1 / 146

Security+

Security+. Domain #1. Domain 1 Network Security. 1.1 Explain the security function and purpose of network devices and technologies 1.2 Apply and implement secure network administration principles 1.3 Distinguish and differentiate network design elements and compounds

deirdra
Télécharger la présentation

Security+

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security+ Domain #1

  2. Domain 1 Network Security 1.1 Explain the security function and purpose of network devices and technologies 1.2 Apply and implement secure network administration principles 1.3 Distinguish and differentiate network design elements and compounds 1.4 Implement and use common protocols 1.5 Identify commonly used default network ports 1.6 Implement wireless network in a secure manner

  3. 1.1 Explain the security function and purpose of network devices and technologies • Firewalls • Routers • Switches • Load Balancers • Proxies • Web security gateways • VPN concentrators • NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic) • Protocol analyzers • Sniffers • Spam filter, all-in-one security appliances • Web application firewall vs. network firewall • URL filtering, content inspection, malware inspection

  4. Firewall • Typically used to filter packets • Sometimes called a packet filter • Designed to prevent malicious packets from entering the network • A firewall can be software-based or hardware-based • Hardware firewalls usually are located outside the network security perimeter • As the first line of defense

  5. Firewall (continued)

  6. Firewall (continued) • The basis of a firewall is a rule base • Establishes what action the firewall should take when it receives a packet (allow, block, and prompt) • Stateless packet filtering • Looks at the incoming packet and permits or denies it based strictly on the rule base • Stateful packet filtering • Keeps a record of the state of a connection between an internal computer and an external server • Then makes decisions based on the connection as well as the rule base

  7. Stateless Firewall Rules

  8. Stateful Firewall Rules State = Established

  9. Inbound and Outbound Traffic Filtering • Most personal software firewalls today also filter outbound traffic as well as inbound traffic • Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading • But it annoys them with these alerts

  10. Personal Software Firewalls • Firewall, sometimes called a packet filter • Designed to prevent malicious packets from entering or leaving computers • Can be software-based or hardware-based • Personal software firewall • Runs as a program on a local system to protect it against attacks • Many operating systems now come with personal software firewalls • Or they can be installed as separate programs

  11. Proxy Server • Clients never directly connect to the Internet • This saves bandwidth, because one copy of a popular Web page can be used many times • Allows a company to block forbidden Web sites • It also prevents many attacks the same way NAT does • Reverse proxy • Does not serve clients but instead routes incoming requests to the correct server

  12. Proxy Server I will get yahoo.com and save a copy I want to see yahoo.com Internet Here is my copy of yahoo.com

  13. Traffic Control Methods (cont’d) • You must configurea host to work witha proxy server • The host's effective IP address is the same as the proxy server

  14. Types of Firewall Protection Firewalls in the OSI Model

  15. Routers Router • Routers are like intersections; switches are like streets

  16. Understanding Routers • Routers are hardware devices used on a network to send packets to different network segments • Operate at the network layer of the OSI model

  17. Routing Protocols • Routers tell one another what paths are available with Routing Protocols • Link-state routing protocol • Each router has complete information about every network link • Example: Open Shortest Path First (OSPF) • Distance-vector routing protocol • Routers only know which direction to send packets, and how far • Example: Routing Information Protocol (RIP) • Path-vector routing protocol • Used on the Internet Backbone • Example: Border Gateway Patrol (BGP)

  18. Load Balancing • Mission-critical • Integral, key part of the company’s core operations • Must maximize firewall’s uptime and smooth operation • Load balancing • Distributing the work placed on the firewall so that it is handled by two or more firewall systems • Load sharing • Configuring two or more firewalls to share the total traffic load

  19. Load Balancing (cont’d.) • Traffic between firewalls distributed by routers using special routing protocols • Open Shortest Path First (OSPF) • Border Gateway Protocol (BGP) • Layer four switches • Network devices with the intelligence to make routing decisions based on source and destination IP address or port numbers

  20. Virtual Private Networks (VPNs) • A Virtual Private Network (VPN) is an encrypted tunnel that provides secure, dedicated access between two hosts across an unsecured network • Types of VPNs • Workstation to server • Firewall to firewall • Workstation to workstation

  21. Virtual Private Networks (cont’d) • In firewall-to-firewall communication, hosts must exchange public keys

  22. Virtual Private Networks (cont’d) • Tunneling • Tunneling components • Passenger protocol • Encapsulation protocol • Transport protocol • Benefits of tunneling • Point-to-Point Tunneling Protocol (PPTP) • PPTP vs. Point-to-Point Protocol (PPP) • PPTP and Generic Routing Encapsulation (GRE) protocol • Layer 2 Tunneling Protocol (L2TP) • L2TP elements • Encryption and L2TP • VPN vulnerabilities • Comparing L2TP and PPTP

  23. Virtual Private Networks (VPNs) • One of the most common types of RAS • Uses an unsecured public network, such as the Internet, as if it were a secure private network • Encrypts all data that is transmitted between the remote device and the network • Common types of VPNs • Remote-access VPN or virtual private dial-up network (VPDN) • Site-to-site VPN

  24. Virtual Private Networks (VPNs) • VPN transmissions are achieved through communicating with endpoints • Endpoint • End of the tunnel between VPN devices • VPN concentrator • Aggregates hundreds or thousands of multiple connections • Depending upon the type of endpoint that is being used, client software may be required on the devices that are connecting to the VPN

  25. Virtual Private Networks (VPNs) • VPNs can be software-based or hardware-based • Software-based VPNs offer the most flexibility in how network traffic is managed • Hardware-based VPNs generally tunnel all traffic they handle regardless of the protocol • Generally, software based VPNs do not have as good performance or security as a hardware-based VPN

  26. VPN Advantages • Cost savings (no long-distance phone call) • Scalability (easy to add more users) • Full protection (all traffic is encrypted) • Speed (faster than direct dial-up) • Transparency (invisible to the user) • Authentication (only authorized users can connect) • Industry standards

  27. VPN Disadvantages • Management • Availability and performance • Interoperability • Additional protocols • Performance impact • Expense

  28. Intrusion Detection • Basic definition • The real-time monitoring of network activity behind the firewall • Detects and logs network and/or host-based traffic • Intrusion-detection strategies • Signature detection • Anomaly detection • Typical actions taken by an IDS • IDS application types • Host-based • Network-based

  29. Network Intrusion Detection Systems (NIDS) • Network intrusion detection system (NIDS) • Watches for attempts to penetrate a network • NIDS work on the principle of comparing new behavior against normal or acceptable behavior • A NIDS looks for suspicious patterns • Passive intrusion detection just logs the traffic and sends alerts

  30. Network Intrusion Detection Systems (NIDS) (continued)

  31. Host Intrusion Detection Systems (HIDS) • Monitors network traffic • Detects and possibly prevents attempts to • HIDS are software-based and run on a local computer • These systems can be divided into four groups: • File system monitors • Logfile analyzers • Connection analyzers • Kernel analyzers • HIDS compare new behavior against normal behavior

  32. Host-Based Intrusion Detection • Management structure

  33. Intrusion Prevention Systems • Finds malicious traffic and deals with it immediately • Also called Active Intrusion Detection • A typical IPS response may be to block all incoming traffic on a specific port

  34. Host Intrusion Prevention Systems (HIPS) • Installed on each system that needs to be protected • Rely on agents installed directly on the system being protected • Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks

  35. Host Intrusion Prevention Systems (HIPS) • Most HIPS monitor the following desktop functions: • System calls • File system access • System Registry settings • Host input/output • HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls • HIPS provide an additional level of security that is proactive instead of reactive

  36. Network Intrusion Prevention Systems (NIPS) • Work to protect the entire network and all devices that are connected to it • By monitoring network traffic NIPS can immediately react to block a malicious attack • NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events • Can drop malicious traffic based on their configuration or security policy

  37. False Positives and False Negatives • A false positive occurs when the IDS/IPS mistakes legitimate traffic for illegitimate traffic • Caused by old signature databases • Caused by low thresholds • A false negative is whenever an IDS does not detect an intrusion, even though one is occurring • Causes • The IDS is on a switched network • Improper configuration • DOS/DDOS attacks meant to mask other illegitimate traffic • Encrypted traffic

  38. Protocol Analyzers • Three ways for detecting a potential intrusion • Detecting statistical anomalies (unusual traffic) • Examine network traffic and look for well-known patterns of attack • Use protocol analyzer technology • Protocol analyzers • Can fully decode application-layer network protocols • Parts of the protocol can be analyzed for any suspicious behavior • Such as an overly long User-Agent field in an HTTP GET request

  39. Protocol Analyzers • Also called a sniffer • Captures each packet to decode and analyze its contents • Can fully decode application-layer network protocols • Common uses include: • Network troubleshooting • Network traffic characterization • Security analysis

  40. Blocking Spam • Image spam cannot be easily filtered based on the content of the message • To detect image spam, one approach is to examine the context of the message and create a profile, asking questions such as: • Who sent the message? • What is known about the sender? • Where does the user go if she responds to this e-mail? • What is the nature of the message content? • How is the message technically constructed?

  41. 1.2 Apply and implement secure network administration principles • Rule-based management • Firewall rules • VLAN management • Secure router configuration • Access control lists • Port Security • 802.1x • Flood guards • Loop protection • Implicit deny • Prevent network bridging by network separation • Log analysis

  42. 1.3 Distinguish and differentiate network design elements and compounds • DMZ • Subnetting • VLAN • NAT • Remote Access • Telephony • NAC • Virtualization • Cloud Computing • Platform as a Service • Software as a Service • Infrastructure as a Service

  43. Configuring Firewalls • Default firewall stances • Default open (Implicit Allow):: Allows all traffic by default. You add rules to block certain types of traffic. • Default closed (Implicit Deny): Allows no traffic at all by default. You add rules to allow only certain types of traffic. • Configuring an Access Control List (ACL) • Source address • Source port • Destination address • Destination port • Action

  44. Demilitarized Zone (DMZ) • A separate network that sits outside the secure network perimeter • Outside users can access the DMZ but cannot enter the secure network

  45. DMZ with One Firewall

  46. DMZ with Two Firewalls

  47. Types of Bastion Hosts • Triple-homed bastion host

  48. Types of Bastion Hosts • Alternative DMZ configuration

More Related