CH. 10 Networking
Between two interconnected private networks; between private and public networks, or on the edge of a private network (a network-based firewall that protects an entire private network). Firewall features may also be integrated into routers, switches, and other network devices. (Other types of firewalls only protect the computer on which they are installed; these are known as host-based firewalls.)
Firewall location?
Next Generation Firewalls (Layer 7 firewall)
Have built-in Application Control features and are application aware (they can monitor and limit traffic of specific applications, including by application vendor and digital signature). User aware: adapt to the class of a specific user or user group. May also be context aware: adapt to various applications, users, and devices?
Refers to the A C L's permit and deny criteria: drops the packet if deny characteristics match; forwards the packet if permit characteristics match. If the packet does not match any criteria given, the packet is dropped.
Implicit deny rule?
System Properties dialog box
In Windows, switch from local authentication to network authentication on the domain using the?
Stateful firewall
Is able to inspect each incoming packet to determine whether it belongs to a currently active connection (called stateful inspection) and is therefore a legitimate connection?
Punching a hole in the firewall (simply creating exceptions to the filtering rules).
The most common cause of firewall failure is firewall misconfiguration. The configuration must not be so strict that it prevents authorized users from transmitting and receiving necessary data, but not so lenient that you unnecessarily risk security breaches. You may need to create exceptions to the rules, referred to as?
R S T P (Rapid Spanning Tree Protocol): originally defined by the 802.15 standard; can detect and correct for link failures in milliseconds. TRILL (Transparent Interconnection of Lots of Links): a multipath link-state protocol using IS-IS, developed by the IETF. M S T P (Multiple Spanning Tree Protocol).
Newer (faster) versions of S T P include?
Proxy servers and A C Ls
Non-security devices with security features?
allowed-mac command.
On a Juniper switch, the mac-limit command restricts the number of MAC addresses allowed in the MAC address table. Allowed MAC addresses are configured with the?
A C L (different A C Ls may be associated with inbound and outbound traffic; when A C Ls are installed they are assigned a number or name).
On most routers, each interface must be assigned a separate?
Encryption; user authentication; centralized management; easy rule establishment; content filtering based on data contained in packets; logging and auditing capabilities; protecting the internal LAN's address identity; monitoring packets according to existing traffic streams (stateful firewall)
Optional firewall functions
Examine packets and determine their destination based on Network layer addressing information
Router's main functions?
The amount of storage space needed for the amount of data generated. (Network administrators can fine-tune a S I E M's configuration rules for specific needs, such as which events should trigger responses. Network technicians should review raw data on a regular basis to ensure no glaring indicators are being missed by the existing rules.)
S I E M systems can be configured to evaluate all log data, looking for significant events that require attention from the IT staff. The effectiveness of the S I E M is determined by?
B P D Us (Bridge Protocol Data Units)
S T P information is transmitted between switches via?
B P D U guard (bridge protocol data unit guard): blocks B P D Us on any port serving network hosts and ensures that workstations and servers aren't considered as possible paths; it also enhances security by preventing a rogue switch or computer connected to one of these ports from hijacking the network's S T P path. B P D U filter: can be used to disable S T P on specific ports. Root guard: prevents switches beyond the configured port from becoming the root bridge.
Security precautions that must be configured on S T P-enabled interfaces?
Unified Threat Management.
A security strategy that combines multiple layers of security appliances and technologies into a single safety net with a single point; requires a great deal of processing power, and each layer of coverage depends on the others?
Firewalls and I D S/I P S systems (using multiple options for network security results in layered security, which provides more protection than any one type of device).
Specialized security devices?
I D S (intrusion detection system): detects traffic patterns.
A stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall. Monitors network traffic and generates alerts about suspicious activity. Commonly exists as an embedded feature in U T M solutions or N G F Ws?
Traffic loops (too many broadcast messages).
To make networks more fault tolerant, you install multiple (redundant) switches at critical junctures. Redundancy allows data the option of traveling through more than one switch, making the network less vulnerable to hardware malfunctions. A potential problem with redundant paths is?
Statistical anomaly detection: compares network traffic samples to a predetermined baseline in order to detect anomalies. Signature-based detection: looks for identifiable patterns (signatures) of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic; signatures may be updated, a process called signature management, which includes retiring signatures and selecting the important ones.
Two primary methods for detecting threats?
Unused physical and virtual ports on switches and other network devices should be disabled: use the shutdown command on Cisco, Huawei, and Arista routers and switches; use the no shutdown (Cisco, Arista) or undo shutdown (Huawei) command to enable them again. (For Juniper devices the corresponding commands are disable and enable.)
Unused ports should be
Access control list (Network layer protocol (e.g., IP or I C M P); Transport layer protocol (e.g., T C P or U D P); source IP address; destination IP address; T C P or U D P port number)
Used by routers to decline forwarding certain packets. Acts like a filter to instruct the router to permit or deny traffic according to one or more of the following variables?
Acts as an intermediary between external and internal networks. Screens all incoming and outgoing traffic. Manages security at the Application layer. Appears as an internal network server to the outside world, but is a filtering device for the internal LAN. One of its most important functions is preventing the outside world from discovering the addresses of the internal network. Used to connect to the Internet, and can provide some content filtering since it operates at the Application layer.
What is a proxy server?
Provides services to Internet clients from servers on its own network. Provides identity protection for the server rather than the client. Useful when multiple Web servers are accessed through the same public IP address.
What is a reverse proxy?
One port makes a copy of the traffic and sends it to a second port for monitoring; the number of false positives logged
What is port mirroring? IDS drawback?
Defined in I E E E standard 802.1D. Operates at the Data Link layer. Prevents traffic loops (switching loops) by calculating paths that avoid potential loops and artificially blocking links that complete a loop. If a switch is removed, S T P will recalculate the best loop-free data paths between the remaining switches.
What is the Spanning Tree Protocol (STP)?
I D S can only detect and log suspicious activity. I P S (intrusion prevention system): reacts to suspicious activity when alerted; detects the threat and prevents the traffic from flowing to the network; stops bad traffic and allows valid traffic to pass, based on the originating IP address. You can use I P Ss multiple times, e.g., one for the DMZ and a second one inside the private network on the perimeter of a segment.
What is the difference between IDS and IPS?
What kind of firewall blocks traffic based on application data contained within the packets?
content-filtering firewall
Firewall
Is a specialized device or software that selectively filters or blocks traffic between networks; typically involves a hardware and software combination?
Access-list command. (Example: to permit I C M P traffic from any IP address or network to any IP address or network: access-list acl_2 permit icmp any any. Example: to permit T C P traffic from host 2.2.2.2 to host 5.5.5.5: access-list acl_2 permit tcp host 2.2.2.2 host 5.5.5.5)
Is used to assign a statement to an already-installed A C L; must identify the A C L and include a permit or deny argument?
Stateless firewall
Manages each incoming packet as a stand-alone entity without regard to active connections; faster, but not as sophisticated?
The network address for the segment and a wildcard mask (bits in a wildcard mask work opposite to how bits in a subnet mask work: a 0 in the wildcard mask says to match the IP address bit to the bit given in the network address, and a 1 says you don't care what the IP address bit is. In an A C L, the wildcard 255.255.255.255 allows all IP addresses to pass through.)
Routers can also specify network segments or groups of IP addresses by using?
H I D S (host-based I D S)
Runs on a single computer to alert about attacks on that one host. Might also include F I M (file integrity monitoring), which alerts when changes are made to files that shouldn't change, like OS files.
N I D S (network-based I D S) (often software based and can be installed on a variety of network-connected machines)
Protects a network and is usually situated at the edge of the network or in the D M Z (demilitarized zone), the network's protective perimeter, and can detect suspicious traffic patterns like denial-of-service smurf attacks?
Select the root bridge (master bridge) based on the Bridge I D (B I D), which provides the basis for all subsequent path calculations. Examine possible paths between each network bridge and the root bridge; the most efficient is the least-cost path. S T P enforces this path by allowing, on any bridge, only one root port (the bridge's port that is closest to the root bridge) to forward frames toward the root bridge. Disable links not part of the shortest path by enabling only the lowest-cost port on each link between two bridges to transmit network traffic; this port is called the designated port, but all ports can still receive S T P information.
3 steps in the Spanning Tree Protocol?
The more statements or tests a router must scan, the more time it takes the router to act.
A C Ls affect router performance in what way?
Security appliances, which can perform several functions like encryption, load balancing, and I P S in addition to packet filtering.
A SOHO wireless router typically acts as a firewall and includes packet filtering options. Devices made by Cisco or Fortinet for enterprise-wide security are known as?
S P B (Shortest Path Bridging)
A descendant of S T P that operates at Layer 3. Keeps all potential paths active while managing the flow of data across these paths to prevent loops; by utilizing all network paths, it greatly improves network performance?
Low security (can't remotely lock down user accounts). Convenience varies (a network of more than 12 computers can make using local authentication hard). Reliable backup access (during a network or server failure the only workable option is local authentication; these devices should be configured with a local privileged account used only when the network and server are unavailable, and it should have very secure credentials). (With local authentication, every computer on the network is responsible for securing its own resources; the account on the local user/workstation must match the account you're trying to access.)
A user can be authenticated to the local device or to the network. Local authentication: usernames and passwords are stored locally, which has both advantages and disadvantages:
switchport port-security (or just port-security on Huawei switches): essentially a MAC filtering function that also protects against MAC flooding (once the MAC table is full, a security violation occurs if another device attempts to connect to a port; by default the switch will shut down that port, or it can restrict data from the rogue device and generate an SNMP notification).
Another Cisco command (also used on Arista devices) to secure switch access ports against MAC flooding?
Source and destination IP addresses; source and destination ports; flags set in the T C P header; transmissions using the U D P or I C M P protocols; the packet's status as the first packet in a new data stream or a subsequent packet; the packet's status as inbound to or outbound from the private network. Port blocking prevents any user from connecting and completing a transmission through those ports (for example, insecure NetBIOS ports).
Common packet-filtering firewall criteria?
Authentication: the process of verifying a user's credentials to grant the user access to secured resources (who are you). Authorization: determines what the user can and cannot do with network resources; affects Layer 2 segmentation, Layer 3 filtering, and Layer 7 entitlement (what are you allowed to do). Accounting: keeps an account of the client's system or network usage (what did you do).
Controlling users' access to a network and its resources consists of what three major elements (i.e., what are the 3 components used to manage access control to a network)?
Packet-filtering firewall (refers to its A C L to determine whether the type of packet is authorized, regardless of whether it is on its internal or external network).
Examines the header of every entering packet (inbound traffic) on any of its interfaces; the simplest form of firewall. Can block traffic entering or exiting a LAN (outbound traffic)?
Blocks the most common security threats. Preconfigured to accept and deny certain traffic types. Network administrators often customize the settings (it is good to use firewalls for filtering on servers too).
Firewall default configuration?