Flood guard network definition


FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks

Abstract: This paper addresses one serious SDN-specific attack, i.e., the data-to-control plane saturation attack, which overloads the infrastructure of SDN networks. In this attack, an attacker can produce a large amount of table-miss packet_in messages to consume resources in both the control plane and the data plane. To mitigate this security threat, we introduce an efficient, lightweight and protocol-independent defense framework for SDN networks. Our solution, called FloodGuard, contains two new techniques/modules: proactive flow rule analyzer and packet migration. To preserve network policy enforcement, the proactive flow rule analyzer dynamically derives proactive flow rules by reasoning about the runtime logic of the SDN/OpenFlow controller and its applications. To protect the controller from being overloaded, packet migration temporarily caches the flooding packets and submits them to the OpenFlow controller using rate limiting and round-robin scheduling. We evaluate FloodGuard through a prototype implementation tested in both software and hardware environments. The results show that FloodGuard is effective while adding only minor overhead to the entire SDN/OpenFlow infrastructure.
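The packet migration idea in the abstract (cache table-miss packets per source, then hand them to the controller under a rate limit with round-robin scheduling), shown as an added simplified model in Python. This is not the paper's code; the rate limit, per-source queue size and host names are constructed assumptions.

```python
from collections import deque


class PacketMigration:
    """Simplified model of FloodGuard's packet migration stage (an added
    illustration, not the paper's implementation).

    Table-miss packet_in messages are cached per source instead of being
    handed straight to the controller, and released at a fixed rate, one
    source per turn, so a flooding source shares the controller's capacity
    with everyone else instead of monopolising it.
    """

    def __init__(self, rate_limit, queue_limit):
        self.rate_limit = rate_limit    # packet_in messages the controller accepts per tick
        self.queue_limit = queue_limit  # cached packets per source; beyond this they are dropped
        self.queues = {}                # source -> deque of cached packet_in messages
        self.order = deque()            # round-robin order of sources
        self.dropped = 0

    def cache(self, source, packet):
        """Cache one table-miss packet from `source`. Returns False when the
        source's queue is full and the packet had to be dropped."""
        if source not in self.queues:
            self.queues[source] = deque()
            self.order.append(source)
        queue = self.queues[source]
        if len(queue) >= self.queue_limit:
            self.dropped += 1
            return False
        queue.append(packet)
        return True

    def tick(self):
        """Release up to rate_limit cached packets to the controller, taking one
        packet from each source in turn. Returns the (source, packet) pairs
        released this tick."""
        released = []
        empty_seen = 0  # consecutive empty sources; a full cycle of them means nothing is pending
        while self.order and len(released) < self.rate_limit and empty_seen < len(self.order):
            source = self.order[0]
            self.order.rotate(-1)       # the next source gets the next turn
            queue = self.queues[source]
            if queue:
                released.append((source, queue.popleft()))
                empty_seen = 0
            else:
                empty_seen += 1
        return released

    def pending(self):
        """Packets still cached across all sources."""
        return sum(len(q) for q in self.queues.values())


def demo():
    """Constructed scenario: one host floods 100 table-miss packets while two
    legitimate hosts each send two. Returns the guard and two ticks of schedule."""
    pm = PacketMigration(rate_limit=5, queue_limit=50)
    for i in range(100):
        pm.cache("h-flood", "syn-%d" % i)
    for i in range(2):
        pm.cache("h-legit1", "pkt-%d" % i)
        pm.cache("h-legit2", "pkt-%d" % i)
    schedule = [pm.tick() for _ in range(2)]
    return pm, schedule


if __name__ == "__main__":
    pm, schedule = demo()
    print("dropped at ingress:", pm.dropped)
    for n, tick in enumerate(schedule, 1):
        print("tick %d:" % n, [src for src, _ in tick])
```

The legitimate hosts' four packets all reach the controller within two ticks even though the flooding host has 50 packets queued ahead of them.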

Published in: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks


Date of Conference: 22-25 June 2015

Date Added to IEEE Xplore: 17 September 2015

ISBN Information:

Electronic ISBN: 978-1-4799-8629-3

USB ISBN: 978-1-4799-8628-6

ISSN Information:

Print ISSN: 1530-0889

Electronic ISSN: 2158-3927

INSPEC Accession Number: 15473384

DOI: 10.1109/DSN.2015.27

Persistent Link: https://ieeexplore.ieee.org/servlet/opac?punumber=7265894

Publisher: IEEE


Prepare Yourself to Take the CompTIA Security+ Exam

All-in-one Security Appliances

All-in-one security appliances license different modules of the most popular and critical security controls that organizations commonly use separately at the Internet gateway. These are then combined to offer an attractive all-in-one security solution, preferably at a lower cost. All-in-one security appliances feature security solutions such as…


  • IPS
  • IDS
  • Web filtering
  • Email filtering
  • Malware scanning
  • VPN support
  • Combined firewalls
  • Others

Anti-SPAM and Email Hygiene

Anti-SPAM and email hygiene are part of the data loss prevention mechanisms that organizations implement for regulatory compliance and the application of best practices. Messaging systems also offer secure email programs that reroute and encrypt messages according to predefined conditions. Anti-SPAM and email hygiene measures seek to protect against threats such as:

  • SPAM
  • Scams
  • Phishing attacks
  • Malicious code attachments
  • Other unsolicited email messages

Email filtering solutions come in both hardware and software versions. These ensure delivery of legitimate emails and denial of unsolicited ones. Email filtering strategies include…


  • Black listing (Blockage)
  • White listing (Approval)
  • Heuristic analysis
  • Scanning of malware
  • Content filters
  • Bayesian analysis
  • Scoring of reputations
  • Address-harvesting prevention
  • DNS reverse lookup (Sender ID, SPF)
  • Cloud leverage to identify zero hour/zero day spam attacks

Email filtering solutions are best placed nearest the sources of the messages that need to be filtered. For example, Internet-based email should be filtered at the gateway. Note: The unsolicited email problem now extends to other technologies such as phone-based text messaging and VoIP systems.

Content Inspection Uses

This type of filter evaluates displayed web page content for data that is irrelevant, sensitive, or objectionable to a business’ operations. Content inspection is commonly used as a data loss prevention control as well as to deny access to specific content.

What Are Firewalls?

Most commonly the first line of defense against Internet-based attacks, firewalls are an integral component of network security strategies. A firewall is a software package or appliance that logically segregates public and private networks. It supervises the traffic transmitted between the two in both the ingress (network inbound) and egress (network outbound) directions. Firewalls use network rule sets and traffic filtering mechanisms to recognize traffic that should be allowed or denied access to a network. They can also be used to extend protection to internal sub-networks within the main network. Previously, firewalls were categorized according to their functions, platform support, and placement and positioning within a network. Modern firewalls are capable of deep packet analysis of network traffic by combining application filtering and intrusion prevention technology in a single unit. These are often used not only on network perimeters but also on internal networks, workstations, and servers in response to the menacing progress observed in threats.

Application Filtering Firewall

Application filtering firewalls assess port usage, service requests (DNS, FTP, web, etc.), and input/output commands. These second-generation firewalls filter network traffic content by operating through layers 1-7 of the OSI model. Application filtering firewalls are an integral part of Next Generation firewalls and are used to stop peer-to-peer network traffic. Note: Application filtering firewalls are used in a process called baselining. This means that application firewalls are applied in a proxy or reverse proxy configuration, where they require pre-defined rule sets to ‘learn’ what is regarded as ‘normal’ application ‘behavior’.

Dual-Homed and Multi-Homed Firewalls

As their names suggest, dual-homed and multi-homed firewalls differ in the number of network interfaces they use. Dual-homed firewalls use separate interfaces for the external and internal networks, while multi-homed firewalls contain multiple interfaces for both connections. Multiple interfaces are typically used to define demilitarized zone (DMZ) segments. These allow Internet-facing services (such as email, web servers and DNS) to function without exposing the internal network to risk.

What is a Next-Generation Firewall?

This latest generation of firewalls seeks to merge several of the most widely-used network perimeter security controls into one powerful system. This practice often results in the coupling of application filters with an intrusion prevention system (IPS). Some providers include URL content inspection as well as identification of malware. Vendors’ offerings in this area are often varied. Note: Many security analysts and providers use the term Next Generation Firewall because of its popularity.

Packet Filtering Firewalls

Packet filtering firewalls determine access by checking packet data against information established in pre-defined network rule sets. These were used by first generation firewalls as security controls for network traffic monitoring. Packet filtering firewalls function at the first three layers of the OSI model: Physical, Data-Link and Network. Rule sets or access control lists (ACLs) are generally configured to evaluate packets by analyzing packet headers for source and destination addresses, ports (TCP/UDP), protocols, or a combination of these. Based on these assessments, packet filtering firewalls decide whether to allow or deny packets access. Packet filtering firewalls are scalable, useful for restricting traffic flow and usually perform well. However, they are also vulnerable to attacks, particularly those that exploit potential loopholes in applications. Packet filtering firewalls are also incapable of recognizing packets that bear falsified or spoofed network addresses. Note: Routers also use packet filtering technology.

Stateful Firewalls

Considered third generation firewalls, stateful firewalls limit traffic flow between hosts by using stateful packet inspection. These operate at OSI layers one through four. Stateful firewalls record communication sessions by keeping a state table, which is checked for existing connections when packets are received. Once it is confirmed that the packet has no related connection in the state table, the packet is checked against the firewall’s access control list to see if a new connection should be permitted.

Web Application Firewalls

Web application firewalls fulfill a special function in protecting web-based applications, particularly those accessed by Internet users. They are used to supervise web traffic directed at a web server. Web application firewalls scan for:

  • Cross-site scripting
  • SQL injection attacks
  • Vandalism
  • Other malicious codes

Aside from scanning for threats, web application firewalls also validate user input, sanitize output and learn how an application should operate. Organizations that process Internet-based credit card transactions and need to comply with PCI standards use web application firewalls or submit a vulnerability assessment of the web application environment. The Open Web Application Security Project (OWASP) is the authority that certifies whether web application firewalls meet or go beyond requirements. Note: Web application firewalls differ from network firewalls because they fulfill a specific role and provide countermeasures that network firewalls don’t.

Internet Content Filters

Because no restrictions exist regarding the content posted on the Internet, individuals and organizations alike set their own policies to manage content delivery using Internet content filters. These filters restrict different types of information by scanning for questionable or malicious:

  • Keywords
  • Hostnames
  • URLs
  • Malware

Web security gateways, all-in-one security appliances and host-based solutions address risks linked with accessing Internet hosted content.

What are Load Balancers?

Load balancers disperse a heavy load across multiple systems, devices and networks to avoid overloading a single unit. They come in both hardware and software forms, with different options for services. Another kind of load balancing is known as round robin DNS, which does not need dedicated hardware or software. Round robin DNS instead assigns multiple IP addresses to one fully qualified domain name (FQDN). Load balancers are often required in business continuity plans to act as a compensating control in the event of an attack on or outage of a load-balanced resource. This way, services can maintain availability and function. In addition, load balancers provide:

  • Redundancy in event of system failure
  • Control against DoS attacks against resources connected to the load balancer

Note: Load balancing solutions can be improved with clustering or application of redundancy measures.

Performing Malware Inspection

Malware inspection systems, also known as malware scanning engines, filter web content and files being downloaded from or uploaded to the Internet for malicious software. Pairing malware inspection at the Internet gateway with host-based malware scanning systems is a strongly recommended security measure.

Network Intrusion Prevention Systems

Network intrusion prevention systems (NIPS) are almost identical to NIDS in terms of duties but serve in a more active role. Where a NIDS alerts administrators, a NIPS takes action immediately without the need for human interaction. A NIPS enacts predefined actions upon confirmation of certain attacks. Immediate measures may include connection termination, activating firewall blocks, etc.

Network Protocol Analyzers

Network protocol analyzers configure a computer’s network interface to a more permissive state, also known as promiscuous mode. This allows the network stack to process packets intended for other units, which are usually filtered out by the NIC. Network protocol analyzers act as a window into network traffic protocols and patterns. By using them, administrators are able to observe private conversations, transactions of a sensitive nature, and other activities between workstations for troubleshooting or investigative reasons. It follows that packet sniffers and network protocol analyzers also offer opportunities for abuse such as eavesdropping, espionage, and interception of critical protocol transactions.

All About Proxies

Proxies assess connection requests according to administrative rule sets and may selectively filter traffic that matches given criteria. A proxy acts as a mediator between client and server, concealing internal machines behind it and improving network performance by caching commonly requested resources.

Note: Proxy placement may either be centralized at a gateway server or positioned at individual workstations.

Reverse Proxy Functions

Reverse proxies process requests originating from external sources and forward them to dedicated systems for handling. This is the reason why reverse proxies are often deployed on an Internet-facing segment serving web pages or Internet-based apps. Using reverse proxies adds a layer of protection by keeping internal networks hidden and acting as their representative to outside requests.

What Are Routers?

Routers are defined as packet-switching devices capable of enhanced traffic handling. Routers communicate using OSI layer 3 protocol packets. Multi-protocol routers act as a translator between different network protocols. Routers also forward packets according to source and destination IP addresses, and may offer basic security through the use of ACLs. Sometimes used together with firewalls for Internet-facing connections, some routers are also designed with firewall capabilities. Routers perform network address translation (NAT) to hide system addresses behind the router. This guards against systems that establish connections using the router’s external interface; in these cases the router replies to the connections with unique addresses. Traffic is forwarded to its proper destination using routing tables. Routers are not meant to replace firewalls, which are designed and dedicated to security. Therefore strict guidelines should be enforced when a router is added to a network to address exposure issues. Unlike internal network routers or physically connected routers, wireless routers, wireless access points and Internet-facing routers are more exposed. Note: Switches join local network segments, while routers set up connectivity between networks (public, private, or separate).

Screened Subnets

Screened subnets are defined by a configuration in which external traffic passes through a router first before going through a firewall. Traffic must pass through an additional firewall if it is destined for hosts within an internal network. Note: A DMZ can be configured as a screened subnet.

What Do Switches Do?

Switches restrict network traffic by delivering it exclusively to the switch port the destination host is connected to. To accomplish this, switches keep a table that maps device MAC addresses to switchport numbers. Switches are devices operating at OSI layers one to three that connect network segments and individual computers. They come in a variety of sizes and shapes, from compact four-port Ethernet units to 48-port Gigabit units. Network switches are able to establish virtual LANs (VLANs) for improved corporate network administration and security. A VLAN is a logical grouping of systems based on security, resource, or business reasons rather than physical location. Modern multi-layer switches are capable of:

  • Inspecting packets
  • Ranking traffic priority
  • Performing as Routers
  • Serving as Load Balancers
  • Adding Quality of Service (QoS) to network traffic

However, switches are susceptible to several kinds of attacks such as:

  • Denial of Service (DoS)
  • ARP spoofing
  • MAC spoofing / flooding

To properly guard against such threats, switches and VLANs alike need to be configured correctly. Note: Hubs broadcast traffic on all ports while switches deliver exclusively.

Uniform Resource Locator Filtering

URL filters check hyperlinks and URLs for specific commands, keywords, and malicious code. This type of filtering is usually utilized by web and email scanning engines. URL filters use reputation services and usually access the suspicious content in a sandboxed environment to check whether a resource request is questionable in nature. For tiny (shortened) URLs, a plug-in is necessary for URL filtering. Note: Use of tiny or short URLs is a technique often used by cyber attackers.

Virtual Private Network Concentrators

VPN concentrators offer remote users a secure way to connect into an organization’s internal network over the Internet. VPN concentrators are used where a network requires support for a large number of incoming VPN connections. Vendors offer VPN concentrators with feature sets that vary from model to model. These can be used to establish connections between remote offices and organizations. VPN concentrators come in both IPSec and SSL configurations (a few providers support both). Superior VPN concentrators are able to encrypt entire sessions and wipe them out once they are concluded. Other VPN concentrators integrate firewall technologies to permit or deny access according to health checks of the connecting systems, such as security patches and antivirus programs. VPN concentrators may offer remediation options for discovered issues as well.

Web Security Gateways

Web security gateways are used to filter inbound and outbound web traffic, suspicious code, malicious content, and application usage to guard against Internet-based attacks. In cases of outdated web browsers and neglected security updates, web security gateways serve as an essential feature of a defense-in-depth strategy, residing at an organization’s Internet gateway. Web security gateways are generally available as appliances that offer several modules and licensing options. Note: Application firewalls are frequently deployed in reverse proxy configurations. Using a web security gateway offers the following benefits:

  • Filtering of web traffic (malicious content and code)
  • Detect and take action on applications
  • Avert information leakage
  • Impose email security controls

In addition, web security gateways protect networks against drive-by downloads and Internet based zero-day or zero-hour threats. These are downloads or program installations that take place on a user’s system without their approval.

What is 802.1x?

802.1x originated from the discovery of vulnerabilities in Wired Equivalent Privacy (WEP). Since then, the Institute of Electrical and Electronics Engineers (IEEE) port authentication standard 802.1x has been established to control network access and deny rogue system infiltration. 802.1x is commonly used with:


  • RADIUS systems
  • Network Access Control (NAC)
  • Network Access Protection (NAP)
  • Others

802.1x wraps Extensible Authentication Protocol (EAP) in Ethernet frames before sending them over both wired and wireless networks. The EAP method offers a variety of authentication procedures, such as token IDs, passwords and digital certificates, once network connections are made. However, 802.1x doesn’t use the Point-to-Point Tunneling protocol that EAP traditionally requires. In fact, 802.1x is fully capable of creating encrypted tunnels through which credentials can pass between devices and the authentication server. Devices requesting connection to the network, also known as supplicants, are first sent to an authenticator to be fitted with credentials (e.g., a user ID/password set). The credentials are forwarded by the authenticator to the authentication server to be validated, and access is permitted or denied.

Defining Access Control Lists

ACLs constitute basic security checklists that are used in assessing permitted access and actions. An access control list dictates which actions a user may execute when modifying, accessing or creating a specific object such as an application or service. These are defined by administrators as basic permission schemes to specify how a subject or group of subjects may interact with protected data or resources. ACLs are derived by leveraging information defined in:


  • Rule-based (action) access models
  • Role-based (job function) models
  • Mandatory access (security labels)
  • Discretionary access (group membership)

Several technologies, from file permissions to firewalls, are deployed to enforce ACLs and avert illegal access to protected resources.

Firewall Rules

Firewall rules should be set to ‘deny all’ unless traffic is purposely allowed. This can be configured by setting the last rule in the set to either deny-any or block. Firewall rules in this context are specified to deny traffic that fails to meet the pre-defined criteria in the rule set. By following the deny-all concept, firewall rules achieve the most secure design. It also provides an effective point of discussion in cases where business requirement validation necessitates a new rule or a modification of the existing rule set.

Functions of Flood Guards

Flood guards serve as a preventive control against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks. Flood guards are available either as standalone devices or as firewall components. They are capable of monitoring network traffic to identify DoS attacks in progress that are generated through packet flooding. Examples of DoS and DDoS attacks are:

  • Ping flood
  • MAC flood
  • UDP flood
  • ICMP flood
  • SYN flood

These attacks seek to disrupt or take down network services by overwhelming the target network with requests. When a flood guard detects a DoS attack it drops the packets or applies filter rule sets on switches and routers.
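A flood guard of the kind described above, as an added Python example (not a vendor's implementation): packets are classified by the flood type they could belong to (ping/ICMP, SYN, UDP), counted per source in a sliding time window, and dropped once a source exceeds the threshold. The threshold, window length, addresses and sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque


class FloodGuard:
    """Per-source flood detector (an added example, not a vendor's code).

    Timestamps of flood-type packets are kept per (source, type) in a sliding
    window; once a source exceeds `threshold` packets of one type within
    `window` seconds, its further packets of that type are dropped and an
    alert is recorded.
    """

    def __init__(self, threshold, window):
        self.threshold = threshold          # packets of one type allowed per window
        self.window = window                # window length in seconds
        self.history = defaultdict(deque)   # (src, kind) -> recent timestamps
        self.alerts = set()                 # (src, kind) pairs that exceeded the threshold

    @staticmethod
    def classify(proto, flags):
        """Map a packet to the flood type it could be part of, or None."""
        if proto == "icmp" and flags == "echo-request":
            return "ICMP (ping) flood"
        if proto == "tcp" and "S" in flags and "A" not in flags:
            return "SYN flood"           # bare SYN: a new connection attempt
        if proto == "udp":
            return "UDP flood"
        return None

    def inspect(self, ts, src, proto, flags):
        """Return "allow" or "drop" for one packet, updating the window."""
        kind = self.classify(proto, flags)
        if kind is None:
            return "allow"               # e.g. ACKs of an established connection
        recent = self.history[(src, kind)]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()             # expire timestamps outside the window
        if len(recent) > self.threshold:
            self.alerts.add((src, kind))
            return "drop"
        return "allow"


def run(guard, packets):
    """Feed (ts, src, proto, flags) records in time order; return verdict counts."""
    counts = {"allow": 0, "drop": 0}
    for pkt in sorted(packets, key=lambda p: p[0]):
        counts[guard.inspect(*pkt)] += 1
    return counts


# Constructed sample traffic: 10.0.0.66 sends 300 bare SYNs in 0.3 s (a SYN
# flood), 10.0.0.12 completes a normal handshake, 10.0.0.13 pings once a second.
SAMPLE_TRAFFIC = (
    [(i * 0.001, "10.0.0.66", "tcp", "S") for i in range(300)]
    + [(0.050, "10.0.0.12", "tcp", "S"),
       (0.300, "10.0.0.12", "tcp", "A"),
       (0.450, "10.0.0.12", "tcp", "PA")]
    + [(float(s), "10.0.0.13", "icmp", "echo-request") for s in range(1, 6)]
)


if __name__ == "__main__":
    guard = FloodGuard(threshold=100, window=1.0)
    print(run(guard, SAMPLE_TRAFFIC))   # 200 drops, all from 10.0.0.66
    print(sorted(guard.alerts))
```

Only the flooding source is throttled; the handshake and the slow ping traffic pass untouched, which is the behaviour a rate-based guard needs so that it does not itself cause an outage.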

The Implicit Deny Security Stance

The ‘implicit deny’ security stance treats everything not given specific and selective permission as suspicious. Network boundaries that follow the implicit deny concept only allow specific IP addresses and/or service ports while blocking all others. By contrast, a network implicitly allows traffic when it operates as an open computing environment to which any connection may be established. The “implicit deny” concept applies to information security in general. Note: An ‘explicit deny’ security stance blocks traffic from particular addresses and towards specific ports.

Loop Protection

Looping can be exploited by attackers to mount DoS attacks because of its repetitive nature. When transmissions loop, they needlessly consume bandwidth and disrupt network services. Loop protection consists of enabling STP (spanning tree protocol) on the network switches. STP records the available network paths and then enacts pre-defined decisions regarding active and standby routes. STP then shuts down routes deemed vulnerable to looping. Bridges also support STP for loop protection.

Network Bridging Uses

Network bridging is purposefully used in some cases but introduces several risks when it occurs unintentionally. Some of these are:

  • Operational problems
  • Security risks
  • Possible looping
  • Degradation of network performance

One common way of network bridging is when a laptop simultaneously connects to both a wired and a wireless network, creating a passage for traffic to move from one network to the other. Network bridging can be prevented using two methods:

  • Network separation – physically separates networks to avoid bridging.
  • Ethernet port configuration – configuring Ethernet ports to automatically disconnect once bridging is recognized on a host machine.

VLANs can be specified in switches to establish firewall routers and logically isolated networks to prevent network bridging.

Port Security Categories

Port security can be divided into two categories based on the OSI model.

Network ports are usually scanned by attackers to identify available ports and the services allowed on them. Security professionals should ensure that only ports crucial to a business’ operations are left open, with strict rule sets to govern traffic. The amount of traffic should also match the port’s requirements. Note: A technique called port knocking treats all ports as closed until a connection request is made to a particular port. In the event of a connection request, firewall rules are immediately changed once the connecting system supplies an encrypted packet or sends the correct sequence on the connection string.

Rule-Based Security Management

This type of security management uses rule sets to define the scope of what kind of activities should be allowed on a network. If the requested activity fails to match the pre-defined rules for the network, it is implicitly denied. This entails that the last rule in the set should default to a deny action or decision. Rule-based security management designs are supported by systems that use rule-driven controls or filters for security policy monitoring and enforcement on communications and other IT-related activities. Examples of systems that use a rule-based security model are:

  • Firewalls
  • IPS
  • Proxies
  • Email filters
  • Web filters
  • IDS

Secure Router Configuration

While existing designs of routers incorporate firewall technologies such as port-blocking, routers are not replacements for security devices and are susceptible to threats. Routers need to be securely configured before they are positioned on a network. Some of the steps taken to securely configure routers are:


  • Supplying a unique name to the device
  • Defining IP addresses as well as ranges
  • Assigning a password (encrypted if possible)
  • Disabling unneeded ports
  • Backing up the configuration
  • Blocking ICMP redirect traffic

The last step mentioned above, blocking ICMP redirect traffic, acts as a preventive security control against attacks such as ICMP floods and the ping of death, which leverage the ICMP protocol for malicious purposes. Note: Setting up wireless routers and wireless access points for secure router configuration requires additional steps.

Security Event Managers (SEM)

Also known as Security Information and Event Managers (SIEM), these are key components that store, analyze and mine data from several logs on multiple systems across a network. SEMs record a local copy of received logs and are able to provide a forensically sound archive in the event that the original logs are lost. Additionally, SEMs are able to send alerts based on their identification of similar events in multiple logs. SEMs can also provide an interface for efficient searching of log data.
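The two SEM behaviours just described (keeping an archive copy of every received log line, and alerting on similar events seen across multiple systems' logs), as an added Python example that is not any product's code. The log format, host names, addresses and thresholds are constructed assumptions; the lines are syslog-like but invented.

```python
import re
from collections import defaultdict


LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


class SecurityEventManager:
    """Minimal SEM (an added example, not a product): keeps an archive copy of
    every received line, parses failed-login events, and raises an alert when
    the same source fails against several different hosts."""

    def __init__(self, min_hosts=2, min_events=3):
        self.min_hosts = min_hosts
        self.min_events = min_events
        self.archive = []                       # raw copy of every line received
        self.failures = defaultdict(list)       # source ip -> [(ts, host, user)]

    def ingest(self, line):
        """Archive the line, then parse it; returns the event tuple or None."""
        self.archive.append(line)               # archive first, parse second
        m = LINE_RE.match(line)
        if not m:
            return None                         # unparseable: archived but not correlated
        f = FAILED_RE.search(m.group("msg"))
        if not f:
            return None                         # not a failed login
        event = (m.group("ts"), m.group("host"), f.group("user"))
        self.failures[f.group("ip")].append(event)
        return event

    def alerts(self):
        """Sources whose failures span at least min_hosts hosts and min_events events."""
        out = []
        for ip, events in sorted(self.failures.items()):
            hosts = sorted({host for _, host, _ in events})
            if len(hosts) >= self.min_hosts and len(events) >= self.min_events:
                out.append({"source": ip, "hosts": hosts, "events": len(events)})
        return out


# Constructed log lines from three fictional systems. No single host's log shows
# more than two failures, so only cross-log correlation reveals the pattern.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z web01 sshd[1201]: Failed password for root from 198.51.100.23 port 50122 ssh2",
    "2024-05-01T10:00:03Z web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2",
    "2024-05-01T10:00:09Z db01 sshd[877]: Failed password for root from 198.51.100.23 port 50130 ssh2",
    "2024-05-01T10:00:12Z db01 sshd[877]: Failed password for postgres from 198.51.100.23 port 50131 ssh2",
    "2024-05-01T10:00:20Z vpn01 sshd[4410]: Failed password for root from 198.51.100.23 port 50140 ssh2",
    "2024-05-01T10:01:00Z web01 sshd[1210]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "2024-05-01T10:01:04Z web01 sshd[1211]: Accepted password for alice from 10.0.0.5 port 40002 ssh2",
    "garbage line that does not parse",
]


def analyse(lines):
    sem = SecurityEventManager()
    for line in lines:
        sem.ingest(line)
    return sem


if __name__ == "__main__":
    sem = analyse(SAMPLE_LOGS)
    print("archived:", len(sem.archive))
    for alert in sem.alerts():
        print(alert)
```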

The VLAN Management Model

A VLAN management model necessitates configuring specific deny functions or removing the creation of unjustifiable routes to deny access to network resources or other VLANs. Some switches come with an integrated VLAN management solution that enables administrators to view and control their VLAN environments.

What is Cloud Computing?

Cloud computing is an environment hosted by an Internet-based server or network of servers, or by a private network cloud. In cloud computing, all activities such as applications, data, and processing take place in the cloud environment. Companies that rely on cloud computing and cloud-based resources should take effective steps to implement a stable and secure Internet connection. Multiple Internet connections, failover, and load balancing should also be considered when using cloud services. Cloud computing is a powerful tool that carries its own benefits and risks. Companies should weigh these carefully before using cloud computing for their operations.

While cloud computing reduces cost and need for additional resources, it carries significant security risks that companies need to be prepared for.

Defining the Demilitarized Zone (DMZ)

A DMZ is a portion of a network kept separate from the protected internal network for security purposes. The DMZ sets up a physically separate buffer zone meant for public-facing private company servers such as web and FTP. DMZs provide a compromise between offering public services and operating private servers without full exposure to threats and high-risk environments.

What Is Network Access Control (NAC)?

NAC is a frequently used network security solution that seeks to validate the functional security controls on a system requesting connection before it is allowed access to the network. NAC checks for and defines security controls such as:

  • Firewalls
  • Operating system
  • Virus protection
  • Service packs
  • 802.1x
  • Other network security enforcement procedures

NAC is useful for implementing system health requirements upon network access. Systems that are recognized to be unhealthy are either administratively denied access or redirected to an issue resolution site relevant to its security issues. For example, a system with outdated anti-malware protection may be forwarded to an Intranet Web site to mitigate its security issues. Once the security risk has been addressed, users are usually allowed to reconnect.

Network Address Translation (NAT)

NAT is a one-to-many or one-to-one mapping between public and private IP address spaces. Using NAT lessens the need for multiple public IP addresses from an ISP. This is accomplished by establishing an administrator-defined address pool mapping for the internal network and bundling the connections as a single source without unnecessary exposure of internal endpoints on the Internet. The repackaged connections are typically centralized at a router device or gateway service. NAT enables a company to share a single public external connection among multiple internal computers. The Internet Assigned Numbers Authority (IANA) reserves the routable IP address ranges below for private Intranet use according to RFC 1918.


What Does Remote Access Mean?

Remote access offers convenient remote connection to networks. Remote access solutions can be applied in a variety of ways, such as:

  • Remote desktop or terminal services (Windows)
  • Dial-up
  • VPN
  • Others

Remote access servers that allow access to internal network resources should be protected irrespective of the remote access solution used. It is recommended that publicly accessible RAS systems be audited and monitored for security purposes.

Remote Access Servers

These systems provide a connection to a server for authentication and the granting of access to internal network resources. Connections are usually made through a modem from the Internet. RAS implements policies on connecting systems that regulate requirements and keep the operation of sessions within particular parameters. These include:

  • Time boundaries
  • Availability
  • Session length
  • Timeouts
  • Implementation of particular authentication mechanism
  • Directing network traffic to travel along specified route

RAS servers are frequently positioned in a DMZ, with firewall devices next in line along the route.

What is Subnetting?

Subnetting is the logical division of a network into classes of smaller networks, or subnets. Subnetting prevents Ethernet collisions and conflicts in address assignment. A subnet is a compartmentalized collection of designated layer 3 IP addresses. These addresses are used by gateway devices, servers, network endpoints, end-user units and other intermediary devices. Subnets are classified into Class A, B and C segments according to their progressively smaller sizes. These can be individually protected by firewalls as well as given various access rights and network permissions based on their job functions.

Telephony

Telephony supplies long-haul connections for communication purposes by transmitting and translating analog voice data into digital voice formats. The term telephony is synonymous with telecommunications and embraces the general use of communication devices such as:


  • Wired/wireless phones
  • Voicemail systems
  • Digital computers

Virtualization Uses

Virtualization is available in both hardware and software. It is used to establish multiple virtual operating systems (guests) on a host (usually a single physical device). The logical systems residing inside a single physical system are usually independent of their host and run in their own logically segmented memory space. Virtualization is useful for:


  • Data center designing
  • New technologies testing
  • Business continuity procedures creation
  • System consolidation

Both the guest systems and the physical host should have security measures implemented, such as firewalls and virus protection. Note: Some security products include protection measures for virtual environment components, ex. preventing the termination of virtual machine processes.

Virtual Local Area Network (VLAN) Definition

A VLAN is the logical arrangement of a single physical switched network into segments of multiple logical networks. A single company may use multiple VLAN broadcast domains to quarantine cross-contamination and manage departments. Each VLAN broadcast domain may be individually protected according to the needs of the network. LAN segments may be dispersed across a single campus or throughout various regions in the country.

What is a DNS?

DNS is a key network component that maintains host records and resolves host names to IP addresses so that systems can be reached by name or by IP address. A company’s name servers need auditing and assessment to avoid security risks facing DNS such as:


  • Exposure of the organizational footprint, including server roles/versions and network devices
  • Reverse-lookup (domain reversal) inconsistencies
  • Unrestricted zone transfers
  • RFC non-compliance
  • Outdated versions

File Transfer Protocol Secure (FTPS)

FTPS adds TLS and SSL support to FTP so that connecting systems can transfer files securely. FTPS operates in two modes:

Explicit Mode

  • FTPS-aware clients negotiate with the FTP server to determine the proper encryption method to use
  • In cases where clients lack FTPS support, the FTPS server chooses one of these actions:
    a. Drop the connection
    b. Allow the connection but with limited functionality
    c. Allow the connection with no restrictions

Implicit Mode

  • All clients must be FTPS-aware
  • Upon connection, clients must establish an encrypted session with the FTPS server

Note: Secure FTP and SSH File Transfer Protocol are not the same as FTPS.

Commonly Used Default Network Ports

Port usage is assigned by the Internet Assigned Numbers Authority (IANA) to applications and processes. These are divided into three ranges:

  • Well known – 0-1023 range
  • Registered – 1024-41951 range
  • Private/dynamic – 41952-65535 range

Port usage is frequently checked when deploying technology in an environment. As a basic security measure, default ports should be changed, and well-known ports that communicate with questionable sources should do so through a firewall. List of default network ports:

  • File Transfer Protocol (FTP) – 21
  • Secure FTP / SSH FTP (SFTP) – 22
  • FTP Secure (FTPS) – 989 (data), 990 (command)
  • Trivial File Transfer Protocol (TFTP) – 69
  • Telnet – 23
  • Hypertext Transfer Protocol (HTTP) – 80
  • Hypertext Transfer Protocol Secure (HTTPS) – 443
  • Secure Copy (SCP) – 22
  • Secure Shell (SSH) – 22
  • Simple Mail Transfer Protocol (SMTP) – 25
  • Simple Network Management Protocol (SNMP) – 160, 161, 162
  • NetBIOS – 137 (name service), 138 (datagram), 139 (session)

Hypertext Transfer Protocol Secure (HTTPS)

HTTP is a standard TCP mechanism for content and message exchange between web servers and browsers. HTTP is responsible for most of the visually presentable content on the Internet. Use of HTTP offers unlimited flexibility and delivery of multimedia, file formats, and documents, but it is also susceptible to malicious activities and attacks. HTTP is technically defined as an application layer (OSI layer 7) transport method. It operates in plaintext, which means transmissions are sent in unencrypted format. To guard against potential eavesdroppers, TLS and SSL are often used to secure HTTP, especially when positioned between the endpoints of secured conversations. HTTPS connections operate below the application layer to encrypt HTTP messages before they are transmitted, and likewise to decrypt incoming messages upon arrival. Web browsers generally integrate HTTPS for page request encryption and decryption across TCP port 443 instead of port 80 (usually used with HTTP). Note: HTTPS is not the same as Secure HTTP (S-HTTP, RFC 2660). The latter is an alternative that is also used for web transaction encryption.

Internet Control Message Protocol (ICMP)

ICMP is part of the Internet Protocol (IP) suite and is used to transmit error messages (not data). ICMP is utilized by traceroute, ping and similar tools. Routers can block ICMP traffic delivery to avoid network attacks such as ICMP flooding and ping of death. The ICMP provides data authenticity, anti-replay protection, non-repudiation and powerful encryption. The following outline explains how the ICMP provides all of these things:

Provides Data Authenticity

  • Verifies the identities of the parties engaged in a conversation first.
  • IP spoofing and man-in-the-middle attacks are averted.

Provides Anti-replay Protection

  • Serializes messages with sequence numbers.
  • Integrity of transmitted data is ensured on the receiving end.
  • Packets that have been captured cannot be reused.

Provides Non-repudiation

  • Gives complete proof of a message's source of origin.
  • Ownership cannot be denied nor messages forged once messages are digitally signed, sealed and sent.

Provides Powerful Encryption

  • Protects susceptible network delivery services and plaintext communication protocols.
  • Eavesdropping, sniffing attacks and interception are avoided.

Internet Protocol Security (IPSec)

IPSec is an OSI layer 3 network-level cryptographic framework that provides authentication header (AH) and encapsulating security payload (ESP) services. Using AH and ESP together enables secure communication and data integrity. IPSec functions in two modes of operation:

Transport Mode

  • Function: only encrypts the packet payload (Note: plaintext Telnet sessions can travel from workstation to router via IPSec)
  • Application: endpoint connections, ex. host-to-host, host-to-gateway

Tunnel Mode

  • Function: serves like a proxy to accommodate hidden hosts; encrypts the entire packet including the header
  • Application: used between gateways in the network topology, ex. secure connectivity between branch office and headquarters, home and workplace, etc.

IPSec Key Management Functions

The Internet Security Association and Key Management Protocol (ISAKMP) establishes key management functionality for IPSec. Key functions include the authentication, distribution and generation of cryptographic keys for secure communications. ISAKMP also integrates mechanisms for the negotiation, establishment, modification, and deletion of security associations (SAs), including their respective attributes. Through ISAKMP, Internet Key Exchange (IKE) cryptographic keys and SAs can be distributed in a scalable and standard way. ISAKMP also provides procedures for:


  • Peer authentication
  • Creation, generation, and management of keys or SAs
  • Neutralization of well-known network attacks

IPv4 vs. IPv6

Both IPv4 and IPv6 are essential computer networking protocols but differ from each other in several respects.

IPv4

  • Most widely used protocol
  • IPv4 addresses use a 32-bit value (typically displayed in dotted decimal form, ex.…
  • Comprised of 2^32, or more than 4.2 billion, unique addresses
  • Feared to be running out of addresses

IPv6

  • Created to succeed IPv4
  • IPv6 addresses use 128-bit…
  • Comprised of 2^128, or approximately 3.4 × 10^38, addresses (more than 7.9 × 10^28 times as many as IPv4)

Network address translation (NAT) addressed IPv4 exhaustion concerns, but IPv6 remains relevant. Note: IPv6 requires IPSec support.

Secure Copy Definition

SCP is a protocol for transferring files through an SSH session using RCP commands on a Unix system. Unlike FTP, SCP retains file permissions and timestamps by including them with the transferred files themselves, and the SSH session ensures data confidentiality during transit.

Note: SCP sessions are not susceptible to packet sniffers.

What is Secure FTP?

Secure FTP is also known as SSH FTP (SFTP) and FTP Secure (FTPS). Both supply mechanisms for secure file transfer but vary in method:

  • FTPS – uses SSL or TLS for traffic flow encryption
  • SFTP – uses SSH to tunnel an FTP session to an SFTP server

SFTP users must transact with an SFTP client or use a command line. SFTP servers will not work with standard FTP clients and vice versa.

Secure Shell (SSH) Functions

SSH was traditionally designed to secure remote administrative login and shell access. SSH establishes secure activities between networked devices such as logins, channels, and transfers. SSH prevents malicious third-party attacks such as eavesdropping, connection tampering, and interception. Because Telnet, FTP and NFS are vulnerable to attacks due to the transmission of details in cleartext (ex. login credentials), SSH supplies the needed cryptography to ensure network privacy. SSH2 uses public key cryptography as well as traditional username/password logins for authentication. Note: SSH uses port 22 for operation.

What is SSL? (Secure Socket Layer)

SSL is an OSI layer 4 (transport layer) encryption protocol used for securing the end-to-end tunnels through which HTTP and application traffic passes. SSL sessions are ‘stateful’ because connection state is kept from initiation to connection teardown.

Note: TLS rendered SSL (SSLv2 and SSLv3) obsolete.

Simple Network Management Protocol

SNMP collects network events and statistics from network-attached devices using SNMP agents. SNMP can configure devices (up to a certain degree), provide information relevant to network performance, and alert administrators regarding issues. SNMP agents monitor services such as WINS and DHCP. Activated agents also monitor devices such as hubs, printers, servers and routers. SNMP is available in 3 versions with their respective functions and abilities:

  • SNMP Versions 1 and 2 – transmit in clear text and set default community strings to read/write.
  • SNMP Version 3 – provides additional confidentiality and integrity by encrypting transmitted packets.

Note: SNMP should be disabled on devices that do not require it. Default community strings should preferably be changed once SNMP is installed.

Transmission Control Protocol / Internet Protocol (TCP/IP)

TCP and IP are networking components that form the core of the TCP/IP protocol suite.

TCP

  • Commonly used by Internet applications, email, file transfers, etc.
  • Supplies a stable data stream between programs on different systems
  • Able to request that packets be resent if they fail to arrive or arrive corrupted

IP

  • Addresses hosts and routes packets from source to destination over networks
  • Host-assigned IP addresses can be subnetted into multiple networks over which the IP protocol can route
  • Works with TCP to establish data integrity

Note: TCP and IP are melded into one term (TCP/IP) because they are frequently used together.

How Transport Layer Security Works

TLS was preceded by the SSLv3 protocol, which it phased out. TLS is defined on the Internet Engineering Task Force (IETF) standards track (RFC 5246) and was originally based on the early SSL specification. TLS is not backward-compatible with its predecessor SSL, but it creates cryptographically secure endpoint (ex. host-to-host) connectivity that can guard against attacks like tampering, message forgery, and eavesdropping. Both parties of a conversation can be mutually authenticated using TLS thanks to its bidirectional authentication mode.

Below are the phases and protocol layers associated with TLS:

Phases

  • Algorithm support through negotiating with peers
  • Key exchange and authentication of endpoints
  • Authentication of messages and symmetric cipher encryption

Protocol Layers

  • TLS Record protocol – encapsulates information for secure exchange and operates at the lowest level
  • TLS Handshake protocol – uses a complex protocol exchange involving parameter and property definitions to establish secure client-server connectivity
Source: https://www.cybrary.it/resources/study-guides/comptia-security-plus/

CompTIA Security+ Rapid Review: Network Security

Objective 1.2: Apply and implement secure network administration principles

In this exam Objective, you might be tested on techniques that are used to implement secure administration principles.

Exam need to know…

  • Understand rule-based management

    For example: Can you name the two parts of a firewall–rule-based management?

  • Understand how routers can be used to increase security by using access control lists, rules, and secure router configuration

    For example: Can you explain why it is important to communicate securely with the router?

  • Describe the various methods by which switches can enhance security, such as flood guards, loop protection, and port security

    For example: Do you know how to use port security to prevent common network attacks?

Rule-based management

Rule-based management is a way to configure firewalls to filter specific types of traffic. The rule base is made up of two parts: the firewall rule, and the action. The firewall rule determines if a specific packet matches the rule criteria. The action defines what happens if the rule is applied. As an example, when a specific packet type is detected, it might be allowed or denied.

True or false? A firewall rule can include a source or destination port.

Answer: True. Firewall rules can include source or destination ports, IP addresses, websites, or the service to which it is trying to connect.

True or false? Firewalls process rules in a top-down order.

Answer: True. Firewalls typically process rules in a top-down order, moving from first to last.

Firewall rules

Firewall rules are processed in a top-to-bottom order and can be applied to traffic entering or leaving a network. As an example, a firewall rule might be created to only allow web traffic into a network to a specific web server, yet insiders might be allowed to browse external websites.

True or false? Best practice is to start by not allowing any traffic and then allowing only traffic that is approved.

Answer: True. A deny-all approach states that no traffic is allowed and that ports and applications are opened on the firewall only as needed.

True or false? Firewall rules typically allow ports 25 and 80 into the network.

Answer: True. Port 25 is used for simple mail transfer protocol (email), and port 80 is used for HTTP.

VLAN management

VLAN management allows for the software configuration of end stations to be grouped together, even if they are not located on the same network switch. This allows the grouping of hosts with a common set of requirements to communicate as if they were attached to the same broadcast domain. As an example, accounting, sales, and marketing each can be placed on their own separate VLAN. Even though these devices might be in diverse locations, VLANS allow each group to communicate with others in their VLAN, regardless of their physical location.

True or false? Switches typically have visual, built-in methods that indicate VLAN port members to personnel who work in a wiring closet.

Answer: False. A security professional must typically connect to a switch and look at its configuration to see how the VLANS are configured.

True or false? VLANS operate at Layer 4 of the OSI model.

Answer: False. VLANS work at Layer 2 of the OSI model and allow the segmentation of physical traffic.

Secure router configuration

Secure router configuration is a key concern for a security professional. Ideally, the configuration should be done locally, via a console cable. When this is not possible, remote configuration should make use of encryption. Secure Copy Protocol (SCP) is one method to secure remote configuration. When configuring both locally and remotely, it is important to save a backup copy of the configuration so that the router can be easily restored should something go wrong.

True or false? The use of trivial file transfer protocol (TFTP) is acceptable for secure remote configuration of a router.

Answer: False. You should use a secure protocol such as SCP. TFTP does not make use of encryption.

Access control lists

The most basic way to configure firewall rules is by means of an access control list (ACL). An ACL is used for packet filtering and for selecting types of traffic to be analyzed, forwarded, and/or influenced in some way by a firewall or other device. Typically, firewalls block traffic based on the source/destination address, port, packet type, and so on. Rules placed in an ACL are used as a form of stateless inspection. Stateless devices look only at a list and make a simple yes/no, allow/disallow decision. ACLs can be used for more than just allowing or blocking traffic. As an example, rules can also log activity for later inspection or to record an alarm.

True or false? An ACL is used for stateful inspection.

Answer: False. ACLs are a very basic form of firewall and are considered stateless inspection.

Port security

Port security can mean different things to different people; however, generally it is described as the process of controlling access to ports. This includes physical and logical access. As an example, riser rooms, telecommunication closets, and other areas where there is access to cables, ports, and equipment should be secured. Logical port security can include VLANs, 802.1x, and MAC address filtering.

True or false? Equipment closets should be locked and secured.

Answer: True. Even though many IT professionals think of security in terms of logical control, physical control is also critical. Physical security of access points, telecommunication closets, and any other area where cable access is possible should be closely controlled.


802.1x

802.1X is an IEEE standard for port-based Network Access Control. 802.1x is widely used in wireless environments and relies on the extensible authentication protocol. 802.1x acts as an application proxy because it acts as a middle man in the authentication process.

True or false? 802.1x makes use of password authentication protocol (PAP).

Answer: False. PAP is not used with 802.1x and is considered insecure. 802.1x utilizes extensible authentication protocol (EAP), which offers strong authentication.

Flood guards

Flood guards are tools that you can use to prevent Denial-of-Service (DoS) attacks. This technology is typically built in to network equipment such as routers and intrusion prevention equipment. It is designed to detect network floods and then block this traffic. Flood guards help block malicious traffic from entering a network.

True or false? Flood guards are used to prevent broadcast loops.

Answer: False. Flood guards are not used to prevent broadcast loops; however, they help to protect against DoS attacks.

True or false? Flood guards detect traffic that is already in the local network and alert the network administrator as to its malicious use.

Answer: False. Flood guards are used to block malicious traffic at the edge of a network and prevent it from ever entering an organization’s internal domain.

Loop protection

Loop protection is designed to prevent Layer 2 broadcast loops. Loop protection works by sending periodic loop test frames to detect loops within the network cabling. Loop protection can then shut off specific ports to prevent the loops from occurring. Loop protection is typically implemented with spanning tree protocol (STP). STP learns all available paths and then looks for traffic to be looped back.

True or false? Loop protection is implemented on Layer 3 of the OSI model.

Answer: False. Loop protection is implemented on Layer 2 of the OSI model because it deals with physical frames. Logical traffic at Layer 3 is prevented from looping by the TTL field in the IP header.

True or false? STP is used to provide loop protection.

Answer: True. Ethernet looping is resolved by STP. This unique protocol looks for repeating transmission paths and can work as a filter to block ports, preventing this from occurring.

Implicit deny

Firewall rules are based on an implicit-deny principle: any traffic that is not explicitly allowed by a firewall rule is blocked. This is accomplished by the implicit deny-all rule that is logically at the bottom of every firewall rule list. This means that if the firewall rule set does not explicitly allow a specific type of traffic, that traffic is blocked by the implicit deny-all.

True or false? By placing a deny-all statement at the beginning of a firewall rule set, you can block all unwanted traffic.

Answer: False. There are several common errors made by firewall administrators when setting up a firewall rule, and this is one of them. If you place a deny-all at the beginning of a firewall rule set, you will block all remaining rules and no traffic will be allowed through the firewall.

True or false? If you want to block a specific website, a generic allow-all web traffic rule should be placed before the deny rule that blocks a specific website.

Answer: False. Here again is another of the common errors made by firewall administrators. If you place an allow-all statement, all traffic will be passed.
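As an added example that is not part of the Rapid Review text, the Python below models a firewall rule base as an ordered list evaluated top-down with first-match semantics and an implicit deny at the bottom, as the rule-based management, firewall rules, ACL and implicit deny sections describe. The addresses are constructed from the documentation ranges and the rule sets are hypothetical. It reproduces both administrator errors above: a deny-all at the top shadows every later rule, and a generic allow placed before a specific deny lets the blocked site through. A small shadowing check flags rules that can never fire.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A stateless ACL entry: every field is a criterion ("any"/None matches all)."""
    action: str                  # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport)
                and self.proto in ("any", p.proto))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Top-down, first match wins; the implicit deny-all sits below the last rule."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule matches
    everything they match (a conservative check: partial overlap is not reported)."""
    def covers(a: Rule, b: Rule) -> bool:
        return (a.src in ("any", b.src) and a.dst in ("any", b.dst)
                and a.dport in (None, b.dport) and a.proto in ("any", b.proto))
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]


# Constructed addresses (documentation and RFC 1918 ranges).
WEB_SERVER = "192.0.2.10"
INTERNAL = "10.0.0.5"
OUTSIDE = "198.51.100.7"
BLOCKED_SITE = "203.0.113.50"

# Sound rule base: only web traffic to the web server from outside, a specific
# external site blocked, and insiders allowed to browse; everything else is
# caught by the implicit deny.
GOOD_RULES = [
    Rule("allow", dst=WEB_SERVER, dport=80, proto="tcp"),
    Rule("allow", dst=WEB_SERVER, dport=443, proto="tcp"),
    Rule("deny", dst=BLOCKED_SITE),
    Rule("allow", src=INTERNAL, dport=80, proto="tcp"),
]

# Error 1: an explicit deny-all at the top shadows every rule after it.
DENY_FIRST = [Rule("deny")] + GOOD_RULES

# Error 2: a generic allow ahead of the specific deny passes the blocked site.
ALLOW_BEFORE_DENY = [
    Rule("allow", dport=80, proto="tcp"),
    Rule("deny", dst=BLOCKED_SITE),
]
```

`shadowed` only reports rules whose match set is fully contained in an earlier rule; `ALLOW_BEFORE_DENY` is therefore not flagged, since the deny still applies to non-port-80 traffic, which is exactly why this mistake survives casual review and is better caught by evaluating representative packets.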

Prevent network bridging by network separation

Years ago, network bridges were widely used because they offered a simple way to separate collision domains. The problem with bridges was that they were slow, introducing latency into a network. Also, bridges offered no security. Today, routers and firewalls are used for network separation. Routers offer the ability to separate the network on Layer 3 of the OSI model and can also provide some security by means of ACLs. Firewalls can offer even more security and can provide deeper packet inspection, allowing for greater control of ingress and egress of traffic.

True or false? Bridges provide logical segmentation.

Answer: False. Bridges provide physical segmentation and have the ability to block Layer 2 broadcast traffic.

True or false? Bridges offer multilayer traffic management.

Answer: False. Bridges only operate on Layer 2 of the OSI model, whereas routers and firewalls can operate at higher layers. This can provide a much more granular approach to traffic management.

Log analysis

Log analysis is something that is widely discussed and not always properly implemented. Log analysis is the review of audit logs and records. It is considered a detective control because logs are reviewed after the fact. Logs should be moved off of host systems and encrypted for tighter security and to prevent tampering. In many environments, logs may not be reviewed until something goes wrong. Logs should be reviewed periodically to look for anomalies. This can help to reveal problems early on, before they become worse. Logs should be reviewed for configuration errors and signs of malicious activity.

True or false? Log analysis is considered a preventive control.

Answer: False. Log analysis is considered a detective control because it is used to uncover errors, problems, and misconfigurations after they have occurred.

True or false? Logs should contain a timestamp and hash.

Answer: True. Logs should contain a timestamp and hash to prevent and detect tampering.
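The timestamp-and-hash idea above, worked as an added example that is not part of the Rapid Review: each record carries an HMAC that also covers the previous record's HMAC, so editing or deleting a record in the middle of the log invalidates every tag after it. The key, the log lines and the helper names are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import List, Optional, Tuple

KEY = b"placeholder-log-signing-key"   # placeholder; keep the real key off the logging host
GENESIS = "0" * 64                     # chain anchor for the first record

Record = Tuple[str, str, str]          # (timestamp, message, tag)


def _tag(prev_tag: str, ts: str, msg: str) -> str:
    """HMAC over the previous tag, the timestamp and the message."""
    data = f"{prev_tag}|{ts}|{msg}".encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def append(log: List[Record], msg: str, ts: Optional[str] = None) -> Record:
    """Append a record whose tag chains to the last record in the log."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    prev = log[-1][2] if log else GENESIS
    rec = (ts, msg, _tag(prev, ts, msg))
    log.append(rec)
    return rec


def verify(log: List[Record]) -> int:
    """Return the index of the first record whose tag does not chain, or -1 if intact."""
    prev = GENESIS
    for i, (ts, msg, tag) in enumerate(log):
        if not hmac.compare_digest(tag, _tag(prev, ts, msg)):
            return i
        prev = tag
    return -1


# Constructed log lines for the example.
SAMPLE = [
    ("2024-03-01T09:00:00+00:00", "sshd: Accepted publickey for admin from 10.0.0.5"),
    ("2024-03-01T09:00:07+00:00", "sudo: admin : COMMAND=/usr/sbin/iptables -L"),
    ("2024-03-01T09:01:30+00:00", "sshd: Failed password for root from 198.51.100.7"),
]


def build_sample_log() -> List[Record]:
    log: List[Record] = []
    for ts, msg in SAMPLE:
        append(log, msg, ts)
    return log


def tampered_copy(log: List[Record], index: int, new_msg: str) -> List[Record]:
    """Copy of the log with one message edited but its original tag left in place."""
    copy = list(log)
    ts, _, tag = copy[index]
    copy[index] = (ts, new_msg, tag)
    return copy
```

The chain catches edits and deletions inside the log but not truncation at the tail: dropping the most recent records leaves a shorter log that still verifies. In practice the last tag is periodically copied to a separate system (or the log is shipped off the host, as the section recommends), so that the expected tail can be compared.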

Can you answer these questions?

You can find the answers to these questions at the end of this chapter.

  1. A new intern has connected all five of the company’s switches together into a massive loop, causing a brief broadcast storm. What technology can prevent this from becoming an even bigger problem?

  2. You have an RJ-45 port in a meeting room that is accessible by all, but should only be used with one laptop that is assigned to that area. What can you do to prevent other laptops from using the port?

  3. You have been tasked with setting up some basic controls to govern what traffic can ingress or egress your network. Is there some way that you can do this on the router?

  4. There are many types of controls that a security professional should understand such as preventive, detective, and corrective. What type of control is log analysis?

  5. Are bridges considered a smart device?

Source: https://www.microsoftpressstore.com/articles/article.aspx?p=2224050&seqNum=2

MAC flooding

Technique employed to compromise the security of network switches

In computer networking, a media access control attack or MAC flooding is a technique employed to compromise the security of network switches. The attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior potentially sending sensitive information to portions of the network where it is not normally intended to go.

Attack method

Switches maintain a MAC table that maps individual MAC addresses on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as an Ethernet hub does. The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for.

In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing different source MAC addresses, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.[1]

The effect of this attack may vary across implementations, however the desired effect (by the attacker) is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports. It is from this flooding behavior that the MAC flooding attack gets its name.

After launching a successful MAC flooding attack, a malicious user can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally. The attacker may also follow up with an ARP spoofing attack which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack.

MAC flooding can also be used as a rudimentary VLAN hopping attack.[2]

Countermeasures

To prevent MAC flooding attacks, network operators usually rely on the presence of one or more features in their network equipment:

  • With a feature often called "port security" by vendors, many advanced switches can be configured to limit the number of MAC addresses that can be learned on ports connected to end stations.[3] A smaller table of secure MAC addresses is maintained in addition to (and as a subset to) the traditional MAC address table.
  • Many vendors allow discovered MAC addresses to be authenticated against an authentication, authorization and accounting (AAA) server and subsequently filtered.[4]
  • Implementations of IEEE 802.1X suites often allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address.
  • Security features to prevent ARP spoofing or IP address spoofing in some cases may also perform additional MAC address filtering on unicast packets, however this is an implementation-dependent side-effect.
  • Additional security measures are sometimes applied along with the above to prevent normal unicast flooding for unknown MAC addresses.[5] This feature usually relies on the "port security" feature to retain all secure MAC addresses for at least as long as they remain in the ARP table of layer 3 devices. Hence, the aging time of learned secure MAC addresses is separately adjustable. This feature prevents packets from flooding under normal operational circumstances, as well as mitigating the effects of a MAC flood attack.
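As an added example that is not part of the Wikipedia article or the Rapid Review, the Python below models a learning switch with a bounded MAC table and the per-port secure-MAC limit that the first countermeasure above calls "port security". Without the limit, a port that sources more addresses than the table holds evicts the legitimate entries and turns the client-to-server unicast into a flood that reaches every port; with the limit set to one address per access port, the excess sources are dropped as violations and the table stays intact. Port names, addresses and the table size are constructed.

```python
from collections import OrderedDict
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch: bounded MAC table, optional per-port secure-MAC limit."""

    def __init__(self, ports: List[str], table_size: int,
                 max_secure_per_port: Optional[int] = None):
        self.ports = ports
        self.table_size = table_size
        self.limit = max_secure_per_port                          # None: port security off
        self.mac_table: "OrderedDict[str, str]" = OrderedDict()   # mac -> port, oldest first
        self.secure: Dict[str, Set[str]] = {p: set() for p in ports}
        self.violations: Dict[str, int] = {p: 0 for p in ports}

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Process one frame; return the ports it is forwarded out of."""
        # Port security: a port may source at most `limit` distinct MAC addresses.
        if self.limit is not None and src not in self.secure[in_port]:
            if len(self.secure[in_port]) >= self.limit:
                self.violations[in_port] += 1
                return []                   # violation: frame dropped, table untouched
            self.secure[in_port].add(src)
        # Learn the source address; a full table evicts its oldest entry.
        if src not in self.mac_table and len(self.mac_table) >= self.table_size:
            self.mac_table.popitem(last=False)
        self.mac_table[src] = in_port
        self.mac_table.move_to_end(src)
        # Forward: a known unicast goes to one port, anything else is flooded.
        out = self.mac_table.get(dst)
        if out == in_port:
            return []                       # destination sits on the ingress port
        if out is not None:
            return [out]
        return [p for p in self.ports if p != in_port]


SERVER, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses


def run_scenario(port_security: Optional[int]) -> dict:
    """Server on p1, client on p2, and a port p3 that sources ten addresses in a row."""
    sw = Switch(["p1", "p2", "p3"], table_size=4, max_secure_per_port=port_security)
    sw.receive("p1", SERVER, BROADCAST)     # server announces itself
    sw.receive("p2", CLIENT, SERVER)        # client talks to the server
    for i in range(10):                     # more sources on p3 than the table holds
        sw.receive("p3", f"02:00:00:00:ff:{i:02x}", SERVER)
    return {
        "server_still_learned": SERVER in sw.mac_table,
        "client_to_server_ports": sw.receive("p2", CLIENT, SERVER),
        "violations_on_p3": sw.violations["p3"],
    }


if __name__ == "__main__":
    print("no port security:", run_scenario(None))
    print("one secure MAC per port:", run_scenario(1))
```

The `violations_on_p3` counter is the signal a defender watches: on real switches the same event raises a port-security violation trap or log line and, depending on the violation mode, shuts the port down.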


Source: https://en.wikipedia.org/wiki/MAC_flooding

Definition network flood guard

A flood guard is a protection feature built into many firewalls that allows the administrator to tweak the tolerance for unanswered login attacks.

It tracks network traffic to identify scenarios that would overwhelm the network through conditions such as SYN, ping and port floods. By reducing this tolerance, it is possible to reduce the likelihood of a successful DoS attack. If a resource, inbound or outbound, appears to be overused, the flood guard kicks in.
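The tolerance idea above, as an added example that is not from the study guide: a per-source counter of half-open TCP handshakes (SYN seen, no completing ACK) that blocks a source once it exceeds a configurable tolerance, which is the SYN-flood case of the flood guard. The event records, the addresses and the class name are constructed; the same counter pattern applies to ping or port floods by counting echo requests or distinct destination ports per source instead.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set


@dataclass(frozen=True)
class Event:
    t: float       # seconds since start of capture
    src: str       # source address
    kind: str      # "SYN": handshake started; "ACK": handshake completed


class FloodGuard:
    """Counts half-open handshakes per source; sources over the tolerance are blocked."""

    def __init__(self, tolerance: int = 20, syn_timeout: float = 3.0):
        self.tolerance = tolerance
        self.syn_timeout = syn_timeout
        self.half_open: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def observe(self, e: Event) -> bool:
        """Feed one event; return True if the source is (now) blocked."""
        if e.src in self.blocked:
            return True
        q = self.half_open[e.src]
        while q and e.t - q[0] > self.syn_timeout:   # stale half-open entries age out
            q.popleft()
        if e.kind == "SYN":
            q.append(e.t)
        elif e.kind == "ACK" and q:
            q.popleft()                              # one outstanding handshake completed
        if len(q) > self.tolerance:                  # tolerance exceeded: the guard kicks in
            self.blocked.add(e.src)
        return e.src in self.blocked


def run(events: List[Event], tolerance: int = 20) -> Set[str]:
    """Replay events in time order and return the set of blocked sources."""
    guard = FloodGuard(tolerance=tolerance)
    for e in sorted(events, key=lambda ev: ev.t):
        guard.observe(e)
    return guard.blocked


def sample_events() -> List[Event]:
    """Constructed traffic: one well-behaved client and one source that never completes."""
    events: List[Event] = []
    for i in range(30):                              # normal client: every SYN is answered
        events.append(Event(i * 0.1, "10.0.0.5", "SYN"))
        events.append(Event(i * 0.1 + 0.01, "10.0.0.5", "ACK"))
    for i in range(60):                              # 60 SYNs in 0.6 s with no ACKs
        events.append(Event(i * 0.01, "198.51.100.7", "SYN"))
    return events


if __name__ == "__main__":
    print("blocked:", run(sample_events()))
```

Lowering `tolerance` makes the guard trip sooner, which is what the passage means by reducing the tolerance; set it too low and a busy legitimate client with a few slow handshakes in flight gets blocked, so the threshold is tuned against the normal half-open count observed on the network.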


  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney


Source: http://neokobo.blogspot.com/2012/01/128-flood-guards.html
Switch Flooding

Network Components


Internal Security

After traffic has passed through the perimeter, the packets need to be properly routed. In some instances, only internal routing occurs because the traffic is strictly internal and doesn’t need to leave the organization. In this case, devices are used that do not route traffic or that prevent traffic from leaving a subnet. Devices that perform this role include routers, switches, and bridges.


Routers operate at the network layer of the OSI model. They receive information from a host and forward that information to its destination on the network or the Internet. Routers maintain tables that are checked each time a packet needs to be redirected from one interface to another. The tables inside the router help speed up request resolution so that packets can reach their destination more quickly. The routes can be added manually to the routing table or can be updated automatically using the following protocols:

  • Routing Information Protocol (RIP/RIPv2)

  • Interior Gateway Routing Protocol (IGRP)

  • Enhanced Interior Gateway Routing Protocol (EIGRP)

  • Open Shortest Path First (OSPF)

  • Border Gateway Protocol (BGP)

  • Exterior Gateway Protocol (EGP)

  • Intermediate System-to-Intermediate System (IS-IS)

Although router placement is primarily determined by the need to segment different networks or subnets, routers also have some good security features. One of the best features of a router is its capability to filter packets by source address, destination address, protocol, or port. These filters are actually access control lists (ACLs).

Part I, “Threats, Attacks, and Vulnerabilities,” describes attacks such as IP spoofing and covers Domain 1 of the Security+ exam. Basic Internet routing is based on the destination IP address, so a router with a default configuration forwards packets based only on the destination IP address. In IP spoofing, an attacker gains unauthorized access to a network by making it appear (by faking the IP address) that traffic has come from a trusted source.

Because routers are the lifeblood of the network, it is important to properly secure them. The security that is configured when setting up and managing routers can make the difference between keeping data secure and providing an open invitation to hackers. The following are general recommendations for router security:

  • Create and maintain a written router security policy. The policy should identify who is allowed to log into the router and who is allowed to configure and update it. The policy also should outline the logging and management practices.

  • Comment and organize offline master editions of your router configuration files. Keep the offline copies of all router configurations in sync with the actual configurations running on the routers.

  • Implement access lists that allow only the protocols, ports, and IP addresses that network users and services require. Deny everything else.

  • Test the security of your routers regularly, especially after any major configuration changes.

Keep in mind that, no matter how secure your routing protocol is, if you never change the default password on the router, you leave yourself wide open to attacks. At the opposite end of the spectrum, a router that is too tightly locked down can turn a functional network into a completely isolated network that does not allow access to anyone.


Switches are the most common choice when it comes to connecting desktops to the wiring closet. Switches generally operate at the data link layer (Layer 2) of the OSI model. Their packet-forwarding decisions are based on Media Access Control (MAC) addresses. Switches allow LANs to be segmented, thus increasing the amount of bandwidth that goes to each device. Each segment is a separate collision domain, but all segments are in the same broadcast domain. Here are the basic functions of a switch:

  • Filtering and forwarding frames

  • Learning MAC addresses

  • Preventing loops

Managed switches are configurable. You can implement sound security with your switches similarly to configuring security on a firewall or a router. Managed switches allow control over network traffic and who has access to the network. In general, you do not want to deploy managed switches using their default configuration. The default configuration often does not provide the most secure network design. In such cases, these switches require no Layer 2 functionality.

A design that properly segments the network can be accomplished using VLANs. VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. VLANs are a logical separation of a physical network and often combine Layer 2 and Layer 3 switches. Layer 3 switches can best be described as routers with fast forwarding done through hardware. Layer 3 switches can perform some of the same functions as routers and offer more flexibility than Layer 2 switches.

Designing the network the proper way from the start is important to ensure that the network is stable, reliable, and scalable. Physical and virtual security controls must be in place. Locate switches in a physically secure area, if possible. Be sure that strong authentication and password policies are in place to secure access to the operating system and configuration files.


Port security is a Layer 2 traffic control feature on switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses to come in through the port. Its primary use is to keep two or three users from sharing a single access port. You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. By default, a port security violation forces the interface into the error-disabled state. Port security can be configured to take one of three actions upon detecting a violation. In addition to using the default shutdown mode, you can set protect mode or restrict mode. In protect mode, frames from MAC addresses other than the allowed addresses are dropped. Restrict mode is similar to protect mode, but it generates a syslog message and increases the violation counter.
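To make the three violation modes concrete, here is a small simulation of a secure switch port, added here as an illustration (it is not code from the book and does not model any particular vendor's implementation). The port sticky-learns source MAC addresses up to the configured maximum and then applies the selected violation mode; the MAC addresses and the frame sequence are constructed sample data, and the assumption that shutdown mode also logs and counts the violation is mine.

```python
"""Simulation of switch port security violation modes (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SecurePort:
    max_secure: int = 1                 # maximum number of secure MAC addresses
    mode: str = "shutdown"              # "shutdown" (default), "protect" or "restrict"
    secure_macs: Set[str] = field(default_factory=set)
    err_disabled: bool = False          # shutdown mode puts the port here
    violations: int = 0                 # violation counter
    syslog: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.err_disabled:
            return False                # error-disabled port forwards nothing
        src_mac = src_mac.lower()
        if src_mac in self.secure_macs:
            return True                 # known secure address
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(src_mac)   # sticky-learn until the limit is hit
            return True
        # The address is outside the allowed group: handle the violation.
        if self.mode == "shutdown":
            # Assumption: shutdown mode also counts and logs the event.
            self.err_disabled = True
            self.violations += 1
            self.syslog.append(f"port err-disabled after violation from {src_mac}")
        elif self.mode == "restrict":
            self.violations += 1
            self.syslog.append(f"violation from {src_mac} dropped")
        # protect mode: drop silently, no counter, no syslog
        return False


def run_scenario(mode: str) -> Tuple[List[bool], SecurePort]:
    """Constructed frame sequence: one legitimate host, one intruder, then the
    legitimate host again. Returns the per-frame forwarding decisions."""
    port = SecurePort(max_secure=1, mode=mode)
    frames = [
        "aa:bb:cc:00:00:01",   # legitimate workstation, learned as secure
        "aa:bb:cc:00:00:01",
        "de:ad:be:ef:00:02",   # second device plugged into the same port
        "aa:bb:cc:00:00:01",   # legitimate host after the violation
    ]
    return [port.ingress(m) for m in frames], port


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        decisions, port = run_scenario(mode)
        print(mode, decisions, "violations:", port.violations, port.syslog)
```

The fourth frame is the important one: in shutdown mode the legitimate host loses connectivity too, because the whole port is error-disabled, while protect and restrict only drop the offending frames, and only restrict leaves a log trail for the operations team.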

A flood guard is an advanced firewall guard feature used to control network activity associated with DoS attacks and distributed denial-of-service (DDoS) attacks.

For example, in Cisco firewalls, the floodguard command is enabled by default and the firewall actively reclaims TCP user resources when an inbound or outbound authorization connection is being attacked. Flood guards are available as either standalone devices or firewall components.
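The following added example models the idea behind a flood guard: a bounded table of half-open (embryonic) TCP connections in which the oldest entries are reclaimed once the table is full, so a SYN flood cannot exhaust connection state needed by legitimate clients. It is an illustration written for this page, not the Cisco floodguard implementation or code from the book; the threshold of eight entries, the server and client addresses, and the event sequence are constructed sample data.

```python
"""Bounded half-open connection table with reclaim (added example)."""
from collections import Counter, OrderedDict
from typing import List, Tuple


class FloodGuard:
    def __init__(self, max_embryonic: int = 8):
        self.max_embryonic = max_embryonic
        # (client, server) -> True, ordered oldest first
        self.embryonic: "OrderedDict[Tuple[str, str], bool]" = OrderedDict()
        self.per_source: Counter = Counter()   # half-open entries per client IP
        self.reclaimed = 0                     # entries evicted by the guard
        self.established = 0                   # handshakes completed
        self.ignored_acks = 0                  # ACKs with no matching SYN

    @staticmethod
    def _ip(endpoint: str) -> str:
        return endpoint.rsplit(":", 1)[0]

    def on_syn(self, client: str, server: str) -> None:
        key = (client, server)
        if key in self.embryonic:
            self.embryonic.move_to_end(key)    # retransmitted SYN: refresh age
            return
        # Table full: reclaim the oldest half-open entries instead of
        # refusing service or running out of state.
        while len(self.embryonic) >= self.max_embryonic:
            old_key, _ = self.embryonic.popitem(last=False)
            self.per_source[self._ip(old_key[0])] -= 1
            self.reclaimed += 1
        self.embryonic[key] = True
        self.per_source[self._ip(client)] += 1

    def on_ack(self, client: str, server: str) -> bool:
        """Complete the handshake; returns False if no SYN was pending."""
        if self.embryonic.pop((client, server), None) is None:
            self.ignored_acks += 1
            return False
        self.per_source[self._ip(client)] -= 1
        self.established += 1
        return True

    def top_sources(self, n: int = 3):
        """Clients holding the most half-open entries, a useful alert signal."""
        return self.per_source.most_common(n)


def build_sample_events() -> List[Tuple[str, str, str]]:
    """Constructed trace: two legitimate handshakes around a SYN flood."""
    srv = "192.0.2.5:80"
    events = [("SYN", "198.51.100.10:40001", srv), ("ACK", "198.51.100.10:40001", srv)]
    events += [("SYN", f"203.0.113.7:{50000 + i}", srv) for i in range(12)]
    events += [("SYN", "198.51.100.11:40002", srv), ("ACK", "198.51.100.11:40002", srv)]
    events += [("ACK", "198.51.100.12:40003", srv)]   # stray ACK, no SYN seen
    return events


def simulate(events, max_embryonic: int = 8) -> FloodGuard:
    guard = FloodGuard(max_embryonic)
    for kind, client, server in events:
        if kind == "SYN":
            guard.on_syn(client, server)
        else:
            guard.on_ack(client, server)
    return guard


if __name__ == "__main__":
    g = simulate(build_sample_events())
    print("established:", g.established, "reclaimed:", g.reclaimed,
          "half-open:", len(g.embryonic), "top:", g.top_sources(1))
```

In the trace, the flood fills the table, four flood entries are reclaimed during the flood itself and a fifth is reclaimed to make room for the second legitimate client, whose handshake still completes; the per-source counter also points straight at the flooding address, which is what a detection rule would key on.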


Bridges are often used when two different network types need to be accessed. Bridges provide some network layer functions, such as route discovery, as well as forwarding at the data link layer. They forward only those packets that are destined for the other network. Several types of bridges exist:

  • Transparent basic bridge: Acts similarly to a repeater. It merely stores traffic until it can move on.

  • Source routing bridge: Interprets the routing information field (RIF) in the LAN frame header.

  • Transparent learning bridge: Locates the routing location using the source and destination addresses in its routing table. As new destination addresses are found, they are added to the routing table.

  • Transparent spanning bridge: Contains a subnet of the full topology for creating a loop-free operation.

Looping problems can occur when a site uses two or more bridges in parallel between two LANs to increase the reliability of the network. A major feature in Layer 2 devices is Spanning Tree Protocol (STP), a link-management protocol that provides path redundancy while preventing undesirable loops in the network. Multiple active paths between stations cause loops in the network. When loops occur, some devices see stations that appear on both sides of the device. This condition confuses the forwarding algorithm and allows duplicate frames to be forwarded. This situation can occur in bridges as well as Layer 2 switches.

A bridge loop occurs when data units can travel from a first LAN segment to a second LAN segment through more than one path. To eliminate bridge loops, existing bridge devices typically employ a technique referred to as the spanning tree algorithm. The spanning tree algorithm is implemented by bridges interchanging special messages known as bridge protocol data units (BPDUs). The STP loop guard feature provides additional protection against STP loops.

An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs, based on the port role. The loop guard feature makes additional checks. If BPDUs are not received on a nondesignated port and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state instead of the listening/learning/forwarding state. Without the loop guard feature, the port assumes the designated port role. The port then moves to the STP forwarding state and creates a loop.
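The difference loop guard makes is easiest to see on a timeline, so here is an added simulation of a single non-designated (blocking) port that stops receiving BPDUs; it is illustrative code written for this page, not from the book or any switch vendor. It uses the classic STP defaults of a 20-second max age and a 15-second forward delay, ticks once per simulated second, and assumes BPDUs arrive every two seconds until a constructed cut-off at second 10.

```python
"""STP blocking port with and without loop guard (added example)."""
from typing import Dict, Optional

MAX_AGE = 20        # seconds without BPDUs before the stored BPDU expires
FORWARD_DELAY = 15  # seconds spent in listening and again in learning


class StpPort:
    def __init__(self, loop_guard: bool):
        self.loop_guard = loop_guard
        self.role = "alternate"      # non-designated port in a redundant topology
        self.state = "blocking"
        self.last_bpdu = 0.0
        self.entered = 0.0           # when the current state was entered

    def receive_bpdu(self, now: float) -> None:
        self.last_bpdu = now
        if self.state == "loop-inconsistent":
            # BPDUs are back: loop guard recovers the port automatically.
            self.state, self.role = "blocking", "alternate"

    def tick(self, now: float) -> str:
        if self.state == "blocking" and now - self.last_bpdu > MAX_AGE:
            if self.loop_guard:
                # Loop guard: no BPDUs on a non-designated port is suspicious,
                # so hold the port in the loop-inconsistent blocking state.
                self.state = "loop-inconsistent"
            else:
                # Plain STP: the port assumes the designated role and starts
                # the transition towards forwarding, which closes the loop.
                self.role, self.state, self.entered = "designated", "listening", now
        elif self.state == "listening" and now - self.entered >= FORWARD_DELAY:
            self.state, self.entered = "learning", now
        elif self.state == "learning" and now - self.entered >= FORWARD_DELAY:
            self.state = "forwarding"
        return self.state


def run_timeline(loop_guard: bool, bpdu_stop: int = 10,
                 resume_at: Optional[int] = None, end: int = 70) -> Dict[int, str]:
    """Return the port state at every simulated second. BPDUs arrive every
    2 s up to bpdu_stop and, if resume_at is given, again from that second."""
    port = StpPort(loop_guard)
    history: Dict[int, str] = {}
    for now in range(end + 1):
        bpdu_due = now % 2 == 0
        if bpdu_due and (now <= bpdu_stop or (resume_at is not None and now >= resume_at)):
            port.receive_bpdu(now)
        history[now] = port.tick(now)
    return history


if __name__ == "__main__":
    for guard in (False, True):
        h = run_timeline(loop_guard=guard)
        changes = {t: s for t, s in h.items() if t == 0 or s != h[t - 1]}
        print("loop guard" if guard else "no loop guard", changes)
```

Without loop guard the port goes listening at second 31, learning at 46 and forwarding at 61, the sequence that creates the loop described above; with loop guard it parks in loop-inconsistent at second 31 and returns to blocking as soon as BPDUs reappear.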

Source: https://www.pearsonitcertification.com/articles/article.aspx?p=2861453&seqNum=2
