All-In-One / CompTIA Security+™ All-in-One Exam Guide / Conklin, White, Davis / 124-5 / Chapter 1

CHAPTER 1

Network Device Configuration

In this chapter, you will

• Implement security configuration parameters on network devices
• Implement security configuration parameters on other technologies

Networks are composed of devices that are configured via software to perform the desired activities. The correct configuration of network devices is a key element of securing the network infrastructure, and proper configuration greatly strengthens the network's security posture. Learning how to properly configure network devices is important for passing the CompTIA Security+ exam.

Network Devices

A complete network computer solution in today’s business environment consists of more than just client computers and servers. Devices are used to connect the clients and servers and to regulate the traffic between them. Devices are also needed to expand this network beyond simple client computers and servers to include yet other devices, such as wireless and handheld systems. Devices come in many forms and with many functions, from hubs and switches, to routers, wireless access points, and special-purpose devices such as virtual private network (VPN) devices. Each device has a specific network function and plays a role in maintaining network infrastructure security.

EXAM TIP Expect questions on how to implement security configuration parameters on network devices.

Firewalls

A firewall can be hardware, software, or a combination whose purpose is to enforce a set of network security policies across network connections. It is much like a wall with a window: the wall serves to keep things out, except those permitted through the window (see Figure 1-1). Network security policies act like the glass in the window; they permit some things to pass, such as light, while blocking others, such as air. The heart of a firewall is the set of security policies that it enforces. Management determines what is allowed in the form of network traffic between devices, and these policies are used to build rule sets for the firewall devices used to filter network traffic across the network.

Security policies are rules that define what traffic is permissible and what traffic is to be blocked or denied. These are not universal rules, and many different sets of rules are created for a single company with multiple connections. A web server connected to the Internet may be configured to allow traffic only on port 80 for HTTP and have all other ports blocked, for example. An e-mail server may have only the ports necessary for e-mail open, with others blocked. The network firewall can be programmed to block all traffic to the web server except port 80 traffic, and to block all traffic bound for the mail server except port 25. In this fashion, the firewall acts as a security filter, enabling control over network traffic by machine, by port, and in some cases based on application-level detail. The key to setting security policies for firewalls is the same as for other security policies—the principle of least access: allow only the access necessary for a function, and block or deny everything else (a default-deny rule set). How a firm deploys its firewalls determines what is needed for the security policies of each firewall.

As will be discussed later, the security topology will determine what network devices are employed at what points in a network. At a minimum, the corporate connection to the Internet should pass through a firewall. This firewall should block all network traffic except that specifically authorized by the firm. Blocking communications on a port is simple—just tell the firewall to close the port. The issue comes in deciding what services are needed and by whom, and thus which ports should be open and which should be closed. This is what makes a security policy useful. The perfect set of network security policies for a firewall is one that the end user never sees and that never allows even a single unauthorized packet to enter the network. As with any other perfect item, it will be rare to find the perfect set of security policies for firewalls in an enterprise. When developing rules for a firewall, the principle of least access is best to use; you want the firewall to block as much traffic as possible, while allowing the authorized traffic through.

Figure 1-1 How a firewall works: security policies are enforced at the firewall connection between the untrusted network connections (the public Internet) and the trusted network connections (the internal network of workstations and servers).

To develop a complete and comprehensive security policy, it is first necessary to have a complete and comprehensive understanding of your network resources and their uses. Once you know how the network will be used, you will have an idea of what to permit. In addition, once you understand what you need to protect, you will have an idea of what to block. Firewalls are designed to block attacks before they reach a target machine. Common targets are web servers, e-mail servers, DNS servers, FTP services, and databases. Each of these has separate functionality, and each has unique vulnerabilities. Once you have decided who should receive what type of traffic and what types should be blocked, you can administer this through the firewall.

How Do Firewalls Work?

Firewalls enforce the established security policies through a variety of mechanisms, including the following:

• Network Address Translation (NAT)
• Basic packet filtering
• Stateful packet filtering
• Access control lists (ACLs)
• Application layer proxies

One of the most basic security functions provided by a firewall is NAT, which allows you to mask significant amounts of information from outside of the network. This allows an outside entity to communicate with an entity inside the firewall without truly knowing its address. NAT is a technique used in IPv4 to link private IP addresses to public ones. Private IP addresses are sets of IP addresses that can be used by anyone and, by definition, are not routable across the Internet. NAT can assist in security by preventing direct access to devices from outside the firm, without first having the address changed at a NAT device. The benefit is that fewer public IP addresses are needed, and from a security point of view, the internal address structure is not known to the outside world. If a hacker attacks the source address, he is simply attacking the NAT device, not the actual sender of the packet. NAT is described in detail in Chapter 3.

NAT was conceived to resolve an address shortage associated with IPv4 and is considered by many to be unnecessary for IPv6. The added security features of enforcing traffic translation and hiding internal network details from direct outside connections will give NAT life well into the IPv6 timeframe.

Basic packet filtering, the next most common firewall technique, involves looking at packets, their ports, protocols, and source and destination addresses, and checking that information against the rules configured on the firewall. Telnet and FTP connections may be prohibited from being established to a mail or database server, but they may be allowed for the respective service servers. This is a fairly simple method of filtering based on information in each packet header, such as IP addresses and TCP/UDP ports. Packet filtering will not detect and catch all undesired packets, but it is fast and efficient.

To look at all packets and determine the need for each and its data requires stateful packet filtering. Stateful means that the firewall maintains, or knows, the context of a conversation. In many cases, rules depend on the context of a specific communication connection. For instance, traffic from an outside server to an inside server may be allowed if it was requested but blocked if it was not. A common example is a request for a web page. This request is actually a series of requests to multiple servers, each of which can be allowed or blocked. Advanced firewalls employ stateful packet filtering to prevent several types of undesired communications. Should a packet come from outside the network in an attempt to pretend that it is a response to a message from inside the network, the firewall will have no record of it being requested and can discard it, blocking the undesired external access attempt. As many communications will be transferred to high ports (above 1023), stateful monitoring enables the system to determine which high-port conversations are permissible and which should be blocked. A disadvantage of stateful monitoring is that it takes significant resources and processing to maintain the connection table, which reduces efficiency and requires more robust and expensive hardware.
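The default-deny rule set and the stateful behaviour described in the preceding paragraphs, as an added example that is not part of the exam guide: a small packet filter in Python whose rule table allows only HTTP to the web server, only SMTP to the mail server, and outbound connections from inside hosts, and whose connection table accepts a reply on a high port only when an inside host actually opened the connection. The addresses, the `Packet` fields and the SYN-flag modelling are constructed for the illustration.

```python
"""Added example (not from the exam guide): a packet filter that enforces a
default-deny rule set and tracks connection state.  Addresses, the rule
table and the Packet fields are constructed for the illustration."""
from dataclasses import dataclass

# Constructed addresses for the illustration.
WEB_SERVER = "203.0.113.10"
MAIL_SERVER = "203.0.113.25"
INTERNAL_PREFIX = "10.0.0."      # crude prefix test for the trusted side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False            # first packet of a TCP connection
    ack: bool = False


# Rules are evaluated top to bottom: (source prefix, destination, port, action).
# "*" matches anything.  Nothing else is allowed, which is the default-deny
# (least access) posture the text describes.
RULES = [
    ("*", WEB_SERVER, 80, "allow"),        # HTTP only to the web server
    ("*", MAIL_SERVER, 25, "allow"),       # SMTP only to the mail server
    (INTERNAL_PREFIX, "*", "*", "allow"),  # trusted hosts may open outbound
]


class StatefulFirewall:
    """Stateless rule matching for new connections plus a connection table,
    so replies are accepted only for conversations an allowed side opened."""

    def __init__(self):
        self.connections = set()     # 5-tuples of connections already allowed

    def match_rules(self, pkt):
        """Basic packet filtering: header fields against the rule table."""
        for src, dst, dport, action in RULES:
            if src != "*" and not pkt.src.startswith(src):
                continue
            if dst != "*" and pkt.dst != dst:
                continue
            if dport != "*" and pkt.dport != dport:
                continue
            return action
        return "deny"                # no rule matched: least access

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Either direction of a tracked connection passes without re-checking.
        if key in self.connections or reverse in self.connections:
            return "allow"
        # A TCP packet that is not opening a connection and belongs to no
        # tracked one is an unsolicited "reply": drop it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        action = self.match_rules(pkt)
        if action == "allow":
            self.connections.add(key)
        return action


def demo():
    """Walk through the cases discussed in the text; returns a dict of results."""
    fw = StatefulFirewall()
    out = {}
    # Internet client opens HTTP to the web server: allowed by the first rule.
    out["http_to_web"] = fw.filter(Packet("198.51.100.7", 51000, WEB_SERVER, 80, syn=True))
    # Same client tries SSH to the web server: no rule, so default deny.
    out["ssh_to_web"] = fw.filter(Packet("198.51.100.7", 51001, WEB_SERVER, 22, syn=True))
    # Inside host opens a connection to a high port on an outside server.
    out["outbound"] = fw.filter(Packet("10.0.0.5", 40000, "198.51.100.9", 8443, syn=True))
    # The reply on that high port is accepted because the connection is tracked.
    out["reply_ok"] = fw.filter(Packet("198.51.100.9", 8443, "10.0.0.5", 40000, ack=True))
    # A forged "reply" to a port nobody opened has no state behind it: dropped.
    out["forged_reply"] = fw.filter(Packet("198.51.100.9", 8443, "10.0.0.5", 40001, ack=True))
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>13}: {verdict}")
```

A production firewall also validates TCP sequence numbers, times out idle table entries, and handles ICMP and related connections such as FTP data channels; the example keeps only the part that matters for the policy decision, and the connection table is exactly the resource cost the paragraph above refers to.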

EXAM TIP Firewalls operate by examining packets and selectively denying some based on a set of rules. Firewalls act as gatekeepers or sentries at select network points, segregating traffic and allowing some to pass and blocking others.

Some high-security firewalls also employ application layer proxies. Packets are not allowed to traverse the firewall; instead the data flows up to an application that in turn decides what to do with it. For example, a Simple Mail Transfer Protocol (SMTP) proxy may accept inbound mail from the Internet and forward it to the internal corporate mail server. While proxies provide a high level of security by making it very difficult for an attacker to manipulate the actual packets arriving at the destination, and while they provide the opportunity for an application to interpret the data prior to forwarding it to the destination, they generally are not capable of the same throughput as stateful packet inspection firewalls. The trade-off between security and performance is a common one and must be evaluated with respect to security needs and performance requirements.

Firewalls can also act as network traffic regulators in that they can be configured to mitigate specific types of network-based attacks. In denial-of-service and distributed denial-of-service (DoS/DDoS) attacks, an attacker can attempt to flood a network with traffic. Firewalls can be tuned to detect these types of attacks and act as a flood guard, mitigating the effect on the network. Firewalls can be very effective in blocking a variety of flooding attacks, including port floods, SYN floods, and ping floods.

01-ch01.indd 6 10/31/14 9:46 AM

Page 5: CHAPTER Network Device Configuration - … 1: Network Device Configuration 5 All-In-One / CompTIA Security+ All-in-One Exam Guide / Conklin, White, Davis / 124-5 / Chapter 1 even a

Chapter 1: Network Device Configuration

7

All-In-One / CompTIA Security+™ All-in-One Exam Guide / Conklin, White, Davis / 124-5 / Chapter 1

RoutersRouters are network traffic management devices used to connect different network seg-ments together. Routers operate at the network layer of the Open Systems Interconnec-tion (OSI) reference model (discussed in Chapter 3), routing traffic using the network address and utilizing routing protocols to determine optimal paths across a network. Routers form the backbone of the Internet, moving traffic from network to network, inspecting packets from every communication as they move traffic in optimal paths.

Routers operate by examining each packet, looking at the destination address, and using algorithms and tables to determine where to send the packet next. This process of examining the header to determine the next hop is fast, because only the destination address has to be looked up.

Routers use ACLs as a method of deciding whether a packet is allowed to enter the network. With ACLs, it is also possible to examine the source address and determine whether or not to allow a packet to pass. This allows routers equipped with ACLs to drop packets according to the rules built into the ACLs. Setting up and maintaining ACLs can be cumbersome, and as an ACL grows, routing efficiency can decrease because every packet is checked against more entries. It is also possible to configure some routers to act as quasi-application gateways, performing stateful packet inspection and using packet contents as well as IP addresses to determine whether or not to permit a packet to pass. This can tremendously increase the time for a router to pass traffic and can significantly decrease router throughput. Configuring ACLs and other aspects of setting up routers for this type of use are beyond the scope of this book.

EXAM TIP ACLs can be a significant effort to establish and maintain. Writing an individual entry is straightforward, but the judicious use of ACLs yields security benefits with a limited amount of ongoing maintenance. This can be very important in security zones such as a DMZ and at edge devices, blocking undesired outside contact while allowing known inside traffic.

One serious operational security issue with routers concerns access to a router and control of its internal functions. Routers can be accessed using the Simple Network Management Protocol (SNMP) and Telnet and can be programmed remotely. Because of the geographic separation of routers, this can become a necessity, for many routers in the world of the Internet can be hundreds of miles apart in separate locked structures. Physical control over a router is absolutely necessary, for if any device, be it server, switch, or router, is physically accessed by a hacker, it should be considered compromised; thus, such access must be prevented. It is important to ensure that the administrative password is never passed in the clear, that only secure mechanisms such as SSH and SNMPv3 are used to access the router, and that all of the default passwords are replaced with strong passwords.

Just like switches, the most assured point of access for router management control is via the serial control interface port or specific router management Ethernet interface. This allows access to the control aspects of the router without having to deal with traffic-related issues. For internal company networks, where the geographic dispersion of routers may be limited, third-party solutions to allow out-of-band remote management exist. This allows complete control over the router in a secure fashion, even from a remote location, although additional hardware is required.


Routers are available from numerous vendors and come in sizes big and small. A typical small home office router for use with cable modem/DSL service is shown in Figure 1-2. Larger routers can handle traffic of up to tens of gigabits per second per channel, using fiber-optic inputs and moving tens of thousands of concurrent Internet connections across the network. These routers, which can cost hundreds of thousands of dollars, form an essential part of the e-commerce infrastructure, enabling large enterprises such as Amazon and eBay to serve many customers concurrently.

Switches

Switches form the basis for connections in most Ethernet-based local area networks (LANs). Although hubs and bridges still exist, in today’s high-performance network environment, switches have replaced both. Each switch port is its own collision domain: the only devices that can contend for that link are the switch port and the host (or upstream device) connected to it. When full duplex is employed, collisions on that link are eliminated entirely. This also acts as a security factor in that a sniffer attached to one port sees only the traffic the switch forwards to that port (frames addressed to the attached host, plus broadcasts and frames to destinations the switch has not yet learned), as opposed to a hub-based system, where a single sniffer can see all of the traffic to and from connected devices.

Switches operate at the data link layer of the OSI model, while routers act at the network layer. For intranets, switches have become what routers are on the Internet—the device of choice for connecting machines. As switches have become the primary network connectivity device, additional functionality has been added to them. A switch is usually a layer 2 device, but layer 3 switches incorporate routing functionality.

Switches can also perform a variety of security functions. Switches work by moving frames from inbound connections to outbound connections. While moving the frames, it is possible for switches to inspect the frame headers and enforce security policies. Port security based on Media Access Control (MAC) addresses can determine whether a frame is allowed or blocked on a connection. This is the same kind of header-based decision a firewall makes at higher layers, and this same port-level control is what allows an 802.1X-capable switch to act as an “edge device,” admitting a host to the network only after it has authenticated.
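The MAC-based port security just described, together with the per-port forwarding that limits what a sniffer on one port can see, as an added example in Python that is not part of the exam guide or any vendor's software. Each port holds a set of secure MAC addresses (configured statically or learned "sticky" up to a maximum); a frame from any other MAC is a violation that err-disables the port. The port names and MAC addresses are constructed for the illustration.

```python
"""Added example (not from the exam guide or any vendor): MAC-based port
security on a switch, together with the per-port forwarding that limits
what a sniffer on one port can see.  Port names and MAC addresses are
constructed for the illustration."""


class SecurePort:
    """One switch port with a set of secure MAC addresses."""

    def __init__(self, name, max_macs=1, violation="shutdown"):
        self.name = name
        self.max_macs = max_macs         # how many MACs may be learned
        self.violation = violation       # "shutdown" (err-disable) or "restrict"
        self.allowed = set()             # static or sticky-learned MACs
        self.enabled = True
        self.violations = 0

    def configure_static(self, mac):
        """Administratively pin a MAC address to this port."""
        self.allowed.add(mac.lower())

    def receive(self, src_mac):
        """Return "forward" or "drop" for a frame arriving from src_mac."""
        src_mac = src_mac.lower()
        if not self.enabled:
            return "drop"                # port was err-disabled earlier
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)    # sticky learning of a new host
            return "forward"
        self.violations += 1             # unknown MAC beyond the limit
        if self.violation == "shutdown":
            self.enabled = False
        return "drop"


class Switch:
    """Learns which port each source MAC lives on and forwards unicast
    frames only there; unknown destinations are flooded."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}              # MAC -> port name

    def frame(self, in_port, src_mac, dst_mac):
        """Process one frame; return the list of ports it is sent out of."""
        if self.ports[in_port].receive(src_mac) == "drop":
            return []
        self.mac_table[src_mac.lower()] = in_port
        out = self.mac_table.get(dst_mac.lower())
        if out is None:                  # unknown destination: flood
            return [n for n, p in self.ports.items() if n != in_port and p.enabled]
        return [] if out == in_port else [out]


def demo():
    """The scenarios from the text; returns a dict of what happened."""
    sw = Switch([SecurePort("Gi0/1"), SecurePort("Gi0/2"), SecurePort("Gi0/3")])
    sw.ports["Gi0/1"].configure_static("aa:aa:aa:aa:aa:01")
    log = {}
    # Host A on Gi0/1 sends to B, whose port is not yet known: flooded.
    log["flood"] = sw.frame("Gi0/1", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")
    # B replies from Gi0/2 (sticky-learned as that port's one MAC); the
    # frame goes to Gi0/1 only, so a sniffer on Gi0/3 never sees it.
    log["unicast"] = sw.frame("Gi0/2", "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01")
    # An attacker plugs into Gi0/1 with another MAC: violation, port shut down.
    log["rogue"] = sw.frame("Gi0/1", "cc:cc:cc:cc:cc:03", "bb:bb:bb:bb:bb:02")
    log["gi01_enabled"] = sw.ports["Gi0/1"].enabled
    # Even the legitimate host is cut off until an administrator re-enables the port.
    log["after_shutdown"] = sw.frame("Gi0/1", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02")
    return log


if __name__ == "__main__":
    for event, result in demo().items():
        print(f"{event:>15}: {result}")
```

The shutdown behaviour is deliberate: an err-disabled port denies service to the legitimate host too, which is why real deployments pair it with an alert and an administrative (or timed) recovery rather than silently restricting. Note also that the example trusts the source MAC in the frame; port security raises the bar for a casual plug-in but not for an attacker who spoofs the permitted address.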

Figure 1-2 A small home office router for cable modem/DSL use

One of the security concerns with switches is that, like routers, they are intelligent network devices and are therefore subject to hijacking by hackers. Should a hacker break into a switch and change its parameters, he might be able to eavesdrop on specific or all communications virtually undetected. Switches are commonly administered using SNMP and Telnet, both of which (SNMP in versions 1 and 2c) have a serious weakness in that they send passwords across the network in clear text.

EXAM TIP Simple Network Management Protocol (SNMP) provides management functions to many network devices. SNMPv1 and SNMPv2c authenticate using a cleartext community string, allowing anyone monitoring packets to capture it and gain access to the network equipment. SNMPv3 adds cryptographic protections (authentication and encryption), making it the preferred solution.

A hacker armed with a sniffer that observes maintenance on a switch can capture the administrative password. This allows the hacker to come back to the switch later and configure it as an administrator. An additional problem is that switches are shipped with default passwords, and if these are not changed when the switch is set up, they offer an unlocked door to a hacker. Commercial-quality switches have a local serial console port or a management Ethernet interface for guaranteed access to the switch for purposes of control. Some products in the marketplace enable an out-of-band network, using these dedicated channels to enable remote, secure access to programmable network devices.

CAUTION To secure a switch, you should disable all access protocols other than a secure serial line or a secure protocol such as Secure Shell (SSH). Using only secure methods to access a switch will limit the exposure to hackers and malicious users. Maintaining secure network switches is even more important than securing individual boxes, for the span of control to intercept data is much wider on a switch, especially if it’s reprogrammed by a hacker.

Load Balancers

Certain systems, such as servers, are more critical to business operations and should therefore be the object of fault-tolerance measures. A common technique that is used in fault tolerance is load balancing. This technique is designed to distribute the processing load over two or more systems. It is used to help improve resource utilization and throughput, but also has the added advantage of increasing the fault tolerance of the overall system since a critical process may be split across several systems. Should any one system fail, the others can pick up the processing it was handling. While there may be an impact to overall throughput, the operation does not go down entirely. Load balancing is often utilized for systems handling websites, high-bandwidth file transfers, and large Internet Relay Chat (IRC) networks. Load balancing works by a series of health checks that tell the load balancer which machines are operating, and by a scheduling mechanism to spread the work evenly. Load balancing is best for stateless systems, as subsequent requests can be handled by any server, not just the one that processed the previous request.
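The health-check and scheduling mechanism described above, as an added example in Python that is not from the exam guide: backends leave the rotation after a configurable number of consecutive failed checks and rejoin after a successful one, and requests are spread round-robin over whatever remains. The backends are simulated in-process (the `healthy` flag stands in for a real probe), so nothing here touches the network.

```python
"""Added example (not from the exam guide): a load balancer that takes
backends out of rotation on failed health checks and spreads requests
round-robin over the rest.  Backends are simulated in-process; nothing
here touches the network."""


class Backend:
    """Stand-in for a real server; `healthy` models whether its probe passes."""

    def __init__(self, name, healthy=True):
        self.name = name
        self.healthy = healthy
        self.served = 0

    def health_check(self):
        # In practice an HTTP GET of a status URL or a TCP connect with a timeout.
        return self.healthy

    def handle(self, request):
        self.served += 1
        return f"{self.name}:{request}"


class LoadBalancer:
    """Round-robin scheduling over the backends that currently pass health checks."""

    def __init__(self, backends, fail_threshold=2):
        self.backends = backends
        self.fail_threshold = fail_threshold     # consecutive failures before removal
        self.failures = {b.name: 0 for b in backends}
        self.next_index = 0

    def run_health_checks(self):
        """Count consecutive failures per backend; one success clears them."""
        for b in self.backends:
            self.failures[b.name] = 0 if b.health_check() else self.failures[b.name] + 1

    def pool(self):
        """Backends eligible for new requests."""
        return [b for b in self.backends if self.failures[b.name] < self.fail_threshold]

    def dispatch(self, request):
        """Send the request to the next healthy backend in rotation.  This
        only works because the request carries everything the backend
        needs (stateless), so any server can take it."""
        pool = self.pool()
        if not pool:
            raise RuntimeError("no healthy backends")
        backend = pool[self.next_index % len(pool)]
        self.next_index += 1
        return backend.handle(request)


def demo():
    """Three backends, one of which fails mid-run; returns what was served."""
    backends = [Backend("web1"), Backend("web2"), Backend("web3")]
    lb = LoadBalancer(backends, fail_threshold=2)
    lb.run_health_checks()
    first = [lb.dispatch(f"req{i}") for i in range(3)]   # one request per backend
    backends[1].healthy = False                           # web2 goes down
    lb.run_health_checks()                                # 1 failure: still in rotation
    lb.run_health_checks()                                # 2 failures: removed
    after = [lb.dispatch(f"req{i}") for i in range(3, 7)] # web1 and web3 share the load
    return first, after, [b.served for b in backends]


if __name__ == "__main__":
    print(demo())
```

Requiring more than one failed check before removal avoids pulling a server on a single lost probe, while a single success is enough to reinstate it; the asymmetry is a design choice, and a flapping backend would need a longer recovery threshold. For stateful applications the scheduler would additionally need session persistence, which is exactly the dependency the paragraph above warns about.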


Proxies

Though not strictly a security tool, a proxy server can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile websites. A proxy server takes requests from a client system and forwards them to the destination server on behalf of the client. Proxy servers can be completely transparent (these are usually called gateways or tunneling proxies), or they can modify the client request before sending it on or even serve the client’s request without needing to contact the destination server. Several major categories of proxy servers are in use:

• Anonymizing proxy An anonymizing proxy is designed to hide information about the requesting system and make a user’s web browsing experience “anonymous.” This type of proxy service is often used by individuals concerned with the amount of personal information being transferred across the Internet and the use of tracking cookies and other mechanisms to track browsing activity.
• Caching proxy This type of proxy keeps local copies of popular client requests and is often used in large organizations to reduce bandwidth usage and increase performance. When a request is made, the proxy server first checks to see whether it has a current copy of the requested content in the cache; if it does, it services the client request immediately without having to contact the destination server. If the content is old or the caching proxy does not have a copy of the requested content, the request is forwarded to the destination server.
• Content-filtering proxy Content-filtering proxies examine each client request and compare it to an established acceptable use policy (AUP). Requests can usually be filtered in a variety of ways, including by the requested URL, the destination system, or the domain name or by keywords in the content itself. Content-filtering proxies typically support user-level authentication so access can be controlled and monitored and activity through the proxy can be logged and analyzed. This type of proxy is very popular in schools, corporate environments, and government networks.
• Open proxy An open proxy is essentially a proxy that is available to any Internet user and often has some anonymizing capabilities as well. This type of proxy has been the subject of some controversy, with advocates for Internet privacy and freedom on one side of the argument, and law enforcement, corporations, and government entities on the other side. As open proxies are often used to circumvent corporate proxies, many corporations attempt to block the use of open proxies by their employees.
• Reverse proxy A reverse proxy is typically installed on the server side of a network connection, often in front of a group of web servers. The reverse proxy intercepts all incoming web requests and can perform a number of functions, including traffic filtering, Secure Sockets Layer (SSL)/TLS termination (decryption), serving of common static content such as graphics, and performing load balancing.
• Web proxy A web proxy is solely designed to handle web traffic and is sometimes called a web cache. Most web proxies are essentially specialized caching proxies.


Deploying a proxy solution within a network environment is usually done by either setting up the proxy and requiring all client systems to configure their browsers to use the proxy or by deploying an intercepting proxy that actively intercepts all requests without requiring client-side configuration.

From a security perspective, proxies are most useful in their ability to control and filter outbound requests. By limiting the types of content and websites employees can access from corporate systems, many administrators hope to avoid loss of corporate data, hijacked systems, and infections from malicious websites. Administrators also use proxies to enforce corporate acceptable use policies and track use of corporate resources.
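The decision logic of a content-filtering proxy, as an added example in Python that is not from the exam guide or from any proxy product: each request is first tied to an authenticated user, then checked against an acceptable use policy by domain, by URL pattern and finally by keywords in the fetched content, and every decision is logged with the user and the reason. The policy, the user list, the URLs and the page contents are constructed for the illustration; the `fetch` callable stands in for the outbound request the proxy would make.

```python
"""Added example (not from the exam guide or any product): the allow/deny
logic of a content-filtering proxy.  Policy, users, URLs and page bodies
are constructed for the illustration."""
import re
from urllib.parse import urlparse

# Constructed acceptable use policy (an assumption for the illustration).
POLICY = {
    "blocked_domains": {"casino.example", "malware.example"},
    "blocked_url_patterns": [re.compile(r"/(proxy|unblock)\b", re.I)],  # open-proxy abuse
    "blocked_keywords": {"confidential", "internal use only"},          # data leaving
    "allowed_users": {"alice", "bob"},
}


def domain_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in POLICY["blocked_domains"])


def decide(user, url, content=None):
    """Return (decision, reason).  Unauthenticated users are denied, then the
    request is checked by domain, by URL path, and, once a body is available,
    by keywords in the content."""
    if user not in POLICY["allowed_users"]:
        return "deny", "unauthenticated"
    parsed = urlparse(url)
    if domain_blocked(parsed.hostname or ""):
        return "deny", f"blocked domain {parsed.hostname}"
    for pat in POLICY["blocked_url_patterns"]:
        if pat.search(parsed.path):
            return "deny", f"url matches {pat.pattern}"
    if content is not None:
        lowered = content.lower()
        for kw in POLICY["blocked_keywords"]:
            if kw in lowered:
                return "deny", f"content keyword {kw!r}"
    return "allow", "policy ok"


class FilteringProxy:
    """Applies decide() around an outbound fetch and keeps a per-user log."""

    def __init__(self):
        self.log = []                    # (user, url, decision, reason)

    def request(self, user, url, fetch=None):
        """fetch(url) returns the body; it is only called when the domain and
        URL checks pass, so blocked sites are never contacted at all."""
        decision, reason = decide(user, url)
        if decision == "allow" and fetch is not None:
            decision, reason = decide(user, url, fetch(url))
        self.log.append((user, url, decision, reason))
        return decision


def demo():
    """Five constructed requests; returns decisions, what was fetched, and the log."""
    proxy = FilteringProxy()
    fetched = []

    def fake_fetch(url):                 # stand-in for the real outbound request
        fetched.append(url)
        return "Quarterly numbers - CONFIDENTIAL - do not distribute"

    results = [
        proxy.request("alice", "https://news.example/today", lambda u: "plain news"),
        proxy.request("alice", "https://www.casino.example/play", fake_fetch),
        proxy.request("bob", "https://free.example/proxy/?u=http://blocked", fake_fetch),
        proxy.request("bob", "https://docs.example/report", fake_fetch),
        proxy.request("mallory", "https://news.example/today", fake_fetch),
    ]
    return results, fetched, proxy.log


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

The ordering matters for security as much as for speed: domain and URL checks run before any connection is made, so a blocked or hostile site never receives the request, while the keyword check necessarily runs after the fetch. A production filter would match on the full host list of a category feed, inspect both request and response bodies, and apply the same checks to TLS traffic only after terminating it, which is the reverse-proxy style of interception noted in the list above.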

Web Security Gateways

Some security vendors combine proxy functions with content-filtering functions to create a product called a web security gateway. Web security gateways are intended to address the security threats and pitfalls unique to web-based traffic. Web security gateways typically provide the following capabilities:

• Real-time malware protection (also known as malware inspection) Some web security gateways have the ability to scan all outgoing and incoming web traffic to detect and block undesirable traffic such as malware, spyware, adware, malicious scripts, file-based attacks, and so on.
• Content monitoring Some web security gateways provide the ability to monitor the content of web traffic being examined to ensure that it complies with organizational policies.
• Productivity monitoring Some web security gateways measure how much web traffic is being generated by specific users, groups of users, or the entire organization as well as the types of traffic being generated.
• Data protection and compliance Some web security gateways can scan web traffic for sensitive or proprietary information being sent outside of the organization as well as the use of social network sites or inappropriate sites.

VPN Concentrators

A virtual private network (VPN) is a construct used to provide a secure communication channel between users across public networks such as the Internet. As described later in the book, a variety of techniques can be employed to instantiate a VPN connection. The use of encryption technologies allows either the data in a packet to be encrypted or the entire packet to be encrypted. If only the data is encrypted (transport mode), the packet header can still be sniffed and observed between source and destination, but the encryption protects the contents of the packet from inspection. If the entire packet is encrypted (tunnel mode), it is placed inside another packet and sent through a tunnel across the public network. Tunneling hides the original packet’s addresses, so an observer on the public network sees only the tunnel endpoints, not the communicating hosts behind them.

The most common implementation of VPN is via IPsec, a protocol suite for IP security. IPsec support was originally mandatory for IPv6 implementations (later relaxed to a recommendation) and is optionally back-fitted into IPv4. IPsec can be implemented in hardware, software, or a combination of both. VPNs terminate at a specific point in the network, the VPN concentrator. VPN concentrators come in a variety of sizes, scaling to enable VPNs from small networks to large. A VPN concentrator allows multiple VPN connections to terminate at a single network point.

Intrusion Detection Systems

Intrusion detection systems (IDSs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. IDSs are available from a wide selection of vendors and are an essential part of network security. These systems are implemented in software, but in large systems, dedicated hardware is required as well. IDSs can be divided into two categories: network-based systems and host-based systems. Two primary methods of detection are used: signature-based and anomaly-based:

• Host-based IDS (HIDS) Examines activity on an individual system, such as a mail server, web server, or individual PC. It is concerned only with an individual system and usually has no visibility into the activity on the network or systems around it.
• Network-based IDS (NIDS) Examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.

EXAM TIP Know the differences between host-based and network-based IDSs. A host-based IDS runs on a specific system (server or workstation) and looks at all the activity on that host. A network-based IDS sniffs traffic from the network and sees only activity that occurs on the network.

Whether it is network-based or host-based, an IDS will typically consist of several specialized components working together, as illustrated in Figure 1-3. These components are often logical and software-based rather than physical and will vary slightly from vendor to vendor and product to product. Typically, an IDS will have the following logical components:

Figure 1-3 Logical depiction of IDS components (components shown: critical files, network traffic, traffic collector, analysis engine, signature database, user interface, log files, alarm storage, reports)

●● Traffic collector (or sensor) This component collects activity/events for the IDS to examine. On a host-based IDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a network-based IDS, this is typically a mechanism for copying traffic off the network link—basically functioning as a sniffer. This component is often referred to as a sensor.

●● Analysis engine This component examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine is the “brains” of the IDS.

●● Signature database The signature database is a collection of patterns and definitions of known suspicious or malicious activity.

●● User interface and reporting This component interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.

Most IDSs can be tuned to fit a particular environment. Certain signatures can be turned off, telling the IDS not to look for certain types of traffic. For example, if you are operating in a pure UNIX environment, you may not wish to see Windows-based alarms, as they will not affect your systems. Additionally, the severity of the alarm levels can be adjusted depending on how concerned you are over certain types of traffic. Some IDSs will also allow the user to exclude certain patterns of activity from specific hosts. In other words, you can tell the IDS to ignore the fact that some systems generate traffic that looks like malicious activity because it really isn’t.

Some analysts break down IDS models even further into four categories depending on how the IDS operates and detects malicious traffic (the same models can also be applied to intrusion prevention systems, discussed a bit later).

Behavior Based

This model relies on a collected set of “normal behavior”—what should happen on the network and is considered “normal” or “acceptable” traffic. Behavior that does not fit into the “normal” activity categories or patterns is considered suspicious or malicious. This model can potentially detect zero-day or unpublished attacks, but carries a high false-positive rate because any new traffic pattern can be labeled as “suspect.”

Signature Based

This model relies on a predefined set of patterns (called signatures). The IDS has to know what behavior is considered “bad” ahead of time before it can identify and act upon suspicious or malicious traffic. Signature-based systems can be very fast and precise, but they rely on having accurate signature definitions beforehand.

Anomaly Based

This model is similar to behavior-based methods. The IDS is first taught what “normal” traffic looks like and then looks for deviations from those “normal” patterns. Anomalies can also be defined, such as Linux commands sent to Windows-based systems, and implemented via an artificial intelligence–based engine to expand the utility of specific definitions.

Heuristic

This model uses artificial intelligence to detect intrusions and malicious traffic. This is typically implemented through algorithms that help an IDS decide if a traffic pattern is malicious or not. For example, a URL containing a character repeated 10 times may be considered “bad” traffic as a single signature. With a heuristic model, the IDS will understand that if 10 repeating characters is bad, 11 is still bad, and 20 is even worse. This implementation of fuzzy logic allows this model to fall somewhere between signature-based and behavior-based models.
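The following Python script is an added example written for this section; it is not code from the book. It puts the four detection models side by side on a handful of constructed HTTP request lines (the hosts, paths, and signature names are all made up): a signature that fires only on the exact pattern it was written for, the heuristic from the text that scores a run of 10 repeated characters as bad and 20 as worse, and a baseline-driven anomaly check that flags a perfectly legitimate new page because it was not in the training set, which is the false-positive cost the text warns about. It also shows the two tuning knobs described earlier, turning a signature off and excluding a known-noisy host.

```python
import re

# Constructed sample traffic as a NIDS might see it after decoding:
# (source host, HTTP request line). Not real captures.
SAMPLE_REQUESTS = [
    ("10.0.0.5",  "GET /index.html"),
    ("10.0.0.5",  "GET /about.html"),
    ("10.0.0.5",  "GET /contact.html"),            # legitimate, but not in the learned baseline
    ("10.0.0.7",  "GET /login?user=admin'--"),     # SQL comment sequence: a signature hit
    ("10.0.0.9",  "GET /" + "A" * 10),             # exactly what the signature describes
    ("10.0.0.9",  "GET /" + "A" * 20),             # longer: the signature misses, the heuristic scores higher
    ("10.0.0.11", "GET /search?q=%3Cscript%3E"),   # URL-encoded script tag
    ("10.0.0.13", "GET /" + "A" * 10),             # our own scanner, to be excluded by tuning
]

# Signature database: patterns the IDS has to know ahead of time (constructed names).
SIGNATURES = {
    "sqli-comment": re.compile(r"'--"),
    "repeat-10":    re.compile(r"(?<!A)A{10}(?!A)"),   # exactly ten A's and no more
    "script-tag":   re.compile(r"%3Cscript%3E", re.I),
}

def signature_detect(path, disabled=frozenset()):
    """Signature-based: fire only on predefined patterns. Tuning = turning signatures off."""
    return [n for n, rx in SIGNATURES.items() if n not in disabled and rx.search(path)]

def heuristic_score(path):
    """Heuristic: the text's example. A run of 10 identical characters scores 1.0,
    11 scores 1.1, 20 scores 2.0; runs shorter than 10 score 0."""
    longest = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", path)), default=0)
    return longest / 10.0 if longest >= 10 else 0.0

def learn_baseline(requests):
    """Anomaly/behavior-based: 'normal' is the set of paths seen during a training period."""
    return {line.split(" ", 1)[1].split("?")[0] for _, line in requests}

def anomaly_detect(path, baseline):
    """Anything outside the baseline is suspect, which is where the false positives come from."""
    return path.split("?")[0] not in baseline

def run_ids(requests, baseline, disabled=frozenset(), host_exclusions=None):
    """Analysis engine: run the models over the collected requests and return alerts
    as (host, model, detail). host_exclusions maps a host to the signature names or
    model names ("heuristic", "anomaly") that should be ignored for that host."""
    host_exclusions = host_exclusions or {}
    alerts = []
    for host, line in requests:
        path = line.split(" ", 1)[1]
        excl = frozenset(host_exclusions.get(host, ()))
        for name in signature_detect(path, disabled | excl):
            alerts.append((host, "signature", name))
        score = heuristic_score(path)
        if score >= 1.0 and "heuristic" not in excl:
            alerts.append((host, "heuristic", f"run score {score:.1f}"))
        if "anomaly" not in excl and anomaly_detect(path, baseline):
            alerts.append((host, "anomaly", path))
    return alerts

if __name__ == "__main__":
    baseline = learn_baseline(SAMPLE_REQUESTS[:2])      # train on the first two benign requests
    for alert in run_ids(SAMPLE_REQUESTS, baseline,
                         host_exclusions={"10.0.0.13": {"repeat-10", "heuristic"}}):
        print(alert)
```

Running it shows the trade-off in one listing: the 20-character run is missed by the signature but scored 2.0 by the heuristic, while the anomaly model raises an alert on /contact.html simply because it was never seen during training.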

Intrusion Prevention Systems

An intrusion prevention system (IPS) has as its core an intrusion detection system. However, whereas an IDS can only alert when network traffic matches a defined set of rules, an IPS can take further actions. IPSs come in the same two forms as IDSs, host based (HIPS) and network based (NIPS). An IPS can take direct action to block an attack, with its actions governed by rules. By automating the response, an IPS significantly shortens the response time between detection and action.

EXAM TIP Recognize that an IPS has all the same characteristics of an IDS but, unlike an IDS, can automatically respond to certain events, such as resetting a TCP connection, without operator intervention.

Protocol Analyzers

A protocol analyzer (also known as a packet sniffer, network analyzer, or network sniffer) is a piece of software or an integrated software/hardware system that can capture and decode network traffic. Protocol analyzers have been popular with system administrators and security professionals for decades because they are such versatile and useful tools for a network environment. From a security perspective, protocol analyzers can be used for a number of activities, such as the following:

●● Detecting intrusions or undesirable traffic (IDS/IPS must have some type of capture and decode ability to be able to look for suspicious/malicious traffic)

●● Capturing traffic during incident response or incident handling

●● Looking for evidence of botnets, Trojans, and infected systems

●● Looking for unusual traffic or traffic exceeding certain thresholds

●● Testing encryption between systems or applications


From a network administration perspective, protocol analyzers can be used for activities such as these:

●● Analyzing network problems

●● Detecting misconfigured applications or misbehaving applications

●● Gathering and reporting network usage and traffic statistics

●● Debugging client/server communications

Regardless of the intended use, a protocol analyzer must be able to see network traffic in order to capture and decode it. A software-based protocol analyzer must be able to place the network interface card (NIC) it is going to use to monitor network traffic in promiscuous mode (sometimes called promisc mode). Promiscuous mode tells the NIC to process every network packet it sees regardless of the intended destination. Normally, a NIC will process only broadcast packets (that are going to everyone on that subnet) and packets with the NIC’s MAC address as the destination address inside the packet. As a sniffer, the analyzer must process every packet crossing the wire, so the ability to place a NIC into promiscuous mode is critical.

With older networking technologies, such as hubs, it was easier to operate a protocol analyzer, as the hub broadcast every packet across every interface regardless of the destination. With switches becoming the standard for networking equipment, placing a protocol analyzer became more difficult because switches do not broadcast every packet across every port. While this may make it harder for administrators to sniff the traffic, it also makes it harder for eavesdroppers and potential attacks.

To accommodate protocol analyzers, IDS devices, and IPS devices, most switch manufacturers support port mirroring or a Switched Port Analyzer (SPAN) port. Depending on the manufacturer and the hardware, a mirrored port will see all the traffic passing through the switch or through a specific VLAN(s), or all the traffic passing through other specific switch ports. The network traffic is essentially copied (or mirrored) to a specific port, which can then support a protocol analyzer.

A popular open-source protocol analyzer is Wireshark (www.wireshark.org). Available for both UNIX/Linux and Windows operating systems, Wireshark is a GUI-based protocol analyzer that allows users to capture and decode network traffic on any available network interface in the system on which the software is running (including wireless interfaces). Wireshark has some interesting features, including the ability to “follow the TCP stream,” which allows the user to select a single TCP packet and then see all the other packets involved in that TCP conversation.
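The Python script below is an added example, not code from the book or from Wireshark, that models the three ideas just described. It builds a few constructed Ethernet II/IPv4/TCP frames (the MAC and IP addresses are invented and checksums are left at zero), applies the NIC's normal destination filter versus promiscuous mode, decodes the headers the way a protocol analyzer does, and groups segments into conversations in the manner of the “follow the TCP stream” feature. No live capture is performed, so it runs without privileges or a mirrored port.

```python
import struct
from collections import defaultdict

OUR_MAC = bytes.fromhex("020000000001")      # constructed: the analyzer host's own NIC
BROADCAST = b"\xff" * 6
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet II / IPv4 / TCP frame as constructed test input.
    Checksums are zero because nothing here validates them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

# Constructed "wire": a client/server HTTP exchange we are not party to, one SSH
# segment addressed to us, and a broadcast ARP frame (not IPv4, so it never decodes).
SAMPLE_FRAMES = [
    build_frame(SERVER_MAC, CLIENT_MAC, "10.0.0.5", "10.0.0.80", 40000, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.80", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame(OUR_MAC, CLIENT_MAC, "10.0.0.5", "10.0.0.10", 40001, 22, b"SSH-2.0-client\r\n"),
    BROADCAST + CLIENT_MAC + b"\x08\x06" + b"\x00" * 28,
]

def nic_accepts(frame, promiscuous):
    """The NIC's destination filter: normally only our unicast MAC and broadcast are
    passed up the stack; in promiscuous mode every frame is."""
    dst = frame[:6]
    return promiscuous or dst == OUR_MAC or dst == BROADCAST

def decode(frame):
    """Decode Ethernet II -> IPv4 -> TCP; return (src_ip, sport, dst_ip, dport, payload)
    or None when the frame is not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":
        return None                                   # EtherType is not IPv4
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if frame[23] != 6:
        return None                                   # protocol is not TCP
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4         # TCP header length in bytes
    return src_ip, sport, dst_ip, dport, frame[tcp_off + data_off:]

def follow_tcp_streams(frames, promiscuous):
    """Group accepted, decoded segments by direction-insensitive 4-tuple, the way
    'Follow TCP Stream' does. Returns {stream_key: [(direction, payload), ...]}."""
    streams = defaultdict(list)
    for frame in frames:
        if not nic_accepts(frame, promiscuous):
            continue
        decoded = decode(frame)
        if decoded is None:
            continue
        src_ip, sport, dst_ip, dport, payload = decoded
        a, b = (src_ip, sport), (dst_ip, dport)
        key = (a, b) if a <= b else (b, a)            # same key for both directions
        streams[key].append(("->" if (a, b) == key else "<-", payload))
    return dict(streams)

if __name__ == "__main__":
    for mode in (False, True):
        streams = follow_tcp_streams(SAMPLE_FRAMES, promiscuous=mode)
        print(f"promiscuous={mode}: {len(streams)} stream(s)")
        for key, segments in streams.items():
            print("  ", key, [(d, p[:12]) for d, p in segments])
```

Without promiscuous mode the analyzer sees only the SSH segment addressed to its own MAC; with it, the HTTP conversation between two other hosts becomes visible and reassembles as one stream with both directions. On a switched network the frames would additionally need to reach the analyzer's port at all, which is what a SPAN or mirror port provides.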

EXAM TIP Expect questions on how to implement security configuration parameters on IT technology components.

Spam Filter

The bane of users and system administrators everywhere, spam is essentially unsolicited or undesired bulk electronic messages. While typically applied to e-mail, spam can be transmitted via text message to phones and mobile devices, as postings to Internet forums, and by other means. If you’ve ever used an e-mail account, chances are you’ve received spam.

From a productivity and security standpoint, spam costs businesses and users billions of dollars each year, and it is such a widespread problem that the U.S. Congress passed the CAN-SPAM Act of 2003 to empower the Federal Trade Commission to enforce the act and the Department of Justice to enforce criminal sanctions against spammers. The act establishes requirements for those who send commercial e-mail, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask e-mailers to stop spamming them. Despite all our best efforts, however, spam just keeps coming; as the technologies and techniques developed to stop the spam get more advanced and complex, so do the tools and techniques used to send out the unsolicited messages.

Here are a few of the more popular methods used to fight the spam epidemic; most of these techniques are used to filter e-mail, but could be applied to other mediums as well:

●● Blacklisting Blacklisting is essentially noting which domains and source addresses have a reputation for sending spam, and rejecting messages coming from those domains and source addresses. This is basically a permanent “ignore” or “call block” type capability. Several organizations and a few commercial companies provide lists of known spammers.

●● Content or keyword filtering Similar to Internet content filtering, this method filters e-mail messages for undesirable content or indications of spam. Much like content filtering of web content, filtering e-mail based on something like keywords can cause unexpected results, as certain terms can be used in both legitimate and spam e-mail. Most content-filtering techniques use regular expression matching for keyword filtering.

●● Trusted servers The opposite of blacklisting, a trusted server list includes SMTP servers that are being “trusted” not to forward spam.

●● Delay-based filtering Some Simple Mail Transfer Protocol (SMTP) servers are configured to insert a deliberate pause between the opening of a connection and the sending of the SMTP server’s welcome banner. Some spam-generating programs do not wait for that greeting banner, and any system that immediately starts sending data as soon as the connection is opened is treated as a spam generator and dropped by the SMTP server.

●● PTR and reverse DNS checks Some e-mail filters check the origin domain of an e-mail sender. If the reverse checks show the mail is coming from a dial-up user, home-based broadband, or a dynamically assigned address, or has a generic or missing domain, then the filter rejects it, as these are common sources of spam messages.

●● Callback verification Because many spam messages use forged “from” addresses, some filters attempt to validate the “from” address of incoming e-mail. The receiving server can contact the sending server in an attempt to validate the sending address, but this is not always effective, as spoofed addresses are sometimes valid e-mail addresses that can be verified.

●● Statistical content filtering Statistical filtering is much like a document classification system. Users mark received messages as either spam or legitimate mail, and the filtering system learns from the user’s input. The more messages that are seen and classified as spam, the better the filtering software should get at intercepting incoming spam. Spammers counteract many filtering technologies by inserting random words and characters into the messages, making it difficult for content filters to identify patterns common to spam.

●● Rule-based filtering Rule-based filtering is a simple technique that merely looks for matches in certain fields or keywords. For example, a rule-based filtering system may look for any message with the words “get rich” in the subject line of the incoming message. Many popular e-mail clients have the ability to implement rule-based filtering.

●● Egress filtering Some organizations perform spam filtering on e-mail leaving their organization as well, and this is called egress filtering. The same types of anti-spam techniques can be used to validate and filter outgoing e-mail in an effort to combat spam.

●● Hybrid filtering Most commercial anti-spam methods use hybrid filtering, or a combination of several different techniques to fight spam. For example, a filtering solution may take each incoming message and match it against known spammers, then against a rule-based filter, then a content filter, and finally against a statistical-based filter. If the message passes all filtering stages, it will be treated as a legitimate message; otherwise, it is rejected as spam.
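The following Python script is an added example, not code from the book or from any anti-spam product, that wires four of the techniques above into the hybrid pipeline the last item describes: a blacklist check, a rule on the subject line (the text's “get rich” example), a content-pattern stage, and a small naive Bayes statistical filter trained on constructed messages the user has already marked. The domains, messages, and training samples are all invented. The keyword stage is deliberately shown rejecting a legitimate message whose subject happens to contain the phrase, which is the side effect the content-filtering item warns about.

```python
import math
import re
from collections import Counter

# Stage inputs (constructed for this example, not real reputation data).
BLACKLIST = {"bulk-offers.example"}                       # domains known for sending spam
RULES = [("subject", re.compile(r"\bget rich\b", re.I))]  # the text's rule-based example
CONTENT_PATTERNS = [re.compile(r"\b(free money|miracle cure)\b", re.I)]

# Constructed training mail the user has already classified.
SPAM_SAMPLES = ["win a prize now", "claim your prize today", "prize money waiting for you"]
HAM_SAMPLES = ["meeting notes attached", "lunch tomorrow at noon", "quarterly report attached"]

def tokens(text):
    return set(re.findall(r"[a-z']+", text.lower()))

class NaiveBayes:
    """Statistical filter: learns from messages the user marks as spam or legitimate."""
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        # Log-odds with add-one smoothing, turned back into P(spam | words present).
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        for tok in tokens(text):
            p_spam = (self.counts["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

def train_demo_model():
    model = NaiveBayes()
    for text in SPAM_SAMPLES:
        model.train(text, "spam")
    for text in HAM_SAMPLES:
        model.train(text, "ham")
    return model

def classify(message, model, threshold=0.9):
    """Hybrid pipeline: blacklist, then rules, then content patterns, then the
    statistical filter. Any stage can reject; a message that clears them all is
    treated as legitimate. Returns (verdict, stage that decided)."""
    domain, subject, body = message
    if domain in BLACKLIST:
        return "spam", "blacklist"
    for field, rx in RULES:
        if rx.search(subject if field == "subject" else body):
            return "spam", "rule"
    for rx in CONTENT_PATTERNS:
        if rx.search(body):
            return "spam", "content"
    if model.spam_probability(subject + " " + body) >= threshold:
        return "spam", "statistical"
    return "ham", "passed all stages"

if __name__ == "__main__":
    model = train_demo_model()
    for msg in [("bulk-offers.example", "Hello", "great deals"),
                ("friend.example", "Get Rich quick", "hello"),
                ("colleague.example", "Re: get rich book review", "draft attached"),  # keyword false positive
                ("shop.example", "Your prize", "claim your prize now"),
                ("colleague.example", "Lunch", "lunch tomorrow at noon, notes attached")]:
        print(msg[1], "->", classify(msg, model))
```

The order of stages matters for cost as well as accuracy: the cheap reputation and rule checks run first so that the statistical model, which has to tokenize the whole message, only sees mail that passed everything else. The threshold is the operator's tuning knob between missed spam and blocked legitimate mail.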

Much spam filtering is done at the network or SMTP server level. It’s more efficient to scan all incoming and outgoing messages with a centralized solution than it is to deploy individual solutions on user desktops throughout the organization. E-mail is essentially a proxied service by default: messages generally come into and go out of an organization’s mail server. (Users don’t typically connect to remote SMTP servers to send and receive messages, but they can.) Anti-spam solutions are available in the form of software that is loaded on the SMTP server itself or on a secondary server that processes messages either before they reach the SMTP server or after the messages are processed by the SMTP server. Anti-spam solutions are also available in appliance form, where the software and hardware are a single integrated solution. Many centralized anti-spam methods allow individual users to customize spam filtering for their specific inbox, specifying their own filter rules and criteria for evaluating inbound e-mail.

The central issue with spam is that, despite all the effort placed into building effective spam filtering programs, spammers continue to create new methods for flooding inboxes. Spam filtering solutions are good, but are far from perfect, and continue to fight the constant challenge of allowing in legitimate messages while keeping the spam out. The lack of central control over Internet traffic also makes anti-spam efforts more difficult. Different countries have different laws and regulations governing e-mail, which range from draconian to nonexistent. For the foreseeable future, spam will continue to be a burden to administrators and users alike.

UTM Security Appliances

Many security vendors offer “all-in-one security appliances,” which are devices that combine multiple functions into the same hardware appliance. Most commonly, these functions are firewall, IDS/IPS, and antivirus, although all-in-one appliances can include VPN capabilities, anti-spam, malicious web traffic filtering, anti-spyware, content filtering, traffic shaping, and so on. All-in-one appliances are often sold as being cheaper, easier to manage, and more efficient than having separate solutions that accomplish each of the functions the all-in-one appliance is capable of performing. A common name for these all-in-one appliances is a Unified Threat Management (UTM). Using a UTM appliance simplifies the security activity as a single process, under a common software package for operations. This reduces the learning curve to a single tool rather than a collection of tools. A UTM appliance can have better integration and efficiencies in handling network traffic and incidents than a collection of tools connected together.

URL Filter

URL filters block connections to websites that are in a prohibited list. The use of an appliance, typically backed by a service to keep the list of prohibited websites updated, provides an automated means to block access to sites deemed dangerous or inappropriate. Because of the highly volatile nature of web content, automated enterprise-level protection is needed to ensure a reasonable chance of blocking sources of inappropriate content, malware, and other malicious content.

Content Inspection

Rather than just rely on a URL to determine the acceptability of content, appliances can also inspect the actual content being served. Content inspection is used to filter web requests that return content with specific components, such as names of body parts, music or video content, and other content that is inappropriate for the business environment.

Malware Inspection

Malware is another item that can be detected during network transmission, and appliances can be tuned to detect malware. Network-based malware detection has the advantage of having to update only a single system as opposed to all machines.

Web Application Firewall vs. Network Firewall

A network firewall is a device that enforces policies based on network address rules. Blocking of addresses and/or ports allows a network firewall to restrict network traffic. A web application firewall (WAF) is a device that performs restrictions based on rules associated with HTTP/HTTPS traffic. By definition, web application firewalls are content filters, and their programming capabilities allow significant capability and protections. The level of specificity in what can be allowed or blocked can go to granular levels, such as “Allow Facebook, but block Facebook games.” WAFs can detect and block disclosure of critical data, such as account numbers, credit card numbers, and so forth. WAFs can also be used to protect websites from common attack vectors such as cross-site scripting, fuzzing, and buffer overflow attacks.


A web application firewall can be configured to examine inside an SSL session. This is important if an attacker is attempting to use an SSL-encrypted channel to mask their activity. Because legitimate SSL channels are instantiated by the system, the appropriate credentials can be passed internally to the WAF to enable SSL inspection.
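As an added example (not code from the book or from any firewall product), the Python script below contrasts the two decision points the text describes. The network firewall function looks only at the source address and destination port against a constructed rule list, while the WAF functions look inside HTTP: the request check URL-decodes the path and body and blocks script-injection patterns, and the response check finds Luhn-valid card numbers in outbound content and masks them, which is the data-disclosure control mentioned above. Addresses, ports, and card numbers are constructed test values (4111 1111 1111 1111 is a well-known test number); SSL inspection is assumed to have already happened upstream, so the functions receive plaintext.

```python
import ipaddress
import re
from urllib.parse import unquote

# Network firewall policy (constructed): address/port rules, first match wins, default deny.
NET_RULES = [
    ("allow", "10.0.0.0/8", 443),    # internal clients to the HTTPS front end
    ("allow", "0.0.0.0/0", 80),      # anyone to the public HTTP listener
    ("deny", "0.0.0.0/0", None),     # everything else
]

def network_firewall(src_ip, dst_port):
    """Decide on addresses and ports only; the payload is never examined."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in NET_RULES:
        if ip in ipaddress.ip_network(net) and (port is None or port == dst_port):
            return action
    return "deny"

# WAF policy: rules over the HTTP content itself.
XSS_PATTERN = re.compile(r"<\s*script|javascript:", re.I)
CARD_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13 to 19 digits, optional separators

def luhn_ok(digits):
    """Luhn check, so that an ordinary 16-digit order number does not trip the card rule."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch)
        if double:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
        double = not double
    return total % 10 == 0

def waf_request(path, body):
    """Inbound: block requests carrying script injection in the path or body.
    Both are URL-decoded first so that encoding alone does not slip past the rule."""
    for text in (unquote(path), unquote(body)):
        if XSS_PATTERN.search(text):
            return "block", "xss-pattern"
    return "allow", None

def waf_response(body):
    """Outbound: detect Luhn-valid card numbers in served content and mask all but
    the last four digits. Returns (status, possibly rewritten body)."""
    def mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)                          # not a card number: leave it alone
    masked = CARD_PATTERN.sub(mask, body)
    return ("masked" if masked != body else "clean"), masked

if __name__ == "__main__":
    print(network_firewall("10.1.2.3", 443), network_firewall("203.0.113.7", 443))
    print(waf_request("/comment", "text=%3Cscript%3E"))
    print(waf_response("card 4111 1111 1111 1111 on file; order 1234 5678 9012 3456 shipped"))
```

The network firewall allows the same request from an internal client whether or not it carries a script tag, because it has no view of the content; only the WAF layer can make that distinction, and only if it sees the decoded plaintext.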

Application-aware Devices

Network security was developed before application-level security was even a concern, so application-level attacks are not seen or blocked by traditional network security defenses. The security industry has responded to the application attack vector with the introduction of application-aware devices. Firewalls, IDSs/IPSs, proxies, and other devices are now capable of doing stateful inspection of traffic and detecting and blocking application-level attacks as well as network-level attacks.

Next-Generation Firewalls

Next-generation firewall is a term used to describe firewalls that are capable of content-level filtering and hence are capable of application-level monitoring. Depending on the level of programming and sophistication, next-generation firewalls can perform many advanced security checks based on defined application rules.

IDS/IPS

Intrusion detection and prevention systems perform their security tasks by screening network traffic and then applying a set of rules. When the process is application aware, the specificity of rules can be even more exacting. Adding advanced rule-processing power that manages both stateful and content-aware rule processing allows these devices to detect malicious attacks to applications based on the application, not just based on an address. The engines used for IDS/IPS are being incorporated into firewalls, turning a simple network firewall into a next-generation firewall.

Application-Level Proxies

Proxies serve to manage connections between systems, acting as relays for the traffic. Proxies can function at the circuit level, where they support multiple traffic types, or they can be application-level proxies, which are designed to relay specific application traffic. An HTTP proxy can manage an HTTP conversation, as it understands the type and function of the content. Application-specific proxies can serve as security devices if they are programmed with specific rules designed to provide protection against undesired content.

Chapter Review

This chapter described network devices and their configurations. Firewalls, routers, switches, sniffers, load balancers, proxies, web security gateways, and VPN concentrators were covered. Security devices, including intrusion detection systems, protocol analyzers, spam filters, and all-in-one security appliances, were presented. The chapter concluded with an examination of application-aware devices, including next-generation firewalls and web application firewalls.

Questions

To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.

1. What do load balancers use to determine if a host is operational?

A. Login

B. Request count

C. Health checking

D. Time To Live (TTL)

2. What is meant by the word “stateful” with respect to firewalls?

A. The firewall tracks what country requests are from.

B. Only packets matching an active connection are allowed through.

C. Only packets that are addressed to the internal server are allowed through.

D. The firewall keeps a list of all addresses to prevent spoofing of an internal IP address.

3. What is the primary difference between a proxy and a firewall?

A. A proxy allows access, while a firewall denies access.

B. A firewall uses a hardened operating system, while a proxy does not.

C. A proxy makes application-level requests on behalf of internal users, while a firewall typically just passes through authorized traffic.

D. A firewall is capable of successfully performing Network Address Translation for internal clients, while a proxy is forced to reveal internal addressing schemes.

4. Why is it important for a web application firewall to perform SSL inspection?

A. A lack of SSL inspection would allow a channel of threats past the firewall.

B. SSL inspection is only used when you know you are under attack.

C. Inspecting the SSL traffic assists with load balancing.

D. None of the above.

5. An anomaly-based NIPS will alert in which case?

A. When the network traffic matches a known attack pattern

B. When the network traffic deviates from a predefined traffic profile

C. When attack traffic alerts on a host-based intrusion detection system, forwarding a network cookie to allow the intrusion prevention system to block the traffic

D. When the network traffic changes from a configured traffic baseline


6. What is the best policy to use when administrating a firewall?

A. Quality of service (QoS)

B. Least access

C. First-in, first-out (FIFO)

D. Comprehensive

7. Why does a network protocol analyzer need to be in promiscuous mode?

A. To avoid network ACLs

B. To tell the switch to forward all packets to a workstation

C. To force the network card to process all packets

D. Promiscuous mode is not required.

8. Which protocol can create a security vulnerability in switches, firewalls, and routers because it authenticates using a cleartext password?

A. SNMP

B. SSH

C. SMTP

D. NAT

9. Why should most organizations use a content-filtering proxy?

A. To allow users to browse the Internet anonymously

B. To provide a secure tunnel to the Internet

C. To enforce a network acceptable use policy

D. To reduce bandwidth usage with local copies of popular content

10. Why is delay-based filtering effective against spam?

A. Spam generators will not send spam if they cannot do it immediately.

B. Spam generators do not wait for the SMTP banner.

C. Spam generators are poorly behaved and will quickly move on to the next server.

D. Spam has a very short TTL value.

For questions 11–14, use the following scenario: Suspecting that a hacker has broken through your company’s perimeter systems, the CISO has asked you to perform the incident response. After the team is assembled, you decide to tackle the network portion.


11. Which logs should be examined to determine if an intruder breached internal systems? (Choose all that apply).

A. Router

B. Firewall

C. Caching proxy

D. Switch

E. IDS

F. Spam filter

G. VPN concentrator

12. You find that the attack has come through the router and firewall to an unidentified desktop machine. You have the IP addresses but not the traffic content. What is likely your next step?

A. Disconnect the router from the Internet to prevent further attack progress.

B. Use ACLs to drop the IP address the attack came from.

C. Use a protocol analyzer to see current attack traffic.

D. Turn the findings over to management.

13. From analyzing the network traffic, you have determined that the attack has compromised a desktop in the sales department and is now sending outbound spam e-mails. Which devices can be used to eliminate this traffic? (Choose all that apply).

A. Router

B. Firewall

C. Caching proxy

D. Switch

E. IDS

F. Spam filter

G. VPN concentrator

14. How would an intrusion detection system help you respond to this incident?

A. It would provide an earlier warning that the attack was happening.

B. It would give more details about the attacker.

C. It would provide more complete logs than the current equipment in place.

D. It would not help because it is not an intrusion prevention system.

15. List four models that intrusion detection systems can use to detect suspect traffic.

Answers

1. C. A load-balancing device will send a request to each server in its list as a health check to ensure the application is responding.

2. B. A stateful firewall keeps track of all active connections and prevents spoofing by recognizing when a packet is not part of any current connections.

3. C. A proxy works at the application layer, while a firewall generally works at the transport and network layers.


4. A. Performing SSL inspection is important because otherwise an attacker could use the SSL channel to get threats past the firewall uninspected.

5. D. An anomaly-based NIPS will alert when network traffic deviates from a baseline of traffic established when the device is first installed.

6. B. The principle of least access is best to use when administering a firewall; you want the firewall to block as much traffic as possible, while allowing the authorized traffic through.

7. C. Promiscuous mode tells the network adapter to process all packets it receives, not just the packets for its MAC address and broadcast packets.

8. A. Simple Network Management Protocol (SNMP) provides management functions to many network devices, but SNMPv1 and SNMPv2 authenticate with a cleartext password, allowing anyone monitoring packets to capture the password and have access to the network equipment.

9. C. Content-filtering proxies are popular with corporations because they allow for the enforcement of an acceptable use policy by filtering any content the authenticated user is not allowed to see.

10. B. Spam generators do not wait for the SMTP banner and can be identified as a spammer by behaving poorly.

11. A, B, and E. Router, Firewall, and IDS are the primary logs that should be checked to determine what the attacker’s path and target were.

12. C. Since you are not sure of the attack content or if it is still ongoing, it is best to use a protocol analyzer to examine the traffic in question and determine what the specifics of the attack are and if it is still ongoing.

13. A, B, and F. Routers and firewalls are both designed to effectively filter any unwanted traffic out, and can filter any e-mail connections going out from the desktop. A spam filter can filter e-mail not only in the inbound direction, but also in the outbound direction if it is part of your outbound e-mail stream, which can be helpful in the case of a malware infection.

14. A. IDS systems are designed to recognize an attack as soon as it happens, provide warning the attack is happening, and allow a quick response to mitigate the attack.

15. The four models are behavior based, signature based, anomaly based, and heuristic.
