CompTIA CASP+ CAS-004 – Chapter 02 – Network and Security Components and Architecture Part 2
- Wireless Controller
The next device is the wireless controller. Wireless controllers are centralized appliances, or possibly software packages, used to monitor, manage and control multiple wireless access points. They provide a number of security features that aren’t possible with independent APs. When you have multiple access points each operating by itself, you don’t get these capabilities. They can include interference detection and avoidance.
That is achieved by adjusting channel assignment and radio frequency power in real time. Load balancing spreads clients across the available access points for better coverage and potentially a higher data rate. Coverage gap detection raises the power of neighbouring APs to cover holes that appear in real time. Wireless LAN controllers also support forms of authentication such as 802.1X, Protected EAP (PEAP), Lightweight EAP (LEAP), EAP-TLS and others, which give them a higher level of security. (LEAP is listed because you still meet it in the field; it has well-known weaknesses and should not be chosen for new deployments.) In the past, wireless access points always operated as standalone devices.
Now most enterprises are moving toward wireless controllers that centrally manage multiple APs, because they provide a number of benefits over independent APs. They are certainly more costly and more complex to configure, but seamless roaming, central control of the access points and centralized authentication are among the reasons wireless controllers are so heavily used.
- Routers and Switches
While not particularly related to security, it’s important that we understand these concepts. This is one of those assumed things: you have some level of knowledge about routers and switches, so we’re not going to spend a lot of time on them. Switches operate at layer 2. There are also layer 3 switches;
that just means they can also function as a router. At layer 2 you have the MAC address, and any filtering that happens at layer 2 is based on that MAC address, the physical address associated with the network card. So a standard switch can provide filtering and segmentation, but it does so based on layer 2 addresses. Keep in mind that MAC addresses are trivially spoofed, so MAC-based filtering is a hygiene control, not a strong one. An additional level of segmentation is possible through the virtual LAN, or VLAN. Enterprise-level switches have a default VLAN, but they also have the ability to create multiple VLANs in order to isolate traffic and achieve security.
A switch can be a managed switch, which means it can require authentication using 802.1X. It can integrate with network access control at that point, so users, or rather computers, have to identify themselves and have their health evaluated before they can obtain an IP address by connecting to a port on the switch. Routers, on the other hand, are layer 3 devices. Routers are responsible for routing, or forwarding, layer 3 traffic from one segment to another. They use what’s called a routing table, which identifies the routes a particular router is aware of, as well as a default route for packets whose destination it is not aware of. Routers can also apply access control lists on their interfaces to control traffic flow. An ACL is not the same thing as a firewall, but it is technically a very simplistic, stateless firewall based on source and destination IP addresses, protocol and port numbers.
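Here is what an interface ACL actually does, as an added example (not code from the course): rules are evaluated top-down, the first match wins, and anything that matches nothing falls to the implicit deny at the end. The networks, the rule set and the test packets are constructed for the example. It also includes a check for shadowed rules, because rule order is where real ACLs go wrong: the "permit any to DMZ" at the bottom quietly lets user-VLAN SSH into the DMZ, which the rules above it never intended.

```python
"""Stateless router ACL evaluation.

Added example for this section, not code from the course. Rules are checked
top-down, first match wins, and anything unmatched hits the implicit deny at
the end, as on Cisco-style extended ACLs. Networks and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp", or "ip" for any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if protocol, both addresses and (if set) the port agree."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching rule); -1 means the implicit deny fired."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed topology for the example.
NET = ipaddress.ip_network
USER_VLAN = NET("10.10.0.0/16")
MGMT = NET("10.99.0.0/24")
DMZ = NET("192.0.2.0/24")
ANY = NET("0.0.0.0/0")

# Intended policy: users may reach the DMZ web tier and resolver, never the
# management network; other sources may reach the DMZ freely.
ACL = [
    Rule("permit", "tcp", USER_VLAN, DMZ, 443),
    Rule("permit", "udp", USER_VLAN, NET("192.0.2.53/32"), 53),
    Rule("deny", "ip", USER_VLAN, MGMT),
    Rule("permit", "ip", ANY, DMZ),
]

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "10.10.5.7", "192.0.2.10", 443),   # web to DMZ: permit, rule 0
        Packet("tcp", "10.10.5.7", "10.99.0.5", 22),      # SSH to mgmt: deny, rule 2
        Packet("tcp", "10.10.5.7", "192.0.2.10", 22),     # SSH to DMZ: permit, rule 3 (!)
        Packet("tcp", "10.10.5.7", "172.16.0.1", 80),     # elsewhere: implicit deny
    ):
        print(pkt, "->", evaluate(ACL, pkt))
    print("shadowed rules:", shadowed_rules(ACL))
```

Note what the ACL cannot do: it has no connection table, so return traffic for a permitted session is not automatically allowed; on a real router you either permit it explicitly on the other interface or use a stateful firewall instead.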
- Proxy Servers
We mentioned the proxy firewall. We also have proxy servers. Proxy servers can be appliances, or they might be software installed on a server operating system. They act like a proxy firewall, but the difference is that they are not necessarily their own independent security device. In most cases, they are what allows internal systems to access the internet.
They provide additional security by masking the IP address of the internal system, reaching out to the internet on its behalf. And they provide various levels of additional functionality, controlling access to the internet in various ways, such as setting up times of day when certain classifications of websites, like social media, are available, or completely disallowing other categories such as gambling or fantasy sports websites.
That can be global, or it can be based on user groups, or on time of day. You have a lot of different levels of control there. The other main thing they do is web caching. When a proxy server is configured for web caching, it keeps in its cache a copy of the cacheable web content that has been delivered to an internal computer. The benefit is that if another user requests the same page, the proxy server has a local copy and doesn’t need to spend the time and bandwidth retrieving it from the internet. That greatly improves web performance for frequently requested pages. The caveat is that a shared cache has to respect responses marked private or no-store, otherwise one user’s personalized page can be served to another.
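The two proxy functions just described, policy and caching, in one small model, as an added example that is not code from the course. The category database, the policy, the user groups, the clock (seconds since midnight of a constructed day) and the simulated origin pages are all constructed. The cache part is where the security point sits: it stores only shareable GET responses, so a private page fetched for one user is never handed to the next.

```python
"""Forwarding proxy: category/time-of-day policy plus a shared web cache.
Added example, not code from the course. Categories, policy, groups, the
clock (seconds since midnight) and the origin pages are all constructed.
"""
from typing import Dict, Optional, Tuple

CATEGORIES = {"social.example": "social", "bets.example": "gambling",
              "news.example": "news", "intranet.example": "business"}
# category -> ("block", None) or ("window", (start_hour, end_hour))
POLICY = {"gambling": ("block", None), "social": ("window", (12, 13))}
GROUP_EXCEPTIONS = {"marketing": {"social"}}      # groups exempt from a category rule


def hour_of(now: float) -> int:
    return int(now // 3600) % 24


def classify(host: str) -> str:
    for suffix, category in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "uncategorized"


def policy_decision(host: str, groups: set, now: float) -> Tuple[str, str]:
    """(decision, reason) for a user in `groups` requesting `host` at time `now`."""
    category = classify(host)
    if any(category in GROUP_EXCEPTIONS.get(g, set()) for g in groups):
        return "allow", f"{category}: group exception"
    rule = POLICY.get(category)
    if rule is None:
        return "allow", f"{category}: no rule"
    action, window = rule
    if action == "block":
        return "block", f"{category}: always blocked"
    if window[0] <= hour_of(now) < window[1]:
        return "allow", f"{category}: inside window"
    return "block", f"{category}: outside window"


def max_age(resp_headers: Dict[str, str]) -> int:
    for token in resp_headers.get("Cache-Control", "").lower().split(","):
        token = token.strip()
        if token.startswith("max-age="):
            return int(token[len("max-age="):])
    return 0


def cacheable(method: str, req_headers: Dict[str, str], resp_headers: Dict[str, str]) -> bool:
    """Only shareable responses may be stored; getting this wrong leaks one user's page to another."""
    if method != "GET":
        return False
    if any(k.lower() == "authorization" for k in req_headers):
        return False                                  # credentialed request
    cc = resp_headers.get("Cache-Control", "").lower()
    if "no-store" in cc or "private" in cc:
        return False                                  # personalised or sensitive page
    return max_age(resp_headers) > 0


class WebCache:
    def __init__(self):
        self.entries: Dict[str, Tuple[float, str]] = {}   # url -> (expiry, body)

    def lookup(self, url: str, now: float) -> Optional[str]:
        entry = self.entries.get(url)
        if entry and now < entry[0]:
            return entry[1]
        self.entries.pop(url, None)                   # absent or expired
        return None

    def store(self, url: str, body: str, resp_headers: Dict[str, str], now: float) -> None:
        self.entries[url] = (now + max_age(resp_headers), body)


class Origin:
    """Stand-in for the internet; counts how often it is really contacted."""
    PAGES = {"http://news.example/top": ({"Cache-Control": "public, max-age=300"}, "headlines"),
             "http://intranet.example/me": ({"Cache-Control": "private, no-store"}, "my payslip")}

    def __init__(self):
        self.hits = 0

    def fetch(self, url: str) -> Tuple[Dict[str, str], str]:
        self.hits += 1
        return self.PAGES.get(url, ({"Cache-Control": "no-store"}, "generic page"))


def proxy_request(cache: WebCache, origin: Origin, url: str, groups: set, now: float,
                  method: str = "GET", req_headers: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Policy first, then cache, then origin; returns (how served, body or reason)."""
    host = url.split("/")[2]
    decision, reason = policy_decision(host, groups, now)
    if decision == "block":
        return "blocked", reason
    cached = cache.lookup(url, now)
    if cached is not None:
        return "cache-hit", cached
    resp_headers, body = origin.fetch(url)
    if cacheable(method, req_headers or {}, resp_headers):
        cache.store(url, body, resp_headers, now)
    return "origin", body
```

Run two requests for the public news page and the origin is contacted once; run two for the private intranet page and it is contacted twice, which is the behaviour you want from a shared cache.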
- Topic B: Application and Protocol Level Security
In this next topic, we’re going to look at application and protocol level security. These types of technologies maintain current information about applications as well as the protocols used to connect to them. They are intelligent technologies in that they use this information to try to optimize the functioning of the protocol, and therefore of the application. So in this topic, we’re going to look at some of these technologies.
- Web Application Firewalls
The first of these technologies is the web application firewall, or WAF. A WAF applies rule sets to an HTTP conversation to cover the common attack types to which these sessions are susceptible. Among the common attacks they can address are cross-site scripting, SQL injection and so on. Technically, the web application firewall can be implemented as an appliance or as a server plug-in. And while all the traffic is usually funneled inline through the device, some solutions monitor a mirrored port and operate out of band.
There are advantages and disadvantages to each. Inline can prevent live attacks, but it can slow down web traffic and may generate false positives that block legitimate traffic. Out of band is a little less intrusive.
It doesn’t interfere with traffic, but it isn’t able to block a live attack; it can only alert on it. Those are, briefly, the advantages and disadvantages. There are also some operational issues with web application firewalls. They make the IT infrastructure more complex. Because they are application-specific, tuning can be intrusive: the rules have to be retrained or retuned with each new release of the web application. Testing procedures may change with each release. False positives can occur frequently. Troubleshooting is more complex. They are not the end-all, be-all, but definitely a device you should be familiar with.
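The inline-versus-monitor trade-off and the false-positive problem are easiest to see in code, so here is a minimal WAF core, an added example that is not code from the course or any vendor. The rule set, the weights, the threshold and the sample requests are constructed; a real WAF uses far larger rule sets (the OWASP Core Rule Set, for instance) but the same anomaly-scoring idea, where a single weak indicator passes and a clear attack, or several indicators together, crosses the threshold. The normalization step matters: the WAF must decode what the application will decode, or a double-encoded payload walks straight past it.

```python
"""Rule-based web application firewall core with inline and out-of-band modes.

Added example for this section, not code from the course. The rule set,
weights, threshold and sample requests are constructed.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# (rule id, pattern, weight). Weights let one weak indicator pass while a
# clear attack, or several indicators together, cross the threshold.
RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b"), 5),
    ("xss-event-handler", re.compile(r"<[^>]*\bon\w+\s*="), 5),
    ("sqli-tautology", re.compile(r"['\"]\s*or\s+\S+\s*=\s*\S+"), 5),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b"), 5),
    ("sqli-comment", re.compile(r"--|/\*"), 2),
]
THRESHOLD = 5


def normalize(value: str) -> str:
    """Percent-decode until stable (bounded) and lowercase, so the WAF inspects
    what the application will see, including double-encoded input."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def fields_of(request: Dict) -> List[Tuple[str, str]]:
    """Split a request into the places attacker-controlled data can hide."""
    parts = urlsplit(request["target"])
    fields = [("path", parts.path)]
    fields += [(f"arg:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [(f"hdr:{k}", v) for k, v in request.get("headers", {}).items()]
    if request.get("body"):
        fields += [(f"body:{k}", v) for k, v in parse_qsl(request["body"], keep_blank_values=True)]
    return fields


def inspect(request: Dict, mode: str = "inline") -> Dict:
    """Score a request; inline mode blocks over threshold, monitor mode only alerts."""
    score, hits = 0, []
    for where, raw in fields_of(request):
        value = normalize(raw)
        for rule_id, pattern, weight in RULES:
            if pattern.search(value):
                score += weight
                hits.append((rule_id, where))
    if score < THRESHOLD:
        action = "pass"
    else:
        action = "block" if mode == "inline" else "alert"
    return {"action": action, "score": score, "hits": hits}


# Constructed sample traffic.
SQLI = {"method": "GET", "target": "/search?q=%27+OR+1%3D1--"}
DOUBLE_ENCODED_XSS = {"method": "GET", "target": "/p?x=%253Cscript%253Ealert(1)%253C/script%253E"}
BENIGN = {"method": "GET", "target": "/search?q=price--sale"}
POST_XSS = {"method": "POST", "target": "/comment", "body": "text=%3Cimg+onerror%3Dalert(1)+src%3Dx%3E"}

if __name__ == "__main__":
    for name, req in [("sqli", SQLI), ("double-encoded xss", DOUBLE_ENCODED_XSS),
                      ("benign", BENIGN), ("post xss", POST_XSS)]:
        print(name, inspect(req), "monitor ->", inspect(req, mode="monitor")["action"])
```

The benign request trips the comment rule ("price--sale") but scores below the threshold and passes; lower the threshold to 2 and you have exactly the false positive the text warns about, which is why production deployments usually start in monitor mode and tune before going inline.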
- Hardware Security Modules
Another device is the hardware security module, or HSM. This is an appliance that safeguards and manages the digital keys used with strong authentication, and it provides cryptoprocessing, meaning the cryptographic operations themselves run inside the module.
Typically, HSMs attach directly to a computer or server, or sit on the network, and provide a number of functions: onboard secure cryptographic key generation, key storage and management, protection of cryptographic and other sensitive key material, and offloading of cryptographic operations from application servers. They give us both asymmetric and symmetric cryptography. They can be used in a number of scenarios. Typically, they’re used in a public key infrastructure environment to generate, store and manage key pairs. They can also be used in card payment systems to encrypt PINs and load keys into protected memory.
They can be used to perform the cryptographic processing for applications that use SSL/TLS. And they can also be used with the Domain Name System Security Extensions, or DNSSEC, which is a secure form of DNS that protects the integrity of the data found in zone files.
So the HSM would be used to store the keys that sign the zone file; the private key never leaves the module, which is the whole point. There are some drawbacks, of course. They are fairly costly and difficult to upgrade and manage, and the quality of the onboard random number generator varies between products, so look for validation against a standard such as FIPS 140 before trusting it. There is also a microSD HSM, which is simply an HSM that connects to the microSD slot of a device that has one, so it is supported primarily by mobile devices like Android phones.
- Vulnerability Scanners
The next type of application is the vulnerability scanner. Technically these come in both passive and active forms. They are tools or utilities used to look at the network, probe it, and try to reveal weaknesses in security. A passive vulnerability scanner, or PVS, monitors traffic at the packet layer to determine the topology of the network, the services in use and their vulnerabilities. It avoids the instability that active scanning can introduce to a system. Active scanners differ from passive ones.
Passive scanners can only gather information from traffic they happen to see. Active scanners send probes to the targets, and they can also be used to simulate an attack to assess readiness. They work by examining the responses to those probes, which means they generate network traffic and can disrupt fragile systems. Then you have the database activity monitor, or DAM. This is an application that monitors transactions and the activity of database services.
So they can be used to monitor for unauthorized access and fraudulent activity, and also for compliance auditing. A number of different implementations exist, and they gather information at different levels.
There are a few different architectures for DAM. Interception-based watches the communications between the client and the server. Memory-based uses a sensor attached to the database server that continually polls the database’s memory and collects the SQL statements as they are issued. And the log-based model looks at the logs, analyzing and extracting information from the transaction logs. So they are useful tools.
They do have some limitations. In some cases they can only capture traffic on its way to the database. Other solutions do a poor job of tracking the responses to SQL queries. And they are complex: as the number and complexity of policies increases, performance declines.
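A log-based DAM in miniature, as an added example that is not code from the course: it parses audit-log lines, pulls out who ran what against which tables, and applies a handful of policies (a human reading a sensitive table, activity outside business hours, a service account issuing DDL or GRANT, a bulk read with no WHERE clause). The log format, the sensitive-table list, the service-account names and the log lines are constructed. Note the limitation the text mentions: this sees only the statements going in, never the rows coming back, so it can flag a bulk read but cannot tell you how much data actually left.

```python
"""Log-based database activity monitoring over audit-log lines.

Added example for this section, not code from the course. The log format,
the sensitive-table list, the service-account names and the lines below are
constructed; a real DAM reads the DBMS audit log or transaction log.
"""
import re
from datetime import datetime
from typing import Dict, List

SENSITIVE_TABLES = {"customers", "card_tokens", "salaries"}
SERVICE_ACCOUNTS = {"app_orders", "etl_nightly"}
BUSINESS_HOURS = (8, 18)             # local hours during which humans are expected

# Constructed audit line format: "<ISO timestamp> user=<u> db=<d> stmt=<sql>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.+)$")


def parse(line: str) -> Dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["stmt"] = rec["stmt"].strip()
    return rec


def tables_in(stmt: str) -> set:
    """Crude table extraction: the name following FROM/JOIN/INTO/UPDATE/TABLE."""
    found = re.findall(r"\b(?:from|join|into|update|table)\s+([A-Za-z_][\w.]*)", stmt, re.I)
    return {t.lower() for t in found}


def evaluate(rec: Dict) -> List[str]:
    """Apply the monitoring policies to one statement; return the alert names raised."""
    alerts = []
    stmt, user, ts = rec["stmt"], rec["user"], rec["ts"]
    verb = stmt.split(None, 1)[0].upper()
    sensitive = tables_in(stmt) & SENSITIVE_TABLES
    human = user not in SERVICE_ACCOUNTS
    if sensitive and human:
        alerts.append("human-access-to-sensitive-table")
    if human and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        alerts.append("human-activity-outside-hours")
    if verb in {"DROP", "ALTER", "TRUNCATE", "GRANT"} and not human:
        alerts.append("ddl-or-grant-by-service-account")
    if verb == "SELECT" and sensitive and not re.search(r"\bwhere\b", stmt, re.I):
        alerts.append("bulk-read-of-sensitive-table")   # statement seen; result size is not
    return alerts


def monitor(lines: List[str]) -> List[Dict]:
    """One finding per line that raised at least one alert."""
    findings = []
    for line in lines:
        rec = parse(line)
        alerts = evaluate(rec)
        if alerts:
            findings.append({"user": rec["user"], "stmt": rec["stmt"], "alerts": alerts})
    return findings


# Constructed audit log.
AUDIT_LOG = [
    "2024-03-04T10:15:02 user=app_orders db=shop stmt=SELECT id,status FROM orders WHERE customer_id=42",
    "2024-03-04T10:16:40 user=jsmith db=shop stmt=SELECT * FROM card_tokens",
    "2024-03-04T02:05:11 user=jsmith db=shop stmt=UPDATE salaries SET amount=amount*2 WHERE emp_id=7",
    "2024-03-04T11:00:00 user=etl_nightly db=shop stmt=GRANT ALL ON customers TO jsmith",
    "2024-03-04T11:30:00 user=dba_anna db=shop stmt=SELECT count(*) FROM orders",
]

if __name__ == "__main__":
    for finding in monitor(AUDIT_LOG):
        print(finding)
```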
- Topic C: Advanced Network Design
In this next topic, we’re going to be looking at advanced network design. Changes in network design and in the approaches to securing the network infrastructure come very fast, and it’s easy to fall behind, easy to hang on to outdated approaches. But new technologies and new design principles aren’t going away; they keep coming. So in this section we want to look at some of the most recent advances and their costs and benefits.
- Virtual Private Networks
A virtual private network isn’t really a recent advance, but it is listed under that section in the objectives. Today most organizations don’t have all their workers gathered together in the same controlled environment. That’s fading into the past. Workers are increasingly working from other locations, from home or from distant remote offices.
So having a secure remote access solution is critical. The original form of this was, of course, the dial-up connection, but that has pretty much gone by the wayside. Now we use virtual private networks, or VPNs. A VPN is the primary means today of providing a trusted connection on top of an untrusted carrier network. VPN operation uses encapsulation and, optionally, encryption to maintain the confidentiality of transmitted data; without the encryption, the tunnel provides transport but no confidentiality at all.
The untrusted network, of course, is the Internet, and you’re trying to communicate from a client to a corporate network over it. Encapsulation essentially packages up the LAN protocols along with the remote access, authentication and encryption protocols, bundling all of that into a package that is then encrypted between the two endpoints, the remote access client and the VPN server. When you think of encapsulation, I assume it’s not the first time you’ve heard the term, but think about packages: I take the package I want to send to somebody, and I put it inside another package that I can affix a label to. It’s the same kind of thing with VPNs, although obviously we’re doing other things as well. There are two major kinds of VPNs: remote access and site-to-site.
A remote access VPN is when an individual connects to a VPN server. If the VPN server terminates multiple VPN connections, it is technically a VPN concentrator, and those usually support the most advanced encryption and authentication techniques. With a remote access VPN, the tunnel starts at the user’s computer and ends at the VPN concentrator, so only traffic traveling between that computer and the concentrator uses the tunnel.
And the system has to have a client installed on it. A site-to-site VPN securely connects two physical locations, so the tunnel endpoints are two VPN routers or firewalls. The individual clients don’t need a VPN client; they don’t even need to know the VPN exists. This has become a popular and inexpensive way of creating wide area networks.
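The package-inside-a-package idea, made concrete as an added example that is not code from the course: an inner packet carrying private addresses is placed as the payload of an outer packet whose addresses are the two tunnel endpoints, with an HMAC so the receiving end can reject forged or tampered frames. The header layout, the addresses, the key and the payload are all constructed, and encryption is deliberately left out because the Python standard library has no AES; this therefore models an L2TP-style unencrypted tunnel with integrity added, and the `carrier_view` function shows exactly why that is not enough on its own. A real VPN (IPsec ESP, TLS) also encrypts the inner packet.

```python
"""Tunnel encapsulation with integrity protection, standard library only.

Added example for this section, not code from the course. Header layout,
addresses, key and payload are constructed. Encryption is omitted (no AES in
the stdlib), so this models an unencrypted L2TP-style tunnel plus an HMAC;
a real VPN also encrypts the inner packet.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict

MAGIC = b"TUN1"
HDR = struct.Struct("!4s4s4sH")       # magic, outer src, outer dst, inner length
TAG_LEN = 32                          # HMAC-SHA256


def pack_inner(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed inner 'packet': 4-byte src, 4-byte dst, payload."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def unpack_inner(data: bytes) -> Dict:
    return {"src": str(ipaddress.IPv4Address(data[:4])),
            "dst": str(ipaddress.IPv4Address(data[4:8])),
            "payload": data[8:]}


def encapsulate(inner: bytes, outer_src: str, outer_dst: str, key: bytes) -> bytes:
    """Wrap the inner packet: outer header + inner bytes + tag over both."""
    header = HDR.pack(MAGIC, ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed, len(inner))
    tag = hmac.new(key, header + inner, hashlib.sha256).digest()
    return header + inner + tag


def decapsulate(frame: bytes, key: bytes) -> bytes:
    """Verify the tag before trusting anything else; raise ValueError on failure."""
    if len(frame) < HDR.size + TAG_LEN:
        raise ValueError("frame too short")
    header, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: tampered frame or wrong key")
    magic, _, _, length = HDR.unpack(header)
    if magic != MAGIC or length != len(body):
        raise ValueError("malformed header")
    return body


def rejects(frame: bytes, key: bytes) -> bool:
    """True if the VPN endpoint would drop this frame."""
    try:
        decapsulate(frame, key)
        return False
    except ValueError:
        return True


def carrier_view(frame: bytes) -> Dict:
    """What the untrusted network sees: the tunnel endpoints and an opaque length.
    Without encryption the inner bytes are readable too, which is the point."""
    _, src, dst, length = HDR.unpack(frame[:HDR.size])
    return {"outer_src": str(ipaddress.IPv4Address(src)),
            "outer_dst": str(ipaddress.IPv4Address(dst)),
            "inner_len": length,
            "inner_visible": frame[HDR.size:HDR.size + length]}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    inner = pack_inner("10.8.0.5", "10.0.1.20", b"GET /payroll HTTP/1.1")
    frame = encapsulate(inner, "203.0.113.9", "198.51.100.2", key)
    print(carrier_view(frame))
    print(unpack_inner(decapsulate(frame, key)))
```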
- VPN Protocols
Several different VPN protocols have been used. These are the top four; a couple of them are older. The first is the Point-to-Point Tunneling Protocol, or PPTP. It’s a Microsoft-based protocol built on the Point-to-Point Protocol (PPP). It uses the built-in Microsoft Point-to-Point Encryption (MPPE) and supports a number of authentication methods, from CHAP to MS-CHAP to EAP-TLS. It only works over IP networks.
So if the WAN connection is not IP-based, it can’t function, though that is increasingly unlikely today. More importantly, PPTP is not secure at this point: MS-CHAPv2 and MPPE have been practically broken, so it should not be deployed. The Layer 2 Tunneling Protocol, L2TP, was a newer protocol. It operates at layer 2 of the OSI model, as the name implies. It can also use various authentication mechanisms and can support non-IP networks.
But L2TP does not provide any encryption itself, so typically you see it deployed as L2TP/IPsec. IP Security, IPsec, is a suite of protocols that provides very strong encryption mechanisms. The next protocol is SSTP, or more generally an SSL/TLS-style VPN. That’s another option for creating secure connections; it works at the application layer of the OSI model.
SSL/TLS is used mainly to protect HTTP traffic to web servers. Its functionality is part of every browser, so typically it doesn’t require any action on the part of the user. There are two types of these: the SSL portal VPN and the SSL tunnel VPN. We’ll go into those a little more in just a minute. The last one, IKEv2 or Internet Key Exchange version 2, is technically an IPsec-only VPN in the Windows operating system; it’s supported in Windows 7 and later.