CompTIA CASP+ CAS-004 – Chapter 02 – Network and Security Components and Architecture Part 5
- Topic F: Advanced Configuration of Network Devices
In this topic, we’re going to be looking at the advanced configuration of network devices. Devices like routers, switches and some other network devices will often require additional configuration in order to secure them and the systems behind them.
- Additional Configurations
When you’re configuring layer 3 devices like routers, layer 2 devices like switches, possibly wireless access points and other network devices, there are some specific advanced configurations that are required in order to adequately secure the systems those devices support. So in the next few sections we’re going to talk about some of these: transport security; trunking security for switches carrying VLANs; how we can configure these devices to protect against common attacks like switch spoofing and VLAN hopping; port security on managed switches and wireless access points; MAC filtering, again on managed switches and wireless access points; and the configuration of security zones.
- Transport Security
Encryption protocols like Secure Sockets Layer (SSL, now deprecated) and Transport Layer Security (TLS) protect application layer protocols like HTTP, but they don’t protect the information in the transport layer or network layer headers, because they sit above those layers. Transport security, as the term is used here, is about protecting packets at those layers, and it is protocols like IPsec, the suite of protocols we spoke of earlier, that can and should be used to provide it. If you remember, we said that IPsec is a collection or suite of protocols, much like TCP/IP, and that each protocol provides particular services.
So the Authentication Header (AH) and the integrity check value carried in ESP give us origin authentication and integrity verification (computed with keyed hashes such as HMAC), ESP encryption gives us confidentiality, and IKE handles key exchange and the negotiation of security associations. We don’t need to go into all of that again. But if you recall, one of the unique things about IPsec is that it is application agnostic, if you will: it doesn’t care about the applications, and the applications don’t have to support it, because it is implemented entirely at the network layer.
So we’re mentioning transport security here because these routers may need to be configured as endpoints of an IPsec site-to-site VPN in tunnel mode, or even for transport mode between two hosts. The same goes for layer 3 switches, and potentially for wireless access points that act as a VPN endpoint. So you may have to configure IPsec. We’ve really already discussed IPsec, but that would be one of the possible advanced configurations.
- Trunking Security
The next advanced configuration that we haven’t talked about yet is trunking security. Trunk links are links between switches, or between routers and switches, that carry the traffic of multiple VLANs. A VLAN, of course, is a virtual local area network: a software-configured broadcast domain, usually mapped to its own subnet, that can exist on a single switch or be extended across multiple switches.
When you have the latter, you have trunking. Normally, if an attacker tries to capture traffic with a protocol analyzer, that individual is confined to the traffic that reaches their own switch port: unicast frames addressed to or from that host (plus anything the switch floods because it has not learned the destination), and the broadcast and multicast traffic of the VLAN that port belongs to. So if I’m on a port in VLAN 1, I can only capture information from that VLAN. But if an attacker is able to form a trunk link with one of your switches, they can receive traffic for every VLAN allowed on that trunk.
It shouldn’t be possible, but it is on Cisco switches in particular, by taking advantage of the Dynamic Trunking Protocol (DTP). A port left in the default dynamic mode will happily negotiate a trunk with a host that sends the right DTP frames, and it’s actually not that difficult to do. This is called switch spoofing, and what we need is some configuration on the switch port to prevent it. What you do is hard-code the ports that really are trunks on the Cisco switch as trunk ports with DTP negotiation turned off, so those are the only trunks that will ever exist. Then, conversely, on the access ports you hard-code them as access ports so that they will never become a trunk.
Configured that way the port is impervious to a switch spoofing attack, and there are a couple of interface commands in the Cisco IOS that we would use to make that happen. Any time you have trunking, with VLAN traffic being passed across the trunk, you have the concept of tagging. 802.1Q tags are inserted into each frame to identify the VLAN it belongs to, and the one exception is the native VLAN, whose frames cross the trunk untagged. These tags can be involved in a type of attack on trunk ports called VLAN hopping. In this situation an attacker uses a process called double tagging and crafts a frame that carries two 802.1Q tags: an outer tag matching the native VLAN of the trunk, and an inner tag naming the victim VLAN.
The outer tag is stripped off by the trunk port of the first switch, because native VLAN traffic is sent untagged, but the inner tag remains, so the next switch reads it and delivers the frame into the victim VLAN. Note that the attack is one way: the attacker can inject frames into the other VLAN, but the replies never come back, and it only works if the attacker’s access port sits in the trunk’s native VLAN. To prevent this type of attack you need to do these things. Number one, set the native VLAN on all your trunk ports to an unused VLAN ID rather than the default, which is VLAN 1. The way we’ll do that is to specify a different number for the native VLAN on every trunk. We’ll then move all of our access ports out of VLAN 1.
You do that with the interface command over the range of interfaces you want to affect, and then you place all your unused ports in an unused VLAN and shut them down, using the same interface range command. Where the platform supports it you can also tell the switch to tag native VLAN frames on the trunk, which removes the untagged frame the attack depends on. You don’t necessarily have to worry about the commands here; this isn’t going to be a Cisco exam, it’s really more about the concepts. The problem is that when the native VLAN is left at VLAN 1 and access ports are also in VLAN 1, this can occur. If we make these modifications to the switch, then we can prevent VLAN hopping from being successful.
- Port Security
When we use the term port security, we’re talking about security applied to the physical ports of a switch. It relies on monitoring the MAC addresses of the devices attached to those switch ports, so it’s referred to as layer 2 security. Remember, the MAC address lives at layer 2 of the OSI model, and that’s why we call it that.
You can disable any ports that aren’t in use, and that’s certainly always a good idea, but port security takes it a step further. It allows you to keep the port enabled, but only for legitimate devices, so it prevents illegitimate devices from connecting to that particular port. If you’re wondering why we might do this, think of ports in a conference room, or ports at a desk that should only ever be used by one particular computer.
I don’t want somebody walking up with a laptop, hardwiring it in and replacing that computer’s connection. There are a couple of different types of restriction you can place on a switch port. You can restrict the specific MAC addresses that are allowed to send frames into the port, and you can restrict the total number of different MAC addresses allowed to send into the port. If you need some differentiation, or need to allow more than just one device (a desk phone with a PC behind it, say), you can use that.
Sticky MAC is a feature that allows the switch to learn the MAC addresses of the devices that are connected and convert them into secure MAC addresses. So instead of you having to know the MAC address and hard-code it, you can use that capability. You still define the maximum number, and the sticky MAC function converts up to that number of learned addresses into secure MAC addresses. A secure MAC address just means it’s in the table of allowed MAC addresses for that port. Port security is something that has to be turned on per port on the switch.
This is all done with commands at the interface level: the port-security command to enable it, the port-security command followed by mac-address to define an allowed address (or the sticky keyword to learn them), and the port-security command followed by the keyword maximum and the number you want to allow. You should also decide what the switch does when a violation occurs; the Cisco default is to shut the port down into an err-disabled state, which is noisy for the help desk but safe. As I said, those are Cisco-specific details and won’t be asked on the exam, so we just want to understand the concepts.
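Here is what those interface-level commands look like put together on a Cisco IOS switch, covering both the trunking security section (hard-coded trunk and access modes, unused native VLAN, parked unused ports) and the port security section above (maximum count, sticky MAC, violation action). This is an added example, not a configuration from the course; the interface numbers, the VLAN IDs (10 for users, 999 as the unused native VLAN, 666 as the parking VLAN for unused ports) and the maximum of 2 MAC addresses per access port are assumptions chosen for illustration.

```cisco
! --- Trunking security: only explicitly configured trunks exist ---
! Assumed uplink to the next switch. Hard-coding the mode and disabling
! DTP means a host can never negotiate a trunk (switch spoofing).
interface GigabitEthernet0/1
 description Uplink to distribution switch
 switchport mode trunk
 switchport nonegotiate
 ! Native VLAN moved off VLAN 1 to an unused ID, so the outer tag of a
 ! double-tagged frame from a user VLAN is no longer stripped here.
 switchport trunk native vlan 999
 ! Prune the trunk to the VLANs it actually needs to carry.
 switchport trunk allowed vlan 10,20,30
!
! Where the platform supports it, tag native VLAN frames too, so nothing
! crosses the trunk untagged. (Global command; not available on every model.)
vlan dot1q tag native
!
! --- Access ports: never trunk, and only known hosts may talk ---
interface range GigabitEthernet0/2 - 23
 description User ports
 switchport mode access
 ! User VLAN, deliberately not VLAN 1.
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 ! A host that sends BPDUs is not a host; shut the port.
 spanning-tree bpduguard enable
 ! Port security: learn up to 2 addresses (a PC behind an IP phone) and
 ! keep them in the running config as secure sticky addresses.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! Default violation action, stated explicitly so the intent is visible.
 switchport port-security violation shutdown
!
! --- Unused ports: parked in a dead VLAN and administratively down ---
interface range GigabitEthernet0/24 - 48
 description Unused - parked
 switchport mode access
 switchport access vlan 666
 shutdown
!
! Let ports err-disabled by a port-security violation recover after
! 5 minutes instead of waiting for an administrator (a convenience
! trade-off; leave it out where a manual review of each event is wanted).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify with `show interfaces trunk` (only Gi0/1 should appear, with native VLAN 999), `show port-security interface GigabitEthernet0/2` (maximum, learned sticky addresses and violation count) and `show interfaces status err-disabled` after a violation. Remember to `copy running-config startup-config`, otherwise the sticky addresses are lost on reload and relearned from whatever is plugged in at that moment.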
- Ports and Sockets
You probably recall from the OSI model that transport layer protocols like TCP and UDP carry the data of the upper layer, application layer protocols, and in order to identify those upper layer protocols they use port numbers. The port number in combination with the IP address makes up what we call a socket. The port number registry is maintained by IANA, the Internet Assigned Numbers Authority, under rules published by the IETF, the Internet Engineering Task Force, and because of that port numbers can be used to allow or disallow traffic. I can clearly identify port 80 for HTTP, port 25 for SMTP email, port 53 for DNS queries, and port 88 for Kerberos authentication.
So firewalls and routers with access lists can identify and allow the type of traffic they want. Ports 0 to 1023 are the well-known (system) ports, assigned to the default application layer protocols of the TCP/IP suite. Ports 1024 to 49,151 are the registered (user) ports, which applications register with IANA and often use. Then you have the dynamic ports, also referred to as private or ephemeral ports, from 49,152 up to 65,535, which clients pick for the source side of a connection. It is important for us to know some of these ports.
They seem to be on virtually every CompTIA exam, so we’ll just go over some of the common ports here. Telnet, port 23, is a remote administration protocol. It’s not heavily used these days because it sends credentials and the whole session in cleartext.
SMTP is still heavily used for email. By default that is an anonymous, unencrypted connection on port 25, although it is also used on other ports: port 587 for authenticated client submission, usually with STARTTLS, and port 465 for SMTP over implicit TLS. HTTP is port 80, and HTTPS, which is HTTP over TLS (formerly SSL), is port 443. FTP, the File Transfer Protocol, uses ports 21 and 20: port 21 is the control channel the client connects to for commands and replies, and port 20 is the server side of the data channel in active mode, where the server opens the data connection back to the client.
Then you have DNS on port 53, both TCP and UDP; it depends on what exactly you’re doing. Ordinary queries are on UDP, while zone transfers and other traffic between DNS servers, and any response too large for UDP, use TCP. DHCP, the Dynamic Host Configuration Protocol that assigns IP addresses, uses UDP ports 67 (server) and 68 (client). SMB, Server Message Block, is port 445. Kerberos, the authentication protocol of Active Directory and other directory services, is port 88.
And there are many more: Remote Desktop Protocol is port 3389; SIP, which is used for Voice over IP signaling, is port 5060, with 5061 for the TLS-secured version; SSH, which we mentioned earlier in the course, is port 22. We could go on. So make sure you’re well aware of the default ports here. Those ports can be changed, but if they are changed then both the client and the server have to be configured with the new number, because the port is what identifies the upper layer protocol.
- Security Zones
When you’re designing a network, it’s usually a good idea to create security zones. These zones are separated by subnetting, by firewall rules, access lists and other tools that can be used for isolation. So we want to be clear as to why these are used. One of the most common types of security zone is one we’ve already mentioned, and that is known as the demilitarized zone, or DMZ (in newer terminology, a screened subnet).
The DMZ gives us a lot of advantages because it provides controlled access to publicly available servers. I have servers that need to be reachable from the Internet, but I don’t want to allow access into my internal network, so I place them in the DMZ. It also gives us very precise control of traffic between the different security zones: internal, external and DMZ. We talked about that in relation to multi-homed firewalls. A DMZ does require additional firewall interfaces.
It typically requires public IP addresses (or NAT mappings) for the hosts in the DMZ, and also additional configuration. The DMZ does, though, provide the fundamental protection that’s needed once it’s understood that not all networks should have the same level of security, and that separation therefore needs to be applied. That really can be said of security zones in general: separation of data is provided through this level of isolation. It can also be provided by moving workloads to cloud services.
- Network Segmentation
Network segmentation is a very broad term for the practice of placing routers, switches and firewalls throughout the organization in order to create separate subnets, VLANs and so on. Administrators can use VLANs on switches, they can deploy a DMZ on firewalls, they can deploy screened subnets on routers. In any of these cases, what you are doing is providing network segmentation, and network segmentation has both security benefits and performance benefits.
How you go about doing it would be things like MAC filtering, closing ports, other types of port security such as MAC-address port security, ACLs, firewall rules, separate virtual networks and software-defined networking. There are a number of different ways to create this segmentation. When you segment, you’re reducing the size of your broadcast domains, which is why you get some performance benefits; you’re also reducing the size of contention-based networks. But more relevant to the purpose of this course, we’re actually able to provide security, because the more interfaces traffic has to cross, the more opportunities we have to lock those interfaces down and control the type of traffic.
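Here is an example of how the ports from the Ports and Sockets section become the match criteria for the zone boundaries described in the Security Zones and Network Segmentation sections, as extended access lists on a three-interface Cisco IOS router with outside, DMZ and inside interfaces. This is an added example, not a configuration from the course. The interface names, the RFC 5737 documentation range used for the DMZ (198.51.100.0/24, with web server .10, mail relay .25 and DNS server .53), the private 10.0.0.0/8 internal range and the 10.10.10.0/24 admin subnet are all assumptions, and the example assumes addresses are not translated on this router. The `established` lines are a stateless approximation of return-traffic handling (they only check TCP flags); in production a stateful firewall or the IOS zone-based firewall should do that job.

```cisco
! --- Outside (Internet) zone: only published DMZ services are reachable ---
ip access-list extended OUTSIDE-IN
 remark Public services in the DMZ, identified purely by destination socket
 permit tcp any host 198.51.100.10 eq 443
 permit tcp any host 198.51.100.10 eq 80
 permit tcp any host 198.51.100.25 eq 25
 permit udp any host 198.51.100.53 eq 53
 permit tcp any host 198.51.100.53 eq 53
 remark Replies to connections the DMZ or the inside initiated (stateless approximation)
 permit tcp any 198.51.100.0 0.0.0.255 established
 permit udp any eq 53 host 198.51.100.53
 permit tcp any 10.0.0.0 0.255.255.255 established
 remark Nothing from the Internet ever opens a connection to the inside
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any any log
!
! --- DMZ zone: a compromised DMZ host must not pivot inward ---
ip access-list extended DMZ-IN
 remark Replies to clients (inside or Internet) that connected to a DMZ service
 permit tcp 198.51.100.0 0.0.0.255 any established
 permit udp host 198.51.100.53 eq 53 any
 remark No new connections from the DMZ into the internal network, and log attempts
 deny ip 198.51.100.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark Outbound connections the DMZ legitimately originates
 permit tcp host 198.51.100.25 any eq 25
 permit udp host 198.51.100.53 any eq 53
 permit tcp host 198.51.100.53 any eq 53
 deny ip any any log
!
! --- Inside zone: users get published services, admins get management ---
ip access-list extended INSIDE-IN
 remark Admin subnet may manage DMZ hosts over SSH (port 22)
 permit tcp 10.10.10.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
 remark Users reach published DMZ services the same way the Internet does
 permit tcp 10.0.0.0 0.255.255.255 host 198.51.100.10 eq 443
 permit udp 10.0.0.0 0.255.255.255 host 198.51.100.53 eq 53
 permit tcp 10.0.0.0 0.255.255.255 host 198.51.100.25 eq 25
 remark Anything else toward the DMZ (RDP 3389, SMB 445, ...) is denied and logged
 deny ip any 198.51.100.0 0.0.0.255 log
 remark General Internet access for the inside
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any log
!
! Each list is applied inbound on the interface that faces its zone, so
! every packet is checked as it enters the router from the zone it came from.
interface GigabitEthernet0/0
 description OUTSIDE
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description DMZ
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/2
 description INSIDE
 ip access-group INSIDE-IN in
```

`show ip access-lists` shows per-entry hit counters, and the `log` keyword on the deny entries produces the syslog messages you watch for: a hit on the `deny ip 198.51.100.0 ... 10.0.0.0` line means a DMZ host is probing inward, which is exactly the behaviour the zone boundary exists to catch. Note that ACL entries are evaluated in order and end in an implicit deny, so the explicit `deny ip any any log` at the end only adds visibility.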
- Network Access Control
We mentioned Network Access Control earlier, at least briefly; we want to cover that in a little more detail because it is one way to enforce security zones. Network Access Control (NAC) is the general term. Cisco’s implementation was Network Admission Control, and Microsoft’s was Network Access Protection (NAP). In either case, what we’re trying to do is evaluate the connecting device. We ask it to submit its health state before allowing it to connect, and only when that health state is adequate in comparison with a health policy is it granted access.
The image here is of Network Access Protection. In that case you can see a Windows client trying to make a connection through a network enforcement point. This could be a wireless access point or 802.1X switch, a VPN server, a DHCP server or others; let’s say it’s DHCP. So I’m just trying to connect and get an IP address. The DHCP server is configured to communicate with the Network Policy Server (NPS), and therefore requests a Statement of Health (SoH) from the Windows client. The Windows client has an agent running on it, the System Health Agent (SHA), that is capable of receiving this request and responding to it. So it responds with the Statement of Health.
The Statement of Health is forwarded to the NPS. The component on the NPS called an SHV, the System Health Validator, compares the health state of the client against a health policy. If you are compliant, any restraints are lifted and you are able to access the corporate network. If you are not compliant, or not NAP-capable, you are remediated on a restricted network. In the case of DHCP and VPN enforcement, you’re really just assigned packet filters (or a limited route table) so that you have no ability to communicate outside of that restricted network. DHCP enforcement is the weakest form, since a client that sets its own static IP address bypasses it entirely; 802.1X enforcement is the stronger choice.
The only things on that restricted network are remediation servers. It’s very likely a logical network rather than a physical one, but those servers would provide Windows updates, maybe updated versions of anti-malware, updated signatures, instructions on how to enable the firewall, et cetera. The default Windows SHV can check a few different things (firewall, antivirus, antispyware, automatic updates and update status). Microsoft also made it possible to extend Network Access Protection with third-party plug-ins, so a vendor would have its own System Health Validator and could query for additional information, like a particular version of the anti-malware product or of the AV definitions, and the like.
- NAC Concepts
There are some limitations of using Network Access Protection, or technically any form of network access control. It works well for organization-owned systems, because it makes sure they remain in compliance. Take a salesperson, for instance, who has been on the road and hasn’t been back in a month, so they’re missing some patches. Maybe they disabled their antivirus. Last time they were on hotel Wi-Fi they turned off their firewall and forgot to turn it back on, because it wasn’t getting them to the login page. Who knows? But then they connect back, and we’re able to say, hey, we’ve identified that this is a problem: you’re not compliant.
Then they can be directed as to how to get back into good graces and be able to connect. When you have computers that are not company managed, it is a little less successful. It is reactive in nature: it checks for known conditions, not new threats. Its adoption has been uneven, some implementations are confusing, and they are all going to require additional configuration. Let’s talk about some of the concepts here. Quarantine and remediation: we’re going to quarantine you, put you on a separate network where you can only communicate with certain systems, and those systems are capable of bringing you into compliance with our policies. Persistent versus non-persistent.
This refers to the agent installed on the client computer. A persistent agent stays installed on the client and keeps running; a non-persistent agent is loaded only for the duration of the check and then goes away. So non-persistent is just on an as-needed basis: it’s there and then it’s gone. Agent versus agentless. A lot of the time network access control works by installing an agent on the client device.
But it’s possible to do it without one, and of course it’s easier to deploy if there is no agent, but you get less control and fewer inspection capabilities. The way Microsoft handled it, the NAP agent was already built into Windows Vista through Windows 8.1 and simply had to be turned on, which was easy to do; the client was removed in Windows 10. So as I said, it depends on your scenario and the type of clients you have. Are they personal devices? Are they work devices? Microsoft, as I believe I mentioned before, has moved away from Network Access Protection (it was deprecated in Windows Server 2012 R2 and removed in Windows Server 2016), not because it didn’t work, but because it doesn’t appear to have been adopted by very many companies.
- Network Enabled Devices
Beyond your typical infrastructure devices like routers, switches, firewalls and so on, security professionals are also going to have to manage and protect specialized devices that have evolved over time into IP devices. In the past, these systems were managed out of band, on networks separate from the IP network; now they increasingly share it, and that trend continues to grow. Let’s talk about some of the systems that have merged into the modern network. First is the SoC, or system on a chip.
This is an integrated circuit that includes all the components of a computer or other electronic system. It can be built around a microprocessor, and these are designed for particular applications. They often provide certain security functionality, like secure boot. Secure boot is a chain of authentication checks performed on the firmware and software used in the boot sequence: each stage verifies the digital signature of the next before handing control to it. So secure boot can ensure that the startup environment hasn’t been altered in any way and that you’re going through all of the security steps that are necessary.
Secured memory can be divided into multiple partitions, and based on the type of data in each partition, the partition is designated as either security sensitive or non-security sensitive. When there is a breach, for instance when the chip detects tampering, the contents of the security-sensitive partition can be erased by the controller automatically.
Runtime data integrity check: this is a process that ensures the integrity of peripheral memory and its contents during runtime execution. And then we have the central security breach response. This is a unit that monitors for security intrusions. In the event that an intrusion is reported by a hardware detector, such as the voltage, frequency or temperature monitors that catch glitching and fault-injection attempts, the response unit moves the state of the SoC into a non-secure state. That state is characterized by particular restrictions that are put in place, which differentiate it from the secure state.
- Automation Systems
The networking of a facility has also enhanced the ability to automate the management of systems like lighting, HVAC, water systems and security alarms. We want to bring together these disparate systems because it allows for much better orchestration, letting them interact in ways that were never possible. This is referred to as IoT.
When we’re talking about IoT, the Internet of Things, we’re talking about an area of technology that has made a number of advances. These systems show the value of successful automation and what we can have when we network them. They usually pay for themselves in the long run, because they allow us to centrally manage the entire ecosystem more efficiently, and in real time, than a human ever could. There are some possible issues, especially if you use a wireless version of this type of system.
We have interference issues, so construction materials may prevent you from using wireless everywhere. We have security, so we need to use encryption (and authentication) on those links. And we have power: when Power over Ethernet is not capable of powering controllers and sensors, we need to make sure the battery life is reasonable. So these are automated systems that are being more heavily used today, and just something we need to be aware of.
- Physical Security
Physical access control systems. We mentioned some of these earlier. These are devices that are there to enhance physical security. What’s going to prevent me from walking into the server room or the wiring closet? What’s going to prevent me from pretending to be an employee of your organization? That is physical security. So I just want to make sure that we’re aware of what these things are. Some of them are probably self-explanatory.
IP-based video surveillance systems are essentially looking for unusual activity. We can have security guards monitoring them, of course, but we’re often just trying to identify unauthorized foot traffic. Sensors are designed to gather information of some sort and make it available; in the physical case, we’re talking about motion sensors and the like. The mantrap is a physical access control consisting of a series of two doors with a small space or room between them. Once you enter the first door, that door has to completely shut and lock before you are able to open the second door.
This is typically only found in very high security situations. I actually had to, long ago, teach an Exchange email class at the Federal Reserve Bank in Philadelphia. That’s the only mantrap I’ve ever seen, and it was getting in there, and yeah, that’s a pretty high security type of situation. Proximity readers are door controls that read a proximity card from a short distance; we’ve generally all seen these. IP-based access control and video systems, and AV (audio-visual) systems, can be completely connected to IP networks. They give us video conferencing capabilities, of course, but they can operate in other areas as well, and so they can be used for physical security. Then, of course, you have security guards: the actual physical human beings who are there to provide access control for the organization.
- Chapter 02 Review
In this chapter, we focused on security for the network and for security devices. We talked about a number of different things: physical and virtual network security devices, of course the first one that comes to mind being the firewall and its ability to protect our organization’s networks as well as host systems. We also talked about application and protocol level security, advanced network design using bastion hosts and virtual networking, and network solutions for data flow.
How to protect the data that’s flowing from source to destination on the network; discovering and identifying secure baselines of networking and security components, understanding what normal is and establishing what normal is so that we can then handle the abnormal.
That’s essentially the goal there, followed by the advanced configuration of network devices: what are some of the things we can go through and do in order to increase security? So hopefully the information here has been helpful as you move forward, because it identifies a number of different components, as well as configurations, that are needed by a security professional.