CompTIA Network+ N10-008 – Network Security Part 2
Multifactor authentication. Now, in the lesson on security policies, we talked about the importance of using multifactor authentication. But what does that really mean? Well, when you have multifactor authentication, it means you authenticate or prove your identity using more than one method. Now, that can be something you know, something you have, something you are, something you do, or somewhere you are. And we’ll talk about each of those as we go through this lesson. The first one is something you know, and this is the most common factor. It is also known as the knowledge factor. So if it’s something you know, it could be something like a username, a password, a PIN, or answers to personal questions. All of those things are knowledge factors. If you know it and I can figure it out, then I know it; I now have that knowledge.
So one of the common questions I see is what would be considered two-factor authentication, and one of the choices they’ll give you will be something like a username and password. And a lot of students think that if you have a username and a password, that is multifactor or two-factor authentication because you’ve got two things right: I have a username and I have a password. Well, both of those are knowledge factors and so that is still considered a single factor authentication and that is not going to be giving you the best security. So instead, we’d want to add a second factor. Now, what are some of the weaknesses with passwords? Well, some of the most common weaknesses are that people don’t change their default credentials. You get a brand new system like a wireless router, for instance, or a wireless access point, and the default password is password, and nobody bothers to change it.
Don’t do that whenever you get a device; change the default credentials because default credentials are really easy to guess. Also, people will use common passwords, and that will become a big issue. Things like love and passwords and secrets are just way too common. Every year there is an attacker’s dictionary that comes out that shows the most commonly used passwords, and we can use those as part of our dictionary attack to find your password pretty darn quickly. The third type of password is one that is both short and weak. Short-term passwords are those that begin with the letters dog, puppy, or cupcake. Anything that is a standard dictionary word is bad. Anything that’s less than eight characters is probably bad. You really want to get a nice, long, secure password using upper- and lower-case letters, numbers, and special characters that will help increase the security of your password. And so if you are only using single-factor authentication like a username and password, at least make it a good password. Next, we have something you have; this is what we call the possession factor. This can be something like a smart card, which stores digital certificates on a card and allows access once a pin is provided. Something you have is the card; something you know is the pin number. You can also use RSA keys and buttons, as shown here on the screen. And every 30 to 60 seconds, the number on that display will change.
And so when I go to log into my machine, it will ask for my username and password and then that rotating pin number because that pin number is being provided by that Fob device. That is something you have. And combining that with my username and password, I know now that I have two-factor authentication. And finally, you can use something like an RFID tag. Some badges worn by employees will have an RFID tag built into them. And to log into the system, you tap your badge onto the computer, something you have, and then enter a pin, something you know—again, that’s good two-factor authentication. Next, something you are This we refer to as the inherent factor. The inherence factor now includes things like fingerprints because only I have my fingerprints, as well as retina scans; only I have my eye and voice prints. The way I talk is different than the way other people talk, right? And so my voiceprint is unique to me. All of these things can be used as an inherent factor or as something you are. These are not nearly as common because they feel intrusive to people. If every time I wanted to log on to my computer, I had to put my eye up to a scanner, I probably wouldn’t want to log on to my computer very often. And so most of the time, two-factor authentication is going to be something you know and something you have. Now, something you are using is often used in high-security environments, usually as a door lock or something of that nature. Next, something you do This is an action.
The way you sign your name, the way you draw a particular pattern, the way you say a certain passphrase—all of these are things you do that are unique to you. And that action can be measured by a computer and used for authentication. Usually you don’t want this to be a single factor, but you’ll add it to something you know to give you that two-factor authentication because people can forge your name and the way you sign, but generally the way you press and the way you put pressure on certain parts of your signature are unique to you. Finally, you are somewhere. This is the location factor. And we do this one of two ways: either using geotagging or geofencing. When we talk about geotagging, we’ll be using the GPS on your phone or the device that you’re using. So, if I try to log into my local server in Maryland, but my GPS coordinates show Moscow, Russia, it will reject me because it says you’re not here, you don’t need to be on our network, right? Geofencing is more commonly used when a device leaves a specific area; it sends an alert and notifies you. However, any of these uses of the location—country, state, city, or GPS coordinates—can all be used as a location factor as an additional layer of security and authentication in addition to something like a username and password.
Firewalls. One of the most common network security devices out there is a firewall. We’ve talked briefly about firewalls up to this point, but in this lecture, we’re going to delve deeper into firewalls to really understand the different types of firewalls and how they work. When we look at firewalls, we can see that they use a set of rules to define the types of traffic that are allowed or denied through the device. They act as a barrier to our networks.
They can be virtual or physical. They could also be on the host’s computer or on the network. It really depends on your implementation. But they’re all going to work about the same way. Another thing a firewall can do for you, particularly a physical one at the network’s edge, is perform network address translation, NAT or port address translation, and PAT functionality. That way, you can use one public IP and many private IPs.
Now, the first type of firewall we’re going to talk about is what’s called a packet-filtering firewall. These are going to permit or deny traffic based on the packet header, which means they have access to information such as the source or destination IP and the source or destination port. It’s going to look at each of these packets individually and then make its decision whether to permit or deny them based on its access control list. In the diagram here at the bottom, I want you to consider the access control list item that I showed here. Control List 100 Deny IPNE is available to me. What that means is that any IP is going to be denied if it meets these rules. Now, in this case, we have Interface FA 10 IP Group 100 in. And what that’s saying is that we’re going to apply this to any incoming traffic. So in the case of this one, if we have traffic coming in from the Internet, like an HTTP reply, it’s going to get blocked because nothing is allowed in because we had to deny any statement there.
Now, even though the request was able to go out because that’s outbound, that didn’t match one of our rules, but inbound will be blocked. And this is the bad thing about packet-filtering firewalls. They are only based on the ACL and only on ports or IP addresses. In this case, we blocked any port and any IP trying to make its way into our networks. That wouldn’t make for a very effective firewall if we wanted to be able to enable two-way communications. So the second type of firewall we have is what’s called a stateful firewall, and they’re going to inspect your traffic as part of a session. So let’s take the example on the screen. If I’m sitting on PC 1, and I make an SSH connection out to a server on the Internet, that is session 1.
The server can then reply to me with that SSH traffic, and the firewall will let it in because I opened the firewall by making the request. But if a second SSH server tried to come back and create its own session, the firewall is going to deny it. Now why is that? Because the firewall kept track of the fact that I had made a request, I was only going to get an answer to my request. Anything else is going to be blocked. You can see how this is far superior to that packet-filtering firewall that simply allows everything in or everything out, or everything for SSH in but no other ports in. In this case, we can keep track of those sessions and get a much more specific sense of what’s going to be allowed.
This is what people are using now to redo a phishing attack in order to exploit your networks. Because if I send you an email and you click the link, what you just did was request a session, and the firewall is going to let me come back in onto your network. That is the bad thing about a stateful firewall. If you have users who are doing the wrong things, the firewall is still going to let them through because they’re making that request out. Now, we can combine the ACLs and permit-deny statements of a packet filtering firewall with the stateful capabilities of a stateful firewall to really give us a good security device. And most modern firewalls will support both of those things. Now, the next type of firewall we have is called NextGen, or “next generation firewalls,” also abbreviated as “NGFW.” Now, unlike the stateful and stateless packet-filtering firewalls that operate at layer four and below, these third-generation firewalls can conduct deep packet inspection and packet filtering. They’re going to operate in layers five, six, and seven of the OSI model, where they can actually get really in depth and understand what those packets are containing. These are also referred to as “web application firewalls” if they are specific to a web server or “next-gen firewalls” if they’re for the entire network. And they’re a great way to inspect HTTP traffic in a network and understand what’s going on, then dig in and decide whether to allow it or not based on your rule sets.
Now, when we talk about ACLs, or access control lists, what exactly are they? They are the set of rules that are typically applied to a router interface or a firewall to allow or deny specific traffic based on IP or Mac address if dealing with switches or port if dealing with firewalls. Now, the ACLs are going to do this based on source IP, destination IP, source port, destination port, source Mac, and destination Mac. And you can choose any or all of these as criteria. Here’s an example: On the board, I have three different access control list entries. I have the first one, which is going to permit or deny, in the first column. The protocol you’re using, whether it’s TCP or UDP, is the second one. The next column is the source IP, and this can be any to signify all IP addresses or a specific IP address or range.
And then you have a destination IP. It can be, again, any; it can be a specific client or server, or it can be an entire range, as in the case here. After that, we have the destination port, which can be www for port 80, SSH for port 22, or telnet for port 23. You get the idea here. So in our case, we have this group on serial interface 10 that is going to be allowed in the inbound direction. We’re going to apply these three rules: it’s going to permit port 80 web traffic to come in; it’s going to permit SSH or port 22 to come in; but it’s going to deny port 23 or telnet traffic from coming in. And this is the way you can deal with your ACLs. for the network plus exam you should be able to read an ACL just like I did here on the screen, but you don’t need to come up with it by yourself and actually be able to create the ACL. Next, we have firewall zones. All firewall interfaces are classified as a certain zone, and you can set up rules based on those zones so that all inside rules apply to these interfaces and all outside rules apply to those interfaces.
And we have three zones: inside, outside, and the DMZ. Inside is going to be your intranet, and it’s going to be connecting to your corporate local area network. Outside is typically going to be your internet or your external network. And then we have this other zone called the DMZ, or demilitarised zone. It’s going to connect devices that should have some restricted access from the outside zone, like web servers and email servers, but still aren’t necessarily trusted by your internal network. It’s a kind of limbo between being trusted on the inside and not trusted on the outside. It’s part of your network, but it’s segmented off. Now, what does this look like in a network diagram? Well, here’s an example: Inside, I have three PCs and a switch, and they’re going to be able to tie into the firewall and allow traffic to go between certain zones. And then we have the DMZ, where my email and my web server are up at the top.
And then I have this outside internet zone. So if I have an untrusted Internet, am I going to allow traffic to go into my internal network or my inside network? Well, no, the only way I’m going to do that is if somebody has requested it, like using a stateful firewall. So in general, we’re going to block everything from going from the internet into my internal network. now from my internal network to my DMZ. Again, the DMZ is not fully trusted, so we’re going to treat it like the internet from our internal network. If we request information from the email or web server, we’ll get returned traffic. Now let’s talk about the DMZ from the outside. The DMZ, on the other hand, should always be able to leave and request whatever they want from the outside world or the internet. But we do have to allow certain things to come into the DMZ, and that would be things like port 25 for sending email, port 1110 for POP3, and port 143 for IMAP. Those email-type services need to be able to receive inbound traffic from the internet because that’s what the email server is designed to do. same thing for the web server.
We’re going to need to allow ports 80 and 443 for unsecured and secured web browsing, respectively. And that way, if we’re running a web server, people outside our network can get to those web servers. That’s why the DMZ is considered a semi-trusted zone. We can really lock it down, but we still have to have some open access to it. Now the last type of device I want to mention here is what’s called a UTM, and these have gained a lot of popularity in recent years. This is a device that’s going to combine your firewall, your router, your intrusion detection and intrusion prevention systems, any malware solutions, and other securities into one singular device that is placed on your network. This is generally a border device.
There’s an agent that is run on your internal clients, and they can be queried by the UTM before allowing any connection to the network. So they can serve as NAC, network authentication, and network authorization prior to allowing a new device on your network. As well. These unified threat managers can be purchased as a physical device or as a virtualized device for installation in your networks. And they also have cloud solutions that are available, so you can just route all your traffic to a cloud service provider, and they’ll do all this security for you and then route your traffic out to the internet. UTMs are expanding in popularity, and you’re going to see them more and more in networks because they have this always-on, always-updated signature with the latest threat intelligence, providing you with additional security for your networks that a firewall alone just can’t provide.
Intrusion detection and intrusion prevention systems, or IDs and IPS, Now, an intrusion detection and prevention system can recognise network attacks, and in the case of an intrusion prevention system, it can even respond appropriately. It’s going to analyse the incoming data streams for any attacks using different detection mechanisms such as signature-based or behavioral-based. And we’ll talk about those more as we go through this lesson. One of the most common ones is what’s called Snortsnort, which you can see here on the screen. It is a software-based intrusion detection and intrusion prevention system that is open source and widely used in the industry. Now, an intrusion detection system is a passive device. It’s going to operate in parallel to your network, and you can see it here hanging off just below the switch in this network.
It will monitor all traffic, log it, and issue alerts if it detects anything suspicious. If it thinks there’s an attack going on, like a port scan, a denial of service attack, or anything else that matches its database of signatures, it will alert the system administrator, but it won’t respond. All it’s going to do is log it and maybe capture some packet data on it. If you’ve configured it for packet capture, you should send the alert to the administrator to look into it further. Now, if you have an intrusion prevention system, this is an active device, and it’s going to operate as normal. Notice how it’s placed there between the firewall and the switch. So as traffic goes from the attacker through the Internet, to the router, to the firewall, through the intrusion prevention system, and then off through the switch to the destination target, it can actually stop and block that data. This will be determined once again by its signatures.
It’s going to monitor all the traffic, send the alerts, do the logging, and do the packet capture, but it can also drop or block offending traffic, which therefore can stop attacks in progress. If you’re worried about a denial-of-service attack, an IPS is one of the best ways to prevent this from happening. Now, why would we use an ID versus an IPS? Well, one of the problems is that IPSes and IDSes are not always tuned properly, so if you have a false positive, you can drop legitimate traffic. And that’s one reason why a lot of organisations operate these as a detection system instead of a prevention system.
Now, speaking of detection, how can we detect things? Well, there are three main methods. There is signature-based detection, policy-based detection, and anomaly-based detection. When you deal with signature-based detection, this is when a signature contains a string of bytes that is a unique fingerprint, some sort of pattern that’s going to trigger detection. Think of it like a signature for malware, right? or your handwritten signature. I can look at that and go, “Oh, I know that’s John Smith’s signature.” That’s what we’re doing here with the data flowing through the network. Now you have to create these signatures or download them from a central repository. And if that signature matches something that is not threatening and you have it in prevention mode, it could actually cause issues for you. Next, you have policy-based detection, and this is going to rely on a specific declaration of the security policy. So you may say something like “no telnet allowed.” And so if we see anything trying to talk on port 23, we know that’s a policy issue, and it’s going to flag that in the logs and the alerts. Next, we have anomaly-based detection, and this is either statistical or non-statistical.
If it’s a statistical anomaly, it’ll look for traffic patterns and create this baseline. And then any time it sees something outside of what it thinks is normal, it’s going to flag it again. If you’re using an IPS, this can be very dangerous because something that is completely normal and routine, but just a little bit outside the baseline, could flag and cause issues for your users. When you have a non-statistical anomaly, this is based on a pattern or baseline that the administrator defines. So I will go in and actually configure it so that it says, “Hey, anytime I see more downloads than one gigabit per user per day, flag that.” That might be something you want to do. Those kinds of things are going to be set by the administrator, and that would be a non-statistical anomaly. Now, in addition to having intrusion detection systems and intrusion prevention systems, we also have host-based and network-based systems.
And this works for both IDs and IPS. Network security devices safeguard the entire network. The diagrams I showed you earlier, where it was hanging off the switch or between the switch and the firewall, were examples of network intrusion detection systems and network intrusion prevention systems. But you can also have it installed as software on your host. So if you’re running Windows or Mac, you can instal a piece of software that can actually serve as an intrusion detection or prevention system for you. And that’s called a host base because it’s sitting on a host, a client, or a server. Now, network and host bases can actually be used together to give you even more protection. You may have a network intrusion prevention system in place to protect against a denial of service attack. But you might have a host intrusion prevention system on your client so that people can’t instal and run software that you don’t authorize. and this is going to protect you from malware attacks. Now, what does this all look like when you put it together?
Well, it looks like this. Notice that I have two switches hanging off that router. I have my administrative and management network up top, and I have my users off to the left. In my user domain, I have an intrusion detection system that is network-based, hanging off the switch. Then I also have an intrusion protection system sitting there between the firewall and the router to protect myself from denial-of-service attacks. And then, if I have a DMZ, I might put another IPS there that is between the switch and the firewall that’s going to protect that web server. Now, in addition to all those network-based defenses, I can instal software on PC 1, PC 2, and PC 3. That is a host ID, a host IPS, that is going to be connected back to the management PC up at the top, which is going to take and correlate all those logs and alerts and then be able to investigate them. And you can see how this all works together to give us additional security.
Virtual private networks, or VPNs, What is a virtual private network? Well, a VPN is going to enable work in remote offices and telecommuting. There’s going to be a VPN device sitting at the head office, and we can then connect back into it to securely connect corporate users over an untrusted network such as the Internet. That may be a site-to-site VPN, like going from my regional offices to my head office. Or it might be for remote and roaming users going from a client to site VPN, such as the laptop and desktop at the bottom of the screen connecting back to the head office. Now, when we talk about site-to-site, this is where we interconnect these two sites and provide an inexpensive alternative to lease lines. We talked about this back in Wan connections as well.
If I want to be able to connect my remote regional office to my head office and say I’m going from California to Washington, DC, that’s 3000 miles. If I had to pay for a T-1 connection between those two sites, that would be very expensive. But instead, I can just create a VPN tunnel from the regional office over the Internet. Since they already have Internet connectivity, that may only cost me $50 or $100 per month. That tunnel will take all the traffic from the regional office, route it back to the head office, and then out to the Internet, creating this nice, secure tunnel that nobody can see the internal network traffic through, even though we’re going over this external Internet connection. Now, when we deal with client-site connectivity, instead of doing it from router to router or device to device, we’re doing it from one single host, like a laptop, a cell phone, a smartphone, or a tablet, and connecting it back to our head office. This allows the remote user to be able to connect back to the head office, and that’s why we call it Client to site. Now, when we deal with VPNs, we have a lot of different types of VPNs, and we’re going to talk about those here.
The first one is SSL, or Secure Socket Layer. Secure Socket Layer is going to provide cryptography and reliability using the upper layers of the OSI model, specifically layers 5, 6, and 7. This has been replaced in recent years by TLS, or “transport layer security,” in most of our modern networks, and it allows us to have secure web browsing over HTTP. So when you log into my site to watch this video and you put in your username and password and you saw that green lock, that was an HTTPS connection, and you were using either SSL or TLS to create a secure VPN tunnel through your browser from your computer to my server to be able to pull these videos. Next, we have TLS. And TLS is the updated version of SSL, and it stands for “transport layer security.” Again, if you’re using HTTPS these days, you’re probably using TLS. The new one that we have is called DTLs, which is datagram transport layer security. While TLS and SSL both operate using TCP connections, DTLs use UDP connections. Now, it’s based on the TLS protocol, but it’s using Datagram, so it’s using UDP traffic. Why did we have to invent this? Well, everyone was trying to use TLS for everything, and TLS is great when you’re dealing with text-based traffic and lower bandwidth traffic. But as we started wanting to go into video streaming and things like that, using something like DTLs is actually more efficient because of the lower overhead of the UDP protocol.
This gives you security over UDP and prevents eavesdropping, tampering, and message forgery. Next, we have the layer-two tunnelling protocol, or L-TP. It lacks security features like encryption and was a very early VPN. This was actually invented back in the 1990s, and it can be used for secure VPNs if you combine it with another protocol to give you that encryption service. If you implement it with that extra encryption, it is used in a lot of modern networks. Cisco created Layer 2 forwarding, or L2F, to provide a tunnelling protocol for point-to-point protocols. Unfortunately, it, like the Layer 2 tunnelling protocol, lacks native security and encryption features. And so we’ve also moved away from layer-two forwarding for that reason. PPTP is the point-to-point tunnelling protocol, and it’s an older protocol that was used for dial-up networks. It lacks the native security features, but Windows has added some of those in in their implementation. And so PPTP, if you’re using a dial-up VPN through Windows, is still considered relatively secure. Now, all of these VPN types are able to be used. It’s just a matter of which one is going to be most secure for your implementation. In modern VPNs, though, most of the time we’re going to use something called IPsec or IP security. And that one will be covered in a separate lecture because it is a little more in depth than what you need to know.
IP Security, or IPsec Now, we talked about a lot of different VPN modes, but the most commonly used one for traffic over the Internet is IPsec. And it’s the one you’re most likely going to come across when you’re designing your networks. The great thing about IPsec is that it provides data confidentiality, integrity, and authentication. Encryption gives you intentional integrity by ensuring the data is not modified in transit by checking it with hashes, and it gives you authentication by verifying both parties are who they claim to be. It really does go after the entire three legs of the CIA triad. Now, the first thing we need to talk about when we talk about IPsec is keying. And this uses Internet Key Exchange, or IKE, which is what it uses to create its secure tunnel. IC will employ encryption between authenticated peers. Now, it’s going to have three different modes that you can use. There is the main mode, which uses three separate key exchanges that happen.
There is an aggressive mode, which achieves the secure tunnel’s results faster but only uses three packets. And then there’s Quick Mode, which negotiates parameters over the IPsec session. Most of the time when I’ve implemented IC and done IPsec, we’ve used IKE in main mode because it does give you three full separate key exchanges and gives you a little bit more security. Now, how is an IPsec tunnel established? Well, there are two phases to this Internet key exchange. In the first phase, we’re going to establish an encryption and authentication protocol between our two VPN endpoints, and that’s going to create the tunnel itself. In that tunnel, we’re going to use Isocamp IsaKMP to establish either the main or aggressive mode to create what we call a security association. And at that point, the first-key exchange happens in both directions. Now, in IC phase two, this is going to happen as a tunnel inside of a tunnel.
And so within that IC phase one tunnel, we’re going to establish authentication and encryption protocols again and create an IPsec tunnel. This way, the data will be able to flow using separate key exchanges as well. And we have this tunnel inside a tunnel that creates this secure VPN tunnel, which is what we call it. Now, let’s go through this step-by-step to see how it really works. First, we’re going to establish the IPsec tunnel, and the peers are going to authenticate using certificates or some pre-shared secret. If we both have our own public key and private key infrastructure, we can exchange digital certificates like those shown here on the screen. Now, once we have that, each side is going to create its own private key and derive a public key from it. And then they’re going to exchange those keys. This is using what we call the “Diffy Helming key exchange.” So as you can see, PC One and PC Two each create their own private key, which I’ve labelled PRI. From that key, they use a mathematical algorithm to calculate their public key and hand that over to the other PC to create this key exchange.
So now PC Two has its private key and the public key for PC One. PC One has its own private key, and PC Two has its own public key for PC Two. At this point, each side is then going to calculate a shared secret using the Diffi-Hellman protocol. By using their private key and the other person’s public key and this mathematical algorithm, they get the Diffie-Hellman key, which is the same on both sides, which now allows us to create our tunnel. At this point, they’ve both agreed to the encryption and integrity methods, and they’re going to establish their ICPhase-2 tunnel using that Diffi Hellman key. Now at this point, they’re going to use the IPsec tunnel created with what is called the Phase Two key. Once they have this encryption and integrity intact, this now becomes the tunnel inside the tunnel. And now we can have a secure method to communicate between the two. So I know that was a lot. Let me break it down into five steps. PC One is going to send traffic to PC Two, and then Router One is going to create the initiation of this IPsec tunnel. Router One and Router Two are going to negotiate their security associations to form the IPsec tunnel, the IC Phase One tunnel, or the Isocamp tunnel. Now IC Phase Two is going to create this tunnel inside the tunnel. When it’s negotiated and set up, that tunnel is established in step four, and the information starts flowing securely between PC One and PC Two securely. When they’re all done, the tunnel is going to be torn down and the IPsec security associations deleted. And if you wanted to be able to create another VPN, you would have to start this whole process over from the beginning. There are two approaches you can take when communicating from one PC to another via VPN.
There are two modes of operation: transport and tunneling. Now, Transport mode is going to use the packet’s original IP header, which is used for client-to-site VPNs. This approach works well if you have problems increasing packet size because of the maximum transmission unit size. And it does work very well in client-to-site VPNs. Now if you’re going to do site-to-site VPNs, like from the regional office back to the main office, you probably should use a tunnelling mode. Tunnel mode is going to encapsulate the entire packet and put another header on top of it. Think about taking an envelope and putting it inside another envelope to readdress it, and then shipping it to somebody. This new header is going to have a new source and destination for the VPN terminating devices at a different site. It wants to go to And again, this is used from site to site. We’ve covered a lot of ground in VPNs. What do you need to know for the exam? Well, you don’t need to know how VPNs work and create this entire tunnelling protocol or the tunnel inside a tunnel for the network plus exam. If you move on to the Security Plus exam, this will definitely be fair game, and you’ll see a lot of questions on it. But for network plus, be aware of transport mode and tunnelling mode, and be aware of some of the terms like IKE or Isaac Hemp or security associations. If you see those terms, recognise that they’re dealing with IPsec and VPN.
Popular posts
Recent Posts