CompTIA Security+ (SY0-601): Network Design

Attempt to overwhelm the limited switch memory set aside to store the MAC addresses for each port

Switches can fail-open when flooded and begin to act like a hub

Occurs when an attacker masks their own MAC address to pretend they have the MAC address of another device
MAC Spoofing is often combined with an ARP spoofing attack

Limit static MAC addresses accepted
Limit duration of time for ARP entry on hosts
Conduct ARP inspection

De-Militarized Zone:
A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports

Focused on providing controlled access to publicly available servers that are hosted within your organizational network

Sub-zones can be created to provide additional protection for some servers
Everything behind the DMZ is invisible to the outside network

Specialized type of DMZ that is created for your partner organizations to access over a wide area network

Intranets are used when only one company is involved

Hosts or servers in the DMZ which are not configured with any services that run on the local network

To configure devices in the DMZ, a jumpbox is utilized

A hardened server that provides access to other hosts within the DMZ

An administrator connects to the jumpbox and the jumpbox connects to hosts in the DMZ

The jumpbox and management workstation should only have the minimum required software to perform their job and be well hardened

Network Access Control:
Security technique in which devices are scanned to determine its current state prior to being allowed access onto a given network

If a device fails the inspection, it is placed into digital quarantine

A piece of software that is installed on the device requesting access to the network

Uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan

Segment the network

Reduce collisions

Organize the network

Boost performance

Increase security

Attacker configures their device to pretend it is a switch and uses it to negotiate a trunk link to break out of a VLAN

Attacker adds an additional VLAN tag to create an outer and inner tag

Prevent double tagging by moving all ports out of the default VLAN group

Efficient use of IP addresses
Reduced broadcast traffic
Reduced collisions
Compartmentalized

Subnet’s policies and monitoring can aid in the security of your network

Network Address Translation:
Process of changing an IP address while it transits across a router
Using NAT can help us hide our network IPs

Port Address Translation:
Router keeps track of requests from internal hosts by assigning them random high number ports for each request

Term used to describe devices that provide voice communication to users

A device that could modulate digital information into an analog signal for transmission over a standard dial-up phone line

Basically brute-force dialing numbers until you get a modem’s number

Protect dial-up resources by using the callback feature

Public Branch Exchange:

Internal phone system used in large organizations

IoT networking (IEEE 802.15.4 PAN)
Alternative to WiFi & Bluetooth
Longer distances than Bluetooth
Less power than WiFi
Mesh network of all Zigbee devices in your home
Uses ISM band (900MHz & 2.4GHz frequencies in US)
(Industrial, Scientific, Medical)