CompTIA Security+ SYO-401


Use Secure Network Administration Principles Tutorial

1 Use Secure Network Administration Principles

Computer systems are compromised routinely, and much of that risk comes down to who and what is allowed to reach them: if you control which users and devices can enter your computer or network, most intrusions never get a foothold. This lesson covers access control settings and the network administration principles used to secure connected devices. Before that, let's outline the objectives for this lesson. After completing this lesson, you will be able to:
• Categorize different types of access control,
• Describe key security measures,
• Identify Access Control Lists in detail,
• Explain port security,
• Analyze security issues related to wireless networking, and
• Explain the concepts of implicit deny, network separation, log analysis, and Unified Threat Management.
In this topic, we will learn about Access Control Lists and the categories of access control.

2 Access Control List and its Categories

Now, let's begin with the basics of access control. Access control is the strategy that decides which users may reach which resources within your network or computing environment. There are two broad types: physical and logical. Physical access control limits a person's entry to your campus, building, or room, whereas logical access control governs access to the computer network, servers, databases, and system files. Within logical access control there are four commonly cited models: rule-based, role-based, mandatory, and discretionary. Let's learn about these models with a scenario.

A prominent textile manufacturer in South Carolina, RiverFall Garments, decided to create its own flagship curtain designs and launch the brand within two months. Management hired top designers to design and manufacture the first run of a million curtains, and laid down the following security requirements:
• The area used for design work should be restricted.
• The manufacturing team should have access to the design files only during working hours, and only for 15 days.
• Only top management and the design experts may access the design room and its systems.
• Only the CEO and the Design Head may grant users access to the design files.

Can we provide them with a solution? Sure we can. We begin with rule-based access control. Here, the system administrator writes explicit rules that determine when and how the network may be accessed, so that it is used and managed in a disciplined manner. The rules are evaluated against the request itself rather than the identity of the requester, and they are changed as business needs change, which directly or indirectly affects user access.
Additionally, on network devices a list of rules determines which traffic may enter the network and which should be dropped. In the given scenario, the system administrator defines a rule such that a user in the manufacturing team can access the designs from 8 am to 7:30 pm, for 15 days. Another everyday example of a rule-based control is a meal voucher accepted in cafes, restaurants, and stores: because it can be spent like cash, the rules restrict it from being used for other items such as clothes and footwear.

Next, we will see role-based access control. This is the strategy of assigning roles to users and granting access to computers or the network according to those roles. A role corresponds to a set of tasks the user is expected to perform; a user can hold one or more roles, and the information they can reach follows from the roles assigned. If a user moves to a different role, their permissions change accordingly. Roles are assigned according to job competency, authority, and responsibility within the organization, and in a role hierarchy a given role should reach only the information of the departments linked to it. In the scenario, the system administrator creates a new department, Design, and two roles, Management and Design Experts; only these roles are given access to the systems in the Design department. To satisfy the requirement, the administrator assigns the Management role to users in top management and the Design Experts role to the designers.

Next, we will see mandatory access control. Here, every user is assigned a clearance and every piece of information a classification label, and the system, not the user, decides access by comparing the two. The labels (public, confidential, secret, and top secret) represent the sensitivity of the information. When a user tries to access information, the security system compares the user's clearance with the information's classification and grants access only if the clearance is sufficient.
For example, a user with a Secret clearance cannot read Top Secret information, whereas a user with a Top Secret clearance can read information at any level. Hence, the system administrator at RiverFall assigned Top Secret clearance to top management, Secret to the designers, Confidential to middle management, and Public to everyone else. Under this model, information is not shared unless the administrator, rather than the information's owner, assigns the rights, which makes it a very strict control. It is used by governments and the military, where confidentiality is the top priority.

Discretionary access control is a strategy in which users themselves define the access parameters for the information they own. For example, User A grants Users B and C read-only access to a file, and grants the users of department X read and write permissions. A user can grant permissions only on information they own; User A cannot define access rules for information owned by User B. Discretionary access control is the most flexible of the models, but the risk of an owner granting access to the wrong person is correspondingly higher. So, in the case of RiverFall Garments, only the CEO and the Design Head, as owners of the design files, have permission to grant access to the teams concerned.
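The four models applied to the RiverFall scenario, as an added worked example (this is not code from the lesson). It is a small policy engine written for illustration: the user names, roles, clearances, and the launch date of 2024-03-01 are assumptions, and each model is kept separate because they answer different questions (a label check, a role lookup, a condition on the request, and an owner-controlled grant).

```python
"""Added example: the four access-control models applied to RiverFall Garments.
Names, clearances and the launch date are assumptions made up for illustration."""
from datetime import datetime, timedelta

# Mandatory Access Control: fixed labels; a subject may read only at or below its clearance.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_allows(clearance, label):
    """'No read up': True when the subject's clearance dominates the object's label."""
    return LEVELS[clearance] >= LEVELS[label]

# Role-Based Access Control: permissions attach to roles, users are assigned roles.
ROLE_PERMISSIONS = {
    "management":    {"design_room", "design_systems"},
    "design_expert": {"design_room", "design_systems"},
    "manufacturing": {"production_systems"},
}

def rbac_allows(roles, resource):
    return any(resource in ROLE_PERMISSIONS.get(role, set()) for role in roles)

# Rule-Based Access Control: a condition on the request itself (here, a time window).
WINDOW_START = datetime(2024, 3, 1)            # assumed launch date
WINDOW_END = WINDOW_START + timedelta(days=15)

def rule_allows(when):
    """Design files are reachable only 08:00-19:30 during the 15-day window."""
    in_period = WINDOW_START <= when < WINDOW_END
    in_hours = (8, 0) <= (when.hour, when.minute) <= (19, 30)
    return in_period and in_hours

# Discretionary Access Control: the owner of an object decides who else may use it.
class DacFile:
    def __init__(self, owner):
        self.owner = owner
        self.grants = {}                        # subject -> set of permissions

    def grant(self, grantor, subject, perms):
        # Only the owner may grant; user A cannot write rules for user B's file.
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own this file")
        self.grants.setdefault(subject, set()).update(perms)

    def allows(self, subject, perm):
        return subject == self.owner or perm in self.grants.get(subject, set())

def riverfall_checks():
    """Run each model against the scenario and return the decisions."""
    design = DacFile(owner="design_head")
    design.grant("design_head", "manufacturing", {"read"})
    try:
        design.grant("designer", "outsider", {"read"})   # must fail: not the owner
        rogue_grant = True
    except PermissionError:
        rogue_grant = False
    return {
        "secret_reads_top_secret": mac_allows("secret", "top secret"),
        "top_secret_reads_secret": mac_allows("top secret", "secret"),
        "designer_enters_design_room": rbac_allows({"design_expert"}, "design_room"),
        "mfg_enters_design_room": rbac_allows({"manufacturing"}, "design_room"),
        "mfg_day3_10am": rule_allows(datetime(2024, 3, 3, 10, 0)),
        "mfg_day3_9pm": rule_allows(datetime(2024, 3, 3, 21, 0)),
        "mfg_day20_10am": rule_allows(datetime(2024, 3, 20, 10, 0)),
        "mfg_reads_design": design.allows("manufacturing", "read"),
        "mfg_writes_design": design.allows("manufacturing", "write"),
        "non_owner_can_grant": rogue_grant,
    }

if __name__ == "__main__":
    for check, decision in riverfall_checks().items():
        print(f"{check:30} {'ALLOW' if decision else 'DENY'}")
```

Note that the models are not interchangeable: the mandatory check would refuse the manufacturing team (cleared Public) the Secret design files outright, which is why the scenario's 15-day window is expressed as a rule and the grant to manufacturing as a discretionary decision by the owner.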

3 Key Security Measures

In this topic, we will learn some of the key security measures. We begin with rule-based management. This is a strategy that lets you define the conditions under which information or the network may be accessed. Access is decided by matching a request against a list of conditions such as addresses, protocols, and ports, rather than by the identity of the requester. It is the concept used by network security devices and technologies such as firewalls, IPS, IDS, and proxies. If an action does not match any rule, access should be denied, and the rules for the network within an organization are usually strict. Rule-based management is applied with the help of Access Control Lists, or ACLs. These lists of rules define what can and cannot take place within a corporate network. Depending on the device, rules can be written against protocol, port, source or destination address and, on application-aware devices, the application itself. The goal is to allow only the network access that is absolutely necessary; rule-based management is based on the principle of least privilege, which will be discussed later in the lesson.

Let's take an example. Typical firewalls use an implicit deny rule: anything not explicitly specified as allowed is assumed to be denied, and is not permitted to reach the network or its resources. Firewalls evaluate their rules on a first-match basis. What does this mean? A set of rules is created on the firewall in a specific order, and every packet is compared against those rules from the top down. The first rule that matches decides the action for that packet, and the packet is not compared against any later rule. If a packet matches no explicit rule, it reaches the implicit deny at the end of the list and is blocked. A firewall configured this way is an allow-list (whitelist) control: only traffic that has been explicitly permitted passes, and everything else is blocked, which keeps unauthorized connections out of the network.
While creating firewall rules, you need to consider direction: inbound and outbound rules are evaluated separately. If the firewall supports stateful inspection, it tracks established connections and automatically permits the return traffic of a session it has already allowed, so you do not have to write a matching rule for the reply direction. Another key aspect of firewall rules is continuous review, to ensure that the rules are in the appropriate order and do not create loopholes: because of first-match evaluation, a broad allow placed above a specific deny silently disables that deny.

After the successful launch of the curtain brand, the Design Team at RiverFall Garments felt the need for a team head. Management decided to split operations, appointing the Chief Operating Officer as head of the Design Team and placing the other manufacturing operations under the Chief Production Officer. Since the two departments now run as separate units and do not need to interact, management does not want the employees in either department to access the other's files or information. Let's see what the possible solution is.
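First-match evaluation with an implicit deny, and the rule-order loophole the review step is meant to catch, as an added example (not code from the lesson). The RiverFall addresses are assumptions: Design on 10.0.100.0/24, Manufacturing on 10.0.30.0/24, the design file server at 10.0.100.10. The `shadowed_rules` check goes slightly beyond the text: it reports every rule that an earlier rule fully covers, which is the general form of the ordering mistake described above.

```python
"""Added example: first-match firewall evaluation with implicit deny, plus a check for
rules that an earlier rule shadows. Addresses and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _addr_in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and _addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt):
    """Walk the list top-down; the first matching rule decides and later rules are
    never consulted. A packet matching nothing hits the implicit deny (index None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None

def _net_covers(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def covers(earlier, later):
    """True when every packet the later rule could match is already caught earlier."""
    return (earlier.proto in ("any", later.proto)
            and _net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and (earlier.dport is None or earlier.dport == later.dport))

def shadowed_rules(rules):
    """Indices of rules that can never fire. When the shadowing rule's action differs,
    the shadowed rule's intent is silently lost: the loophole a rule-order review looks for."""
    return [i for i, rule in enumerate(rules) if any(covers(rules[j], rule) for j in range(i))]

# Constructed RiverFall ruleset (addresses are assumptions).
RULESET = [
    Rule("allow", "tcp", "10.0.100.0/24", "10.0.100.10/32", 445, "design VLAN to design file server"),
    Rule("deny",  "any", "10.0.30.0/24",  "10.0.100.0/24",  None, "manufacturing must not reach design"),
    Rule("allow", "tcp", "10.0.0.0/16",   "10.0.1.5/32",    443, "all staff to the intranet portal"),
]
# The same policy with a broad allow added at the top: the deny is now unreachable.
MISORDERED = [Rule("allow", "any", "10.0.0.0/16", "10.0.0.0/16", None, "allow all internal")] + RULESET

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.100.5", "10.0.100.10", 445),
                Packet("tcp", "10.0.30.7", "10.0.100.10", 445),
                Packet("tcp", "198.51.100.9", "10.0.1.5", 22)):
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(RULESET, pkt), evaluate(MISORDERED, pkt))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

In `MISORDERED` every original rule is shadowed by the catch-all allow; the harmless cases (allow behind allow) and the dangerous one (the deny at index 2) look identical to the firewall, which is why the review has to compare actions, not just look for unreachable rules.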

4 VLAN Management

A Virtual Local Area Network, or VLAN, is a method of segmenting a large network into smaller ones. VLANs are often used to separate voice and data communications in environments that use VoIP. VLAN management gives detailed control over how your network is divided, and therefore lets an administrator specify the exact path data will travel. VLANs are configured on managed switches, and traffic between two VLANs must pass through a Layer 3 device, a router or a Layer 3 switch: two VLANs in the same environment can communicate only if such a routing device exists between them. VLANs help divide and configure network resources across multiple departments within a company so that access to each department's information is limited to the users in that department.

Consider a switched network with a single router at RiverFall Garments. Technically, all the machines are on the same physical network. VLANs have been created so that the Design department is assigned VLAN 100; its computers can communicate with other computers on VLAN 100 across the whole network. Computers on VLAN 300, the Manufacturing department, can access the VLAN 300 server but not the Design systems. To enhance the security of the network further, you can combine VLANs with other technologies.

Today, most people can't imagine a day without a Wi-Fi connection. But what if the Wi-Fi password you use is weak, or the router that provides it is left in its default state? Then anyone can access your network. Routers ship with common defaults designed to let an administrator log in and begin configuration. If you configure your router to route traffic but don't secure the router itself, you give a malicious user full access to your network. Securing a router configuration starts with changing the default credentials: many routers ship with a well-known default such as the user name admin and a blank password.
Default credentials can be looked up on the Internet or on the vendor's website. If someone can reach the management interface of a router that is not securely configured, it becomes easy to read its configuration and reconfigure it for their own purposes. Securing router credentials involves changing the administrator login name where possible and employing strong passwords: eight characters or more (longer is better), mixing letters, numbers, symbols, and upper and lower case. Once set, the password must be stored where it cannot easily be discovered.

The next step in securing your router is configuring its advanced settings. Here you should disable responses to ping (ICMP echo) requests from untrusted interfaces, enable port security and MAC filtering where the device supports them, and review the other advanced configuration settings. The harder it is to discover that a router exists, or to gain physical or logical access to it, the more secure your network is.

The next important thing is to keep the router firmware up to date. Firmware is the software embedded in the router that implements its network protocols and security controls; updates fix the vulnerabilities and exploits that are discovered over time. Where the router supports automatic updates, enable them; otherwise check for updates regularly. If you do not, a known weakness can be used to get into your network or even to damage the router. It is recommended to always back up the router's configuration before applying a firmware update, since untested firmware can sometimes have adverse effects.

Lastly, most routers offer remote access for easy management, which is convenient for companies with several campuses or many routers. Remote access always increases the possibility of compromise. If your company requires it, ensure the router is secured and uses strong authentication before authorizing any change. Consider implementing RADIUS or TACACS+, which use an internal authentication server: a secured server that the router or device consults to verify logon information.
If you disable remote access to routers, physical protection of the router is the remaining concern, so ensure there are physical security controls in place, such as CCTV, mantraps, biometrics, and security guards, to prevent compromise of the devices.

5 Access Control List in depth

In this topic, we will learn how to identify Access Control Lists in detail. We talked about ACLs, how they relate to rule-based management, and the devices that use them. ACLs are not only logical lists used by routers, firewalls, and other network devices to control and monitor a network; they can also be physical lists of the people permitted to enter a building or room. Whitelists and blacklists are often considered forms of ACL: a whitelist enumerates the locations, websites, or people that are allowed, while a blacklist enumerates those that are denied. Spam filters use ACLs to whitelist or blacklist email domains based on their history. Firewalls and proxies use ACLs to allow or deny traffic, while URL filters use whitelists or blacklists to permit or block websites. Routers use ACLs to decide which traffic may be forwarded between networks. ACLs should be implemented wherever possible to increase the security of your network infrastructure. An important thing to remember about ACLs for the Security+ exam is that, beyond their individual allow and deny rules, ACLs are the mechanism that implements the concepts of least privilege and implicit deny.

6 Port Security

In this topic, we will learn about port security. In the Security+ exam, port security refers to physical (switch) port security, not logical ports. Logical ports are associated with protocols, such as port 80 with HTTP. Physical port security means safeguarding connection points, such as RJ-45 wall jacks and switch ports, from users or devices that are not authorized to be on the network. You can safeguard unused wall jacks by disconnecting them at the patch panel in the wiring closet or server room. Another option is to secure a port on a switch or router logically, using technologies such as MAC filtering. Port security on managed switches lets you disable physical ports that are not in use, which stops anyone from plugging into your network and reaching your environment, and lets you limit active ports to particular devices. Because a MAC address is unique to each NIC, the switch can restrict a port to a specific MAC address, or to a maximum number of addresses, and shut the port down or drop frames when it sees a violation. The drawback is that MAC addresses can be spoofed: if attackers know a MAC address that is allowed on a port, they can bypass this control. Unused ports should be administratively shut down. Apart from keeping unauthorized devices off the network, port security also prevents MAC flooding, an attack that fills the switch's MAC address table with bogus entries so that the switch falls back to flooding frames out of every port, letting the attacker capture traffic meant for other hosts.

The next measure is managing TCP and UDP ports. A port is open only when a service is actively listening on it; the remaining ports, out of the 65,535 available for each of TCP and UDP, are closed. The open ports are the ones at risk, because a port scan reveals them to an attacker. It is therefore vital to employ firewalls, IDSs, IPSs, and other security tools to detect such reconnaissance and block malicious traffic. Another aspect of port security is port knocking.
Here, all ports on a system appear to be closed, and a client gains access to a desired port by sending packets, in a particular order, to a particular set of ports; once the correct sequence is seen, the server opens the service port for that client. An attacker who can observe the traffic can intercept the knocks and learn the sequence, but the method does hide the service from routine port scans.
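Both switch-port controls from this topic, simulated as an added example (not code from the lesson): a port-security model that learns a limited number of MAC addresses and either shuts the port down or restricts it on a violation, and a port-knocking daemon whose sequence a linear port scan cannot complete but a replayed, eavesdropped sequence can. Port names, MAC addresses, the knock sequence 7000, 8000, 9000, and the client addresses are all constructed for illustration.

```python
"""Added example: switch port security (MAC limit with shutdown/restrict) and a
port-knocking daemon. Ports, MACs, addresses and the knock sequence are assumptions."""

class SecuredPort:
    """A managed-switch port with port security enabled. The first max_macs source
    addresses seen are learned ('sticky'); any further address is a violation."""

    def __init__(self, name, max_macs=1, violation="shutdown"):
        self.name = name
        self.max_macs = max_macs
        self.violation = violation        # "shutdown": err-disable the port; "restrict": drop and count
        self.learned = set()
        self.shutdown = False
        self.violations = 0

    def frame(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.shutdown:
            return False                  # stays down until an administrator re-enables it
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)
            return True
        self.violations += 1
        if self.violation == "shutdown":
            self.shutdown = True
        return False


class KnockDaemon:
    """Opens a service for a client only after it hits the secret port sequence in order.
    A wrong port restarts the sequence, so a linear port scan never completes it."""

    def __init__(self, sequence, timeout=10.0):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = {}                # client ip -> (next index, time of last knock)
        self.opened = set()

    def knock(self, client, port, now):
        index, last = self.progress.get(client, (0, now))
        if now - last > self.timeout:
            index = 0                     # too slow: start over
        if port == self.sequence[index]:
            index += 1
        else:
            index = 1 if port == self.sequence[0] else 0
        if index == len(self.sequence):
            self.opened.add(client)
            index = 0
        self.progress[client] = (index, now)
        return client in self.opened


def demo():
    """Constructed traffic: a MAC flood against a secured port, then knock attempts."""
    port = SecuredPort("Gi1/0/7", max_macs=1)
    flood = [f"02:00:00:00:{i // 256:02x}:{i % 256:02x}" for i in range(500)]
    forwarded = sum(port.frame(mac) for mac in flood)

    lab = SecuredPort("Gi1/0/8", max_macs=2, violation="restrict")
    lab_results = [lab.frame(m) for m in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02",
                                          "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:01")]

    knockd = KnockDaemon(sequence=(7000, 8000, 9000))     # assumed secret sequence
    scan_opened = any(knockd.knock("203.0.113.5", p, now=p * 0.001) for p in range(1, 10001))
    legit_opened = [knockd.knock("10.0.100.5", p, now=t) for t, p in enumerate((7000, 8000, 9000))]
    replay_opened = [knockd.knock("203.0.113.5", p, now=100 + t) for t, p in enumerate((7000, 8000, 9000))]
    return {
        "flood_frames_forwarded": forwarded,
        "flood_port_shutdown": port.shutdown,
        "flood_violations": port.violations,
        "restrict_mode": lab_results,
        "restrict_violations": lab.violations,
        "scan_opened_service": scan_opened,
        "legit_opened_service": legit_opened[-1],
        "replayed_knocks_opened_service": replay_opened[-1],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32} {value}")
```

The shutdown mode stops a MAC flood after a single forwarded frame, at the cost of taking the port (and any legitimate host on it) offline until someone intervenes; restrict mode keeps the learned hosts working and only drops the extra addresses. The last two results show the port-knocking caveat from the text: the scanner never opens the service, but the same attacker replaying the observed sequence does.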

7 Standards for Wireless Security Network

In this topic, we will analyze security issues related to wireless networking. The IEEE 802.1X standard defines port-based network access control, which is used to enhance the security of both wired and wireless networks. A port (or wireless association) carries only authentication traffic until the connecting device has authenticated using the Extensible Authentication Protocol, or EAP, and it is commonly combined with MAC filtering as a secondary control. EAP is an authentication framework that lets access points and switches rely on a back-end server to verify credentials; the device does not get access to the switched network until the user authenticates. RADIUS servers are often deployed as that back end, and Network Access Control (NAC) solutions build on 802.1X and EAP.

Flood guards are features found on routers, switches, and firewalls that let you block or limit flood attacks. Common examples are ping floods and SYN floods, in which the attacker repeatedly sends SYN packets to open many half-open sessions but never completes them; left unchecked, this exhausts the target's connection table and causes a denial of service. Flood guards cap such traffic per source, and similar limits can be configured to stop excessive login attempts.

Loop protection is a related switch safeguard. To understand it, we must first review how a loop occurs. A switching loop arises when there are redundant links between switches and nothing blocks one of them: broadcast frames are forwarded around the loop endlessly and multiply until the network is saturated. This is a broadcast storm, and it can lead to complete network disruption or denial of service. Spanning Tree Protocol, available on switches, prevents switching loops by detecting redundant paths and placing one of the ports in the loop in a blocking state. If the switch then detects that the active link to the neighboring switch has been lost, it unblocks the blocked port so traffic can pass.
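The two flood-guard behaviours described above, as an added simulation (not code from the lesson): a per-source cap on half-open TCP connections, which is what defeats a SYN flood, and a sliding-window limit on login attempts. The thresholds (three half-open connections, five attempts per 60 seconds) and the addresses are assumptions chosen to keep the example short; real devices use far higher connection limits.

```python
"""Added example: a SYN flood guard (per-source half-open connection cap) and a
sliding-window attempt limiter. Thresholds and addresses are assumptions."""
from collections import defaultdict, deque

class SynFloodGuard:
    """Tracks connections that saw a client SYN but no completing ACK. A source that
    exceeds max_half_open is blocked; a ping flood guard would count ICMP echo the same way."""

    def __init__(self, max_half_open=3):
        self.max_half_open = max_half_open
        self.half_open = defaultdict(set)   # src ip -> {(src port, dst ip, dst port)}
        self.blocked = set()

    def packet(self, src, sport, dst, dport, flags):
        """Return 'pass', 'block' (the SYN that trips the limit) or 'drop' (already blocked)."""
        conn = (sport, dst, dport)
        if src in self.blocked:
            return "drop"
        if flags == "SYN":
            if len(self.half_open[src]) >= self.max_half_open:
                self.blocked.add(src)
                return "block"
            self.half_open[src].add(conn)
        elif flags in ("ACK", "RST", "FIN"):
            self.half_open[src].discard(conn)    # handshake completed or connection torn down
        return "pass"


class AttemptLimiter:
    """Allows at most max_attempts events per key inside a sliding window of `window` seconds."""

    def __init__(self, max_attempts=5, window=60.0):
        self.max_attempts = max_attempts
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        recent = self.events[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                     # forget attempts older than the window
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True


def demo():
    """Constructed traffic: a well-behaved client, a SYN flooder, and a password guesser."""
    guard = SynFloodGuard(max_half_open=3)
    # Legitimate client: each SYN is followed by the ACK that completes the handshake,
    # so its half-open count never grows even though it opens six connections.
    legit = []
    for sport in range(50000, 50006):
        legit.append(guard.packet("10.0.100.5", sport, "10.0.1.5", 443, "SYN"))
        legit.append(guard.packet("10.0.100.5", sport, "10.0.1.5", 443, "ACK"))
    # Attacker: ten SYNs from different source ports, never completing any of them.
    flood = [guard.packet("203.0.113.9", 40000 + i, "10.0.1.5", 443, "SYN") for i in range(10)]

    limiter = AttemptLimiter(max_attempts=5, window=60.0)
    guesses = [limiter.allow("admin@rtr1", now=float(t)) for t in range(7)]   # one guess per second
    later = limiter.allow("admin@rtr1", now=70.0)                            # window has slid past them
    return {
        "legit_all_pass": all(r == "pass" for r in legit),
        "flood_results": flood,
        "attacker_blocked": "203.0.113.9" in guard.blocked,
        "guess_results": guesses,
        "guess_after_window": later,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The guard keys on the source address, which is also its limit: a SYN flood from many spoofed sources stays under any per-source cap, and production devices add a global half-open limit and SYN cookies on top of this per-source check.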

8 Concepts of Implicit Deny, Network Separation, Log Analysis, and Unified Threat Management

In this topic, we will cover the concepts of implicit deny, network separation, log analysis, and Unified Threat Management.

Implicit deny is a security principle applied to access control lists and to the technology used to manage access to network resources. It is either listed last in an ACL or implied at its end: anything that has not been explicitly listed as allowed by the ACL's rules is considered denied. Access can be denied on any criterion the ACL supports; the common ones are source, destination, protocol and port, and application type, and ACLs on many devices allow very fine-grained specification of what is and is not allowed. Examples that use implicit deny are router ACLs, firewalls, and Windows NTFS permissions. It is important to know that implicit deny facilitates least privilege, the security principle under which users and devices on a network are granted access only to the resources they absolutely need.

We have learned about several technologies that provide network separation, but we need to understand its relevance to security administrators. Network separation can be either logical or physical. VLANs are a type of logical network separation, whereas placing a router between two networks is physical network separation. Separation prevents unauthorized access to data across departments or job roles, and it also confines broadcast traffic, reducing the impact of a broadcast storm. Segmenting a network creates separate broadcast domains, which has its own benefits: an attacker sniffing traffic can capture only the traffic on the segment they are connected to. If communication is required between two segmented networks, you need to implement IP subnets and employ routers. And where only limited communication should be allowed between two segments, place a firewall between them (or in place of the router) so that the traffic is filtered securely and managed efficiently.
Network separation is done with DMZs and subnetting. A DMZ is a network segment where public-facing devices are placed, to prevent direct access from the public to the private internal network. In practice, separation combines all of these: physical boundaries, logical subnets, and a DMZ.

Analyzing log data is a commonly overlooked security practice, but it is important for security assessments. You must have a regular and thorough review of the logs of network and security devices and of critical systems. This will alert you to intrusions, compromises, or faulty equipment. Log analysis is often part of a security audit, which is a managerial activity, but regular review of logs lets you catch problems early, before they escalate. Most programs support some form of logging; it should be configured so that logs are accessible and retained, so that they can be reviewed later.

We have discussed Unified Threat Management devices and their close relatives, web security gateways. Now we will look into the details of UTM. Unified Threat Management is a type of all-in-one security device. UTM lets vendors put several security measures into a single device, thereby cutting down the cost. It carries a risk: if the UTM device fails, every security function it provided is unavailable to the network at once. It is a single point of failure. Key features of UTM devices include spam filters, malware detection, URL filters, web content filters, and others.
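What a log review looks like in practice, as an added example (not code from the lesson): three detections run over constructed sample lines in a netfilter-style firewall deny format and an sshd-style authentication format. The formats, hosts, and addresses are assumptions; the patterns are what a reviewer would look for in RiverFall's logs: a port scan against the intranet server, a password brute-force against the router, and a Manufacturing host repeatedly blocked from the Design file server (the rule from earlier in the lesson doing its job, or a misconfiguration to investigate).

```python
"""Added example: log review over constructed firewall-deny and SSH lines. Detects a port
scan, a password brute-force, and repeated denies of one flow. Formats are assumptions."""
import re
from collections import defaultdict

# Constructed sample logs (not from the lesson); times are not used by the detections below.
SCAN_SOURCE = "203.0.113.45"
FIREWALL_LOG = [
    f"Mar 01 10:00:{i % 60:02d} fw1 kernel: DENY IN=eth0 SRC={SCAN_SOURCE} DST=10.0.1.5 PROTO=TCP DPT={20 + i}"
    for i in range(40)
] + [
    "Mar 01 10:02:11 fw1 kernel: DENY IN=eth0 SRC=10.0.30.7 DST=10.0.100.10 PROTO=TCP DPT=445",
    "Mar 01 10:02:15 fw1 kernel: DENY IN=eth0 SRC=10.0.30.7 DST=10.0.100.10 PROTO=TCP DPT=445",
    "Mar 01 10:03:40 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.0.1.5 PROTO=UDP DPT=161",
]
AUTH_LOG = [
    f"Mar 01 10:05:{10 + i:02d} rtr1 sshd[211]: Failed password for admin from 198.51.100.7 port {50000 + i} ssh2"
    for i in range(6)
] + [
    "Mar 01 10:05:30 rtr1 sshd[211]: Failed password for invalid user root from 198.51.100.7 port 50010 ssh2",
    "Mar 01 10:06:02 rtr1 sshd[214]: Failed password for admin from 10.0.100.5 port 51000 ssh2",
    "Mar 01 10:06:09 rtr1 sshd[214]: Accepted password for admin from 10.0.100.5 port 51000 ssh2",
]

DENY_RE = re.compile(r"\bDENY\b.*\bSRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def find_port_scans(lines, min_ports=20):
    """Return {(src, dst): distinct_port_count} for sources probing at least min_ports ports."""
    ports = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            src, dst, _proto, dport = m.groups()
            ports[(src, dst)].add(int(dport))
    return {key: len(p) for key, p in ports.items() if len(p) >= min_ports}

def find_bruteforce(lines, min_failures=5):
    """Return {(src, user): failures} for sources with at least min_failures failed logins."""
    failures = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[(src, user)] += 1
    return {key: n for key, n in failures.items() if n >= min_failures}

def find_repeat_denies(lines, min_hits=2):
    """Return {(src, dst, dport): hits} for the same blocked flow seen repeatedly.
    Repeated denies from an internal source usually mean a misconfigured client or a curious user."""
    hits = defaultdict(int)
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            src, dst, _proto, dport = m.groups()
            hits[(src, dst, int(dport))] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print("port scans     :", find_port_scans(FIREWALL_LOG))
    print("brute force    :", find_bruteforce(AUTH_LOG))
    print("repeated denies:", find_repeat_denies(FIREWALL_LOG))
```

The thresholds are deliberately simple counts; a production review adds a time window (forty ports in a minute is a scan, forty over a month may not be) and treats the single failed login from 10.0.100.5 followed by a success as normal, which is why it falls below the brute-force threshold here.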

10 Summary

Let's summarize the topics covered in this lesson.
• Access control consists of four categories: rule-based, role-based, mandatory, and discretionary.
• Firewalls use Access Control Lists, which are rules that define what type of traffic is passed through the firewall.
• Virtual Local Area Networks (VLANs) are a method of segmenting a large network into smaller ones.
• EAP is an authentication protocol that lets access points and switches rely on a server for verification.
• Flood guards are features found on routers or switches that allow you to block or limit flood attacks.
• VLANs are a type of logical network separation, whereas placing a router between two networks is physical network separation.
• Unified Threat Management is a type of all-in-one security device. UTM allows vendors to put several security measures into a single device, and thus cut down on cost.
With this, we conclude the lesson, 'Use Secure Network Administration Principles as per a given scenario.' The next lesson is, 'Explain Network Design Elements and Components.'
