3.3 Given a scenario, implement secure network designs Notes | Knowt (2024)

3.3 Load Balancing

Load Balancing

  • manage the disruption of incoming requests across servers based on various factor such as server capacity, current load, and health status.

    • prevents any single server from becoming overloaded and ensures even distribution of traffic

    TCP Offload

  • backend servers are relieved from handling these tasks, which can be resource-intensive. TCP is the protocol used for establishing and maintaining connections between devices over the internet

    SSL Offload

  • can handle SSL (Secure Sockets Layer) encryption and decryption, relieving backend servers from the resource-intensive task and improving overall efficiency

    Caching

  • can cache frequently accessed content or data, such as static web pages or images, to deliver faster responses to clients and reduce the load

  • Can prioritize certain types of traffic or requests based on predefined rules or policies, ensuring that critical applications or services receive sufficient resources and bandwidth

Active Load Balancing

  • servers actively process incoming requests and handle the workload

Passive Load Balancing

  • servers are kept in a standby state and do not actively process requests.

    • ready to take over the workload if any of the active servers fail or become unavailable

Active/Active Load Balancing

  • all servers are actively handling requests simultaneously

Scheduling Load Balancing

  • involves determining how incoming reqests are distributed amongst servers

Scheduling Round-robin balancing

  • requests are distributed to servers in a circular order

  • each server is selected in turn

Weighted Round-robin

  • servers are assigned different weights based on their capacity or capability

Dynamic Round-robin

  • Server load is continuosly monitored

  • Requests are routed to the server with the lowest current load, ensuring resource utilization

Virtual IP load balancer

  • involves using a single IP address to represent multiple servers behind a load balancing

Persistence load balancer

  • ensures that clients maintain a consistent connection with a specific server instance throughout their session

3.3 Network Segmentation

Virtual Local Area Networks (VLANs)

  • allows you to logically segment a network like dividing an office building into separate departments, providing isolation and security benefits while enabling efficient communication between different groups of devices

Screened subnet

  • acts as a buffer zone between the public internet and your private network , allowing public access to specific resources while protect your sensitive information from unauthorized access

East-west traffic

  • communication happening inside the same building or location.

    • Quicker communication

Extranet

  • a special area within your company’s network where trusted partner, vendors, or supplies are invited to collaborate.

    • access is restricted to authorized users, who need to pass through additional authentication measures to ensure security and privacy

Intranet

  • private area for employees of a company.

    • employees access company-related information and resources, collaborate with colleagues, and stay informed about internal matters

  • access is limited to employees only

  • NO EXTERNAL ACCESS

Zero Trust

  • no one is trusted.

    • everyone identity and intentions are continuously monitored and implement multiple layers of security measures to ensure the security measures to ensure the safety of site

3.3 Virtual private network (VPN)

Virtual Private Network (VPN)

  • allow for secure communication over public networks by encrypting data

    • data is encrypted before it travels over the internet.

VPN Concentrator

  • a security checkpoint for data traveling in and out of a private network.

    • managing the flow of data in and out of a VPN Network

  • authenticates users, encrypts their data, and ensures that only authorized users gain access to the internal network resource

  • provides secure remote access to a network using the SSL/TLS protocol.

Remote access VPN

  • enables user to connect to a private network securely from a remote location

    • on demand access to private network from their remote devices, such as laptops or smartphones, whenever they need access to network resources

Personal Device ————> VPN (Encrypts Traffic+ Connects to Internal Network) ———→ Internet

What is VPN used for?

Full Tunnel VPN

  • directs all your internet traffic through a VPN tunnel

  • internet traffic, data is encrypted before it leaves the device

Split Tunnel VPN

  • splits the traffic flow

  • allows you to designate which apps or websites will use the encrypted VPN tunnel

Remote Access VPN

  • allows user to connect to a private network from a remote location , such as their home or a public WI-FI hotspot, securely over the internet.

    • VPN client software. Remote access VPN • On-demand access from a remote device – Software connects to a VPN concentrator • Some software can be configured as always-on

Site to Site VPN

  • allows multiple offices of a company to connect securely over the internet.

  • instead of individual devices connecting to a VPN server, entire networks (sites) are connected to each other , creating a secure and private network over the internet

  • lets employees in different locations share resources and communicate as if they were in the same office


IPsec (Internet Protocol Security)

  • provides security for OSI Layer 3 with the following features

    • Authentication and Encryption

  • Confidentiality and Integrity : Ensures data privacy and prevents alteration during transmission through encryption and packet signing

  • Includes two Protocols

    • Authentication Header (AH) and Encapsulation Security Payload (ESP)

Layer 2 Tunneling Protocol (L2TP)

  • used for connecting sites over a layer 3 network as if they were connected at layer 2.

  • commonly implemented with IPSec for added security

  • creates a tunnel for data transmission

HTML5

  • standard language used for creating and structuring content on the web.

  • has the ability to create a VPN tunnel without the need for a separate VPN application.

Network Access Control (NAC)

  • solutions help manage who and what can connect to a network.

  • designed to enhance network security by enforcing policies for endpoint devices seeking to connect to a network

  • Enforce rules that devices must follow, like having antivirus software.

Out-of-band response

  • a method used by an Intrusion Prevention System (IPS) to deal with malicious network traffic

  • Occurs after the IPS has identified the malicious traffic

  • IPS sends TCP RST (reset) frames to the source of the packets to terminate the connection

Port Security

  • measures taken to secure physical switch interfaces

  • limits overall traffic

  • limiting the number of MAC addresses allowed on a port

Broadcast storm prevention

  • is like a traffic cop for network messages

  • Limits the number of broadcast messages that can flood a network, preventing them from causing congestions of disruptions

  • Limit the number of broadcasts per second

Bridge Protocol Data Unit (BDPU) guard

  • protects against STP attacks

  • detects BDPUs that could disrupt the network

Spanning Tree Protocol

  • prevents bridge loops in Ethernet networks

  • acts a traffic cop to prevent endless loops

  • used to reduce layer 2 loops

  • What is a loop? something that goes around and around and it never stops

  • Only uses one link for a switch

Loop Prevention

  • Connect two switches to each other

    • They will send traffic back and forth forever

  • IEEE standard 802.1D prevents loops in bridged (switched) networks

Dynamic Host Configuration Protocol (DHCP) snooping

  • a security feature on a switch that can be used to prevent unauthorized DHCP servers from operating on the network

  • switches have interfaces on the network that it can mark as untrusted if it has not be trusted

  • switch can filter out the untrusted DHCP conversation and not allow it to be sent to any of the devices on the network

Media access control (MAC) filtering

  • a network security technique used on switches to control device access based on their unique Media Access Control (MAC) address

  • not always useful due to the fact MAC address can be spoofed

  • creates a list of authorized MAC addresses.

  • only allows devices with matching MAC address to connect to specific ports

3.3 Network Appliances

Jump Servers

  • acts a security checkpoint in the lobby

  • acts as an middle man for connecting you to a server in a more secure zone of the network.

  • creates a separation between the less secure zone and the highly secure zone where the important servers are located

Proxy Servers (Forward Proxy)

  • acts an middle man between a client requesting a resource (like a webpage) and the server that provides that resource

  • when accessing a website, your request goes to the proxy server first, instead of directly to the website.

  • _______ receive your request and forwards it to the actual website server

  • can filter content before the server receives it

  • improves browsing speed

Reverse Proxy

  • request goes to the reverse proxy first, instead of directly to the web server

  • the reverse proxy directs the users to the appropriate web server

  • the web server processes the request and sends it to the reverse proxy and the reverse proxy sends it to the client

Network-based intrusion detection system (NIDS)

  • acts like a security guard who monitors the flow of people

  • keeps an eye on network traffic, analyzing packets to identify suspicious activity.

  • Compares network traffic patterns to known attack signatures

  • if it detects something suspicious , it generates alerts for further investigation

Network-based intrusion prevention system (NIPS)

  • acts a security guard who can actively prevent unauthorized access

  • monitors network traffic, but it can take action to block suspicious activity in real-time

  • can block malicious traffic or take steps to isolate the compromised device

Signature Based

  • a specific method used by intrusion detection systems (IDS) to identify malicious activity on a network.

  • patterns or characteristics of malicious activity identifies by security researches.

Heuristic/behavior

  • a specific method used by intrusion detection systems (IDS) to identify detection focuses on observing activities.

  • notices someone acting suspiciously.

Anomaly based

  • a specific method used by intrusion detection systems (IDS) to identify un-normal behavior from a user and alerts the user for potential security concerns

Inline IDS

  • Inspects all network traffic passing through in real-time.

    • analyze the packet to identify malicious activity and take immediate action to block it

Passive IDS

  • monitors network traffic flowing by but doesn’t directly interfere with it.

    • analyzes the traffic and sends alerts for suspicious activity

  • reports any suspicious activity they see

Hardware Security Module

  • a tamper-resistant device that safeguards sensitive data, particularly cryptographic keys and digital signatures

  • store and manage cryptographic keys.

  • perform cryptographic operations like encryption and decryption within their secure environment

Sensors

  • monitor the flow of data across your network for unusual patterns or potential threats

    • Intrusion prevention systems, firewall logs, authentication logs, database transaction logs, email logs

Aggregate

  • to combine multiple network connections into one logical connection.

Collectors

  • refers to systems that gather log and event data from various security devices and applications. These devices can include

    • Firewalls

    • SIEM consoles

    • Syslog servers

Web Application Firewall (WAF)

  • acts as a security shield that protects web application from malicious attacks

  • is like a security guard who stands between your store (web application) and the street (internet)

  • filters incoming traffic based on a set of security rules. It can block requests that appear suspicious or malicious

  • Protects against SQL Injection

  • Applies rules to HTTP/HTTPS conversations

Network Based Firewall (NGFWs)

  • acts a security barrier that safeguards your entire network from unauthorized access and malicious traffic.

  • controls who are what comes in to your network

  • examines all incoming and outgoing traffic on your network connection

  • implements

  • Can incorporate content filtering features such as URL filtering, to control website traffic by category

  • Integrate IPS capabilities to identify and block malicious traffic based on known attack signatures and vulnerabilities specific to applications

  • Can incorporate content filtering features such as URL filtering, to control website traffic by category

Stateful Firewall

  • keep track of active connections

  • allows or blocks traffic dynamically. It remembers authorized connections and allows data flowing within those connections

  • knows the reason on why there are there and as long as the connection is valid the connection is free-less

Stateless Firewall

  • is a network security tool that filters traffic based on pre-defined rules without keeping track of ongoing connections

  • does not keep track of traffic flows

    • each packet is individually examined , regardless of past history

    • traffic sent outside of an active session will traverse a stateless firewall

Unified Threat Management (UTM)

  • integrates multiple security functionalities into a single platform

  • acts like a well-coordinated security team with all the guards together from a central command center

  • Functions include

    • Firewall , IDS/IPS, and Antivirus/Anti-malware, Content filtering, and Web Filtering, VPN Endpoint, Spam Filter


Network Address Translation (NAT) Gateway

  • acts as a translator between your internal network and the internet

  • turns your private ip address to a public ip address that can be recognized by the internet.

Content/URL Filtering

  • a security practice that controls the type of content or websites users on your network can access

Firewall characteristics

Open-source vs. Proprietary

Open Source Firewalls

  • free to use and modify, large community for support , may lack advanced features like application control

Proprietary Firewalls

  • often include advanced features, easier to manage with user-friendly interfaces and vendor support

Hardware vs. Software

Hardware Firewalls

  • offers efficient performance and dedicated processing power for firewall functions. They may also provide more flexible connectivity options with specialized ports

Software Firewalls

  • More affordable, can be easily installed on existing hardware and readily upgraded. Offer greater flexibility for deployment on various platforms

Appliance vs. host-based vs. virtual

Appliances Firewalls

  • dedicated hardware appliances often provide the fastest throughput

Host Based Firewalls

  • firewalls installed directly on individual devices (hosts) can be application-aware and monitor both incoming an outgoing traffic and view non-encrypted data

Virtual Firewalls

  • virtual firewalls provide valuable east/west network security

Access Control List (ACL)

  • is a set of rules that defines how network traffic is allowed or blocked on a network device like a router, firewall, or switch

  • The rules can be based on these factors

    • IP Address, Allowed Protocols, Source and Destination Ports

Route Security

  • ensures accurate and secure routing information to avoid

QoS (Quality of Service)

  • refers to a set of technologies that prioritizes network traffic to ensure smooth operation for critical operations

  • VoIP , bandwidth, traffic rate

Implications of IPv6

  • More IP address space

  • No need for NAT

  • Built in support for IPSec , a suite of protocols for secure communication. It provides encryption and authentication for data packets

Port spanning/port mirroring

Port spanning/port mirroring - is a network monitoring technique that copies traffic from one or more network ports to another designated port for monitoring purposes.

Port Taps

  • physical hardware devices that insert themselves in-line between two network devices

  • creating an exact copy of all traffic flowing through the connected cable

Monitoring services

  • Constant cybersecurity monitoring

    • Ongoing security checks

    • A staff of cybersecurity experts at a Security Operations Center (SOC)

  • Respond to events

    • Faster response time

  • Maintains compliance

File Integrity Monitoring (FIM)

  • Some files change all the time

    • Some files should NEVER change

  • Monitor important operating system and application files

    • Identify when changes occur

  • Windows - SFC (System File Checker)

3.3 Given a scenario, implement secure network designs  Notes | Knowt (2024)

FAQs

What is the biggest advantage of network printing setup? ›

A network printer is a shared printer connected to a workgroup or a network. In this scenario, all the computers connected to the network through an Ethernet cable or WIFI. The primary benefit is that users can access the same printer simultaneously with the help of a print server.

What does a defense in breadth approach add? ›

The founding principal of Defense in Breadth is layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another [9,10].

Which security model assumes that everything is an open and untrusted network? ›

Zero trust defined

Under zero trust, every user, device, and component is considered untrusted at all times, regardless of whether they are inside or outside of an organization's network.

What is the main role of a load balancer in network security Quizlet? ›

Network Load Balancers is optimized to handle sudden and volatile traffic patterns while using a single static IP address per AZ.

What is the purpose of network printing? ›

Network printers offer flexibility and efficiency to all employees in the office; they can operate with multiple platforms and a variety of different printer types (laser, inkjet, thermal, etc.). This means users throughout the office can access network printers regardless of the platform in use on their device.

What two advantages does network printing have over local printing? ›

Connectivity: Network printers can be accessed by multiple computers within a network, while local printers are directly connected to a single computer. Printing speed: Network printers generally boast faster printing speeds, ideal for high-volume printing tasks.

What are the 3 key layers of the defense-in-depth security strategy? ›

A layered security strategy is evaluated in three different areas: administrative, physical, and technical. Administrative controls include the policies and procedures needed to restrict unauthorized access, such as role-based access control (RBAC) or employee training to protect against phishing scams.

What is a network defense strategy? ›

In computing, defense strategy is a concept and practice used by computer designers, users, and IT personnel to reduce computer security risks.

What is the difference between defense in breadth and defense-in-depth? ›

Defence in breadth provides security at the application level. Most defence in depth applies at Network Layer also known as Layer 3 of OSI stack.

What is Zero Trust for beginners? ›

Zero Trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter.

What is the difference between Zero Trust and traditional network? ›

Zero-trust continuously monitors everyone and everything trying to access resources, while the traditional approach trusts insiders once they're past the network security, allowing broader access without constant verification.

Which architecture secures a network with a stack of security appliances and firewalls? ›

Hub-and-spoke networks are secured with stacks of appliances such as VPNs and “next-generation” firewalls, using an architecture known as castle-and-moat network security.

What does a load balancer rule configured with protocol all and port enables to do? ›

A load balancer rule configured with 'protocol - all and port - 0' is known as a High Availability (HA) port rule. This rule enables a single rule to load-balance all TCP and UDP flows that arrive on all ports of an internal Standard Load Balancer.

Which classification of router would be used to connect your organization to the internet? ›

Core router: Unlike the routers used within a home or small business LAN, a core router is used by large corporations and businesses that transmit a high volume of data packets within their network.

Why do we need network load balancer? ›

A load balancer serves as the single point of contact for clients. The load balancer distributes incoming traffic across multiple targets, such as Amazon EC2 instances. This increases the availability of your application.

What is the biggest advantage of network printing setup connectivity flexibility all jobs go to one machine supplies? ›

Advantages of network printers

Shared resources – Multiple users across the network can easily access network printers, which fosters collaboration and flexibility in the workplace.

Which of the following is an advantage of networking a printer? ›

Which of the following is an advantage of connecting a printer to a network? Multiple users can print to the same printer. Connecting a printer to a network lets multiple users print to the same printer. Network printers are often more expensive than non-networked printers.

What are the major advantages of digital printing? ›

Advantages of digital printing
  • Full color. Various design possibilities with full color and gradation print without the limitation of colors.
  • Quick delivery. ...
  • Color matching time is reduced. ...
  • Low cost. ...
  • Simple. ...
  • Small volume production. ...
  • High added value. ...
  • Environmentally friendly.

What is the advantage of having a printer with a built-in print server and network interface? ›

What is an advantage of having a printer with a built-in print server and network interface? The ability to queue and separate print jobs becomes much easier. When would you use a TCP/IP port when configuring a printer object? When a printer is not directly/physically connected to a Windows work station.

Top Articles
Latest Posts
Article information

Author: Prof. An Powlowski

Last Updated:

Views: 6144

Rating: 4.3 / 5 (64 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Prof. An Powlowski

Birthday: 1992-09-29

Address: Apt. 994 8891 Orval Hill, Brittnyburgh, AZ 41023-0398

Phone: +26417467956738

Job: District Marketing Strategist

Hobby: Embroidery, Bodybuilding, Motor sports, Amateur radio, Wood carving, Whittling, Air sports

Introduction: My name is Prof. An Powlowski, I am a charming, helpful, attractive, good, graceful, thoughtful, vast person who loves writing and wants to share my knowledge and understanding with you.