

Showing posts from January 15, 2012

1.3.2 Subnetting

Subnetting is how networks are divided. RFCs 1466 and 1918 detail subnetting and can be found at The practice of dividing a single network into two or more networks is called subnetting, and the networks created are called subnetworks or subnets. This results in the logical division of an IP address into two fields, a network or routing prefix and the host identifier. The routing prefix is expressed in CIDR notation. It is written as the first address of a network, followed by a slash character (/), followed by the bit-length of the prefix. For example, is the prefix of the IPv4 network starting at the given address, having 24 bits allocated for the routing prefix, and the remaining 8 bits reserved for host addressing. In IPv4 the routing prefix can also be specified in the form of the subnet mask, expressed in quad-dotted decimal representation, e.g. is the network mask for the prefix. If defi
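The prefix/host split, the CIDR-to-mask conversion and the subnet division described above, worked through in Python. This is an added example, not code from the original post; it uses only the standard ipaddress module, and the addresses (192.0.2.0/24 and neighbours, from the documentation ranges) are constructed sample values, since the post's own example address did not survive extraction.

```python
"""Subnetting helpers built on Python's standard ipaddress module (added example)."""
import ipaddress


def describe_prefix(cidr: str) -> dict:
    """Break a CIDR prefix such as '192.0.2.0/24' into routing prefix and host parts."""
    net = ipaddress.ip_network(cidr, strict=False)
    prefix_len = net.prefixlen
    host_bits = net.max_prefixlen - prefix_len
    # For IPv4 prefixes shorter than /31 the network and broadcast addresses are not usable hosts.
    if net.version == 4 and prefix_len < 31:
        usable = net.num_addresses - 2
    else:
        usable = net.num_addresses
    return {
        "network": str(net.network_address),
        "prefix_len": prefix_len,
        "netmask": str(net.netmask),          # quad-dotted form of the same prefix
        "host_bits": host_bits,
        "addresses": net.num_addresses,
        "usable_hosts": usable,
    }


def mask_to_prefix_len(mask: str) -> int:
    """Convert a dotted-decimal mask (255.255.255.0) to a prefix length (24).

    ip_network only accepts contiguous masks (a run of 1 bits followed by 0 bits),
    so a malformed mask such as 255.0.255.0 raises ValueError instead of being guessed at.
    """
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def split_fields(addr: str, prefix_len: int) -> tuple:
    """Return (routing prefix, host identifier) as integers using explicit bit masking.

    This makes the 'two fields' division visible: the mask keeps the top prefix_len bits
    and the complement keeps the remaining host bits.
    """
    a = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return a & mask, a & (~mask & 0xFFFFFFFF)


def split_network(cidr: str, new_prefix: int) -> list:
    """Divide one network into equal subnets with a longer prefix, e.g. a /24 into four /26s."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def in_subnet(addr: str, cidr: str) -> bool:
    """True if addr falls inside the routing prefix cidr."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # Constructed sample: a /24 from the documentation range.
    print(describe_prefix("192.0.2.0/24"))
    print(mask_to_prefix_len("255.255.255.0"), mask_to_prefix_len("255.255.255.192"))
    print(split_fields("192.0.2.77", 24))
    print(split_network("192.0.2.0/24", 26))
    print(in_subnet("192.0.2.200", "192.0.2.0/26"), in_subnet("192.0.2.200", "192.0.2.192/26"))
```

`strict=False` lets a host address with a prefix (192.0.2.77/24) be passed where the network address is wanted; when validating configuration you may prefer the default `strict=True`, which rejects any prefix whose host bits are not all zero.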

1.3.1 DMZ

In military terms, a demilitarized zone (DMZ) is an area, usually the frontier or boundary between two or more military powers (or alliances), where military activity is not permitted, usually by peace treaty, armistice, or other bilateral or multilateral agreement. By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization. In computer security, a DMZ (or perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. Hosts in the DMZ provide services such as e-mail, web and Domain Name System (DNS) servers to users outside of the local area network. Because of the

1.2.12 Log analysis

Log analysis is crucial to identifying problems that occur related to security. As an administrator, you have the ability to turn on logging at many different locations and levels. The next step is to properly analyze what has been collected. Not only do you need to collect and analyze the logs, but you also need to store them for a time in the future when you want to compare what is happening now to then (baselining). They should be stored in a format that you can quickly access and understand without having to convert them to a document each time you want to look at them. As much as possible, automate the collection and archiving of log files. Log files can be analyzed either in real time or historically (after an event). Real-time analysis allows the administrator to be alerted as quickly as possible of an event. Historical analysis is an aid for post-mortem analysis of an event. References: CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.11 Prevent Network Bridging by Network Separation

Network bridging occurs when a device has more than one network adapter card installed and the opportunity presents itself for a user on one of the networks to which the device is attached to jump to the other. When a server has multiple network interface cards (NICs), the server is referred to as a multihomed host. To prevent network bridging, you can configure your network such that when bridging is detected, you shut off/disable that jack. You can also create profiles that allow for only one interface. References: CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.2.10 Implicit Deny

Implicit deny refers to the security principle of starting a user out with no access rights and granting permissions to resources as required. It requires that all access is denied by default and access permissions are granted to specific resources only when required. An implicit deny clause is implied at the end of each ACL, and it means that if the proviso in question has not been explicitly granted, then it is denied. References: CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

1.2.9 Loop Protection

Similar to flood guards, loop protection is a feature that works in layer 2 switching configurations and is intended to prevent broadcast or network loops which occur when there is more than one network path between two network hosts. The Spanning Tree Protocol (STP) is an example of a loop protection method. Its goal is to ensure loop-free bridged Ethernet LANs. It operates at the data link layer and makes sure there is only one active path between two stations. References: CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.8 Flood Guards

A flood guard is a protection feature built into many firewalls that allows the administrator to tweak the tolerance for unanswered login attacks. It tracks network traffic to identify scenarios that will overwhelm our network through conditions such as SYN, ping, port floods, etc. By reducing this tolerance, it is possible to reduce the likelihood of a successful DoS attack. If a resource—inbound or outbound—appears to be overused, then the flood guard kicks in. References: CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.7 802.1X

To understand the IEEE 802.1X standard, it helps to discuss three separate concepts: PPP, EAP and 802.1X itself. PPP (Point-to-Point Protocol) is most commonly used for dial-up Internet access. PPP defines an authentication mechanism to authenticate the user at the other end of the PPP line. As security requirements became more sophisticated, organizations needed more than simple username and password authentication. A new authentication protocol, called the Extensible Authentication Protocol (EAP), was designed. EAP sits inside of PPP's authentication protocol and provides a generalized framework for several different authentication methods. EAP is supposed to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates all work smoothly. The IEEE 802.1X standard is a standard for passing EAP over a wired or wireless LAN. It defines port-based security for wireless network access cont

1.2.6 Port Security

Port security works at layer 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port. MAC limiting and filtering limit access to the network to MAC addresses that are known, and filter out those that are not. MAC filtering is not foolproof, and a quick look in a search engine will turn up tools that can be used to change the MAC address and help miscreants circumvent this control. Disable unused ports: all ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter. References: CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

1.2.5 Access Control Lists

Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them certain network capabilities. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. Within ACLs, there exists a condition known as implicit deny. An implicit deny clause is implied at the end of each ACL, and it means that if the proviso in question has not been explicitly granted, then it is denied. The entity being denied because it does not appear on the list can be a source address, a destination address, a packet type, or almost anything else you want to deny access to. Firewall rules act like ACLs and are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule's criteria: Block the connection. Allow the connection. All

1.2.4 Secure Router Configuration

One of the most important things you can do to secure your network is make sure you secure the router. To securely configure the router, you must do the following: Validate a network design before implementation. Document your environment. Change the Default Password. The password for the administrator is set before the router leaves the factory. Employ good password principles and change it to a value that only you know. Walk through the Advanced Settings. These settings will differ based on the router manufacturer and type but often include settings to block ping requests, perform MAC filtering, and so on. Keep the Firmware Upgraded. Router manufacturers often issue patches when problems are discovered.  Always remember to back up your router configuration before making any significant changes. When transferring a configuration, always use a secure method where available. Transfer protocols include: TFTP (cleartext), SCP (encrypted) and HTTPS (encrypted). Physically secure

1.2.3 VLAN Management

A virtual LAN (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached to the same wire, regardless of their physical location. A VLAN allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same LAN segment. Network reconfiguration can be done through software instead of physically relocating devices. VLANs address issues such as scalability, security, and network management. A VLAN is a good way to contain network traffic to a certain segment of the network. On a LAN, hosts can communicate with each other through broadcasts, and no forwarding devices, such as routers, are needed. As the LAN grows, so too does the amount of chatter. Shrinking the size of the LAN by

1.2.2 Firewall Rules

You create firewall rules to allow a computer to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules act like ACLs and are used to dictate what traffic can pass between the firewall and the internal network. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria: Block the connection. Allow the connection. Allow the connection only if it is secured. The rules can be applied to inbound traffic or outbound traffic and any type of network (LAN, wireless, VPN, remote access). The rule can be configured to specify the computers or users, program, service, or port and protocol. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used. The rules of a firewall follow the first-match-apply rule system. The final rule in a firewall set should be a default deny. In this way, anything that is not specifically al
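The three themes that recur in the Implicit Deny, Access Control Lists and Firewall Rules posts above (first-match evaluation, the three rule actions, and the implicit deny that applies when nothing matches) as one small rule engine. This is an added example, not code from the original posts; the rule fields, the `secured` packet flag that stands in for "allow only if secured", and the sample rule set and packets are all constructed for illustration.

```python
"""First-match firewall/ACL evaluation with an implicit default deny (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ALLOW, BLOCK, ALLOW_IF_SECURED = "allow", "block", "allow_if_secured"
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    name: str
    action: str
    direction: str = "any"        # "inbound", "outbound" or "any"
    protocol: str = "any"         # "tcp", "udp", "icmp" or "any"
    src: str = ANY                # source prefix in CIDR notation
    dst: str = ANY                # destination prefix in CIDR notation
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        """Every specified field must match; unspecified fields are wildcards."""
        if self.direction != "any" and self.direction != pkt["direction"]:
            return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Return (decision, rule name). First matching rule wins; no match means implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == ALLOW_IF_SECURED:
                # "Allow only if secured": the match stands, but the decision depends on
                # whether the connection is protected (constructed 'secured' flag, e.g. IPsec).
                return (ALLOW if pkt.get("secured") else BLOCK, rule.name)
            return (rule.action, rule.name)
    return (BLOCK, "implicit-deny")


def ends_with_default_deny(rules: List[Rule]) -> bool:
    """Check the advice that the final rule is an explicit catch-all deny."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == BLOCK and last.direction == "any" and last.protocol == "any"
            and last.src == ANY and last.dst == ANY and last.dport is None)


def shadowed_rules(rules: List[Rule], packets: List[dict]) -> List[str]:
    """Names of rules that never win on the given traffic sample: a sign of ordering mistakes."""
    hit = {evaluate(rules, p)[1] for p in packets}
    return [r.name for r in rules if r.name not in hit]


# Constructed sample rule set (documentation address ranges).
RULES = [
    Rule("web-in", ALLOW, "inbound", "tcp", dst="192.0.2.0/24", dport=443),
    Rule("mgmt-in", ALLOW_IF_SECURED, "inbound", "tcp", src="198.51.100.0/24",
         dst="192.0.2.10/32", dport=22),
    Rule("default-deny", BLOCK),
]

# Constructed sample packets.
HTTPS = {"direction": "inbound", "protocol": "tcp", "src": "203.0.113.5", "dst": "192.0.2.20", "dport": 443}
SSH_PLAIN = {"direction": "inbound", "protocol": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22}
SSH_SECURED = dict(SSH_PLAIN, secured=True)
TELNET = {"direction": "inbound", "protocol": "tcp", "src": "203.0.113.5", "dst": "192.0.2.20", "dport": 23}

if __name__ == "__main__":
    for pkt in (HTTPS, SSH_PLAIN, SSH_SECURED, TELNET):
        print(pkt["dport"], "->", evaluate(RULES, pkt))
    print("explicit default deny present:", ends_with_default_deny(RULES))
    # Without the final rule the telnet packet is still blocked, but only by the implicit deny.
    print(evaluate(RULES[:-1], TELNET))
```

Because evaluation stops at the first match, a broad allow placed before a narrower block silently disables the block; `shadowed_rules` run over a representative traffic sample is one cheap way to catch that kind of ordering error before a rule set is deployed.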

1.2.1 Rule-based management

Rule-based management, also known as label-based management, defines conditions for access to objects. The access is granted to the object based on both the object's sensitivity label and the user's sensitivity label. With all rules, an action must be defined. That action is triggered when conditions are or are not met. Rule-based management is the concept of controlling the security of communications and IT events through rule- or filter-driven systems. Firewalls, proxies, routers, IDS, IPS, antivirus and more are examples of rule-based security management systems. Each of these systems has a set of rules. Each rule is either an explicit allow or deny. If an event or packet does not match any rule, it should be denied by default. Rule-based management is one method of implementing a white list security management concept. In a white-list security management system if the event or activity does not match an allow rule, it is denied by default. Even new zero-day attacks are

1.1.13 URL filtering, content inspection, malware inspection

URL (Uniform Resource Locator): points your web browser at a web page of your choice is a flexible 'meta language' allowing remote computers to exchange executable content and commands are a conduit for client/server data. Controlling the URLs that enter and leave your network is an important way to reduce risks posed by hackers, worms and spyware. URL filtering (or web filtering) involves blocking websites (or sections of websites) based solely on the URL; restricting access to specified websites and certain web-based applications. This is in contrast to content filters, which block data based on its content rather than where it is coming from. Within Internet Explorer, the Phishing Filter included with IE7 acted as a URL filter. In IE8 and later this was replaced by SmartScreen Filter. URL filtering can focus on all or part of a FQDN, specific path names, specific file names, specific file extensions, or entire specific URLs. Many URL filtering tools can obtain upd

1.1.12 Web application firewall vs. network firewall

An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which by default is unable to control network traffic regarding a specific application. The Web Application Firewall (WAF) is an intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. It is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the ru

1.1.11 Spam Filter

Spam filter, all-in-one security appliances A spam filter is a software program that sorts incoming mail in order to identify and pull out unsolicited and unwanted email, also known as spam. Spam filters catch unwanted email and filter it out before it gets delivered internally to a user's inbox. The filtering is done based on rules, e.g. block email coming from certain IP addresses, email that contains particular words in the subject line, and the like. While spam filters are usually used to scan incoming messages, they can also be used to scan outgoing as well and thus act as a quick identifier of internal PCs that may have contracted a virus. Spam can be used to spread malicious code like viruses and Trojans, and for perpetuating phishing scams. For these reasons and more, a spam filter is a great way to help protect your computer or network and cut out junk mail. SpamAssassin is a well-known open source spam filter. Like other types of filtering programs, a spam filter

1.1.10 Sniffer

A sniffer is a network analysis tool to help you locate network problems. It consists of a well-integrated set of functions that can resolve network problems. Sniffers can list network packets in real time from multiple network cards (including modem, ISDN, ADSL) and can support capturing packets based on applications and protocols, e.g. Ethernet, IP, TCP, UDP, PPPOE, HTTP, FTP, WINS, PPP, SMTP, POP3. Sniffers (also known as network monitors) help troubleshoot network problems. A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming. Sniffers usually act as network probes or "snoops." They examine network traffic, making a copy of the data without redirecting or altering it. A network-monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring software. References: http://www.colasoft.

1.1.9 Protocol Analyzer

A "protocol analyzer" is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Protocol analyzers (also known as packet sniffers) refer to the process of monitoring the data that is transmitted across a network. Sniffers highlight that sensitive information should not be sent using insecure methods. Protocol analyzers can be stand-alone applications or used with other network monitoring and intrusion detection applications to monitor and capture network data right down to the packet and frame level. This tool can be used in conjunction with intrusion detection and prevention systems to analyze large blocks of network data and protocols. This scanning can detect specific behaviors of known exploits or network attacks. This information can be communicated to the IDS, which will block those network packets from reaching the client. References: CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by E

1.1.8 NIDS and NIPS

NIDS and NIPS (Behavior based, signature based, anomaly based, heuristic) An intrusion detection system (IDS) is software that runs on a server or network device to monitor and track network activity. By using an IDS, a network administrator can configure the system to monitor network activity for suspicious behavior that can indicate unauthorized access attempts. IDSs can be configured to evaluate system logs, look at suspicious network activity, and disconnect sessions that appear to violate security settings. IDSs can be sold with firewalls. Firewalls by themselves will prevent many common attacks, but they don't usually have the intelligence or the reporting capabilities to monitor the entire network. An IDS, in conjunction with a firewall, allows both a reactive posture with the firewall and a preventive posture with the IDS. In response to an event, the IDS can react by disabling systems, shutting down ports, ending sessions, deception (redirect to honeypot), and even p

1.1.7 VPN Concentrators

A virtual private network (VPN) is a secure and private point-to-point connection over a public network. It provides an encrypted tunnel between the client and the remote network. A private network provides security over an otherwise unsecure environment. VPNs connect two LANs together across the Internet or other public networks. VPNs are also used to connect two remote routers to form a secure WAN. A VPN is implemented either as special hardware or software running on a server. A VPN typically uses a tunneling protocol such as Layer 2 Tunneling Protocol (L2TP), IPSec, or Point-to-Point Tunneling Protocol (PPTP). To guarantee security, both ends of the VPN connection must be running the same type of VPN with equivalent protocols (e.g. L2TP) and encryption method (IPSec). A VPN concentrator is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security. VP

1.1.6 Web Security Gateways

A web security gateway can be thought of as a proxy server (performing proxy and caching functions) with web protection that can range from a standard virus scanner on incoming packets to monitoring outgoing user traffic. Potential red flags the gateway can detect/prohibit include inappropriate content, trying to establish a peer-to-peer connection with a file-sharing site, instant messaging, and unauthorized tunneling. You can configure most web security gateways to block known HTTP/HTML exploits, strip ActiveX tags, strip Java applets, and block/strip cookies. Beyond the basic tasks of a web proxy, it provides content filtering and application-level security to protect end users from accessing dangerous web sites and downloading files that are infected with worms, spyware or malware, or else from connecting to servers that host phishing and fraud sites. Web security gateways can perform deep inspection of web HTTP traffic to prevent end users from accessing dangerous content.