Chapter 10: Security in Network Design
Specialized Security Devices
Firewalls and IDS/IPS Systems are examples of what type of security devices?
Install multiple (redundant) switches at critical junctures.
How do you make networks more fault tolerant?
Determined by the amount of storage space needed for the amount of data
How is the effectiveness of the SIEM determined?
FIM (File integrity monitoring)
IDS Security feature that checks files for any sort of manipulation that isn't expected.
NIDS (Network-based IDS)
IDS security feature that protects a network and is usually situated at the edge of the network or in the DMZ (the network's protective perimeter).
Statistical Anomaly Detection
IDS that compares network traffic samples to a predetermined baseline in order to detect anomalies.
Signature-based detection
IDS that looks for identifiable patterns of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic.
HIPS (Host-based IPS)
IPS that protects certain hosts.
NIPS (network-based IPS)
IPS that protects the whole network.
Routers main functions
Main functions include: - Examine packets - Determine the destination based on Network Layer addressing information.
Port Mirroring
One port makes a copy of traffic and sends to second port for monitoring.
Port blocking
Prevents connection to and transmission completion through ports.
HIDS (Host-based IDS)
Runs on a single computer to alert about attacks to that one host.
UTM (Unified Threat Management)
Security strategy that combines multiple layers of security appliances and technologies into a single safety net. - Requires a great deal of processing power.
Non-Security devices with Security Features
The following two things are examples of what type of network security devices? 1.) Proxy Servers. 2.) ACLs.
Using multiple options for network security results in layered security
This method of security provides more protection than any one type of device?
Host Based Firewall
This type of firewall only protects the computer on which it is installed.
SIEM (Security Information and Event Management)
Type of system that can be configured to evaluate all log data. - Looking for significant events that require attention from the IT staff.
Redundancy (Makes a network less vulnerable to hardware malfunctions.)
What allows data the option of traveling through more than one switch?
- RSTP (Rapid Spanning Tree Protocol) - MSTP (Multiple Spanning Tree Protocol) - TRILL (Transparent Interconnection of Lots of Links) - SPB (Shortest Path Bridging)
What are the four newer/faster versions of STP?
- Statistical Anomaly Detection - Signature-based detection
What are the two primary methods for detecting threats on a network?
- Calculates paths avoiding potential loops - Artificially blocks links completing loops
What are two ways STP prevents traffic loops?
Access-List command
What command is used to assign a statement to an already-installed ACL?
STP will recalculate the best loop-free data paths between the remaining switches.
What happens to the STP if a switch is removed from a network?
Traffic Loops
What is a potential problem with redundant paths?
Creating Exceptions to firewall rules.
What is referred to as "punching holes" in a firewall?
Number of false positives logged.
What is the main drawback to a secure use of IDS?
Firewall Misconfiguration
What is the most common cause of firewall failure?
Firewall locations
What is used in the following locations? - Between two interconnected private networks. - Between private and public networks. - Also may be integrated in routers, switches and other network devices.
- Must identify the ACL and include a permit or deny argument.
What must the Access-List command identify and include?
- Inbound traffic - Outbound traffic
What two types of traffic can an ACL be associated with?
Too strict of a firewall configuration.
What would prevent authorized users from transmitting and receiving necessary data on a newly setup network?
access-list acl_2 permit icmp any
What's the access-list command?
access-list acl_2 permit tcp host 2.2.2.2 host 5.5.5.5
Which command permits TCP traffic from 2.2.2.2 host machine to 5.5.5.5 host machine?
Data Link Layer
Which layer does the STP operate on?
Unused physical and virtual ports on switches and other network devices.
Which ports on switches should be disabled?
The more statements or tests a router must scan, the more time it takes the router to act.
Why do ACLs affect router performance?
If the packet's characteristics match the deny criteria in the ACL, or if the packet doesn't match any of the ACL's criteria at all.
Why would a router drop a packet it received?
Proxy Server
- Acts as an intermediary between external and internal networks. - Screens all incoming and outgoing traffic. - Manages security at Application Layer. - Appears as an internal network server to the outside world, but is a filtering device for internal LAN. - One of its most important functions is preventing the outside world from discovering the addresses of the internal network.
Firewall Default Configuration
- Blocks most common security threats - Preconfigured to accept and deny certain traffic types. - Network Administrators often customize settings.
STP (Spanning Tree Protocol)
- Defined in IEEE standard 802.1D - Operates in Data Link Layer
Optional firewall functions
- Encryption - User authentication - Centralized management - Easy rule establishment - Content Filtering based on data contained in packets. - Logging, auditing capabilities. - Protect internal LAN's address identity. - Monitor packets according to existing traffic streams (stateful firewall)
NGFW (Next generation Firewalls)
- Have built-in Application control features and are application aware (they can monitor and limit traffic of specific applications.) - Adapt to the class of a specific user or user group. - May also be context aware. (They adapt to various applications, users, and devices.)
Reverse Proxy
- Provides services to Internet clients from servers on its own network. - Provides identity protection for the server rather than the client. - Useful when multiple Web servers are accessed through the same public IP address.
IPS (Intrusion prevention system)
- Reacts to suspicious activity when alerted. - Detects threat and prevents traffic from flowing to network. (based on originating IP address)
Packet-filtering firewall
- Simplest firewall - Examines header of every entering packet (inbound traffic) - Can block traffic entering or exiting a LAN (outbound traffic)
Intrusion Detection System (IDS)
- Stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall. - Monitors network traffic and generates alerts about suspicious activity. - Commonly exists as an embedded feature in UTM solutions or NGFWs.
ACL (Access Control List)
- Used by routers to decline forwarding certain packets. - Acts like a filter to instruct the router to permit or deny traffic according to one or more of the following variables: - Network Layer Protocol - Transport Layer Protocol - Source IP address - Destination IP address - TCP or UDP port number.
Common Packet-Filtering criteria
- source and destination IP addresses - Source and destination ports - Flags set in the TCP header - Transmissions using UDP or ICMP protocols. - Packet's status as the first packet in new data stream, subsequent packet. - Packet's status as inbound to, outbound from private network.
Firewall
A specialized device or software that selectively filters or blocks traffic between networks. - Typically involves a combination of hardware and software.
IDS
Can only detect and log suspicious activity