January 19, 2012

1.3.2 Subnetting

Subnetting

Subnetting is how networks are divided. RFCs 1466 and 1918 detail subnetting and can be found at http://www.faqs.org/rfcs/.

The practice of dividing a single network into two or more networks is called subnetting and the networks created are called subnetworks or subnets.

This results in the logical division of an IP address into two fields, a network or routing prefix and the host identifier.

The routing prefix is expressed in CIDR notation. It is written as the first address of a network, followed by a slash character (/), followed by the bit-length of the prefix. For example, 192.168.1.0/24 is the prefix of the IPv4 network starting at the given address, having 24 bits allocated for the routing prefix, and the remaining 8 bits reserved for host addressing.

In IPv4 the routing prefix can also be specified in the form of the subnet mask, expressed in quad-dotted decimal representation, e.g. 255.255.255.0 is the network mask for the 192.168.1.0/24 prefix.

If definitions are helpful to you, use these vocabulary terms to get you started:
  • Address—The unique number ID assigned to one host or interface in a network.
  • Subnet—A portion of a network sharing a particular subnet address.
  • Subnet mask—A 32-bit combination used to describe which portion of an address refers to the subnet and which part refers to the host.
  • Interface—A network connection.
The smallest subnet that has no more subdivisions within it is considered a single "broadcast domain," which directly correlates to a single LAN (local area network) segment on an Ethernet switch.

Subnets have a beginning and an ending, and the beginning number of a specific subnet is always even (192.168.10.0) and the ending number is always odd (192.168.10.255). The beginning number is the "Network ID" and the ending number is the "Broadcast ID".

Subnetting an IP Network can be done for a variety of reasons, including traffic segmentation, organization, preservation of address space, and security. In an Ethernet network, all nodes on a segment see all the packets transmitted by all the other nodes on that segment. Performance can be adversely affected under heavy traffic loads, due to collisions and the resulting retransmissions.

The subnet mask plays a crucial role in defining the size of a subnet, limiting broadcast traffic to within the subnet and hiding network details from external users.

Subnetting for IPv4 was originally defined to make better use of the host bits for Class A and Class B IPv4 public address prefixes.
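As an added worked example (my code, not part of the original notes or any cited source), the prefix and mask arithmetic above in Python: it derives the subnet mask, network ID and broadcast ID from a CIDR prefix, tests whether an address belongs to the subnet, and splits a network into equal subnets. The Subnet class and the helper names are my own.

```python
from dataclasses import dataclass
from typing import List

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(addr: str) -> int:
    """'192.168.1.0' -> 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


@dataclass(frozen=True)
class Subnet:
    network: int      # network ID as an integer, host bits already zero
    prefix_len: int   # number of routing-prefix bits

    @classmethod
    def parse(cls, cidr: str) -> "Subnet":
        """Accept '192.168.1.37/24' and normalise it to its network, 192.168.1.0/24."""
        addr, sep, bits = cidr.partition("/")
        if sep != "/" or not bits.isdigit() or not 0 <= int(bits) <= 32:
            raise ValueError(f"bad CIDR prefix: {cidr!r}")
        prefix_len = int(bits)
        return cls(dotted_to_int(addr) & cls.mask_int(prefix_len), prefix_len)

    @staticmethod
    def mask_int(prefix_len: int) -> int:
        # prefix_len one-bits followed by (32 - prefix_len) zero-bits
        return (ALL_ONES << (32 - prefix_len)) & ALL_ONES

    @property
    def mask(self) -> str:
        """Quad-dotted subnet mask, e.g. 255.255.255.0 for a /24."""
        return int_to_dotted(self.mask_int(self.prefix_len))

    @property
    def network_id(self) -> str:
        return int_to_dotted(self.network)

    @property
    def broadcast_id(self) -> str:
        # broadcast ID = network ID with every host bit set to one
        return int_to_dotted(self.network | (ALL_ONES >> self.prefix_len))

    @property
    def usable_hosts(self) -> int:
        size = 1 << (32 - self.prefix_len)
        # Network and broadcast addresses are not assignable on /30 and shorter
        # prefixes; /31 point-to-point links (RFC 3021) and /32 use every address.
        return size - 2 if self.prefix_len <= 30 else size

    def contains(self, addr: str) -> bool:
        """True when addr has the same routing prefix as this subnet."""
        return (dotted_to_int(addr) & self.mask_int(self.prefix_len)) == self.network

    def split(self, new_prefix_len: int) -> List["Subnet"]:
        """Subnet this network into equal pieces with the longer prefix."""
        if not self.prefix_len < new_prefix_len <= 32:
            raise ValueError("new prefix must be longer than the current one")
        step = 1 << (32 - new_prefix_len)            # addresses per new subnet
        count = 1 << (new_prefix_len - self.prefix_len)
        return [Subnet(self.network + i * step, new_prefix_len) for i in range(count)]

    def __str__(self) -> str:
        return f"{self.network_id}/{self.prefix_len}"
```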

References:
  • http://en.wikipedia.org/wiki/Subnetwork
  • http://www.techrepublic.com/article/ip-subnetting-made-easy/6089187
  • http://technet.microsoft.com/en-us/library/bb726997.aspx
  • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800a67f5.shtml
  • http://www.ralphb.net/IPSubnet/subnet.html
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.1 DMZ

DMZ

In military terms, a demilitarized zone (DMZ) is an area, usually the frontier or boundary between two or more military powers (or alliances), where military activity is not permitted, usually by peace treaty, armistice, or other bilateral or multilateral agreement.

By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization.

In computer security, a DMZ (or perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Hosts in the DMZ provide services such as e-mail, web and Domain Name System (DNS) servers to users outside of the local area network. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network and an intervening firewall controls the traffic between the DMZ servers and the internal network clients.

A single firewall can be used to create a network architecture containing a DMZ. However, a more secure approach uses two firewalls to create a DMZ. The first firewall is configured to allow only traffic destined for the DMZ. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network.

This setup is considered more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities.

A DMZ is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network.
A host that exists outside the DMZ and is open to the public is often called a bastion host.

References:

  • http://en.wikipedia.org/wiki/DMZ_(computing)
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney


1.3 Distinguish and differentiate network design elements and compounds

Distinguish and Differentiate Network Design Elements and Compounds

  • DMZ
  • Subnetting
  • VLAN
  • NAT
  • Remote Access
  • Telephony
  • NAC
  • Virtualization
  • Cloud Computing
    • Platform as a Service
    • Software as a Service
    • Infrastructure as a Service

January 18, 2012

1.2.12 Log analysis

Log analysis is crucial to identifying problems that occur related to security. As an administrator, you have the ability to turn on logging at many different locations and levels. The next step is to properly analyze what has been collected.

Not only do you need to collect and analyze the logs, but you also need to store them for a time in the future when you want to compare what is happening now to then (baselining). They should be stored in a format that you can quickly access and understand without having to convert them to a document each time you want to look at them. As much as possible, automate the collection and archiving of log files.

Log files can be analyzed either in real time or historically (after an event). Real-time analysis allows the administrator to be alerted of an event as quickly as possible. Historical analysis is an aid for post-mortem analysis of an event.
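An added example, not part of the original notes: a Python script over a few constructed sshd log lines that shows the two modes described above, a streaming (real-time) alert on repeated failed logins and a historical tally compared against a stored baseline. The log lines, the BASELINE table and the thresholds are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed syslog-style sshd lines (not real data), in arrival order.
SAMPLE_LOG = [
    "Jan 18 09:01:12 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "Jan 18 09:01:15 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2",
    "Jan 18 09:01:19 bastion sshd[2203]: Failed password for root from 198.51.100.23 port 51251 ssh2",
    "Jan 18 09:02:40 bastion sshd[2210]: Accepted publickey for alice from 10.0.5.14 port 40122 ssh2",
    "Jan 18 09:03:02 bastion sshd[2215]: Failed password for bob from 10.0.5.20 port 40510 ssh2",
    "Jan 18 09:03:09 bastion sshd[2215]: Accepted password for bob from 10.0.5.20 port 40510 ssh2",
]

# Constructed baseline: failed logins per source recorded in an earlier, quiet period.
BASELINE: Dict[str, int] = {"10.0.5.20": 1}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(lines: Iterable[str]) -> Counter:
    """Historical pass: tally failed logins per source address over a whole log."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m["src"]] += 1
    return counts


def realtime_alerts(lines: Iterable[str], threshold: int) -> List[Tuple[int, str]]:
    """Streaming pass: raise an alert the moment a source reaches `threshold`.

    Returns (line_number, source) pairs so each alert can be tied back to the
    line that triggered it; later failures from the same source do not re-alert.
    """
    seen: Counter = Counter()
    alerts: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        m = FAILED_RE.search(line)
        if not m:
            continue
        seen[m["src"]] += 1
        if seen[m["src"]] == threshold:
            alerts.append((number, m["src"]))
    return alerts


def deviations_from_baseline(current: Counter, baseline: Dict[str, int],
                             factor: int = 3, floor: int = 2) -> List[Tuple[str, int, int]]:
    """Compare this period with the stored baseline.

    A source is flagged when its count is at least `floor` and at least `factor`
    times its baseline; a source absent from the baseline counts as 0, so any
    count reaching `floor` is flagged. Returns (source, current, baseline).
    """
    flagged = []
    for src, count in sorted(current.items()):
        base = baseline.get(src, 0)
        if count >= floor and count >= factor * base:
            flagged.append((src, count, base))
    return flagged
```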

References:
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.2.11 Prevent Network Bridging by Network Separation

Network bridging occurs when a device has more than one network adapter card installed, giving a user on one of the networks the device is attached to the opportunity to jump to the other.

When a server has multiple network interface cards (NICs), it is referred to as a multihomed host.

To prevent network bridging, you can configure your network such that when bridging is detected, you shut off/disable that jack. You can also create profiles that allow for only one interface.

References:
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.2.10 Implicit Deny

Implicit deny refers to the security principle of starting a user out with no access rights and granting permissions to resources as required. It requires that all access is denied by default and access permissions are granted to specific resources only when required.

An implicit deny clause is implied at the end of each ACL, and it means that if the proviso in question has not been explicitly granted, then it is denied.

References:
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

January 17, 2012

1.2.9 Loop Protection

Similar to flood guards, loop protection is a feature that works in layer 2 switching configurations and is intended to prevent broadcast or network loops which occur when there is more than one network path between two network hosts.

The Spanning Tree Protocol (STP) is an example of a loop protection method. Its goal is to ensure loop-free bridged Ethernet LANs. It operates at the data link layer and makes sure there is only one active path between two stations.

References:

  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney


1.2.8 Flood Guards

A flood guard is a protection feature built into many firewalls that allows the administrator to tweak the tolerance for unanswered login attacks.

It tracks network traffic to identify scenarios that will overwhelm our network through conditions such as SYN, ping, port floods, etc. By reducing this tolerance, it is possible to reduce the likelihood of a successful DoS attack. If a resource—inbound or outbound—appears to be overused, then the flood guard kicks in.

References:

  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.7 802.1X

To understand the IEEE 802.1X standard, it helps to discuss three separate concepts: PPP, EAP and 802.1X itself.

PPP (Point-to-Point Protocol) is most commonly used for dial-up Internet access.

PPP defines an authentication mechanism to authenticate the user at the other end of the PPP line. As security requirements became more sophisticated, organizations needed more than simple username and password authentication. A new authentication protocol, called the Extensible Authentication Protocol (EAP), was designed. EAP sits inside of PPP's authentication protocol and provides a generalized framework for several different authentication methods. EAP is supposed to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates all work smoothly.

The IEEE 802.1X standard is a standard for passing EAP over a wired or wireless LAN. It defines port-based security for wireless network access control. With 802.1X, you package EAP messages in Ethernet frames without the overhead of PPP. It offers a means of authentication and defines the Extensible Authentication Protocol (EAP) over IEEE 802 and is often known as EAP over LAN (EAPOL).

The biggest benefit of using 802.1X is that the access points and the switches do not need to do the authentication but instead rely on the authentication server to do the actual work.

802.1X involves three parties:

  1. Supplicant - the user or client device, such as a laptop, that wants to be authenticated.
  2. Authentication server - the actual server doing the authentication, e.g. a RADIUS server.
  3. Authenticator - the device in between, such as a wireless access point.

One of the key points of 802.1X is that the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. This makes 802.1X ideal for wireless access points, which are typically small and have little memory and processing power.
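The three-party exchange as an added Python model (my code, not from the original notes or from any standard's reference implementation): the supplicant and a RADIUS-style server run an EAP-MD5 style challenge, while the authenticator only relays EAP inside EAPOL and RADIUS and flips its port state on the server's verdict, which is the "dumb authenticator" point made above. Class names, the transcript strings and the choice of EAP-MD5 are mine, made for brevity; frames and RADIUS attributes are modelled as objects rather than encoded byte for byte.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Code points from the standards: EAPOL packet types, EAP codes and method types,
# RADIUS packet codes. Only the values used by this model are listed.
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5_CHALLENGE = 1, 4
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
RADIUS_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
                ACCESS_CHALLENGE: "Access-Challenge"}
EAP_NAMES = {EAP_REQUEST: "EAP-Request", EAP_SUCCESS: "EAP-Success", EAP_FAILURE: "EAP-Failure"}


@dataclass
class Eap:
    code: int
    ident: int          # ties a Response to the Request it answers
    eap_type: int = 0   # method type, present only in Request/Response
    data: bytes = b""


def md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 value, CHAP style: MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Supplicant:
    """The client that wants onto the port; it holds only its own credential."""
    def __init__(self, identity: str, password: str):
        self.identity, self.secret = identity, password.encode()

    def handle(self, req: Eap) -> Eap:
        if req.eap_type == EAP_IDENTITY:
            return Eap(EAP_RESPONSE, req.ident, EAP_IDENTITY, self.identity.encode())
        if req.eap_type == EAP_MD5_CHALLENGE:
            return Eap(EAP_RESPONSE, req.ident, EAP_MD5_CHALLENGE,
                       md5_response(req.ident, self.secret, req.data))
        raise ValueError("unsupported EAP method")


class AuthServer:
    """RADIUS-style server: the only party that knows the user credentials."""
    def __init__(self, users: Dict[str, str]):
        self.users = {u: p.encode() for u, p in users.items()}
        self.pending: Dict[str, Tuple[int, bytes]] = {}   # user -> (ident, challenge)

    def handle(self, user: str, resp: Eap) -> Tuple[int, Eap]:
        if resp.eap_type == EAP_IDENTITY:
            # Challenge unknown users too, so the reply does not reveal valid names.
            ident, challenge = resp.ident + 1, os.urandom(16)
            self.pending[user] = (ident, challenge)
            return ACCESS_CHALLENGE, Eap(EAP_REQUEST, ident, EAP_MD5_CHALLENGE, challenge)
        ident, challenge = self.pending.pop(user, (-1, b""))
        ok = user in self.users and ident == resp.ident and hmac.compare_digest(
            md5_response(ident, self.users[user], challenge), resp.data)
        if ok:
            return ACCESS_ACCEPT, Eap(EAP_SUCCESS, resp.ident)
        return ACCESS_REJECT, Eap(EAP_FAILURE, resp.ident)


class Authenticator:
    """Switch or access point: relays EAP and flips the port state; holds no secrets."""
    def __init__(self, supplicant: Supplicant, server: AuthServer):
        self.supplicant, self.server = supplicant, server
        self.port_authorized = False
        self.user = ""
        self.transcript: List[str] = []

    def receive_eapol(self, ptype: int, eap: Optional[Eap] = None) -> None:
        if ptype == EAPOL_START:
            self.transcript.append("supplicant -> authenticator: EAPOL-Start")
            self.send_to_supplicant(Eap(EAP_REQUEST, 1, EAP_IDENTITY))
            return
        if eap is None or eap.code != EAP_RESPONSE:
            return                      # nothing else is accepted on an unauthorized port
        if eap.eap_type == EAP_IDENTITY:
            self.user = eap.data.decode()
        self.transcript.append(f"supplicant -> authenticator: EAPOL EAP-Response type {eap.eap_type}")
        # The method is opaque here: the EAP message is wrapped in a RADIUS Access-Request
        # (User-Name + EAP-Message) and the server's verdict decides the port state.
        self.transcript.append(f"authenticator -> server: Access-Request for {self.user!r}")
        code, reply = self.server.handle(self.user, eap)
        self.transcript.append(f"server -> authenticator: {RADIUS_NAMES[code]}")
        self.port_authorized = code == ACCESS_ACCEPT
        self.send_to_supplicant(reply)

    def send_to_supplicant(self, eap: Eap) -> None:
        self.transcript.append(f"authenticator -> supplicant: EAPOL {EAP_NAMES[eap.code]}")
        if eap.code == EAP_REQUEST:     # Success/Failure end the conversation
            self.receive_eapol(EAPOL_EAP_PACKET, self.supplicant.handle(eap))


def authenticate(identity: str, password: str, server: AuthServer) -> Authenticator:
    """Run one full exchange and return the authenticator with its final port state."""
    auth = Authenticator(Supplicant(identity, password), server)
    auth.receive_eapol(EAPOL_START)
    return auth
```

EAP-MD5 appears here only because it fits in a few lines; it derives no session keys, so it is not a method to deploy for wireless access.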

References:

  • http://www.networkworld.com/news/2010/0506whatisit.html
  • http://en.wikipedia.org/wiki/IEEE_802.1X
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.6 Port Security

Port security works at layer 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port.

MAC Limiting and Filtering limit access to the network to MAC addresses that are known, and filter out those that are not.

MAC filtering is not foolproof, and a quick look in a search engine will turn up tools that can be used to change the MAC address and help miscreants circumvent this control.

Disable Unused Ports. All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.

References:

  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.5 Access Control Lists

Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them certain network capabilities. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.

Within ACLs, there exists a condition known as implicit deny. An implicit deny clause is implied at the end of each ACL and it means that if the proviso in question has not been explicitly granted, then it is denied. The entity being denied because it does not appear on the list can be a source address, a destination address, a packet type, or almost anything else you want to deny access to.

Firewall rules act like ACLs and are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule's criteria:

  • Block the connection.
  • Allow the connection.
  • Allow the connection only if it is secured.

The rules can be applied to inbound traffic or outbound traffic and any type of network (LAN, wireless, remote access). On a regular basis, you should audit the firewall rules and verify that you are obtaining the results you wish and make any modifications needed.

ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists.

An access list entry that is contained inside the ACL usually includes the origin of the network packet, the destination, the protocol used, the TCP/IP port used and whether access is permitted or denied.

References:

  • http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html
  • http://en.wikipedia.org/wiki/Access_control_list
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.4 Secure Router Configuration

One of the most important things you can do to secure your network is make sure you secure the router. To securely configure the router, you must do the following:

  • Validate a network design before implementation. Document your environment.
  • Change the Default Password. The password for the administrator is set before the router leaves the factory. Employ good password principles and change it to a value that only you know.
  • Walk through the Advanced Settings. These settings will differ based on the router manufacturer and type but often include settings to block ping requests, perform MAC filtering, and so on.
  • Keep the Firmware Upgraded. Router manufacturers often issue patches when problems are discovered. 

Always remember to back up your router configuration before making any significant changes. When transferring a configuration, always use a secure method where available. Transfer protocols include: TFTP (cleartext), SCP (encrypted) and HTTPS (encrypted).

Physically secure your router. Additionally, all router ports, both console ports and inbound ports, should be secured.

Router configuration changes should be done from the console and not a remote location.

References:

  • Security+ Guide to Network Security Fundamentals, Fourth Edition
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.3 VLAN Management

A virtual LAN (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached to the same wire, regardless of their physical location. A VLAN allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access.

A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same LAN segment. Network reconfiguration can be done through software instead of physically relocating devices.

VLANs address issues such as scalability, security, and network management.

A VLAN is a good way to contain network traffic to a certain segment of the network.

On a LAN, hosts can communicate with each other through broadcasts, and no forwarding devices, such as routers, are needed. As the LAN grows, so too does the amount of chatter. Shrinking the size of the LAN by segmenting it into smaller groups (VLANs) reduces the size of the broadcast domain (and the amount of chatter). The advantages of doing this include reducing the scope of the broadcasts, improving security, performance and manageability, and decreasing dependence on the physical topology. VLANs allow users with similar data sensitivity levels to be segmented together.

A VLAN is a logical subdivision of a Layer 2 network that makes a single Layer 2 infrastructure operate as though it were multiple, separate Layer 2 networks. This is accomplished by adding a numeric tag field to each data packet as it leaves a Layer 2 switch which identifies the VLAN number to which the packet belongs. Other VLAN-enabled switches honor the VLAN numbering scheme to segregate the network into logical, virtual networks.

It is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs.

The protocol used in configuring virtual LANs is IEEE 802.1Q.

With port-based VLAN membership, the port is assigned to a specific VLAN independent of the user or system attached to the port. This means all users attached to the port should be members in the same VLAN.

In a protocol-based VLAN-enabled switch, traffic is forwarded through ports based on protocol.
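An added Python example (my code, not from the original notes or from the connect802.com reference): encoding and decoding the 802.1Q tag that sits between the source MAC and the EtherType, plus a small port-based switch model that classifies untagged frames by ingress port and floods them only to ports in the same VLAN, tagging on trunk ports and untagging on access ports. The port names, the PORTS table and the sample frames are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None  # None = untagged frame
    pcp: int = 0               # 802.1p priority, top 3 bits of the TCI


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet II frame, pulling out the 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, inner_type, raw[18:], vid=tci & 0x0FFF, pcp=tci >> 13)


def build_frame(f: Frame) -> bytes:
    """Encode a Frame, inserting the 4-byte tag between source MAC and EtherType."""
    hdr = f.dst + f.src
    if f.vid is not None:
        if not 1 <= f.vid <= 4094:      # VID 0 (priority-only) and 4095 are reserved
            raise ValueError(f"VLAN ID {f.vid} cannot identify a VLAN")
        hdr += struct.pack("!HH", TPID_8021Q, (f.pcp << 13) | f.vid)
    return hdr + struct.pack("!H", f.ethertype) + f.payload


@dataclass
class Port:
    mode: str                                  # "access" (one untagged VLAN) or "trunk"
    vlan: int = 1                              # access VLAN for port-based membership
    allowed: Set[int] = field(default_factory=set)   # trunk: VLANs carried tagged


def forward(raw: bytes, ingress: str, ports: Dict[str, Port]) -> Dict[str, bytes]:
    """Flood a frame to every other port in its VLAN, tagging or untagging per port.

    Returns the bytes each egress port would emit; a dropped frame gives {}.
    """
    frame = parse_frame(raw)
    port = ports[ingress]
    if port.mode == "access":
        if frame.vid is not None:              # tagged frame on an access port: drop
            return {}
        vid = port.vlan                        # membership decided by the ingress port
    else:
        if frame.vid is None or frame.vid not in port.allowed:
            return {}                          # untagged or disallowed VLAN on a trunk
        vid = frame.vid
    out: Dict[str, bytes] = {}
    for name, p in ports.items():
        if name == ingress:
            continue
        if p.mode == "access" and p.vlan == vid:
            out[name] = build_frame(Frame(frame.dst, frame.src, frame.ethertype, frame.payload))
        elif p.mode == "trunk" and vid in p.allowed:
            out[name] = build_frame(Frame(frame.dst, frame.src, frame.ethertype,
                                          frame.payload, vid=vid, pcp=frame.pcp))
    return out


# Constructed switch: three access ports in two VLANs and one trunk uplink.
PORTS = {
    "Gi1/0/1": Port("access", vlan=10),
    "Gi1/0/2": Port("access", vlan=10),
    "Gi1/0/3": Port("access", vlan=20),
    "Gi1/0/24": Port("trunk", allowed={10, 20}),
}
BROADCAST = b"\xff" * 6
# Constructed untagged broadcast (ARP EtherType, zero-filled minimum payload).
SAMPLE_UNTAGGED = build_frame(Frame(BROADCAST, bytes.fromhex("020000000001"), 0x0806, b"\x00" * 46))
# Constructed frame already tagged for VLAN 20, as a trunk would deliver it.
SAMPLE_TAGGED_20 = build_frame(Frame(BROADCAST, bytes.fromhex("020000000002"), 0x0800, b"\x00" * 46, vid=20))
```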

References:

  • http://www.connect802.com/vlans.htm
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.2 Firewall Rules

You create firewall rules to allow a computer to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules act like ACLs and are used to dictate what traffic can pass between the firewall and the internal network. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria:

  • Block the connection.
  • Allow the connection.
  • Allow the connection only if it is secured.

The rules can be applied to inbound traffic or outbound traffic and any type of network (LAN, wireless, VPN, remote access). The rule can be configured to specify the computers or users, program, service, or port and protocol. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used.

The rules of a firewall follow the first-match-apply rule system. The final rule in a firewall set should be a default deny. In this way, anything that is not specifically allowed or that was not explicitly denied by an earlier rule is always blocked by default.

On a regular basis, you should audit the firewall rules and verify that you are obtaining the results you wish and make any modifications needed.

Depending on the type of firewall, separate inbound and outbound rules must be created, unless the firewall supports stateful inspection.

References:

  • http://technet.microsoft.com/en-us/library/dd421709(WS.10).aspx
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

January 16, 2012

1.2.1 Rule-based management

Rule-based management, also known as label-based management, defines conditions for access to objects. The access is granted to the object based on both the object's sensitivity label and the user's sensitivity label. With all rules, an action must be defined. That action is triggered when conditions are or are not met.

Rule-based management is the concept of controlling the security of communications and IT events through rule- or filter-driven systems. Firewalls, proxies, routers, IDS, IPS, antivirus and more are examples of rule-based security management systems. Each of these systems has a set of rules. Each rule is either an explicit allow or deny. If an event or packet does not match any rule, it should be denied by default.

Rule-based management is one method of implementing a white list security management concept. In a white-list security management system if the event or activity does not match an allow rule, it is denied by default. Even new zero-day attacks are blocked using a white-list management system.

How you configure a firewall should stem directly from the business rules established in the organization's security policy. By always placing your "allow" rules lower in priority than your "deny" filters, your overall rule set will be more secure.
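Added example for this section and for 1.2.2 Firewall Rules, 1.2.5 Access Control Lists and 1.2.10 Implicit Deny (my code, not the notes' own or any vendor's syntax): a first-match rule evaluator that falls through to the implicit deny, a constructed rule set showing why the deny for spoofed private sources must sit above the allows, and an audit helper that finds rules an earlier rule makes unreachable. Addresses come from the documentation prefixes; the Rule and Packet fields are my own naming.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the protected network
    proto: str                # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _covers(outer: str, inner: str) -> bool:
    """True when every address in `inner` is inside `outer`."""
    a, b = _net(outer), _net(inner)
    return a.network_address <= b.network_address and b.broadcast_address <= a.broadcast_address


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in _net(self.src)
                and ipaddress.ip_address(p.dst) in _net(self.dst)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` would already match self."""
        return (self.direction in ("any", other.direction)
                and self.proto in ("any", other.proto)
                and _covers(self.src, other.src) and _covers(self.dst, other.dst)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[Rule]]:
    """First-match-apply: the first rule whose criteria match decides. If none
    matches, the implicit deny at the end of every ACL applies (rule is None)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Audit helper: indices of rules that can never fire because an earlier rule
    covers everything they would match, including a deny hidden behind an allow."""
    return [i for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


# Constructed rule set for a public web server at 203.0.113.10.
RULES = [
    Rule("deny", "in", src="10.0.0.0/8", comment="private source address arriving from outside"),
    Rule("allow", "in", "tcp", dst="203.0.113.10/32", dport=443, comment="public HTTPS"),
    Rule("allow", "in", "tcp", dst="203.0.113.10/32", dport=80, comment="public HTTP"),
    Rule("allow", "in", "tcp", src="203.0.113.0/24", dst="203.0.113.10/32", dport=443,
         comment="never fires: the HTTPS rule above already covers it"),
    Rule("deny", comment="explicit final deny, mirrors the implicit one"),
]
```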

References:

  • http://searchsecurity.techtarget.com/tip/Firewall-rule-management-best-practices
  • http://searchsecurity.techtarget.com/tip/How-to-reduce-risks-with-URL-filtering
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2 Apply and implement secure network administration principles

  • Rule-based management
  • Firewall rules
  • VLAN management
  • Secure router configuration
  • Access control lists
  • Port Security
  • 802.1x
  • Flood guards
  • Loop protection
  • Implicit deny
  • Prevent network bridging by network separation
  • Log analysis

1.1.13 URL filtering, content inspection, malware inspection

A URL (Uniform Resource Locator):
  • points your web browser at a web page of your choice
  • is a flexible 'meta language' allowing remote computers to exchange executable content and commands
  • is a conduit for client/server data.

Controlling the URLs that enter and leave your network is an important way to reduce risks posed by hackers, worms and spyware.

URL filtering (or web filtering) involves blocking websites (or sections of websites) based solely on the URL, restricting access to specified websites and certain web-based applications. This is in contrast to content filters, which block data based on its content rather than where it is coming from. Within Internet Explorer, the Phishing Filter included with IE7 acted as a URL filter. In IE8 and later this was replaced by SmartScreen Filter.

URL filtering can focus on all or part of a FQDN, specific path names, specific file names, specific file extensions, or entire specific URLs. Many URL filtering tools can obtain updated master URL block lists from vendors as well as allow administrators to add or remove URLs from a custom list.

Here are two ways filtering URLs on their way out of your network can make you safer:
  1. Require users to access the Internet via a proxy server.
  2. Filter outbound URLs to enforce compliance with corporate Internet acceptable usage policies.

URL filters can also be valuable tools in the fight against spyware, worms and Trojan horse software. In addition to allowing you to block access to sites harboring harmful code, they can help you eliminate the use of Web-based e-mail services, file sharing sites and other Web resources that allow files into your network without the proper virus scanning.

Here are two ways to control the URLs entering your network:
  1. The first line of defense is having well-written web applications that validate inputs and protect themselves against attack (e.g. from unexpected input from parameters passed in URLs).
  2. Add an application-level firewall to create defense in depth. When packets try to enter your network, subject them to rules that ensure they should be admitted.

Content inspection is the security filtering function where the contents of the application protocol payload are inspected. Often such inspection is based on keyword matching. A master black list of unwanted terms, addresses, or URLs is used to control what is or is not allowed to reach a user.

Instead of relying on a website to be previously identified as questionable, as URL filtering does, content inspection works by looking at the data coming in. Within the most recent versions of Internet Explorer, content filtering can be configured using Content Advisor.

Malware inspection is the use of a malware scanner (a.k.a. antivirus scanner or spyware scanner) to detect unwanted software content in network traffic. If malware is detected it can be blocked, logged and/or trigger an alert.

It is important to stop malware before it ever gets hold of a system. While tools that identify malware when they find it on a system are useful, real-time tools that stop it from ever making it to the system are better.

References:
  • http://technet.microsoft.com/en-us/library/dd182018.aspx
  • http://searchsecurity.techtarget.com/tip/How-to-reduce-risks-with-URL-filtering
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.12 Web application firewall vs. network firewall

An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall.

The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which by default is unable to control network traffic regarding a specific application.

The Web Application Firewall (WAF) is an intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. It is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked.

Examples of WAFs include the Cisco ACE Web Application Firewall and the Imperva SecureSphere Web Application Firewall.

The network firewall controls and monitors access between different networks by filtering inbound and outbound traffic, manages access controls to requested locations and typically blocks all services except those specifically permitted.

References:

  • http://www.webappsec.org/projects/glossary/
  • http://en.wikipedia.org/wiki/Application_firewall
  • https://www.owasp.org/index.php/Web_Application_Firewall
  • http://www.imperva.com/products/wsc_web-application-firewall.html
  • Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.11 Spam Filter

Spam filter, all-in-one security appliances

A spam filter is a software program that sorts incoming mail in order to identify and pull out unsolicited and unwanted email, also known as spam. Spam filters catch unwanted email and filter it out before it gets delivered internally to a user's inbox. The filtering is done based on rules, e.g. block email coming from certain IP addresses, email that contains particular words in the subject line, and the like. While spam filters are usually used to scan incoming messages, they can also be used to scan outgoing messages, and thus act as a quick identifier of internal PCs that may have contracted a virus.

Spam can be used to spread malicious code like viruses and Trojans, and for perpetuating phishing scams. For these reasons and more, a spam filter is a great way to help protect your computer or network and cut out junk mail.

SpamAssassin is a well-known open source spam filter.

Like other types of filtering programs, a spam filter looks for certain criteria on which it bases judgments. From simply scanning subject lines for particular words to more sophisticated methods such as those based on Bayesian statistical methodology or other heuristic filters, spam filters attempt to identify spam through suspicious word patterns or word frequency.

References:

  • http://www.wisegeek.com/what-is-a-spam-filter.htm
  • http://searchmidmarketsecurity.techtarget.com/definition/spam-filter
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.1.10 Sniffer

A sniffer is a network analysis tool to help you locate network problems. It consists of a well-integrated set of functions that can resolve network problems. Sniffers can list network packets in real time from multiple network cards (including modem, ISDN and ADSL interfaces) and can capture packets filtered by application and protocol, e.g. Ethernet, IP, TCP, UDP, PPPoE, HTTP, FTP, WINS, PPP, SMTP, POP3.

Sniffers (also known as network monitors) help troubleshoot network problems.

A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming. Sniffers usually act as network probes or "snoops." They examine network traffic, making a copy of the data without redirecting or altering it.

A network-monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring software.

References:

  • http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm
  • http://www.colasoft.com/resources/network-sniffer.php
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.1.9 Protocol Analyzer

A "protocol analyzer" is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Protocol analyzers (also known as packet sniffers) monitor the data that is transmitted across a network. Sniffers highlight that sensitive information should not be sent using insecure methods.

Protocol analyzers can be stand-alone applications or used with other network monitoring and intrusion detection applications to monitor and capture network data right down to the packet and frame level.

This tool can be used in conjunction with intrusion detection and prevention systems to analyze large blocks of network data and protocols. This scanning can detect specific behaviors of known exploits or network attacks.

This information can be communicated to the IDS, which will block those network packets from reaching the client.

References:

  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle


January 15, 2012

1.1.8 NIDS and NIPS

NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic)

An intrusion detection system (IDS) is software that runs on a server or network device to monitor and track network activity. By using an IDS, a network administrator can configure the system to monitor network activity for suspicious behavior that can indicate unauthorized access attempts. IDSs can be configured to evaluate system logs, look at suspicious network activity, and disconnect sessions that appear to violate security settings.

IDSs can be sold with firewalls. Firewalls by themselves will prevent many common attacks, but they don't usually have the intelligence or the reporting capabilities to monitor the entire network. An IDS, in conjunction with a firewall, allows both a reactive posture with the firewall and a preventive posture with the IDS.

In response to an event, the IDS can react by disabling systems, shutting down ports, ending sessions, deception (redirect to honeypot), and even potentially shutting down your network. A network-based IDS that takes active steps to halt or prevent an intrusion is called a network intrusion prevention system (NIPS). When operating in this mode, they are considered active systems.

Passive detection systems log the event and rely on notifications to alert administrators of an intrusion. Shunning or ignoring an attack is an example of a passive response, where an invalid attack can be safely ignored. A disadvantage of passive systems is the lag between intrusion detection and any remediation steps taken by the administrator.

Intrusion prevention systems (IPS), like IDSs, follow the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity.

A network-based IDS examines network patterns, such as an unusual number of requests destined for a particular server or service, such as an FTP server. Network IDS systems should be located as far forward as possible, e.g. on the firewall, a network tap, a SPAN port, or a hub, to monitor external traffic. Host IDS systems, on the other hand, are placed on individual hosts where they can more efficiently monitor internally generated events.

Using both network and host IDS enhances the security of the environment.

Snort is an example of a network intrusion detection and prevention system. It conducts traffic analysis and packet logging on IP networks. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine.

Network based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic. Using the captured data, the Network IDS processes and flags any suspicious traffic. Unlike an intrusion prevention system, an intrusion detection system does not actively block network traffic. The role of a network IDS is passive, only gathering, identifying, logging and alerting.

Host based intrusion detection system (HIDS) attempts to identify unauthorized, illicit, and anomalous behavior on a specific device. HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity. The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and alerting. Tripwire is an example of a HIDS.

There are no fully mature open standards for ID at present. The Internet Engineering Task Force (IETF) is the body which develops new Internet standards. They have a working group to develop a common format for IDS alerts.

The following types of monitoring methodologies can be used to detect intrusions and malicious behavior: signature, anomaly, heuristic and rule-based monitoring.

A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS.

A network IDS signature is a pattern that we want to look for in traffic. Signatures range from very simple – checking the value of a header field – to highly complex signatures that may actually track the state of a connection or perform extensive protocol analysis.

An anomaly-based IDS examines ongoing traffic, activity, transactions, or behavior for anomalies (things outside the norm) on networks or systems that may indicate an attack. An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline identifies what is “normal” for that network: what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other. The IDS alerts the administrator when traffic is detected which is anomalous relative to the baseline.

Heuristic-based security monitoring uses an initial database of known attack types but dynamically alters the signatures based on learned behavior of network traffic. A heuristic system uses algorithms to analyze the traffic passing through the network. Heuristic systems require more fine-tuning to prevent false positives in your network.

A behavior-based system looks for variations in behavior such as unusually high traffic, policy violations, and so on. By looking for deviations in behavior, it is able to recognize potential threats and respond quickly.

Similar to firewall access control rules, a rule-based security monitoring system relies on the administrator to create rules and determine the actions to take when those rules are transgressed.
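
The signature-based and anomaly-based methodologies described above, worked through in a toy network IDS. This is an added example written for these notes, not Snort's or any vendor's code; the flow records, the signatures, the constructed scanner user agent, and the `k` threshold are all made up for illustration.

```python
"""Toy network IDS applying the signature- and anomaly-based methodologies above.
Added example for these notes, not Snort's or any vendor's code; flows,
signatures and the k threshold are constructed for illustration."""
from collections import Counter
from statistics import mean, pstdev

# A signature at the simple end of the range: a header field (destination
# port) plus a byte pattern in the payload. Snort would express the first one as
#   alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous"; sid:1000001; rev:1;)
SIGNATURES = [
    ("FTP anonymous login", 21, b"USER anonymous"),
    ("Known scanner user agent", 80, b"User-Agent: constructed-scanner/1.0"),
]

def signature_hits(flows):
    """(rule, src, dst) for every flow matching a signature. A flow whose pattern
    is not yet in SIGNATURES is simply missed: the lag the notes describe."""
    return [(name, src, dst)
            for src, dst, dport, payload in flows
            for name, port, pattern in SIGNATURES
            if dport == port and pattern in payload]

def build_baseline(flows, dport):
    """Mean and std dev of per-source request counts to one service, taken
    from a known-good period: what 'normal' looks like for that service."""
    counts = list(Counter(src for src, _, port, _ in flows if port == dport).values())
    return mean(counts), pstdev(counts)

def anomalies(flows, dport, baseline, k=3.0):
    """Sources whose request count to dport exceeds mean + k*stdev of the
    baseline, i.e. an unusual number of requests to one server or service."""
    avg, sd = baseline
    counts = Counter(src for src, _, port, _ in flows if port == dport)
    return sorted((src, n) for src, n in counts.items() if n > avg + k * sd)

def ftp_flows(src, n, user=b"USER alice"):
    """Constructed flow records (src, dst, dst_port, payload) to an FTP server."""
    return [(src, "10.0.0.20", 21, user)] * n

# Constructed known-good traffic and a later observation window.
NORMAL = (ftp_flows("10.0.0.5", 3) + ftp_flows("10.0.0.6", 4)
          + ftp_flows("10.0.0.7", 3) + ftp_flows("10.0.0.8", 2))
OBSERVED = (ftp_flows("10.0.0.5", 3) + ftp_flows("10.0.0.9", 40)
            + ftp_flows("10.0.0.9", 1, b"USER anonymous")
            + [("10.0.0.11", "10.0.0.30", 80,
                b"GET / HTTP/1.1\r\nUser-Agent: constructed-scanner/1.0\r\n")])

if __name__ == "__main__":
    base = build_baseline(NORMAL, 21)
    print("signature hits:", signature_hits(OBSERVED))
    print("anomalous FTP clients:", anomalies(OBSERVED, 21, base))
```

Note that the 40 ordinary-looking logins from 10.0.0.9 match no signature and are caught only by the baseline comparison, while the single anonymous login is caught only by the signature; this is why the notes recommend combining methodologies.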

References:

  • http://netsecurity.about.com/cs/hackertools/a/aa030504.htm
  • http://www.sans.org/security-resources/idfaq/
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.7 VPN Concentrators

A virtual private network (VPN) is a secure and private point-to-point connection over a public network. It provides an encrypted tunnel between the client and the remote network. A private network provides security over an otherwise insecure environment.

VPNs connect two LANs together across the Internet or other public networks. VPNs are also used to connect two remote routers to form a secure WAN. A VPN is implemented either as special hardware or software running on a server.

A VPN typically uses a tunneling protocol such as Layer 2 Tunneling Protocol (L2TP), IPSec, or Point-to-Point Tunneling Protocol (PPTP).

To guarantee security, both ends of the VPN connection must be running the same type of VPN with equivalent protocols (e.g. L2TP) and encryption method (IPSec).

A VPN concentrator is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security.

VPN concentrators incorporate the encryption and authentication techniques to create a remote-access or site-to-site VPN connection. Cisco VPN concentrators, for example, include components, called Scalable Encryption Processing (SEP) modules, that enable users to easily increase capacity and throughput.

References:

  • http://searchnetworking.techtarget.com/answer/How-does-the-VPN-concentrator-work
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.6 Web Security Gateways

A web security gateway can be thought of as a proxy server (performing proxy and caching functions) with web protection that can range from a standard virus scanner on incoming packets to monitoring of outgoing user traffic.

Potential red flags the gateway can detect/prohibit include inappropriate content, trying to establish a peer-to-peer connection with a file-sharing site, instant messaging, and unauthorized tunneling. You can configure most web security gateways to block known HTTP/HTML exploits, strip ActiveX tags, strip Java applets, and block/strip cookies.

Beyond the basic tasks of a web proxy, it provides content filtering and application-level security to protect end users from accessing dangerous web sites, from downloading files that are infected with worms, spyware or other malware, and from connecting to servers that host phishing and fraud sites.

Web security gateways can perform deep inspection of web HTTP traffic to prevent end users from accessing dangerous content.

These types of gateways can also scan text content of web sites to search for prohibited words and phrases that indicate offensive content. For maximum effectiveness, all end-user web browser clients must be configured to use the gateway as their web proxy.

References:

  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle