Describe IP subnets and communication within an IP subnet and between IP subnets.
IP subnets are used to divide a network into smaller broadcast domains. Communication within an subnet is done directly from one host to another using ARP for resolving the MAC address of the host. When a host on one subnet communicates with a host on another subnet, a gateway or router must be used. The traffic is sent to the default gateway who then hands it off to the other subnet.
Describe the relationship between VLANs and data visibility.
VLANs logically segment a network. Without inter-VLAN routing through a layer 3 switch or router, a host in one VLAN can’t communicate with another host in a different VLAN. VLANs also keep broadcast traffic within themselves.
Describe the operation of ACLs applied as packet filters on the interfaces of network devices.
Access Control Lists (ACLs) can be applied to network interfaces. They can be placed either in or out (some switchports may only allow in). The lines of an ACL define what traffic is permitted or denied. All ACLs have an implicit deny all at the bottom so if traffic is not specifically allowed, it will be denied.
Compare and contrast deep packet inspection with packet filtering and stateful firewall operation.
Packet filtering is the most basic of these technologies. A packet filter only looks at the source and destination IP address and the port that is in the packet header.
Stateful firewalls use the same information as a packet filter, but they also keep track of the TCP handshake. This allows them to allow traffic to pass from the outside to the inside if the session was already initiated by an inside host. For example, a client reaches out to a website on port 80, but during the establishment of the connection it negotiates a random high port for the server to communicate back to the client on. The firewall will allow this because it maintains the state of the connection being established.
Deep Packet Inspection
Deep packet inspection allows the filter to look into all of the headers along with the actual payload. An example would be a filter looking at the DNS request traffic to make sure that it is actually DNS. A stateful firewall or packet filter would only be able to make a decision based on the port being udp/53.
Compare and contrast inline traffic interrogation and taps or traffic mirroring.
Inline Traffic Interrogation
To review traffic inline, the security device must be able to handle line rate traffic with minimal latency. This often requires a large amount of CPU resources and specially tuned network interfaces. This type of packet interrogation can become a bottleneck or a point of failure.
Taps use special hardware (copper) or prisms (fiber) to replicate the signals on the line to a a secondary port for analysis. The original signals are passed through without being altered (except for signal strength loss). Security tools can then be placed on the tap output to see all of the traffic that goes through the tap. One drawback is that since the traffic isn’t inline, the analysis can only detect, not block traffic.
Also known as Switched Port Analyzer (SPAN) ports or port mirroring, traffic mirroring is performed by a network switch. The switch will take the packet and create a copy to send to the designated port. This functions like a tap, but the packet is actually copied by the software of the switch. Care must be taken when using SPAN ports to not overwhelm the switch CPU.
Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic.
Traffic mirroring and taps produce copies of the entire packet for analysis. This allows for inspection of the IP headers along with the packets payload. With NetFlow, only the five-tuple of source IP, destination IP, source port, destination port and the protocol.
Identify potential data loss from provided traffic profiles.
Data Loss Prevention software (DLP) uses patterns to detect potentially sensitive data being transmitted outside of an organization. An example would be seeing social security numbers inside of an e-mail going to an external address. DLP can actually block the e-mail or flag and log it.