Chapter 19: Secure Network Design
You should be (deeply) familiar with bridges and repeaters, hubs and switches, routers, firewalls and edge devices from your Network+ studies.
Be clear that the functions of many of these edge devices are more and more often found merged in one box. Depending on the size of your enterprise, that box may be from Cisco, Juniper, Fortinet or many others. If you have less to spend, you’ll be looking at free/community edition edge devices or software (which will often be called “firewalls” though they do much more).
Defense in Depth / Layered Security
Vendor diversity
Control diversity
Administrative
Technical
Physical
User Training
Load Balancing
Active/active
Active/passive
Scheduling
Virtual IP
Persistence
Scheduling:
Affinity
Round-robin
Persistence
Network Segmentation
Virtual local area network (VLAN)
Screened subnet (previously known as demilitarized zone)
East-west traffic
Extranet
Intranet
Zero Trust
https://en.wikipedia.org/wiki/Zero_trust_security_model
Segmentation concepts from the 501 exam
RSTP
https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html
Flat / depthless networks
https://en.wikipedia.org/wiki/Flat_network
Enclaves
https://en.wikipedia.org/wiki/Network_enclave
Virtual Private Network (VPN)
Always-on
Split tunnel vs. full tunnel
Remote access vs. site-to-site
IPSec
SSL/TLS
HTML5
L2TP: Layer 2 tunneling protocol (Cisco)
PPTP: Point to Point tunneling protocol (MS)
DNS
DNS servers are the most potentially toxic servers on the Internet.
DNS servers update each other through Zone Transfers, which is a major vulnerability.
DNS servers can be attacked by cache poisoning.
Prevent these attacks by:
- Closing TCP port 53 (used for zone transfers), or
- Rejecting inbound connections on port 53, or
- Explicitly designating which servers are trusted to receive zone transfers, or
- DNSSEC.
NAC: Network Access Control (802.1x)
MAC filtering
RADIUS
Agent and agentless
Out-of-band management
Port security
Broadcast storm prevention
Bridge Protocol Data Unit (BPDU) guard
Loop prevention
Dynamic Host Configuration Protocol (DHCP) snooping
https://en.wikipedia.org/wiki/DHCP_snooping
Media access control (MAC) filtering
Network appliances
Jump servers
Proxy servers
Forward
Reverse
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
Signature-based
Heuristic/behavior
Anomaly
Inline vs. passive
HSM
Sensors
Collectors
Aggregators
Firewalls
Filtering packets as they arrive is the primary means of protection. Filtering can be by:
- IP address
- Domain name
- Protocol (TCP, UDP, IP)
- Port
- Text-based, by word or phrase
The filtering criteria are called a rule base. This is a chain of rules, ending in a final “cleanup rule,” that is scanned in sequence (“rule base scanning”), with any rejection aborting the packet’s passage into the network. Each rule has an action:
- Allow
- Deny (which returns rejection information to the sender)
- Drop (which sends no information back to the sender)
The critical action for the network administrator is examining log files, no less than weekly.
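The rule base scanning just described, and the DNS point above about designating which servers may receive zone transfers, as an added worked example (this is illustrative code written for these notes, not taken from any firewall product or from the original page). It walks an ordered chain of rules, stops at the first match, distinguishes Deny (sender is told) from Drop (silent), refuses to run a rule base that does not end in a cleanup rule, and produces the log lines an administrator would later review. The rule names, addresses and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three rule actions from the notes. DENY returns rejection information to
# the sender (e.g. a TCP RST or ICMP unreachable); DROP discards silently.
ALLOW, DENY, DROP = "allow", "deny", "drop"


@dataclass
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "ip"
    dport: Optional[int] = None  # destination port (None for plain IP)


@dataclass
class Rule:
    name: str
    action: str
    src: Optional[str] = None    # CIDR prefix; None matches any source
    dst: Optional[str] = None    # CIDR prefix; None matches any destination
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        """Every criterion that is set must match; unset criteria are wildcards."""
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def is_cleanup(rule: Rule) -> bool:
    """A cleanup rule sets no criteria at all, so it matches every packet."""
    return rule.src is None and rule.dst is None and rule.proto is None and rule.dport is None


def scan_rule_base(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Rule base scanning: walk the chain in order; the first matching rule decides.

    Refuses to operate without a trailing cleanup rule, so no packet can ever
    fall off the end of the chain without an explicit decision.
    """
    if not rules or not is_cleanup(rules[-1]):
        raise ValueError("rule base must end with a cleanup rule")
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    raise AssertionError("unreachable: the cleanup rule matches everything")


def log_line(p: Packet, action: str, rule: str) -> str:
    """One entry of the log the administrator is expected to review."""
    return f"{action.upper():5} {p.proto}/{p.dport} {p.src} -> {p.dst} (rule: {rule})"


# Constructed sample rule base (documentation-range addresses, hypothetical names).
# TCP/53 is allowed only from the designated secondary DNS server; any other
# zone-transfer attempt is dropped silently, before the cleanup rule is reached.
RULES = [
    Rule("web-https", ALLOW, dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("dns-query", ALLOW, dst="203.0.113.53/32", proto="udp", dport=53),
    Rule("dns-xfer-secondary", ALLOW, src="198.51.100.5/32", dst="203.0.113.53/32", proto="tcp", dport=53),
    Rule("dns-xfer-block", DROP, proto="tcp", dport=53),
    Rule("ssh-deny", DENY, proto="tcp", dport=22),
    Rule("cleanup", DROP),  # final rule: no criteria, drops everything else
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("192.0.2.77", "203.0.113.10", "tcp", 443),   # public web traffic
    Packet("198.51.100.5", "203.0.113.53", "tcp", 53),  # trusted secondary zone transfer
    Packet("192.0.2.77", "203.0.113.53", "tcp", 53),    # unlisted host trying TCP/53
    Packet("192.0.2.77", "203.0.113.10", "tcp", 22),    # SSH from the Internet
    Packet("192.0.2.77", "203.0.113.53", "udp", 123),   # NTP: nothing matches, cleanup
]


def decide_all(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Run every packet through the rule base and return the resulting log lines."""
    return [log_line(p, *scan_rule_base(rules, p)) for p in packets]


if __name__ == "__main__":
    for line in decide_all(RULES, SAMPLE_PACKETS):
        print(line)
```

Note the order: the specific allow for the trusted secondary precedes the broad TCP/53 drop, because the first match wins. Swapping those two lines would silently break zone transfers to the legitimate secondary, which is exactly the kind of mistake a weekly log review surfaces.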
Types of Firewalls
True firewalls: Packet filters (Layer 3: IP addresses and port numbers)
ACLs
Application proxies (Layer 7)
Forward
Reverse
WAF: Web application firewall
Network proxy (Layer 3)
NGFW
Stateful packet filtering (Layer 5)
Stateless
UTM: Unified threat management
NAT: Network address translation gateway
Content filter / URL filter
Open-source vs. proprietary
Hardware vs. software
Appliance vs. host-based vs. virtual
Route(r) Security
Routers
ACL: Access control list
Antispoofing
QoS: Quality of service
Implications of IPv6
Port spanning/port mirroring
Port taps
Switch Port Analyzers
Port mirroring
Port monitoring
Port Security
Static learning
Dynamic learning
Sticky learning
Loop prevention
Flood guard
Monitoring services
File integrity monitors
About Firewalls: What IT Pros Know (But isn’t on the 601 exam)
pfSense
“pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.” – https://en.wikipedia.org/wiki/PfSense