CompTIA Security+: Network Security

Guides

Module 6:

Network security is at the forefront of modern cybersecurity. In an interconnected world, understanding the principles and practices of securing your network is vital. In this post, we’ll explore the critical aspects of network security, its importance, and its role in the CompTIA Security+ certification.

Implementing Network Security

Configure Network Security Technologies
Secure Network Design Elements
Implement Secure Networking Protocols and Services
Secure Wireless Traffic

Network Components

Component	Description
Device	Any piece of hardware such as a computer, server, printer, or smartphone.
Media	Connects devices to the network and carries data between devices.
Network adapter	Hardware that translates data between the network and a device.
Network operating system	Software that controls network traffic and access to network resources.
Protocol	Software that controls network communications using a set of rules.

Network Devices

Router
Switch
Proxy
Firewall
Load Balancer

Routers

A Routers is a device that connects multiple networks and network devices, that use the same protocol.

Can determine most efficient path for network traffic to take.
Most routers will not forward broadcast traffic.

An Access Control List (ACL) is a list of rules for blocking or allowing traffic.

Router can filter network traffic through ACLs and block unwanted traffic.
Example: Filter out inbound traffic from external router using private IP range.

Switches

A Switch is a device with multiple network ports that combines multiple physical network segments into a single logical network.

Creates dedicated connections involving only two hosts in a transmission.
Sends individual packets to specific destination host based on their physical addresses.
Some switches can perform routing functions.

Security protections provided by switches:

Can limit access to specific ports based on MAC address.
Can implement flood guards to protect against DoS attacks.
Can implement loop prevention to shut down network loops.

Proxies

Proxies act on behalf of one end of a network connection when communicating with the other end of the connection.

Used as a way to filter content.
Forward proxies intercept client traffic before it leaves the internal network.
Proxies can modify traffic or just forward it. Reverse proxies intercept traffic coming from an external network.
Intended to protect destination servers from compromise.
Some proxies are multi-purpose and have application-level awareness.

Firewalls

Hardware-based Firewalls are devices that protects a system or network by blocking unwanted traffic.

Software-based Firewalls are programs that protect a system or network by blocking unwanted traffic.

Implicit deny is a firewall mode in which all traffic one way is blocked unless explicitly allowed.

Predefined rule sets determine what traffic to block.
Connection information can be saved to a log for monitoring purposes.

Types of firewalls:

Host-based
Network-based
Web application

Load Balancer

A Load Balancer is a device that distributes workload among multiple devices in a network.

All devices can perform more efficiently.
Individual devices are protected against DDoS.

Scheduling: How the load balancer determines where to route traffic to.

Round robin: A scheduling approach in which the load balancer forwards traffic to each server on a list one-by-one.

Affinity: A scheduling approach in which the load balancer forwards traffic to a server a client is already connected to.

Network Scanners and Analysis Tools

Network Tool	Description
Packet analyzer	Monitors wireless or wired network communications. Captures traffic data. Can be used to gather information by examining packet contents.
Protocol analyzer	Uses data captured by packet analyzer. Identifies protocols and applications used by traffic. Can reveal malicious traffic using specific vectors.
Network enumerator	Identifies logical topology of a network to reveal connection pathways. Provides high-level overview of network architecture.

Intrusion Detection System (IDS)

A system that scans, evaluates, and monitors computer infrastructure for signs of an attack in progress.

Can also analyze data and alert security admins to issues.

Can include Hardware sensors, Intrusion detection software, Management software.

Each implementation is unique and depends on organizations security needs.

Network IDS

A type of IDS that primarily uses passive hardware sensors to monitor traffic on a network segment.

Can sniff traffic and send alerts.

Uses:

Rogue system detection.
Reconnaissance identification.
Attack pattern identification.

Intrusion Prevention Systems (IPS)

A system that performs the functions of an IDS but that can also take action to block threats.

Configure the threats that should be handled automatically.
Passive response still implemented for other incidents.

Useful, but with some pitfalls:

False positives may lead to the blocking of legitimate behavior.
False negatives may lull you into a false sense of security.
A well-managed and finely tuned IPS is still a powerful defense option.

Network IPS (NIPS)

A type of IPS that can detect suspicious traffic on the network and move to block it.

Blocking involves dropping unwanted packets or resetting the connection.
NIPS can regulate traffic according to specific content.
Differs from a stateless firewall, which only blocks based on IP addresses and ports.

Types of Network Monitoring Systems

Monitoring System	Description
Signature-based	Uses predefined set of rules to identify unacceptable events. Events have specific and known characteristics.
Anomaly-based	Uses a definition of expected patterns to events. Identifies events that dont follow these patterns. Requires a pre-configured baseline of acceptable events.
Behavior-based	Identifies how an entity acts and reviews future behavior against this. Detects if future behavior deviates from the norm. Records patterns in reaction to entity being monitored.
Heuristic	Identifies how an entity acts in a specific environment. May conclude that an entity is a threat to the environment.

Security Information and Event Management

A security solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

Provides expanded insights into IDS/IPS.
Can be implemented as software, hardware, or cloud services.
Typically pulls security data from logs of all types of networked systems.
Aggregation ensures all relevant logs are included for a holistic picture.
Correlation ensures that related events are placed in proper context.

Additional features:

Automated alerting.
Time synchronization.
Event deduplication.
Write once read many (WORM).

Data Loss/Leak Prevention (DLP)

A solution that detects and prevents sensitive info from being stolen or falling into the wrong hands.

Monitors data to stop unauthorized destruction, movement, or copying.

Network-based example:

DLP can detect confidential files sent over email and block the transmission.

Host-based example:

DLP can block USB port entirely or block certain files from being written to USB drives.
Prevents user from copying sensitive data to USB drive and leaving the premises.
Can be implemented in software, hardware, or using the cloud.

Virtual Private Networks (VPN)

A method of extending a private network by tunneling through a public network like the Internet.

Provides secure connections between endpoints.
Encapsulates and encrypts data through the tunnel.
VPN protocols provide tunneling and encryption services.

VPN Concentrators

A single device that incorporates advanced encryption and authentication methods to handle a large number of VPN tunnels.

Can accommodate remote access or site-to-site.
May have always-on capabilities.

Common tunneling protocols:

The IPSec protocol gives site-to-site access.
The SSL/TLS protocols gives remote access.

Security Gateways

Ensure that controls are applied to inbound and outbound network traffic.
Several different controls can be applied.

Mail gateway:

Spam filters reject incoming email messages with known spam contents.
DLP solutions prevent data from leaking outside the network.
Encryption ensures confidentiality and integrity of data as it leaves the network.
Security controls can apply to more than just email traffic.
Encryption and DLP can help keep voice and intellectual property traffic secure.

Unified Threat Management

A system that centralizes various security techniques into a single appliance.

Usually include a single console from which to administrate defenses.
Created in response to cost and complexity issues of discrete systems.
Can streamline security process and make management of defenses easier.

Downsides:

Creates a single point of failure in the network.
Can struggle with network latency issues.

Guidelines for Configuring Network Security Technologies

Familiarize yourself with common network devices and their security concerns.
Implement network scanning technology.
Implement network intrusion detection systems.
Be aware of the risks in intrusion prevention technology.
Consider incorporating SIEMs for network event aggregation and correlation.
Consider implementing DLP solutions.
Implement VPN technology to authenticate and encrypt traffic.
Consider using a VPN concentrator in more complex environments.
Consider always-on functionality for VPN clients.
Incorporate security gateways to control inbound and outbound traffic.
Consider using a UTM to streamline device management.
Be aware of the risks involved in UTM.

Network Access Control (NAC)

The collected protocols, policies, and hardware that govern access on device interconnections.

Provides a layer of security to scan for conformance to policy.
NACs use health checks to verify minimum security is met.

Agent vs. agentless:

Agent software installed on devices.
Permanent vs. dissolvable.
Agentless uses network scanning without agent software.

Deployed based on three main elements:

Authentication method.
Endpoint vulnerability assessment.
Network security enforcement.

Demilitarized Zone

A section of a private network made available for public access.

Network Isolation

Network Isolation/segregation: The practice of keeping networks separate from one another.

Air gap: The isolation practice of physically separating a network from all other networks.

Segmentation/subnetting: Isolating a network by dividing it into multiple subnets.

Attackers cannot easily move from segment to segment.
Limits the amount and scope of damage attackers can do.
Segmentation can be achieved through several means, including physically.

Virtual Local Area Networks (VLAN)

A logical method of segmenting a network at the data link layer (Layer2)
Similar to subnets, but subnets are layer3
VLANs enable grouping of network hosts not on the same physical switch.
Also enable multiple VLANs to exist on the same physical switch.
If network configuration changes, the physical cabling and devices dont need to.
Made possible through virtualization.
VLANs can be configured with one or more subnets.

Network Security Device Placement

Device	Recommended Placement
Aggregation switches	Combines multiple ports into a single link for redundancy and bandwidth. Typically placed between access switches and core networking segments.
Firewalls	Typically placed at network perimeter. In a DMZ, a second firewall may sit between the DMZ and the private network.
Proxies and filters	Usually placed close to network perimeter. Firewall products often include proxy and filtering functionality.
Load balancers	Placed in DMZ before web servers to handle excess traffic. Can also be placed outside DMZ and before dependent servers.
Taps and Sensors/Monitors	Tap copies network traffic to a sensor or monitor (e.g, an IDS). Placing taps at perimeter can be very noisy. More valuable to place them within the private network for traffic monitoring.
Collectors and Correlation Engines	Placed outside DMZ and in private network to pull log data from hosts. Not directly exposed to the Internet.
VPN concentrators	Often placed behind perimeter firewall in a DMZ. Can also be placed alongside perimeter firewall.

Network Address Translation (NAT)

A service that translates between different IP addressing schemes, such as between public-facing and private IP addresses.

Offers simple security by concealing internal addresses from the Internet.
Packets sent by router to the Internet appear to come from the public address.

Software-Defined Networking (SDN)

A network design approach that separates network control systems from traffic forwarding systems.

Admins can directly program control systems by themselves.
They can more easily manage the flow and logistics of the network.
SDN also provides greater security insight through a centralized view of the network.

Guidelines for Securing Network Design Elements

Consider implementing a NAC solution.
Implement a DMZ to separate public-facing resources from internal resources.
Make one firewall external-facing and another internal-facing for a DMZ.
Design the network with isolation in mind.
Air gap networks that shouldnt communicate with the larger network.
Create subnets in order to segment hosts with a common purpose.
Implement VLANs to streamline the management of network segments.
Identify the most effective physical and logical placement of all security devices.
Implement NAT to conceal internal IPv4 addresses from external networks.
Consider implementing SDN to improve the network management process.

The Open Systems Interconnection Model (OSI)

Application Layer 7: Enables client interactions with software.

Presentation Layer 6: Transforms data into formats that can be understood by software.

Session Layer 5: Controls persistent connections between devices.

Transport Layer 4: Control’s reliability of data transmissions between nodes.

Network Layer 3: Provides protocols for transferring data to nodes with unique addresses.

Data Link Layer 2: Provides links between two directly connected nodes.

Physical Layer 1: Defines connections between devices and physical media.

OSI Model and Security

Understanding layers makes it easier to identify threats and targets.
Can also help you secure your network by layers.
If layer 1 fails, then the rest will likely fail.
If an attack succeeds at layer 7, the bottom layers will be unable to stop it.

Internet Protocol Suite (TCP/IP)

The native protocol suite of the Internet, of which TCP and IP were the original protocols.

TCP/IP	Description
IPv4	32-bit numbers assigned to computers on TCP/IP network Some bits represent the network segment, others represent the node. Four 8-bit octets: 10101100.00010000.11110000.00000001 Converted to decimal: 172.16.240.1
IPv6	128-bit address space. Additional features beyond IPv4, like simplified headers. Eight groups of four hexadecimal digits. Leading zeros omitted. Groups of consecutive zeros replaced with two colons. Not compatible with IPv4, not as widely adopted.
DHCP	Automatically assigns IP addressing info to network hosts. Most hosts obtain addressing from central DHCP server or router.

Domain Name System (DNS)

The primary name resolution service of the Internet and private IP networks.

A hierarchical system of databases that map computer names to IP addresses.
DNS servers store, maintain, and update databases.
Respond to client requests to translate human-intelligible names to IP addresses.
Work together to provide global name resolution for all Internet hosts.

Hypertext Transfer Protocol (HTTP)

The TCP/IP protocol that enables clients to connect to and interact with websites.

Responsible for transferring data on web pages between systems.
Defines how messages are formatted and transmitted.
Defines what actions web servers and browsers can take in response to commands.

HTTP Secure (HTTPS)

A secure version of HTTP that supports encrypted communications between a browser and server.

Uses SSL/TLS to encrypt data.
Virtually all web browsers and server software support HTTPS.
Web addresses with SSL/TLS enabled begin with https://

Secure Sockets Layer/Transport Layer Security (SSL/TLS)

SSL/TLS: Security protocols combining digital certificates for authentication with public key encryption.

Protect TCP/IP communications from eavesdropping and tampering.
Server-driven process that works with all current browsers.

SSL/TLS accelerator: Hardware device that can offload encryption calculations from a server.

Server can perform primary duties more efficiently with accelerator.
Accelerators can be plugged into any server that requires it.

Secure Shell

A protocol used in secure remote access and secure transfer of data.

Consists of a client and server.
Implements terminal emulation software for remote login sessions.
Entire session is encrypted.
Preferred protocol for use with FTP.
Used on Unix/Linux, requires third party software on Windows.

Simple Network Management Protocol (SNMP)

SNMP is a service used to collect information from network devices for diagnostic and maintenance purposes.

Two components: management system and agents.
Agents are installed on network devices and send info to management systems.
Management systems can notify admins or take corrective actions.
SNMPv3 adds encryption support.

Real-Time Transport Protocol (RTP)

The Real-Time Transport Protocol provides audio and video streaming media over a TCP/IP network.

Used in services like VoIP, web conferencing, content delivery, etc.
Uses UDP to carry media itself with low overhead.
Used in conjunction with RTCP to provide Qos.

Secure Real-Time Transport Protocol (SRTP)

The Secure Real-Time Transport Protocol adds encryption services to RTP to uphold authenticity and integrity of streaming media.

Internet Control Message Protocol (ICMP)

ICMP is an IP network service that reports on connections between two hosts. It’s used for simple functions like ping to check a target host for a response.

Attacks using ICMP:
Flood system with Smurf Attack
Reconfigure routing tables with forged packets.

Internet Protocol Security (IPSEC)

IPSEC is a set of open standards used to secure data as it traverses a network.

Uses different protocols to provide security services.
Operates at network layer (Layer3)

Authentication Header (AH): An IPSec protocol that provides authentication, integrity and anti-replay protection.

Encapsulating Security Payload (ESP): An IPSec protocol that provides the same functionality as AH with additional encryption for confidentiality.

Supported by windows, Linux etc.
Implemented differently with each operating system and device.

Network Basic Input/Output System

A service that enables applications to properly communicate over different computers in a network.

Three basic functions:

Communication over sessions.
Connectionless communications using datagrams.
Name registration.

Attackers can glean reconnaissance info from NetBIOS.

To harden NetBIOS:

Implement strong password policies.
Limit root access on network.
Disable null sessions.

File Transfer Protocols

Protocol	Description
FTP	Enables transfer of files between client and remote host.
SFTP	Unsecured file transfer protocol now considered obsolete.
TFTP	Limited protocol used for configuring boot files between machines and firmware updates for routers and switches. Offers little security
FTP over SSH/Secure FTP	FTP that uses an SSH tunnel for encryption. Primarily used on Windows systems.
SCP	Uses SSH to transfer files between remote hosts. Primarily used on Linux/Unix systems.
FTPS/FTP-SSL	Combines FTP with SSL/TLS encryption.

Email Protocols

Post Office Protocol (POP): An older protocol used in email transmissions.

Internet Message Access Protocol (IMAP): A more recent email protocol that improves upon POPs shortcomings.

Neither POP nor IMAP have native encryption.
Secure POP/IMAP extensions enable SSL/TLS encryption.

Multipurpose Internet Mail Extensions (MIME): An email message formatting standard.

Secure/Multipurpose Internet Mail Extensions (SMIME): An encryption standard that adds digital signatures using public key encryption to MIME.

S/MIME upholds confidentiality, integrity, authentication, and non-repudiation.

Additional Networking Protocols and Services

Protocol/Service	Description
Telephony	Provides voice and video communications over a distance. Most common TCP/IP telephony protocol is VolP.
Routing and switching	Defines language these devices use to communicate. RIPv2 adds authentication to RIP. IGRP and EIGRP are Ciscos improvements to RIPv2. STP is used by switches to prevent network loops.
Time synchronization	Ensures software is coordinated and events are accurate. Most prominent is NTP, which sync systems to UTC. Can sync to public time servers or custom on-premises time servers.
Subscription	Enables publisher to send messages through a channel clients are subscribed to. Publisher has no knowledge of recipients. Most popular is RSS, enabling users to subscribe to website feeds. User can keep track of content published to all feeds they are subscribed to.

Ports and Port Ranges

Ports are the endpoint of a logical network connection.

Client computers connect to server programs through a designated port.
All ports assigned are between the numbers 0 and 65535.

IANA separates these numbers into three blocks:

Well-known (O to 1023).
Assigned to widely used and core services.
Attackers often target these.

Registered (1024 to 49151)

Available to services requesting registration.
Attackers may scan for open ports.

Dynamic (49152 to 65535)

Assigned by operating systems to client software as needed.
Attackers may scan for open ports.

Some services and their corresponding port numbers to remember:

Port	Service
21	FTP
22	SSH
53	DNS
80	HTTP
443	HTTPS
990	FTPS
993	Secure iMAP
995	Secure POP
3389	RDP

Wireless Networks

Networks that do not rely entirely on physical cabling.
Data is transmitted through invisible radio waves.
Signals can cover large distances and pass through physical objects.
Propagation of wireless signals raises unique security concerns.

Advantages:

Portability
Reducing cost on cabling.
Using less physical space.

Wireless Antenna Types

Omni-directional antennas cover wider area but have less gain.
Directional antennas cover limited area but have more gain.

Gain: The reliable connection range and power of a signal measured in decibels.

Antenna Category	Antenna Type	Description
Omni-directional	Rubber Duck	Small antenna sealed in a rubber jacket. Ideal for mobility.
Omni-directional	Ceiling dome	Covers rooms in a building.
Directional	Yagi	Used primarily in radio. Used to extend range of wireless hotspots.
Directional	Parabolic	Very precise with a significant amount of gain. Difficult to establish connection with.
Directional	Backfire	Small version of a parabolic dish. Efficiently target an area for wireless coverage.
Directional	Cantenna	Homemade antenna for discovering wireless signals. Involves placing a metal can over an existing antenna.

802.11 Protocols

802.11 is a collection of wireless LAN communication protocols.

802.11 Protocol	Description
802.11a	At the time, fast, secure but quite expensive. Speeds up to 54Mbps at 5GHz Limited range of 60feet
802.11b	First specification to be called Wi-Fi Speeds up to 11Mbps at 2.4GHz Range of up to 1,000feet in an open space
802.11g	Speeds of up to 54Mbps at 2.4GHz Compatible with 802.11b
802.11n	Speeds of up to 600Mbps at 2.4GHz or 5GHz
802.11ac	Adds wider 5GHz channels Speeds of up to 1300Mbps

Wireless Cryptographic Protocols

Protocol	Descritption
WEP	Provides encryption using RC4 algorithm. Deprecated due to weak initialization vector (IV).
WPA	Addresses some of WEPs shortcomings. Provides dynamic reassignment of keys. Uses TKIP to fix key length issues of WEP.
WPA2	Improves on WPA to implement all mandatory components of 802.11i. Adds CCMP to improve on TKIP.

Wireless Authentication Protocols

Protocol	Description
EAP	A framework enabling client-server authentication. Provides a variety of authentication methods: EAP-TLS EAP-TTLS LEAP EAP-FAST
IEEE 802.1x	A standard for encapsulating EAP communications over a LAN. Adapted to work with wireless LANS. Provides port-based authentication.
PEAP	An open standard developed by Cisco, Microsoft, and RSA. Encapsulates EAP communications over SSL/TLS tunnel. Similar to EAP-TTLS, but supports less authentication protocols.
RADIUS federation	RADIUS is a network authentication protocol. Federation implies a shared level of trust among disparate networks. 802.1X is often used with RADIUS for port-based authentication.

VPNs and Open Wireless

Open wireless networks are a major risk.
Attackers can compromise communications.

If forced to use open wireless, tunnel through with a VPN.

Can encrypt data even when using an insecure wireless hotspot.
Must use a strong tunneling protocol like IPSec.

Wireless Client Authentication Methods

WPA/2-Personal:

Also called WPA/2-PSK.
Relies on pre-shared key (PSK) generated from a passphrase.
All clients use the same passphrase.
Attacker can glean this passphrase and use it to authenticate.

WPA/2-Enterprise:

Requires client to authenticate with a RADIUS server (802.1x).
Helps mitigate against guess/brute force of PSK.
Ideal for larger corporate networks.

WPS:

Simplifies client authentication.
Client can enter a PIN associated with an access point.
Also, can press a button on the access point to connect with client and authenticate.
PIN method is vulnerable and should be avoided.

Wireless Access Point Security Methods

Security Method	Description
MAC filtering	Disabling SSID broadcast Description Blacklisting or whitelisting of devices with certain MAC addresses. Can prevent unwanted devices from authenticating with the network Not a sufficient security method -MAC addresses are easily spoofed.
Disabling SSID Broadcast	APs broadcast identifiers for users to recognize a wireless network. Can disable SSID broadcast so user must enter SSID manually. Not a sufficient security method-scanners can reveal networks.
Signal Configuration	Adjusting signal strength can contain the range of a network. Prevents war driving attacks by reducing signal range. 2.4 GHz band has larger range. 5 GHz has more bandwidth but smaller range.
Deciding between fat vs. thin APS	Thin APs offload some tasks to centralized devices. Thin APs useful for 802.1X authentication to RADIUS server. Fat APs take on most tasks themselves. Fat APs may reduce complexity.

Captive Portals

A technique requiring a client connecting to a wireless network to authenticate through a web page.

Clients packets are intercepted until client completes the portals steps.
Typically used in public Wi-Fi hotspots to get users to agree to an AUP.
Can also authenticate users through login credentials.

Site Surveys

The collection of information on a location for the purpose of constructing something in the best possible way.

Wireless network site surveys determine how best to position hardware devices.
Ensures networks and users have quality coverage and bandwidth.
Also ensures network is conforming to security practices.
Use RF signal tools to model proposed wireless environments.

Guidelines for Securing Wireless Traffic

Choose wireless antenna types that best suit your infrastructure needs.
Select an 802.11x protocol that meets your bandwidth and signal range needs.
Configure your Wi-Fi networks with WPA2 encryption.
Consider the different wireless authentication protocols.
Use a VPN when connecting to an open Wi-Fi network.
Consider using WPA2-Enterprise in a large corporate environment
Avoid using the PIN feature of WPS.
Dont rely solely on MAC filtering and disabling SSID broadcasts.
Select the appropriate frequency band and configure the signal strength as needed.
Consider using thin APs in a controller-based architecture.
Implement a captive portal requiring login credentials.
Conduct a site survey to determine optimal device placement.

Network security is a foundational component of a robust cybersecurity strategy. By understanding the principles and practices discussed in this post, you can better protect your organization’s data and communication. Whether you’re preparing for the CompTIA Security+ certification or aiming to enhance your network security expertise, this guide offers valuable insights.

You can find all of our CompTIA Sec+ guides here: CompTIA Sec+

We also have guides for the CompTIA A+ here: CompTIA A+

Recommendation:

Basic Security Testing with Kali Linux: https://amzn.to/3S0t7Vq

4 thoughts on “CompTIA Security+: Network Security”

Kay says:

October 30, 2023 at 3:40 am

I want to thank you for your assistance with this post. It’s been great.

Elza says:

October 23, 2023 at 11:45 pm

You helped me a lot with this post. I love the subject and I hope you continue to write excellent articles like this.

Schoen says:

October 17, 2023 at 10:43 am

Great content! Super high-quality! Keep it up!

1. Admin_techNerd says:
  
  October 17, 2023 at 12:47 pm
  
  Thank you!