November 2, 2015
The Unconventional Guide to Network Security 1.3
Based on CompTIA’s list of Security+ exam objectives (their PDF list of domains is found here: http://certification.comptia.org/docs/default-source/exam-objectives/comptia-security-sy0-401.pdf ), this article covers the first domain, Network Security (1.0), with its third sub-heading (1.3).
I mention products and examples because:
1. When you’re starting out it can be difficult to get a grasp of what’s what;
2. If you’re in charge of a virtual environment you probably won’t come in contact with many of these (e.g., firewall and VPN concentrators) because they’re managed solely by your VM provider/datacenter; and,
3. If you’re in an SMB you might not have any use or resources for things like virtualization.
This does not replace all other training. This is simply to augment your training by providing some examples and to help clarify a lot of the tech lingo, long documents, and other confusing aspects of other training. Definitely watch the great videos and read the other great material on Cybrary!

Network Security 1.0
1.3 Distinguish and differentiate network design elements and components

DMZ (DeMilitarized Zone)
AKA Perimeter Network, this is the set of servers that faces the world at large, allowing outsiders to “see” something on your network; it is very likely where your company’s website lives. Anybody is allowed some access to it, even though it’s typically behind your firewall. The firewall directs traffic to the DMZ and lets valid traffic through to your network; the DMZ can include your website, mail, and FTP servers.
Devices in the DMZ are the most susceptible to attack, as they are external-facing and directly, or closely, attached to an untrusted network (the internet).
Visitors (not just people, but also computers) can only reach so far into your network, giving you a presence on the web but not allowing traffic to get to your real network.

Subnetting
This takes a network (e.g., 192.168.1.x) and divides it up into smaller networks using CIDR notation (e.g., 192.168.0.0/23, where the /23 means that the first 23 bits identify the network). So you can have one network for Engineering, one for HR, and one for Accounting, all by using a subnet mask.
Simple example:
Network ID   | Host ID
192.168.2.   | 1       = IP Address
255.255.255. | 0       = Subnet Mask
Get familiar with 4 aspects of subnetting: IP Address, Subnet, Subnet Mask, and Interface. It’s a Layer 3 technology. Also get familiar with the terms CIDR, host portion, network portion, and binary. When CIDR (Classless Inter-Domain Routing) came on the scene, the terms Classes A-E became anachronistic, though it’s good to be aware of them, as the main divisions and default subnet masks of those classes may show up on the exam.
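A worked subnet calculation, added here as an example and not code from the original article: it splits a CIDR address into mask, network portion, host range and the binary view of the mask, and same_subnet checks whether two hosts share a network portion (which is also how the /28 VLAN ranges in the VLAN example further down can be verified).

```python
def dotted_to_int(addr):
    """'192.168.2.1' -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(n):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def int_to_binary(n):
    """32-bit integer -> dotted binary, the view used when learning subnetting."""
    return ".".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """CIDR prefix length -> mask as an integer (/28 -> 255.255.255.240)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr):
    """Split 'a.b.c.d/p' into its network portion, host portion and usable range."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    ip, mask = dotted_to_int(addr), prefix_to_mask(prefix)
    network = ip & mask                          # keep network bits, zero host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set every host bit
    host_bits = 32 - prefix
    return {
        "network": int_to_dotted(network),
        "mask": int_to_dotted(mask),
        "mask_binary": int_to_binary(mask),
        "host_bits": host_bits,
        # /31 and /32 leave no room for a network + broadcast pair
        "usable_hosts": max(2 ** host_bits - 2, 0),
        "first_host": int_to_dotted(network + 1),
        "last_host": int_to_dotted(broadcast - 1),
        "broadcast": int_to_dotted(broadcast),
    }

def same_subnet(ip_a, ip_b, prefix):
    """True when both hosts share the network portion under /prefix."""
    mask = prefix_to_mask(prefix)
    return (dotted_to_int(ip_a) & mask) == (dotted_to_int(ip_b) & mask)

if __name__ == "__main__":
    for cidr in ("192.168.2.1/24", "192.168.0.0/23", "192.168.0.16/28"):
        print(cidr, subnet_info(cidr))
```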
Get familiar with VLSM (Variable Length Subnet Mask). A fun way to get used to binary is to get a binary clock.
Search for subnetting here on Cybrary for great and extended explanations and examples!

VLAN (Virtual LAN)
Before VLANs, you had to use a different switch for each LAN that you wanted to separate (e.g., Engineering here, HR there). The Virtual LAN allows you to use one switch or router to both:
A. separate the network for reasons of routing, data flow management, and security; and,
B. allow traffic to route between the networks as needed (e.g., a mail server needs to cross all VLANs to reach recipients).
VLANs are based on logical (Layer 2/Data Link), not physical (Layer 1/Physical), connections.
With VLAN management, you can have different switches with different VLANs, yet be able to manage all of them from a central location.
It’s different from a subnet in that it:
1. Creates a more manageable separation (though not isolation) of the traffic; and,
2. Allows you to use ACLs for security.
Compared to subnetting it’s a more advanced way of separating traffic, lending itself to an easier-to-use method of maintaining the network.
EXAMPLE:
-----------------------------------------
SWITCH CONFIGURED WITH:
VLAN10: 192.168.0.1/28  -> GOES TO -> .2, .3
VLAN11: 192.168.0.16/28 -> GOES TO -> .18, .19
VLAN12: 192.168.0.32/28 -> GOES TO -> .33
-----------------------------------------

NAT (Network Address Translation)
This is simply translating one IP address to another. It includes one-to-one translation, but very often NAT is used as many-to-one and one-to-many. E.g., a company uses the 172.16.x (private/inside) network, but the company only has one public IP. When one of those private devices goes to the internet, the router automatically translates the private IP to the single public IP.
When the destination has been reached by the device, the returning packets (based on information in the packet) run back through the router and are returned to the appropriate device.
NOTE: To find your public IP, go to www.whatismypublicip.com
A couple of examples to search for and check out are Routing and Remote Access for Windows (included in Windows Server, but works differently in different versions) and IPFilter for Unix.
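The many-to-one case described above, as an added example that is not from the article: a small model of a NAT router that rewrites outbound packets from the 172.16.x inside network to one public IP, keeps a translation table keyed by the public port it hands out, and uses that table to deliver returning packets to the right inside host (and to drop packets nothing inside asked for). The public IP 203.0.113.5 and the inside and remote addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Many-to-one NAT (port address translation). Every inside host leaves
    through one public IP; the table remembers which inside (ip, port) owns
    each public port so that a returning packet reaches the right device."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}   # public port -> (inside ip, inside port)
        self.by_inside = {}        # (inside ip, inside port) -> public port

    def outbound(self, pkt):
        """Inside -> internet: rewrite the source to the public IP and a table port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_inside:          # first packet of this flow: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_inside[key] = port
            self.by_public_port[port] = key
        return Packet(self.public_ip, self.by_inside[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> inside: look the destination port up in the table.
        Returns None (packet dropped) when no inside host started the session."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.by_public_port.get(pkt.dst_port)
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")              # constructed public IP
    out_a = nat.outbound(Packet("172.16.0.10", 51000, "198.51.100.7", 443))
    out_b = nat.outbound(Packet("172.16.0.11", 51000, "198.51.100.7", 443))
    print("internet sees", out_a.src_ip, "ports", out_a.src_port, "and", out_b.src_port)
    reply = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out_b.src_port))
    print("reply delivered to", reply.dst_ip, reply.dst_port)
    print("unsolicited packet:", nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", 9999)))
```

Note that both inside hosts use the same source port 51000 and still get distinct public ports, which is the "information in the packet" the router relies on to route replies back.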
EXAMPLE OF NATTING FROM INTERNAL TO EXTERNAL
INTERNAL PC   -> GATEWAY IP / PUBLIC IP       -> INTERNET
192.168.0.10  -> 192.168.0.1 / 220.127.116.11 -> Devices see you as the 208. address

Remote Access
This is when your employees are connecting from outside the network back into your network. You want to make remote access (RA), whether wireless or wired, secure; so this is where things like a VPN (e.g., software such as OpenVPN) running as a service on the remote machine, or going through https:// (such as Citrix), come into play.
An example setup would be a laptop connecting from a coffee shop: the laptop has a software VPN client running as a service. As soon as the laptop is powered on, the service is running. When the user connects to the public wi-fi, the network connection is already authenticated and the data is already encrypted. You can also use firewalls and other controls on the network side to ensure that only those in your domain, and even only certain devices, can connect.
RA includes all connections to and from your network, including things like VNC, which is used to remotely troubleshoot. Be familiar with Remote Desktop, ISDN, Dial-up, DSL, and VPN.
Three examples to check out are Routing and Remote Access for Windows (included in Windows Server), Citrix, and RemoteApp.

Telephony
You’ll see various forms of the word “telephony” used almost interchangeably: Telecommunications, VoIP, Internet Telephony, IP Telephony, and Digital Telephony. Common to all of them is the idea of transmitting audio (even video) to others. You can use a hosted solution (e.g., OnSip) or in-house (e.g., Cisco). Also get familiar with the terms application gateway, POTS, and PSTN. Some other examples are Skype Phone, Cisco 7940, and Polycom.

NAC (Network Access Control)
Explaining and describing NAC can be pretty slippery, as the methods of providing it continue to change. Its use of protocols, application and enforcement of policies, and ways of authenticating will vary depending on your network technology.
But in short, NAC is how your devices determine who and what is allowed to access your network. An available network jack could be a vulnerability, so if you can close or disable that port, do so; someone in the wrong AD group poses a risk of infiltration; you could set policies so that only certain MAC addresses are allowed. Section 5 of the Security+ study materials goes in-depth on the areas of access control.
Sample simple flow:
Computer (Supplicant) -> Access Control systems (e.g., switch port, firewall, and AD) -> Network

Virtualization
Transforming your hardware to VMs can provide great cost and time savings, but it comes with a different set of considerations. Relating to security, one consideration is the trust issue: do you trust that the provider is not snooping? Do you trust that the VLANs are secure? The main goal, pertaining to security, is figuring out how you’ll maintain and monitor those VMs. You have to make sure that only the right people in your org have access to the VMs. Those who have access to the VMs should only be able to do what they need to do: can they just remote to it? Can they view the list of all VMs? Can they modify the VMs? And access to the VMs is different than access to the server itself; maybe a Domain Admin can only view the VM itself, but as a Domain Admin he can do whatever he wants to the OS. So it adds some layers of security issues.

Cloud Computing
The next few terms are part and parcel of cloud computing, which is the umbrella term. When you see all the mentions of cost savings, realize that starting out may be less costly, but if you already have the gear your company needs, it can be pretty expensive to switch. This is where looking at the 5 or 10+ year financial forecast comes into play to see what the real $$ ROI is.
When it’s all combined, you can use a thin client (essentially any old computer, except for XP/2003 and earlier since they’re out of compliance!)
and do all that you need to do!
The 3 terms below are out of order in the cloud computing stack, which is, from bottom to top, IaaS, PaaS, and SaaS.

Platform as a Service
PaaS (pronounced “pass”) allows you to take care of your web apps. It can be costly to have your own in-house platforms, so places like Amazon and MS offer AWS and Azure respectively. Developers can more economically build and maintain your company’s web services. You might run across the term “cloud-enabled application platform.” Some types and terms for PaaS are: Public, Private, Enterprise, Hybrid, Mobile, and Open. Some examples are: MS Azure, Google App Engine, and Amazon EC2.

Software as a Service
SaaS (pronounced “sass”) is software licensing based on subscription, AKA on-demand software. One strategy in keeping IT from becoming a resource hog (or a drain on the company’s resources) is to reduce the in-house cost of hosting apps onsite. It’s common for a company to outsource, among many other things, accounting, CRM, and HR software. Whatever the app(s), you just connect to the web and then to the app, so using the online software is often independent of what computer you use. Some examples are: Google Apps, WebEx, and Salesforce.

Infrastructure as a Service
The pronunciation is usually just saying the letters separately. Infrastructure is all the stuff (e.g., hardware, software, cooling systems) that is used to run your IT department. Search online for a definition that suits you, because there’s not a 100% agreed-upon definition. For examples of IaaS, look up VMware, Citrix Xen products, Amazon AWS, and Hyper-V.
I hope this information was helpful to you. Please leave your comments below.