Chapter 10: Security in Network Design


Any Command

Is equivalent to using a wildcard mask of 255.255.255.255 which allows all IP addresses to pass through.

Signature-Based Detection

Looks for identifiable patterns or signatures of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic on the organization's network.

Stateless Firewall

Manages each incoming packet as a stand-alone entity without regard to currently active connections.

PNAC (port-based network access control)

Means by which the switch or router performs authentication of the attached device before activating the port.

Persistent Agent

Monitors the device's status regarding the security benchmarks to determine the device's compliance. Permanently installed on a device. This more robust program might provide additional security measures, such as remote wipe, virus scans, and mass messaging.

Nonpersistent Agent

Monitors the device's status regarding the security benchmarks to determine the device's compliance. Remains on the device only long enough to verify compliance and complete authentication, and then uninstalls itself.

Host-Based Firewall

Only protects the computer on which it is installed.

Root Guard

Prevents switches beyond the configured port from becoming the root bridge.

EAP (Extensible Authentication Protocol)

Provides the framework for authenticating clients and servers. Does not perform encryption or authentication on its own. Works with other devices such as RADIUS. Encapsulated inside RADIUS messages. Organizes communications with the network client device, while RADIUS handles the actual authentication on the server.

CHAP (Challenge Handshake Authentication Protocol)

Rarely used today. Encrypts usernames and passwords for transmission. Requires three steps to complete the authentication process:
1. The server asks the client to answer a challenge.
2. The client responds with a one-way hash of the answer.
3. The server calculates the expected hash and checks whether it matches.

HIPS (host-based intrusion prevention system)

Runs on a single computer and intercepts potential threats to help prevent attacks against that host.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)

Similar to CHAP. Insecure because an attacker who eavesdrops on the network can capture the string of characters that is encrypted with the password, decrypt the string, and obtain the client's password.

5 categories of authentication factors

Something you know - A password or PIN.
Something you have - An ATM card, smart card, or key.
Something you are - A fingerprint or facial pattern.
Somewhere you are - Your location or a secured closet.
Something you do - The way you type, speak, or walk.

IPS (Intrusion Prevention System)

Stands in-line between the attacker and the targeted network or host, and can prevent traffic from reaching that network or host.

SPB (Shortest Path Bridging)

Supported by Avaya, Alcatel, Huawei, and Cisco. Created to address the weakness of STP. Relies on IS-IS (Intermediate System to Intermediate System). Keeps all potential paths active while managing the flow of data across those paths to prevent loops.

Signature Management

The process of regularly updating the signatures used to monitor a network's traffic.

KDC (Key Distribution Center)

The server that issues keys to clients during initial client authentication.

Root Bridge

The single bridge on a network selected by the Spanning Tree Protocol to provide the basis for all subsequent path calculations.

iptables

The software firewall that is included with most Linux distributions. Allows a system administrator to alter the Linux kernel firewall by creating rules that determine whether a packet is dropped or accepted. Filters incoming, outgoing, and forwarded traffic.

AAA (authentication, authorization, and accounting)

A framework consisting of three major elements that controls users' access to a network and its resources.

Authentication

This is the process of verifying a user's credentials (typically a username or password) to grant the user access to secured resources on a system or a network.

Role Separation

This means each user can only be a member of a single group in order to perform any tasks at all. If a user is listed in more than one group, all privileges and permissions are locked down for that user.

Authorization

This process determines what the user can and cannot do with network resources.

Accounting

This process logs users' access and activities on the network.

Access-List Command

Used to assign a statement to an already installed ACL.

MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)

Uses strong encryption. Does not use the same encryption strings for transmission and reception. Requires mutual authentication.

Packet-Filtering Firewall

— A network device or application that examines the header of every packet of data it receives on any of its interfaces (called inbound traffic).
— Refers to its ACL to determine whether that destination is on the internal LAN or on an external network.

Storm Control command

— A type of flood guard that protects against flooding attacks from broadcast and multicast traffic.
— Monitors network traffic at one-second intervals to determine if the traffic levels are within acceptable thresholds.
— Any time traffic exceeds the predetermined threshold, all traffic is dropped for the rest of the time interval.
— Limits the amount of broadcast or multicast traffic flowing through the switch.

ACL (Access Control List)

— Acts like a filter to instruct the router how to handle certain packets depending on their content.
— Acts like a filter to instruct the router to permit or deny traffic according to the Network layer, Transport layer, source IP, destination IP, or TCP/UDP port number.
— Is not automatically installed on a router.

BPDU Guard

— Blocks BPDUs on any port serving network hosts.
— Ensures these devices aren't considered as possible paths.

STP (Spanning Tree Protocol)

— Functions at the Data Link layer.
— Is used for routing and prevents network loops by adopting a dynamic routing method.
— Can adapt to changes on the network.
— Eliminates loops.
— Provides redundant paths between devices.
— Enables dynamic role configuration.
— Recovers automatically from a topology change or device failure.
— Identifies the optimal path between any two network devices.
— Weakness: Allows only a single active path between two switches at any given time.

SIEM (Security Information and Event Management)

— Help to increase the efficiency and effectiveness of detecting security issues.
— Are sold as a software application or as stand-alone security appliances.
— Not all are the same, but most of them include similar features.
— Can be configured to evaluate data, looking for significant events that require attention from the IT staff according to predefined rules.

Reverse Proxy

— Provides services to Internet clients from servers on its own network.
— Provides identity protection for the server rather than the client.
— Useful when multiple web servers are accessed through the same public IP address.

TKIP (Temporal Key Protocol)

— Uses a message integrity code, called Michael, that ensures incoming packets are coming from their declared source.
— Assigns every transmission its own key.
— Includes encryption originally provided by RC4 (Rivest Cipher 4), a now insecure encryption cipher that is still widely used.

Proxy Server

— Acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic.
— Manages security at the Application layer.
— Only provides low-grade security relative to other security devices.
— Can help prevent an attack on internal network resources such as web servers and clients.
— Another content-filtering device for the internal LAN.
— Devices often combine this with a firewall for more protection.

switchport port-security command

A Cisco command used to secure switch access ports. It is essentially a MAC filtering function that also protects against MAC flooding.

mac-limit

A Juniper command that restricts the number of MAC addresses allowed in the MAC address table.

Principal

A Kerberos client or user.

Kerberos

A cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system. A private key encryption service. Considered especially secure. Clients must prove their identities through a third party. Runs two services:
— Authentication Service
— Ticket-Granting Service

Network-based Firewall

A firewall placed on the edge of a private network that monitors the connections between a private network and a public network (such as the Internet). Protects an entire private network.

TRILL (Transparent Interconnection of Lots of Links)

A multipath, link-state protocol developed by the IETF. A replacement for STP to solve blocking problems with the software. Supported by Cisco, Brocade, and Juniper. Ideal for data centers. Brings IS-IS routing intelligence into the switched fabric. Routes traffic from switch to switch at Layer 2.
— No blocking: all links active.
— ECMP (equal cost multipath): load-shares across all of the paths (max. 16 paths at a time).
— Fast convergence.

UTM (Unified Threat Management)

A security strategy that combines multiple layers of security appliances and technologies into a single safety net. Can provide a full spread of security services managed from a single point of control. Cons: If one layer of coverage is low quality, the overall protection is significantly compromised.

RADIUS Server

A server that offers centralized authentication services to a network's access server, VPN server, or wireless access point via the RADIUS protocol. Highly scalable. Many ISPs use this as a central authentication point for wireless, mobile, and remote users. Often combined with other network services on a single machine.

IDS (Intrusion Detection System)

A stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall. It monitors network traffic, generating alerts about suspicious activity. Generally installed to provide security monitoring inside the network. Most commonly exists as an embedded feature in UTM solutions or NGFWs. Cons: Can create a number of false positives.

LDAP (Lightweight Directory Access Protocol)

A standard protocol for accessing network directories.

Ticket

A temporary set of credentials that a client uses to prove to other servers that its identity has been validated. Not the same as a key. Used to gain access to another network service, such as an email.

NIDS (network-based intrusion detection system)

A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's protective perimeter, known as the DMZ (demilitarized zone). Can detect many types of suspicious traffic patterns.

HIDS (host-based intrusion detection system)

A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host.

BPDU (Bridge Protocol Data Unit)

A type of network message that transmits STP information between switches.

FIM (file integrity monitoring)

A type of software that reviews system files to ensure that they have not been tampered with. Works by generating a baseline checksum of the monitored files and then recalculating the checksum at regular intervals to determine if anything has changed.

TACACS+ (Terminal Access Control Access Control System+)

AAA protocol. Offers network administrators the option of separating the authentication, authorization, and auditing capabilities.
— Relies on TCP only at the Transport layer.
— Typically installed on a router or a switch, rather than on a server.
— Most often used for device administration access control for technicians, although it can be used for network resource access control for users.
— Encrypts all information transmitted for AAA (RADIUS only encrypts the password).

Stateful Firewall

Able to inspect each incoming packet to determine whether it belongs to a currently active connection (called a stateful inspection) and is therefore a legitimate packet.

NIPS (network-based intrusion prevention system)

Actively inspects network traffic in real-time and has the capability to stop the ongoing attack. Also detects malicious content.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling)

Also a form of tunneled EAP. Works similarly to PEAP, except faster. Uses PACs (Protected Access Credentials), which are somewhat similar to cookies that websites store on a user's computer to track their activities. A PAC is stored on a supplicant device for speedier establishment of the TLS tunnel in future sessions.

NGFW (Next Generation Firewall)

Also called a Layer 7 firewall. Combines a traditional firewall with another network device (such as an intrusion prevention system) to get additional functionality.

RBAC (Role-Based Access Control)

An access control model that manages rights and permissions based on job descriptions and responsibilities.

Agentless Authentication

An authentication process in which the user is authenticated rather than the device. The device is then scanned to determine compliance with access control requirements.

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)

An encryption protocol designed for wireless LANs. Improves wireless security for newer devices that can use WPA2. Helps ensure data confidentiality with both encryption and packet authentication. Ensures incoming packets are coming from their declared source. Uses AES, which provides faster and more secure encryption than TKIP for wireless transmissions.

EAP-TLS (EAP-Transport Layer Security)

An extension of EAP sometimes used with 802.1x. This is one of the most secure EAP standards and is widely implemented. Uses TLS encryption to protect communications. Also uses PKI (public-key infrastructure) certificates to exchange public keys and to authenticate both the supplicant and the server through mutual authentication.

OSA (Open System Authentication)

An insecure form of authentication used by WEP where no key is used at all.

SKA (Shared Key Authentication)

An insecure form of authentication, used by WEP, where all wireless access clients use the same key, which can then be used for encrypted transmissions.

PAP (Password Authentication Protocol)

An older authentication protocol where passwords are sent across the network in clear text. Rarely used today.

RADIUS (Remote Authentication Dial-In User Service)

An open source standard that runs in the Application layer. Can use either UDP or TCP in Transport layer. Treats authentication and authorization as a single process. Can operate as a software application on a remote access server.

Active Directory

By default is configured with Kerberos protocol. Kerberos provides authentication with the database and then LDAP provides authorization by determining what the user can do while they're on the network.

Shutdown command

CLI command that closes unused physical and virtual ports on switches and other network devices.

no shutdown command

CLI command that re-enables ports that have been shut down.

Content-Filtering Firewalls

Can block designated types of traffic based on application data contained within packets.

RSTP (Rapid Spanning Tree Protocol)

Can detect and correct for link failures in milliseconds.

Statistical Anomaly Detection

Compares network traffic samples to a predetermined baseline in order to detect anomalies beyond certain parameters.

PEAP (Protected Extensible Authentication Protocol)

Creates an encrypted TLS tunnel between the supplicant and the server before proceeding with the usual EAP process. Provides an extra layer of protection for EAP. Uses TLS to encrypt the authentication process by encapsulating and encrypting the EAP conversation in a Transport Layer Security (TLS) tunnel. Since TLS requires a certificate, PEAP-TLS requires a certification authority (CA) to issue certificates.

BPDU Filter

Disables STP on specific ports.

EAPoL (Extensible Authentication Protocol over LAN)

EAP is carried by Ethernet frames instead of PPP messages.

Mutual Authentication

Each computer verifies the credentials of the other.

NAC (Network Access Control)

Employs a set of rules called network policies which determine the level and type of access granted to a device when it joins a network. Authenticates and authorizes devices by verifying that the device complies with predefined security benchmarks.

Implicit Deny Rule

Ensures that any traffic the ACL does not explicitly permit is denied by default.

User Aware

Feature on NGFWs (next generation firewalls). Adapts to the class of a specific user or user group.

Application Aware

Feature on NGFWs. Monitors and limits the traffic of specific applications, including by the application's vendor and digital signature. This includes built-in Application Control features.
