Security 020 at CompTIA

Dan K.

• 26

cards

LAN Review

local area network (LAN) technologies, including devices, architectures, and secure networking principles.

SECURING NETWORKS

discussing network devices and how to configure them securely, the design elements that go into a secure network, and, finally, different security methods and technologies that help make up secure network administration.

Securing Network Devices

Firewalls

We’ll discuss the security aspects of routers, switches, and load balancers as well

Firewalls

specialized hardware device or software that runs on a traditional operating system.

separate networks and filter traffic between those networks.

inspecting the traffic based upon preconfigured rules

separates the public network (such as the Internet) from the internal private network.

blocks undesirable traffic from coming in and prevents sensitive traffic from going out.

ingress filtering, vs egress filtering.

network-based (usually hardware devices) or host-based (usually software-based

Network-based firewalls protect entire network segments.

Firewalls can filter traffic based upon criteria,

port, protocol, network service, time-of-day, source or destination host, and even users or entire domains.

advanced firewalls do deep-level traffic inspection, denied due to the content of its traffic.

HTTP traffic is normally allowed through a firewall, so firewall rules might allow it based upon protocol alone.

advanced firewall might inspect the HTTP traffic and discover that a hacker has embedded malicious code into this traffic.

In this case, the firewall would drop the traffic and possibly alert the administrator to it, or at least write the event to a log.

Routers

send IP traffic from one LAN to another, usually across a wide area network (WAN).

As a security device, mirrors what a firewall can do, although not at the same level.

router can also filter traffic just as a firewall does.

criteria might include source or destination IP addresses or domain, port, protocol, service, and so on.

Additionally, this is not the router’s main function

Using a router to filter traffic offloads the “low-hanging fruit” of bad traffic.

more complex traffic requiring the advanced features of a firewall are passed through and left for the firewall to deal with.

Switches

separate collision domains

cut down on the amount of network “noise”

Where a router separates LANs

a switch segments LANs

a switch can be used to prevent network sniffing.

switch eliminates the ability of a sniffer to “hear” traffic from other hosts.

The only way a sniffer can be used on a switched network is to place it explicitly on a spanned port

prevent unauthorized hosts from connecting to the network.

port security allows, only specified MAC addresses

logically separate hosts into entirely different LANs, called virtual LANs (VLANs).

separate sensitive hosts from other hosts based upon a logical VLAN assignment.

Load Balancers

provide efficient and rapid workload sharing between network devices

providing for high availability.

This helps provide for efficiency, eliminates delays or latency, and provides for system and data availability in the event that a member of the cluster is unable to fulfill requests.

It may base its decisions on network traffic conditions, for example, or it may use a turn-based system (otherwise known as a round-robin type of system).

NAC

prohibiting hosts from connecting to the organization’s infrastructure unless they meet certain criteria.

entry point or gateway into the network, typically for remote or mobile clients.

This device checks the health and security settings of the client

For example, a NAC device could check for the latest antivirus signatures,

update the client dynamically

A NAC could also be used to authenticate devices, allowing only authorized devices to connect.

Normally, a NAC would be placed on a secure segment within a demilitarized zone (DMZ) network.

SECURE NETWORK DESIGN

how and where to place different components makes a difference in whether these secure network devices are effective at doing their job.

In the next few sections, we’ll discuss elements of secure network design, such as DMZs, VLANs, and so on.

Secure Architecture

take into account the entry and exit points (logical and physical), traffic flows, placement of devices, traffic filtering, and network separation.

These considerations affect the design and structure of the network, both from performance and security points of view.

Bastion Host

a single secure host could separate an internal network from an external or non-secure network.

This is referred to as a bastion host and is usually a single hardened device that provides a choke point for traffic entering into and leaving from the internal network.

A bastion host has several issues, however.

First, it is a single point of failure.

Second, performance could be an issue during high traffic situations

an attacker has to get through only one host

DMZ

a perimeter network structure, consisting of security devices and other hosts that serve as a buffer between the internal network and any other non-secure networks, such as the Internet.

A DMZ provides a buffer for traffic coming into the organization’s networks.

also sends traffic to an appropriate network location.

So the web server would be placed in the DMZ, and security devices would route the appropriate traffic to that particular host.

You normally would not put any host in the DMZ that contains sensitive data,

some designs include the use of two firewalls,

a secure DMZ segment might be used for a business partner, for example.

Network Separation

sensitive hosts can be segregated from others, protecting them from unwanted access.

Hosts can be assigned to different networks,

plugging hosts into physically separate devices

Logical separation, on the other hand, enables administrators to separate hosts, and entire network segments, based upon the use of network protocols, such as IP, while maintaining flexibility, security, and functionality.

Logical separation involves the use of different IP subnetworks, VLANs, Network Address Translation (NAT), and other means.

Subnetting

divide up networks (based upon IP address ranges) logically into separate subnetworks (subnets).

This lets you place hosts logically in a different network,

divide up those networks based upon the number of bits in the subnet mask.

Organizations subnet the default address classes to gain more networks,

IP address of 192.121.14.7

host is on the 192.121.14.0 network,

254 possible host addresses

subnet that address

new subnet mask of 255.255.255.128

two new network IDs, 192.121.14.0 and 192.121.14.128.

126 possible host addresses

used to segment groups of hosts from each other.

separating networks can cut down on traffic that may affect availability, such as broadcast traffic.

convenient grouping for hosts to which policies can be assigned when applying security policies in routers, firewalls, and other security devices.

Subnets can be physically separated, enabling some degree of physical security, but they can also be logically separated, as in the case of VLANs, discussed next.

VLAN Management

VLANs are created on layer 3 switches, by configuring the switches to establish and recognize VLANs with certain characteristics.

These characteristics include a particular IP subnet as well as VLAN membership.

Different hosts can be assigned to different VLANs, even if they are plugged into the same switch and sitting right next each other.

VLANs contribute to security because they allow administrators to separate hosts from each other, usually based upon sensitivity.

You can control what types of traffic can enter or exit the VLAN, and you can restrict access to hosts on that VLAN via a single policy.

You can also provide for increased network performance by using VLANs to eliminate broadcast domains

NAT

IP version 4 (IPv4) address space was at its limits.

provide a way for larger organizations to use very limited numbers of public IP addresses, NAT was used, along with the private IP address space mentioned earlier.

a network device capable of handling public-to-private IP address mappings, such as a router or security device.

a few public IP addresses.

public IP addresses can be dynamically mapped to internal private IP addresses during communications sessions.

ways to do this.

one public IP address could be temporarily mapped to a single private IP address.

Or a public IP address could be mapped to a pool of private IP addresses.

Port Address Translation (PAT),

internal client’s source port is kept in a table

used in the translation process,

the device handling NAT knows which client the traffic is intended for.

use a pool of public IP addresses, if you have more than one, in the same manner.

static NAT, which creates a persistent mapping of a public IP address to a private one.

internal host needs to receive traffic constantly from external clients, such as a web server.

NAT enables the organization to hide its internal IP address range from external networks and clients.

prevent attacks on particular hosts,

prevent certain types of attacks that require spoofing of a victim’s IP address.

Secure Network Administration Principles

using security devices

how they are placed

securely administering a network.

day-to-day administration of the network is vitally important to ensure that it stays up and running and remains secure.

ways that you can keep your networks available and ensure the confidentiality and integrity of the data and systems that use it.

Rule-Based Management

security devices use rule-based management configuration

rules tell the device how to filter made up of parameter you configure as part of the rule.

include filterable elements, such as port, protocol, service, user, source or destination addresses, and so on.

preconfigured groups or domains as rule elements.

take allow or deny actions.

elements that allow you to log a particular event,

listed in a sequential form, traffic enters the device, checked against each rule, one at a time

traffic matches rule checking process normally stops; And if there’s no match, rule checking continues.

If no match occurs traffic is usually dropped implicit deny

Implicit Deny

The concept of implicit deny essentially means that after all other rules have been applied in a rule set, whether they are allow or deny rules, any traffic that makes it through all of those rules without a match is automatically denied.

In some firewall rule sets, an implicit deny is enough;

some administrators still choose to place a catch-all explicit deny rule at the bottom of the rule set,

placed at the very bottom of the rule set.

Rule placement is very important, as you can see, within a rule set.

Access Control Lists

Access control lists (ACLs), when discussed in the networking context, are simply rule sets that are normally found on network devices, usually routers.

They usually follow the same types of rules that we discussed earlier regarding firewall rule sets.

firewalls can normally perform advanced filtering operations

ACLs, on the other hand, are usually very simplistic,

An ACL is normally applied to each interface of a router,

only the very basic elements used in traffic filtering

port, protocol, source IP address or destination IP address, and so on.

Secure Router Configuration

securely managing routers.

several aspects.

use of ACLs is a must;

impose different security rules on different network interfaces,

keeping the router OS updated and patched

applying the principle of least privilege to router access.

only authorized network administration personnel should be able to access

only through a secure means, such as SSH, for example.

Telnet, should be disabled,

Physical interfaces to the router should be disabled unless absolutely needed;

using only a secure version of the Simple Network Management Protocol (SNMP).

You should use at least a minimum of SNMP version 3

change the community strings used for the SNMP configuration

Follow the minimum functionality principle

avoid the use of unsecure protocols whenever practical

FTP, TFTP, and of course Telnet.

802.1X

port security is an important concept

securing the physical ports that allow hosts to plug into a network device

logically securing those ports.

Ports configured such that only specified hosts can connect to them

based upon MAC address or other criteria.

Ports should be completely turned off

One key security control

iport-based authentication system,

IEEE standard 802.1X.

provides for port-based authentication

used on both wired and wireless networks.

More commonly seen on wireless networks,

only when a more robust security method, such as WPA/WPA2 Enterprise is used.

802.1X can use a wide variety of authentication protocols

Extensible Authentication Protocol (EAP),

and allows for user and device authentication as well.

provides for mutual authentication among users, hosts, and the network.

can be implemented on network devices to provide for authentication of wired devices.

Any unauthorized host attempting to connect is denied access and unable even to detect any traffic.

Flood Guards

flooding from excessive or malformed traffic that enters a network.

SYN floods, which are excessive amounts of SYN segments sent to a host

denial-of-service attack against it.

ICMP floods,
(UDP) floods,
MAC floods,

conduct denial-of-service attacks

hosts and network devices don’t always react very favorably to excessive amounts of traffic or malformed traffic.

flooding is a routine tactic

modern network devices have flood protection built into their systems.

detecting excessive traffic
take steps to block the traffic or drop it

Loop Protection

more than one logical or physical path exists between two networks.

multiple physical cables are plugged into ports

device tries to adjust for the new network conditions, sometimes sending wrong or excessive traffic out to the different networks.

this traffic can loop right back

Loops contribute to an increased amount of unnecessary network traffic,

affects network availability.

Hosts may be unable to communicate

mechanisms built into their operating system to check for looping conditions and correct them.

This may mean rerouting traffic or reconfiguring ports on the fly,

From a security perspective, loop protection is very important, since network availability is a security issue.

Remote Access

dial-up over a modem, ISDN services, and of course VPN connections.

Remote access these days typically means VPN connections, some type of remote desktop connections, or even remote shells.

Two critical elements in remote access are encryption and authentication.

All of these connection methods require encryption and authentication.

most common types of protocols

IPsec for security,

Layer 2 Tunneling Protocol (L2TP) tunneling and encapsulation protocol.

Another common type of VPN connection uses secure sockets layer (SSL).

ensure that remote access connections are authenticated as well as encrypted.

The VPN client and the concentrator side must support the same levels of encryption and authentication, which should be configured in advance; otherwise, a secure connection can’t be established.

For remote shell connections, ensure that you’re using only secure protocols, such as SSH, for example.

Telnet, rexec, and rsh (remote shell), are non-secure

SSH, provides for secure authentication and encryption

can use public and private key technologies to generate key pairs and certificates for local and remote hosts.

SSH can be used for secure file copy

using SCP

and secure file transfer for multiple hosts (with SFTP).

Remote desktop technologies provide varying degrees of security,

non-secure remote desktop protocols can be tunneled through other secure protocols, such as IPsec, SSL, or SSH.

Telephony

unify all communication services, including voice, into the network,

network and security administrators are controlling more telephone and voice services in their jobs.

Previous telephone setups involved PBX internal telephone switch

Older security vulnerabilities with PBXs were associated with a lack of administrative controls

accounts and passwords, backdoor entry points via dial-up, and the lack of auditing.

take advantage of poorly configured PBXs to access the organization’s network,

use the phone switch to make free long-distance phone calls,

Voice-over-IP (VoIP) protocols are more secure,

VoIP can use firewalls, VLANs, and even encryption.

VoIP is vulnerable to several attacks, including spoofing, denial-of-service, interception and eavesdropping, and spam.

Recent Class Questions

security+ final exam answers

which of the following is a specific set of actions used to encrypt data?