2.1 Install and configure network components, both hardware and software-based, to support organizational security. Flashcards
Firewall - ACL
In general, an access control list (ACL) is a table or data file that specifies whether a user or group has access to a specific resource on a computer or network.
Specifically for a firewall, its access control list (ACL) determines what is allowed in (in terms of traffic, data, applications, or whatever other criteria you want to use) and what is kept out. Rules are evaluated top down, and anything that matches no rule falls through to the implicit deny at the end of the list.
Firewall - Application-based vs. Network-based
Application-based (Host-based)
A host-based firewall monitors traffic going in and out of a single host, such as a server or a workstation. It monitors traffic passing through the NIC and can prevent intrusions into the computer via the NIC. Many operating systems include software-based firewalls used as host-based firewalls. For example, Microsoft has included a host-based firewall on operating systems since Windows XP. Additionally, many third-party host-based firewalls are available.
Network-based
A network-based firewall is usually a dedicated system with additional software installed to monitor, filter, and log traffic. For example, Cisco makes a variety of different network-based firewalls. Many of them are dedicated servers with proprietary firewall software installed. A network-based firewall would have two or more network interface cards (NICs) and all traffic passes through the firewall. The firewall controls traffic going in and out of a network. It does this by filtering traffic based on firewall rules and allows only authorized traffic to pass through it. Most organizations include at least one network-based firewall at the border, between their intranet (or internal network) and the Internet.
Firewall - Stateful vs. Stateless
Stateless
A packet-filtering firewall, also known as a stateless firewall, can block or allow traffic (known as filtering traffic) based on the source or destination IP address and the source or destination port number. Each packet is judged on its own header; the firewall keeps no memory of earlier packets.
When configuring the packet-filtering firewall, you specify rules that control what type of traffic is allowed to pass through the firewall and what traffic is to be blocked. With packet-filtering firewalls, the rules can filter traffic based on source address, destination address, protocol, and source and destination port address.
Stateful
Packet-filtering firewalls look like a great type of firewall at first, but they are not all that intelligent, because it is easy for an attacker to craft a packet whose header satisfies the firewall's rules.
For example, if you open port 80 on a packet-filtering firewall, any packet destined for port 80 is passed through, whether or not it belongs to a real connection. Like packet-filtering firewalls, a stateful packet inspection firewall can filter traffic based on the source and destination IP address or port number, but it also looks at the context of the conversation and determines whether the packet is supposed to be received at that point in the conversation. If the firewall receives a packet in the correct context of the conversation and the packet matches one of the rules, it allows the packet into the network.
Stateful packet inspection firewalls use rules to filter traffic as well, but they also keep a state table of the connections they have seen and so know the context of the conversation.
An example of a stateful packet inspection firewall knowing about the context of a conversation: if an attacker sends malicious commands to a host behind the firewall with a destination port of 80 but has not performed a three-way handshake first, the firewall says, "Nope, sorry, you are not allowed in because I don't see that we have established a connection."
Stateful packet inspection firewalls know that before TCP communication can occur, there needs to be a three-way handshake.
Firewall - Implicit Deny
Any service not specifically allowed is implicitly denied
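The following is an added worked example (not code from the original flashcards or from any firewall vendor) that models the stateless-versus-stateful distinction and the implicit deny. It assumes a constructed policy that exposes only TCP/80; the packets, addresses and the simplified TCP state machine are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed policy: the only service exposed to the outside is TCP/80.
ALLOWED_INBOUND_PORTS = {80}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "PA" PSH-ACK


def stateless_filter(pkt: Packet) -> str:
    """Packet-filtering (stateless) firewall: decides on each packet's header alone.

    Rule 1: allow anything destined for an allowed port.
    Rule 2: allow anything *from* an allowed port, so the web server's replies
            can get back out. This is the hole: any packet with source port 80
            matches, whether or not anybody asked for it.
    Anything else hits the implicit deny.
    """
    if pkt.dport in ALLOWED_INBOUND_PORTS:
        return "allow"
    if pkt.sport in ALLOWED_INBOUND_PORTS:
        return "allow"
    return "deny"  # implicit deny: nothing matched


class StatefulFirewall:
    """Stateful packet inspection: keeps a connection table keyed by the TCP 4-tuple
    and only accepts packets that fit the current state of that connection."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.table = {}  # (client, cport, server, sport) -> SYN_SENT | SYN_RECV | ESTABLISHED

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.table.get(key)
        if state is None:
            # Only a fresh SYN to an allowed port may open a new entry.
            if pkt.flags == "S" and pkt.dport in self.allowed:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "deny"  # no connection and not a SYN: out of context, or implicit deny
        if state == "SYN_RECV" and "A" in pkt.flags:
            self.table[key] = "ESTABLISHED"  # the client's ACK completes the handshake
            return "allow"
        if state == "ESTABLISHED":
            return "allow"
        return "deny"

    def outbound(self, pkt: Packet) -> str:
        # Server replies are looked up with the tuple reversed.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.table[key] = "SYN_RECV"
            return "allow"
        if state == "ESTABLISHED":
            return "allow"
        return "deny"  # no matching connection: nobody asked the server


def handshake_then_data(fw: StatefulFirewall, client: str, server: str) -> list:
    """Drive one legitimate connection through the stateful firewall; return the verdicts."""
    syn = Packet(client, 51000, server, 80, "S")
    synack = Packet(server, 80, client, 51000, "SA")
    ack = Packet(client, 51000, server, 80, "A")
    data = Packet(client, 51000, server, 80, "PA")
    return [fw.inbound(syn), fw.outbound(synack), fw.inbound(ack), fw.inbound(data)]
```

Run `stateless_filter` and `StatefulFirewall({80}).inbound` against a bare ACK to port 80, or against a SYN whose source port is 80, to see the difference: the stateless filter allows both, the stateful one drops both because neither fits a tracked connection. A SYN to port 23 is dropped by both, which is the implicit deny at work.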
Firewall
A firewall filters incoming and outgoing traffic for a single host or between networks. In other words, a firewall can ensure only specific types of traffic are allowed into a network or host, and only specific types of traffic are allowed out of a network or host.
VPN Concentrator
A VPN concentrator allows you to centralize your virtual private network (VPN) access by having all employees VPN into the network through the VPN concentrator, where you configure the authentication and encryption protocols. The VPN concentrator also supports high availability so that it is always available to answer VPN requests from clients.
VPN Concentrator - Remote Access vs. Site-to-site
Remote Access
When implementing your VPN solution, you can configure the VPN concentrator to allow individual clients (remote users) to connect to the network from anywhere; each client establishes its own VPN connection to the concentrator.
Site-to-site
Alternatively, you could implement a site-to-site VPN, where a VPN concentrator (gateway) at each site connects to the concentrator at the other site, allowing entire offices to communicate over a secure connection. In this scenario, the client computers do not need to establish the VPN connection themselves like they would in a remote access scenario; the gateways maintain it for them.
VPN Concentrator - IPSec
Internet Protocol security (IPsec) is a suite of protocols for encrypting and authenticating data in transit, and is the most common way to secure VPN traffic.
AH and ESP are identified by IP protocol numbers (AH is protocol 51, ESP is protocol 50), not by port numbers. The term protocol number might look like a typo, but it isn't: these values are carried in the Protocol field of the IP header, and neither AH nor ESP has a port.
A basic packet-filtering firewall can filter packets based on IP addresses, ports, and some protocols, such as Internet Control Message Protocol (ICMP) and IPsec. Packet filters use the protocol numbers to identify AH and ESP traffic.
IPsec uses Internet Key Exchange (IKE) over UDP port 500 to authenticate the peers in the IPsec conversation and negotiate keys. IKE creates security associations (SAs) for the VPN and uses these to set up a secure channel between the client and the VPN server. When a peer sits behind a NAT device, IKE and ESP are additionally encapsulated in UDP on port 4500 (NAT traversal, NAT-T).
In short, IPsec is a secure encryption protocol used with VPNs. Encapsulating Security Payload (ESP) provides confidentiality, integrity, and authentication for VPN traffic. IPsec uses Tunnel mode for VPN traffic and can be identified with protocol ID 50 for ESP. It uses IKE over port 500. A full tunnel encrypts all traffic after a user has connected to a VPN. A split tunnel only encrypts traffic destined for the VPN’s private network.
VPN Concentrator - IPSec - Tunnel Mode
Tunnel mode encrypts the entire IP packet used in the internal network and is the mode used with VPNs transmitted over the Internet. The benefit is that the IP addressing used within the internal network is encrypted and not visible to anyone who intercepts the traffic. If someone does intercept the traffic, he can see the source IP address from the client and the destination address to the VPN server, but the internal IP address information remains hidden.
VPN Concentrator - IPSec - Transport Mode
Transport mode only encrypts the payload and is commonly used in private networks, but not with VPNs. If traffic is transmitted and used only within a private network, there isn’t any need to hide the IP addresses by encrypting them.
VPN Concentrator - IPSec - AH
Note (mnemonic): 2 of 3 - I and A (integrity and authentication, but no confidentiality)
IPsec includes an Authentication Header (AH) that lets each host in the IPsec conversation verify that every packet came from the other peer and was not modified in transit. AH provides authentication and integrity but no confidentiality: the payload is sent in the clear. Because AH's integrity check also covers the IP addresses in the header, AH does not survive NAT, which rewrites those addresses. AH uses protocol number 51.
VPN Concentrator - IPSec - ESP
Note (mnemonic): 3 of 3 - C, I and A (confidentiality, integrity, and authentication)
IPsec includes Encapsulating Security Payload (ESP) to encrypt the data and provide confidentiality. ESP also carries its own integrity check value, so it provides confidentiality, authentication, and integrity on its own; it does not depend on AH, and in practice most VPNs use ESP alone. ESP uses protocol number 50.
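The following is an added, simplified model (not IPsec code from the flashcards or from any IPsec implementation) of what the AH and ESP integrity checks cover, and why that matters behind NAT. It uses HMAC-SHA256 as the integrity algorithm, a constructed shared key in place of keys negotiated by IKE, ESP with NULL encryption (a real mode, RFC 2410) so the integrity part stands alone, and untruncated 32-byte check values; real AH/ESP header layouts and the truncated ICVs are omitted.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

# Constructed shared key; real IPsec keys come from IKE, never a constant.
KEY = b"constructed-demo-key-do-not-reuse"
ICV_LEN = hashlib.sha256().digest_size  # 32 bytes here; real IPsec truncates (RFC 4868)

PROTO_ESP = 50
PROTO_AH = 51


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    ttl: int
    proto: int   # IP protocol number of what follows the IP header
    body: bytes  # AH or ESP header plus payload


def _addr(a: str) -> bytes:
    return ipaddress.ip_address(a).packed


def _icv(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def ah_protect(src, dst, payload, key=KEY) -> IPPacket:
    """AH: the ICV covers the IP header's immutable fields (modelled here as the
    two addresses) plus the payload. TTL changes in transit, so AH treats it as
    zero; this model simply leaves it out. The payload stays in the clear."""
    icv = _icv(_addr(src) + _addr(dst) + payload, key)
    return IPPacket(src, dst, 64, PROTO_AH, icv + payload)


def ah_verify(pkt: IPPacket, key=KEY) -> bool:
    icv, payload = pkt.body[:ICV_LEN], pkt.body[ICV_LEN:]
    expected = _icv(_addr(pkt.src) + _addr(pkt.dst) + payload, key)
    return hmac.compare_digest(icv, expected)


def esp_protect(src, dst, payload, spi=0x1000, seq=1, key=KEY) -> IPPacket:
    """ESP (NULL encryption): the ICV covers the ESP header (SPI and sequence
    number) and the payload, and nothing from the IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = _icv(esp_hdr + payload, key)
    return IPPacket(src, dst, 64, PROTO_ESP, esp_hdr + payload + icv)


def esp_verify(pkt: IPPacket, key=KEY) -> bool:
    esp_hdr, payload, icv = pkt.body[:8], pkt.body[8:-ICV_LEN], pkt.body[-ICV_LEN:]
    return hmac.compare_digest(icv, _icv(esp_hdr + payload, key))


def source_nat(pkt: IPPacket, public_ip: str) -> IPPacket:
    """What a home router does on the way out: rewrite the source address, decrement TTL."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def tamper_payload(pkt: IPPacket) -> IPPacket:
    """An on-path attacker flips one bit of the first payload byte."""
    start = ICV_LEN if pkt.proto == PROTO_AH else 8
    b = bytearray(pkt.body)
    b[start] ^= 0x01
    return replace(pkt, body=bytes(b))
```

Passing an AH-protected packet through `source_nat` makes `ah_verify` fail, because the source address it was computed over has changed; the same NAT leaves `esp_verify` unaffected. Tampering with the payload breaks both, which is the integrity property the mnemonics above refer to. ESP surviving NAT is necessary but not sufficient: a NAT device still has no port numbers to track protocol 50 by, which is why NAT-T wraps ESP in UDP 4500.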
VPN Concentrator - Split Tunnel vs. Full Tunnel
Imagine that Lisa connects to a company VPN server using IPsec from her home computer. The VPN is using ESP so all traffic in the tunnel is encrypted. Now, Lisa wants to do an Internet search on saxophones. Will her computer connect directly to the Internet for her search? Or will her computer make a connection through the VPN server first? It depends on how the VPN is configured.
Split Tunnel
In a split tunnel, a VPN administrator determines what traffic should use the encrypted tunnel. For example, it’s possible to configure the tunnel to only encrypt traffic going to private IP addresses used within the private network. If Lisa did an Internet search with the VPN server configured in a split tunnel configuration, her Internet search traffic will not go through the encrypted tunnel. Instead, her search will go directly to Internet sites via her ISP.
Full Tunnel
In a full tunnel, all traffic goes through the encrypted tunnel while the user is connected to the VPN. If Lisa was connected to the VPN and then tried to connect to a public web site, the traffic would first go through the encrypted tunnel and then out to the public web site from within the private network. If the private network routed Internet traffic through a unified threat management (UTM) device, Lisa’s traffic would go through the UTM device. The web site would send web pages back to the UTM device and the VPN server would encrypt it and send it back to Lisa via the encrypted tunnel.
As a reminder, a UTM device can perform URL filtering, malware inspection, and content inspection of all traffic sent through it. This is one of the reasons why an organization may choose to use a full tunnel for users connected to a VPN server. A disadvantage is that it can be slow. Not only is the Internet traffic taking an indirect route through the VPN server, but it’s also being encrypted and decrypted a couple of times.
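Whether a given destination goes through the tunnel is, on the client, a routing-table decision. The following is an added example (not from the flashcards or from any VPN product) that builds the client's routes for a split or full tunnel and resolves a destination the way the client's kernel does, by longest-prefix match. Interface names `tun0`/`eth0` and the corporate prefixes are assumptions; the local-LAN route illustrates a common caveat of full tunnels.

```python
import ipaddress


def client_routes(mode: str, corporate_prefixes, local_lan=None):
    """Build the VPN client's routing table as a list of (network, interface).

    split: only the corporate prefixes go via tun0; everything else leaves on
           the physical interface (eth0), straight to the ISP.
    full:  a default route via tun0 sends everything through the VPN.
    local_lan, if given, is the connected route the host already had; being
    more specific than 0.0.0.0/0 it still wins under a full tunnel unless the
    client explicitly blocks local access."""
    if mode not in ("split", "full"):
        raise ValueError("mode must be 'split' or 'full'")
    routes = [(ipaddress.ip_network(p), "tun0") for p in corporate_prefixes]
    if local_lan:
        routes.append((ipaddress.ip_network(local_lan), "eth0"))
    default_iface = "tun0" if mode == "full" else "eth0"
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_iface))
    return routes


def egress(routes, dst: str) -> str:
    """Longest-prefix match: the most specific matching route decides the interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    return max(matches)[1]


def inspected_by_corporate_utm(routes, dst: str) -> bool:
    """Traffic only passes the company's UTM if it leaves the client via the tunnel."""
    return egress(routes, dst) == "tun0"
```

With a split tunnel, an Internet destination resolves to `eth0` and never sees the UTM; with a full tunnel it resolves to `tun0`. The local-LAN route shows that "full" does not mean "everything": a connected 192.168.0.0/24 route is more specific than the default and keeps local traffic off the tunnel.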
VPN Concentrator - TLS
Some tunneling protocols use Transport Layer Security (TLS) to secure the VPN channel. As an example, Secure Socket Tunneling Protocol (SSTP) encrypts VPN traffic using TLS over port 443. Using port 443 provides a lot of flexibility for many administrators and rarely requires opening additional firewall ports. It is a useful alternative when the VPN tunnel must go through a device using NAT, and IPsec is not feasible. OpenVPN and OpenConnect are two open source applications that can use TLS to create a secure channel. While this can also use Secure Sockets Layer (SSL), SSL has known weaknesses and TLS is the designated replacement.
VPN Concentrator - Always-on VPN
Some VPNs are always-on VPNs. They can be used with both site-to-site VPNs and remote access VPNs. When used with a site-to-site VPN, the two VPN gateways maintain the VPN connection. In contrast, some site-to-site VPNs use an on-demand connection. The VPN connection is only established when a user connects to a remote system.
Several vendors have always-on VPNs for remote access VPNs. They attempt to create the VPN connection as soon as the user’s device connects to the Internet. For a home user, this might be right after the user turns on a desktop PC or laptop computer.
When configured on mobile devices, such as cell phones, the device will connect to the always-on VPN anytime the device connects to an Internet connection. As an example, if a user visits a coffee shop that has free Internet access and the user connects to the network, the device will automatically connect to the always-on VPN.
NIPS/NIDS
Intrusion detection systems (IDSs) monitor a network and send alerts when they detect suspicious events on a system or network. Intrusion prevention systems (IPSs) react to attacks in progress and prevent them from reaching systems and networks.
NIDS
A network-based intrusion detection system (NIDS) monitors activity on the network. An administrator installs NIDS sensors or collectors on network devices such as routers and firewalls. These sensors gather information and report to a central monitoring server hosting a NIDS console. A NIDS is not able to detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic. Additionally, a NIDS is unable to decrypt encrypted traffic. In other words, it can only monitor and assess threats on the network from traffic sent in plaintext or nonencrypted traffic. Finally, the biggest disadvantage of a NIDS is that it is passive, meaning it only detects attacks; to protect against, or prevent, these attacks, you need something active: a NIPS.
NIPS
A network intrusion prevention system (NIPS) is designed to inspect traffic and, based on its configuration or security policy, either remove, detain, or redirect malicious traffic that it becomes aware of. The NIPS (as well as the NIDS) is considered to be an application-aware device, meaning it can distinguish different types of packets, determine what application they belong to, and ultimately permit or disallow that traffic on the network. More and more companies are offering NIPS solutions in addition to, or instead of, NIDS solutions. Examples of NIPS solutions include Check Point security appliances (https://www.checkpoint.com) and Snort, which is a NIDS/NIPS software package that, when used inline, should be installed on a dual-homed or multihomed server. Not only can a NIPS go above and beyond a NIDS by removing or redirecting malicious traffic, it can also redirect a recognized attacker to a single computer known as a padded cell, which contains no information of value and has no way out.
NIPS/NIDS - Signature-based
Overview:
Network traffic is analyzed for predetermined attack patterns. These attack patterns are known as signatures.
Detail:
Signature-based IDSs (also called definition based) use a database of known vulnerabilities or known attack patterns.
For example, tools are available for an attacker to launch a SYN flood attack on a server by simply entering the IP address of the system to attack. The attack tool then floods the target system with synchronizing (SYN) packets but never completes the three-way Transmission Control Protocol (TCP) handshake with the final acknowledge (ACK) packet. If the attack isn’t blocked, it can consume resources on a system and ultimately cause it to crash.
However, this is a known attack with a specific pattern of successive SYN packets from one IP to another IP. The IDS can detect these patterns when the signature database includes the attack definitions. The process is very similar to what antivirus software uses to detect malware. You need to update both IDS signatures and antivirus definitions from the vendor on a regular basis to protect against current threats.
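The following is an added example (not code from the flashcards, and not Snort's implementation) of the signature just described, run over constructed traffic: it counts SYNs from one source to one destination that are never followed by the client's ACK, and alerts when the number of such half-open connections inside a time window crosses a threshold. The window, threshold and traffic are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    ts: float     # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN from the client, "A" = the client's handshake-completing ACK


def detect_syn_flood(events, window=10.0, threshold=100):
    """Signature: >= threshold half-open connections from one source to one
    destination within `window` seconds. A connection is half-open when we saw
    its SYN but the ACK from the same 4-tuple never arrived. Returns at most one
    alert per (src, dst) per window."""
    half_open = {}                  # 4-tuple -> timestamp of its SYN
    per_pair = defaultdict(deque)   # (src, dst) -> timestamps of outstanding SYNs
    last_alert = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.sport, ev.dst, ev.dport)
        pair = (ev.src, ev.dst)
        if ev.flags == "S":
            half_open[key] = ev.ts
            per_pair[pair].append(ev.ts)
        elif "A" in ev.flags and key in half_open:
            # Handshake completed: this SYN no longer counts against the source.
            syn_ts = half_open.pop(key)
            try:
                per_pair[pair].remove(syn_ts)
            except ValueError:
                pass  # already aged out of the window
            continue
        else:
            continue
        # Expire SYNs older than the window, then test the signature.
        q = per_pair[pair]
        while q and q[0] < ev.ts - window:
            q.popleft()
        if len(q) >= threshold and ev.ts - last_alert.get(pair, -window) >= window:
            last_alert[pair] = ev.ts
            alerts.append({"src": ev.src, "dst": ev.dst, "half_open": len(q), "ts": ev.ts})
    return alerts


def sample_traffic():
    """Constructed traffic: a legitimate client completing five handshakes, and an
    attacker sending 150 SYNs in 1.5 seconds without ever answering the SYN-ACKs."""
    events = []
    for i in range(5):
        events.append(TcpEvent(1.0 + i, "192.0.2.10", 50000 + i, "10.0.0.5", 80, "S"))
        events.append(TcpEvent(1.2 + i, "192.0.2.10", 50000 + i, "10.0.0.5", 80, "A"))
    for i in range(150):
        events.append(TcpEvent(3.0 + i * 0.01, "198.51.100.7", 40000 + i, "10.0.0.5", 80, "S"))
    return events
```

Running `detect_syn_flood(sample_traffic())` produces exactly one alert, naming 198.51.100.7, and none for the legitimate client, whose SYNs are all cancelled by their ACKs. Note the limitation the flashcard's wording hides: a flood that randomizes its source address never accumulates a count for any single source, so a real sensor also keeps a per-destination half-open counter.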
NIPS/NIDS - Heuristic/Behavioral
Overview:
Looks at the previous behavior of applications, executables, and/or the operating system and compares that to current activity on the system. If an application later behaves improperly, the monitoring system will attempt to stop the behavior. Requires a baseline.
Detail:
A behavior-based monitoring system looks at the previous behavior of applications, executables, and/or the operating system and compares that to current activity on the system. If an application later behaves improperly, the monitoring system will attempt to stop the behavior. This has advantages compared to signature-based and anomaly-based monitoring in that it can to a certain extent help with future events, without having to be updated.
However, because there are so many types of applications, and so many types of relationships between applications, this type of monitoring could set off a high amount of false positives. Behavior monitoring should be configured carefully to avoid the system triggering alarms due to legitimate activity.
More Details:
Heuristic analysis is often used in combination with behavior-based monitoring as it relates to antivirus software and IDS/IPS solutions. A heuristic in computer science is an algorithm that consistently performs quickly, and provides good results based on a set of rules. Heuristic analysis is designed to detect malicious behavior without uniquely identifying it (as is done in a signature-based system). It can find previously unknown malicious behavior by comparing it to known and similar malicious behavior. Then it “guesses” whether something is malicious or not. This can lead to low accuracy and a high percentage of false positives.
NIPS/NIDS - Anomaly
Overview:
Establishes a performance baseline based on a set of normal network traffic evaluations. Requires a baseline.
Detail:
An anomaly-based monitoring system (also known as statistical anomaly-based) establishes a performance baseline based on a set of normal network traffic evaluations. These evaluations should be taken when the network and servers are under an average load during regular working hours. This monitoring method then compares current network traffic activity with the previously created baseline to detect whether it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered and sent to the administrator (as long as the system was configured properly). This type of monitoring is dependent on the accuracy of the baseline. An inaccurate baseline increases the likelihood of obtaining false indicators, such as false positives. Normally, false positives are when the system reads a legitimate event as an attack or other error. This can happen with an improperly configured IDS or IPS solution. If too many false indicator alerts are received by the security administrator, then the IDS/IPS should be reconfigured and baselines recollected, and/or those types of false alarms should be disabled.
NIPS/NIDS - Inline vs. Passive
Passive
A passive IDS monitors for suspicious activity, and when it detects activity it considers suspicious, it simply logs the activity to a log file and sends notification to the administrator. It is important to understand that a passive IDS does nothing to try to protect the network from further suspicious activity. Note that a passive IDS configured this way is typically connected to a monitoring port or a network tap to allow the IDS to receive all network traffic.
Inline
An inline IPS is an IPS that is placed in the pathway of the packets so that the packets pass through the IPS to reach the destination. The benefit of this is that the IPS can take action such as blocking the traffic if it is suspicious. Another consequence of an inline IPS is that if the IPS fails, no packets can make it through until the IPS is fixed (it fails closed). That is a security benefit but an availability risk, which is why many inline appliances offer a hardware bypass (fail-open) option; which behaviour you want on failure is a deliberate design decision.
With a passive IDS that is simply receiving a copy of all data and monitoring the data, if the IDS fails, the traffic still reaches the destination but isn’t inspected.
NIPS/NIDS - In-band vs. Out-of-band
In the IDS and IPS context, in-band refers to an IPS that is placed inline, which means that the traffic must pass through it to make it to the destination systems. This allows the IPS to not only monitor but block the traffic if it is suspicious.
Out-of-band refers to an IDS/IPS that simply monitors traffic that travels through the network by having a copy of the traffic sent to it. In this scenario, the IDS can only trigger alerts or send notification to the administrator of the suspicious traffic.
NIPS/NIDS - Rules
When configuring the IDS, you configure rules to indicate the type of traffic that is considered suspicious and what action to take when that traffic is detected.
NIPS/NIDS - Analytics
The analytics engine is the component of the IDS that does the analysis of the traffic collected. The analytics engine uses the rules you have configured on the IDS to determine what is considered suspicious traffic. The action in the rule tells the IDS how to respond to the suspicious traffic.
NIPS/NIDS - Analytics - False Positive
A false positive is when the IDS states there was suspicious activity (positive), but in reality, there was not (a false assumption). In simple terms, the IDS reports suspicious activity but none occurred.
NIPS/NIDS - Analytics - False Negative
A false negative is when the IDS does not see any suspicious activity, and again that was false—there really was some! In simple terms, the IDS fails to detect suspicious activity that actually occurred and thus doesn’t report it.
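The following is an added example (not code from the flashcards or from any IDS product) that ties the anomaly-based monitoring card to the false positive and false negative cards above. It learns a baseline from constructed per-minute packet counts, flags samples more than k standard deviations from the mean, and scores the verdicts against constructed ground truth at two sensitivities. The baseline, the observations and their labels are all constructed.

```python
import statistics


def build_baseline(samples):
    """Learn 'normal' from per-minute packet counts captured under average load.
    Returns (mean, population standard deviation)."""
    return statistics.mean(samples), statistics.pstdev(samples)


def is_anomalous(value, baseline, k=3.0) -> bool:
    """Flag a sample that lies more than k standard deviations from the baseline mean."""
    mean, sd = baseline
    return abs(value - mean) > k * sd


def confusion(verdicts, truth):
    """Score detector verdicts against ground truth (parallel lists of bools)."""
    tp = sum(1 for v, t in zip(verdicts, truth) if v and t)
    fp = sum(1 for v, t in zip(verdicts, truth) if v and not t)   # alerted, nothing there
    fn = sum(1 for v, t in zip(verdicts, truth) if not v and t)   # missed a real event
    tn = sum(1 for v, t in zip(verdicts, truth) if not v and not t)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "fpr": fp / (fp + tn) if fp + tn else 0.0,
            "fnr": fn / (fn + tp) if fn + tp else 0.0}


# Constructed baseline: 30 one-minute samples from regular working hours,
# alternating 970 and 1030 packets/minute (mean 1000, standard deviation 30).
BASELINE_SAMPLES = [970, 1030] * 15

# Constructed observations: (packets per minute, is_actually_malicious)
OBSERVATIONS = [
    (1010, False),  # ordinary minute
    (1065, False),  # busy but benign
    (700, False),   # after-hours lull: never in the baseline, so it looks abnormal
    (1080, True),   # low-rate scan hiding inside normal variation
    (5000, True),   # flood
]


def evaluate(k: float):
    """Run the detector at sensitivity k over the observations and score it."""
    baseline = build_baseline(BASELINE_SAMPLES)
    verdicts = [is_anomalous(v, baseline, k) for v, _ in OBSERVATIONS]
    return confusion(verdicts, [t for _, t in OBSERVATIONS])
```

At k=3 the flood is caught, the after-hours lull is a false positive (the baseline was only collected during business hours, exactly the inaccurate-baseline problem the card describes), and the low-rate scan is a false negative. Dropping to k=2 catches the scan but turns the busy-but-benign minute into a second false positive: tightening one error rate loosens the other, and the fix for the lull is to recollect the baseline across the whole day rather than to change k.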
Router
A router connects multiple network segments together into a single network and routes traffic between the segments. As an example, the Internet is effectively a single network hosting billions of computers.
Routers route the traffic from segment to segment. Because routers don’t pass broadcasts, they effectively reduce traffic on any single segment.
Segments separated by routers are sometimes referred to as broadcast domains. If a network has too many computers on a single segment, every host must receive and process every broadcast, which consumes bandwidth and processing time and reduces network performance. Moving computers to a different segment separated by a router can significantly improve overall performance.
Similarly, subnetting a network creates separate broadcast domains.
Router - ACLs
Access control lists (ACLs) are rules implemented on a router (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within an ACL provide rule-based management for the router and control inbound and outbound traffic.
Router ACLs provide basic packet filtering. They filter packets based on IP addresses, ports, and some protocols, such as ICMP or IPsec, matched by their protocol numbers. Like a stateless firewall, a router ACL judges each packet on its own and ends in an implicit deny.
Router - Antispoofing
Attackers often use spoofing to impersonate or masquerade as someone or something else. In the context of routers, an attacker will spoof the source IP address by replacing the actual source IP address with a different one.
This is often done to hide the actual source of the packet. You can implement antispoofing on a router by adding access list entries that block traffic whose source address could not legitimately have arrived on that interface. As an example, private IP addresses should only be used in private networks. Any traffic coming from the Internet using a private IP address as the source IP address is obviously an attempt to spoof the source IP address. The reverse check is equally useful: outbound packets whose source address is not in your own address space should be dropped, so your network cannot be used to launch spoofed attacks at others.
Switch
A switch can learn which computers are attached to each of its physical ports. It then uses this knowledge to create internal switched connections when two computers communicate with each other.
Switch - Port Security
Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.
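The following is an added example (not from the flashcards, and not any switch vendor's code) that models a port-security-enabled access port: it learns up to a configured number of source MACs, accepts statically configured ones, and on a violation either err-disables the port, drops and counts, or drops silently, mirroring the three violation modes switches commonly offer. The port names, MAC addresses and the flood helper are constructed.

```python
class SwitchPort:
    """Model of a switch access port with port security enabled.

    max_macs:  how many source MACs the port may learn before a violation.
    violation: what happens on a violation:
        'shutdown' - err-disable the port (everything is dropped until an admin re-enables it)
        'restrict' - drop frames from unknown MACs and count the violation
        'protect'  - drop frames from unknown MACs silently
    """

    def __init__(self, name, max_macs=1, violation="shutdown", static_macs=()):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(violation)
        self.name = name
        self.max_macs = max_macs
        self.violation = violation
        self.allowed = {m.lower() for m in static_macs}  # statically configured MACs
        self.err_disabled = False
        self.violations = 0

    def receive(self, src_mac: str) -> str:
        """Return what happened to a frame arriving with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.allowed:
            return "forwarded"
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)  # dynamically learned; 'sticky' would save it to config
            return "forwarded (learned)"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            return "dropped (port err-disabled)"
        return "dropped (violation)"

    def admin_recover(self):
        """An administrator clears the err-disabled state (shutdown / no shutdown)."""
        self.err_disabled = False


def mac_flood_attempt(port: SwitchPort, n: int) -> dict:
    """A CAM-table-flooding tool sends n frames, each with a different fake source MAC.
    Returns a count of verdicts."""
    results = {}
    for i in range(n):
        verdict = port.receive(f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}")
        results[verdict] = results.get(verdict, 0) + 1
    return results
```

On a one-MAC port in shutdown mode, the very first fake frame err-disables the port, and the legitimate host behind it is cut off until an administrator recovers the port: port security stops the flood but hands an attacker an easy denial of service, which is why restrict mode is often preferred on user ports. Note also what the control does not do: an attacker who clones the allowed MAC is forwarded like the legitimate host, so port security limits flooding and casual plug-ins, not determined spoofing.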