The "Foundation Summary" section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each "Foundation Summary" section before taking the exam.
Within the SAFE SMR model, the medium-sized network design consists of three modules:
Corporate Internet module
Campus module
WAN module
The Corporate Internet module consists of the key devices outlined in Table 15-9.
Device | Description |
---|---|
Dial-in server | Terminates analog connections and authenticates individual remote users |
DNS server | Serves as the authoritative external DNS server and relays internal requests to the Internet |
Edge router | Provides basic filtering and Layer 3 connectivity to the Internet |
File/web server | Provides public information about the organization |
Firewall | Provides network-level protection of resources, stateful filtering of traffic, granular security of remote users, and VPN connectivity for remote sites |
Layer 2 switch | Provides Layer 2 connectivity for devices and can also provide private VLAN support |
Mail server | Acts as a relay between the Internet and the intranet mail servers and provides content security of mail |
NIDS appliance | Provides Layer 4-to-Layer 7 monitoring of key network segments in the module |
VPN concentrator | Authenticates individual remote users and terminates their IPSec tunnels |
The most likely point of attack within the Corporate Internet module is on the public services segment. Positioned on this segment are the publicly addressed servers. The anticipated threats against publicly addressed servers and the mitigation actions to counter them are described in Table 15-10.
Threat | Threat Mitigation |
---|---|
Application layer attacks | Mitigated by using host-based IPSs and NIDSs |
Denial of service | Mitigated by using committed access rate (CAR) at the ISP edge and TCP setup controls at the firewall to limit exposure |
IP spoofing | Mitigated by using RFC 2827 and RFC 1918 filtering at ISP edge and edge router of the medium-sized network |
Network reconnaissance | Detected by IDS; protocols are filtered to limit the effectiveness of reconnaissance |
Packet sniffers | Mitigated by using a switched infrastructure and host-based IPS to limit exposure |
Password attacks | Mitigated by limiting the services that are available to brute force; operating system and IDS can detect the threat |
Port redirection | Mitigated by using restrictive filtering and host-based IPS to limit attack |
Trust exploitation | Mitigated by using a restrictive trust model and private VLANs to limit trust-based attacks |
Unauthorized access | Mitigated by using filtering at the ISP, edge router, and corporate firewall |
Virus and Trojan-horse attacks | Mitigated by using host-based IPS, virus scanning at the host level, and content filtering on e-mail |
The VPN services that are found within the Corporate Internet module of the medium-sized network design are also vulnerable to attack. The expected threats and the mitigation actions for these services are outlined in Table 15-11.
Threat | Threat Mitigation |
---|---|
Man-in-the-middle attacks | Mitigated by encrypting remote traffic |
Network topology discovery | Mitigated by using ACLs on the ingress router that restrict Internet traffic to the VPN concentrator (and to the firewall, if it terminates VPN traffic) to IKE and ESP only |
Packet sniffers | Mitigated by using a switched infrastructure to limit exposure |
Password attacks | Mitigated by using OTPs |
Unauthorized access | Mitigated by using firewall filtering and by preventing traffic on unauthorized ports |
Table 15-12 describes the filter parameters that can be applied on the ISP and edge routers to restrict perimeter traffic flow and the corresponding threat mitigation.
Filter Location | Flow | Filter Description | Mitigation |
---|---|---|---|
ISP router | Egress | The ISP rate-limits nonessential traffic that exceeds a predefined threshold | DDoS |
ISP router | Egress | RFC 1918 and RFC 2827 filtering | IP spoofing |
Edge router | Ingress | Coarse IP filtering for expected traffic | General attacks |
Edge router | Ingress | RFC 1918 and RFC 2827 filtering | IP spoofing; verifies the ISP's filtering |
Edge router | Ingress | VPN- and firewall-specific traffic | Unauthorized access |
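The following is an added example, not part of the original chapter or of any Cisco configuration, that models the edge router's ingress policy from Tables 15-11 and 15-12 as a small packet classifier: RFC 1918 source filtering, RFC 2827 filtering against the organization's own prefix, restriction of Internet traffic to the VPN concentrator to IKE (UDP/500) and ESP (IP protocol 50), and coarse filtering of everything else to the public block. The addresses used (the 203.0.113.0/24 public block, the concentrator at 203.0.113.10) and the sample packets are constructed assumptions chosen from documentation ranges, not values from the SAFE SMR design.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed addressing (assumption, not from the SAFE SMR text):
# the organization's assigned public block and the VPN concentrator's
# outside address. TEST-NET ranges are used so nothing real is referenced.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")
VPN_CONCENTRATOR = ipaddress.ip_address("203.0.113.10")

# RFC 1918 private space: must never appear as a source on the Internet side.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

UDP_PROTO = 17   # IP protocol number for UDP
ESP_PROTO = 50   # IP protocol number for ESP (IPSec)
IKE_PORT = 500   # UDP port for IKE


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # IP protocol number
    dport: int = 0    # transport destination port (0 when not applicable)


def edge_ingress_filter(pkt: Packet) -> Tuple[str, str]:
    """Classify a packet arriving on the edge router's Internet-facing interface.

    Returns (verdict, rule) where verdict is 'permit' or 'deny'. Rules are
    evaluated in the same order a practitioner would place them in an ACL:
    anti-spoofing first, then the VPN-specific exception, then coarse filtering.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # RFC 1918 filtering: private sources cannot legitimately come from the ISP.
    if any(src in net for net in RFC1918):
        return "deny", "rfc1918-source"

    # RFC 2827 (ingress direction): a packet from the Internet that claims one
    # of our own public addresses as its source is spoofed.
    if src in PUBLIC_BLOCK:
        return "deny", "rfc2827-spoofed-own-prefix"

    # VPN-specific traffic: only IKE and ESP may reach the concentrator from the
    # Internet, which limits what an attacker can learn about or probe on it.
    if dst == VPN_CONCENTRATOR:
        if pkt.proto == ESP_PROTO or (pkt.proto == UDP_PROTO and pkt.dport == IKE_PORT):
            return "permit", "vpn-ike-esp"
        return "deny", "vpn-non-ipsec"

    # Coarse IP filtering: only traffic for our own block is expected; the
    # firewall behind the edge router applies the finer per-service policy.
    if dst in PUBLIC_BLOCK:
        return "permit", "to-public-block"
    return "deny", "not-our-prefix"


# Constructed sample traffic (not captured data) covering each rule.
SAMPLES = {
    "private-src":      Packet("10.1.2.3",     "203.0.113.5",  6,  80),
    "spoofed-own":      Packet("203.0.113.7",  "203.0.113.5",  6,  80),
    "ike-to-vpn":       Packet("198.51.100.9", "203.0.113.10", UDP_PROTO, IKE_PORT),
    "esp-to-vpn":       Packet("198.51.100.9", "203.0.113.10", ESP_PROTO),
    "ssh-to-vpn":       Packet("198.51.100.9", "203.0.113.10", 6,  22),
    "web-to-public":    Packet("198.51.100.9", "203.0.113.5",  6,  80),
    "transit-elsewhere": Packet("198.51.100.9", "192.0.2.1",    6,  80),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Apply the ingress policy to every constructed sample."""
    return {name: edge_ingress_filter(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, rule) in run_samples().items():
        print(f"{name:18} {verdict:6} ({rule})")
```

Note the ordering: the anti-spoofing checks run before the VPN exception, so a spoofed IKE packet claiming a source inside the public block is still dropped by the RFC 2827 rule rather than reaching the concentrator.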
The key devices that make up the Campus module are described in Table 15-13.
Device | Description |
---|---|
ACS | Provides authentication services to the network devices |
Corporate servers | Provides services to internal users such as e-mail, file, and printing services |
Layer 2 switch | Provides Layer 2 connectivity and supports private VLANs |
Layer 3 switch | Routes and switches production and management traffic within the Campus module, provides distribution layer services to the building switches, and supports advanced services such as traffic filtering |
NIDS appliance | Provides Layer 4-to-Layer 7 monitoring of key network segments in the module |
NIDS host | Provides alarm aggregation for all NIDS devices in the network |
OTP server | Authenticates OTP information that is relayed from the ACS |
SNMP Management Host | Provides SNMP management for devices |
Syslog host(s) | Aggregates log information for firewall and NIDS hosts |
System admin host | Provides configuration, software, and content changes on devices |
User workstations | Provides data services to authorized users on the network |
Within the medium-sized network Campus module, the expected threats and the mitigation actions to counter them are outlined in Table 15-14.
Threat | Threat Mitigation |
---|---|
Application layer attacks | Mitigated by keeping operating systems, devices, and applications up to date with the latest security fixes and protected by host-based IPS |
IP spoofing | Mitigated by using RFC 2827 filtering to prevent source-address spoofing |
Packet sniffers | Mitigated by using a switched infrastructure to limit the effectiveness of sniffing |
Password attacks | Mitigated by using an ACS to enforce strong two-factor authentication for key applications |
Port redirection | Mitigated by using host-based IPSs to prevent port redirection agents from being installed |
Trust exploitation | Mitigated by using private VLANs to prevent hosts on the same subnet from communicating unless necessary |
Unauthorized access | Mitigated by using host-based IPS and application access control |
Virus and Trojan-horse applications | Mitigated by using host-based virus scanning |
The Cisco IOS Firewall router in the WAN module provides routing, access-control, and QoS mechanisms to remote locations.
Within the WAN module, the expected threats and the mitigation actions to counter them are outlined in Table 15-15.
Threat | Threat Mitigation |
---|---|
IP spoofing | Mitigated by using Layer 3 filtering on the router |
Unauthorized access | Mitigated by using simple access control on the router, which can limit the types of protocols to which branches have access |