I’m back from lots of travel, and am diving back into my Security+ studying. The first chapter in section two of CompTIA’s Security+ study guide is about network components. As with all the other chapters, it’s a questionably organized whirlwind tour. I’ll leave the topics in the order that they appear, which is by component, with a bunch of sub-topics per component.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
A firewall is hardware, software, or a combination of the two that enforces network security policy on the traffic crossing a network connection. The network administrator(s) define the policy: what traffic is allowed, and what traffic is blocked or denied. These rules can be very nuanced, keyed on ports, machines, applications, users, and so on. Firewalls can be specific to an application or a (sub)network, but at a minimum your org should have a firewall between its network and the internet. They’re meant to block attacks before they reach the target (web servers, mail servers, DNS servers, databases, etc).
Firewalls, how do they work
- Network Address Translation (NAT): an IPv4 technique used to link private IP addresses to public ones. NAT isn’t needed in IPv6 from an address shortage perspective. Still, it might be kept because it also hides internal addressing schemes from outside connections.
- Basic packet filtering: look at the packets, their ports/protocols/source+destination addresses. Then, determine if the packet is allowed by the security rules configured on the firewall. If not, block.
- Firewalls can also provide some protection against flooding attacks, e.g. by rate-limiting new connection attempts.
- Firewall rules: a mirror of the network policy constraints. Not sure why this gets its own section.
- Access control lists (ACLs): ordered lists of who is permitted (or denied) to do what. Subjects can be identified by user ID, network address, or token. The usual pattern is a series of permit statements followed by a deny-all, so anything not explicitly permitted is dropped (implicit deny). Order matters: the first matching entry wins.
- Application-based vs Network-based: application-based firewalls understand the application protocol and can block or allow specific actions within it (a web application firewall inspecting HTTP requests, for example). Network-based firewalls are, um, network-based: they decide on IP addresses, protocols and ports. They’re broader and less specific than app-based.
- Stateful vs Stateless: everything is easier without state, of course. But a stateful firewall tracks connections and can decide based on what came before. For example, an inbound packet that claims to be a reply to a request nobody on the inside sent is probably something you want to block, and you can’t know that without keeping track of state. A stateless filter typically ends up with a broader inbound rule (source-port or TCP-flag based) just to let legitimate replies through.
- Implicit deny: if it isn’t explicitly allowed, then deny it.
- Security network administration principles ensure a properly configured set of hardware, software, and operation/maintenance actions. Another orphaned section… not sure why.
- Rule-based management: define desired operational states so that they can be represented as rules. Similar to the software concept of making illegal states unrepresentable… not an exact connection but it forces admins/devs to think about what states should be allowed and which are dangerous.
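To make the packet-filtering, implicit-deny and stateful/stateless points above concrete, here is an added toy packet filter. It is example code written for this post, not code from the book or from any firewall product; the rules, addresses and packets are constructed for the demonstration. The same four packets go through a strict stateless filter, a "loosened" stateless filter that admits anything with source port 443 so that HTTPS replies get back in, and a stateful filter that only admits replies to connections it saw leave.

```python
"""Toy packet filter, added here to illustrate first-match rules, implicit
deny, and why a stateful filter can admit replies without a broad inbound
rule. Not a real firewall: no fragments, no TCP flag tracking, no timeouts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = arriving from the internet, "out" = leaving the LAN


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    direction: str
    proto: str
    src: str         # CIDR
    dst: str         # CIDR
    sport: Optional[int] = None   # None = any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


class StatelessFilter:
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:          # first match wins
            if r.matches(p):
                return r.action
        return "deny"                 # implicit deny: nothing matched


class StatefulFilter(StatelessFilter):
    def __init__(self, rules):
        super().__init__(rules)
        self.conns = set()            # 5-tuples of permitted outbound flows

    def decide(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "in" and reverse in self.conns:
            return "permit"           # reply to a flow we initiated
        action = super().decide(p)
        if action == "permit" and p.direction == "out":
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


LAN, ANY = "10.0.0.0/8", "0.0.0.0/0"   # constructed example networks
STRICT = [
    Rule("permit", "out", "tcp", LAN, ANY, dport=443),          # LAN may browse HTTPS
    Rule("permit", "in", "tcp", ANY, "10.0.0.5/32", dport=25),  # mail server accepts SMTP
]
# What a stateless filter has to add so replies get back in: trust anything from source port 443.
LOOSE = STRICT + [Rule("permit", "in", "tcp", ANY, LAN, sport=443)]


def run_scenario() -> dict:
    """Same four constructed packets through three filters; returns the decisions."""
    outbound = Packet("tcp", "10.0.0.7", 51000, "203.0.113.9", 443, "out")
    reply = Packet("tcp", "203.0.113.9", 443, "10.0.0.7", 51000, "in")
    # Not a reply to anything: a scanner that picked source port 443 on purpose.
    unsolicited = Packet("tcp", "203.0.113.9", 443, "10.0.0.7", 52000, "in")
    smtp = Packet("tcp", "198.51.100.4", 40000, "10.0.0.5", 25, "in")
    filters = {"stateless_strict": StatelessFilter(STRICT),
               "stateless_loose": StatelessFilter(LOOSE),
               "stateful": StatefulFilter(STRICT)}
    return {name: {"outbound": fw.decide(outbound), "reply": fw.decide(reply),
                   "unsolicited": fw.decide(unsolicited), "smtp": fw.decide(smtp)}
            for name, fw in filters.items()}


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name, decisions)
```

The strict stateless filter drops the legitimate HTTPS reply (implicit deny, since no inbound rule matches port 51000). Loosening it lets the reply in but also lets the scanner in. The stateful filter admits the reply because it remembers the outbound flow, and still drops the unsolicited packet.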
A VPN concentrator is a way of managing multiple VPN conversations on a network while keeping them isolated from each other.
VPNs can be remote-access or site-to-site. Site-to-site connects machines between two networks on an ongoing basis (you don’t have to go through setup each time). Remote-access is more temporary and allows remote hosts to connect to a network.
Here, the book starts a long section on IPSec details. It seems like the book sections got mixed around because it references “AH” and “ESP” before they are defined/discussed. Anyway…
IPSec is a set of protocols for securely exchanging packets at the network layer (layer 3). IPSec-based VPNs use it to establish their secure tunnels. The chapter does not discuss SSL/TLS-based VPNs.
- IPSec’s tunnel mode encrypts the entire original packet, data plus original source and destination addresses, and wraps it in a new IP header addressed between the tunnel endpoints (usually the two VPN gateways). Outside observers can see that the gateways are talking, but can’t decipher packet contents or which internal hosts are communicating.
- Transport mode encrypts only the data. The original IP header is exposed, so an observer can see that a transmission is happening, and between which hosts.
- There are three modes of connection: host-to-server, server-to-server, host-to-host
- A security association (SA) is an established combo of algorithms, keys, etc used between the parties. An SA is a unidirectional combination, so bidirectional traffic requires two SAs.
- In IPv4, IPSec is an add-on and adoption is up to individual vendors. IPv6 was designed with IPSec built in (AH and ESP are IPv6 extension headers, and support was originally mandatory, later relaxed to recommended). Built-in support doesn’t mean IPv6 traffic is encrypted by default, though; it still has to be configured.
- Authentication Headers (AH) provide data integrity and authenticity of the data’s origin, covering the payload and the immutable parts of the IP header, but no confidentiality. Encapsulating Security Payload (ESP) provides confidentiality and, optionally, integrity and origin authentication of the encapsulated data; the outer IP header is not covered by ESP’s integrity check.
- Split-tunnel VPNs do not route all traffic through the VPN. This helps avoid bottlenecks that might come from encrypting all traffic. A VPN that carries all of a client’s traffic is a full-tunnel VPN.
- Transport Layer Security (TLS) can also be used for VPNs, to exchange keys and create secure tunnels for communication. The book notes that IPSec-based VPNs can have issues crossing multiple NAT domains: NAT rewrites addresses (and ports), which invalidates AH’s integrity check outright, and plain ESP has no ports for a NAT to track. The usual fix is NAT traversal (NAT-T), which wraps ESP in UDP.
- “Always on” VPNs are pre-configured and… always on, by default.
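The tunnel-vs-transport, AH-vs-ESP and NAT points above are easier to see with packets in hand. The following is an added illustration written for this post, not IPSec code from the book or from any implementation: headers are simplified to proto/src/dst, the SPI and sequence number are omitted, the keys, addresses and payload are constructed, and a SHA-256 keystream stands in for AES. It builds an AH packet, an ESP transport-mode packet and an ESP tunnel-mode packet, reports what an on-path observer sees, then runs each through a NAT that rewrites the source address.

```python
"""Illustrative (not real) IPsec packets, added to show what an observer
sees in transport vs tunnel mode, what AH and ESP each protect, and why
NAT breaks AH but not ESP. Header format is simplified to
proto(1) | src(4) | dst(4); real packets also carry SPI and sequence
numbers. The SHA-256 keystream stands in for AES; the ICV is a
truncated HMAC-SHA-256, which IPsec itself uses."""
import hashlib
import hmac
from ipaddress import IPv4Address

PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51   # real IANA protocol numbers
HDR_LEN, NONCE_LEN, ICV_LEN = 9, 8, 12
K_AUTH = b"constructed-integrity-key"         # example keys; a real SA would carry negotiated ones
K_ENC = b"constructed-encryption-key"


def header(proto: int, src: str, dst: str) -> bytes:
    return bytes([proto]) + IPv4Address(src).packed + IPv4Address(dst).packed


def parse_header(pkt: bytes):
    return pkt[0], str(IPv4Address(pkt[1:5])), str(IPv4Address(pkt[5:9]))


def icv(data: bytes) -> bytes:
    return hmac.new(K_AUTH, data, hashlib.sha256).digest()[:ICV_LEN]


def keystream_xor(data: bytes, nonce: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(K_ENC || nonce || counter) blocks."""
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(K_ENC + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


# AH: integrity over the IP header *and* the payload; nothing is encrypted.
def ah_transport(src: str, dst: str, payload: bytes) -> bytes:
    hdr = header(PROTO_AH, src, dst)
    return hdr + icv(hdr + payload) + payload


def ah_verify(pkt: bytes) -> bool:
    hdr, tag, payload = pkt[:HDR_LEN], pkt[HDR_LEN:HDR_LEN + ICV_LEN], pkt[HDR_LEN + ICV_LEN:]
    return hmac.compare_digest(tag, icv(hdr + payload))


# ESP: encrypts the inner data; its ICV covers only the ESP part, not the outer IP header.
def esp_wrap(outer_hdr: bytes, inner: bytes, nonce: bytes) -> bytes:
    ct = keystream_xor(inner, nonce)
    return outer_hdr + nonce + ct + icv(nonce + ct)


def esp_unwrap(pkt: bytes):
    body, tag = pkt[HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(body)):
        return None
    return keystream_xor(body[NONCE_LEN:], body[:NONCE_LEN])


def esp_transport(src, dst, payload, nonce):
    return esp_wrap(header(PROTO_ESP, src, dst), payload, nonce)


def esp_tunnel(gw_src, gw_dst, src, dst, payload, nonce):
    inner = header(PROTO_TCP, src, dst) + payload    # the whole original packet is hidden
    return esp_wrap(header(PROTO_ESP, gw_src, gw_dst), inner, nonce)


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    proto, _, dst = parse_header(pkt)
    return header(proto, new_src, dst) + pkt[HDR_LEN:]


def demo() -> dict:
    nonce = b"\x00" * NONCE_LEN   # fixed for reproducibility; must never repeat under one key in practice
    payload = b"GET /payroll HTTP/1.1"
    host_a, host_b = "10.1.0.10", "10.2.0.20"          # constructed internal hosts
    gw_a, gw_b = "198.51.100.1", "203.0.113.1"         # constructed VPN gateways
    ah = ah_transport(host_a, host_b, payload)
    esp_t = esp_transport(host_a, host_b, payload, nonce)
    esp_tun = esp_tunnel(gw_a, gw_b, host_a, host_b, payload, nonce)
    natted_ah = nat_rewrite_src(ah, "192.0.2.77")
    natted_esp = nat_rewrite_src(esp_tun, "192.0.2.77")
    return {
        "ah_payload_readable": payload in ah,
        "esp_transport_endpoints": parse_header(esp_t)[1:],
        "esp_transport_payload_readable": payload in esp_t,
        "esp_tunnel_endpoints": parse_header(esp_tun)[1:],
        "esp_tunnel_hosts_visible": IPv4Address(host_a).packed in esp_tun[HDR_LEN:],
        "ah_valid_after_nat": ah_verify(natted_ah),
        "esp_decrypts_after_nat": esp_unwrap(natted_esp) == header(PROTO_TCP, host_a, host_b) + payload,
    }
```

Transport mode exposes the two hosts’ addresses; tunnel mode exposes only the gateways and hides both the inner header and the payload. Rewriting the source address (what a NAT does) makes the AH packet fail verification, because AH’s ICV covered that header, while the ESP tunnel packet still verifies and decrypts, because ESP never covered the outer header.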
NIDS stands for a network-based intrusion detection system. These detect, log and respond to unauthorized network usage. This can be in real-time or after the fact.
The unfortunately acronym’d “NIPS” stands for network-based intrusion prevention systems. NIPS are like NIDS but can take automated action to block an attack, as determined by pre-set rules.
An intrusion detection system (IDS) doesn’t need to be network-based. It could be host-based instead. An IDS usually contains the following components:
- A traffic collector that gathers events from log files, other logs, copied traffic (taps or mirror ports), etc.
- An “analysis engine” that examines the collected events and compares them to known malicious patterns.
- A signature database that stores the patterns or signatures of malicious activity.
- A user interface for displaying and reporting data based on alarm level, etc.
An IDS can be signature-based, meaning it detects intrusions by matching known signature definitions. Alternatively, it can be heuristic- or behavior-based: “normal” behavior is defined, and behavior outside those bounds is considered malicious or bad. This can have a high false-positive rate. Anomaly-based detection is similar, flagging traffic that deviates from a learned baseline of “normal”. The type of NIDS/NIPS you have determines the complexity of the rules (the book’s example ranges from Snort-style signature rules to Bayesian models).
An IDS can be inline, meaning traffic flows through the device, or passive, meaning it examines a copy of the traffic (from a tap or mirror port) without sitting in the path.
It can be in-band, meaning it examines data and can take action on it within that path (if something looks bad, don’t send it along). Out-of-band cannot; it is limited to alerting, or to out-of-path responses such as sending TCP resets.
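As an added illustration of the signature-based and anomaly-based styles (written for this post; it is not Snort, not the book’s code, and the traffic is constructed), here is a toy analysis engine. It runs two Snort-style content signatures and a baseline-trained anomaly detector over a quiet training window and then a busier window containing a port scan, a legitimate backup job, and two path-traversal attempts, one of them URL-encoded.

```python
"""Toy IDS analysis engine, added to illustrate the two detection styles
above over constructed connection records: Snort-style content
signatures and an anomaly detector trained on a baseline. Illustration
only; a real engine normalizes traffic (decodes URLs etc.) before matching."""
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dport: int
    content: bytes

    def matches(self, e: Event) -> bool:
        return e.dport == self.dport and self.content in e.payload


SIGNATURES = [   # constructed rules in the spirit of Snort "content:" matches
    Signature(1000001, "Path traversal attempt", 80, b"../../etc/passwd"),
    Signature(1000002, "SQL injection probe", 80, b"' OR 1=1"),
]


def signature_alerts(events):
    return [(e.src, s.sid, s.msg) for e in events for s in SIGNATURES if s.matches(e)]


class AnomalyDetector:
    """Flags sources whose connection count exceeds baseline mean + k * stddev."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mean = self.sd = None

    def train(self, baseline):
        counts = list(Counter(e.src for e in baseline).values())
        self.mean, self.sd = statistics.mean(counts), statistics.pstdev(counts)

    def detect(self, events):
        threshold = self.mean + self.k * self.sd
        return {src: n for src, n in Counter(e.src for e in events).items() if n > threshold}


def build_events():
    """Constructed traffic: a quiet baseline, then a window with a scan, a backup job and two exploit attempts."""
    web = "10.0.0.80"
    baseline = [Event(h, web, 80, b"GET /index.html")
                for h, n in (("10.0.0.11", 4), ("10.0.0.12", 5), ("10.0.0.13", 6),
                             ("10.0.0.14", 5), ("10.0.0.15", 4)) for _ in range(n)]
    window = [Event("10.0.0.11", web, 80, b"GET /index.html") for _ in range(5)]
    window += [Event("10.0.0.99", web, port, b"") for port in range(1, 41)]     # port scan
    window += [Event("10.0.0.50", web, 80, b"PUT /backup") for _ in range(12)]  # legitimate nightly backup
    window.append(Event("10.0.0.99", web, 80, b"GET /../../etc/passwd HTTP/1.1"))
    window.append(Event("10.0.0.66", web, 80, b"GET /..%2f..%2fetc/passwd HTTP/1.1"))  # URL-encoded
    return baseline, window


def run() -> dict:
    baseline, window = build_events()
    det = AnomalyDetector()
    det.train(baseline)
    return {"signatures": signature_alerts(window), "anomalies": det.detect(window)}


if __name__ == "__main__":
    print(run())
```

Two things worth noticing: the anomaly detector flags the scanner but also the backup host, which is exactly the false-positive problem the paragraph above mentions; and the URL-encoded traversal slips past the naive byte match, which is why real IDS engines normalize HTTP before applying signatures.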
Routers are “network traffic management devices used to connect different network segments together.” Routers are located at gateways where two or more networks connect. They look at each packet and its destination address, and then determine optimal paths across a network.
Remote access is often a necessity, especially for big organizations with routers spread all over the globe. Unauthorized access is a bad thing, so avoid mishaps like: leaving the default password, sending passwords in cleartext, or using Telnet (or other insecure/deprecated protocols; use SSH instead).
Routers use access control lists (ACLs) to determine whether a packet should be allowed into a network, based on its source address (and, depending on the ACL, destination address, protocol and port). Apparently, if you have a fancy router you can configure it to examine packets in a stateful way.
Routers know which source addresses should legitimately appear on each interface, so they can check a packet’s claimed source against the interface it arrived on. A packet arriving from the internet with an internal source address is spoofed, and the router should drop it (ingress filtering, an anti-spoofing measure).
Routers operate at the network layer (layer 3) of the OSI model. Switches operate at the data link layer (layer 2) and connect devices together on a network. They pose a security risk because whoever controls the switch (physically, or via its management interface) can mirror ports and eavesdrop on traffic passing through it. Similar to routers, switches also have insecure methods of access (notably Telnet or older versions of SNMP; use SSH and SNMPv3 instead).
As switches move frames from inbound ports to outbound ports, they can inspect the frame headers. Port security means a switch can control which devices connect on each port via allowed MAC addresses (MACs can be spoofed, so this is a speed bump, not a wall). Port security can be configured with an admin-assigned MAC address per port (static learning), with the switch “learning” the first MAC(s) it sees (dynamic learning), or with learned MACs saved to the configuration so they survive a reboot (sticky learning).
OSPF comes up here, but Open Shortest Path First is a layer 3 routing protocol used by routers (and layer 3 switches), not by a plain layer 2 switch, which forwards by its MAC address table. Switches use the Spanning Tree Protocol (STP) to avoid loops, and commonly have flood guards to protect against flooding attacks (e.g. MAC flooding, which tries to overflow the address table so the switch falls back to flooding frames out of every port).
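To show what the three port-security learning modes actually do, here is an added toy model written for this post (not vendor code, not the book’s; port names and MAC addresses are made up). Each port keeps an allow-list, learns into it according to its mode, err-disables on a violation, and either forgets or keeps its learned MACs across a simulated reboot.

```python
"""Toy model of switch port security, added to illustrate static, dynamic
and sticky MAC learning and what a violation does. Illustration only; real
switches offer several violation modes (protect/restrict/shutdown) and
aging timers."""


class Port:
    def __init__(self, name, mode="dynamic", max_macs=1, allowed=()):
        assert mode in ("static", "dynamic", "sticky")
        self.name, self.mode, self.max_macs = name, mode, max_macs
        self.allowed = set(allowed)   # MACs configured by the admin (static)
        self.learned = set()          # MACs picked up from traffic (dynamic/sticky)
        self.err_disabled = False     # 'shutdown' violation mode
        self.violations = 0

    def frame_in(self, src_mac: str) -> str:
        """Decide 'forward' or 'drop' for a frame arriving on this port."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.allowed or src_mac in self.learned:
            return "forward"
        if self.mode != "static" and len(self.allowed) + len(self.learned) < self.max_macs:
            self.learned.add(src_mac)   # room left: learn it
            return "forward"
        self.violations += 1            # unknown MAC and no room: violation
        self.err_disabled = True
        return "drop"

    def reload(self):
        """Switch reboot: dynamic entries vanish, sticky ones were saved to the config and persist."""
        if self.mode == "dynamic":
            self.learned.clear()


def demo() -> dict:
    r = {}
    p = Port("Gi0/1", "static", allowed={"aa:aa:aa:aa:aa:01"})   # constructed MACs throughout
    r["static_known"] = p.frame_in("aa:aa:aa:aa:aa:01")
    r["static_unknown"] = p.frame_in("bb:bb:bb:bb:bb:02")
    r["static_err_disabled"] = p.err_disabled

    p = Port("Gi0/2", "dynamic")
    p.frame_in("aa:aa:aa:aa:aa:02")
    p.reload()
    r["dynamic_new_mac_after_reload"] = p.frame_in("cc:cc:cc:cc:cc:03")   # relearned, no alarm

    p = Port("Gi0/3", "sticky")
    p.frame_in("aa:aa:aa:aa:aa:03")
    p.reload()
    r["sticky_new_mac_after_reload"] = p.frame_in("cc:cc:cc:cc:cc:03")    # still bound to the old MAC

    p = Port("Gi0/4", "static", allowed={"aa:aa:aa:aa:aa:04"})
    r["cloned_mac"] = p.frame_in("aa:aa:aa:aa:aa:04")   # an attacker spoofing the allowed MAC looks legitimate
    return r


if __name__ == "__main__":
    print(demo())
```

The dynamic port happily learns whatever shows up first after a reboot, which is the window sticky learning closes; and the last case is the caveat from the paragraph above in code form: a cloned MAC is indistinguishable from the real device.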
Proxy servers are a way of filtering traffic and can be used to further the security goals of an organization. A proxy intercepts requests from a client and either forwards them to their intended destination, answers them itself (from a cache, say), or blocks them.
Proxies can be forward, meaning they sit on the client side, intercept requests and forward them to the destination. They can be reverse, meaning they’re installed on the server side of a connection and intercept incoming requests on behalf of the servers behind them.
They can be transparent, meaning they examine the request and pass it along unmodified (or not at all). Alternatively, they can alter requests.
Anonymizing proxies hide information about the client making the request. Caching proxies store local copies of content to help with performance. Content-filtering proxies compare requests to an acceptable use policy (AUP) and filter out the bad stuff. Open proxies are proxies available to any internet user (and are routinely abused to hide an attacker’s origin). A web proxy handles web traffic (and is also called a web cache).
Load balancers move loads across several resources. This helps to avoid overloading a server and helps increase fault tolerance. Load balancing is easiest in stateless systems.
- Load balancers can be affinity-based. This means a host connects to the same server across a given session. On the other hand, round-robin means that each new request goes to a new server in rotation.
- Load balancers can be active-passive, meaning that one system is balancing everything, with another system ready to step in if the primary one fails. Active-active means that all the load balancers are active at once.
- Because you’ve got many servers in a load balancing environment, virtual IP addresses are used to make multiple systems appear as a single IP address.
Wireless access points (APs) are “the point of entry and exit for radio-based network signals into and out of a network.”
- An SSID is a service set identifier. This is an identifier for a network, up to 32 bytes long. When a client wants to join the network, it performs a handshake to associate with an AP, and the association request must include the SSID. The SSID is broadcast by default, but you can turn that off; this hides the name from casual browsing, not from anyone sniffing, since clients still send it in the clear when they associate.
- APs can use MAC filtering, which was mentioned earlier. However, since an attacker can observe valid MAC addresses on the network and spoof them, this isn’t a foolproof defense.
- The book covers signal strength, which is intuitively understood by most people. The transmitting power of the AP, as well as the physical environment can play a role in signal strength.
- As more things are wirelessly connected, the wireless band is getting kind of crowded. We now have 5GHz (802.11a, n and ac) in addition to 2.4GHz (802.11b/g and n).
- Wifi is radio-based, so you need antennas. Antenna types determine transmission patterns and gain factors. Gain measures how much the antenna concentrates its radiated power in a direction. Antenna placement (hopefully) ensures maximal coverage over an area. You can also transmit outside your building, which isn’t always a good thing. Yagi and panel antennas are two types of directional antennas.
- Access points can be “fat” (standalone) or “thin” (controller-based). Standalone often includes encryption, authentication and channel management capabilities. Controller-based makes it easier to have centralized management.
SIEM stands for security information and event management. SIEM systems are hardware and software meant to analyze aggregated security data. They rely on a few different concepts:
- Aggregation of data: event logs, firewall logs security, application logs… all in one place.
- Correlation, meaning that events or behaviors can be related based on time, common events, etc.
- Automated alerts and triggers: you can set rules to alert you based on certain patterns. Your SIEMS can have automated reactions, too.
- Time synchronization: I don’t know if you, dear reader, have ever had to map events in one timezone to events in another timezone, but it sucks. SIEMs can render events in UTC and local time(s).
- Event de-duplication: SIEMs can remove redundant event info so that the signal-to-noise ratio is better.
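Here is an added, self-contained toy SIEM pipeline that exercises aggregation, time normalization, de-duplication and correlation together. It is example code written for this post, not a product’s or the book’s; the two log snippets (a VPN appliance logging in local time UTC-5, and a Linux host logging in UTC) are constructed, and the two correlation rules (“three or more failed logins then a success from the same source within a minute” and “VPN login followed by an internal SSH login within five minutes”) are hypothetical rules written for the example.

```python
"""Toy SIEM pipeline over constructed log lines from two sources in
different timezones: normalize timestamps to UTC, de-duplicate, and
correlate across sources. Illustration only."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
VPN_TZ = timezone(timedelta(hours=-5))   # the VPN appliance logs in local time (UTC-5)

# Constructed sample logs. Note the duplicated line in each source.
VPN_LOG = """2024-01-15 03:00:05 vpn01 auth-fail user=alice src=203.0.113.7
2024-01-15 03:00:09 vpn01 auth-fail user=alice src=203.0.113.7
2024-01-15 03:00:09 vpn01 auth-fail user=alice src=203.0.113.7
2024-01-15 03:00:14 vpn01 auth-fail user=alice src=203.0.113.7
2024-01-15 03:00:21 vpn01 auth-ok user=alice src=203.0.113.7"""
HOST_LOG = """2024-01-15T08:00:40Z fileserver sshd: Accepted password for alice from 10.8.0.5
2024-01-15T08:00:40Z fileserver sshd: Accepted password for alice from 10.8.0.5"""

VPN_RE = re.compile(r"^(\S+ \S+) (\S+) (auth-fail|auth-ok) user=(\S+) src=(\S+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted password for (\S+) from (\S+)$")


def parse(vpn_log: str, host_log: str, vpn_tz) -> list:
    """Aggregate both sources into one normalized, UTC-timestamped event list."""
    events = []
    for line in vpn_log.splitlines():
        m = VPN_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=vpn_tz).astimezone(UTC)
        events.append({"ts": ts, "host": m.group(2), "action": m.group(3), "user": m.group(4), "src": m.group(5)})
    for line in host_log.splitlines():
        m = SSH_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        events.append({"ts": ts, "host": m.group(2), "action": "ssh-ok", "user": m.group(3), "src": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])


def dedupe(events: list) -> list:
    seen, out = set(), []
    for e in events:
        key = (e["ts"], e["host"], e["action"], e["user"], e["src"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def brute_force_then_success(events, min_failures=3, window=timedelta(seconds=60)):
    alerts = []
    for ok in (e for e in events if e["action"] == "auth-ok"):
        fails = [f for f in events if f["action"] == "auth-fail" and f["user"] == ok["user"]
                 and f["src"] == ok["src"] and ok["ts"] - window <= f["ts"] < ok["ts"]]
        if len(fails) >= min_failures:
            alerts.append(("brute-force-success", ok["user"], ok["src"], len(fails)))
    return alerts


def vpn_then_internal_login(events, window=timedelta(minutes=5)):
    alerts = []
    for ssh in (e for e in events if e["action"] == "ssh-ok"):
        prior = [v for v in events if v["action"] == "auth-ok" and v["user"] == ssh["user"]
                 and ssh["ts"] - window <= v["ts"] <= ssh["ts"]]
        if prior:
            gap = int((ssh["ts"] - prior[-1]["ts"]).total_seconds())
            alerts.append(("vpn-login-then-internal-login", ssh["user"], ssh["host"], gap))
    return alerts


def run(naive: bool = False) -> dict:
    """naive=True pretends the VPN timestamps were already UTC, i.e. skips time normalization."""
    events = dedupe(parse(VPN_LOG, HOST_LOG, UTC if naive else VPN_TZ))
    return {"events": len(events),
            "brute": brute_force_then_success(events),
            "chain": vpn_then_internal_login(events)}


if __name__ == "__main__":
    print(run())
    print(run(naive=True))
</```

Running it with correct time normalization fires both rules: the brute-force rule sees three distinct failures (the duplicate was removed) before the success, and the chain rule sees the SSH login 19 seconds after the VPN login. Running it “naively”, with the VPN timestamps taken as UTC, the brute-force rule still fires because it only compares events from the same source, but the cross-source chain rule goes silent: the events appear five hours apart. That is the time-synchronization point in the bullet above, in one function call.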
Aaand we’ve jumped from SIEMs to data loss prevention (DLP). I told you the order of topics was a little wonky.
Here, DLP refers to methods of detecting and preventing unauthorized transfers of data across an organization.
- USB blocking: either physically disabling the points, or a software-based solution.
- Cloud-based DLP gets harder, since you have to move _some_ data to and from the cloud.
- Organizations might disallow or scan email attachments.
Large organizations can have a LOT of connected workstations and servers. Managing these connections at scale is difficult. Network access control (NAC) is the general approach: check each host before it’s admitted to the network. Network Access Protection (NAP) is the Microsoft option, Network Admission Control (NAC) is the Cisco option.
Microsoft’s NAP measures the system health of connecting machines. Metrics include operating system patch level, antivirus protection and system policies. A NAP client has been around since Windows XP SP3 (NAP was deprecated in Windows Server 2012 R2 and dropped from Server 2016).
Cisco’s NAC enforces policies set by the network admin, and verifies policy settings, software updates, and so on.
Neither of these systems is widely adopted. Both run health checks on a host before letting it connect to the network.
NAP- or NAC-related agents can be permanently deployed to a host. They can also be dissolvable, meaning they are used (and discarded) on an as-needed basis. Agent-based means there’s code stored and activated on the host machine; agentless means the code resides on the network and doesn’t persist in the host machine’s memory after use.
Mail gateways are machines that process email on its way into or out of a network. They also filter spam, enforce data loss prevention and handle encryption.
- Gateways can filter spam by blacklisting known spam sources by domain or IP address (alternatively, you can whitelist trusted sources). They can filter on keywords. There are more sophisticated checks involving delays (greylisting: temporarily reject and see whether the sender retries like a real mail server would), reverse DNS checks, or callback verification. Additionally, tools like Gmail “learn” from their users, who can mark messages as spam or junk. Much spam filtering happens at the network or SMTP server level.
- Again, data loss prevention is an issue in email attachments.
- Email is plaintext by default, but email can be encrypted. Even though options exist (like PGP) there isn’t wide adoption.
Somehow, we’re back to bridges. Bridges work at the layer 2 level and connect two separate network segments. This can play into security concerns because traffic separation can keep sensitive information more sequestered.
I’m throwing the remaining categories here, since they seem like they were thrown at the end of the chapter as an afterthought.
- Encryption takes time and processing power. SSL/TLS accelerators are dedicated devices that help alleviate encryption bottlenecks within organizations.
- SSL decryptors (TLS interception devices) allow for traffic screening. They’re effectively a sanctioned man-in-the-middle: they terminate the client’s TLS session, decrypt the traffic, inspect it, then re-encrypt it toward the real server. For this to work without certificate warnings, clients must trust the interceptor’s CA, and the device itself becomes a high-value target, since it sees everything in the clear.
- Media gateways are machines meant to handle different media protocols, including translating from one protocol to another. Handy for organizations that use a lot of voice or video signals.
- Hardware security modules (HSMs) are devices meant to manage or store encryption keys. They can also help with other encryption, hashing or digital signature functionality.