Limiting Traffic to Enhance Network Security
Question
You are a network designer and have been asked to consult with your server operations team to further enhance the security of the network.
The operations team provides you with these details about the network: - A pool of servers is accessed by numerous data centers and remote sites.
- The servers are accessed via a cluster of firewalls.
- The firewalls are configured properly and are not dropping traffic.
- The firewalls occasionally cause asymmetric routing of traffic within the server data center.
Which technology would you recommend to enhance security by limiting traffic that could originate from a hacker compromising a workstation and redirecting flows at the servers?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.D.
In this scenario, the goal is to enhance network security by limiting the traffic that could potentially be originated by a hacker who has compromised a workstation and redirecting flows at the servers.
Option A: Access control lists (ACLs) can be used to limit the sources of traffic that exit the server-facing interface of the firewall cluster. ACLs can filter traffic based on source IP address, destination IP address, and other parameters. While ACLs can be an effective security measure, they do not directly address the issue of asymmetric routing caused by the firewalls.
Option B: Poisoning certain subnets by adding static routes to Null0 on the server farm core switches is a technique used to prevent traffic from reaching a particular subnet. This can be useful in situations where traffic needs to be blocked, but it does not address the issue of asymmetric routing caused by the firewalls.
Option C: Unicast Reverse Path Forwarding (uRPF) in strict mode is a security feature that validates the source IP address of the incoming packet against the routing table. If the source IP address is not found in the routing table, the packet is dropped. This technique can prevent spoofing attacks where the attacker modifies the source IP address of a packet to bypass security measures. However, strict mode uRPF can also cause legitimate traffic to be dropped if the routing table is not properly updated.
Option D: Unicast Reverse Path Forwarding (uRPF) in loose mode is a less restrictive version of strict mode uRPF. In loose mode, the source IP address is validated against the routing table, but the packet is not dropped if the source IP address is not found in the table. Instead, the packet is forwarded to the Null0 interface, where it is dropped. Loose mode uRPF can prevent spoofing attacks and can also mitigate the asymmetric routing caused by the firewalls.
Based on the information provided, option D is the most appropriate choice as it addresses the issue of asymmetric routing caused by the firewalls and provides an additional layer of security by preventing traffic from reaching its destination if it is originating from a potentially compromised workstation. However, it is important to note that uRPF in loose mode can have performance implications, so it should be carefully implemented and tested in a lab environment before deploying it in production.
