Chapter 9: Implementing Secure Network Designs
7
DNS servers operate at layer __________ of the OSI model
128
IPv6 addresses are __________ bits
mutual authentication
Man in the middle attacks can be defeated using ____________________, where both hosts exchange secure credentials, but at layer two it is not always possible to put these controls in place
DHCP snooping
a configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing by inspecting traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address
Open Shortest Path First (OSPF)
a link state routing protocol used on IP networks
subnetted
a single network divided into multiple logical broadcast domains is said to be ______________
segregation
a situation where hosts on one network segment are prevented from or restricted in communicating with hosts on other segments
route
a successful attack against ____________ security enables the attacker to redirect traffic from its intended destination
complex dependencies
a typical weakness for network designs is having ___________________, meaning services that require many different systems to be available
point of failure
a typical weakness of network designs is a single _________________ which is a pinch point that relies on a single hardware server or appliance or network channel
MAC flooding
a variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses
documentation, change control
a weakness in network designs is a lack of ____________________ and __________________, meaning network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted
MAC cloning
an attack in which an attacker falsifies the factory assigned MAC address of a device's network interface
MAC filtering
applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it
Bridge Protocol Data Unit (BPDU)
are used to communicate information about the topology of a network and are not expected on access ports
east west traffic
design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out
load balancers
distribute traffic between network segments or servers to optimize performance, work at layer 4 of the OSI model or higher
Service Set Identifier (SSID)
A network name that wireless access points use to identify themselves.
DMZs
The hosts that provide the extranet or public access services should be placed in one or more ________________ which would typically include web servers, mail and other communication servers, proxy servers and remote access servers
flows
Understanding and controlling how data ______________ between systems is a key part of secure and effective network design
Network Access Control (NAC)
a general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level
segment
a portion of a network where all attached hosts can communicate freely with one another
3
firewalls operate on layer _______ of the OSI model
screened host
smaller networks may not have the budget or technical expertise to implement a DMZ, so internet access can still be implemented using a dual homed proxy/gateway server acting as a _________________
network mapping
software that can scan a network and identify hosts, addresses, protocols, network interconnections, and so on
eavesdropping
some transmission media are susceptible to this, meaning listening in to communications sent over the media, to secure transmissions, they must be encrypted
triple homed
a DMZ can be established using one router/firewall appliance with three network interfaces, referred to as ________________
access point
a device that provides a connection between wireless devices and can connect to wired networks
internet
a zone permitting anonymous access by untrusted hosts over the internet
extranet
a zone referring to a network of semi trusted hosts, typically representing business partners, suppliers, or customers, hosts must authenticate to join
intranet
a zone referring to a private network that is only accessible by the organization's own personnel
firewalls
apply an access control list to filter traffic passing in or out of a network segment
zone
in networking infrastructure, an area of a network where the security configuration is the same for all hosts within it
proxy
if communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a _______________
2
layer ___________ network forwarding occurs between nodes on the same local network segment that are all in the same broadcast domain
3
layer ____________ network forwarding, or routing, occurs between both logically and physically defined networks
4
load balancers operate at layer ___________ of the OSI model
VLAN
logically separate network, created by using switching technology, even though two hosts on two of these may be physically connected to the same cabling, local traffic is isolated to each one so they must use a router to communicate
2
switches work at layer __________ of the OSI model
wireless controllers
a device that provides wireless LAN management for multiple APs so that each wireless access point does not need to be individually managed
routing protocols
allows a router to perform dynamic updates to its routing table based on route data exchanged with other routers
32
an IPv4 address is ____________ bits
2
wireless access points operate at layer _________ of the OSI model
fat, thin
An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a __________ WAP, while one that requires a wireless controller in order to function is known as a ___________ WAP
STP
Layer 2 loops are prevented by _________________ by dynamically disabling links as needed
secret
Most dynamic routing protocols support message authentication via a shared ___________ configured on each device, preventing route table poisoning
Routing Information Protocol (RIP)
a distance vector based routing protocol that uses a hop count to determine the distance to the destination network
Enhanced Interior Gateway Routing Protocol (EIGRP)
a distance vector based routing protocol using a metric composed of several administrator weighted elements including reliability, bandwidth, delay, and load
screened host
a dual homed proxy/gateway server used to provide internet access to other network nodes, while protecting them from external attack
man in the middle attack
a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently, also referred to as an on path attack
packet crafting
a method of manually generating packets (instead of modifying existing network traffic) to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place
ARP poisoning
a network based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient, this can be used to perform a variety of attacks, including DoS, spoofing, and MITM
router
a network device that links dissimilar networks and can support multiple alternate paths between locations based on parameters such as speed, traffic loads, and price; it can apply logical IP subnet addresses to segments within a network
border gateway protocol
a path vector routing protocol used by ISPs to establish routing between one another
microsegmentation
a security process that is capable of applying policies to a single node, as though it was in a zone of its own
DMZ
a segment isolated from the rest of a private network by one or more firewalls that accepts connections from the internet over designated ports
bastion host
a server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise
perimeter security
a weakness in network design is an overdependence on _______________________, meaning if the network architecture is flat, penetrating the network edge gives the attacker freedom of movement
2
at layer __________, a broadcast domain is either all the nodes connected to the same physical unmanaged switch, or all the nodes within a VLAN
man in the middle
attackers can take advantage of the lack of security in low level data link protocols to perform _______________________ attacks
VLANs
because enterprise networks typically feature hundreds of switching appliances and network ports, segmentation is more likely to be enforced using ______________
DNS servers
host name records and perform name resolution to allow applications and users to address hosts and services using fully qualified domain names rather than IP addresses
IPv4
hosts should be allocated IPv6 addresses that map to the same zones as the _____________ topology
3
the network layer is layer __________ of the OSI model and includes routers, IP addresses, subnets, and the internet protocol
1, 2
Attacks at the physical and data link layers, referred to in the OSI model as layer _______ or layer __________, are often focused on information gathering
intranet, extranet, internet
There are three main zones in network topology:
port-based network access control (PNAC)
A switch or router that performs some sort of authentication of the attached device before activating the port, using an AAA server to authenticate the attached device before activating the port
3
routers operate on layer ________ of the OSI model
route table poisoning
Routing protocols that have no or weak authentication are vulnerable to ____________________ meaning that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole, or continuously looped around the network, causing DoS
broadcast storms
STP is principally designed to prevent _________________, which is traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches
MAC cloning
While a unique MAC address is assigned to each network interface by the vendor at the factory, it is possible to complete __________________ in software via OS commands, alterations to the network driver configuration, or using packet crafting software
2.4, 5
Wireless networks can operate in either the ______________ GHz band or the ______________ GHz band
ARP
_____________ maps a network interface's hardware address to an IP address
network access control
______________________ products allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access, this is called a health policy
screened
a ______________ subnet uses two firewalls placed on either side of the DMZ
site survey
a collection of information about a location for the purposes of building an ideal infrastructure; it often contains optimum locations for wireless antenna and access point placement to provide the required coverage for clients and identifying sources of interference
availability
a common weakness in network designs is prioritizing _________________ over confidentiality and integrity, to take shortcuts to get a service up and running
choke
in a screened subnet, the ______________ firewall is internal and filters communications between hosts in the DMZ and hosts on the LAN
edge
in a screened subnet, the ______________ firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ, it can be referred to as a screening firewall or router
heat map
in a wifi site survey, a diagram showing signal strength at different locations, shows red for strong signal, and green/blue for weak signal, and which channel is being used and how they overlap
switch
in ethernet, a networking device that receives incoming data, reviews the destination MAC address against an internal address table, and sends the data out through the port that contains the destination MAC address
routing table
information about how to reach individual networks within an internetwork is processed by routers, which store the data in a __________________
DMZ
internet facing hosts are placed inside one or more _______________
security
it is quite likely that more than one DMZ will be required as the services that run in them may have different _____________ requirements
2
the data link layer is layer _________ of the OSI model and includes switches, access points, mac addresses and VLANs
port security
preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile
wireless access points
provide a bridge between a cabled network and wireless clients or stations, operate at layer 2 of the OSI model
zero trust
security design paradigm where any request (host to host or container to container) must be authenticated before being allowed
Wi-Fi Protected Access (WPA)
standards for authenticating and encrypting access to wifi networks, designed to fix critical vulnerabilities in WEP
BPDU guard
switch port security feature that disables the port if it receives BPDU notifications related to spanning tree, this is configured on access ports where any BPDU frames are likely to be malicious
7
the application layer is layer ___________ of the OSI model and includes fully qualified domain names, and protocols such as HTTP, SMTP, RTP, FTP, and DNS
DMZ
the basic principle of a _____________ is that traffic cannot pass directly through it, it enables external clients to access data on private systems without compromising the security of the network as a whole
ARP
the broadcast mechanism by which individual hardware MAC addresses are matched to an IP address on a local network segment
posture assessment
the process for verifying compliance with a health policy by using host health checks
MAC address table
the table on a switch keeping track of MAC addresses associated with each port, as the switch uses a type of memory called content addressable memory, this is sometimes called the CAM table
4
the transport layer is layer _________ of the OSI model and includes load balancers, firewalls, TCP, UDP
default gateway
the usual target of an ARP poisoning attack is the ___________________, meaning if successful, all traffic destined for remote networks will be sent to the attacker
source routing
this uses an option in the IP header to predetermine the route a packet will take through the network or waypoints that it must pass through, this can be used to maliciously spoof IP addresses and bypass router/firewall filters
internal, external
to configure a DMZ, two different security configurations must be enabled, one on the _____________ interface and one on the ______________ interface
north south
traffic that goes to and from a data center is referred to as _________________ and represents clients outside the data center making requests and receiving responses