# Module 6: Network Security Infrastructure
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::
### 6.1 Security Devices
---
#### **6.1.2 Firewalls**
A **firewall** is a system, or group of systems, that enforces an access control policy between networks.
**Properties of Firewalls**:
- **Resistant to attacks**: The firewall itself must be hardened; it is the device an attacker reaches first.
- **Only transit point**: All traffic between the networks passes through the firewall, so nothing can bypass the policy.
- **Access control**: Enforces the security policy for traffic between networks.
**Benefits**:
- Protect sensitive hosts and data.
- Sanitize protocol flaws to block malicious data.
- Simplify network security management.
**Limitations**:
- A misconfigured firewall can open holes or become a single point of failure.
- Data from many applications cannot be passed through a firewall securely.
- Unauthorized traffic can be tunneled inside, or disguised as, legitimate traffic.
- Can slow down network performance.
---
#### **6.1.3 Common Security Architectures**
1. **Private and Public Network**:
- **Private (trusted) → Public**: Traffic that originates inside is permitted (and inspected) on its way out, e.g. HTTP, SMTP; replies belonging to those sessions are allowed back in.
- **Public (untrusted) → Private**: Blocked unless explicitly allowed.

2. **Demilitarized Zone (DMZ)**:
- **Private → Public/DMZ**: Permitted with inspection.
- **DMZ → Private**: Blocked unless explicitly allowed.
- **Public → DMZ**: Selectively permitted for services (HTTP, DNS).

3. **Zone-Based Policy Firewalls (ZPF)**:
- Groups interfaces into **zones** (e.g., PRIVATE, DMZ, PUBLIC).
- Policies are attached to **zone pairs** and control traffic from one zone to another.
- Traffic within the same zone flows freely by default; traffic between zones is denied unless a zone-pair policy permits it.

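The DMZ rules and the zone-pair behaviour described above, as an added example that is not part of the course material: a small Python model of zone-based policy evaluation. Interface names (`g0/0`, `g0/1`, `g0/2`), zone names and the service list for PUBLIC → DMZ are assumptions chosen to mirror the three-zone design; the session table stands in for the stateful inspection that lets replies to permitted traffic come back.

```python
# Added example: zone-based policy evaluation for the Private/DMZ/Public design.
# Interface names, zone names and the service list are assumptions of this
# example, not configuration from the course.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Interface -> zone membership (assumed names).
ZONES: Dict[str, str] = {"g0/0": "PRIVATE", "g0/1": "DMZ", "g0/2": "PUBLIC"}


@dataclass
class ZonePair:
    source: str
    dest: str
    # Allowed (protocol, destination port) tuples; None means any service.
    services: Optional[Set[Tuple[str, int]]] = None
    # "inspect" admits return traffic of the session; "pass" is one-way only.
    inspect: bool = False


# Zone pairs mirroring the DMZ description. Pairs that are absent
# (DMZ->PRIVATE, PUBLIC->PRIVATE) fall under the inter-zone default deny.
ZONE_PAIRS: List[ZonePair] = [
    ZonePair("PRIVATE", "PUBLIC", services=None, inspect=True),
    ZonePair("PRIVATE", "DMZ", services=None, inspect=True),
    ZonePair("PUBLIC", "DMZ",
             services={("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)},
             inspect=True),
]


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ZoneFirewall:
    def __init__(self, zones: Dict[str, str], pairs: List[ZonePair]) -> None:
        self.zones = zones
        self.pairs = pairs
        # Flows admitted by an "inspect" policy: (proto, src, sport, dst, dport).
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is "pass", "inspect" or "drop"."""
        src_zone = self.zones.get(pkt.in_if)
        dst_zone = self.zones.get(pkt.out_if)
        if src_zone is None or dst_zone is None:
            # Simplification for this example: an unzoned interface gets no policy.
            return ("drop", "interface not assigned to a zone")
        if src_zone == dst_zone:
            return ("pass", "intra-zone traffic is allowed by default")
        # Reply to a session that was admitted with inspection?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return ("pass", "return traffic of an inspected session")
        for zp in self.pairs:
            if zp.source != src_zone or zp.dest != dst_zone:
                continue
            if zp.services is not None and (pkt.proto, pkt.dport) not in zp.services:
                return ("drop", f"{src_zone}->{dst_zone}: service not permitted")
            if zp.inspect:
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return ("inspect", f"{src_zone}->{dst_zone}: permitted and inspected")
            return ("pass", f"{src_zone}->{dst_zone}: permitted")
        return ("drop", f"{src_zone}->{dst_zone}: no zone-pair, inter-zone default deny")


if __name__ == "__main__":
    fw = ZoneFirewall(ZONES, ZONE_PAIRS)
    out = Packet("g0/0", "g0/2", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443)
    print(fw.evaluate(out))                                                    # inspect
    back = Packet("g0/2", "g0/0", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000)
    print(fw.evaluate(back))                                                   # pass (reply)
    print(fw.evaluate(Packet("g0/1", "g0/0", "tcp", "192.0.2.10", 40000, "10.0.0.5", 445)))  # drop
```

The important behaviour to notice is the asymmetry: a web server in the DMZ can answer a public client because that session was admitted with inspection, but the same server cannot open a new connection into PRIVATE, which is exactly what limits the damage when a DMZ host is compromised.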
---
#### **6.1.4 Types of Firewalls**
| **Type** | **Description** |
|-------------------------------|---------------------------------------------------------------------------------------------------|
| **Packet Filtering** | Stateless; filters traffic at Layer 3/4 based on IP and port. |
| **Stateful Firewall** | Maintains state of connections; operates at Layers 3-5. |
| **Application Gateway** | Proxy-based; filters at Layers 3, 4, 5, and 7. |
| **Next-Generation Firewall** | Includes intrusion prevention, application control, and advanced threat detection capabilities. |
| **Host-based Firewall** | Installed on devices; protects local traffic. |
| **Transparent Firewall** | Filters IP traffic between bridged interfaces. |
| **Hybrid Firewall** | Combines features of different firewalls (e.g., stateful + application inspection). |
:::danger
**Check Your Understanding - Identify the Type of Firewall** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/12-2-4-check-your-understanding-identify-the-type-of-firewall-answers.html).
:::
---
#### **6.1.6 IDS and IPS Characteristics**
- **IDS (Intrusion Detection System)**: Works out of band ("offline", promiscuous mode) on a copy of the traffic. It detects, logs and alerts, but the packet that triggered the alert has already been delivered.
- **IPS (Intrusion Prevention System)**: Sits inline in the traffic path, so it can drop the trigger packet and subsequent traffic from the offending source in real time.
**Key Characteristics**
| **Feature** | **IDS** | **IPS** |
|--------------------------|-------------------------------------------|-------------------------------------------|
| **Traffic Impact** | No impact on latency or performance. | Can introduce latency or jitter. |
| **Reaction** | Detects and alerts but cannot block. | Actively blocks malicious packets. |
| **Placement** | Deployed offline. | Deployed inline. |
| **Evasion Techniques** | More vulnerable to evasion techniques. | Uses stream normalization to counter evasion. |

**Deployment Recommendations**
- Use **IDS** for threat analysis and **IPS** for real-time protection.
- Place **IDS** sensors offline for deeper inspection; deploy **IPS** inline at critical traffic points.
- Combine both systems for robust security: IDS validates IPS operations while IPS blocks immediate threats.
---
#### **6.1.7 IDS vs IPS**
| **Solution** | **Advantages** | **Disadvantages** |
|--------------|----------------|-------------------|
| **IDS** | No network impact (no added latency or jitter); a sensor that fails or is overloaded does not affect traffic. | Cannot stop the trigger packet; requires tuning to reduce false positives; more vulnerable to evasion techniques. |
| **IPS** | Can drop the trigger packet and block the offending source; uses **stream normalization** to defeat evasion. | Adds latency/jitter; a failed or overloaded sensor can disrupt traffic; must be sized to keep up with network throughput. |
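What "vulnerable to evasion" and "stream normalization" mean in practice, as an added example that is not from the course: a content signature split across TCP segments defeats per-packet matching, while reassembling the stream by sequence number (the first step of normalization) restores the match. The signature, sequence numbers and segments are constructed for the demonstration.

```python
# Added example: per-packet matching vs. stream reassembly.
# Signature, sequence numbers and segments are constructed for the demonstration.
from dataclasses import dataclass
from typing import List

SIGNATURE = b"/etc/passwd"  # constructed content signature


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def match_per_packet(segments: List[Segment]) -> bool:
    """Stateless inspection: each segment is examined on its own."""
    return any(SIGNATURE in s.payload for s in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by sequence number and stitch the byte stream.

    Overlapping bytes (retransmissions) are resolved "first copy wins"; a
    real normalizer must resolve overlaps the way the destination host does,
    otherwise the attacker can feed the sensor different bytes than the target.
    A hole in the sequence space is reported rather than silently skipped.
    """
    stream = bytearray()
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = seg.seq
        if seg.seq > next_seq:
            raise ValueError(f"gap in stream at seq {next_seq}")
        already_seen = next_seq - seg.seq
        chunk = seg.payload[already_seen:]
        stream += chunk
        next_seq += len(chunk)
    return bytes(stream)


def match_stream(segments: List[Segment]) -> bool:
    """Inspection after reassembly: the signature is matched against the stream."""
    return SIGNATURE in reassemble(segments)


# Constructed evasion: the request is split in the middle of the signature,
# delivered out of order, and part of it is retransmitted.
EVASIVE: List[Segment] = [
    Segment(1009, b"passwd HTTP/1.0\r\n\r\n"),
    Segment(1005, b"etc/pass"),          # overlaps both neighbours
    Segment(1000, b"GET /etc/"),
]

if __name__ == "__main__":
    print("per-packet match:", match_per_packet(EVASIVE))  # False
    print("stream match:    ", match_stream(EVASIVE))      # True
    print(reassemble(EVASIVE))
```

An IDS that only sees copies can still reassemble, but because it is out of band it cannot hold back a segment until the hole is filled; an inline IPS can, which is why normalization is listed as an IPS advantage.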
---
#### **6.1.8 Types of IPS**
1. **Host-Based IPS (HIPS)**:
- Software installed on each individual host; monitors that host's traffic and activity.
- Detects abnormal activity (e.g., registry changes, buffer overflows).
- **Advantages**: Tailored to the host's OS and applications; sees data after it has been decrypted on the host, so encrypted sessions can still be inspected.
- **Disadvantages**: OS-dependent; must be installed and maintained on every host; has no view of what is happening elsewhere on the network.
2. **Network-Based IPS**:
- Sensor deployed inline at critical points (e.g., the network perimeter) to monitor traffic in real time.
- Detects unauthorized activity and blocks malicious traffic before it reaches the hosts.
- **Advantages**: One sensor covers many hosts and gives network-wide visibility.
- **Disadvantages**: Cannot inspect encrypted payloads unless the traffic is decrypted for it; cannot see host-level events; requires correct placement, sizing and ongoing tuning.

---
#### **6.1.9 Specialized Security Appliances**
1. **Cisco Advanced Malware Protection (AMP)**:
- **Before**: Strengthens defenses against known/emerging threats.
- **During**: Blocks exploit attempts and malicious files.
- **After**: Monitors for malicious behavior and alerts if detected.
2. **Cisco Web Security Appliance (WSA)**:
- Secures web traffic by blocking risky or unknown sites.
- Centralized reporting and controls for malware protection.
- **Note**: Use **Cisco Cloud Web Security (CWS)** for users and devices outside the corporate network (remote and mobile users).
3. **Cisco Email Security Appliance (ESA)**:
- Blocks spam, malware, and phishing emails.
- Provides advanced malware protection (AMP) and outbound message control.
:::danger
**Check Your Understanding - Compare IDS and IPS Characteristics** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/question/select-the-corresponding-delivery-method-for-each-characteristic).
:::
>[!Warning]Recap
>There are several different types of firewalls. Packet filtering (stateless) firewalls provide Layer 3 and sometimes Layer 4 filtering. Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic. A stateful inspection firewall allows or blocks traffic based on state, port, and protocol. Application gateway firewalls (proxy firewalls) filter information at Layers 3, 4, 5, and 7. Next-generation firewalls provide additional services beyond application gateways such as integrated intrusion prevention, application awareness and control to see and block risky apps, an upgrade path to future information feeds, and techniques to address evolving security threats. Intrusion prevention systems (IPS) and intrusion detection systems (IDS) are used to detect potential security risks and alert on or stop unsafe traffic. IDS/IPS can be implemented as host-based or network-based, with specific advantages and disadvantages to each implementation. Specialized security appliances are available including Cisco Advanced Malware Protection (AMP), Cisco Web Security Appliance (WSA), and Cisco Email Security Appliance (ESA). These security appliances utilize the services of the Cisco Talos Security Intelligence and Research Group. Talos detects and correlates threats in real time using the largest threat-detection network in the world.
### 6.2 Security Services
---
#### **6.2.2 Traffic Control with ACLs**
- **Purpose**: ACLs control traffic by permitting or denying packets based on packet header information.
- **Key Uses**:
- Limit traffic to enhance network performance (e.g., block video traffic).
- Control routing updates to ensure legitimate sources.
- Restrict network access (e.g., HR access restricted to authorized users).
- Filter traffic by type (e.g., permit email, block Telnet).
- Screen hosts for network service access.

- **Types**:
- **Standard ACLs**: Filter on the source IPv4 address only.
- **Extended ACLs**: Filter on source and destination address, protocol type, and source/destination ports.
- **Features**:
- Can log packets that match a permit or deny entry.
- The `established` keyword permits TCP packets only when the ACK or RST flag is set, i.e. replies to sessions initiated from the inside. This is a flag check, not a session table: a forged packet with ACK set also passes, which is the gap a stateful firewall closes.
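The ACL evaluation described above, as an added example that is not course configuration: a Python model of IOS-style standard and extended ACLs with wildcard masks, first-match semantics, the implicit deny at the end, logging, and the `established` keyword. The ACL entries, addresses and packets are constructed; the inbound ACL assumes an Internet-facing interface with a mail server at 192.0.2.10 and the inside network in 10.0.0.0/8.

```python
# Added example: first-match evaluation of IOS-style standard and extended ACLs.
# The ACLs, addresses and packets below are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access control entry. A standard ACL uses only action/src/src_wc."""
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                 # "ip" matches any protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # default: any destination
    dport: Optional[int] = None       # "eq <port>"
    established: bool = False         # TCP only: ACK or RST must be set
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet,
             log_sink: Optional[List[str]] = None) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching ACE); None means the implicit deny."""
    for seq, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            if ace.log and log_sink is not None:
                log_sink.append(f"ACE {seq * 10} {ace.action} {pkt.proto} "
                                f"{pkt.src} -> {pkt.dst}({pkt.dport})")
            return (ace.action, seq * 10)
    return ("deny", None)   # every ACL ends with an implicit "deny any"


ANY = ("0.0.0.0", "255.255.255.255")

# Standard ACL: source address only (constructed).
STANDARD_ACL = [Ace("permit", "10.1.1.0", "0.0.0.255")]

# Extended ACL for the Internet-facing interface, inbound (constructed):
# permit mail to the mail server, allow replies to sessions started inside,
# block and log Telnet, then rely on the implicit deny.
INBOUND_ACL = [
    Ace("permit", *ANY, proto="tcp", dst="192.0.2.10", dst_wc="0.0.0.0", dport=25),
    Ace("permit", *ANY, proto="tcp", dst="10.0.0.0", dst_wc="0.255.255.255", established=True),
    Ace("deny", *ANY, proto="tcp", dst="10.0.0.0", dst_wc="0.255.255.255", dport=23, log=True),
]

if __name__ == "__main__":
    logs: List[str] = []
    print(evaluate(INBOUND_ACL, Packet("198.51.100.9", "192.0.2.10", "tcp", 25, frozenset({"SYN"}))))
    print(evaluate(INBOUND_ACL, Packet("198.51.100.9", "10.0.0.5", "tcp", 23, frozenset({"SYN"})), logs))
    print(evaluate(INBOUND_ACL, Packet("203.0.113.4", "10.0.0.5", "tcp", 51000, frozenset({"ACK"}))))
    print(logs)
```

Order matters: if the Telnet deny were placed after a broad permit it would never be reached, and a packet with ACK set to any inside port is permitted by the `established` entry whether or not a session exists.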
---
#### **6.2.5 SNMP (Simple Network Management Protocol)**
- **Purpose**: Manage and monitor devices such as routers, switches, and firewalls.
- **Components**:
- **SNMP Manager**: Collects and modifies data from SNMP agents.
- **SNMP Agents**: Store device data in the Management Information Base (MIB).
- **Operations**:
- **Get**: Manager retrieves data from an agent.
- **Set**: Manager modifies agent configuration.
- **Traps**: Unsolicited notifications sent by agents to the manager.
- **Use Case**: Detect network issues, optimize performance, and plan for growth.
- **Caveat**: SNMPv1/v2c authenticate with community strings sent in cleartext, and `Set` can change device configuration; restrict which hosts may reach the agent and prefer SNMPv3 with authentication and encryption.

---
#### **6.2.6 NetFlow**
- **Purpose**: Provide statistics on IP packets flowing through a network.
- **Applications**:
- Security monitoring.
- Traffic analysis and bottleneck identification.
- IP accounting for billing.
- **Core Fields** (the flow key):
- Source/destination IP address and port.
- Layer 3 protocol type (e.g., TCP, UDP).
- Type of Service (ToS) marking and input interface.

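The security-monitoring and traffic-analysis uses of NetFlow above, as an added example that is not from the course: a few constructed flow records with the core fields, a detector for a source whose one-packet flows touch many ports (a scan pattern), and a top-talkers summary for bottleneck and accounting questions. The "probe" heuristic (flows of at most two packets) and all addresses are assumptions of this example.

```python
# Added example: security monitoring and traffic analysis over NetFlow-style
# records. The records are constructed; the "probe" heuristic (flows of at
# most two packets) is an assumption of this example.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int        # Layer 3 protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    tos: int          # Type of Service marking
    in_if: int        # input interface index
    packets: int
    octets: int


def sample_flows() -> List[Flow]:
    """Constructed records: one external host probing 20 ports on a server,
    plus three normal HTTPS sessions from an inside client and the replies."""
    flows: List[Flow] = []
    for port in range(1, 21):
        flows.append(Flow("203.0.113.5", "10.0.0.9", 6, 40000 + port, port, 0, 1, 1, 60))
    for i in range(3):
        flows.append(Flow("10.0.0.5", "10.0.0.9", 6, 51000 + i, 443, 0, 2, 400, 320_000))
        flows.append(Flow("10.0.0.9", "10.0.0.5", 6, 443, 51000 + i, 0, 3, 600, 1_600_000))
    return flows


def detect_scanners(flows: List[Flow], min_targets: int = 10,
                    max_packets: int = 2) -> Dict[str, int]:
    """Sources whose short flows (probes) reach many distinct (host, port) targets."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes sent per source, highest first (bottleneck / accounting view)."""
    octets: Dict[str, int] = defaultdict(int)
    for f in flows:
        octets[f.src] += f.octets
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = sample_flows()
    print("scan candidates:", detect_scanners(flows))   # {'203.0.113.5': 20}
    print("top talkers:", top_talkers(flows))
```

Note what the flow data cannot tell you: the scanner sends 1,200 bytes in total and never shows up in a bandwidth view, while the busiest talker is a legitimate server. The two questions need different aggregations of the same records.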
---
#### **6.2.7 Port Mirroring**
- **Purpose**: Duplicate frames from one or more switch ports (or VLANs) to a monitoring port.
- **Use Case**: Feed a packet analyzer or an IDS sensor, which on a switched network would otherwise only see traffic addressed to its own port.
- **Example**: Monitor communication between two devices without interrupting the original traffic flow.
- **Caveat**: The mirror port carries copies only, so a device attached to it can detect but not block, and it can drop frames when the mirrored traffic exceeds its bandwidth (both directions of a full-duplex link feeding one port).

---
#### **6.2.8 Syslog**
- **Purpose**: Provide system messages for network monitoring and troubleshooting.
- **Features**:
- Logs system events to a central **Syslog Server**.
- Configurable for message type and destination.
- **Benefits**:
- Centralized monitoring.
- Simplifies troubleshooting and performance analysis.

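Parsing what a syslog server actually receives, as an added example that is not from the course: the `<PRI>` field encodes facility and severity (PRI = facility × 8 + severity), and Cisco IOS messages carry the severity again in the `%FACILITY-SEVERITY-MNEMONIC:` prefix, which gives a cheap consistency check. The sample lines are constructed; the hostname `R1`, the ACL name and the addresses are assumptions.

```python
# Added example: parse syslog lines of the kind a Cisco device sends to a
# syslog server and filter them by severity. The lines are constructed.
import re
from typing import Dict, List, Optional

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# <PRI>timestamp host message   (PRI = facility * 8 + severity)
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                   r"(?P<host>\S+) (?P<msg>.*)$")
# Cisco IOS message prefix: %FACILITY-SEVERITY-MNEMONIC:
_CISCO = re.compile(r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$")


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return a record for a well-formed line, None otherwise."""
    m = _LINE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    rec: Dict[str, object] = {
        "facility": facility,              # 23 = local7, the IOS default
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }
    c = _CISCO.match(m.group("msg"))
    if c:
        rec["mnemonic"] = f"{c.group('fac')}-{c.group('sev')}-{c.group('mnemonic')}"
        rec["text"] = c.group("text")
        # The severity digit in the mnemonic should agree with the PRI value.
        rec["severity_consistent"] = int(c.group("sev")) == severity
    return rec


def filter_by_severity(lines: List[str], max_severity: int) -> List[Dict[str, object]]:
    """Keep messages at the given level or more severe (lower number = more severe)."""
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["severity"] <= max_severity:
            out.append(rec)
    return out


# Constructed sample from facility local7 (23): PRI = 23 * 8 + severity.
SAMPLE_LINES = [
    "<189>Mar  3 10:15:02 R1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>Mar  3 10:15:40 R1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>Mar  3 10:16:01 R1 %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 198.51.100.9(40123) -> 10.0.0.5(23), 1 packet",
    "this line is not syslog",
]

if __name__ == "__main__":
    for rec in filter_by_severity(SAMPLE_LINES, 6):
        print(rec["timestamp"], rec["host"], rec["severity_name"], rec.get("mnemonic"), rec.get("text"))
```

Two practical points follow from the format: the `<PRI>` value is what a collector uses to route or alert on messages, and the timestamp is only as good as the sending device's clock, which is why NTP (next section) belongs in the same design.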
---
#### **6.2.9 NTP (Network Time Protocol)**
- **Purpose**: Synchronize time across network devices.
- **Structure** (stratum levels):
- **Stratum 0**: Authoritative reference clocks (e.g., atomic clocks, GPS).
- **Stratum 1**: Servers directly connected to a Stratum 0 source.
- **Stratum 2 and below**: Synchronize with a server one stratum above (lower number); the stratum number grows with each hop from the reference clock.
- **Importance**: Consistent timestamps are what make logs from different devices correlatable during an investigation. Use authenticated NTP sources so that an attacker cannot skew the clocks and with them the audit trail.

---
#### **6.2.10 AAA Servers**
- **Functions**:
- **Authentication**: Verifies user identity.
- **Authorization**: Determines resource access and permissions.
- **Accounting**: Tracks user activity.
- **Protocols**:
- **TACACS+**:
- Encrypts the entire packet body (only the header is in cleartext).
- Uses TCP for reliable transport.
- Separates authentication from authorization, which allows per-command authorization for device administration.
- **RADIUS**:
- Hides only the user password; all other attributes, including the username, travel in cleartext.
- Uses UDP, with less overhead.
- Combines authentication and authorization in one exchange; extensive accounting capabilities.
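What "RADIUS encrypts only the password" means on the wire, as an added example that is not from the course: the User-Password attribute is hidden with the MD5 chaining defined in RFC 2865 section 5.2, keyed by the shared secret and the per-request authenticator, while the rest of the Access-Request, including User-Name, is readable. The shared secret, authenticator, username and password below are constructed test values.

```python
# Added example: how RADIUS hides User-Password (RFC 2865 section 5.2) and why
# everything else in the packet stays readable. Secret, authenticator and
# credentials below are constructed test values.
import hashlib
import os
import struct
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with MD5(secret + previous
    block), seeding the chain with the 16-byte Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped (passwords with a
    trailing NUL are therefore not representable, as in the RFC)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Minimal Access-Request (Code 1) with User-Name (type 1) and User-Password (type 2).
    Attributes are Type, Length (including the 2-byte header), Value."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable per request
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))   # Code, Identifier, Length
    return header + authenticator + attrs


if __name__ == "__main__":
    secret, ra = b"s3cret", bytes(range(16))
    pkt = build_access_request(7, b"alice", b"hunter2", secret, ra)
    print(pkt.hex())
    print("username visible:", b"alice" in pkt)       # True
    print("password visible:", b"hunter2" in pkt)     # False
```

The hiding is MD5-based obfuscation rather than authenticated encryption, and its only secret is the shared secret, so a weak secret or a captured packet stream exposes the password offline. In practice that argues for strong per-client secrets and for carrying RADIUS over TLS or IPsec when it crosses anything but a dedicated management network.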
---
#### **6.2.11 VPN**
- **Purpose**: Securely connect remote sites or users over a public network such as the Internet.
- **Key Features**:
- **Encryption**: Ensures data confidentiality.
- **Protocols**: GRE, MPLS, IPsec. GRE and MPLS only tunnel or separate traffic; they do not encrypt it.
- **Topologies**:
- **Site-to-Site**: Connects offices securely.
- **Remote Access**: Provides secure access for traveling users.
- **IPsec**: Offers authentication, integrity, and encryption; use it (alone, or to protect a GRE tunnel) whenever the traffic crosses an untrusted network.

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/12-3-12-check-your-understanding-identify-the-network-security-device-or-service-answers.html).
:::
>[!Warning]Recap
>Network security services include the following technologies. ACLs are a series of statements that control whether a device forwards or drops packets based on information found in the packet header. NTP synchronizes the system time across all devices on the network to ensure accurate and consistent timestamping of system messages. Syslog servers compile and provide access to the system messages generated by networking devices. SNMP enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth. NetFlow provides statistics on packets that are flowing through a Cisco router or multilayer switch. Port mirroring is a feature that allows a switch to make duplicate copies of traffic that is passing through the switch, and then send it out a port that has a network monitor attached. AAA is a framework for configuring user authentication, authorization, and accounting services. AAA typically uses a TACACS+ or RADIUS server for this purpose. VPNs are private networks that are created between two endpoints across a public network.