By: ram
August 7, 2015
The Unconventional Guide to Network Security 1.2

Network Security 1.2
Based on CompTIA’s list of Security+ exam objectives (their PDF list of domains is found here: http://certification.comptia.org/docs/default-source/exam-objectives/comptia-security-sy0-401.pdf ), I’ll go through each one, giving examples and details where possible, so you know better what each listed item means, does and looks like. The examples are not in any particular order, preference, or even recommendation – they’re just quick-and-easily-found examples. I have no affiliations with any of the companies or products mentioned.

I mention these products and examples because:
1. When you’re starting out it can be difficult to get a grasp of what’s what;
2. If you’re in charge of a virtual environment, you probably won’t come in contact with many of these because they’re managed solely by your VM provider (e.g., firewall and NIDS); and,
3. If you’re in a small business you might not have any use for a host of load balancers, NIDSs, routers, and switches, and/or may not have the resources (e.g., money and space) to try your hand at these.

This is the second installment. Let's begin...

DOMAIN 1.0 Network Security
1.2 Apply and implement secure network administration principles

Rule-based Management
Rules, rules, rules. You set the rules, filters or values. Examples of devices that handle traffic or events using rules are firewalls, proxies and intrusion prevention systems (IPS). Whether the device takes a specific value (e.g., Block Port 22) or an if-then statement (e.g., if port=22 then deny), you need to double-check the priority and sequence of the rules so they don’t negate each other. Rules are normally evaluated top-down and the first match wins, so if a Deny All rule sits at the top, nothing below it is ever reached and no port will be allowed.

Firewall Rules
Firewalls typically default to Implicit Deny/Deny All, so it’s important to specify what you will and won’t allow. Allow All/Explicit Allow isn’t an option for security. You have to set up Inbound and Outbound rules for programs, services, ports, protocols, users, computers and scopes.
The rules are typically ordered and the last rule is Default Deny. This means “Check this rule, then that rule, and if none of them matched, deny everything else.”

Here’s what a CLI view of some firewall rules might look like (a Cisco IOS standard named ACL):

ip access-list standard workstations
remark Permit only Cybrary computer through
permit 172.16.2.88
remark Do not allow BadGuy computer through
deny 172.16.3.13

The final deny line is redundant with the implicit deny at the end of every ACL, but it documents the intent and gives that host its own match counter in show access-lists. Note also that an ACL does nothing until it is applied to an interface (ip access-group) or a vty line (access-class).

Here’s what the text of the GUI might look like:
No. | Permit | Source       | Destination | Service | Interface | Dir. | Desc.
1   | Yes    | 172.16.42.88 | Any         | IP      | Eth0      | In   | Permit
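The ordering point above (first match wins, implicit deny at the end) is easy to get wrong in any product, so here is an added Python example, not part of the original post, that models a rule base with the same columns as the GUI table and evaluates packets top-down. The rule base, the hosts, and the guest/work VLAN ranges (192.168.50.0/24 and 192.168.10.0/24) are constructed for illustration. It also includes the check a practitioner wants before pushing a rule base: which rules are shadowed by an earlier, broader rule and will therefore never fire. The same evaluator illustrates the Implicit Deny and Network Separation items later in this post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One line of a rule base. Field names follow the GUI columns above;
    'any' (or None for dport) means the field is not restricted."""
    action: str                  # "permit" or "deny"
    src: str = "any"             # source host or CIDR
    dst: str = "any"             # destination host or CIDR
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None = any
    iface: str = "any"           # interface the packet arrives on or leaves by
    direction: str = "any"       # "in" or "out"


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    """True if every restricted field of the rule agrees with the packet."""
    return (_net_match(rule.src, pkt["src"])
            and _net_match(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and (rule.dport is None or rule.dport == pkt.get("dport"))
            and rule.iface in ("any", pkt["iface"])
            and rule.direction in ("any", pkt["direction"]))


def evaluate(rules, pkt):
    """Top-down, first-match evaluation. Returns (action, index of the rule
    that fired); when nothing matches, the implicit deny fires (index None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _field_covers(outer, inner) -> bool:
    return outer in ("any", None) or outer == inner


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule already
    matches every packet they would match (the classic mis-ordering bug)."""
    shadowed = []
    for j, rj in enumerate(rules):
        for ri in rules[:j]:
            if (_net_covers(ri.src, rj.src) and _net_covers(ri.dst, rj.dst)
                    and _field_covers(ri.proto, rj.proto)
                    and _field_covers(ri.dport, rj.dport)
                    and _field_covers(ri.iface, rj.iface)
                    and _field_covers(ri.direction, rj.direction)):
                shadowed.append(j)
                break
    return shadowed


# Constructed rule base: the two hosts from the ACL above plus a rule that keeps a
# hypothetical guest VLAN (192.168.50.0/24) out of the internal LAN (192.168.10.0/24).
GOOD = [
    Rule("permit", src="172.16.2.88/32", proto="tcp", dport=22, iface="eth0", direction="in"),
    Rule("deny", src="172.16.3.13/32", iface="eth0", direction="in"),
    Rule("deny", src="192.168.50.0/24", dst="192.168.10.0/24"),
]
# The same rules with a Deny All placed first: everything below it is dead.
BAD = [Rule("deny")] + GOOD

# Constructed packets.
SSH_FROM_CYBRARY = {"src": "172.16.2.88", "dst": "10.0.0.5", "proto": "tcp", "dport": 22, "iface": "eth0", "direction": "in"}
WEB_FROM_BADGUY = {"src": "172.16.3.13", "dst": "10.0.0.5", "proto": "tcp", "dport": 80, "iface": "eth0", "direction": "in"}
GUEST_TO_LAN = {"src": "192.168.50.7", "dst": "192.168.10.20", "proto": "tcp", "dport": 445, "iface": "eth1", "direction": "in"}
UNLISTED = {"src": "172.16.9.9", "dst": "10.0.0.5", "proto": "udp", "dport": 53, "iface": "eth0", "direction": "in"}

if __name__ == "__main__":
    for name, pkt in [("ssh", SSH_FROM_CYBRARY), ("badguy", WEB_FROM_BADGUY),
                      ("guest", GUEST_TO_LAN), ("unlisted", UNLISTED)]:
        print(name, "good:", evaluate(GOOD, pkt), "bad:", evaluate(BAD, pkt))
    print("shadowed in BAD:", shadowed_rules(BAD))  # every rule after the Deny All
```

With GOOD, the Cybrary host’s SSH is permitted by rule 0, BadGuy is denied by rule 1, guest-to-LAN traffic is denied by rule 2, and the unlisted DNS packet falls through to the implicit deny. With BAD, every packet hits the Deny All at index 0 and shadowed_rules reports rules 1, 2 and 3 as unreachable, which is exactly the “rules negating each other” problem the text warns about.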

Port Security
Port security limits which, and how many, MAC addresses a switch port will learn. Here’s a CLI view of enabling it on a Cisco switch, followed by the verification command:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security interface fastethernet 3/12
Port Security :Enabled
Port Status :Secure-up
Violation Mode :Shutdown
Aging Time :0
Aging Type :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses :5
Total MAC Addresses :0
Configured MAC Addresses :0
Sticky MAC Addresses :11
Last Source Address :0000.0000.0401
Security Violation Count :0

This configuration caps the port at five learned MAC addresses, makes the switch keep (“stick”) the addresses it learns in the running configuration, and, with the default violation mode of Shutdown, err-disables the port if a sixth address shows up. That is the defence against someone plugging an unauthorised device, or a MAC-flooding tool, into a live wall jack.

802.1X
802.1X is the IEEE standard for port-based network access control. It is used on wired switch ports, but it’s very often seen in reference to wireless networks, where it is the basis of WPA/WPA2-Enterprise authentication. (It is not an umbrella term for 802.11a/b/g/i/n or 802.16; those are separate IEEE standards for the wireless links themselves.) Your computer is the Supplicant; the switch or wireless access point is the Authenticator; and the RADIUS server behind it is the Authentication Server. The Supplicant and Authenticator talk EAP over LAN (EAPOL); the Authenticator does not check credentials itself but relays the EAP conversation to the Authentication Server (usually carried inside RADIUS), and only opens the port for normal traffic when the server answers with EAP-Success. Get familiar with the IEEE, who provides standards like this. And, be familiar with LAN, WLAN, EAP, EAPOL, MD5, PKI, TLS and Man-in-the-Middle (MitM) attacks: EAP-MD5 gives the client no way to authenticate the server and is open to dictionary and MitM attacks, which is why certificate-based methods such as EAP-TLS and PEAP are preferred.

Flood Guards
These are controls that you set to prevent things like DoS, ping floods, SYN floods and MAC floods. You set rules on your firewall (or switch) to prevent other devices from overwhelming your network with bogus traffic, for example by capping the number of connection attempts a single source may make (e.g., 150,000 requests per minute) or the number of half-open connections a server may hold. Your network has only so many connection points (a TCP listener has a finite backlog for half-open connections, a switch has a finite MAC address table), so a flood will slow or cripple your network. Get familiar with the TCP three-way handshake (SYN, SYN-ACK, ACK) and why a SYN that is never completed costs the receiver state; SYN cookies are the usual host-side mitigation. An internal loop (see the next item) can create a flood too.

Loop Protection
When you plug two unmanaged switches into each other with two cables (accidentally, of course!), or plug a switch into itself, broadcast frames circulate between them forever. Switch 1 (S1) receives a broadcast and floods it out every port except the one it came in on, including both links to Switch 2 (S2). S2 receives two copies and floods each of them out its other ports, which sends them straight back to S1, and so on. Ethernet frames have no hop count or TTL (unlike IP packets), so nothing ever ages them out; every new broadcast adds to the frames already circulating, the switches’ MAC tables flap as the same source address keeps appearing on different ports, and the network slows down dramatically. It’s a Layer 2 (Ethernet) event, even though the symptoms show up at Layer 3 and above. To protect from this, we have Spanning Tree and Loop Protection. In short, Spanning Tree Protocol (STP) finds the redundant paths and puts the extra ports into a blocking state, while loop-protection features watch the traffic for signs of a loop (such as a switch receiving its own probe frame) and disable the port(s). cf. HP ProCurve Switches.

For a perfect example of how this can disable a network, see these articles about the network collapse of CareGroup in 2003:
1. http://geekdoctor.blogspot.com/2008/03/caregroup-network-outage.html
2. http://www.computerworld.com/article/2581420/disaster-recovery/all-systems-down.html

Implicit Deny
Many devices come with this by default. Unless something has been explicitly allowed, it’s implicitly denied. The configuration could look like this:

access-list 1 permit host 192.168.10.1

You’ll notice that there’s nothing to say “deny everything else.” Because Implicit Deny is the default, you only have to state explicitly that the host 192.168.10.1 is allowed. Everything else, at this point, is denied. The flip side is that an ACL with no matching permit statement (or a typo in its only one) blocks all traffic on the interface it is applied to, which is the usual cause of “I added an ACL and lost my own management session.” It can be a pain, but going through the training of configuring something when starting from Implicit/Default Deny helps you understand ports, protocols, and your network much better.

Prevent Network Bridging by Network Separation
Network Bridging is where one network can see another network’s traffic. E.g., if you want to separate a guest wireless network from your real network, make a new VLAN on your switch and direct the guest ports/cable/traffic to that VLAN. You don’t strictly need a second internet feed for this: the guest VLAN and the work VLAN can share one uplink as long as the router or firewall between them forwards guest traffic only to the internet and never into the work VLAN (a separate feed for guests is simply one easy way to guarantee that). Otherwise, if you just try to hide your network from a guest WiFi that you’ve set up on your normal network (only obfuscation, not separation), then anyone who knows that private networks use the 10.x.x.x, 172.16.x.x to 172.31.x.x, or 192.168.x.x ranges can use something like Angry IP Scanner to scan and start detecting the IP scheme and devices on your network.

Log Analysis
If you administer a network, you’ll need to check your Security, System, Application, et al. logs to see what’s taking place. A couple of free log analyzers are Splunk (which has a free edition; http://www.splunk.com/en_us/solutions/solution-areas/log-management.html) and Log Parser (by Microsoft, though old). Search the internet for Security Event ID Cheat Sheet and you’ll find lots of free resources to help you decipher log details (e.g., Windows Security Event IDs 4624 and 4625 for successful and failed logons).

Thanks for reading! Good luck with your next steps.
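Added worked example for the Loop Protection item above (not part of the original post): a small Python simulation of how a transparent bridge floods frames, on a constructed topology of two switches joined by two parallel trunk links, each with two hosts on access ports. The switch and port names are invented. It shows why the frames never drain without loop protection, what changes when Spanning Tree puts one port into blocking state, and that the “2 copies become 4” growth the text describes needs at least three parallel paths (each copy is re-flooded out every trunk except the one it arrived on).

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

Port = Tuple[str, str]  # (switch, port name)

# Constructed topology: two switches joined by two parallel trunk links (the
# accidental second cable), each with two access ports carrying a host.
LINKS = [("S1", "t1", "S2", "t1"), ("S1", "t2", "S2", "t2")]
ACCESS_PORTS = {"S1": ["a1", "a2"], "S2": ["a1", "a2"]}


def build_ports(links) -> Dict[str, Dict[str, Optional[Port]]]:
    """{switch: {port: peer}}; peer is the far-end (switch, port) for a trunk
    and None for an access port (a host lives there)."""
    ports = {sw: {p: None for p in ACCESS_PORTS[sw]} for sw in ACCESS_PORTS}
    for sa, pa, sb, pb in links:
        ports[sa][pa] = (sb, pb)
        ports[sb][pb] = (sa, pa)
    return ports


def simulate(rounds: int, inject_rounds: int, links=LINKS,
             blocked: FrozenSet[Port] = frozenset()) -> Tuple[List[int], int]:
    """Flood broadcast frames the way a transparent bridge does: each frame is
    copied out of every port except the one it arrived on. A host on S1/a1 sends
    one broadcast per round for the first `inject_rounds` rounds. `blocked` lists
    ports that Spanning Tree has put into blocking state: nothing is sent out of
    them and anything arriving on them is discarded.
    Returns (frames still circulating after each round, copies delivered to hosts)."""
    ports = build_ports(links)
    in_flight: List[Port] = []   # frames waiting at (switch, ingress port)
    history: List[int] = []
    delivered = 0
    for r in range(rounds):
        if r < inject_rounds:
            in_flight.append(("S1", "a1"))
        nxt: List[Port] = []
        for sw, ingress in in_flight:
            for port, peer in ports[sw].items():
                if port == ingress or (sw, port) in blocked:
                    continue
                if peer is None:
                    delivered += 1        # host on an access port gets a copy
                elif peer not in blocked:
                    nxt.append(peer)      # far-end switch will flood it again
        in_flight = nxt
        history.append(len(in_flight))
    return history, delivered


if __name__ == "__main__":
    # No loop protection: frames never drain, hosts keep receiving the same broadcasts.
    print("loop   :", simulate(rounds=6, inject_rounds=3))
    # STP blocks S2's second trunk port: each broadcast reaches each other host once.
    print("blocked:", simulate(rounds=6, inject_rounds=3, blocked=frozenset({("S2", "t2")})))
    # Three parallel links: each copy is re-flooded out two trunks, so it doubles per hop.
    print("3 links:", simulate(rounds=4, inject_rounds=1, links=LINKS + [("S1", "t3", "S2", "t3")]))
```

With the two-link loop, three broadcasts leave six frames circulating indefinitely and the three other hosts receive 51 copies in six rounds (and would keep receiving them forever); with S2/t2 blocked, the same three broadcasts are delivered exactly nine times (once to each other host) and nothing is left in flight after the last one. A real storm is worse than this model because hosts answer the broadcasts (ARP replies) and the MAC tables flap, but the mechanism is the same.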
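Added worked example for the Log Analysis item above (not part of the original post): the kind of check you end up writing once you have looked up what the Event IDs mean. It reads a constructed, simplified CSV export of Windows Security events (timestamp, event ID, account, source IP; the accounts and addresses are invented, and real Event Viewer exports carry many more columns) and flags a successful logon (4624) that follows a burst of failed logons (4625) for the same account from the same source within a short window, i.e. a password-guessing attempt that worked.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in a simplified CSV export shape (timestamp, event ID,
# account, source IP); not a real event log dump. 4625 = failed logon,
# 4624 = successful logon (Windows Security log).
SAMPLE_LOG = """\
2015-08-07 09:00:01,4625,jsmith,203.0.113.9
2015-08-07 09:00:03,4625,jsmith,203.0.113.9
2015-08-07 09:00:04,4625,jsmith,203.0.113.9
2015-08-07 09:00:06,4625,jsmith,203.0.113.9
2015-08-07 09:00:07,4625,jsmith,203.0.113.9
2015-08-07 09:00:09,4624,jsmith,203.0.113.9
2015-08-07 09:15:00,4625,mlee,10.0.0.23
2015-08-07 09:45:00,4624,mlee,10.0.0.23
2015-08-07 10:02:10,4625,admin,198.51.100.4
2015-08-07 10:02:11,4625,admin,198.51.100.4
2015-08-07 10:02:12,4625,admin,198.51.100.4
"""

Event = Tuple[datetime, int, str, str]


def parse(text: str) -> List[Event]:
    """Parse the CSV lines into (time, event id, account, source) sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, account, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, src))
    return sorted(events)


def count_by_event_id(events) -> Dict[int, int]:
    """The first thing to look at: how many of each event type there are."""
    return dict(Counter(e[1] for e in events))


def failures_by_source(events, threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` failed logons (4625) in the sample."""
    c = Counter(src for _, eid, _, src in events if eid == 4625)
    return {src: n for src, n in c.items() if n >= threshold}


def successful_after_failures(events, threshold: int = 5, window=timedelta(minutes=5)):
    """Successful logons (4624) preceded, within `window`, by at least `threshold`
    failed logons for the same account from the same source.
    Returns a list of (source, account, failure count, time of success)."""
    recent = defaultdict(list)   # (src, account) -> times of failures seen so far
    findings = []
    for ts, eid, account, src in events:
        key = (src, account)
        if eid == 4625:
            recent[key].append(ts)
        elif eid == 4624:
            fails = [t for t in recent[key] if ts - t <= window]
            if len(fails) >= threshold:
                findings.append((src, account, len(fails), ts.strftime("%Y-%m-%d %H:%M:%S")))
            recent[key].clear()  # a success closes the attempt, start counting afresh
    return findings


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(count_by_event_id(evts))
    print(failures_by_source(evts))
    print(successful_after_failures(evts))
```

On the sample, jsmith’s five failures followed nine seconds later by a success from 203.0.113.9 is reported; mlee’s single typo half an hour before a success is not, and the three failures against admin from 198.51.100.4 show up in failures_by_source but not as a successful guess. The thresholds and window are the tuning knobs you would set per environment.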
access-list 1 permit host 192.168.10.1You’ll notice that there’s nothing to say “deny everything else.” Because Implicit Deny is the default, you have to state explicitly that the host 92.168.10.1 is allowed. Everything else, at this point, is denied.It can be a pain, but going through the training of configuring something when starting from Implicit/Default Deny helps you understand ports, protocols, and your network much better. Prevent Network Bridging by Network SeparationNetwork Bridging is where one network can see another network’s traffic. E.g., if you want to separate a guest wireless network from your real network, then make a new VLAN on your switch and direct ports/cable/traffic to that side of the switch (you’ll need 2 internet feeds, BTW– one going to your work network VLAN, and one feeding your WiFi VLAN). Otherwise, if you just try to hide your network from a guest WiFi that you’ve setup on your normal network (only obfuscation, not separation), then anyone who knows that the internal addresses are 192.168.x, 172.16.x, or 10.0.x can use something like AngryIP to scan and start detecting the IP scheme and devices on your network. Log AnalysisIf you administer a network, you’ll need to check your Event, System, Application, et al. logs to see what’s taking place. A couple of free log analyzers are Splunk Log Analyzer (http://www.splunk.com/en_us/solutions/solution-areas/log-management.html) and Log Parser (by Microsoft, though old). Search the internet for Security Event ID Cheat Sheet and you’ll find lots of free resources to help you decipher log details. Thanks for reading! Good luck with your next steps.