CompTIA CASP+ CAS-004 – Chapter 02 – Network and Security Components and Architecture Part 4
- Network Flow
- Topic E: Secure Baselines of Networking and Security Components
In this next topic we’re going to be looking at secure baselines of networking and security components. In order to take advantage of all the security features on the various devices we’ve talked about, we have to have the proper configuration of those devices and proper management of those configurations. That requires a consistent change process and some method of restricting administrative access to these devices. We’re going to look at those issues in this topic.
- Securing Device Configurations
It’s important to be able to take advantage of all the security features on these devices. But we have to understand that these devices come with standard default configurations, and those default configurations are not inherently secure. So we have to take the steps to make sure the initial configuration is secure, and then have a change process and a method for when we need to modify those configurations.
- Access Control Lists (ACLs)
Access control lists, or ACLs, are rule sets that can be implemented on a number of network devices to control access to interfaces and allow or deny traffic. We see ACLs on firewalls, on routers, and on switches, and essentially an ACL just defines what can flow through a particular interface. Depending on the vendor and the type of device, you’re going to have a couple of different management interfaces. Many devices have a web-based interface where you can configure ACLs, and you get more advanced configuration options if you use the device’s command-line interface.
- ACL Rule Sets
So firewalls use rule sets to do their job. You can create rule sets, as we said, at the command line or in a GUI. But what’s really important here is to understand the logic the device uses to process the rules, and a few things matter. The order of the rules is very important: the list is evaluated from the top down, and if traffic matches a rule, the action that rule specifies is applied. The device does not go on to check whether other rules further down would also apply. On a lot of devices there’s an implied deny rule at the very end, which means that if traffic gets all the way to the end without matching anything, it is denied. Everything is denied unless a rule explicitly allowed it.
It is possible as well to log traffic that matches any of the rules. When we’re creating these rule sets, we need to think of the type of traffic (the protocol), the source of the traffic, the destination of the traffic, and then the action to take. Here’s an example of creating an access list in Cisco IOS; the list is defined first and is then applied to an interface in a later step. "access-list" is the command and 101 is the list number (numbered extended ACLs use 100 through 199).
"deny" is the action and "tcp" is the transport-layer protocol. This is a host-to-host rule, written with the "host" keyword on each side: the source is the 192.168 host spoken in the lecture as "five one", and the destination is the 10.x host spoken as "ten six". The rule ends with "eq www", which is Cisco’s way of saying TCP port 80. So the rule says: do not allow traffic from that source host to that destination host on TCP port 80, that is, web traffic. That’s one example. Routers are usually configured this way at the command line, but with many other devices you’ll have the option to create these rule sets in a web interface.
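As an added example (this is not code from the course or from Cisco), here is a small Python evaluator for Cisco IOS-style extended ACL lines. It shows the three behaviours described above: top-down first-match processing, the implicit deny at the end of the list, and logging of hits. The list number, the addresses (192.168.5.1, the 192.168.5.0 subnet with wildcard 0.0.0.255, and 10.0.0.6) and the two rules are constructed for this example; the lecture does not give its addresses in full, so they are assumptions.

```python
"""Added example: first-match evaluation of a Cisco IOS-style extended ACL.
Not code from the CASP+ course; the addresses and rules below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords accepted after 'eq'; 'www' means TCP port 80.
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]          # None means any destination port
    log: bool = False


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard mask is the bitwise inverse of a subnet mask (1 = don't care).
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    action, proto, rest = t[2], t[3], t[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    port = None
    if rest and rest[0] == "eq":
        rest.pop(0)
        p = rest.pop(0)
        port = int(p) if p.isdigit() else PORT_NAMES[p]
    return Rule(action, proto, src, dst, port, log=bool(rest and rest[0] == "log"))


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None,
             log_lines: Optional[List[str]] = None) -> Tuple[str, Optional[int]]:
    """Walk the list top-down. The first matching rule decides and nothing below it
    is consulted; if no rule matches, the implicit 'deny ip any any' at the end applies.
    Returns (action, 1-based rule number), or (\"deny\", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.log and log_lines is not None:   # the 'log' keyword: record the hit
            log_lines.append(f"{r.action} {proto} {src_ip} -> {dst_ip}:{dst_port} by rule {n}")
        return r.action, n
    return "deny", None


# Constructed access list: block one host's web traffic, permit the rest of its subnet.
ACL_101 = [parse_rule(l) for l in """
access-list 101 deny tcp host 192.168.5.1 host 10.0.0.6 eq www log
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.0.0.6 eq www
""".strip().splitlines()]

if __name__ == "__main__":
    hits: List[str] = []
    print(evaluate(ACL_101, "tcp", "192.168.5.1", "10.0.0.6", 80, hits))  # ('deny', 1)
    print(evaluate(ACL_101, "tcp", "192.168.5.2", "10.0.0.6", 80))        # ('permit', 2)
    print(evaluate(ACL_101, "tcp", "192.168.5.2", "10.0.0.6", 443))       # ('deny', None): implicit deny
    # Same two rules in the opposite order: the broad permit now shadows the host deny.
    print(evaluate(ACL_101[::-1], "tcp", "192.168.5.1", "10.0.0.6", 80))  # ('permit', 1)
    print(hits)
```

The reversed-list call is the check a practitioner wants: putting the broad permit above the specific deny silently disables the deny, which is why specific rules go first and why a change to rule order should go through the same change process as any other configuration change.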
- Change Monitoring
Every network is going to evolve, grow and change over time, and companies and their processes are going to change as well. That’s a good thing, but change can be a problem if it’s not managed in a structured way. We need to maintain a common sense of purpose about these changes, and if we follow the steps of a formal process, we can prevent change from becoming unwieldy. So a change control policy should follow certain guidelines. Changes should require a formal request. Every request should then be analyzed to make sure it supports the goals and policies of the organization.
The costs and effects of the proposed method of implementation should be reviewed before the change is finally approved. Once it’s approved, we develop the change steps. During implementation we should do incremental testing, and we should have a rollback or fallback strategy in case it’s needed. Then we complete the documentation and submit a formal report about the change to management. Now, is this for every single change? Not necessarily. But changes implemented on the network are definitely on this list, and anything related to security should be on this list. Essentially, the higher the level of impact, the more formal the process we need to follow.
- Configuration Lockdown
Configuration lockdown is also known as system lockdown. It’s a setting that can be implemented on various devices like servers, routers, switches, firewalls, and virtual hosts or hypervisors. You set it on the device after the device is correctly configured, and what it does is prevent any further changes to the configuration, so it definitely helps to support change control. This even applies to users who would otherwise have the right to configure the device. Before you do this you need to make sure everything’s working right: fully test the functionality of all the services and applications that should be functioning before implementing this setting, because once it’s set it will not allow anybody to change the configuration. It’s a unique setting, but a very important one.
- Availability Controls
We’ve mentioned before that security operations seem to focus attention mainly on the C and the I of the CIA triad, confidentiality and the integrity of data. But the availability of data is also an important goal. We need to make sure the data is available, and in order to do this, even as security professionals, we have to design and maintain processes and systems that maintain the availability of the resource despite hardware failures, software failures and network failures. We put availability controls in place to ensure that resources are available for use; they have to be not only secure but also available. It doesn’t really matter if it’s secure if nobody can access it. You’re going to use a number of different measures to achieve this, but redundancy is one of the main words you’re going to hear. In many cases it’s redundant hardware, because the failure of physical components like a hard drive, an entire server, a network card or a switch can interrupt access to resources.
So for any single point of failure we identify and want to protect, we can add redundant hardware components. That not only gives you fault tolerance, because the failure of one component would not affect the system or the network as a whole, but it can also give you load balancing and faster access to those systems. Sometimes your redundant hardware is hot swappable, like a hard disk drive. A hard disk drive may be hot swappable, and it may even be a hot spare, where the drive is already inserted into a RAID array and is only used when one of the other drives fails.
Hot swappable just means you can remove it and add a replacement without powering down the system. Fault tolerant technologies is a general term: fault tolerance is the ability to tolerate a fault in hardware or software. Fault tolerant technologies always use redundancy, and not only at the hardware level; it could be at the application level, the service level, the protocol level, and so on.
These use disk arrays, redundant hardware, duplicate servers set up with clustering technologies, virtual machines that can be automatically moved from one virtual host to another, and so on. There are a number of metrics used to measure and control availability. Those include service level agreements. An SLA is the agreement about the ability of the support organization to respond to problems within a particular time frame while providing an agreed-upon level of service. SLAs can be internal, between departments, or external, with a service provider, and we’ve mentioned those before.
Also mean time between failures and mean time to repair. Mean time between failures (MTBF) is a value published by a vendor that describes the average amount of time between failures during normal operation. Mean time to repair (MTTR) is the average amount of time it takes to get the device fixed and back online. Both are typically components within an SLA.
- Disk Availability
One of the most common methods of providing availability, and one of the oldest, is RAID: redundant array of independent disks (sometimes written as inexpensive disks; it doesn’t matter, it’s the same thing). It’s a fault tolerant disk technology that’s been available for many years, and it comes in many different types depending on the redundancy required and the performance necessary. You should realize right out of the gate that there is hardware RAID and software RAID. Software RAID is implemented by the operating system, whereas hardware RAID requires a separate disk controller, either embedded on the motherboard or inserted in an expansion slot, which handles all of the generation of the redundant information. As a general rule, hardware RAID is going to be much faster than software RAID and typically provides more functionality. You don’t see a whole lot of software RAID out there in the real world.
So what are some of the types? RAID 0 is disk striping. Disk striping spreads a single logical volume across multiple physical drives, writing small chunks of data, usually 64 KB in size, to each disk in turn. As a file is written, it’s split into multiple parts and those parts are spread across multiple disks. RAID 0 improves performance by overlapping disk operations, but it has no redundancy at all: zero redundancy, so it provides no fault tolerance. We typically don’t use it unless we’re dealing with non-critical data where very high performance is required, and even then there are usually other ways to get that performance.
RAID 1 is referred to as disk mirroring. It uses two disks and copies the data from one disk to the other, so it can sustain the failure of a single drive.
There were RAID 3 and RAID 4; those aren’t really used anymore. RAID 5 is disk striping with parity. It requires at least three drives; disk mirroring and disk striping only required two. It uses disk striping, but it also adds parity. Parity is information written alongside the data that can be used to rebuild the data from a failed disk. So when data is written to disk one of a three-disk array, parity information for that data is written to disk two.
When data is written to disk two, the parity information for that data might be written to disk three; the parity is spread across all the drives. So RAID 5 can sustain the failure of a single drive: as long as you still have the other drives, you can use the data and parity information across them to rebuild the data from the failed drive. If you lose more than one drive, you have to restore from backup. RAID 5 is very commonly used. RAID 10 is disk striping with mirrored arrays.
It combines RAID 1 and RAID 0. It requires a minimum of four disks, two mirrored pairs that are striped together, and many implementations have more. Basically you take mirrored pairs of disks (RAID 1) and stripe data across those pairs (RAID 0), so every stripe is mirrored. It provides a very high level of fault tolerance and high performance, and both drives of the same mirrored pair would have to fail at the same time before you would ever need to restore from backup. There are others: there’s RAID 50, and there’s RAID 6, which has double parity. As we mentioned, RAID 2, 3 and 4 really aren’t used anymore. So there are others out there, but these four are the most common and the ones you should be familiar with.
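As an added example (not code from the course), the following Python simulation shows what RAID 5 parity actually is and how a single failed disk is rebuilt from the survivors. Parity is just the XOR of the data chunks in a stripe, so XORing the surviving chunks of each stripe gives back the missing one. The chunk size, the three-disk layout and the sample data are constructed for the example; real controllers use chunks around 64 KB.

```python
"""Added example: RAID 5 striping with distributed XOR parity and the rebuild of
a single failed disk. Not code from the CASP+ course; the data is constructed."""
from typing import List, Optional

CHUNK = 4  # bytes per stripe unit here; real controllers use e.g. 64 KB


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length chunks together; this is all RAID parity is."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


def write_raid5(data: bytes, ndisks: int) -> List[List[bytes]]:
    """Stripe data across ndisks (>= 3). Each stripe holds ndisks-1 data chunks plus
    one parity chunk; the parity position rotates so no single disk is 'the parity
    disk' (a fixed parity disk is RAID 4). Returns one chunk list per disk."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = CHUNK * (ndisks - 1)
    data = data + b"\x00" * ((-len(data)) % per_stripe)   # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * CHUNK:(i + 1) * CHUNK] for i in range(ndisks - 1)]
        parity_disk = (ndisks - 1 - s) % ndisks
        parity = xor_blocks(chunks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def fail_disk(disks: List[Optional[List[bytes]]], n: int) -> List[Optional[List[bytes]]]:
    """Simulate losing disk n: its contents become None."""
    return [None if i == n else d for i, d in enumerate(disks)]


def rebuild(disks: List[Optional[List[bytes]]]) -> List[List[bytes]]:
    """Reconstruct the one missing disk from the survivors: the XOR of the other
    chunks in each stripe gives the lost chunk, whether it held data or parity."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise RuntimeError(f"{len(missing)} disks missing; RAID 5 tolerates exactly one, "
                           "restore from backup")
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    out = list(disks)
    out[missing[0]] = rebuilt
    return out


def read_raid5(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the logical volume by skipping each stripe's parity chunk."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    data = b"CASP+ CAS-004 RAID five parity demo"   # constructed sample data
    array = write_raid5(data, 3)
    degraded = fail_disk(array, 1)                   # one drive dies
    print(read_raid5(rebuild(degraded), len(data)) == data)   # True
    try:
        rebuild(fail_disk(degraded, 2))              # second failure: parity cannot help
    except RuntimeError as e:
        print(e)
```

The second-failure branch is the operational caveat from the text: while one disk is missing, the array is running without any redundancy, so the rebuild (or the hot spare) matters precisely because a second loss before it completes means a restore from backup.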
- Key Availability Terms
Some other key terms related to availability and fault tolerance are listed here. Failover is the capacity of a system to switch over to a backup system when a failure occurs. This is typically used in relation to clustering technologies.
Fail-soft is the capability of a system to terminate noncritical processes when a failure occurs and then fail over. Clustering is a software technology that provides load balancing of services. With clustering you have clients connecting to an instance of a particular application that could be hosted on one or more nodes within the cluster.
Load balancing is a term that means we’re transferring the performance load of an application or of traffic across multiple systems, and there are different mechanisms you can use to determine how the load is balanced. A single point of failure (SPOF) is what we’re trying to avoid when we’re planning for high availability.
We look at the system and identify any single points of failure. At each single point of failure there’s a potential to not achieve the availability aspect of the CIA triad. It doesn’t mean you’re going to mitigate every one of them, but every single point of failure is a potential weak spot, so to speak, in your security plan.