In this sample chapter from CompTIA Security+ SY0-501 Exam Cram, 5th Edition, learn how to support organizational security through the installation and configuration of network components—both hardware and software-based.
This section focuses on the network components that are used for perimeter security. Keep in mind that each organization has different needs and might use additional tools for perimeter defense. The objective of this section is to give you some idea of how the purpose of a component determines the placement of the device. Before you can properly secure a network, you must understand the security function, the purpose of network devices, and technologies used to secure the network.
Perimeter security is based on access control. Access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required. Access control on perimeter devices is often done through an access control list (ACL). ACLs can apply to firewalls, routers, and other devices.
A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can consist of hardware, software, or a combination of both. A firewall is the first line of defense for the network. The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving a network. How firewalls are configured is important, especially for large companies. A compromised firewall might spell disaster in the form of bad publicity or a lawsuit—not only for the company, but also for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies do not have a full-time technology staff and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. Figure 7.1 shows the firewall placement in a small network.
FIGURE 7.1 A Small Network Firewall Placement
Generally, a firewall can be described as being either stateful or stateless. Stateless firewalls tend to work as a basic access control list (ACL) filter. This type of firewall does not inspect traffic. It merely observes the traffic coming in and out of the network and then allows or denies packets based on the information in the ACL. Because this type of firewall does minimal filtering, it tends to be faster than a stateful firewall and is best for heavy traffic loads.
Stateful firewalls are a deeper inspection firewall type that analyzes traffic patterns and data flows. This allows a more dynamic access control decision because the network state is not static. Stateful firewalls are better when it comes to identifying unauthorized communication attempts because they watch the state of the connection from beginning to end, including security functions such as tunnels and encryption.
Rules can be created for either inbound traffic or outbound traffic. Inbound rules explicitly allow or explicitly block inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or explicitly block network traffic originating from the computer that matches the criteria in the rule.
In many firewalls, the rules can be granualized and configured to specify the computers or users, program, service, or port and protocol. Rules can be configured so that they are applied when profiles are used. As soon as a network packet matches a rule, that rule is applied and processing stops. The more restrictive rules should be listed first and the least restrictive rules should follow; otherwise, if a less restrictive rule is placed before a more restrictive rule, checking stops at the first rule.
Implicit deny is an access control practice in which resource availability is restricted to only logins that are explicitly granted access. The resources remain unavailable even when logins are not explicitly denied access. This practice is commonly used in Cisco networks, where most ACLs have a default setting of implicit deny. By default, an implicit deny all clause appears at the end of every ACL. Anything that is not explicitly permitted is denied. Essentially, an implicit deny works the same as finishing the ACL with deny ip any any. This ensures that when access is not explicitly granted, it is automatically denied by default.
Application layer firewalls can examine application traffic and identify threats through deep packet inspection techniques. Often we do not think in terms of application-level security when discussing devices such as firewalls, IPS, IDS, and proxies. Yet most next-generation devices are capable of being application aware. To meet the changing ways organizations do business, next-generation firewalls (NGFWs) have been developed. NGFWs are considered application-aware. This means that they go beyond the traditional port and IP address examination of stateless firewalls to inspect traffic at a deeper level. Application layer firewalls integrate the functions of other network devices such as a proxy, IDS, and IPS. Many application layer firewalls use an IPS engine to provide application support. As a result, various blended techniques are used to identify applications and formulate policies based on business rules.
Application layer firewalls are preferred to network layer firewalls because they have the capability to do deep packet inspection and function at Layer 7 of the OSI model. Network layer firewalls mainly function at Layer 3 of the OSI model and, as such, are limited to basically packet forwarding.
In the world of a mobile workforce, employers require a secure method for employees to access corporate resources while on the road or working from home. One of the most common methods implemented for this type of access is a virtual private network (VPN). A VPN concentrator is used to allow multiple external users to access internal network resources using secure features that are built into the device. A VPN concentrator is deployed where a single device must handle a very large number of VPN tunnels. Remote-access VPN connectivity is provided using either Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) for the VPN. User authentication can be via RADIUS, Kerberos, Microsoft Active Directory, RSA SecurID, digital certificates, or the built-in authentication server. Chapter 22, “Identity and Access Management Concepts,” covers the function and purpose of authentication services.
In a typical scenario, the VPN concentrator allows users to utilize an encrypted tunnel to securely access a corporate network or other network via the Internet. Another use is internally, to encrypt WLAN or wired traffic when the security of login and password information is paramount for high-level users and sensitive information. You can implement a VPN concentrator to prevent login and password information from being captured. A VPN concentrator also allows ACLs to be applied to remote user sessions. These scenarios use various technologies that you need to comprehend to properly implement the correct VPN solution.
VPN concentrators come in various models and allow for customized options, such as the numbers of simultaneous users, amount of throughput needed, amount of protection required, and tunnel modes. For example, Cisco VPN concentrators include components that allow for split tunneling, increased capacity, and throughput.
Internet Protocol Security
The Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. IPsec can secure transmissions between critical servers and clients. This helps prevent network-based attacks from taking place. Unlike most security systems that function within the application layer of the OSI model, IPsec functions within the network layer. IPsec provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.
IPsec can be run in either tunnel mode or transport mode. Transport mode is used between endpoints such as a client and a server. It can also be used between a gateway and an endpoint when the gateway is being treated as an endpoint, such as in a Remote Desktop (RDP) or Telnet session.
IPsec default mode is tunnel mode. Tunnel mode is most often used between gateways such as a router and a firewall. When tunnel mode is used, the gateway acts as a proxy for the hosts. In tunnel mode, an AH or ESP header is used. The asymmetric key standard defining IPsec provides two primary security services:
Authentication Header (AH): AH provides authentication of the data’s sender, along with integrity and nonrepudiation. RFC 2402 states that AH provides authentication for as much of the IP header as possible, as well as for upper-level protocol data. However, some IP header fields might change in transit, and when the packet arrives at the receiver, the value of these fields might not be predictable by the sender. AH cannot protect the values of such fields, so the protection it provides to the IP header is somewhat piecemeal.
Encapsulating Security Payload (ESP): ESP supports authentication of the data’s sender and encryption of the data being transferred, along with confidentiality and integrity protection. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an antireplay service (a form of partial sequence integrity), and limited traffic-flow confidentiality. The set of services provided depends on options selected at the time of security association establishment and on the placement of the implementation. Confidentiality can be selected independently of all other services. However, the use of confidentiality without integrity/authentication (either in ESP or separately in AH) might subject traffic to certain forms of active attacks that could undermine the confidentiality service.
Protocols 51 and 50 are the AH and ESP components of the IPsec protocol. IPsec inserts ESP or AH (or both) as protocol headers into an IP datagram that immediately follows an IP header.
The protocol field of the IP header is 50 for ESP or 51 for AH. If IPsec is configured to do authentication instead of encryption, you must configure an IP filter to let protocol 51 traffic pass. If IPsec uses nested AH and ESP, you can configure an IP filter to let only protocol 51 (AH) traffic pass.
IPsec supports the Internet Key Exchange (IKE) protocol, which is a key management standard used to allow separate key protocols to be specified for use during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.
Part 6, “Cryptography and PKI,” focuses on Domain 6 and covers the common key exchange protocols, standard encryption algorithms, and hashing algorithms used in IPsec, such as Rivest-Shamir-Adleman (RSA), International Data Encryption Algorithm (IDEA), Triple DES (3DES), and message digest 5 (MD5).
In addition to IPsec VPNs, technologies such as TLS and its predecessor, SSL, can be used to secure network communications. These VPNs use the SSL and Transport Layer Security (TLS) protocols to provide a secure connection between internal network resources and remote users such as bring your own device (BYOD) users, vendors, and business partners. Because TLS is a point-to-point communication encryption technology, it can be used to secure traffic in a variety of applications, including web- and email-based communications. The main advantage SSL and TLS VPNs have over IPsec VPNs is simple end-user implementation because they function via a browser and an Internet connection.
The workforce has become very mobile, allowing employees to work anytime and anywhere. This shift has caused organizations to replace traditional IPsec VPNs with SSL/TLS VPNs that include an always-on solution.
Instead of depending on the user to establish a VPN connection, the always-on VPN client immediately and automatically establishes a VPN connection when an Internet connection is made. Network authentication occurs through certificates or other enterprise solutions because the connection is transparent to the user. Examples of always-on VPN solutions include Microsoft DirectAccess and Cisco AnyConnect Secure Mobility.
So far, this chapter has mainly discussed the technologies used to secure VPN communications, but other modes and types of VPNs exist as well. When you think of VPNs, you likely relate to remote-access VPNs that connect single hosts to organizational networks.
Site-to-site VPNs are implemented based on IPsec policies assigned to VPN topologies. These VPNs connect entire networks to each other. An example of this type of implementation might be a VPN connecting a bank branch office to the network and the main office. Individual hosts do not need VPN client software. They communicate using normal TCP/IP traffic via a VPN gateway. The VPN gateways are responsible for setting up and breaking down the encapsulation and encryption traffic.
The last item this section discusses is the mode in which the VPN operates. Two modes are available: full tunnel and split tunnel.
The traffic is split after the VPN connection is made through the client configuration settings, such as IP address range or specific protocols.
The choice to use split tunneling is mainly to reserve bandwidth while the users are on the Internet and to reduce the load on the VPN concentrator, especially when the organization has a large remote workforce. Split tunneling can also be useful when employees are treated as contractors on client sites and require access to both employer resources and client resources.
NIDS and NIPS
IDS stands for intrusion detection system. Intrusion detection systems are designed to analyze data, identify attacks, and respond to the intrusion by sending alerts. They differ from firewalls, which control the information that gets into and out of the network: an IDS also can identify unauthorized activity. IDSs are also designed to identify attacks in progress within the network, not just on the boundary between private and public networks. Intrusion detection is managed by two basic methods: knowledge-based and behavior-based detection.
IDSs identify attacks based on rule sets, so most IDSs have a large number of rules. Rule writing is an important and difficult part of network security monitoring. Luckily, security vendors themselves do a lot of the rule writing. For example, Proofpoint currently has more than 37,000 rules, in several popular formats, and also hosts a web page that provides a daily rule set summary. Of course, the rules still might need to be modified, to meet the needs of the organization.
The two basic types of IDSs are network-based and host-based. As the names suggest, network-based IDSs (NIDSs) look at the information exchanged between machines. Host-based IDSs (HIDSs) look at information that originates on the individual machines.
Consider some basics:
NIDSs monitor the packet flow and try to locate packets that might have gotten through the firewall but are not allowed to do so. They are best at detecting DoS attacks and unauthorized user access.
HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.
NIDSs and HIDSs should be used together to ensure a truly secure environment. IDSs can be located anywhere on the network. You can place them internally or between firewalls.
As with any network device, the placement of a NIDS determines the effectiveness of the technology. A NIDS can be placed outside the perimeter of the firewall as an early detection system or can be used internally as an added layer of security. Internally placed NIDSs that are near the local network switching nodes and near the access routers at the network boundary have lower false alarm rates because the NIDS doesn’t have to monitor any traffic that the firewall blocks.
Intrusion detection software is reactive or passive. This means that the system detects a potential security breach, logs the information, and signals an alert after the event occurs. By the time an alert has been issued, the attack has usually occurred and has damaged the network or desktop.
This type of device is sometimes referred to as an out-of-band device.
Network intrusion prevention systems (NIPSs) are sometimes considered to be an extension of IDSs. NIPSs can be either hardware- or software-based, as with many other network protection devices. Intrusion prevention differs from intrusion detection because it actually prevents attacks instead of only detecting the occurrence of an attack.
NIPSs proactively protect machines against damage from attacks that signature-based technologies cannot detect because most NIPS solutions can look at application layer protocols such HTTP, FTP, and SMTP. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly.
This type of device is often referred to as an in-band device. Because the device is analyzing live network traffic, an in-band device acts as the enforcement point and can prevent an attack from reaching its target. In general, in-band systems are deployed at the network perimeter, but they also can be used internally to capture traffic flows at certain network points, such as into the datacenter.
Behavior-based intrusion detection methods are rooted in the premise that an intrusion can be detected by comparing the normal activity of a network to current activity. Any abnormalities from normal or expected behavior of the network are reported via an alarm. Behavior-based methods can identify attempts to exploit new or undocumented vulnerabilities, can alert to elevation or abuse of privileges, and tend to be independent of operating-system-specific processes. Behavior-based methods consider intrusive any activity that does not match a learned behavior. These methods are associated with a high false alarm rate. If a network is compromised before the learned behavior period, any malicious activity related to the compromise is not reported.
Signature-based detection methods are considered knowledge-based because the underlying mechanism is a database of known vulnerabilities. Signature-based methods monitor a network to find a pattern or signature match. When they find a match, they generate an alert. Vendors provide signature updates, similar to antivirus software updates, but generally signatures can be created anytime a particular behavior needs to be identified. Because pattern matching can be done quickly when the rule set is not extensive, the system or user notices very little intrusiveness or performance reduction.
Signature-based methods provide lower false alarms, compared to behavior-based methods, because all suspicious activity is in a known database. Anomaly-based detection methods are similar to behavior-based intrusion detection methods. Both are based on the concept of using a baseline for network behavior. However, a slight variation exists between the two.
In anomaly-based detection methods, after the application is trained, the established profile is used on real data to detect deviations. Training an application entails inputting and defining data criteria in a database. In a behavior-based intrusion detection method, the established profile is used as a comparison to current activity, monitoring for evidence of a compromise instead of the attack itself.
The rule development process for anomaly-based methods can become complicated because of the differences in vendor protocol implementations.
Heuristic intrusion detection methods are commonly known as anomaly-based methods because heuristic algorithms are used to identify anomalies.
Similar to anomaly-based methods, heuristic-based methods are typically rule-based and look for abnormal behavior. Heuristic rules tend to categorize activity into one of the following types: benign, suspicious, or unknown. As the IDS learns network behavior, the activity category can change. This slight difference between heuristic- and anomaly-based methods is that anomaly-based methods are less specific. Anomaly-based methods target behavior that is out of the ordinary instead of classifying all behavior.
False positives occur when a typical or expected behavior is identified as irregular or malicious. False positives generally occur when an IDS detects the presence of a newly installed application and the IDS has not yet been trained for this new behavior. Sometimes anomalous behavior in one area of an organization is acceptable; in other areas, this behavior is suspicious. False positives are one of the largest problems encountered in IDS management because they can easily prevent legitimate IDS alerts from quickly being identified. Rule sets need to be tuned to reduce the number of false positives. A single rule that generates false positives can create thousands of alerts in a short period of time. The alerts for rules that cause repeated false positives are often ignored or disabled. This increases risk to the organization because legitimate attacks might eventually be ignored, increasing the probability that the system will be compromised by the type of attack the disabled or ignored rule was actually looking for.
False negatives occur when an alert that should have been generated did not occur. In other words, an attack takes place but the IDS doesn’t detect it. False negatives most often happen because the IDS is reactive and signature-based systems do not recognize new attacks. Sometimes in a signature-based system, a rule can be written to catch only a subset of an attack vector. Several risks are associated with false positives. When false positives occur, missed attacks are not mitigated, giving the organization a false sense of security. Consider one more note about false positives: In an environment that relies on anomaly detection and in a host-based intrusion detection system (HIDS) that relies on file changes, if a system was compromised at the time of IDS training, false negatives will occur for any already exploited conditions.