
Network Components

In this sample chapter from CompTIA Security+ SY0-501 Exam Cram, 5th Edition, learn how to support organizational security through the installation and configuration of network components—both hardware and software-based.


Perimeter Security

This section focuses on the network components that are used for perimeter security. Keep in mind that each organization has different needs and might use additional tools for perimeter defense. The objective of this section is to give you some idea of how the purpose of a component determines the placement of the device. Before you can properly secure a network, you must understand the security function, the purpose of network devices, and technologies used to secure the network.

Perimeter security is based on access control. Access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required. Access control on perimeter devices is often done through an access control list (ACL). ACLs can apply to firewalls, routers, and other devices.

Firewalls

A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can consist of hardware, software, or a combination of both. A firewall is the first line of defense for the network. The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving a network. How firewalls are configured is important, especially for large companies. A compromised firewall might spell disaster in the form of bad publicity or a lawsuit—not only for the company, but also for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies do not have a full-time technology staff and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. Figure 7.1 shows the firewall placement in a small network.


FIGURE 7.1 A Small Network Firewall Placement

Generally, a firewall can be described as being either stateful or stateless. Stateless firewalls tend to work as a basic access control list (ACL) filter. This type of firewall does not inspect traffic. It merely observes the traffic coming in and out of the network and then allows or denies packets based on the information in the ACL. Because this type of firewall does minimal filtering, it tends to be faster than a stateful firewall and is best for heavy traffic loads.

Stateful firewalls are a deeper inspection firewall type that analyzes traffic patterns and data flows. This allows a more dynamic access control decision because the network state is not static. Stateful firewalls are better when it comes to identifying unauthorized communication attempts because they watch the state of the connection from beginning to end, including security functions such as tunnels and encryption.

Rules can be created for either inbound traffic or outbound traffic. Inbound rules explicitly allow or explicitly block inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or explicitly block network traffic originating from the computer that matches the criteria in the rule.

In many firewalls, the rules can be made granular and configured to specify the computers or users, program, service, or port and protocol. Rules can also be configured so that they are applied only when particular profiles are in use. As soon as a network packet matches a rule, that rule is applied and processing stops. The more restrictive rules should be listed first and the least restrictive rules should follow; if a less restrictive rule is placed before a more restrictive one, checking stops at the less restrictive rule and the more restrictive rule is never evaluated.

Implicit deny is an access control practice in which resource availability is restricted to only logins that are explicitly granted access. The resources remain unavailable even when logins are not explicitly denied access. This practice is commonly used in Cisco networks, where most ACLs have a default setting of implicit deny. By default, an implicit deny all clause appears at the end of every ACL. Anything that is not explicitly permitted is denied. Essentially, an implicit deny works the same as finishing the ACL with deny ip any any. This ensures that when access is not explicitly granted, it is automatically denied by default.
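The following is an added example, not code from the book: a small Python model of first-match ACL evaluation with an implicit deny at the end. The rules, packets and addresses are constructed for illustration; it shows that a less restrictive rule placed ahead of a more restrictive one shadows it, and that anything no rule permits falls through to the implicit deny.

```python
"""First-match ACL evaluation with an implicit 'deny ip any any' at the end."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IP protocol numbers; "ip" means any protocol. ESP is 50 and AH is 51.
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # key of PROTO_NUMBERS
    src: str                        # CIDR, single host, or "any"
    dst: str                        # CIDR, single host, or "any"
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    dst: str
    dst_port: Optional[int] = None


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    want = PROTO_NUMBERS[rule.protocol]
    if want is not None and pkt.protocol != want:
        return False
    if ip_address(pkt.src) not in _net(rule.src):
        return False
    if ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule index) of the first match; index -1 is the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i          # processing stops at the first match
    return "deny", -1                      # implicit 'deny ip any any'


def _covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` would already match `wide`."""
    proto_ok = wide.protocol == "ip" or wide.protocol == narrow.protocol
    src_ok = _net(narrow.src).subnet_of(_net(wide.src))
    dst_ok = _net(narrow.dst).subnet_of(_net(wide.dst))
    port_ok = wide.dst_port is None or wide.dst_port == narrow.dst_port
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(acl))
            if any(_covers(acl[i], acl[j]) for i in range(j))]


# Constructed policy: block SSH from one untrusted range, allow SSH from elsewhere,
# and let AH (protocol 51) reach the gateway at 10.0.0.1.
SPECIFIC_DENY = Rule("deny", "tcp", "192.0.2.0/24", "10.0.0.0/24", 22)
GENERAL_PERMIT = Rule("permit", "tcp", "any", "10.0.0.0/24", 22)
PERMIT_AH = Rule("permit", "ah", "any", "10.0.0.1")

GOOD_ACL = [SPECIFIC_DENY, GENERAL_PERMIT, PERMIT_AH]  # most restrictive first
BAD_ACL = [GENERAL_PERMIT, SPECIFIC_DENY, PERMIT_AH]   # the deny is now unreachable

SSH_FROM_UNTRUSTED = Packet(6, "192.0.2.25", "10.0.0.5", 22)
AH_TO_GATEWAY = Packet(51, "203.0.113.9", "10.0.0.1")
ESP_TO_GATEWAY = Packet(50, "203.0.113.9", "10.0.0.1")   # no rule: implicit deny

if __name__ == "__main__":
    print(evaluate(GOOD_ACL, SSH_FROM_UNTRUSTED))  # ('deny', 0)
    print(evaluate(BAD_ACL, SSH_FROM_UNTRUSTED))   # ('permit', 0): shadowed deny
    print(shadowed_rules(BAD_ACL))                 # [1]
    print(evaluate(GOOD_ACL, ESP_TO_GATEWAY))      # ('deny', -1)
```

Running `shadowed_rules` over a candidate ACL before deploying it is a cheap way to catch the ordering mistake the text describes.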

Application layer firewalls can examine application traffic and identify threats through deep packet inspection techniques. Often we do not think in terms of application-level security when discussing devices such as firewalls, IPS, IDS, and proxies. Yet most next-generation devices are capable of being application aware. To meet the changing ways organizations do business, next-generation firewalls (NGFWs) have been developed. NGFWs are considered application-aware. This means that they go beyond the traditional port and IP address examination of stateless firewalls to inspect traffic at a deeper level. Application layer firewalls integrate the functions of other network devices such as a proxy, IDS, and IPS. Many application layer firewalls use an IPS engine to provide application support. As a result, various blended techniques are used to identify applications and formulate policies based on business rules.

Application layer firewalls are preferred to network layer firewalls because they have the capability to do deep packet inspection and function at Layer 7 of the OSI model. Network layer firewalls mainly function at Layer 3 of the OSI model and, as such, are limited to basically packet forwarding.

VPN Concentrators

In the world of a mobile workforce, employers require a secure method for employees to access corporate resources while on the road or working from home. One of the most common methods implemented for this type of access is a virtual private network (VPN). A VPN concentrator is used to allow multiple external users to access internal network resources using secure features that are built into the device. A VPN concentrator is deployed where a single device must handle a very large number of VPN tunnels. Remote-access VPN connectivity is provided using either Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) for the VPN. User authentication can be via RADIUS, Kerberos, Microsoft Active Directory, RSA SecurID, digital certificates, or the built-in authentication server. Chapter 22, “Identity and Access Management Concepts,” covers the function and purpose of authentication services.

In a typical scenario, the VPN concentrator allows users to utilize an encrypted tunnel to securely access a corporate network or other network via the Internet. Another use is internally, to encrypt WLAN or wired traffic when the security of login and password information is paramount for high-level users and sensitive information. You can implement a VPN concentrator to prevent login and password information from being captured. A VPN concentrator also allows ACLs to be applied to remote user sessions. These scenarios use various technologies that you need to comprehend to properly implement the correct VPN solution.

VPN concentrators come in various models and allow for customized options, such as the numbers of simultaneous users, amount of throughput needed, amount of protection required, and tunnel modes. For example, Cisco VPN concentrators include components that allow for split tunneling, increased capacity, and throughput.

Internet Protocol Security

The Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. IPsec can secure transmissions between critical servers and clients. This helps prevent network-based attacks from taking place. Unlike most security systems that function within the application layer of the OSI model, IPsec functions within the network layer. IPsec provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.

IPsec can be run in either tunnel mode or transport mode. Transport mode is used between endpoints such as a client and a server. It can also be used between a gateway and an endpoint when the gateway is being treated as an endpoint, such as in a Remote Desktop (RDP) or Telnet session.

The default mode of IPsec is tunnel mode. Tunnel mode is most often used between gateways such as a router and a firewall. When tunnel mode is used, the gateway acts as a proxy for the hosts. In tunnel mode, an AH or ESP header is used. The asymmetric key standard defining IPsec provides two primary security services:

  • Authentication Header (AH): AH provides authentication of the data’s sender, along with integrity and nonrepudiation. RFC 2402 states that AH provides authentication for as much of the IP header as possible, as well as for upper-level protocol data. However, some IP header fields might change in transit, and when the packet arrives at the receiver, the value of these fields might not be predictable by the sender. AH cannot protect the values of such fields, so the protection it provides to the IP header is somewhat piecemeal.

  • Encapsulating Security Payload (ESP): ESP supports authentication of the data’s sender and encryption of the data being transferred, along with confidentiality and integrity protection. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an antireplay service (a form of partial sequence integrity), and limited traffic-flow confidentiality. The set of services provided depends on options selected at the time of security association establishment and on the placement of the implementation. Confidentiality can be selected independently of all other services. However, the use of confidentiality without integrity/authentication (either in ESP or separately in AH) might subject traffic to certain forms of active attacks that could undermine the confidentiality service.

Protocols 51 and 50 are the AH and ESP components of the IPsec protocol. IPsec inserts ESP or AH (or both) as protocol headers into an IP datagram that immediately follows an IP header.

The protocol field of the IP header is 50 for ESP or 51 for AH. If IPsec is configured to do authentication instead of encryption, you must configure an IP filter to let protocol 51 traffic pass. If IPsec uses nested AH and ESP, you can configure an IP filter to let only protocol 51 (AH) traffic pass.

IPsec supports the Internet Key Exchange (IKE) protocol, which is a key management standard used to allow separate key protocols to be specified for use during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.

Part 6, “Cryptography and PKI,” focuses on Domain 6 and covers the common key exchange protocols, standard encryption algorithms, and hashing algorithms used in IPsec, such as Rivest-Shamir-Adleman (RSA), International Data Encryption Algorithm (IDEA), Triple DES (3DES), and message digest 5 (MD5).

In addition to IPsec VPNs, technologies such as TLS and its predecessor, SSL, can be used to secure network communications. These VPNs use the SSL and Transport Layer Security (TLS) protocols to provide a secure connection between internal network resources and remote users such as bring your own device (BYOD) users, vendors, and business partners. Because TLS is a point-to-point communication encryption technology, it can be used to secure traffic in a variety of applications, including web- and email-based communications. The main advantage SSL and TLS VPNs have over IPsec VPNs is simple end-user implementation because they function via a browser and an Internet connection.

The workforce has become very mobile, allowing employees to work anytime and anywhere. This shift has caused organizations to replace traditional IPsec VPNs with SSL/TLS VPNs that include an always-on solution.

Instead of depending on the user to establish a VPN connection, the always-on VPN client immediately and automatically establishes a VPN connection when an Internet connection is made. Network authentication occurs through certificates or other enterprise solutions because the connection is transparent to the user. Examples of always-on VPN solutions include Microsoft DirectAccess and Cisco AnyConnect Secure Mobility.

So far, this chapter has mainly discussed the technologies used to secure VPN communications, but other modes and types of VPNs exist as well. When you think of VPNs, you likely relate to remote-access VPNs that connect single hosts to organizational networks.

Site-to-site VPNs are implemented based on IPsec policies assigned to VPN topologies. These VPNs connect entire networks to each other. An example of this type of implementation might be a VPN connecting a bank branch office to the network and the main office. Individual hosts do not need VPN client software. They communicate using normal TCP/IP traffic via a VPN gateway. The VPN gateways are responsible for setting up and breaking down the encapsulation and encryption traffic.

The last item this section discusses is the mode in which the VPN operates. Two modes are available: full tunnel and split tunnel.

In a split tunnel, the traffic is split after the VPN connection is made, according to client configuration settings such as an IP address range or specific protocols.

The choice to use split tunneling is mainly to reserve bandwidth while the users are on the Internet and to reduce the load on the VPN concentrator, especially when the organization has a large remote workforce. Split tunneling can also be useful when employees are treated as contractors on client sites and require access to both employer resources and client resources.

NIDS and NIPS

IDS stands for intrusion detection system. Intrusion detection systems are designed to analyze data, identify attacks, and respond to the intrusion by sending alerts. They differ from firewalls, which control the information that gets into and out of the network; an IDS can also identify unauthorized activity. IDSs are also designed to identify attacks in progress within the network, not just on the boundary between private and public networks. Intrusion detection is managed by two basic methods: knowledge-based and behavior-based detection.

IDSs identify attacks based on rule sets, so most IDSs have a large number of rules. Rule writing is an important and difficult part of network security monitoring. Luckily, security vendors themselves do a lot of the rule writing. For example, Proofpoint currently has more than 37,000 rules, in several popular formats, and also hosts a web page that provides a daily rule set summary. Of course, the rules still might need to be modified to meet the needs of the organization.

The two basic types of IDSs are network-based and host-based. As the names suggest, network-based IDSs (NIDSs) look at the information exchanged between machines. Host-based IDSs (HIDSs) look at information that originates on the individual machines.

Consider some basics:

  • NIDSs monitor the packet flow and try to locate packets that got through the firewall but should not have been allowed to. They are best at detecting DoS attacks and unauthorized user access.

  • HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.

NIDSs and HIDSs should be used together to ensure a truly secure environment. IDSs can be located anywhere on the network. You can place them internally or between firewalls.

As with any network device, the placement of a NIDS determines the effectiveness of the technology. A NIDS can be placed outside the perimeter of the firewall as an early detection system or can be used internally as an added layer of security. Internally placed NIDSs that are near the local network switching nodes and near the access routers at the network boundary have lower false alarm rates because the NIDS doesn’t have to monitor any traffic that the firewall blocks.

Intrusion detection software is reactive or passive. This means that the system detects a potential security breach, logs the information, and signals an alert after the event occurs. By the time an alert has been issued, the attack has usually occurred and has damaged the network or desktop.

This type of device is sometimes referred to as an out-of-band device.

Network intrusion prevention systems (NIPSs) are sometimes considered to be an extension of IDSs. NIPSs can be either hardware- or software-based, as with many other network protection devices. Intrusion prevention differs from intrusion detection because it actually prevents attacks instead of only detecting the occurrence of an attack.

NIPSs proactively protect machines against damage from attacks that signature-based technologies cannot detect because most NIPS solutions can look at application layer protocols such as HTTP, FTP, and SMTP. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly.

This type of device is often referred to as an in-band device. Because the device is analyzing live network traffic, an in-band device acts as the enforcement point and can prevent an attack from reaching its target. In general, in-band systems are deployed at the network perimeter, but they also can be used internally to capture traffic flows at certain network points, such as into the datacenter.

Detection Methods

Behavior-based intrusion detection methods are rooted in the premise that an intrusion can be detected by comparing the normal activity of a network to current activity. Any abnormalities from normal or expected behavior of the network are reported via an alarm. Behavior-based methods can identify attempts to exploit new or undocumented vulnerabilities, can alert to elevation or abuse of privileges, and tend to be independent of operating-system-specific processes. Behavior-based methods consider intrusive any activity that does not match a learned behavior. These methods are associated with a high false alarm rate. If a network is compromised before the learned behavior period, any malicious activity related to the compromise is not reported.

Signature-based detection methods are considered knowledge-based because the underlying mechanism is a database of known vulnerabilities. Signature-based methods monitor a network to find a pattern or signature match. When they find a match, they generate an alert. Vendors provide signature updates, similar to antivirus software updates, but generally signatures can be created anytime a particular behavior needs to be identified. Because pattern matching can be done quickly when the rule set is not extensive, the system or user notices very little intrusiveness or performance reduction.

Signature-based methods provide lower false alarms, compared to behavior-based methods, because all suspicious activity is in a known database. Anomaly-based detection methods are similar to behavior-based intrusion detection methods. Both are based on the concept of using a baseline for network behavior. However, a slight variation exists between the two.

In anomaly-based detection methods, after the application is trained, the established profile is used on real data to detect deviations. Training an application entails inputting and defining data criteria in a database. In a behavior-based intrusion detection method, the established profile is used as a comparison to current activity, monitoring for evidence of a compromise instead of the attack itself.

The rule development process for anomaly-based methods can become complicated because of the differences in vendor protocol implementations.

Heuristic intrusion detection methods are commonly known as anomaly-based methods because heuristic algorithms are used to identify anomalies.

Similar to anomaly-based methods, heuristic-based methods are typically rule-based and look for abnormal behavior. Heuristic rules tend to categorize activity into one of the following types: benign, suspicious, or unknown. As the IDS learns network behavior, the activity category can change. The slight difference between heuristic- and anomaly-based methods is that anomaly-based methods are less specific. Anomaly-based methods target behavior that is out of the ordinary instead of classifying all behavior.

Analytics

False positives occur when a typical or expected behavior is identified as irregular or malicious. False positives generally occur when an IDS detects the presence of a newly installed application and the IDS has not yet been trained for this new behavior. Sometimes anomalous behavior in one area of an organization is acceptable; in other areas, this behavior is suspicious. False positives are one of the largest problems encountered in IDS management because they can easily prevent legitimate IDS alerts from quickly being identified. Rule sets need to be tuned to reduce the number of false positives. A single rule that generates false positives can create thousands of alerts in a short period of time. The alerts for rules that cause repeated false positives are often ignored or disabled. This increases risk to the organization because legitimate attacks might eventually be ignored, increasing the probability that the system will be compromised by the type of attack the disabled or ignored rule was actually looking for.

False negatives occur when an alert that should have been generated did not occur. In other words, an attack takes place but the IDS doesn’t detect it. False negatives most often happen because the IDS is reactive and signature-based systems do not recognize new attacks. Sometimes in a signature-based system, a rule can be written to catch only a subset of an attack vector. Several risks are associated with false negatives. When false negatives occur, missed attacks are not mitigated, giving the organization a false sense of security. Consider one more note about false negatives: In an environment that relies on anomaly detection and in a host-based intrusion detection system (HIDS) that relies on file changes, if a system was compromised at the time of IDS training, false negatives will occur for any already exploited conditions.
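As an added example (not from the book) covering both the Detection Methods and Analytics sections, the following Python runs a signature-based detector and a trained-baseline (behavior/anomaly) detector over constructed log lines. Hosts, process names, addresses and events are all made up; the run shows the baseline flagging a newly installed application (a false positive) and staying silent on a backdoor that was already present during training (a false negative).

```python
"""Signature-based vs. baseline (behavior/anomaly) detection over sample logs."""
import re
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]  # (host, process)

# Constructed training window, format "<host> <process> <event text>".
# The "nc" listener on db1 is a backdoor already running when the baseline is learned.
TRAINING_LOGS = [
    "web1 sshd Accepted publickey for deploy from 10.0.0.40",
    "web1 nginx GET /index.html 200",
    "db1 postgres connection authorized user=app",
    "db1 nc listening on 0.0.0.0:4444",
]

# Constructed live window: a login brute-force burst, a newly installed backup
# agent, and the same backdoor still listening.
LIVE_LOGS = [
    "web1 nginx GET /index.html 200",
    "web1 sshd Failed password for root from 198.51.100.7",
    "web1 sshd Failed password for root from 198.51.100.7",
    "web1 sshd Failed password for root from 198.51.100.7",
    "web1 backup-agent snapshot completed",
    "db1 nc listening on 0.0.0.0:4444",
    "db1 postgres connection authorized user=app",
]

# Ground truth an analyst would assign to the (host, process) pairs in the live window.
TRULY_MALICIOUS: Set[Key] = {("db1", "nc")}

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+)")


def parse(line: str) -> Tuple[str, str, str]:
    host, process, event = line.split(" ", 2)
    return host, process, event


def signature_alerts(lines: List[str], threshold: int = 3) -> List[str]:
    """Knowledge-based: alert when a known pattern (repeated failed logins from
    one source against one host) is seen at least `threshold` times."""
    failures: Dict[Tuple[str, str], int] = {}
    for line in lines:
        host, _, event = parse(line)
        m = FAILED_LOGIN.search(event)
        if m:
            key = (host, m.group(1))
            failures[key] = failures.get(key, 0) + 1
    return [f"ssh-bruteforce {host} {src}"
            for (host, src), n in failures.items() if n >= threshold]


def learn_baseline(lines: List[str]) -> Set[Key]:
    """Training: every (host, process) pair seen is recorded as normal."""
    return {parse(line)[:2] for line in lines}


def anomaly_alerts(lines: List[str], baseline: Set[Key]) -> List[Key]:
    """Behavior/anomaly-based: anything absent from the learned profile is
    reported, each (host, process) once, in order of first appearance."""
    seen: List[Key] = []
    for line in lines:
        key = parse(line)[:2]
        if key not in baseline and key not in seen:
            seen.append(key)
    return seen


def triage(alerts: List[Key], truth: Set[Key]) -> Dict[str, Set[Key]]:
    """False positives: alerts on benign activity. False negatives: malicious
    activity that never produced an alert."""
    alerted = set(alerts)
    return {"false_positives": alerted - truth,
            "false_negatives": truth - alerted}


if __name__ == "__main__":
    print(signature_alerts(LIVE_LOGS))    # ['ssh-bruteforce web1 198.51.100.7']
    baseline = learn_baseline(TRAINING_LOGS)
    anomalies = anomaly_alerts(LIVE_LOGS, baseline)
    print(anomalies)                      # [('web1', 'backup-agent')]
    print(triage(anomalies, TRULY_MALICIOUS))
```

The signature detector catches the brute-force burst because that pattern is in its rule set, while the baseline detector alerts only on the backup agent and never on the backdoor it learned as normal, which is the training-time compromise caveat the text raises.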
