reflection 2

profiletamerrabee3
sy0-601-09v1.0.pptx

Implementing Secure Network Designs

Lesson 9

1

Implement Secure Network Designs

Topic 9A

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

2

2

3.3 Given a scenario, implement secure network designs

Syllabus Objectives Covered

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

3

Secure Network Designs

What problems arise from weaknesses in the network design/architecture?

Single points of failure

Complex dependencies

Availability over confidentiality and integrity

Lack of documentation and change control

Overdependence on perimeter security

Best practice design and architecture guides

Cisco’s SAFE Architecture

Places in the Network

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

4

Corporate network

Access

Email mailbox server

Mail transfer server

Segmentation

Data flows and access controls

Business Workflows and Network Architecture

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

5

Network Appliances

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

6

Images © 123rf.com.

6

Routing and Switching Protocols

Forwarding

Layer 2 forwarding

Layer 3 forwarding

Address Resolution Protocol (ARP)

Map IP addresses to MAC addresses

Internet Protocol (IP)

IPv4 and IPv6

Network prefix/subnet mask

Routing protocols

Communicate routing table updates

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

7

7

Network segment

Nodes can communicate at layer 2

Broadcast domain

Implementing network segments

Separate unmanaged switches

Configure virtual LANs (VLANs) on managed switches

Layer 3 subnets

Map subnets to VLANs

Network Segmentation

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

8

Network Topology and Zones

Physical and logical topologies

Zones represent isolated segments for hosts that have the same security requirement

Traffic between zones is subject to filtering by a firewall

Main zone types

Intranet (private)

Extranet

Internet (public)

Enterprise architecture zones

Access blocks representing host groups

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

9

Images © 123rf.com.

Demilitarized Zones

Demilitarized zones (DMZs) isolate hosts that are Internet-facing

Communications through the DMZ should not be allowed

Ideally use proxies to rebuild packets for forwarding

Bastion hosts

Not fully trusted by internal network

Run minimal services

Do not store local network account credentials

Using different types of DMZ for different functions

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

10

Demilitarized Zone Topologies

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

11

Images © 123rf.com.

Screened host

Local network screened by a single firewall

“SOHO DMZ”

SOHO router configuration option

Host configured to accept connections from the Internet

Screened Host

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

12

Images © 123rf.com.

12

Enabled by default configuration issues

Risks of unmanaged configurations

IPv6-specific attack vectors

Map IPv6 address space to appropriate security zones

Configure IPv6 firewall rules

Typically no need for address translation

Implications of IPv6

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

13

Other Secure Network Design Considerations

Data center and cloud design requirements

East-west traffic

North-south traffic enters and leaves data center

East-west traffic is between servers within the data center

Problem for security inspection and filtering

Zero trust

Do not rely on perimeter security

Continuous/context-based authentication

Microsegmentation

Single host zones

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

14

14

Secure Network Designs

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

15

Review Activity

Implement Secure Switching and Routing

Topic 9B

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

16

16

1.4 Given a scenario, analyze potential indicators associated with network attacks

3.1 Given a scenario, implement secure protocols

Routing and switching only

3.3 Given a scenario, implement secure network designs

Syllabus Objectives Covered

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

17

Man-in-the-Middle (MitM) attacks

Threat actor can intercept and modify communications

On-path attack

Snooping

Spoofing

MAC address cloning/spoofing

Media Access Control (MAC) hardware interface address

Easy to change for a different value

Man-in-the-Middle and Layer 2 Attacks

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

18

ARP Poisoning and MAC Flooding Attacks

Address Resolution Protocol (ARP) poisoning

Broadcasting unsolicited ARP replies to poison the cache of local hosts with spoofed MAC address

Attacker usually tries to masquerade as default gateway

MAC flooding

Overwhelm switch memory to trigger unicast flooding

Facilitates sniffing

Screenshot used with permission from wireshark.org.

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

19

Loop Prevention

Spanning Tree Protocol (STP)

Broadcast storm prevention

Broadcast and flooded unicast getting amplified as it loops continually around network

Storm control if STP has failed

Bridge Protocol Data Unit (BPDU) guard

Configure switches to defeat attempts to engineer a loop

Portfast setting configured for access ports

BPDU guard disables port if STP traffic is detected

Images © 123RF.com.

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

20

20

Physical Port Security and MAC Filtering

Physical port security

Secure switch hardware

Physically disconnect unused ports

Disable unused ports via management interface

MAC address limiting and filtering

Configure permitted MACs

Limit number of MAC changes

DHCP snooping

Dynamic ARP inspection

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

21

Network Access Control

Endpoint security/defense in depth

IEEE 802.1X/port-based network access control (PNAC)

Can also enforce health policy

Posture assessment

Agent-based

Persistent versus non-persistent

Agentless

Scanning software

Device polling

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

22

Screenshot used with permission from packetfence.org.

Route Security

Sources of routing table updates

Preventing route injection

Source routing

Patch management and router appliance hardening

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

23

Secure Switching and Routing

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

24

Review Activity

Assisted Lab

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Implementing a Secure Network Design

25

Lab Activity

Implement Secure Wireless Infrastructure

Lesson 9C

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

26

26

1.4 Given a scenario, analyze potential indicators associated with network attacks

3.4 Given a scenario, install and configure wireless security settings

Syllabus Objectives Covered

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

27

Wireless Network Installation Considerations

Ensure maximum availability from legitimate access points

Wireless access point (WAP) placement

Service set identifier (SSID) and basic service set identifier (BSSID)

Frequency bands and channels

Co-channel interference (CCI)

Adjacent channel interference (ACI)

Site surveys and heat maps

Architectural plan

Wi-Fi analyzer

Heat map plots signal strength from high (red) to low (green/blue)

Channel layout shows overlapping usage

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

28

28

Controller and Access Point Security

Configuration of multi-WAP WLANs

Hardware and software controllers

Fat versus thin WAPs

Physical security and management interfaces

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

29

Screenshot used with permission from Ubiquiti Networks.

Wi-Fi Protected Access

WPA (v1)

RC4 with Temporal Key Integrity Protocol (TKIP)

Wi-Fi protected access 2 (WPA2)

Advanced Encryption Standard (AES) replaces RC4

Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol (CCMP) replaces TKIP

Also enables enterprise authentication options

Wi-Fi protected access 3 (WPA3)

Simultaneous Authentication of Equals (SAE)

Enhanced Open

Updated cryptography

Management protection frames

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

30

Screenshot used with permission from TP-Link Technologies.

30

Wi-Fi Authentication Methods

WPA2 pre-shared key authentication

Passphrase used to generate a pairwise master key (PMK)

4-way handshake

PMK is used to derive session keys

WPA3 personal authentication

Password Authenticated Key Exchange (PAKE)

Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake

Dragonfly handshake

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

31

31

Wi-Fi Protected Setup (WPS)

Pushbutton or passcode autoconfiguration of access points and clients

Brute-force vulnerability in passcode algorithm

Access point may support lockout to mitigate

Make sure access point firmware is up-to-date

EasyConnect and Device Provisioning Protocol (DPP)

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

32

Open Authentication and Captive Portals

Use an access point without authentication (or encryption)

Secondary authentication via captive portal or splash page

Everything sent over link can be snooped

Use secure protocols for confidential data (HTTPS, Secure IMAP, FTPS)

Use a Virtual Private Network (VPN) to create a secure tunnel

Wi-Fi Enhanced Open

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

33

Enterprise/IEEE 802.1X Authentication

Extensible Authentication Protocol (EAP) over Wireless (EAPoW)

Network directory authorization via RADIUS or TACACS+

User credential is used to generate session encryption key

Screenshot used with permission from Cisco.

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

34

Extensible Authentication Protocol

Designed to provide for interoperable security devices and software

EAP-TLS

Transport Layer Security (TLS) to authenticate via device certificates/smart cards

Both server and supplicant must have certificates

Mutual authentication

Screenshot used with permission from Microsoft.

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

35

PEAP, EAP-TTLS, and EAP-FAST

Secure tunneling for user credentials

Protected EAP (PEAP)

Password authentication through a TLS-protected tunnel

Server certificate only

PEAPv0 (EAP-MSCHAPv2)

PEAPv1 (EAP-GTC)

EAP with Tunneled TLS (EAP-TTLS)

Similar to PEAP but with more flexibility on inner authentication method

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

Cisco alternative to PEAP that can be set up without certificate infrastructure

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

36

RADIUS Federation

Federated identity solution

Mesh network for RADIUS servers operated by different institutions

Eduroam

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

37

Rogue Access Points and Evil Twins

Rogue access point

Troubleshooting access point misconfiguration

Disable unused devices and interfaces

Evil twin

Masquerade as legitimate AP

Use similar SSID

Capture authentication information

Wi-Fi analyzers

Screenshot used with permission from Xirrus.

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

38

Disassociation and Replay Attacks

Deauthentication attack

Attacker sends spoofed deauth packet

DoS and assists other attacks

Disassociation attack

Similar but just causes station to disassociate

Configure Management Frame Protection (MFP/802.11w)

Initialization vector (IV) attack

Generate packets to strip IV

KRACK/key reinstallation

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

39

Jamming Attacks

Environmental versus malicious interference

Jamming attacks

Denial of service

Promote evil twin

Use spectrum analyzer to locate source

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

40

Secure Wireless Infrastructure

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

41

Review Activity

Implement Load Balancers

Topic 9D

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

42

42

1.4 Given a scenario, analyze potential indicators associated with network attacks

3.3 Given a scenario, implement secure network designs

Syllabus Objectives Covered

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

43

Distributed Denial of Service (DDoS)

Leverage bandwidth from compromised hosts/networks

Handlers form a command and control (C&C) network

Compromised hosts installed with bots that can run automated scripts

Co-ordinated by the C&C network as a botnet

Overwhelm with superior bandwidth (number of bots)

Consume resources with spoof session requests (SYN flood)

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

44

44

Amplification, Application, and OT Attacks

Distributed Reflection DoS (DRDoS)

Amplified SYN flood

Spoof victim's IP address and attempt to open connections with multiple servers

Those servers direct their SYN/ACK responses to the victim

Application attacks

Bogus DNS/NTP queries

Direct responses at victim

Queries can be constructed to generate large response packets

Operational technology (OT) networks

DoS against embedded systems

Can be more vulnerable to miscrafted packets than computing hosts

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

45

Distributed Denial of Service Attack Mitigation

Attacks use spoofed addresses, making them hard to block

Drop traffic to protect other hosts in the routing domain

Access control list (ACL)

remotely triggered blackhole (RTBH)

Sinkhole routing

Cloud DDoS mitigation services

Screenshot used with permission from Security Onion.

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

46

Load Balancing

Distributes requests across farm or pool of servers (nodes)

Layer 4 load balancer

Layer 7 load balancer (content switch)

Scheduling

Round robin

Fewest existing connections / best response time

Weighting

Heartbeat and health checks

Source IP affinity

Session persistence

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

47

Images © 123rf.com.

Clustering

Configure nodes for failover

Virtual IP

Common Address Redundancy Protocol (CARP)

Active/passive versus active/active

Application clustering

Provides stateful fault tolerance

Images © 123RF.com.

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

48

Compared to best effort and first in, first out (FIFO)

Quality of service (QoS) to prioritize traffic with certain characteristics

Bandwidth

Latency and jitter

Traffic marking

DiffServ and 802.1p

Traffic policing

Denial of service and trust boundaries for traffic marking

Ensure bandwidth for management and security monitoring traffic

Quality of Service

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

49

49

Load Balancers

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

50

Review Activity

Summary

Lesson 9

CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

51

51