CompTIA Cloud+ CV0-003 – Domain 2.0 Cloud Security Part 2
APIs (application programming interfaces). Let’s discuss APIs in the sense that knowing what they are is really all you need to know. For the exam, I will touch on the different types of APIs and some other factors that might be of interest. An API, or application programming interface, is the code that allows two software programs to communicate with each other. For example, in order to access Amazon Web Services from a mobile device, such as an iPad, you must first download the APIs; in other words, even when this is done through the browser, the API is what lets the two sides communicate with each other. APIs are essentially code that allows those programs to talk to one another. There are generally two parts: the specification of the API, essentially the code, and the interface, which defines how everything will communicate.
That’s the interface. With APIs, we have different types. You have the program-based APIs. These are based on our PCs and help make a remote program look local; these are basically for remote procedure calls (RPC). Web-based APIs are RESTful. This is a very common term in the industry: REST or RESTful. These are APIs that are used for web applications. And then you have local APIs. These are generally focused around middleware in most cases, but you may run into those as well. When it comes to REST APIs, these are generally used by cloud providers, AWS for example. REST stands for representational state transfer. This is an architectural style used in the development of web-based services. In general, you’ll see either REST or SOAP being used. REST is widely used by cloud providers. SOAP isn’t something you see every day. SOAP is different in the sense that it’s a little bit heavier and takes a little bit more effort. It’s not as agile as a REST API, and it really wasn’t meant for the web overall from a development standpoint. And that’s why REST is really the API style that’s used.
You would access these APIs through what’s called an endpoint. An endpoint is simply a connection to the back end of the cloud provider or, in some cases, the front end, perhaps both. For example, the front end would typically have your merchant account in it, and the back end would be the services. Google Endpoints is a great example of that. This is used extensively, especially with mobile devices. Endpoints can also generate a lot of efficiencies. API security: there are some security concerns that you should be aware of. The first is: don’t just go out to any website and get APIs; get them from a known source. APIs are just like any other code. Someone can modify them and add vulnerabilities, backdoors, zero-days, whatever. With APIs, there are gateways and proxies. Some examples would be Mashery, which is a very popular solution, as well as AWS API Gateway. Use a secure endpoint and follow best practices as far as authentication and authorization; make sure you use those as well. Now, there are a couple of links that I left, especially on APIs that are programmable.
For those who are unfamiliar with APIs, the Web has some excellent reference material. But once again, for this exam, you really just need to know what a REST API is and what an API does overall. That’s it. AWS API Gateway: this is a managed REST API gateway. At the time of writing, there are 53 global edge locations. It provides DDoS protection at layer seven and against SYN floods, which the course places at layer three, and it provides API stages like test, dev, and prod as well. Once again, you don’t need to know this for the exam. I just want to cover some areas around the cloud to get you thinking about where you might be able to focus your efforts. REST is representational state transfer. This is an architectural style that focuses on the creation of web-based services. Remember that typically, REST is used over SOAP nowadays. REST is lightweight and much more agile than SOAP in general. Know what an API is: this is the code that allows two software programs on different devices to communicate with each other.
Security services. Let’s talk about services that you’ll likely have set up not only in your infrastructure but also for your cloud services. When it comes to security services, automation, etc., you’re going to want to have specialized services, generally firewalls, IPS, IDS, et cetera, to be able to provide different layers of response and services to your end users, but also to be proactive in keeping out unauthorized users. When it comes to security services, these are the major ones you’ll run into. Of course, this is not an exclusive list. These are the ones you’ll likely see on the Cloud+ exam. Now, one thing I would like to emphasize is the importance of knowing when to use a firewall, for example, versus an IDS/IPS, or an antivirus or anti-malware service, or whatever is right for the situation. We’ll go ahead and talk about each of these.
A firewall is a network security device that monitors incoming and outgoing traffic. Firewalls generally work either explicitly or implicitly by denying or allowing access. When it comes to cloud-based firewalls, AWS has one; so does Google. They all have different services. You need to understand what they support and how they support it. Google is different than AWS, for example. You need to understand the level of support by default: are the ports and services on, or are they off? Generally, firewalls can be hardware- or software-based, or even a combination. These are usually the first line of defense as well. Firewalls are typically built for north-to-south traffic. However, with the advent of software-defined networking, we see quite a bit of micro-segmentation, which provides additional firewalls for each of the VMs, more of a “virtualized host type” of firewall scheme. So there are a couple of things to think about there. You’ll want to understand the different types of firewalls as well.
A UTM (unified threat management appliance) is essentially a stateful inspection firewall with intrusion prevention and antivirus built in. This is a threat management firewall that consists primarily of proxies. These are more gateways than anything stateful. A traditional firewall will either allow or deny traffic, basically explicitly deny or explicitly allow: is port 21 allowed or not allowed? It’s pretty straightforward; it’s typically binary. The next generation is different. This is similar to the Palo Alto firewall, for example, where modern threats, like advanced malware, are typically addressed pretty well with the next-gen firewall’s IDS and IPS. Now, my thought is that every organization should have some level of IDS and IPS protection. Although this is not common in many organizations, it is good to have some level of protection, especially if someone does break in, say, to one of your VMs and is able to traverse your VLANs and do VM hopping or something. It might be hard to determine what they’re doing without some kind of anomaly detection, for example, that an IDS or IPS can provide. What is a HIPS? That’s a host-based intrusion prevention system.
This is generally going to be deployed on a critical server that will monitor for malicious activity in general. It could be viruses, malware, or APTs. Once again, HIPS is something you’ll want to have in most situations, and then an intrusion detection system is similar. This is going to detect issues. It may not prevent issues, but it should monitor them and let you know. I like to compare HIDS to HIPS, or IDS to IPS, in the same way as those LifeLock commercials where the security guard stands in the bank and the elderly couple says, “There’s a robbery,” expecting him to do something. And the security guard goes, “I’m not a security guard; I’m just a security monitor.” So basically, this is the difference. Do you get notified? But also, does the system do something to mitigate the issue? That’s sort of the difference. For this exam, you’ll definitely want to know these. You’ll likely see one of these, if not two, on the test in some format. At least, that’s what I saw on the beta exam. Intrusion prevention and intrusion detection: know what they are. I won’t read this to you again. Here’s an exam tip. Make sure you know what the different types of security services are and when to use them. What’s the right use case? Use a host-based solution for a VM, but a network-based solution for the internet perimeter, for example. Pretty straightforward, right? As I previously stated, you will most likely be asked a scenario question on this exam, and you’ll be asked to provide the most likely correct solution for that scenario.
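To make the two distinctions above concrete (explicit/implicit allow-or-deny in a traditional firewall, and “monitor only” IDS versus “monitor and act” IPS), here is an added Python example that is not part of the course material. The rule set, addresses and traffic burst are constructed for illustration; the prefix-based source match and the hit-count threshold are deliberate simplifications, not how any particular vendor’s product works.

```python
# Added example (not from the course): a default-deny firewall rule evaluator
# plus a simple anomaly sensor run in IDS (alert only) or IPS (alert and block) mode.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    src_prefix: str = ""   # constructed simplification: textual prefix match, e.g. "10.0."

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and p.src.startswith(self.src_prefix))


def firewall_decision(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins. Returns 'allow', 'deny' (explicit rule) or
    'deny-implicit' (no rule matched, the usual default for a firewall)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny-implicit"


# Constructed rule set: SSH only from the internal 10.0.x.x range,
# HTTPS from anywhere, FTP (port 21) explicitly denied from anywhere.
RULES = [
    Rule("allow", "tcp", 22, "10.0."),
    Rule("allow", "tcp", 443),
    Rule("deny", "tcp", 21),
]


class Sensor:
    """Counts hits per source address; more than `threshold` hits is treated as
    an anomaly. In 'ids' mode the sensor only records an alert (the 'security
    monitor'); in 'ips' mode it also blocks the source (the 'security guard')."""

    def __init__(self, mode: str, threshold: int = 5):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.threshold = threshold
        self.counts: Dict[str, int] = {}
        self.alerts: List[str] = []
        self.blocked: Set[str] = set()

    def inspect(self, p: Packet) -> str:
        if p.src in self.blocked:
            return "dropped"                     # IPS already cut this source off
        self.counts[p.src] = self.counts.get(p.src, 0) + 1
        if self.counts[p.src] > self.threshold:
            self.alerts.append(f"burst from {p.src} ({self.counts[p.src]} hits)")
            if self.mode == "ips":
                self.blocked.add(p.src)
                return "dropped"
        return "passed"


def run_sensor(mode: str, packets: List[Packet]) -> Tuple[int, int]:
    """Returns (alerts raised, packets dropped) for the given sensor mode."""
    s = Sensor(mode)
    verdicts = [s.inspect(p) for p in packets]
    return len(s.alerts), verdicts.count("dropped")


# Constructed traffic: one outside source hits SSH on an internal host eight times.
BURST = [Packet("203.0.113.9", "10.0.1.5", 22, "tcp") for _ in range(8)]

if __name__ == "__main__":
    print(firewall_decision(RULES, Packet("10.0.3.4", "10.0.1.5", 22, "tcp")))   # allow
    print(firewall_decision(RULES, Packet("203.0.113.9", "10.0.1.5", 22, "tcp")))  # deny-implicit
    print(firewall_decision(RULES, Packet("10.0.3.4", "10.0.1.5", 21, "tcp")))   # deny
    print("IDS:", run_sensor("ids", BURST))   # (3, 0): alerts only, nothing dropped
    print("IPS:", run_sensor("ips", BURST))   # (1, 3): one alert, then the source is blocked
```

The same burst produces alerts in both modes, but only the IPS changes what reaches the host; that is the difference the exam is looking for, and it is also why an IPS placed inline can itself become an availability risk if its detection logic misfires.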
Vulnerability assessments. Let us now discuss vulnerabilities, threats, and potential areas of investigation, such as pen testing. One of the things I just want to be clear on is that this exam does cover some of the areas around vulnerability assessments, but it doesn’t go very deep. As a result, you don’t have to be a professional cybersecurity analyst to get this right. Very simply, a vulnerability assessment is a process that defines, identifies, and classifies security holes, also known as vulnerabilities, either in a network, a computer, or any kind of common infrastructure. Now, when it comes to vulnerability assessments, there are a couple of things to understand. The goal of an assessment is to determine the effectiveness of countermeasures. How exactly are you doing? Is the posture of the network secure? Is the posture of the cloud secure? Are the countermeasures effective? Does the IPS do its job? Does the firewall do its job?
Do users follow proper instructions and change passwords appropriately? When it comes to vulnerability assessments, you really should do them regularly, but also make sure you follow your cloud provider’s practices. So don’t just run an assessment against your AWS services without notifying support. The reason is that you could kick off some kind of response from AWS, and it wouldn’t be the first time that services were shut down until the customer was able to validate that what they were doing was actually what they should be doing. You could use scanners like Wasp or Boss. Those are commonly used in most corporate networks. You could also use the Google Cloud security scanner. This is typically utilized with the Google Cloud Platform. Now, pen testing is different in the sense that pen testing is essentially about exploiting vulnerabilities. This is trying to determine how you could get past a RADIUS system, or how you could get past password policies, or how you could get past network protocols, whatever the situation is. Once again, never run a pen test without notifying your provider.
It’s a great way to get your cloud services shut down if you’re not following their instructions. Again, you can run pen tests; that’s generally not a problem, but they want to be notified. Any kind of anomaly could be picked up as a threat, and they’re going to try to do what they can to stop those threats. When it comes to vulnerability assessments, know what they are. Now my recommendation is to go back and make sure you understand what a pen test is, but also know what a vulnerability assessment is. Don’t get confused between the two. On the exam, you could expect to see one of these. Here is a test tip. Once again, know the difference between a vulnerability assessment and a pen test. Vulnerability assessments are used to determine your security posture and how well you’re doing. A pen test is typically run to try to exploit the environment to see what cracks are actually open in that environment.
Let’s discuss network connectivity tools. There are going to be one or two questions that, I guess, are going to test your skills or your knowledge around network connectivity and what kind of tools you’ll use to validate connectivity. We want you to understand that connectivity to your cloud resources is critical to your business, and there are going to be several areas around troubleshooting you’ll need to validate and look at; some of these are listed here. These are typical connectivity issues you run into due to incorrect networking, DNS and firewall issues, VLAN issues, et cetera. This is not an exclusive list, but I wanted to highlight the ones that would likely be part of a case study or scenario-based question, where you’ll need to look at the architecture that they give you and determine what could be the root cause of the problem. Generally, it’ll probably be focused on latency or some kind of firewall rule, but that doesn’t mean, certainly based on the objectives of this exam, that they couldn’t test you on DNS or VLANs, for example. With that said, let’s go ahead and go over some of these. When we talk about latency, it is usually noticed because of a complaint from the user base.
In a lot of cases, however, latency could be the result of many different issues. Generally, it’s a result of either an application issue, a network bottleneck, or some kind of process that’s running that just doesn’t have enough resources. MTU size is important as well. One of the things about transferring data is that you could transfer little chunks of data or larger chunks of data. So look to see, for example, whether jumbo frames are enabled or not; some of the routers support that and some don’t. You need to validate what is supported by the provider and by your own networking hardware as well. Quality of service (QoS) is a way to guarantee specific levels of service for an application. Proxies are commonly used and confused with things like firewalls, but not everyone realizes that they’re actually quite different. DNS issues could be a problem as well.
VLANs as well. I won’t spend a lot of time on this because you’ll likely not see these, but if you don’t know what an MX record is or what a DNS error looks like, spend a little time looking into it in more detail. DNS can cause problems in general. For example, the biggest issue with DNS is that the name doesn’t resolve, and that could be just a response issue. Also, the MX records may not have been updated appropriately. For example, if you’re using a third party like GoDaddy, they’re not really known for having the best service. So you generally need to use an enterprise service for an enterprise application, is the way I like to sum it up. But be aware that DNS could be an issue. Resolving connectivity issues: you want to use the right tools. For example, you don’t want to use nslookup to investigate or validate a non-DNS issue. It doesn’t make sense. Don’t use ping for something that really requires netstat.
So identify the tools that are appropriate. These are some of the network tools that are out there. A lot of these are built-in commands that you could execute locally on your Windows or Linux machine. Identify the appropriate tool. You will likely get a question about one of these tools. I certainly did. I can’t tell you which one I saw, but I can certainly identify areas that you may want to look at to make sure you understand. For example, in networking, what are some of the major commands you could use to send an ICMP request, to determine whether a port is up and running, and to connect to a host? What commands do you use there? Also, how do you validate that a host is available? Or how do you find out about a domain name or an IP address? What do you use there? VLANs are also covered. I didn’t see anything on a test about those, but you want to be aware of them just in case they’re part of the objective. That’s why I am essentially covering that. But the problem with a lot of the commands, not so much networking per se but, let’s say, VLANs, is that these commands are really going to be different for different network switches.
For example, Cisco or Brocade may have very different commands from Arista, so they’re not going to test you on specific commands for specific switches or anything. Just be aware of that. Common ports: another area that you’ll need to get really good at is understanding what the common ports are. It’s fair to ask you a question about what port SSH uses, or FTP, or DNS. Also know that, for example, DNS is a UDP protocol, not a TCP protocol. In general, just because it’s using port 53 doesn’t mean you can’t use TCP on it in some cases with specific ports. However, most of the time they want you to know the most commonly used ports as well as what the port is for. As an example, HTTPS: everybody knows that one, it’s pretty straightforward. But the ports that could be confusing to people could be DNS or DHCP. Most folks know HTTP, FTP, and SSH, but usually the area where I’ve seen ports forgotten is typically DNS, DHCP, or SMTP rather than HTTP or HTTPS. So don’t get confused between SMTPS and FTP, for example. Try to know those ports because, again, it’s fair game to test you on this. So, DNS makes use of the well-known port 53. Remember that for the exam. Exam tip: I’m going to remind you again that of the common ports, you’re definitely going to see one or two of them again.
Network protocols. This is probably going to contain two terms that I think are probably the most widely confused and misused in the industry. And, once again, there’s nothing wrong with that if you understand NAT and PAT. Now, when I say typically confused, overused, or used widely incorrectly, a lot of people just think NAT and PAT are the same thing, but in reality they’re different, even though they’re related. If you can appreciate that, we’ll talk about the main difference between network address translation and port address translation and the use cases for each of these. You can guarantee yourself that you’ll see a question on this exam about NAT and PAT. I certainly did. And it appeared that this was something they wanted you to know based on the objective. Now, NAT and PAT are typically used in the cloud. It’s very common to see customers use these for one reason or another. VLAN tagging and port mapping are also commonly used and, to some extent, confused terms. Let’s go ahead and cover what you need to know for the exam.
Network address translation (NAT) uses a pool of public addresses that are mapped one-to-one to the private ones. Now remember, a private address is typically inside, meaning behind your firewall; typically, inside your firewall and your perimeter, these mappings leave the port number intact. So NAT translates addresses. Now let’s go ahead and put PAT side by side and see if you can see the difference. PAT uses a single outside public address, right? NAT, on the other hand, uses a pool of addresses and maps them to multiple internal addresses using different port numbers. So again, you can see that it’s basically manipulating addresses. It’s just a question of how it’s doing it. Now NAT is really focused on addresses, whereas PAT is really focused on ports. However, it’s common for customers to think that it’s also manipulating the addresses. Depending on the implementation, this may or may not be totally true, but the mapping is definitely going to be different.
So understand, it’s more of a one-to-one relationship versus a one-to-many relationship. And that’s where the clue comes in for the test. What I’d like you to remember is that NAT is going to translate those addresses, those IP addresses, whereas PAT will translate the ports. This could lead to a question on the exam. If you remember, when it comes to NAT in general, this is where a request for an IP address comes in, and it will redirect this to an internal host. Okay, so from this, is this going to be NAT or PAT? And the answer is right there. This is NAT, right there with port forwarding. Now, port forwarding is also known as “port mapping.” This is a technique where a gateway or similar device transmits all the traffic from a port to the same port on an internal node. Don’t confuse this with mirroring; we’re going to cover that in a second. Port forwarding enables an external source or system to connect to an internal source or node. This will essentially allow you to connect to an internal service or private VLAN. For example, port forwarding uses what are called “well-known port numbers.” With NAT on AWS, there are some tricks that you’ll want to know.
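The one-to-one versus one-to-many distinction is easiest to see as translation tables. The following is an added Python example, not part of the course, that models static NAT (pool of public addresses, ports untouched), PAT (one public address, source port rewritten), and inbound port forwarding. All addresses and ports are constructed from documentation ranges; the port allocation scheme is a simplification of what a real gateway does.

```python
# Added example (not from the course): NAT, PAT and port forwarding as lookup tables.
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, port)


class StaticNAT:
    """One-to-one NAT: each inside host is assigned its own public address from a
    pool, and the port number is passed through unchanged."""

    def __init__(self, pool: List[str]):
        self.free = list(pool)                      # constructed public pool
        self.inside_to_public: Dict[str, str] = {}

    def translate(self, src: Flow) -> Optional[Flow]:
        ip, port = src
        if ip not in self.inside_to_public:
            if not self.free:
                return None                         # pool exhausted: cannot translate
            self.inside_to_public[ip] = self.free.pop(0)
        return (self.inside_to_public[ip], port)    # same port, new address


class PAT:
    """Port address translation: every inside flow shares ONE public address and is
    told apart by a unique translated source port, so replies can be routed back."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Flow, Flow] = {}          # inside (ip, port) -> (public_ip, tport)
        self.reverse: Dict[int, Flow] = {}         # tport -> inside (ip, port)

    def translate(self, src: Flow) -> Flow:
        if src not in self.table:
            tport = self.next_port                 # simplification: sequential allocation
            self.next_port += 1
            self.table[src] = (self.public_ip, tport)
            self.reverse[tport] = src
        return self.table[src]

    def untranslate(self, reply_dst_port: int) -> Optional[Flow]:
        """A reply arrives at the shared public IP; only the port identifies the inside host."""
        return self.reverse.get(reply_dst_port)


class PortForwarding:
    """Inbound mapping: traffic to a well-known port on the gateway's public address
    is sent to the same port on a chosen internal node."""

    def __init__(self, public_ip: str, mapping: Dict[int, str]):
        self.public_ip = public_ip
        self.mapping = mapping                     # port -> internal host

    def inbound(self, dst: Flow) -> Optional[Flow]:
        ip, port = dst
        if ip != self.public_ip or port not in self.mapping:
            return None                            # not forwarded (implicitly dropped)
        return (self.mapping[port], port)


if __name__ == "__main__":
    nat = StaticNAT(["198.51.100.10", "198.51.100.11"])
    print(nat.translate(("10.0.0.5", 51000)))      # ('198.51.100.10', 51000)
    print(nat.translate(("10.0.0.6", 51000)))      # ('198.51.100.11', 51000)
    print(nat.translate(("10.0.0.7", 51000)))      # None: only two public addresses

    pat = PAT("198.51.100.1")
    # Two inside hosts happen to use the same source port; PAT must rewrite it.
    print(pat.translate(("10.0.0.5", 51000)))      # ('198.51.100.1', 40000)
    print(pat.translate(("10.0.0.6", 51000)))      # ('198.51.100.1', 40001)
    print(pat.untranslate(40001))                  # ('10.0.0.6', 51000)

    fwd = PortForwarding("198.51.100.1", {443: "10.0.0.20"})
    print(fwd.inbound(("198.51.100.1", 443)))      # ('10.0.0.20', 443)
    print(fwd.inbound(("198.51.100.1", 22)))       # None
```

Note the security angle of the last class: every port-forwarding entry is a deliberate hole from the outside into a private address, so the mapping should be as short as the services you actually intend to expose.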
You don’t need to know this for the exam, because you won’t be tested on NAT on AWS specifically; it’s rather to compare some of the capabilities you’re used to with what AWS does. For example, NAT is supported. You’re going to use this in a virtual private cloud. Now remember, a virtual private cloud is a container for your resources. The NAT Gateway is a managed service. Remember that. So AWS is going to handle all the back-end stuff. You’re going to pay basically for usage; essentially, for that service, you do need to set up a security group. And of course, it’s much more complex than just what we’re saying from a planning perspective. But just know that NAT is supported. It uses the NAT Gateway, which is a managed service. You want to create a security group. A security group is essentially a firewall. You want to, of course, use that in conjunction with the NAT Gateway. VLAN tagging: VLAN tagging is certainly different than port tagging in the sense that you’re going to insert a VLAN tag. Tagging is also different from mirroring. Tagging is going to do what it says, which is typically add some kind of header, in this case a packet header, and identify the VLAN that the packet belongs to.
So, for example, in this case, any packets that are on VLAN 100 will have a header that corresponds to VLAN 100, and so on with VLAN 200, 300, and the rest. Simply put, that’s probably easy to understand, but the terminology is what I see people getting confused over. Mirroring is where you’re basically having a replication of that port, whereas with tagging, you’re adding something to the frames on that VLAN or that port. For the exam, make sure you understand NAT and PAT; once again, this is probably something that you need to spend a few minutes on. Make sure you get it. Don’t get confused between NAT and PAT. You’ll more than likely see a question on this. I just can’t tell you exactly how I saw it. But I will say, get familiar with it.
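To show what “adding a header that identifies the VLAN” actually means on the wire, here is an added Python example (not from the course) that inserts and reads an IEEE 802.1Q tag in a raw Ethernet frame, and contrasts it with mirroring, which copies the frame unchanged. The MAC addresses and payload are constructed; the tag layout (EtherType 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the standard one.

```python
# Added example (not from the course): 802.1Q VLAN tag insertion/removal vs. mirroring.
import struct
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # tag protocol identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC | src MAC | EtherType | payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the original EtherType.
    TCI = PCP (3 bits) | DEI (1 bit, left 0 here) | VID (12 bits)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority code point must be 0..7")
    tci = (pcp << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def vlan_of(frame: bytes) -> Optional[int]:
    """Return the VLAN ID carried in the tag, or None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag (what an access port does before handing the frame to a host)."""
    if vlan_of(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def mirror_frame(frame: bytes) -> bytes:
    """Port mirroring replicates the frame byte-for-byte; nothing is added."""
    return bytes(frame)


if __name__ == "__main__":
    # Constructed frame: broadcast destination, locally administered source MAC.
    plain = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", ETHERTYPE_IPV4, b"\x45" * 20)
    tagged = tag_frame(plain, 100)
    print(len(plain), len(tagged))         # 34 38  (tag adds exactly 4 bytes)
    print(vlan_of(plain), vlan_of(tagged)) # None 100
    print(tagged[12:16].hex())             # 81000064: EtherType 0x8100, TCI 0x0064 (VID 100)
    print(untag_frame(tagged) == plain)    # True
    print(mirror_frame(tagged) == tagged)  # True: a mirror copy is identical
```

Tagging changes the frame; mirroring does not. That is exactly why the two terms should not be swapped on the exam, and why a tagged frame from VLAN 100 will be rejected or dropped by a port that is not configured to carry VLAN 100.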
Another organization I want to make sure you’re aware of, another company with products and services that you will likely use at some point in your careers, is Fortinet. Fortinet has a very broad and diverse capability, similar to Palo Alto with firewalls and threat mitigation capabilities; basically, a well-known service and solution provider. If you go over to the products page, they have a next-generation firewall just like Palo Alto. They’ve got endpoint security and IPS, just like a lot of other competitors do. They do have some unique features; for example, I do like some of their cloud capabilities, and they do act as a cloud broker. For those folks that aren’t familiar with what a “broker” is for the cloud, this is a company that you can go to and have them sort of match you up with the right product and service. So it’s sort of a cool capability. And they do support AWS and GCP as well. Once again, you can see that GCP is clearly behind in cloud capabilities, at least in terms of market share. And most of these vendors do not typically support all three clouds at the same time.
So that’s sort of an unusual solution that they have. And actually, the sandbox is a cool capability. For example, you go ahead and set up a sandbox for your infrastructure to basically contain issues in your environment, to allow hackers, for example, to be contained and also to control a threat. There are many different scenarios you could use a sandbox for. So, cool capabilities there. I also wanted to make sure that our folks over in Europe were aware of what is called the GDPR responsibilities coming up in the next year, for 2018, and I believe there are a couple of papers on it. I need a second; I just lost my place. Let me just go back to the home page. So anyway, if you go over here, here it is under Resources. Actually, you want to select this. So for folks that are in Europe, this is actually something you want to take a look at. And here’s why: just like in the US, there are plenty of compliance requirements. As a matter of fact, in the US, we’re probably about as free as someone in a cage.
So we have so many controls, checks and balances, and regulations to follow that it’s absolutely ridiculous, and Europe is no exception. But this sort of goes above and beyond what you’re dealing with. So with GDPR, and again, this is only if you’re in England or Europe, though there are also countries outside the EU that do business with the EU, there are going to be some requirements you may have to look at.
As a result, you will need to collect more information, keep it longer, and deal with security breaches more quickly. So just realize that these are things you need to be aware of. And again, mainly for our EU friends, you may want to take a look at this; there is a good white paper on it and webinars you could look at, and they explain why this is being introduced and areas you may want to focus on, and Fortinet can help you with that. So, with that said, you should be aware of Fortinet’s capabilities for the exam, but you don’t need to know all the fine details. You can use them for threat analysis, next-generation firewalls, or general endpoint protection, and they are a firewall vendor, so be aware of that.