the Dragonfly handshake to use ephemeral session keys

Question 37

Enterprise Wi-Fi Authentication - EAPoW

Answer 37

Extensible Authentication Protocol over Wireless (EAPoW) - defined by 802.1X allowing an access point to forward authenticate data without allowing any other type of network access - uses an AAA (RADIUS or TACACS+) servers on the wired network to authenticate the supplicant - uses a master key (MK) to derive the same pairwise master key (PMK) - The PMKs are used by the supplicant and the WAP to derive session keys

Question 38

DDos

Answer 38

Distributed Denial of Service - performed usually by a bot network - usually uses a SYN flood attack by withholding the ACK portion of the TCP three way handshake, causes the switch/router to get caught up in trying to make connections rather than genuine traffic Use blackhole to thwart by dropping packets into a blackhole on the network, an area that cannot reach any other part of the network Use sinkhole routing, which routing the affected data to a different part of the network to be analyzed

Question 39

Load Balancing

Answer 39

distributes client requests across available server nodes in a farm or pool allows for scaling Works on Layer 4 (basic LD) or layer 7 (has content switching) Schedule: - round robin - fewest connections - best response time - weighted source IP or session affinity - client session is stuck to the first node that accepted the request session persistence - layer 7 LD function to use cookies to maintain the session, better than session affinity

Question 40

Clustering

Answer 40

Provides redundancy in Load Balancing - allows for multiple redundant processing nodes to share data with one another to accept connections - nodes can failover to a working node should one node fail Active/Passive - Once node is processing connections, while the other is passive Active/Active - Bothe nodes are processing connections concurrently