CompTIA Security+ Rapid Review: Network Security

Roughly 21 percent of the SY0-301 exam comes from this domain. You need to have a good grasp of implementing, distinguishing, and applying proper network security techniques. You need to know how to explain the function and purpose of basic network devices. Additionally, you need to know how to apply basic network security principles and how to distinguish network design elements, such as demilitarized zones (DMZs), remote access, cloud computing, and network access control (NAC). You also need to understand common protocols and their port numbers. Finally, you need to understand how to implement wireless systems in a secure manner. This chapter covers the following objectives:

This chapter covers the following objectives:

• Objective 1.1: Explain the security function and purpose of network devices and technologies

• Objective 1.2: Apply and implement secure network administration principles

• Objective 1.3: Distinguish and differentiate network design elements and compounds

• Objective 1.4: Implement and use common protocols

• Objective 1.5: Identify commonly used default network ports

• Objective 1.6: Implement wireless networks in a secure manner

Objective 1.1: Explain the security function and purpose of network devices and technologies

In this exam Objective, you might be tested on the security function and purpose of network devices and technologies. You might be asked about firewalls, routers, switches, intrusion detection systems (IDS), sniffers, and many other web firewalls and URL filtering devices.

Exam need to know…

• Specify the purpose and function of a firewall

  For example: Do you know that firewalls typically reside at the edge of the network between the Internet and the trusted internal network?

• Specify the security function and purpose of routers

  For example: Do you know that routers reside at Layer 3 of the Open Systems Interconnection (OSI) model and that they can be used as a basic packet filter?

• Specify the security function and purpose of a switch

  For example: Do you know that switches physically segment network traffic, make it harder for attackers to sniff traffic, and can be used to set up virtual LANs (VLANs)?

• Specify the security function and purpose of a load balancer

  For example: Do you know that a load balancer is used to distribute the workload among multiple computers or a cluster of computers?

• Specify the function and purpose of a proxy

  For example: Do you know that a proxy server acts as an intermediary that processes requests from clients seeking resources from other servers?

• Specify the function and purpose of a web security gateway

  For example: Do you know that a web security gateway filters unwanted traffic and malware from endpoint web/Internet traffic and enforces ingress and egress rules?

• Know the function and purpose of Virtual Private Network concentrators

  For example: Do you know that VPN concentrators are designed to handle a very large number of VPN tunnels?

• Know the function and purpose of a network intrusion detection system and a host intrusion detection system

  For example: Do you know what tool is used at the edge of the network to detect anomalies or unusual traffic?

• Explain protocol analyzers

  For example: Can you explain what hardware or software tool can be used to examine network traffic?

• Understand the purpose and function of sniffers

  For example: Do you know what tool can be used to capture clear text user names and passwords from a network connection?

• Know the purpose and security function of SPAM filters and all-in-one security devices

  For example: Do you know which tool can be used to block fake emails and messages from unknown recipients?

• Understand the purpose and function of web application firewalls and how they are different from network firewalls

  For example: Can you describe what type of tool can be used to protect web applications and filter malicious traffic such as SQL injection attacks?

• Define URL filtering, content inspection, and malware inspection

  For example: Do you know what type of service is needed to check the origin or content of a webpage against a set of rules as provided by a company or person?

Firewalls

Firewalls play a key role in network security because they reside at the edge of the network and act as a first line of defense. Firewalls are designed to inspect incoming and outgoing network traffic. Firewall rules can be configured to allow or block certain types of traffic.

True or false? Firewalls can use different types of screening techniques. As an example, a firewall can filter traffic based on a source or destination IP address.

Answer: True. Firewalls can filter traffic by many different criteria. This can include source or destination IP address, URL, traffic content, TCP or UDP settings, and so on.

True or false? A firewall can be embedded or part of a router.

Answer: True. Routers have the ability to act as basic firewalls.

Routers

Routers operate at Layer 3 of the OSI model, and as such, they deal with logical addresses. A commonly used logical addressing scheme is Internet Protocol (IP). Routers enhance networks by segmenting physical traffic. Routers also can be used to connect different network types and to span a distance. Routers provide a valuable security function because they can connect different networks and simultaneously provide some filtering of network traffic. This might be two or more LANs or WANs. Routers are considered edge devices because they are located where two or more networks connect.

True or false? By default, routers pass Layer 2, physical traffic.

Answer: False. Routers do not pass Layer 2 traffic. Routers deal with Layer 3 traffic.

True or false? A router can be used as a basic security device.

Answer: True. Routers have built-in functionality that can filter traffic. Routers also block physical traffic, so they can be used to separate departments; for example, You could set up a router so that accounting cannot see marketing network traffic.

True or false? Routers are only installed at the edge of corporate networks.

Answer: False. Although routers can be installed at the edge of a network, such as between a corporate network and the Internet, they can also be used to separate LANs.

Switches

Switches are one of the key components of most modern networks. Switches replaced hubs; they are a more intelligent piece of hardware. You can use switches to connect multiple computers and other network devices to one another. Switches segment traffic; for example, users on port A and port B can have a conversation while users on port C and port D carry on a separate conversation. Switches make it more difficult for an attacker to sniff traffic because the traffic is forwarded only to an appropriate connected device.

True or false? Switches offer better performance than a hub.

Answer: True. A switch is capable of inspecting traffic as it is received and then forwarding it only to the specified destination device. By delivering traffic only to the specified device, switches conserve network bandwidth.

True or false? Unlike hubs, switches make it easier for an attacker to intercept and sniff network traffic.

Answer: False. Switches make it more difficult to carry out an attack. Hubs send all traffic to all destination devices, whereas switches send traffic only to a specified device.

Load balancers

A load balancer is used to distribute many different types of traffic across a group or cluster of computers. Load balancers can be software or hardware. Load balancing serves a security function because it hides the addresses of the devices behind the load balancer.

True or false? One of the advantages of a load balancer is that it can distribute traffic to a busy website among many different web servers.

Answer: True. Load balancers are used to even out web traffic to busy sites. An organization might have many web servers; the load balancer distributes this load among many individual computers.

True or false? A load balancer can be used to hide internal IP addresses.

Answer: True. Load balancers can be used to hide the internal IP address of individual devices.

Proxies

A proxy is an entity that exists between two other entities and acts on behalf of one of those entities. The purpose of a proxy as it relates to networks is to act as a buffer between a user and a web server. Proxy servers can also be used to cache content.

True or false? Proxy servers request content on behalf of the client.

Answer: True. A proxy server provides web resources by connecting to a web server and requesting the service on behalf of the client.

True or false? Proxy servers offer no speed advantages.

Answer: False. Proxy servers can speed up access to resources by using caching.

Web security gateways

Web security gateways are designed to filter malicious traffic and to add a layer of protection for the web server.

True or false? Web security gateways offer secure communication between the client and the server.

Answer: False. Web server gateways do not protect web applications. This would be the role of Secure Sockets Layer (SSL) or application firewalls.

True or false? A web security gateway cannot be used to prevent end users from downloading known malware from the Internet.

Answer: False. A web security gateway filters unwanted software or malware from endpoint web/Internet traffic and enforces corporate and regulatory policy compliance.

VPN concentrators

Virtual Private Network (VPN) concentrators are used to manage large numbers of VPN connections. VPNs are critical because they provide a secure means of communication across open networks so that remote users can communicate with a company securely. VPN concentrators are ideal when you require a single device to handle a large number of incoming VPN tunnels.

True or false? One common type of VPN concentrator uses Internet Protocol Security (IPsec).

Answer: True. Two common types of VPN concentrators include IPsec and SSL.

NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic)

Intrusion detection plays a key role in monitoring for and detecting malicious activity. There are two main types of intrusion detection: network intrusion detection system (NIDS), and host intrusion detection system (HIDS). Network-based intrusion detection uses a network-based sensor (or sensors) that is connected to a switch or hub port to collect network traffic. Host-based intrusion detection consists of an agent on a host that analyzes system activity.

True or false? NIDS are effective for preventing attacks.

Answer: False. NIDS can detect attacks and set off an alarm, but they do not prevent an attack from occurring.

True or false? HIDS are effective at detecting malicious network traffic as it enters the network.

Answer: False. HIDS are installed on individual computers. They are not network-based devices; that is the role of NIDS.

Protocol Analyzers

Protocol analyzers are network or software devices that capture and analyze network traffic.

True or false? By default, protocol analyzers can be used to see all traffic on a switched network.

Answer: False. Protocol analyzers work best when used on a hub. If used on a switch, the protocol analyzer will only see the traffic on the specific port into which the analyzer is plugged. Higher-end switches can be configured to share traffic by means of spanning, but they must be configured to do so.

True or false? Protocol analyzers can be used to troubleshoot network problems.

Answer: True. Protocol analyzers are designed for network troubleshooting. Protocol analyzers vary in their capabilities, but most of them are able to display data in multiple views, automatically detect errors, and help the user to determine the cause of errors.

Sniffers

Sniffers are another name for a protocol analyzer. Generally, they describe a software product designed to capture and analyze network traffic. Sniffers work by placing the NIC into promiscuous mode so that the sniffer can detect all the traffic that is present. Depending on how the sniffer is configured, it can capture all network traffic or just the traffic from a single device within the network. When used with a switch, the sniffer must be specially configured to gain access to all traffic from other systems on the network.

True or false? Although sniffers are valuable troubleshooting tools, they can be used maliciously.

Answer: True. Sniffers can be used to capture traffic that is not encrypted. An attacker might be able to intercept and capture clear-text user names and passwords.

Spam filter, all-in-one security appliances

Blocking malicious traffic and filtering out bogus email is an important job for most security professionals. Surveys show that a large amount of email is spam. Spam filters are designed to filter out these unwanted emails before they reach the end user.

One way to do this is by using all-in-one security devices. These devices combine not just spam filtering, but they can also act as a firewall and a malware detection unit. The advantage of these multipurpose security devices is that they consolidate all the functions of a firewall, such as spam filtering, intrusion prevention, and more. An all-in-one device can be easy to manage, but you must also consider that it can be a single point of failure.

True or false? Although it might be annoying, spam is typically never malicious.

Answer: False. Spam can be nothing more than ads for fake products, but it can also be malicious and trick users into opening tainted attachments or visiting malicious websites.

True or false? Spam filtering is only performed on incoming email.

Answer: False. Spam filtering can be performed on incoming or outgoing email. Outbound mail filtering is useful to detect if an internal computer has been hacked and is being used to send spam.

Web application firewall vs. network firewall

Whereas network firewalls can be seen as general network devices, web application firewalls are more specialized devices. Web application firewalls are designed specifically to protect web applications against common attacks, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (XSRF).

True or false? Web application firewalls are designed to detect and block web application attacks.

Answer: True. Web application firewalls are very specialized devices. They are designed primarily for ecommerce.

True or false? Network firewalls are specifically designed to detect and prevent SQL injection attacks.

Answer: False. Network firewalls are not designed specifically to prevent attacks such as SQL injection.

URL filtering, content inspection, malware inspection

Controlling web traffic is an important task for most security professionals. This includes blocking or granting access to specific URLs. Most organizations will block specific sites that deal with topics such as gambling or pornography. Even though sites titled www.porn.com can be easily blocked, organizations might also want to monitor the content of specific sites and scan for malware.

True or false? URL filtering can be used to provide 100 percent protection and guarantee that users will not go to specific types of websites.

Answer: False. Although URL filtering is effective, it is not foolproof. Moreover, sites typically must be added to a list before being filtered.

True or false? Content inspection can be used to look for specific types of content within certain types of webpages.

Answer: True. Content inspection is used by many different organizations to look for specific types of web content such as pornography. Upon identifying specific types of content, a site can be flagged or a user might be warned not to revisit the site.

True or false? Malware inspection is a common technique used to detect malicious content such as Trojans and malware.

Answer: True. Malware inspection is just one of many techniques used by security professionals to protect internal users from websites that might host malicious content.

Can you answer these questions?

You can find the answers to these questions at the end of this chapter.

1. While using a sniffer program, you have captured some traffic that looks like an active FTP connection. Is it possible that you might be able to see the user name and password in clear text?

2. You currently manage a number of small customers that work from a shared office space. Each is utilizing independent anti-spam, firewall, and antivirus protection. Is there a way for you to centralize these services?

3. There has been a concern in the office over some of the websites that employees are visiting. Is there an easy way for you to deal with this problem and restrict access to specific sites?

4. Which type of intrusion detection system can be used to examine unencrypted network traffic?

5. Can an IDS that monitors network traffic decode encrypted HTTPS traffic?