Académique Documents
Professionnel Documents
Culture Documents
TABLE OF CONTENTS:
Topic A:
Implement Secure Network Architecture Concepts
Topic B:
Install and Configure a Secure Switching Infrastructure
Topic C:
Install and Configure Network Access Control
Topic D:
Install and Configure a Secure Routing and NAT Infrastructure
TOPIC A
Implement Secure Network Architecture Concepts
While you may not be responsible for network design in your current role, it is important that
you understand the vulnerabilities that can arise from weaknesses in network architecture, and
some of the general principles for ensuring a well-designed network. This will help you to
contribute to projects to improve resiliency and to make recommendations for improvements.
SEGREGATION/SEGMENTATION/ISOLATION
In the context of security, a network segment is one where all the hosts attached to the
segment can communicate freely with one another. Segregation means that the hosts in one
segment are restricted in the way they communicate with hosts in other segments. They might
only be able to communicate over certain network ports, for instance.
Because enterprise networks typically feature hundreds of switching appliances and network
ports (not to mention wireless access and remote access), segmentation is more likely to be
enforced using virtual LANs (VLANs). Any given switch port can be assigned to any VLAN in the
same topology, regardless of the physical location of the switch. The segmentation enforced by
VLANs at the data link layer can be mapped to logical divisions enforced by IP subnets at layer
3.
An isolated segment is one that has no connectivity with other segments. A host or network
segment that has no sort of physical connectivity with other hosts or networks is referred to as
air gapped.
Segregation and isolation of hosts or applications can also be accomplished using virtualization.
When a host is running as a guest OS on a hypervisor, connectivity with or isolation from other
networks can be completely controlled via the hypervisor.
It is also quite likely that more than one DMZ will be required as the services that run in them
may have different security requirements. We've already noted a difference between services
designed to be accessible to a public Internet versus those for an extranet. Some other
examples are:
• Dedicated DMZ for employee web browsing and proxy services.
• DMZ for email, VoIP, and conferencing servers.
• Isolate remote access/Virtual Private Network (VPN) traffic.
• Isolate traffic for authorized cloud applications.
• Multi-tier DMZ to isolate front-end, middleware, and backend servers.
These different functions could be implemented either by completely separate DMZs or by
using segmented demilitarized zones.
SCREENED SUBNETS
One important use of subnets is to implement a DMZ. Two firewalls are placed at either end of
the DMZ. One restricts traffic on the external interface; the other restricts traffic on the internal
interface.
THREE-LEGGED FIREWALL
A DMZ can also be established using a single router/firewall appliance. A three-legged (or triple-
homed) firewall is one with three network ports, each directing traffic to a separate subnet.
SCREENED HOST
Smaller networks may not have the budget or technical expertise to implement a DMZ. In this
case, Internet access can still be implemented using a dual-homed proxy/ gateway server acting
as a screened host.
GUEST, WIRELESS, AND HONEYNET ZONES
There is no single way of designing a network. Rather, a network will reflect the business needs
of the organization. You may want to define your own security zones to suit business needs.
Your intranet may in fact compose several zones, with segregated segments for different types
of server and client, management/administrative traffic, different departments with separate
security policies, and so on. Some other examples of zone types are:
• Guest—a zone that allows untrusted or semi-trusted hosts on the local network.
Examples would include computers that are publicly accessible or visitors bringing their own
portable computing devices to your premises.
• Wireless—traffic from Wi-Fi networks might be less trusted than from the cabled
network. You might also operate unauthenticated open access points or authenticated guest
Wi-Fi networks, which should be kept isolated from the main network.
• Honeynet—a network containing honeypot hosts, designed to attract and study
malicious activity. When deploying a honeynet, it is particularly important to ensure that
compromised hosts cannot be used to "break out" of the honeynet and attack the main
network.
TOPIC B
Implement and Configure a Secure Switching Infrastructure
Now that you are familiar with the components that make up a secure network architecture,
you can start implementing network components to build your own secure environment. In this
topic, you will investigate some common network-level attacks and the controls and
countermeasures you can use to prevent them.
SWITCHING INFRASTRUCTURE
Network topology designs have to be implemented by installing physical network links and
connecting hosts and zones using switches, routers, and firewalls. Network architecture design
starts with the way the OSI model Physical and Data Link layers are implemented. Cisco
recommends designing a campus network with three layers of hierarchy: access, distribution,
and core.
• Access—allowing end-user devices, such as computers, printers, and smartphones, to
connect to the network. Another important function of the access layer is to prevent the
attachment of unauthorized devices.
• Distribution—provides fault-tolerant interconnections between different access blocks
and either the core or other distribution blocks. The distribution layer is often used to
implement traffic policies, such as routing boundaries, filtering, or Quality of Service (QoS).
• Core—provides a highly available network backbone. Devices such as clients and server
computers should not be attached directly to the core. Its purpose should be kept simple:
provide redundant traffic paths for data to continue to flow around the access and distribution
layers of the network.
Managed switches can be configured with Virtual LANs (VLANs). The VLANs are used to
implement logical segregation of traffic. For example, ports 1 through 10 and 11 through 20 on
a switch could be configured as two separate VLANs, typically each with their own subnet
address. Communication between the groups of ports would only be possible via a router or
layer 3 switch. Port-based switching is the simplest means of configuring a VLAN (static VLANs).
Others (dynamic VLANs) include using the host's MAC address, protocol type, or even
authentication credentials.
LOOP PREVENTION
In a network with multiple bridges, implemented these days as switches and routers, there may
be more than one path for a frame to take to its intended destination. As a layer 2 protocol,
Ethernet has no concept of Time To Live. Therefore, layer 2 broadcast traffic could continue to
loop through a network with multiple paths indefinitely. Layer 2 loops are prevented by the
Spanning Tree Protocol (STP), defined in the IEEE 802.1D MAC Bridges standard. Spanning tree
is a means for the bridges to organize themselves into a hierarchy and prevent loops from
forming.
This diagram shows the minimum configuration necessary to prevent loops in a network with
three bridges or switches. The root bridge has two designated ports (DP) connected to Bridge A
and Bridge B. Bridges A and B both have root ports (RP) connected back to the interfaces on the
root bridge. Bridges A and B also have a connection directly to one another. On Bridge A, this
interface is active and traffic for Bridge B can be forwarded directly over it. On Bridge B, the
interface is blocked (BP) to prevent a loop and traffic for Bridge A must be forwarded via the
root bridge.
An adversary may try to attack STP using a rogue switch or software designed to imitate a
switch. When a switch does not know the correct port to use for a particular destination MAC
address (if the cache has just been flushed, for instance), it floods the frame out to all ports,
even if the frame is unicast, not broadcast. Topology changes in STP can cause a switch to flush
the cache more frequently and to start flooding unicast traffic more frequently, which can have
a serious impact on network performance.
The configuration of switch ports should prevent the use of STP over ports designated for client
devices (access ports). An access port is configured with the portfast command to prevent STP
changes from delaying client devices trying to connect to the port. Additionally, the BPDU
Guard setting should be applied. This causes a portfast-configured port that receives a BPDU to
become disabled. Bridge Protocol Data Units (BPDUs) are used to communicate information
about the topology and are not expected on access ports, so BPDU Guard protects against
misconfiguration or a possible malicious attack.
MAN-IN-THE-MIDDLE AND MAC SPOOFING ATTACKS
Attacks at the Physical and Data Link layers are often focused on information gathering
—network mapping and eavesdropping on network traffic. Attackers can also take
advantage of the lack of security in low-level data link protocols to perform Man-in-the- Middle
attacks. A Man-in-the-Middle (MitM) attack is where the attacker sits between two
communicating hosts, and transparently captures, monitors, and relays all communication
between the hosts. A MitM attack could also be used to covertly modify the traffic. One way to
launch a MitM attack is to use Trojan software to replace some genuine software on the
system. These types of attacks can also be launched against antiquated protocols, such as ARP
or DNS. MitM attacks can be defeated using mutual authentication, where both server and
client exchange secure credentials, but at layer 2 it is not always possible to put these controls
in place.
In terms of TCP/IPv4, the most significant protocol operating at the Data Link layer is the
Address Resolution Protocol (ARP). ARP maps a network interface's hardware (MAC) address to
an IP address. Normally, a device that needs to send a packet to an IP address but does not
know the receiving device's MAC address broadcasts an ARP Request packet, and the device
with the matching IP responds with an ARP Reply.
MAC spoofing changes the Media Access Control (MAC) address configured on an adapter
interface or asserts the use of an arbitrary MAC address. While a unique MAC address is
assigned to each network interface by the vendor at the factory, it is simple to override it in
software via OS commands, alterations to the network driver configuration, or using packet
crafting software. This can lead to a variety of issues when investigating security incidents or
when depending on MAC addresses as part of a security control, as the presented address of
the device may not be reliable. Because it operates at the Data Link layer, MAC address
spoofing is limited to the local broadcast domain. MAC spoofing is also the basis of other layer 2
Man-in-the-Middle attacks.
This screenshot shows packets captured during a typical ARP poisoning attack:
• In frames 6-8, the attacking machine (with MAC address ending :4a) directs gratuitous
ARP replies at other hosts (:76 and :77), claiming to have the IP addresses .2 and .102.
• In frame 9, the .101/:77 host tries to send a packet to the .2 host, but it is received by
the attacking host (with the destination MAC :4a).
• In frame 10, the attacking host retransmits frame 9 to the actual .2 host. Wireshark
colors the frame black and red to highlight the retransmission.
• In frames 11 and 12 you can see the reply from .2, received by the attacking host in
frame 11 and retransmitted to the legitimate host in frame 12.
The usual target will be the subnet's default gateway (the router that accesses other networks).
If the ARP poisoning attack is successful, all traffic destined for remote networks will be sent to
the attacker. The attacker can perform a Man-in-the-Middle attack, either by monitoring the
communications and then forwarding them to the router to avoid detection, or modifying the
packets before forwarding them. The attacker could also perform a Denial of Service attack by
not forwarding the packets.
There are utilities that can detect ARP spoofing attacks. Another option is to use switches that
can perform port authentication, preventing connected devices from changing their MAC
addresses.
A variation of an ARP poisoning attack, MAC flooding, can be directed against a switch. If a
switch's cache table is overloaded by flooding it with frames containing different (usually
random) source MAC addresses, it will typically start to operate as a hub (failopen mode). The
alternative would be to deny network connections to any of the attached nodes. As hubs repeat
all unicast communications to all ports, this makes sniffing network traffic easier.
TOPIC C
Install and Configure Network Access Control
The portability of devices such as removable storage, wireless access points, VoIP phones, cell
phones, smartphones, and laptop computers, makes penetrating network perimeter security
more straightforward. The security of these devices is often heavily dependent on good user
behavior. There is also the circumstance of providing guests with network facilities, such as web
access and email. While training and education can mitigate the risks somewhat, new
technologies are emerging to control these threats.
ADMISSION CONTROL
Admission control is the point at which client devices are granted or denied access based on
their compliance with the health policy. Most NAC solutions work on the basis of
preadmission control (that is, the device must meet the policy to gain access). Post-admission
control involves subsequently polling the device to check that it remains compliant. Some
solutions only perform post-admission control; some do both.
With preadmission control, supplicant client devices connect to the network via a NAC policy
enforcer, such as a switch, router, or wireless access point. Other options for the location of the
policy enforcer include a VPN remote access gateway or a specially configured DHCP server.
The policy enforcer checks the client credentials with the NAC policy server and performs
machine and user authentication with a RADIUS AAA server. The client is allocated a suitable IP
address by a DHCP server and assigned to a VLAN by the switch; depending on whether the
policy was met, this would allow access to the network or to a quarantined area or captive web
portal only.
Post-admission controls would rely on the NAC policy server polling the client device once
access has been granted or performing a policy check if the configuration of a client changes or
when a client attempts to access a particular server or service.
HOST HEALTH CHECKS
Posture assessment is the process by which host health checks are performed against a client
device to verify compliance with the health policy. Most NAC solutions use client software
called an agent to gather information about the device, such as its anti-virus and patch status,
presence of prohibited applications, or anything else defined by the health policy.
An agent can be persistent, in which case it is installed as a software application on the client,
or non-persistent. A non-persistent (or dissolvable) agent is loaded into memory during posture
assessment but is not installed on the device.
Some NAC solutions can perform agentless posture assessment. This is useful when the NAC
solution must support a wide range of devices, such as smartphones and tablets, but less
detailed information about the client is available with an agentless solution.
If implemented as a primarily software-based solution, NAC can suffer from the same sort of
exploits as any other software. There have been instances of exploits to evade the NAC
admission process or submit false scan results. One fruitful line of attack is to use virtual
machines to evade the initial admission policy; one VM is created that complies with the policy,
and when access is granted, the user switches to a second non-compliant VM. This is why post-
admission control is an increasingly important requirement for NAC solutions.
REMEDIATION
Remediation refers to what happens if the device does not meet the security profile. A non-
compliant device may be refused connection completely or put in a quarantined guest network
or captive portal.
• Guest network—this would be a VLAN or firewalled subnet (DMZ) granting limited
access to network resources. For example, you might allow visitors with non- compliant devices
to use your Internet routers to browse the web and view their email but not grant them any
access to your corporate network.
• Quarantine network—this is another type of restricted network, usually based on a
captive portal. A captive portal allows only HTTPS traffic and redirects the HTTP traffic to a
remediation server. The remediation server would allow clients to install OS and anti-virus
updates in order to achieve or return to compliance.
TOPIC D
Install and Configure a Secure Routing and NAT Infrastructure
Once you have created segments and zones to represent your secure network topology, you do
need to facilitate at least some communications between these segregated areas. Network
traffic is moved around logical subnetworks at layer 3 by routers. In this topic, you will learn
how to secure routing infrastructure.
ROUTING INFRASTRUCTURE
Routers can serve both to join physically remote networks and subdivide a single network into
multiple subnets. Routers that join different types of networks are called border or edge
routers. These are typified by distinguishing external (Internet-facing) and internal interfaces.
These devices are placed at the network perimeter. Edge routers stand in contrast to routers
that handle traffic moving within the LAN. This function is likely to be performed by a layer 3
switch on an enterprise network.
The following graphic shows a simplified example of a typical routing and switching
infrastructure configuration. Basic layer 2 switches provide ports and Virtual LANs (logical
groupings of clients) for wired and (via an access point) wireless devices. Traffic between logical
networks is controlled by layer 3 switches with LAN routing functionality. WAN/edge routers
provide services such as web, email, and communications access for corporate clients and VPN
access to the corporate network for remote clients.
ROUTER CONFIGURATION
Routes between networks and subnets can be configured manually, but most routers
automatically discover routes by communicating with each other. Dynamic routers exchange
information about routes using routing protocols, such as Open Shortest Path First (OSPF),
Routing Information Protocol (RIP), and Border Gateway Protocol (BGP). It is important that this
traffic be separated from channels used for other types of data. Routing protocols do not
usually have effective integral security mechanisms, so they need to run in an environment
where access is very tightly controlled.
A hardware router is configured and secured in the same way as a switch (using a web or
command-line interface, for instance). The main difference is that a router is likely to have an
exposed public interface. This means that properly securing the router is all the more
important. Routers are often more complex than switches and it is consequently easier to make
mistakes. A software router is configured using the appropriate tools in the underlying NOS. As
well as the configuration of the routing functions, the performance and security of the
underlying server should be considered too.
Many companies are only allocated a single or small block of addresses by their ISP. Network
Address Port Translation (NAPT) or NAT overloading provides a means for multiple private IP
addresses to be mapped onto a single public address. NAT overloading works by allocating each
new connection a high-level TCP or UDP port. For example, say two hosts (192.168.0.101 and
192.168.0.102) initiate a web connection at the same time. The NAPT service creates two new
port mappings for these requests (192.168.0.101:61101 and 192.168.0.102:61102). It then
substitutes the private IPs for the public IP and forwards the requests to the public Internet. It
performs a reverse mapping on any traffic returned using those ports, inserting the original IP
address and port number, and forwards the packets to the internal hosts.
DESTINATION NAT/PORT FORWARDING
The types of NAT described so far involve source addresses (and ports in the case of NAPT) from
a private range being rewritten with public addresses. This type of address translation is called
source NAT. There are also circumstances where you may want to use the router's public
address for something like a web server but forward incoming requests to a different IP. This is
called destination NAT (DNAT) or port forwarding. Port forwarding means that the router takes
requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a
designated host and port on the LAN.