Professional Documents
Culture Documents
MIT 420 Chapter 9 Removed-3
MIT 420 Chapter 9 Removed-3
Security Appliances
& Technologies
Intrusion detection
Deception Network hardware
Firewalls Proxy servers . and prevention
instruments security models
systems
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Firewalls (1
of 6)
Firewall Functions
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
W” © Parental Controk: Profies - X
Firewalls (2
8 Communication or Media
Chat
v Dating and personals
y explicit Instant Messaging
of 6 :
ex educaton Peer-to-peer
troversal
v Criminal activity
v O @ Shopping and Entertanment
v Hate and intolerance v Advertisements and popups
v al drugs v
v legal software v
v Plagarism (school work shopping
& Games
v
v
neidl_rubenking@pamag. com
Shop Support
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Firewalls (3 * Firewall Categories
of 6) * Stateful vs. stateless:
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Help protect your PC with Windows Defender Firewall
Windows Defender Firewall can help prevent hackers or malicious software from gaining access to your PC
through the Intermet or a network.
.
Networks at home or work where you know and trust the people and devices on the network
Firewalls (4 Incoming connections: Block all connections to apps that are not on the list
of allowed apps
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Firewalls (5 | Switch
of 6)
il sssell @
Database Application
server server
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Specialized Firewall Appliances
* Web application firewall
* Network address translation gateway
Firewalls (6 * Network address translation (NAT) is a
of 6) technique that allows private IP addresses to
be used on the public internet
* Next generation firewall
* Unified threat management (UTM)
* UTM is a device that combines several
security functions such as packet filtering,
antispam, antiphishing, antispyware,
encryption, intrusion protection, and web
filtering
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Figure 1. Magic Quadrant for Network Firewalls
= ] L g
F . | |
Palo Ao Networks
fort @
®
Source: https://go.fortinet.com/global-Ip/BSPtarh
Bt RSTR e walls
Activity - Check your Firewall
Security
& Privacy
Check the -
hOSt based flreWa" General FileVault Privacy
on your personal
@ Firewall: On
device and discuss
The firewall is turned on and set up to prevent unauthorized applications, programs, and
your observations services from accepting incoming connections.
Fir
4 @« System
and Securtty » Windows Defendes Firewall v | @ SeachControl Panel »
e It can look for malware by intercepting it before it reaches the internal endpoint
eIt can hide the IP address of endpoints inside the secure network so that only the
proxy server’s IP address is used on the open Internet
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Forward proxy server Reverse proxy
P r‘ OX User makes replaces server routes to
request Source IP with its own IP correct server
Source IP = Source IP = Source IP =
Servers (2
Web
192.146.118.20 192.146.118.254 192.146.118.254 server 1
ot -8
IP =192.146.118.20 Forward proxy
server
e s
Internet Reverse proxy
server 123.org
IP=192.146.118.254 il
.‘71..;51“" sessll
e© server 3
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Dece pt Ion e By directing threat actors away from a valuable asset to
| nStru me ntS something that has little or no value
Honeypots
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
65727 64,025 3281 249 = 152
pt i O n :
D e Ce
Instruments 1]
2 of 3
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
aam Honeypots (continued) ————
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Intrusion
Detection
and
Prevention Inline system is connected directly to the network and
Syste ms ( 1 Of monitors the flow of data as it occurs
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Monitoring Methodologies
Intrusion * Anomaly-based monitoring compares current
Detection detected behavior with baseline
* Signature-based monitoring looks for well-
and _ known attack signature patterns
Prevention * Behavior-based monitoring detects abnormal
Systems (2 of actions by processes or programs
3) » Alerts user who decides whether to allow or
block activity
* Heuristic monitoring uses experience-based
techniques
* Attempts to answer the question “Will this
do something harmful if it is allowed to
execute?”
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Intrusion
Detection
and
Prevention
Systems (3 Of ¢ NIDS sensors installed on firewalls and routers
gather information and report back to central
3) device
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Network
Hardware
Security
I\/I Od u | es For endpoints, an HSM is typically a USB device, an expansion
card, or a device that connects directly to a computer through a
port
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Configuration
Management
Basic configuration management
tools include:
e Secure baseline configurations
e Standard naming conventions
e Defined Internet Protocol schema
e Diagrams
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Security Technologies
There are general security
technologies that can provide a
defense
Access technologies
ty+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
licly accessible website, in whole or in part.
* Access Control List (ACL)
An access control list (ACL) contains rules that
administer the availability of digital assets by granting
Access or denying access to the assets
Technologies Two types of ACLS include:
* Filesystem ACLs filter access to files and directories
(1 of 7) on an endpoint by telling the OS who can access the
device and what privileges they are allowed
* Networking ACLs filter access to a network
. Often found on routers
Router ACLs can be used on external routers to restrict
vulnerable protocols and limit traffic from entering the
network
Internal router ACLs are often configured with explicit
allow and deny statements for specific addresses and
protocol services
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Virtual Private Network (VPN)
* AVPN is a security technology that enables
authorized users to use an unsecured public
Access network (the Internet) as if it were a secure private
Technologies network
(2 Of 7) * Two common types of VPNs:
* A remote access VPN
* Asite-to-site VPN
* A full tunnel sends all traffic to the VPN
concentrator and protects it
* A split tunnel routes only some traffic over the
secure VPN while other traffic directly accesses the
Internet (this helps preserve bandwidth)
* The most common protocols used for VPNs are
IPsec and SSL
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Network Access Control (NAC)
NAC examines the current state of a system or network
device before it can connect to the network
Access Any device that does not meet a specified set of criteria
Technologies can connect only to a “quarantine” network where the
security deficiencies are corrected
(3 of 7) NAC uses software “agents” to gather information and
report back (called host agent health checks)
An agent may be a permanent NAC agent or a
dissolvable NAC agent that disappears after reporting
information to the NAC
The NAC technology can be embedded within a
Microsoft Windows Active Directory (AD) domain
controller
* NAC uses AD to scan the device (called agentless
NAC)
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Quarantine network
5. If no Health
Certificate, client
A C C e S S sent to quarantine 2. Statement of Health sent
to Health Registration Antivirus server
Technologies assessment
Authority
[cithe
4. Health Certificate presented
3. Health Certificate
issued to client Patch management
server
= el
to network server
f
Figure 9-7 Network access control (NAC) process
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Data Loss Prevention (DLP)
* DLP is considered as rights management, or the
authority of the owner of the data to impose
ACCGSS : restrictions on its use
Tech nO|Og|eS * DLP is a system of security tools that is used to
recognize and identify data that is critical to the
(5 of 7) organization
* Most DLP systems use content inspection which is
defined as a security analysis of the transaction
within its approved context
* An administrator creates DLP rules based on the
data and the policy
* These rules are loaded into a DLP server
* When a policy violation is detected by the DLP
agent it is reported back to the DLP server
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Data Loss Prevention (continued)
* When a server is notified of a policy violation different
ACCGSS actions can be taken:
. * Block the data
Technol ogles * Redirect it to an individual who can examine the request
(6 Of 7) e Quarantine the data until later
* Alert a supervisor of the request
* A process called tokenization obfuscates sensitive data
elements, such as an account number, into a random string
of characters (token)
* The original sensitive data element and the token are
stored in a database called a token vault so that if the
actual data element is needed, it can be retrieved as
needed
* Tokenization is illustrated in Figure 9-8 on the following
slide
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
User Data with tokenization
Alessia Oplontis Alessia Oplontis
SSN: 293-56-5094 SSN: 678-12-0508
Account: 9847230982 Account: 0283761435
Access
Technologies Plain text value | Token value
293-56-5094 678-12-0508
Hiieseell @
(7 of 7) 9847230982 0283761435
Token vault
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Switch A
Segment 3
Segment 1
Technologies
fO r . Segment 2 .
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Switch TAP Router
Technologies
for
Monitoring B
: Out-of-band monitoring
and Managing desi]
(4 of 6)
Figure 9-10 Port TAP
Switch RoiiteF
Technologies
for
Monitoring | .
and Managing Out-of-ba?gorlnonltorlng
(5 of 6)
Figure 9-11 Port mirroring
Technologies
for ¢ File integrity monitors examine files to see if they have
changed
Monitoring e File integrity monitors are used for detecting malware as
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Network Segmentation
De5|gn * Examples of network segmentation include virtual
TeChnOlogies LANs and a demilitarized zone
» Zero trust is a strategic initiative about networks
(1 Of 7) that is designed to prevent successful attacks
* It attempts to eliminate the concept of trust
from an organization’s network architecture
» Zero trust requires that networks be segmented
* A network can be segmented by separating devices
into logical groups by creating a virtual LAN (VLAN)
* VLANSs can be isolated so that sensitive data is
transported only to members of the VLAN
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Network Segmentation (continued)
* A demilitarized zone (DMZ) is a separate
Design ,
network located outside secure network
. perimeter
Technolog|es * Untrusted outside users can access DMZ but
(2 of 7) cannot enter the secure network
* A common approach to configuring a DMZ is to
use a jump box (sometimes called a jump
server or jump host)
* A jump box is a minimally configured
administrator server that connects two
dissimilar security zones while providing
tightly restricted access between them
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Firewall Firewall
[
Internet Router | |
Switch . Switch .
Design
Technologies DMz
(3 of 7) Wil eseeli ®
{itesesll @
Miiessell @
il esosll @
LM eeseli @
sl @ el
Mileecell ®
eson il @
- IR ee-ei @ !_l. wene) (Tuene
Web Email Database Application
server server server server
& k
oo
[ E X N N ]
Internet Router |
Switch . Switch .
Design V—
Technologies g e o
- :-7” , Jump box A sessll @ o --o_ ne|
(4 of 7) III!I i !| .7
8y, Wil sseell @
e
Database
W
App;lication
i s6¢s ne Al ssoell @
%:&I_Iu- ne iseeell @
Web Email
server server
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
* Load Balancing (continued)
* When multiple load balancers are used together, they
can be placed in different configurations that include:
Design * In an active-passive configuration, the primary load
TeCh no | Ogies balancer distributes the network traffic to the most
suitable server, while the secondary load balancer
(6 Of 7) operates in a “listening mode”
* In an active-active configuration, all load balancers
are always active
* Load balancing can also support session persistence,
which is a process in which a load balancer creates a
link between an endpoint and a specific network server
for the duration of a session
* This can help improve the user experience and
optimize network resource usage
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
_ * Load Balancing (continued)
Design - Security advantages of using a load balancer:
Tech nologies * They can detect and stop attacks directed at
a server or application
(7 of 7) * Can also
PP
detect
and prevent protocol attacks
* Some load balancers can hide HTTP error
pages or remove server identification
headers from HTTP responses, denying
attackers additional information about the
internal network
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Load Balancers
fi Web Server 1
Web Server 3
summary
A computer firewall is designed to limit the spread of malware
Stateless packet filtering on a firewall looks at a packet and
permits or denies it based solely on the firewall rules
Summary (1 * Stateful packet filtering uses both the firewall rules and the
state of the connection
of 2) There are several specialized firewall appliances: a web
application firewall (WAF), a next generation firewall (NGFW),
unified threat management (UTM) device
A forward proxy is a computer or program that intercepts user
requests from the internal network and processes these
requests on behalf of the user
A honeypot is a computer located in an area with limited
security that serves as “bait” to threat actors
An intrusion detection system (IDS) can detect an attack as it
occurs, an intrusion prevention system (IPS) attempts to block
the attack
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
A network hardware security module is a special trusted
network computer that performs cryptographic
operations such as key management, key exchange,
onboard random number generation, key storage facility,
Summa ry (2 and symmetric and asymmetric encryption
f 2 * An access control list (ACL) contains rules that administer
the availability of digital assets by granting or denying
access to the assets
* Network access control (NAC) examines the current state
of an endpoint before it can connect to the network
* Data loss prevention (DLP) is a system of security tools
used to recognize and identify data critical to the
organization and ensure that it is protected
* Broadcast storm prevention can be accomplished by loop
prevention, which uses the IEEE 802.1d standard
spanning-tree protocol (STP)
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Due to nature of the course, various
materials have compiled from different
internet-based resources with some
modification. | sincerely acknowledge their
hard work and contribution.
Any Questions
ddddd ; = nqwa 0n(e
- REIEE: tsabh 8081,=
cnacv
gB
n6omm
filos Mu._ Nmum dank]fl ""“'"
rnatundu
aaaaa
h-:'S —mm manana
it cei
==
.=E“
% mmsmuc chakkeram
=1 M—z%‘fimfiifidhkm“’:fl“ aigaaibhlo maithdakujemagae t -
U == e
flh“fla 0" gzotn,b m,5 3 ok Mot o k2 £ MEPCH
;«zw*wwii
‘“‘ 1}‘] ]L
‘le m
e[ cl