3.3 - Secure Network Designs

Question 1

What is Load Balancing?

Answer 1

Efficiently distributing incoming network traffic across a group of backend servers.

Question 2

What can a load balancer be used for?

Answer 2

1) Configurable load (manage across servers)
2) TCP offload (protocol overhead)
3) SSL offload (encryption/ decryption)
4) Caching
5) Prioritization (QoS)
6) Content switching (application-centric balancing)

Question 3

List a few ways to configure a load balancer.

Answer 3

1) Round-robin
- Each server is selected in turn
2) Weighted round-robin
- Prioritize the server use
3) Dynamic round-robin
- Monitor the server load and distribute to the
server with the lowest use

Question 4

What is active/active load balancing?

Answer 4

The workload is distributed across all nodes in order to prevent any single node from getting overloaded.

Question 5

What is affinity in load balancing?

Answer 5

Each user only talks to one server. This can be tracked through IP addresses or session IDs. Each user is “stuck” to one server.

AKA
Source affinity/ sticky session/ session persistence

Question 6

What is active/passive load balancing?

Answer 6

Some servers are active while others are on standby. If an active server fails, the passive server takes its place.

Question 7

What are some forms of network segmentation?

Answer 7

1) Physical segmentation
2) Logical segmentation with VLANs
3) Screened subnet (Logical)
4) Intranet/ Extranet
5)

Question 8

How would one physically segment a network?

Answer 8

The devices are physically separate, so they cannot communicate with each other.

Question 9

How would one logically segment a network?

Answer 9

Virtual Local Area Network (VLANs)

Question 10

How would one segment a network with a screened subnet?

Answer 10

AKA DMZ

Firewalls separate a section of the network that interfaces with the internet, so people coming in can only access the resources within the DMZ.

Question 11

What is an Extranet?

Answer 11

A private network for business partners. It usually requires additional authentication and only allows access to authorized users.

Question 12

What is an Intranet?

Answer 12

A private network that this only accessible internally. It has internal servers, and it is only for employees.

NO external access. Only internal or VPN.

Question 13

What is East-west traffic?

Answer 13

Traffic that flows within a data center. It is traffic between devices in the same data center. It has relatively fast response times.

Internal traffic

Question 14

What is North-south traffic?

Answer 14

Ingress/ egress to an outside device. External traffic

It has a different security posture than east-west traffic.

Question 15

What is zero trust?

Answer 15

A holistic approach to network security that covers every device, process, and person.

Nothing is trusted. There is multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.

Question 16

What is a VPN (Virtual Private Network)?

Answer 16

Encrypted (private) data traversing a public network.

Question 17

What is a VPN concentrator?

Answer 17

An encryption/decryption access device that is often integrated into a firewall.

Question 18

What is a SSL VPN (Secure Sockets Layer VPN?

Answer 18

A VPN that uses SSL/TLS protocol (HTTPS port 443).

Can be run on a light VPN client or from a browser. There is no requirement for digital certificates or shared passwords (like IPSec).

Question 19

What is a HTML5 VPN?

Answer 19

A VPN that uses HTML 5. It creates a VPN tunnel without a separate VPN application. It includes comprehensive API support.

Question 20

What is the difference between a full tunnel VPN and a split tunnel VPN?

Answer 20

Full tunnel:
All of the data is going across the encrypted tunnel. The user cannot break out of the tunnel to send information to another device directly.

Split tunnel:
Some information goes through the tunnel, but information can be sent to another device outside the tunnel.

Question 21

What is a site-to-site VPN?

Answer 21

A connection between multiple networks.

This could be a corporate network where multiple offices work in conjunction with each other or a branch office network with a central office and multiple branch locations.

Question 22

What is L2TP (Layer 2 Tunneling Protocol)?

Answer 22

A protocol often used in site-to-site VPNs that allows sites to connect over a layer 3 network as if they were connected at layer 2. It is commonly implemented with IPsec.

L2TP would be used for the tunnel and IPsec for the encryption (aka L2TP over IPsec or L2TP/IPsec).

Question 23

What is IPSec (Internet Protocol Security)?

Answer 23

It is security for OSI Layer 3. It provides confidentiality and integrity (anti-replay).

There are two major IPSec protocols:
Authentication Header (AH)
Encapsulation Security Payload (ESP)

Question 24

What are the two major modes of IPSec? Explain them.

Answer 24

There are two major modes:
Transport mode: IPsec header and IPsec trailers
around the data (IP header is still on the outside)
Tunnel mode: New IP header on the outside with the
old IP header and data surrounded by an IPsec
header and trailer

Question 25

What are the two major IPSec protocols?

Answer 25

There are two major IPSec protocols:
Authentication Header (AH)
Encapsulation Security Payload (ESP)

Question 26

How does an authentication header in IPsec work?

Answer 26

A hash of the packet and an authentication header is created.

The hash is used for data integrity. It guarantees the data origin and prevents replay attacks.

AH does not provide encryption.

Question 27

How does ESP (Encapsulation Security Payload) in IPSec work?

Answer 27

It encrypts and authenticates the tunneled data, adding a header, trailer, and an integrity check value.

It can be combined with AH for integrity and authentication of the outer header.

Question 28

What are broadcast packets?

Answer 28

Packets that send information to everyone at once within a broadcast domain.

Question 29

How can broadcast packets cause issues?

Answer 29

They can bombard a network with traffic.

Question 30

What can create broadcast traffic?

Answer 30

Routing updates, ARP requests, malicious software, or a bad NIC

Question 31

What can be used to control broadcasts?

Answer 31

Networking switches

Question 32

What is Spanning Tree Protocol?

Answer 32

Predominantly used to prevent layer 2 loops and broadcast storms and is also used for network redundancy. It was developed around the time where recovery from an outage that took upwards of a minute or more was acceptable.

It blocks ports that would create a loop. If a device goes down, it can go into convergence mode to detect what devices are available.

Question 33

What is a BPDU guard?

Answer 33

It shuts down ports configured with STP portfast upon receipt of a BPDU (Bridge Protocol Data Unit) to prevent the creation of a loop. BPDUs are given off by switches.

Question 34

How might a switch protect against DHCP snooping?

Answer 34

It marks unofficial DHCP servers as untrusted, and it filters invalid IP and DHCP information.

Question 35

What is MAC filtering?

Answer 35

Access through physical hardware addresses are limited to approved addresses to prevent spoofed MAC addresses from getting through.

Question 36

How can a sinkhole address be used to reroute end users from dangerous sites? What are some other ways to use DNS for security?

Answer 36

A sinkhole address is an address that, using the DNS server, is rerouted from a known malicious site.

A query can be run to identify which machines have accessed malicious addresses.

You can use content filtering to prevent DNS queries to unwanted or suspicious sites.

Question 37

What are some examples of out-of-band management?

Answer 37

Serial/ USB
Modems
Console router/ comm server
- out-of- band access for multiple devices
- connect to the console router then choose where
you want to go

Question 38

What is QoS (Quality of Service)?

Answer 38

The prioritization of some network traffic over other network traffic.

Question 39

What are some characteristics of IPv6?

Answer 39

1) More IP address space
- More difficult to IP/ port scan
2) NAT is not needed
3) No ARP

Question 40

What is a network tap?

Answer 40

A device that is put in between two links to capture traffic.

Question 41

What is a port mirror?

Answer 41

A software-based tap.

Question 42

What is a cybersecurity monitoring service?

Answer 42

Constant cybersecurity monitoring that can identify threats, maintain compliance, and respond to events. They work at a Security Operations Center (SoC).

Question 43

What is FIM (File Integrity Monitoring)?

Answer 43

You can continually monitor important OS and application files.

Windows - SFC
Linus - Tripwire
Many host-based IPS-options

Question 44

How does a network-based firewall work?

Answer 44

It allows you to:
1) Filter traffic by port number or application
2) Encrypt traffic
3) Network Address Translation (NAT)
4) Authenticate dynamic routing communication

Question 45

How does a stateless firewall work?

Answer 45

It doesn’t keep track of traffic flows; instead, it examines each packet individually regardless of previous communications (i.e. doesn’t know to expect a reply from a web server that a query was sent to).

It has to follow a rule base to determine what to allow and to not allow. Rules determine what traffic can leave and what traffic can enter.

Question 46

How does a stateful firewall work?

Answer 46

It remembers the “state” of the session. Everything within a valid flow is allowed.

The only rule is on what traffic can leave. It cross-references the rule table (ACL) with the session table (what sessions are active).

Question 47

What is a UTM (Unified Threat Management)/ web security gateway?

Answer 47

Multiple security features or services combined into a single device within your network. It can provide:
1) URL filter / Content inspection
2) Malware inspection
3) Spam filter
4) CSU/DSU
5) Router, Switch
6) Firewall
7) IDS/IPS
8) Bandwidth shaper
9) VPN endpoint

Question 48

What is a Next-generation firewall (NGFW)?

Answer 48

A firewall that works on the Application layer, so it examines all the data in every packet. Every packet must be analyzed and categorized before a security decision is determined.

It can include:
1) Network-based Firewalls
2) Intrusion Prevention Systems
3) Content filtering

AKA
1) Application layer gateway
2) Stateful multilayer inspection
3) Deep packet inspection

Question 49

What is a Web application firewall (WAF)?

Answer 49

A firewall that is on a web server. It applies rules to HTTP/HTTPS conversations. It can allow or deny based on expected (tries to block unexpected) input.

Can help to prevent SQL injections.

A major focus of the Payment Card Industry and Data Security Standard (PCI DSS).

Question 50

What are ACLs ( Access Control Lists)?

Answer 50

A set of rules on a firewall to allow or disallow traffic based on tuples, or values that identify a specific connection or network session (Source IP, Destination IP, port number, time of day, application, etc.).

This traffic can be ingress or egress.

Question 51

In terms of functionality, what is the difference between an open-source firewall and a proprietary firewall?

Answer 51

Open-source firewalls provide traditional firewall functionality. Whereas, proprietary firewalls include application control and high-speed hardware.

Question 51

How does a firewall determine what rules have priority?

Answer 51

They take a top-to-bottom approach, in which specific rules are usually at the top. Top rules go before bottom.

Most have an implicit deny at the bottom of the list of rules. This denies traffic if there are no rules found for it.

Question 52

Which is more secure: Hardware firewall or software firewall?

Answer 52

Typically hardware.

Question 53

How can you make sure that devices that connect to your network are safe?

Answer 53

Posture Assessment
- Trusted device?
- Anti-virus? Updated?
- Corporate software?

Question 54

What is the difference between a persistent agent, agentless NAC, and a dissolvable agent in health checks/posture assessments?

Answer 54

Persistent: permanent

Dissolvable: no installation and terminates after it is
no longer needed

Agentless NAC: Integrated with AD
Checks are made during login and logoff

Question 55

What is a proxy server?

Answer 55

A server that sits between the users and the external network. It receives the user requests and sends the request on their behalf.

It is useful for caching information, access control, URL filtering, and content scanning.

If an application needs to know how to use the proxy, it is explicit. Some are invisible, or transparent.

Question 56

What is an application proxy?

Answer 56

A proxy that is used for applications. It can know one or more applications.

Can do NAT, FTP, HTTP, HTTPS, etc.

Question 57

What is a forward proxy?

Answer 57

AKA internal proxy

It is commonly used to protect and control user access to the internet.

Question 58

What is a reverse proxy?

Answer 58

It controls inbound traffic from the internet to your internal service.

Question 59

What is an open proxy?

Answer 59

A third-party, uncontrolled proxy. It can be a significant security concern. It is often used to circumvent existing security controls.

Question 60

What is the difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?

Answer 60

An IDS only alerts when there is a threat.

An IPS stops a threat before it gets into the network.

Question 61

What is Passive Monitoring in terms of IPS/IDS?

Answer 61

When an IPS/IDS examines a copy of the traffic. There is no way for it to block traffic when it is in passive monitoring mode.

Question 62

What is an out-of-band response in terms of IPS/IDS?

Answer 62

When an IPS/IDS identifies malicious traffic and sends TCP RST (reset) frames. This is an after-the-fact response.

Question 63

What is inline monitoring in terms of IPS/IDS?

Answer 63

When an IPS is between the switch and the internet. All traffic has to pass through the IDS/IPS.

Question 64

What is an in-band response in terms of IPS/IDS?

Answer 64

When an IPS/IDS is inline, it can drop malicious packets before they can proceed on the network.

Question 65

What ways can an IPS identify malicious software?

Answer 65

1) Signature-based
- Look for a perfect match
2) Anomaly-based
- Build a baseline of what’s “normal”
3) Behavior-based
- Observe and report
4) Heuristics
- Use AI to identify

Question 66

What is a jump server?

Answer 66

Allows internal devices to be access via a private device. SSH/ Tunnel/ VPN is ran to the jump server then jump over to whatever resource you need to access (RDP, SSH, etc.). It is usually highly secured.

A jump server breach can cause a significant breach.

Question 67

What is a Hardware Security Module (HSM)?

Answer 67

High-end cryptographic hardware. It can store keys or offload the CPU overhead from other devices that encryption causes (Cryptographic accelerators).

Question 68

What can you use sensors and collectors for?

Answer 68

Gather information from networking devices.

Sensors
IPS, Firewall, authentication logs, web server access logs, database transaction logs, email logs

Collectors
SIEM consoles, proprietary consoles (IPS, firewall)