Chapter 7 - 02 - Discuss Security Benefits of Network Segmentation
EC-Council
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Module Flow

- Discuss Essential Network Security Protocols
- Discuss Security Benefits of Network Segmentation
- Understand Different Types of Firewalls and their Role
- Understand Different Types of IDS/IPS and their Role
- Understand Different Types of Honeypots
- Understand Different Types of Proxy Servers and their Benefits
- Discuss Fundamentals of VPN and its importance in Network Security
- Discuss Other Network Security Controls
- Discuss Importance of Load Balancing in Network Security
- Understand Various Antivirus/Anti-malware Software

Discuss Security Benefits of Network Segmentation

Network segmentation enhances network security by creating layers within the network and separating the servers containing sensitive information from the rest of the servers. The objective of this section is to explain the role of network segmentation in network security.

Module 07 Page 730 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

What is Network Segmentation?
Network segmentation is the practice of splitting a network into smaller network segments, separating groups of systems or applications from each other. Whether the segmentation is physical or virtual, it can restrict communication throughout a network and also restrict network attacks. In a segmented network, groups of systems or applications that have no interaction with each other are placed on different network segments. Even if an attacker or an insider manages to penetrate the perimeter security, they cannot access the network resources from one segment to another.

Network segmentation overcomes the drawback of a traditional flat network, where all the network resources (servers, workstations, etc.) are placed on the same network. If an attacker manages to penetrate the perimeter defense, they can see and have easy access to a flat network, since most detective tools focus on what is going outside a network. Though a flat network infrastructure is easy to manage, it is always open to various attacks.

Security benefits of network segmentation:
- Improved security: It isolates network traffic to prevent access between network segments.
- Better access control: It allows accessing specific network resources.
- Improved monitoring: It provides event logging, monitoring, and denying internal connections, and detecting malicious actions.
- Improved performance: It reduces local traffic, with fewer hosts per subnet, and isolates broadcast traffic to the local subnet.
- Better containment: It limits any network issues that might occur to the local subnet.
Working Principle of Network Segmentation

Figure 7.28: Working principle of network segmentation (zones shown: Internet; DMZ1 with proxy, email, and web servers; DMZ2 with application and database servers; internal zone with user workstations and internal servers)

In the above diagram, network segmentation is used for separating servers; one firewall, two DMZ zones (demilitarized zones and an isolated layer-3 subnet), and an internal zone are used. Web servers and email servers are separated from the servers that do not require direct internet access, since both need to be internet-facing and are vulnerable to attacks. Even if one of the internet-facing servers is compromised, the separation of both servers can reduce the damage. Bidirectional traffic is allowed between the internal zone and DMZ2 for backups/authentication via Active Directory, whereas only one-way traffic is allowed from the internal zone to DMZ1. The proxy, email, and web servers of DMZ1 are separated from the application and database servers of DMZ2 for enhanced security.

The firewall allows internet traffic to DMZ1 via certain ports (80, 25, 443, etc.) and closes all the other ports (transmission control protocol (TCP)/user datagram protocol (UDP)), whereas it does not permit internet traffic to DMZ2. If user workstations in the internal zone require internet access, the access is directed through an HTTP proxy server in DMZ1, since the internal zone is isolated from internet traffic. Even if a server in DMZ1 is compromised, the internal zone remains secure, since traffic from the internal zone to DMZ1 is permitted only one way. The segmentation in the above diagram represents a firewall security zone segmentation that can optimize network security.
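The zone rules described above can be written down as a default-deny policy table and used to audit flow records for segmentation violations. This is an added example, not part of the courseware; the subnets, the sample flows, and the rule letting DMZ1 reach the Internet (needed by the proxy) are assumptions.

```python
import ipaddress

# Zone addressing is an assumption for this example; the page names the zones
# but gives no subnets. Any address outside these networks is "internet".
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "dmz1": ipaddress.ip_network("192.168.10.0/24"),
    "dmz2": ipaddress.ip_network("192.168.20.0/24"),
}

ANY = "any"

# (source zone, destination zone) -> ports on which the source may OPEN a
# connection. Replies are assumed to be handled by a stateful firewall.
# Every zone pair not listed here is denied.
POLICY = {
    # The page lists "80, 25, 443, etc."; only the named ports are modelled.
    ("internet", "dmz1"): {("tcp", 80), ("tcp", 25), ("tcp", 443)},
    ("internal", "dmz1"): ANY,   # one-way: DMZ1 may not initiate to internal
    ("internal", "dmz2"): ANY,   # bidirectional: backups / AD authentication
    ("dmz2", "internal"): ANY,
    ("dmz1", "internet"): ANY,   # assumption: the proxy must reach the Internet
}


def zone_of(addr):
    """Map an IP address to its zone name."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(src, dst, proto, dport):
    """Return (allowed, reason) for a connection initiated by src to dst."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True, f"intra-zone ({sz}), does not cross the zone firewall"
    ports = POLICY.get((sz, dz))
    if ports is None:
        return False, f"{sz} -> {dz} is not a permitted zone pair"
    if ports == ANY or (proto, dport) in ports:
        return True, f"{sz} -> {dz} permitted"
    return False, f"{sz} -> {dz} on {proto}/{dport} is a closed port"


def audit(flows):
    """Return the flows that violate the zone policy, with the reason."""
    violations = []
    for flow in flows:
        allowed, reason = evaluate(*flow)
        if not allowed:
            violations.append({"flow": flow, "reason": reason})
    return violations


# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.168.10.20", "tcp", 443),   # Internet -> web server
    ("198.51.100.7", "192.168.10.20", "tcp", 22),    # Internet -> closed port
    ("198.51.100.7", "192.168.20.5", "tcp", 1433),   # Internet -> DMZ2 database
    ("10.10.4.31", "192.168.10.10", "tcp", 8080),    # workstation -> proxy
    ("192.168.10.20", "10.10.4.31", "tcp", 445),     # DMZ1 -> internal
    ("192.168.20.5", "10.10.0.10", "tcp", 389),      # DMZ2 -> internal directory
    ("10.10.4.31", "203.0.113.80", "tcp", 443),      # workstation bypasses proxy
    ("192.168.10.10", "203.0.113.80", "tcp", 443),   # proxy -> Internet
]

if __name__ == "__main__":
    for item in audit(SAMPLE_FLOWS):
        print(item["flow"], "=>", item["reason"])
```

A flow from DMZ1 towards the internal zone is the pattern to alert on first, since it is what a compromised internet-facing server would generate.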
For added security, a cloud-based web filtering solution (e.g., WebTitan, TitanHQ, SolarWinds MSP, etc.) can be used, which can filter website requests and prevent end users from accessing malicious websites.
Types of Network Segmentation

Network segmentation can be implemented in three ways, namely, physical segmentation, logical segmentation, and virtualization, wherein the network is isolated physically, isolated logically (through virtual local area networks, or VLANs), and entirely virtualized, respectively.

- Physical Segmentation: Physical segmentation is a process of splitting a larger network into smaller physical components. These segments can communicate via intermediary devices such as switches, hubs, or routers. Physical segmentation is generally used for isolating two or more devices from each other. For instance, all web servers are separated and placed in one segment, with database servers and File Transfer Protocol (FTP) servers in two other segments; these segments communicate only through their individual switches. Physical network segmentation can be an easy approach to divide a network, but it is expensive as it occupies more space and creates unwanted issues such as traffic conflicts.
  It is also known to be a secure mechanism but is difficult to implement, as each segment in the network should have individual network connections, physical cabling, and firewall implementations.

  Figure 7.29: Physical segmentation of network

- Logical Segmentation: To overcome the problems associated with physical segmentation, organizations choose the logical segmentation of their network. Logical segmentation utilizes VLANs, which are isolated logically without considering the physical locations of devices. Each VLAN is considered an independent logical unit, and the devices within a VLAN communicate as though they are in their own isolated network. This type of segmentation is easier to implement and flexible to operate. In this approach, firewalls are shared, and switches handle the VLAN infrastructure. Logical segmentation does not need new hardware, and the provided environment is managed with the existing hardware resources. This type of segmentation employs the built-in concepts incorporated within the network infrastructure, such as the creation of independent VLANs that share a physical routing device (switch), segregation of various asset types into different layer-3 subnets, and use of a router to allow data exchange between subnets.

  The following are the key advantages of logical segmentation:
  - It enables the creation of virtual workgroups irrespective of users' locations.
  - It effectively controls the network broadcast.
  - It improves security by defining which network nodes can interact with each other.
  - It eliminates the physical boundaries between users.

  Figure 7.30: Logical segmentation of network

- Network Virtualization: Network Virtualization (NV) is a process of combining all available network resources and enabling security professionals to share these resources amongst the network users using a single administrative unit. It abstracts network resources traditionally allocated as actual hardware to software. NV can combine multiple physical networks into one virtual, software-based network, or divide one physical network into separate, independent virtual networks. NV provides systems and users with efficient, controlled, and secured sharing of network resources (files, folders, computers, printers, hard drives, etc.). NV splits the available bandwidth into independent channels, which can be assigned or reassigned to a particular server or device in real time. For example, a virtual LAN (VLAN) can unite network devices into one unit irrespective of their physical location, thereby enabling the creation of a subsection of the local area network (LAN).

  The following are the key advantages of network virtualization:
  - It enables efficient, flexible, and scalable usage of the network.
  - It logically segregates the underlay administrative domain from the overlay domain.
  - It accommodates the dynamic nature of server virtualization.
  - It provides security and isolation of traffic and network details from one user to another.
  Figure 7.31: Illustration of network virtualization

Introduction to Bastion Host

A bastion host is designed for defending a network against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attacks. It provides a limited range of services, such as website hosting and mail, to ensure security. Traffic entering or leaving the network passes through a firewall. A bastion host has two interfaces:
- A public interface directly connected to the Internet
- A private interface connected to the intranet

A bastion host is the only host computer on the Internet that can be addressed directly from the public network. As these components are exposed to substantial risk, enormous effort is required in designing and configuring bastion hosts to minimize the probability of attacks. Various other types of bastion hosts are web, mail, Domain Name System (DNS), and FTP servers. Bastion hosts also provide packet filtering and proxy services.
Figure 7.32: Illustration of Bastion Host

Need for Bastion Host

- Minimize the chances of penetration by intruders
- Create all the logs, which can be used to identify an attack or attempts to attack
- In case of an attack, the bastion host acts as a scapegoat
- Provide an additional level of security

A bastion host is a system that has multiple network interfaces exposed to the Internet. The operating system on such a device is hardened to provide more security than on any other computer in the network. After the configuration of the computer and installation of the software, the rule sets for internal and external traffic may be installed and configured on top of the hardened operating system. All the network services are disabled on the bastion hosts. They allow only specified Internet access. For example, there must not be any user accounts on the bastion server, as these create the possibility of a user logging on to the system, taking control of it, and also accessing the Internet. Even the network file system, which offers access to files across the network, must be disabled so that it does not create an opportunity to access the bastion server and files that can be accessed on the Internet.

The safest place to place the host is in the subnet as a component of the firewall. The main advantage of placing bastion hosts in their own network is that it makes it difficult to compromise them, with no other resource on the network.

Bastion servers create all the logs, which can be used by the intranet administrator to tell if there has been an attack or attempts to attack. Two copies of system logs are maintained as the backup for various security reasons.
One of the possible methods to back up the security logs is to connect the bastion host to a dedicated computer, which functions only to keep track of the secure backup logs.

Automated monitors are more complex programs than auditing software. Automated monitors frequently check the bastion server's system logs and raise alarms if any suspicious activities are found in them. For example, an alarm is raised if it finds any unsuccessful attempts by a user with three different logins.

The number of bastion hosts in a firewall is not restricted to a certain number. Every bastion host can manage multiple Internet services on the same intranet. In some instances, the bastion host can be used as a victim machine. The victim machine can then be used to handle the Internet services that cannot be managed by proxying or those Internet services whose security issues are not known. The services are substituted in the victim's machine instead of the bastion host with other services. It acts as a backup to the bastion servers even if the server is down.

If the filtering router is placed between the bastion host and the intranet, it can be an added security. The filtering router drops all the unauthorized packets after checking all the packets between the Internet and intranet.

The bastion server cannot manage requests such as sending a web page or delivering email when it receives a request for service. The request is sent across to the suitable intranet server. The intranet server processes the request, and the reply is sent back to the bastion server. The bastion server dispatches the requested service to the requester.
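The automated log monitor described earlier in this section can be sketched as follows. This is an added example, not part of the courseware: it reads the alarm condition as failed logins from one source under three different login names within ten minutes, and that reading, the window, and the sshd-style log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches constructed sshd-style failure lines with an ISO timestamp prefix.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_alarms(lines, threshold=3, window=timedelta(minutes=10)):
    """Alarm once per source that fails with >= threshold distinct logins
    inside a sliding time window. Lines are expected in time order."""
    recent = defaultdict(list)      # source -> [(timestamp, login), ...]
    alarmed = set()
    alarms = []
    for line in lines:
        match = FAILED.match(line)
        if not match:
            continue                # successes and unrelated lines are skipped
        ts = datetime.fromisoformat(match["ts"])
        src = match["src"]
        # Keep only the failures that are still inside the window.
        events = [(t, u) for t, u in recent[src] if ts - t <= window]
        events.append((ts, match["user"]))
        recent[src] = events
        logins = {u for _, u in events}
        if len(logins) >= threshold and src not in alarmed:
            alarmed.add(src)
            alarms.append({"source": src, "time": match["ts"],
                           "logins": sorted(logins)})
    return alarms


# Constructed sample log (documentation address ranges, hypothetical users).
SAMPLE_LOG = [
    "2024-05-01T09:00:00 bastion sshd[700]: Failed password for bob from 198.51.100.40 port 50001 ssh2",
    "2024-05-01T09:30:00 bastion sshd[701]: Failed password for carol from 198.51.100.40 port 50002 ssh2",
    "2024-05-01T10:00:01 bastion sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2",
    "2024-05-01T10:00:05 bastion sshd[812]: Failed password for alice from 198.51.100.23 port 41000 ssh2",
    "2024-05-01T10:00:09 bastion sshd[813]: Failed password for root from 203.0.113.9 port 40123 ssh2",
    "2024-05-01T10:00:12 bastion sshd[814]: Failed password for alice from 198.51.100.23 port 41001 ssh2",
    "2024-05-01T10:00:15 bastion sshd[815]: Failed password for invalid user oracle from 203.0.113.9 port 40124 ssh2",
    "2024-05-01T10:00:20 bastion sshd[816]: Failed password for alice from 198.51.100.23 port 41002 ssh2",
    "2024-05-01T10:00:31 bastion sshd[817]: Accepted password for alice from 198.51.100.23 port 41003 ssh2",
    "2024-05-01T10:05:00 bastion sshd[818]: Failed password for dave from 198.51.100.40 port 50003 ssh2",
]

if __name__ == "__main__":
    for alarm in find_alarms(SAMPLE_LOG):
        print("ALARM", alarm)
```

Counting distinct login names rather than raw failures keeps a user who mistypes one password three times from raising the alarm, and the window keeps slow, unrelated failures from the same address from adding up.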
A few bastion servers incorporate auditing programs, which check whether an attack has been launched against them. There are several ways of auditing. One can use a checksum program, which checks whether any unauthorized person has modified any software on the bastion server. The checksum is calculated based on the size of an executable program installed on the server. This program calculates the checksum to see if there are any modifications. Any change in the checksum is an indication of an attack.
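A checksum audit of installed programs, as an added example that is not part of the courseware. It swaps the size-based checksum described above for a SHA-256 content hash, because a patch that leaves the file size unchanged passes a size comparison; the file names and contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under root (relative path) to its size and SHA-256."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(path),
                             "sha256": sha256_file(path)}
    return baseline


def audit(root, baseline):
    """Compare the tree with the baseline: modified, missing and new files."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(baseline):
        now = current.get(rel)
        if now is None:
            findings.append((rel, "missing"))
        elif now["sha256"] != baseline[rel]["sha256"]:
            same = now["size"] == baseline[rel]["size"]
            findings.append((rel, "modified, same size" if same
                             else "modified, size changed"))
    for rel in sorted(set(current) - set(baseline)):
        findings.append((rel, "unexpected file"))
    return findings


def size_only_audit(root, baseline):
    """What a size comparison alone reports for files still present."""
    current = build_baseline(root)
    return sorted(rel for rel in baseline
                  if rel in current
                  and current[rel]["size"] != baseline[rel]["size"])


def write_file(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Baseline a constructed tree, tamper with it, and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"sbin/sshd": b"\x7fELF" + b"A" * 60,
                          "bin/login": b"\x7fELF" + b"B" * 60,
                          "bin/su": b"\x7fELF" + b"C" * 60}.items():
            write_file(root, rel, data)
        baseline = build_baseline(root)
        # Overwrite two bytes in place: content changes, size does not.
        with open(os.path.join(root, "bin", "login"), "r+b") as handle:
            handle.seek(10)
            handle.write(b"\x90\x90")
        os.remove(os.path.join(root, "bin", "su"))
        write_file(root, "bin/.helper", b"#!/bin/sh\n")
        return audit(root, baseline), size_only_audit(root, baseline)


if __name__ == "__main__":
    findings, size_hits = demo()
    print("hash audit:", findings)
    print("size-only audit:", size_hits)
```

Keep the baseline off the bastion host, for example on the dedicated log machine described earlier, so that someone who alters a program cannot also rewrite its recorded hash.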
Positioning the Bastion Host

There are several options for positioning a bastion host within the network configuration, namely:
- Physical Location: The bastion host is placed in a specially selected server room with suitable environmental controls (against extreme weather) and the required physical security devices. It must be set up in a locked server cabinet with proper ventilation, cooling, and backup power.
- Network Location: The host is placed on its own network, also known as the demilitarized zone, where no secret network traffic exists. It is recommended to avoid placing the bastion host on internal networks. The bastion host should be located on an additional layer known as a perimeter network, and a packet-filtering router should be attached to it.

Figure 7.33: Positioning the bastion host
Types of Bastion Hosts

In most configurations, the central bastion host is connected to certain internal hosts. For example, the bastion host may pass email to an internal mail server, harmonizing with an internal name server. These internal servers are secondary bastion hosts, and they must be organized and monitored more like bastion hosts than like internal hosts. A few services may be left enabled on these systems, but they must be configured in the same way as the bastion hosts are configured.
- Single-homed Bastion Host
  A single-homed bastion host is a firewall device with only one network interface. All the traffic, both incoming and outgoing, is routed through the bastion host. It tests data against security guidelines and acts accordingly.

  Figure 7.34: Single-homed bastion host

- Multi-homed Bastion Host
  A multi-homed bastion host is a firewall device with at least two network interfaces. This type of bastion host is capable of separating internal and external networks, thereby improving security.

  Figure 7.35: Multi-homed bastion host

- Internal Bastion Host
  Internal bastion hosts reside inside the internal network of an organization. They can be single-homed or multi-homed bastion hosts. The internal network devices communicate with the internal bastion host.

  Figure 7.36: Internal bastion host

- Non-routing Dual-homed Hosts
  A non-routing bastion host has a dual-homed host with multiple network connections that do not interact with each other. This type of host is completely a firewall, or it might be a component of a multi-faceted firewall.
  If the host is a firewall, one must be careful that the configuration and the bastion host's instructions are followed with care.

- Victim Machines
  Where there is a necessity to run services that are not secure, or certain new applications whose security flaws are not yet known, you can use a machine (a victim machine) to install them. Such machines allow any user to log in. There is no issue even if such machines are compromised. A victim machine is disposable in the sense that it is used only for the applications with security implications and for no other purpose. Victim machines are configured by a procedure similar to that of a typical bastion host, expecting that they will always have users logging in. It is wise to resist pressures such as the users' desire for more services and programs than the ones provided on the usual bastion system. It must also be ensured that users do not become comfortable with the victim machines, because the intended design may then no longer work. The important factor to consider is that a victim machine is not reusable.

- External Services Hosts
  Bastion hosts that provide exclusive services for the Internet have a unique concern: they are visible to everybody. This makes them vulnerable to attacks, and the increased vulnerability makes them prone to more successful attacks. If one of the internal services provided to the internal users is compromised, it is not obvious that the outsiders can assess the services. If one of the pages of the website is replaced, then everyone will become aware of the change and take note of it. These machines should have more security features, and they do not have minimum features to make it easier to secure.
  They require only minimum access privileges to the internal network.

- One-box Firewalls
  If the machine is constructed as a firewall, rather than as part of a firewall, then it is more prone to attacks. The entire site's security relies on this one machine. It is always necessary to guarantee that this machine is absolutely secure. A replica of the original system can be used to test the new configuration without risking the Internet connection.

Network Segmentation Example: Demilitarized Zone (DMZ)

A Demilitarized Zone (DMZ) is a small network that is placed between the organization's private network and an outside public network. It prevents an outsider from gaining direct access to the organization's server. For example, if an attacker uses a public network to access a DMZ host and penetrates it, then only the information on that host will be compromised. In this way, a DMZ acts as an additional security layer for networks and lowers the threat of intrusion in the internal network.
A DMZ consists of the following types of servers, which need to be accessible from outside the network:
- Web servers
- Email servers
- Domain name system (DNS) servers

DMZ configurations:
- Both internal and external networks can connect to a DMZ
- Hosts in the DMZ can connect to external networks
- Hosts in the DMZ cannot connect to internal networks

Figure 7.37: Depiction of a DMZ

Advantages of DMZ:
- Separation of DMZ from LAN enables high-level protection of LAN.
- It provides an increased control of resources.
- It uses multiple software- and hardware-based products of different platforms in order to provide an additional layer of protection.
- It provides a high level of flexibility for internet-based applications such as email, web services, etc.
Different Ways to Create a DMZ (Cont'd)

Dual Firewall DMZ

- This approach uses two firewalls to create a DMZ
- The first firewall allows only sanitized traffic to enter the DMZ, whereas the second firewall conducts a double check on it
- It is the most secure approach in implementing a DMZ

Different Ways to Create a DMZ

Two basic methods for designing a network with a DMZ are using a single firewall (three-legged model) and using dual firewalls. It is also possible to extend these configurations according to the network requirements.

- Single firewall DMZ: In this model, the network architecture containing the DMZ consists of three network interfaces. The first network interface connects the internet service provider (ISP) to the firewall, forming the external network, whereas the second interface forms the internal network. The third interface forms the DMZ. The firewall acts as a single point of failure and should be able to manage all the traffic to the DMZ.
Figure 7.38: Single firewall DMZ

- Dual firewall DMZ: The dual firewall approach uses two firewalls to create a DMZ. The first firewall allows only sanitized traffic to enter the DMZ, whereas the second firewall conducts a double check on it. The dual firewall approach is the most secure approach in implementing a DMZ and it also adds the most complexity.

Figure 7.39: Dual firewall DMZ

Any server that requires exposure to a public network can be placed in the DMZ. It is possible for security professionals to place servers such as web servers, DNS servers, e-mail servers, and file transfer protocol (FTP) servers in the DMZ and enable access for internal and external clients.

East-West and North-South Traffic

North-South Traffic

- North-south traffic is the network traffic between an outside client and a server inside a data center
- A request transmitted to a data center through a firewall for accessing an application server is south traffic, and the response transmitted out from the data center is north traffic

East-West Traffic

- East-west traffic is the network traffic between the servers inside a data center or the traffic between data centers
- Increased virtualization increases east-west traffic, gradually increases network latency, and impacts network performance
East-West and North-South Traffic (Cont'd)

[Figure: north-south and east-west traffic between the external network/Internet, client, spine switches, leaf switches, and servers]

Considerations for Securing East-West and North-South Traffic

- East-west traffic is larger than north-south traffic and has a larger attack surface
- Best security practices should be implemented for east-west traffic to monitor infiltrated malware and insider threats
- The micro-segmentation technique should be implemented in data centers to reduce attack surface areas
- The internal network [...] on the [...]
- Appropriate security policies should be defined for each network segment
- The software-defined networking (SDN) approach should be implemented to provide an additional layer of security for east-west traffic

East-West and North-South Traffic

East-West Traffic

East-west traffic is the network communication or network traffic between the servers inside a data center or the traffic between data centers. For instance, the server-server transfer of network packets inside the network boundaries of a data center is east-west traffic. Because the use of virtual machines has been increasing in the recent past, east-west traffic is increasing drastically, and organizations are migrating to private cloud infrastructure instead of physical hardware infrastructure. The increased virtualization increases east-west traffic and gradually increases network latency, negatively impacting network performance.
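The slide's advice to define a policy per network segment and to monitor east-west traffic can be applied to connection logs. The following is an added example, not part of the original courseware: the data-center range, segment names, allowlist, and connection records are all constructed, and each record is assumed to be a connection summary of the form (originator, responder, responder port).

```python
import ipaddress
from collections import Counter

# Constructed data-center addressing and segments (assumptions, not from the page).
DATA_CENTER = ipaddress.ip_network("10.20.0.0/16")
SEGMENTS = {"web": "10.20.1.0/24", "app": "10.20.2.0/24", "db": "10.20.3.0/24"}

# Per-segment policy: the only (source segment, destination segment, port) flows permitted.
ALLOWED_EAST_WEST = {("web", "app", 8080), ("app", "db", 5432)}

def segment_of(ip):
    """Return the segment name for an address, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def direction(orig, resp):
    """Classify a connection with the definitions given in the text."""
    inside = [ipaddress.ip_address(ip) in DATA_CENTER for ip in (orig, resp)]
    if all(inside):
        return "east-west"       # server to server inside the data center
    if any(inside):
        return "north-south"     # crosses the data-center boundary
    return "external"

def summarize(conns):
    """Count connections per direction."""
    return Counter(direction(o, r) for o, r, _ in conns)

def east_west_violations(conns):
    """East-west connections that no segment policy permits."""
    hits = []
    for orig, resp, port in conns:
        key = (segment_of(orig), segment_of(resp), port)
        if direction(orig, resp) == "east-west" and key not in ALLOWED_EAST_WEST:
            hits.append((orig, resp, port))
    return hits

# Constructed connection records: (originator, responder, responder port).
CONNS = [
    ("198.51.100.23", "10.20.1.10", 443),  # outside client -> web server
    ("10.20.1.10", "10.20.2.10", 8080),    # web -> app, permitted
    ("10.20.2.10", "10.20.3.10", 5432),    # app -> db, permitted
    ("10.20.1.10", "10.20.3.10", 5432),    # web -> db, skips the app tier
    ("10.20.1.10", "10.20.1.11", 22),      # web -> web inside one segment
    ("10.20.3.10", "10.20.9.9", 445),      # db -> host outside every segment
]
```

Connections inside a single segment are flagged as well, which is the point of micro-segmentation: a perimeter firewall never sees this traffic, so the policy has to be enforced and monitored between servers.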
North-South Traffic

North-south traffic is the network communication or network traffic between a server inside a data center and a client outside the boundary of the data center. North-south traffic is client-server traffic, where a request transmitted to a data center through a firewall for accessing an application server is south traffic and the response transmitted out from the data center is north traffic.

[Figure: north-south and east-west traffic between the external network/Internet, client, spine switches, leaf switches, and servers]

Zero Trust Networks

The Zero Trust model is a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network. It strictly follows the principle, "Trust no one and validate before providing a service or granting access permission." This does not mean that the company's employees would cause harm, but the network can be compromised or a person trying to use the network may not be trustworthy. This trust model prevents users/employees from accessing a network without being verified. It also allows companies to impose conditions, such as allowing employees to only access the appropriate resources required for their work role.

Representation of Zero Trust Network

As shown in the figure, the cloud control plane is a supporting system that coordinates and manages the data plane (every other component in the network).
The control plane permits network access requests only from legitimate and verified users or devices. Fine-grained policies are applied at this layer based on the role in the organization, time of day, and device type. To access more secured Internet resources, users need stronger authentication. Once the access request is approved by the control plane, the data plane is configured to accept traffic only from that particular client.

The idea behind implementing this model is to ensure a secure way of accessing resources, enforce strict access control, and monitor the network traffic flow. Zero Trust can be integrated with techniques such as encryption, multifactor authentication, and privileged access management (PAM). This trust network follows the micro-segmentation method to break the network zone into smaller pieces to provide separate access to certain parts of the network. If any perimeter breach is identified, the micro-segmentation prevents the network from further exploitation.

Figure 7.41: Zero Trust Network (Control Plane, Internet, Secure Gateway, Legacy Service, Remote Employee, Vendor Service, PCI Server, Load Balancer, App Server, Untrusted Client)
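The control-plane and data-plane split described above can be modelled in a few lines. The following is an added example, not part of the original courseware: the policy tables, field names, and classes are constructed for illustration, using only the policy inputs the text names (role, time of day, device type, and stronger authentication for more sensitive resources).

```python
from datetime import time

# Constructed policy tables (assumptions; the page names only the policy inputs).
ROLE_RESOURCES = {"developer": {"app-server"}, "finance": {"app-server", "pci-server"}}
WORK_HOURS = (time(8, 0), time(18, 0))
MANAGED_DEVICES = {"corporate-laptop"}
NEEDS_STRONG_AUTH = {"pci-server"}   # more sensitive resource -> stronger authentication

class DataPlane:
    """Default-deny gateway: forwards only flows the control plane has installed."""
    def __init__(self):
        self._allowed = set()
    def install(self, client_ip, resource):
        self._allowed.add((client_ip, resource))
    def accepts(self, client_ip, resource):
        return (client_ip, resource) in self._allowed

class ControlPlane:
    def __init__(self, data_plane):
        self.data_plane = data_plane
    def request_access(self, req):
        """Verify every request; on approval, open the data plane for that client only."""
        reason = self._deny_reason(req)
        if reason is None:
            self.data_plane.install(req["client_ip"], req["resource"])
            return True, "approved"
        return False, reason
    def _deny_reason(self, req):
        if not req["identity_verified"]:
            return "identity not verified"
        if req["resource"] not in ROLE_RESOURCES.get(req["role"], set()):
            return "role not entitled to resource"
        if not WORK_HOURS[0] <= req["at"] <= WORK_HOURS[1]:
            return "outside permitted hours"
        if req["device"] not in MANAGED_DEVICES:
            return "device type not permitted"
        if req["resource"] in NEEDS_STRONG_AUTH and not req["mfa"]:
            return "stronger authentication required"
        return None

def make_request(**overrides):
    """Constructed sample request; keyword arguments override individual fields."""
    base = {"client_ip": "203.0.113.10", "role": "finance", "resource": "pci-server",
            "identity_verified": True, "mfa": True, "device": "corporate-laptop",
            "at": time(10, 30)}
    return {**base, **overrides}
```

An approval installs exactly one (client, resource) pair, so the same client still cannot reach other resources and other clients cannot reach this one.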