Lesson 9 Implement Secure Network Designs Flashcards

(40 cards)

1
Q

Switches

A

Forward frames between nodes in a cabled network

  • works at the Data Link layer (2) of the OSI model
  • makes forwarding decisions based on the hardware MAC address of attached nodes
  • can segment the network physically at the cabling level or logically by establishing virtual LANs (VLANs)
  • the data unit it moves is the frame
2
Q

WAP

A

Wireless Access Point

  • provides a bridge between a cabled network and wireless clients or stations
  • works at the OSI Data Link layer (2)
  • works with frame data
3
Q

Routers

A

Forward packets across an internetwork based on IP addresses

  • works at the OSI Network layer (3)
  • can apply logical IP subnet addresses to segments within a network
  • the data unit it moves is the packet, not the frame (each hop strips the incoming layer 2 frame and builds a new one for the next link)
4
Q

Firewalls

A

Apply Access Control Lists (ACLs) to filter traffic passing into or out of a network segment
- a basic packet-filtering firewall works at the OSI Network layer (3); when it also filters on port numbers and connection state it extends to the Transport layer (4)
- rules are evaluated top-down, first match wins, and anything not explicitly permitted is dropped by the implicit deny at the end of the list
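The following is an added worked example, not part of the original flashcards: a minimal first-match ACL evaluator in Python. The rule set, the anti-spoofing rule, the DMZ web server address and the client addresses are all constructed for the example (they use the RFC 5737 documentation ranges). It also shows why rule order is security-relevant: moving the anti-spoofing deny below the permit rules lets a spoofed packet through.

```python
"""Added example: first-match ACL evaluation with an implicit deny (not from the original flashcards)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # CIDR, or "any" (== 0.0.0.0/0)
    dst: str
    dport: Optional[int] = None  # None == any destination port

    @staticmethod
    def _cidr(s: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (ipaddress.ip_address(p.src) in self._cidr(self.src)
                and ipaddress.ip_address(p.dst) in self._cidr(self.dst))


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, int]:
    """Top-down, first match wins. Returns (action, index of matching rule);
    index -1 means no rule matched and the implicit deny fired."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


def ordering_matters(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """Evaluate p against the ACL as written and against the same rules with the
    first rule moved to the end. Shows the effect of misordering an anti-spoofing deny."""
    reordered = acl[1:] + acl[:1]
    return evaluate(acl, p)[0], evaluate(reordered, p)[0]


# Constructed ACL applied inbound on the outside interface, protecting a DMZ
# web server at 203.0.113.10. Internal space is 10.0.0.0/8.
ACL = [
    Rule("deny", "any", "10.0.0.0/8", "any"),                # anti-spoofing: internal source seen on outside
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),    # HTTPS to the web server
    Rule("permit", "tcp", "any", "203.0.113.10/32", 80),     # HTTP to the web server
    Rule("permit", "icmp", "any", "203.0.113.0/24"),         # ping into the DMZ
    # implicit deny: everything else is dropped
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 443)):
        print(pkt, "->", evaluate(ACL, pkt))
    print("anti-spoof rule first vs last:",
          ordering_matters(ACL, Packet("10.1.2.3", "203.0.113.10", "tcp", 443)))
```

The spoofed packet (internal source address arriving from the outside) is denied only because the deny sits above the HTTPS permit; with the rules reordered it is permitted, which is the classic ACL mistake a reviewer looks for.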

5
Q

Load Balancers

A

Network appliance that distributes traffic between network segments or servers to optimize performance
- works at the OSI Transport layer (4) or higher

6
Q

DNS

A

Domain Name System

  • a system that resolves fully qualified domain names (FQDNs) to IP addresses (and, via reverse lookup, IP addresses to names)
  • works at the OSI Application layer (7)
  • abuse of name resolution is a common attack vector
7
Q

OSI Model - Layer 1

A
Layer 1: Physical 
PDU: bits
HW: Hubs, network taps, repeaters
Addressing: none
Protocols (media and multiplexing): UTP, STP, coax, fiber; TDM, FDM
Control: node
8
Q

OSI Model Layer 2

A

Layer: Data Link - connects nodes inside a LAN together (node to node)
PDU: Frame
HW: Switch, Bridge, WAP
Addressing: MAC address (physical address), VLAN ID
Protocols: Ethernet, PPP, LLC
Control: MAC filtering

Address Resolution Protocol (ARP) sits between the Data Link (2) and Network (3) layers, mapping IP addresses to MAC addresses

9
Q

OSI Model Layer 3

A

Layer: Network - Connects LANs together - LAN to LAN
PDU: Packet
HW: Router, Layer 3 Switches
Addressing: IP Addresses (Logical Addresses)
Protocols: IP, ICMP, IPSec, IGMP
Control: Packet Filtering Firewall

10
Q

OSI Model Layer 4

A
Layer: Transport - End to end connections
PDU: Segment
HW: Load Balancer, Firewall
Addressing: Logical Port Numbers
Protocols: TCP, UDP, optionally SSL/TLS
Control: Packet Filtering Firewall
11
Q

OSI Model Layer 5

A

Layer: Session - inter-host communication
- synchronizes the upper layers with the lower layers
- allows session establishment between processes
PDU:
HW:
Addressing:
Protocols:

12
Q

OSI Model Layer 6

A

Layer: Presentation - syntax layer
- formats the data as needed (character encoding, compression, encryption/decryption)

PDU: Data
HW:
Addressing:
Protocols:
Control: NGFW or App layer Firewall
13
Q

OSI Model Layer 7

A
Layer: Application - end-user layer (the protocols applications use directly)
PDU: Data
HW:
Addressing:
Protocols: HTTP(TCP 80), HTTPS(TCP 443), SMTP(TCP 25), FTP (20, 21)
Control: NGFW or App Layer Firewall
14
Q

ARP

A

Address Resolution Protocol

  • maps an IP address to a MAC address (a host broadcasts "who has this IP?" and the owner replies with its MAC)
  • sits between the Data Link (2) and Network (3) layers
15
Q

Firewall

A
  • a basic packet-filtering firewall sits at the Network layer (3) and, when it filters on port numbers, the Transport layer (4)
16
Q

DNS

A

Domain Name System

- runs over UDP/TCP port 53, so it sits above the Transport layer (4) among the upper layers (5-7); it is usually placed at the Application layer (7)

17
Q

IP Addresses come from ?

A

Locally:
DHCP - Dynamic Host Configuration Protocol
- service that assigns IP addresses (and related settings such as subnet mask, gateway and DNS server) to clients when they connect to the network

Public:
- assigned by the Internet Service Provider (ISP) when the service is provisioned

18
Q

Private IP ranges

A
  1. 10.x.x.x (10.0.0.0/8)
  2. 172.16-31.x.x (172.16.0.0/12)
  3. 192.168.x.x (192.168.0.0/16)
19
Q

IPv4 vs IPv6

A

IPv4

  • 32-bit address
  • 172.16.1.101/16: the /16 means the first 16 bits (172.16) are the network ID (network 172.16.0.0), while the remaining 16 bits identify the host on that network
  • the /16 prefix can also be written as the subnet mask 255.255.0.0

IPv6

  • 128-bit address
  • written as eight 16-bit groups in hexadecimal; leading zeros in a group are dropped and one run of all-zero groups can be collapsed to ::
  • example: 2001:db8::abc:0:def0:1234
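The following is an added worked example, not part of the original flashcards, covering the two preceding cards (private ranges and CIDR notation). It uses Python's standard `ipaddress` module to split an interface address into network ID, host part and dotted-decimal mask, to test whether an address falls in an RFC 1918 range, and to expand a compressed IPv6 address. The addresses in the calls are the ones from the cards plus constructed neighbours.

```python
"""Added example: CIDR prefixes, subnet masks and RFC 1918 private ranges
(not part of the original flashcards)."""
import ipaddress
from typing import Dict, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The three RFC 1918 private blocks from the "Private IP ranges" card.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def split_interface(cidr: str) -> Dict[str, object]:
    """Split an interface address such as 172.16.1.101/16 into host, network ID,
    prefix length and dotted-decimal mask. Usable hosts excludes the network and
    broadcast addresses for IPv4 prefixes shorter than /31."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    usable = net.num_addresses
    if net.version == 4 and net.prefixlen < 31:
        usable -= 2
    return {
        "host_address": str(iface.ip),
        "network_id": str(net.network_address),
        "prefix_length": net.prefixlen,
        "netmask": str(net.netmask),
        "usable_hosts": usable,
    }


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 blocks (IPv6 addresses never match)."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in PRIVATE_NETWORKS)


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Do two hosts share a network ID under the given prefix length?
    This is the test a host performs to decide between direct delivery (ARP for the
    peer) and sending to its default gateway."""
    na = ipaddress.ip_interface(f"{a}/{prefix}").network
    nb = ipaddress.ip_interface(f"{b}/{prefix}").network
    return na == nb


def expand_ipv6(addr: str) -> str:
    """Undo :: compression and restore leading zeros in every 16-bit group."""
    return ipaddress.ip_address(addr).exploded


if __name__ == "__main__":
    print(split_interface("172.16.1.101/16"))
    for probe in ("172.31.255.1", "172.32.0.1", "192.168.10.5", "8.8.8.8"):
        print(probe, "private" if is_private(probe) else "public")
    print(same_subnet("172.16.1.101", "172.16.200.7", 16),
          same_subnet("172.16.1.101", "172.16.200.7", 24))
    print(expand_ipv6("2001:db8::abc:0:def0:1234"))
```

Note the boundary in the 172 block: /12 covers 172.16.0.0 through 172.31.255.255, so 172.32.0.1 is public even though it "looks" private to many people.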
20
Q

Network Segmentation

A

Network Segment

  • all hosts attached to the segment can use layer 2 (MAC addressing) to communicate freely with one another
  • they are said to be in the same broadcast domain

Segregation

  • hosts in one segment are restricted in the way they can communicate with hosts in another segment
  • restrictions can be by the ports (services) they are allowed to access or communicate across
  • two switches can be connected via a layer 3 router that enforces network policy with Access Control Lists (ACLs)
  • more commonly, though, segmentation is enforced with virtual LANs (VLANs)
21
Q

VLAN

A

Virtual Local Area Network

  • enforces segmentation at layer 2
  • any port on any switch can be assigned to any VLAN in the same topology
22
Q

DMZ

A

Demilitarized Zones

  • a perimeter or edge network made up of internet-facing hosts
  • basic principle: traffic cannot pass directly through the DMZ from the internet to the internal network
  • hosts in the DMZ act as proxies between the outward-facing (internet) side and the internal hosts of the network
  • hosts in the DMZ are bastion hosts and run minimal services to reduce the attack surface
23
Q

Screened Subnet

A
  • a DMZ design that uses two firewalls to further restrict access into and out of the DMZ
  • the two firewalls sit on either side of the DMZ
  • the edge firewall is called the screening router/firewall
  • the internal firewall is called the choke router/firewall
  • provides better access control and easier monitoring
24
Q

PNAC

A

Port-based Network Access Control

  • part of the 802.1X standard
  • the switch uses an AAA server to authenticate the attached device before activating the port

Network Access Control

  • extends the scope of authentication
  • allows for policies or profiles describing the minimum security configuration a device must meet to be granted access to the network
  • these are called health policies
25
Network loop prevention
Spanning Tree Protocol (STP) - switches place redundant ports into a blocking state so that frames cannot loop

  • Broadcast storm - broadcast and flooded unicast frames are amplified as they loop around the network
  • Storm control - rate-limits broadcast traffic on a port; a backstop if STP has failed
  • Bridge Protocol Data Unit (BPDU) guard - configures the switch to defeat attempts by an attacker to engineer a loop
  • PortFast is configured on access ports (they come up without waiting for STP convergence); BPDU guard disables the port if STP traffic (a BPDU) is received on it
26
WAP
Wireless Access Point
  • forwards traffic from wireless stations onto the wired switched network
  • identified by its MAC address, often referred to as the Basic Service Set Identifier (BSSID)
27
BSSID
Basic Service Set Identifier
  • each WAP is identified by its MAC address
  • machine-readable identifier, as opposed to the human-readable SSID
28
SSID
Service Set Identifier
  • identifies each wireless network by its name
  • human-readable
29
Wi-Fi Authentication types
  • Personal
  • Open
  • Enterprise
30
Personal Wi-Fi authentication types
  • Pre-Shared Key (PSK)
  • Simultaneous Authentication of Equals (SAE)
31
Benefit of WPA3 over WPA2
  • Wired Equivalent Privacy (WEP) is broken (too many vulnerabilities)
  • WPA2 is flawed but acceptable
  • Wi-Fi Protected Access 3 (WPA3) fixes those weaknesses
  • WPA3 is much improved but not yet widely deployed
  • WPA3 uses SAE for authentication
32
WPA3 and SAE
Simultaneous Authentication of Equals (SAE)
  • replacement for WPA2's PSK authentication
  • uses a Diffie-Hellman key agreement to derive much stronger session keys
  • the Diffie-Hellman based handshake is called Dragonfly
33
SAE
Simultaneous Authentication of Equals
  • uses the Dragonfly handshake to thwart offline brute-force or dictionary attacks
  • Diffie-Hellman key agreement over elliptic curves, combined with a hash of the password and the MAC addresses, authenticates the nodes
  • also uses ephemeral session keys to provide forward secrecy
  • WPA3 uses SAE to provide authentication
34
PSK
Pre-Shared Key
  • uses a passphrase to generate the key
  • referred to as group authentication, meaning the group of users all share the same secret
  • WPA2-PSK mode of the WAP
  • attackers exploit the passphrase using dictionary or brute-force attacks
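The following is an added worked example, not part of the original flashcards: how WPA2-Personal turns the passphrase into the 256-bit Pairwise Master Key (PMK), and why a weak passphrase falls to an offline dictionary attack. The PBKDF2 parameters (HMAC-SHA1, the SSID as salt, 4096 iterations, 32-byte output) are the ones IEEE 802.11 specifies for the PSK. In a real attack the guess is verified against the MIC in a captured 4-way handshake; here the PMK is compared directly as a stand-in for that check. The SSID, passphrases and wordlist are constructed.

```python
"""Added example (not from the original flashcards): WPA2-PSK key derivation and
an offline dictionary attack against it."""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits),
    as specified for WPA/WPA2-Personal. Everyone who knows the passphrase derives
    the same PMK, which is what "group authentication" means."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack: once a 4-way handshake is captured the attacker needs no further
    contact with the network, only CPU time per guess. Returns the recovered passphrase
    or None. (Real tools verify each guess against the handshake MIC; comparing the
    PMK directly is the stand-in used in this example.)"""
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue  # not a valid WPA passphrase, skip without deriving
        if hmac.compare_digest(derive_pmk(guess, ssid), target_pmk):
            return guess
    return None


# Constructed scenario: one SSID, a small wordlist, one weak and one strong passphrase.
SSID = "CoffeeShop"
CONSTRUCTED_WORDLIST = ["letmein", "password", "coffeeshop", "CoffeeShop2019", "Summer2020!"]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run the attack against a PMK from a passphrase in the wordlist and one that is not."""
    weak_pmk = derive_pmk("Summer2020!", SSID)
    strong_pmk = derive_pmk("topaz-walrus-ferry-9", SSID)
    return (dictionary_attack(weak_pmk, SSID, CONSTRUCTED_WORDLIST),
            dictionary_attack(strong_pmk, SSID, CONSTRUCTED_WORDLIST))


if __name__ == "__main__":
    print("PMK:", derive_pmk("Summer2020!", SSID).hex())
    print("recovered:", demo())
```

Because the SSID is the salt, attackers precompute tables for common SSIDs; a unique SSID defeats precomputation but not a targeted run, which is why SAE (next card) removes the offline check entirely rather than just slowing it down.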
35
WPS
Wi-Fi Protected Setup
  • meant to simplify joining clients to a WAP (PIN or push-button)
  • leads to weaker security: the PIN method is vulnerable to brute-force attacks
36
Open Wi-Fi authentication
Open means the client is not required to authenticate, as in a cafe or other public WAP
  • often uses captive portals or splash screens: authentication to the network via a browser over HTTPS
  • users must ensure they are using SSL/TLS or a VPN to protect confidential data on an open-authentication WAP, since the wireless link itself is unencrypted
  • WPA3 can implement Opportunistic Wireless Encryption (OWE), which uses a Diffie-Hellman exchange to agree ephemeral session keys so that open networks are still encrypted
37
Enterprise Wi-Fi Authentication - EAPoW
Extensible Authentication Protocol over Wireless (EAPoW)
  • defined by 802.1X: the access point forwards the supplicant's authentication traffic but allows no other network access until authentication succeeds
  • uses an AAA server (RADIUS or TACACS+) on the wired network to authenticate the supplicant
  • the EAP exchange produces a master key (MK) from which the supplicant and the authentication server derive the same pairwise master key (PMK)
  • the PMK is used by the supplicant and the WAP to derive the session keys
38
DDos
Distributed Denial of Service
  • usually performed by a botnet
  • commonly uses a SYN flood: the attacker sends many SYNs and withholds the final ACK of the TCP three-way handshake, so the target fills its connection table with half-open connections and cannot service genuine traffic
  • blackhole routing: drop the attack traffic by routing it to a null destination that cannot reach any other part of the network
  • sinkhole routing: route the affected traffic to a different part of the network where it can be analyzed
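The following is an added worked example, not part of the original flashcards: detection logic for the SYN flood described above, run over a constructed snippet of `ss -tan`-style socket output from the targeted server. Half-open connections show up as SYN-RECV; counting them, and counting how many distinct sources contribute, separates a distributed flood from a single noisy host. The addresses, threshold and sample lines are constructed for the example.

```python
"""Added example (not from the original flashcards): spotting a SYN flood from
socket state on the target. SAMPLE_SS_OUTPUT is constructed to look like
`ss -tan`; real output has the same columns and many more rows."""
from collections import Counter
from typing import Dict, Iterator, Tuple

SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      128    0.0.0.0:443         0.0.0.0:*
ESTAB    0      0      203.0.113.10:443    198.51.100.7:51322
ESTAB    0      0      203.0.113.10:443    198.51.100.9:40877
SYN-RECV 0      0      203.0.113.10:443    192.0.2.11:40001
SYN-RECV 0      0      203.0.113.10:443    192.0.2.12:40002
SYN-RECV 0      0      203.0.113.10:443    192.0.2.13:40003
SYN-RECV 0      0      203.0.113.10:443    192.0.2.14:40004
SYN-RECV 0      0      203.0.113.10:443    192.0.2.11:40005
SYN-RECV 0      0      203.0.113.10:443    192.0.2.15:40006
"""


def parse_ss(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (state, local, peer) for each socket line, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        yield fields[0], fields[3], fields[4]


def peer_ip(endpoint: str) -> str:
    """Strip the port from 'ip:port' (also works for bracketed IPv6 '[::1]:443')."""
    return endpoint.rsplit(":", 1)[0]


def half_open_report(text: str, threshold: int) -> Dict[str, object]:
    """Count half-open (SYN-RECV) sockets per peer and flag a flood.
    A SYN flood leaves the server with many SYN-RECV entries because the final
    ACK of the handshake never arrives; legitimate load shows up as ESTAB."""
    per_source: Counter = Counter()
    established = 0
    for state, _local, peer in parse_ss(text):
        if state == "SYN-RECV":
            per_source[peer_ip(peer)] += 1
        elif state == "ESTAB":
            established += 1
    half_open = sum(per_source.values())
    sources = len(per_source)
    return {
        "half_open": half_open,
        "established": established,
        "distinct_sources": sources,
        "top_sources": per_source.most_common(3),
        "flagged": half_open >= threshold,
        # Many sources each holding only a few half-open sockets is the distributed
        # (botnet) pattern; one source holding hundreds is a single-host flood.
        "distributed": sources > 1 and half_open / sources < 5,
    }


if __name__ == "__main__":
    print(half_open_report(SAMPLE_SS_OUTPUT, threshold=5))
```

In production the threshold would be set from a baseline of normal SYN-RECV counts, and the per-source list feeds the blackhole or sinkhole route rather than a print statement.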
39
Load Balancing
Distributes client requests across available server nodes in a farm or pool; allows for scaling
  • works at layer 4 (basic load balancer) or layer 7 (adds content switching)
  • scheduling algorithms: round robin, fewest connections, best response time, weighted
  • source IP (session) affinity: the client's session is stuck to the first node that accepted the request
  • session persistence: a layer 7 function that uses cookies to maintain the session; better than source IP affinity, since clients behind one NAT address are not all pinned to the same node
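The following is an added worked example, not part of the original flashcards, covering this card and the clustering card that follows it: a small Python scheduler implementing round robin, fewest connections, best response time and source-IP affinity, and showing what happens to a sticky client when its node fails (the failover from the next card). Node names, response times and client addresses are constructed.

```python
"""Added example (not from the original flashcards): load-balancer scheduling,
source-IP affinity and failover to a healthy node."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    active: int = 0          # currently open connections
    rtt_ms: float = 10.0     # last measured response time
    up: bool = True          # health-check result


class LoadBalancer:
    def __init__(self, nodes: List[Node], algorithm: str = "round_robin"):
        self.nodes = nodes
        self.algorithm = algorithm
        self._rr = 0                          # round-robin cursor
        self._sticky: Dict[str, str] = {}     # client IP -> node name (source-IP affinity)

    def _pool(self) -> List[Node]:
        """Only nodes that passed their health check are eligible."""
        return [n for n in self.nodes if n.up]

    def _schedule(self) -> Node:
        pool = self._pool()
        if not pool:
            raise RuntimeError("no healthy nodes in the pool")
        if self.algorithm == "round_robin":
            node = pool[self._rr % len(pool)]
            self._rr += 1
        elif self.algorithm == "fewest_connections":
            node = min(pool, key=lambda n: n.active)
        elif self.algorithm == "best_response_time":
            node = min(pool, key=lambda n: n.rtt_ms)
        else:
            raise ValueError(f"unknown algorithm {self.algorithm}")
        return node

    def pick(self, client_ip: Optional[str] = None, affinity: bool = False) -> Node:
        """Choose a node for a new connection. With affinity, a client returns to the
        node that first served it unless that node is down, in which case the sticky
        entry is dropped and the client is rescheduled (failover)."""
        if affinity and client_ip in self._sticky:
            name = self._sticky[client_ip]
            node = next((n for n in self.nodes if n.name == name and n.up), None)
            if node is not None:
                node.active += 1
                return node
            del self._sticky[client_ip]
        node = self._schedule()
        node.active += 1
        if affinity and client_ip:
            self._sticky[client_ip] = node.name
        return node

    def release(self, node: Node) -> None:
        node.active -= 1


if __name__ == "__main__":
    lb = LoadBalancer([Node("A"), Node("B"), Node("C")])
    print("round robin:", [lb.pick().name for _ in range(4)])
    lb2 = LoadBalancer([Node("A", active=5), Node("B", active=1), Node("C", active=3)],
                       "fewest_connections")
    print("fewest connections:", lb2.pick().name)
    lb3 = LoadBalancer([Node("A"), Node("B"), Node("C")])
    first = lb3.pick("198.51.100.7", affinity=True)
    lb3.nodes[0].up = False                         # node A fails its health check
    print("sticky client moved from", first.name, "to",
          lb3.pick("198.51.100.7", affinity=True).name)
```

Note that affinity state lives in the balancer, so in an Active/Active cluster the sticky table (or the cookie used for layer 7 persistence) must be shared between balancer nodes, or a failover of the balancer itself breaks every session.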
40
Clustering
Provides redundancy for load balancing
  • multiple redundant processing nodes share state with one another so that any of them can accept connections
  • if one node fails, connections fail over to a working node
  • Active/Passive: one node processes connections while the other stands by
  • Active/Active: both nodes process connections concurrently