1. What are some common risks, threats, and vulnerabilities commonly found in the LAN-to-WAN Domain that must be mitigated through a layered security strategy? A layered security strategy will encompass Rouge protocols such as Bit mining and P2P, Unauthorized network scanning and probing, and unauthorized access to the network. 2. What is an Access Control List (ACL) and how is it useful in a layered security strategy? An ACL is a Control list which will allow or deny traffic or devices based on specifications defined in the ACL. This ACL generally is applied and configured on Firewalls. It is useful in a layered security approach because from an External standpoint it become the first line of defense when hosts attempt to connect to the network.
3. What is a Bastion Host? Provide an example of when a Bastion Host should be used and how. A “Bastion Host” is a host that is minimally configured software firewall containing only necessary software/services. These are also referred to as bare metal or “lite” and is managed to be overly secure through a minimalist approach. All traffic coming is directed to the Bastion or “screened host”. Outbound traffic is not sent through it. The most common threat to the Bastion Host is to the operating system that is not hardened with additional security applications.
4. Provide at least two examples of how the enclave requirement to place a firewall at the perimeter can be accomplished. a. Placing a firewall between two routers and another firewall before a DMZ would be the best requirement choice to use 5. What is the difference between a traditional IP Stateful Firewall and a Deep Packet Inspection Firewall? a. IP Stateful firewall inspection takes place in layer 4, when traffic attempts to traverse the firewall a requested a source port and a destination port pair become part of the session allowing the source to receive information. Stateful inspection firewalls solve the vulnerability of permitting all the high numbered ports by creating a table containing the outbound connections and their associated high numbered port(s). b. Firewalls utilizing deep packet inspection provides enhancements to Stateful firewalls’ Stateful firewall is still susceptible to attack even if the firewall is deployed and working as it should be. By adding application-oriented logic into the hardware, essentially combining IDS into the firewall traffic. Deep Packet Inspection uses an Attack Object Database to store protocol anomalies and attack traffic by grouping them by protocol and security level.
6. How would you monitor for unauthorized management access attempts to sensitive systems? Acl’s and audit logs can be leveraged to confirm which station is attempting to make the unauthorized connection. 7. Describe Group ID (Vulid): V-3057 in the Network IDS/IPS Implementation Guide provided by DISA? A management server is a centralized device that receives information from the sensors or agents 8. What is the significance of VLAN 1 traffic within a Cisco Catalyst LAN Switch? Describe the vulnerabilities associated if it traverses across unnecessary trunk. VLAN1 traffic will contain the STP or spanning tree traffic, CDP traffic, and Dynamic trunking traffic to name a few. If unnecessary traffic traverses the trunk it could cause the switch instability causing it to go down or become inoperable.
9. At what logging level should the syslog service be configured on a Cisco Router, Switch, or Firewall device? Syslogs traps should be configured at levels 0-6. Logging Level 2 10. Describe how you would implement a layered, security strategy within the LAN-to-WAN Domain to support authorized remote user access while denying access to unauthorized users at the Internet ingress/egress point. To implement a layered security strategy for remote user access, we would start with an application based login, such as a VPN -SSL authentication then pair it with LDAP on a radius or Tacacs+ service. LDAP is bound to Active directory which will leverage Role based access controls to check group permissions.
11. As defined in the Network Infrastructure Technology Overview, Version 8, Release 3, describe the 3 layers that can be found in the DISA Enclave Perimeter layered security solution for Internet ingress/egress connections (i.e., DMZ or Component Flow). 3 types of layers found in the Enclave Perimeter Component Flow include the Network layer security, Application layer security and security of the actual applications themselves. 12. Which device in the Enclave Protection Mechanism Component Flow helps mitigate risk from users violating acceptable use and unwanted websites and URL links? The Web Content Filter
13. True or False. The Enclave Protection Mechanism includes both an internal IDS and external IDS when connecting a closed network infrastructure to the public Internet. True, it is required to have external IDS as well as internal IDS. Requirements include having a firewall and IDS in between the
internet facing router and the internal, “premise”, and router. 14. True or False. Securing the enclave only requires perimeter security and firewalls. False, securing the enclave includes a layered firewall approach both on the inside and outside of the network. Sensitive data can be secured from other segments of the internal network (internal) as well as Internet links (external). 1
5. What is the primary objective of this STIG as is relates to network infrastructures for DoD networks? STIG, or Security Technical Implementation Guide, is an intended guide to decrease vulnerabilities and potential of losing sensitive data. The guide focuses on network security, giving security considerations for the implemented network. The STIG also covers the level of risks and the associated acceptable levels to said risks.