DES 214 Securing Infrastructure Architecture
Table of Contents
Course Overview and Objectives (page 3)
Security Principles (page 5)
Network Topologies (page 7)
Perimeters and Zones (page 9)
Demilitarized Zones (page 11)
Securing Routers (page 12)
Routing and Discovery Protocols (page 15)
Securing Network Switches (page 17)
Identify Tasks to Secure Switches and Routers (page 19)
Securing Bridges (page 20)
Securing Firewalls (page 21)
Secure a Network Zone (page 23)
Securing Wireless Access Points (page 25)
Match Definition to Access Point Type (page 28)
Securing Transmission Media (page 29)
Network Authentication (page 31)
Securing Servers (page 33)
Course Summary (page 35)
Thank You (page 36)
Page 1 of 36
DES 214 – Securing Infrastructure Architecture
Narration
On screen text
DES 214
Securing Infrastructure Architecture
Course Overview and Objectives
Narration
This course is designed for NICE Workforce roles Enterprise Architect (SP-ARC-001) and System
Administrator (OM-ADM-001). The objectives of this course align with the NIST Cybersecurity
Framework.
On successful completion of this course, you should have the knowledge and skills required to
understand the fundamentals of securing your infrastructure architecture following common security
principles and to assess the components of your infrastructure for security risks and implement industry
best practices to mitigate potential threats.
On screen text
This course is designed to cover the deployment phase of the software development lifecycle.
This course is designed for NICE Workforce roles Enterprise Architect (SP-ARC-001) and System
Administrator (OM-ADM-001). The objectives of this course align with the NIST Cybersecurity
Framework.
On successful completion of this course, you should have the knowledge and skills required to:
• Understand the fundamentals of securing your infrastructure architecture following common security principles
• Assess the components of your infrastructure for security risks and implement industry best practices to mitigate potential threats
Security Principles
Narration
Security principles are fundamental time-tested tenets that serve as the foundation for all security
guidance. Applicable to most aspects of security, these security principles should guide your network
design and implementations. Understanding these principles is key to developing requirements for a
secure infrastructure.
There are a variety of security principles, but there are several that we will focus on in this course:
Defense in depth is creating multiple layers of security defenses to account for potential failures of outer
defenses. Even the most sophisticated security mechanisms are prone to failures. With multiple layers of
defense, each layer increases the difficulty and effort required to compromise the network. Defense in
depth does not make compromise impossible, but it raises the cost so that all but the most sophisticated
and determined attacks fail, and it buys time to detect an attacker who has defeated an outer layer.
Minimizing attack surface reduces the number of attack vectors to the absolute minimum necessary.
The attack surface of an organization is the sum of all the entry and exit points of the network: every
listening service, open port, management interface, and path between zones.
The principle of least privilege begins with the idea that any network can and will be compromised by a
determined attacker. To reduce the impact of a compromise, a network infrastructure should limit
access to the minimum required for necessary operations.
And compartmentalization is a principle that works in conjunction with defense in depth and least
privilege. Instead of a single large network, you break it into smaller organizational or security segment
zones. Compartmentalization helps ensure that a breach of one segment does not lead to a breach of
the entire organization.
Security through obscurity is relying upon the secrecy of a design or configuration for security. Although
a legitimate tactic for deflecting casual attacks, security should stand on its own without secrecy. For
that reason, use security through obscurity sparingly and always as a secondary practice. Weak security
through obscurity would be hiding a key under a doormat. A better alternative is to keep the key secure
and, as an additional measure, make the locked door harder to find.
On screen text
Security Principles
Security principles are fundamental time-tested tenets that serve as the foundation for all security
guidance.
Defense in Depth
Creating multiple layers of security defenses
Minimize Attack Surface
Reducing attack vectors to the minimum
Least Privilege
Limiting all access to the minimum necessary
Compartmentalization
Dividing a network or system into smaller, isolated segments
Security Through Obscurity
Using secrecy as a secondary security countermeasure
These security principles should guide your network design and implementations. Understanding these
principles is key to developing requirements for a secure infrastructure.
Network Topologies
Narration
Computing requirements and priorities differ greatly among organizations, as do their network
topologies. Organization size, type of hosts, transmission media, and other factors all influence a
network design.
Here we will look at a simple topology to better understand how design can affect security.
Some of the elements we will cover in this course are:
network perimeters and zones,
routers and firewalls,
network switches,
wireless access points,
and servers.
On screen text
Network Topologies
Network diagram: edge router, firewall/router, switches, Wi-Fi, public servers, internal servers, internal network.
Perimeters and Zones
Narration
A network perimeter is the fence that defines the difference between the inside of your network and
outside of your network. While your network may seem to have a clearly defined perimeter starting with
your primary router or firewall, modern technology and cloud services can sometimes blur the lines
between the inside and outside of your network. Most often, the best strategy is to build your network
as a collection of smaller subnets or zones, each with their own perimeters.
You might define perimeters by security level, organizational group, or exposure to outside risks. A
simple rule to remember when defining perimeters is that any packets that travel from one zone to
another should pass through a packet filter, whether it be in the form of a router, firewall, or other
security systems.
When designing a network, watch out for security zones that might need special considerations. Some
of these are:
Virtual Private Networks (VPNs) allow you to create a tunnel from one network or endpoint to another.
For example, an employee working at home might be able to connect to the corporate network via a
VPN. Unfortunately, you might not have control over the devices—such as a user’s home computer—
that connect through a VPN, so you should isolate these connections into their own security zone and
control what other zones they might be able to access.
While it is easy to keep network cables inside your physical premises, a wireless network may be
accessible to anyone within the vicinity. Even when encrypted and authenticated, wireless networks are
still a risk given an attacker with enough time or resources. For this reason, wireless networks should be
in their own zone with stricter access controls and limits on connectivity.
Mobile phones might be a risk because, if not managed and secured by the organization, they may
contain malware that has access to both your internal network and an external mobile provider’s
network.
And finally, virtual machines on a single physical host may belong to different security zones, so any
virtual switches and bridges on that host must enforce the same separation as their physical
counterparts, for example by giving each zone its own virtual switch or VLAN rather than bridging all
guests onto one segment.
On screen text
Network diagram: edge router, firewall/router, public servers, switches, Wi-Fi, internal network, internal servers.
Wireless Networks
Mobile Phones
Virtual Machines
Demilitarized Zones
Narration
One special type of network zone is called a demilitarized zone, or DMZ. This zone is for placing servers
that expose public services to the internet, such as web and email servers. Because these hosts attract
the highest volume of attacks and are the most likely to be compromised, using a DMZ is a smart strategy:
it isolates these servers from the rest of your network, so a breach is contained within the DMZ
without further compromising other network segments.
Sometimes within a DMZ you might create an additional isolated sub-network for sensitive backend
servers such as database or application servers. These are servers that need not be exposed to the
internet but must be reachable from the servers that are exposed to the internet, and only from those.
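The zone rule from the previous section (every packet crossing a zone boundary passes through a packet filter) and the DMZ layout described here can be captured as a small default-deny policy model. The following Python is an added example, not part of the course: the zone address ranges, the list of permitted flows, and the function names are assumptions chosen to mirror the diagram. It decides which zone-to-zone connections are permitted and computes what a compromised host in each zone could still reach.

```python
"""Default-deny zone boundary model for the DMZ topology in this section.

Added example, not course material. Zone ranges (RFC 1918 / documentation
prefixes), permitted flows and function names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout; anything outside these ranges is the untrusted internet.
ZONES = {
    "dmz":     ip_network("192.0.2.0/24"),   # public web and mail servers
    "backend": ip_network("10.10.20.0/24"),  # database/application servers behind the DMZ
    "lan":     ip_network("10.10.0.0/22"),   # internal users
    "wifi":    ip_network("10.20.0.0/24"),   # wireless clients in their own zone
    "vpn":     ip_network("10.30.0.0/24"),   # remote-access endpoints in their own zone
}
UNTRUSTED = "internet"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Least privilege: enumerate only the cross-zone flows the business needs.
ALLOWED = {
    Flow("internet", "dmz", "tcp", 443),   # public HTTPS
    Flow("internet", "dmz", "tcp", 25),    # inbound mail
    Flow("dmz", "backend", "tcp", 5432),   # web tier to database only
    Flow("lan", "dmz", "tcp", 443),        # staff use the public apps
    Flow("lan", "internet", "tcp", 443),   # outbound web for staff
    Flow("vpn", "lan", "tcp", 443),        # remote users: internal web apps only
    Flow("wifi", "internet", "tcp", 443),  # wireless clients: internet only
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are treated as internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return UNTRUSTED


def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Verdict for a connection attempt.

    Same-zone traffic never reaches the boundary filter, so it is allowed here;
    everything else is denied unless explicitly listed. Return packets of an
    established connection are not modelled (a stateful firewall admits them).
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"
    return "allow" if Flow(src, dst, proto.lower(), dport) in ALLOWED else "deny"


def blast_radius(zone: str) -> set:
    """What a compromised host in `zone` can still initiate across boundaries."""
    return {(f.dst_zone, f.proto, f.dport) for f in ALLOWED if f.src_zone == zone}
```

Evaluating the model shows the compartmentalization payoff: a compromised web server in the DMZ can initiate connections only to the database port on the backend segment, and nothing in the internet, wireless, or VPN zones can reach the backend directly. The model covers connection initiation only; a real stateful firewall also admits the return packets of connections it has already allowed.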
On screen text
Demilitarized Zones
Network diagram: edge router, firewall/router, DMZ, backend servers.
Securing Routers
Narration
Routers are network devices that forward packets from one IP network to another, for example, from a
corporate network to the internet. Because they are typically a single point of entry at the perimeter of a
network or network zone, routers often serve as firewalls and VPN endpoints, hide internal addressing
with network address translation (NAT), and can enforce network access controls. Note that NAT by
itself is not a security control and should always be paired with packet filtering.
With their typical role as gateways into internal networks, routers are attractive targets for attack.
Therefore, it is essential that you keep your routers as secure and resilient as possible.
Using the security principles mentioned earlier, we can develop a strategy for securing your routing
infrastructure.
For defense in depth, make use of advanced router features such as packet filtering, routing policies,
encryption, and authentication, even if these seem redundant.
To minimize attack surface, disable unused management services and protocols on the router and set IP
address restrictions for services and protocols in use.
To enforce least privilege, use packet filter rules to block all traffic by default, then set additional rules to
allow the minimal necessary allowed traffic.
For router access, use AAA with privilege levels or role-based access so that each administrator can
reach only the management features they need.
You can segment your network using physical ports, for example, to isolate the DMZ and other internal
networks. Use VLANs and subnets to limit broadcast domains and reduce the scope of network traffic.
Make use of IPSec and other tunneling protocols to further isolate network and host traffic.
To help reduce the number of drive-by and other casual attacks, set management service ports to
non-default values and change administrative usernames, SNMP communities, and other defaults. These
are security-through-obscurity measures: useful for cutting down noise, but never a substitute for
authentication and filtering.
In addition to these strategies, other important best practices are to keep your router firmware up to
date and have good backups and change control for your router configurations.
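Disabling unused management services, restricting the remaining ones by IP, and replacing default SNMP communities can be checked mechanically against a saved configuration. The following Python is an added example, not part of the course or of any vendor tool: it audits a constructed IOS-style configuration for the items discussed in this section. The sample configurations, the check list and the function names are assumptions; the command syntax is real IOS, but only a handful of commands are examined.

```python
"""Audit an IOS-style router configuration for the hardening items in this section.

Added example, not course material or a vendor tool. The sample configs, the
check list and the function names are assumptions; the IOS command syntax is
real but only a handful of commands are examined.
"""
import re

# Constructed configuration with several weaknesses.
SAMPLE_CONFIG = """\
hostname edge-rtr
service password-encryption
ip http server
snmp-server community public RO
snmp-server community s3cr3t-rw RW 10
ip ssh version 2
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
end
"""

# Constructed configuration with the findings fixed.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
no ip http server
no cdp run
snmp-server community Zq8-long-random RO 20
ip ssh version 2
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_RE = re.compile(r"snmp-server community (\S+)\s+(RO|RW)(?:\s+(\d+))?")


def parse_blocks(config):
    """Return (top-level lines, [(block header, [indented sub-lines]), ...]).

    IOS indents the sub-commands of a block such as 'line vty' with a space.
    """
    top, blocks, current = [], [], None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text in ("!", "end"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(text)
        else:
            current = (text, [])
            blocks.append(current)
            top.append(text)
    return top, blocks


def audit(config):
    """List findings: unused management services, missing IP restrictions,
    default SNMP communities, and other defaults left in place."""
    findings = []
    top, blocks = parse_blocks(config)
    present = set(top)
    if "ip http server" in present:
        findings.append("ip http server: plaintext HTTP management enabled; disable it")
    if "service password-encryption" not in present:
        findings.append("service password-encryption missing: passwords stored in cleartext")
    if "ip ssh version 2" not in present:
        findings.append("ip ssh version 2 missing: SSHv1 may be negotiated")
    if "no cdp run" not in present:
        findings.append("CDP left at its enabled default; disable it where not needed")
    for line in top:
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community '{community}' ({mode}) in use")
        if acl is None:
            findings.append(f"SNMP community '{community}' ({mode}) has no access-list restriction")
    for header, sub in blocks:
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in sub:
            findings.append(f"{header}: management transport not restricted to SSH")
        if not any(s.startswith("access-class") for s in sub):
            findings.append(f"{header}: no access-class, management reachable from any address")
    return findings
```

Run against a configuration exported from the device (for example the output of show running-config), the audit reports six findings for the weak sample and none for the hardened one. A production check would cover many more commands, but the structure (parse into blocks, compare against an explicit list of expected and forbidden settings) is the same, and it fits naturally into the configuration change control this section recommends.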
On screen text
Securing Routers
Network diagram: edge router, firewall/router.
• Firewalls
• VPN endpoints
• Network address translation (NAT)
• Network access controls
Defense in Depth
Make use of advanced router features
Minimize Attack Surface
Disable unused services and protocols
Set IP restrictions
Least Privilege
Block all traffic by default
Use security groups
Segmentation
Create isolated network segments
Use VLANs and subnets
Use IPSec
Routing and Discovery Protocols
Narration
Routing protocols allow routers to communicate with each other to discover network topology and
share knowledge of the routes they manage. Some routing protocols you might encounter are Routing
Information Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Enhanced
Interior Gateway Routing Protocol (EIGRP), and Intermediate System to Intermediate System (IS-IS). As
these protocols have matured, they have become more secure, but they may still be susceptible to attack:
RIP version 1, for example, has no authentication at all, and while RIPv2, OSPF, EIGRP, IS-IS, and BGP all
support neighbor authentication, it is typically disabled until you configure it.
Discovery protocols allow for the mapping of devices and services on a local network. Discovery
protocols seen on your network might include Link Layer Discovery Protocol (LLDP), Link Layer Topology
Discovery (LLTD), Universal Plug and Play (UPnP), Bonjour, or Cisco Discovery Protocol (CDP).
Since routing and discovery protocols typically use broadcast or multicast addresses to communicate,
the general strategy for limiting exposure to attack is to limit broadcast domains to smaller groups
either through routing or VLANs.
Attacks on routing and discovery protocols sometimes involve injecting fake packets to trick hosts into
connecting to a device under an attacker's control; answering ARP requests for the default gateway
with the attacker's MAC address is the classic example. To limit these attacks, use static IP and MAC
address assignments on critical infrastructure, make use of static ARP entries whenever practical, and
enable switch protections such as dynamic ARP inspection and DHCP snooping where they are available.
Many routers provide some form of protocol filtering to limit the scope of routing advertisements and
prevent broadcast flooding. Configure passive interfaces so that routing updates are not sent on
segments where no neighbor router exists, and filter inbound routes so that a rogue device cannot
advertise routes your network should never accept.
And finally, since some of these protocols have been around for a long time, it is always best to
implement the latest versions of a protocol and make use of any encryption or authentication features
that might be available.
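One concrete form of the packet-injection attack described above is ARP cache poisoning: an attacker answers for the gateway's IP address with their own MAC address so that traffic flows through them. The following Python is an added example, not part of the course: it runs simple detection logic over a constructed stream of ARP replies, using a table of pinned bindings for critical hosts in the way this section recommends. The addresses, the replies and the function names are assumptions.

```python
"""Detect ARP cache poisoning in a stream of ARP replies.

Added example, not course material. Pinned bindings, the constructed replies
and function names are assumptions.
"""
from collections import defaultdict

# Assumed static ARP entries for critical hosts (the bindings the course
# recommends pinning on infrastructure and servers).
STATIC_BINDINGS = {
    "10.10.0.1": "00:11:22:33:44:01",   # default gateway
    "10.10.0.53": "00:11:22:33:44:53",  # DNS server
}

# Constructed ARP replies observed on the segment: (time, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "10.10.0.1", "00:11:22:33:44:01"),
    (2, "10.10.1.20", "08:00:27:aa:bb:20"),
    (3, "10.10.1.21", "08:00:27:aa:bb:21"),
    (4, "10.10.0.1", "08:00:27:de:ad:01"),   # attacker answers for the gateway
    (5, "10.10.0.53", "08:00:27:de:ad:01"),  # same attacker MAC claims DNS
    (6, "10.10.1.22", "08:00:27:aa:bb:22"),
    (7, "10.10.1.20", "08:00:27:de:ad:01"),  # and overwrites a dynamic entry
]


def analyze(replies, static_bindings):
    """Return alerts as (time, kind, ip, mac).

    kinds: static-violation        - a reply contradicts a pinned binding
           binding-change          - a dynamically learned IP moved to a new MAC
           mac-claims-multiple-ips - one MAC answers for several IPs
                                     (heuristic; multi-homed hosts do this legitimately)
    """
    alerts = []
    learned = {}                    # dynamically learned ip -> mac
    ips_per_mac = defaultdict(set)  # mac -> IPs it has answered for
    for ts, ip, mac in replies:
        mac = mac.lower()
        pinned = static_bindings.get(ip)
        if pinned is not None:
            # Pinned entries are never overwritten; only report contradictions.
            if mac != pinned.lower():
                alerts.append((ts, "static-violation", ip, mac))
        else:
            prev = learned.get(ip)
            if prev is not None and prev != mac:
                alerts.append((ts, "binding-change", ip, mac))
            learned[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts
```

On the sample stream the first three replies are clean; the attacker then triggers two static-violation alerts, one binding-change alert, and two multiple-IP alerts. The multiple-IP heuristic needs an allow-list in practice, because routers and multi-homed servers legitimately answer for more than one address. On managed switches, dynamic ARP inspection performs this validation in hardware against the DHCP snooping table, which is why the section above recommends enabling it where available.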
On screen text
Routing protocols allow routers to communicate with each other to discover network topology and
share knowledge of the routes they manage.
Discovery protocols allow for the mapping of devices and services on a local network
Securing Network Switches
Narration
Switches are intelligent network devices that extend networks and connect multiple physical segments.
Because a switch forwards each frame only to the port where its destination resides, rather than
repeating it everywhere, switches are a key component of the network topologies most common today.
Managed switches provide a variety of functions to improve security:
Port security allows an administrator to restrict access on switch ports through MAC address controls,
for example by limiting how many MAC addresses a port may learn or by binding a port to specific
addresses.
VLANs allow for segmentation of broadcast domains, although not as secure as physical segmentation.
802.1X allows for network authentication on a port-level basis, so a device must prove its identity
before the port carries its traffic.
Other features might include protection from packet flooding, rule-based switching, and port mirroring
for network monitoring.
On screen text
Switches are intelligent network devices that extend networks and connect multiple segments
• Port security
• VLANs
• 802.1X
• Flood protection
• Rule-based switching
• Port mirroring
Identify Tasks to Secure Switches and Routers
Narration
Here are two to-do lists for securing network devices. Drag the sticky notes to the correct lists.
On screen text
Securing Bridges
Narration
Bridges are network devices that connect two separate networks into a single larger network. Bridges
are most commonly seen linking two types of networks, such as wired and wireless, or combining
multiple network adapters or ports into a single network.
Standalone bridges are not common anymore, but devices such as routers and switches do perform
bridging functions.
The most important security consideration when bridging two networks is to make sure they are both in
the same security zone. Otherwise, you should use a router or firewall to control traffic across these
networks.
On screen text
Securing Bridges
Bridges are network devices that connect two separate networks into a single larger network.
Securing Firewalls
Narration
Firewalls include a broad range of hardware devices and software that monitor and control the traffic
flowing through a network chokepoint. They have long been a central element of infrastructure security.
Although still critical, they are now complemented by numerous other technologies, each an important
link in the chain of network security.
What we call a firewall may take different forms. They may be part of a router, a standalone device, or
applications running on individual computers. They may also work on various OSI layers. An application
firewall, for example, has knowledge of the application layer and can perform actions such as blocking
attacks on a web application.
Firewalls may also include features such as basic routing, network address translation (NAT), intrusion
detection and prevention, web proxy, and VPN and other tunneling protocols.
A firewall’s primary purpose is to protect a perimeter and demilitarized zones by filtering packets. In
doing so, it acts as a gatekeeper for all incoming and outgoing traffic, which is why routers often take
on that role. In larger or security-sensitive networks, firewalls are most often a standalone device or
group of redundant devices dedicated to security.
In a typical network, the perimeter is not just the outside of the network but can include many internal
zones and individual hosts. Even on a protected network, it is a good defense-in-depth strategy to
employ firewalls at each zone border as well as host-based firewalls to protect individual computers.
Firewalls are a good example of the principle of least privilege—the default rule blocks all traffic, and
you add rules to only allow the minimum necessary traffic required for the organization.
Because of their potentially complex configurations and error-prone rule sets, it is a good practice to
always test new firewall rules before deployment. It is also important to regularly audit firewalls and
implement configuration change control.
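Testing rules before deployment and auditing existing rule sets can both be partly automated. The following Python is an added example, not part of the course: it models a first-match rule set, flags rules that are shadowed by an earlier rule with the opposite action or made redundant by an earlier rule with the same action, and evaluates sample packets against the set the way you would before pushing a change. The rules, the addresses and the function names are constructed assumptions, and the match model (source, destination, protocol, destination port range) is a simplification of real filters.

```python
"""Static analysis and test evaluation of a first-match firewall rule set.

Added example, not course material. The rules, addresses and function names
are constructed assumptions; the match model (source, destination, protocol,
destination port range) is a simplification of real filters.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str                   # "tcp", "udp" or "any"
    ports: tuple = (1, 65535)    # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyze(rules):
    """Under first-match semantics, report each rule fully covered by an earlier
    one: 'shadowed' if the actions differ (the rule can never take effect),
    'redundant' if they agree (the rule adds nothing)."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                verdict = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, verdict, earlier.name))
                break
    return findings


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation of one packet; 'deny' when nothing matches.
    A single packet is a degenerate rule, so `covers` does the matching."""
    pkt = Rule("pkt", "", f"{src_ip}/32", f"{dst_ip}/32", proto, (port, port))
    for rule in rules:
        if covers(rule, pkt):
            return rule.action
    return "deny"


# Constructed rule set with a deliberate ordering mistake: the DMZ-to-database
# exception sits below the broad deny that is meant to keep the DMZ off the LAN.
RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("block-lan", "deny", "192.0.2.0/24", "10.10.0.0/16", "any"),
    Rule("db-from-dmz", "allow", "192.0.2.0/24", "10.10.20.5/32", "tcp", (5432, 5432)),
    Rule("mgmt-ssh", "allow", "10.10.1.0/24", "10.10.20.0/24", "tcp", (22, 22)),
    Rule("mgmt-ssh-host", "allow", "10.10.1.5/32", "10.10.20.5/32", "tcp", (22, 22)),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

# The same rules with the exception moved above the broad deny.
FIXED_RULES = [RULES[0], RULES[2], RULES[1]] + RULES[3:]
```

The analysis reports db-from-dmz as shadowed by block-lan, which is exactly the kind of mistake that passes a visual review: the rule is present, it just never fires, and the web tier silently loses its database. Evaluating the sample packet confirms the deny, and re-running both checks on the corrected order shows the flow allowed and only the harmless redundant rule left to clean up.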
On screen text
Securing Firewalls
Firewalls are hardware devices or software that monitor and control the traffic that flows through a
network chokepoint.
Secure a Network Zone
Narration
In this network, some internal servers are in their own zone. Which device would you place between
these zones? Drag the best device to the empty space with a question mark.
On screen text
Securing Wireless Access Points
Narration
A wireless access point (AP) is a device that transmits and receives Wi-Fi signals and connects wireless
clients to the local wired network. In small and home offices the AP is usually part of a router that also
provides firewall features and network address translation (NAT). Many APs, particularly in enterprise
deployments, are instead simple bridges that place wireless clients directly onto a wired segment and
provide little or no filtering of their own; in that case the filtering must be done by the switch or router
behind them.
An organization's wireless network is often its weakest point. There are numerous attacks against Wi-Fi,
many of which are difficult to prevent. Because a wireless signal may extend far outside the physical
organization, anyone within the vicinity may be able to exploit or disrupt the network.
Piggybacking is when unauthorized users access an unprotected wireless network or discover a
password on a protected network.
Rogue access points are unauthorized wireless access points set up by someone in the organization.
These could be physical devices used by a department or employee without administrative
authorization, or a hotspot set up on a computer or mobile device. Rogue access points can be
dangerous as they could bridge two networks, bypassing other security controls and packet filtering
that is in place.
A malicious access point, often called an evil twin, is a kind of rogue access point set up by an attacker
to lure others into connecting, with the aim of obtaining sensitive information through phishing or
man-in-the-middle attacks. It commonly advertises the same network name as a legitimate access point.
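Telling the three cases apart (authorized, rogue, malicious) comes down to comparing what the radios around you advertise against the inventory of access points you manage. The following Python is an added example, not part of the course: the inventory, the constructed scan results and the category names are assumptions, and the seen_on_wire flag stands for the wired-side correlation (a wireless controller or a switch MAC-table lookup) that a real tool would supply.

```python
"""Classify wireless scan results against an inventory of managed access points.

Added example, not course material. The inventory, scan observations and
category names are assumptions; `seen_on_wire` stands for wired-side
correlation (a controller or switch MAC-table lookup) that a real tool would do.
"""
from dataclasses import dataclass

CORPORATE_SSIDS = {"CorpNet", "CorpGuest"}

# Assumed inventory: BSSID -> (SSID, security mode) for every AP we manage.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("CorpNet", "WPA2-Enterprise"),
    "aa:bb:cc:00:00:02": ("CorpNet", "WPA2-Enterprise"),
    "aa:bb:cc:00:00:03": ("CorpGuest", "WPA2-PSK"),
}

CATEGORIES = ("authorized", "misconfigured", "malicious", "rogue", "neighbour")


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    security: str               # "Open", "WPA2-PSK", "WPA2-Enterprise", ...
    rssi: int                   # dBm; stronger (less negative) means closer
    seen_on_wire: bool = False  # the radio's MAC also shows up on our switches


# Constructed scan results.
SCAN = [
    Observation("aa:bb:cc:00:00:01", "CorpNet", "WPA2-Enterprise", -48),
    Observation("aa:bb:cc:00:00:03", "CorpGuest", "WPA2-PSK", -60),
    Observation("de:ad:be:ef:00:01", "CorpNet", "Open", -45),  # impersonates CorpNet
    Observation("de:ad:be:ef:00:02", "Marketing-Printer", "WPA2-PSK", -52, seen_on_wire=True),
    Observation("12:34:56:78:9a:bc", "CoffeeShop", "Open", -85),  # unrelated neighbour
]


def classify(obs: Observation) -> str:
    """Decide what a single observed radio is, most specific case first."""
    if obs.bssid in AUTHORIZED:
        if (obs.ssid, obs.security) != AUTHORIZED[obs.bssid]:
            return "misconfigured"   # our AP, but not advertising what it should
        return "authorized"
    if obs.ssid in CORPORATE_SSIDS:
        return "malicious"           # unknown radio luring clients with our SSID
    if obs.seen_on_wire:
        return "rogue"               # unauthorized AP bridged into our wired network
    return "neighbour"               # someone else's network; monitor only


def triage(scan):
    """Bucket a scan by category, strongest signal first so the nearest
    offending radio is at the top of each list."""
    buckets = {c: [] for c in CATEGORIES}
    for obs in scan:
        buckets[classify(obs)].append(obs)
    for items in buckets.values():
        items.sort(key=lambda o: o.rssi, reverse=True)
    return buckets
```

The order of the checks matters: a radio is judged by its BSSID before its SSID, so a managed AP that has been reset to an open network is reported as misconfigured rather than mistaken for an evil twin, and an unknown radio broadcasting a corporate SSID is flagged as malicious even when it uses the right security mode. The misconfigured bucket is worth keeping; an authorized AP advertising Open instead of WPA2-Enterprise is as dangerous as an attacker's device.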
Match Definition to Access Point Type
Narration
There is a difference between a rogue access point and a malicious access point. Are these definitions
correct or should you swap them?
On screen text
Securing Transmission Media
Narration
When securing your network infrastructure, you should take into consideration the strengths and
weaknesses of the transmission media in use, whether it be copper wire, fiber optic, or wireless signals.
First, let’s discuss Wired Ethernet.
Copper twisted pair ethernet cables are the standard for most modern networks. The greatest threats to
ethernet cables are easy tapping and unauthorized access. Mostly running through walls and ceiling
plenum, ethernet cables are usually concealed and inaccessible. However, this also means that a
network tap could equally remain concealed.
Ethernet cables are also susceptible to electromagnetic interference (EMI) and to electrical surges or
lightning strikes that could interrupt communications or even damage equipment. Shielded cables and
proper grounding reduce these risks.
With wired networks, it is important to only enable jacks that are in use to prevent unauthorized access.
For sensitive networks, you can also use locking boxes or lockable cables to prevent others from
accessing the cable to unplug it.
Next, let’s look at Wireless Networks.
Any wireless medium is susceptible to unauthorized access and interference due to the inability to
effectively limit the range or accessibility of the signals. Any attacker in proximity of the signal could
potentially snoop on traffic or create a denial of service with radio interference.
Due to the insecurity of the medium, highly sensitive or mission-critical communications should avoid
wireless networks.
Finally, let’s consider Fiber Optic Cables.
Mostly reserved for network backbones and for long distances, fiber optic cables have greater
bandwidth, allow longer runs, and are not susceptible to disruption from EMI or RFI. Although still
tappable, doing so requires more specialized skills and equipment, and a tap typically introduces a
measurable drop in optical power that monitoring on the link can detect.
Though the costliest medium, it is the most secure choice for sensitive networks, mission-critical
networks, and backbones that carry aggregate traffic from multiple security zones.
Network Authentication
Narration
With the increasing number of threats on modern networks, authentication is increasingly
commonplace. In managing and securing a network, you will encounter many authentication protocols,
some new and some old and obsolete.
Authentication, authorization, and accounting, or AAA, refers to the framework of protocols that
authenticate users, authorize their scope of access, and account for network and resource use for
monitoring, auditing, or billing purposes. Protocols you may see depending on your network include
RADIUS, TACACS+, XTACACS, Kerberos, LDAP, NTLM, PAP, CHAP, SAML, and EAP. Several of these are
obsolete: PAP transmits passwords in cleartext, XTACACS has been superseded by TACACS+, and NTLM
(especially NTLMv1) has well-known weaknesses and should give way to Kerberos wherever possible.
Web, FTP, SSH, and SMTP servers will have users who must authenticate to access these applications.
Because a large number of protocols may be in use, you should become familiar with each application
and how its users authenticate, to ensure that none of these mechanisms has been deprecated for
security flaws. You should also make sure these protocols are either secure by themselves or
communicate only over encrypted connections.
On screen text
Network Authentication
Securing Servers
Narration
In most cases, an organization's servers are high-value objectives and the most likely to be targeted for
attack. And because they often face the internet for public access or are visible to all LAN users, they are
also the most exposed.
While securing operating systems, services, and applications are each large topics, you can significantly
improve security by following the basic security principles:
For defense in depth, follow hardening guides specific to the operating system to increase resilience to
attack.
To minimize attack surface, use a host-based firewall to limit accessible ports, remove unused services
and features, bind services that only serve local processes to the loopback interface, and only make
servers visible and accessible to those who will use them.
To practice least privilege, only users who need access to a server should have accounts. User accounts
should only have the minimum rights and privileges necessary. File permissions should only allow access
to a minimal set of users. And services should run with low-privilege accounts.
For segmentation, limit each server to a single role. Place internet-facing servers in a demilitarized zone
and internal servers in their own protected segment. And use a separate user account for each service,
so that compromising one service does not grant access to another's data.
In addition to these, always keep your operating systems and software up to date and be aware of the
latest guidance. For help with securing specific operating systems or services, refer to the guidance at
csrc.nist.gov, cisecurity.org, or individual vendor websites.
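The attack-surface and single-role advice above can be checked on a running host by comparing its listening sockets against the documented role. The following Python is an added example, not part of the course: it parses constructed output in the format of the Linux ss -ltnp command and compares the network-exposed ports against an assumed role policy for a web server. The sample output, the policy and the function names are assumptions.

```python
"""Compare a server's listening sockets against its documented role.

Added example, not course material. The ss output is constructed (the format
is that of Linux `ss -ltnp`), and the role policy and function names are
assumptions.
"""
import re
from dataclasses import dataclass

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*    users:(("postgres",pid=1201,fd=6))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*    users:(("nginx",pid=1400,fd=6))
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*    users:(("nginx",pid=1400,fd=7))
LISTEN 0      128          0.0.0.0:111        0.0.0.0:*    users:(("rpcbind",pid=600,fd=4))
LISTEN 0      128             [::]:3306          [::]:*    users:(("mysqld",pid=1500,fd=20))
"""

# Assumed single-role policy for a web server: port -> process allowed to expose it.
ROLE_POLICY = {22: "sshd", 80: "nginx", 443: "nginx"}
LOOPBACK = {"127.0.0.1", "[::1]"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int


def parse_ss(text):
    """Extract listening sockets from `ss -ltnp` text; the header and any
    line that does not match the expected layout are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            listeners.append(Listener(addr, int(port), proc, int(pid)))
    return listeners


def audit_listeners(listeners, policy):
    """Findings as (port, process, reason): anything reachable from the network
    that the role does not call for, anything served by the wrong process, and
    expected services that are not listening. Loopback-only sockets are not exposed."""
    exposed = [l for l in listeners if l.addr not in LOOPBACK]
    findings = []
    for l in exposed:
        expected = policy.get(l.port)
        if expected is None:
            findings.append((l.port, l.process, "not part of server role; remove or bind to loopback"))
        elif expected != l.process:
            findings.append((l.port, l.process, f"expected {expected}"))
    for port, proc in policy.items():
        if not any(l.port == port for l in exposed):
            findings.append((port, proc, "expected service not listening"))
    return findings
```

On the sample host the audit accepts SSH and the two nginx ports, ignores the loopback-only PostgreSQL socket, and flags rpcbind and MySQL as services the web role does not justify. Process names in ss output require root, and the column layout differs slightly between versions, so a production script should be checked against the ss on the target distribution; the comparison logic itself does not change.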
On screen text
Securing Servers
Defense in Depth
Operating system hardening
Minimize Attack Surface
Least Privilege
Segmentation
Course Summary
Narration
In this course, you learned about securing your infrastructure architecture.
Included in the topics discussed were the fundamentals of securing your infrastructure architecture
following common security principles and securing the core components of your network infrastructure,
the security risks inherent in each, and industry best practices to mitigate threats.
On screen text
Course Summary
Thank You
Narration
Thank You