- By Michael Gregg
- Objective 1.1: Explain the security function and purpose of network devices and technologies
- Objective 1.2: Apply and implement secure network administration principles
- Objective 1.3: Distinguish and differentiate network design elements and compounds
- Objective 1.4: Implement and use common protocols
- Objective 1.5: Identify commonly used default network ports
- Objective 1.6: Implement wireless networks in a secure manner
Objective 1.3: Distinguish and differentiate network design elements and compounds
In this exam objective, you might be tested on your ability to distinguish and differentiate network design elements and compounds. A security professional must understand how a network functions and what each of its components does. For example, items such as DMZs, VLANs, and NACs all have a specific security purpose. Even items such as remote access and telephony systems must be closely watched to ensure that they are not used inappropriately.
Exam need to know…
Explain how to deploy a DMZ and what its purpose is
For example: Do you know that a DMZ resides between the untrusted external network and the internal trusted network?
The role of subnetting and how it is used to provide segmentation and security
For example: Do you know that subnetting is used to allocate network addresses into usable blocks?
Define how network address translation (NAT) is used and its role in providing security and extending the lifespan of IPv4 addresses
For example: Do you know that NAT provides a level of security by blocking outsiders from seeing the internal structure of a network?
Discuss remote access and how it is a portal for legitimate users and potential attackers
For example: Do you know that remote access allows users to access internal resources?
Detail the purpose of NAC and how it provides greater network security
For example: Do you know that NAC offers organizations an advanced method of policy enforcement?
Explain how virtualization is used by most organizations today to better utilize existing resources
For example: Do you know that virtualization is widely used for development and testing?
Define cloud computing and identify some related common security concerns
For example: Do you know that cloud computing offers both advantages and security concerns?
Even though the term “DMZ” might conjure up the image of the “no-man's land” between North Korea and South Korea, as it relates to networking it is a technical term that describes a special-purpose perimeter network that resides between a trusted and an untrusted network. The DMZ is designed to allow untrusted outsiders in to use public access services, such as web, FTP, DNS, and so on. Most DMZs are deployed by using a multi-homed firewall with three interfaces: one to the Internet, one to the organization’s private LAN, and one to the DMZ.
True or false? A DMZ is used to host public services.
Answer: True. Organizations use DMZs to host public services such as web, email, FTP, and DNS. The DMZ allows outsiders limited access to a private network via a specialized security zone.
One advantage of an IP network is that the local portion of the address can be divided into smaller groups. These groups (or subnets) create a more manageable and user-friendly network. Organizations usually create subnets for a combination of reasons that can include:
Performance problems or high-traffic volume
Security issues and a need to segment sensitive data
Connectivity issues and a need to connect distant locations by using a WAN
The need to connect disparate protocols (for example, Ethernet, Token Ring, Frame Relay, or ATM)
To determine the subnets into which a network has been divided, look at the subnet mask that has been applied. All IP networks use a subnet mask to separate the network portion of the address from the host portion. The subnet mask defines the point at which the network ends and the host begins. The subnet mask is a 32-bit binary number that indicates which portions of a host IP address define the network ID and which portions define the host ID. As an example, a class A address has an 8-bit mask, a class B address has a 16-bit mask, and a class C address has a 24-bit mask. These are expressed as follows:
Class A 255.0.0.0
Class B 255.255.0.0
Class C 255.255.255.0
Using class C as an example, the first 24 bits of the subnet mask are used to identify the Internet-unique part of the address. To determine the number of subnets into which a network has been divided, look at the subnet mask that has been applied. Table 1-1 shows an example.
Table 1-1. Example of Network Subnet
Decimal subnet mask: 255.255.255.240
Binary subnet mask: 11111111.11111111.11111111.11110000
Result: 14 subnets/14 hosts per subnet
True or false? The natural mask for a class A network is 255.255.0.0.
Answer: False. The natural mask for a class A network is 255.0.0.0. Although a class A network can use a 255.255.0.0 mask, that would mean the network has been subnetted.
True or false? You cannot subnet a class C network.
Answer: False. A class C network can be subnetted. For example, a class C network with a 255.255.255.240 mask would have 14 subnets, with 14 usable host addresses on each subnet.
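The classful arithmetic behind the two answers above, worked through as an added example (this is illustration code, not the book's): it derives the class from the first octet, checks the mask against the natural mask, and counts subnets and hosts with the classful convention that drops the all-zeros and all-ones subnets and the network and broadcast addresses. The addresses used are constructed.

```python
"""Classful subnet calculator (added illustration, not the book's code).

On a class C network the mask 255.255.255.240 borrows 4 host bits, so
2**4 - 2 = 14 subnets and 2**4 - 2 = 14 usable hosts per subnet.
"""
import ipaddress

NATURAL_BITS = {"A": 8, "B": 16, "C": 24}


def address_class(ip: str) -> str:
    """Classful class from the first octet: A 0-127, B 128-191, C 192-223."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    raise ValueError(f"{ip} is not a class A, B, or C address")


def mask_bits(mask: str) -> int:
    """Length of a dotted-decimal mask; rejects masks whose ones are not contiguous."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def binary_mask(mask: str) -> str:
    """Render the mask the way Table 1-1 does, one 8-bit group per octet."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def analyse(ip: str, mask: str) -> dict:
    """Decide whether the network is subnetted and count subnets and hosts."""
    cls = address_class(ip)
    natural = NATURAL_BITS[cls]
    bits = mask_bits(mask)
    if bits < natural:
        raise ValueError(f"{mask} is shorter than the class {cls} natural mask")
    borrowed = bits - natural          # host bits taken for subnet numbering
    host_bits = 32 - bits
    return {
        "class": cls,
        "natural_mask": str(ipaddress.IPv4Network(f"0.0.0.0/{natural}").netmask),
        "subnetted": borrowed > 0,
        # Classful counting: borrowing no bits leaves the single natural network.
        "subnets": 2 ** borrowed - 2 if borrowed > 0 else 1,
        "hosts_per_subnet": 2 ** host_bits - 2,
    }


if __name__ == "__main__":
    # Constructed example matching the chapter's 14 subnets / 14 hosts case.
    print(binary_mask("255.255.255.240"), analyse("192.168.1.0", "255.255.255.240"))
```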
VLANs originated as a security and traffic-control mechanism used to separate network traffic. The VLAN model works by separating users into workgroups, such as engineering, marketing, and sales. VLANs are created by using switches; they function in much the same way as a subnet because they segment Layer 2 traffic. Security administrators can use VLANs to separate traffic without altering the physical topology. Security administrators also use VLANs to block broadcast traffic. Today, many organizations prefer campus-wide VLANs, in which the VLANs span and are trunked across the entire network. VLANs block broadcast storms and add security and protection against sniffing.
True or false? VLANs protect against sniffing because each one is treated as a separate subnet.
Answer: True. One of the real benefits of a VLAN is its ability to reduce the threat of sniffing. If someone gained access to the accounting department’s VLAN and installed a sniffer, he would not see the contents of the VLAN for the sales department.
True or false? Broadcast traffic is intrusive because it must be processed by the receiving systems.
Answer: True. Broadcast does interrupt the operation of devices because they must pass the data up the stack and evaluate it to see if it must be acted upon. VLANs limit broadcast traffic to only specific segments of the network.
Network address translation (NAT) was designed to provide a level of security and help to better manage the allocation of IP addresses. Using NAT, an organization can have many internal IP addresses and only one public, external IP address. For example, at your house, you might have 5 to 10 devices connected to your network. Each requires an address, but must they all be public? No, probably not. With NAT, all these internal devices can use one public IP address. This technology helps better allocate the remaining IPv4 addresses and provides some security, because outsiders cannot directly see your internal address scheme. NAT can use any one of three private address ranges, which include the following:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
NAT can be deployed as a one-to-one address translation, static address translation, or port address translation (PAT). PAT is one common approach because many internal (private) addresses can share one common public address. The edge device or router knows with which internal device to communicate by tracking ports used and the specific IP address being used for translation.
True or false? If an outsider scans a NAT network, she can directly see the IP address scheme of the internal network.
Answer: False. NAT hides the internal address scheme because it is situated between the internal and external network, which prevents outsiders from directly accessing internal systems. The router or NAT device is the only party allowed to maintain a conversation between the external network and the internal private network. NAT maintains a translation table to translate packets to and from the internal and external networks.
True or false? NAT was implemented primarily as a cost-saving measure for ISPs.
Answer: False. The true purpose of a NAT is to extend the usability of IPv4–based addresses. Without NAT, every device on an internal network would be required to have a public-addressable IP address. NAT makes it possible to reduce the need for public IP addresses because an end user can have many internal devices, but need only one or even just a few external IP addresses.
True or false? NAT provides some amount of security.
Answer: True. With NAT, an outsider cannot directly connect to an internal device. The internal device must request a connection or set up static NAT for a dedicated allowance. Although NAT does not provide a high level of security, it does add one additional layer that prevents an outsider from directly seeing an internal addressing scheme.
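A small simulation of the PAT edge device described above, added as an illustration (not the book's code): many private hosts share one public address, the device keeps the translation table keyed by the public port it hands out, and an inbound packet that matches no table entry is dropped, which is the "outsider cannot directly connect" property the answers rely on. The private-range check uses the three ranges listed in the chapter; every address and packet is constructed sample data.

```python
"""Port address translation (PAT) simulator (added illustration, not the book's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three private ranges listed in the chapter (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatDevice:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # public port -> (internal ip, internal port, peer ip, peer port)
        self.by_flow = {}    # the same entries keyed the other way, for outbound lookups

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the LAN; allocate a public port on first use."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an internal address")
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.table[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving from outside, or return None to drop it.

        Drops anything no internal host asked for, and anything from a peer
        other than the one the internal host is actually talking to."""
        flow = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or flow is None:
            return None
        if (pkt.src_ip, pkt.src_port) != (flow[2], flow[3]):
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
```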
Remote access describes any technology that is used to connect users to remote services. Such systems have historically been used so that users can connect to an organization’s servers from other locations via modems and dial-up connections. More recently, remote access servers (RAS) can support modems, VPN links, and terminal services connections. Even though modems are the slowest of the possible connection options, they are still used because of their wide availability. Remote access security can be strengthened by using callback and caller ID. One common attack against dial-up connections is wardialing. Wardialing is a technique by which an attacker dials a large range of numbers and identifies any that connect to a modem. Once identified, this number can be targeted for additional attacks.
True or false? Wardriving is an attack that is used against RAS systems.
Answer: False. Wardriving is not an attack against RAS systems. Wardriving is an attack against wireless networks.
True or false? Dial-back is a good defensive measure against unauthorized use of RAS systems.
Answer: True. Dial-back is a good defense against unauthorized use of RAS. When the user dials in, dial-back authenticates the user by dialing back to a predefined authorized number.
True or false? RAS can make use of a “plain old telephone service” (POTS) system.
Answer: True. POTS is simply a standard phone line that is used for dial-up modem connections on the public switched telephone network (PSTN). Dial-up with the use of modems is the most common RAS type.
Telephony was born with the invention of the telephone by Alexander Graham Bell. Telephony can be described as any means to deliver telephone services to an organization or individual. Traditionally, telephony was delivered via POTS lines and modems, but today, telephony also encompasses Voice over IP (VoIP), VPNs, and private branch exchange (PBX).
A PBX is a private telephone system designed for use by businesses and other organizations. Many companies might have one or more public phone lines and might use the PBX to connect these lines to many internal private extensions. The primary issue with PBX is security. A misconfigured PBX can give a malicious user the means to place free long-distance calls or even alter the PBX configuration or setup. Security professionals should know the basic methods to secure a PBX, which include changing all default passwords, changing access codes, enabling logging and mandating periodic review of the logs, and restricting long-distance calling.
VoIP, although much newer than PBX, also has security vulnerabilities. These include sniffing, interception, and DoS attacks.
True or false? A PBX system does not present a real security concern.
Answer: False. A PBX system is much like other technologies, and it must be secured. One major issue with PBX is toll fraud.
True or false? Outside call routing and call forwarding are not PBX security concerns.
Answer: False. Outside call routing and call forwarding are two major PBX issues because both can give an attacker the ability to call in to a PBX and dial out to a long-distance number. This can cost an organization hundreds or thousands of dollars in long-distance phone charges.
Network access control (NAC) was developed as a response to the increased need for security that both large and small organizations face. NAC offers administrators a way to verify that devices meet certain “health” standards before they are connected to the network. Laptops, desktop computers, or any other device that doesn’t comply with predefined requirements is unable to join the network, or might even be shunted to a restricted network where access is limited until the device complies with the required standards.
There are several different ways to implement NAC. These include infrastructure-based NAC, endpoint-based NAC, and hardware-based NAC. Infrastructure-based NAC requires that an organization upgrade its hardware and/or operating systems. Endpoint-based NAC requires the installation of software agents on each network client. These devices are then managed via a centralized management console. Hardware-based NAC requires the installation of a network appliance. The appliance monitors for specific behavior and can limit device connectivity in the event that non-compliant activity is detected.
True or false? There are two basic ways to implement NAC.
Answer: False. There are three basic ways to implement NAC: infrastructure-based NAC, endpoint-based NAC, and hardware-based NAC. Many companies have released NAC products, including Microsoft, Cisco, and Symantec. Each uses one of the three primary approaches.
True or false? The concept of NAC is to control access through strict adherence to and implementation of security policies.
Answer: True. The goal of NAC is to aid in the strict control of access policies. For example, an employee’s laptop might contain all types of malware upon returning to work after a long weekend. NAC offers administrators a method to verify that devices such as these meet certain health standards before connection to the network.
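The admission decision the NAC passage describes, played out as an added example (illustration code, not the book's or any vendor's): a device reports its posture, the checks an endpoint agent or appliance would collect, and policy decides whether it joins the production network, is shunted to a restricted remediation network, or is refused. The policy thresholds, VLAN numbers, and sample devices are constructed.

```python
"""NAC admission decision (added illustration, not the book's code)."""
from dataclasses import dataclass
from datetime import date

# Constructed policy: what "healthy" means on this network.
POLICY = {"max_signature_age_days": 7, "production_vlan": 10, "remediation_vlan": 999}


@dataclass
class Posture:
    host: str
    agent_present: bool      # endpoint-based NAC cannot assess a device without its agent
    av_installed: bool
    av_signature_date: date
    patches_current: bool
    firewall_enabled: bool


def evaluate(p: Posture, today: date) -> dict:
    """Return the admission decision and the reasons behind it."""
    if not p.agent_present:
        # Nothing to assess, so the device gets no network access at all.
        return {"host": p.host, "decision": "deny", "vlan": None,
                "reasons": ["no NAC agent reporting"]}
    reasons = []
    if not p.av_installed:
        reasons.append("antivirus not installed")
    elif (today - p.av_signature_date).days > POLICY["max_signature_age_days"]:
        reasons.append("antivirus signatures out of date")
    if not p.patches_current:
        reasons.append("operating system patches missing")
    if not p.firewall_enabled:
        reasons.append("host firewall disabled")
    if reasons:
        # Non-compliant: restricted network where only remediation services are reachable.
        return {"host": p.host, "decision": "quarantine",
                "vlan": POLICY["remediation_vlan"], "reasons": reasons}
    return {"host": p.host, "decision": "admit",
            "vlan": POLICY["production_vlan"], "reasons": []}


if __name__ == "__main__":
    # The chapter's scenario: a laptop back from a long weekend with stale defences.
    laptop = Posture("lt-042", True, True, date(2024, 5, 1), False, True)
    print(evaluate(laptop, date(2024, 5, 20)))
```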
Virtualization emulates hardware within a virtual machine and offers security professionals a means to separate hardware from software. Virtualization duplicates the physical architecture needed for a program or process to function. It is widely used today with virtual machines. A virtual machine is simply one that is set up as if it has its own hardware, yet it is actually sharing hardware with a physical machine and possibly one or more other virtual machines. CPU, memory, and storage resources are all split between the physical and virtual machine. This approach offers a much better utilization rate for servers while providing the capability to isolate applications and activities. Common examples include Microsoft Virtual PC, Microsoft Virtual Server, Microsoft Hyper-V, VMware, and VirtualBox.
True or false? Virtualization offers faster recovery than traditional physical servers when hardware fails.
Answer: True. One of the primary advantages of virtualization is faster recovery. A virtual image can be quickly moved to another physical server and recovered in the event of a hardware failure.
Cloud computing is a business model that delivers computing as a service by providing on-demand access to a pool of computing resources, including software, infrastructure, and hardware facilities, over a network. Some potential cloud computing security concerns can include data protection, identity management, physical security, availability, data privacy, and accountability.
True or false? Cloud computing can be described as a service whereby computing and processing of data is performed elsewhere and not on premises.
Answer: True. Cloud computing is often thought of as Internet-based computing, because an organization or individual is using the resources of a third party for data storage, processing, retrieval, or even application services.
Platform as a Service
With Platform as a Service (PaaS), users “rent” hardware, operating systems, storage, and network capacity over the Internet. Using this service delivery model, a customer can purchase virtualized servers and associated services to run existing applications or develop and test new ones.
PaaS involves some risk of “lock-in” if the provider’s offerings require proprietary service interfaces or development languages. Another PaaS risk is that the flexibility of offerings might not meet the needs of some users whose requirements evolve rapidly.
True or false? PaaS is a development environment in which a customer can create and develop services on a provider’s computing environment.
Answer: False. PaaS is actually used for applications so that a customer can create and develop applications on a provider’s computing environment.
Software as a Service
Software as a Service (SaaS) is a software distribution model by which applications are hosted by a vendor or service provider and are made available to customers over a network, typically the Internet. With PaaS you are renting hardware to deliver your own private applications, whereas with SaaS, you are using open applications that are provided to all, such as Google Docs and Microsoft Office Online.
SaaS is becoming an increasingly prevalent delivery model because the underlying technologies that support web services and service-oriented architecture (SOA) are continuing to mature and new developmental approaches, such as Ajax, are becoming popular. Benefits of the SaaS model include easier administration, automatic updates, patch management, and global accessibility.
True or false? Microsoft Office 365 and Google Docs are examples of SaaS.
Answer: True. Both Microsoft Office Online and Google Docs are examples of SaaS. With SaaS, applications are hosted by a cloud provider and made available to customers over the Internet.
Infrastructure as a Service
Infrastructure as a Service (IaaS) is a provision model by which an organization outsources the equipment used to support operations, including storage, hardware, servers, and networking components.
The service provider owns the equipment and is responsible for facilities, operations and maintenance. The client typically pays on a per-use basis.
True or false? IaaS allows companies to scale up internal services by using third-party software.
Answer: False. With IaaS, organizations can scale up by using a cloud provider’s infrastructure, precluding the need to install massive hardware at their own site.
Can you answer these questions?
You can find the answers to these questions at the end of this chapter.
Has a Class C network with a 255.255.255.240 mask been subnetted?
By which form of cloud-based service do you use someone else’s equipment for development?
What is the name of a phone system that is used internally and is private to the organization?
VMware and Virtual PC are examples of what?
What technology is designed to enforce adherence to security policy?