• Security Zones: Segments with distinct trust levels (Internet, DMZ, Internal, Management/OOB); traffic controlled by firewalls/ACLs
• DMZ/Screened Subnet: Buffer zone between Internet and LAN; hosts public services (web, email, DNS); access from the DMZ into the internal network is restricted to the specific flows those services need
• Single Points of Failure (SPoF): One device/link failure brings down service; mitigate via redundant paths, HSRP/VRRP, dual-homing, and UDLD for fiber links
• Complex Dependencies: Hidden inter-service reliance (e.g., DNS failure breaks auth); document flows to prevent cascade failures
• Availability vs. Confidentiality: High-availability designs may sacrifice strict segmentation (e.g., disabling deep inspection to reduce latency); balance with business needs
• Documentation/Change Control: Lack of network diagrams or ad-hoc changes creates shadow routes and misconfigured ACLs; enforce version-controlled updates
• Overdependence on Perimeter: "Hard shell, soft center" risk; once inside, lateral movement is easy—requires internal segmentation (Zero Trust)
• Physical Port Security: Lockable switch cabinets, port locks, disabled unused ports (administratively down) to prevent rogue device insertion
• MAC Filtering: Static MAC address tables or sticky MAC (learned dynamically then locked); prevents MAC spoofing but hard to scale
• 802.1X: Port-based NAC; Supplicant (client) → Authenticator (switch) → Authentication Server (RADIUS); EAP methods (PEAP, EAP-TLS) tunnel credentials
• RADIUS: Central AAA for network access; UDP 1812/1813; supports EAP for wireless/dot1x
• Air Gap: Physically isolated network (no external connectivity); protects critical ICS/SCADA but patch management requires manual media (sneakernet), increasing operational friction
• Placement: Inline (traffic must pass through—firewalls, IPS); Zone Border (between trust zones); Within Zone (internal segmentation); Tap/Span (passive monitoring for IDS)
• Traditional Firewall: Stateless packet filter (ACLs on IPs/ports); inspects headers only, no session awareness
• Stateful Firewall: Tracks connection state (TCP handshake, session tables); allows return traffic automatically; blocks unsolicited inbound
• Layer 4/7 Firewalls: L4 = TCP/UDP port inspection; L7 = Application-layer (inspects HTTP, DNS payload); NGFW combines both with integrated IPS, app-ID, and threat intelligence
• Proxy Server: Intermediary for outbound traffic; hides internal IPs (NAT), caches content, inspects SSL/TLS (MITM for security), enforces URL filtering
• IDS vs IPS: IDS (Detection) = passive alerts (out-of-band); IPS (Prevention) = inline blocking (latency risk); both use signatures and anomaly detection
• UTM: All-in-one appliance (NGFW + VPN + IDS/IPS + AV + content filter); convenient for SMBs but single point of failure/performance bottleneck
• WAF: Web Application Firewall; Layer 7 proxy specifically for HTTP/S; blocks SQLi, XSS, CSRF; placed in front of web servers/DMZ
• Load Balancers: Distribute traffic across pools; Algorithms: Round-Robin (sequential), Least Connections, Weighted (capacity-based), IP Hash (session persistence); health checks remove failed nodes
• Site-to-Site VPN: Connects branch offices to HQ; encrypted tunnel over public Internet; typically IPsec (L3) or SSL/TLS (L4/7)
• IPsec: Protocol suite for integrity/confidentiality (AH = integrity and authentication only, ESP = confidentiality plus integrity); IKE (Internet Key Exchange, v1/v2) negotiates tunnels: Phase 1 (peer authentication/key exchange), Phase 2 (data tunnel)
• TLS Tunneling: SSL VPN (TCP 443); clientless (browser) or thick-client; traverses NAT/firewalls more easily than IPsec because it rides on standard HTTPS, but operates at the application layer rather than L3
• Remote Desktop: RDP (TCP 3389); high-risk if exposed to Internet (brute force); use VPN or Gateway (RD Gateway) with MFA
• SSH: Secure remote shell (TCP 22); use key-based auth, disable root login, non-standard ports for obscurity (security through obscurity layer)
• Out-of-Band (OOB) Management: Isolated network for device administration (dedicated NICs, serial consoles); prevents lateral compromise from production network
• Jump Server (Bastion Host): Hardened intermediary in DMZ; admins SSH/RDP to jump box first, then to internal targets; logs all sessions, restricts direct internal access
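Added example (not part of the original notes): a small Python model of the stateless ACL versus the stateful session table contrasted above, showing why only the stateful filter can admit return traffic while still dropping unsolicited inbound connections. All addresses and ports are constructed.

```python
# Added example, not from the original notes: stateless ACL vs. stateful filter.
# Internal zone and all packets below are constructed sample values.
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed internal zone


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True = attempt to open a new TCP connection


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def stateless_allow(pkt: Packet) -> bool:
    """Header-only ACL. To let replies reach clients' ephemeral ports it must
    permit all inbound traffic to ports >= 1024, which also admits unsolicited
    connections to those ports: it cannot tell a reply from a new attempt."""
    return is_internal(pkt.src) or pkt.dport >= 1024


class StatefulFilter:
    """Records sessions opened from inside; inbound packets are allowed only if
    they match the reverse of a tracked (int_ip, int_port, ext_ip, ext_port)."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):                      # internal -> external
            if pkt.syn:                               # new outbound session
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # external -> internal: admit only return traffic of a known session
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo() -> dict[str, bool]:
    fw = StatefulFilter()
    out_syn = Packet("10.0.0.5", 51000, "203.0.113.7", 443, syn=True)
    reply = Packet("203.0.113.7", 443, "10.0.0.5", 51000)      # legitimate reply
    rogue = Packet("198.51.100.9", 4444, "10.0.0.5", 51000, syn=True)  # unsolicited
    return {
        "stateless_reply": stateless_allow(reply),   # True
        "stateless_rogue": stateless_allow(rogue),   # True: ACL cannot tell them apart
        "stateful_out": fw.allow(out_syn),           # True, session recorded
        "stateful_reply": fw.allow(reply),           # True, matches session
        "stateful_rogue": fw.allow(rogue),           # False, no matching session
    }
```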
Quick Checks: Stateful tracks sessions; NGFW adds app control; IPS blocks inline (latency), IDS alerts only; 802.1X needs RADIUS; Air gap = high security, low agility; DMZ is not LAN—limit east-west from DMZ to internal.