3.2 Security principles to secure enterprise infrastructure.


30 Terms

1

Device Placement (Infrastructure consideration)

Strategic positioning of devices for protection and efficiency

Example: Placing firewalls at the network perimeter to filter traffic

2

Security Zones (Infrastructure consideration)

Dividing networks into zones based on trust levels

Example: DMZ for public-facing servers, internal zone for employees

3

Attack Surface (Infrastructure consideration)

All potential points that an attacker could exploit

Example: Reducing exposed ports to minimize surface

4

Connectivity (Infrastructure consideration)

Control and monitoring of network connections

Example: Restricting devices to necessary VLANs only

5

Fail open (Infrastructure consideration)

System that allows access when it fails (less secure)

Example: A firewall crashes and allows all traffic to go through

6

Fail Closed (Infrastructure consideration)

System blocks access when it fails (more secure)


Example: Firewall failure blocks all traffic to prevent breach

7

Active Device (Device attribute)

Takes direct action like blocking threats

Example: IPS blocks suspicious activity in real time

8

Passive Devices (Device attribute)

Monitors traffic without taking action

Example: IDS logs but doesn't stop a port scan

9

Inline (Device attribute)

Traffic flows through the device

Example: Firewall inspects all packets before allowing entry

10

Tap/Monitor (Device attribute)

Observes mirrored traffic

Example: IDS passively watches packets on a SPAN port

11

Jump Server (network appliances)

Mediated access point for critical systems, like a guard or a bouncer before granting access

Example: Admins access servers only via a jumpbox

12

Proxy Server (network appliances)

Middle layer between users and web

Example: Proxy filters inappropriate content and logs activity

13

IPS/IDS (network appliances)

Detects or prevents network threats (intrusion detection/prevention system)

Example: IPS blocks malware payload or IDS logs reconnaissance

14

Load Balancer (network appliances)

Distributes load across multiple servers

Example: Balances requests between two data centers

15

Sensors (network appliances)

Capture and report on security events

Example: NetFlow sensor detects traffic spikes

16

Port Security

Restricts access based on MAC address

Example: Switch blocks unknown device on secure port

17

EAP (Port Security, Extensible Authentication Protocol)

Authentication framework for network access

It is used in enterprise Wi-Fi logins.

18

802.1X (Port Security)

Network access control at port level

User must log in to access corporate LAN

19

Web Application Firewall, WAF (Firewall Types)

Protects web apps from malicious input

Example: WAF blocks XSS attacks on web login

20

Unified Threat Management, UTM (Firewall Types)

All-in-one security device

It provides firewall, antivirus, and web filter all in one.

21

Next-Generation Firewall, NGFW (Firewall Types)

Advanced firewall with deep inspection

Example: An NGFW can block app-layer attacks like command injection.

22

Layer 4 Transport Layer (Firewall Type)

Manages network traffic based on information in the packet header, like IP addresses and transport-layer port info.

Example: Block all traffic to port 80

23

Layer 7 Application type (Firewall Type)

Examines and filters traffic based on the actual application content and type of app; it's advanced and precise

Example: Blocks malware uploads and filters URLs

24

VPN (Secure Communication/access)

Creates an encrypted tunnel over the internet

Example: Remote staff use a VPN to reach company files

25

Remote Access (Secure Communication/access)

Securely connects users from afar (can use VPN)

Example: Remote staff use VPN to reach company files

26

Tunnelling (Secure Communication/access)

Wraps traffic inside another protocol

Example: TLS over HTTP encrypts browser traffic

27

IPSec (Secure Communication/access)

Encrypts internet communications

Internet Protocol Security

Example: IPSec VPN between headquarters and branch

28

SD-WAN (Secure Communication/access)

Smart routing and encryption for WANs

Software-defined wide area network

Example: Prioritizes VoIP traffic over secure tunnel.

29

SASE (Secure Communication/access)

Cloud-delivered security for remote users

Secure access service edge.

Example: Applies firewalls and DLP to work-from-home users

30

Selection of effective controls

Choosing controls suited to the risks and the system

Example: Using NGFW for app layer threats vs. basic firewall