3.3 Given a scenario, implement secure network designs. Flashcards

1
Q

Active/active load balancing

A

In an active/active high-availability cluster, the load-balanced services perform the same functions at the same time, but with different transactions. As an example, two load-balanced Web servers would respond to different users’ browser requests. The load balancer manages the traffic and requests going to each of the members of the service or device cluster for which it is responsible. This helps provide for efficiency, eliminates delays or latency, and provides for system and data availability if a member of the cluster is unable to fulfill requests or requires maintenance.

2
Q

Active/passive load balancing

A

A load balancer contributes to security by providing for high availability. If a server goes down, the load balancer can transparently and immediately provide for availability by transferring network and resource requests to an identically configured backup server.

An active/passive high-availability cluster like this has one server active and the second passive, acting as a failover or backup.

3
Q

Scheduling (load balancing)

A

Load balancers may use several different criteria to determine scheduling—that is, which device gets a particular request. A load balancer may base its decisions on network traffic conditions, for example; it may use a turn-based system (otherwise known as a round-robin type of system); or it can send traffic based on available resources on the target systems in more advanced products.

4
Q

Load Balancing Virtual IP

A

A load balancer receives traffic for other devices or services via a virtual IP address. All the traffic is sent to a virtual IP address that is hosted on the load balancer, which forwards the relevant traffic to each resource behind it. This address is labeled “virtual” because it only exists for the purpose of routing traffic, and it is assigned to a device that already has a hardware-relevant IP address.

5
Q

Load Balancing Persistence

A

A load balancer contributes to security by providing for high availability. If a server goes down, the load balancer can transparently and immediately provide for availability by transferring network and resource requests to an identically configured backup server. This is considered persistence in networking, meaning the network resources are always available.

6
Q

Network Segmentation

A

Network segmentation generally means partitioning a single enterprise network into two or more subnetworks using either switches (at Layer 2) or routers (at Layer 3). Layer 2 switches use VLAN capabilities to turn single broadcast domains into multiple broadcast domains.

7
Q

Virtual local area network (VLAN)

A

A VLAN doesn’t depend upon the physical layout of the network; it doesn’t matter if the hosts are physically sitting next to each other or are located several buildings apart. A VLAN creates a logical network in which to assign hosts.

8
Q

Screened Subnet (DMZ)

A

A screened subnet—also known as a demilitarized zone (DMZ)—is a LAN separate from the internal LANs that contain workstations and private servers. The DMZ connects to the Internet via a lightly firewalled router, and the internal network connects to the DMZ via a much more aggressively firewalled router.

9
Q

East-West Traffic

A

The network documentation folks have long called the internal server-to-server connection east-west traffic, not because of any geographic necessities, but because the network diagrams tend to show them as horizontal connections.

10
Q

Extranet

A

A private TCP/IP network that gives external entities (customers, vendors, etc.) access to an organization’s intranet is called an extranet.

11
Q

Intranet

A

A network using VLANs or routers that’s essentially a single enterprise network is called an intranet.

12
Q

Zero Trust

A

The CompTIA Security+ objectives list Zero Trust under network segmentation. Zero Trust operates on the principle of “never trust, always verify,” which means exclude any traffic from anyone until you can prove that traffic is legitimate. Zero Trust uses network segmentation as some of the methods for excluding traffic.

13
Q

Virtual Private Network (VPN)

A

A virtual private network (VPN) uses the public Internet as a direct connection between a single computer and a faraway LAN or between two faraway LANs. This is not a remote desktop connection or a terminal or a Web page connection. A VPN puts a single system or a separate LAN on the same broadcast domain, the same Layer 2 connection, just as if the faraway system plugged directly into the LAN’s switch.

14
Q

Always-on VPN

A

Site-to-site VPN concentrators generally never disconnect. We call these always-on VPNs.

15
Q

Split-tunnel VPN

A

Current VPN technologies enable you to configure a VPN connection to send only LAN traffic through the tunnel. All other traffic ignores the tunnel. This is a split tunnel and is the most common type of tunnel.

16
Q

Full-tunnel VPN

A

One early problem with VPNs was that once you connected to a LAN, that was your only connection. Your IP address and default gateway were on that LAN; you used that LAN’s DHCP and DNS servers. That meant if your computer was connected to a VPN and opened a Web browser, your computer went through the VPN connection and then went back out and used the Internet connection on your LAN. This is called a full tunnel and is a terrible way to get to the Internet.

17
Q

Remote access vs. site-to-site VPN

A

VPNs work in one of two different ways. You can connect a single system to an existing LAN in what is called remote access, or you can connect two complete LANs in site-to-site.

18
Q

VPN IPSec

A

Internet Protocol Security (IPsec) is a security protocol that works at the Network layer of the OSI model. IPsec was developed to provide security services (authentication and encryption) for IP traffic, since IP does not have any built-in native security protections. Three major protocols make up IPsec: AH, ESP, and ISAKMP.

19
Q

SSL/TLS VPN

A

The only serious competitor to IPsec VPNs is VPNs using the SSL/TLS protocol. This is the same SSL/TLS protocol used in secure Web pages. SSL/TLS VPN connections don’t require special client software installed on the system that wants to connect to the remote network. That system uses only a Web browser and SSL/TLS security to make the VPN connection.

20
Q

HTML5 (VPN)

A

Sophos has a Unified Threat Management (UTM) system on Amazon Web Services (AWS) that enables you to log into AWS and get a list of predefined network services. The system requires an HTML5-compliant browser—so the latest Chrome, Firefox, or Safari work fine—but the catch is interesting: you can only access content remotely; you can’t download content to your local machine. Sophos calls its service a VPN portal—and CompTIA includes HTML5 VPN as a VPN option. Be aware that this exists for the exam.

21
Q

Layer 2 Tunneling Protocol (L2TP)

A

Layer 2 Tunneling Protocol (L2TP) was developed jointly by Microsoft and Cisco, but it has become an Internet standard. L2TP is only an encapsulation protocol, simply providing transport services and protecting data through untrusted networks (such as the Internet) to get it to a destination network. L2TP still sees some adoption but is also fading to IPsec and SSL/TLS VPNs.

22
Q

DNS

A

The Domain Name System (DNS) resolves Internet names to IP addresses.

23
Q

Network access control (NAC)

A

Network access control (NAC) provides network protection and security by prohibiting hosts from connecting to the organization’s infrastructure unless they meet certain criteria. A NAC device provides an entry point or gateway into the network, typically for remote or mobile clients. This device checks the health and security settings of the client—a host health check—against a specified set of criteria before allowing it to access the network.

24
Q

Agent and agentless

A

Agent-based NAC tracks many features of potentially inbound devices, such as software versions and so on. The agent-based approach enables very fine control over allowing a device to connect to the network. The criteria used for an agent-based approach can be permanent or dissolvable. The former means the device that wants access to the network must have some software loaded—that software stays loaded. A dissolvable agent system runs something once on the device and admits or denies access; the software is then deleted.

Agentless NAC (such as one based on Windows Active Directory) would apply group policy rules to enforce the controls that an agent-based NAC device would do directly.

25
Q

Out-of-Band management

A

With out-of-band management, the network administrator can access the server even if the server isn’t running, by interfacing directly with the server’s firmware.

26
Q

Port Security

A

Switch ports require security to protect against attacks such as traffic floods and switching loops. Flood guards and loop prevention are a few of the features you’ll see in all better switches. Keep in mind that port security is applied to individual ports.

27
Q

Broadcast storm prevention

A

Attackers use traffic floods primarily to conduct denial-of-service attacks on networks and hosts, since many hosts and network devices don’t always react very favorably to excessive amounts of traffic or malformed traffic. Because flooding is a routine tactic of attackers, most modern network devices (and even some hosts) have flood protection built into their operating systems. These flood guards or broadcast storm prevention features work by detecting excessive traffic (by volume, as well as by rate) and taking steps to block the traffic or even turn off the offending port, so that the host doesn’t have to process it.

28
Q

Bridge Protocol Data Unit (BPDU) guard

A

STP switches send out Bridge Protocol Data Unit (BPDU) guard frames every two seconds, quickly stopping loops by automatically turning off one of the ports that’s supporting the loop.

29
Q

Loop Prevention

A

Some floods happen just from misconfiguration. If two or more pathways connect two switches, for example, this creates a loop, which then causes a broadcast storm—a type of flood (Figure 6-19). All but the simplest switches implement some kind of loop prevention, such as the Spanning Tree Protocol (STP).

30
Q

Dynamic Host Configuration Protocol (DHCP) snooping

A

With a DHCP snooping–capable switch, the switch is either automatically or manually given the IP addresses of the DHCP servers on your network. If any device other than the DHCP servers with the known IP addresses tries to send DHCP information, the switch will automatically turn off the associated port.

31
Q

Port Security: Media access control (MAC) filtering

A

The network administrator configures the switch port for that host to accept frames from only that MAC address, preventing bad actors from unplugging the host and plugging in their evil system.

32
Q

Jump Servers

A

A lot of modern networks that employ a screened subnet use a specialized network appliance called a jump server that enables secure management of devices within the DMZ. The typical jump server enables logging and auditing and provides a single management point for user accounts.

33
Q

Forward Proxy Servers

A

A forward proxy is known to the client system, often in the same LAN, taking the requests from the client, maybe doing something with the request, and then forwarding the request to the server just like any other client. Forward proxies are popular in organizations such as schools where the network administrators need to apply security controls to Internet access. A forward Web proxy almost always includes a strong firewall to check outgoing requests for blocked URLs, time-of-day restrictions, and anything else that needs to be monitored to support the security policies of the organization.

34
Q

Reverse Proxy Servers

A

A reverse proxy is used to protect servers. Reverse proxies are usually inside the same LAN as the servers. They always contain an application firewall to check the incoming requests for attack vectors and then pass the good requests to the server.

35
Q

Network-based Intrusion Detection System (NIDS) / Network-based Intrusion Prevention System (NIPS)

A

Network-based intrusion detection systems (NIDSs) and network-based intrusion prevention systems (NIPSs) look at attacks coming into the network at large instead of into a host. Attacks could be in the form of malformed network traffic or excessive amounts of traffic that would easily exceed a host’s threshold to handle effectively. An attack could also manifest as malicious content embedded in traffic or other forms of malware. Network intrusion handling also might look at massive DDoS conditions, such as those caused by botnet attacks.

36
Q

Signature-based NIDS/NIPS

A

A signature-based NIDS/NIPS uses preconfigured signature files (similar to how anti-malware applications work), which are stored in the NIPS/NIDS database. These signatures define certain attack patterns based upon known traffic characteristics. Like an anti-malware solution, a signature-based NIDS/NIPS must also have its signature database updated frequently, since the security community records new attack patterns often.

37
Q

Heuristic/behavior NIDS/NIPS

A

A heuristic system combines the best of both anomaly-based and signature-based systems. It starts out with a database of attack signatures and adapts them to network traffic patterns. It learns how different attacks manifest themselves on the network in which it is installed and adjusts its detection algorithms to fit the combination of network traffic behavior and signatures.

38
Q

Anomaly NIDS/NIPS

A

A behavior- or anomaly-based system detects attacks after comparing traffic with a baseline of patterns considered normal for the network. For this to work, the intrusion detection system must be installed and then given the opportunity to “learn” how the normal flow of traffic behaves over the network. This can take time, but once the NIDS/NIPS establishes a good baseline of normal network traffic, the system will detect any unusual or anomalous traffic patterns that don’t fit into the normal network traffic patterns and issue alerts on them as potential attacks.

39
Q

Inline vs. passive NIDS/NIPS

A

One point of interest is the difference between a NIDS and a NIPS. A NIDS is a passive device and focuses on detection alone, making it a detection control. It detects network traffic issues and alerts an administrator to these issues, also logging the events in the process. A NIPS, in contrast, is an active (CompTIA Security+ uses the term inline) device and focuses not only on detecting network attacks but also on preventing them.

40
Q

HSM

A

For Web servers, automated teller machines, or other applications that perform an unusually high amount of key handling, it’s usually a good idea to offload this work to other hardware. A hardware security module (HSM) is any type of hardware that’s designed to do this work.

41
Q

Sensors

A

In general, a NIDS/NIPS consists of many components. The core component of any IDS/IPS is the sensor, the device that monitors the packets, searching for problems. Given the nature of detection versus prevention, a NIPS sensor must be installed in-band to your network traffic, while a NIDS sensor, being passive, is normally installed out-of-band.

42
Q

Collectors/Aggregators

A

When it comes to SIEM, it’s all about aggregation: collecting data from disparate sources and organizing the data into a single format. Any device within a SIEM system that collects data is called a collector or an aggregator. In a simpler NIPS setup with three sensors, it’s common to have a single server that acts as a collector, querying the sensors for data in real time.

43
Q

Aggregators

A
44
Q

Web Application Firewall (WAF)

A

Given the huge number of Web applications living in the cloud, just about every manufacturer of application firewalls for Web apps—appropriately named Web application firewalls (WAFs)—also provides cloud-based virtual appliances.

45
Q

NGFW

A

A next-generation firewall (NGFW) functions at multiple layers of the OSI model to tackle traffic no traditional firewall can filter alone. A Layer 3 firewall can filter packets based on IP addresses, for example. A Layer 5 firewall can filter based on port numbers. Layer 7 firewalls understand different application protocols and can filter on the contents of the application data. An NGFW handles all of this and more.

46
Q

Stateful firewalls

A

A stateful firewall understands the procedures and processes of different Internet protocols and filters any form of communication that is outside of proper procedures. A stateful firewall understands several functions expected in normal TCP and UDP communication and uses that intelligence to inspect the state of that connection. Stateful firewalls collect several packets in a connection and look at them as a state to determine if the communication meets correct protocol steps.

47
Q

Stateless Firewalls

A

A stateless firewall looks at every incoming packet individually without considering anything else that might be taking place (ergo stateless). Stateless firewalls, also called packet filters, are the oldest type of firewall. If you’re going to have a firewall inspecting every packet, you must have some form of checklist that the firewall uses to determine whether a packet should be blocked. This is the router’s access control list (ACL). The ACL for an Internet gateway firewall is a unique tool that defines what makes a packet good or bad.

48
Q

Unified Threat Management (UTM)

A

Better security appliances implement unified threat management (UTM), marrying traditional firewalls with other security services, such as NIPS, load balancing, and more.

49
Q

Network Address Translation (NAT) Gateway

A

Given the setup of most networks these days, the default gateway often also acts as a network address translation (NAT) gateway, enabling many internal devices to use private IP addresses and access the Internet through a single public IP address.

50
Q

Content/URL Filter

A

A typical application firewall acts as a content/URL filter, blocking traffic based on the content of the traffic and on the source URL. Traditional firewalls filter based upon the characteristics of the traffic itself, rather than its content. Application firewalls look at the content of the traffic as well, in addition to its characteristics. So, if HTTP is otherwise allowed into the network, an application firewall also looks at the content of the HTTP traffic, often detecting whether the content itself is allowed.

51
Q

Open-source vs. Proprietary Firewalls

A

Look for comparison questions on the CompTIA Security+ exam that explore hardware vs. software firewalls and open-source vs. proprietary firewall software solutions.

52
Q

Hardware vs. Software Firewalls

A

Look for comparison questions on the CompTIA Security+ exam that explore hardware vs. software firewalls and open-source vs. proprietary firewall software solutions.

53
Q

Access Control List (ACL)

A

A network-based firewall, like the host-based firewall discussed in Chapter 5, filters IP traffic based on rulesets known generically as access control lists (ACLs).

54
Q

Route Security

A

Routers enable networks to interconnect. Network engineers focus on secure network design principles with routers to ensure the information that enables that interconnectivity stays safe and uncorrupted. The details of the routing tables matter.

55
Q

Quality of Service (QoS)

A

The quality of service (QoS) router feature enables you to control the bandwidth of different protocols coming through a router. With QoS you can assign a minimum or a maximum bandwidth set either as a percentage of the router’s total bandwidth or as a set speed (MB/sec, for example).

The QoS feature makes sure that certain protocols never max out the router and ensures that critical protocols always have adequate bandwidth.

56
Q

Implications of IPv6

A

When thinking about the implications of IPv6 for a network, moving to an NGFW might be the best option for future-proofing your security.

57
Q

Port Spanning / Port Mirroring

A

A port mirror (also called a Switched Port Analyzer, or SPAN, in Cisco devices) is a special port on a managed switch configurable to listen for all data going in and out of the switch. Unlike a network TAP, port mirroring is convenient and easily changed to reflect any changes in your NIDS/NIPS monitoring strategy. Port mirroring solutions are very handy when you want to monitor more than one VLAN at a time.

Some folks refer to port mirroring as copying the data from a single switch port to a monitoring port, while referring to port spanning as grouping multiple ports (or all of them) to a monitor port.

58
Q

Port Taps

A

For some reason, objective 3.3 on the CompTIA Security+ exam blurs some terms, calling a network TAP a port tap, for example, and SPAN under port mirroring, port spanning. Don’t get confused between a TAP and a SPAN.

59
Q

Monitoring Services

A

The only way to determine a server’s status is by monitoring the server. Monitoring might be as simple as trying to log onto the server or as complex as using remote tools to query logs and events and comparing them to baselines to see how the server is performing.

60
Q

File Integrity Monitors

A

File integrity monitors, for example, check for baseline deviations and can alert administrators of problems. Basically, any file integrity monitoring (FIM) needs to answer these three questions:

  • Is the system up?
  • Is the system too busy?
  • Are strange things happening?