
Understanding SAFE Network Modules

In the document CCSP CSI Exam Certification Guide (Pages 75-79)

This chapter introduces the module construct of the “SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks” blueprint. In general, a network that is based on the SAFE design principles tries to follow a modular concept when dividing out network functions. It is not required that the design adhere strictly to the SAFE blueprint; however, it is important to realize that the security benefits of SAFE are derived from these blueprints and can be realized only if the network design meets the blueprint recommendations.

“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 11-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time.

Table 4-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 4-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section                      Questions Covered in This Section
SAFE Modules Overview                          1
Understanding the Campus Module                2–5
Understanding the Corporate Internet Module    6–9
Understanding the WAN Module                   10–11

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following module(s) is not part of the “SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks” blueprint?

a. Campus module

b. E-Commerce module

c. Corporate Internet module

d. WAN module

e. Management module

2. Which of the following functions is not provided by the Layer 3 switch in the medium-sized network Campus module?

a. Routing and switching of production and management traffic

b. Distribution layer services such as routing, quality of service (QoS), and access control

c. Connectivity for the corporate and management servers

d. Firewall protections between VLANs

e. Traffic filtering between subnets

3. What does RFC 2827 cover in terms of network security?

a. RFC 2827 describes the address ranges for private networks.

b. RFC 2827 provides for the routing of VLAN traffic across a distribution switch.

c. RFC 2827 describes filtering to help reduce the risk of attack through source address spoofing.

d. RFC 2827 describes the process of setting up a connection between two systems using TCP.

e. RFC 2827 defines OSPF version 2.

4. What is the function of private VLANs in the SAFE blueprint and where are they implemented?

a. Private VLANs are used to help mitigate the risk associated with the exploitation of trust relationships, and they are implemented at the Layer 3 core switch.

b. Private VLANs are used to help mitigate the risk associated with VLAN hopping attacks, and they are implemented at the Layer 2 core switch.

c. Private VLANs are used to help mitigate the risk associated with VLAN hopping attacks, and they are implemented at the Layer 3 core switch.

d. Private VLANs are used to help mitigate the risk associated with the exploitation of trust relationships, and they are implemented at the Layer 2 distribution switches.


5. What is the purpose of the NIDS in the medium-sized Campus module?

a. To detect attacks originating from outside the Campus module that may result from a workstation compromised by an unauthorized dial-in modem or attacks from viruses, worms, or disgruntled employees.

b. To detect attacks originating from within the Campus module that may result from a workstation compromised by an unauthorized dial-in modem or attacks from viruses, worms, or disgruntled employees.

c. To detect attacks originating from within the Campus module that may result from a workstation compromised by an attacker gaining access through the Internet.

d. To detect attacks originating from outside the Campus module that may result from a workstation compromised by an attacker gaining access through the Internet.

e. The medium-sized network Campus module does not include a network intrusion detection appliance.

6. The ISP router is considered to be owned and managed by which of the following?

a. Owned by the ISP and managed by the ISP

b. Owned by the ISP and managed by the customer

c. Owned by the customer and managed by the ISP

d. Owned by the customer and managed by the customer

7. What is the primary purpose of the private VLANs in the medium-sized network Corporate Internet module?

a. To provide traffic segmentation for remote systems that are terminating their IPSec tunnels on the VPN concentrator

b. To mitigate trust exploitation attacks

c. To improve bandwidth outside of the firewall in the module

d. To facilitate the use of an IDS in the module

e. None of the above

8. Which of the following key devices are not present in the small network Corporate Internet module?

9. Where is the NIDS appliance(s) deployed in the medium-sized network Corporate Internet module blueprint?

a. In the public services segment

b. External to the firewall behind the edge router

c. Behind the firewall’s internal interface

d. On the VPN/remote-access segment of the firewall before the VPN concentrator

e. In front of the dial-in access server

10. Which of the following are factors in determining whether a WAN module is needed?

a. When there is an unjustifiable cost factor of migrating to IPSec VPNs

b. Whenever management feels that WANs are justified

c. When QoS requirements cannot be met through the use of IPSec VPNs

d. When private networks are needed for security reasons

e. When existing legacy WAN connections exist

11. Which of the following describe how ACLs are applied in the WAN module?

a. Inbound ACLs restrict the traffic that is permitted into the medium-sized network Campus module from the remote locations.

b. Inbound ACLs restrict the traffic that is permitted to reach the remote networks.

c. Outbound ACLs determine what traffic is permitted into the medium-sized network Campus module from the remote locations.

d. Outbound ACLs determine what traffic from the medium-sized network Campus module is permitted to reach the remote networks.

The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows:

9 or less overall score—Read the entire chapter. This includes the “Foundation Topics” and “Foundation Summary” sections, and the “Q&A” section.

10 or 11 overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section. Otherwise, move to the next chapter.


Foundation Topics
