This chapter is the start of part 3 of CompTIA Security+… Architecture and Design.
Part of it is rehashing previous chapters (providing more details on security devices). Some of it is reviewing frameworks and very high-level methods of adding security.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Industry-Standard Frameworks and Reference Architectures
Industry-standard frameworks and reference architectures refer to conceptual blueprints that help to define the structure and operation of IT systems. They help align IT and security with an organization’s business strategy. Frameworks are more generic than architectures.
As far as Security+ is concerned, there are four major groupings of frameworks:
- Regulatory frameworks are typical for industries under government regulation.
- Non-regulatory frameworks are those that are neither industry-specific nor regulatory. Instead, they’re technology-focused. One such example is NIST’s Cybersecurity Framework (CSF). In the case of NIST CSF, it’s mandated for gov’t agencies, but voluntary for everyone else.
- National vs international refers to the frameworks developed and enforced by a governmental body. The US government has the Federal Risk and Authorization Management Program, while the EU has its own laws. In some cases governments cooperate to create shared frameworks that pass muster under their respective laws. One example is the US-EU Privacy Shield Framework.
- Industry-specific frameworks are those developed by entities within a particular industry. They might be developed due to regulatory needs, or industry-specific issues.
Benchmarks and Secure Configuration Guides
These guides “offer guidance for setting up and operating computer systems to a secure level that is understood and documented.” I take this mean to mean something less stringent than the frameworks and architectures. Benchmarks are consensus-based.
Benchmark guides can come from manufacturers, the government, or an independent organization such as CIS (Center for Internet Security).
When it comes to setting up secure services, platform- or vendor-specific guides can be useful.
- Web servers are a means for users (clients) to access web pages or other data, and thus are prone to attacks. The vendors, such as Microsoft, Apache, etc. can provide guides. So can CIS.
- Operating systems are the interface for applications used to perform tasks, and the physical hardware. CIS, and the DoD’s DISA STIG program has guides.
- Application servers are crucial to enterprise IT systems. Examples include email servers, database servers, messaging platforms, and so on. Again, the manufacturer, CIS, or DoD’s DISA STIG should have guides.
- Network infrastructure devices are the “switches, routers, concentrators, firewalls and other specialty devices” used to make a network function. Their criticality makes them targets.
Defense-in-Depth and Layered Security
Defense-in-depth is a security principle that uses multiple, differing security elements to increase the level of security.
Vendor diversity means having multiple suppliers. You might have multiple, separate vendors for firewalls, operating systems, and so on.
Control diversity is layered security in administrative and technical policies to guide user actions. Administrative controls are policies, regulations, and laws that apply to management aspects of an organization. Technical controls are those that operate through technological intervention in the system. Examples include passwords, logical access control, AV, firewalls, IDS/IPS and so on.
User training is important because users are a vital part of any enterprise. They’re crucial for defense, and also are a major source of vulnerabilities. The book recommends user training that is specific to each person’s role.
Zones and Topologies
Zones and topologies allow for layers of defense in an organization, with the innermost layers having the highest protection.
DMZ is a term that I’ve never heard applied to computers/IT, but here it is. It’s a reference to the demilitarized zone and refers to a semi-trusted area. This area is protected from the rest of the internet by an outer firewall, and the trusted network zone by an inner firewall. Web servers that serve external content, remote-access servers and external email servers might exist in this zone.
An extranet is “an extension of a selected portion of a companies intranet to external partners.” It implies both privacy and security.
An intranet is a network that exists completely inside the trusted area of a network. This means that it is under the security controls of the sysadmins. If users in the intranet need to access outside information, a proxy server should be used to mask the requestor’s location.
Wireless networking is transmission of data through radio waves instead of physical cabling. These networks can either be hub-and-spoke (one main access point and wireless clients that connect to this AP) or a mesh network (where there is no central access point).
A guest zone is “a network segment that is isolated from systems that guests should never have access to.” A honeynet, described in an earlier chapter, is a “fake” network designed to look like the real thing, and thus attract attackers.
The book also covers Network Address Translation, or NAT. NAT is used to compensate for the lack of available IP address spaces. It translates private, non-routable IP addresses into public, routable ones. Not every system needs every IP address to be routable, and in fact, it’s better if the organization’s topology is mostly hidden from outsiders.
A NAT device will remove the internal source’s IP address out of packets, and replace it with the NAT device’s public (routable) address. It does the inverse on the way back into the network.
There are different implementation approaches to NAT: a static mapping of internal-to-external addresses, a dynamic mapping or Port Address Translation (PAT). PAT allows many internal private addresses to share a single external IP address.
Lastly, the book covers ad hoc networks, which is a mesh topology where systems can send packets to each other without a central router or switch. This is an easy (lol) and cheap means of direct communication. On the other hand, it’s more difficult to manage traffic stats and security.
Segregation, Segmentation and Isolation
As mentioned in a previous chapter, Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP) were developed to prevent loops in layer 2 networks. However, it takes time to calculate the traffic paths, which can cause efficiency problems. This has resulted in a push for flat networks, which aren’t necessarily good for security.
Instead, the book recommends the use of “enclaves” which are sections of a network that are logically isolated from the rest of the network. They are like the gated neighborhoods of your network.
There are different ways of segmenting a network:
- Physical segmentation uses physical equipment that is separate for each type of traffic. This means the switches, routers, and cables are separate. More secure, but also more $$$.
- Logical segmentation is done using a VLAN. A LAN is a set of devices with similar functionality and communication needs that operate off a single switch. This is the lowest level of network hierarchy. VLANs are a (virtual) logical implementation of a LAN.
Virtualization offers logical server isolation while still allowing for physical co-location. Think virtual machines.
Air gap is when no data path exists between two networks that are not connected in any way, except a physical air gap. There is no physical or logical path that directly connects them. However, this security goes down the drain if someone uses a USB or other means to transfer information in/out.
Tunneling and VPNs
We’re gonna cover VPNs again! Virtual private networking allows two networks to connect securely across a non-secure stretch of network.
This link can be site-to-site. This means that two or more networks are connected across an intermediary network layer (usually, the internet). There’s also remote access, which is when a user needs access to a network but cannot make a physical connection.
Security Device and Technology Placement
Previous chapters have discussed security devices. Now, we’re going to cover where they need to be placed. Hint: the answer is almost always “inline.”
Sensors capture data. They can be network-based to cover more ground (but limited by traffic needs). They can also be host-based, which is limited to one machine but can sense more specific data.
Collectors are essentially concentrators for multiple sensors. Their collected data then goes to other systems.
Correlation engines take the collected data and match it against known patterns. Of course, if the traffic is routed around a sensor, the engine won’t “see” it, either.
Process filters look at packets at a network interface, and filter them based on source/destination, ports, protocols, and so on. These filters have to be placed inline with the traffic.
Proxies are servers that act as a go-between between clients and other systems. The proxy must be in the natural flow of traffic for it to work.
Firewalls are devices that determine whether traffic can pass or not based on a set of rules. They must be inline with the traffic that they’re regulating, and are commonly placed between network segments.
VPN concentrators take multiple VPN connections and terminate them into a single network point. Wherever this termination occurs better be in a network segment that you would allow all of the users to directly connect to.
SSL accelerators, also discussed in a previous chapter, help speed up SSL/TLS encryption at scale. They need to be placed between the web servers and clients that they serve.
Load balancers help distribute incoming traffic between multiple severs. The load balancer must reside between the requestors of a server and the server providing that service.
A DDoS mitigator helps protect against DDoS attacks, so it needs to be outside the area it is protecting. It would be the first device a packet would encounter on its way from the internet into a network (assuming the device was present).
Aggregation switches provide connectivity for multiple other switches. This is a many-to-one connection. Needs to be upstream from the “many” devices.
Switch Port Analyzers (SPAN) or port mirrors allow for the copying of traffic. This can be an issue if traffic is very heavy. A Test Access Point (TAP) is a passive signal-copying option between two points on a network. TAP devices would be your better option for high amounts of traffic monitoring.
The book has a number of routing examples, where you have to identify the correct one.
The outermost device would be a DDoS mitigator. After that, a firewall, then “DMZ,” then another firewall. Then, an SSL accelerator, then a load balancer, then a server (database, web, etcetera).
- Firewall – DMZ – firewall – SSL accelerator – load balancer – web server
- Firewall – DMZ – firewall – load balancer – database server