Active/active load balancing
All servers in the pool are active and the load balancer can send any request to any of them at any time. (Round robin and affinity scheduling belong to this type.)
Active/Passive Load Balancing
All traffic is sent to the currently active server; if that server fails, a standby (passive) server takes over its role.
Scheduling (Load Balancing)
Sends requests to servers using set rules.
Persistence Load Balancing
In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.
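The scheduling and persistence behaviour described above, as an added example (not code from the original flashcards): a round-robin scheduler beside a source-IP affinity (sticky session) scheduler for an active/active pool, including what happens to stuck clients when their server fails. Server names and client addresses are constructed sample data.

```python
# Added example, not from the original flashcards: two active/active scheduling
# policies, round robin and source-IP affinity (sticky sessions). Server names
# and client addresses below are constructed sample data.
import hashlib


class RoundRobin:
    """Hand each new request to the next server in the pool, in turn."""

    def __init__(self, servers):
        self.servers = list(servers)
        self._next = 0

    def pick(self, client_ip=None):
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server


class SourceAffinity:
    """Sticky sessions: a client keeps hitting the server it was first sent to,
    so server-side session state survives. New clients are placed by hashing
    the source address; a mapping is dropped only if its server leaves the pool."""

    def __init__(self, servers):
        self.servers = list(servers)
        self._table = {}  # client_ip -> server

    def pick(self, client_ip):
        server = self._table.get(client_ip)
        if server is None or server not in self.servers:
            digest = hashlib.sha256(client_ip.encode()).digest()
            server = self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]
            self._table[client_ip] = server
        return server

    def mark_down(self, server):
        """Health check failed: remove the server. Clients stuck to it lose
        their session state and are re-placed on their next request."""
        self.servers.remove(server)


def demo():
    pool = ["web1", "web2", "web3"]
    rr = RoundRobin(pool)
    rr_order = [rr.pick() for _ in range(4)]          # web1, web2, web3, web1

    sticky = SourceAffinity(pool)
    first = sticky.pick("198.51.100.7")
    second = sticky.pick("198.51.100.7")              # same server as first
    sticky.mark_down(first)
    after_failover = sticky.pick("198.51.100.7")      # a different, live server
    return rr_order, first, second, after_failover
```

Affinity trades balance for state: many clients behind one NAT address all stick to one server, and a failed server takes its clients' sessions with it, which is why session state is usually moved to a shared store instead.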
Network Segmentation
A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.
Virtual Local Area Network (VLAN)
a logical network that can separate physical devices without regard to the physical location of the device
Screened subnet
Also known as a DMZ; commonly uses two firewalls: one between the public network and the screened subnet, the other between the screened subnet and the private network.
East-west traffic
Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).
Extranet
A private electronic network that links a company with its suppliers and customers
Intranet
a network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization
Zero trust
Security design paradigm in which no request is trusted because of where it comes from: every request (user-to-service, host-to-host or container-to-container) must be authenticated and authorized before it is allowed, whether it originates inside or outside the network perimeter.
Virtual Private Network (VPN)
A private data network that creates secure connections, or "tunnels," over regular Internet lines
Always-on VPN
A VPN that allows the user to always stay connected instead of connecting and disconnecting from it.
Split Tunnel VPN
A VPN configuration in which only traffic destined for the private network is sent through the encrypted tunnel; all other traffic (for example, general Internet browsing) leaves the client directly, unencrypted by the VPN and not inspected by the organization's controls.
Full Tunnel VPN
all traffic goes through the encrypted tunnel while the user is connected to the VPN
Remote Access VPN
A user-to-LAN virtual private network connection used by remote users.
site-to-site VPN
A virtual private network in which multiple sites can connect to other sites over the Internet.
IPSec VPN
A virtual private networking technology that uses IPsec tunneling for security.
SSL/TLS VPN
VPN setup through a web browser, portal that uses SSL/TLS to secure traffic. Gives user access to the target network.
HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
Layer 2 Tunneling Protocol (L2TP)
A VPN protocol that lacks security features, such as encryption. However, [ ] can still be used for a secure VPN connection if it is combined with another protocol that provides encryption.
Network Access Control (NAC)
A technique that examines the current state of a system or network device before it is allowed to connect to the network.
out-of-band management
A management path that is separate from the production network (a dedicated management network, a console server, or a cellular link), so administrators can still reach switches and other devices when the production network is down or misconfigured.
Port Security
A switch feature that limits which and how many MAC addresses may send frames on a physical port (for example, one MAC per access port, with the port shut down on a violation), together with disabling unused switch ports. Distinct from closing unused TCP/UDP service ports on a host, which is a hardening step at a different layer.
Broadcast storm prevention
can include avoiding physical cable loops among switches, using spanning tree protocol (STP) on switches, and implementing port security.
Bridge Protocol Data Unit (BPDU)
Used by switches to share information with other switches that are participating in the Spanning-Tree Protocol
Bridge Protocol Data Unit (BPDU) guard
Switch port security feature that shuts down (error-disables) an access port if it receives a BPDU. It is configured on access ports, where end hosts should never speak spanning tree, so any BPDU frame received there is likely to come from a rogue or misconfigured switch.
Loop prevention
A method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.
Dynamic host configuration protocol (DHCP) snooping
a preventative measure. The primary purpose is to prevent unauthorized DHCP servers from operating on a network.
Media access control (MAC) filtering
A method of restricting which devices may connect to a network by checking their MAC addresses against a list kept by the switch or wireless access point. It is a weak control on its own, because MAC addresses can be observed and spoofed.
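The layer 2 protections above (port security MAC limits, BPDU guard, DHCP snooping) as an added example, not code from the original flashcards: a simplified software model of how a switch port decides what to do with an arriving frame. Port names, MAC addresses and frame types are constructed sample data; real switches implement these features in hardware with vendor-specific configuration.

```python
# Added example, not from the original flashcards: a simplified model of the
# layer 2 protections above (port security MAC limits, DHCP snooping trusted
# ports, BPDU guard) applied to frames arriving on switch ports. Port names,
# MAC addresses and frame types are constructed sample data; real switches
# implement these in hardware with vendor-specific configuration.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    dhcp_trusted: bool = False   # only uplinks to the real DHCP server should be trusted
    bpdu_guard: bool = False     # enable on access ports: no end host should send BPDUs
    max_macs: int = 1            # port security: MACs allowed to appear on this port
    learned: set = field(default_factory=set)
    err_disabled: bool = False   # violation mode "shutdown": port is cut off until cleared


@dataclass(frozen=True)
class Frame:
    src_mac: str
    kind: str   # "data", "bpdu", "dhcp_discover", "dhcp_offer", "dhcp_ack"


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def ingress(self, port_name, frame):
        """Return the action taken for a frame received on the given port."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop:err-disabled"
        # BPDU guard: a spanning-tree frame on an access port means a rogue or
        # misconfigured switch was plugged in; shut the port rather than let it
        # influence the topology.
        if frame.kind == "bpdu" and port.bpdu_guard:
            port.err_disabled = True
            return "err-disable:bpdu-guard"
        # DHCP snooping: server-side messages are only accepted from trusted ports,
        # so a rogue DHCP server on an access port cannot hand out a malicious
        # gateway or DNS address.
        if frame.kind in ("dhcp_offer", "dhcp_ack") and not port.dhcp_trusted:
            return "drop:dhcp-snooping"
        # Port security: learn up to max_macs source addresses, then treat any new
        # MAC as a violation (for example a hub or a MAC-flooding tool).
        if frame.src_mac not in port.learned:
            if len(port.learned) >= port.max_macs:
                port.err_disabled = True
                return "err-disable:port-security"
            port.learned.add(frame.src_mac)
        return "forward"


def demo():
    sw = Switch([
        Port("Gi0/1", bpdu_guard=True),                      # user desk
        Port("Gi0/2", bpdu_guard=True),                      # user desk
        Port("Gi0/24", dhcp_trusted=True, max_macs=1024),    # uplink to core/DHCP server
    ])
    return {
        "offer_from_uplink": sw.ingress("Gi0/24", Frame("00:00:5e:00:53:01", "dhcp_offer")),
        "offer_from_rogue": sw.ingress("Gi0/1", Frame("00:00:5e:00:53:aa", "dhcp_offer")),
        "pc_data": sw.ingress("Gi0/1", Frame("00:00:5e:00:53:10", "data")),
        "second_mac_same_port": sw.ingress("Gi0/1", Frame("00:00:5e:00:53:11", "data")),
        "pc_data_after_violation": sw.ingress("Gi0/1", Frame("00:00:5e:00:53:10", "data")),
        "bpdu_on_access": sw.ingress("Gi0/2", Frame("00:00:5e:00:53:20", "bpdu")),
    }
```

Note what the model does not stop: an attacker who spoofs the one learned MAC address passes port security, which is why MAC-based controls are paired with 802.1X/NAC rather than relied on alone.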
Network appliances
Devices that are dedicated to providing certain network services.
Jump servers (Network appliances)
a hardened server used to access and manage devices in another network with a different security zone.
Proxy servers
server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.
Forward proxy servers
forward requests for services from a client. It can cache content and record users' Internet activity.
Reverse proxy servers
Accept traffic from the internet and forward it to one or more internal web servers. The [ ] is placed in the DMZ and the web servers can be in the internal network.
Network-Based Intrusion Detection System (NIDS)
A sensor that monitors network traffic, detects attacks and raises alerts. It is typically fed a copy of the traffic from a switch mirror (SPAN) port or a network tap rather than sitting in the forwarding path, so it can alert but not block.
network-based intrusion prevention system (NIPS)
A system that examines network traffic and automatically responds to computer intrusions.
Signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
Heuristic/behavioral-based detection
Detection mode that, instead of trying to match known variants to a database, will measure traffic patterns against the baseline. Also known as Anomaly-based.
Anomaly Detection
the process of identifying rare or unexpected items or events in a data set that do not conform to other items in the data set
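The two detection modes above, as an added example (not code from the original flashcards): signature matching against known attack strings beside a per-source rate baseline that flags a burst carrying no attack string at all. Both run over constructed web-server access log lines; the IP addresses, paths and log format are made up for the example.

```python
# Added example, not from the original flashcards: signature-based detection
# (pattern match against known attack strings) beside anomaly-based detection
# (per-source request rate measured against a learned baseline), both run over
# constructed web-server access log lines.
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Known-bad patterns. Matching is done on the URL-decoded path: a signature
# applied to the raw request would miss "%27%20OR%201%3D1".
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1)"),
    "xss": re.compile(r"(?i)<script\b"),
    "traversal": re.compile(r"\.\./"),
}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "method": m.group(2),
            "path": unquote(m.group(3)), "status": int(m.group(4))}


def signature_alerts(lines):
    """Misuse detection: flag requests that contain a known attack pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                alerts.append((rec["ip"], name))
    return alerts


def anomaly_alerts(baseline_lines, window_lines, k=3.0):
    """Anomaly detection: learn a per-source request-count baseline from clean
    traffic, then flag any source whose count in the new window exceeds
    mean + k standard deviations. No attack string is needed, so this catches
    a credential-stuffing burst that carries no signature."""
    base = Counter(r["ip"] for r in filter(None, map(parse, baseline_lines)))
    counts = list(base.values())
    threshold = mean(counts) + k * pstdev(counts)
    observed = Counter(r["ip"] for r in filter(None, map(parse, window_lines)))
    return [(ip, n) for ip, n in observed.items() if n > threshold]


def _line(ip, path, status=200):
    # Constructed Common Log Format line.
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'


def demo():
    # Baseline: five ordinary clients browsing a handful of pages each.
    baseline = []
    for ip, n in zip(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"],
                     [4, 5, 4, 6, 5]):
        baseline += [_line(ip, "/index.html") for _ in range(n)]
    # Observation window: normal traffic plus one encoded SQL injection attempt
    # and one source hammering the login page with no malicious payload.
    window = [_line("10.0.0.2", "/products?id=3") for _ in range(5)]
    window.append(_line("203.0.113.9", "/products?id=1%27%20OR%201%3D1", 500))
    window += [_line("198.51.100.23", "/login", 401) for _ in range(30)]
    return signature_alerts(window), anomaly_alerts(baseline, window)
```

The signature pass catches the injection and nothing else; the anomaly pass catches the login burst and nothing else. Each mode's blind spot is the other's strength, which is why production sensors run both, and why the baseline must be learned from traffic known to be clean.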
Inline vs. passive
Passive
- Examines a copy of the traffic (from a tap or mirror port)
- Can alert but has no way to block in real time (IDS behaviour)
Inline
- Sits in the traffic path, so malicious traffic can be identified and dropped immediately (IPS behaviour)
- Adds latency and becomes a single point of failure if the device fails closed
HSM (Hardware Security Module)
A dedicated, tamper-resistant hardware device (appliance, PCIe card or USB token) that generates, stores and uses cryptographic keys so that private keys never leave the device in plaintext; commonly used with PKI systems to protect CA signing keys.
Web Application Firewall (WAF)
An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection
Next generation firewall
A hardware- or software-based network security system that can detect and block sophisticated attacks by inspecting traffic at the application layer (application awareness, integrated intrusion prevention, user identity, threat intelligence feeds) rather than filtering only by addresses, ports and protocol.
stateful firewall
Tracks the state of each connection. When traffic leaves the inside network for the Internet, the firewall records the session (identified by source and destination IP addresses and port numbers, plus protocol). When return traffic belonging to that same session attempts to enter the inside network, the [ ] permits it; inbound traffic that matches no known session is dropped. The process of inspecting traffic to identify unique sessions is called stateful inspection.
stateless firewall
A firewall that evaluates each packet on its own against a static rule set (typically an ACL matching source/destination addresses, protocol and ports) with no memory of previous packets or sessions. Because it cannot recognize return traffic, it must either permit inbound traffic to whole ranges of ports or rely on header fields (such as the TCP ACK flag or source port) that an attacker can forge.
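The stateful/stateless distinction, as an added example (not code from the original flashcards): a stateless packet filter and a stateful one run over the same three constructed packets, showing why "permit return traffic" cannot be expressed safely without a session table. Addresses and ports are made-up sample data.

```python
# Added example, not from the original flashcards: a stateless packet filter
# beside a stateful one, run over the same constructed packets to show why
# "permit return traffic" is hard to express without connection state.
# Addresses and ports are made-up sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_inside(ip):
    # Constructed inside network: 10.0.0.0/24.
    return ip.startswith("10.0.0.")


class StatelessFirewall:
    """Judges every packet alone against an ordered rule list (an ACL) and
    keeps no memory of earlier packets. Rules are (action, predicate) pairs;
    the first match wins and anything unmatched is denied."""

    def __init__(self, rules):
        self.rules = rules

    def filter(self, pkt):
        for action, matches in self.rules:
            if matches(pkt):
                return action
        return "deny"


class StatefulFirewall:
    """Records outbound connections in a session table and admits inbound
    packets only when they are the mirror image of a recorded session."""

    def __init__(self):
        self.sessions = set()

    def filter(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.sessions.add(forward)       # inside -> out opens a session
            return "allow"
        if reverse in self.sessions:
            return "allow"                   # genuine reply to that session
        return "deny"                        # unsolicited inbound


def demo():
    # The stateless ACL has to let replies in by guessing what replies look like:
    # anything from TCP/443 to a high (ephemeral) port. That rule is just as
    # happy to admit an attacker who simply sets source port 443.
    stateless = StatelessFirewall([
        ("allow", lambda p: is_inside(p.src) and not is_inside(p.dst)),
        ("allow", lambda p: not is_inside(p.src) and p.sport == 443 and p.dport >= 1024),
    ])
    stateful = StatefulFirewall()

    outbound = Packet("10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    # Not a reply to anything: a scan of the inside host disguised with sport 443.
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 51000)

    return {
        "stateless": [stateless.filter(p) for p in (outbound, reply, unsolicited)],
        "stateful": [stateful.filter(p) for p in (outbound, reply, unsolicited)],
    }
```

Real stateful firewalls go further than this table: they validate TCP flags and sequence numbers, expire idle sessions, and treat UDP and ICMP as pseudo-sessions, but the core difference is exactly the one shown, memory of what the inside asked for.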
Unified Threat Management (UTM)
comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software
Network address translation (NAT) gateway
A routing device (for example, an AWS NAT gateway) that lets instances in a private subnet initiate connections to services outside the VPC while preventing external services from initiating connections to those instances.
Content/URL filter
A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).
Open Source Firewall
Firewall software whose source code is publicly available, so it can be inspected, modified and run independently of a single vendor, usually on a dedicated server or appliance. Such hosts should perform only the firewall function and should not double as jump servers.
proprietary firewall
A firewall that is owned by an entity who has an exclusive right to it.
hardware firewall
A physical filtering component that inspects data packets from the network before they reach computers and other devices on a network. A free-standing unit that does not use the resources of the computers it is protecting, so there is no impact on processing performance.
software firewall
a firewall in a software form factor rather than a physical appliance, which can be deployed on servers or virtual machines to secure cloud environments. Designed to protect data, workloads and applications in environments wherein it is difficult or impossible to deploy physical firewalls, including:
- Software-defined networks (SDN)
- Hypervisors
- Public cloud environments
- Virtualized data centers
- Branch offices
- Container environments
- Hybrid and multicloud environments
appliance firewall
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance's firmware.
host-based firewall
A piece of software running on a single host that can restrict incoming and outgoing network activity for that host only.
virtual firewall
A firewall that is implemented in software within a virtual machine in cases where it would be difficult, costly, or impossible to install a traditional physical firewall.
Access Control List (ACL)
A defined list of rules specifying who or what may do what. On a file system or shared resource, an ACL lists which actions an authenticated user may perform; on a router or firewall, an ACL is an ordered list of permit/deny rules matched against packet fields such as source/destination IP address, protocol and port.
Route security
Protecting the routing infrastructure that connects networks: authenticating routing-protocol updates so rogue devices cannot inject routes, filtering which prefixes are accepted and advertised, restricting management access to routers, and monitoring for route hijacks or leaks. Compromised routing lets an attacker redirect, black-hole or intercept traffic.
Quality of Service (QoS)
Policies that control how much bandwidth a protocol, PC, user, VLAN, or IP address may use.
Implications of IPv6
A vastly larger address space, so NAT is no longer needed to conserve addresses (the implicit filtering NAT provided must be replaced by explicit firewall rules); ARP is replaced by Neighbor Discovery (NDP), which removes classic ARP spoofing but introduces analogous attacks such as neighbor and router-advertisement spoofing; and IPsec support is built into the protocol suite but is not enabled automatically, so traffic is not encrypted unless IPsec is configured.
Port spanning/port mirroring
is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
Port taps
A hardware device inserted into a cable to copy frames for analysis.
Monitoring services
Services that monitor the availability and health of applications, the OS, or resource usage such as CPU and memory (as the top command does interactively), alerting when metrics leave their expected ranges.
File integrity monitors
A series of internal processes that validate the integrity of OS and application files, typically by comparing current cryptographic hashes against a trusted baseline and alerting on unexpected changes.
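File integrity monitoring as an added example (not code from the original flashcards): a minimal hash-based monitor that snapshots SHA-256 digests of every file under a root and reports what was modified, added or removed since the baseline. The directory tree, file names and contents are constructed in a temporary directory for the example.

```python
# Added example, not from the original flashcards: a minimal hash-based file
# integrity monitor. It snapshots SHA-256 digests of every file under a root,
# then reports files that were modified, added or removed relative to that
# baseline. The directory tree and its contents are constructed in a temp dir.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries do not load into memory.
    Hashes are used rather than size/mtime because an attacker who can write
    a file can usually also restore its timestamp."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) under root to its digest.
    In production the baseline must be kept where the monitored host cannot
    rewrite it (read-only media, a signed store or a remote server)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")      # backdoored tool
        (root / "etc" / "passwd").unlink()                                   # deleted file
        (root / "etc" / "shadow").write_text("root:!:19000:0:99999:7:::\n")  # new file

        return compare(baseline, build_baseline(root))
```

Two practical points the code makes: hashing, not metadata, is what detects the backdoored binary, and the baseline is only as trustworthy as the place it is stored, since malware that can replace /bin/ls can also rewrite a baseline sitting on the same disk.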