3.1 Secure Network Design

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Layer 3

The segmentation enforced by VLANs at the data link layer can be mapped to logical divisions enforced by IP subnets at ____________.

a single IP address or subnet

Restrict the hosts that can be used to access the management console by enforcing an Access Control List (ACL); restrict permitted hosts to ________ or ________, for instance.

subnet

A _________ is a subdivision of a larger network, isolated from the rest of the network by means of routers (or layer 3 switches).

IP address, by the port it is requesting, or a combination of both

A basic firewall can allow or deny a host access based on its .

soft access point

A computer could allow wireless clients to connect to it in either an ad hoc network or by being configured as a _________________. This makes the laptop create a bridge from one network to another.

ARP or DNS

Man-in-the-Middle attacks can also be launched against antiquated protocols, such as ______ or _______.

mutual authentication

MitM attacks can be defeated using ___________________, where both server and client exchange secure credentials.

security requirements

More than one DMZ might be required as the services that run in them may have different ____________.

physical and data link layers

Network architecture design starts with the way the OSI model ___________ and ___________ layers are implemented.

Firewall

Network traffic between zones should be strictly controlled, using a security device. This device can be software or hardware oriented to filter traffic passing into and out of the network.

ARP Request packet

Normally, a device that needs to send a packet to an IP address but does not know the receiving device's MAC address broadcasts an ___________________.

Screened Subnetting

One important use of subnets is to implement a DMZ. Two firewalls are placed at either end of the DMZ. One restricts traffic on the external interface; the other restricts traffic on the internal interface.

Trojan

One way to launch a MitM attack is to use __________________ software to replace some genuine software on the system.

Lack of documentation and change control

network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. It is vital that network managers understand business workflows and the network services that underpin them.

Availability over confidentiality and integrity

often it is tempting to take "shortcuts" to get a service up and running. Compromising security might represent a quick fix but creates long term risks.

Complex dependencies

services that require many different systems to be available. Ideally the failure of individual systems or services should not affect the overall performance of other network services.

dynamic VLANs

VLANs that include using the host's MAC address, protocol type, or even authentication credentials are referred to as _______________.

Bridge

A ______ could be used to divide a network overloaded with hosts and suffering from excessive collisions into separate segments at the physical layer. This device can identify in which segment a host is located by its MAC address and only forwards traffic for that host over that interface.

Routed

A DMZ and intranet are on different subnets so communications between them need to be __________.

Three-Legged Firewall

A DMZ can also be established using a single router / firewall appliance. A _____________ (or triple-homed) firewall is one with three network ports, each directing traffic to a separate subnet: --> One port is the external interface. --> One port is the DMZ. --> One port is the internal interface. This is more complex to configure than a screened subnet. Also, the firewall represents a single point of failure and is easier to compromise. However, this configuration does save on costs.

"null" VLAN

A VLAN that is non-routable to the rest of the network. This VLAN is used for any ports that do not have authorized connected equipment.

air gap

A host or network segment that has no sort of physical connectivity with other hosts or networks.

collision domain

A hub is a multiport repeater; it takes the signal generated by a node and retransmits it to every port on the hub. All the ports are said to be in the same _____________ .

Dsniff, Cain and Abel, or Ettercap

A more sophisticated ARP poisoning attack can be launched by running software such as ________, _________, or __________ from a computer attached to the same switch as the target.

segment

A network ___________ is an area of the network where all the hosts attached to a specific area or the network can communicate freely with one another.

Extranet

A network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join this network because this network typically is internet-facing. This network could also be set up using leased line connections.

root port

A port that forwards "up" to the root bridge, possibly via intermediate bridges, is identified as a ____________.

blocking; non-designated port

A port that would create a loop is identified as a _________ or ____________ .

Intranet

A private network of trusted hosts owned and controlled by the organization. Hosts are trusted in the sense that they are under the same administrative control and subject to the security mechanisms (anti-virus software, user rights, software updating, and so on) that the organization have set up to defend the network.

Layer 3

A subnet gives the hosts in a particular VLAN a distinct network address at layer ____ of the OSI model (Network).

static entries

A trivial ARP poisoning attack could be launched by adding _______________ to the target's ARP cache.

network interface and subnet

A true DMZ is established by a separate ____________ and ________ so that traffic between hosts in the DMZ and the LAN must be routed (and subject to firewall rules). Most SOHO routers do not have the necessary ports or routing functionality to create a true DMZ.

MAC flooding

A variation of an ARP poisoning attack, that can be directed against a switch.

Internet-facing host

Accepts inbound connections from and makes connections to hosts on the Internet.

isolated

An _____________________ segment is one that has no connectivity with other segments.

Topology

Any given switch port can be assigned to any VLAN in the same _________________, regardless of the physical location of the switch.

sniffing

As hubs broadcast communications to all ports, this makes _________ network traffic easier.

network mapping and eavesdropping

Attacks at the physical and data link layer are often focused on information gathering: Such as _______________ and _______________________ on network traffic.

Virtual LANs (VLAN)

Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using _______________ .

ARP Poisoning Attack

Broadcasting unsolicited ARP reply packets. Because ARP is an "antiquated protocol" with no security, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address.

MAC spoofing

Changing the Media Access Control (MAC) address configured on an adapter interface or asserts the use of an arbitrary MAC address.

Layer 3 switch

In CISCO Systems __________ switch or router appliances are capable of many different types of routing (especially over Wide Area Networks [WAN]) and tend not to have many interface ports. On a campus Ethernet network, the internal routers will typically be moving traffic between VLANs and have no need to perform WAN routing.

Access Layer

In CISCO Systems this layer allows end-user devices, such as computers, printers, and smartphones, to connect to the network. Another important function of the this layer is to prevent the attachment of unauthorized devices.

router or layer 3 switch.

Communication between the groups of ports would only be possible via a ________ or _______________.

authorized management station

Configure the SNMP interface on the switch to report only to an a_____________________ or disable SNMP if it is not required.

segmented

Different functions could be implemented either by completely separate DMZs or by using ___________ demilitarized zones.

HTTP (TCP/UDP Port 80), HTTPS (TCP/Port 443), and Telnet (TCP/Port 23)

Disable unused management console access methods. For example, if you use SSH, disable the serial ports, _______, ________, and ________.

security configuration

Dividing a campus network or data center into zones implies that each zone has a different ___________.

Core Layer

In CISCO Systems this layer provides a highly available network backbone. Devices such as clients and server computers should not be attached directly to this layer. Its purpose should be kept simple: provide redundant traffic paths for data to continue to flow around the access and distribution layers of the network.

broadcast

Each subnet(work) is in its own ____________ domain

Distribution

In CISCO Systems this layer provides fault-tolerant interconnections between different access blocks and either the core or other distribution blocks. This layer is often used to implement traffic policies, such as routing boundaries, filtering, or Quality of Service (QoS).

IP address

In CISCO Systems, a Router provides connectivity between subnetworks based on their

distribution and core layers

In CISCO Systems, the _______________ and _________ layers provide switching and routing between different access layer locations and server groups.

Bastion Hosts

Hosts in a DMZ are not fully trusted by the internal network because of the possibility that they could be compromised from the Internet. They are referred to as___________ . These hosts would not be configured with any services that run on the local network, such as user authentication.

Segregation

Hosts in one segment are restricted in the way they communicate with hosts in other segments. They might only be able to communicate over certain network ports, for instance.

Failopen Mode

If a switch's cache table is overloaded by flooding it with frames containing different (usually random) source MAC addresses, it will typically start to operate as a hub. This is called ______?

Proxy

If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a __________. This device takes the request and checks it. If the request is valid, it re-transmits it to the destination. External hosts have no idea about what (if anything) is behind the DMZ.

attacker

If the ARP poisoning attack is successful, all traffic destined for remote networks will be sent to the ___________________ .

Ethernet

In a network with multiple bridges (implemented these days as switches and routers), there may be more than one path for a frame to take to its intended destination. As a layer 2 protocol, __________ has no concept of Time To Live. Therefore, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely.

segregated

In order to enforce the concept of a zone, zones must be ____________.

Disable unused ports by placing them in an otherwise unused VLAN with no connectivity to the rest of the network. Secure the switch's management console by renaming the administrative account (if possible) and setting a strong password. Use a secure interface to access the management console. Use encrypted communications, such as HTTPS or SSH, or use the switch's console serial port. Install the latest firmware updates and review vendor security bulletins to be forewarned about possible exploits or vulnerabilities.

In order to secure a switch, the following guidelines should be met.

Address Resolution Protocol (ARP)

In terms of TCP/IPv4, the most significant protocol operating at the Data Link layer is the __________________. This protocol maps a network interface's hardware (MAC) address to an IP address.

Demilitarized Zone (DMZ)

Internet-facing hosts are placed this zone that is also referred to as a perimeter network. The idea of a this zoneis that traffic cannot pass through it.

Spanning Tree Protocol (STP)

Layer 2 loops are prevented by the ____________, defined in the IEEE 802.1D MAC Bridges standard.

static VLANs

Port-based switching is the simplest means of configuring a VLAN. These VLANs are referred to as ___________.

designated ports

Ports that can forward traffic "down" through the network with the least cost are identified as ____________.

network policies or Control Lists (ACL)

Router enforce _____________ or Access ____________ to restrict communications between the two segments.

virtualization

Segregation and isolation of hosts or applications can also be accomplished using

screened host

Smaller networks may not have the budget or technical expertise to implement a DMZ. In this case, Internet access can still be implemented using a dual-homed proxy server acting as a ____________ .

DoS

Sometimes the term DMZ (or "DMZ host") is used by SOHO router vendors to mean an Internet-facing host or zone not protected by the firewall. This might be simpler to configure and solve some access problems but makes the whole network very vulnerable to intrusion and ____________ Attack .

Root Bridge

Spanning tree is a means for the bridges to organize themselves into a hierarchy. The bridge at the top of the hierarchy is the _____________ .

Bridge

Split tunneling is another example of a potential __________ between different networks.

filtering and access control

Subnets are useful for security, as traffic passing between each subnet can be subjected to ____________ and ________________ at the router.

geographical or logical

Subnets can be used to represent __________________ or _____________________ divisions in the network.

Layer 2

Subnets will usually be mapped to VLANs. The VLAN establishes a logical grouping of hosts at layer ________ of the OSI model (Data Link Layer).

Topology Change Notifications

Subsequently, bridges exchange ____________ if devices are added or removed, enabling them to change the status of forwarding / blocked ports appropriately.

port authentication

Switches that can perform "_______________", can prevent connected devices from changing their MAC address.

Man-in-the-middle (MITM) attack or a Denial of Service (DoS) Attack

The attacker in ARP poisoning can perform a ______________, either by monitoring the communications (forwarding them to the router to avoid detection) or modifying the packets before forwarding them and/or a ___________________ by not forwarding the packets.

ARP Reply

The device with the matching IP from the ARP Request Packet responds with an ________________.

Access Control List (ACL)

The firewall bases its decisions on a set of rules called _____________.

web servers, mail and other communications servers, proxy servers, and remote access servers.

The hosts that provide the extranet or public access services should be placed in one or more demilitarized zones. These would typically include

Zone

The main building block of a security topology of a particular network location and is an area of the network (or of a connected network) where the security configuration is the same for all hosts within it.

Content Addressable Memory (CAM)

The switch cache table is referred to as _______________ so the attack is also called CAM table overflow.

Top-of-Rack (ToR) switches

These switches are deployed in data centers.

Aggregation switch

These switches are functionally similar to layer 3 switches, but the term is often used for very high-performing switches deployed in a large enterprise or service provider's routing infrastructure. Rather than 1 Gbps access ports and 10 Gbps uplink ports (as would be typical of a workgroup switch), basic interfaces on an aggregation switch would be 10 Gbps and uplink / backbone ports would be 40 Gbps.

Man-in-the-Middle (MitM)

This attack is where the attacker sits between two communicating hosts, and transparently captures, monitors, and relays all communication between the hosts. This attack could also be used to covertly modify the traffic.

Internet / guest

This is a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the public network.

access, distribution, and core

Three layers of hierarchy that Cisco recommends designing a campus network with.

external interface and internal interface

To configure a DMZ, two different security configurations must be enabled: one on the ________________ and one on the _______________.

Out-of-Band

Using an access method other than the normal data network is referred to as _________ management.

network backdoor; switching loop

When a soft access point is configured, it can create a potential ____________ or could cause a _______________ .

OS commands, alterations to the network driver configuration, or using packet crafting software

While a unique MAC address is assigned to each network interface by the vendor at the factory, it is often possible to override it in software via ___________, ________________________, __________________.

802.1D-2004 / 802.1w

With basic STP, configuration changes can disrupt network communications for extended periods. STP is now more likely to be implemented as _____________ or Rapid STP (RSTP). The rapid version creates outages of a few seconds or less.

Logical

__________________ divisions might represent departmental functions or distinguish servers from clients.

Geographical

_______________________ divisions might represent different floors of an office or networks connected by WAN links.

Single points of failure

a "pinch point" relying on a single hardware server or appliance or network channel.

Server Type (i.e Email Mailbox Server)

ensure that the file (mailbox) is only accessed by authorized clients and that it is fully available and fault tolerant. Ensure that the file (email) service runs with a minimum number of dependencies and that the service is designed to be resilient to faults.

Overdependence on perimeter security

if the network architecture is "flat" (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement.

Access

the client device must access the network, obtaining a physical channel and logical address. The user must be authenticated and authorized to use an application. The corollary is that unauthorized users and devices must be denied access.

Transfer Server (Mail)

this must connect with untrusted Internet hosts, so communications between the untrusted network and trusted LAN must be carefully controlled. Any data or software leaving or entering the network must be subject to policy-based controls.


Ensembles d'études connexes

JBU-Art History 1-Exam 1-Demaris

View Set

Argument and persuasive terms. True or false!

View Set

Microsoft 98-366 Network Fundamentals Exam Questions

View Set

Anatomy Test 2 (Chapter 21 and 23)

View Set

Essential Cloud Infrastructure: Foundation

View Set

Install and configure SharePoint farms

View Set