CompTIA Security+ SY0-401

Certification Training

Implementing Security Configuration Parameters Tutorial

1 Implementing Security Configuration Parameters

Good day everyone! As we all know, the growth of multinational and medium-sized companies has resulted in highly advanced and complex Internet-connected systems. These systems transmit data across the globe through wired and wireless technologies, and either mode of transmission leaves the system open to exploitation. As the proverb goes, “Necessity is the mother of invention”: to guard against such exploitation, we have developed a large number of network devices, and ways to apply security configuration parameters to these devices and their underlying technologies. In this lesson, we will learn about these network devices. After completing this lesson, you will be able to:
• Comprehend the OSI model and the TCP/IP model,
• Discuss different network devices and their security configuration, and
• Understand different detection and prevention systems.

2 OSI Model

In this topic, you will learn about the OSI model. The OSI model describes how information traverses a network. It is used as the primary reference model to identify how data is handled at each stage of transmission, even though not every protocol fits it neatly. The other reference model is the four-layer TCP/IP model, which folds the top three OSI layers into one Application layer and the bottom two into a Network Access (link) layer. Now, let's look at the seven layers of the OSI model.

The first layer is the Physical Layer. It defines the connectors, signalling and media used to transmit bits, and includes patch panels, wall-jacks, wires and other cabling.

Second is the Data Link Layer. It frames the bits sent and received between adjacent nodes, and uses physical addressing, that is, MAC addresses, rather than logical addressing. It detects errors in frame transmission, and its common devices include network interface cards, switches and bridges.

The third layer is the Network Layer, which uses logical addressing, such as IP addresses. When data crosses multiple networks, its packets must carry logical addresses so that they can be moved from one LAN to another. At this layer a router maps the logical destination to the next physical hop, so the Layer 2 addresses of a packet change at every hop while its Layer 3 addresses stay the same. This is why the third layer is associated with routing.

Fourth is the Transport Layer, which is responsible for end-to-end communication between hosts. It determines how connections are established and whether a connection is reliable. Its services include connection-oriented communication, same-order delivery, data integrity, flow control, congestion control and multiplexing. TCP provides all of these; UDP provides only multiplexing, through port numbers, with no delivery guarantees.

The fifth layer is the Session Layer. It establishes, maintains and terminates sessions between applications, so that a dialogue between two devices can be kept up, and resumed, across the individual lower-level connections that carry it.

The penultimate layer is the Presentation Layer. It is responsible for formatting the data that an application sends or receives, and includes tasks such as encryption, compression, character-set translation and graphics encoding.

The final layer is the Application Layer. This is where the protocols that applications use to talk across the network live, such as HTTP, SMTP and DNS; the user interface itself sits above the model. For example, web browsers and email clients use application-layer protocols.

Now that we have learned about the layers of OSI, do you know what happens to information when it is transmitted from one machine to another? Picture two OSI stacks side by side, as in the diagram in the lesson. Data starts at Layer 7 on the sending device and travels down to Layer 1, with each layer adding its own header (encapsulation). From there, the bits are transmitted across the wire. On the receiving device, the data arrives at Layer 1 and is passed up to Layer 7, with each layer stripping off its header (decapsulation). This movement between layers is termed data flow in the OSI model. It matters for security because a control placed at one layer only sees that layer's headers: a switch filtering on MAC addresses knows nothing about the IP addresses or HTTP requests inside the frames it forwards.
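To make the data flow concrete, here is an added example (not code from the original lesson) that encapsulates an application payload through Layers 4, 3 and 2 into an Ethernet frame and then decapsulates it again, verifying the IPv4 header checksum on the way back up. The MAC and IP addresses are constructed for illustration, and the UDP checksum is left at zero, which IPv4 permits.

```python
"""Added example: OSI-style encapsulation and decapsulation of a UDP payload.

Layer 7-5: application payload (bytes)
Layer 4:   UDP header
Layer 3:   IPv4 header with header checksum
Layer 2:   Ethernet II header (MAC addresses, EtherType)
Layer 1 is the wire; here the frame is simply a bytes object.
All addresses are constructed for illustration.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    # Layer 4: UDP header = source port, destination port, length, checksum (0 = not computed)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3: 20-byte IPv4 header; checksum is computed with the checksum field zeroed
    total_len = 20 + len(udp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, PROTO_UDP, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Layer 2: Ethernet II header = destination MAC, source MAC, EtherType
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Walk back up the stack: strip L2, verify and strip L3, strip L4, return the payload."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    # The checksum of a valid header, including its own checksum field, folds to zero
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": udp[8:udp_len],
    }


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.0.2.10", "192.0.2.20", 40000, 53, b"hello")
    print(len(frame), "bytes on the wire")
    print(parse_frame(frame))
```

Note that the checksum only detects accidental corruption: an attacker who rewrites the destination address can simply recompute it, which is why integrity against tampering needs a keyed mechanism at a higher layer (IPsec or TLS), not the IP checksum.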

3 Network Devices

In this topic, you will learn about different network devices and their security configuration. Having covered the basics of networking, we will now go through the devices in a network. As you may know, there are two types of devices: single-function devices and multi-function devices. Networking devices connect the computers in an infrastructure, and are part of that infrastructure. Let's start by reviewing these devices, beginning with legacy and basic devices, and then moving to newer technologies.

In networking, hubs are single-function legacy devices that have become rare; switches have replaced hubs in most networks. A hub is a common connecting point for devices in a network. How does a hub process data? It accepts a signal on one port and repeats the exact same signal out of all other ports. Because every device shares the same medium, collisions occur whenever two devices transmit at the same time, and on a larger network the constant repetition of every host's traffic consumes bandwidth. Hubs do not read addresses or packets at all; they only repeat electrical signals, which is why they are considered Layer 1 devices. From a security perspective this matters: every host attached to a hub receives every other host's frames, so a sniffer on any port sees all traffic.

4 Switches

Switches have replaced hubs. Now, let's understand the reasons for it. Switches are similar to hubs in that they connect all devices on an internal network and transmit data from one device to another. Switches are Layer 2 devices, because they actually read and use the MAC address, or physical address, carried in each frame. A switch builds a table, often called the MAC address table or CAM table, that maps the MAC address of each connected device to the physical port on which it was seen. So, when a device sends a frame, the switch looks up the destination MAC address in that table and knows exactly which port the frame has to go out of. If the destination is unknown, or is a broadcast, the switch floods the frame out of all other ports, much as a hub would. A switch is therefore a multiport device designed to boost network efficiency by storing and using a table of MAC addresses. It does not use IP addresses like a router does; we will cover routers in the next topic.

The MAC address is assigned by the manufacturer of the network card, and the table in the switch's memory tracks the port of each connected system. Traffic between two hosts is not encrypted or otherwise protected by the switch, but it stays within the switched segment. Because a switch sends unicast traffic only to the port on which the destination system sits, it gives better privacy than a hub. This is not a strong security boundary, however: an attacker on the same segment can still use ARP spoofing to redirect traffic through their own machine, or flood the switch with bogus source MAC addresses until its table overflows and it starts flooding frames like a hub. Switches are used only in internal networks, since switching is done on MAC addresses, which are not routable.

Now, let's see the six key features offered by network switches.
1. Filtering: the switch forwards each unicast frame only to its destination port, so other hosts on the switch do not see it.
2. Port Mirroring: the switch allows one port to be designated as a mirror of other ports. Traffic to or from the monitored ports is duplicated and sent to the mirror port, where it can be captured with a packet analyzer for traffic monitoring.
3. Port Security: the switch restricts which devices may use a port, by allowing only specific MAC addresses, or a maximum number of MAC addresses, on that port; a violation typically shuts the port down. This is also termed physical port security. MAC addresses can be spoofed, so port security raises the bar but does not authenticate the device; 802.1X does that.
4. Disabling Ports: unused physical ports on the switch can be administratively disabled, so that a malicious person cannot simply plug into an empty wall jack and join the network.
5. Creating Collision Domains: with a hub, all ports share one collision domain, and data from different hosts can collide. With a switch, each port is its own collision domain, so collisions between hosts no longer occur.
6. Virtual Local Area Networks or VLANs: managed switches can divide one physical switch into multiple VLANs, each a separate Layer 2 broadcast domain. Hosts in different VLANs cannot talk to each other through the switch alone; a router, or a Layer 3 switch, is required to pass traffic between VLANs, and that is where access control between the segments can be enforced. VLANs therefore provide network separation, or segmentation.
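The following is an added example, not code from the original lesson, showing how a learning switch behaves with the features just listed: it learns source MACs into its table, floods unknown and broadcast frames, enforces a per-port MAC limit (port security) and ignores administratively disabled ports. The port numbers, MAC addresses and the "shut the port on violation" policy are assumptions for the illustration.

```python
"""Added example: a minimal learning switch with port security and disabled ports.
MAC addresses and port numbers are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    number: int
    enabled: bool = True               # administratively enabled ("disabling unused ports")
    max_macs: Optional[int] = None     # port security limit; None means unlimited
    shutdown: bool = False             # set when port security is violated


class Switch:
    def __init__(self, port_count: int):
        self.ports = {n: Port(n) for n in range(1, port_count + 1)}
        self.mac_table: Dict[str, int] = {}              # MAC address -> port (the CAM table)
        self.violations: List[Tuple[int, str]] = []      # (port, offending MAC)

    def configure(self, port: int, *, enabled: bool = True, max_macs: Optional[int] = None) -> None:
        self.ports[port].enabled = enabled
        self.ports[port].max_macs = max_macs

    def _learn(self, port: Port, src: str) -> bool:
        """Record the source MAC on its ingress port, enforcing port security.
        Returns False (and err-disables the port) on a violation."""
        if self.mac_table.get(src) == port.number:
            return True                                    # already known on this port
        if port.max_macs is not None:
            seen_here = [m for m, p in self.mac_table.items() if p == port.number]
            if len(seen_here) >= port.max_macs:
                port.shutdown = True
                self.violations.append((port.number, src))
                return False
        self.mac_table[src] = port.number                  # learn (or move) the address
        return True

    def forward(self, ingress: int, src: str, dst: str) -> List[int]:
        """Return the egress ports for a frame; an empty list means the frame is dropped."""
        port = self.ports[ingress]
        if not port.enabled or port.shutdown:
            return []
        if not self._learn(port, src):
            return []
        active = [p.number for p in self.ports.values()
                  if p.enabled and not p.shutdown and p.number != ingress]
        if dst == BROADCAST or dst not in self.mac_table:
            return active                                  # flood, hub-like, to all other live ports
        out = self.mac_table[dst]
        return [out] if out in active else []              # unicast to the one known port


if __name__ == "__main__":
    sw = Switch(4)
    sw.configure(4, enabled=False)          # unused port shut down
    sw.configure(1, max_macs=1)             # port security: a single device on port 1
    print(sw.forward(1, "aa:aa:aa:aa:aa:01", BROADCAST))             # flooded to ports 2 and 3
    print(sw.forward(2, "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01"))   # known destination: port 1 only
    # A second source MAC appearing on port 1 (as in a MAC flooding attack) trips port security
    print(sw.forward(1, "cc:cc:cc:cc:cc:03", "bb:bb:bb:bb:bb:02"), sw.violations)
```

Without the `max_macs` limit, an attacker on port 1 could keep sending frames with fresh source addresses until the table is full, at which point a real switch falls back to flooding and the attacker sees everyone's traffic; the limit is what turns that into a shut-down port and an alert instead.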

5 Router

Now, let's learn about routers. A router provides connectivity between two or more networks. This means it has at least two interfaces, one in each network it joins, each with a valid address in that network. Routers sit at Layer 3 of the OSI model, and are responsible for routing data between networks with the help of a routing table held in memory. Routers work with logical addressing, that is, IP addresses: a router reads the destination IP address of each packet and consults its routing table to determine the best path. The table holds the directly connected networks plus routes configured or learned for remote destinations, and usually a default route that is used when no more specific route matches, so the router knows both the systems connected to it and where to send packets for destinations it does not know in detail. The table grows as more networks become reachable through the router.

Now, consider the network topology diagram in the lesson, in which data is routed between two routers. As depicted, router R1 sends data destined for the network 20.0.0.0 via the next hop 19.0.0.2. Routes can be configured as static or dynamic. Static routes are entered and changed manually by an administrator, while dynamic routes are learned from other routers through a routing protocol, which the routers use to build their routing tables.

Now, let's see some key features of routers in a network. Routers use logical IP addresses, and divide networks into subnets. This is beneficial from a security perspective. Hosts within a subnet communicate with each other directly; if they have to communicate with a different subnet, a router must forward the packets, so the router is a natural place to enforce policy. The separation created by routers is termed a broadcast domain, that is, a group of systems that receive broadcasts sent by any machine in the group. Broadcasts only reach machines in that domain, so dividing broadcast domains with routers improves the performance of your network, as it limits the broadcasts that slow the network down.

Routers are smart devices that keep information about the networks connected to them. You can set up a router as a packet-filtering firewall using access control lists. With a Channel Service Unit/Data Service Unit (CSU/DSU), a router can translate from LAN to WAN framing, such as connecting a 100BaseT network to a T1 circuit. This is essential because LANs and WANs use different link protocols. Such routers are called border routers, as they connect a LAN to a WAN. They run at the network border, and filter which packets can enter, and under what conditions. Routers are also used to divide internal networks into multiple sub-networks. You can connect routers internally to other routers, to form autonomous zones. For example, you can set up a corporate network with a border router for the ISP connection, and use internal routers for the autonomous networks. Such a design keeps local traffic off the corporate backbone, and gives additional protection to internal users.

In addition to the routing table, routers use routing protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) to determine the route for a packet after it leaves its network. Moreover, routers are the gateway devices into and out of networks, and they exchange routing details with each other through RIP, OSPF, or Border Gateway Protocol (BGP). Routing protocol exchanges should be authenticated where the protocol supports it, since an attacker who can inject routes can redirect traffic. With access lists applied, a router passes only authorized traffic, and so forms the first line of defense. In this way, a router can act as your firewall, if used properly. In a layered approach, however, the router's filtering augments a dedicated firewall rather than replacing it.
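As an added example (not part of the original lesson), the routing table lookup described above, implemented as longest-prefix match over directly connected networks, a static route and a default route. The static route to 20.0.0.0 via 19.0.0.2 mirrors the lesson's diagram; the interface names and the other prefixes are assumptions for the illustration.

```python
"""Added example: routing table with longest-prefix match, a static route and a default route.
The 20.0.0.0 via 19.0.0.2 route follows the lesson's diagram; everything else is assumed."""
import ipaddress
from typing import List, Optional, Tuple


class Router:
    def __init__(self):
        # Each entry: (network, outgoing interface, next hop or None for a directly connected network)
        self.routes: List[Tuple[ipaddress.IPv4Network, str, Optional[str]]] = []

    def add_route(self, network: str, interface: str, next_hop: Optional[str] = None) -> None:
        self.routes.append((ipaddress.ip_network(network), interface, next_hop))

    def lookup(self, destination: str) -> Optional[Tuple[str, str, str]]:
        """Return (matched network, interface, next hop) for the most specific matching route,
        or None when nothing matches (the packet is dropped and ICMP unreachable is returned)."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, iface, next_hop in self.routes:
            # Longest-prefix match: a more specific prefix wins over a less specific one
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, next_hop)
        if best is None:
            return None
        net, iface, next_hop = best
        # On a directly connected network the next hop is the destination itself (resolved with ARP)
        return (str(net), iface, next_hop or destination)


def build_r1() -> Router:
    """R1 from the lesson's diagram, with assumed interfaces and a default route to the ISP."""
    r1 = Router()
    r1.add_route("19.0.0.0/8", "eth0")                          # directly connected link to R2
    r1.add_route("10.1.0.0/16", "eth1")                         # directly connected internal LAN
    r1.add_route("10.1.5.0/24", "eth2")                         # smaller subnet, more specific than /16
    r1.add_route("20.0.0.0/8", "eth0", next_hop="19.0.0.2")     # static route via R2
    r1.add_route("0.0.0.0/0", "eth3", next_hop="19.0.0.254")    # default route
    return r1


if __name__ == "__main__":
    r1 = build_r1()
    for dst in ("20.3.4.5", "10.1.5.9", "10.1.7.1", "8.8.8.8"):
        print(dst, "->", r1.lookup(dst))
```

The "more specific prefix wins" rule is also why injected routes are dangerous: a rogue /24 advertised for part of a network you own will be preferred over your own /16, which is the mechanism behind route hijacking and the reason to authenticate routing protocol neighbours.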

6 Firewalls

In a network, a firewall is the main line of defense. A firewall often exists as an appliance, a dedicated device installed between two networks. Appliances are freestanding devices running in a self-contained way, and need less maintenance and support than a server-based component. Firewalls help keep networked computers safe and secure by examining each data packet that reaches the firewall and checking whether the packet is allowed to pass through. You configure firewalls with rules to set these security parameters. As a system administrator, you set up rules that determine which traffic may pass through the firewall and which is blocked. Generally, you should set up the firewall to block all traffic by default, which means no data packets can pass through, and then configure exceptions to that rule, so that only the desired traffic can pass. Let's take an example. If you want a web server to be accessible from the Internet, deny all inbound packets except those addressed to TCP port 80, on which the server listens.

Now, let's see the different types of firewalls. Firewalls can be embedded in devices such as servers or routers, or can be standalone systems, and firewall solutions are available both as hardware appliances and as software. According to function, there are three main types of firewalls:
• Packet Filter,
• Proxy Firewall, and
• Stateful Packet Inspection Firewall.
Let's now see each type of firewall and its idiosyncrasies. We'll begin with packet filtering firewalls. A packet filtering firewall allows or blocks traffic according to the source IP address, destination IP address, source port, destination port and protocol. It does not analyze the data within the packets, only the address details, which means it filters traffic on the header fields of the packets.

While configuring a packet filtering firewall, you set up rules that determine which traffic is allowed and which is blocked. For instance, suppose you wish to allow incoming traffic from any source to port 80 on a server whose IP address is 23.14.33.55, while denying all other incoming traffic. The rule table for that policy, as shown in the lesson, looks like this:

Source IP   Destination IP   Protocol   Destination port   Action
any         23.14.33.55      TCP        80                 allow
any         any              any        any                deny

Rules are evaluated in order and the first match wins, so the final deny-all rule implements the default-deny policy. A packet filtering firewall is a stateless inspection device, because it judges every packet on its own header fields, with no memory of earlier packets. This is in contrast to an application firewall, which filters traffic on the payload, or data portion, of the packet and can reject suspicious commands. Stateless filtering is vulnerable to manipulation by an attacker who spoofs source addresses or ports to fit an allow rule; attack traffic to port 80 in the example above passes the filter as long as its headers match.

A proxy firewall acts as an intermediary between networks. Proxies offer better security than packet filters because they are more intelligent about the traffic they handle. The proxy can operate either at the circuit level or at the application level. A circuit-level proxy works by relaying a circuit between client and server; it does not analyze the packet contents. An application-level proxy understands each command of the protocols it serves. Such a proxy is far more capable, as it knows what the protocol in use can do, and the rules for it. For instance, an HTTP proxy knows the difference between PUT and GET operations and can apply different rules to each. A distinct application-level proxy is needed for each protocol. Many proxy servers also provide other usage information, such as accounting details, which a circuit-level proxy does not keep. A proxy firewall with two network interface cards (NICs) is called a dual-homed firewall: one card is connected to the external network, while the other is connected to the internal network.
The connection between these two cards is mediated by the proxy software, which isolates the two networks and so increases security. When a request arrives from the external network, the proxy analyzes it and makes a rule-based decision to forward or reject it. It intercepts each packet and re-creates it for internal use, which hides internal IP addresses. When a request originates from an internal source, it is routed via the proxy, which repackages and sends it on, thus separating the user from the outside network. If the same request is repeated, a proxy firewall can serve it from its cache, making data delivery more efficient. NOTE: A system with more than one network interface, each with its own IP address, is termed multi-homed.

Now, let's see the difference between stateless and stateful firewalls. Stateless firewalls such as packet filters filter traffic purely on packet header data. Stateful packet inspection firewalls not only filter on address and port number, but also on the context of the conversation, to decide whether a given packet is expected at that point in the exchange. A packet is allowed into the network if it fits the current state of its connection and matches an allow rule. Stateful firewalls still use rules, but they act more intelligently than stateless firewalls because they are aware of the conversation context. For example, if an attacker sends a TCP segment carrying a risky command to port 80 without having completed the three-way handshake, the firewall in effect says, “Nope, sorry, you are not allowed, as no connection has been established.” This is because a stateful packet inspection firewall knows that the handshake must precede TCP data. Most other devices in a network do not keep track of how information is routed or used in this way.

Another point of distinction between stateless and stateful packet filtering is memory. In stateless inspection, both the path and the packet are forgotten once the packet has passed. In stateful inspection, a state table tracks every channel of communication, so that details such as a packet's origin, and where the next packet of that conversation should come from, are remembered. Stateful inspection offers additional security, particularly for connectionless protocols such as Internet Control Message Protocol (ICMP) or User Datagram Protocol (UDP): since there is no handshake to observe, the firewall must create pseudo-state, for example by expecting the reply to a DNS query within a timeout, which complicates the process. The state table is also a weakness: denial-of-service (DoS) attacks such as SYN floods can fill it with half-open connections until the firewall drops legitimate traffic, shuts down or reboots, so the table size and the connection timeouts are themselves security configuration parameters.
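Here is an added example (not code from the original lesson) that puts the stateless rule table for 23.14.33.55 port 80 described above beside a stateful inspector that also tracks the TCP three-way handshake. It shows the three behaviours discussed: the stateless filter passes attack data to port 80 because the headers match, the stateful firewall rejects it because no connection was established, and a bounded state table is what a flood of SYNs exhausts. The packets, client addresses and the shut-on-violation policy are constructed for the illustration; the state machine is simplified (for example, the final ACK of a FIN teardown is not tracked).

```python
"""Added example: stateless packet filter versus stateful packet inspection.
Addresses and packets are constructed; 23.14.33.55:80 is the lesson's web server."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A", "PA", "FA", "R"


# Rule table: (source IP, destination IP, protocol, destination port, action).
# "any" is a wildcard; rules are evaluated in order, first match wins, default deny.
RULES = [
    ("any", "23.14.33.55", "tcp", 80, "allow"),
    ("any", "any", "any", "any", "deny"),
]


def _match(value, pattern) -> bool:
    return pattern == "any" or value == pattern


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: decides on header fields only, with no memory of earlier packets."""
    for src, dst, proto, port, action in RULES:
        if (_match(pkt.src_ip, src) and _match(pkt.dst_ip, dst)
                and _match(pkt.proto, proto) and _match(pkt.dst_port, port)):
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: a flow must be opened by a SYN the rules allow and then complete
    the handshake before data is accepted. The reply direction is allowed because of the
    state table entry, not because of a rule."""
    SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"

    def __init__(self, max_states: int = 1000):
        self.table = {}               # flow key -> (state, initiator IP)
        self.max_states = max_states  # bounded: this is what a SYN flood tries to exhaust

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Order the endpoints so both directions of a flow map to the same entry
        a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def inspect(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return stateless_filter(pkt)           # no handshake to track for UDP in this example
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is None:
            # Only a SYN that the rules permit may create state
            if pkt.flags == "S" and stateless_filter(pkt) == "allow":
                if len(self.table) >= self.max_states:
                    return "deny"                  # state table full: the DoS failure mode
                self.table[key] = (self.SYN_SENT, pkt.src_ip)
                return "allow"
            return "deny"                          # "no connection has been established"
        state, initiator = entry
        if state == self.SYN_SENT and pkt.flags == "S" and pkt.src_ip == initiator:
            return "allow"                         # retransmitted SYN
        if state == self.SYN_SENT and pkt.flags == "SA" and pkt.src_ip != initiator:
            self.table[key] = (self.SYN_RECEIVED, initiator)
            return "allow"
        if state == self.SYN_RECEIVED and "A" in pkt.flags and pkt.src_ip == initiator:
            self.table[key] = (self.ESTABLISHED, initiator)
            return "allow"
        if state == self.ESTABLISHED:
            if "F" in pkt.flags or "R" in pkt.flags:
                del self.table[key]                # teardown: forget the flow
            return "allow"
        return "deny"                              # out-of-sequence packet for this flow


if __name__ == "__main__":
    client, server = "198.51.100.7", "23.14.33.55"
    fw = StatefulFirewall()
    handshake = [Packet(client, server, "tcp", 50000, 80, "S"),
                 Packet(server, client, "tcp", 80, 50000, "SA"),
                 Packet(client, server, "tcp", 50000, 80, "A")]
    for p in handshake:
        print(p.flags, "stateless:", stateless_filter(p), "stateful:", fw.inspect(p))
    rogue = Packet("203.0.113.9", server, "tcp", 4444, 80, "PA")
    print("data without handshake  stateless:", stateless_filter(rogue), "stateful:", fw.inspect(rogue))
```

Two things are worth noticing when you run it: the stateless table as written actually blocks the server's SYN-ACK, because no rule covers the reply direction (a real stateless ACL needs an extra "established" rule keyed on the ACK flag, which an attacker can set at will), and the stateful firewall allows that reply from its state table with no such rule.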

7 Load Balancer

Now, let's learn about load balancers. A load balancer is a network device designed to split the traffic load between multiple devices. This is used to improve the performance and availability of network servers or resources. It typically works in a round-robin or failover fashion, dividing the load between components such as servers, links or storage, shifting load away from a busy or failed component, avoiding overload and so improving performance. Rather than allowing a single device to handle all requests, a load balancer lets multiple devices process the incoming requests. Since more systems are available to process requests simultaneously, the service becomes scalable as well as efficient. Load balancing maximizes throughput, reduces response time and makes better use of resources. You can implement a load balancer as a hardware or software solution, usually placed behind a firewall or router. The most common use of a load balancer is to distribute the requests for a site across redundant servers in rotation. If a server is down or busy, it is taken out of the rotation, so that the failure of one server is invisible to users. Because the load balancer terminates client connections, it is also where TLS is often terminated and where per-client rate limiting can be applied, which makes it part of the security configuration, not only the performance configuration.

Okay, let's now move to network cables, which connect the devices. Network cables let you connect and transfer data between computers, routers, switches and storage area networks. They are the channels through which data travels, and you must choose the one suited to the structure and configuration of the network. Let's now see the different types of network cables.

First is coaxial cable, or coax. It was used by early Ethernet networks: 10BASE2, also known as Thinnet, used thin RG-58 coax with BNC (Bayonet Neill-Concelman) connectors and T-connectors to attach devices, while 10BASE5, known as Thicknet, used thick RG-8 coax with a solid copper core and heavy shielding against electromagnetic interference. Coax is still used for cable television and cable Internet. A different legacy LAN technology of the same era was Token Ring, in which the stations on a logical ring take turns to transmit: only the machine holding the virtual 'token' may send data.

Next is twisted-pair cable, the most common network cable today. It is used in Category (Cat 5, Cat 5e, Cat 6 and so on) Ethernet networks, and comes in two types: UTP, or unshielded twisted pair, and STP, or shielded twisted pair. Both use RJ-45 connectors on patch cables, patch panels and the NICs inside your computers. UTP is cheaper and more flexible, but has no shielding against electromagnetic interference (EMI). Crosstalk is the interference that one pair or cable induces in its neighbour, and the twists in both UTP and STP cancel most of it. Twisted-pair runs work up to a maximum distance of 100 meters before attenuation, the weakening of a signal over the distance it travels, becomes severe enough that you start losing data. STP adds a foil or braided shield that protects signal quality from outside interference; the same shield also reduces the cable's own emissions, which is why shielded cabling is sometimes specified where eavesdropping on emanations is a concern. RJ-11 is the smaller connector used for telephone cabling, not for STP Ethernet.

UTP and STP cables come in two wiring styles, straight-through and crossover. Straight-through cables connect unlike devices. For example, you connect a computer to a switch or a hub with a straight-through cable: pin 1 on the computer connects to pin 1 on the other device, and because the switch port is wired the opposite way round to the NIC, the two can send information back and forth. Crossover cables connect two like devices directly, NIC to NIC, without a hub or switch. Two similar devices cannot be connected with a straight-through cable, since that would join the transmit pins on one end to the transmit pins on the other, and a computer cannot receive data that does not arrive on its receive pins. A crossover cable connects the transmit pins of the first computer to the receive pins of the second, and vice versa, so each can send to the other. Most modern ports support auto MDI-X, which detects the wiring and swaps the pairs automatically, so crossover cables are rarely needed today.

Fiber optic cable is the third type of network cable. It carries digital data as pulses of light. An optical fiber has a thin glass core surrounded by a concentric layer of glass with a different refractive index, known as the cladding, which keeps the light inside the core. Fiber optic cables are classified as single-mode and multimode. Single-mode fiber carries a single beam of light down a very narrow core and can span long distances; it needs precise, laser-based transceivers and is the more expensive option. Multimode fiber has a wider core in which multiple rays of light reflect down at different angles; it covers shorter distances but is cheaper and more flexible. Fiber is immune to EMI, radiates nothing that can be picked up, and is harder to tap than copper, which is why it is preferred for links that carry sensitive traffic.

8 Detection and Prevention Systems for a Network

In this topic, we will discuss different detection and prevention systems for a network. Let's start with VPN concentrators. These are often found in large corporate environments with many remote users who need to access network resources securely over the Internet. A VPN concentrator terminates encrypted VPN tunnels across the Internet, so that data from a remote client is delivered as if the client were on the local network. VPN concentrators can also be deployed in a high-availability configuration, in which multiple devices share the day-to-day load and act as backups for one another. This is often implemented with a load balancer, or with built-in failover that detects the failure of one device and automatically transfers its load to another.

Next, we will learn about Web Security Gateways, or WSGs. These are one of the newer all-in-one network security technologies, and are often marketed as Unified Threat Management devices. A WSG attempts to defend the network from malicious content and attacks arriving from the Internet. These devices typically use malware scanners and content filters to ensure that the web content users request, and the information crossing the network, is not malicious. A data loss prevention (DLP) policy is also commonly enforced here, to prevent end users from sending sensitive information outside the network boundary. Next, we have Intrusion Detection and Intrusion Prevention Systems.

9 Intrusion Detection and Prevention Systems

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are two technologies for monitoring a network for malicious activity. Detection can be passive or active, and an IPS is never passive. Passive detection involves monitoring data and alerting, with no further action taken. In active detection, the IDS or IPS reacts when suspicious activity is found entering the network, for example by resetting the connection or adding a block rule. An IDS is reactive: it reports after a malicious intrusion has taken place, whereas an IPS sits inline and attempts to prevent the intrusion. IDS and IPS use different methods to determine whether the traffic they analyze is an attack.

Network-based systems have three major components: the sensor, the analysis engine and the console. The sensor captures the traffic, usually from a mirror port or a network tap; the analysis engine inspects what the sensor captured; and the console is where you manage the system and view its alerts.

Signature-based analysis behaves like signature-based antivirus. The system analyzes the data and compares it to a database of known attack signatures. If the data matches a pattern in the signature database, a NIDS raises an alert for an intrusion, and a NIPS alerts and attempts to stop the attack. The benefit of signature-based analysis is that it produces few false alarms, or false positives, because each signature describes a confirmed attack pattern. Its disadvantage is that it cannot detect a zero-day attack, that is, an attack that has not yet been publicly revealed and for which no signature exists.

Now, we'll see host-based intrusion detection systems, or HIDS. A HIDS is software installed on a host device. It monitors traffic into and out of the device, and activity on the device itself, for possible attacks. HIDS are reactive security measures that do not prevent intrusions but detect and react, most often by alerting when they detect specific changes or behaviour in data or information. A HIDS monitors memory, system files, log files, file systems and active connections. It analyzes events that take place on the machine, and its configured parameters determine whether or not an attack has occurred.

Next, we have network-based intrusion detection and prevention systems (NIDS and NIPS). These are network devices that watch the traffic of a whole segment rather than a single host. A NIDS, like a HIDS, monitors and alerts on behaviour across the network that may be an intrusion or an attack. A NIPS works proactively to prevent the intrusion as soon as it detects a possible attack.

Heuristic-based systems are a newer approach that is considered intelligent. In this approach, the system carefully observes patterns of data or behaviour, and if they match known patterns, or resemble patterns of behaviour known to indicate an intrusion, the system reacts. Heuristic-based systems are also referred to as learning systems, because they detect intrusions based on the behaviour of data as it progresses. Heuristic IDS are good at detecting zero-day attacks, but often produce many false positives.

Anomaly-based and behaviour-based systems require a network baseline of the data that normally travels across the network. These systems record a baseline, and a threshold is set above it. If activity rises past that threshold, it is considered abnormal, and the system triggers an alert. These systems produce false positives and require a lot of tuning. Behaviour-based systems are a type of anomaly detection that monitor the behaviour of the person using the machine, rather than the data across the network. The disadvantage is that anything outside normal activity is likely to trigger an alert, causing many false positives. In practice, signature-based and anomaly-based detection are complementary: the first catches known attacks precisely, the second catches unusual activity at the cost of more tuning.

Protocol analyzers, also known as packet sniffers, are used to review data packets crossing the network. Wireshark is one of the most common packet sniffers.
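To show the difference between the signature-based and anomaly-based approaches discussed above, here is an added example (not code from the original lesson) that runs both over a handful of constructed web-server log lines. The signature list, the per-second baseline and the threshold factor are illustrative assumptions, not a real ruleset; the log lines are made up for the example.

```python
"""Added example: signature-based versus anomaly-based detection over constructed log lines.
The signatures, baseline and threshold are illustrative, not a real ruleset."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format style (not real traffic).
LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2015:10:00:02] "GET /about.html HTTP/1.1" 200 734
203.0.113.9 - - [01/Jan/2015:10:00:03] "GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 99
203.0.113.9 - - [01/Jan/2015:10:00:03] "GET /../../etc/passwd HTTP/1.1" 404 0
"""
# A scanner making eight requests within one second (also constructed).
LOG += "".join('192.0.2.77 - - [01/Jan/2015:10:00:04] "GET /page%d.html HTTP/1.1" 404 0\n' % i
               for i in range(8))

# Signature database: (name, pattern) matched against the decoded request path.
SIGNATURES = [
    ("sql-injection-tautology", re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
    ("unix-file-read", re.compile(r"/etc/(passwd|shadow)")),
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_log(text: str) -> list:
    """Turn log lines into events. The path is URL-decoded so an encoded payload
    cannot dodge a signature simply by being percent-encoded."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ip": m.group(1), "ts": m.group(2), "method": m.group(3),
                           "path": unquote(m.group(4)), "status": int(m.group(5))})
    return events


def signature_alerts(events: list) -> list:
    """Signature-based: fires only on known patterns (few false positives, blind to new attacks)."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["path"]):
                alerts.append((ev["ip"], name))
    return alerts


def anomaly_alerts(events: list, baseline_per_second: float, threshold_factor: float = 3.0) -> list:
    """Anomaly-based: flag any client whose requests in one second exceed baseline * factor.
    Catches attacks with no signature, but a legitimate burst trips it too (false positive)."""
    per_second = Counter((ev["ip"], ev["ts"]) for ev in events)
    threshold = baseline_per_second * threshold_factor
    return sorted({ip for (ip, _), n in per_second.items() if n > threshold})


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("signature alerts:", signature_alerts(evs))
    print("anomaly alerts:  ", anomaly_alerts(evs, baseline_per_second=2))
```

Run as is, the signature engine names the injection and traversal attempts from 203.0.113.9 but says nothing about the scanner at 192.0.2.77, while the anomaly engine flags the scanner's burst but never sees two quiet requests as abnormal; lowering the threshold factor makes the anomaly engine catch the second attacker too, at the cost of flagging more ordinary clients. That trade-off is the false-positive versus zero-day discussion above in miniature.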
Protocol analyzers are useful for determining what exactly is happening on the network, and can be used for reviewing malicious attacks, detecting an attack in progress, or simply knowing what is going on across your network. In a switched network it is hard to monitor traffic, since each frame is sent only to its destination port. Hence port mirroring comes into play: you configure the switch so that traffic from the other ports is copied out of the mirror port to the analyzer, which lets you monitor all the information traversing that switch. Additionally, there are hardware devices known as network taps, which sit inline on a link and provide ports to which monitoring devices can be connected to see the traffic on that link.

We have all seen and heard about spam, and are advised not to open spam emails. To understand spam filters, you must first understand spam. Spam is unsolicited commercial email, usually sent out by automated systems capable of mass mailing. In a business environment spam poses a threat when it is malicious, and is a hindrance to productivity even when it is not, since it can stop users from reaching their legitimate email in a timely fashion. If you have an email server on site, spam also consumes a great deal of storage. Spam filters are technologies that attempt to filter spam before it reaches the end user. Spam can be filtered on the following criteria:
• Recipient filter, which blocks or allows email based on the target recipient.
• Sender filter, which blocks or allows email based on the sender.
• Connection filter, which allows or denies connections based on lists of connecting mail server addresses.
• Real-time blacklist, a third-party service that tracks IP addresses known to send spam, so that mail from them can be blocked at your network edge.
Other spam filters use rating algorithms. These score an email on its headers or content, and depending on the score either allow it or block it as spam.

Now, let's learn about UTM appliances. These combine three or more security technologies in a single device, and monitor data moving into or out of the network. Web security gateways are considered UTM devices. We'll now look at the features of UTM appliances. Let's begin with URL filtering. This lets you restrict or allow web browsing based on the destination URL, and is used to prevent access to websites that are not appropriate or productive for your environment. Next, we have content inspection. This is a feature of a security device that examines the actual content of a packet, and decides on the basis of what it finds whether the packet should be allowed. Third on the list is malware inspection. A UTM device often performs network-level malware detection, which protects the network from viruses, adware, spam and other malicious data that would harm unsuspecting users. Fourth is the Web Application Firewall, or WAF. It works at the application layer of the OSI model, and lets you control the HTTP messages that enter and leave a web server. Unlike network firewalls, WAFs focus on the HTTP information being transmitted, so they can block attacks such as injection attempts that a port-based rule would let through. Finally, we have application-aware devices. These network security devices look at packets not only by source, destination, protocol and port, but also by the type of application data the packet contains, and are designed to allow or block a specific type of data from a specific application.

11 Summary

Let's summarize the topics covered in this lesson:
• The OSI and TCP/IP models are two reference models that help us understand how information is communicated over a network.
• The layers of the OSI model help us reason about where data is handled, and where a control applies, as data moves from one device to another using specific protocols at each layer.
• There are different types of network devices, namely hubs, switches, routers, firewalls, proxy servers, load balancers and VPN concentrators, connected by network cables, together with detection and prevention systems such as IDS/IPS, protocol analyzers, spam filters and UTM appliances.
With this, we conclude the lesson, ‘Implementing Security Configuration Parameters.’ The next lesson is, ‘Implementing Secure Network Administration Principles as per a given scenario.’
