false positive errors
IDS/IPS trigger an alert when an attack did not actually take place
signature detection systems
contains databases with rules describing malicious activity
alert administrators to traffic matching signatures
fails to detect brand new attacks
reduce false positive rates
anomaly detection systems (aka behavior based or heuristic detection)
build models of normal activity
alert admins to activity not matching the model
increased false positive rate
IPS deployment modes
in band - device sits in the path of network communications and can block suspicious traffic
out of band - device connects to a SPAN port on a switch. Can react only after suspicious traffic enters the network
Protocol Analyzer uses
troubleshoot network issues
investigate security incidents
eavesdrop on confidential communications
most common is wireshark
tcpreplay
allows editing and replaying of traffic
content delivery networks (CDNs)
provide scalability and security
can filter DDoS attacks
provides web application firewall (WAF) functionality
quality of service (QoS)
allows admins to prioritize network traffic based upon protocol or IP addresses
WAN optimization techniques
deduplication
compression
caching
latency optimization
public IP addresses
assigned by a central authority and are routable over the Internet
-assigned by ICANN
private IP addresses
available for anyone’s use but not routable over the internet
Private IP Ranges
10.0.0.1-10.255.255.255
172.16.0.1-172.31.255.255
192.168.0.1-192.168.255.255
NAT and Security
hides internal addresses from internet systems
limits direct access to systems
makes it difficult to identify the true origin of traffic
port address translation (PAT)
allows multiple systems to share same public address
assigns a unique port to each communication
subnet mask
identifies the dividing line between network and host addresses
subnetting
breaks a large network address space up into manageable pieces that administrators may assign to smaller subnetworks
extranet
intranet segments extended to business partners
honeynet
decoy networks designed to attract attackers
ad hoc network
temporary networks that may bypass security controls
east west traffic
network traffic between systems located in the data center
north south traffic
network traffic between systems in the data center and systems on the internet
logical segmentation
uses switches to enforce separation between devices
physical segmentation
uses physically separate network devices and wiring to separate devices
microsegmentation
creates extremely small network segments serving very small groups of devices or individual devices
VLAN
separate systems on a network into logical groups based upon function, regardless of physical location
-must enable VLAN trunking to allow switches in different locations on the network to carry the same VLANs
must assign switchports to VLANs
proxy servers and content filters typically belong in the…
DMZ
network traffic collectors
intrusion detection and prevention sensors
network taps
port mirrors
aggregation/ distribution switches
connect downstream access switches to each other
SIEM
gather info using collectors
analyze info with a centralized aggregation and correlation engine
place collectors near the systems generating records
VPN concentrators
aggregate remote user connections
often reside in their own VLAN, where access controls may restrict remote user activity
SSL accelerator
designed to boost the performance of services that you provide to the outside world at scale.
handles the difficult cryptographic work of setting up TLS connections
normally reside in DMZ
DDoS mitigation tools
belongs as close to the internet as possible, ideally would be services purchased from ISP