Security+ SY0-601: 3.3: Secure Network Design

Chapter 19: Secure Network Design

You should be (deeply) familiar with bridges and repeaters, hubs and switches, routers, firewalls and edge devices from your Network+ studies.

Be clear that the functions of many of these edge devices are more and more often found merged into one box. Depending on the size of your enterprise, that box may be from Cisco, Juniper, Fortinet or many others. If you have less to spend you’ll be looking at free/community-edition edge devices or software (which will often be called “firewalls” though they do much more).

Defense in Depth / Layered Security

Vendor diversity

Control diversity

Administrative

Technical

Physical

User Training

Load Balancing

Active/active

Active/passive

Scheduling

Virtual IP

Persistence

Scheduling:

Affinity

Round-robin

Persistence
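The three scheduling behaviours above are easiest to see side by side. The following is an added example, not code from the page or from any load-balancer product: a toy balancer in front of three backends sharing one virtual IP, with round-robin, source-IP affinity and a persistence (sticky) table. Backend names and client addresses are constructed for illustration.

```python
"""Toy load balancer: round-robin, source-IP affinity and persistence.
Added example; backends and client IPs below are constructed, not real."""
from hashlib import sha256
from itertools import cycle


class LoadBalancer:
    def __init__(self, backends):
        # Active/active pool behind one virtual IP: every backend takes traffic.
        self.backends = list(backends)
        self._rr = cycle(self.backends)
        # Persistence table: client address -> backend chosen on first contact.
        self.sticky = {}

    def round_robin(self):
        """Each new request goes to the next backend, regardless of client."""
        return next(self._rr)

    def affinity(self, client_ip):
        """Source-IP affinity: a hash of the client address picks the backend.
        No state is kept, but the mapping reshuffles whenever the pool changes."""
        digest = sha256(client_ip.encode()).digest()
        return self.backends[int.from_bytes(digest[:4], "big") % len(self.backends)]

    def persistent(self, client_ip):
        """Persistence: remember which backend a client got and keep sending it
        there, so server-side session state is not lost mid-session."""
        if client_ip not in self.sticky:
            self.sticky[client_ip] = self.round_robin()
        return self.sticky[client_ip]

    def remove_backend(self, name):
        """Health check failed: drop the backend and invalidate any persistence
        entries that pointed at it (otherwise clients keep being sent to a corpse)."""
        self.backends.remove(name)
        self._rr = cycle(self.backends)
        self.sticky = {c: b for c, b in self.sticky.items() if b != name}


if __name__ == "__main__":
    lb = LoadBalancer(["web1", "web2", "web3"])
    print("round-robin:", [lb.round_robin() for _ in range(4)])
    print("affinity   :", lb.affinity("10.0.0.5"), lb.affinity("10.0.0.5"))
    print("persistent :", lb.persistent("10.0.0.5"), lb.persistent("10.0.0.5"))
    lb.remove_backend(lb.sticky["10.0.0.5"])
    print("after fail :", lb.persistent("10.0.0.5"))
```

Affinity costs nothing to store but remaps clients when a backend joins or leaves; persistence survives pool changes for clients whose backend is still up, but the table itself has to be cleaned when a backend fails.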

Network Segmentation

Virtual local area network (VLAN)

Screened subnet (previously known as demilitarized zone)

East-west traffic

Extranet

Intranet

Zero Trust


Segmentation concepts from the 501 exam

RSTP

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html

Flat / depthless networks

https://en.wikipedia.org/wiki/Flat_network

Enclaves

https://en.wikipedia.org/wiki/Network_enclave

Virtual Private Network (VPN)

Always-on

Split tunnel vs. full tunnel

Remote access vs. site-to-site

IPSec

SSL/TLS

HTML5

L2TP: Layer 2 Tunneling Protocol (IETF standard that merged Cisco’s L2F with PPTP; it provides no encryption of its own, so it is normally run over IPsec as L2TP/IPsec)

PPTP: Point-to-Point Tunneling Protocol (Microsoft; its MS-CHAPv2 authentication and the MPPE keys derived from it are broken, so it should no longer be deployed)

DNS

DNS servers are among the most dangerous servers to get wrong on the Internet: a compromised or misconfigured resolver can silently redirect every client that trusts it.

Authoritative DNS servers replicate zone data to their secondaries through zone transfers (AXFR/IXFR). A server that answers zone transfer requests from anyone hands an attacker a complete map of your hosts, which is a serious information-disclosure weakness.

Recursive DNS servers can be attacked by cache poisoning: an attacker races the legitimate reply with forged ones so that a bogus record is cached and then served to every client. These are two different problems with two different fixes:

      • Restrict zone transfers by explicitly designating which servers are trusted to receive them (an allow-transfer list, ideally authenticated with TSIG). Do not simply close TCP port 53: TCP is also needed for replies too large for UDP and for DNSSEC, so blocking it breaks normal resolution.
      • Do not run an open resolver: answer recursive queries only from your own networks, and keep the authoritative and recursive roles on separate servers.
      • Make forged replies hard to match: randomize source ports and transaction IDs, and accept an answer only if it matches the outstanding query.
      • Deploy DNSSEC so that validating resolvers reject records not signed by the zone owner.
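The cache-poisoning race is best understood from the resolver’s side. The following is an added example, not code from the page or from any DNS software: a toy resolver that records an outstanding query, accepts a reply only if its transaction ID, destination port and question match, keeps only records inside the zone it actually asked (the “bailiwick” rule), and computes how much harder source-port randomization makes blind forgery. Messages are plain dicts, not DNS wire format, and the zone name and addresses are constructed.

```python
"""Resolver-side reply validation against cache poisoning (added example).
Queries and replies are constructed dicts standing in for DNS messages."""
import secrets


def in_bailiwick(name, zone):
    """True if `name` is at or below `zone`, the authority we queried.
    Records outside it (e.g. glue for some unrelated domain) are not cached."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def send_query(qname, randomize_port):
    """Record what an outstanding query looks like. With a fixed source port an
    off-path attacker only has to guess the 16-bit transaction ID."""
    return {
        "qname": qname,
        "txid": secrets.randbelow(1 << 16),
        "sport": secrets.randbelow(64512) + 1024 if randomize_port else 53,
        "zone": "example.com.",  # assumption: we asked example.com's name server
    }


def validate(query, reply):
    """Accept a reply only if it matches the outstanding query exactly, then keep
    only in-bailiwick records. Returns (accepted, records_to_cache)."""
    if reply["txid"] != query["txid"] or reply["dport"] != query["sport"]:
        return False, []                      # wrong ID or port: ignore it
    if reply["qname"].lower() != query["qname"].lower():
        return False, []                      # answer to a different question
    kept = [rr for rr in reply["records"] if in_bailiwick(rr[0], query["zone"])]
    return True, kept


def forge_success_probability(attempts, randomize_port):
    """Chance that `attempts` blind forged replies hit the live query before the
    real answer arrives: 1/65536 per try with txid alone, roughly
    1/(65536*64512) per try once the source port is random too."""
    space = (1 << 16) * (64512 if randomize_port else 1)
    return 1 - (1 - 1 / space) ** attempts


if __name__ == "__main__":
    q = send_query("www.example.com.", randomize_port=True)
    reply = {"txid": q["txid"], "dport": q["sport"], "qname": q["qname"],
             "records": [("www.example.com.", "A", "192.0.2.10"),
                         ("ns.attacker.test.", "A", "198.51.100.1")]}
    print(validate(q, reply))            # accepted; attacker's record discarded
    print(forge_success_probability(65536, randomize_port=False))
    print(forge_success_probability(65536, randomize_port=True))
```

Even with every check in place, a forger who can see the query (on-path) still wins; that is the gap DNSSEC closes, since a forged record without a valid signature fails validation regardless of how it was delivered.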

NAC: Network Access Control (802.1X)

MAC filtering

RADIUS

Agent and agentless

Out-of-band management

Port security

Broadcast storm prevention

Bridge Protocol Data Unit (BPDU) guard

Loop prevention

Dynamic Host Configuration Protocol (DHCP) snooping

https://en.wikipedia.org/wiki/DHCP_snooping

Media access control (MAC) filtering

Network appliances

Jump servers

Proxy servers

Forward

Reverse

Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)

Signature-based

Heuristic/behavior

Anomaly

Inline vs. passive

HSM

Sensors

Collectors

Aggregators

Firewalls

Filtering packets as they arrive is the firewall’s primary means of protection. Filtering can be by:

      • Source or destination IP address
      • Domain name
      • Protocol (the IP protocol number: TCP, UDP, ICMP, …)
      • Port number
      • Content: text-based, by word or phrase (this requires reading the payload, so only a proxy or application-layer firewall can do it)

The filtering criteria are called the rule base. It is an ordered chain of rules, ending in a final “cleanup rule” that catches whatever nothing above it matched. Each packet is scanned against the chain in sequence (“rule base scanning”); in most firewalls the first rule that matches decides, so rule order matters, and a rejection anywhere in the chain aborts the packet’s passage into the network. Each rule has an action:

      • Allow: forward the packet
      • Deny (reject): discard the packet and return rejection information to the sender (an ICMP unreachable or a TCP reset)
      • Drop: discard the packet silently, sending nothing back to the sender

The critical recurring task for the network administrator is examining the log files, no less than weekly.
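Rule-base scanning, the cleanup rule and the deny/drop distinction are shown in the following added example, which is not code from the page or from any firewall product. It models rules as (source, destination, protocol, port) tuples, evaluates constructed packets first-match, and tallies the hits per rule the way a log review would; the rule names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are assumptions used only for illustration.

```python
"""First-match rule-base evaluation with a cleanup rule (added example).
Rules, addresses and sample packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow", "deny" (reject with notice) or "drop" (silent)
    src: str = "0.0.0.0/0"        # source network; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"        # destination network
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


# Hypothetical rule base: public web and DNS are allowed, a partner network is
# rejected from the management address, everything else is silently dropped.
RULE_BASE = [
    Rule("allow-web", "allow", dst="203.0.113.0/24", proto="tcp", dport=443),
    Rule("allow-dns", "allow", dst="203.0.113.53/32", proto="udp", dport=53),
    Rule("deny-mgmt", "deny", src="198.51.100.0/24", dst="203.0.113.1/32"),
    Rule("cleanup", "drop"),      # final cleanup rule: implicit default deny
]

FEEDBACK = {"allow": "forwarded",
            "deny": "ICMP unreachable / TCP RST returned to sender",
            "drop": "no response, sender's connection times out"}


def evaluate(pkt, rule_base=RULE_BASE):
    """Scan the chain top to bottom; the first matching rule decides.
    Returns (rule name, action, what the sender observes)."""
    for rule in rule_base:
        if rule.matches(pkt):
            return rule.name, rule.action, FEEDBACK[rule.action]
    raise RuntimeError("rule base has no cleanup rule")  # unreachable here


def audit(decisions):
    """Hits per rule, the first thing to look at in the weekly log review:
    a busy cleanup rule means traffic nobody wrote a rule for."""
    counts = {}
    for name, _, _ in decisions:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample traffic (not captured from a real network).
PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
    {"src": "192.0.2.10", "dst": "203.0.113.53", "proto": "udp", "dport": 53},
    {"src": "198.51.100.9", "dst": "203.0.113.1", "proto": "tcp", "dport": 443},
    {"src": "198.51.100.9", "dst": "203.0.113.1", "proto": "tcp", "dport": 22},
    {"src": "192.0.2.10", "dst": "203.0.113.7", "proto": "tcp", "dport": 22},
    {"src": "192.0.2.10", "dst": "203.0.113.7", "proto": "icmp"},
]


def run(packets=PACKETS, rule_base=RULE_BASE):
    return audit([evaluate(p, rule_base) for p in packets])


if __name__ == "__main__":
    for p in PACKETS:
        print(p, "->", evaluate(p))
    print(run())
```

Note the third packet: the partner network reaches 203.0.113.1 on 443 because “allow-web” sits above “deny-mgmt” and matches first. Shadowed rules like this are exactly what log review and rule-base ordering audits are meant to catch.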

Types of Firewalls

True firewalls: Packet filters (Layers 3 and 4: IP addresses, protocol and port numbers)

ACLs

Application proxies (Layer 7)

Forward

Reverse

WAF: Web application firewall

Network proxy (Layer 3)

NGFW

Stateful packet filtering (tracks connection state; works at Layer 4, often described as Layer 5 because it follows whole sessions rather than single packets)

Stateless

UTM: Unified threat management

NAT: Network address translation gateway

Content filter / URL filter

Open-source vs. proprietary

Hardware vs. software

Appliance vs. host-based vs. virtual

Router Security

Routers

ACL: Access control list

Antispoofing

QOS: Quality of service

Implications of IPv6

Port spanning/port mirroring

Port taps

Switch Port Analyzers

Port mirroring

Port monitoring

Port Security

Static learning

Dynamic learning

Sticky learning

Loop prevention

Flood guard

Monitoring services

File integrity monitors

About Firewalls: What IT Pros Know (But isn’t on the 601 exam)

pfSense

https://www.pfsense.org/

“pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.” – https://en.wikipedia.org/wiki/PfSense

A Comparison: Ubiquiti, pfSense, Untangle