reflection 2

profiletamerrabee3
sy0-601-10v1.0.pptx

Implementing Network Security Appliances

Lesson 10

1

Implement Firewalls and Proxy Servers

Topic 10A

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

2

2

3.3 Given a scenario, implement secure network designs

Syllabus Objectives Covered

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

3

Packet Filtering Firewalls

Enforce a network access control list (ACL)

Act to deny (block or drop), log, or accept a packet

Inspect headers of individual packets

Source and destination IP address

Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on)

Source and destination port numbers (TCP or UDP application type)

Inbound, outbound, or both

Stateless operation

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

4

State table stores connection information

Transport layer (layer 4)

TCP handshake

New versus established and related connections

Application layer (layer 7)

Validate protocol

Match threat signatures

Application-specific filtering

Stateful Inspection Firewalls

Screenshot used with permission from Rubicon Communications, LLC

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

5

iptables

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

6

6

Firewall Implementation

Firewall appliances

Routed (layer 3)

Bridged/transparent (layer 2)

Router/firewall

Application-based firewalls

Host-based (personal)

Application firewall

Network operating system (NOS) firewall

Screenshot used with permission from Cisco.

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

7

Proxies and Gateways

Forward proxy server

Proxy opens connections with external servers on behalf of internal clients

Application-specific filters

Non-transparent and transparent proxies

User authentication

Reverse proxy server

Proxy opens connections with internal servers on behalf of external clients

Screenshot used with permission from Rubicon Communications, LLC.

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

8

Access Control Lists

Least access

Top to bottom processing order

Implicit deny

Explicit deny all

Criteria for rules (tuples)

Documenting and testing configuration

Screenshot used with permission from Rubicon Communications, LLC.

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

9

Network Address Translation

Source NAT

Static and dynamic NAT

Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT)

Destination NAT/port forwarding

Advertise a resource using a global IP address but forward it to a local IP address

Usually forward specific ports only

Screenshot used with permission from Rubicon Communications, LLC.

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

10

Hypervisor-based

Filtering built into the hypervisor or cloud service

Virtual appliance

Deployed as a virtual machine to the cloud

Multiple context

Firewall appliance running multiple instances

East-west security design and microsegmentation

Virtual Firewalls

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

11

11

Source code inspection and supply chain issues

Wholly proprietary appliance OS

UNIX or Linux kernel with proprietary features

Wholly open-source

Support arrangements and subscription features

Open-source versus Proprietary Firewalls

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

12

Firewalls and Proxy Servers

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

13

Review Activity

Assisted Lab

Configuring a Firewall

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

14

Lab Activity

Implement Network Security Monitoring

Topic 10B

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

15

15

3.3 Given a scenario, implement secure network designs

Syllabus Objectives Covered

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

16

Network-Based Intrusion Detection Systems

Intrusion detection system (IDS)

Network sensor captures traffic

Detection engine performs real-time analysis of indicators

Passive logging/alerting

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

17

Screenshot Security Onion securityonion.net

TAPs and Port Mirrors

Sensor placement

Inside firewall

In front of application servers

Managing volume of traffic/alerts

Switched port analyzer (SPAN)/mirror port

Passive test access point (TAP)

Active TAP

Aggregation TAP

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

18

Network-Based Intrusion Prevention Systems

Intrusion prevention system (IPS)

Active response to threats

Reset session

Apply firewall filters on the fly to shun traffic

Bandwidth throttling

Packet modification

Run a script or other process

Anti-virus scanning/content filtering

Inline placement—risk of failure

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

19

Signature-Based Detection

Analysis engine

Signature-based detection

Pattern matching

Database of known attack signatures

Must be updated with latest definitions /plug-ins/feeds

Many attack tools do not conform to specific signatures

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

20

Behavior and Anomaly-Based Detection

Behavioral-based detection

Train sensor with baseline normal behavior to recognize anomalous behavior

Network behavior and anomaly detection (NBAD)

Heuristics (learning from experience)

Statistical model of behavior

Machine learning assisted analysis

User and entity behavior analytics (UEBA)

Network traffic analysis (NTA)

Anomaly-based detection as irregularity in packet construction

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

21

Next-generation Firewalls and Content Filters

Next-generation firewall

Application-aware filtering, user account-based filtering, IPS, cloud inspection, …

Unified threat management (UTM)

Combining security controls into single agent and management platforms

Firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway, …

Content/URL filter

Focuses on outgoing user traffic

Content block lists and allow lists

Time-based restrictions

Secure web gateway (SWG)

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

22

Host-Based Intrusion Detection Systems

Host-based IDS

Network, log, and file system monitoring for endpoints

File integrity monitoring (FIM)

Cryptographic hash or file signature verifies integrity of files

Compare hashes manually or verify signature with publisher’s public key

Windows File Protection/sfc

Tripwire and OSSEC

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

23

Web Application Firewalls

Able to inspect code in HTTP packets

Matches suspicious code to vulnerability database

Can be implemented as software on host or as appliance

Screenshot used with permission from Microsoft.

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

24

Network Security Monitoring

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

25

Review Activity

CompTIA Lab

Configuring an Intrusion Detection System

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

26

Lab Activity

Summarize the Use of SIEM

Topic 10C

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

27

27

1.7 Summarize the techniques used in security assessments

3.3 Given a scenario, implement secure network designs

4.1 Given a scenario, use the appropriate tool to assess organizational security

Syllabus Objectives Covered

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

28

Packet capture

Sniffers and flow analysis

Traffic and protocol statistics

Packet analysis

Network monitors

Appliance state data

Heartbeat availability monitoring

Logs

System logs to diagnose availability issues

Security logs to audit access

Monitoring Services

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

29

29

Security Information and Event Management

Log collection

Agent-based

Local agent to forward logs

Listener/collector

Protocol-based remote log forwarding (syslog)

Sensor

Packet capture and traffic flow data

Log aggregation

Consolidation of multiple log formats to facilitate search/query and correlation

Normalization of fields

Time synchronization

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

30

Screenshots used with permission from AT&T Cybersecurity.

Analysis and Report Review

Correlation

Relating security data and threat intelligence

Alerting of indicators of compromise (IOC)

Basic rules versus machine learning

User and entity behavior analytics (UEBA)

Sentiment analysis

Machine interpretation of natural language

Emotion AI

Security orchestration, automation, response (SOAR)

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

31

31

cat

View contents of one or more files

head and tail

View first and last lines of file

logger

Write input to system log

File Manipulation

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

32

Regular expression syntax

Search operators, quantifiers, logic statements, and anchors/boundaries

grep

Searches file contents

Simple string matching or regex syntax

Regular Expressions and grep

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

33

grep -F 192.168.1.254 access.log

grep -r 192\.168\.1\.[\d]{1,3}

Use of SIEM

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

34

Review Activity

Summary

Lesson 10

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

35

35