CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] (text version)


  • Foundation Summary


    The "Foundation Summary" section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each "Foundation Summary" section before taking the exam.

    Within the SAFE SMR model, the medium-sized network design consists of three modules:

    • Corporate Internet module

    • Campus module

    • WAN module


    The Corporate Internet module consists of the key devices outlined in Table 15-9.

    Table 15-9. Corporate Internet Module Devices

    | Device | Description |
    | --- | --- |
    | Dial-in server | Terminates analog connections and authenticates individual remote users |
    | DNS server | Serves as the authoritative external DNS server and relays internal requests to the Internet |
    | Edge router | Provides basic filtering and Layer 3 connectivity to the Internet |
    | File/web server | Provides public information about the organization |
    | Firewall | Provides network-level protection of resources, stateful filtering of traffic, granular security of remote users, and VPN connectivity for remote sites |
    | Layer 2 switch | Provides Layer 2 connectivity for devices and can also provide private VLAN support |
    | Mail server | Acts as a relay between the Internet and the intranet mail servers and provides content security of mail |
    | NIDS appliance | Provides Layer 4-to-Layer 7 monitoring of key network segments in the module |
    | VPN concentrator | Authenticates individual remote users and terminates their IPSec tunnels |

    The most likely point of attack within the Corporate Internet module is on the public services segment. Positioned on this segment are the publicly addressed servers. The anticipated threats against publicly addressed servers and the mitigation actions to counter them are described in Table 15-10.

    Table 15-10. Threats Against Corporate Internet Module Public Services and Threat Mitigation

    | Threat | Threat Mitigation |
    | --- | --- |
    | Application layer attacks | Mitigated by using host-based IPSs and NIDSs |
    | Denial of service | Mitigated by using CAR at the ISP edge and TCP setup controls at the firewall to limit exposure |
    | IP spoofing | Mitigated by using RFC 2827 and RFC 1918 filtering at the ISP edge and the edge router of the medium-sized network |
    | Network reconnaissance | Mitigated by using IDS; protocols filtered to limit effectiveness |
    | Packet sniffers | Mitigated by using a switched infrastructure and host-based IPS to limit exposure |
    | Password attacks | Mitigated by limiting the services that are available to brute force; operating system and IDS can detect the threat |
    | Port redirection | Mitigated by using restrictive filtering and host-based IPS to limit attack |
    | Trust exploitation | Mitigated by using a restrictive trust model and private VLANs to limit trust-based attacks |
    | Unauthorized access | Mitigated by using filtering at the ISP, edge router, and corporate firewall |
    | Virus and Trojan-horse attacks | Mitigated by using host-based IPS, virus scanning at the host level, and content filtering on e-mail |

    The VPN services that are found within the Corporate Internet module of the medium-sized network design are also vulnerable to attack. The expected threats and the mitigation actions for these services are outlined in Table 15-11.

    Table 15-11. Threats Against VPN Services of a Corporate Internet Module and Threat Mitigation

    | Threat | Threat Mitigation |
    | --- | --- |
    | Man-in-the-middle attacks | Mitigated by encrypting remote traffic |
    | Network topology discovery | Mitigated by using ACLs on the ingress router to limit access to the VPN concentrator and firewall (if terminating VPN traffic) to IKE and ESP from the Internet |
    | Packet sniffers | Mitigated by using a switched infrastructure to limit exposure |
    | Password attacks | Mitigated by using OTPs |
    | Unauthorized access | Mitigated by using firewall filtering and by preventing traffic on unauthorized ports |

    Table 15-12 describes the filter parameters that can be applied on the ISP and edge routers to restrict perimeter traffic flow and the corresponding threat mitigation.

    Table 15-12. Perimeter Traffic Flow Filtering

    | Filter Location | Flow | Filter Description | Mitigation |
    | --- | --- | --- | --- |
    | ISP router | Egress | The ISP rate-limits nonessential traffic that exceeds a predefined threshold | DDoS |
    | ISP router | Egress | RFC 1918 and RFC 2827 filtering | IP spoofing |
    | Edge router | Ingress | Coarse IP filtering for expected traffic | General attacks |
    | Edge router | Ingress | RFC 1918 and RFC 2827 filtering | IP spoofing (verifies ISP filtering) |
    | Edge router | Ingress | VPN- and firewall-specific traffic | Unauthorized access |
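
The three edge-router ingress filters in Table 15-12 can be modeled as one ordered decision, shown here as an added example that is not from the book. The addresses are documentation ranges chosen for illustration, the service list and the name `edge_ingress` are assumptions, and RFC 2827 filtering is interpreted as dropping Internet-side packets whose source claims the site's own prefix.

```python
import ipaddress

# Assumed addressing (documentation ranges, not from the book).
SITE_PREFIX = ipaddress.ip_network("198.51.100.0/24")    # site's public block
VPN_DEVICES = {ipaddress.ip_address("198.51.100.5"),     # VPN concentrator
               ipaddress.ip_address("198.51.100.6")}     # firewall terminating VPN
EXPECTED = {("198.51.100.10", "tcp", 80),    # file/web server
            ("198.51.100.11", "tcp", 25),    # mail relay
            ("198.51.100.12", "udp", 53)}    # external DNS
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def edge_ingress(src, dst, proto, dport=None):
    """Return (action, reason) for a packet arriving on the ISP-facing interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing first: these sources can never be legitimate from the Internet.
    if any(s in net for net in RFC1918):
        return ("deny", "RFC 1918 source")
    if s in SITE_PREFIX:
        return ("deny", "RFC 2827: site prefix used as outside source")
    # VPN- and firewall-specific traffic: only IKE (UDP/500) and ESP.
    if d in VPN_DEVICES:
        if proto == "esp" or (proto == "udp" and dport == 500):
            return ("permit", "IKE/ESP to VPN device")
        return ("deny", "VPN device accepts only IKE and ESP")
    # Coarse filtering: only traffic the public services segment expects.
    if (dst, proto, dport) in EXPECTED:
        return ("permit", "expected public service")
    return ("deny", "not expected traffic")


# Constructed sample packets: (src, dst, proto, dport)
SAMPLES = [
    ("10.1.2.3", "198.51.100.10", "tcp", 80),
    ("198.51.100.77", "198.51.100.10", "tcp", 80),
    ("203.0.113.9", "198.51.100.5", "udp", 500),
    ("203.0.113.9", "198.51.100.5", "tcp", 23),
    ("203.0.113.9", "198.51.100.10", "tcp", 80),
    ("203.0.113.9", "198.51.100.10", "tcp", 22),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", edge_ingress(*pkt))
```
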

    The key devices that make up the Campus module are described in Table 15-13.

    Table 15-13. Campus Module Devices

    | Device | Description |
    | --- | --- |
    | ACS | Provides authentication services to the network devices |
    | Corporate servers | Provide services to internal users such as e-mail, file, and printing services |
    | Layer 2 switch | Provides Layer 2 connectivity and supports private VLANs |
    | Layer 3 switch | Routes and switches production and management traffic within the Campus module, provides distribution layer services to the building switches, and supports advanced services such as traffic filtering |
    | NIDS appliance | Provides Layer 4-to-Layer 7 monitoring of key network segments in the module |
    | NIDS host | Provides alarm aggregation for all NIDS devices in the network |
    | OTP server | Authenticates OTP information that is relayed from the ACS |
    | SNMP Management Host | Provides SNMP management for devices |
    | Syslog host(s) | Aggregates log information for firewall and NIDS hosts |
    | System admin host | Provides configuration, software, and content changes on devices |
    | User workstations | Provide data services to authorized users on the network |

    Within the medium-sized network Campus module, the expected threats and the mitigation actions to counter them are outlined in Table 15-14.

    Table 15-14. Threats Against a Campus Module and Threat Mitigation

    | Threat | Threat Mitigation |
    | --- | --- |
    | Application layer attacks | Mitigated by keeping operating systems, devices, and applications up to date with the latest security fixes and protected by host-based IPS |
    | IP spoofing | Mitigated by using RFC 2827 filtering to prevent source-address spoofing |
    | Packet sniffers | Mitigated by using a switched infrastructure to limit the effectiveness of sniffing |
    | Password attacks | Mitigated by using an ACS to enforce strong two-factor authentication for key applications |
    | Port redirection | Mitigated by using host-based IPSs to prevent port redirection agents from being installed |
    | Trust exploitation | Mitigated by using private VLANs to prevent hosts on the same subnet from communicating unless necessary |
    | Unauthorized access | Mitigated by using host-based IPS and application access control |
    | Virus and Trojan-horse applications | Mitigated by using host-based virus scanning |

    The Cisco IOS Firewall router in the WAN module provides routing, access-control, and QoS mechanisms to remote locations.

    Within the WAN module, the expected threats and the mitigation actions to counter them are outlined in Table 15-15.

    Table 15-15. WAN Module Threats and Threat Mitigation

    | Threat | Threat Mitigation |
    | --- | --- |
    | IP spoofing | Mitigated by using Layer 3 filtering on the router |
    | Unauthorized access | Mitigated by using simple access control on the router, which can limit the types of protocols to which branches have access |

