We covered secure network architecture design concepts such as VLANs, security zones, access control lists, DNS snooping and ARP inspection. VLANs are used to separate computers and devices into logical compartments for effective implementation of traffic control and security. VLANs are divided into security zones such as trusted, DMZ and zero trust zones. ACLs control traffic flow by writing rules in the firewall that permit/drop packets based on source/destination IP/port. This was part of TryHackMe Secure Network Architecture.

Get Blue Team Notes

Networking is one of the most critical components of a corporate environment but can often be overlooked from a security standpoint. A properly designed network permits not only internet usage and device communication but also redundancy, optimization, and security.

In a well-designed network, if a switch goes down, then packets can be redistributed through another route with no loss in uptime. If a web server is compromised, it cannot traverse the network and access important information. A system administrator should be confident that their servers are secure if a random device joins a network, knowing that the device is segmented from the rest of the network and cannot access those systems.

All of these concepts and scenarios are what separate a functional network from a well-designed network.

With the introduction of VLANs, there is a shift in network architecture design to include security as a key consideration. Securityoptimization, and redundancy should all be considered when designing a network, ideally without compromising one component.

This brings us to the question, how do we properly implement VLANs as a security boundary? Security zones! Security zones define what or who is in a VLAN and how traffic can travel in and out.

Depending on whom you speak to, every network architect may have a different approach/opinion to the language or requirements surrounding security zones. In this task, we will immerse you in the most commonly accepted security zone standards, keeping a minimalist approach to segmentation.

While security zones mostly factor in what will happen internally, it is equally important to consider how new traffic or devices will enter the network, be assigned, and interact with internal systems. Most external traffic (HTTP, mail, etc.) will stay in the DMZ, but what if a remote user needs access to an internal resource? We can easily create rules for resources a user or device can access based on MAC, IP addresses, etc. We can then enforce these rules from network security controls.

SSL/TLS Inspection

SSL/TLS inspection uses an SSL proxy to intercept protocols, including HTTP, POP3, SMTP, or other SSL/TLS encrypted traffic. Once intercepted, the proxy will decrypt the traffic and send it to be processed by a UTM (Unified Threat Management) platform. UTM solutions will employ deep SSL inspection, feeding the decrypted traffic from the proxy into other UTM services, including but not limited to web filters or IPS (Intrusion Prevention System), to process the information.

 

This solution may seem ideal, but what are the downsides? Some of you may have already noted that this requires an SSL proxy or MitM (Man-in-the-Middle). Even if a firewall or vendor has already implemented the solution, it will still act as a MiTM between your devices and the outside world; what if it intercepts potentially plain-text passwords? A corporation must assess the pros and cons of this solution, dependent on its calculated risk. You could allow all applications that you know are safer to prevent potential cons, but this solution will still have disadvantages. For example, an advanced threat actor could route their traffic through a cloud provider or a trusted domain.

Room Answers

How many trunks are present in this configuration?

What is the VLAN tag ID for interface eth12?

From the above table, what zone would a user connecting to a public web server be in?

From the above table, what zone would a public web server be in?

From the above table, what zone would a core domain controller be placed in?

According to the corresponding ACL policy, will the first packet result in a drop or accept?

According to the corresponding ACL policy, will the second packet result in a drop or accept?

What is the flag found after filling in all blanks on the static site?
Does SSL inspection require a man-in-the-middle proxy? (Y/N)

What platform processes data sent from an SSL proxy?

Where does DHCP snooping store leased IP addresses from untrusted hosts?

Will a switch drop or accept a DHCPRELEASE packet?

Does dynamic ARP inspection use the DHCP binding database? (Y/N)

Dynamic ARP inspection will match an IP address and what other packet detail?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles