____ Network Architecture ____
Switches use Virtual LANs (VLANs) to segment networks at the Data Link layer. Network administrators should use a Network Border Firewall between security zones.
- Extranets - Intranet segments extended to business partners
- Intranet - Local Area Network (LAN) resources that is accessible only within the regular premises or by staff through a Virtual Private Network (VPN) connection, except for stateful connections (connections that originate from within the network).
- DeMilitarized Zone (DMZ) - Contains part of the LAN that allow other services to run that do not normally run on workstations and internal servers, but does not contain private information that exists on the intranet (e.g. e-mail server or web server)
- Honey Nets - Decoy networks designed to attract attackers, but does not contain any sensitive information
- Ad Hoc Networks - Temporary networks that bypass security controls
Public and Private Internet Protocol (IP) Addresses
Network Address Translation (NAT) maps private IP addresses (nonroutable) to public (routable) addresses. Since there are a limited number of IP version 4 (IPv4) addresses, network administrators use Port Address Translation (PAT) to map a private IPv4 address to a Transmission Control Protocol (TCP) port.
- Public - Routable through the internet
- Private - Not routable through the internet, namely:
- Class A - 10.0.0.0/8
- Class B - 172.16.0.0/12
- Class C - 192.168.0.0/16
Subnetting IP Addresses - divides an assigned IP address range into smaller subnetworks that represent business units.
For example, an agency assigned the 22.214.171.124/8 (up to 16,777,214 hosts) can divide their network, like this:
VLANs - Logical LANs based on roles (extends the broadcast domain)
- 126.96.36.199/14 (up to 262,142 hosts) - Data Center
- 188.8.131.52/14 (up to 262,142 hosts) - Engineering
|(up to 60 more 123.x.0.0/14 subnetworks, where x is a number evenly divisable by 4 and 8 ≤ x ≤ 244 with each subnetwork containing up to 262,142 hosts)|
- 184.108.40.206/14 (up to 262,142 hosts) - Administration
- 220.127.116.11/14 (up to 262,142 hosts) - Sales
Security Device Placement for the following items requires careful planning:
Software-Defined Networking (SDN) - makes the network programmable via the following means:
- Network Border Firewall - A firewall which is on the perimeter of the network and does packet filtering and then applies rules from Access Control Lists (ACLs) to determine what is allowed into the LAN.
- Network Traffic Collectors - Used to determine what traffic exists on a network by doing the following:
- Collect and analyze data flow
- Correlate data and unveil traffic patterns
- Pin point the cause of bottle necks and other security risks
- Network Switched Port ANalyzer (SPAN) Ports - A port that a sniffer is attached to for netflow analysis.
- Security Information and Event Management (SIEM) - Provides real-time analysis of security alerts generated by network hardware and applications to help network administrators respond to attacks faster and organize mountains of log data.
- Proxy servers and content filters (normally in DMZ) - Evaluates web requests from users and forwards it to the internet. When the responses come back to the proxy server it will evaluate the responses and then forawrd it back to the user, if the responses are deamed acceptable.
- VPN Concentrators - A type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes (usually a router), built specifically for creating and managing VPN communication infrastructures.
- SSL Accelerators - Maintain the security and encryption of data going through a large network while also making sure the application runs efficiently by going through the handshake process for Secure Socket Layer (SSL) process on behalf of web servers in a server farm (i.e. the SSL Accelerator will process encryption and decryption requests while the web servers render web content).
- Load Balancers - Distribute network traffic across multiple servers
- DDoS Mitigation Tools - Tools that prevent a Distributed Denial of Service (DDoS) attack on the network.
Port isolation and private VLANs are the same thing, which isolates security issues via single port on a switch (e.g. hotel rooms)
- Network Functions
- Control Plane - Data flow decisions made by switches and routers
- Data Plane - Data simply being forwarded through routers and switches (no decisions made)
- Security benefits
- Granular network configurations
- Respond to Security Incidents
- Security Network Complexity - Need to monitor and act appropriately
Secure Systems Design - Appliances do the following:
Note: Network Devices which run Special-purpose operating systems (
- Bundle together hardware and software to achieve a function
- Often run full operating systems
- Requires vendor support for updates