Network Security Quiz: Firewalls and Perimeter Networks

Questions and Answers

What is the primary function of a perimeter network in relation to external communications?

• To permit secure communications with third parties (correct)
• To increase network complexity
• To enhance risk assessment processes
• To evaluate the costs of security implementation

Which of the following is NOT a method of attack that firewalls protect against?

• Brute force attacks
• SYN floods
• Ping of death
• Social engineering attacks (correct)

How do firewalls manage data flow between networks?

• By inspecting packets and determining their transmission (correct)
• By establishing trust zones within the network
• By conducting regular risk assessments
• By enhancing cost-effectiveness of network security

What is a potential drawback of having a firewall as a single point of network access?

It creates a bottleneck in data traffic management (C)

Which of the following contributes to a defence-in-depth strategy within perimeter security?

Implementing multiple layers of security controls (B)

Which of the following statements accurately describes security policy?

A security policy is a document that states specific requirements or rules. (C)

Which of the following best represents a component of Defence-in-Depth strategy?

Using multiple layers of security controls. (C)

What does the acronym CIA stand for in the context of network security?

Confidentiality, Integrity, Availability (B)

Which of the following is a key purpose of keeping log files at the network perimeter?

To detect external attacks and intrusions. (C)

What is the role of firewalls in risk management?

To reduce the likelihood of unauthorized access. (C)

In the context of risk assessment, which of the following best describes the term 'vulnerability'?

A weakness that can be exploited by a threat. (B)

What is the main purpose of a security standard?

To establish system-specific or procedural requirements. (C)

Which of the following devices would typically be included in network complexity considerations?

Intrusion Detection Systems (IDS) (D)

What does Annual Loss Expectancy (ALE) represent?

Money allocated to handle risks on an annual basis (D)

Which layer is NOT part of the defence-in-depth strategy?

Firewall layer (C)

What is the function of the outermost perimeter in a network?

To separate the network from the ISP's network (B)

Which of the following is considered a semi-trusted network?

A demilitarized zone (DMZ) (C)

How is Single Loss Expectancy (SLE) calculated?

Total cost incurred if the risk occurs (A)

What is the primary goal of deploying a defence-in-depth strategy?

To provide multiple layers of protection against network attacks (B)

Which of the following best describes untrusted networks?

Networks that are outside the security perimeter (B)

In the risk assessment context, what does Annualized Rate of Occurrence (ARO) measure?

Frequency of a risk occurring in a year (D)

Which of the following statements about internal perimeters is true?

They are the boundaries you keep your protected networks within. (A)

Flashcards

Network Perimeter Defense

Protecting a trusted network by using devices at the edge of the network to regulate traffic.

CIA

Confidentiality, Integrity, and Availability; crucial in network security.

DAD

Disclosure, Alteration, and Denial; the opposite of CIA.

Security Policy

Rules that must be met; defines requirements for security.

Security Standard

System-specific requirements that everyone must meet.

Risk Assessment

Identifying potential dangers and creating strategies to mitigate risks to digital security.

Firewall

A security system that controls network traffic based on a defined policy.

Risk Factors in Digital Security

Factors such as the worth of an asset, the threat posed, and the likelihood of a vulnerability affecting it.

Perimeter Network

A network zone that enforces security measures at the boundary of a private network, controlling access to and from external networks. It uses firewalls and routers to selectively allow or deny data flows based on criteria like protocol, source, destination, and content.

DMZ (Demilitarized Zone)

A buffer zone in a perimeter network, designed to isolate sensitive internal networks from potentially less trusted external networks, allowing controlled access to specific services while protecting the internal network.

What do Firewalls protect against?

Firewalls protect against various security threats such as denial-of-service attacks, ping of death, teardrop attacks, SYN floods, LAND attacks, brute force attacks, smurf attacks, and IP spoofing.

How do Firewalls Work?

Firewalls examine incoming and outgoing network traffic, checking against defined rules and security policies. They inspect packets and sessions to determine if they should be allowed or blocked, effectively acting as a gatekeeper for network access.

Firewall Scripts

Sets of rules used to control network access, defining parameters like allowed applications, addresses, and user access to protect connectivity to external networks and data centers.

Annualized Rate of Occurrence (ARO)

The likelihood of a risk happening in a year expressed as a percentage. It helps you understand how often a specific risk might occur.

Single Loss Expectancy (SLE)

The total cost of a risk if it actually happens. This includes things like downtime, repairs, and stolen data.

Annual Loss Expectancy (ALE)

The likely cost of a risk happening over an entire year. Calculated by multiplying the ARO and SLE.

Network Perimeter

The virtual boundary that surrounds and protects your network from outside access.

Defense-in-Depth

A multi-layered security strategy that protects your network using multiple layers of defense at different points.

Trusted Network

The inner core of your network that you are trying to protect, accessible only by authorized users.

Semi-Trusted Network

A network that has some level of restricted access, like a webserver or DNS server, but doesn't contain sensitive data.

Untrusted Network

Any network outside your control, like the public internet, that is considered potentially dangerous.

Outermost Perimeter

The first layer of security between your network and the outside world, often involving routers and firewalls.

Internal Perimeters

Additional security layers within your network, used to protect sensitive data and systems even further.

Study Notes

Firewall Technologies

• Firewall technologies are used for network perimeter defense.
• Security is a primary concern in designing networks.
• CIA (Confidentiality, Integrity, Availability) is the goal of security.
• DAD (Disclosure, Alteration, Denial) is the opposite of CIA.
• Firewalls, authentication, and authorization measures aim to reduce unauthorized intrusions.

Learning Objectives

• Understanding network perimeter defense is a key objective.
• Identifying the perimeter of a trusted network is vital.
• Identifying devices that provide defense at the network perimeter is essential.
• Understanding the functions of devices located at the perimeter of a network is crucial.
• Designing firewalls to implement the policies of devices at the perimeter is needed.
• Understanding the need for keeping log files of devices at the perimeter is paramount.

Introduction

• Security is crucial when designing networks.
• Security means protecting or maintaining CIA.
• CIA stands for Confidentiality, Integrity, and Availability.
• DAD is the opposite of CIA, standing for Disclosure, Alteration, and Denial.
• A comprehensive network security solution with formal measures for authentication, authorization, confidentiality, availability, and integrity is needed to reduce unauthorized intrusions.

Security Policy

• Security policy documents outline specific requirements and rules.
• Security policies are usually point-specific and cover a single area.
• Password policies must include sufficient standards to properly secure resources.
• Security standards provide a collection of requirements for systems and procedures.
• Password standards specify the need for password generators.
• Security guidelines offer best practice suggestions for systems and procedures.
• Password guidelines list recommended password generators.

Network Complexity

• Different types of networks include the internet, intranet, extranet, public servers, and internal servers.
• These are interconnected using devices like IDS, firewalls, scanners, filters, and VPNs.

Risk Assessment

• Risk factors include worth, attraction, threat, vulnerability, and probability.
• Countermeasures include prevention (cryptography, firewalls, vulnerability scanning), and detection (intrusion detection systems, log analysis, digital signatures).
• Proper risk management is key to digital security.

Cost of Security & Risk Assessment

• Annualized Rate of Occurrence (ARO) calculates the likelihood of a risk occurring within a year.
• Single Loss Expectancy (SLE) is the potential cost of a risk occurring.
• Annual Loss Expectancy (ALE) is the total cost of a risk occurring, and is equal to ARO x SLE.
• Example: A web server failing has a 30% (ARO) probability. Website downtime for 2 hours costs $10,000/hour, and the repair cost is $6,000. Total Cost of risk (SLE) is 10,000 x 2 + 6000 = $26,000. Calculation of ALE is 26,000 x 0.3 = $7,800

What is network perimeter?

• Every network has a perimeter, a gateway to the internet.
• A perimeter surrounds the network with a single entry point for external traffic.
• A fortified boundary of our network.
• The concept of using multiple layers of defense to mitigate security threats is known as defense-in-depth.
• This uses traditional techniques like IP filtering gateways, proxy gateways, and combinations (defense in depth).

Defence-in-Depth

• A multilayer model for network protection.
• Each layer provides network and host defense.
• Each layer can stop network or host attacks.
• This is the fundamental aspect of network security.
• Multi-chokepoints to contain malicious activity and stop the spread.
• Four Main Layers: Authentication, perimeter, host intrusion prevention layer, and security best practices.

Types of Network

• Networks are categorized as trusted, semi-trusted, and untrusted based on the level of access and security.

Network Classifications

• Trusted networks are inside the security perimeter.
• Semi-trusted networks allow access to data and email resources.
• Untrusted networks are outside the perimeter and often include the DMZ.

Perimeter Networks

• Classifications of perimeters include the outermost and internal perimeters covering unknown networks, public servers, external routers, internal routers, firewall and trusted networks.

Perimeter Classification

• Outermost perimeter is the point of separation between your assets and those of the internet service provider.
• This perimeter is the most insecure area.
• It typically contains routers, firewalls, and servers, like HTTP, FTP, or Gopher.
• Internal perimeters are additional boundaries for other security measures, containing your critical networks.

Perimeter Devices

• Network hardware devices are important perimeter devices (routers, firewalls, modems, switches, and wireless hubs)
• Servers could be considered perimeter devices based on their connectivity to the internet and intranet.
• Clients from outside the perimeter may connect to the internal network.
• Perimeter security is traditionally provided by security perimeter devices like firewalls.
• Perimeter devices route traffic between networks.

A SMB network

• A firewall alone doesn't represent the only perimeter device.
• Outermost, Dirty, and Protected DMZs are part of the perimeter network.
• Firewalls, perimeter routers, servers, and internal servers are examples of devices in the perimeter.

Perimeter-Ownership

• Defines a perimeter device as any device that routes packets between two networks (firewall, router, switch).
• Devices shown in a diagram are considered perimeter devices depending on their access.

Perimeter Security Topologies

• Firewalls and routers place secure communication channels at the network's edge for organizations and third parties.
• Key enabling technologies include DMZs, extranets, and intranets.
• The goal of the perimeter network is selective data flow based on criteria like type, source, destination, and content.

Firewalls

• Hardware or software that secures a network from unwanted access.
• Protects networks from intrusions.
• May be a dedicated physical device or a software feature within routers, switches.
• Firewalls inspect packets and sessions to determine if they should be transmitted.
• Firewalls are a single point of entry for network access.
• Firewalls use scripts to control application, address, and user parameters.

What Do Firewalls Protect Against?

• Firewalls protect against denial-of-service (DoS) attacks such as ping of death, teardrop or raindrop attacks, SYN flood, and LAND attacks.
• Firewalls provide protection against brute-force, smurf attacks, and IP spoofing.

How Do Firewalls Work?

• Firewalls use network address translation (NAT).
• Firewalls use basic packet filtering.
• Firewalls use stateful packet inspection (SPI).
• Firewalls use application gateways.
• Firewalls will use access control lists (ACL).

Routers

• Network management devices connecting network segments and routing traffic.
• Critical for enabling communication between networks and the internet.
• Act as "digital traffic cops" handling packet filtering in addition to their primary function.

How a Router Moves Information

• Routers examine packets, compare the destination address to lookup tables, and then determine the next router for the packet, as needed.
• Routes packets to make sure information comes to its right destination

Perimeter/Firewall Router Functions

• The functionality of a perimeter/firewall router is varied.
• Protection Services/Methods control evesdropping, unauthorized access, session replay, inbound connections, outbound connections, packet filtering.

Switches

• Network devices that provide bridges, dividing collision domains but using ASICs (optimized).
• Improve network security by minimizing the collision domain to only two nodes.
• Collision domain separation reduces sniffing. (Switches use ACLs and VLANs)

Security Problems with Switches

• Default passwords on switches pose a security risk.
• Sniffing networks to gain administrator passwords via SNMP or Telnet can be problematic.

Securing a Switch

• Isolate management interfaces and use a serial port for management.
• Secure shells (SSH) or other encrypted methods are secure.
• Separate switches for DMZs to physically isolate them.
• Using VLAN jumping for preventing unauthorized access is a good measure.
• Keeping the switch updated with the latest versions of software and security patches.
• Product documentation is useful to determine the processes and steps.

VLAN (Virtual Local Area Network)

• VLANs separate subnets and create dedicated security zones.
• VLANs offer complete isolation between zones.
• VLAN compromises can lead to significant denial-of-service attacks.
• Can be "destroyed" to lead to an overall denial-of-service attack.

Virtual Local Area Networks

• Broadcast domain in a switched network.
• Has encryption to control user access.
• Prevents data interception.
• Clusters users into smaller groups, increasing security.
• Decreases the threat of broadcast storms.

Layer 2 Attacks

• Layer 2 attacks can target different aspects of the network, including MAC, ARP, and various VLAN attacks.
• Different attacks target aspects of how the network functions.

Perimeter Expansion

• Increased bandwidth (remote offices, telecommuters, roaming users, partners) leads to more potential vulnerabilities and harder detection.
• Improvements in technology (cryptography, content scanning, intrusion detection, vulnerability scanning) are needed, as well as countermeasures (prevention and detection techniques).

What we can do at the perimeter?

• Application systems, presentation systems, and session layers are parts of the layer architecture.
• Proxy systems, Stateful inspection, and packet filtration tools are used to prevent attacks.
• These tools are used to detect and control access into protected networks.

Packet filters (Routers)

• Packet filtering at the application, presentation, session, transport, network, data link, and physical layers.
• Advantage features are high performance, scalability, and application independence.
• Disadvantages include low security, no screening in upper layers, no state or application information.

Proxy systems/Application Layer Gateways

• Proxy systems are used in the application, presentation, session, transport, network, data link, and physical layers.
• Proxy systems have advantages like good security and application awareness.
• Disadvantages include poor performance and limiting application support.

Stateful Inspection

• Inspection in the application, presentation, session, transport, and network layers.
• Advantages are high security, scalability, and independence from application layer awareness,
• Disadvantages include an expensive solution.

Security Processes

• Security is an ongoing process, requiring ongoing analysis of new vulnerabilities and appropriate actions.
• Security is a process, and expert teams are needed.

Event Logging

• Complete and finely-grained event logging is vital for prevention, analysis, detection, and statistics.
• It's easily processed, readable, and suitable for manual, statistic, and expert system log analysis.

Logging

• Logging process controls the distribution of logs to various destinations such as logs, terminal lines, a syslog server, and the severity level.
• Logging enables timestamping of messages.
• Logging can be turned on with a RouterA(config)# logging on command.

Logging Level

• Logging level controls logging messages to the console, terminal lines, and syslog servers, depending on severity and configuration.

Syslog Severity Levels and Their Messages

• Severity levels range from emergency to debugging.
• Different levels categorize the severity of network events.
• Descriptions of these messages are detailed.

SYSLOG

• Syslog is a protocol used to inspect device behavior.
• Using a syslog server daemon on a PC can monitor all devices configured for syslog.
• Configure network devices to use the syslog server on a PC using commands like RouterA#config t, Router(config)#logging 150.100.1.242, RouterA#(config)#logging trap warnings, RouterA#(config)#end.

Chapter Summary

• A perimeter is a fortified boundary of a network.
• A trusted network is within the security perimeter.
• Perimeter devices like firewalls and routers route packets between networks.
• Firewalls inspect packets to determine if they should be allowed through.
• Event logging provides useful data for analysis, detection, prevention, and statistics gathering.

Review Questions

• Review questions cover topics like CIA, SLE, possible threats from inside an organization, the definition of a perimeter, network classifications, perimeter devices, switch security methods, and security mechanisms. There are questions about security at the perimeter such as firewall, network devices, VPN concentrators, proxy systems and more.

Thank You

• A concluding acknowledgment.