Firewall
A common network security device that acts as a barrier to networks
Uses a set of rules to define permitted or denied traffic
Types
Software/Hardware Based
Virtual/Physical devices
Host/Network based
Firewall Functions
Performs:
Network Address Translation (NAT)
Port Address Translation (PAT)
Can use one public IP and many private IPs
Types of Firewalls (3)
Packet Filtering Firewall
Stateful Firewall
Next-Generation Firewall (NGFW)
Packet Filtering Firewall
Permits or denies traffic based on packet headers
Uses Access Control Lists (ACLs) for decision-making
Limited by rules and may not enable two-way communication effectively
Stateful Firewall
Inspects traffic as part of a session and recognizes where the traffic originated
Allows incoming traffic that corresponds to outgoing requests
Can be exploited in phishing attacks due to session-based nature
Combine Packet Filtering AND Stateful firewalls for good security
Modern firewalls often support both packet filtering and stateful capabilities
Next-Gen Firewall (NGFW)
Conducts deep packet inspection (DPI) for detailed traffic analysis
Operates at layers 5, 6, and 7 of the OSI model
Can be specific to web servers (web application firewall) or for entire networks
Access Control Lists (ACLs)
Set of rules assigned to routers or firewalls
Permit or deny traffic based on IP/MAC address or port depending on device:
Switch - MAC Address
Router - IP Address
Firewall - IP address or port
Criteria
Source/destination IP
Source/destination port
Source/destination MAC
Processed from top to bottom
Specific rules should be at the top
Generic rules should be at the bottom
Unified Threat Management (UTM) System
Combines firewall, router, intrusion detection/prevention, malware solutions and other security devices
Considered a border device with Next-Gen firewall capabilities
Available as physical, virtual, or cloud solutions
Blocking Strategies
Block incoming requests from internal or private loopback addresses, multicast IP ranges, and experimental ranges
Block incoming requests from protocols that should only be used locally
e.g. ICMP, DHCP, OSPF, SMB
Configure IPv6 to block all traffic or allow only authorized hosts and ports
Explicit Allow
Specified in ACLs using “permit” statements
Each “permit” statement explicitly allows a specific type of traffic from a specific source to a specific destination
Ensure that only specified traffic is allowed
Explicit Deny
Statement used to block specific types of traffic
Created by changing the “permit” to “deny” in an ACL rule
Allows for more precise control over which traffic is blocked
Implicit Deny
Statement that is automatically applied at the end of an ACL if no explicit deny statements are present
Blocks all traffic that is not explicitly permitted by “permit” statements
Allows for more precise control over which traffic is blocked
Role-Based Access Control
Defines privileges and responsibilities of administrative users
Users are grouped based on roles or job functions
Permissions are assigned based on roles (e.g. configuring firewalls, adding/removing users)
Segmentation Zones (3)
Trusted Zone
Untrusted Zone
Screened Subnet
Trusted Zone
Local Area Network (LAN), also known as the Inside Zone
Represents the corporate intranet
Untrusted Zone
Includes the internet and other external networks
Outside Zone
Traffic from the internet to the trusted zone is typically blocked, except for responses to specific requests from the inside
Screened Subnet
A semi-trusted zone between the trusted and untrusted zone
Contains devices like web servers and email servers
Has restricted access from the untrusted zone and is not fully trusted by the internal network
Provides a choke point for network security measures, enhancing protection for hosted servers
Firewalls
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
Unified threat management (UTM) systems
Screened Subnet to Trusted Zone
Traffic from internal to the screened subnet is allowed, but traffic is restricted
Return traffic from screened subnet devices is allowed
Screened Subnet to Untrusted Zone
Screened subnet devices can access the internet freely
Certain inbound ports need to be open for services like email and web hosting
Screened Subnet Functionality
Allows hosted servers like email and web servers to be accessible from both internal and external networks
Without the screened subnet, servers hosted inside the network would be inaccessible or less useful to external users
Internet Facing Hosts
Hosts or servers that accept inbound connections from the internet
e.g. web server on a screened subnet
Content of Screened Subnet
Internet facing servers:
Email and web servers
Communication servers
Proxy servers
Remote access servers
Public services or extranet capabilities
Security Measures
Harden devices in the screened subnet
Use intrusion detection systems
Consider all devices in the screened subnet as untrusted
Protect against pivoting attacks from the screened subnet to the internal network
Bastion Hosts
Bastion Host
A host or server in the screened subnet that is not configured with services that run on the local network
Example
Email server
Web server
Remote access server
Jumpbox
A hardened server that provides access to other hosts within the screened subnet
Purpose
Control access to the screened subnet from the internal network
Security
Should be heavily hardened and protected
Management of Jumpbox
Can be a physical PC or a virtual machine
Should have only the minimum required software
Fully hardened and secured to protect against unauthorized access
Content Filtering
A network management practice that involves restricting access to certain content, websites, or applications based on specific criteria to:
Conserve network bandwidth
Comply with legal or organizational policies
Prevent exposure to inappropriate or harmful content
Content Filtering Techniques (3)
URL Filtering
Keyword Filtering
Protocol or Port Filtering
URL Filtering
Blocks access to specific websites based on their URL
Common in organizational settings to prevent access to non-work-related or inappropriate sites
Keyword Filtering
Scans webpages for specific keywords or phrases and blocks them
Useful for blocking specific content without blocking entire websites
Can lead to over-blocking if not configured carefully
Protocol or Port Filtering
Blocks certain types of network traffic based on the protocol or port they use
Example
Blocking specific ports can prevent the use of certain file sharing applications or services
Proxy Servers
Act as intermediaries between a user’s device and the internet
Manage internet traffic and can be used for various purposes, including content filtering
Types of proxies (3)
Web Proxy
Reverse Proxy
Transparent Proxy
Web Proxy
Retrieves web pages from the internet and can be used to bypass content filters
Reverse Proxy
Manages incoming internet traffic to an organization, load balancing, improving security, and performance
Transparent Proxy
Monitors and filters internet traffic, blocking access to specific websites or content types, and enforcing company policies
Proxy Benefits
Filter out malicious traffic and prevent unauthorized access, improving cybersecurity
Hide user’s IP address, preserving anonymity and privacy
Block access to specific websites or content types, enforcing company policies
Cache frequently accessed resources, improving performance
Internet of Things (IoT)
A global network of appliances and personal devices equipped with sensors, software, and network connectivity to report state and configuration data
Types of IoT Devices (5)
Building and Home Automation Systems
IP Video Systems
Audio Visual Systems
Physical Access Control Systems
Scientific and Industrial Equipment
Building and Home Automation Systems
Manage:
Lighting
HVAC
Water
Security systems
IP Video Systems
Provide remote collaboration using video teleconference suites
Audio Visual Systems
Stream live video productions and control multiple displays
Physical Access Control Systems
Determine access into secure areas
Proximity readers
Access control systems
Biometric readers
Scientific and Industrial Equipment
Found in hospitals, factories, and laboratories
Allows centralized monitoring and management
IoT Device Best Practices
Segregation
Place IoT devices on their own network, physically or logically separated from the business network
Security
Ensure devices are properly secured and receive security patches
Power
Provide power using Power over Ethernet (PoE) or battery power supply
Categories of IoT Components (4)
Hub and Control System
Smart Devices
Wearables
Sensors
Hub and Control System
Central point of communication for automation and control
Smart Devices
Endpoints that connect to the hub for automation
Wearables
IoT devices that are designed as accessories that can be worn, such as smart watches and fitness trackers
Sensors
Measure various parameters like temperature, sound, motion, etc.
IoT Security Considerations
Understand endpoints
Each new device brings new vulnerabilities, so understand and secure them
Track and manage devices
Carefully manage device connections and configurations
Patch vulnerabilities
Apply patches when available, and manage residual risks
Conduct tests and evaluations
Evaluate devices using penetration testing techniques
Change default credentials
Change default usernames and passwords before deployment
Use encryption
Encrypt data sent and received by IoT devices
Segment IoT devices
Place IoT devices in their own VLAN and subnet to prevent interference
Information Technology (IT)
Focuses on standard computers, servers, networks, and cloud platforms
Operational Technology (OT)
A communications network that is designed to implement an industrial control system, rather than traditional business and data networking systems
Deals with controlling machinery and processes in the physical world
Industrial Control System (ICS)
Provides workflow and process automation by controlling machinery using embedded devices
Heavily used to control real world devices
Interconnected ICSs can form a Distributed Control System (DCS)
Prioritizes availability and integrity over confidentiality (CIA triad in OT)
Unlike the CIA triad in IT where confidentiality is often more emphasized
Fieldbus
Programmable Logic Controllers (PLCs)
Human Machine Interfaces (HMIs)
Fieldbus
A communication technology used in OT to link Programmable Logic Controllers (PLCs) together
Programmable Logic Controllers (PLCs)
Digital computers used in industrial settings for automation and are programmed using Human Machine Interfaces (HMIs)
Human Machine Interfaces (HMIs)
A local control panel or a piece of software running on a regular computer that will act as the input to the PLCs and the output for the entire system
Supervisory Control and Data Acquisition (SCADA)
A type of ICS used to manage large-scale, multi-site devices and equipment spread over a geographic region
Network made up of interconnected ICS/DCS plants using wide area network (WAN) connections, such as cellular, microwave, satellite, fiber, or VPN-based WAN
Often operated with software running on ordinary systems like Windows or Linux
Bring Your Own Device (BYOD) Policy
Policy allowing employees to use their personal devices (laptops, tablets, phones) for work purposes
Security Issues
Introducing vulnerabilities from personal devices, potential for malware transfer to work network
Data Ownership
Concerns about who owns the data on personal devices, distinguishing between personal and business data
Storage Segmentation
Separating personal and company data on the same device
Can be achieved technologically or procedurally
Mobile Device Management (MDM)
Centralized software for remote administration and configuration, updating devices, enforcing policies
Choose Your Own Device (CYOD)
Employees choose from a selection of supported devices, organization provides and manages the device
Benefits of CYOD
Allows for:
Installation of MDM
Enforcing technical policies
Preventing data loss
Controlling device features
Considerations for Organizations on BYOD
Security Policy
Organizations must decide on a mobile device security policy that suits their needs
Choose between BYOD and CYOD based on security, cost, and control considerations
Concept of Zero Trust
Modern approach to cybersecurity due to sophisticated threats
Traditional strategies focused on strong perimeter defense like castle walls
Ineffective against modern threats due to de-perimeterization
De-perimeterization
Protect systems and data using encryption, secure protocols, and host-based protection
Allows cost reduction, global business transactions, and increased agility
Resulted from cloud migration, remote work, mobile tech, wireless networks, outsourcing
Zero Trust Principles
Trust nothing, verify everything
Verify every device, user, and transaction regardless of origin
Addresses threats from inside and outside networks
Zero Trust Architecture (2)
Control Plane
Data Plane
Control Plane
Defines, manages, and enforces access policies
Elements
Adaptive Identity
Real-time validation based on behavior, device, and location
Threat Scope Reduction
Limiting user access to minimize attack surface
Policy-driven Access Control
Enforcing access based on roles and responsibilities
Secured Zones
Isolated environments for sensitive data access
Data Plane
Ensures execution of policies
Components
Subject System
Individual or entity seeking access
Policy Engine
Cross-references access requests with predefined policies
Policy Administrator
Establishes and manages access policies
Policy Enforcement Point
Executes access decisions
Virtual Private Network (VPN)
Extends a private network across a public network, allowing users to send and receive data securely as if their devices were directly connected to the private network
Uses tunneling protocols to establish a secure connection over the public internet
Types of VPNs (3)
Site-to-Site
Client-to-Site
Clientless
Site-to-Site VPN
Connects two offices or sites
Provides a cost-effective alternative to dedicated leased lines
Client-to-Site VPN
Connects a single remote user to a corporate network, enabling remote work or telecommuting
Clientless VPN
Creates a secure remote access VPN tunnel using a web browser, without requiring software or hardware clients
Tunneling protocols (HTTPS Connection)
Secure Socket Layer (SSL)
Provides cryptography and reliability using the upper layers of the OSI model (layers 5, 6, and 7)
Outdated and less secure
Transport Layer Security (TLS)
Provides secure web browsing over HTTPS
More updated than SSL
Both SSL and TLS use TCP
Can slow down connection due to more overhead
Datagram Transport Layer Security (DTLS)
UDP version of TLS
Provides same level of security as TLS
Operates faster due to less overhead inside UDP protocol
Excellent choice for video streaming and VoIP over secure and encrypted tunnels
VPN Configuration for Site-to-Site and Client-to-Site (2)
Full-Tunnel
Split-Tunnel
Full-Tunnel
Routes and encrypts all traffic through the VPN connection, making the remote user part of the headquarters
Better for untrusted networks
e.g. coffee shops
Split Tunnel
Divides traffic, routing and encrypting traffic bound for headquarters over the VPN while sending other traffic directly to the internet
Offers better performance but may be less secure
Layer 2 Tunneling Protocol (L2TP)
A very early VPN invented in the 80s
Lacks security features such as encryption
Needs to be combined with an extra encryption layer for protection
Layer 2 Forwarding (L2F)
Developed by Cisco
Provides a tunneling protocol for the Point-to-Point Protocol (PPP)
Lacks native security and encryption
Point-To-Point Tunneling Protocol (PPTP)
Supports dial-up networks
Lacks native security except when used with Windows
Modern VPNs
IP Security (IPsec)
Provides authentication and encryption of packets to create a secure communication path between two computers
Telnet
Port 23
Sends text-based commands to remote devices
Sends data in plain-text, so it is not secure for sensitive information
Secure Shell (SSH)
Port 22
Encrypts data sent between client and server
Provides better security compared to Telnet
Always use SSH for configuring network devices
Remote Desktop Protocol (RDP)
Port 3389
Developed by Microsoft for graphical interface remote connections
Useful for remotely accessing Windows servers or client machines
Provides a Graphical User Interface (GUI) for remote control
Uses tunneling to secure connections
Remote Desktop Gateway (RDG)
A Windows server that creates secure connections to servers via RDP
Uses SSL or TLS protocols to encrypt data
Security features
Creating encrypted tunnels like a VPN
Controlling access to network resources based on permissions and group roles
Maintaining and enforcing authorization policies
Monitoring the status of the gateway and any RDP connections passing through that gateway
Virtual Network Computing (VNC)
Port 5900
Designed for thin client architectures and Virtual Desktop Infrastructure (VDI)
Cross-platform
Linux
OS X
Windows
Allows remote access with a graphical interface
Virtual Desktop Infrastructure (VDI)
Hosts a desktop environment on a centralized server
Runs a desktop image within a virtual machine for end-user access
Also known as Desktop as a Service (DaaS) in cloud computing
In-Band Management
Uses Telnet or SSH over the network
Out-of-band Management
Uses a separate network for device configuration
Provides additional security by separating data networks from management networks
Application Programming Interface (API)
Set of protocols and routines for building and interacting with software applications
Intermediary between different systems for communication
Allows for:
Automated administration
Management
Monitoring of Apps/Services
Built using Representational State Transfer (REST) or Simple Object Access Protocol (SOAP)
Allows for direct integration of different third-party applications