16 CCNA Security 210-260 Official Cert Guide
Chapter 1: Networking Security Concepts

- Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack: An example is using a botnet to attack a target system. If an attack is launched from a single device with the intent to cause damage to an asset, the attack could be considered a DoS attempt, as opposed to a DDoS. Both types of attacks want the same result, and whether it is called a DoS or DDoS attack depends only on how many source machines are used in the attack. A more advanced and increasingly popular type of DDoS attack is called a reflected DDoS (RDDoS) attack. An RDDoS takes place when the source address of the initial (query) packets is spoofed by the attacker so that it carries the victim's address. The response packets are then "reflected" back from the unknowing participant (the reflector) to the victim of the attack; that is, to the original (spoofed) source of the initial (query) packets, which never actually sent them.

Applying Fundamental Security Principles to Network Design

This section examines the holistic approach to improving the security posture of your network before, during, and after your network implementation.

Guidelines

You want some basic principles and guidelines in place in the early stages of designing and implementing a network. Table 1-7 describes such key guidelines.

Table 1-7 Guidelines for Secure Network Architecture

Rule of least privilege: This rule states that minimal access is provided only to the required network resources, and not any more than that. An example of this is an access list applied to an interface for filtering whose final entry says "deny all." Before that entry, specific entries are added allowing only the bare minimum of required protocols, and only between the correct source and destination addresses. Because the list is evaluated top to bottom and the first matching entry wins, the order matters: a "deny all" placed first would block everything beneath it.

Defense in depth: This concept suggests that you have security implemented on nearly every point of your network. An example is filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers as well. Additional methods that can be used to implement a defense-in-depth approach include using authentication and authorization mechanisms, web and e-mail security, content security, application inspection, traffic monitoring, and malware protection. The concept behind defense in depth is that if a single security technology fails, additional levels, or mechanisms, of security are still in place to protect the data, applications, and devices on the network.

Separation of duties: When you place specific individuals into specific roles, there can be checks and balances in place regarding the implementation of the security policy. Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place.

Auditing: This refers to accounting and keeping records about what is occurring on the network. Most of this can be automated through the features of authentication, authorization, and accounting (AAA) (covered later in this book). When events happen on the network, the records of those events can be sent to an accounting server. When the separation-of-duties approach is used, those who are making changes on the network should not have direct access to modify or delete the accounting records that are kept on the accounting server.

Network Topologies

There exist a number of network topologies that depend on the size and type of each organization. Some organizations will have a presence of each of the following topologies, while others may only utilize a subset of this list. Refer to the list that follows and Figure 1-1 through Figure 1-4 for a description and depiction of each of the different topologies found in an organization's network.

- Campus-Area Network (CAN): A campus-area network, as illustrated in Figure 1-1, is the network topology used to provide connectivity, data, applications, and services to users of an organization that are physically located at the corporate office (headquarters). The CAN includes a module for each building in the campus, for the data center, for WAN aggregation, and for the Internet edge.

Figure 1-1 Campus-Area Network Topology (figure not reproduced; labeled elements include MDM, Active Directory (AD), Certificate Authority (CA), Campus, and Data Center)

- Cloud, Wide-Area Network (WAN): The cloud and WAN provide a logical and physical location for data and applications that an organization prefers to have moved off-site, as illustrated in Figure 1-2. This alleviates an organization from having to expend resources to operate, maintain, and manage the services that have previously been located within the organization's purview.

Figure 1-2 Cloud/WAN Topology (figure not reproduced; labeled elements include Aggregation Services Router (ASR) and Data Center)

- Data Center: The Data Center network contains the Unified Computing System (UCS) servers, voice gateways, and CUCM servers supporting the VoIP environment, all of which are provided network connectivity by a series of Nexus switches, as illustrated in Figure 1-3. The entire Data Center network is protected by a set of firewalls at the edge that filter all traffic ingressing and egressing the Data Center.

- Small Office/Home Office (SOHO): The remote SOHO site provides connectivity to the SOHO users through WAN routers that find their way back to the WAN Aggregation module in the CAN via MPLS WANs, as illustrated in Figure 1-4. Within the SOHO, users are provided network connectivity through the presence of access switches.
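The reflected DDoS exchange described at the top of this excerpt (attacker forges the victim's address, reflector answers the victim) is easy to misread from prose alone, so here it is as a small simulation with both sides' packets and a victim-side check for responses that no local host ever requested. This is an added example written for this page, not code from the cert guide; the attacker, victim and reflector addresses (RFC 5737 documentation ranges), the packet sizes and counts, and the `queries_sent` bookkeeping are all constructed assumptions.

```python
"""Reflected DDoS (RDDoS) as a packet exchange, plus a victim-side check.

Added example for this page, not the cert guide's code. All parties, addresses
(RFC 5737 documentation ranges), sizes and counts are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source address written in the header: an attacker can forge it
    dst: str
    kind: str   # "query" or "response"
    size: int   # bytes (constructed)


ATTACKER = "198.51.100.9"                                  # real origin of the spoofed queries
VICTIM = "203.0.113.50"                                    # address the attacker writes as src
REFLECTORS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]    # open servers, not compromised
LEGIT_SERVER = "192.0.2.99"                                # a server the victim really talks to


def craft_spoofed_queries(victim: str, reflectors: List[str], per_reflector: int) -> List[Packet]:
    """Attacker step: packets leave ATTACKER, but the header claims they came from the victim."""
    return [Packet(src=victim, dst=r, kind="query", size=60)
            for r in reflectors for _ in range(per_reflector)]


def reflect(query: Packet, response_size: int = 600) -> Packet:
    """Reflector step: the server answers whoever the packet claims to be from. It cannot
    tell the source was forged, so the (larger) reply lands on the victim."""
    return Packet(src=query.dst, dst=query.src, kind="response", size=response_size)


def run_attack(per_reflector: int = 5) -> Tuple[List[Packet], List[Packet]]:
    queries = craft_spoofed_queries(VICTIM, REFLECTORS, per_reflector)
    return queries, [reflect(q) for q in queries]


def amplification_factor(queries: List[Packet], responses: List[Packet]) -> float:
    """Bytes arriving at the victim per byte the attacker actually had to send."""
    sent = sum(q.size for q in queries)
    return sum(r.size for r in responses) / sent if sent else 0.0


def unsolicited_responses(observed: List[Packet], queries_sent: Dict[str, Set[str]]) -> List[Packet]:
    """Victim-side check: a response is unsolicited when the host it is addressed to never
    sent a request to its sender. queries_sent maps each local host to the servers it
    genuinely queried (in practice: a stateful firewall's table or flow records)."""
    return [p for p in observed
            if p.kind == "response" and p.src not in queries_sent.get(p.dst, set())]


def victim_view() -> Dict[str, int]:
    """Mix the reflected flood with one legitimate exchange; count flagged responses per sender."""
    _, reflected = run_attack()
    legit_response = reflect(Packet(src=VICTIM, dst=LEGIT_SERVER, kind="query", size=60))
    observed = reflected + [legit_response]
    queries_sent = {VICTIM: {LEGIT_SERVER}}   # the victim really asked only the legit server
    return dict(Counter(p.src for p in unsolicited_responses(observed, queries_sent)))


if __name__ == "__main__":
    q, r = run_attack()
    print(f"{len(q)} spoofed queries -> {len(r)} responses, all to {VICTIM}: "
          f"{all(p.dst == VICTIM for p in r)}")
    print(f"amplification x{amplification_factor(q, r):.0f}")
    print("unsolicited responses per sender:", victim_view())
```

Two things the simulation makes visible: the victim's own outbound state is what distinguishes reflected responses from legitimate ones (the reply from `LEGIT_SERVER` is not flagged), and the victim can do nothing about the spoof itself; the forged source has to be dropped where it enters the network, which is what ingress anti-spoofing filtering (BCP 38) at the attacker's upstream provides.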
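Returning to the rule of least privilege in Table 1-7: the "deny all" entry and the specific permits placed before it only work because an interface access list is evaluated top to bottom with the first match deciding. The following added example, written for this page and not taken from the cert guide or from Cisco IOS, models that evaluation (including the implicit deny at the end of the list) and compares a least-privilege list with the same entries misordered and with a "permit any" list. Subnets, hosts, ports and entries are constructed for the illustration.

```python
"""Rule of least privilege as an ordered access list (added example).

Illustrative model written for this page, not cert-guide or Cisco IOS code.
Entries are processed top to bottom, first match wins, implicit deny at the
end. Addresses, ports and entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry. proto 'ip' matches any protocol; dport None matches any port."""
    action: str
    proto: str
    src: str     # CIDR
    dst: str     # CIDR
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(ace.src, strict=False):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(ace.dst, strict=False):
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching entry). Index None means no entry
    matched and the implicit deny at the end of the list decided."""
    for idx, ace in enumerate(acl, start=1):
        if matches(ace, flow):
            return ace.action, idx
    return "deny", None


ANY = "0.0.0.0/0"

# Least privilege: permit only the required protocols, only between the right
# hosts, then deny everything else. The explicit final deny duplicates the
# implicit one but makes the intent visible and gives a place to log hits.
LEAST_PRIVILEGE = [
    Ace("permit", "tcp", "10.0.1.0/24", "10.0.10.20/32", 443),   # users -> web server, HTTPS only
    Ace("permit", "udp", "10.0.1.0/24", "10.0.10.53/32", 53),    # users -> internal DNS
    Ace("deny",   "ip",  ANY, ANY),                               # deny all
]

# Same entries, wrong order: the catch-all deny comes first, so nothing below it is reached.
MISORDERED = [LEAST_PRIVILEGE[2], LEAST_PRIVILEGE[0], LEAST_PRIVILEGE[1]]

# Violates least privilege: every protocol between every pair of hosts.
PERMIT_ANY = [Ace("permit", "ip", ANY, ANY)]

SAMPLE_FLOWS = {
    "https_from_users": Flow("tcp", "10.0.1.15", "10.0.10.20", 443),
    "ssh_from_users":   Flow("tcp", "10.0.1.15", "10.0.10.20", 22),
    "dns_from_users":   Flow("udp", "10.0.1.15", "10.0.10.53", 53),
    "https_from_guest": Flow("tcp", "10.0.9.7",  "10.0.10.20", 443),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(acl, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


def unreachable_entries(acl: List[Ace]) -> List[int]:
    """1-based indexes of entries that can never match because an earlier 'ip any any'
    entry already covers all traffic (simplified shadowing check)."""
    return [idx + 1 for idx, _ in enumerate(acl)
            if any(e.proto == "ip" and e.src == ANY and e.dst == ANY and e.dport is None
                   for e in acl[:idx])]


if __name__ == "__main__":
    for label, acl in (("least privilege", LEAST_PRIVILEGE),
                       ("misordered", MISORDERED),
                       ("permit any", PERMIT_ANY)):
        print(f"{label:15} {decisions(acl)} unreachable: {unreachable_entries(acl)}")
```

The `unreachable_entries` check is the kind of sanity test worth running on any list before applying it: in the misordered list the two permits are shadowed and every flow, including the required HTTPS and DNS, is denied, while the "permit any" list passes everything, including SSH from the user subnet and traffic from the guest subnet that the policy never intended to allow.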