3.1 Secure Network Design
Layer 3
The segmentation enforced by VLANs at the data link layer can be mapped to logical divisions enforced by IP subnets at ____________.
a single IP address or subnet
Restrict the hosts that can be used to access the management console by enforcing an Access Control List (ACL); restrict permitted hosts to ________ or ________, for instance.
subnet
A _________ is a subdivision of a larger network, isolated from the rest of the network by means of routers (or layer 3 switches).
IP address, by the port it is requesting, or a combination of both
A basic firewall can allow or deny a host access based on its ____________.
soft access point
A computer could allow wireless clients to connect to it in either an ad hoc network or by being configured as a _________________. This makes the laptop create a bridge from one network to another.
ARP or DNS
Man-in-the-Middle attacks can also be launched against antiquated protocols, such as ______ or _______.
mutual authentication
MitM attacks can be defeated using ___________________, where both server and client exchange secure credentials.
security requirements
More than one DMZ might be required as the services that run in them may have different ____________.
physical and data link layers
Network architecture design starts with the way the OSI model ___________ and ___________ layers are implemented.
Firewall
Network traffic between zones should be strictly controlled, using a security device. This device can be software or hardware oriented to filter traffic passing into and out of the network.
ARP Request packet
Normally, a device that needs to send a packet to an IP address but does not know the receiving device's MAC address broadcasts an ___________________.
Screened Subnetting
One important use of subnets is to implement a DMZ. Two firewalls are placed at either end of the DMZ. One restricts traffic on the external interface; the other restricts traffic on the internal interface.
Trojan
One way to launch a MitM attack is to use __________________ software to replace some genuine software on the system.
Lack of documentation and change control
Network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. It is vital that network managers understand business workflows and the network services that underpin them.
Availability over confidentiality and integrity
Often it is tempting to take "shortcuts" to get a service up and running. Compromising security might represent a quick fix but creates long-term risks.
Complex dependencies
Services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services.
dynamic VLANs
VLANs that assign membership using the host's MAC address, protocol type, or even authentication credentials are referred to as _______________.
Bridge
A ______ could be used to divide a network overloaded with hosts and suffering from excessive collisions into separate segments at the physical layer. This device can identify in which segment a host is located by its MAC address and only forwards traffic for that host over that interface.
Routed
A DMZ and intranet are on different subnets so communications between them need to be __________.
Three-Legged Firewall
A DMZ can also be established using a single router / firewall appliance. A _____________ (or triple-homed) firewall is one with three network ports, each directing traffic to a separate subnet:
--> One port is the external interface.
--> One port is the DMZ.
--> One port is the internal interface.
This is more complex to configure than a screened subnet. Also, the firewall represents a single point of failure and is easier to compromise. However, this configuration does save on costs.
"null" VLAN
A VLAN that is non-routable to the rest of the network. This VLAN is used for any ports that do not have authorized connected equipment.
air gap
A host or network segment that has no sort of physical connectivity with other hosts or networks.
collision domain
A hub is a multiport repeater; it takes the signal generated by a node and retransmits it to every port on the hub. All the ports are said to be in the same _____________.
Dsniff, Cain and Abel, or Ettercap
A more sophisticated ARP poisoning attack can be launched by running software such as ________, _________, or __________ from a computer attached to the same switch as the target.
segment
A network ___________ is an area of the network where all the hosts attached to that specific area of the network can communicate freely with one another.
Extranet
A network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join this network because this network typically is internet-facing. This network could also be set up using leased line connections.
root port
A port that forwards "up" to the root bridge, possibly via intermediate bridges, is identified as a ____________.
blocking; non-designated port
A port that would create a loop is identified as a _________ or ____________.
Intranet
A private network of trusted hosts owned and controlled by the organization. Hosts are trusted in the sense that they are under the same administrative control and subject to the security mechanisms (anti-virus software, user rights, software updating, and so on) that the organization has set up to defend the network.
Layer 3
A subnet gives the hosts in a particular VLAN a distinct network address at layer ____ of the OSI model (Network).
static entries
A trivial ARP poisoning attack could be launched by adding _______________ to the target's ARP cache.
network interface and subnet
A true DMZ is established by a separate ____________ and ________ so that traffic between hosts in the DMZ and the LAN must be routed (and subject to firewall rules). Most SOHO routers do not have the necessary ports or routing functionality to create a true DMZ.
MAC flooding
A variation of an ARP poisoning attack that can be directed against a switch.
Internet-facing host
Accepts inbound connections from and makes connections to hosts on the Internet.
isolated
An _____________________ segment is one that has no connectivity with other segments.
Topology
Any given switch port can be assigned to any VLAN in the same _________________, regardless of the physical location of the switch.
sniffing
As hubs broadcast communications to all ports, this makes _________ network traffic easier.
network mapping and eavesdropping
Attacks at the physical and data link layers are often focused on information gathering, such as _______________ and _______________________ on network traffic.
Virtual LANs (VLAN)
Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using _______________.
ARP Poisoning Attack
Broadcasting unsolicited ARP reply packets. Because ARP is an "antiquated protocol" with no security, the receiving devices trust this communication and update their MAC:IP address cache table with the spoofed address.
MAC spoofing
Changing the Media Access Control (MAC) address configured on an adapter interface, or asserting the use of an arbitrary MAC address.
Layer 3 switch
In Cisco Systems terminology, __________ switch or router appliances are capable of many different types of routing (especially over Wide Area Networks [WAN]) and tend not to have many interface ports. On a campus Ethernet network, the internal routers will typically be moving traffic between VLANs and have no need to perform WAN routing.
Access Layer
In Cisco Systems terminology, this layer allows end-user devices, such as computers, printers, and smartphones, to connect to the network. Another important function of this layer is to prevent the attachment of unauthorized devices.
router or layer 3 switch
Communication between the groups of ports would only be possible via a ________ or _______________.
authorized management station
Configure the SNMP interface on the switch to report only to an _____________________, or disable SNMP if it is not required.
segmented
Different functions could be implemented either by completely separate DMZs or by using ___________ demilitarized zones.
HTTP (TCP/UDP port 80), HTTPS (TCP port 443), and Telnet (TCP port 23)
Disable unused management console access methods. For example, if you use SSH, disable the serial ports, _______, ________, and ________.
security configuration
Dividing a campus network or data center into zones implies that each zone has a different ___________.
Core Layer
In Cisco Systems terminology, this layer provides a highly available network backbone. Devices such as clients and server computers should not be attached directly to this layer. Its purpose should be kept simple: provide redundant traffic paths for data to continue to flow around the access and distribution layers of the network.
broadcast
Each subnet(work) is in its own ____________ domain.
Distribution
In Cisco Systems terminology, this layer provides fault-tolerant interconnections between different access blocks and either the core or other distribution blocks. This layer is often used to implement traffic policies, such as routing boundaries, filtering, or Quality of Service (QoS).
IP address
In Cisco Systems terminology, a router provides connectivity between subnetworks based on their ____________.
distribution and core layers
In Cisco Systems terminology, the _______________ and _________ layers provide switching and routing between different access layer locations and server groups.
Bastion Hosts
Hosts in a DMZ are not fully trusted by the internal network because of the possibility that they could be compromised from the Internet. They are referred to as ___________. These hosts would not be configured with any services that run on the local network, such as user authentication.
Segregation
Hosts in one segment are restricted in the way they communicate with hosts in other segments. They might only be able to communicate over certain network ports, for instance.
Failopen Mode
If a switch's cache table is overloaded by flooding it with frames containing different (usually random) source MAC addresses, it will typically start to operate as a hub. This is called ______?
Proxy
If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a __________. This device takes the request and checks it. If the request is valid, it re-transmits it to the destination. External hosts have no idea about what (if anything) is behind the DMZ.
attacker
If the ARP poisoning attack is successful, all traffic destined for remote networks will be sent to the ___________________.
Ethernet
In a network with multiple bridges (implemented these days as switches and routers), there may be more than one path for a frame to take to its intended destination. As a layer 2 protocol, __________ has no concept of Time To Live. Therefore, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely.
segregated
In order to enforce the concept of a zone, zones must be ____________.
--> Disable unused ports by placing them in an otherwise unused VLAN with no connectivity to the rest of the network.
--> Secure the switch's management console by renaming the administrative account (if possible) and setting a strong password.
--> Use a secure interface to access the management console. Use encrypted communications, such as HTTPS or SSH, or use the switch's console serial port.
--> Install the latest firmware updates and review vendor security bulletins to be forewarned about possible exploits or vulnerabilities.
In order to secure a switch, the following guidelines should be met.
Address Resolution Protocol (ARP)
In terms of TCP/IPv4, the most significant protocol operating at the Data Link layer is the __________________. This protocol maps a network interface's hardware (MAC) address to an IP address.
Demilitarized Zone (DMZ)
Internet-facing hosts are placed in this zone, which is also referred to as a perimeter network. The idea of this zone is that traffic cannot pass through it.
Spanning Tree Protocol (STP)
Layer 2 loops are prevented by the ____________, defined in the IEEE 802.1D MAC Bridges standard.
static VLANs
Port-based switching is the simplest means of configuring a VLAN. These VLANs are referred to as ___________.
designated ports
Ports that can forward traffic "down" through the network with the least cost are identified as ____________.
network policies or Control Lists (ACL)
Routers enforce _____________ or Access ____________ to restrict communications between the two segments.
virtualization
Segregation and isolation of hosts or applications can also be accomplished using ______________.
screened host
Smaller networks may not have the budget or technical expertise to implement a DMZ. In this case, Internet access can still be implemented using a dual-homed proxy server acting as a ____________.
DoS
Sometimes the term DMZ (or "DMZ host") is used by SOHO router vendors to mean an Internet-facing host or zone not protected by the firewall. This might be simpler to configure and solve some access problems, but it makes the whole network very vulnerable to intrusion and ____________ attack.
Root Bridge
Spanning tree is a means for the bridges to organize themselves into a hierarchy. The bridge at the top of the hierarchy is the _____________.
Bridge
Split tunneling is another example of a potential __________ between different networks.
filtering and access control
Subnets are useful for security, as traffic passing between each subnet can be subjected to ____________ and ________________ at the router.
geographical or logical
Subnets can be used to represent __________________ or _____________________ divisions in the network.
Layer 2
Subnets will usually be mapped to VLANs. The VLAN establishes a logical grouping of hosts at layer ________ of the OSI model (Data Link Layer).
Topology Change Notifications
Subsequently, bridges exchange ____________ if devices are added or removed, enabling them to change the status of forwarding / blocked ports appropriately.
port authentication
Switches that can perform "_______________" can prevent connected devices from changing their MAC address.
Man-in-the-middle (MITM) attack or a Denial of Service (DoS) Attack
The attacker in ARP poisoning can perform a ______________, either by monitoring the communications (forwarding them to the router to avoid detection) or modifying the packets before forwarding them and/or a ___________________ by not forwarding the packets.
ARP Reply
The device with the matching IP from the ARP Request Packet responds with an ________________.
Access Control List (ACL)
The firewall bases its decisions on a set of rules called _____________.
web servers, mail and other communications servers, proxy servers, and remote access servers.
The hosts that provide the extranet or public access services should be placed in one or more demilitarized zones. These would typically include ____________.
Zone
The main building block of the security topology of a particular network location; it is an area of the network (or of a connected network) where the security configuration is the same for all hosts within it.
Content Addressable Memory (CAM)
The switch cache table is referred to as _______________ so the attack is also called CAM table overflow.
Top-of-Rack (ToR) switches
These switches are deployed in data centers.
Aggregation switch
These switches are functionally similar to layer 3 switches, but the term is often used for very high-performing switches deployed in a large enterprise or service provider's routing infrastructure. Rather than 1 Gbps access ports and 10 Gbps uplink ports (as would be typical of a workgroup switch), basic interfaces on an aggregation switch would be 10 Gbps and uplink / backbone ports would be 40 Gbps.
Man-in-the-Middle (MitM)
This attack is where the attacker sits between two communicating hosts, and transparently captures, monitors, and relays all communication between the hosts. This attack could also be used to covertly modify the traffic.
Internet / guest
This is a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the public network.
access, distribution, and core
The three layers of hierarchy with which Cisco recommends designing a campus network.
external interface and internal interface
To configure a DMZ, two different security configurations must be enabled: one on the ________________ and one on the _______________.
Out-of-Band
Using an access method other than the normal data network is referred to as _________ management.
network backdoor; switching loop
When a soft access point is configured, it can create a potential ____________ or could cause a _______________.
OS commands, alterations to the network driver configuration, or using packet crafting software
While a unique MAC address is assigned to each network interface by the vendor at the factory, it is often possible to override it in software via ___________, ________________________, or __________________.
802.1D-2004 / 802.1w
With basic STP, configuration changes can disrupt network communications for extended periods. STP is now more likely to be implemented as _____________ or Rapid STP (RSTP). The rapid version creates outages of a few seconds or less.
Logical
__________________ divisions might represent departmental functions or distinguish servers from clients.
Geographical
_______________________ divisions might represent different floors of an office or networks connected by WAN links.
Single points of failure
A "pinch point" relying on a single hardware server, appliance, or network channel.
Server Type (i.e., Email Mailbox Server)
Ensure that the file (mailbox) is only accessed by authorized clients and that it is fully available and fault tolerant. Ensure that the file (email) service runs with a minimum number of dependencies and that the service is designed to be resilient to faults.
Overdependence on perimeter security
If the network architecture is "flat" (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement.
Access
The client device must access the network, obtaining a physical channel and logical address. The user must be authenticated and authorized to use an application. The corollary is that unauthorized users and devices must be denied access.
Transfer Server (Mail)
This must connect with untrusted Internet hosts, so communications between the untrusted network and the trusted LAN must be carefully controlled. Any data or software leaving or entering the network must be subject to policy-based controls.