reflection 2
Implementing Network Security Appliances
Lesson 10
1
Implement Firewalls and Proxy Servers
Topic 10A
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
3.3 Given a scenario, implement secure network designs
Syllabus Objectives Covered
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Packet Filtering Firewalls
Enforce a network access control list (ACL)
Act to deny (block or drop), log, or accept a packet
Inspect headers of individual packets
Source and destination IP address
Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on)
Source and destination port numbers (TCP or UDP application type)
Inbound, outbound, or both
Stateless operation
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
State table stores connection information
Transport layer (layer 4)
TCP handshake
New versus established and related connections
Application layer (layer 7)
Validate protocol
Match threat signatures
Application-specific filtering
Stateful Inspection Firewalls
Screenshot used with permission from Rubicon Communications, LLC
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
iptables
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
6
Firewall Implementation
Firewall appliances
Routed (layer 3)
Bridged/transparent (layer 2)
Router/firewall
Application-based firewalls
Host-based (personal)
Application firewall
Network operating system (NOS) firewall
Screenshot used with permission from Cisco.
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
Proxies and Gateways
Forward proxy server
Proxy opens connections with external servers on behalf of internal clients
Application-specific filters
Non-transparent and transparent proxies
User authentication
Reverse proxy server
Proxy opens connections with internal servers on behalf of external clients
Screenshot used with permission from Rubicon Communications, LLC.
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
Access Control Lists
Least access
Top to bottom processing order
Implicit deny
Explicit deny all
Criteria for rules (tuples)
Documenting and testing configuration
Screenshot used with permission from Rubicon Communications, LLC.
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
Network Address Translation
Source NAT
Static and dynamic NAT
Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT)
Destination NAT/port forwarding
Advertise a resource using a global IP address but forward it to a local IP address
Usually forward specific ports only
Screenshot used with permission from Rubicon Communications, LLC.
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
Hypervisor-based
Filtering built into the hypervisor or cloud service
Virtual appliance
Deployed as a virtual machine to the cloud
Multiple context
Firewall appliance running multiple instances
East-west security design and microsegmentation
Virtual Firewalls
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
11
11
Source code inspection and supply chain issues
Wholly proprietary appliance OS
UNIX or Linux kernel with proprietary features
Wholly open-source
Support arrangements and subscription features
Open-source versus Proprietary Firewalls
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
Firewalls and Proxy Servers
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
Review Activity
Assisted Lab
Configuring a Firewall
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
Lab Activity
Implement Network Security Monitoring
Topic 10B
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
15
3.3 Given a scenario, implement secure network designs
Syllabus Objectives Covered
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
Network-Based Intrusion Detection Systems
Intrusion detection system (IDS)
Network sensor captures traffic
Detection engine performs real-time analysis of indicators
Passive logging/alerting
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
Screenshot Security Onion securityonion.net
TAPs and Port Mirrors
Sensor placement
Inside firewall
In front of application servers
Managing volume of traffic/alerts
Switched port analyzer (SPAN)/mirror port
Passive test access point (TAP)
Active TAP
Aggregation TAP
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
Network-Based Intrusion Prevention Systems
Intrusion prevention system (IPS)
Active response to threats
Reset session
Apply firewall filters on the fly to shun traffic
Bandwidth throttling
Packet modification
Run a script or other process
Anti-virus scanning/content filtering
Inline placement—risk of failure
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
Signature-Based Detection
Analysis engine
Signature-based detection
Pattern matching
Database of known attack signatures
Must be updated with latest definitions /plug-ins/feeds
Many attack tools do not conform to specific signatures
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
Behavior and Anomaly-Based Detection
Behavioral-based detection
Train sensor with baseline normal behavior to recognize anomalous behavior
Network behavior and anomaly detection (NBAD)
Heuristics (learning from experience)
Statistical model of behavior
Machine learning assisted analysis
User and entity behavior analytics (UEBA)
Network traffic analysis (NTA)
Anomaly-based detection as irregularity in packet construction
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
Next-generation Firewalls and Content Filters
Next-generation firewall
Application-aware filtering, user account-based filtering, IPS, cloud inspection, …
Unified threat management (UTM)
Combining security controls into single agent and management platforms
Firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway, …
Content/URL filter
Focuses on outgoing user traffic
Content block lists and allow lists
Time-based restrictions
Secure web gateway (SWG)
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
22
Host-Based Intrusion Detection Systems
Host-based IDS
Network, log, and file system monitoring for endpoints
File integrity monitoring (FIM)
Cryptographic hash or file signature verifies integrity of files
Compare hashes manually or verify signature with publisher’s public key
Windows File Protection/sfc
Tripwire and OSSEC
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
23
Web Application Firewalls
Able to inspect code in HTTP packets
Matches suspicious code to vulnerability database
Can be implemented as software on host or as appliance
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
24
Network Security Monitoring
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
25
Review Activity
CompTIA Lab
Configuring an Intrusion Detection System
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
26
Lab Activity
Summarize the Use of SIEM
Topic 10C
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
27
27
1.7 Summarize the techniques used in security assessments
3.3 Given a scenario, implement secure network designs
4.1 Given a scenario, use the appropriate tool to assess organizational security
Syllabus Objectives Covered
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
28
Packet capture
Sniffers and flow analysis
Traffic and protocol statistics
Packet analysis
Network monitors
Appliance state data
Heartbeat availability monitoring
Logs
System logs to diagnose availability issues
Security logs to audit access
Monitoring Services
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
29
29
Security Information and Event Management
Log collection
Agent-based
Local agent to forward logs
Listener/collector
Protocol-based remote log forwarding (syslog)
Sensor
Packet capture and traffic flow data
Log aggregation
Consolidation of multiple log formats to facilitate search/query and correlation
Normalization of fields
Time synchronization
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
30
Screenshots used with permission from AT&T Cybersecurity.
Analysis and Report Review
Correlation
Relating security data and threat intelligence
Alerting of indicators of compromise (IOC)
Basic rules versus machine learning
User and entity behavior analytics (UEBA)
Sentiment analysis
Machine interpretation of natural language
Emotion AI
Security orchestration, automation, response (SOAR)
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
31
31
cat
View contents of one or more files
head and tail
View first and last lines of file
logger
Write input to system log
File Manipulation
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
32
Regular expression syntax
Search operators, quantifiers, logic statements, and anchors/boundaries
grep
Searches file contents
Simple string matching or regex syntax
Regular Expressions and grep
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
33
grep -F 192.168.1.254 access.log
grep -r 192\.168\.1\.[\d]{1,3}
Use of SIEM
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
34
Review Activity
Summary
Lesson 10
CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
35
35