CND (312-38) Network Defense Simulation
Welcome to this CND module. You will learn to identify the baseline infrastructure requirements for continuous network monitoring and persistent VPN tunnels.
Network Scenario
You are a Network Security Analyst tasked with securing connectivity for several remote branch offices. Corporate policy dictates a "Defense-in-Depth" strategy where all remote traffic must route through a centralized Next-Generation Firewall (NGFW) via a persistent IPsec VPN tunnel.
Furthermore, the local Intrusion Detection System (IDS) at the branch must continuously stream Syslog telemetry back to the centralized SIEM. To ensure the VPN tunnel remains active and telemetry is uninterrupted, the physical ISP connection type chosen must inherently support a continuous, active state without manual dialing or circuit-switching delays.
Traffic & Logs
Review the SIEM log snippet detailing VPN behavior from two different branch sites with different ISP link types:
Note: Branch A has an uninterrupted connection, while Branch B relies on an intermittent, dial-on-demand infrastructure.
Question
Expert Analysis
1. What is happening in the network
The network is experiencing intermittent telemetry and VPN tunnel drops from Branch B. Branch B uses an on-demand, circuit-switched connection that is torn down when idle, leaving gaps in security monitoring. Branch A maintains an always-on connection, so its telemetry streams to the SIEM without interruption.
2. Identify the behavior
This is an infrastructure availability issue affecting the organization's defense posture. If a site lacks an always-on connection, continuous monitoring (IDS logging, heartbeat checks) is impossible. Attackers can exploit the "dark time" when the tunnel is down, or the act of establishing the connection may be too slow to alert analysts of an ongoing intrusion.
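The SIEM log snippet the scenario refers to is not reproduced on this page, so the following added example (not part of the CND module) constructs a few syslog-style tunnel state events that mirror it: an always-on Branch A and a dial-on-demand Branch B whose tunnel drops on idle. The script parses the events, measures each site's "dark time" (the seconds its tunnel is DOWN, including a tunnel still down at the end of the analysis window) and flags sites that exceed a blind-spot threshold. Site names, tunnel names, timestamps and the `reason=` field are all constructed.

```python
"""Measure VPN 'dark time' per branch from SIEM tunnel-state events.

Added example, not the module's own material. SAMPLE_LOG is constructed to
mirror the scenario: Branch A stays up, Branch B's dial-on-demand link drops
whenever it idles.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed SIEM-normalised syslog events (not real telemetry).
SAMPLE_LOG = """\
2024-03-04T08:00:00Z branch-a vpn: tunnel hq-ipsec UP
2024-03-04T08:00:00Z branch-b vpn: tunnel hq-ipsec UP
2024-03-04T08:12:00Z branch-b vpn: tunnel hq-ipsec DOWN reason=idle-timeout
2024-03-04T08:47:00Z branch-b vpn: tunnel hq-ipsec UP reason=dial-on-demand
2024-03-04T09:05:00Z branch-b vpn: tunnel hq-ipsec DOWN reason=idle-timeout
2024-03-04T10:00:00Z branch-a vpn: dpd peer hq-ngfw alive
2024-03-04T10:30:00Z branch-b vpn: tunnel hq-ipsec UP reason=dial-on-demand
"""

# Only tunnel state transitions matter; DPD/heartbeat chatter is skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<site>\S+) vpn: tunnel (?P<tunnel>\S+) (?P<state>UP|DOWN)"
)


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed log format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, site, tunnel, state) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a tunnel state change
        events.append((_parse_ts(m["ts"]), m["site"], m["tunnel"], m["state"]))
    events.sort()
    return events


def dark_time(events, window_end: str) -> dict[str, dict]:
    """Per site: list of (down, up) gaps, gap count and total dark seconds.

    A tunnel still DOWN at window_end is counted as dark until window_end,
    since the SOC has had no telemetry from it since the drop.
    """
    end = _parse_ts(window_end)
    down_since: dict[tuple[str, str], datetime] = {}
    gaps: dict[str, list] = defaultdict(list)
    sites: set[str] = set()
    for ts, site, tunnel, state in events:
        if ts > end:
            break  # events are sorted; ignore anything after the window
        sites.add(site)
        key = (site, tunnel)
        if state == "DOWN":
            down_since.setdefault(key, ts)  # keep the earliest DOWN of a run
        elif key in down_since:
            gaps[site].append((down_since.pop(key), ts))
    for (site, _tunnel), since in down_since.items():
        gaps[site].append((since, end))  # open gap at end of window
    report = {}
    for site in sites:
        g = gaps.get(site, [])
        report[site] = {
            "gaps": g,
            "gap_count": len(g),
            "dark_seconds": sum((up - down).total_seconds() for down, up in g),
        }
    return report


def blind_spot_sites(report: dict[str, dict], max_dark_seconds: float = 300) -> list[str]:
    """Sites whose cumulative dark time exceeds the tolerated blind spot."""
    return sorted(s for s, r in report.items() if r["dark_seconds"] > max_dark_seconds)


if __name__ == "__main__":
    rep = dark_time(parse_events(SAMPLE_LOG), "2024-03-04T11:00:00Z")
    for site, r in sorted(rep.items()):
        print(f"{site}: {r['gap_count']} gap(s), {r['dark_seconds']:.0f}s dark")
    print("blind-spot sites:", blind_spot_sites(rep))
```

Run against the constructed sample with the window ending at 11:00, Branch A reports no gaps while Branch B reports two (35 and 85 minutes of dark time), which is exactly the pattern the analysis above describes; the same function fed a window ending at 10:00 shows how an unresolved DOWN is still charged as dark time.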
3. Why the correct answers are correct
B (Cable modem) & D (DSL): Both Digital Subscriber Line (DSL) and cable modems are broadband technologies that maintain constant synchronization with the ISP's equipment (the DSLAM at the local exchange for DSL, the CMTS for cable). They are inherently "always on", holding an active IP address lease and passing traffic at any time without a dial trigger, which makes them ideal for maintaining permanent VPN tunnels and real-time security logging.
4. Why the others are wrong
A (Digital modem) & C (Analog modem): Analog modems rely on the Public Switched Telephone Network (PSTN) to dial a connection. "Digital modem" usually refers to an ISDN terminal adapter, which likewise "dials" discrete B-channels on demand. Both are circuit-switched, transient connections that disconnect when idle to save costs, breaking continuous network monitoring.
5. Defensive action
Upgrade remote sites to broadband (DSL, Cable, or Fiber) connections. Configure the perimeter firewall/router at the remote site to establish a persistent site-to-site IPsec VPN with Dead Peer Detection (DPD) enabled to ensure the tunnel stays actively monitored by the SOC 24/7.
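As an added example of the defensive action above (not configuration from the CND module or from any vendor's NGFW), here is a branch-side strongSwan `swanctl.conf` fragment for a persistent IKEv2 site-to-site tunnel with Dead Peer Detection. The addresses use documentation ranges, the identities and subnets are assumed, and the pre-shared key is a placeholder. The settings that matter for an always-on tunnel are `start_action = start` (bring the tunnel up at daemon start rather than on the first interesting packet), `dpd_delay` (how long the peer may stay silent before a liveness check is sent), `dpd_action = restart` and `close_action = start` (re-establish instead of tearing down), and `keyingtries = 0` (retry indefinitely instead of giving up after a fixed number of attempts).

```conf
# Added example: branch office -> HQ NGFW, persistent IKEv2 tunnel with DPD.
# Addresses, identities and subnets are assumed; the PSK is a placeholder.
connections {
    branch-a-to-hq {
        version = 2
        # Branch WAN address and HQ NGFW address (documentation ranges, assumed)
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.1
        proposals = aes256-sha256-x25519
        # 0 = never stop retrying; the default gives up after one attempt
        keyingtries = 0
        # Send an IKEv2 liveness check after 30s with no traffic from the peer.
        # For IKEv2 the peer is declared dead when the retransmission schedule
        # for that check is exhausted (dpd_timeout applies to IKEv1 only).
        dpd_delay = 30s
        local {
            auth = psk
            id = branch-a.example.net
        }
        remote {
            auth = psk
            id = hq-ngfw.example.net
        }
        children {
            branch-lan {
                local_ts  = 10.10.0.0/24
                remote_ts = 10.0.0.0/16
                esp_proposals = aes256gcm16-x25519
                # Establish at startup, not when the first packet hits a trap policy
                start_action = start
                # On DPD failure re-establish the SA rather than leaving it down
                dpd_action = restart
                # If the peer closes the SA (e.g. reboot), reconnect at once
                close_action = start
            }
        }
    }
}

secrets {
    ike-branch-hq {
        id-1 = branch-a.example.net
        id-2 = hq-ngfw.example.net
        secret = "REPLACE-WITH-SHARED-SECRET"
    }
}
```

After editing the file, `swanctl --load-all` applies it and `swanctl --list-sas` shows whether the CHILD_SA is installed. The same `dpd_delay` events can be forwarded to the SIEM as the heartbeat that proves the tunnel, and therefore the IDS feed behind it, is alive.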
MINI LESSON: Network Availability & Security
- Continuous Telemetry: Modern SIEMs and SOC operations rely on uninterrupted data streams. Connection drops mean blind spots.
- On-Demand Vulnerability: Dial-on-demand routing (DODR) adds latency to alerting. An IDS that detects a critical event must wait for the dial-up process to complete before the alert reaches the SIEM, delaying incident response.
- Defense-in-Depth: Reliable physical layer (Layer 1/2) connectivity is the foundation of network security. Without it, higher-layer security controls (VPNs, SIEM, IDS) fail to operate effectively.