# CompTIA Security+ 501 exam Chapter 05: Understanding Network Components Part 2
Posted by Superadmin on November 16 2018 15:12:42

Security information and event management

 

A security information and event management (SIEM) system automates the collection of log data from multiple hosts, servers, and network devices, such as firewalls, in near real time. It normalises the logs into a common format and correlates events across all of the sources, so that an attack touching several systems, which no single host's log would reveal, can be identified and alerted on from one console. The types of functionality from a SIEM system are:
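The correlation step is the part a single host cannot do for itself. The following is an added example (not code from the book): it collects constructed SSH log lines from three servers, normalises them into events, and raises an alert when one source address fails to log in on several distinct hosts inside a time window, which is the signature of password spraying. The log lines, hostnames, and addresses are constructed for illustration; the threshold and window are assumptions.

```python
"""Toy SIEM correlation: collect syslog lines from several hosts, normalise
them into events and alert when one source IP fails logins on at least
`min_hosts` distinct hosts inside `window`.

Added example, not from the book. The log lines below are constructed; the
field layout mimics OpenSSH's 'Failed password' message."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, as a SIEM collector would receive them from
# three different servers (the hostname is the field after the timestamp).
SAMPLE_LOGS = """\
Nov 16 15:10:01 web01 sshd[2011]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 16 15:10:03 web01 sshd[2011]: Failed password for admin from 203.0.113.7 port 40123 ssh2
Nov 16 15:10:05 db01 sshd[771]: Failed password for root from 203.0.113.7 port 40130 ssh2
Nov 16 15:10:09 fw01 sshd[120]: Failed password for root from 203.0.113.7 port 40131 ssh2
Nov 16 15:11:40 web01 sshd[2012]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Nov 16 15:12:00 web01 sshd[2013]: Accepted password for alice from 198.51.100.9 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(lines, year=2018):
    """Normalise raw lines into event dicts; unrecognised lines are skipped.
    Syslog timestamps carry no year, so one is supplied (assumed 2018)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events

def correlate(events, window=timedelta(minutes=5), min_hosts=3):
    """Return one alert per source that failed logins on >= min_hosts distinct
    hosts inside `window`. Each host alone only ever sees a handful of failures."""
    failed = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            failed[e["src"]].append(e)
    alerts = []
    for src, evs in failed.items():
        for i, first in enumerate(evs):
            inside = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in inside}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts), "count": len(inside)})
                break
    return alerts

if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOGS)):
        print(f"ALERT password spraying from {a['src']} across {a['hosts']} ({a['count']} failures)")
```

Run it and the only alert is for 203.0.113.7, which touched web01, db01 and fw01 within eight seconds; the single failure from 198.51.100.9 followed by a success is the kind of event a human would not want paged for.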

 

 

Mail gateway

 

A mail gateway is a device or service that sits in the DMZ in front of the internal mail server and scans incoming and outgoing email for malware. It can also act as a spam filter, so that spam and phishing messages are dropped before they reach the internal mail server.

 

 

Cloud-based email

 

Due to email being a critical function for businesses, more and more companies are moving away from in-house, server-based solutions, and are using Microsoft Office 365 or Google G Suite. The benefits of cloud-based email are that the cloud provider is responsible for scanning the incoming email as well as providing the hardware to run the mail servers.

 

 

Media gateway

 

A Media Gateway is a translation device or service that converts media streams between disparate telecommunications technologies. An example of this is Karaka, which is an XMPP Gateway that allows communication between Jabber and Skype.

 

 

Hardware security module

 

A Hardware Security Module (HSM) is a tamper-resistant physical device that generates, stores, and uses cryptographic keys, for example the private keys behind the X.509 certificates used on a network, so that the keys never leave the device in plain form; signing and decryption are performed inside it. These modules traditionally come in the form of a plug-in card, a USB token, or an external appliance that attaches directly to a computer or to the network.

 

 

Software-defined network

 

Traditional networks route packets via hardware routers, each making its own forwarding decisions, so control is decentralized; however, in today's networks more and more people are using virtualization, including cloud providers. A software-defined network (SDN) separates the control plane from the data plane: a centralized software controller decides how traffic should flow and pushes forwarding rules to the switches, which then forward packets according to those rules. The packets themselves do not pass through the controller. This lets network paths and security policy be changed programmatically, which suits virtualized and cloud environments.

 

 

Secure network architecture concepts

 

Securing networks and protecting them is vital to protect a company's assets. We use different zones and topologies, network separation and segmentation, and install firewalls to prevent unauthorized access to the network. First of all, let's look at different zones and topologies. There are three main zones—LAN, WAN and DMZ:

Example:

An upscale store sells designer sneakers at $230; however, the shop's owner purchases them from the manufacturer by placing orders on the extranet server. Access to the extranet web server is via a unique username and password, and the price the shop purchases the sneakers at is $125, allowing for a profit of $105. On the intranet web server is the manufacturing price of the sneakers, which are made in China, for a mere $5 a pair:

Figure 15: Zones

From this information, you should ask yourself three simple questions:

You can see why data in a LAN needs to be secure and not freely available to the general public.

 

 

Network address translation

 

Network Address Translation (NAT) is where a request from a private internal IP address is translated to an external public IP address. Because the private addresses never appear on the internet, and an unsolicited inbound packet has no translation entry to match, hosts behind the NAT cannot be addressed directly from outside. Note that NAT hides addressing, not vulnerabilities; it is not a substitute for a firewall. See Figure 16:

Figure 16: NAT

NAT could be set up to hide an R&D network where new products are designed. Remember, a competitor may try to steal your new ideas and get them to market before you. NAT can be configured on a firewall, a router, or a dedicated NAT server.

 

 

Port address translation

 

Port address translation (PAT) is where multiple internal requests are translated to an external IP address, see Figure 17:

Figure 17: PAT

The translator keeps a table of which internal address and port each external port belongs to, so that replies can be mapped back to the right host. A proxy server has a similar effect: it receives many internal requests and sends them all out from one external IP address.
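The translation table is what makes PAT work in both directions. The following is an added example (not code from the book) of a toy PAT translator: two internal hosts that happen to use the same source port are given distinct public ports on one shared public IP, replies are mapped back through the table, and an inbound packet with no matching flow is dropped, which is the mechanism behind the claim that NAT/PAT hides the internal network. The public IP, internal addresses, and port range are assumptions drawn from the documentation address ranges.

```python
"""Port address translation table as a toy model of a NAT firewall.
Added example, not from the book. Many internal (ip, port) pairs share one
public IP; each outbound flow gets a unique public port and the table maps
replies back. Addresses are RFC 5737 / RFC 1918 documentation values."""
import itertools

PUBLIC_IP = "203.0.113.10"   # assumed external address of the firewall

class PatTable:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next unused public port
        self.outbound = {}   # (int_ip, int_port, dst_ip, dst_port) -> pub_port
        self.inbound = {}    # pub_port -> (int_ip, int_port, dst_ip, dst_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet to public_ip:pub_port,
        reusing the existing mapping if this flow has been seen before."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the internal host. Returns None (drop) when no
        flow matches: the packet was not addressed to our public IP, the port
        has no mapping, or it comes from a different peer than the flow's."""
        if dst_ip != self.public_ip:
            return None
        flow = self.inbound.get(dst_port)
        if flow is None or flow[2:] != (src_ip, src_port):
            return None
        int_ip, int_port, _, _ = flow
        return (src_ip, src_port, int_ip, int_port)

if __name__ == "__main__":
    pat = PatTable()
    # two internal hosts both use source port 50000 to reach the same web server
    a = pat.translate_out("192.168.1.10", 50000, "198.51.100.80", 443)
    b = pat.translate_out("192.168.1.11", 50000, "198.51.100.80", 443)
    print(a, b)                                                   # same IP, ports 1024 and 1025
    print(pat.translate_in("198.51.100.80", 443, PUBLIC_IP, a[1]))  # back to 192.168.1.10:50000
    print(pat.translate_in("198.51.100.80", 443, PUBLIC_IP, 9999))  # None: unsolicited, dropped
```

A real translator also ages entries out and tracks TCP state; the point here is that an internal host becomes reachable from outside only for the duration of a flow it started itself.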

 

 

Network access control (NAC)

 

If you have a Windows desktop or laptop and you go away on holiday for two to three weeks, when you come back your device may need multiple updates. After a client has authenticated to the network, NAC checks that the device being used is fully patched before it is allowed on to the LAN. See Figure 18:

Figure 18: NAC

When the user is authenticated, the health authority (HAuth) checks the health statement reported by the client device (for example, the patch level recorded in its registry) to ensure that it is fully patched. A fully patched machine is deemed compliant and allowed access to the LAN. In the preceding diagram, Laptop 2 is compliant. If the device is not fully patched, it is deemed noncompliant and is redirected to a boundary network, also known as a quarantine network, from which it can reach only the remediation servers it needs to obtain its updates. The components of NAC are:

 

 

Honeypot

 

When security teams want to learn the attack methods that hackers are using, they set up a system that looks like a legitimate one, such as a copy of the company website with weaker security and no real data, known as a honeypot. When an attack begins, the security team records the attacker's methods so that they can prevent the same attacks against the real systems. A honeypot can also act as a decoy so that the real web server is not attacked. A group of honeypots is called a honeynet.

Exam tip:
A honeypot can be used to examine the attack method that hackers use.

 

 

Secure Socket Layer accelerators

 

Secure Sockets Layer (SSL), since replaced by Transport Layer Security (TLS), encrypts data in transit so that it cannot be read or altered on the way. The TLS handshake is a processor-intensive operation (its public-key operations in particular), and busy servers, such as web servers fronting a database, are working very hard as it is. SSL/TLS acceleration refers to offloading the encryption and decryption from the server to a dedicated device, such as a reverse proxy or load balancer, to relieve the pressure on the server.

 

 

SSL/TLS decryptor

 

When encrypted traffic comes into your network from the internet, the firewall, NIPS, NIDS, DLP, or any other network device cannot examine its contents. Therefore, after the traffic has passed through the external firewall, the SSL/TLS decryptor terminates the TLS session (it holds the private keys for the servers it protects) and passes the decrypted traffic through an inline NIPS. This means that the NIPS can examine the traffic and prevent malicious requests from reaching the local area network. The segment carrying decrypted traffic must itself be protected, and the traffic is normally re-encrypted before it reaches the server.

 

 

Sensor/collector

 

A sensor/collector can be a device, a tap, or a firewall log feed whose purpose is to alert the NIDS to changes in traffic patterns within the network. If you place your first sensor on the internet side of your network, it will see all of the traffic arriving from the internet, including attempts that the firewall goes on to block.

 

 

Tap/port mirror

 

A port mirror is configured on a switch so that a copy of the traffic arriving at one port is sent out of another port, where it is either stored on a capture device for later investigation or sent to a sensor that inspects the traffic and, if need be, informs the NIDS of changes in traffic patterns. A tap is a separate physical device inserted inline on a link that delivers the same copy of the traffic without relying on the switch.

 

 

DDoS mitigator

 

A Distributed Denial of Service (DDoS) attack is where a very large volume of traffic, typically from many compromised hosts, is sent to a server or network device so that it is overwhelmed and cannot serve legitimate users. A DDoS mitigator is a device, such as a stateful firewall on the external interface of your DMZ or a flood guard on an internal switch, that can identify the attack at an early stage (for example, from the rate of half-open connections) and drop the traffic before it succeeds.

Exam tip:
Capturing the data flowing through a port on a switch can be done by port mirroring; a network tap is a separate inline device that provides the same copy of the traffic.

 

 

Segregation/segmentation/isolation

 

Cyber crime is rife and is one of the fastest growing criminal industries. In today's world, most businesses are interconnected and use the internet. Maintaining the security and integrity of data, including research and development, is paramount. We need to be able to isolate, segment, and segregate our network, both physically and virtually. Let's look at the options we may have:

Figure 19: Two VLANS in a switch

A VLAN is created in the switch's software by grouping a number of ports to work together as a separate logical network. If you look at Figure 19, you can see that ports 1-4 have been used to create a VLAN for the IT department, and ports 20-24 have been used to create another VLAN for the finance department. Although both departments are on the same physical switch, creating the VLANs isolates each of them from the other VLANs and from the rest of the company's network; traffic can only cross between VLANs through a router or layer 3 switch, where it can be filtered. When VLAN traffic crosses a trunk link between switches, each frame carries an 802.1Q VLAN tag so that the receiving switch knows which VLAN it belongs to and where to send it.
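To make the tag concrete, here is an added example (not code from the book) that decodes the 802.1Q tag on an Ethernet frame and makes the forwarding decision a switch configured like Figure 19 would make: a frame is flooded only to the other ports in the ingress port's VLAN, and a tagged frame whose VLAN does not match the port it arrived on is dropped. The frame bytes, MAC addresses, and VLAN numbers (10 for IT, 20 for finance) are constructed for illustration.

```python
"""Decode an 802.1Q-tagged Ethernet frame and forward it within its VLAN.
Added example, not from the book; port-to-VLAN mapping follows Figure 19
(ports 1-4 = IT, ports 20-24 = finance) with assumed VLAN IDs 10 and 20."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag follows

# access-port membership: port number -> VLAN ID (constructed)
PORT_VLAN = {**{p: 10 for p in range(1, 5)}, **{p: 20 for p in range(20, 25)}}

def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan_id, ethertype, payload).
    vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vlan_id, offset = None, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF      # low 12 bits; top 3 = priority, bit 12 = DEI
        offset = 18
    return dst.hex(":"), src.hex(":"), vlan_id, etype, frame[offset:]

def forward(frame: bytes, ingress_port: int):
    """Return the list of egress ports for a flood within the ingress port's
    VLAN. A tagged frame must carry that VLAN's ID, otherwise it is dropped
    (empty list), which is what keeps IT and finance traffic apart."""
    _, _, tag, _, _ = parse_frame(frame)
    vlan = PORT_VLAN.get(ingress_port)
    if vlan is None or (tag is not None and tag != vlan):
        return []
    return [p for p, v in PORT_VLAN.items() if v == vlan and p != ingress_port]

def build_frame(dst, src, vlan_id, ethertype, payload):
    """Construct a frame for testing; vlan_id=None builds an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)   # priority 0, DEI 0
    return hdr + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    it_frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 10, 0x0800, b"\x45\x00")
    print(parse_frame(it_frame)[:4])
    print("from port 1  ->", forward(it_frame, 1))    # [2, 3, 4]
    print("from port 20 ->", forward(it_frame, 20))   # []  VLAN 10 tag on a finance port
```

Note the last case: a frame claiming VLAN 10 that arrives on a finance port is discarded rather than delivered to IT. Real switches go further and strip or reject tags on access ports altogether, which is the defence against VLAN hopping by tag injection.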

 

 

Security device/technology placement

 

It is important for a security or network administrator to understand the functionality that each device provides and where best to place them to ensure that your network is safe. Figure 20 shows the placement of each device:

Figure 20: Security device placement

If we look at Figure 20, the first thing you will notice is that the three network zones that have been established are the LAN, DMZ, and WAN. These networks are divided by two firewalls that are in a back-to-back configuration so that if traffic manages to get through the first firewall, we hope that the next firewall stops it. As resources, such as our website, are in the DMZ, the external firewall may have one or two ports open that the internal firewall between the DMZ and LAN does not.

 

 

DMZ device placement

 

Between the WAN and DMZ there is a network firewall. The purpose of this firewall is to prevent unauthorized access to the network. Directly behind the external firewall is an SSL/TLS decryptor that decrypts the incoming traffic so that the other security devices can examine it.

The next stage is that the decrypted traffic passes through an inline NIPS. Because it is inline, all traffic must pass through it, and it can drop whatever it identifies as malicious. The NIPS is an additional layer of security and should be placed close to the external firewall.

Behind the NIPS is a NIDS in passive mode: traffic does not travel through it, but it watches the network for changes in traffic patterns. The NIDS in the DMZ also has sensors/collectors placed in the DMZ to alert it to changes in traffic patterns.

 

 

LAN device placement

 

The firewall dividing the DMZ and the LAN will be a stateful firewall that can block DDoS attempts (for example, by limiting half-open connections) and, being application-aware, knows the acceptable commands for each application protocol it inspects. Directly behind the firewall will be another inline NIPS examining the traffic as it comes into the LAN. Another NIDS and a set of sensors/collectors are placed in the LAN.

The internal switch connects all of the internal devices; it will be a managed switch using 802.1X so that it authenticates every device connecting to the network and blocks unauthorized devices and rogue wireless access points from connecting. The switch will have a flood guard (port security) configured to prevent DDoS and MAC flooding attacks. The switch may have a port mirror configured on one of its ports so that a copy of the traffic is sent to a sensor, or to a capture device where it is stored for later investigation. Should the sensor identify anything abnormal, it will notify the NIDS in the LAN. A network tap, a separate inline device, provides the same copy of the traffic without involving the switch.
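The flood guard on the switch is worth seeing in action, because MAC flooding is the attack that turns a switch back into a hub: a tool sends frames from thousands of forged source addresses until the switch's CAM table is full, after which the switch floods unicast traffic out of every port and the attacker can sniff it. The following is an added example (not code from the book) of port security, the per-port limit on learned source MAC addresses that defeats this; the limit, port numbers, and MAC addresses are constructed.

```python
"""Per-port MAC learning with a flood guard (port security) limit.
Added example, not from the book. Once a port has learned `max_macs`
addresses, a frame from any further address is a violation: the port is
err-disabled and everything on it, attacker included, is dropped."""
import random

class SwitchPort:
    def __init__(self, port_id, max_macs=3):
        self.port_id = port_id
        self.max_macs = max_macs      # constructed limit; real defaults are often 1
        self.learned = set()          # this port's slice of the CAM table
        self.err_disabled = False
        self.dropped = 0

    def learn(self, src_mac):
        """Process the source address of an arriving frame.
        Returns True if the frame is accepted, False if it is dropped."""
        if self.err_disabled:
            self.dropped += 1
            return False
        if src_mac in self.learned:
            return True
        if len(self.learned) >= self.max_macs:
            self.err_disabled = True  # violation action 'shutdown'
            self.dropped += 1
            return False
        self.learned.add(src_mac)
        return True

def mac_flood(port, count, seed=1):
    """Simulate a MAC flooding tool against one port: `count` frames, each
    with a random forged source MAC. Returns how many frames got through."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(count):
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        accepted += port.learn(mac)
    return accepted

if __name__ == "__main__":
    p = SwitchPort(12)
    print("frames accepted before shutdown:", mac_flood(p, 10000))  # 3
    print("port err-disabled:", p.err_disabled, "dropped:", p.dropped)
```

Without the limit the same loop would add ten thousand entries to the CAM table. The trade-off is operational: a legitimate host that changes its MAC, or a hub plugged into the port, trips the same guard, so the violation action and limit need to match what the port is meant to carry.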

 

 

Aggregation switches

 

Depending on the number of users that reside in your LAN, you may need several switches to be operating, and these switches need to move traffic between each other. Therefore, rather than having a daisy chain, which would take more time to move the traffic around, we install an aggregation switch. The aggregation switch connects multiple switches in a mode called link aggregation:

Figure 21: Aggregation switch

Link aggregation is a way of joining Ethernet links together so they act like a single, logical link. If you connect all of the switches together, you can balance the traffic among these links to improve performance. An important reason for using link aggregation is to provide fast and transparent recovery in case one of the individual links fails.

 

 

Implementing secure protocols

 

A protocol is the set of rules that applications follow to exchange data, whether the application is running commands on remote systems, sending and receiving email, or downloading files from the internet. Each application listens on a well-known port number for communication. Think of ports as TV channels: if we want to watch sport we go to the sports channel, and if we want news we go to the news channel. Applications are the same; if we want to send an email, we use a mail application, and each application has a distinct port number for communication.

Ports belong to one of two transport protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). The main difference between the two is that TCP is connection-oriented, setting up the connection with a three-way handshake and acknowledging what it receives, whereas UDP is connectionless: faster, but with no guarantee of delivery. See Figure 22 for the three-way handshake:

Figure 22: Three-way handshake

In a three-way handshake, the first segment sent is a SYN, in which the sending host announces its initial sequence number. The receiving host replies with a SYN-ACK, announcing its own initial sequence number and acknowledging the sender's (the acknowledgement number is the sender's sequence number plus one). The final ACK acknowledges the receiver's sequence number in the same way, and then data is sent. The data is sent in segments, and the receiver acknowledges what it has received so that the sender knows to send more and retransmits anything left unacknowledged. Once all of the data has been sent, the session is closed with an exchange of FIN and ACK segments from each side.

In a UDP session, the application is responsible for ensuring that everything is received, and because a three-way handshake is not used, the connection is faster but less reliable. You would use UDP for streaming video, where speed is paramount.
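The sequence and acknowledgement numbers are easier to follow in code than in prose. The following is an added example (not code from the book) that models both ends of the handshake described above as small state machines and carries the numbers through SYN, SYN-ACK, and ACK; the initial sequence numbers 1000 and 5000 are constructed, where a real stack picks them unpredictably.

```python
"""TCP three-way handshake as two tiny state machines.
Added example, not from the book. Initial sequence numbers (ISNs) are
constructed; real stacks randomise them so that an off-path attacker
cannot guess the values needed to forge the third segment."""
from dataclasses import dataclass, field

@dataclass
class Segment:
    flags: set
    seq: int
    ack: int = 0

@dataclass
class Endpoint:
    name: str
    isn: int
    state: str = "CLOSED"
    snd_nxt: int = 0          # next sequence number we will send
    rcv_nxt: int = 0          # next sequence number we expect from the peer
    log: list = field(default_factory=list)

    def listen(self):
        self.state = "LISTEN"

    def connect(self):
        """Step 1: send SYN carrying our ISN. The SYN itself consumes one
        sequence number, so the next byte we send will be isn + 1."""
        self.state, self.snd_nxt = "SYN-SENT", self.isn + 1
        return Segment({"SYN"}, seq=self.isn)

    def receive(self, seg):
        """Consume one segment; return the reply segment or None."""
        self.log.append((self.state, sorted(seg.flags), seg.seq, seg.ack))
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: SYN-ACK with our ISN, acknowledging the peer's SYN
            self.rcv_nxt = seg.seq + 1
            self.state, self.snd_nxt = "SYN-RECEIVED", self.isn + 1
            return Segment({"SYN", "ACK"}, seq=self.isn, ack=self.rcv_nxt)
        if self.state == "SYN-SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ack {seg.ack}, expected {self.snd_nxt}")
            # Step 3: ACK the peer's SYN; we are now established
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment({"ACK"}, seq=self.snd_nxt, ack=self.rcv_nxt)
        if self.state == "SYN-RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ack {seg.ack}, expected {self.snd_nxt}")
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"{self.name}: unexpected {sorted(seg.flags)} in {self.state}")

def handshake(client_isn=1000, server_isn=5000):
    """Run the full exchange; returns both endpoints and the three segments."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    syn = client.connect()             # 1. SYN      seq=1000
    syn_ack = server.receive(syn)      # 2. SYN-ACK  seq=5000 ack=1001
    ack = client.receive(syn_ack)      # 3. ACK      seq=1001 ack=5001
    server.receive(ack)
    return client, server, (syn, syn_ack, ack)

if __name__ == "__main__":
    c, s, segs in (handshake(),) and None
    c, s, segs = handshake()
    for seg in segs:
        print(sorted(seg.flags), "seq", seg.seq, "ack", seg.ack)
    print(c.state, s.state)
```

Between steps 2 and 3 the server sits in SYN-RECEIVED holding state for a connection the client may never complete. That is the resource a SYN flood exhausts by sending step 1 thousands of times and never answering, and it is why the DDoS mitigators and flood guards discussed earlier count half-open connections.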

For the purpose of the Security+ examination, you will need to know when to choose the correct protocol and which port it uses. A list of common protocols is listed here with their uses afterwards.

The table lists each protocol with its transport (TCP, UDP, or both) and port number. Most of these run over TCP; the ones that use UDP are marked as such.

Exam tip: Knowing why we use each protocol is more important than knowing the port numbers. There will be a review at the end of the book testing port numbers.

Protocol                                      Transport  Port       Use
--------------------------------------------  ---------  ---------  -----------------------------------------------------------------
File Transfer Protocol (FTP)                  TCP        21 (20)    File transfer; 21 is the control channel, 20 the data channel in active mode (passive mode negotiates a high port)
Secure Shell (SSH)                            TCP        22         Run remote commands securely
Secure Copy Protocol (SCP)                    TCP        22         Secure copy over SSH to UNIX/Linux hosts
SSH File Transfer Protocol (SFTP)             TCP        22         Secure file transfer over SSH
Telnet                                        TCP        23         Run remote commands, unencrypted (insecure)
Simple Mail Transfer Protocol (SMTP)          TCP        25         Transport mail between mail servers
Domain Name System (DNS)                      UDP        53         Hostname resolution: name queries
                                              TCP        53         Zone transfers and responses too large for UDP
Dynamic Host Configuration Protocol (DHCP)    UDP        67/68      Automatic IP address allocation (67 server, 68 client)
Trivial File Transfer Protocol (TFTP)         UDP        69         File transfer using UDP, no authentication
Hypertext Transfer Protocol (HTTP)            TCP        80         Web browser, unencrypted
Kerberos                                      TCP/UDP    88         Ticket-based authentication (used by Microsoft Active Directory)
Post Office Protocol 3 (POP3)                 TCP        110        Pull mail from the mail server; by default no copy is left on the server
NetBIOS                                       UDP        137/138    NetBIOS name service (137) and datagram service (138)
                                              TCP        139        NetBIOS session service
Internet Message Access Protocol (IMAP4)      TCP        143        Pull mail from the mail server; a copy stays on the server
Simple Network Management Protocol (SNMP)     UDP        161        Manager queries and configures network devices (get/set)
SNMP traps                                    UDP        162        Devices notify the manager of events
SNMP version 3 (SNMPv3)                       UDP        161/162    Same ports as SNMP; adds authentication and encryption
Lightweight Directory Access Protocol (LDAP)  TCP        389        Query and update X.500-style directory objects, such as Active Directory
LDAP Secure (LDAPS)                           TCP        636        LDAP over TLS, where the session is encrypted
Secure IMAP4 (IMAPS)                          TCP        993        IMAP4 over TLS
Secure POP3 (POP3S)                           TCP        995        POP3 over TLS
File Transfer Protocol Secure (FTPS)          TCP        989/990    FTP over TLS in implicit mode (data/control); secure download of large files
Remote Desktop Protocol (RDP)                 TCP        3389       Microsoft remote desktop access
Session Initiation Protocol (SIP)             TCP/UDP    5060       Sets up internet-based calls, unencrypted signalling
SIP over TLS (SIPS)                           TCP        5061       Secure call signalling
Secure Real-time Transport Protocol (SRTP)    UDP        dynamic    Secure voice and video media; the RTP ports are negotiated by SIP, not fixed

 

 

Use case

 

A use case describes how something is used to achieve a goal, usually as a sequence of steps involving several parties. An example would be placing an order by telephone: customer services take your order, the finance department processes the payment, production makes the product, and dispatch mails it to you. In the following examples, we look at use cases for different protocols, that is, which protocol to choose for a given job.

 

 

File transfer – use case

 

Transferring files is a common function. When we purchase an e-book, it is immediately available to download onto our Kindle. There are four different protocols that we can use for file transfers:

Exam Tip:
SSH is a secure method of running a command on a router.

 

 

Remote access – use case

 

There are various ways of obtaining remote access, we are going to look at each in turn, and decide when we would choose to use them:

 

 

Email – use case

 

There are different types of email client: some are web-based and some use a MAPI client, such as Outlook, on the desktop. Let's look at each of them and understand when we would use them:

An easy way to remember the port number for IMAP4 is to pretend the first letter of IMAP is the number 1. Then take the last figure, which is 4, for the second digit, and then take 1 from 4 to get 3 for your third digit, giving you 143, the actual port number.

 

 

Name resolution – use case

 

There are two types of name resolution: hostname resolution, which is the most common, and NetBIOS, a legacy Microsoft method that is very rarely needed today.

 

 

Hostname

 

The most common form of name resolution is hostname resolution, which uses the Domain Name System (DNS), a distributed database of hostnames to IP addresses, together with a local flat file called the hosts file, which is consulted before any DNS query is sent:

Example: A user would like to visit the website of http://ianneil501.com; to get there, they would enter www.ianneil501.com in their web browser as per Figure 23. The hostname resolution follows a strict process:

Figure 23: Hostname resolution

In Figure 23, the hostname resolution follows a strict order and takes the first entry it finds for that hostname, whether it is right or wrong; this is a pitfall of the process, because a poisoned hosts file or cache entry is trusted without any further check. Let's look at this process, starting with the DNS cache:
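The "first entry wins" pitfall is best seen by running the lookup order. The following is an added example (not code from the book): a resolver that consults the hosts file, then its cache, then a DNS query, with a constructed hosts file in which malware has added an entry for www.ianneil501.com. The hosts file content, cache behaviour, and DNS answers (documentation-range addresses) are all constructed; on Windows the hosts file is preloaded into the resolver cache, so the first two steps are effectively one.

```python
"""Hostname resolution order: hosts file -> cache -> DNS query.
Added example, not from the book. The hosts file, DNS answers and
addresses are constructed; the order models the process in Figure 23."""
import re

HOSTS_FILE = """\
# constructed hosts file with a malicious entry added by malware
127.0.0.1       localhost
203.0.113.66    www.ianneil501.com
"""

# stand-in for answers from the DNS server (constructed, documentation ranges)
DNS_ANSWERS = {"www.ianneil501.com": "198.51.100.20", "example.org": "198.51.100.21"}

def parse_hosts(text):
    """Parse hosts-file lines 'ip name [alias...]'; comments are stripped.
    If a name appears twice, the first entry wins, as on a real resolver."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for n in names:
            table.setdefault(n.lower(), ip)
    return table

class Resolver:
    def __init__(self, hosts_text=HOSTS_FILE, dns=DNS_ANSWERS):
        self.hosts = parse_hosts(hosts_text)
        self.dns = dns
        self.cache = {}

    def resolve(self, name):
        """Return (ip, source) where source says which step answered.
        Nothing downstream re-checks an answer from an earlier step."""
        name = name.lower()
        if name in self.hosts:
            return self.hosts[name], "hosts"
        if name in self.cache:
            return self.cache[name], "cache"
        ip = self.dns.get(name)
        if ip is None:
            return None, "nxdomain"
        self.cache[name] = ip            # cached for later lookups
        return ip, "dns"

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.ianneil501.com"))   # ('203.0.113.66', 'hosts'): hijacked
    print(r.resolve("example.org"))          # ('198.51.100.21', 'dns')
    print(r.resolve("example.org"))          # ('198.51.100.21', 'cache')
```

The user who types www.ianneil501.com is sent to 203.0.113.66, not to the real server, and DNS is never consulted. This is why the hosts file is a common target for malware, why it should be write-protected and monitored, and why DNSSEC (next) protects only the DNS step of this chain.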

 

 

DNSSEC

 

To prevent someone poisoning DNS records, DNSSEC was introduced to protect DNS data. Each DNS record set is digitally signed by the zone owner, and the signature is published alongside it in an RRSIG record; a validating resolver checks the signature against the zone's public key (its DNSKEY record) before trusting the answer, so a forged or altered record fails validation. DNSSEC provides authenticity and integrity, not confidentiality: the queries and answers are still sent in the clear.

Exam tip:
DNSSEC produces an RRSIG record for each signed record set.

 

 

NETBIOS

 

NetBIOS is a Microsoft legacy naming convention with a flat namespace: names are a maximum of 15 characters, plus a sixteenth byte that identifies the service (workstation, server, messenger, and so on). Each computer therefore registers several entries, one per service, in the WINS database, and static name mappings can also be held in a flat file called LMHOSTS.

The entry for PC1 as a WINS database would be:

 

 

Web – use case

 

The majority of people use the internet to make purchases and research information, so it is important that we know what the protocols used when accessing websites are:

 

 

Voice and video – use case

 

In the past, when companies wanted meetings, such as a sales meeting, a date was set and the salespeople kept their schedule open, travelling to the location of the meeting the night before and booked themselves into a hotel. This was very costly and time-consuming; nowadays we use videoconferencing where everyone connects to the meeting, does not have to travel, and can free their schedule, making them more productive. In the Security+ exam, we need to be able to understand which protocols are used. There are three main protocols and these are:

Exam tip:
Voice traffic should be placed in its own VLAN to ensure reliability.