reflection 2
Implementing Secure Network Designs
Lesson 9
1
Implement Secure Network Designs
Topic 9A
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
3.3 Given a scenario, implement secure network designs
Syllabus Objectives Covered
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Secure Network Designs
What problems arise from weaknesses in the network design/architecture?
Single points of failure
Complex dependencies
Availability over confidentiality and integrity
Lack of documentation and change control
Overdependence on perimeter security
Best practice design and architecture guides
Cisco’s SAFE Architecture
Places in the Network
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
Corporate network
Access
Email mailbox server
Mail transfer server
Segmentation
Data flows and access controls
Business Workflows and Network Architecture
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
Network Appliances
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
Images © 123rf.com.
6
Routing and Switching Protocols
Forwarding
Layer 2 forwarding
Layer 3 forwarding
Address Resolution Protocol (ARP)
Map IP addresses to MAC addresses
Internet Protocol (IP)
IPv4 and IPv6
Network prefix/subnet mask
Routing protocols
Communicate routing table updates
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
7
Network segment
Nodes can communicate at layer 2
Broadcast domain
Implementing network segments
Separate unmanaged switches
Configure virtual LANs (VLANs) on managed switches
Layer 3 subnets
Map subnets to VLANs
Network Segmentation
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
Network Topology and Zones
Physical and logical topologies
Zones represent isolated segments for hosts that have the same security requirement
Traffic between zones is subject to filtering by a firewall
Main zone types
Intranet (private)
Extranet
Internet (public)
Enterprise architecture zones
Access blocks representing host groups
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
Images © 123rf.com.
Demilitarized Zones
Demilitarized zones (DMZs) isolate hosts that are Internet-facing
Communications through the DMZ should not be allowed
Ideally use proxies to rebuild packets for forwarding
Bastion hosts
Not fully trusted by internal network
Run minimal services
Do not store local network account credentials
Using different types of DMZ for different functions
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
Demilitarized Zone Topologies
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
11
Images © 123rf.com.
Screened host
Local network screened by a single firewall
“SOHO DMZ”
SOHO router configuration option
Host configured to accept connections from the Internet
Screened Host
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
Images © 123rf.com.
12
Enabled by default configuration issues
Risks of unmanaged configurations
IPv6-specific attack vectors
Map IPv6 address space to appropriate security zones
Configure IPv6 firewall rules
Typically no need for address translation
Implications of IPv6
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
Other Secure Network Design Considerations
Data center and cloud design requirements
East-west traffic
North-south traffic enters and leaves data center
East-west traffic is between servers within the data center
Problem for security inspection and filtering
Zero trust
Do not rely on perimeter security
Continuous/context-based authentication
Microsegmentation
Single host zones
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
14
Secure Network Designs
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
Review Activity
Implement Secure Switching and Routing
Topic 9B
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
16
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.1 Given a scenario, implement secure protocols
Routing and switching only
3.3 Given a scenario, implement secure network designs
Syllabus Objectives Covered
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
Man-in-the-Middle (MitM) attacks
Threat actor can intercept and modify communications
On-path attack
Snooping
Spoofing
MAC address cloning/spoofing
Media Access Control (MAC) hardware interface address
Easy to change for a different value
Man-in-the-Middle and Layer 2 Attacks
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
ARP Poisoning and MAC Flooding Attacks
Address Resolution Protocol (ARP) poisoning
Broadcasting unsolicited ARP replies to poison the cache of local hosts with spoofed MAC address
Attacker usually tries to masquerade as default gateway
MAC flooding
Overwhelm switch memory to trigger unicast flooding
Facilitates sniffing
Screenshot used with permission from wireshark.org.
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
Loop Prevention
Spanning Tree Protocol (STP)
Broadcast storm prevention
Broadcast and flooded unicast getting amplified as it loops continually around network
Storm control if STP has failed
Bridge Protocol Data Unit (BPDU) guard
Configure switches to defeat attempts to engineer a loop
Portfast setting configured for access ports
BPDU guard disables port if STP traffic is detected
Images © 123RF.com.
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
20
Physical Port Security and MAC Filtering
Physical port security
Secure switch hardware
Physically disconnect unused ports
Disable unused ports via management interface
MAC address limiting and filtering
Configure permitted MACs
Limit number of MAC changes
DHCP snooping
Dynamic ARP inspection
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
Network Access Control
Endpoint security/defense in depth
IEEE 802.1X/port-based network access control (PNAC)
Can also enforce health policy
Posture assessment
Agent-based
Persistent versus non-persistent
Agentless
Scanning software
Device polling
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
22
Screenshot used with permission from packetfence.org.
Route Security
Sources of routing table updates
Preventing route injection
Source routing
Patch management and router appliance hardening
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
23
Secure Switching and Routing
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
24
Review Activity
Assisted Lab
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Implementing a Secure Network Design
25
Lab Activity
Implement Secure Wireless Infrastructure
Lesson 9C
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
26
26
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.4 Given a scenario, install and configure wireless security settings
Syllabus Objectives Covered
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
27
Wireless Network Installation Considerations
Ensure maximum availability from legitimate access points
Wireless access point (WAP) placement
Service set identifier (SSID) and basic service set identifier (BSSID)
Frequency bands and channels
Co-channel interference (CCI)
Adjacent channel interference (ACI)
Site surveys and heat maps
Architectural plan
Wi-Fi analyzer
Heat map plots signal strength from high (red) to low (green/blue)
Channel layout shows overlapping usage
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
28
28
Controller and Access Point Security
Configuration of multi-WAP WLANs
Hardware and software controllers
Fat versus thin WAPs
Physical security and management interfaces
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
29
Screenshot used with permission from Ubiquiti Networks.
Wi-Fi Protected Access
WPA (v1)
RC4 with Temporal Key Integrity Protocol (TKIP)
Wi-Fi protected access 2 (WPA2)
Advanced Encryption Standard (AES) replaces RC4
Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol (CCMP) replaces TKIP
Also enables enterprise authentication options
Wi-Fi protected access 3 (WPA3)
Simultaneous Authentication of Equals (SAE)
Enhanced Open
Updated cryptography
Management protection frames
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
30
Screenshot used with permission from TP-Link Technologies.
30
Wi-Fi Authentication Methods
WPA2 pre-shared key authentication
Passphrase used to generate a pairwise master key (PMK)
4-way handshake
PMK is used to derive session keys
WPA3 personal authentication
Password Authenticated Key Exchange (PAKE)
Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake
Dragonfly handshake
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
31
31
Wi-Fi Protected Setup (WPS)
Pushbutton or passcode autoconfiguration of access points and clients
Brute-force vulnerability in passcode algorithm
Access point may support lockout to mitigate
Make sure access point firmware is up-to-date
EasyConnect and Device Provisioning Protocol (DPP)
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
32
Open Authentication and Captive Portals
Use an access point without authentication (or encryption)
Secondary authentication via captive portal or splash page
Everything sent over link can be snooped
Use secure protocols for confidential data (HTTPS, Secure IMAP, FTPS)
Use a Virtual Private Network (VPN) to create a secure tunnel
Wi-Fi Enhanced Open
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
33
Enterprise/IEEE 802.1X Authentication
Extensible Authentication Protocol (EAP) over Wireless (EAPoW)
Network directory authorization via RADIUS or TACACS+
User credential is used to generate session encryption key
Screenshot used with permission from Cisco.
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
34
Extensible Authentication Protocol
Designed to provide for interoperable security devices and software
EAP-TLS
Transport Layer Security (TLS) to authenticate via device certificates/smart cards
Both server and supplicant must have certificates
Mutual authentication
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
35
PEAP, EAP-TTLS, and EAP-FAST
Secure tunneling for user credentials
Protected EAP (PEAP)
Password authentication through a TLS-protected tunnel
Server certificate only
PEAPv0 (EAP-MSCHAPv2)
PEAPv1 (EAP-GTC)
EAP with Tunneled TLS (EAP-TTLS)
Similar to PEAP but with more flexibility on inner authentication method
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
Cisco alternative to PEAP that can be set up without certificate infrastructure
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
36
RADIUS Federation
Federated identity solution
Mesh network for RADIUS servers operated by different institutions
Eduroam
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
37
Rogue Access Points and Evil Twins
Rogue access point
Troubleshooting access point misconfiguration
Disable unused devices and interfaces
Evil twin
Masquerade as legitimate AP
Use similar SSID
Capture authentication information
Wi-Fi analyzers
Screenshot used with permission from Xirrus.
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
38
Disassociation and Replay Attacks
Deauthentication attack
Attacker sends spoofed deauth packet
DoS and assists other attacks
Disassociation attack
Similar but just causes station to disassociate
Configure Management Frame Protection (MFP/802.11w)
Initialization vector (IV) attack
Generate packets to strip IV
KRACK/key reinstallation
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
39
Jamming Attacks
Environmental versus malicious interference
Jamming attacks
Denial of service
Promote evil twin
Use spectrum analyzer to locate source
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
40
Secure Wireless Infrastructure
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
41
Review Activity
Implement Load Balancers
Topic 9D
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
42
42
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.3 Given a scenario, implement secure network designs
Syllabus Objectives Covered
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
43
Distributed Denial of Service (DDoS)
Leverage bandwidth from compromised hosts/networks
Handlers form a command and control (C&C) network
Compromised hosts installed with bots that can run automated scripts
Co-ordinated by the C&C network as a botnet
Overwhelm with superior bandwidth (number of bots)
Consume resources with spoof session requests (SYN flood)
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
44
44
Amplification, Application, and OT Attacks
Distributed Reflection DoS (DRDoS)
Amplified SYN flood
Spoof victim's IP address and attempt to open connections with multiple servers
Those servers direct their SYN/ACK responses to the victim
Application attacks
Bogus DNS/NTP queries
Direct responses at victim
Queries can be constructed to generate large response packets
Operational technology (OT) networks
DoS against embedded systems
Can be more vulnerable to miscrafted packets than computing hosts
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
45
Distributed Denial of Service Attack Mitigation
Attacks use spoofed addresses, making them hard to block
Drop traffic to protect other hosts in the routing domain
Access control list (ACL)
remotely triggered blackhole (RTBH)
Sinkhole routing
Cloud DDoS mitigation services
Screenshot used with permission from Security Onion.
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
46
Load Balancing
Distributes requests across farm or pool of servers (nodes)
Layer 4 load balancer
Layer 7 load balancer (content switch)
Scheduling
Round robin
Fewest existing connections / best response time
Weighting
Heartbeat and health checks
Source IP affinity
Session persistence
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
47
Images © 123rf.com.
Clustering
Configure nodes for failover
Virtual IP
Common Address Redundancy Protocol (CARP)
Active/passive versus active/active
Application clustering
Provides stateful fault tolerance
Images © 123RF.com.
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
48
Compared to best effort and first in, first out (FIFO)
Quality of service (QoS) to prioritize traffic with certain characteristics
Bandwidth
Latency and jitter
Traffic marking
DiffServ and 802.1p
Traffic policing
Denial of service and trust boundaries for traffic marking
Ensure bandwidth for management and security monitoring traffic
Quality of Service
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
49
49
Load Balancers
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
50
Review Activity
Summary
Lesson 9
CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
51
51