This section introduces you to the work of network administration, what that entails, and how rules, strategies and guidelines determine what happens on the network. We'll explain the concepts of rule-based management and secure router management, tie them into the use of firewalls and proxies, and look at what that means for network traffic and the management of that traffic.

Hello, my name is John Oyeleke, subject matter expert for the Security+ exam. Welcome to Cybrary.IT. Today we will be talking about network administration principles. We will be looking at flood guards, 802.1X, rule-based management, firewall rules, loop protection, implicit deny, log analysis and a few other topics.

We'll start off with rule-based management. Rule-based management typically applies to our firewalls, where we set up a set of rules to dictate what type of traffic should be allowed in or out of the network across the firewalls. The network administrators follow the policy to configure the firewalls in such a way that only traffic that is meant to leave the network can leave, and only traffic that should come through the firewalls does come through. Based on these rules, which we call the firewall rules, the firewalls manage traffic coming in and out. These rules are typically either to allow the traffic or to deny the traffic. A rule will address traffic to particular ports, traffic to particular IP addresses, or the type of files or packets that are actually moving across the network; the allow or deny decision is what constitutes your rule. If you just deploy a firewall on your network without proper configuration, the default settings could be to allow all traffic, and this could be disastrous for your network if you allow all traffic in and out.
Malicious persons out there on the internet, or even internal users with malicious intent, could then move packets in and out of the network. With your firewall rules, using rule-based management, you are able to dictate what can traverse your firewalls and what cannot leave your network.

You must also do secure router management. Secure router management involves securing our routers with passwords so that the routing tables within the routers cannot be maliciously changed without proper authorization. By ensuring that the routers have proper passwords to lock them down, we can maintain the integrity of the routing tables. Otherwise, some malicious person could connect to your router and alter the routing tables, thereby redirecting your traffic through other systems on the network. Secure router management ensures that your routers are secure before you deploy them on your networks. It is bad practice to deploy our routers exactly as we receive them, in their default configurations. Their default names could even be the name of the device; malicious persons could do a simple search of that name on the internet and discover the logon name used to configure the tables on the device. We must practice secure router configuration. This locks down our routers to secure the network.

Access control lists are lists generated within our systems or our servers, and also on the firewalls, to determine what users can have access or what systems have access. Basically, the access control list is the metric that determines the capability of a user or a system when it gains access to the network. This way we can dictate or limit what users can or cannot do during the period in which they have access to the network or to a system. The access control list is simply a metric showing what capabilities every system or user with access to the network can carry out.

Then we talk about port security.
When we discuss port security, we have to talk about logical security and physical security. For physical security you want to have your devices locked down in such a way that you are able to restrict physical access to the ports. You could lock devices in a cabinet to restrict physical access to the ports. You could also ensure that rooms are locked so that not just anybody and everybody has physical access to systems and can connect devices to ports. Logical ports you can disable within the system. You could even disable physical ports within the system by going into the BIOS (basic input/output system); within the BIOS settings you could disable your USB ports, for example, which are physical ports. It is best practice to disable ports that are not in use. Ports that are not used, the logical ports, you disable, because if these ports were left open, malicious persons would discover them and use them, and when they do it is certainly not in your favor.

You could also implement 802.1X. This is a port-based authentication standard to ensure that rogue devices do not connect to our networks. If you implement 802.1X, which is done on the switches, not just anybody can connect a device to the switch or to the ports on the wall. It ensures that anybody connecting a device must authenticate: no malicious person could just sneak into your building, plug a router into the port on the wall or the switch, and then sit in the car park hoping to track or capture your network traffic; they must authenticate. 802.1X is a port-based authentication standard to secure your network so that rogue devices cannot function even if they are connected to your network.

Now we will look at flood guards. Flood guards could be standalone devices or devices that are built into your firewall to keep your network safe.
We could have different types of floods: you could have a ping flood, a SYN flood or other types of floods. Some malicious persons try to overwhelm your devices and your servers on your networks by flooding those servers with requests. Usually our networks allow a ping; ping is used to test for connectivity, and if you have your network configured to allow it, somebody else could ping your servers or ping systems on your network to see if they are available. However, malicious persons are able to flood that server with pings in such a way that the server becomes overwhelmed trying to process those ping requests, thereby causing a denial of service attack. Once the server is overwhelmed with all the pings, it's unable to cater for legitimate requests. The same goes for a SYN flood: malicious persons could craft SYN packets in such a way that the machine becomes overwhelmed trying to process them. Administrators should ensure that their flood guards are activated, so that when the flood guards detect a flood they block further traffic and the servers are not overwhelmed trying to process these packets. This is to ensure we secure our networks against denial of service attacks.

When we set up our routers and switches on the network, our routers especially, the routers have an algorithm within them for the case where we accidentally create a loop. We don't want loops on our networks. If we accidentally create a loop, the spanning tree protocol can be implemented to prevent looping. This breaks any loops that are created, perhaps as a result of a configuration error on our networks. The spanning tree protocol is triggered to prevent the loops. Loops are not good on our networks: they allow traffic to keep running around the network, and this could ultimately bring your network to a standstill.
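The flood guard behaviour described above, as an added example that is not part of the lecture: count connection-request (SYN) packets per source inside a sliding time window and block a source once it exceeds a threshold, so its later packets are dropped before the server spends effort on them. The packet trace, the threshold and the window size are constructed for the demonstration.

```python
# Added example (not from the Cybrary lecture): a simple flood guard. It counts
# SYN (connection-request) packets per source inside a sliding time window and
# blocks a source that exceeds the threshold, so later packets are dropped
# before the server spends effort on them. Thresholds here are constructed.
from collections import defaultdict, deque

class FloodGuard:
    def __init__(self, max_per_window: int = 5, window_seconds: float = 1.0):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = set()

    def check(self, src: str, flags: str, now: float) -> str:
        """Return 'drop' for blocked sources or flood bursts, else 'pass'."""
        if src in self.blocked:
            return "drop"
        if flags != "S":            # only bare SYNs count toward the flood
            return "pass"
        q = self.recent[src]
        q.append(now)
        while q and now - q[0] > self.window:   # expire old timestamps
            q.popleft()
        if len(q) > self.max_per_window:
            self.blocked.add(src)
            return "drop"
        return "pass"

# Constructed packet trace: (time, src, tcp flags). One host completes a normal
# handshake; another sends a burst of SYNs with no follow-up ACK.
TRACE = [(0.00, "192.0.2.5", "S"), (0.02, "192.0.2.5", "A")] + \
        [(0.10 + i * 0.01, "198.51.100.9", "S") for i in range(8)] + \
        [(2.00, "192.0.2.5", "S")]

def run(trace, guard=None):
    guard = guard or FloodGuard()
    verdicts = [(src, guard.check(src, flags, t)) for t, src, flags in trace]
    return verdicts, sorted(guard.blocked)

if __name__ == "__main__":
    verdicts, blocked = run(TRACE)
    print("blocked:", blocked)
    print("dropped:", sum(v == "drop" for _, v in verdicts))
```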
Using the spanning tree protocol we are able to prevent loops. If we detect a loop, a link can be broken to stop the loop and keep your network secure.

We could also implement something called implicit deny. Implicit deny is a network security strategy in which we say that all traffic should be deemed suspect unless explicitly allowed. If we apply the principle of implicit deny, everything is deemed suspect unless explicitly allowed, and nothing else should be allowed. If, for example, you have firewalls configured such that you want to allow a certain type of traffic, you will say "Allow such-and-such traffic," but any other traffic that you have not stated should be allowed should be denied. That is what the principle of implicit deny dictates: everything should be deemed suspect unless explicitly allowed. If it is not said that this traffic can go through, it should be denied.

We must also do log analysis. To secure our networks, we must do log analysis. Everything that transpires on a network is captured in a log. We have different types of logs: we have event logs, incident logs, logs of successes and logs of failures. You must do log analysis to check what transpired on the network: what failed, what was successful, what logons were successful, what accesses were successful, access to the printer, access to the server, access to systems. It is not good practice to just capture the logs and not analyze them. Logs could be very useful. Logs could tell you what has happened. Logs could also tell you what is happening, and by reviewing your logs carefully you could infer what could happen. Your logs are good for the past, the present and possibly the future. By doing careful log analysis, you would go to your servers and review the logs within the servers.
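The firewall rules from the start of the lecture and the implicit deny principle just described, as an added example that is not the lecture's own material: rules are evaluated first-match from the top, and anything no rule mentions falls to the default policy. The same rule set is evaluated once with a default of "allow" (the dangerous out-of-the-box setting) and once with implicit deny. The addresses, ports and rule set are constructed.

```python
# Added example (not from the Cybrary lecture): a minimal rule-based firewall
# evaluator. Rules are matched first-match, top to bottom, and the default
# policy decides anything no rule mentions. Implicit deny = default "deny".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # CIDR of the source
    dst: str = "0.0.0.0/0"       # CIDR of the destination
    dport: Optional[int] = None  # None = any destination port

@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed policy: let anyone reach the web server on 443, let the staff
# subnet SSH to it, and let everything out.
RULES = [
    Rule("allow", "in", "tcp", dst="203.0.113.10/32", dport=443),
    Rule("allow", "in", "tcp", src="192.0.2.0/24", dst="203.0.113.10/32", dport=22),
    Rule("allow", "out", "any"),
]

# Constructed traffic: HTTPS from the internet, and SSH from an unknown host.
https = Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 443)
ssh = Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 22)
```

With `decide(RULES, ssh, "allow")` the unknown host's SSH attempt is let through because no rule mentions it; with the implicit-deny default, `decide(RULES, ssh)`, it is denied while the HTTPS packet and staff SSH are still allowed.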
Best practice is that our logs should be secured on systems that are NTFS based so that we can ensure their integrity. If you review these logs, you can tell what transpired on your network. It could be that an incident occurred when nobody was there, or an incident occurred and nobody could see it even though people were there, but by reviewing the logs you can determine what happened. It is good practice that you must review your logs. A lot of organizations today use tools for this. We have security incident event managers, SIEM tools. These are tools that allow you to capture precisely the logs that are very important to you, because you could have millions of log entries for activities taking place on your systems. It is good practice that you use a solution that can alert you precisely to the specific logs that are very important. That way you are not just left with tons and tons of logs to review; that becomes a burden and nobody wants to do it. Using a security incident event manager, you are able to bring to one interface all the logs that are of high priority to you.

The last topic within the network administration principles is unified threat management. When we talk about unified threat management, this means you are putting all the solutions to manage threats together within one device. You unify your threat management within one device. A lot of organizations are building what we call next generation devices or next generation firewalls. You have devices that have the firewall, the intrusion detection system and the intrusion prevention system all in one. You unify your threat management capabilities such that when you buy one box you've bought all the solutions. This is a beautiful strategy, but there are some downsides to such a solution. If you have one device to take care of your intrusion detection system, intrusion prevention system and your firewalls, you could have something called a single point of failure.
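The log analysis and SIEM alerting described above, as an added example that is not part of the lecture: parse logon records, separate successes from failures, and raise an alert when one account from one source accumulates too many failures within a short window, which is the kind of rule a SIEM runs over millions of entries so that only the high-priority events reach the analyst. The log format, the sample lines and the thresholds are constructed.

```python
# Added example (not from the Cybrary lecture): a small log-analysis pass of the
# kind a SIEM rule automates. It parses constructed logon records, separates
# successes from failures, and alerts when one account accumulates too many
# failures within a window. Log format and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) logon (?P<result>SUCCESS|FAILURE) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log (not a real capture).
LOG = """\
2024-05-01T08:00:01 fileserver logon SUCCESS user=alice src=192.0.2.10
2024-05-01T08:00:05 fileserver logon FAILURE user=admin src=198.51.100.7
2024-05-01T08:00:06 fileserver logon FAILURE user=admin src=198.51.100.7
2024-05-01T08:00:07 fileserver logon FAILURE user=admin src=198.51.100.7
2024-05-01T08:00:09 fileserver logon FAILURE user=admin src=198.51.100.7
2024-05-01T08:03:00 printserver logon FAILURE user=bob src=192.0.2.11
2024-05-01T08:03:30 printserver logon SUCCESS user=bob src=192.0.2.11
""".splitlines()

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:                       # skip lines we do not understand
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def failed_logon_alerts(lines, threshold=3, window=timedelta(minutes=1)):
    """Return (user, src, count) for accounts with >= threshold failures in a window."""
    failures = defaultdict(list)
    for rec in parse(lines):
        if rec["result"] == "FAILURE":
            failures[(rec["user"], rec["src"])].append(rec["ts"])
    alerts = []
    for key, times in failures.items():
        for i, start in enumerate(times):      # sliding window over ordered times
            inside = [t for t in times[i:] if t - start <= window]
            if len(inside) >= threshold:
                alerts.append((key[0], key[1], len(inside)))
                break
    return alerts

def summary(lines):
    recs = list(parse(lines))
    return {"success": sum(r["result"] == "SUCCESS" for r in recs),
            "failure": sum(r["result"] == "FAILURE" for r in recs)}
```

On the sample log, `summary(LOG)` reports two successes and five failures, and `failed_logon_alerts(LOG)` flags only the admin account from 198.51.100.7; bob's single mistyped password stays below the threshold.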
If you have a single point of failure and that one device goes down, your firewall is gone, your detection system is gone and your prevention system is gone. As much as they appear to be a beautiful solution, the downside is that you could have a single point of failure. You unify all your threat management capabilities within one device: you could do your content filtering, your malware inspection, intrusion detection, intrusion prevention and your firewall as well, all within one device. We refer to that as unifying your threat management, using unified threat management devices.