CompTIA CYSA+ CS0-002 – Network Architecture and Segmentation Part 2

3. Segmentation (OBJ 2.1)

Segmentation. In this lesson we’re going to talk about one major architectural design strategy that you can use. It’s called segmentation. Now, segmentation involves taking all of your different parts of your network and then separating them up into different zones or different networks or subnetworks. For instance, here I have multiple people and I want to take all the green people over here and the blue people over here and the red people over here. By keeping things isolated like this, I can group them based on similar functions and apply different security measures into those different groups. And this is something that segmentation allows us to do. Now there’s lots of different types of segmentation though. We have segmentation that involves system isolation or air gaps.

We have other segmentation that involves physical segmentation, some that involves virtual segmentation and some that involve zones and access control lists. In this lesson we’re going to review each of these four types. Now, when we talk about system isolation or an air gap, this is a type of network isolation that physically separates a network from all other networks. Now essentially what you’re trying to do here is provide an air gap, a gap of air, meaning there’s space between these different networks. So if I wanted to take something from one network to another, I’d have to physically take some data, burn it to a CD, put it on a USB drive, put it on a hard drive, and then carry that over to the network and plug it in. That’s the idea of an air gap.

Now, the problem with air gaps is they can create management issues for you because you have to do this cross network transfer when you want to bring things over. For instance, if I want to work on this network, that’s air gapped, I have to physically walk over to that, plug in a laptop and then start configuring it. That’s not as easy as sitting behind my desk and reaching out to it over the network. Now, why would you want to use an air gap network or use this form of system isolation? Well, let’s say you worked for a nuclear power plant. Do you think you’d want to have your nuclear reactor control systems on the Internet that anybody can touch? Obviously not, right? This is a great case for having system isolation.

So if we can have an air gap between our corporate networks that are connected to the Internet and this reactor control network, we can keep that reactor control plant safer. That’s the idea here. We deal with air gaps. But again, it does become a management concern because every time I do a software update or a firmware update or something like that, I have to physically bring devices and connect it to this network to bring those things with it. And that brings its own vulnerabilities because if I connect that laptop to this network, it now can bring any malware with it from that laptop onto that network. If you look at Stuxnet from back in the early 2010, 2012 timeframe, there was a nuclear reactor plant that got infected with viruses.

The way that happened was because of this air gap and somebody carried information from the internet and plugged it into their reactor plant and that caused the infection. So this is the idea. When you’re dealing with air gaps, you need to make sure you maintain that isolation. And anything you’re going to plug in, you have to check it twice, three times, and make sure it is absolutely clean. The next type we have is known as physical segmentation. Now physical segmentation is where each network segment has its own switch and only the devices connected tothat switch can communicate with each other. So for instance, if you look at this network diagram, I have an Internet, a firewall and a router, but there’s no connection between that router and the WiFi, or that router and the hub.

So all the devices connected to the WiFi are in one area and they are physically segmented from everything else. Everything is connected to the Hub is physically segmented from everything else. And so these are two physical segments. Now, if I want them to talk together, I would connect the router to the WiFi and the Hub to the router. And now there’s a connection path that takes all those devices from the WiFi. They can go up through the router, down to the Hub, and then over to those devices. Now there’s a connectivity between them. So when we deal with physical segmentation, there is a physical segmentation by having those Hubs and WiFi even in this configuration where they’re connected to the router.

Because at the router we’re only routing traffic to those segments based on rules and ACLs, which we’ll talk about later. But the physical segmentation part is everything connected to one device, they’re all on WiFi or they’re all on the Hub, and that way we can physically segment those things down based on that physical equipment. Now, the problem with that is it can get really expensive because if I want to have a lot of segments, I have to have a lot of switches. So there’s this thing called virtual segmentation. And this is where network segmentation relies on VLANs to create the equivalent segmentation that would occur if you use physical switches. So instead of having a whole bunch of switches, I can have one switch and use virtual segmentation using VLANs to create what looks like many other similar switches.

You can see here all these different VLANs have a different purpose. I have one for the wireless, one for the guest wireless, one for the intranet, one for the application servers, one for the department lands and all those type of things. But they all might sit on 196 port switch, one physical switch that is virtually segmented based on those VLANs. Now, the next thing we need to talk about is zones. Now, zones are the main unit of a logically segmented network where the security configuration is the same for all the hosts within it. So I might create one zone that is my demilitarized zone. You’ve probably heard that term before. And in that zone we can put all of our forward facing servers. We’ll talk more about that as we go through this lesson.

Now, the way we create these zones is by using access control lists. An Access Control list or ACL is a list of IP addresses and ports that are allowed or denied access to a particular network, segment or zone. So for instance, here I have a diagram and I have an inside zone, an outside zone and a DMZ. So in this diagram I have things from the outside being allowed to and from the DMZ. But the inside zone can’t get traffic from the outside unless they’ve requested it first. So if I’m on PC two and I go to Facebook. com, then Facebook can come in through the firewall and back into the inside zone. That’s the way these ACLs were set up to create these three different zones. Now, this is the basics of how a DMC works and how you’re going to use zones in ACLs. We are going to go more in depth in it as we go through this section.

4. Jumpbox (OBJ 2.1)

Jump box. In the last lesson, I introduced the concepts of zones and I started talking about DMZ. In this lesson I want to dig a little bit further into that and then talk about how we can manage them. So the first thing I had mentioned was if you have an Internet facing host. Now, I didn’t really go into what that was, so let me take a step here and go ahead and define it for you. When I’m talking about something that’s internet facing, like an Internet facing host or an Internet facing server, I’m talking about a host or server that accepts inbound connections from the internet. So if I have a web server in my DMZ, that is an internet facing host. So you can see here again, if I bring up my diagram, I have my inside zone, my DMZ and my outside zone. In that DMZ I have two internet facing hosts. I have an email server and a web server.

Now only the email and web servers that are in the DMZ are going to be able to get traffic from the outside even though they haven’t requested it. So if you want to connect to my web server, you’re going to go to Deontraining. com and it’s going to go through my DMZ into my web server and then give you back your response. Now if you wanted to get to PC Two or PC Three in my inside network, you couldn’t do that because the firewall would block you. Those are not internet facing. They have access to the Internet, but they are not facing the Internet. Meaning they are not open and waiting for a connection. That’s the difference when you’re dealing with Internet facing hosts. Now anytime you have Internet facing host, you want to place them into some place secure like your DMZ.

Now your DMZ is actually a segment that is isolated from the rest of the private network by one or more firewalls. And it’s set up to accept connections from the Internet over designated ports. Now the reason we do this is we want to keep all those forward facing servers out of our internal network. We don’t want people from the internet touching our internal network. We only want them in our DMZ. And that’s why we have this DMZ. It’s this place that is kind of the semi trusted zone. And we know that anything that’s behind the DMZ, such as my inside zone, is actually invisible to the outside network. So if you start scanning my network from the outside, you’re not going to see all those PCs inside of the inside zone. Instead you’re only going to see the web server and the email server because those are forward facing and they are internet facing.

Now the next thing we need to talk about in terms of the DMC is what kind of stuff should you put in the DMZ? You could see here that I have my email and my web server in the DMC. But any other kind of communication servers, proxy servers, or remote access servers should also be in the DMZ. Anything that somebody from the Internet needs access to should be placed in your DMZ. This is essentially anything that provides public services or even extranet capabilities. Any of your hosts that are in the DMZ, we don’t fully trust those, even though there are devices. So we want to make sure that we harden them as best as we can. And we have to remember that those devices, because they’re forward facing, they could be touched by an attacker, they could be compromised by an attacker.

So that’s why they are not fully trusted to our internal network, and that’s why we actually have it go through the firewall. Anything that’s going from the DMZ to the inside and from the inside back to the DMZ. It’s another good place to put intrusion detection systems to make sure that you’re catching anything that may be going from your DMZ. Because a common technique for an attacker is to compromise something in the DMZ and then use that to pivot into your network. So you want to protect yourself against that. Now, any kind of host you put in the DMZ should really be what we consider a bastion host. This is a host or server that we put into the DMZ, which is not configured with any services that run on the local network.

So I don’t want to run something like Active Directory inside the DMZ. That’s an internal network service. Instead, I only want to run things that should be in the Internet. Things like email, things like Web, things like remote access. Those things can be hardened and put into the DMZ because we know that they’re going to be more vulnerable to attack. Now, when we want to configure our devices inside the DMZ, what are we going to do? Well, we’re going to use something known as a jump box. Now, a jump box is a hardened server that provides access to other hosts within the DMZ. So essentially, we have this one server, and it is what can talk to the DMZ, and we configure all the access control to make sure that only the jumpbox can communicate from the internal network to the DMZ.

Now, because of that, that jump box has to be heavily hardened. It needs to be protected. And what ends up happening is the administrator will connect to the jump box, and then the jump box will connect to the host and the DMZ. That’s why we call it a jump box, because we’re almost pivoting off of it. We’re going to connect from me to the jump box and the jump box to the server I want to configure, and that’s why we call it a jump box. Now, this jump box can be a physical PC, or it can be a virtual machine. Either one is fine. A lot of people use virtual machines as a jump box because you can have it hardened and secured. You can use it for the time you need and then destroy it and rebuild a new one.

Because it’s very quick to rebuild an image from a virtual machine if you already have a known good image. And so a lot of people will do it that way. Now the jumpbox and the management workstation that you’re using to connect to that jump box should have only the minimum required software to perform their job and they should be well hardened. Again, this is the one box that has the permissions to go through the firewall and touch the DMZ from your internal network. So you want to make sure it is well protected. This is why you want to make sure that management workstation and the jump box are fully hardened and they have the least amount of software on them to make sure they are fully hardened and fully secured.

• Category: Uncategorized