
3.3 Given a scenario, implement secure network designs.

Last edited 867 days ago by Makiel [Muh-Keel].
Networks are at the core of our organizations, transferring data and supporting the services that we rely on to conduct business. That makes them a key target for attackers and a crucial layer in defensive architecture and design.
Defense in Depth is a security framework built on the design policy of having multiple layers and controls of security in play at the same time.
Because the layers overlap, the failure of any one control or layer does not by itself lead to a data breach.

🧬The OSI Model

OSI stands for Open Systems Interconnection; it was developed to help vendors create interoperable network devices and software in the form of protocols, or standards, so the different networks could become more compatible and work better together.
The central purpose of the OSI model is to allow different networks to interoperate, or work in conjunction with one another, smoothly.

📶Network Segmentation

Maintaining security in the network can be made easier by segmenting the network and controlling access from one segment to another.
Network Segmentation can be done at several layers of the OSI model. One of the biggest reasons for implementing segmentation is for security purposes.
Network segmentation divides a network up into logical or physical groupings that are frequently based on trust boundaries, functional requirements, or other reasons that help an organization apply controls or assist with functionality.

📚 Virtual Local Area Networks (VLANs)

VLANs are used for network segmentation; they can prevent connections between systems that are plugged into the same switch. They can also be used to group users into common networks regardless of their physical location.

🪖Screened Subnet (DMZ) (Perimeter Network)

Screened Subnets, or DMZs (Demilitarized Zones), are network zones that contain systems exposed to less trusted areas.
Public traffic is vetted in the Screened Subnet before entering the internal network.
DMZs are commonly used to contain web servers or other Internet-facing devices but can also describe internal purposes where trust levels are different.

🌐 Intranet

Intranets are internal networks set up to provide information to employees or other members of an organization, and they are typically protected from external access.

🌎 Extranet

Extranets are networks that are set up for external access, typically by partners or customers rather than the public at large.
An extranet is a private network that enterprises use to provide trusted third parties -- such as suppliers, vendors, partners, customers and other businesses -- secure, controlled access to business information or operations.

🚫Zero-Trust

The Zero Trust concept supports least privilege. It describes that when a resource is created, the default permission should be No Access. It also means that when configuring ACLs on routers, all traffic should be blocked by default and only specific traffic allowed.
No one is trusted (Internal and External); Zero-Trust includes security between systems and security on the outer extremities.

🧭East-West Traffic

In today’s data centers, much of the data flows are between servers, sometimes called East-West traffic.
Since the data often stays inside the data center and is server to server, the access switches provide high-speed, low-latency local interconnections between the servers.
Traffic between systems in the same security zone moves left and right between them—thus “east and west” as you would see on a map.
Designing security solutions that can handle east-west traffic is an important part of security within network segments.
The term describes intersystem communication within the same data center.

⚖ Load Balancing

Load Balancers are used to distribute traffic to multiple systems, provide redundancy, and allow for ease of upgrades and patching.
Load Balancers are typically used for web service infrastructure to evenly distribute network loads over multiple servers. You can accomplish this on a network by installing multiple, redundant links to ensure that network traffic is spread across several paths and to maximize the bandwidth on each link.
Think of this as similar to having two or more different freeways that will both get you to your destination equally well—if one is really busy, just take the other one.
Load balancers rely on a variety of scheduling or load-balancing algorithms to choose where traffic is sent to. Here are a few of the most common options:
Round-robin sends each request to servers by working through a list, with each server receiving traffic in turn.
It evenly distributes incoming traffic across servers in a sequential manner.
This method is easy to implement, but it doesn't take server load or capacity into account.
Least connection sends traffic to the server with the fewest number of active connections.
This method ensures that new requests are evenly distributed across the servers, considering their current workload.
It is effective in balancing traffic based on the actual load on each server, ensuring a more equitable distribution.
Agent-based adaptive balancing monitors the load and other factors that impact a server's ability to respond and updates the load balancer's traffic distribution based on the agent's reports.
It involves deploying specialized software agents on individual servers or resources to monitor their workload, performance, and availability.
These agents communicate with a centralized load balancer to facilitate dynamic workload distribution based on real-time conditions.
Source IP hashing uses a hash of the source IP address to assign traffic to servers. This is essentially a randomization algorithm driven by client input.
Because the hash of a given address is always the same, requests from the same IP address are consistently routed to the same server.
This maintains session persistence and lets applications keep session state such as shopping carts, login sessions, or user preferences on one server.
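The three schedulers above side by side, as an added example that is not part of the original notes. The server names and starting connection counts are constructed; the `simulate` helper replays a list of client IPs through one scheduler so the differences (round-robin ignoring load, least-connection following it, IP hashing pinning a client to one server) can be observed.

```python
import hashlib
from itertools import cycle

# Constructed backend pool for the example; names are made up.
SERVERS = ["web1", "web2", "web3"]


class RoundRobin:
    """Hands each request to the next server in the list, ignoring load."""
    def __init__(self, servers):
        self._next = cycle(servers)

    def pick(self, client_ip, active):
        return next(self._next)


class LeastConnection:
    """Sends the request to the server with the fewest active connections."""
    def pick(self, client_ip, active):
        return min(active, key=active.get)


class SourceIPHash:
    """Hashes the client IP so the same client always lands on the same server."""
    def __init__(self, servers):
        self.servers = servers

    def pick(self, client_ip, active):
        digest = hashlib.sha256(client_ip.encode()).digest()
        index = int.from_bytes(digest[:4], "big") % len(self.servers)
        return self.servers[index]


def simulate(scheduler, requests, initial_load):
    """Replay client IPs through a scheduler.

    Returns the server chosen for each request and the final per-server
    active-connection count (connections are never released in this toy).
    """
    active = dict(initial_load)
    chosen = []
    for ip in requests:
        server = scheduler.pick(ip, active)
        active[server] += 1
        chosen.append(server)
    return chosen, active


if __name__ == "__main__":
    load = {"web1": 5, "web2": 0, "web3": 2}   # constructed starting load
    print(simulate(RoundRobin(SERVERS), ["10.0.0.1"] * 4, load))
    print(simulate(LeastConnection(), ["10.0.0.1"] * 3, load))
    print(simulate(SourceIPHash(SERVERS), ["10.0.0.1", "10.0.0.1"], load))
```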
There are two main modes of operation for a load balancer:

♻️Active/Active

Active/Active load balancer designs distribute the load among multiple systems that are online and in use at the same time.
Two or more servers aggregate the network traffic load and, working as a team, distribute it to the network servers.
If one of the servers goes down, performance will decrease from the user’s perspective, because they are used to unknowingly having two active servers serving them at once.

🚦Active/Passive

Active/Passive load balancer designs bring backup or secondary systems online when an active system is removed or fails to respond properly to a health check.
This type of environment is more likely to be found as part of disaster recovery or business continuity environments, and it may offer less capability from the passive system to ensure some functionality remains.
The primary load balancer distributes the network traffic to the most suitable server, while the second load balancer operates in listening mode to constantly monitor the performance of the primary load balancer and is ready at any time to step in and take over the load balancing duties should the primary load balancer fail.
You maintain uninterrupted service for your customers.

🎮Virtual IP Address

A Virtual IP Address is the address through which a load-balanced cluster of real servers is accessed; it is the address presented to connecting clients.
Client workstations do not know that the virtual IP is actually multiple computers.
It is the front-facing IP address used for the load-balancing instance.
For example, multiple web servers may share the same IP address, allowing requests to be distributed across multiple machines. This is useful for load balancing and redundancy: a "high availability" server, for instance, may have a single IP address shared by two separate computers.

🚂Persistence

Persistence means that a client and a server continue to communicate throughout the duration of a session.
This helps servers provide a smoother experience, with consistent information maintained about the client, rather than requiring that the entire load-balanced pool be made aware of the client's session.
By having load balancers cache information about each client that accesses their servers, they are able to create persistent sessions, which gives users a smoother experience.

🕵🏾Virtual Private Network

A Virtual Private Network (VPN) is a way to create a virtual network link across a public network that allows the endpoints to act as though they are on the same network.

✌🏾 Two major VPN technologies in use in modern networks

🔐IPsec

IPsec VPNs operate at layer 3, require a client, and can operate in either tunnel or transport mode. IPsec VPNs are often used for site-to-site VPNs, and for VPNs that need to transport more than just web and application traffic.
AH and ESP used together give integrity and authentication of the header (with ESP adding encryption of the payload).
Authentication Header (AH)
The AH protocol provides a mechanism for authentication only. AH provides data integrity, data origin authentication, and an optional replay protection service.
Encapsulation Security Payload (ESP)
The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication.
Tunnel mode encrypts the entire data packet, including the original IP header.
Transport mode only encrypts the payload that lies inside the data packet.
IPsec applies authentication and encryption to every packet.

🌐SSL/TLS

SSL/TLS VPNs can either use a portal-based approach (typically using HTML5), where users access it via a web page and then reach services through that connection, or they can offer a tunnel mode like IPsec VPNs.
They enable end users to securely access resources on the corporate network from anywhere using an SSL/TLS-enabled web browser. No remote access client is needed, only a browser that can perform SSL or the more secure TLS.
An HTML5 VPN is one where users access it via a web page and then access services through that connection.
It doesn’t need any large VPN client and is not especially complex; it just needs a 2FA method.
It creates a VPN tunnel without a separate VPN application.
It supports application programming interfaces and includes a web cryptography API.
SSL VPNs also provide the ability to segment application access, allowing them to be more granular without additional complex configuration.

🍨Split tunnel vs Full tunnel

When a client-to-site VPN is created it is possible to do so in two ways, split tunnel and full tunnel. The difference is whether the user uses the VPN for connecting to the Internet as well as for connecting to the office.
Split tunneling works by using two connections at the same time: the secure VPN connection and an open connection to the Internet. So in split tunneling, only traffic to the office goes through the VPN; Internet traffic does not. The security issue with this is that while the user is connected to the VPN, they are also connected to the most untrusted network, the Internet.
With full tunneling, all traffic goes through the VPN, which means the user accesses the Internet through the office connection and all traffic is examined by the office security controls.

📡Remote Access vs 🏢 Site-to-Site

Remote-Access VPNs are most frequently used in an as-needed mode, with remote workers turning on the VPN when they need to connect to specific resources or systems, or when they need a trusted network connection.
Client-to-Site VPNs or Remote Access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to go from any device that has the VPN client correctly installed and configured on it.
Individual User Connection: Each remote user establishes an individual VPN connection to the organization's network.
Site-to-Site VPNs allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like Frame Relay. This is probably the best solution for connecting a remote office to a main company office because all traffic that goes between the offices will be encrypted with no effort on the part of the users.
Since site-to-site VPNs are typically used to extend an organization's network, they are frequently Always On VPNs, meaning that they are connected and available all of the time, and that if they experience a failure they will automatically attempt to reconnect.
It establishes a secure and encrypted connection between the network gateways of different locations, enabling secure communication between the networks.
Client-to-site VPNs focus on providing secure remote access for individual users, while site-to-site VPNs establish secure connections between networks or sites, allowing them to communicate with each other.

2️⃣Layer-2 Tunneling Protocol (L2TP)

L2TP and IPsec are protocols often used in conjunction to provide strong encryption and authentication.
Used together, L2TP and IPsec are much more secure than PPTP (Point-to-Point Tunneling Protocol) but are still more suited for anonymization than for security.
L2TP (Layer-2 Tunneling Protocol) sometimes has problems with firewalls because of its use of UDP port 500, which some firewalls have been known to block.
L2TP was created as a direct upgrade to PPTP.
It connects over a layer-3 network.
IPsec (Internet Protocol security) is a very flexible protocol for end-to-end security that authenticates and encrypts each individual IP packet in a given communication.
IPsec is used in a wide range of applications at the Internet Layer of the Internet Protocol suite.

📖DNS Network Security

Domain Name System Security Extensions (DNSSEC)

DNSSEC focuses on ensuring that DNS information is not modified or malicious.
DNSSEC doesn’t provide confidentiality, though: the records are signed, not encrypted.
DNSSEC uses digital signatures, allowing systems that query a DNSSEC-equipped server to validate that the server's signature matches the DNS record.
Digital Signatures: DNSSEC uses cryptographic digital signatures to sign DNS resource records.
These signatures are created using public-key cryptography and are associated with specific DNS records, such as the address (A) record or the start of authority (SOA) record.
DNSSEC can also be used to build a chain of trust for IPsec keys and SSH fingerprints published in DNS.
DNS uses UDP/TCP port 53.
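The chain-of-trust step that the signatures above rest on, as an added example that is not part of the original notes: a parent zone publishes a DS record holding a digest of the child's DNSKEY, and a validating resolver recomputes that digest from the child's key to decide whether the child's signatures can be trusted. The DS digest layout (owner name in wire form followed by the DNSKEY RDATA, SHA-256 for digest type 2) and the key-tag arithmetic follow RFC 4034; the zone name and key bytes are constructed.

```python
import hashlib


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each
    prefixed by its length, terminated by the root label (0x00)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the
    right DNSKEY when a zone publishes several."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, flags, protocol, algorithm, public_key):
    """Digest the parent publishes in its DS record (digest type 2 =
    SHA-256 over owner-name wire form || DNSKEY RDATA)."""
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, public_key)
    return hashlib.sha256(data).hexdigest()


def parent_vouches_for_child(parent_ds_hex, owner, flags, protocol, algorithm, public_key):
    """The resolver's check: does the child's DNSKEY hash to the DS that
    the parent zone signed? A mismatch breaks the chain of trust."""
    return ds_digest(owner, flags, protocol, algorithm, public_key) == parent_ds_hex.lower()


# Constructed example: a made-up KSK (flags 257) for a made-up zone.
ZONE = "example.test."
KSK = bytes.fromhex("03010001") + bytes(range(32))      # not a real key
PUBLISHED_DS = ds_digest(ZONE, 257, 3, 8, KSK)          # what the parent would sign

if __name__ == "__main__":
    print("key tag", key_tag(dnskey_rdata(257, 3, 8, KSK)))
    print("valid  ", parent_vouches_for_child(PUBLISHED_DS, ZONE, 257, 3, 8, KSK))
    print("tampered", parent_vouches_for_child(PUBLISHED_DS, ZONE, 257, 3, 8, KSK[:-1] + b"\xff"))
```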

🔌Port Security and Port-Level Protections

Port Security is a capability that allows you to limit the number of MAC addresses that can be used on a single port.

😅Problems avoided due to Port Security

Port security helps avoid MAC (hardware) address spoofing, content-addressable memory (CAM) table overflows, and unwanted network intrusions.
The CAM table maps MAC addresses to IP addresses, allowing a switch to send traffic to the correct port. If the switch has no CAM table entry for a destination, it defaults to flooding the traffic out all ports to elicit a response from the correct MAC.
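A small switch model showing both behaviours described above, as an added example that is not part of the original notes: a port-security limit on learned MAC addresses, and a CAM table that floods a frame out every other port when the destination is unknown. The port names, MAC addresses and the shutdown-on-violation policy are constructed for the example.

```python
class SecurePort:
    """A switch port with a maximum number of allowed source MACs.
    Once the limit is reached, a frame from a new MAC is a violation
    and the port is shut down (the strictest common violation mode)."""
    def __init__(self, max_macs=2):
        self.max_macs = max_macs
        self.learned = []        # MACs allowed on this port
        self.shutdown = False
        self.violations = 0

    def ingress(self, src_mac):
        if self.shutdown:
            return "dropped"
        if src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.max_macs:
            self.learned.append(src_mac)
            return "learned"
        self.violations += 1
        self.shutdown = True
        return "violation"


class Switch:
    """CAM table keyed by MAC; unknown destinations are flooded."""
    def __init__(self, ports):
        self.ports = ports       # port name -> SecurePort
        self.cam = {}            # src MAC -> port it was seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Returns (port-security result, list of egress ports)."""
        result = self.ports[in_port].ingress(src_mac)
        if result in ("dropped", "violation"):
            return result, []
        self.cam[src_mac] = in_port
        if dst_mac in self.cam:
            return result, [self.cam[dst_mac]]           # known: unicast
        return result, [p for p in self.ports if p != in_port]  # unknown: flood


def cam_entries_from(switch, port):
    """How many CAM entries a single port managed to populate."""
    return sum(1 for p in switch.cam.values() if p == port)


if __name__ == "__main__":
    sw = Switch({"Gi0/1": SecurePort(2), "Gi0/2": SecurePort(2), "Gi0/3": SecurePort(2)})
    for i in range(5):   # five different source MACs on one port
        print(sw.receive("Gi0/1", f"00:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff"))
    print("CAM entries learned from Gi0/1:", cam_entries_from(sw, "Gi0/1"))
```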