
Chapter 15: Physical Security and Risk
Chapter 15 Objectives
• The following CompTIA Network+ exam objectives are covered in this chapter:
• 1.3 Explain the concepts and characteristics of routing and switching
  – ACL
  – Segmentation and interface properties
  – DMZ
• 2.2 Given a scenario, determine the appropriate placement of networking devices on a network and install/configure them
  – Firewall
• 2.3 Explain the purposes and use cases for advanced networking devices
  – UTM appliance
  – NGFW/Layer 7 Firewall
Chapter 15 Objectives (cont.)
• 3.2 Compare and contrast business continuity and disaster recovery concepts
  – Power management
    • Battery backups/UPS
    • Power generators
    • Dual power supplies
    • Redundant circuits
  – Recovery
    • Cold sites
    • Warm sites
    • Hot sites
Chapter 15 Objectives (cont.)
  – Snapshots
  – MTTR
  – MTBF
  – SLA requirements
Using Hardware and Software Security Devices
• In medium to large enterprise networks, strategies for security usually include some combination of internal and perimeter routers plus firewall devices.
• Internal routers provide added security by screening traffic to the more vulnerable parts of a corporate network through a wide array of strategic access lists.

[Figure: the untrusted network (Internet) connects through a perimeter router to a firewall, which connects through an internal router to the trusted corporate (local) network; a DMZ attached to the firewall hosts the web server and the email server]
Firewalls
• Firewalls are usually a combination of hardware and software.
• The hardware part is usually a router, but it can also be a computer or a dedicated piece of hardware called a black box that has two Network Interface Cards (NICs) in it.
• One of the NICs connects to the public side, and the other one connects to the private side.
• The software part is configured to control how the firewall actually works to protect your network by scrutinizing each incoming and outgoing packet and rejecting any suspicious ones.
Firewalls
• Network-Based Firewalls
  – A network-based firewall is used to protect private networks from public networks.
  – This type of firewall is designed to protect an entire network of computers instead of just one system.
  – Usually a combination of hardware and software
• Host-Based Firewalls
  – A host-based firewall is implemented on a single machine, so it only protects that one machine.
  – Usually a software implementation
Firewall Technologies
• Access Control Lists (ACLs)
  – The first line of defense for any network that’s connected to the Internet is its access control lists.
  – These reside on your routers and determine, by IP addresses and/or ports, which machines are allowed to use those routers and in what direction.

[Figure: a router sits between Network A (the “Public” network) and Network B (the “Private” network); A can access B, and B can access A only if a secure authenticated connection is detected]
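The directional ACL from the figure above, worked as an added example (not code from the course materials): rules are evaluated top-down, the first match wins, and anything unmatched falls to the implicit deny. The “secure authenticated connection is detected” condition is approximated here by the TCP established check (ACK bit set), which is how a router ACL’s `established` keyword behaves; the addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    ack: bool = False   # set on every TCP segment except the connection-opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # match only segments of a TCP connection opened from the other side

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching rule decides; a packet no rule matches hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


NET_A = "203.0.113.0/24"   # "Public" network A (constructed)
NET_B = "192.168.10.0/24"  # "Private" network B (constructed)

ROUTER_ACL = [
    Rule("permit", NET_A, NET_B, "tcp", 443),               # A can access B's web service
    Rule("permit", NET_B, NET_A, "tcp", established=True),  # B reaches A only inside an already-open connection
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),                 # explicit catch-all, same effect as the implicit deny
]
```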
Port Security
• Use port security to define a set of MAC addresses that are allowed to access a port where a sensitive device is located.
• Use it to set unused ports to only be available to a preconfigured set of MAC addresses.
Firewall Technologies
• Demilitarized Zone (DMZ)
  – A demilitarized zone (DMZ) is a network segment that isn’t public or private but halfway between the two.

[Figure: Internet, router and firewall; a switch in the DMZ connects an email server, a web server and an FTP server; a second switch behind the firewall connects the protected intranet, which hosts an email server, a file and print server, and an internal database and web server]
Firewall Technologies
• Protocol Switching
  – Protocol switching protects data on the inside of a firewall.

[Figure: TCP/IP-only routers face the TCP/IP Internet; protocol switching occurs inside the firewall, whose first NIC understands TCP/IP only and whose second NIC understands IPX/SPX only; the deadzone between the firewall and the inner router carries IPX/SPX only, and the protected intranet’s switch connects an IPX/SPX-only email server, a file and print server that speaks both, and a TCP/IP-only internal database and web server]
Firewall Technologies
• Dynamic Packet Filtering
  – Packet filtering refers to the ability of a router or a firewall to discard packets that don’t meet the right criteria.

[Figure: the firewall’s state list records “Session between A & B: Last packet #1238, Next packet #1239”; the server is sending packet #1239 to a client expecting packet #1239, while a hacker attempts to get in using packet #1211. The hacker is denied access because the state list says the firewall should expect packet #1239 next, but instead it is receiving #1211, so it rejects the packet.]
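The state-list check from the figure above, as an added example that is not part of the course materials: the firewall records the packet number it expects next for each session, accepts the server’s #1239 and rejects the out-of-state #1211. Addresses, the inside prefix and the slide’s simplified per-packet numbering (real TCP counts bytes) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int           # packet number, as in the slide's simplified state list
    syn: bool = False  # True only for the packet that opens a session


class StatefulFirewall:
    """Dynamic packet filter that keeps a state list of expected packet numbers per session."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix  # hosts allowed to open sessions (constructed: "192.168.")
        self.state = {}                     # frozenset({a, b}) -> next packet number expected

    def inspect(self, pkt: Packet) -> str:
        key = frozenset((pkt.src, pkt.dst))  # same entry for both directions of A <-> B
        if key not in self.state:
            # No session on record: only an inside host may open one; anything else is unsolicited.
            if pkt.syn and pkt.src.startswith(self.inside_prefix):
                self.state[key] = pkt.seq + 1
                return "accept"
            return "reject"
        expected = self.state[key]
        if pkt.seq != expected:
            # Out-of-state packet: the slide's #1211 arriving when #1239 is expected.
            return "reject"
        self.state[key] = expected + 1
        return "accept"


def run_demo() -> list:
    """Replays the figure: client A opens the session, a spoofed #1211 is rejected, the real #1239 passes."""
    fw = StatefulFirewall("192.168.")
    client, server, hacker = "192.168.10.5", "198.51.100.20", "203.0.113.99"  # constructed
    traffic = [
        Packet(client, server, 1238, syn=True),   # A's last packet #1238 -> state list now expects #1239
        Packet(server, client, 1211),             # hacker spoofing the server's address with #1211
        Packet(server, client, 1239),             # the server's genuine #1239
        Packet(hacker, client, 1239),             # unsolicited: no session between hacker and client
    ]
    return [fw.inspect(p) for p in traffic]
```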
Firewall Technologies
• Proxy Services
  – Proxies act on behalf of the whole network to completely separate packets from internal hosts and external hosts.

[Figure: client A sends HTTP data “From A” to the proxy server; the proxy forwards it to the Internet web server as “From Proxy”, receives the reply “From Server”, and returns it to A as “From Proxy”; the original packet from A is discarded. A proxy receives a request from a client and makes the request on behalf of the client. This example shows an HTTP proxy server.]
Firewall Technologies
• Firewalls at the Application Layer vs. the Network Layer
  – Stateful vs. Stateless Network-Layer Firewalls
  – Application-Layer Firewalls
• Scanning Services and Other Firewall Features

[Figure: key default scanning settings]
Firewall Technologies
• Content Filtering
  – Content filtering means blocking data based on the content of the data rather than the source of the data.
• Signature Identification
  – Firewalls can also stop attacks and problems through a process called signature identification.
  – Viruses that are known will have a signature, which is a particular pattern of data, within them.
[Figures 15.7 to 15.10: Internet Options Security tab; adding a trusted site; custom security settings]
Intrusion-Detection and Intrusion-Prevention Systems
• Firewalls are designed to block nasty traffic from entering your network, but IDS is more of an auditing tool: It keeps track of all activity on your network so you can see if someone has been trespassing.

[Figure: (1) attack underway against the network behind the firewall; (2) IDS analysis looks for misuse or known attack signatures in its attack signature and misuse database; (3) response]
Intrusion-Detection and Intrusion-Prevention Systems
• Network-Based IDS
  – The most common implementation of a detection system is a network-based IDS (NIDS).
  – The IDS system is a separate device attached to the network via a machine like a switch or directly via a tap.

[Figure: Internet, firewall and a hub or tap connection; the IDS is attached at the tap and reached over a secured management channel]
Intrusion-Detection and Intrusion-Prevention Systems
• Changing network configuration
  – An IDS can close the port either temporarily or permanently.
  – If the IDS closes ports, legitimate traffic may not be able to get through either, but it will definitely stop the attack.

[Figure: IDS closing port 80 for 60 seconds. (1) A port 80 attack from the Internet occurs at the firewall; (2) the sensor alerts the IDS, which performs analysis and responses; (3) the IDS issues the command “Close 80, 60 Seconds” and port 80 is closed to the client]
Intrusion-Detection and Intrusion-Prevention Systems
• Deceiving the attacker
  – Trick the attacker into thinking their attack is really working when it’s not.
  – The system logs information, trying to pinpoint who’s behind the attack and which methods they’re using.
  – A honeypot is a device or server to which the hacker is directed; it’s intended to keep their interest long enough to gather enough information to identify them and their attack method.

[Figure: (1) a network attack arrives at the firewall; (2) the IDS detects it and raises an alert, then performs analysis and response; (3) network traffic is rerouted away from the client to the honeypot]
Vulnerability Scanners
• NESSUS
  – Proprietary vulnerability scanning program that requires a license to use commercially, yet is the single most popular scanning program in use
• NMAP
  – Originally intended to simply identify devices on the network for the purpose of creating a network diagram, its functionality has evolved.
VPN Concentrators
• A VPN concentrator is a device that creates remote access for virtual private networks (VPNs), either for users logging in remotely or for a large site-to-site VPN.
• In contrast to standard remote-access connections, remote-access VPNs often allow higher data throughput and provide encryption.
• Cisco produces VPN concentrators that support anywhere from 100 users up to 10,000 simultaneous remote-access connections.
Understanding Problems Affecting Device Security
• Physical Security
  – Physical Barriers
  – Security Zones
Understanding Problems Affecting Device Security
• Logical Security Configurations
  – Ensure your network has an outside barrier and/or a perimeter defense.
  – Have a solid firewall, and it’s best to have an IDS or IPS of some sort as well.

[Figure 15.18: Network perimeter defense. The Internet connects through a router to a firewall with an IDS, which protects the local network.]

[Figure 15.19: Network divided into security zones. The Internet connects through a router to the private network, which is split into Zone 1 (administration network and accounting network), Zone 2 (production network) and Zone 3 (sales network).]
Understanding Problems Affecting Device Security
• Maybe traffic is heavy, and you need to break up physical segments.
• Perhaps different groups are in different buildings or on different floors of a building, and you want to effectively segment them.

[Figure: a border router and firewall connect to Zone 1, Zone 2 and Zone 3, each behind its own router with its own IDS]
Summary
• Summary
• Exam Essentials Section
• Written Labs
• Review Questions