By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, implement secure network designs. Topics: - load balancing - network segmentation - screened subnet (previously known as demilitarized zone) - east–west traffic - Zero Trust - virtual private network (VPN) - network access control (NAC) - port security - jump server - proxy server - network-based intrusion detection system (NIDS) - network-based intrusion prevention system (NIPS) - web application firewall (WAF) - next-generation firewalls (NGFW) - unified threat management (UTM) - network address translation (NAT) gateway - access control list (ACL) - IPv6 Network Devices and Segmentation Secure network design depends on understanding the concepts of basic perimeter and internal network devices and devices that provide a myriad of additional services, such as acting as load balancers and as proxies that improve network functionality. Many of these devices were developed for faster connectivity and to eliminate traffic bottlenecks; others were developed for convenience. With all devices that touch a network, proper placement and security features are important implementation considerations. Routers Routers operate at the network layer of the OSI model. They receive information from a host and forward that information to its destination on the network or the Internet. Routers maintain tables that are checked each time a packet needs to be redirected from one interface to another. The tables inside the router help speed up request resolution so that packets can reach their destination more quickly. The routes can be added to the routing table manually or can be updated automatically using the following protocols: - Routing Information Protocol (RIP/RIPv2) - Interior Gateway Routing Protocol (IGRP) - Enhanced Interior Gateway Routing Protocol (EIGRP) - Open Shortest Path First (OSPF) - Border Gateway Protocol (BGP) - Exterior Gateway Protocol (EGP) - Intermediate System-to-Intermediate System (IS-IS) Although router placement is primarily determined based on the need to segment different networks or subnets, routers also have some good security features. One of the best features of a router is its capability to filter packets by source address, destination address, protocol, or port. Access control lists (ACLs) are used to do this filtering. In the broadest sense, an ACL is a rule that controls traffic to and from network resources. Basic Internet routing is based on the destination IP address, and a router with a default configuration forwards packets based only on the destination IP address. In IP spoofing, an attacker gains unauthorized access to a network by making it appear (by faking the IP address) as if traffic has come from a trusted source. Routers can be configured to help prevent IP spoofing. Anti-spoofing techniques can include creating a set of access lists that deny access to private IP addresses and local host ranges from the Internet and also using strong protocol authentication. Because routers are a crucial part of a network, it is important to properly secure them. The security that is configured when setting up and managing routers can be the difference between keeping data secure and providing an open invitation to an attacker. The following are general recommendations for router security: - Create and maintain a written router security policy. The policy should identify who is allowed to log in to the router and who is allowed to configure and update it. The policy also should outline logging and management practices. - Create and organize offline master editions of your router configuration files. Keep the offline copies of all router configurations in sync with the configurations that are actually running on the routers. - Implement access lists that allow only the protocols, ports, and IP addresses that network users and services require. Deny everything else. - Test the security of your routers regularly, especially after any major configuration changes. Keep in mind that, no matter how secure your routing protocol, if you never change the default password on the router, you leave yourself wide open to attacks. At the opposite end of the spectrum, a router that is too tightly locked down can turn a functional network into a completely isolated network that does not allow access to anyone. Network Address Translation (NAT) A network address translation (NAT) gateway acts as a liaison between an internal network and the Internet. It allows multiple computers to connect to the Internet using one IP address. An important security aspect of NAT is that it hides the internal network from the outside world because the internal network uses a private IP address. Smaller companies can use Windows Internet Connection Sharing (ICS) to achieve NAT. With ICS, all machines share one Internet connection, such as a broadband modem. NAT can also be used for address translation among multiple protocols; it improves security and provides more interoperability in heterogeneous networks. NAT is not generally used with secure protocols such as DNSSEC or IPsec because of its lack of support for TCP segment reassembly. IPsec uses cryptography to protect communications. NAT has to replace the headers of an incoming packet with its own headers before sending the packet. This might not be possible when IPsec is in use because IPsec information is encrypted. IPv6 was developed before NAT was in general use. IPv6 is designed to replace IPv4. Addresses are 128 bits instead of the 32 bits used in IPv4. IPv6 addresses are represented in hexadecimal. Because IPv6 offers an almost infinite number of addresses, it makes NAT unnecessary. However, Network Address Translation—Protocol Translation (NAT-PT; RFC 2766) was developed as a means for hosts that run IPv6 to communicate with hosts that run IPv4. Switches Switches are the most common choice when it comes to connecting desktops to a wiring closet. Switches generally operate at the data link layer (Layer 2) of the OSI model. Their packet-forwarding decisions are based on Media Access Control (MAC) addresses. Switches allow LANs to be segmented, thus increasing the amount of bandwidth that goes to each device. Each segment is a separate collision domain, but all segments are in the same broadcast domain. Here are the basic functions of a switch: - Filtering and forwarding frames - Learning MAC addresses - Preventing loops Managed switches are configurable. You can implement sound security with switches much as you can configure security on a firewall or a router. Managed switches allow control over network traffic and who has access to the network. In general, you do not want to deploy managed switches using their default configuration because the default configuration often does not provide the most secure network design. A VLAN can be used to properly segment a network. A VLAN provides a way to limit broadcast traffic in a switched network, creating a boundary and, in essence, creating multiple, isolated LANs on one switch. A VLAN provides a logical separation of a physical network and often combines Layer 2 and Layer 3 switches. Layer 3 switches can best be described as routers with fast forwarding done through hardware. Layer 3 switches can perform some of the same functions as routers and offer more flexibility than Layer 2 switches. Port Security Port security is a Layer 2 traffic control feature on switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses to come in through the port. The primary use of port security is to keep two or three users from sharing a single access port. You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. By default, a port security violation forces the interface into the error-disabled state. Port security can be configured to enter one of three modes when a violation is detected: default shutdown mode, protect mode, or restrict mode. In protect mode, frames from MAC addresses other than the allowed addresses are dropped. Restrict mode is similar to protect mode, but it generates a syslog message and increases the violation counter. The following security mechanisms provide port security: - Bridge Protocol Data Unit (BDPU) Guard: A BDPU is used to exchange data to ensure the ideal path for the flow of data, but it can also be leveraged for an attack. BDPU Guard provides a mechanism to prevent receipt of a BDPU from a connected device such as a client and reflect the BPDU back to the switch. - Media Access Control (MAC) filtering: This is a security control that authorizes access to only known network card addresses. - Loop detection: This is a mechanism that prevents degraded network service when there are multiple paths carrying data from the same source to the same destination. Loop detection works by transmitting a special loop packet that, when detected, prompts appropriately shutdown of ports. This helps prevent loops as well as broadcast storms, where data is forwarded by the switch from every port. - Dynamic Host Configuration Protocol (DHCP) snooping: DHCP snooping prevents rogue DHCP servers from providing IP addresses to clients by validating messages from untrusted sources.
Designing a network properly from the start and implementing appropriate controls is important to ensure that the network is stable, reliable, and scalable. Physical and virtual security controls must be in place. Locate switches in a physically secure area, if possible. Be sure that strong authentication and password policies are in place to secure access to the operating system and configuration files. Various controls help maintain port security. Ensure that you are familiar with port security controls and keep in mind that even with filtering, MAC addresses can be spoofed, and multiple hosts can still easily be hidden behind a small router. Virtual Local Area Network (VLAN) A virtual local area network (VLAN) can be used to properly segment a network. The purpose of VLAN is to unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network. A VLAN provides a logical separation of a physical network. It is basically a software solution that supports the creation of unique tag identifiers that can be assigned to different ports on a switch. A VLAN provides a way to limit broadcast traffic in a switched network, creating a boundary and, in essence, creating multiple, isolated LANs on one switch. When the hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed between them; this is called inter-VLAN routing. When a Layer 2 (data link layer) switch is used, a router is required to pass the traffic from one VLAN to another. When a Layer 3 (network layer) switch is used, inter-VLAN routing is done through Layer 3 interfaces. The purpose of a VLAN is to logically group network nodes, regardless of their physical location. The most notable benefit of using a VLAN is that it can span multiple switches. Because users on the same VLAN do not have to be associated by physical location, they can be grouped logically. VLANs provide the following benefits: - Users can be grouped by logical department instead of physical location. - Moving and adding users is simplified. No matter where a user physically moves, changes are made to the software configuration in the switch. - Grouping users with VLANs makes it easier to apply security policies. Working with VLANs involves a variety of configurations and considerations. For example, when mapping VLANs onto a new hierarchical network design, it is important to check the subnetting scheme that has been applied to the network and associate a VLAN to each subnet. Allocating IP address spaces in contiguous blocks allows the switch blocks to be summarized into one large address block. In addition, different types of traffic might exist on the network, and organizations should consider this before they implement device placement and VLAN configuration. Ideally, a VLAN should be limited to one access switch or switch stack. However, it might be necessary to extend a VLAN across multiple access switches within a switch block to support a capability such as wireless mobility. In such a situation, if you are using multiple switches from various vendors, you need to consider that some switch features might be supported on only one vendor’s switches but not on other vendors’ switches. You need to consider such points as VLAN Trunking Protocol (VTP) domain management and inter-VLAN routing when you have two or more switches in a network. Keep in mind that use of a VLAN is not an absolute safeguard against security infringements. A VLAN does not provide the same level of security as a router. A VLAN is a software solution and cannot take the place of a well-subnetted or routed network. It is possible to make frames hop from one VLAN to another. This takes skill and knowledge on the part of an attacker, but it is possible. Bridges Bridges are often used when two different network types need to be accessed. Bridges provide some network layer functions, such as route discovery, as well as forwarding at the data link layer. They forward packets only between networks that are destined for the other network. Several types of bridges exist: - Transparent basic bridge: Acts similarly to a repeater. It merely stores traffic until it can move on. - Source routing bridge: Interprets the routing information field (RIF) in the LAN frame header. - Transparent learning bridge: Pinpoints the routing location by using the source and destination addresses in its routing table. As new destination addresses are found, they are added to the routing table. - Transparent spanning bridge: Contains a subnet of the full topology for creating loop-free operation. Looping problems can occur when a site uses two or more bridges in parallel between two LANs to increase the reliability of the network. A major feature in Layer 2 devices is Spanning Tree Protocol (STP), a link-management protocol that provides path redundancy and prevents undesirable loops in the network. Multiple active paths between stations cause loops in the network. When loops occur, some devices see stations appear on both sides of the device. This condition confuses the forwarding algorithm and allows duplicate frames to be forwarded. This situation can occur in bridges as well as Layer 2 switches. A bridge loop occurs when data units can travel from a first LAN segment to a second LAN segment through more than one path. To eliminate bridge loops, existing bridge devices typically employ a technique referred to as the spanning tree algorithm. The spanning tree algorithm is implemented by bridges interchanging special messages known as bridge protocol data units (BPDUs). The STP Loop Guard feature provides additional protection against STP loops. Spanning Tree Protocol is designed to detect and prevent loops. It also helps prevent loops on managed switches. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs, based on the port role. The Loop Guard feature makes additional checks. If BPDUs are not received on a non-designated port and Loop Guard is enabled, that port is moved into the STP loop-inconsistent blocking state instead of the listening/learning/forwarding state. Without the Loop Guard feature, the port assumes the designated port role. The port then moves to the STP forwarding state and creates a loop. Security Devices and Boundaries A firewall is a component placed on a computer or a network to help eliminate undesired access by the outside world. It can consist of hardware, software, or a combination of both. A firewall is the first line of defense for a network. The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving a network. How firewalls are configured is important, especially for large companies. A compromised firewall might spell disaster in the form of bad publicity or a lawsuit—not only for the company whose firewall is compromised but for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies do not have a full-time technology staff, and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. A small network firewall placement Generally, a firewall can be described as being either stateful or stateless. A stateless firewall tends to work as ACL filters. This type of firewall does not inspect traffic. It merely observes the traffic coming into and going out of the network and then allows or denies packets based on the information in the ACL. Because this type of firewall does minimal filtering, it tends to be faster than a stateful firewall and is best for heavy traffic loads. A stateless firewall tends to work as basic ACL filters. A stateful firewall is a deeper inspection firewall type that analyzes traffic patterns and data flows. A stateful firewall is a deeper inspection firewall type that analyzes traffic patterns and data flows. This allows a more dynamic access control decision because the network state is not static. Stateful firewalls are better when it comes to identifying unauthorized communication attempts because they watch the state of the connection from beginning to end, including security functions such as tunnels and encryption. Rules can be created for either inbound traffic or outbound traffic. Inbound rules explicitly allow or explicitly block inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or explicitly block network traffic originating from the computer that matches the criteria in the rule. In many firewalls, granular rules can be configured to specify the computers or users, programs, services, or ports and protocols. Rules can be configured so that they are applied when profiles are used. As soon as a network packet matches a rule, that rule is applied, and processing stops. The more restrictive rules should be listed first, and the least restrictive rules should follow; if a less restrictive rule is placed before a more restrictive rule, checking stops at the first rule. The order of firewall rules affects their application. When a less restrictive rule is placed before a more restrictive rule, checking stops at the first rule. Implicit deny is an access control practice in which resource availability is restricted to only logins that are explicitly granted access. The resources remain unavailable even when logins are not explicitly denied access. This practice is commonly used in Cisco networks, where most ACLs have implicit deny as the default setting. By default, an implicit deny all clause appears at the end of every ACL, and based on this, anything that is not explicitly permitted is denied. Essentially, an implicit deny works the same as finishing an ACL with the statement deny ip any any. This ensures that when access is not explicitly granted, it is automatically denied by default. The implicit deny is generally used by default in firewall configurations. An access list has an implicit deny at the end of the list; unless you explicitly permit it, traffic cannot pass. Designing a network properly from the start and implementing appropriate controls is important to ensure that the network is stable, reliable, and scalable. Physical and virtual security controls must be in place. Controls include segregation, segmentation, and isolation. The network should be segmented to separate information and infrastructure based on organizational security requirements. Network segregation, isolation, and segmentation are some of the most effective controls an organization can implement to mitigate the effect of network intrusion. When properly implemented, these controls can be used as preventive measures to protect sensitive information. In sensitive systems such as supervisory control and data acquisition (SCADA) networks, applying network segmentation in layers, from the data link layer through the application layer, can go a long way toward protecting vital infrastructure services. Segmentation, isolation, and segregation entail more than just segmenting networks via firewalls. They also include restricting intersystem communication to specific ports or protocols. Some key considerations for implementing good network segmentation, segregation, and isolation are knowing how users and systems interact and communicate with each other, implementing least privilege and need-to-know principles, using whitelisting instead of blacklisting, and addressing all layers of the OSI model. When your computers are on separate physical networks, you can divide your network into subnets that enable you to use one block of addresses on multiple physical networks. If an incident happens and you notice it quickly, you can usually contain the issue to the affected subnet. In addition to securing internal connectivity, you should secure connections between interconnecting networks. This might be appropriate when an organization establishes network interconnections with partners, as in an extranet or with an actual connection between the involved organizations because of a merger, an acquisition, or a joint project. Business partners can include government agencies and commercial organizations. Although this type of interconnection increases functionality and reduces costs, it can result in security risks, including compromise of all connected systems and any network connected to those systems, along with exposure of data the systems handle. With interconnected networks, the potential for damage greatly increases because a compromise of a system on one network can easily spread to other networks. Networks that partners, vendors, or departments share should have clear separation boundaries. Air gaps are physically isolated machines or networks that do not have any connection to the Internet or any machine that connects to the Internet. Even when an organization implements an air gap, there are still risks to the environment. For example, files such as patches and updates must be exchanged with the outside world, employees connect personal devices to the network, and misconfigurations can cause vulnerabilities. It is important not to neglect physical security. Place switches in a physically secure area, if possible. Make sure that network management stations are secure both physically and on the network. You might even consider using a separate management subnet and protecting it using a router with an access list. As you create a network security policy, you must define procedures to defend your network and users against harm and loss. With this objective in mind, network design and its included components play an important role in implementing security for the organization. An overall security solution includes design elements such as zones and topologies that distinguish private networks, intranets, and the Internet. This section discusses these elements and helps you tell them apart and also understand their places in the security of the network. Screened Subnet A screened subnet or demilitarized zone (DMZ) is a small network between an internal network and the Internet that provides a layer of security and privacy. Both internal and external users might have limited access to the servers in the screened subnet. Figure 19.2 depicts a screened subnet. Firewalls play a huge role in managing both east–west traffic and north–south traffic. East–west traffic refers to traffic within a data center between servers, and north–south traffic refers to data transfers between the data center and outside of the network.
Screened subnets are a great example of controlling east–west traffic. An example of a screened subnet Web servers and mail servers are often placed in the screened subnet. Because these devices are exposed to the Internet, it is important that they be hardened and kept current with patches. The screened subnet allows external users to access information that the organization deems necessary but that will not compromise any internal organizational information. This configuration permits outside access yet prevents external users from directly accessing a server that holds internal organizational data. An exposed server or a segmented network that provides public access to a critical service, such as a web server or an email server, can be configured to be isolated from an organization’s network but to report attack attempts to the network administrator. Such a network is called a screened subnet (formerly known as a demilitarized zone or DMZ). In addition to a screened subnet, many organizations have intranets and extranets. An intranet is a subnet portion or segmented zone of an internal network that uses web-based technologies. The information is stored on web servers and accessed using browsers. The web servers don’t necessarily have to be accessible to the outside world. This is possible because the IP addresses of the servers are reserved for private internal use. If the intranet can be accessed from public networks, this access should be accomplished through a virtual private network (VPN) for security reasons. An extranet is a subnet or segmented zone of the public portion of a company’s IT infrastructure that grants resource access to partners and resellers that have proper authorization and authentication. This type of arrangement is commonly used in business-to-business relationships. An extranet can open an organization to liability, so care must be taken to properly configure VPNs and firewalls to strictly enforce security policies. The idea of Zero Trust continues to gain traction. Zero Trust is an evolving framework that is primarily focused on protecting resources rather than placing trust in the entire network and what is already within that perimeter. This idea is especially meaningful when you consider the perimeter that exists today: It’s distributed, and it’s hard to draw a circle around it. Cloud resources, for example, are not located in the organization’s on-premises data center. Zero Trust principles essentially define a perimeter around only a particular resource and then dynamically secure and manage access based on the user, device, and other factors accessing the resource at a particular time. The main objectives in the placement of network firewalls are to allow only traffic that the organization deems necessary and provide notification of suspicious behavior. Most organizations deploy at least two firewalls. The first firewall is placed in front of the screened subnet to allow requests destined for servers in the screened subnet or to route requests to an authentication proxy. The second firewall is placed between the screened subnet and the internal network to allow outbound requests. All initial necessary connections are located on the screened subnet machines. For example, a RADIUS server might be running in the screened subnet for improved performance and enhanced security, even though its database resides inside the company intranet.
Most organizations have many firewalls; the level of protection is strongest when a firewall is close to the outside edge of the environment. A network with a screened subnet separated by two firewalls Watch for scenarios that ask you to select the proper firewall placement based on organizational need. When deploying multiple firewalls, you might experience network latency. If you do, check the placement of the firewalls and possibly reconsider the topology to ensure that you get the most out of the firewalls. Another factor to think about is the use of a storage-area network (SAN) or network-attached storage (NAS) behind a firewall. Most storage environments span multiple networks, creating a virtual bridge that can counteract a firewall, providing a channel into the storage environment if a system is compromised in the screened subnet. For better security, segment a wireless network by placing a firewall between the WLAN and the rest of the network. Because IPsec is a solution to securely authenticate and encrypt network IP packets, you can use IPsec to provide strong security between a Remote Authentication Dial-In User Service (RADIUS) server and a domain controller or to secure traffic to a partner organization’s RADIUS servers. RADIUS provides authentication and access control within an enterprise network. Many VPN solutions use IPsec, which is an excellent solution in many circumstances. However, IPsec should not be a direct alternative for WLAN protection implemented at the network hardware layer. An important security concept common in managing screened subnets is a jump server or jump box. A jump server is a system used to access systems in different security zones, such as a screened subnet. It is an especially hardened system just for this purpose that provides a method to access resources in the screened subnet from the protected network via other trusted systems. Web Application Firewalls Web application firewalls (WAFs) can examine HTTP application traffic and identify threats through deep packet inspection techniques. Often we do not think in terms of application-level security when discussing devices such as firewalls, IPSs, IDSs, and proxies. However, most next-generation devices are capable of being application aware. To meet the changing ways organizations do business, next-generation firewalls (NGFWs) have been developed. NGFWs are considered application-aware. This means they go beyond the traditional port and IP address examination of stateless firewalls to inspect traffic at a deeper level. Application layer firewalls integrate the functions of other network devices, such as proxies, IDSs, and IPSs. Many application layer firewalls use an IPS engine to provide application support. As a result, various blended techniques are used to identify applications and formulate policies based on business rules. Application layer firewalls are preferred to network layer firewalls because they have the capability to do deep packet inspection and function at Layer 7 of the OSI model. Network layer firewalls mainly function at Layer 3 of the OSI model and, as such, are basically limited to packet forwarding. Proxies A proxy server operates on the same principle as a proxy-level firewall: It is a go-between for the network and the Internet. Proxy servers are used for security, logging, and caching. Various types of proxy servers exist, including forward, reverse, and transparent proxy servers, as well as caching, multipurpose, and application proxy servers. When a caching proxy server receives a request for an Internet service (usually on port 80 or 443), it passes the request through filtering requirements and checks its local cache for previously downloaded web pages. The web pages are stored locally, so response times for web pages are faster, and traffic to the Internet is substantially reduced. The web cache can also be used to block content from websites that you do not want employees to access, such as pornography, social media, or peer-to-peer networks. You can use this type of server to rearrange web content to work for mobile devices. This strategy also provides better utilization of bandwidth because it stores all your results from requests for a period of time. A caching server that does not require a client-side configuration is called a transparent proxy server. In this type of server, the client is unaware of a proxy server. Transparent proxies are also called inline, intercepting, or forced proxies. The proxy redirects client requests without modifying them. Transparent proxy servers are implemented primarily to reduce bandwidth usage and client configuration overhead in large networks. Transparent proxy servers are found in large enterprise organizations and ISPs. Because transparent proxies have no client overhead and can filter content, they are ideal for use in schools and libraries. Most proxy servers today are web application proxies that support protocols such as HTTP and HTTPS. When clients and the server cannot directly connect because of some type of incompatibility issue, such as security authentication, an application proxy server is used. Application proxies must support the application for which they are performing the proxy function and do not typically encrypt data. On the other hand, multipurpose proxy servers, also known as universal application-level gateways, are capable of running various operating systems (such as Linux, Windows, and macOS) and allowing multiple protocols to pass through (such as HTTP, FTP, NNTP, SMTP, IMAP, LDAP, and DNS). They also can convert between IPv4 and IPv6 addresses. These proxies can be used for caching, converting pass-through traffic, and handling access control. They are not restricted to a certain application or protocol. Depending on the network size and content requirements, either a forward or reverse proxy is used. Forward and reverse proxies add a layer of security to the network by controlling traffic to and from the Internet. Both types of proxy servers are used as intermediaries for requests between source and destination hosts. A forward proxy controls traffic originating from clients on the internal network that is destined for hosts on the Internet. Because client requests are required to pass through the proxy before they are permitted to access Internet resources, forward proxy servers are primarily used to enforce security on internal client computers and are often used in conjunction with a firewall. Forward proxies can also be implemented for anonymity because they do not allow direct client access to the Internet. Reverse proxy servers do just the opposite: A reverse proxy server operates on the server side to cache static HTTP content when the server accepts requests from external Internet clients. The primary purpose of a reverse proxy server is to increase the efficiency and scalability of the web server by providing load-balancing services. Full reverse proxies are capable of deep content inspection and often are implemented in order to enforce web application security and mitigate data leaks. Know the differences between forward and reverse proxy servers. Proxy servers are used for a variety of reasons, and their placement depends on usage. You can place proxy servers between the private network and the Internet for Internet connectivity or internally for web content caching. If an organization is using a proxy server for both Internet connectivity and web content caching, you should place the proxy server between the internal network and the Internet, with access for users who are requesting the web content. In some proxy server designs, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding all HTTP and FTP traffic through the proxy server and all other IP traffic through the router. Proxies today play a huge role in filtering inappropriate or malicious content. Content filtering proxies control Internet content that is available for use in the organizational environment. Internet content filters compare a collection of terms, words, and phrases to content from browsers and applications. This type of software can filter content from various Internet activities and applications, such as instant messaging, email, and Microsoft Office documents. Content filtering reports only on violations identified in the specified applications listed for the filtering application. In other words, if the application filters only Microsoft Office documents and a user chooses to use Office, the content is filtered. If the user chooses to use something other than Office, that content is not filtered. Internet content filtering works by analyzing data against a database contained in the software. If a match occurs, the data can be addressed in one of several ways, including filtering, capturing, or blocking the content and closing the application. Operating system parental controls is an example of software that enables Internet content filtering. Unlike antivirus and antispyware applications, content monitoring does not require daily updates to keep the database effective and current. On the downside, content filtering needs to be “trained.” A misconfigured web content filter can either prevent legitimate content or allow prohibited content. For example, if the IP addresses or domains of customers are accidentally blocked, customers become blacklisted. Accidentally blacklisting customers can have a very detrimental effect on business. The issue with most content filters is that they look at only HTTP traffic and filter based on a database of words. Content filters can be bypassed by using HTTPS, a filter evasion application such as TOR, or a web proxy service. To prevent a content filter from being bypassed, select a solution that is used inline, has the capability to decrypt HTTPS, and uses real-time analysis to detect proxy website behavior. Content filtering proxies can be hardware or software. Many network solutions use some combination of both. Configurations include deployment behind a firewall or in a screened subnet, with public addresses behind a packet-filtering router. Content filters and gateway appliances that filter are most often placed inline behind a corporate firewall. When a filter is placed directly inline, all network traffic to the Internet passes through the filter. This facilitates filtering and scanning of all Internet traffic requests, content filtering and scanning of downloads for spyware and viruses, and application filtering. The following are also available modes for filters: - One network interface, with the client configured in proxy mode - One network interface in routed proxy mode - Two network interfaces in pass-through mode - Two network interfaces, with the client configured in proxy mode Hardware appliances are usually connected to the same network segment as the users they monitor. These appliances use access control filtering software on the dedicated filtering appliance. The device monitors every packet of traffic that passes over a network. In a multisegmented network, the filter must be installed in a location where it can both receive and manage Internet requests from the filter and communicate with installed agents. Every proxy server in a network must have at least one network interface. A proxy server with a single network interface can provide web content caching and IP gateway services. To provide Internet connectivity, you must specify two or more network interfaces for the proxy server. Unified Threat Management (UTM) Spyware, malware, worms, and viruses pose serious threats to both system integrity and user privacy. The prevalence of such malicious programs can also threaten the stability of critical systems and networks. Vendors have responded by offering converged unified threat management (UTM) security appliances that contain varying information security–related functions, including spam-filtering functions and antivirus protection. For example, the Barracuda Spam and Virus Firewall has antivirus protection built in. Another example is the Cisco Web Security Appliance. A malware inspection filter is basically a web filter applied to traffic that uses HTTP. The body of each HTTP request and response is inspected. Malicious content is blocked, and legitimate content passes through unaltered. Passing files can be hashed and matched against the signatures stored in a malware signature database. Other approaches include caching files for running a heuristic scan later within the file cache. If the scan finds a malicious file in the file cache, the signature is inserted in the malware signature database so that it can be blocked in the future. Other UTM features may include, for example, email filtering, DLP, content filtering, and an application layer firewall. In UTM devices, updates are posted hourly to ensure that the latest definitions are in place. As with any appliance that provides multiple functions, a UTM appliance is a single point of failure. To maintain availability, organizations might need to have two units deployed in automatic failover mode. Minimally, a UTM appliance provides a network firewall and IDS and IPS capabilities. VPN Concentrators Employees in today’s mobile workforce require a secure method for accessing corporate resources while on the road or working from home. One of the most common methods implemented for this type of access is a virtual private network (VPN). A VPN concentrator is used to allow multiple external users to access internal network resources using secure features that are built into the device. A VPN concentrator is deployed where a single device must handle a very large number of VPN tunnels. Remote-access VPN connectivity is provided using either Internet Protocol Security (IPsec) or Transport Layer Security (TLS/SSL). User authentication can be via RADIUS, Kerberos, Microsoft Active Directory, RSA SecurID, digital certificates, or the built-in authentication server. In addition to IPsec VPNs, technologies such as TLS and its predecessor, SSL, can be used to secure network communications. These VPNs use the SSL and TLS protocols to provide a secure connection between internal network resources and remote users such as bring your own device (BYOD) users, vendors, and business partners. Because TLS is a point-to-point communication encryption technology, it can be used to secure traffic in a variety of applications, including web- and email-based communications. The main advantage of SSL and TLS VPNs over IPsec VPNs is simple end-user implementation because they function via a browser and an Internet connection. In a typical scenario, the VPN concentrator allows users to utilize an encrypted tunnel to securely access a corporate network or other network via the Internet. Another use is internally, to encrypt WLAN or wired traffic when the security of login and password information is paramount for high-level users and sensitive information. You can implement a VPN concentrator to prevent login and password information from being captured. A VPN concentrator also allows ACLs to be applied to remote user sessions. These scenarios use various technologies that you need to comprehend to properly implement the correct VPN solution. VPN concentrators come in various models and allow for customized options, such as the numbers of simultaneous users, amount of throughput needed, amount of protection required, and tunnel modes. For example, Cisco VPN concentrators include components that allow for split tunneling, increased capacity, and throughput. With an always-on VPN, the user is always on a trusted and secured network. The workforce has become very mobile, allowing employees to work anytime and anywhere. This shift has led organizations to replace traditional IPsec VPNs with SSL/TLS VPNs that include an always-on solution. In addition, Zero Trust concepts are being applied to eliminate VPNs as resources become more and more distributed, and the paradigm of a single trusted network no longer exists. Instead of depending on the user to establish a VPN connection, an always-on VPN client immediately and automatically establishes a VPN connection when an Internet connection is made. Network authentication occurs through certificates or other enterprise solutions, and the connection is transparent to the user. Examples of always-on VPN solutions include Microsoft DirectAccess and Cisco AnyConnect Secure Mobility. So far, this section has mainly discussed the technologies used to secure VPN communications, but other modes and types of VPNs exist as well. When you think of VPNs, you likely think of remote-access VPNs that connect single hosts to organizational networks. However, site-to-site VPNs are also possible. Besides being configured to secure traffic between a remote user and the corporate network, a VPN can be configured as a site-to-site VPN. A site-to-site VPN is implemented based on IPsec policies assigned to VPN topologies. These VPNs connect entire networks to each other. An example of this type of implementation might be a VPN connecting a bank branch office to a network and the main office. Individual hosts do not need VPN client software. They communicate using normal TCP/IP traffic via a VPN gateway, which is responsible for setting up and breaking down the encapsulation and encryption traffic. The last item this section discusses is the mode in which the VPN operates. Two modes are available: full tunneling and split tunneling. Full tunneling works exactly as it sounds like it would: All requests are routed and encrypted through the VPN. In split tunneling, the traffic is divided. Internal traffic requests are routed over the VPN, and other traffic, such as web and email traffic, directly accesses the Internet. With split tunneling, the traffic is split after the VPN connection is made through the client configuration settings, such as the IP address range or specific protocols. Split tunneling is mainly used to reserve bandwidth while the users are on the Internet and to reduce the load on the VPN concentrator, especially when the organization has a large remote workforce. Split tunneling can also be useful when employees are treated as contractors on client sites and require access to both employer resources and client resources. NIDS and NIPS An intrusion detection system (IDS) is designed to analyze data, identify attacks, and respond to intrusions by sending alerts. IDSs differ from firewalls in that whereas a firewall controls the information that gets into and out of the network, an IDS can also identify unauthorized activity. IDSs are also designed to identify attacks in progress within the network, not just on the boundary between private and public networks. Intrusion detection is managed by two basic methods: knowledge-based and behavior-based detection. IDSs identify attacks based on rule sets, and an IDS typically has a large number of rules. Rule writing is an important and difficult part of network security monitoring. Luckily, security vendors do a lot of the rule writing. For example, Proofpoint currently has more than 37,000 rules, in several popular formats, and also hosts a web page that provides a daily rule set summary. Of course, these rules might need to be modified to meet the needs of the organization. The two basic types of IDSs are network-based and host-based IDSs. As the names suggest, network-based IDSs (NIDSs) look at the information exchanged between machines. Host-based IDSs (HIDSs) look at information that originates on individual machines. Consider the following differences between the two types: - NIDSs monitor the packet flow and try to locate packets that got through the firewall but were not supposed to do so. They are best at detecting DoS attacks and unauthorized user access. - HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. NIDSs try to locate packets that the firewall missed and that are not actually allowed on the network. HIDSs collect and analyze data that originates on the local machine or a computer hosting a service. NIDSs tend to be more distributed than HIDSs. NIDSs and HIDSs should be used together to ensure that an environment is truly secure. IDSs can be located anywhere on a network. You can place them internally or between firewalls. As with other network devices, the placement of a NIDS determines the effectiveness of the technology. A typical NIDS consists of sensors to monitor packet traffic, a server for management functions, and a management console. A sensor collects information about a network and can really be anything from a network tap to a firewall log. Sensors in both NIDS and NIPS have real-time network awareness. Generally, sensor placement depends on what the organization wants to protect, the calculated risk, and traffic flows. Sensors should be placed closest to assets identified as high priority or most important. Other considerations with sensor placement include the following: - Use or purpose of the sensor - Bandwidth utilization - Distance from protected assets Sensors can be placed outside the perimeter of the firewall as an early detection system or can be used internally as an added layer of security. Using sensors outside the perimeter firewall generates a lot of noise. This is not typically the ideal placement, but it can occasionally work for fine-tuning security policy. Internally placed sensors that are near the local network switching nodes and near the access routers at the network boundary have reduced false alarm rates because the sensors do not have to monitor any traffic blocked by the firewall. Sensors should be placed in the screened subnet because compromise of a machine in this zone could lead to a compromise of the internal network. Intrusion detection software and devices are reactive, or passive. This means that the system detects a potential security breach, logs the information, and signals an alert after the event occurs. By the time an alert has been issued, the attack has usually occurred and has damaged the network or desktop. A passive device is sometimes referred to as an out-of-band device. Out-of-band devices only listen passively. They do not change or affect the traffic. Network-based intrusion prevention systems (NIPSs) are sometimes considered to be an extension of IDSs. NIPSs can be either hardware or software based, as with many other network protection devices. Intrusion prevention differs from intrusion detection in that it actually prevents attacks instead of only detecting the occurrence of attacks. NIPSs are designed to sit inline with traffic flows and prevent attacks in real time. An inline NIPS sits between the systems that need to be protected and the rest of the network. NIPSs proactively protect machines against damage from attacks that signature-based technologies cannot detect because most NIPS solutions can look at application layer protocols such HTTP, FTP, and SMTP. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. An IDS detects and alerts. An IPS detects and prevents. Know the difference between the two concepts. A NIPS is often referred to as an in-band device. Because the device is analyzing live network traffic, an in-band device acts as the enforcement point and can prevent an attack from reaching its target. In general, in-band systems are deployed at the network perimeter, but they also can be used internally to capture traffic flows at certain network points, such as into the data center. Detection Methods Behavior-based intrusion detection methods are rooted in the premise that an intrusion can be detected by comparing the normal activity of a network to current activity. Any abnormalities from normal or expected behavior of the network are reported via an alarm. Behavior-based methods can identify attempts to exploit new or undocumented vulnerabilities, can alert to elevation or abuse of privileges, and tend to be independent of operating system–specific processes. Behavior-based methods consider any activity that does not match a learned behavior to be intrusive. These methods are associated with a high false alarm rate. If a network is compromised before the learned behavior period, any malicious activity related to the compromise is not reported. Signature-based detection methods are considered knowledge based because the underlying mechanism is a database of known vulnerabilities. Signature-based methods monitor a network to find a pattern or signature match. When they find a match, they generate an alert. Vendors provide signature updates, similar to antivirus software updates, but generally signatures can be created any time a particular behavior needs to be identified. Because pattern matching can be done quickly when the rule set is not extensive, the system or user notices very little intrusiveness or performance reduction. Signature-based methods only detect known signatures or patterns, so these events must be created for every suspicious activity. They are more reactive because an attack must be known before it can be added to the database. Signature-based methods provide lower rates of false alarms compared to behavior-based methods because all suspicious activity is in a known database. Anomaly-based detection methods are similar to behavior-based intrusion detection methods. Both are based on the concept of using a baseline for network behavior. However, a slight variation exists between the two. In anomaly-based detection methods, after the application is trained, the established profile is used on real data to detect deviations. Training an application entails inputting and defining data criteria in a database. In a behavior-based intrusion detection method, the established profile is compared to current activity, and monitoring seeks evidence of a compromise instead of the attack itself. Anomaly-based detection methods require the application engine to be able to decode and process all monitored protocols, which leads to high initial overhead. After the initial protocol behavior has been defined, scalability becomes more rapid and straightforward. The rule development process for anomaly-based methods can become complicated because of the differences in vendor protocol implementations. Heuristic intrusion detection methods are commonly known as anomaly-based methods because heuristic algorithms are used to identify anomalies. Much like anomaly-based methods, heuristic-based methods are typically rule based and look for abnormal behavior. Heuristic rules tend to categorize activity into one of the following types: benign, suspicious, or unknown. As an IDS learns network behavior, the activity category can change. The slight difference between heuristic- and anomaly-based methods is that anomaly-based methods are less specific. Anomaly-based methods target behavior that is out of the ordinary instead of classifying all behavior. Analytics A false positive occurs when a typical or expected behavior is identified as being irregular or malicious. False positives generally occur when an IDS detects the presence of a newly installed application and the IDS has not yet been trained for this new behavior. Sometimes anomalous behavior in one area of an organization is acceptable, while in other areas it is suspicious. False positives in IDS management are problematic because they can easily prevent legitimate IDS alerts from being identified quickly. Rule sets need to be tuned to reduce the number of false positives. A single rule that generates false positives can create thousands of alerts in a short period of time. In addition, the alerts for rules that cause repeated false positives are often ignored or disabled, which increases risk to the organization because legitimate attacks might eventually be ignored, increasing the probability that the system will be compromised by the type of attack the disabled or ignored rule was actually looking for. A false negative occurs when an alert that should have been generated did not occur. In other words, an attack takes place, but the IDS doesn’t detect it. False negatives most often happen because an IDS is reactive, and signature-based systems do not recognize new attacks. Sometimes in a signature-based system, a rule can be written to catch only a subset of an attack vector. Several risks are associated with false positives. When false positives occur, missed attacks are not mitigated, and the organization is likely to have a false sense of security. In addition, in an environment that relies on anomaly detection and in a host-based intrusion detection system (HIDS) that relies on file changes, if a system was compromised at the time of IDS training, false negatives will occur for any already exploited conditions. You should be familiar with the following terms for the exam: - False positive: A typical or expected behavior is identified as being irregular or malicious. - False negative: An alert that should have been generated did not occur. Network Access Control (NAC) One the most effective ways to protect a network from malicious hosts is to use network access control (NAC). NAC helps ensure that computers are properly configured. NAC systems are available as software packages or dedicated NAC appliances, although most are dedicated appliances that include both hardware and software. Some of the main uses for NAC follow: - Guest network services - Endpoint baselining - Identity-aware networking - Monitoring and containment The idea with NAC is to secure the environment by examining the user’s machine and then grant (or not grant) access based on the results. NAC is based on assessment and enforcement. For example, if a user’s computer patches are not up to date and no desktop firewall software is installed, you might decide to limit access to network resources. Any host machine that does not comply with your defined policy could be relegated to a remediation server or put on a guest VLAN. The basic components of NAC products follow: - Access requestor (AR): The AR is the device that requests access. Assessment of the device can be self-performed or delegated to another system. - Policy decision point (PDP): The PDP is the system that assigns a policy based on the assessment. The PDP determines what access should be granted and can be the NAC’s product-management system. - Policy enforcement point (PEP): The PEP is the device that enforces the policy. This device can be a switch, a firewall, or a router. NAC systems can be integrated into a network in four ways: - Inline: An inline NAC system exists as an appliance inline, usually between the access point and the distribution switches. - Out of band: An out-of-band NAC system intervenes and performs an assessment as hosts come online and then grants appropriate access. - Switch based: Switch-based NAC works similarly to inline NAC, except that enforcement occurs on the switch itself. - Host or endpoint based: Host- or endpoint-based NAC relies on an installed host agent to assess and enforce access policy. NAC implementations require several design considerations such as whether to integrate with an agent or be agentless. For example, out-of-band designs might or might not use agents, and they can use 802.1X, VLAN steering, or IP subnets. In a NAC system that uses agents, devices are enrolled in the NAC system, and an agent is installed on the device. The agent reports to a NAC policy server. Agents provide detailed information about connected devices to enforce policies. An agent might permanently reside on an end device, or it might be dissolvable. If the agent is dissolvable, it provides one-time authentication, reports information to the NAC system, and then disappears. Because agents can be spoofed by malware, an organization needs to be vigilant about proper malware protection or should use an agentless NAC solution. Because the user clicks on a web link to download a dissolvable agent, this type of agent is also referred to as a portal-based agent. Agents perform more granular health checks on endpoints to ensure a greater level of compliance. When a health check is on a computer or laptop, it is often called a host health check. Health checks monitor availability and performance for proper hardware and application functionality. Agentless solutions are mainly implemented through embedded code within an Active Directory domain controller. The NAC code verifies that the end device complies with the access policy when a user joins the domain, logs on to, or logs out of the domain. Active Directory scans cannot be scheduled, and the device is scanned only during these three actions. Another instance in which an agentless solution is deployed is through an IPS. Agentless solutions offer less functionality and require fewer resources than do agent-based solutions. A good solution for a large, diverse network or a network in which BYOD is prevalent is to combine both agent and agentless functionality and use the agentless solution as a fallback. Agents often do not work with all devices and operating systems. An alternative might be to use a downloadable, dissolvable agent; however, some device incompatibility might still arise. In addition to providing the capability to enforce security policy, contain noncompliant users, and mitigate threats, NAC offers business benefits. These include compliance, a better security posture, and operational cost management. Quiz: 1. Your company will have a new branch office. You need to seamlessly provide branch office users access to the corporate network resources as if they were at the corporate offices. Which of the following would best enable you to accomplish this goal? A. VLANs B. Site-to-site VPN C. Spanning Tree Protocol D. Screened subnet 2. You are consulting for an organization that has only ever required outbound Internet access. The organization now needs to deploy a web server for its customers (and it will maintain the web server) but is concerned about inbound access to the organization network. Which one of the following should you recommend? A. VLAN B. VPN C. Load balancer 3. Your company requires a switch feature that makes additional checks in Layer 2 networks to prevent STP issues. Which of the following safeguards should be implemented? A. Loop Guard B. Flood protections C. Implicit deny D. Port security 4. You are implementing server load balancing. In which configuration is the passive server promoted to active if the active server fails? A. Active/active B. Round-robin C. Weighted round-robin D. Active/passive 5. Your network IDS is reporting a high number of false positives. What does this mean? A. Typical or expected behavior is being identified as irregular or malicious. B. Alerts that should have been generated are not occurring. C. The activity is being categorized into one of the following types: benign, suspicious, or unknown. D. The IDS is preventing intrusions instead of detecting them. Answer 1: B. Besides being configured to secure traffic between a remote user and the corporate network, a VPN can be configured as a site-to-site VPN. Answer A is incorrect, as VLANs are logical separations of a physical network. Answer C is incorrect. Spanning Tree Protocol is a link-management protocol that provides path redundancy. Answer D is incorrect. A screened subnet is a subnetwork where an organization places externally facing servers. Answer 2: D. A screened subnet is the best choice as it would allow the organization to expose a web server to the public yet have it isolated from the internal network via a logical subnetwork. Answers A and B are incorrect. VLANs are logical separations of a physical network. A VPN would provide for secure remote access into internal resources for the employees. Answer C is incorrect. While a load balancer can be used to manage the traffic to the organization’s website and may be something the organization wants to consider, it does not meet the need to prevent inbound access to the network. Answer 3: A. The Loop Guard feature makes additional checks in Layer 2 switched networks to prevent loops. Answer B is incorrect because flood protection is a firewall feature to control network activity associated with DoS attacks. Answer C is incorrect because implicit deny is an access control practice in which resource availability is restricted to only logons that are explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses to come in through the port. Answer 4: D. In an active/passive configuration, all traffic is sent to the active server. The passive server is promoted to active if the active server fails or is taken down for maintenance. Answer A is incorrect. In an active/active configuration, two or more servers work together to distribute the load to network servers. Answers B and C are incorrect because in a round-robin load-balancing strategy traffic is sent in a sequential, circular pattern to each node of a load balancer, and in a weighted round-robin strategy traffic is sent in a circular pattern to each node of a load balancer, based on the assigned weight number. Answer 5: A. A false positive occurs when a typical or expected behavior is identified as irregular or malicious. Answer B is incorrect. A false negative occurs when an alert that should have been generated did not occur. Answer C is incorrect because this describes heuristic intrusion detection rules, which tend to categorize activity into one of the following types: benign, suspicious, or unknown. Answer D is incorrect. In fact, the opposite is true: An intrusion detection system (IDS) detects intrusions and sends alerts, whereas an intrusion prevention system (IPS) detects and prevents intrusions.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.