3.3 Secure Network Designs Flashcards

1
Q
• Distribute the load
– Multiple servers
– Invisible to the end-user
• Large-scale implementations
– Web server farms, database farms
• Fault tolerance
– Server outages have no effect
– Very fast convergence
A

Balancing the load

2
Q
• Configurable load
– Manage across servers
• TCP offload
– Protocol overhead
• SSL offload
– Encryption/Decryption
• Caching
– Fast response
• Prioritization
– QoS
• Content switching
– Application-centric balancing
A

Load balancer

3
Q
• Round-robin
– Each server is selected in turn
• Weighted round-robin
– Prioritize the server use
• Dynamic round-robin
– Monitor the server load and distribute to the server with the lowest use
• Active/active load balancing
A

Scheduling

4
Q

• Affinity
– A kinship, a likeness
• Many applications require communication to the same instance
– Each user is “stuck” to the same server
– Tracked through IP address or session IDs
– Source affinity / sticky session / session persistence

A

Affinity

5
Q

• Some servers are active
– Others are on standby
• If an active server fails, the passive server takes its place

A

Active/passive load balancing

6
Q

• Physical, logical, or virtual segmentation
– Devices, VLANs, virtual networks
• Performance
– High-bandwidth applications
• Security
– Users should not talk directly to database servers
– The only applications in the core are SQL and SSH
• Compliance
– Mandated segmentation (PCI compliance)
– Makes change control much easier

A

Segmenting the network

7
Q

• Devices are physically separate
– Air gap between Switch A and Switch B
• Must be connected to provide communication
– Direct connect, or another switch or router
• Web servers in one rack
– Database servers on another
• Customer A on one switch, customer B on another
– No opportunity for mixing data
• Separate devices
– Multiple units, separate infrastructure

A

Physical segmentation

8
Q

• Virtual Local Area Networks (VLANs)
– Separated logically instead of physically
– Cannot communicate between VLANs without a Layer 3 device / router

A

Logical segmentation with VLANs

9
Q

• Previously known as the demilitarized zone (DMZ)
– An additional layer of security between the Internet and you
– Public access to public resources

A

Screened subnet

10
Q

• A private network for partners
– Vendors, suppliers
• Usually requires additional authentication
– Only allow access to authorized users

A

Extranet

11
Q

• Private network
– Only available internally
• Company announcements, important documents, other company business
– Employees only
• No external access
– Internal or VPN access only

A

Intranet

12
Q

• Traffic flows within a data center
– Important to know where traffic starts and ends
• East-west
– Traffic between devices in the same data center
– Relatively fast response times
• North-south traffic
– Ingress/egress to an outside device
– A different security posture than east-west traffic

A

East-west traffic

13
Q

• Many networks are relatively open on the inside
– Once you’re through the firewall, there are few security controls
• Zero trust is a holistic approach to network security
– Covers every device, every process, every person
• Everything must be verified
– Nothing is trusted
– Multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.

A

Zero-trust

14
Q
• Virtual Private Networks
– Encrypted (private) data traversing a public network
• Concentrator
– Encryption/decryption access device
– Often integrated into a firewall
• Many deployment options
– Specialized cryptographic hardware
– Software-based options available
• Used with client software
– Sometimes built into the OS
A

VPNs

15
Q
• Uses common SSL/TLS protocol (tcp/443)
– (Almost) No firewall issues!
• No big VPN clients
– Usually remote access communication
• Authenticate users
– No requirement for digital certificates or shared passwords (like IPSec)
• Can be run from a browser or from a (usually light) VPN client
– Across many operating systems
A

SSL VPN (Secure Sockets Layer VPN)

16
Q
• On-demand access from a remote device
– Software connects to a VPN concentrator
• Some software can be configured as always-on
A

Remote access VPN

17
Q

• Layer 2 Tunneling Protocol
– Connecting sites over a layer 3 network as if they were connected at layer 2
• Commonly implemented with IPsec
– L2TP for the tunnel, IPsec for the encryption
– L2TP over IPsec (L2TP/IPsec)

A

L2TP

18
Q

• Security for OSI Layer 3
– Authentication and encryption for every packet
• Confidentiality and integrity/anti-replay
– Encryption and packet signing
• Very standardized
– Common to use multi-vendor implementations
• Two core IPSec protocols
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)

A

IPSec (Internet Protocol Security)

19
Q
• Data integrity
• Origin authentication
• Replay attack protection
• Keyed-hash mechanism
• No confidentiality/encryption

• Hash of the packet and a shared key
– SHA-2 is common
– Adds the AH to the packet header
• This doesn’t provide encryption
– Provides data integrity (hash)
– Guarantees the data origin (authentication)
– Prevents replay attacks (sequence numbers)
A

AH (Authentication Header)

20
Q
• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrity
• Anti-replay protection

• Encrypts and authenticates the tunneled data
– Commonly uses SHA-2 for hash, AES for encryption
– Adds a header, a trailer, and an Integrity Check Value
• Combine with Authentication Header (AH) for integrity and authentication of the outer header

A

ESP (Encapsulating Security Payload)

21
Q
IPsec Transport mode and Tunnel mode
• AH and ESP
– Combine the data integrity of AH with the confidentiality of ESP
• Tunnel mode is the most common
– Transport mode may not even be an option
A

IPsec Transport mode and Tunnel mode - AH and ESP

22
Q

• Hypertext Markup Language version 5
– The language commonly used in web browsers
• Includes comprehensive API support
– Application Programming Interface
– Web cryptography API
• Create a VPN tunnel without a separate VPN application
– Nothing to install
• Use an HTML5 compliant browser
– Communicate directly to the VPN concentrator

A

HTML5 VPNs

23
Q
• There’s a lot of security that happens at the physical switch interface
– Often the first and last point of transmission
• Control and protect
– Limit overall traffic
– Control specific traffic types
– Watch for unusual or unwanted traffic
• Different options are available
– Manage different security issues
A

Port security

24
Q

• Send information to everyone at once
– One frame or packet, received by everyone
– Every device must examine the broadcast
• Limited scope
– The broadcast domain
• Routing updates, ARP requests
– Can add up quickly
• Malicious software or a bad NIC
– Not always normal traffic
• Not used in IPv6
– Focus on multicast

A

Broadcasts

25
Q
• The switch can control broadcasts
– Limit the number of broadcasts per second
• Can often be used to control multicast and unknown unicast traffic
– Tight security posture
• Manage by specific values or by percentage
– Or the change over normal traffic patterns
A

Broadcast storm control

26
Q
• Connect two switches to each other
– They’ll send traffic back and forth forever
– There’s no “counting” mechanism at the MAC layer
• This is an easy way to bring down a network
– And somewhat difficult to troubleshoot
– Relatively easy to resolve
• IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
– Created by Radia Perlman
– Used practically everywhere
A

Loop protection

27
Q
• Spanning tree takes time to determine if a switch port should forward frames
– Bypass the listening and learning states
– Cisco calls this PortFast
• BPDU (Bridge Protocol Data Unit)
– The spanning tree control protocol
• If a BPDU frame is seen on a PortFast configured interface (i.e., a workstation), shut down the interface
– This shouldn’t happen - Workstations don’t send BPDUs
A

BPDU Guard

28
Q
• IP tracking on a layer 2 device (switch)
– The switch is a DHCP firewall
– Trusted: Routers, switches, DHCP servers
– Untrusted: Other computers, unofficial DHCP servers
• Switch watches for DHCP conversations
– Adds a list of untrusted devices to a table
• Filters invalid IP and DHCP information
– Static IP addresses
– Devices acting as DHCP servers
– Other invalid traffic patterns
A

DHCP Snooping

29
Q
• Media Access Control
– The “hardware” address
• Limit access through the physical hardware address
– Keeps the neighbors out
– Additional administration with visitors
• Easy to find working MAC addresses through wireless LAN analysis
– MAC addresses can be spoofed
– Free open-source software
• Security through obscurity
A

MAC filtering

30
Q
• DNS had no security in the original design
– Relatively easy to poison a DNS
• DNSSEC
– Domain Name System Security Extensions
• Validate DNS responses
– Origin authentication
– Data integrity
• Public key cryptography
– DNS records are signed with a trusted third party
– Signed DNS records are published in DNS
A

Domain Name Resolution

31
Q
• Stop end users from visiting dangerous sites
– The DNS resolves to a sinkhole address
• A query to a known-malicious address can identify infected systems
– And prevent further exploitation
• Content filtering
– Prevent DNS queries to unwanted or suspicious sites
A

Using a DNS for security

32
Q
• The network isn’t available
– Or the device isn’t accessible from the network
• Most devices have a separate management interface
– Usually a serial connection / USB
• Connect a modem
– Dial-in to manage the device
• Console router / comm server
– Out-of-band access for multiple devices
– Connect to the console router, then choose where you want to go
A

Out-of-band management

33
Q
• Many different devices
– Desktop, laptop, VoIP phone, mobile devices
• Many different applications
– Mission critical applications, streaming video, streaming audio
• Different apps have different network requirements
– Voice is real-time
– Recorded streaming video has a buffer
– Database application is interactive
• Some applications are “more important” than others
– Voice traffic needs to have priority over YouTube
A

The need for QoS

34
Q
• Prioritize traffic performance
– Voice over IP traffic has priority over web-browsing
– Prioritize by maximum bandwidth, traffic rate, VLAN, etc.
• Quality of Service
– Describes the process of controlling traffic flows
• Many different methods
– Across many different topologies
A

QoS (Quality of Service)

35
Q
• More IP address space
– More difficult to IP/port scan (but not impossible)
– The tools already support IPv6
• No need for NAT
– NAT is not a security feature
• Some attacks disappear
– No ARP, so no ARP spoofing
• New attacks will appear
– For example, Neighbor Cache Exhaustion
• IPsec built in / IPsec ready
A

IPv6 security is different

36
Q
• Intercept network traffic
– Send a copy to a packet capture device
• Physical taps
– Disconnect the link, put a tap in the middle
– Can be an active or passive tap
• Port mirror
– Port redirection, SPAN (Switched Port ANalyzer)
– Software-based tap
– Limited functionality, but can work well in a pinch
A

Taps and port mirrors

37
Q
• Constant cybersecurity monitoring
– Ongoing security checks
– A staff of cybersecurity experts at a Security Operations Center (SOC)
• Identify threats
– A broad range of threats across many different organizations
• Respond to events
– Faster response time
• Maintain compliance
– Someone else ensures PCI DSS, HIPAA compliance, etc.
A

Monitoring services

38
Q
• Some files change all the time
– Some files should NEVER change
• Monitor important operating system and application files
– Identify when changes occur
• Windows - SFC (System File Checker)
• Linux - Tripwire
• Many host-based IPS options
A

FIM (File Integrity Monitoring)

39
Q
• Standard issue
– Home, office, and in your operating system
• Control the flow of network traffic
– Everything passes through the firewall
• Corporate control of outbound and inbound data
– Sensitive materials
• Control of inappropriate content
– Not safe for work, parental controls
• Protection against evil
– Anti-virus, anti-malware
A

The universal security control

40
Q
• Filter traffic by port number or application
– Traditional vs. NGFW firewalls
• Encrypt traffic
– VPN between sites
• Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT) functionality
– Authenticate dynamic routing communication
A

Network-based firewalls

41
Q
• Does not keep track of traffic flows
– Each packet is individually examined, regardless of past history
– Traffic sent outside of an active session will traverse a stateless firewall
A

Stateless firewall

42
Q
• Stateful firewalls remember the “state” of the session
– Everything within a valid flow is allowed
A

Stateful firewall

43
Q
• Unified Threat Management (UTM) / Web security gateway
– URL filter / Content inspection
– Malware inspection
– Spam filter
– CSU/DSU
– Router, Switch
– Firewall
– IDS/IPS
– Bandwidth shaper
– VPN endpoint
A

UTM / All-in-one security appliance

44
Q
• The OSI Application Layer
– All data in every packet
• Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
• Requires some advanced decodes
– Every packet must be analyzed and categorized before a security decision is determined

• Network-based Firewalls
– Control traffic flows based on the application
– Microsoft SQL Server, Twitter, YouTube
• Intrusion Prevention Systems
– Identify the application
– Apply application-specific vulnerability signatures to the traffic
• Content filtering
– URL filters
– Control website traffic by category
A

Next-generation firewall (NGFW)

45
Q
• Not like a “normal” firewall
– Applies rules to HTTP/HTTPS conversations
• Allow or deny based on expected input
– Unexpected input is a common method of exploiting an application
• SQL injection
– Add your own commands to an application’s SQL query
• A major focus of Payment Card Industry Data Security Standard (PCI DSS)
A

Web application firewall (WAF)

46
Q
• Access control lists (ACLs)
– Allow or disallow traffic based on tuples
– Groupings of categories
– Source IP, Destination IP, port number, time of day, application, etc.
• A logical path
– Usually top-to-bottom
• Can be very general or very specific
– Specific rules are usually at the top
• Implicit deny
– Most firewalls include a deny at the bottom
– Even if you didn’t put one
A

Firewall rules

47
Q
• Open-source vs. proprietary
– Open-source provides traditional firewall functionality
– Proprietary features include application control and high-speed hardware
• Hardware vs. software
– Purpose-built hardware provides efficient and flexible connectivity options
– Software-based firewalls can be installed almost anywhere
• Appliance vs. host-based vs. virtual
– Appliances provide the fastest throughput
– Host-based firewalls are application-aware and can view non-encrypted data
– Virtual firewalls provide valuable East/West network security
A

Firewall characteristics

48
Q
• Control at the edge
– Your Internet link
– Managed primarily through firewall rules
– Firewall rules rarely change
• Access control
– Control from wherever you are - Inside or outside
– Access can be based on many rules
– By user, group, location, application, etc.
– Access can be easily revoked or changed
– Change your security posture at any time
A

Edge vs. access control

49
Q
• You can’t trust everyone’s computer
– BYOD (Bring Your Own Device)
– Malware infections / missing anti-malware
– Unauthorized applications
• Before connecting to the network, perform a health check
– Is it a trusted device?
– Is it running anti-virus? Which one? Is it updated?
– Are the corporate applications installed?
– Is it a mobile device?
– Is the disk encrypted?
– The type of device doesn’t matter - Windows, Mac, Linux, iOS, Android
A

Posture assessment

50
Q
• Persistent agents
– Permanently installed onto a system
– Periodic updates may be required
• Dissolvable agents
– No installation is required
– Runs during the posture assessment
– Terminates when no longer required
• Agentless NAC
– Integrated with Active Directory
– Checks are made during login and logoff
– Can’t be scheduled
A

Health checks/posture assessment

51
Q
• What happens when a posture assessment fails?
– Too dangerous to allow access
• Quarantine network, notify administrators
– Just enough network access to fix the issue
• Once resolved, try again
– May require additional fixes
A

Failing your assessment

52
Q
• Sits between the users and the external network
• Receives the user requests and sends the request on their behalf (the proxy)
• Useful for caching information, access control, URL filtering, content scanning
• Applications may need to know how to use the proxy (explicit)
• Some proxies are invisible (transparent)
A

Proxies

53
Q
• One of the simplest “proxies” is NAT
– A network-level proxy
• Most proxies in use are application proxies
– The proxy understands the way the application works
• A proxy may only know one application
– HTTP
• Many proxies are multipurpose proxies
– HTTP, HTTPS, FTP, etc.
A

Application proxies

54
Q
• An “internal proxy”
• Commonly used to protect and control user access to the Internet
A

Forward Proxy

55
Q
• Inbound traffic from the Internet to your internal service
A

Reverse Proxy

56
Q
• A third-party, uncontrolled proxy
• Can be a significant security concern
• Often used to circumvent existing security controls
A

Open Proxy

57
Q
• Intrusion Detection System / Intrusion Prevention System
– Watch network traffic
• Intrusions
– Exploits against operating systems, applications, etc.
– Buffer overflows, cross-site scripting, other vulnerabilities
• Detection vs. Prevention
– Detection - Alarm or alert
– Prevention - Stop it before it gets into the network
A

NIDS and NIPS

58
Q
• Examine a copy of the traffic
– Port mirror (SPAN), network tap
• No way to block (prevent) traffic
A

Passive monitoring

59
Q
• When malicious traffic is identified,
– IPS sends TCP RST (reset) frames
– After-the-fact
– Limited UDP response available
A

Out-of-band response

60
Q
• IDS/IPS sits physically inline
– All traffic passes through the IDS/IPS
A

Inline monitoring

61
Q
• Malicious traffic is immediately identified
– Dropped at the IPS
– Does not proceed through the network
A

In-band response

62
Q
• Signature-based
– Look for a perfect match
• Anomaly-based
– Build a baseline of what’s “normal”
• Behavior-based
– Observe and report
• Heuristics
– Use artificial intelligence to identify
A

Identification technologies

63
Q
• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– Offload that CPU overhead from other devices
• Used in large environments
– Clusters, redundant power
A

Hardware Security Module (HSM)

64
Q
• Access secure network zones
– Provides an access mechanism to a protected network
• Highly-secured device
– Hardened and monitored
• SSH / Tunnel / VPN to the jump server
– RDP, SSH, or jump from there
• A significant security concern
– Compromise to the jump server is a significant breach
A

Jump server

65
Q
• Aggregate information from network devices
– Built-in sensors, separate devices
– Integrated into switches, routers, servers, firewalls, etc.
• Sensors
– Intrusion prevention systems, firewall logs, authentication logs, web server access logs, database transaction logs, email logs
• Collectors
– Proprietary consoles (IPS, firewall), SIEM consoles, syslog servers
– Many SIEMs include a correlation engine to compare diverse sensor data
A

Sensors and collectors