16 CCNA Security 210-260 Official Cert Guide
Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack: An example is using a botnet to attack a target system. If an attack is launched from a single device with the intent to cause damage to an asset, the attack would be considered a DoS attempt, as opposed to a DDoS. Both types of attack want the same result, and whether it is called a DoS or a DDoS attack depends only on how many source machines are used in the attack. A more advanced and increasingly popular type of DDoS attack is the reflected DDoS (RDDoS) attack. In an RDDoS, the attacker spoofs the source address of the initial (query) packets, setting it to the victim's address. The unknowing participants that receive those queries then send their response packets to that spoofed source, which "reflects" the traffic onto the victim. Because the victim never sent the queries, it receives a flood of responses it did not ask for. Connectionless UDP services are the usual reflectors, because nothing in the exchange verifies that a query really came from the address it claims.
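The reflected-attack signature just described, as an added example that is not code from the CCNA Security guide: a small analyser over constructed flow records that flags hosts receiving responses from a UDP service they never queried (the victim's view of a reflected attack, since the queries carried its spoofed address), and then counts distinct reflectors per victim to separate a DoS (one source) from a DDoS (many). The port list, the DDoS threshold and all addresses are assumptions for illustration.

```python
"""Spot reflected and distributed denial-of-service traffic in flow records.

Added example, not code from the CCNA Security guide. Addresses, the port
list and the DDoS threshold are assumptions for illustration.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (DNS, NTP, SNMP, SSDP); an assumption.
REFLECTOR_PORTS = {53, 123, 161, 1900}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto).
FLOWS = [
    # Legitimate: 192.0.2.10 asks resolver 198.51.100.53 and gets an answer.
    ("192.0.2.10", 40001, "198.51.100.53", 53, "udp"),
    ("198.51.100.53", 53, "192.0.2.10", 40001, "udp"),
    # Reflected DDoS against 203.0.113.5: answers from four open resolvers,
    # but no query from 203.0.113.5 appears anywhere (its address was spoofed).
    ("198.51.100.53", 53, "203.0.113.5", 3074, "udp"),
    ("198.51.100.54", 53, "203.0.113.5", 3074, "udp"),
    ("198.51.100.55", 53, "203.0.113.5", 3074, "udp"),
    ("198.51.100.56", 53, "203.0.113.5", 3074, "udp"),
    # Reflected DoS against 203.0.113.9: a single reflector.
    ("198.51.100.53", 53, "203.0.113.9", 3074, "udp"),
]


def unsolicited_responses(flows, ports=REFLECTOR_PORTS):
    """Map each host that received unsolicited service responses to the reflector IPs."""
    queries = set()  # (client_ip, server_ip, server_port) seen as outbound queries
    for src, _sport, dst, dport, proto in flows:
        if proto == "udp" and dport in ports:
            queries.add((src, dst, dport))
    victims = defaultdict(set)
    for src, sport, dst, _dport, proto in flows:
        # A response whose destination never sent the matching query is unsolicited.
        if proto == "udp" and sport in ports and (dst, src, sport) not in queries:
            victims[dst].add(src)
    return dict(victims)


def classify(victims, ddos_threshold=3):
    """Label each victim 'DDoS' when distinct reflectors reach the threshold, else 'DoS'."""
    return {
        victim: "DDoS" if len(reflectors) >= ddos_threshold else "DoS"
        for victim, reflectors in victims.items()
    }


if __name__ == "__main__":
    found = unsolicited_responses(FLOWS)
    for victim, verdict in classify(found).items():
        print(f"{victim}: {verdict} via {len(found[victim])} reflector(s)")
```

In production the same idea is applied over a time window with byte and packet counts, because real reflected attacks are also amplified (the response is much larger than the query) and a few stray responses from a stateless service are normal; a handful of unsolicited packets is noise, gigabits of them are the attack.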
Applying Fundamental Security Principles to Network Design
This section examines a holistic approach to improving the security posture of your network before, during, and after your network implementation.
Guidelines
You want some basic principles and guidelines in place in the early stages of designing and implementing a network. Table 1-7 describes such key guidelines.
Table 1-7 Guidelines for Secure Network Architecture

Rule of least privilege: This rule states that only the minimal access required to the necessary network resources is provided, and no more than that. An example is an access list applied to an interface for filtering whose final entry is "deny all"; above that entry, specific entries are added that permit only the bare minimum of required protocols, and only between the correct source and destination addresses.

Defense in depth: This concept suggests that you have security implemented at nearly every point of your network. An example is filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers as well. Additional methods that can be used to implement a defense-in-depth approach include authentication and authorization mechanisms, web and e-mail security, content security, application inspection and monitoring, traffic monitoring, and malware protection. The concept behind defense in depth is that if a single security technology fails, additional levels, or mechanisms, of security are still in place to protect the data, applications, and devices on the network.

Separation of duties: When you place specific individuals into specific roles, there can be checks and balances in place regarding the implementation of the security policy. Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place.
Chapter 1: Networking Security Concepts 17
Auditing: This refers to accounting and keeping records about what is occurring on the network. Most of this can be automated through the features of authentication, authorization, and accounting (AAA), covered later in this book. When events happen on the network, the records of those events can be sent to an accounting server. When the separation-of-duties approach is used, those who make changes on the network should not have direct access to modify or delete the accounting records kept on the accounting server; otherwise the people being audited could erase the evidence of their own changes.
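The least-privilege access list from Table 1-7, as an added example that is not code from the CCNA Security guide: a parser for a small subset of Cisco IOS extended-ACL syntax (permit/deny; ip, tcp or udp; any, host or address-plus-wildcard for source and destination; an optional "eq <port>" after the destination; an optional trailing "log") and a first-match evaluator that behaves the way the router does: top to bottom, first match wins, implicit deny at the end. Two constructed lists are evaluated: the bare-minimum permits followed by the deny, and the same entries with the deny placed first. The addresses, ports and list contents are assumptions for illustration.

```python
"""First-match evaluation of an IOS-style extended access list.

Added example, not code from the CCNA Security guide. The ACL entries,
addresses and ports are assumptions for illustration.
"""
import ipaddress

# Least privilege: only the required protocols between the right hosts, then deny everything.
LEAST_PRIVILEGE_ACL = [
    "permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443",
    "permit udp 10.1.1.0 0.0.0.255 host 10.2.2.53 eq 53",
    "deny ip any any log",
]

# The same entries with the deny on top: first match wins, so nothing is ever permitted.
MISORDERED_ACL = [LEAST_PRIVILEGE_ACL[2], LEAST_PRIVILEGE_ACL[0], LEAST_PRIVILEGE_ACL[1]]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume one address spec from tokens; return (network, wildcard) as integers."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(tok), _to_int(tokens.pop(0))


def parse_ace(line):
    """Parse one access control entry (ACE) into a dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported entry: {line}")
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:  # 'eq' after the destination = destination port
        dport = int(rest[1])
        del rest[:2]
    if rest not in ([], ["log"]):
        raise ValueError(f"unsupported trailing tokens in: {line}")
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _addr_match(addr, spec):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(addr) ^ network) & care == 0


def evaluate(acl_lines, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for a packet; unmatched packets hit the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(src, ace["src"]) and _addr_match(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # every IOS ACL ends with an implicit 'deny ip any any'


if __name__ == "__main__":
    pkt = ("10.1.1.7", "10.2.2.10", "tcp", 443)
    print("least privilege:", evaluate(LEAST_PRIVILEGE_ACL, *pkt))
    print("deny first:     ", evaluate(MISORDERED_ACL, *pkt))
```

The explicit "deny ip any any log" at the bottom is redundant with the implicit deny but is the usual practice, because the log keyword is what lets the denied traffic show up in the accounting records discussed under Auditing.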
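The Auditing row says that those who change the network must not be able to modify or delete the accounting records. As an added example that is not code from the CCNA Security guide, and that goes one step beyond it, the following shows how an accounting server can make such tampering detectable in the first place: each stored record is hashed together with the hash of the record before it, so altering or removing an entry breaks the chain at that point. The record fields mimic TACACS+ command accounting and are constructed; the hashing scheme is an assumption, not something the guide prescribes.

```python
"""Tamper-evident storage for AAA accounting records.

Added example, not code from the CCNA Security guide. The record layout is
constructed and the hash-chain scheme is an illustrative assumption.
"""
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" for the very first record


def record_hash(prev_hash, record):
    """SHA-256 over the previous hash and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain, record):
    """Append a record to the chain, a list of {'record', 'hash'} entries."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": dict(record), "hash": record_hash(prev, record)})
    return chain


def verify(chain):
    """Return (True, None) if every link holds, else (False, index of the first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != record_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


# Constructed accounting records for a configuration change on an edge router.
RECORDS = [
    {"ts": "2016-01-12T10:01:00Z", "user": "jdoe", "device": "edge-rtr1", "cmd": "configure terminal"},
    {"ts": "2016-01-12T10:01:07Z", "user": "jdoe", "device": "edge-rtr1", "cmd": "no ip access-list extended EDGE-IN"},
    {"ts": "2016-01-12T10:01:09Z", "user": "jdoe", "device": "edge-rtr1", "cmd": "end"},
]


def build_chain(records):
    """Build a fresh chain from a list of records."""
    chain = []
    for record in records:
        append(chain, record)
    return chain


if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact:", verify(chain))
    chain[1]["record"]["cmd"] = "show ip access-lists"  # the administrator rewrites history
    print("after edit:", verify(chain))
```

The chain alone cannot detect truncation, since removing the most recent entries leaves a valid shorter chain; a deployment pairs it with a trusted record count or periodically anchors the latest hash somewhere the network administrators cannot write, which is exactly the separation of duties the table calls for.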
Network Topologies
There are a number of network topologies, which depend on the size and type of each organization. Some organizations will have a presence in each of the following topologies, while others may utilize only a subset of this list. Refer to the list that follows and Figure 1-1 through Figure 1-4 for a description and depiction of each of the different topologies in an organization's network.
■ Campus-Area Network (CAN): A campus-area network, as illustrated in Figure 1-1, is the network topology used to provide connectivity, data, applications, and services to users of an organization who are physically located at the corporate office (headquarters). The CAN includes a module for each building in the campus, for the data center, for WAN Aggregation, and for the Internet Edge. Security with the Campus-Area Network.
[Figure 1-1 Campus-Area Network Topology: diagram labels include Devices, MDM, Active Directory (AD), Certificate Authority (CA), Campus, and Data Center]
■ Cloud, Wide-Area Network (WAN): The cloud and WAN provide a logical and physical location for data and applications that an organization prefers to have moved off-site, as illustrated in Figure 1-2. This relieves the organization of having to expend resources to operate, maintain, and manage services that were previously located within the organization's purview.
[Figure 1-2 Cloud/WAN Topology: diagram labels include Aggregation Services Router (ASR) and Data Center]
■ Data Center: The Data Center network contains the Unified Computing System (UCS) servers, voice gateways, and CUCM servers supporting the VoIP environment, all of which are provided network connectivity by a series of Nexus switches, as illustrated in Figure 1-3. The entire Data Center network is protected by a set of firewalls at the edge that filter all traffic ingressing and egressing the Data Center.
■ Small Office/Home Office (SOHO): The remote SOHO site provides connectivity to the SOHO users through WAN routers that find their way back to the WAN Aggregation module in the CAN via MPLS WANs, as illustrated in Figure 1-4. Within the SOHO, users are provided network connectivity through access switches.