Neo Kobo

3.4.7 War chalking

2012-01-29T13:08:00.000-08:00

War chalking

Warchalking is the drawing of standard iconography (often in chalk) in public places to advertise an open Wi-Fi wireless network.

Warchalking involves those who discover a way into the network leaving signals on, or outside, the premise to notify others of the vulnerability.

References:

http://en.wikipedia.org/wiki/Warchalking

3.4.6 Bluesnarfing

2012-01-29T13:06:00.000-08:00

Bluesnarfing

Bluesnarfing is much more serious than Bluejacking, but both exploit others' Bluetooth connections without their knowledge.

Bluesnarfing enables gaining unauthorized access through a Bluetooth connection. This access can be gained through a phone, PDA, or any device using Bluetooth. Once access has been gained, the attacker can copy any data in the same way they would with any other unauthorized access.

References:

http://en.wikipedia.org/wiki/Bluesnarfing
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.5 Bluejacking

2012-01-29T12:56:00.000-08:00

Bluejacking

Bluejacking is the sending of unsolicited messages (think spam) over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field to another bluetooth enabled device via the OBEX protocol.
Bluejacking takes advantage of a loophole in the technology's messaging options that allows a user to send unsolicited messages to other nearby Bluetooth owners.

Bluetooth technology operates by using low-power radio waves, communicating on a frequency of 2.45 gigahertz. This special frequency is also known as the ISM band, an open, unlicensed band set aside for industrial, scientific and medical devices. When a number of Bluetooth devices are switched on in the same area, they all share the same ISM band and can locate and communicate with each other, much like a pair of walkie talkies tuned to the same frequency are able to link up.

Bluetooth technology users take advantage of this ability to network with other phones and can send text messages or electronic business cards to each other. To send information to another party, the user creates a personal contact name in his or her phone's address book -- the name can be anything from the sender's actual name to a clever nickname.

Bluejackers have devised a simple technique to surprise their victims: Instead of creating a legitimate name in the address book, the bluejacker's message takes the place of the name. The prank essentially erases the "from" part of the equation, allowing a user to send any sort of comment he wishes without identifying himself.

Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters.

Bluetooth is often used for creating personal area networks (PANs), and most Bluetooth devices come with a factory default PIN that you will want to change to more secure values.
One of the simplest ways to secure Bluetooth devices is to not set their attribute to Discoverable.

References:

http://www.bluejackingtools.com/what-is-bluejacking/
http://electronics.howstuffworks.com/bluejacking.htm
http://en.wikipedia.org/wiki/Bluejacking
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.3 Evil Twin

2012-01-29T12:52:00.000-08:00

Evil Twin

Evil twin attack is a term for a rogue Wi-Fi access point (AP) that appears to be a legitimate, but actually has been set up by a hacker to eavesdrop and intercept wireless communications among Internet surfers.

It is an attack in which unsuspecting Wi-Fi users are tricked into associating with a phony wireless Access Point. Also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP, these attacks use phony APs with faked login pages to capture credentials and credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.

Evil twin is the wireless version of e-mail phishing scams. An attacker tricks wireless users into connecting a laptop or mobile phone to a rogue hotspot by posing as a legitimate provider.
By imitating the name of another, legitimate wireless provider, they can fool people into trusting the internet services that they are providing. When the users log into bank or e-mail accounts, the phishers have access to the entire transaction, since it is sent through their equipment.

One way that Corporate users can protect themselves from an evil twin attack is by using VPN (virtual private network) when logging into company servers.

References:

http://www.watchguard.com/infocenter/editorial/27061.asp
http://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)
http://www.ericgoldman.name/security/8-exploits-and-attacks/21-evil-twin-attack-explanation
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4 Analyze and differentiate among types of wireless attacks

2012-01-29T12:49:00.001-08:00

Analyze and differentiate among types of wireless attacks

Rogue access points
Interference
Evil twin
War driving
Bluejacking
Bluesnarfing
War chalking
IV attack
Packet sniffing

3.2.14 Transitive Access

2012-01-29T00:10:00.000-08:00

Transitive access

Transitive – Passing over to or affecting something else.

Transitive access is a problem when inadvertent (and possibly unauthorized) access results for a set of related and authorized access.

With transitive access, one A trusts B. If B then trusts C, then a relationship can exist where C is trusted by A).

In a transitive trust relationship, the relationship between A and B flows through such that A now trusts C.

In all versions of Active Directory, the default is that all domains in a forest trust each other with two-way transitive trust relationships.

While this process makes administration much easier when you add a new child domain (no administrative intervention is required to establish the trusts), it leaves open the possibility of a hacker acquiring more trust than they should by virtue of joining the domain.

References:

http://dictionary.reference.com/
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.1.13 DNS poisoning and ARP poisoning

2012-01-29T00:05:00.000-08:00

DNS poisoning and ARP poisoning

DNS and ARP poisoning are types of man-in-the-middle (MITM) attacks, which are types of spoofing attacks. A spoofing attack is an attempt by someone to masquerade as someone else.

Address Resolution Protocol (ARP) cache poisoning (sometimes also known as ARP Poison Routing) allows an attacker on the same network segment (subnet) as its victims to eavesdrop on all network traffic between the victims.

ARP poisoning, tries to convince the network that the attacker's MAC address is the one associated with an IP address so that traffic sent to that IP address is wrongly sent to the attacker's machine.

In ARP poisoning, the MAC (Media Access Control) address table of the victim host is ‘poisoned’ with false data. Incorrect data for a victim host is interjected into the MAC table of the victim host to force the victim to communicate with the wrong host. By faking this value, it is possible to make it look as if the data came from a network that it did not. This can be used to gain access to the network, to fool the router into sending data here that was intended for another host, or to launch a DoS attack.

Any device can send an ARP reply packet to another host and force that host to update its ARP cache with the new value. Sending an ARP reply when no request has been generated is called sending a gratuitous ARP. When malicious intent is present the result of a few well placed gratuitous ARP packets used in this manner can result in hosts who think they are communicating with one host, but in reality are communicating with a listening attacker.

For sensitive hosts, you can rely on static ARP entries in your local ARP cache rather than on ARP requests and replies which can be faked.

As a reactive measure, you can monitor the network traffic of hosts using tools such as Snort or xARP.
With DNS poisoning, the DNS server is given information that it thinks is legitimate when it isn't. This can send users to a website other than the one they wanted to go to, reroute mail, or do any other type of redirection wherein data from a DNS server is used to determine a destination. Another name for this is DNS poisoning. DNS servers store its information (resource records) either in database files or as cached data. This information can be falsified or ‘poisoned’.

Every DNS query that is sent out over the network contains a uniquely generated identification number that’s purpose is to identify queries and responses and tie them together. This means that if our attacking computer can intercept a DNS query sent out from a target device, all we have to do is create a fake packet that contains that identification number in order for that packet to be accepted by that target.

DNS poisoning is difficult to defend against due to the attacks being mostly passive by nature. Typically, you will never know your DNS is being poisoned or spoofed until it has happened. That being said, there are still a few things that can be done to defend against these types of attacks:
Secure your internal machines
Defending against internal threats and having a good internal security posture is always good
Don’t rely on DNS for secure systems – use local hosts file for sensitive name resolution data
Use IDS – monitor your network/host
Use DNSSEC – an updated and more secure version of DNS

References:

http://www.windowsecurity.com/articles/understanding-man-in-the-middle-attacks-arp-part1.html
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.11 Xmas Attack

2012-01-28T23:53:00.000-08:00

Xmas Attack

One of the three Nmap scan types:
• Xmas scan (-sX) – Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
• Null scan (-sN) – Does not set any bits (TCP flag header is 0)
• FIN scan (-sF) – Sets just the TCP FIN bit.

One of the most popular attacks that utilizes Nmap is the Xmas attack (also known as the Xmas scan and Christmas attack). This is an advanced scan that tries to get around firewall detection and look for open ports. It accomplishes this by setting three flags (FIN, PSH, and URG).

References:

http://nmap.org/book/man-port-scanning-techniques.html
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.10 Vishing & Spear Phishing

2012-01-28T23:51:00.000-08:00

Vishing

When you combine phishing with Voice over IP (VoIP), it becomes known as vishing and is just an elevated form of social engineering.

Spear phishing

Spear phishing is a unique form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party.

In spear phishing, the attacker uses information that the target would be less likely to question because it appears to be coming from a trusted source. Because it appears far more likely to be a legitimate message, it cuts through the user's standard defenses like a spear and has a higher likelihood of being clicked.

With spear phishing, you might get a message that appears to be from your boss telling you that there is a problem with your direct deposit account and you need to access this HR link right now to correct it.

Spear phishing works because it uses information it can find about you from email databases, friends lists, and the like.

References:
• CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.9 Spim

2012-01-28T23:46:00.000-08:00

Spim

SpIM is short for "Spam via Instant Messenger" and is a term that refers to unwanted and unsolicited junk messages sent via an instant messenger (instead of through e-mail messaging).

Most Spim comes in the form of chat requests/sessions from unknown people who then send you text messages about their products or services. Some may ask you to visit a website, which may contain malware or they may try to send you files to download.

The immediacy of IM makes users more likely to reflexively click links. Furthermore, because it bypasses anti-virus software and firewalls. IM is an easy means of passing on not only commercial messages, but also viruses and other malware.

Never accept or open attachments from people you don’t know.

Turn off the automatic download features in your instant messenger client.

Send all downloads to the same folder on your hard drive and then use your anti-virus software to scan that folder each time a new file is added.

Related Terms
SPIT – Spam over Internet Telephony

References:

http://housing.uncc.edu/technology/securemypc/alt_spam.htm
http://www.webopedia.com/DidYouKnow/Internet/2006/spam_spit_spim.asp
http://searchexchange.techtarget.com/definition/spim

3.2.8 Phishing

2012-01-28T23:42:00.000-08:00

Phishing

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is an example of social engineering techniques used to deceive users; in which you simply ask someone for a piece of information that you want by making it look as if it is a legitimate request.

Vishing involves combining phishing with Voice over IP.

An email might look as if it is from a bank and contain some basic information, such as the user's name. A fake website might be created to look just like a legitimate site. It can then gather personal information from the user.

The person instigating the phishing can then use the values entered there to access the legitimate account.

One of the best counters to phishing is to simply mouse over the “Click Here” link and read the URL.

Phishing email messages, websites, and phone calls are designed to steal money, access, information, etc.

References:

http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
http://www.fraud.org/tips/internet/phishing.htm
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.7 Spam

2012-01-28T23:29:00.000-08:00

Spam

Spam is the use of electronic messaging systems, particularly e-mail but including most broadcast media, digital delivery systems, to send unsolicited bulk messages indiscriminately. In general, e-mail messages you didn’t ask for, from people you don’t know are considered ‘spam’.

Spam can contain viruses or other malware, or it may try to trick the recipient to give up passwords and user names, or visit a harmful site.

Spam is not actually an acronym.

According to the Internet Society and other sources, the term spam is derived from the 1970 Spam sketch of the BBC television comedy series Monty Python's Flying Circus. The sketch is set in a cafe where nearly every item on the menu includes Spam canned luncheon meat. As the waiter recites the Spam-filled menu, a chorus of Viking patrons drowns out all conversations with a song repeating "Spam, Spam, Spam, Spam... lovely Spam! wonderful Spam!", hence "Spamming" the dialogue.

Related Terms
SPAM – Hormel Foods Corporation, the maker of SPAM luncheon meat, has asked that the capitalized word "Spam" be reserved to refer to their product and trademark.

References:

http://en.wikipedia.org/wiki/Spam_(electronic)

3.2.5 Smurf Attack

2012-01-28T23:24:00.000-08:00

Smurf Attack

The smurf attack, named after its exploit program, is a denial-of-service attack which uses spoofed broadcast ping messages to flood a target system.

In the "smurf" attack, from remote location, an attacker sends forged ICMP echo packets directed to the broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.

This generates a denial-of-service attack. There are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim).

The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.

When the attackers create these packets, they do not use the IP address of their own machine as the source address. The victim is subjected to network congestion that could potentially make the network unusable.

One solution to prevent your site from being used as an intermediary in this attack is to disable IP-directed broadcasts at your router. By disabling these broadcasts, you configure your router to deny IP broadcast traffic onto your network from other networks.

Some operating systems can be configured to prevent the machine from responding to ICMP packets sent to IP broadcast addresses. Configuring machines so that they do not respond to these packets can prevent your machines from being used as intermediaries in this type of attack.

References:

http://searchcio-midmarket.techtarget.com/definition/adware
http://www.softpanorama.org/Net/Internet_layer/ICMP/smurf_attack.shtml
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2 Analyze and differentiate among types of attacks

2012-01-28T23:21:00.000-08:00

Analyze and differentiate among types of attacks

Man-in-the-middle
DDoS
DoS
Replay
Smurf attack
Spoofing
Spam
Phishing
Spim
Vishing
Spear phishing
Xmas attack
Pharming
Privilege escalation
Malicious insider threat
DNS poisoning and ARP poisoning
Transitive access
Client-side attacks

3.1.6 Rootkits

2012-01-25T00:16:00.000-08:00

Rootkits

Rootkits are software programs that have the ability to hide certain things from the operating system. Theoretically, rootkits could hide anywhere there is enough memory to reside: video cards, PCI cards, and the like. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the systems OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

A rootkit is a type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at a privileged level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. If a rootkit has been installed, you may not be aware that your computer has been compromised, and traditional anti-virus software may not be able to detect the malicious programs.

Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.

Rootkits can be installed and hidden on your computer without your knowledge. It may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on your computer or has convinced you to download it.

Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel.

Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers.

The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected.

Types of rootkits include the following:

Firmware – embedded in the firmware; always available
Kernel – embedded in the operating system; practically invisible; privileged
Persistent – activates on boot up and stays active while computer is running
Application – activates with a specific application
Library – associated with library files (e.g. DLLs); interjects own code via API and system calls

References:

http://en.wikipedia.org/wiki/Rootkit
http://www.us-cert.gov/cas/tips/ST06-001.html
http://www.pcmag.com/encyclopedia_term/0,2542,t=root+kit&i=55733,00.asp

3.1.4 Spyware

2012-01-25T00:12:00.000-08:00

Spyware

Spyware is software that can display advertisements, collect information about you, or change settings on your computer, generally without appropriately obtaining your consent. For example, spyware can install unwanted toolbars, links, or favorites in your web browser, change your default home page, or display pop-up ads frequently.

Some spyware displays no symptoms that you can detect, but it secretly collects sensitive information, such as the websites you visit or the text you type. Most spyware is installed through free software that you download, but in some cases simply visiting a website results in a spyware infection.

Spyware gathers information on you to pass on to marketers or intercepts personal data such as credit card numbers and makes them available to third parties.

References:

http://windows.microsoft.com/en-US/windows7/Understanding-security-and-safer-computing

3.1.1 Adware

2012-01-25T00:09:00.000-08:00

Adware

Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during the installation process. The object of the Adware is to generate revenue for its author.

Adware, by itself, is harmless; however, some adware may come with integrated spyware such as keyloggers and other privacy-invasive software.

The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.

Adware is criticized because it can include code that tracks a user's personal information and pass it on to third parties, without the user's authorization or knowledge.

References:

http://searchcio-midmarket.techtarget.com/definition/adware
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.1 Analyze and differentiate among types of malware

2012-01-25T00:07:00.000-08:00

Analyze and differentiate among types of malware

Adware
Virus
Worms
Spyware
Trojan
Rootkits
Backdoors
Logic bomb
Botnets

2.2.3 Incident Management

2012-01-23T22:24:00.000-08:00

Incident management

Incident management—the steps followed when events occur.

A clearly defined incident response policy can help contain a problem and provide quick recovery to normal operations.

In the event of some form of security incident, some form of procedure should be in place to deal with these events as they happen.

The policy should cover each type of compromised security scenario and list the procedures to follow when they happen.

The incident response policy should cover the following areas:

Contact information for emergency services and other outside resources.
Methods of securing and preserving evidence of a security breach.
Scenario-based procedures of what to do with computer and network equipment depending on the security problem.
How to document the problem and the evidence properly.

The components of an incidence-response plan should include preparation, roles, rules, and procedures. Incident-response procedures should define how to maintain business continuity while defending against further attacks.

References:

http://www.informit.com/articles/article.aspx?p=1809117&seqNum=3
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.2.2 Change Management

2012-01-23T22:21:00.000-08:00

Change management

Change management policies are official company procedures used to identify and communicate current or forthcoming changes to some aspect of the company’s networks and communications services.

Change documentation should include the following:

Specific details, about the change being proposed/implemented
The name of the authority who approved the changes
A list of the departments and the names of the supervisors involved in performing the change
What the immediate effect of the change will be
What the long-term effect of the change will be
The date and time the change will occur

After the change has occurred, the following should be added to the documentation:

Specific problems and issues that occurred during the process
Any known workarounds if issues have occurred
Recommendations and notes on the event

After the change has been requested, documented, and approved, you should then send out notification to the users so that they know what to expect when the change has been implemented.

References:

http://www.informit.com/articles/article.aspx?p=1809117&seqNum=3
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.2 Carry out appropriate risk mitigation strategies

2012-01-23T22:14:00.000-08:00

Carry out appropriate risk mitigation strategies

Implement security controls based on risk
Change management
Incident management
User rights and permissions reviews
Perform routine audits
Implement policies and procedures to prevent data loss or theft

2.1.7 Risks associated to Cloud Computing and Virtualization

2012-01-23T20:56:00.000-08:00

Risks associated to Cloud Computing and Virtualization

If you ask two people a question about what cloud computing is, you are likely to get four different answers. That in itself should be considered a risk. For our purpose, we will consider cloud computing as the use of the Internet to host services and data instead of hosting it locally. Implementation of this include Google Mail, Amazon EC2, Salesforce.com, etc.

The Security+ certification exam considers the following three ways of implementing cloud computing:

The Platform as a Service (PaaS) model, vendors provide a platform for customers to build and run custom applications.
Software as a Service (SaaS) is a way of delivering Web-based, on-demand, or hosted applications.
Infrastructure as a Service The Infrastructure as a Service (IaaS) model closely resembles the traditional utility model used by electric, gas, and water providers. It delivers computer infrastructure – typically a platform virtualization environment – as a service, along with raw (block) storage and networking.

Risk-related issues associated with cloud computing include the following:

Regulatory Compliance such as Sarbanes-Oxley's act.
User Privileges such as preventing privilege escalation.
Data Segregation keeps customer’s data secure and private, particularly important in a multi-tenant cloud computing implementation.

Some of the security risks that are possible with virtualization include the following:

Breaking Out of the Virtual Machine.
Network and Security Controls Can Intermingle.
Lax patch/update policy.

References:

http://en.wikipedia.org/wiki/Cloud_computing
http://onekobo.com/Cloud/TagCloud.html
https://cloudsecurityalliance.org/
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

2012-01-22T19:29:00.000-08:00

Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk Avoidance Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would/could lead to exposure to the risk. One of the biggest problems with risk avoidance is that you are steering clear of activities you may benefit from.

This is the most effective solution, but often not possible due to organizational requirements.
Risk transference, you do not simply shift the risk completely to another entity, instead you share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all the steps were in place to reduce risk and your system still was harmed.

Risk mitigation is accomplished anytime you take steps to reduce the risk. Steps include installing antivirus software, educating users about possible threats, monitoring the network traffic, adding a firewall. In Microsoft's Security Intelligence Report, Volume 9, they list the following suggestions for mitigating risk:

Keep security messages fresh and in circulation.
Target new employees and current staff members.
Set goals to ensure a high percentage of the staff is trained on security best practices.
Repeat the information to raise awareness.

In risk mitigation (occasionally referred to as risk reduction), the harm can still occur, but you've reduced the impact it will have.

Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you. The easiest way to think of risk deterrence is to think of it as a “you hit me and I'll hit you back harder” mentality. This can be as simple as posting prosecution policies on your login pages and convincing them that you have steps in place to identify intrusions and act on them.

Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated.

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, all the responsible parties must know that it exists and can affect the organization. It has to be an identified risk for which those involved understand the potential cost/damage and agree to accept.

Risk acceptance is essentially being fully aware that the risk exists (and that you could be affected by it), then choosing to do nothing further.

The risk must be identified, accepted and then a decision made that no action will be taken. Risk acceptance must be a conscious choice, documented, approved by senior administration, and regularly reviewed.

Related Terms:

Risk Appetite – the level of risk tolerance.
Exploit – An exploit is a mechanism of taking advantage of an identified vulnerability.
Threat – A threat is the potential that a vulnerability will be identified and exploited.
Control – Controls act to close vulnerabilities, prevent exploitation, reduce threat potential, and/or reduce the likelihood of a risk or its impact.

References:

http://certcities.com/editorial/columns/story.asp?EditorialsID=447
http://www.informit.com/articles/article.aspx?p=1809117&seqNum=2
http://studydroid.com/index.php?page=viewPack&packId=220486
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.1.4 Risk Calculation

2012-01-22T19:25:00.000-08:00

Risk Calculation

The likelihood and impact of a risk has a strong measure on your cost analysis for budgeting funds for risk countermeasures and mitigation. A calculation used to determine this factor is Annual Loss Expectancy (ALE).

You must calculate the chance of a risk occurring, sometimes called the Annual Rate of Occurrence (ARO), and the potential loss of revenue based on a specific period of downtime, which is called the Single Loss Expectancy (SLE). By multiplying these factors together, you arrive at the ALE. This is how much money you expect to lose on an annual basis because of the impact from an occurrence of a specific risk.

When you're doing a risk assessment, one of the most important things to do is to prioritize. Take into account the likelihood of an event happening and the impact to your organization if it does. Focus on the events that are likely and would have an impact. Not everything should be weighed evenly.

One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you're computing risk assessment, remember this formula:

SLE x ARO = ALE

Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.
The Annualized Loss Expectancy (ALE) is the expected monetary loss that can be expected for an asset due to a risk over a one year period. It is defined as:

ALE = SLE * ARO

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending more resources per year on a security measure which will eliminate it.

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

Know how to calculate risk. Risk can be calculated either qualitatively (subjective) or quantitatively (objective). Quantitative calculations assign dollar amounts, and the basic formula is SLE × ARO = ALE where SLE is the single loss expectancy, ARO is the annualized rate of occurrence, and ALE is the annual loss expectancy.

ALE – A calculation that is used to identify risks and calculate the expected loss each year.
For each vulnerability associated with each asset, you must do the following to quantify risk:

Estimate the cost of replacing or restoring that asset (its Single Loss Expectancy)
Estimate the vulnerability's expected Annual Rate of Occurrence
Multiply these to obtain the vulnerability's Annualized Loss Expectancy

The three categories commonly used to identify the likelihood of a risk: High (1.0), Medium (0.5), or Low (0.1) values for risk comparison.

References:

http://www.riskythinking.com/glossary/annualized_loss_expectancy.php
http://etutorials.org/Linux+systems/secure+linux-based+servers/Chapter+1.+Threat+Modeling+and+Risk+Management/Section+1.2.+Simple+Risk+Analysis+ALEs/
http://www.informit.com/articles/article.aspx?p=1809117&seqNum=2
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.1 Explain risk related concepts

2012-01-22T19:12:00.000-08:00

Explain risk related concepts

Control types

Technical
Management
Operational

False positives
Importance of policies in reducing risk

Privacy policy
Acceptable use
Security policy
Mandatory vacations
Job rotation
Separation of duties
Least privilege

Risk calculation

Likelihood
ALE
Impact

Quantitative vs. qualitative
Risk-avoidance, transference, acceptance, mitigation, deterrence
Risks associated to Cloud Computing and Virtualization

1.5 Identify commonly used default network ports

2012-01-22T13:55:00.000-08:00

Identify commonly used default network ports

TCP Port #	UDP Port #	Service
20		FTP (data channel)
21		FTP (control channel)
22		SSH; SCP; SFTP (over SSH)
989	989	FTPS (data): FTP over TLS/SSL
990	990	FTPS (control): FTP over TLS/SSL
	69	Trivial File Transfer Protocol (TFTP)
23		Telnet
80		Hypertext Transfer Protocol (HTTP)
443		HTTPS (Hypertext Transfer Protocol over SSL/TLS)
137	137	NetBIOS Name Service
138	138	NetBIOS Datagram Service
139	139	NetBIOS Session Service

1.6.8 SSID Broadcast

2012-01-22T13:29:00.000-08:00

SSID broadcast

The SSID (Service Set IDentifier), or network name, of your wireless network is required for devices to connect to it.

SSID is a function performed by an Access Point (AP) that transmits its name so that wireless stations searching for a network connection can 'discover' it. It's what allows your wireless adapter's software to give you a list of the AP in range.

Wireless APs and routers can automatically broadcast their network name (SSID) into open air at regular intervals (every few seconds) to announce their presence. This feature of Wi-Fi network protocols is intended to allow clients to dynamically discover and roam between WLANs.

One method of "protecting" the network that is often recommended is to turn off the SSID broadcast. This should be considered a very weak form of security because it is a trivial process for an attacker to discover the presence of the access point besides the SSID broadcast.

Security by obscurity is no security at all.

SSIDs are not encrypted or otherwise scrambled, it becomes easy to grab one by snooping the WLAN looking for SSID broadcast messages coming from the router or AP. Knowing your SSID brings hackers one step closer to a successful intrusion.

All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

An SSID is a network name, not a password. It is not designed to be hidden.

A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. It's a violation of the 802.11 specification to keep your SSID hidden and, even if you think your SSID is hidden, it really isn't.

Having SSID broadcast disabled essentially makes your Access Point invisible unless a wireless client already knows the SSID, or is using tools that monitor or 'sniff' traffic from an AP's associated clients.

Related Terms

Site survey
War driving
War chalking
Basic Service Set (BSS)
Access Point (AP)

References:

http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx
http://compnetworking.about.com/cs/wirelessproducts/qt/disablessidcast.htm
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.6.4 EAP

2012-01-22T13:25:00.000-08:00

EAP

Extensible Authentication Protocol (EAP) is an Internet Engineering Task Force (IETF) standard that provides an infrastructure for network access clients and authentication servers to host plug-in modules for current and future authentication methods. EAP is used to authenticate Point-to-Point Protocol (PPP)-based connections (such as dial-up, virtual private network remote access, and site-to-site connections) and for IEEE 802.1X-based network access to authenticating Ethernet switches and wireless access points (APs).

EAP is used primarily in WEP/WPA/WPA2-based wireless networks for securely transporting authentication data. EAP separates the message exchange from the authentication process through the use of a different exchange layer and it provides a module-based infrastructure that supports several different authentication methods.

EAP, is an authentication framework (not a specific authentication mechanism) frequently used in wireless networks and Point-to-Point connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and was updated by RFC 5247.

It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined.

Five EAP methods are adopted by the WPA/WPA2 standard: EAP-TLS, EAP-PSK, EAP-MD5, and LEAP and PEAP.

The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard.

The Protected Extensible Authentication Protocol, (Protected EAP or PEAP), is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP which assumed a protected communication channel, so facilities for protection of the EAP conversation were not provided. PEAP is more secure since it establishes an encrypted channel between the server and the client.

References:

http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
http://technet.microsoft.com/en-us/network/bb643147
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.4.10 SFTP

2012-01-22T13:23:00.001-08:00

SFTP

In computing, the SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management functionality over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0, but is also intended to be usable with other protocols.

SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group.

The protocol itself does not provide authentication and security; it assumes that it is run over a secure channel, i.e. it expects the underlying protocol to secure this and that the server has already authenticated the client, and the identity of the client user is available to the protocol. SFTP is most often used as subsystem of SSH protocol version 2 implementations.

Unlike standard FTP, SFTP encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

References:

http://kb.iu.edu/data/akqg.html
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

1.6.1 WPA

2012-01-22T13:23:00.000-08:00

WPA

Wi-Fi Protected Access (WPA) is a security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless networks and surpass the older Wired Equivalent Privacy (WEP) protocol. The Alliance defined WPA in response to serious weaknesses researchers had found in WEP.

WPA (defined in the draft IEEE 802.11i standard) became available around 1999 and was intended as an intermediate measure in anticipation that it would be replaced by the more secure WPA2 protocol.

There are two versions, WPA and WPA2, with the latter being the full implementation of the security features.
The difference between WPA and WPA2 is that WPA implements most—but not all—of 802.11i in order to be able to communicate with older wireless cards and it used the RC4 encryption algorithm with TKIP, while WPA2 implements the full standard and is not compatible with older cards.

WPA also mandates the use of the Temporal Key Integrity Protocol (TKIP), while WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. With the larger initialization vector, it increases the difficulty in cracking and minimizes the risk of replay.

WEP used a 40-bit or 128-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.

TKIP basically works by generating a sequence of WEP keys based on a master key, and re-keying periodically before enough data volume could be captured to allow recovery of the WEP key. TKIP changes the Key every 10,000 packets, which is quick enough to combat statistical methods to analyze the cipher.
TKIP also adds into the picture the Message Integrity Code (MIC). The transmission’s CRC, and ICV (Integrity Check Value) is checked. If the packet was tampered with. WPA will stop using the current keys and re-keys.

As a simplified timeline useful for exam study, think of WEP as coming first. It was fraught with errors and WPA (with TKIP) was used as an intermediate solution, implementing a portion of the 802.11i standard. The final solution—a full implementation of the 802.11i standard—is WPA2 (with CCMP).
WPA (and WEP before it) couples the RC4 encryption algorithm with TKIP, while WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. Chapter 12 focuses solely on wireless and discusses these protocols in greater detail.
WPA was an intermediate solution that implemented only a portion of the 802.11i standard. The final solution—a full implementation of the 802.11i standard—is WPA2, which uses CCMP.

Security researchers showed theoretically how WPA could be broken in November 2008, in what is known as the “Becks-Tews method” developed by researchers Martin Beck and Erik Tews.

The attack works only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm, and do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard, or AES, algorithm.

WPA can use a pre-shared key (PSK or Personal WPA) or it can use an authentication server (Enterprise) that distributes the keys. In the PSK method, all devices on the wireless LAN must use the same passphrase key to access the network. The authentication server method is more scalable to support environments with a large number of clients.

The strength of a WPA network, is only as strong as the passphrase used, which consists of from 8 to 63 characters.

References:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
http://www.ezlan.net/wpa_wep.html
http://www.zdnet.com/blog/btl/researchers-crack-wpa-wi-fi-encryption-in-60-seconds/23384
http://www.practicallynetworked.com/security/041207wpa_psk.htm
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.4.9 HTTPS

2012-01-22T13:22:00.000-08:00

HTTPS

Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (http). HTTPS is a combination of Hypertext Transfer Protocol (HTTP) with SSL/TLS protocol. It provides encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

HTTPS combines HTTP with SSL/TLS to provide encrypted communication. When a user connects to a website via HTTPS, the website encrypts the session with a digital certificate. A user can tell if they are connected to a secure website if the website URL begins with https:// instead of http://.

The default port is 443 and the URL begins with https://.

The main idea of HTTPS is to create a secure channel over an insecure network.

HTTPS is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.

HTTPS uses SSL to secure the channel between the client and server.

HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

The protocol was originally created by Netscape for use with their browser and became a finalized standard with RFC 2818.

Secure Hypertext Transport Protocol (S-HTTP) is HTTP with message security (added by using RSA or a digital certificate). Whereas HTTPS creates a secure channel, S-HTTP creates a secure message. S-HTTP can use multiple protocols and mechanisms to protect the message. It also provides data integrity and authentication.

S-HTTP is seldom used and defaults to using port 80 (the HTTP port).

References:

http://searchsoftwarequality.techtarget.com/definition/HTTPS
http://en.wikipedia.org/wiki/HTTP_Secure
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.4.8 FTPS

2012-01-22T13:21:00.001-08:00

FTPS

FTPS (FTP over SSL) is an extension to the File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols for channel encryption as defined in RFC 2228.

Well-known TCP & UDP ports for FTPS:

989 – FTPS (data channel)
990 – FTPS (control channel)

Much like HTTPS, but unlike SFTP, FTPS servers may provide a public key certificate.

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish and so on), and a key-exchange algorithm. For authentication, FTPS uses X.509 certificates, whereas SFTP (SSH protocol) uses SSH keys.

It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices or from some specific operating systems that have FTP support but don't have SSH/SFTP clients.

Pros of FTPS:

Widely known and used
The communication can be read and understood by humans
Provides services for server-to-server file transfer
SSL/TLS has good authentication mechanisms (X.509 certificate features)
FTP and SSL/TLS support is built into many Internet communication frameworks

Cons of FTPS:

Doesn't have a uniform directory listing format
Requires a secondary DATA channel, which makes it hard to use behind the firewalls
Doesn't define a standard for file name character sets (encodings)
Not all FTP servers support SSL/TLS
Doesn't have a standard way to get and change file and directory attributes

SFTP (“SSH FTP”) is based on SSH (Secure Shell) version 2. It uses the same communication channels and encryption mechanisms as SSH.

There are several implementations of FTPS, including those with “implicit SSL” where a distinct service listens for encrypted connections, and “explicit SSL” where the connection runs over the same service and is switched to an encrypted connection by a protocol option. In addition, there are several potential combinations of what parts of an FTPS connection are actually being encrypted, such as “only encrypted login” or “encrypted login and data transfer”.

References:

http://en.wikipedia.org/wiki/FTPS
http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329
http://binblog.info/2010/10/12/ftps-vs-sftp-once-and-for-all/
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.6 Implement wireless network in a secure manner

2012-01-22T13:21:00.000-08:00

1.4.5 TLS

2012-01-22T13:18:00.000-08:00

TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications in scenarios where that data is being sent across an insecure network, such as checking your email. The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.

TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.

The main benefit in opting for TLS over SSL is that TLS was incepted as an open-community standard, meaning TLS is more extensible and will likely be more widely supported in the future with other Internet standards. TLS is even backwards compatible, possessing the ability to “scale down” to SSL if necessary to support secure client-side connections that only understand SSL.

Another more immediate benefit, however, is that TLS allows both secure and insecure connections over the same port, whereas SSL requires a designated secure-only port.

TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

TLS is an IETF standards track protocol, last updated in RFC 5246, and is based on the earlier SSL specifications developed by Netscape Communications.

References:

http://en.wikipedia.org/wiki/Transport_Layer_Security
http://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380513(v=VS.85).aspx
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

1.4.2 SNMP

2012-01-22T13:16:00.000-08:00

SNMP

1.4.1 IPSec

2012-01-22T13:15:00.000-08:00

IPSec

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks.

Its primary goals are data confidentiality, data integrity, and host authentication. The combination of integrity and authentication provides non-repudiation. IPSec also detects replay attacks.

IPSec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

Unlike protocols such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), that operate in the upper layers of the TCP/IP model, IPSec operates in the Internet Layer of the Internet Protocol Suite and protects any application traffic across an IP network. Applications do not need to be specifically designed to use IPSec.

Because IPSec is integrated at the Internet layer (layer 3), it provides security for almost all protocols in the TCP/IP suite, and because IPSec is applied transparently to applications, there is no need to configure separate security for each application that uses TCP/IP.

IPSec, although not a tunneling protocol, provides encryption to tunneling protocols; it's often used to enhance tunnel security.

Internet Protocol Security Internet Protocol Security (IPSec) isn't a tunneling protocol, but it's used in conjunction with tunneling protocols. IPSec is oriented primarily toward LAN-to-LAN connections, but it can also be used with remote connections. IPSec provides secure authentication and encryption of data and headers; this makes it a good choice for security. IPSec can work in either Tunneling mode or Transport mode. In Tunneling mode, the data or payload and message headers are encrypted. Transport mode encrypts only the payload. IPSec is an add-on to IPv4 and built into IPv6.

References:

http://www.cromwell-intl.com/tcpip/what-is-ipsec.html
http://technet.microsoft.com/en-us/library/cc776369(WS.10).aspx
http://www.unixwiz.net/techtips/iguide-ipsec.html
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.4 Implement and use common protocols

2012-01-22T13:12:00.000-08:00

Implement and use common protocols

IPSec
SNMP
SSH
DNS
TLS
SSL
TCP/IP
FTPS
HTTPS
SFTP
SCP
ICMP
IPv4 vs. IPv6

1.3.9 Cloud Computing

2012-01-22T13:10:00.001-08:00

Cloud Computing

o Platform as a Service
o Software as a Service
o Infrastructure as a Service

1.3.8 Virtualization

2012-01-22T13:06:00.000-08:00

Virtualization

Virtualization providers include proprietary solutions from VMware, Citrix, Microsoft and Red Hat open source solutions from Xen and VirtualBox, for example.

Virtualization technology allows you to take any single physical device and hide its characteristics from users—in essence allowing you to run multiple items on one device and make them appear as if they are stand-alone entities.

Virtualization is a method of running multiple independent virtual operating systems on a single physical computer. It is a way of maximizing physical resources to maximize the investment in hardware.

A single server can host multiple (logical) virtual machines. Each virtual machine (VM) can run a different operating system, e.g. Ubuntu Linux, Microsoft Windows 2008 R2, etc. By using one host to do multiple functions, you can immediately gain cost savings in terms of hardware, utility, infrastructure, etc.

Virtualization presents security challenges. A user accessing the system could have access to everything on the system (not just within their virtual machine) if they could override the physical layer protection.

Some of the security risks that are possible with virtualization include the following:

Breaking Out of the Virtual Machine – If a malcontent could break out of the virtualization layer and be able to access the other virtual machines, they could access data they should never have access to.
Network and Security Controls Can Intermingle – The tools used to administer the virtual machine may not have the same granularity as those used to manage the network. This could lead to privilege escalation and a compromise of security.
Virtualization software, also called a hypervisor or the virtual machine monitor, emulates computer hardware allowing multiple operating systems to run on a single physical computer host. It is the software that allows the virtual machines to exist. If the hypervisor can be successfully attacked, the attacker can gain root-level access to all virtual systems.

There are two types of x86 server virtualization: bare-metal and hosted. Sometimes these types are referred to as Type-1 and Type-2 hypervisors respectively. Bare-metal means the virtualization layer (hypervisor) installs directly onto a server without the need for a traditional operating system like Windows or Linux to be installed first. “Hosted” means that an operating system must first be installed on a server, and the virtualization layer is installed afterwards, just like an application.

Types of virtualization include:

Server virtualization – run multiple independent virtual operating systems on a single physical computer.
Desktop virtualization –separating the logical desktop from the physical machine, e.g. virtual desktop infrastructure (VDI).
Application virtualization – hosting individual applications in an environment separated from the underlying OS.
Memory virtualization – aggregation of RAM resources from networked systems into a single memory pool
Network virtualization – creation of a virtualized network addressing space within or across network subnets
Storage virtualization –abstracting logical storage from physical storage

References:

http://en.wikipedia.org/wiki/Network_Access_Control
http://searchnetworking.techtarget.com/definition/network-access-control
http://itknowledgeexchange.techtarget.com/virtualization-pro/what-is-virtualization/
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.7 NAC

2012-01-22T13:02:00.000-08:00

NAC

NAC – Network access control is a method of bolstering the security of a proprietary network by restricting the availability of network resources only to endpoint devices that comply with a defined security policy.

NAC aims to control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

When a computer connects to a computer network, it is not permitted to access anything unless it complies with a minimum set of parameters. Checks include the devices operating system, application patch level, anti-virus protection level, user access rights, system update level and configuration.

While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system.

NAC’s goals include:

Mitigation of proliferation – NAC solutions attempt to block end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk.
Policy enforcement – NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in the network.
Identity and access management – Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities.
Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete.

References:

http://en.wikipedia.org/wiki/Network_Access_Control
http://searchnetworking.techtarget.com/definition/network-access-control
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.6 Telephony

2012-01-22T12:59:00.000-08:00

Telephony

When telephone technology is married with information technology, the result is known as telephony. A breach in your telephony infrastructure is just as devastating as any other violation and can lead to the loss of valuable data.

Telephony is the technology associated with the electronic transmission of voice, fax, or other information between distant parties using systems historically associated with the telephone.

Internet telephony is the use of the Internet rather than the traditional telephone company infrastructure and rate structure to exchange spoken or other telephone information. The term is used frequently to refer to computer hardware and software that performs functions traditionally performed by telephone equipment.

As more organizations migrate from land lines to Voice over IP (VoIP) for cost savings and agility, security is increasingly important for Internet Telephony. VOIP can be easily sniffed with tools such as Cain & Abel and is susceptible to Denial of Service (DoS) attacks because it rides on UDP. There is also the outage issue with VoIP in cases where the data network goes down and you lose the telephony as well.

Related terms include: POTS – plain old telephone system; PSTN – public switched telephone network; VoIP – voice over IP; PBX – private branch exchange; SPIT – spam over Internet Telephony.

References:

http://www.webopedia.com/TERM/T/telephony.html
http://searchunifiedcommunications.techtarget.com/definition/Telephony
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.5 Remote Access

2012-01-22T12:57:00.000-08:00

Remote Access

Remote access is the broad collection of mechanisms that allow external entities to interact with an internal closed environment. One of the first tools for remote access was the dial-up modem. Today we regularly employ encrypted VPN tunnels.

Security over a remote access connection is critical, e.g. via an encrypted tunnel, one-time passwords, etc. Additionally, you need to be aware of every flow of data that penetrates the boundaries of your private LAN and fully control each and every bit of data moving across such a gateway. Monitor your environment and review logs.

A first-stage remote access defense is a separate authentication system for remote access that preauthenticates all connections before they are allowed to interact with the LAN itself. If the remote access user fails to properly authenticate to the first-stage defense barrier, they are denied access to the servers on the LAN.

Preauthentication systems make full network attacks from remote links more difficult. If the preauthentication system is disabled, then no communication is allowed from any remote access link. It is better to lose remote access capabilities than it is to lose the entire private LAN.

Remote access can occur over many pathways including broadband, VPN, wireless, satellite, remote control, and remote shell.

Connection filtering, offered by some preauthentication systems, allows for restrictions to be placed on remote access links. These restrictions can include the type of OS used, the protocols supported, the user accounts involved, the time of day, the logical addressing of the client, the LAN systems the remote client is allowed to communicate with, and even the content of the communication.

Another important aspect of remote access to consider is that even with the best security on the remote access link itself, if the remote client is compromised, it could lead to the compromise of the LAN. Remote clients can be compromised by malware, theft, or physical intrusion of their storage location.

References:

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.4 NAT

2012-01-22T12:53:00.000-08:00

NAT

Network Address Translation (NAT) as defined in RFC 1631 enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.

NAT acts as a proxy between the local area network (which can be using private IP addresses) and the Internet (which must use public IP addresses).

Most NAT implementations assign internal hosts private IP address numbers and use public addresses only for the NAT to translate to and communicate with the outside world. The private address ranges are as follows:

10.0.0.0–10.255.255.255
172.16.0.0–172.31.255.255
192.168.0.0–192.168.255.255

NAT is like the receptionist in a large office. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.

NAT has many forms and can work in several ways including: Static NAT – Mapping an unregistered IP address to a registered IP address on a one-to-one basis., Port Address Translation – A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.
NAT only allows connections that originated on the inside network. This means, that an internal client can connect to an outside FTP server, however an outside client will not be able to connect to an internal FTP server because it would have to originate the connection and NAT will not allow that.

The value of using NAT includes:

Security – external users do not know the real IP addresses of internal hosts
Efficiency – as it limits the number of public IP addresses an organization or company must use

NAT effectively hides your network from the world, making it much harder to determine what systems exist on the other side of the router. The NAT server effectively operates as a firewall for the network.
In addition to NAT, Port Address Translation (PAT) is possible. Whereas NAT can use multiple public IP addresses, PAT uses a single one and shares the port with the network.

Along with Classless Interdomain Routing (CIDR), NAT helps reduce the need for a large amount of publicly known IP addresses by an organization or user.

References:

http://computer.howstuffworks.com/nat1.htm
http://www.vicomsoft.com/learning-center/network-address-translation/
http://www.faqs.org/rfcs/
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.3 VLAN

2012-01-22T12:50:00.000-08:00

VLAN

A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location.
A VLAN allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access. You can also set up VLANs to control the paths that data takes to get from one point to another. A VLAN is a good way to contain network traffic to a certain area in a network.

A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch. VLAN membership can be configured through software instead of physically relocating devices or connections.

VLANs address issues such as scalability, security, and network management.

By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain.

On a LAN, hosts can communicate with each other directly through broadcasts, no forwarding devices such as routers, are needed. As the LAN grows, the amount of broadcast traffic grows. Shrinking the size of the LAN by segmenting it into smaller groups (VLANs) reduces the size of the broadcast domains. The advantages of doing this include reducing the scope of the broadcasts, improving performance and manageability, and decreasing dependence on the physical topology. A key benefit is that VLANs can increase security by allowing users with similar data sensitivity levels to be segmented together.

A VLAN is a broadcast domain created by switches.

References:

http://www.cs.wustl.edu/~jain/cis788-97/ftp/virtual_lans/index.htm
http://www.petri.co.il/csc_setup_a_vlan_on_a_cisco_switch.htm
http://www.tech-faq.com/vlan.html
http://en.wikipedia.org/wiki/Virtual_LAN
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.2 Subnetting

2012-01-19T18:46:00.000-08:00

Subnetting

Subnetting is how networks are divided. RFCs 1466 and 1918 detail subnetting and can be found at http://www.faqs.org/rfcs/.

The practice of dividing a single network into two or more networks is called subnetting and the networks created are called subnetworks or subnets.

This results in the logical division of an IP address into two fields, a network or routing prefix and the host identifier.

The routing prefix is expressed in CIDR notation. It is written as the first address of a network, followed by a slash character (/), followed by the bit-length of the prefix. For example, 192.168.1.0/24 is the prefix of the IPv4 network starting at the given address, having 24 bits allocated for the routing prefix, and the remaining 8 bits reserved for host addressing.

In IPv4 the routing prefix can also be specified in the form of the subnet mask, expressed in quad-dotted decimal representation, e.g. 255.255.255.0 is the network mask for the 192.168.1.0/24 prefix.

If definitions are helpful to you, use these vocabulary terms to get you started:

Address—The unique number ID assigned to one host or interface in a network.
Subnet—A portion of a network sharing a particular subnet address.
Subnet mask—A 32-bit combination used to describe which portion of an address refers to the subnet and which part refers to the host.
Interface—A network connection.

The smallest subnet that has no more subdivisions within it is considered a single "broadcast domain," which directly correlates to a single LAN (local area network) segment on an Ethernet switch.

Subnets have a beginning and an ending, and the beginning number of a specific subnet is always even (192.168.10.0) and the ending number is always odd (192.168.10.255). The beginning number is the "Network ID" and the ending number is the "Broadcast ID".

Subnetting an IP Network can be done for a variety of reasons, including traffic segmentation, organization, preservation of address space, and security. In an Ethernet network, all nodes on a segment see all the packets transmitted by all the other nodes on that segment. Performance can be adversely affected under heavy traffic loads, due to collisions and the resulting retransmissions.

The subnet mask plays a crucial role in defining the size of a subnet, limiting broadcast traffic to within the subnet and hiding network details from external users.

Subnetting for IPv4 was originally defined to make better use of the host bits for Class A and Class B IPv4 public address prefixes.

References:

http://en.wikipedia.org/wiki/Subnetwork
http://www.techrepublic.com/article/ip-subnetting-made-easy/6089187
http://technet.microsoft.com/en-us/library/bb726997.aspx
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800a67f5.shtml
http://www.ralphb.net/IPSubnet/subnet.html
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3.1 DMZ

2012-01-19T18:41:00.000-08:00

DMZ

In military terms, a demilitarized zone (DMZ) is an area, usually the frontier or boundary between two or more military powers (or alliances), where military activity is not permitted, usually by peace treaty, armistice, or other bilateral or multilateral agreement.

Pic from sheylara.com

By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization.

In computer security, a DMZ (or perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Hosts in the DMZ provide services such as e-mail, web and Domain Name System (DNS) servers to users outside of the local area network. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network and an intervening firewall controls the traffic between the DMZ servers and the internal network clients.

A single firewall can be used to create a network architecture containing a DMZ. However a more secure approach uses two firewalls to create a DMZ. The first firewall is configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" firewall) allows only traffic from the DMZ to the internal network.

This setup is considered more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities.

A DMZ is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network.
A host that exists outside the DMZ and is open to the public is often called a bastion host.

References:

http://en.wikipedia.org/wiki/DMZ_(computing)
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.3 Distinguish and differentiate network design elements and compounds

2012-01-19T18:33:00.000-08:00

Distinguish and Differentiate Network Design Elements and Compounds

DMZ
Subnetting
VLAN
NAT
Remote Access
Telephony
NAC
Virtualization
Cloud Computing

Platform as a Service
Software as a Service
Infrastructure as a Service

1.2.12 Log analysis

2012-01-18T22:06:00.000-08:00

Log analysis is crucial to identifying problems that occur related to security. As an administrator, you have the ability to turn on logging at many different locations and levels. The next step is to properly analyze what has been collected.

Not only do you need to collect and analyze the logs, but you also need to store them for a time in the future when you want to compare what is happening now to then (baselining). They should be stored in a format that you can quickly access and understand without having to convert them to a document each time you want to look at them.

References:

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.2.11 Prevent Network Bridging by Network Separation

2012-01-18T22:05:00.000-08:00

Network bridging occurs when a device has more than one network adapter card installed and the opportunity presents itself for a user on one of the networks to which the device is attached to jump to the other.

When a server has multiple network interface cards (NICs), server is referred to known as multihomed hosts).
To prevent network bridging, you can configure your network such that when bridging is detected, you shut off/disable that jack. You can also create profiles that allow for only one interface.

References:

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.2.10 Implicit Deny

2012-01-18T22:03:00.000-08:00

Implicit deny refers to the security principle of starting a user out with no access rights and granting permissions to resources as required. It requires that all access is denied by default and access permissions are granted to specific resources only when required.

An implicit deny clause is implied at the end of each ACL, and it means that if the proviso in question has not been explicitly granted, then it is denied.

References:

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.2.9 Loop Protection

2012-01-17T22:26:00.001-08:00

Similar to flood guards, loop protection is a feature that works in layer 2 switching configurations and is intended to prevent broadcast or network loops which occur when there is more than one network path between two network hosts.

The Spanning Tree Protocol (STP) is an example of a loop protection method. Its goal is to ensure loop-free bridged Ethernet LANs. It operates at the data link layer and makes sure there is only one active path between two stations.

References:

CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.8 Flood Guards

2012-01-17T22:25:00.000-08:00

A flood guard is a protection feature built into many firewalls that allow the administrator to tweak the tolerance for unanswered login attacks.

It tracks network traffic to identify scenarios that will overwhelm our network through conditions such as SYN, ping, port floods, etc. By reducing this tolerance, it is possible to reduce the likelihood of a successful DoS attack. If a resource—inbound or outbound—appears to be overused, then the flood guard kicks in.

References:

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.7 802.1X

2012-01-17T22:22:00.000-08:00

To understand IEEE 802.1X standard means it helps to discuss three separate concepts: PPP, EAP and 802.1X itself.

PPP (Point-to-Point Protocol) is most commonly used for dial-up Internet access.

PPP defines an authentication mechanism to authenticate the user at the other end of the PPP line. As security requirements became more sophisticated, organizations needed more than simple username and passwords authentication. A new authentication protocol, called the Extensible Authentication Protocol (EAP), was designed. EAP sits inside of PPP's authentication protocol and provides a generalized framework for several different authentication methods. EAP is supposed to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates all work smoothly.

The IEEE 802.1X standard, is a standard for passing EAP over a wired or wireless LAN. It defines port-based security for wireless network access control. With 802.1X, you package EAP messages in Ethernet frames and without the overhead of PPP. It offers a means of authentication and defines the Extensible Authentication Protocol (EAP) over IEEE 802 and is often known as EAP over LAN (EAPOL).

The biggest benefit of using 802.1X is that the access points and the switches do not need to do the authentication but instead rely on the authentication server to do the actual work.

802.1X involves three parties:

Supplicant - the user or client device, such as a laptop, that wants to be authenticated.
Authentication server - the actual server doing the authentication, e.g. a RADIUS server.
Authenticator - the device in between, such as a wireless access point.

One of the key points of 802.1X is that the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. This makes 802.1X ideal for wireless access points, which are typically small and have little memory and processing power.

References:

http://www.networkworld.com/news/2010/0506whatisit.html
http://en.wikipedia.org/wiki/IEEE_802.1X
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.6 Port Security

2012-01-17T22:16:00.001-08:00

Port security works at level 2 of the OSI model and allows an administrator to configure switch ports to only certain MAC addresses that can use the port.

MAC Limiting and Filtering limit access to the network to MAC addresses that are known, and filter out those that are not.

MAC filtering is not foolproof, and a quick look in a search engine will turn up tools that can be used to change the MAC address and help miscreants circumvent this control.

Disable Unused Ports. All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.

References:

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.5 Access Control Lists

2012-01-17T21:49:00.000-08:00

Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them certain network capabilities. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.

Within ACLs, there exists a condition known as implicit deny. An implicit deny clause is implied at the end of each ACL and it means that if the proviso in question has not been explicitly granted, then it is denied. The entity being denied because it does not appear on the list can be a source address, a destination address, a packet type, or almost anything else you want to deny access.

Firewall rules act like ACLs and are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule's criteria:

Block the connection.
Allow the connection.
Allow the connection only if it is secured.

The rules can be applied to inbound traffic or outbound traffic and any type of network (LAN, wireless, remote access). On a regular basis, you should audit the firewall rules and verify that you are obtaining the results you wish and make any modifications needed.

ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists.

An access list entry that is contained inside the ACL usually includes the origin of the network packet, the destination, the protocol used, the TCP/IP port used and whether access is permitted or denied.

References:

http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html
http://en.wikipedia.org/wiki/Access_control_list
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.4 Secure Router Configuration

2012-01-17T21:46:00.000-08:00

One of the most important things you can do to secure your network is make sure you secure the router. To securely configure the router, you must do the following:

Validate a network design before implementation. Document your environment.
Change the Default Password. The password for the administrator is set before the router leaves the factory. Employ good password principles and change it to a value that only you know.
Walk through the Advanced Settings. These settings will differ based on the router manufacturer and type but often include settings to block ping requests, perform MAC filtering, and so on.
Keep the Firmware Upgraded. Router manufacturers often issue patches when problems are discovered.

Always remember to back up your router configuration before making any significant changes. When transferring a configuration, always use a secure method where available. Transfer protocols include: TFTP (cleartext), SCP (encrypted) and HTTPS (encrypted).

Physically secure your router. Additionally all router ports, both console ports and inbound ports should be secure.

Router configuration changes should be done from the console and not a remote location.

References:

Security+ Guide to Network Security Fundamentals, Fourth Edition
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.3 VLAN Management

2012-01-17T21:41:00.000-08:00

A virtual LAN, (VLAN), is a group of hosts with a common set of requirements that communicate as if they were attached to the same wire, regardless of their physical location. A VLAN allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access.

A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same LAN segment. Network reconfiguration can be done through software instead of physically relocating devices.

VLANs address issues such as scalability, security, and network management.

A VLAN is a good way to contain network traffic to a certain segment of the network.

On a LAN, hosts can communicate with each other through broadcasts, and no forwarding devices, such as routers, are needed. As the LAN grows, so too does the amount of chatter. Shrinking the size of the LAN by segmenting it into smaller groups (VLANs) reduces the size of the broadcast domain (and the amount of chatter). The advantages of doing this include reducing the scope of the broadcasts, improving security, performance and manageability, and decreasing dependence on the physical topology. VLANs allow users with similar data sensitivity levels to be segmented together.

A VLAN is a logical subdivision of a Layer 2 network that makes a single Layer 2 infrastructure operate as though it were multiple, separate Layer 2 networks. This is accomplished by adding a numeric tag field to each data packet as it leaves a Layer 2 switch which identifies the VLAN number to which the packet belongs. Other VLAN-enabled switches honor the VLAN numbering scheme to segregate the network into logical, virtual networks.

It is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs.

The protocol used in configuring virtual LANs is IEEE 802.1Q.

With port-based VLAN membership, the port is assigned to a specific VLAN independent of the user or system attached to the port. This means all users attached to the port should be members in the same VLAN.

In a protocol based VLAN enabled switch, traffic is forwarded through ports based on protocol.

References:
• http://www.connect802.com/vlans.htm
• CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
• CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.2 Firewall Rules

2012-01-17T21:36:00.000-08:00

You create firewall rules to allow a computer to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules act like ACLs and are used to dictate what traffic can pass between the firewall and the internal network. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria:

Block the connection.
Allow the connection.
Allow the connection only if it is secured.

The rules can be applied to inbound traffic or outbound traffic and any type of network (LAN, wireless, BPN, remote access). The rule can be configured to specify the computers or users, program, service, or port and protocol. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used.

The rules of a firewall follow the first-match-apply rule system. The final rule in a firewall set should be a default deny. In this way, anything that is not specifically allowed or that was not explicitly denied by an earlier rule is always blocked by default.

On a regular basis, you should audit the firewall rules and verify that you are obtaining the results you wish and make any modifications needed.

Depending on the type of firewall, separate inbound and outbound rules must be created, unless the firewall supports stateful inspection.

References:

http://technet.microsoft.com/en-us/library/dd421709(WS.10).aspx
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.1 Rule-based management

2012-01-16T22:39:00.000-08:00

Rule-based management, also known as label-based management, defines conditions for access to objects. The access is granted to the object based on both the object's sensitivity label and the user's sensitivity label. With all rules, an action must be defined. That action is triggered when conditions are or are not met.

Rule-based management is the concept of controlling the security of communications and IT events through rule- or filter-driven systems. Firewalls, proxies, routers, IDS, IPS, antivirus and more are examples of rule-based security management systems. Each of these systems has a set of rules. Each rule is either an explicit allow or deny. If an event or packet does not match any rule, it should be denied by default.

Rule-based management is one method of implementing a white list security management concept. In a white-list security management system if the event or activity does not match an allow rule, it is denied by default. Even new zero-day attacks are blocked using a white-list management system.

How to go about configuring a firewall should stem directly from the business rules established in the organization's security policy and by always placing your "allow" rules lower in priority than your "deny" filters, your overall rule set will be more secure.

References:

http://searchsecurity.techtarget.com/tip/Firewall-rule-management-best-practices
http://searchsecurity.techtarget.com/tip/How-to-reduce-risks-with-URL-filtering
CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2 Apply and implement secure network administration principles

2012-01-16T22:35:00.000-08:00

Rule-based management
Firewall rules
VLAN management
Secure router configuration
Access control lists
Port Security
802.1x
Flood guards
Loop protection
Implicit deny
Prevent network bridging by network separation
Log analysis

1.1.13 URL filtering, content inspection, malware inspection

2012-01-16T22:31:00.000-08:00

URL (Uniform Resource Locator):

points your web browser at a web page of your choice
is a flexible 'meta language' allowing remote computers to exchange executable content and commands
are a conduit for client/server data.

Controlling the URLs that enter and leave your network is an important way to reduce risks posed by hackers, worms and spyware.

URL filtering (or web filtering), involves blocking websites (or sections of websites) based solely on the URL; restricting access to specified websites and certain web-based applications. This is in contrast to content filters, which block data based on its content rather than where it is coming from. Within Internet Explorer, the Phishing Filter included with IE7 acted as a URL filter. In IE8 and later this was replaced by SmartScreen Filter.

URL filtering can focus on all or part of a FQDN, specific path names, specific file names, specific file extensions, or entire specific URLs. Many URL filtering tools can obtain updated master URL block lists from vendors as well as allow administrators to add or remove URLs from a custom list.

Here are two ways filtering URLs on their way out of your network can make you safer:

Require users to access the Internet via a proxy server.
Filter outbound URLs to enforce compliance with corporate Internet acceptable usage policies.

URL filters can also be valuable tools in the fight against spyware, worms and Trojan horse software. In addition to allowing you to block access to sites harboring harmful code, they can help you eliminate the use of Web-based e-mail services, file sharing sites and other Web resources that allow files into your network without the proper virus scanning.

Here are two ways to control the URLs entering your network:

The first line of defense is having well-written web applications that validate inputs and protect themselves against attack (e.g. from unexpected input from parameters passed in URLs).
Add an application level firewall to create defense in-depth. When packets try to enter your network, subject them to rules that insure they should be admitted.

Content inspection is the security filtering function where the contents of the application protocol payload are inspected. Often such inspection is based on keyword matching. A master black list of unwanted terms, addresses, or URLs is used to control what is or is not allowed to reach a user.

Instead of relying on a website to be previously identified as questionable, as URL filtering does, content inspection works by looking at the data coming in. Within the most recent versions of Internet Explorer, content filtering can be configured using Content Advisor.

Malware inspection is the use of a malware scanner (a.k.a antivirus scanner or spyware scanner) to detect unwanted software content in network traffic. If malware is detected it can be blocked, logged and/or trigger an alert.

It is important to stop malware before it ever gets hold of a system. While tools that identify malware when they find it on a system are useful, real-time tools that stop it from ever making it to the system are better.

References:

http://technet.microsoft.com/en-us/library/dd182018.aspx
http://searchsecurity.techtarget.com/tip/How-to-reduce-risks-with-URL-filtering
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.12 Web application firewall vs. network firewall

2012-01-16T17:23:00.000-08:00

An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall.

The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which by default is unable to control network traffic regarding a specific application.

The Web Application Firewall (WAF) is an intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. It is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked.

Examples of WAF include Cisco - ACE Web Application Firewall and SecureSphere Web Application Firewall (WAF).

The network firewall controls and monitors access between different networks by filtering inbound and outbound traffic, manages access controls to requested locations and typically blocks all services except those specifically permitted.

References:

http://www.webappsec.org/projects/glossary/
http://en.wikipedia.org/wiki/Application_firewall
https://www.owasp.org/index.php/Web_Application_Firewall
http://www.imperva.com/products/wsc_web-application-firewall.html
Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.11 Spam Filter

2012-01-16T17:20:00.000-08:00

Spam filter, all-in-one security appliances

A spam filter is a software program that sorts incoming mail in order to identify and pull out unsolicited and unwanted email, also known as spam. Spam filters catch unwanted email and filter it out before it gets delivered internally to a user's inbox. The filtering is done based on rules, e.g. block email coming from certain IP addresses, email that contains particular words in the subject line, and the like. While spam filters are usually used to scan incoming messages, they can also be used to scan outgoing as well and thus act as a quick identifier of internal PCs that may have contracted a virus.

Spam can be used to spread malicious code like viruses and Trojans, and for perpetuating phishing scams. For these reasons and more, a spam filter is a great way to help protect your computer or network and cut out junk mail.

SpamAssassin is a well-known open source spam filter.

Like other types of filtering programs, a spam filter looks for certain criteria on which it bases judgments. From simply scanning subject lines for particular words to more sophisticated methods such as those based on Bayesian statistical methodoloy or other heuristic filters, spam filters attempt to identify spam through suspicious word patterns or word frequency.

References:

http://www.wisegeek.com/what-is-a-spam-filter.htm
http://searchmidmarketsecurity.techtarget.com/definition/spam-filter
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.1.10 Sniffer

2012-01-16T16:57:00.000-08:00

A sniffer is a network analysis tool to help you locate network problems. It consists of a well-integrated set of functions that can resolve network problems. Sniffers can list network packets in real-time from multiple network card (Include Modem, ISDN, ADSL) and can support capturing packets based on applications and protocols e.g. Ethernet, IP, TCP, UDP, PPPOE, HTTP, FTP, WINS, PPP, SMTP, POP3.

Sniffers (also known as network monitors) helps troubleshoot network problems.

A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming. Sniffers usually act as network probes or "snoops." They examine network traffic, making a copy of the data without redirecting or altering it.

Network-monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring software.

References:

http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm
http://www.colasoft.com/resources/network-sniffer.php
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.1.9 Protocol Analyzer

2012-01-16T16:53:00.000-08:00

A "protocol analyzer" is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Protocol analyzers (also known as and packet sniffers) refer to the process of monitoring the data that is transmitted across a network. Sniffers highlight that sensitive information should not be sent using insecure methods.

Protocol analyzers can be stand-alone applications or used with other network monitoring and intrusion detection applications to monitor and capture network data right down to the packet and frame level.

This tool can be used in conjunction with intrusion detection and prevention systems to analyze large blocks of network data and protocols. This scanning can detect specific behaviors of known exploits or network attacks.

This information can be communicated to the IDS, which will block those network packets from reaching the client.

References:

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.8 NIDS and NIPS

2012-01-15T22:30:00.000-08:00

NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic)

An intrusion detection system (IDS) is software that runs on a server or network device to monitor and track network activity. By using an IDS, a network administrator can configure the system to monitor network activity for suspicious behavior that can indicate unauthorized access attempts. IDSs can be configured to evaluate system logs, look at suspicious network activity, and disconnect sessions that appear to violate security settings.

IDSs can be sold with firewalls. Firewalls by themselves will prevent many common attacks, but they don't usually have the intelligence or the reporting capabilities to monitor the entire network. An IDS, in conjunction with a firewall, allows both a reactive posture with the firewall and a preventive posture with the IDS.

In response to an event, the IDS can react by disabling systems, shutting down ports, ending sessions, deception (redirect to honeypot), and even potentially shutting down your network. A network-based IDS that takes active steps to halt or prevent an intrusion is called a network intrusion prevention system (NIPS). When operating in this mode, they are considered active systems.

Passive detection systems log the event and rely on notifications to alert administrators of an intrusion. Shunning or ignoring an attack is an example of a passive response, where an invalid attack can be safely ignored. A disadvantage of passive systems is the lag between intrusion detection and any remediation steps taken by the administrator.

Intrusion prevention systems (IPS) like IDSs follows the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity.

A network-based IDS examines network patters, such as an unusual number or requests destined for a particular server or service, such as an FTP server. Network IDS systems should be located as upfront as possible, e.g. on the firewall, a network tap, span port, or hub, to monitor external traffic. Host IDS systems on the other hand, are placed on individual hosts where they can more efficiently monitor internally generated events.

Using both network and host IDS enhances the security of the environment.

Snort is an example of a network intrusion detection and prevention system. It conducts traffic analysis and packet logging on IP networks. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine.

Network based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic. Using the captured data, the Network IDS processes and flags any suspicious traffic. Unlike an intrusion prevention system, an intrusion detection system does not actively block network traffic. The role of a network IDS is passive, only gathering, identifying, logging and alerting.

Host based intrusion detection system (HIDS) attempts to identify unauthorized, illicit, and anomalous behavior on a specific device. HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity. The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and alerting. Tripwire is an example of a HIDS.

There are no fully mature open standards for ID at present. The Internet Engineering Task Force (IETF) is the body which develops new Internet standards. They have a working group to develop a common format for IDS alerts.

The following types of monitoring methodologies can be used to detect intrusions and malicious behavior: signature, anomaly, heuristic and rule-based monitoring.

A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS.

A network IDS signature is a pattern that we want to look for in traffic. Signatures range from very simple – checking the value of a header field – to highly complex signatures that may actually track the state of a connection or perform extensive protocol analysis.

An anomaly-based IDS examines ongoing traffic, activity, transactions, or behavior for anomalies (things outside the norm) on networks or systems that may indicate attack. An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network, what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other, and alert the administrator when traffic is detected which is anomalous to the baseline.

A heuristic-based security monitoring uses an initial database of known attack types but dynamically alters their signatures base on learned behavior of network traffic. A heuristic system uses algorithms to analyze the traffic passing through the network. Heuristic systems require more fine-tuning to prevent false positives in your network.

A behavior-based system looks for variations in behavior such as unusually high traffic, policy violations, and so on. By looking for deviations in behavior, it is able to recognize potential threats and respond quickly.
Similar to firewall access control rules, a rule-based security monitoring system relies on the administrator to create rules and determine the actions to take when those rules are transgressed.

References:
• http://netsecurity.about.com/cs/hackertools/a/aa030504.htm
• http://www.sans.org/security-resources/idfaq/
• CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
• Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.7 VPN Concentrators

2012-01-15T22:20:00.000-08:00

A virtual private network (VPN) is a secure and private point-to-point connection over a public network. It provides an encrypted tunnel between the client and the remote network. A private network provides security over an otherwise unsecure environment.

VPNs connect two LANs together across the Internet or other public networks. VPNs are also used to connect two remote routers to form a secure WAN. A VPN is implemented either as special hardware or software running on a server.

A VPN typically use a tunneling protocol such as Layer 2 Tunneling Protocol (L2TP), IPSec, or Point-to-Point Tunneling Protocol (PPTP).

To guarantee security, both ends of the VPN connection must be running the same type of VPN with equivalent protocols (e.g. L2TP) and encryption method (IPSec).

A VPN concentrator is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security.

VPN concentrators incorporate the encryption and authentication techniques to create a remote-access or site-to-site VPN connection. Cisco VPN concentrators, for example, include components, called Scalable Encryption Processing (SEP) modules, that enable users to easily increase capacity and throughput.

References:
• http://searchnetworking.techtarget.com/answer/How-does-the-VPN-concentrator-work
• CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
• Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.6 Web Security Gateways

2012-01-15T22:03:00.000-08:00

Web security gateway, can be thought of as a proxy server (performing proxy and caching functions) with web protection that can range from a standard virus scanner on incoming packets to monitoring outgoing user traffic.

Potential red flags the gateway can detect/prohibit include inappropriate content, trying to establish a peer-to-peer connection with a file-sharing site, instant messaging, and unauthorized tunneling. You can configure most web security gateways to block known HTTP/HTML exploits, strip ActiveX tags, strip Java applets, and block/strip cookies.

Beyond the basic tasks of a web proxy, it provides content filtering and application-level security to protect end users from accessing dangerous web sites and downloading files that are infected with worms, spyware or malware, or else from connection to servers that host phishing and fraud sites.

Web security gateways can perform deep inspection of web HTTP traffic to prevent end users from accessing dangerous content.

These types of gateways can also scan text content of web sites to search for prohibited words and phrases that indicate offensive content. For maximum effectiveness, all end-user web browser clients must be configured to use the gateway as their web proxy.

References:
• CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
• Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.5 Proxies

2012-01-14T18:04:00.000-08:00

A proxy server works by intercepting connections between sender and receiver. All incoming data enters through one port and is forwarded to the rest of the network via another port. By blocking direct access between two networks, proxy servers make it much more difficult for hackers to get internal addresses and details of a private network.

The proxy is typically situated between the clients and the Internet, and it can be used to forward requests for many types of traffic and data transfers such as web and FTP. An HTTP proxy intercepts web access, and an SMTP proxy intercepts email. This protects the specific addresses of internal clients from being revealed to external servers and allows the proxy server to filter incoming and outgoing requests to prevent attacks and malware from reaching the client systems.

A proxy server uses a network addressing scheme to present one organization-wide IP address to the Internet. The server funnels all user requests to the Internet and returns responses to the appropriate users. In addition to restricting access from outside, this mechanism can prevent inside users from reaching specific Internet resources (e.g., certain web sites). A proxy server can also be one of the components of a firewall.

Proxies may also cache web pages. Each time an internal user requests a URL from outside, a temporary copy is stored locally. The next time an internal user requests the same URL, the proxy can serve the local copy instead of retrieving the original across the network, improving performance.

Proxy servers:
• Act as a firewall and content filter
• Improve performance

References:
• http://kb.iu.edu/data/ahoo.html
• http://www.proxyclub.org/blog/faqs
• Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.4 Load Balancers

2012-01-14T09:40:00.000-08:00

A load balancer is a network device that distributes the flow of network traffic between multiple network devices. The goal is to minimize network congestion and bottlenecks. Load balancers can be used to balance traffic to routers, web servers or other network devices either through round-robin techniques or more intelligent methods, e.g. taking into account the number of current connections or response time. It maximizes throughput and ensures the system has the capacity to handle incoming requests and ensure better allocation of resources

A load balancer can be implemented as a software or hardware. Under the most common implementation, the load balancer splits the traffic intended for a website into individual requests that are then rotated to redundant servers as they become available (if a server that should be available is busy or down, it is taken out of the rotation).

Load balancing allows the service to continue even in the face of server down time due to server failure or server maintenance. If you are load balancing across several servers and one of the servers fails, your service will still be available to your users, as the traffic will be diverted to the other servers in your server farm.
Load balancers are generally grouped into two categories: Layer 4 and Layer 7. Layer 4 load balancers act upon data found in network and transport layer protocols (IP, TCP, FTP, UDP). Layer 7 load balancers distribute requests based upon data found in application layer protocols such as HTTP.

Some industry standard algorithms are:
• Round robin
• Weighted round robin
• Least connections
• Least response time

Layer 7 load balancers can further distribute requests based on application specific data such as HTTP headers, cookies, or data within the application message itself, such as the value of a specific parameter.

References:
• http://www.f5.com/glossary/load-balancer.html
• http://www.wisegeek.com/what-is-load-balancing.htm
• CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
• Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.3 Switches

2012-01-14T07:29:00.000-08:00

Switches are multiport devices that improve network efficiency. Using switches improves network efficiency over hubs because of the virtual circuit capability. Switches also improve network security because the virtual circuits are more difficult to examine with network monitors.

A switch is a network device used to segment networks into smaller, more manageable sections and relays packets between the segments. Switches can be used for security, load balancing and performance improvements in a network.

A switch is able to inspect network packets and determine the source and destination to provide more efficient network flow and prevent network packets from one segment, from passing on to other network segments and causing network collisions.

Mastering the hula hoop (picture on right) requires an ability to switch the hips from one side to another in a rhythmic fashion. Now you will not forget what a switch is.

Switches map the Ethernet addresses of the nodes residing on each network segment and then allow only the necessary traffic to pass through the switch. When a packet is received by the switch, the switch examines the destination and source hardware addresses and compares them to a table of network segments and addresses. If the segments are the same, the packet is dropped ("filtered"); if the segments are different, then the packet is "forwarded" to the proper segment.

Switches can connect different networks types (such as Ethernet and Fast Ethernet) or networks of the same type.

A network switch or switching hub is a computer networking device that connects network segments.
An Ethernet switch operates at the data link layer of the OSI model to create a separate collision domain for each switch port. With 4 computers (e.g., A, B, C, and D) on 4 switch ports, A and B can transfer data back and forth, while C and D also do so simultaneously, and the two conversations will not interfere with one another.

A switch serves as a controller, enabling networked devices to talk to each other efficiently.
Switches create (or extend) a network. Routers connect networks.

Think of a switch as a traffic light (or traffic policeman) at a four-way intersection. The traffic light allows east-west (and west-east) traffic to move while holding back north-south (and south-north) traffic. And at an appropriate time the traffic light stops east-west (and west-east) traffic and allows north-south (and south-north) traffic to flow; analogous to how a switch operates.

References:
• http://www.technick.net/public/code/cp_dpage.php?aiocp_dp=guide_networking_switching
• http://en.wikipedia.org/wiki/Network_switch
• CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
• Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1.2 Routers

2012-01-08T20:45:00.000-08:00

A router links computers to the Internet, so users can share the connection. A router acts as a dispatcher, choosing the best path for information to travel so it's received quickly.

Switches create a network. Routers connect networks.

A router is a network device that connects several networks together and relays data between them.
A router is comprised of the following components: network interfaces, routing protocol, routing table, router operating system, routing policy or set of rules.

A router is a device that forwards data packets between computer networks. Routers work by providing a path between the networks. A router is connected to two or more data lines from different networks. When a data packet comes in on one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey.

Routers perform traffic directing functions on the Internet.
Routers store information about the networks to which they're connected. Most routers can be configured to operate as packet-filtering firewalls. Many of the newer routers also provide advanced firewall functions.

Routers, in conjunction with a Channel Service Unit/Data Service Unit (CSU/DSU), are also used to translate from LAN framing to WAN framing (for example, a router that connects a 100BaseT network to a T1 network). This is needed because the network protocols are different in LANs and WANs
Routers establish communication by maintaining tables about destinations and local connections. A router contains information about the systems connected to it and where to send requests if the destination isn't known.

Routers usually communicate routing and other information using one of three standard protocols: Routing Information Protocol (RIP), Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF).
An administrator should take a layered approach to protecting the network. The router should be only one part of that approach.

The routes themselves can be configured as static or dynamic. If they are static, then they are edited manually and stay that way until changed. If they are dynamic, then they learn of other routers around them and use information about those to build their routing tables.

When two or more computers are connected together they can share resources freely. We refer to this construct as a network. You can set up multiple such networks and each would be able to share resources only between its own set of computers. I.e. network #1 would allow sharing between its own set of computers, network #2 would allow sharing between its own set of computers. Suppose you wanted a computer in network #1 to communicate with a computer in network #2.

You could do it in one of two ways:

Put all computers in network #1 and network #2 together
Somehow connect network #1 and #2 together that allowed the communication but also maintained the separate identities of the two networks.

There are good reasons to follow the 2^nd option and to do that we use a router.

References:

http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/connect_employees_and_offices/what_is_a_network_switch/index.html
http://en.wikipedia.org/wiki/Router_(computing)
http://www.ciscorouting.com/routingbasics.html
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.1.1 Firewalls

2012-01-08T20:08:00.000-08:00

A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass. I.e. it examines each network packet, against a set of rules, to determine whether to forward it toward its destination.

Firewalls are one of the first lines of defense in a network; it cannot, however, be considered the only such line. The basic purpose of a firewall is to isolate one network from another. There are different types of firewalls and they can be either stand-alone systems or included in other devices such as routers or servers. You can implement a firewall in either hardware or software form, or a combination of both.
Firewalls can be located to monitor traffic between the internal and external networks. It can also be placed between internal networks. In any position, a firewall controls and monitors access between different networks by filtering inbound and outbound traffic.

To configure the firewall, an administrator can set up a number of rules to use each time on incoming and outgoing network communications.

Firewalls function as one or more of the following:

Packet filter
Proxy firewall
Stateful inspection firewall

Packet Filter Firewalls

A packet filtering firewall passes or blocks traffic to specific addresses based on the type of application. The packet filter doesn't analyze the data of a packet; it decides whether to pass it based on the packet's addressing information, e.g. source/destination IP address and port number. For instance, a packet filter may allow web traffic on port 80 and block Telnet traffic on port 23.

If a received packet request asks for a port that isn't authorized, the filter may reject the request or simply ignore it. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall.

Proxy Firewalls

Proxy firewalls operate at the application layer of the firewall, where both ends of a connection are forced to conduct the session through the proxy.

Proxy firewalls are also known as application gateway firewalls because they can inspect application layer traffic. Proxy firewalls combine stateful inspection technology with the ability to perform deep application inspections. A proxy service must be run for each type of Internet application the firewall will support -- a Simple Mail Transport Protocol (SMTP) proxy for e-mail, an HTTP proxy for Web services and so on.

The proxy intercepts all the packages and reprocesses them. In a proxy based firewall, every packet is stopped at the proxy firewall. The packet is then examined and compared to the rules configured into the firewall. If the packet passes the examinations, it is recreated and sent out. Because each packet is recreated, an application-proxy firewall has an increased potential to prevent unknown attacks than a packet filtering firewall. The drawback is that a separate application-proxy must be written for each application type being proxy examined.

A proxy firewall typically uses two network interface cards (NICs). One of the cards is connected to the outside network, and the other is connected to the internal network. The proxy software manages the connection between the two NICs. This setup segregates the two networks from each other and offers increased security.

The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. The proxy can also offer caching, should the same request be made again, and can increase the efficiency of data delivery.

The proxy function can occur at either the application level or the circuit level. Application-level proxy functions read the individual commands of the protocols that are being served. Circuit-level proxy creates a circuit between the client and the server and doesn't deal with the contents of the packets that are being processed.

Stateful Inspection Firewalls

Stateful inspection is also referred to as stateful packet filtering. It is a firewall that keeps track of the state of network connections traveling across it.

Stateless firewalls treats each network frame (or packet) in isolation. After a packet is passed, the packet and path are forgotten. A drawback is that they have no memory of previous packets which makes them vulnerable to spoofing attacks.

In stateful inspection (or stateful packet filtering), records are kept using a state table that tracks every communications channel. A stateful firewall is able to hold significant attributes of each connection in memory, from start to finish. This adds complexity to the process. Denial-of-Service attacks present a challenge because flooding techniques are used to overload the state table and effectively cause the firewall to shut down or reboot.

The stateful firewall depends on the three-way handshake of the TCP protocol when the protocol being used is TCP; when the protocol is UDP, the stateful firewall does not depend on anything related to TCP.

References:

http://en.wikipedia.org/wiki/Firewall_(computing)
http://en.wikipedia.org/wiki/Stateful_firewall
http://kb.iu.edu/data/aoru.html
http://virusprotectionformac.net/firewall-for-mac
http://www.tech-faq.com/firewall.html
http://www.akadia.com/services/firewall_proxy_server.html
CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
Mike Meyers' CompTIA Security+ Certification Passport, Second Edition by T. J. Samuelle

1.1 Explain the security function and purpose of network devices and technologies

2012-01-08T18:49:00.000-08:00

Firewalls
Routers
Switches
Load Balancers
Proxies
Web security gateways
VPN concentrators
NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic)
Protocol analyzers
Sniffers
Spam filter, all-in-one security appliances
Web application firewall vs. network firewall
URL filtering, content inspection, malware inspection

Security+ SYS-301 Blueprint & Table Of Content

2012-01-08T18:48:00.000-08:00

SY0-301 Certification Exam

1.0 Network Security

1.1 Explain the security function and purpose of network devices and technologies

. Firewalls
. Routers
. Switches
. Load Balancers
. Proxies
. Web security gateways
. VPN concentrators
. NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic)
. Protocol analyzers
. Sniffers
. Spam filter, all-in-one security appliances
. Web application firewall vs. network firewall
. URL filtering, content inspection, malware inspection

1.2 Apply and implement secure network administration principles
. Rule-based management
. Firewall rules
. VLAN management
. Secure router configuration
. Access control lists
. Port Security
. 802.1x
. Flood guards
. Loop protection
. Implicit deny
. Prevent network bridging by network separation
. Log analysis

1.3 Distinguish and differentiate network design elements and compounds
. DMZ
. Subnetting
. VLAN
. NAT
. Remote Access
. Telephony
. NAC
. Virtualization
. Cloud Computing
o Platform as a Service
o Software as a Service
o Infrastructure as a Service

1.4 Implement and use common protocols
. IPSec
. SNMP
. SSH
. DNS
. TLS
. SSL
. TCP/IP
. FTPS
. HTTPS
. SFTP
. SCP
. ICMP
. IPv4 vs. IPv6

1.5 Identify commonly used default network ports
. FTP
. SFTP
. FTPS
. TFTP
. TELNET
. HTTP
. HTTPS
. SCP
. SSH
. NetBIOS

1.6 Implement wireless network in a secure manner
. WPA
. WPA2
. WEP
. EAP
. PEAP
. LEAP
. MAC filter
. SSID broadcast
. TKIP
. CCMP
. Antenna Placement
. Power level controls

2.0 Compliance and Operational Security

2.1 Explain risk related concepts
. Control types
o Technical
o Management
o Operational

. False positives
. Importance of policies in reducing risk
o Privacy policy
o Acceptable use
o Security policy
o Mandatory vacations
o Job rotation
o Separation of duties
o Least privilege

. Risk calculation
o Likelihood
o ALE
o Impact

. Quantitative vs. qualitative
. Risk-avoidance, transference, acceptance, mitigation, deterrence
. Risks associated to Cloud Computing and Virtualization

2.2 Carry out appropriate risk mitigation strategies
. Implement security controls based on risk
. Change management
. Incident management
. User rights and permissions reviews
. Perform routine audits
. Implement policies and procedures to prevent data loss or theft

2.3 Execute appropriate incident response procedures
. Basic forensic procedures
o Order of volatility
o Capture system image
o Network traffic and logs
o Capture video
o Record time offset
o Take hashes
o Screenshots
o Witnesses
o Track man hours and expense
. Damage and loss control
. Chain of custody
. Incident response: first responder

2.4 Explain the importance of security related awareness and training
. Security policy training and procedures
. Personally identifiable information
. Information classification: Sensitivity of data (hard or soft)
. Data labeling, handling and disposal
. Compliance with laws, best practices and standards
. User habits
o Password behaviors
o Data handling
o Clean desk policies
o Prevent tailgating
o Personally owned devices

. Threat awareness
o New viruses
o Phishing attacks
o Zero days exploits

. Use of social networking and P2P

2.5 Compare and contrast aspects of business continuity
. Business impact analysis
. Removing single points of failure
. Business continuity planning and testing
. Continuity of operations
. Disaster recovery
. IT contingency planning
. Succession planning

2.6 Explain the impact and proper use of environmental controls
. HVAC
. Fire suppression
. EMI shielding
. Hot and cold aisles
. Environmental monitoring
. Temperature and humidity controls
. Video monitoring

2.7 Execute disaster recovery plans and procedures
. Backup / backout contingency plans or policies
. Backups, execution and frequency
. Redundancy and fault tolerance
o Hardware
o RAID
o Clustering
o Load balancing
o Servers

. High availability
. Cold site, hot site, warm site
. Mean time to restore, mean time between failures, recovery time objectives
and recovery point objectives

2.8 Exemplify the concepts of confidentiality, integrity and availability (CIA)

3.0 Threats and Vulnerabilities

3.1 Analyze and differentiate among types of malware
. Adware
. Virus
. Worms
. Spyware
. Trojan
. Rootkits
. Backdoors
. Logic bomb
. Botnets

3.2 Analyze and differentiate among types of attacks
. Man-in-the-middle
. DDoS
. DoS
. Replay
. Smurf attack
. Spoofing
. Spam
. Phishing
. Spim
. Vishing
. Spear phishing
. Xmas attack
. Pharming
. Privilege escalation
. Malicious insider threat
. DNS poisoning and ARP poisoning
. Transitive access
. Client-side attacks

3.3 Analyze and differentiate among types of social engineering attacks
. Shoulder surfing
. Dumpster diving
. Tailgating
. Impersonation
. Hoaxes
. Whaling
. Vishing

3.4 Analyze and differentiate among types of wireless attacks
. Rogue access points
. Interference
. Evil twin
. War driving
. Bluejacking
. Bluesnarfing
. War chalking
. IV attack
. Packet sniffing

3.5 Analyze and differentiate among types of application attacks
. Cross-site scripting
. SQL injection
. LDAP injection
. XML injection
. Directory traversal/command injection
. Buffer overflow
. Zero day
. Cookies and attachments
. Malicious add-ons
. Session hijacking
. Header manipulation

3.6 Analyze and differentiate among types of mitigation and deterrent techniques
. Manual bypassing of electronic controls

o Failsafe/secure vs. failopen
. Monitoring system logs

o Event logs
o Audit logs
o Security logs
o Access logs
. Physical security

o Hardware locks
o Mantraps
o Video surveillance
o Fencing
o Proximity readers
o Access list
. Hardening

o Disabling unnecessary services
o Protecting management interfaces and applications
o Password protection
o Disabling unnecessary accounts
. Port security

o MAC limiting and filtering
o 802.1x
o Disabling unused ports

. Security posture
o Initial baseline configuration
o Continuous security monitoring
o remediation

. Reporting
o Alarms
o Alerts
o Trends

. Detection controls vs. prevention controls
o IDS vs. IPS
o Camera vs. guard

3.7 Implement assessment tools and techniques to discover security threats and
vulnerabilities
. Vulnerability scanning and interpret results
. Tools
o Protocol analyzer
o Sniffer
o Vulnerability scanner
o Honeypots
o Honeynets
o Port scanner

. Risk calculations
o Threat vs. likelihood

. Assessment types
o Risk
o Threat
o Vulnerability

. Assessment technique
o Baseline reporting
o Code review
o Determine attack surface
o Architecture
o Design reviews

3.8 Within the realm of vulnerability assessments, explain the proper use of
penetration testing versus vulnerability scanning
. Penetration testing
o Verify a threat exists
o Bypass security controls
o Actively test security controls
o Exploiting vulnerabilities

. Vulnerability scanning
o Passively testing security controls
o Indentify vulnerability
o Indentify lack of security controls
o Indentify common misconfiguration
. Black box
. White box
. Gray box

4.0 Application, Data and Host Security

4.1 Explain the importance of application security
. Fuzzing
. Secure coding concepts
o Error and exception handling
o Input validation
. Cross-site scripting prevention
. Cross-site Request Forgery (XSRF) prevention
. Application configuration baseline (proper settings)
. Application hardening
. Application patch management

4.2 Carry out appropriate procedures to establish host security
. Operating system security and settings
. Anti-malware
o Anti-virus
o Anti-spam
o Anti-spyware
o Pop-up blockers
o Host-based firewalls
. Patch management
. Hardware security
o Cable locks
o Safe
o Locking cabinets
. Host software baselining
. Mobile devices
o Screen lock
o Strong password
o Device encryption
o Remote wipe/sanitation
o Voice encryption
o GPS tracking
. Virtualization

4.3 Explain the importance of data security
. Data Loss Prevention (DLP)
. Data encryption

o Full disk
o Database
o Individual files
o Removable media
o Mobile devices
. Hardware based encryption devices

o TPM
o HSM
o USB encryption
o Hard drive
. Cloud computing

5.0 Access Control and Identity Management

5.1 Explain the function and purpose of authentication services
. RADIUS
. TACACS
. TACACS+
. Kerberos
. LDAP
. XTACACS

5.2 Explain the fundamental concepts and best practices related to authentication,
authorization and access control
. Identification vs. authentication
. Authentication (single factor) and authorization
. Multifactor authentication
. Biometrics
. Tokens
. Common access card
. Personal identification verification card
. Smart card
. Least privilege
. Separation of duties
. Single sign on
. ACLs
. Access control
. Mandatory access control
. Discretionary access control
. Role/rule-based access control
. Implicit deny
. Time of day restrictions
. Trusted OS
. Mandatory vacations
. Job rotation

5.3 Implement appropriate security controls when performing account
management
. Mitigates issues associated with users with multiple account/roles
. Account policy enforcement
o Password complexity
o Expiration
o Recovery
o Length
o Disablement
o Lockout
. Group based privileges
. User assigned privileges

6.0 Cryptography

6.1 Summarize general cryptography concepts
. Symmetric vs. asymmetric
. Fundamental differences and encryption methods
o Block vs. stream

. Transport encryption
. Non-repudiation
. Hashing
. Key escrow
. Steganography
. Digital signatures
. Use of proven technologies
. Elliptic curve and quantum cryptography

6.2 Use and apply appropriate cryptographic tools and products
. WEP vs. WPA/WPA2 and preshared key
. MD5
. SHA
. RIPEMD
. AES
. DES
. 3DES
. HMAC
. RSA
. RC4
. One-time-pads
. CHAP
. PAP
. NTLM
. NTLMv2
. Blowfish
. PGP/GPG
. Whole disk encryption
. TwoFish
. Comparative strengths of algorithms
. Use of algorithms with transport encryption

o SSL
o TLS
o IPSec
o SSH
o HTTPS

6.3 Explain the core concepts of public key infrastructure
. Certificate authorities and digital certificates
o CA
o CRLs
. PKI
. Recovery agent
. Public key
. Private key
. Registration
. Key escrow
. Trust models

6.4 Implement PKI, certificate management and associated components
. Certificate authorities and digital certificates
o CA
o CRLs
. PKI
. Recovery agent
. Public key
. Private keys
. Registration
. Key escrow
. Trust models