- By Michael Gregg
- Objective 1.1: Explain the security function and purpose of network devices and technologies
- Objective 1.2: Apply and implement secure network administration principles
- Objective 1.3: Distinguish and differentiate network design elements and compounds
- Objective 1.4: Implement and use common protocols
- Objective 1.5: Identify commonly used default network ports
- Objective 1.6: Implement wireless networks in a secure manner
Objective 1.2: Apply and implement secure network administration principles
In this exam objective, you might be tested on techniques that are used to implement secure administration principles.
Exam need to know…
Understand rule-based management
For example: Can you name the two parts of firewall rule-based management?
Understand how routers can be used to increase security by using access control lists, rules, and secure router configuration
For example: Can you explain why it is important to communicate securely with the router?
Describe the various methods by which switches can enhance security, such as flood guards, loop protection, and port security
For example: Do you know how to use port security to prevent common network attacks?
Rule-based management is a way to configure firewalls to filter specific types of traffic. The rule base is made up of two parts: the firewall rule, and the action. The firewall rule determines if a specific packet matches the rule criteria. The action defines what happens if the rule is applied. As an example, when a specific packet type is detected, it might be allowed or denied.
True or false? A firewall rule can include a source or destination port.
Answer: True. Firewall rules can include source or destination ports, IP addresses, websites, or the service to which it is trying to connect.
True or false? Firewalls process rules in a top-down order.
Answer: True. Firewalls typically process rules in a top-down order, moving from first to last.
Firewall rules are processed in a top-to-bottom order and can be applied to traffic entering or leaving a network. As an example, a firewall rule might be created to only allow web traffic into a network to a specific web server, yet insiders might be allowed to browse external websites.
True or false? Best practice is to start by not allowing any traffic and then allowing only traffic that is approved.
Answer: True. A deny-all approach states that no traffic is allowed and that ports and applications are opened on the firewall only as needed.
True or false? Firewall rules typically allow ports 25 and 80 into the network.
Answer: True. Port 25 is used for Simple Mail Transfer Protocol (SMTP, email), and port 80 is used for HTTP.
VLAN management allows end stations to be grouped together in software, even if they are not connected to the same network switch. This allows hosts with a common set of requirements to communicate as if they were attached to the same broadcast domain. As an example, accounting, sales, and marketing can each be placed on their own separate VLAN. Even though these devices might be in diverse locations, VLANs allow each group to communicate with the other members of their VLAN, regardless of physical location.
True or false? Switches typically have visual, built-in methods that indicate VLAN port members to personnel who work in a wiring closet.
Answer: False. A security professional must typically connect to a switch and look at its configuration to see how the VLANs are configured.
True or false? VLANs operate at Layer 4 of the OSI model.
Answer: False. VLANs work at Layer 2 of the OSI model and allow the segmentation of physical traffic.
Secure router configuration
Secure router configuration is a key concern for a security professional. Ideally, the configuration should be performed locally, via a console cable. When this is not possible, remote configuration should make use of encryption. Secure Copy Protocol (SCP) is one method of securing remote configuration. Whether configuring locally or remotely, it is important to save a backup copy of the configuration so that the router can be easily restored should something go wrong.
True or false? The use of Trivial File Transfer Protocol (TFTP) is acceptable for secure remote configuration of a router.
Answer: False. You should use a secure protocol such as SCP. TFTP does not make use of encryption.
Access control lists
The most basic way to configure firewall rules is by means of an access control list (ACL). An ACL is used for packet filtering and for selecting types of traffic to be analyzed, forwarded, or otherwise influenced by a firewall or other device. Typically, firewalls block traffic based on the source/destination address, port, packet type, and so on. Rules placed in an ACL are a form of stateless inspection: stateless devices look only at the list and make a simple yes/no, allow/disallow decision for each packet. ACLs can be used for more than just allowing or blocking traffic. As an example, rules can also log activity for later inspection or raise an alarm.
True or false? An ACL is used for stateful inspection.
Answer: False. ACLs are a very basic form of firewall and are considered stateless inspection.
Port security can mean different things to different people; however, generally it is described as the process of controlling access to ports. This includes physical and logical access. As an example, riser rooms, telecommunication closets, and other areas where there is access to cables, ports, and equipment should be secured. Logical port security can include VLANs, 802.1x, and MAC address filtering.
True or false? Equipment closets should be locked and secured.
Answer: True. Even though many IT professionals think of security in terms of logical control, physical control is also critical. Physical security of access points, telecommunication closets, and any other area where cable access is possible should be closely controlled.
802.1X is an IEEE standard for port-based network access control. 802.1X is widely used in wireless environments and relies on the Extensible Authentication Protocol (EAP). 802.1X acts as an application proxy in that it sits as a middleman in the authentication process.
True or false? 802.1X makes use of Password Authentication Protocol (PAP).
Answer: False. PAP is not used with 802.1X and is considered insecure. 802.1X utilizes Extensible Authentication Protocol (EAP), which offers strong authentication.
Flood guards are tools that you can use to prevent Denial-of-Service (DoS) attacks. This technology is typically built into network equipment such as routers and intrusion prevention equipment. It is designed to detect network floods and then block that traffic. Flood guards help block malicious traffic from entering a network.
True or false? Flood guards are used to prevent broadcast loops.
Answer: False. Flood guards are not used to prevent broadcast loops; however, they help to protect against DoS attacks.
True or false? Flood guards detect traffic that is already in the local network and alert the network administrator as to its malicious use.
Answer: False. Flood guards are used to block malicious traffic at the edge of a network and prevent it from ever entering an organization’s internal domain.
Loop protection is designed to prevent Layer 2 broadcast loops. Loop protection works by sending periodic loop test frames to detect loops within the network cabling. Loop protection can then shut off specific ports to prevent the loops from occurring. Loop protection is typically implemented with Spanning Tree Protocol (STP). STP learns all available paths and then looks for traffic that is being looped back.
True or false? Loop protection is implemented on Layer 3 of the OSI model.
Answer: False. Loop protection is implemented on Layer 2 of the OSI model because it deals with physical frames. Logical traffic at Layer 3 is prevented from looping by the TTL field in the IP header.
True or false? STP is used to provide loop protection.
Answer: True. Ethernet looping is resolved by STP. This unique protocol looks for repeating transmission paths and can work as a filter to block ports, preventing this from occurring.
Firewall rules are based on an implicit-deny principle: any traffic that is not explicitly allowed by a firewall rule is blocked. This is accomplished by the implicit deny-all rule that is logically at the bottom of every firewall rule list. This means that if the firewall rule set does not explicitly allow a specific type of traffic, that traffic falls through to the bottom of the list and is blocked by the implicit deny-all.
True or false? By placing a deny-all statement at the beginning of a firewall rule set, you can block all unwanted traffic.
Answer: False. There are several common errors made by firewall administrators when setting up a firewall rule, and this is one of them. If you place a deny-all at the beginning of a firewall rule set, you will block all remaining rules and no traffic will be allowed through the firewall.
True or false? If you want to block a specific website, a generic allow-all web traffic rule should be placed before the deny rule that blocks a specific website.
Answer: False. Here again is another of the common errors made by firewall administrators. If you place an allow-all web traffic statement first, all web traffic will be passed by that rule, and the deny rule below it will never be reached.
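The following is an added example, not code from the book: a small stateless rule evaluator that models the rule-based management, ACL, and implicit-deny passages above. Each rule is match criteria plus an action, rules are checked top-down with the first match winning, and a packet that matches nothing hits the implicit deny-all. The addresses, ports, and rule names are constructed, and the last two rule sets reproduce the two administrator errors from the questions above.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added illustration (not the book's code): a rule = match criteria + action,
# evaluated top-down, first match wins, implicit deny-all after the last rule.
# Addresses and rule names are constructed for the example.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    dst: str = "0.0.0.0/0"       # destination network (CIDR); default = any
    dport: int | None = None     # destination port; None = any

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.dport in (None, pkt["dport"]))

def evaluate(rules: list[Rule], pkt: dict) -> tuple[str, str]:
    """Stateless top-down check; returns (action, name of the deciding rule)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"      # nothing matched: implicit deny-all

# Correct ordering: web traffic only to the single public web server,
# and the site-specific deny listed before the broad allow.
INBOUND = [Rule("web-to-server", "allow", dst="203.0.113.10/32", dport=80)]
OUTBOUND = [Rule("block-site", "deny", dst="198.51.100.7/32", dport=80),
            Rule("allow-web", "allow", dport=80)]

# The two administrator errors described in the text.
DENY_FIRST = [Rule("deny-all", "deny")] + INBOUND       # deny-all at the top
ALLOW_FIRST = [OUTBOUND[1], OUTBOUND[0]]                 # allow-all before the deny

def demo() -> dict:
    web_in = {"dst": "203.0.113.10", "dport": 80}
    ssh_in = {"dst": "203.0.113.10", "dport": 22}
    bad_out = {"dst": "198.51.100.7", "dport": 80}
    return {
        "web_in": evaluate(INBOUND, web_in),                    # allow, web-to-server
        "ssh_in": evaluate(INBOUND, ssh_in),                    # deny, implicit-deny
        "web_in_deny_first": evaluate(DENY_FIRST, web_in),      # deny, deny-all
        "bad_out": evaluate(OUTBOUND, bad_out),                 # deny, block-site
        "bad_out_allow_first": evaluate(ALLOW_FIRST, bad_out),  # allow, allow-web
    }
```

Running `demo()` shows that the misordered sets block everything (deny-all first) or let the blocked site through (allow-all first), while the correctly ordered sets behave as intended.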
Prevent network bridging by network separation
Years ago, network bridges were widely used because they offered a simple way to separate collision domains. The problem with bridges was that they were slow, introducing latency into a network. Also, bridges offered no security. Today, routers and firewalls are used for network separation. Routers offer the ability to separate the network at Layer 3 of the OSI model and can also provide some security by means of ACLs. Firewalls can offer even more security and can provide deeper packet inspection, allowing for greater control of ingress and egress traffic.
True or false? Bridges provide logical segmentation.
Answer: False. Bridges provide physical segmentation and have the ability to block Layer 2 broadcast traffic.
True or false? Bridges offer multilayer traffic management.
Answer: False. Bridges only operate on Layer 2 of the OSI model, whereas routers and firewalls can operate at higher layers. This can provide a much more granular approach to traffic management.
Log analysis is something that is widely discussed and not always properly implemented. Log analysis is the review of audit logs and records. It is considered a detective control because logs are reviewed after the fact. Logs should be moved off of host systems and encrypted for tighter security and to prevent tampering. In many environments, logs may not be reviewed until something goes wrong. Logs should be reviewed periodically to look for anomalies. This can help to reveal problems early on, before they become worse. Logs should be reviewed for configuration errors and signs of malicious activity.
True or false? Log analysis is considered a preventive control.
Answer: False. Log analysis is considered a detective control because it is used to uncover errors, problems, and misconfigurations after they have occurred.
True or false? Logs should contain a timestamp and hash.
Answer: True. Logs should contain a timestamp and hash to prevent and detect tampering.
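As an added example (not the book's code) of the timestamp-and-hash point above, the block below keeps an append-only log in which every record carries a timestamp and a keyed hash chained to the previous record, so that editing or deleting an earlier record is detected on review. The key, the log messages, and the timestamps are constructed for the example; the assumption is that the key lives only on the central log collector, not on the host that produced the logs.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Added illustration (not the book's code). KEY is an assumption: it would be
# held only by the central log collector, so a host that is later compromised
# cannot recompute the chain after altering records that were already shipped.
KEY = b"example-log-key"   # constructed for the example

def _digest(prev_hash: str, ts: str, msg: str) -> str:
    data = (prev_hash + "|" + ts + "|" + msg).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def append(log: list[dict], msg: str, ts: str | None = None) -> dict:
    """Append one record; its hash covers the previous record's hash."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    prev = log[-1]["hash"] if log else "0" * 64
    rec = {"ts": ts, "msg": msg, "hash": _digest(prev, ts, msg)}
    log.append(rec)
    return rec

def verify(log: list[dict]) -> int | None:
    """Return the index of the first bad record, or None if the chain is intact."""
    prev = "0" * 64
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["hash"], _digest(prev, rec["ts"], rec["msg"])):
            return i
        prev = rec["hash"]
    return None

def demo() -> dict:
    # Constructed sample entries with fixed timestamps so results are stable.
    log: list[dict] = []
    append(log, "config change: acl 101 modified by admin", "2024-01-05T10:00:00+00:00")
    append(log, "login failure: user root from 192.0.2.9", "2024-01-05T10:01:30+00:00")
    append(log, "port Gi1/0/7 err-disabled: port-security violation", "2024-01-05T10:02:10+00:00")
    intact = verify(log)
    edited = json.loads(json.dumps(log))        # deep copy, then alter one message
    edited[1]["msg"] = "login success: user root from 192.0.2.9"
    deleted = log[:1] + log[2:]                 # drop the middle record
    return {"intact": intact, "edited": verify(edited), "deleted": verify(deleted)}
```

Removing only the newest record is not caught by the chain alone; forwarding the latest hash to the collector as each record is written closes that gap.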
Can you answer these questions?
You can find the answers to these questions at the end of this chapter.
A new intern has connected all five of the company’s switches together into a massive loop, causing a brief broadcast storm. What technology can prevent this from becoming an even bigger problem?
You have an RJ-45 port in a meeting room that is accessible by all, but should only be used with one laptop that is assigned to that area. What can you do to prevent other laptops from using the port?
You have been tasked with setting up some basic controls to govern what traffic can ingress or egress your network. Is there some way that you can do this on the router?
There are many types of controls that a security professional should understand such as preventive, detective, and corrective. What type of control is log analysis?
Are bridges considered smart devices?