January 14, 2012

1.1.5 Proxies

A proxy server works by intercepting connections between sender and receiver. All incoming data enters through one port and is forwarded to the rest of the network via another port. Because there is no direct connection between the two networks, outside parties see only the proxy, which makes it much more difficult for attackers to learn internal addresses and details of the private network.

The proxy is typically situated between the clients and the Internet, and it can forward requests for many types of traffic and data transfers, such as web and FTP. An HTTP proxy intercepts web access, and an SMTP proxy intercepts email. This keeps the addresses of internal clients from being revealed to external servers and lets the proxy filter incoming and outgoing requests so that attacks and malware are stopped before they reach the client systems.

A proxy server presents a single organization-wide IP address to the Internet. The server funnels all user requests to the Internet and returns the responses to the appropriate users. In addition to restricting access from outside, this mechanism can prevent inside users from reaching specific Internet resources (e.g., certain web sites). A proxy server can also be one of the components of a firewall.

Proxies may also cache web pages. Each time an internal user requests a URL from outside, a temporary copy is stored locally. The next time an internal user requests the same URL, the proxy can serve the local copy instead of retrieving the original across the network, which improves performance.

Proxy servers:
Act as a firewall and content filter
Improve performance
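The three behaviours above (the origin sees only the proxy's address, inside users are kept off listed sites, and repeated requests are served from a local cache) in one small simulation. This is an added example, not code from the page or from any proxy product; the addresses, hostnames and the FakeOrigin that stands in for the Internet are made up.

```python
"""A forward proxy: fetches on behalf of inside clients so the origin sees only
the proxy address, blocks listed destinations, and caches responses."""
import time
from urllib.parse import urlsplit


class ForwardProxy:
    def __init__(self, proxy_ip, fetch, blocked_hosts=(), cache_ttl=300, now=time.time):
        self.proxy_ip = proxy_ip
        self.fetch = fetch            # fetch(url, source_ip) -> body; stands in for the Internet
        self.blocked = set(blocked_hosts)
        self.cache_ttl = cache_ttl    # seconds a cached copy stays valid
        self.now = now                # injectable clock so cache expiry can be tested
        self.cache = {}               # url -> (body, stored_at)
        self.log = []                 # (client_ip, url, outcome) for URL-filter auditing

    def request(self, client_ip, url):
        """Handle one client request; returns the body, or None if the site is blocked."""
        host = urlsplit(url).hostname
        if host in self.blocked:
            self.log.append((client_ip, url, "blocked"))
            return None
        cached = self.cache.get(url)
        if cached is not None and self.now() - cached[1] < self.cache_ttl:
            self.log.append((client_ip, url, "cache_hit"))
            return cached[0]
        # Only the proxy's own address goes out to the origin, never client_ip.
        body = self.fetch(url, self.proxy_ip)
        self.cache[url] = (body, self.now())
        self.log.append((client_ip, url, "fetched"))
        return body

    def outcomes(self):
        return [entry[2] for entry in self.log]


class FakeOrigin:
    """Stands in for an external web server and records the source address of every hit."""
    def __init__(self):
        self.seen_sources = []

    def __call__(self, url, source_ip):
        self.seen_sources.append(source_ip)
        return "<html>%s</html>" % url


if __name__ == "__main__":
    origin = FakeOrigin()
    proxy = ForwardProxy("203.0.113.10", origin, blocked_hosts=["games.example"])
    proxy.request("192.168.1.20", "http://news.example/front")
    proxy.request("192.168.1.21", "http://news.example/front")   # served from cache
    proxy.request("192.168.1.22", "http://games.example/play")   # blocked
    print(proxy.outcomes(), origin.seen_sources)
```

One practical caveat: a real HTTP proxy that adds an X-Forwarded-For header to the outbound request hands the origin exactly the client address this setup is meant to hide, so leave that header off a proxy deployed for address hiding.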

References:
http://kb.iu.edu/data/ahoo.html
http://www.proxyclub.org/blog/faqs
Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.4 Load Balancers

A load balancer is a network device that distributes network traffic across multiple network devices. The goal is to minimize network congestion and bottlenecks. Load balancers can spread traffic across routers, web servers or other network devices, either with round-robin techniques or with more intelligent methods that take into account, e.g., the number of current connections or the response time. This maximizes throughput, ensures the system has the capacity to handle incoming requests and allocates resources better.

A load balancer can be implemented in software or hardware. In the most common implementation, the load balancer splits the traffic intended for a website into individual requests that are rotated among redundant servers as they become available; if a server that should be available is busy or down, it is taken out of the rotation.

Load balancing allows the service to continue even in the face of server down time due to server failure or server maintenance. If you are load balancing across several servers and one of the servers fails, your service will still be available to your users, as the traffic will be diverted to the other servers in your server farm.
Load balancers are generally grouped into two categories: Layer 4 and Layer 7. Layer 4 load balancers act on data found in the network and transport layer protocols (IP, TCP, UDP). Layer 7 load balancers distribute requests based on data found in application layer protocols such as HTTP.

Some industry standard algorithms are:
Round robin
Weighted round robin
Least connections
Least response time

Layer 7 load balancers can further distribute requests based on application specific data such as HTTP headers, cookies, or data within the application message itself, such as the value of a specific parameter.
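The scheduling algorithms listed above, with unhealthy servers taken out of the rotation as the text describes, as an added example (not code from the page or from any load-balancer product). Server names, weights and connection counts are made up; "least response time" is omitted because it needs measured latencies.

```python
"""Round robin, weighted round robin and least connections over a pool of
backends, where a failed health check removes a server from the rotation."""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    weight: int = 1        # relative share for weighted round robin
    healthy: bool = True   # cleared by a failed health check
    active: int = 0        # connections currently open to this server


class LoadBalancer:
    def __init__(self, backends):
        self.backends = list(backends)
        self._turn = 0     # rotation counter shared by the round-robin variants

    def _rotation(self, weighted=False):
        # Only healthy servers are in the rotation; a weighted rotation lists
        # each server `weight` times so it receives proportionally more turns.
        pool = []
        for b in self.backends:
            if b.healthy:
                pool.extend([b] * (b.weight if weighted else 1))
        if not pool:
            raise RuntimeError("no healthy backends")
        return pool

    def round_robin(self):
        pool = self._rotation()
        b = pool[self._turn % len(pool)]
        self._turn += 1
        return b

    def weighted_round_robin(self):
        pool = self._rotation(weighted=True)
        b = pool[self._turn % len(pool)]
        self._turn += 1
        return b

    def least_connections(self):
        # Ties go to the first server listed, which keeps the choice deterministic.
        return min(self._rotation(), key=lambda b: b.active)

    def dispatch(self, algorithm):
        """Pick a server with the named algorithm, count the connection, return its name."""
        b = getattr(self, algorithm)()
        b.active += 1
        return b.name

    def release(self, name):
        """A connection closed: free a slot on that server."""
        for b in self.backends:
            if b.name == name and b.active > 0:
                b.active -= 1

    def set_health(self, name, healthy):
        """Record a health-check result; an unhealthy server leaves the rotation."""
        for b in self.backends:
            if b.name == name:
                b.healthy = healthy


if __name__ == "__main__":
    lb = LoadBalancer([Backend("web1"), Backend("web2", weight=3), Backend("web3")])
    print([lb.dispatch("weighted_round_robin") for _ in range(5)])
    lb.set_health("web2", False)                     # web2 failed its health check
    print([lb.dispatch("round_robin") for _ in range(4)])
```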

References:
http://www.f5.com/glossary/load-balancer.html
http://www.wisegeek.com/what-is-load-balancing.htm
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.3 Switches

Switches are multiport devices that improve network efficiency. They improve on hubs because of their virtual circuit capability: each pair of communicating ports gets its own path instead of sharing one medium. Switches also improve network security, because the virtual circuits are more difficult to examine with network monitors; a sniffer on one port does not see unicast frames switched between two other ports. (It still sees broadcasts, and techniques such as ARP poisoning and MAC flooding can defeat this separation, which is why port security and MAC limiting appear later in the blueprint.)

A switch is a network device used to segment a network into smaller, more manageable sections; it relays frames between the segments. Switches can be used for security, load balancing and performance improvements in a network.

A switch inspects each network frame and determines its source and destination to provide more efficient network flow and to prevent traffic from one segment from passing on to other segments and causing collisions.

Mastering the hula hoop (picture on right) requires an ability to switch the hips from one side to another in a rhythmic fashion. Now you will not forget what a switch is.

Switches map the Ethernet addresses of the nodes residing on each network segment and then allow only the necessary traffic to pass through the switch. When a frame is received by the switch, the switch examines the destination and source hardware addresses and compares them to a table of network segments and addresses. If the segments are the same, the frame is dropped ("filtered"); if the segments are different, the frame is "forwarded" to the proper segment. If the destination address is not yet in the table, or the frame is a broadcast, the switch floods it out of every port except the one it arrived on.

Switches can connect different network types (such as Ethernet and Fast Ethernet) or networks of the same type.

A network switch or switching hub is a computer networking device that connects network segments.
An Ethernet switch operates at the data link layer of the OSI model to create a separate collision domain for each switch port. With 4 computers (e.g., A, B, C, and D) on 4 switch ports, A and B can transfer data back and forth, while C and D also do so simultaneously, and the two conversations will not interfere with one another.
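The learn/forward/filter/flood logic described above in code, as an added example that is not from the page or from any switch vendor. It also models two things the description leaves out: the address table is finite, and when an attacker fills it the switch floods frames like a hub, which is what the blueprint's port security / MAC limiting guards against. MAC addresses, port numbers and table sizes are made up.

```python
"""A learning switch: learn the source MAC on the ingress port, forward to the
destination's port, filter when both share a port, flood unknown/broadcast."""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, table_size=8192, max_macs_per_port=None):
        self.ports = list(ports)
        self.table = {}                              # MAC -> port (the CAM table)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port   # None = port security off
        self.violations = []                         # (port, MAC) dropped by port security

    def _macs_on(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def receive(self, in_port, src, dst):
        """Process one frame; returns the list of egress ports (empty = dropped)."""
        if src not in self.table:
            if (self.max_macs_per_port is not None
                    and self._macs_on(in_port) >= self.max_macs_per_port):
                self.violations.append((in_port, src))
                return []                            # port security: extra MAC on port, drop
            if len(self.table) < self.table_size:
                self.table[src] = in_port            # learn where this station lives
            # else: table full, nothing learned; frames to src will keep flooding
        else:
            self.table[src] = in_port                # station may have moved ports
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood
        out = self.table[dst]
        if out == in_port:
            return []                                # same segment: filter
        return [out]                                 # known destination: forward


if __name__ == "__main__":
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    print(sw.receive(1, a, b))      # b unknown: flooded to 2, 3, 4
    print(sw.receive(2, b, a))      # a learned on port 1: forwarded to [1]
    # MAC flooding: a tiny table is filled from port 3, so a<->b traffic is flooded
    flooded = LearningSwitch(ports=[1, 2, 3], table_size=2)
    flooded.receive(3, "00:00:5e:00:53:e1", BROADCAST)
    flooded.receive(3, "00:00:5e:00:53:e2", BROADCAST)
    print(flooded.receive(1, a, b), flooded.receive(2, b, a))   # attacker on port 3 sees both
```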

A switch serves as a controller, enabling networked devices to talk to each other efficiently.
Switches create (or extend) a network. Routers connect networks.

Think of a switch as a traffic light (or traffic policeman) at a four-way intersection. The traffic light allows east-west (and west-east) traffic to move while holding back north-south (and south-north) traffic. And at an appropriate time the traffic light stops east-west (and west-east) traffic and allows north-south (and south-north) traffic to flow; analogous to how a switch operates.

References:
http://www.technick.net/public/code/cp_dpage.php?aiocp_dp=guide_networking_switching
http://en.wikipedia.org/wiki/Network_switch
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

January 08, 2012

1.1.2 Routers

A router links computers to the Internet, so users can share the connection. A router acts as a dispatcher, choosing the best path for information to travel so it's received quickly.

Switches create a network. Routers connect networks.

A router is a network device that connects several networks together and relays data between them.
A router comprises the following components: network interfaces, a routing protocol, a routing table, a router operating system, and a routing policy or set of rules.

A router is a device that forwards data packets between computer networks. Routers work by providing a path between the networks. A router is connected to two or more data lines from different networks. When a data packet comes in on one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey.

Routers perform traffic directing functions on the Internet.
Routers store information about the networks to which they're connected. Most routers can be configured to operate as packet-filtering firewalls. Many of the newer routers also provide advanced firewall functions.

Routers, in conjunction with a Channel Service Unit/Data Service Unit (CSU/DSU), are also used to translate from LAN framing to WAN framing (for example, a router that connects a 100BaseT network to a T1 network). This is needed because the link-layer protocols differ between LANs and WANs.
Routers establish communication by maintaining tables about destinations and local connections. A router contains information about the systems connected to it and where to send requests if the destination isn't known.

Routers usually exchange routing and other information using a standard routing protocol such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP).
An administrator should take a layered approach to protecting the network. The router should be only one part of that approach.

The routes themselves can be configured as static or dynamic. Static routes are edited manually and stay that way until changed. With dynamic routing, the router learns of other routers around it and uses the information they advertise to build its routing table.
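The lookup described above (a routing table of static routes, the most specific match winning, a default route, and "destination unknown" when nothing matches), plus the ingress check a router acting as a packet filter can apply: a packet whose source address would be routed back out a different interface than it arrived on is spoofed and is dropped (unicast reverse-path forwarding). This is an added example, not code from the page or from any router; the prefixes, next hops and interface names are made up.

```python
"""Longest-prefix routing lookup with a default route and a reverse-path check."""
import ipaddress


class Router:
    def __init__(self):
        self.routes = []           # (network, next_hop or None if directly connected, interface)

    def add_route(self, prefix, interface, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        """Most specific matching route, or None if the destination is unknown."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return best

    def forward(self, in_iface, src, dst, ttl, urpf=True):
        """Decide what happens to one packet; returns (action, detail)."""
        if ttl <= 1:
            return ("drop", "ttl expired")           # keeps looping packets from circulating forever
        if urpf:
            back = self.lookup(src)
            if back is None or back[2] != in_iface:
                return ("drop", "spoofed source")    # source is not reachable via the ingress interface
        route = self.lookup(dst)
        if route is None:
            return ("drop", "no route")              # a real router would send ICMP unreachable
        net, next_hop, out_iface = route
        return ("forward", {"interface": out_iface,
                            "next_hop": next_hop or dst,   # connected network: deliver directly
                            "ttl": ttl - 1})


if __name__ == "__main__":
    r = Router()
    r.add_route("10.1.0.0/16", "eth1")                         # directly connected LAN
    r.add_route("10.0.0.0/8", "eth0", next_hop="10.1.1.254")   # rest of the corporate network
    r.add_route("0.0.0.0/0", "eth2", next_hop="203.0.113.1")   # default route to the ISP
    print(r.forward("eth1", "10.1.5.7", "8.8.8.8", 64))        # out via the default route
    print(r.forward("eth2", "10.1.5.7", "10.1.5.8", 64))       # internal source from the ISP side: spoofed
```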

When two or more computers are connected together they can share resources freely. We refer to this construct as a network. You can set up multiple such networks, and each would be able to share resources only among its own set of computers: network #1 would allow sharing among its own computers, and network #2 among its own. Suppose you wanted a computer in network #1 to communicate with a computer in network #2.

You could do it in one of two ways:
  • Put all computers in network #1 and network #2 together
  • Somehow connect network #1 and #2 together in a way that allows the communication but also maintains the separate identities of the two networks.
There are good reasons to follow the 2nd option and to do that we use a router.

References:
  • http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/connect_employees_and_offices/what_is_a_network_switch/index.html
  • http://en.wikipedia.org/wiki/Router_(computing)
  • http://www.ciscorouting.com/routingbasics.html
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.1.1 Firewalls

A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass. I.e. it examines each network packet, against a set of rules, to determine whether to forward it toward its destination.

Firewalls are one of the first lines of defense in a network; they cannot, however, be considered the only such line. The basic purpose of a firewall is to isolate one network from another. There are different types of firewalls, and they can be either stand-alone systems or included in other devices such as routers or servers. You can implement a firewall in either hardware or software form, or a combination of both.
Firewalls can be positioned to monitor traffic between the internal and external networks. They can also be placed between internal networks. In any position, a firewall controls and monitors access between different networks by filtering inbound and outbound traffic.

To configure the firewall, an administrator can set up a number of rules to use each time on incoming and outgoing network communications.

Firewalls function as one or more of the following:
  • Packet filter
  • Proxy firewall
  • Stateful inspection firewall

Packet Filter Firewalls

A packet filtering firewall passes or blocks traffic to specific addresses based on the type of application. The packet filter doesn't analyze the data of a packet; it decides whether to pass it based on the packet's addressing information, i.e. source/destination IP address, protocol and port number. For instance, a packet filter may allow web traffic on port 80 and block Telnet traffic on port 23.

If a received packet request asks for a port that isn't authorized, the filter may reject the request or simply ignore it. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall.

Proxy Firewalls

Proxy firewalls operate at the application layer of the OSI model, where both ends of a connection are forced to conduct the session through the proxy.

Proxy firewalls are also known as application gateway firewalls because they can inspect application layer traffic. Proxy firewalls combine stateful inspection technology with the ability to perform deep application inspection. A proxy service must be run for each type of Internet application the firewall will support -- a Simple Mail Transfer Protocol (SMTP) proxy for e-mail, an HTTP proxy for Web services and so on.

The proxy intercepts all the packets and reprocesses them. In a proxy-based firewall, every packet is stopped at the proxy firewall. The packet is then examined and compared to the rules configured into the firewall. If the packet passes the examination, it is recreated and sent out. Because each packet is recreated, an application-proxy firewall has a greater potential to prevent unknown attacks than a packet filtering firewall. The drawback is that a separate application proxy must be written for each application type being examined.

A proxy firewall typically uses two network interface cards (NICs). One of the cards is connected to the outside network, and the other is connected to the internal network. The proxy software manages the connection between the two NICs. This setup segregates the two networks from each other and offers increased security.

The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. The proxy can also offer caching, should the same request be made again, and can increase the efficiency of data delivery.

The proxy function can occur at either the application level or the circuit level. Application-level proxy functions read the individual commands of the protocols that are being served. Circuit-level proxy creates a circuit between the client and the server and doesn't deal with the contents of the packets that are being processed.

Stateful Inspection Firewalls

Stateful inspection is also referred to as stateful packet filtering. It is a firewall that keeps track of the state of network connections traveling across it.

Stateless firewalls treat each network frame (or packet) in isolation. After a packet is passed, the packet and its path are forgotten. A drawback is that they have no memory of previous packets, which makes them vulnerable to spoofing: an attacker can craft a packet that looks like the reply to a connection the inside never opened (for example, by using a source port the rules allow for replies), and the filter has no way to tell.

In stateful inspection (or stateful packet filtering), records are kept in a state table that tracks every communications channel. A stateful firewall holds significant attributes of each connection in memory, from start to finish. This adds complexity to the process. Denial-of-Service attacks present a challenge, because flooding techniques such as a SYN flood can fill the state table; once it is full the firewall must refuse new connections, and a poorly designed one may shut down or reboot.

The stateful firewall depends on the three-way handshake of the TCP protocol when the protocol being used is TCP. UDP has no handshake, so for UDP the firewall creates a pseudo-connection entry from the addresses and ports of the first outbound datagram and keeps it alive with a timeout; replies are admitted only while that entry exists.
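The packet filter from the first subsection beside the stateful inspection from this one, as an added example (not code from the page or from any firewall product). `packet_filter` tries rules top-down on addresses, protocol and ports and denies anything unmatched (implicit deny); to let web replies back in, a stateless rule set has to open source port 80 from any outside host, and the spoofed packet below walks straight through that hole. `StatefulFirewall` needs only the outbound rule: a TCP flow must begin with a SYN that a rule permits, replies are admitted only while the flow is in the state table, UDP gets a pseudo-connection entry, and the table is capped so a flood of new connections is refused rather than crashing the device. Addresses, ports and rules are made up.

```python
"""Stateless packet filtering with implicit deny, and stateful inspection on top of it."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto syn ack")
Rule = namedtuple("Rule", "action src dst proto sport dport")   # "*" matches anything

INSIDE = "192.168.1.10"

# Stateless rule set: the second rule is the hole, since the filter cannot know
# whether a packet from source port 80 is really a reply.
STATELESS_RULES = [
    Rule("allow", INSIDE, "*", "tcp", "*", 80),   # inside -> any web server
    Rule("allow", "*", INSIDE, "tcp", 80, "*"),   # "replies" from any web server
]
# Stateful rule set: only the outbound direction is written down.
STATEFUL_RULES = [
    Rule("allow", INSIDE, "*", "tcp", "*", 80),
    Rule("allow", INSIDE, "*", "udp", "*", 53),
]


def _matches(rule, pkt):
    pairs = [(rule.src, pkt.src), (rule.dst, pkt.dst), (rule.proto, pkt.proto),
             (rule.sport, pkt.sport), (rule.dport, pkt.dport)]
    return all(want == "*" or want == have for want, have in pairs)


def packet_filter(rules, pkt):
    """Stateless: the first matching rule decides; no match means implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    def __init__(self, rules, max_states=10000):
        self.rules = rules
        self.max_states = max_states
        self.states = {}    # (src, sport, dst, dport, proto) -> connection state

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.states:
            return "allow"                           # more traffic on a known flow
        if reverse in self.states:
            if pkt.proto == "tcp" and pkt.syn and pkt.ack:
                self.states[reverse] = "ESTABLISHED" # SYN/ACK completes the handshake
            return "allow"                           # reply to a flow the inside opened
        # A new flow: TCP must start with a bare SYN; anything claiming to be
        # mid-connection without a table entry is spoofed or stray.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"
        if packet_filter(self.rules, pkt) != "allow":
            return "deny"
        if len(self.states) >= self.max_states:
            return "deny"                            # table full: refuse new flows, never fail open
        self.states[key] = "SYN_SENT" if pkt.proto == "tcp" else "UDP"
        return "allow"


if __name__ == "__main__":
    spoof = Packet("203.0.113.9", 80, INSIDE, 4444, "tcp", True, False)
    print("stateless:", packet_filter(STATELESS_RULES, spoof))   # allow (the hole)
    print("stateful: ", StatefulFirewall(STATEFUL_RULES).inspect(spoof))   # deny
```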

References:

1.1 Explain the security function and purpose of network devices and technologies

  • Firewalls 
  • Routers 
  • Switches 
  • Load Balancers 
  • Proxies 
  • Web security gateways 
  • VPN concentrators 
  • NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic) 
  • Protocol analyzers 
  • Sniffers 
  • Spam filter, all-in-one security appliances 
  • Web application firewall vs. network firewall 
  • URL filtering, content inspection, malware inspection 

Security+ SY0-301 Blueprint & Table Of Content

SY0-301 Certification Exam

1.0 Network Security

1.1 Explain the security function and purpose of network devices and technologies

. Firewalls
. Routers
. Switches
. Load Balancers
. Proxies
. Web security gateways
. VPN concentrators
. NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic)
. Protocol analyzers
. Sniffers
. Spam filter, all-in-one security appliances
. Web application firewall vs. network firewall
. URL filtering, content inspection, malware inspection

1.2 Apply and implement secure network administration principles
. Rule-based management
. Firewall rules
. VLAN management
. Secure router configuration
. Access control lists
. Port Security
. 802.1x
. Flood guards
. Loop protection
. Implicit deny
. Prevent network bridging by network separation
. Log analysis

1.3 Distinguish and differentiate network design elements and compounds
. DMZ
. Subnetting
. VLAN
. NAT
. Remote Access
. Telephony
. NAC
. Virtualization
. Cloud Computing
  • Platform as a Service
  • Software as a Service
  • Infrastructure as a Service


1.4 Implement and use common protocols
. IPSec
. SNMP
. SSH
. DNS
. TLS
. SSL
. TCP/IP
. FTPS
. HTTPS
. SFTP
. SCP
. ICMP
. IPv4 vs. IPv6

1.5 Identify commonly used default network ports
. FTP
. SFTP
. FTPS
. TFTP
. TELNET
. HTTP
. HTTPS
. SCP
. SSH
. NetBIOS

1.6 Implement wireless network in a secure manner
. WPA
. WPA2
. WEP
. EAP
. PEAP
. LEAP
. MAC filter
. SSID broadcast
. TKIP
. CCMP
. Antenna Placement
. Power level controls

2.0 Compliance and Operational Security

2.1 Explain risk related concepts
. Control types

  • Technical
  • Management
  • Operational

. False positives
. Importance of policies in reducing risk

  • Privacy policy
  • Acceptable use
  • Security policy
  • Mandatory vacations
  • Job rotation
  • Separation of duties
  • Least privilege

. Risk calculation

  • Likelihood
  • ALE
  • Impact

. Quantitative vs. qualitative
. Risk-avoidance, transference, acceptance, mitigation, deterrence
. Risks associated to Cloud Computing and Virtualization

2.2 Carry out appropriate risk mitigation strategies
. Implement security controls based on risk
. Change management
. Incident management
. User rights and permissions reviews
. Perform routine audits
. Implement policies and procedures to prevent data loss or theft

2.3 Execute appropriate incident response procedures
. Basic forensic procedures

  • Order of volatility
  • Capture system image
  • Network traffic and logs
  • Capture video
  • Record time offset
  • Take hashes
  • Screenshots
  • Witnesses
  • Track man hours and expense

. Damage and loss control
. Chain of custody
. Incident response: first responder

2.4 Explain the importance of security related awareness and training
. Security policy training and procedures
. Personally identifiable information
. Information classification: Sensitivity of data (hard or soft)
. Data labeling, handling and disposal
. Compliance with laws, best practices and standards
. User habits

  • Password behaviors
  • Data handling
  • Clean desk policies
  • Prevent tailgating
  • Personally owned devices

. Threat awareness

  • New viruses
  • Phishing attacks
  • Zero days exploits

. Use of social networking and P2P

2.5 Compare and contrast aspects of business continuity
. Business impact analysis
. Removing single points of failure
. Business continuity planning and testing
. Continuity of operations
. Disaster recovery
. IT contingency planning
. Succession planning

2.6 Explain the impact and proper use of environmental controls
. HVAC
. Fire suppression
. EMI shielding
. Hot and cold aisles
. Environmental monitoring
. Temperature and humidity controls
. Video monitoring

2.7 Execute disaster recovery plans and procedures
. Backup / backout contingency plans or policies
. Backups, execution and frequency
. Redundancy and fault tolerance

  • Hardware
  • RAID
  • Clustering
  • Load balancing
  • Servers

. High availability
. Cold site, hot site, warm site
. Mean time to restore, mean time between failures, recovery time objectives and recovery point objectives

2.8 Exemplify the concepts of confidentiality, integrity and availability (CIA)

3.0 Threats and Vulnerabilities

3.1 Analyze and differentiate among types of malware
. Adware
. Virus
. Worms
. Spyware
. Trojan
. Rootkits
. Backdoors
. Logic bomb
. Botnets

3.2 Analyze and differentiate among types of attacks
. Man-in-the-middle
. DDoS
. DoS
. Replay
. Smurf attack
. Spoofing
. Spam
. Phishing
. Spim
. Vishing
. Spear phishing
. Xmas attack
. Pharming
. Privilege escalation
. Malicious insider threat
. DNS poisoning and ARP poisoning
. Transitive access
. Client-side attacks

3.3 Analyze and differentiate among types of social engineering attacks
. Shoulder surfing
. Dumpster diving
. Tailgating
. Impersonation
. Hoaxes
. Whaling
. Vishing

3.4 Analyze and differentiate among types of wireless attacks
. Rogue access points
. Interference
. Evil twin
. War driving
. Bluejacking
. Bluesnarfing
. War chalking
. IV attack
. Packet sniffing

3.5 Analyze and differentiate among types of application attacks
. Cross-site scripting
. SQL injection
. LDAP injection
. XML injection
. Directory traversal/command injection
. Buffer overflow
. Zero day
. Cookies and attachments
. Malicious add-ons
. Session hijacking
. Header manipulation

3.6 Analyze and differentiate among types of mitigation and deterrent techniques
. Manual bypassing of electronic controls

  • Failsafe/secure vs. failopen

. Monitoring system logs

  • Event logs
  • Audit logs
  • Security logs
  • Access logs

. Physical security

  • Hardware locks
  • Mantraps
  • Video surveillance
  • Fencing
  • Proximity readers
  • Access list

. Hardening

  • Disabling unnecessary services
  • Protecting management interfaces and applications
  • Password protection
  • Disabling unnecessary accounts

. Port security

  • MAC limiting and filtering
  • 802.1x
  • Disabling unused ports

. Security posture

  • Initial baseline configuration
  • Continuous security monitoring
  • Remediation

. Reporting

  • Alarms
  • Alerts
  • Trends

. Detection controls vs. prevention controls

  • IDS vs. IPS
  • Camera vs. guard


3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities
. Vulnerability scanning and interpret results
. Tools
o Protocol analyzer
o Sniffer
o Vulnerability scanner
o Honeypots
o Honeynets
o Port scanner

. Risk calculations
o Threat vs. likelihood

. Assessment types
o Risk
o Threat
o Vulnerability

. Assessment technique
o Baseline reporting
o Code review
o Determine attack surface
o Architecture
o Design reviews

3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
. Penetration testing
o Verify a threat exists
o Bypass security controls
o Actively test security controls
o Exploiting vulnerabilities

. Vulnerability scanning
o Passively testing security controls
o Identify vulnerability
o Identify lack of security controls
o Identify common misconfiguration
. Black box
. White box
. Gray box

4.0 Application, Data and Host Security

4.1 Explain the importance of application security
. Fuzzing
. Secure coding concepts
o Error and exception handling
o Input validation
. Cross-site scripting prevention
. Cross-site Request Forgery (XSRF) prevention
. Application configuration baseline (proper settings)
. Application hardening
. Application patch management

4.2 Carry out appropriate procedures to establish host security
. Operating system security and settings
. Anti-malware
o Anti-virus
o Anti-spam
o Anti-spyware
o Pop-up blockers
o Host-based firewalls
. Patch management
. Hardware security
o Cable locks
o Safe
o Locking cabinets
. Host software baselining
. Mobile devices
o Screen lock
o Strong password
o Device encryption
o Remote wipe/sanitation
o Voice encryption
o GPS tracking
. Virtualization

4.3 Explain the importance of data security
. Data Loss Prevention (DLP)
. Data encryption

o Full disk
o Database
o Individual files
o Removable media
o Mobile devices
. Hardware based encryption devices

o TPM
o HSM
o USB encryption
o Hard drive
. Cloud computing

5.0 Access Control and Identity Management

5.1 Explain the function and purpose of authentication services
. RADIUS
. TACACS
. TACACS+
. Kerberos
. LDAP
. XTACACS

5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control
. Identification vs. authentication
. Authentication (single factor) and authorization
. Multifactor authentication
. Biometrics
. Tokens
. Common access card
. Personal identification verification card
. Smart card
. Least privilege
. Separation of duties
. Single sign on
. ACLs
. Access control
. Mandatory access control
. Discretionary access control
. Role/rule-based access control
. Implicit deny
. Time of day restrictions
. Trusted OS
. Mandatory vacations
. Job rotation

5.3 Implement appropriate security controls when performing account management
. Mitigates issues associated with users with multiple account/roles
. Account policy enforcement
o Password complexity
o Expiration
o Recovery
o Length
o Disablement
o Lockout
. Group based privileges
. User assigned privileges

6.0 Cryptography

6.1 Summarize general cryptography concepts
. Symmetric vs. asymmetric
. Fundamental differences and encryption methods
o Block vs. stream

. Transport encryption
. Non-repudiation
. Hashing
. Key escrow
. Steganography
. Digital signatures
. Use of proven technologies
. Elliptic curve and quantum cryptography

6.2 Use and apply appropriate cryptographic tools and products
. WEP vs. WPA/WPA2 and preshared key
. MD5
. SHA
. RIPEMD
. AES
. DES
. 3DES
. HMAC
. RSA
. RC4
. One-time-pads
. CHAP
. PAP
. NTLM
. NTLMv2
. Blowfish
. PGP/GPG
. Whole disk encryption
. TwoFish
. Comparative strengths of algorithms
. Use of algorithms with transport encryption

o SSL
o TLS
o IPSec
o SSH
o HTTPS

6.3 Explain the core concepts of public key infrastructure
. Certificate authorities and digital certificates
o CA
o CRLs
. PKI
. Recovery agent
. Public key
. Private key
. Registration
. Key escrow
. Trust models

6.4 Implement PKI, certificate management and associated components
. Certificate authorities and digital certificates
o CA
o CRLs
. PKI
. Recovery agent
. Public key
. Private keys
. Registration
. Key escrow
. Trust models