Published by Easter Nichols. Modified over 7 years ago.
Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 7: Network Security Fundamentals
Objectives
- List the different types of network security devices and explain how they can be used
- Explain how network technologies can enhance security
- Describe secure network design elements
Network Security Fundamentals
- Information security and network security were once virtually synonymous: the network was viewed as the protecting wall behind which client computers could be kept safe
- This approach is untenable: too many entry points circumvent the network and allow malware to enter, for example an infected USB flash drive
- Malware takes advantage of common network protocols (such as HTTP) and cannot always be detected or blocked by network security devices
Network Security Posture
- Yet a secure network is essential to a comprehensive information security posture:
- Not all applications are designed and written with security and reliability in mind, so it falls to the network to provide protection
- Network-delivered services can scale better for larger environments and can complement server and application functionality
- An attacker who successfully penetrates the computer network may have access to thousands of desktop systems, servers, and storage devices
Network Security Strategy
- Secure network defense remains a critical element in any organization's security plan
- Organizations should make network defenses one of the first priorities in protecting information
- A network security strategy covers three areas: network devices, network technologies, and the design of the network
Standard Network Devices
- The security functions of standard network devices can be used to provide a degree of network security
- Network devices can be classified by their function in the Open Systems Interconnection (OSI) model
- The OSI standards were released in 1978, revised in 1983, and are still used today
- The model illustrates how a network device prepares data for delivery and how data is handled once received
OSI Layers
- The OSI model breaks networking steps into seven layers
- Each layer has different networking tasks
- Each layer cooperates with adjacent layers
OSI Reference Model (Table 7-1)
Layer 7, Application: the top layer; provides the user interface to allow network services. Function: provides services for user applications.
Layer 6, Presentation: concerned with how the data is represented and formatted for the user. Function: translation, compression, and encryption.
Layer 5, Session: permits the two parties on the network to hold ongoing communications across the network. Function: allows devices to establish and manage sessions.
Layer 4, Transport: responsible for ensuring that error-free data is given to the user. Function: connection establishment, management, and termination, as well as acknowledgments and retransmissions.
Layer 3, Network: picks the route the packet is to take and handles the addressing of packets for delivery. Function: logical addressing, routing, fragmentation, and reassembly.
Layer 2, Data Link: divides the data into frames; also responsible for error detection and correction (for example, if data is not received properly, the Data Link Layer requests that it be retransmitted). Function: physical addressing, data framing, and error detection and handling.
Layer 1, Physical: sends the signal to the network or receives the signal from the network. Function: encoding and signaling, and data transmission and reception.
Hubs
- Hubs were used by early LANs to connect multiple Ethernet devices together to function as a single network segment
- Work at Layer 1 of the OSI model
- Did not read the data passing through them, so were ignorant of data source and destination; essentially a multiport repeater
- A protocol analyzer captures packets to decode and analyze their contents; a hub makes this trivial, because every frame is repeated to every port, so any host plugged into the hub can capture all traffic on the segment
- Hubs are rarely used today because of this security vulnerability and the increased network traffic they generate
Switches
- A switch is a device that connects network devices
- Operates at the Data Link Layer (Layer 2)
- Learns which device is connected to each port from the source MAC address of the frames it receives
- Forwards a frame only to the port of its destination device, or floods it to all ports when the destination is unknown or the frame is a broadcast
- Uses MAC addresses to identify devices
- Provides better security than a hub by limiting the distribution of frames
Traffic Monitoring
- A network administrator monitors network traffic to help identify and troubleshoot network problems
- Port mirroring: the administrator configures the switch to copy the traffic that occurs on some or all ports to a designated monitoring port on the switch
- Network tap (test access point): a separate device installed inline on the network that passes a copy of the traffic to a monitoring device
Port Mirroring (Figure 7-1)
Figure: a network analyzer is connected to the mirror port of a network switch; the switch connects to the Internet on one side and to the internal network on the other.
Network Tap (Figure 7-2)
Figure: a network analyzer is connected to a network tap that sits inline between the internal network and a network switch; the switch connects to the Internet.
Protecting the Switch (Table 7-2)
MAC flooding. Description: an attacker overflows the switch's address table with fake MAC addresses, forcing it to act like a hub and send frames to all ports, where the attacker can capture them. Defense: use a switch that can close (disable) a port on which too many MAC addresses appear.
MAC address impersonation. Description: if two devices have the same MAC address, a switch may send frames to each device; an attacker can change the MAC address on her device to match the target device's MAC address. Defense: configure the switch so that only one port can be assigned per MAC address.
ARP poisoning. Description: the attacker sends a forged ARP packet to the source device, substituting the attacker's MAC address for the target's so that traffic is redirected to the attacker. Defense: use an ARP detection appliance, or a switch feature that validates ARP replies against known IP-to-MAC bindings.
Port mirroring. Description: an attacker connects his device to the switch's mirror port. Defense: secure the switch in a locked room.
Network tap. Description: a network tap is connected to the network to intercept frames. Defense: keep network connections secure by restricting physical access.
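The first three rows of Table 7-2 describe attacks a switch can detect from what it observes on its own ports. The following Python script is an added example, not code from the textbook; it models a port-security limit on learned MAC addresses and an ARP inspection check that compares each ARP reply against the binding on record, run over constructed frame and ARP records. The port names, MAC and IP addresses and the MAX_MACS_PER_PORT limit are all invented for the illustration.

```python
"""Detect MAC flooding and ARP poisoning from constructed switch/ARP records.

Simplified models of two defenses from Table 7-2: a port-security limit on
learned MAC addresses per switch port, and an ARP inspection check that
compares each ARP reply against the first-learned (or trusted) IP-to-MAC binding.
"""
from collections import defaultdict

# Hypothetical port-security limit; real switches often default to 1 and are tunable.
MAX_MACS_PER_PORT = 3


def detect_mac_flooding(frames, limit=MAX_MACS_PER_PORT):
    """frames: iterable of (switch_port, source_mac) observed on ingress.

    Returns {port: number_of_distinct_macs} for every port that learned more
    than `limit` distinct source MACs. Those are the ports a port-security
    feature would shut down (err-disable) instead of letting the address table
    overflow into hub-like flooding.
    """
    learned = defaultdict(set)
    for port, mac in frames:
        learned[port].add(mac.lower())
    return {p: len(macs) for p, macs in learned.items() if len(macs) > limit}


def detect_arp_poisoning(arp_replies, trusted=None):
    """arp_replies: iterable of (sender_ip, sender_mac) taken from ARP replies.

    `trusted` is an optional {ip: mac} table (what a switch would build from
    DHCP snooping). IPs not in it are learned from the first reply seen.
    Returns a list of (ip, expected_mac, claimed_mac) for every reply that
    contradicts the binding on record, which is what a forged reply trying to
    redirect traffic to the attacker's MAC looks like.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, mac in arp_replies:
        mac = mac.lower()
        expected = bindings.setdefault(ip, mac)  # learn on first sight
        if expected != mac:
            alerts.append((ip, expected, mac))
    return alerts


# Constructed sample data (not captured from a real network).
SAMPLE_FRAMES = [
    ("Gi1/0/1", "00:11:22:33:44:01"),
    ("Gi1/0/2", "00:11:22:33:44:02"),
    ("Gi1/0/2", "00:11:22:33:44:02"),  # repeats from the same host are fine
] + [("Gi1/0/7", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}") for i in range(500)]

SAMPLE_ARP = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway, legitimate
    ("10.0.0.5", "00:11:22:33:44:05"),
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # forged: gateway IP, attacker MAC
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # attacker keeps re-asserting it
]

if __name__ == "__main__":
    print("flooding ports:", detect_mac_flooding(SAMPLE_FRAMES))
    print("ARP alerts:", detect_arp_poisoning(SAMPLE_ARP))
```

With the sample data the flooding check reports only the port that saw 500 distinct source MACs, and the ARP check raises one alert per forged reply for the gateway address. Passing a `trusted` table makes the check equivalent to validating against DHCP-snooping bindings rather than trusting whichever reply arrived first.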
Routers
- A router is a network device that forwards packets across computer networks
- Operates at the Network Layer (Layer 3)
- Can be configured (typically with access control lists) to filter out specific types of network traffic
Load Balancing
- Load balancing is a technology that helps distribute work evenly across the network by allocating requests among multiple devices
- Advantages: reduces the probability of overloading a single server, optimizes the bandwidth of network computers, and reduces network downtime
- Load balancing is achieved through software or a hardware device
Load Balancers
- A load balancer is a dedicated hardware device, often grouped into one of two categories:
- Layer 4 load balancers act on data found in the Network and Transport layer protocols: Internet Protocol (IP) addresses and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports. They do not look inside the application data.
- Layer 7 load balancers distribute requests based on data found in Application layer protocols such as HTTP
Load Balancer Techniques
- Layer 4 and Layer 7 load balancers can distribute work in different ways: in a round-robin rotation to all devices equally, or to the device that currently has the fewest connections
- Layer 7 load balancers can also use HTTP headers, cookies, or data within the application message itself to make the distribution decision (for example, sending every request that carries the same session cookie to the same server)
Load Balancer Security
- A load balancer has security advantages
- Because load balancers are generally located between the routers and the servers, they can detect and stop attacks directed at a server or application
- A load balancer can be used to detect and prevent denial-of-service (DoS) and protocol attacks that could cripple a single server
- Some load balancers can hide HTTP error pages or remove server identification headers from HTTP responses, denying attackers additional information about the internal network
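An added example (not from the textbook) that simulates the three distribution policies from the previous slides and the header-scrubbing defense from this one, without opening any sockets. The backend names, the cookie name SRV and the list of headers treated as leaky are assumptions for the illustration.

```python
"""Layer 4 and Layer 7 load-balancer distribution policies plus response
header scrubbing, as a self-contained simulation (no real networking).
"""
from collections import Counter
from itertools import cycle
import re

# Hypothetical backend pool.
BACKENDS = ["web1", "web2", "web3"]


class LoadBalancer:
    def __init__(self, backends):
        self.backends = list(backends)
        self._rr = cycle(self.backends)
        self.active = Counter({b: 0 for b in self.backends})

    # --- Layer 4 policies: only addresses/ports/connection counts are used ---
    def round_robin(self):
        return next(self._rr)

    def least_connections(self):
        # ties are broken by pool order so the result is deterministic
        return min(self.backends, key=lambda b: (self.active[b], self.backends.index(b)))

    # --- Layer 7 policy: looks inside the HTTP request ---
    def sticky(self, headers):
        """Pin a session to one backend via a cookie; fall back to least connections.
        A cookie naming a backend that is not in the pool is ignored, so a client
        cannot steer requests to an arbitrary host by editing the cookie."""
        cookie = headers.get("cookie", "")
        m = re.search(r"(?:^|;\s*)SRV=(\w+)", cookie)
        if m and m.group(1) in self.backends:
            return m.group(1)
        return self.least_connections()

    def open_conn(self, backend):
        self.active[backend] += 1

    def close_conn(self, backend):
        self.active[backend] -= 1


# Headers that leak backend details and should not reach the client.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-backend"}


def scrub_response_headers(headers):
    """Drop identification headers; the balancer re-adds a generic Server value."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}
    cleaned["Server"] = "lb"
    return cleaned


def demo():
    lb = LoadBalancer(BACKENDS)
    rr = [lb.round_robin() for _ in range(4)]               # web1, web2, web3, web1
    lb.open_conn("web1"); lb.open_conn("web1"); lb.open_conn("web2")
    lc = lb.least_connections()                             # web3 has no active connections
    sticky = lb.sticky({"cookie": "theme=dark; SRV=web2"})  # pinned to web2 by cookie
    scrubbed = scrub_response_headers({
        "Content-Type": "text/html",
        "Server": "Apache/2.4.41 (Ubuntu)",
        "X-Powered-By": "PHP/7.4",
    })
    return rr, lc, sticky, scrubbed


if __name__ == "__main__":
    print(demo())
```

The round-robin and least-connections policies need nothing beyond connection bookkeeping, which is why a Layer 4 device can implement them; the cookie policy has to parse the HTTP request and so requires a Layer 7 device. The scrubbing function is the "remove server identification headers" defense: a client sees only `Server: lb`, not the Apache and PHP versions of the backend.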
Proxies
- A proxy is a person authorized to act as a substitute or agent on behalf of another
- A proxy server is a computer or application that intercepts and processes user requests: if a previous request has been fulfilled, a copy of the web page may reside in the proxy server's cache; if not, the proxy server requests the item from the external web server using its own IP address
Application-Aware Proxies
- When the proxy server receives the requested item from the web server, the item is forwarded to the client
- Access to the proxy server is configured in the user's web browser
- An application-aware proxy is a special proxy server that "knows" the application protocols it supports (an FTP proxy server implements the FTP protocol)
Proxy Server (Figure 7-3)
Figure: an internal network of four computers connects to a switch, which connects to a proxy server; the proxy server connects to a firewall, which connects to the Internet router and then to the Internet.
Configuring Access To Proxy Servers (Figure 7-4)
Figure: a screen capture of the proxy settings dialog in Internet Explorer; the address and port fields for the HTTP, Secure, FTP, and Socks proxies are all blank.
Proxy Advantages
- Increased speed (requests served from the cache)
- Reduced costs (the cache reduces the bandwidth required)
- Improved management (block specific web pages or sites)
- Stronger security: intercept malware, and hide the client system's IP address from the open Internet
Reverse Proxies
- A reverse proxy does not serve clients; it routes incoming requests to the correct internal server
- The reverse proxy's IP address is visible to outside users; the internal server's IP address is hidden
Reverse Proxy (Figure 7-5)
Figure: the computer at the left is labeled "IP =" (the address is left blank in the figure) and makes a request to get a web page from 123.org. The next device is the forward proxy server, labeled to show that it replaces the source IP with its own IP. It connects across the Internet to a reverse proxy named server 123.org, which is connected to Web servers 1, 2, and 3.
Network Security Hardware
- Specifically designed security hardware devices provide greater protection than standard networking devices
- Devices include network firewalls, spam filters, virtual private network concentrators, Internet content filters, web security gateways, intrusion detection and prevention systems, and Unified Threat Management appliances
Network Firewalls
- A host-based application software firewall runs as a program on one client
- A hardware-based network firewall is designed to protect an entire network
- Both do essentially the same thing: inspect packets and either accept or deny entry
- Hardware firewalls are usually located at the edge of the network security perimeter as the first line of defense
Firewall Location (Figure 7-6)
Figure: an internal network of four computers connects to a switch, which connects to a firewall; the firewall connects to the Internet router and then to the Internet.
Network Firewall Filtering
- Stateless packet filtering inspects each incoming packet on its own and permits or denies it based on conditions set by the administrator (typically source and destination address, protocol, and port)
- Stateful packet filtering keeps a record of the state of each connection and makes decisions based on both the connection state and the administrator's conditions; for example, a reply packet is allowed in only if it belongs to a connection that was initiated from inside
Network Firewall Actions
- Allow: let the packet pass through and continue on its journey
- Drop: prevent the packet from passing into the network and send no response to the sender
- Reject: prevent the packet from passing into the network but send a message to the sender that the destination cannot be reached
- Ask: inquire what action to take
Rule-Based Firewalls
- A rule-based firewall uses a set of individual instructions (firewall rules) to control its actions
- Each firewall rule is a separate instruction; rules are processed in sequence and, in most implementations, the first rule that matches a packet decides its fate, so the order of the rules matters
- Rules are stored together in one or more text files that are read when the firewall starts
- Rule-based firewalls are static in nature and cannot do anything other than what they have been expressly configured to do
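The following Python packet filter is an added example, not the textbook's code, that ties together the three preceding slides: rules are processed in order with the first match winning, each rule yields allow, drop or reject, and the same rule set is run once stateless and once with a connection table so that the difference in how a DNS reply is treated is visible. The addresses come from the RFC 5737 documentation ranges and the rule set is hypothetical.

```python
"""Rule-based packet filter: ordered first-match rules with allow/drop/reject
actions, run once stateless and once with a connection-state table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                  # "allow" | "drop" | "reject"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt):
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


class Firewall:
    """Rules are evaluated top to bottom; the first match decides.
    Anything unmatched falls through to `default` (deny by default)."""

    def __init__(self, rules, default="drop", stateful=False):
        self.rules = rules
        self.default = default
        self.stateful = stateful
        self.conns = set()  # (src, sport, dst, dport, proto) of outbound traffic seen

    def outbound(self, pkt):
        """Traffic leaving the protected network; remembered when stateful."""
        if self.stateful:
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "allow"

    def inbound(self, pkt):
        # A stateful filter admits replies to known connections before consulting
        # the rules. A stateless filter has no memory, so the same reply is judged
        # purely on its headers and would need a broad "allow high ports" rule.
        if self.stateful and (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conns:
            return "allow"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


RULES = [
    Rule("allow", "tcp", dst="192.0.2.0/24", dport=443),  # public HTTPS server
    Rule("reject", "tcp", dst="192.0.2.0/24", dport=22),  # tell the sender SSH is closed
    Rule("drop", "icmp"),                                 # silently discard pings
]

# Constructed packets using RFC 5737 documentation addresses.
WEB_HIT = Packet("198.51.100.9", "192.0.2.10", "tcp", 51000, 443)
SSH_TRY = Packet("198.51.100.9", "192.0.2.10", "tcp", 51001, 22)
PING = Packet("198.51.100.9", "192.0.2.10", "icmp", 0, 0)
DNS_QUERY = Packet("192.0.2.10", "203.0.113.53", "udp", 40000, 53)
DNS_REPLY = Packet("203.0.113.53", "192.0.2.10", "udp", 53, 40000)


def run(stateful):
    """Send one outbound DNS query, then judge four inbound packets."""
    fw = Firewall(RULES, stateful=stateful)
    fw.outbound(DNS_QUERY)
    return {
        "web": fw.inbound(WEB_HIT),
        "ssh": fw.inbound(SSH_TRY),
        "ping": fw.inbound(PING),
        "dns_reply": fw.inbound(DNS_REPLY),
    }


if __name__ == "__main__":
    print("stateless:", run(stateful=False))
    print("stateful: ", run(stateful=True))
```

The web, SSH and ping packets get the same verdict either way because a rule matches each of them. The DNS reply is the interesting case: the stateless filter has no rule for inbound UDP from port 53 and drops it, breaking name resolution, while the stateful filter recognises it as the answer to a query it saw leave and allows it without any extra rule.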
Application-Aware Firewalls
- An application-aware firewall (next-generation firewall, NGFW) is a more "intelligent" firewall that operates at a higher level
- It identifies the applications that send packets through the firewall and then makes decisions about the application, rather than relying only on granular rule settings such as destination port or protocol
- A web application firewall (WAF) is a special type of application-aware firewall that looks at applications using HTTP
Spam Filters
- Enterprise-wide spam filters block spam before it reaches the host systems
- They work with the two mail protocols: Simple Mail Transfer Protocol (SMTP), which carries outgoing mail from the sender and between mail servers, and Post Office Protocol (POP), which delivers incoming mail from the mailbox to the recipient's client
Spam Filters On SMTP Server
- The spam filter is installed with the SMTP server and configured to listen on port 25
- It passes non-spam to the SMTP server, which listens on another port
- This method prevents the SMTP server from notifying the spammer of a failed message delivery, because the filter discards spam before the server ever accepts it
Spam Filter With SMTP Server (Figure 7-7)
Figure: a sender connects on port 25 to its SMTP server, which connects to the Internet. From the Internet, mail arrives on port 25 at the spam filter, which passes it on port 26 to the receiving SMTP server. That server delivers to a POP3 server, from which the receiver retrieves mail on port 110.
Spam Filters On POP3 Server
- When the spam filter is installed on the POP3 server, all spam must first pass through the SMTP server and be delivered to the user's mailbox
- This can result in increased costs of storage, transmission, backup, and deletion
- Alternatively, a third party can be contracted to filter spam: all mail is directed to the third party's remote spam filter and cleansed before being redirected to the organization
Spam Filter on POP3 Server (Figure 7-8)
Figure: a sender connects on port 25 to its SMTP server, which connects to the Internet. From the Internet, mail arrives on port 25 at the receiving SMTP server, which delivers to a POP3 server that hosts the spam filter; the receiver retrieves mail on port 110.
Virtual Private Network Concentrators
- A virtual private network (VPN) uses an unsecured network as if it were secure: all data transmitted between the remote device and the network is encrypted
- Remote-access VPN: a user-to-LAN connection
- Site-to-site VPN: multiple sites connect to other sites over the Internet
VPN Endpoints
- An endpoint is the end of the tunnel between VPN devices; it may be software on a local computer, a VPN concentrator (a hardware device), or integrated into another networking device
- VPNs can be software-based or hardware-based
- Hardware-based VPNs generally have better security; software-based VPNs have more flexibility in managing network traffic
Internet Content Filters
- Internet content filters monitor Internet traffic and block access to preselected web sites and files
- Unapproved sites can be restricted based on the Uniform Resource Locator (URL filtering), by searching for and matching keywords such as "sex" or "hate" (content inspection), or by looking for malware (malware inspection)
Internet Content Filter Features (Table 7-3)
URL filtering and content inspection: network administrators can block access to specific websites, or allow only specific websites while all others are blocked. Blocking can be based on keywords, URL patterns, or lists of prohibited sites.
Malware inspection and filtering: filters can assess whether a web page contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.
Prohibiting file downloads: executable programs (.exe), audio or video files (.mp3, .avi, .mpg), and archive files (.zip, .rar) can be blocked.
Profiles: content-specific websites, such as adult, hacking, and virus-infected websites, can be blocked.
Detailed reporting: administrators can monitor Internet traffic and identify users who attempt to foil the filters.
Gateways
- A web security gateway can block malicious content in real time
- It enables a higher level of defense by examining content through application-level filtering
- Examples of blocked web traffic: ActiveX objects, adware and spyware, peer-to-peer file sharing, script exploits, and TCP/IP malicious code attacks
Intrusion Detection and Prevention
- An intrusion detection system (IDS) is a device that can detect an attack as it occurs
- IDS systems can use different methodologies for monitoring for attacks
- An IDS can be installed on either local hosts or networks
- An intrusion prevention system (IPS) is an extension of an IDS that can also block the attack it detects, rather than only alerting on it
Monitoring Methodologies
- Anomaly-based monitoring compares currently detected behavior with a baseline
- Signature-based monitoring looks for well-known attack signature patterns
- Behavior-based monitoring detects abnormal actions by processes or programs and alerts the user, who decides whether to allow or block the activity
- Heuristic monitoring uses experience-based techniques
Methodology Comparisons To Trap Port Scanning Application (Table 7-4)
Anomaly-based monitoring. Traps the scanning application? Depends: only if this application has tried to scan previously and a baseline has been established.
Signature-based monitoring. Traps the scanning application? Depends: only if a signature of scanning by this application has been previously created.
Behavior-based monitoring. Traps the scanning application? Depends: only if this action by the application is different from other applications.
Heuristic monitoring. Traps the scanning application? Yes: the IDS is triggered if any application tries to scan multiple ports.
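The "Depends" versus "Yes" column in Table 7-4 is easiest to see in code. The following is an added example, not from the textbook, that runs a signature match and a heuristic distinct-port threshold over constructed connection-log lines and shows a scanner that only the heuristic catches. The log format, the KNOWN_SCAN_SIGNATURE port sequence and the threshold and window values are assumptions for the illustration.

```python
"""Signature-based vs heuristic detection of a port scan over constructed
connection-log lines (syslog-like; not taken from a real sensor).
"""
from collections import defaultdict
from datetime import datetime
import re

LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp flags=S
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp flags=S
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp flags=S
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp flags=S
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp flags=S
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=135 proto=tcp flags=S
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp flags=S
2024-05-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp flags=S
2024-05-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp flags=S
2024-05-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp flags=S
2024-05-01T10:00:05 src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp flags=S
2024-05-01T10:00:06 src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp flags=S
2024-05-01T10:00:09 src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp flags=S
2024-05-01T10:00:20 src=203.0.113.8 dst=192.0.2.10 dport=3306 proto=tcp flags=S
2024-05-01T10:00:20 src=203.0.113.8 dst=192.0.2.10 dport=5432 proto=tcp flags=S
2024-05-01T10:00:21 src=203.0.113.8 dst=192.0.2.10 dport=8080 proto=tcp flags=S
2024-05-01T10:00:21 src=203.0.113.8 dst=192.0.2.10 dport=8443 proto=tcp flags=S
2024-05-01T10:00:22 src=203.0.113.8 dst=192.0.2.10 dport=1433 proto=tcp flags=S
2024-05-01T10:00:22 src=203.0.113.8 dst=192.0.2.10 dport=21 proto=tcp flags=S
2024-05-01T10:02:00 src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp flags=S
2024-05-01T10:03:30 src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp flags=S
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) flags=(?P<flags>\w+)"
)


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["dport"] = int(d["dport"])
            yield d


# Signature-based: the exact first five ports a known scanner probes (assumed).
# Only this sequence is caught; a different order or port set evades it.
KNOWN_SCAN_SIGNATURE = (22, 23, 25, 80, 110)


def signature_detect(events, signature=KNOWN_SCAN_SIGNATURE):
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["dport"])
    return [src for src, ports in by_src.items() if tuple(ports[:len(signature)]) == signature]


# Heuristic: any source touching more than `threshold` distinct ports on one
# host within `window_s` seconds is scanning, whatever tool or port order it
# uses. The cost is false positives from busy clients, hence tunable parameters.
def heuristic_detect(events, threshold=5, window_s=10):
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts = {}
    for (src, dst), items in by_pair.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # slide the window start
            ports = {p for t, p in items[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) > threshold:
                alerts[src] = len(ports)
                break
    return alerts


if __name__ == "__main__":
    evs = list(parse(LOG))
    print("signature hits:", signature_detect(evs))
    print("heuristic alerts:", heuristic_detect(evs))
```

Host 203.0.113.7 is caught by both methods because it happens to match the assumed signature. Host 203.0.113.8 probes six unrelated ports in a different order, so the signature misses it while the heuristic flags it; that is the table's "Yes" for heuristic monitoring. Host 203.0.113.9 touches two ports ninety seconds apart and evades both, which is exactly why slow scans are hard to catch with a short window, and why the threshold and window are the knobs a detection engineer tunes.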
47
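To make the four methodologies and the "Depends" entries of Table 7-4 concrete, here is an added example (written for this page, not code from the textbook) that runs each methodology over the same constructed connection log. The log, the application names, the signature list and the baseline values are all invented for the demonstration; the point is that only the behavior-based and heuristic detectors catch the unknown scanner, while the signature detector has no entry for it and the anomaly detector has no baseline to compare against.

```python
"""Four IDS monitoring methodologies run over one constructed connection log (added example)."""
from collections import defaultdict

# Constructed sample log: (second, host, application, destination port).
# "scan.exe" touches many ports within a few seconds; the other applications behave normally.
SAMPLE_LOG = [
    (0, "10.0.0.5", "browser.exe", 443),
    (1, "10.0.0.5", "browser.exe", 443),
    (2, "10.0.0.5", "mail.exe", 993),
    (3, "10.0.0.5", "scan.exe", 21),
    (3, "10.0.0.5", "scan.exe", 22),
    (3, "10.0.0.5", "scan.exe", 23),
    (4, "10.0.0.5", "scan.exe", 25),
    (4, "10.0.0.5", "scan.exe", 80),
    (4, "10.0.0.5", "scan.exe", 110),
    (5, "10.0.0.5", "scan.exe", 135),
    (5, "10.0.0.5", "scan.exe", 139),
    (5, "10.0.0.5", "scan.exe", 445),
    (6, "10.0.0.5", "scan.exe", 3389),
]

# Hypothetical signature database: known scanner program names. "scan.exe" is not in it.
SIGNATURES = {"nmap.exe", "masscan.exe"}

# Hypothetical anomaly baseline learned earlier: distinct ports each application normally uses per window.
BASELINE_PORTS = {"browser.exe": 2, "mail.exe": 2}


def distinct_ports(log):
    """Map application -> set of destination ports it contacted."""
    ports = defaultdict(set)
    for _, _, app, port in log:
        ports[app].add(port)
    return ports


def signature_based(log):
    """Fires only when the application matches a stored signature."""
    return {app for _, _, app, _ in log if app in SIGNATURES}


def anomaly_based(log, baseline=BASELINE_PORTS, factor=3):
    """Fires when an application exceeds its own learned baseline; None means no baseline exists (Table 7-4: 'Depends')."""
    result = {}
    for app, ports in distinct_ports(log).items():
        if app not in baseline:
            result[app] = None
        else:
            result[app] = len(ports) > factor * baseline[app]
    return result


def behavior_based(log):
    """Fires when an application's action differs sharply from what the other applications on the host do."""
    ports = distinct_ports(log)
    flagged = set()
    for app, p in ports.items():
        others = [len(q) for a, q in ports.items() if a != app]
        if others and len(p) > 5 * max(others):
            flagged.add(app)
    return flagged


def heuristic(log, window=5, threshold=8):
    """Rule of thumb: any application touching more than `threshold` distinct ports within `window` seconds is scanning."""
    flagged = set()
    events = defaultdict(list)
    for t, _, app, port in log:
        events[app].append((t, port))
    for app, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            in_window = {port for t, port in evs[i:] if t - t0 < window}
            if len(in_window) > threshold:
                flagged.add(app)
                break
    return flagged


def run_all(log=SAMPLE_LOG):
    """Apply all four methodologies to the log and return their verdicts side by side."""
    return {
        "signature": signature_based(log),
        "anomaly": anomaly_based(log),
        "behavior": behavior_based(log),
        "heuristic": heuristic(log),
    }
```

Running `run_all()` on the sample log returns an empty signature set, `None` for `scan.exe` under anomaly monitoring, and `{"scan.exe"}` from both the behavior-based and heuristic detectors, which is exactly the "Depends / Depends / Depends / Yes" column of the table for a scanner nobody has seen before.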
Host-Based Intrusion Detection System (HIDS)
Host-based intrusion detection system (HIDS) - Software-based application that runs on the local host computer and can detect an attack as it occurs
HIDS relies on agents installed directly on the system being protected
Monitors:
  System calls
  File system access
  System registry settings
  Host input/output
HIDS Disadvantages
Disadvantages of HIDS:
  Cannot monitor network traffic that does not reach the local system
  All log data is stored locally, so an attacker who compromises the host can alter or delete the evidence unless the logs are forwarded off the host
  Resource-intensive and can slow the system
Network Intrusion Detection System (NIDS)
Network intrusion detection system (NIDS) - Watches for attacks on the network
NIDS sensors are installed at traffic chokepoints such as firewalls and routers (or are fed by a switch mirror port or a network tap) to gather information and report back to a central device
May use one or more of the evaluation techniques
NIDS Evaluation Techniques (Table 7-5)

Technique                         | Description
----------------------------------|-------------------------------------------------------------------------------------------------------------
Protocol stack verification       | Some attacks use malformed IP, TCP, UDP, or ICMP packets. Protocol stack verification checks each packet against the protocol specification and flags invalid ones, such as overlapping or otherwise inconsistent IP fragments.
Application protocol verification | Some attacks use invalid application protocol behavior or have a telltale signature (such as DNS poisoning). The NIDS reimplements the application protocol (it parses DNS, HTTP, and so on) so that it can recognize the pattern.
Creating extended logs            | A NIDS can log unusual events and make them available to other network logging and monitoring systems.
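Protocol stack verification is easiest to understand with a parser in hand. The code below is an added example for this page (not the textbook's or any NIDS product's code): it parses IPv4 headers, reports violations of the header rules (version, header length, total length, checksum) and detects fragment trains whose byte ranges overlap. The capture it analyzes is constructed inline with the `build_ipv4` helper; all addresses come from the documentation ranges.

```python
"""Protocol stack verification: parse IPv4 headers, reject malformed packets, spot overlapping fragments (added example)."""
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags+offset, TTL, proto, checksum, src, dst


def checksum(data):
    """Internet ones'-complement checksum; a header whose checksum field is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt):
    """Return (header fields, list of protocol violations); fields are None if the packet is too short to parse."""
    if len(pkt) < 20:
        return None, ["truncated: shorter than the 20-byte minimum header"]
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    problems = []
    if version != 4:
        problems.append("bad version %d" % version)
    if ihl < 20:
        problems.append("header length %d below minimum" % ihl)
    if total_len < ihl or total_len > len(pkt):
        problems.append("total length %d inconsistent with %d bytes received" % (total_len, len(pkt)))
    if checksum(pkt[:max(ihl, 20)]) != 0:
        problems.append("header checksum mismatch")
    hdr = {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "id": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,    # fragment offset is carried in 8-byte units
        "payload_len": max(total_len - ihl, 0),
    }
    return hdr, problems


def build_ipv4(src, dst, ident, offset, more_fragments, payload, proto=17, ttl=64):
    """Assemble a well-formed IPv4 packet for the sample capture (offset in bytes, multiple of 8)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
              bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))]
    fields[7] = checksum(struct.pack(IPV4_HDR, *fields))   # checksum computed with the field zeroed
    return struct.pack(IPV4_HDR, *fields) + payload


def analyze(packets):
    """Run stack verification over a capture: list malformed packets and fragment groups whose ranges overlap."""
    malformed, ranges = [], defaultdict(list)
    for pkt in packets:
        hdr, problems = parse_ipv4(pkt)
        if problems:
            malformed.append(problems)
            continue
        if hdr["mf"] or hdr["offset"]:
            key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
            ranges[key].append((hdr["offset"], hdr["offset"] + hdr["payload_len"]))
    overlapping = []
    for key, spans in ranges.items():
        spans.sort()
        if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
            overlapping.append(key)
    return {"malformed": malformed, "overlapping": overlapping}


def demo():
    """Constructed capture: a clean datagram, a fragment train whose second piece rewrites part of the first, and a packet with a bad version nibble."""
    clean = build_ipv4("10.0.0.1", "10.0.0.2", 1, 0, False, b"hello")
    frag1 = build_ipv4("198.51.100.7", "10.0.0.2", 77, 0, True, b"A" * 24)
    frag2 = build_ipv4("198.51.100.7", "10.0.0.2", 77, 8, True, b"B" * 16)   # bytes 8-23 overlap frag1
    frag3 = build_ipv4("198.51.100.7", "10.0.0.2", 77, 24, False, b"C" * 8)
    bad_version = bytes([0x65]) + clean[1:]                                   # version nibble claims 6
    return analyze([clean, frag1, frag2, frag3, bad_version])
```

Overlapping fragments matter because different operating systems reassemble them differently (first-wins versus last-wins), so an attacker can make the end host see a payload the IDS did not; flagging the overlap itself sidesteps that ambiguity.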
Application-Aware IDS
Once an attack is detected, a NIDS can perform different actions, such as sounding an alarm and logging the event
Application-aware IDS - Specialized IDS capable of using "contextual knowledge" in real time
Can know the version of the operating system or which application is running, as well as what vulnerabilities are present on the systems being protected
Improves the speed and accuracy of IDS decisions and reduces the risk of false positives (an alert for an exploit that only affects software the target does not run can be discarded)
Intrusion Prevention System (IPS)
Intrusion prevention system (IPS) - Monitors to detect malicious activities as an IDS does, but also attempts to prevent them by stopping the attack
Network intrusion prevention system (NIPS) - Similar to an active NIDS; monitors network traffic and reacts immediately to a malicious attack
NIDS vs. NIPS
The major difference between a NIDS and a NIPS is location:
  A NIDS has sensors that monitor traffic entering and leaving the firewall and reports back to a central device for analysis
  A NIPS is located "in line" in the traffic path (often on the firewall itself), which lets it take action to block an attack more quickly
  Because an inline NIPS drops whatever it matches, a false positive blocks legitimate traffic and a failed sensor can interrupt connectivity, so NIPS rules need tighter tuning than NIDS rules
Application-aware IPS - Knows information such as the applications and operating systems in use, so it can provide a higher degree of accuracy
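The three slides above (application-aware IDS, IPS, and NIDS vs. NIPS) describe one engine in different configurations, so a single added example covers them. This is illustration code written for this page, not the textbook's nor any vendor's: the same rules are evaluated in "ids" mode (alert and forward), "ips" mode (alert and drop), and "ips" mode with application awareness, where a hypothetical asset inventory suppresses the match against a host that does not run the software the signature targets. The rule contents, inventory and packets are all constructed.

```python
"""One detection engine as NIDS, NIPS, and application-aware NIPS (added example)."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    name: str
    dport: int
    pattern: bytes
    affects: str            # software the signature is relevant to, e.g. "iis"


# Hypothetical content-match signatures (constructed for the example).
RULES = [
    Rule("web-shell-upload", 80, b"cmd.exe", affects="iis"),
    Rule("smb-admin-share", 445, b"ADMIN$", affects="windows"),
]

# Hypothetical asset inventory the application-aware engine consults: what each host runs on each port.
INVENTORY = {
    "10.0.0.10": {"os": "windows", "services": {80: "iis", 445: "windows"}},
    "10.0.0.20": {"os": "linux", "services": {80: "nginx"}},
}


@dataclass
class Engine:
    mode: str                          # "ids" (passive sensor) or "ips" (inline)
    application_aware: bool = False
    alerts: list = field(default_factory=list)

    def matches(self, rule, pkt):
        """Signature match, optionally filtered by contextual knowledge of the destination."""
        if pkt.dport != rule.dport or rule.pattern not in pkt.payload:
            return False
        if self.application_aware:
            running = INVENTORY.get(pkt.dst, {}).get("services", {}).get(pkt.dport)
            if running != rule.affects:
                return False          # target does not run the affected software: not a real hit
        return True

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet, recording an alert on any match."""
        for rule in RULES:
            if self.matches(rule, pkt):
                self.alerts.append((rule.name, pkt.src, pkt.dst))
                return "drop" if self.mode == "ips" else "forward"
        return "forward"


def demo():
    """Same constructed traffic through the three configurations; returns verdicts and alert counts."""
    traffic = [
        Packet("203.0.113.9", "10.0.0.10", 80, b"GET /upload.asp?f=cmd.exe HTTP/1.1"),   # IIS host: real hit
        Packet("203.0.113.9", "10.0.0.20", 80, b"GET /upload.asp?f=cmd.exe HTTP/1.1"),   # nginx host: false positive
        Packet("203.0.113.9", "10.0.0.10", 443, b"TLS handshake"),
    ]
    results = {}
    for mode, aware in [("ids", False), ("ips", False), ("ips", True)]:
        engine = Engine(mode, aware)
        verdicts = [engine.process(p) for p in traffic]
        results[(mode, aware)] = (verdicts, len(engine.alerts))
    return results
```

The middle row of the result is the practitioner's warning from the slide: the plain inline IPS drops the second request even though the nginx host was never at risk, while the application-aware engine forwards it and raises only the alert that matters.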
Unified Threat Management (UTM) Security Appliances
Because each type of network security hardware provides a different defense, a network may require multiple devices for comprehensive protection
This makes it cumbersome to manage multiple devices
Unified Threat Management (UTM) - Security product that combines several security functions in one appliance
UTM Functions
UTM functions:
  Antispam and antiphishing
  Antivirus and antispyware
  Bandwidth optimization
  Content filtering
  Encryption
  Firewall
  Instant messaging control
  Intrusion prevention
  Web filtering
Security Through Network Technologies
Network technologies can also help to secure the network
Two technologies:
  Network address translation
  Network access control
Network Address Translation (NAT)
Internet routers do not forward packets carrying private (RFC 1918) addresses, so such packets are normally dropped
Network address translation (NAT) - Allows hosts with private IP addresses to communicate over the public Internet
Replaces the private source IP address with a public address as the packet leaves the network, and restores the private address when the reply returns
Port address translation (PAT) - Variation of NAT in which outgoing packets from many hosts are given the same public IP address but different source port numbers (TCP or UDP), so that replies can be mapped back to the right internal host
Network Address Translation (Figure 7-9)
A figure. The computer on the left has a private IP address. It connects to a NAT box that shows the original address and an alias address, and a line from the box leads to the Internet.
  1. Packet created on a computer with a private IP address
  2. NAT replaces the private IP address with an alias (public) address
  3. Packet sent to the Internet with the alias address
NAT Advantages
Advantages of NAT:
  Masks the IP addresses of internal devices
  Allows multiple devices to share a smaller number of public IP addresses
NAT hides internal addressing, but it is not a substitute for a firewall; it should complement traffic filtering, not replace it
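The following added example (written for this page, not from the textbook) implements the PAT variant described above as a small translation table, so the two advantages can be seen in the packets themselves: two internal hosts that happen to use the same source port share one public address and are told apart on the way back by the port the gateway assigned, and a packet from an outside host that no internal host talked to has no table entry and is dropped. The public address, port range and hosts are constructed for the demonstration.

```python
"""Port address translation: many private hosts behind one public address (added example)."""

PUBLIC_IP = "203.0.113.1"      # hypothetical public address of the NAT gateway


class PatGateway:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private ip, private port, remote ip, remote port) -> assigned public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (private ip, private port)

    def translate_out(self, pkt):
        """Packet leaving the private network: rewrite its source to the shared public address and a fresh port."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.outbound[key]}

    def translate_in(self, pkt):
        """Packet arriving from the Internet: map it back to the private host, or drop it if nobody asked for it."""
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.inbound:
            return None
        private_ip, private_port = self.inbound[key]
        return {**pkt, "dst": private_ip, "dport": private_port}


def demo():
    """Two internal hosts using the same source port to the same web server, their replies, and an unsolicited probe."""
    gw = PatGateway()
    host_a = {"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.80", "dport": 443}
    host_b = {"src": "192.168.1.11", "sport": 51000, "dst": "198.51.100.80", "dport": 443}
    out_a = gw.translate_out(host_a)
    out_b = gw.translate_out(host_b)
    reply_a = gw.translate_in({"src": "198.51.100.80", "sport": 443, "dst": PUBLIC_IP, "dport": out_a["sport"]})
    reply_b = gw.translate_in({"src": "198.51.100.80", "sport": 443, "dst": PUBLIC_IP, "dport": out_b["sport"]})
    probe = gw.translate_in({"src": "192.0.2.66", "sport": 4444, "dst": PUBLIC_IP, "dport": 40000})
    return out_a, out_b, reply_a, reply_b, probe
```

Note that the probe is dropped only because the table has no entry for it, a side effect of the translation, not a policy decision; that is why the slide's caveat about NAT not being a firewall holds.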
Network Access Control (NAC)
Network access control (NAC) - Examines the current state of a system or network device before allowing it to connect to the network
The device must meet a set of criteria (for example, current antivirus signatures and patch level)
If the criteria are not met, NAC allows the connection only to a quarantine network until the deficiencies are corrected
Network Access Control (NAC) Framework (Figure 7-10)
A figure. At the top is the quarantine network, connected to the client computer, which is connected to the Health Registration Authority. The authority is connected to an antivirus server, a patch management server, and the network access control network.
  1. The client performs a self-assessment using a System Health Agent (SHA) to determine its current security posture.
  2. The assessment, known as a Statement of Health (SoH), is sent to a server called the Health Registration Authority (HRA). This server enforces the security policies of the network. It also integrates with other external authorities, such as antivirus and patch management servers, to retrieve current configuration information.
  3. If the client is approved by the HRA, it is issued a Health Certificate.
  4. The Health Certificate is then presented to the network servers to verify that the client's security condition has been approved.
  5. If the client is not approved, it is connected to a quarantine network where the deficiencies are corrected, and then the computer is allowed to connect to the network.
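The five steps of Figure 7-10 form a protocol exchange, so here they are carried through in code as an added example for this page (not the textbook's, and not the implementation of any particular NAC product). The policy values, the HRA key and the client measurements are constructed; the Health Certificate is modelled as an HMAC over the client name and an expiry, which is the minimum the network servers in step 4 need in order to reject forged or stale certificates.

```python
"""NAC exchange from Figure 7-10: SHA -> SoH -> HRA policy check -> Health Certificate or quarantine (added example)."""
import hashlib
import hmac
import json

# Hypothetical network policy enforced by the HRA.
POLICY = {"av_signatures_max_age_days": 7, "min_patch_level": 42, "firewall_required": True}
# Hypothetical secret shared by the HRA and the network servers that verify certificates.
HRA_KEY = b"hra-demo-key"


def statement_of_health(client_id, av_age_days, patch_level, firewall_enabled):
    """Step 1: the System Health Agent's self-assessment (values are constructed)."""
    return {"client": client_id, "av_age_days": av_age_days, "patch_level": patch_level, "firewall": firewall_enabled}


def evaluate(soh, policy=POLICY):
    """Step 2: HRA checks the SoH against policy; returns the list of deficiencies (empty means healthy)."""
    deficiencies = []
    if soh["av_age_days"] > policy["av_signatures_max_age_days"]:
        deficiencies.append("antivirus signatures out of date")
    if soh["patch_level"] < policy["min_patch_level"]:
        deficiencies.append("missing patches")
    if policy["firewall_required"] and not soh["firewall"]:
        deficiencies.append("host firewall disabled")
    return deficiencies


def issue_certificate(soh, now, ttl=3600, key=HRA_KEY):
    """Step 3: HRA issues a Health Certificate bound to the client and an expiry, authenticated with an HMAC."""
    body = json.dumps({"client": soh["client"], "exp": now + ttl}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_certificate(cert, now, key=HRA_KEY):
    """Step 4: a network server checks the tag in constant time and rejects expired certificates."""
    expected = hmac.new(key, cert["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["tag"]):
        return False
    return json.loads(cert["body"])["exp"] > now


def admit(soh, now=0):
    """Whole flow: healthy clients reach production, unhealthy ones go to quarantine with the list of fixes (step 5)."""
    deficiencies = evaluate(soh)
    if deficiencies:
        return {"network": "quarantine", "fix": deficiencies}
    cert = issue_certificate(soh, now)
    accepted = verify_certificate(cert, now)
    return {"network": "production" if accepted else "denied", "cert": cert}
```

Two details worth copying into a real design: the certificate carries an expiry, so a client cannot keep presenting an old approval after its posture degrades, and the verifier compares tags with `hmac.compare_digest` rather than `==`.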
Security Through Network Design Elements
Elements of a secure network design:
  Demilitarized zones
  Subnetting
  Virtual LANs
  Remote access
Demilitarized Zone (DMZ)
Demilitarized zone (DMZ) - Separate network located outside the secure network perimeter
Untrusted outside users can access servers in the DMZ (such as web and mail servers) but not the secure internal network
The most secure approach is to use two firewalls: one between the Internet and the DMZ, and a second between the DMZ and the internal network, so that a compromised DMZ host still faces a firewall before it can reach internal systems
DMZ With One Firewall (Figure 7-11)
A figure. An internal network with four computers is connected to a switch, which is connected to a proxy server, which is connected to a firewall, which is connected to the Internet router and then to the Internet. The same firewall also connects to a DMZ, which in turn is connected to a switch serving a web server and a mail server.
DMZ With Two Firewalls (Figure 7-12)
A figure. An internal network with four computers is connected to a switch, which is connected to a proxy server, which is connected to the first (inner) firewall. That firewall connects to the DMZ, which in turn is connected to a switch serving a web server and a mail server. The DMZ is also connected to a second (outer) firewall, which is connected to the Internet router and then to the Internet.
Subnetting
IP addresses are 32-bit (4-byte) addresses made up of a network address and a host address
Classful addressing - The split between the network and host portions falls on byte (octet) boundaries
Subnetting or subnet addressing - The IP address can be split anywhere within its 32 bits
Instead of just networks and hosts, the address space can be divided into three parts: network, subnet, and host
Subnets (Figure 7-13)
A figure. A computer is connected to a subnet, which is connected through a router to a second subnet, which is in turn connected through another router to a third subnet.
Subnetting Security
Each network can contain several subnets, and each subnet, connected through its own router, can contain multiple hosts
Subnets can also improve network security:
  A single network can be divided into multiple smaller subnets in order to isolate groups of hosts
  Allows network administrators to hide the internal network layout
Traffic between subnets must pass through a router, so the isolation holds only if that router (or a firewall) actually filters the inter-subnet traffic
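The subnetting slides can be worked through with the standard library's `ipaddress` module. The example below is added for this page (not the textbook's code): it splits a /24 into /26 subnets, prints the network, broadcast and usable host range of each (the network / subnet / host split in numbers), and then answers the security question the slide raises, namely whether a given pair of hosts can talk directly or must cross a router where an access list can be applied. The network and host addresses are constructed.

```python
"""Subnet arithmetic and the 'does this cross a router?' check (added example)."""
import ipaddress


def split(network, new_prefix):
    """Divide a network into equal subnets, e.g. 192.168.10.0/24 into four /26s."""
    return list(ipaddress.ip_network(network).subnets(new_prefix=new_prefix))


def describe(subnet):
    """Network, broadcast, first/last usable host, usable host count and mask for one subnet."""
    hosts = list(subnet.hosts())
    return {
        "network": str(subnet.network_address),
        "broadcast": str(subnet.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
        "mask": str(subnet.netmask),
    }


def subnet_of(ip, subnets):
    """Return the subnet containing ip, or None if it belongs to none of them."""
    addr = ipaddress.ip_address(ip)
    for s in subnets:
        if addr in s:
            return s
    return None


def crosses_router(ip_a, ip_b, subnets):
    """True when the two hosts sit in different subnets, so their traffic passes a router where an ACL can filter it."""
    return subnet_of(ip_a, subnets) != subnet_of(ip_b, subnets)


def demo():
    """Constructed layout: workstations in the first /26, servers in the last."""
    subnets = split("192.168.10.0/24", 26)
    return {
        "count": len(subnets),
        "first": describe(subnets[0]),
        "last": describe(subnets[-1]),
        "workstation_to_server": crosses_router("192.168.10.5", "192.168.10.200", subnets),
        "workstation_to_workstation": crosses_router("192.168.10.5", "192.168.10.60", subnets),
    }
```

The last two results are the point of the "Subnetting Security" slide: the workstation-to-server conversation is forced through the router and can be filtered, whereas two hosts in the same /26 reach each other at Layer 2 and no router ACL will ever see that traffic.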
Virtual LANs (VLAN)
Virtual LAN (VLAN) - Segments a network by separating devices into logical groups
A VLAN allows scattered users to be logically grouped together even though they are physically attached to different switches
Can reduce network traffic and provide a degree of security similar to subnetting
VLANs can be isolated so that sensitive data is transported only to members of the VLAN
Membership can be assigned per switch port, or frames can carry a VLAN tag between switches using a tagging protocol (IEEE 802.1Q)
Traffic between VLANs must pass through a router or Layer 3 switch, which is where access control between the groups is enforced
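To show what the "tagging protocol" actually does to a frame, here is an added example for this page (not the textbook's code, nor any switch vendor's) that inserts and parses an IEEE 802.1Q tag and models a switch with access ports and one trunk. Frames entering an access port inherit that port's VLAN, are flooded only to access ports in the same VLAN, and leave the trunk tagged; an untagged frame arriving on the trunk has no VLAN membership and is dropped. Port names, MAC addresses and VLAN numbers are constructed.

```python
"""IEEE 802.1Q VLAN tagging and VLAN-scoped forwarding (added example)."""
import struct

ETH_P_8021Q = 0x8100            # TPID that announces a VLAN tag


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Ethernet frame; with vlan_id set, a 4-byte tag (TPID + PCP/DEI/VID) is inserted after the source MAC."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", ETH_P_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


class Switch:
    """Access ports carry one untagged VLAN each; the trunk carries tagged frames to the next switch."""

    def __init__(self, access_ports, trunk_port):
        self.access_ports = access_ports     # port name -> VLAN id
        self.trunk_port = trunk_port

    def forward(self, ingress_port, frame):
        """Flood a frame only within its VLAN; return {egress port: frame as transmitted on that port}."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if ingress_port == self.trunk_port:
            if vid is None:
                return {}                    # untagged on the trunk: no membership, drop
        else:
            vid = self.access_ports[ingress_port]   # access port: VLAN decided by the port, not the sender
        out = {}
        for port, port_vid in self.access_ports.items():
            if port != ingress_port and port_vid == vid:
                out[port] = build_frame(dst, src, ethertype, payload)                 # untagged toward hosts
        if ingress_port != self.trunk_port:
            out[self.trunk_port] = build_frame(dst, src, ethertype, payload, vlan_id=vid)   # tagged toward peer switch
        return out


def demo():
    """A broadcast from a VLAN 10 port: reaches the other VLAN 10 port untagged and the trunk tagged, never VLAN 20."""
    sw = Switch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20}, trunk_port="Gi0/24")
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"ARP request")
    return {port: parse_frame(f)[2] for port, f in sw.forward("Gi0/1", frame).items()}
```

Two design choices carry the security meaning of the slide: a host on an access port cannot choose its own VLAN, because the switch ignores any tag it sends and uses the port's configured VLAN, and the only place VLAN 10 and VLAN 20 traffic can ever meet is a router or Layer 3 switch attached to both.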
Remote Workers
Working away from the office is commonplace today:
  Telecommuters
  Traveling sales representatives
  Traveling workers
Strong security for remote workers must be maintained
  Transmissions are routed through networks not managed by the organization
Remote Access
Remote access - Any combination of hardware and software that enables remote users to access the local internal network
Remote access provides remote users with the same access and functionality as local users, through a VPN or dial-up connection
The service includes support for the remote connection and logon, and then presents the same network interface as the normal network