Course Title: CompTIA Security+ (SY0-601)

Lesson 10: Implementing Network Security Appliances
Ivan Jude Busgano, CTT+
CompTIA Certified Professional
Course Instructor
LESSON 10 OBJECTIVES

• Implement firewalls and proxy servers.
• Implement network security monitoring.
• Summarize the use of SIEM.

www.transientx.com
TOPIC 10A - IMPLEMENT FIREWALLS AND PROXY SERVERS

TOPIC 10A OUTLINE

• Firewalls
• Firewall implementations
• Proxies & gateways
• Access Control Lists (ACLs)
• Network address translation (NAT)
• Virtual firewalls
• Open source vs proprietary firewalls

TOPIC 10A KEY LEARNING POINT

• Firewalls
• Firewall implementations
• Proxies & gateways
• Access Control Lists (ACLs)
• Network address translation (NAT)
• Virtual firewalls
• Open source vs proprietary firewalls

FIREWALLS

• one of the longest-serving types of network security control
• uses a group of rules (an access control list) to filter packets
• rules can be based on the following:
- IP address
- protocol type
- ports
• actions can be:
- block
- drop
- log
FIREWALLS - MODES OF OPERATION

• stateless operation is used in basic packet-filtering firewalls
• stateful operation:
- tracks information about a session
- session data is stored in a state table
- occurs at layer 4 and layer 7
- used in most firewalls now

FIREWALLS – TRANSPORT & APPLICATION

• layer 4 firewall (transport):
- examines the 3-way handshake
- deviations can be dropped
• layer 7 firewall (application):
- examines the contents of packets
- checks that the protocol matches the port
- considered to be very powerful
- must be configured with an SSL/TLS inspector
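The two slides above describe stateful operation and the layer 4 check of the three-way handshake. The following example, added for this lesson and not taken from the instructor's material or any firewall product, models that behaviour: a state table keyed on the connection 4-tuple, a bare SYN opening a session, SYN/ACK and ACK advancing it, and anything that does not fit the recorded state (a stray ACK, an unsolicited SYN/ACK) being dropped as a handshake deviation. The packet class, state names and sample packets are constructed for illustration; teardown is simplified to "remove the session on the first FIN or RST".

```python
"""Minimal stateful inspection of the TCP three-way handshake.
Example code added to this lesson (not from any firewall product);
flow keys, state names and the sample packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

# (client ip, client port, server ip, server port) identifies one session
FlowKey = Tuple[str, int, str, int]


@dataclass
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    """Tracks each TCP session in a state table and drops handshake deviations."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}   # the state table from the slide

    @staticmethod
    def _keys(pkt: TcpPacket) -> Tuple[FlowKey, FlowKey]:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward, reverse

    def inspect(self, pkt: TcpPacket) -> str:
        forward, reverse = self._keys(pkt)
        f = pkt.flags
        if forward not in self.table and reverse not in self.table:
            # No session yet: only a bare SYN may open one. A SYN/ACK or ACK
            # with no recorded SYN is a handshake deviation and is dropped.
            if f == {"SYN"}:
                self.table[forward] = "SYN_SENT"
                return "accept"
            return "drop"
        if reverse in self.table:
            # Packet from the server side of a known session.
            state = self.table[reverse]
            if state == "SYN_SENT" and f == {"SYN", "ACK"}:
                self.table[reverse] = "SYN_RECEIVED"
                return "accept"
            if state == "ESTABLISHED":
                if "RST" in f or "FIN" in f:     # simplified teardown
                    del self.table[reverse]
                return "accept"
            return "drop"
        # Packet from the client side of a known session.
        state = self.table[forward]
        if state == "SYN_RECEIVED" and f == {"ACK"}:
            self.table[forward] = "ESTABLISHED"
            return "accept"
        if state == "ESTABLISHED":
            if "RST" in f or "FIN" in f:         # simplified teardown
                del self.table[forward]
            return "accept"
        return "drop"
```

A stateless filter that allows "tcp to port 443" would have passed the stray ACK and the unsolicited SYN/ACK; the state table is what lets the firewall reject them.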

FIREWALLS – IPTABLES

• command-line utility provided by Linux
• allows the admin to edit the rules enforced by the Linux kernel firewall
• works with chains (INPUT & OUTPUT)
• these chains are applied to different types of traffic
• each chain has a default policy set to DROP or ALLOW traffic

FIREWALL IMPLEMENTATIONS

• hardware-based; deployment modes:
- router mode (layer 3)
- bridged mode (layer 2)
• software-based:
- host firewall (personal)
- application firewall
- server firewall

PROXIES & GATEWAYS

• a proxy is a firewall that performs application-layer filtering (store-and-forward model)
• forward proxy (outbound traffic)
- benefits: traffic management, security, caching engines
- classes: transparent, non-transparent
• reverse proxy (inbound traffic)


ACCESS CONTROL LISTS (ACLS)

• configured on the principle of least access
• processed from top to bottom
• the last rule is "implicit deny"
• must be aligned to written policy
• some basic principles must be followed
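The Firewalls, iptables and ACL slides all describe the same mechanism: an ordered list of rules matching on address, protocol and port, processed top to bottom, with a chain-level default policy acting as the implicit deny. The example below is added for this lesson (it is not the instructor's code and not iptables itself) and implements that evaluation in plain Python. The rule fields, the "allow/drop/log" actions and the DMZ rule set are constructed; as in the real iptables LOG target, "log" records the packet and continues to the next rule, while the first "allow" or "drop" match is final. Note that the built-in iptables policy for letting traffic through is spelled ACCEPT rather than ALLOW.

```python
"""Stateless packet-filter ACL evaluator with a default (implicit deny) policy.
Example code added to this lesson, not part of any firewall product;
rule fields, actions and the sample packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # None for ICMP


@dataclass
class Rule:
    action: str                          # "allow", "drop" or "log"
    src: str = "0.0.0.0/0"               # CIDR; 0.0.0.0/0 matches any IPv4 source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: Tuple[int, ...] = ()         # empty tuple = any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


@dataclass
class Chain:
    """An ordered rule list with a default policy, like an iptables chain."""
    rules: List[Rule]
    policy: str = "drop"                 # implicit deny when nothing matches
    log: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        # Rules are processed top to bottom; the first terminating match wins.
        # "log" records the packet and keeps going, as the iptables LOG target does.
        for idx, rule in enumerate(self.rules):
            if not rule.matches(pkt):
                continue
            if rule.action == "log":
                self.log.append(f"rule {idx}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                continue
            return rule.action
        return self.policy


def build_dmz_chain() -> Chain:
    """Constructed rule set for a web server at 192.0.2.10: an explicit deny for a
    known-bad range first, logging of all SSH attempts, least-access allows, and the
    chain policy as the implicit deny at the bottom."""
    return Chain(rules=[
        Rule("drop", src="203.0.113.0/24"),
        Rule("log", proto="tcp", dports=(22,)),
        Rule("allow", proto="tcp", dst="192.0.2.10/32", dports=(80, 443)),
        Rule("allow", proto="tcp", src="10.0.0.0/8", dst="192.0.2.10/32", dports=(22,)),
    ])
```

Because order matters, moving the explicit deny below the HTTPS allow would let the blocked range reach port 443; the test-style checks below the block are the kind of assertions worth keeping next to a documented ACL.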

NETWORK ADDRESS TRANSLATION (NAT)

• a NAT gateway is a service that translates between public & private addressing schemes
• several types of NAT:
- static NAT (1:1 mapping)
- overloaded NAT:
  - multiple private IP addresses
  - only one public IP address
  - uses port mappings
- destination NAT:
  - also called port forwarding
  - forwards to another internal IP
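The three NAT types above are easiest to see as three translation tables. The example below is added for this lesson (not the instructor's code, not any router's firmware) and models a gateway with one public address: a static 1:1 map, an overloaded (PAT) table that hands each outbound private flow its own public port, and a destination-NAT table for port forwarding. Inbound packets that match neither existing state nor a forwarding rule are returned as None, which is the gateway dropping them. All addresses, ports and forwarding entries are constructed.

```python
"""Static, overloaded (PAT) and destination NAT modelled as translation tables.
Example code added to this lesson, not from any router; addresses are constructed."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]     # (ip, port)


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class NatGateway:
    """Holds the NAT tables described in the slide and rewrites flows through them."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)                         # next candidate public port
        self.static: Dict[str, str] = {}                        # static NAT: private ip -> public ip
        self.outbound: Dict[Flow, int] = {}                     # overloaded NAT: private flow -> public port
        self.inbound: Dict[int, Endpoint] = {}                  # public port -> private endpoint
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}     # destination NAT: (proto, port) -> inside host

    def add_static(self, private_ip: str, public_ip: str) -> None:
        self.static[private_ip] = public_ip

    def add_port_forward(self, proto: str, public_port: int, internal: Endpoint) -> None:
        self.forwards[(proto, public_port)] = internal

    def translate_outbound(self, flow: Flow) -> Flow:
        private_ip, private_port = flow.src
        if private_ip in self.static:
            # 1:1 mapping: only the address changes, the source port is preserved.
            return Flow((self.static[private_ip], private_port), flow.dst, flow.proto)
        if flow not in self.outbound:
            # Overloading: many inside hosts share one public IP and are told
            # apart by the public port allocated to each flow. Ports reserved by
            # forwarding rules are skipped so return traffic cannot be confused.
            port = next(self._ports)
            while (flow.proto, port) in self.forwards:
                port = next(self._ports)
            self.outbound[flow] = port
            self.inbound[port] = flow.src
        return Flow((self.public_ip, self.outbound[flow]), flow.dst, flow.proto)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Map a packet arriving from outside back to an inside host, or None to drop it."""
        dst_ip, dst_port = flow.dst
        for private_ip, public_ip in self.static.items():
            if public_ip == dst_ip:
                return Flow(flow.src, (private_ip, dst_port), flow.proto)
        if dst_ip != self.public_ip:
            return None
        if dst_port in self.inbound:                           # return traffic for an outbound flow
            return Flow(flow.src, self.inbound[dst_port], flow.proto)
        internal = self.forwards.get((flow.proto, dst_port))   # destination NAT / port forwarding
        if internal is not None:
            return Flow(flow.src, internal, flow.proto)
        return None
```

The overloaded table is why an unsolicited inbound connection to a PAT gateway goes nowhere: without a prior outbound flow or an explicit forward there is no row to translate it with.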

VIRTUAL FIREWALLS

• usually used in data centers & cloud services
• common implementations:
- hypervisor-based
- virtual appliance
- multiple context
• virtual firewalls support east-west security & microsegmentation

OPEN SOURCE VS PROPRIETARY FIREWALLS

• wholly proprietary (Cisco, Juniper, Palo Alto)
• mostly proprietary:
- developed from the Linux kernel
- Check Point, FortiGate, SonicWall
• open source:
- pfSense
- Smoothwall
• most important considerations:
- technical support
- timely updates
- threat feeds
TOPIC 10A ACTIVITY

• Play video 1
• Play video 2
• Topic Quiz

TOPIC 10B - IMPLEMENT NETWORK SECURITY MONITORING

TOPIC 10B OUTLINE

• Network-based intrusion detection systems (NIDS)
• Network-based intrusion prevention systems (NIPS)
• Detection mechanisms
• Next Gen Firewall (NGFW)
• Unified Threat Management (UTM)
• Content/URL filter
• Host-based intrusion detection systems
• Web application firewalls (WAF)

TOPIC 10B KEY LEARNING POINT

• Network-based intrusion detection systems (NIDS)
• Network-based intrusion prevention systems (NIPS)
• Detection mechanisms
• Next Gen Firewall (NGFW)
• Unified Threat Management (UTM)
• Content/URL filter
• Host-based intrusion detection systems
• Web application firewalls (WAF)

NETWORK-BASED INTRUSION DETECTION SYSTEM (IDS)

• tools that provide real-time analysis of network traffic, system, or application logs
• a NIDS captures traffic using a packet sniffer
• only used to "passively" detect attack symptoms
• three options for positioning sensors:
- mirror port or switched port analyzer (SPAN)
- passive test access point (TAP)
- active/inline TAP

NETWORK-BASED INTRUSION PREVENTION SYSTEMS (NIPS)

• compared to the passive function of a NIDS, a NIPS provides an active response:
- end session
- temporarily block
- throttle bandwidth
• provides inline anti-virus scanning
• positioned like firewalls at the border (usually after the firewall)
• "inline" means that all traffic passes through it

DETECTION MECHANISMS

• signature-based detection uses pattern matching
• heuristic or behavior-based detection identifies deviation from the normal baseline
• heuristics means to learn from experience:
- user & entity behavior analytics (UEBA)
- network traffic analysis (NTA)
• anomaly-based detection looks for irregularities in the use of a protocol
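To make the contrast above concrete, the example below (added for this lesson; it is not the instructor's code and not any IDS engine) runs two detectors over the same constructed capture. The signature detector is pure pattern matching and fires only on traffic that resembles something an analyst has already written a rule for; the behaviour-based detector first learns a per-source request-rate baseline from a period assumed to be normal and then flags any source whose rate deviates from it. The signatures, the "known tool" they describe and the sample records are all constructed, and each detector catches something the other misses, which is why the slides present them as complementary.

```python
"""Signature-based versus baseline/anomaly detection over constructed traffic.
Example code added to this lesson, not an IDS product's engine; the signatures,
baseline window and sample records are constructed."""
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    minute: int      # minute offset since capture start
    src: str
    request: str     # request line plus user agent, as a sensor would see it


# Constructed signatures: patterns an analyst wrote after seeing a known tool.
SIGNATURES: Dict[str, "re.Pattern"] = {
    "CONSTRUCTED-beacon-path": re.compile(r"^GET /c2/beacon\b"),
    "CONSTRUCTED-scanner-agent": re.compile(r"User-Agent: ExampleScanner/"),
}


def signature_detect(records: List[Record]) -> List[str]:
    """Pattern matching: fires only on traffic that matches a known signature."""
    alerts = []
    for rec in records:
        for name, pat in SIGNATURES.items():
            if pat.search(rec.request):
                alerts.append(f"{name} from {rec.src} at t+{rec.minute}m")
    return alerts


def learn_baseline(records: List[Record]) -> Dict[str, float]:
    """Requests per (source, minute) during a period assumed to be normal."""
    per_min = Counter((r.src, r.minute) for r in records)
    rates = list(per_min.values())
    return {"mean": mean(rates), "stdev": pstdev(rates)}


def anomaly_detect(records: List[Record], baseline: Dict[str, float],
                   k: float = 3.0) -> List[str]:
    """Behaviour-based: flag any source whose per-minute rate deviates from the baseline."""
    threshold = baseline["mean"] + k * baseline["stdev"]
    per_min = Counter((r.src, r.minute) for r in records)
    return [f"{src} sent {n} req/min at t+{m}m (threshold {threshold:.1f})"
            for (src, m), n in sorted(per_min.items()) if n > threshold]


def constructed_capture():
    """Normal browsing from three hosts at 1-3 requests per minute, one host that
    beacons to the constructed signature path at an ordinary rate, and one host
    that sends an unremarkable request 40 times in a single minute."""
    normal = [Record(m, f"10.0.0.{h}", "GET /index.html HTTP/1.1 User-Agent: Browser/1.0")
              for m in range(10) for h in (1, 2, 3) for _ in range(h)]
    beacon = [Record(m, "10.0.0.9", "GET /c2/beacon HTTP/1.1 User-Agent: Browser/1.0")
              for m in range(0, 10, 5)]
    burst = [Record(7, "10.0.0.7", "GET /index.html HTTP/1.1 User-Agent: Browser/1.0")
             for _ in range(40)]
    return normal, beacon, burst
```

The beaconing host never exceeds the rate threshold, so only the signature catches it; the bursting host matches no signature, so only the baseline comparison catches it. A NIDS on a SPAN port would only report these; a NIPS inline could act on them.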

NEXT GEN FIREWALL (NGFW)

• combines the following functionalities:
- application-aware filtering
- account-based filtering
- intrusion prevention system
- cloud inspection

UNIFIED THREAT MANAGEMENT (UTM)

• all-in-one appliance
• centralizes many types of security controls
• the drawback is that it can be a single point of failure (SPOF)
• UTM & NGFW are just marketing terms

CONTENT/URL FILTER

• focused on filtering rules
• blocks URLs that appear on a blacklist
• applies time-based restrictions to browsing
• often called a secure web gateway (SWG)
• can perform data loss prevention (DLP)
• can also be a cloud access security broker (CASB)
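The forward-proxy slide in Topic 10A (store-and-forward, caching, security) and the content/URL filter slide above describe the same device seen from two angles. The example below is added for this lesson (not the instructor's code and not a real proxy such as Squid) and combines them: a forward proxy that checks each request's host against a blocklist, enforces an allowed browsing window, serves repeat requests from its cache, and only otherwise fetches the full response from the origin before relaying it. The origin fetcher, blocklist, allowed hours, client addresses and URLs are constructed so the code runs offline.

```python
"""Caching forward proxy with URL blocklist and time-based browsing restrictions.
Example code added to this lesson, not a real proxy product; the origin
fetcher, blocklist, allowed hours and sample requests are constructed."""
from datetime import datetime
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, str]               # (status, body)
Fetcher = Callable[[str], Response]      # fetches from the origin on the client's behalf


class FilteringProxy:
    def __init__(self, origin: Fetcher, blocked_domains: Iterable[str],
                 allowed_hours: Optional[Tuple[int, int]] = None) -> None:
        self.origin = origin
        self.blocked = {d.lower() for d in blocked_domains}
        self.allowed_hours = allowed_hours   # (start, end) as 24h local hours, or None
        self.cache: Dict[str, Response] = {}
        self.audit: List[Tuple[str, str, str]] = []   # (client, url, outcome)

    def _is_blocked(self, host: str) -> bool:
        # Match the host and every parent domain, so a blocklist entry of
        # "badsite.example" also covers "www.badsite.example".
        labels = host.lower().split(".")
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))

    def _in_window(self, when: datetime) -> bool:
        if self.allowed_hours is None:
            return True
        start, end = self.allowed_hours
        return start <= when.hour < end

    def handle(self, client: str, url: str, when: datetime) -> Tuple[int, str, str]:
        """Return (status, body, source) where source is blocked, cache or origin."""
        host = urlsplit(url).hostname or ""
        if self._is_blocked(host):
            self.audit.append((client, url, "blocked:blocklist"))
            return 403, "blocked by policy", "blocked"
        if not self._in_window(when):
            self.audit.append((client, url, "blocked:time"))
            return 403, "browsing not permitted at this time", "blocked"
        if url in self.cache:
            status, body = self.cache[url]
            self.audit.append((client, url, "cache"))
            return status, body, "cache"
        # Store-and-forward: the proxy fetches the whole response, then relays it.
        status, body = self.origin(url)
        if status == 200:
            self.cache[url] = (status, body)
        self.audit.append((client, url, f"origin:{status}"))
        return status, body, "origin"


def make_constructed_origin():
    """Stand-in for the internet that counts fetches so caching is observable."""
    calls = {"n": 0}

    def fetch(url: str) -> Response:
        calls["n"] += 1
        return (404, "not found") if "missing" in url else (200, f"content of {url}")

    return fetch, calls


def sample_time(hour: int) -> datetime:
    """Constructed clock value on a fixed date, for exercising the time window."""
    return datetime(2024, 1, 10, hour, 0)
```

Because every client's request passes through handle(), the audit list is also where a secure web gateway's reporting and DLP hooks would sit.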
HOST-BASED INTRUSION DETECTION SYSTEMS

• installed on each client workstation
• core feature is file integrity monitoring (FIM)
• FIM audits key system files for integrity
• in Windows, System File Checker (SFC) can be used
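File integrity monitoring comes down to hashing a known-good set of files and comparing later. The example below is added for this lesson (not the instructor's code and not the implementation of any HIDS or of SFC) and shows the whole cycle: a SHA-256 baseline of every file under a root, then a check that reports files modified, added or removed since. The demo() function builds a small constructed tree in a temporary directory, tampers with it, and returns the report; the file names only imitate system files.

```python
"""File integrity monitoring (FIM): hashed baseline, then detect changes.
Example code added to this lesson, not any HIDS product's implementation;
the monitored files are constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple


class FimReport(NamedTuple):
    modified: List[str]
    added: List[str]
    removed: List[str]

    def clean(self) -> bool:
        return not (self.modified or self.added or self.removed)


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: Dict[str, str]) -> FimReport:
    """Compare the current tree against a stored baseline."""
    current = take_baseline(root)
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return FimReport(modified, added, removed)


def demo() -> FimReport:
    """Constructed scenario: baseline three 'system' files, then edit one,
    drop a new file in, and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder")
        baseline = take_baseline(root)
        assert check_integrity(root, baseline).clean()   # nothing changed yet
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nadded:x:1001:1001::/home/added:/bin/sh\n")
        (root / "bin" / "newtool").write_bytes(b"\x7fELF constructed placeholder 2")
        (root / "etc" / "hosts").unlink()
        return check_integrity(root, baseline)
```

In a real deployment the baseline must be stored where the monitored host cannot rewrite it (a signed file or a remote store), otherwise tampering with the files and the baseline together goes unnoticed.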

WEB-APPLICATION FIREWALLS (WAF)

• specifically designed to protect web servers & backend databases
• provides protection from code injection & DoS
• uses application-aware processing rules
• some examples:
- ModSecurity (open source)
- NAXSI (open source)
- Imperva (commercial)
TOPIC 10B ACTIVITY

• Play video
• Topic Quiz

TOPIC 10C - SUMMARIZE THE USE OF SIEM

TOPIC 10C OUTLINE

• Monitoring services
• Security Information & Event Management (SIEM)
• Report review
• File manipulation

TOPIC 10C KEY LEARNING POINT

• Monitoring services
• Security Information & Event Management (SIEM)
• Report review
• File manipulation

MONITORING SERVICES

• both security assessments and incident response need real-time monitoring of host and network status
• types of monitoring services:
- packet capture
- network monitor
- logs
• logs are one of the most valuable sources of security information:
- system log
- security log
SECURITY INFORMATION & EVENT MANAGEMENT

• software designed to assist with managing security data inputs
• its core function is to aggregate traffic data & logs
• SIEM tasks:
- log collection
- log aggregation
- log correlation
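The three SIEM tasks above, and the point on the monitoring slide that logs are the most valuable source, are shown end to end in the example below, which is added for this lesson and is not the instructor's code or any SIEM vendor's engine. Collection parses two differently formatted sources into one event schema, aggregation merges them into a single time-ordered stream, and correlation applies a rule that neither source could evaluate alone: several failed logins from one address within a short window followed by a success from the same address. The log formats and lines are constructed to resemble SSH authentication and firewall logs; they are not real sshd output.

```python
"""Toy SIEM pipeline: collect two log formats, normalise, then correlate.
Example code added to this lesson, not a SIEM vendor's engine; the log
formats and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    source: str      # which log produced it
    kind: str        # normalised event type
    src_ip: str
    user: str


# Constructed formats (they only resemble sshd and firewall output):
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw: action=(?P<action>\w+) src=(?P<ip>\S+) dport=(?P<port>\d+)$")


def collect(auth_lines: Iterable[str], fw_lines: Iterable[str]) -> List[Event]:
    """Collection + aggregation: parse each source's native format into the
    common Event schema and merge into one time-ordered stream."""
    events: List[Event] = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            kind = "login_failure" if m["result"] == "Failed" else "login_success"
            events.append(Event(datetime.fromisoformat(m["ts"]), "auth", kind, m["ip"], m["user"]))
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), "firewall",
                                f"fw_{m['action']}", m["ip"], "-"))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], failures: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Correlation rule: N or more login failures from one IP inside the window,
    followed by a success from the same IP, raises one alert."""
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[str] = []
    for ev in events:
        if ev.kind == "login_failure":
            recent_failures[ev.src_ip].append(ev.ts)
        elif ev.kind == "login_success":
            fails = [t for t in recent_failures[ev.src_ip] if ev.ts - t <= window]
            if len(fails) >= failures:
                alerts.append(f"{ev.src_ip}: {len(fails)} failures then success "
                              f"as {ev.user} at {ev.ts.time()}")
            recent_failures[ev.src_ip].clear()
    return alerts


def constructed_logs():
    """Sample lines: one address fails three times and then succeeds within a
    minute; one user mistypes once; one address fails three times but succeeds
    only 18 minutes later, outside the window."""
    auth = [
        "2024-05-01T10:00:05 sshd: Failed password for admin from 198.51.100.7",
        "2024-05-01T10:00:09 sshd: Failed password for admin from 198.51.100.7",
        "2024-05-01T10:00:14 sshd: Failed password for root from 198.51.100.7",
        "2024-05-01T10:01:02 sshd: Accepted password for admin from 198.51.100.7",
        "2024-05-01T10:03:00 sshd: Failed password for alice from 10.0.0.5",
        "2024-05-01T10:03:20 sshd: Accepted password for alice from 10.0.0.5",
        "2024-05-01T09:30:00 sshd: Failed password for bob from 203.0.113.4",
        "2024-05-01T09:31:00 sshd: Failed password for bob from 203.0.113.4",
        "2024-05-01T09:32:00 sshd: Failed password for bob from 203.0.113.4",
        "2024-05-01T09:50:00 sshd: Accepted password for bob from 203.0.113.4",
    ]
    fw = [
        "2024-05-01T10:00:01 fw: action=allow src=198.51.100.7 dport=22",
        "2024-05-01T10:02:30 fw: action=drop src=198.51.100.7 dport=3389",
    ]
    return auth, fw
```

The firewall events ride along in the same stream, so an analyst reviewing the alert can see the allow that preceded it and the later drop on another port without opening a second tool; the window and failure count are the knobs that trade false positives for missed detections.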

REPORT REVIEW

• many solutions use AI & ML as the basis for automated analysis
• user and entity behavior analytics (UEBA) compares traffic to the baseline
• sentiment analysis monitors social media for brand incidents
• security orchestration, automation, & response (SOAR) uses the data to automate workflows & drive incident response/threat hunting

FILE MANIPULATION

• if you don't have a SIEM, sometimes you need to work with log files manually
• some tools to use in Linux:
- the "cat" command (view the contents)
- "head" & "tail" (first & last 10 lines)
- the "logger" command (writes to the local system log)
- the "grep" command (invokes simple string matching)

TOPIC 10C ACTIVITY

• Play video
• Topic Quiz

LESSON 10 GUIDELINES (KEY TAKEAWAYS)

• Identify security requirements for a network zone.
• Determine the appropriate security technology to use:
- network firewall for filtering inbound & outbound traffic
- IDS, IPS, NGFW to implement signature- or behavior-based detection
- content filter to control outbound user access
- UTM to implement multiple controls within a single appliance
• Assess whether hosts need additional security (host-based FW, WAF, FIM).
• Evaluate if a commercial or open-source model best fits your requirements.
• Document & test ACLs & other security configurations.
• Implement an appropriate method of log & network data collection:
- manually
- SIEM
- SOAR
Course Title: CompTIA Security+ (SY0-601)

End of Lesson 10: Implementing Network Security Appliances
Ivan Jude Busgano, CTT+
CompTIA Certified Professional
Course Instructor
