Security Plus Notes Network Security Network Architecture and Topology: Network Architecture: 1. General Overview: Network architecture refers to the overall design and layout of a computer network. It encompasses the arrangement of components, devices, protocols, and services that make up the network. 2. Key Components: The key components are routers, switches, servers, clients, firewalls, and network cables. Routers: Overview: Routers are devices that connect different networks and forward data packets between them. They operate at the network layer (Layer 3) of the OSI model. Function: Routers determine the best path for data to travel from the source to the destination across interconnected networks. They are essential for connecting local networks to the internet and for segmenting networks into smaller subnetworks. Security Role: Routers can enforce network access control, limit exposure to external threats, and implement Network Address Translation (NAT) to hide internal network structures. Switches: Overview: Switches are devices that operate at the data link layer (Layer 2) of the OSI model. They connect devices within a local network (LAN). Function: Switches efficiently forward data packets to the appropriate destination device within a LAN based on the device's Media Access Control (MAC) address. Security Role: Switches provide network segmentation and help control network traffic, but they primarily function as a network infrastructure device. Servers: Overview: Servers are powerful computers or devices designed to provide services, data, or resources to other devices on the network. They can serve various purposes, such as hosting websites, managing email, storing data, and running applications. Function: Servers respond to client requests, process data, and deliver services to users or clients on the network. Security Role: Servers are a critical element of network security as they often store sensitive data and provide entry points for attackers. Protecting servers is a key security concern. Clients: Overview: Clients are the end-user devices, such as desktop computers, laptops, smartphones, and tablets, that access network resources and services. Function: Clients request and receive data, services, or resources from servers and other devices on the network. Security Role: Securing clients is essential to prevent malware infections, data breaches, and unauthorized access to network resources. Firewalls: Overview: Firewalls are security devices or software applications that control network traffic by examining and filtering packets based on predefined rules and policies. Function: Firewalls block or permit network traffic based on criteria like source and destination IP addresses, ports, and protocols. They protect against unauthorized access and security threats. Security Role: Firewalls are a primary security measure for protecting networks from external threats and controlling traffic within the network. Network Cables: Overview: Network cables are physical cables or wires used to transmit data between network devices. There are various types of network cables, including Ethernet (Cat 5e, Cat 6, Cat 6a, Cat 7) and fiber optic cables. Function: Network cables carry data between devices within a network. The type of cable used depends on factors like data speed requirements, distance, and environmental conditions. Security Role: While not directly a security device, the choice of network cables can impact data transmission security, especially in terms of data integrity and confidentiality. 3. Design Considerations: When designing a network architecture, factors such as scalability, performance, redundancy, fault tolerance, security, and cost-effectiveness are considered. 4. Types of Network Architectures: Common network architectures include client-server, peer-to-peer, and hybrid models. Each has its own advantages and is suitable for different use cases. 5. Security Implications: Network architecture can have a significant impact on security. For instance, the placement of firewalls, intrusion detection systems, and access control mechanisms within the architecture can influence the network's security posture. Network Topology: 1. General Overview: Network topology refers to the physical or logical layout of devices and connections in a network. It defines how devices are interconnected and how data flows between them. 2. Types of Network Topologies: Common network topologies include: Bus Topology: All devices are connected to a central cable, creating a linear network. Star Topology: Devices are connected to a central hub or switch. Ring Topology: Devices are connected in a circular or ring-like fashion. Mesh Topology: Every device is connected to every other device. Hybrid Topology: A combination of two or more topologies. 3. Security Implications: The network topology can influence the security of a network. For example, in a star topology, the central hub or switch may be a single point of failure, making it a critical security consideration. 4. Scalability and Performance: Different topologies have different characteristics related to scalability and performance. The choice of topology can impact a network's ability to expand and its overall performance. 5. Reliability and Redundancy: Network topologies can affect reliability and redundancy. For example, mesh topologies are highly redundant, as data can travel through multiple paths. 6. Network Management: Network topology also affects network management and troubleshooting. The layout of devices can influence how network administrators monitor, maintain, and troubleshoot the network. Basic Information: Security Protocols: Overview: Familiarize yourself with common network security protocols such as SSL/TLS for encryption, SSH for secure remote access, IPsec for VPNs, and WPA/WPA2/WPA3 for securing wireless networks. Summary: Security protocols are sets of rules and procedures that are designed to ensure the secure communication and exchange of data between two or more entities in a network or system. Cryptography Protocols: Encryption Protocols: Understand encryption methods and protocols like SSL/TLS for securing data in transit over the internet, and IPsec for securing virtual private networks (VPNs). Public Key Infrastructure (PKI): Learn about PKI, which includes protocols like X.509 for managing digital certificates, and how it supports secure authentication and data encryption. Authentication Protocols: RADIUS: Be familiar with the Remote Authentication Dial-In User Service (RADIUS) protocol, which is commonly used for authenticating and authorizing network users, especially in remote access scenarios. TACACS: Know about Terminal Access Controller Access-Control System (TACACS) and TACACS+ protocols, used for remote authentication and authorization in network devices. Access Control Protocols: LDAP: Learn about the Lightweight Directory Access Protocol (LDAP), used for accessing and managing directory services like Microsoft Active Directory, which plays a significant role in user authentication and authorization. Secure Wireless Protocols: WPA/WPA2/WPA3: Understand the various iterations of the Wi-Fi Protected Access (WPA) protocol, which provide security features for wireless networks, and the importance of choosing strong encryption and authentication methods. 1. WEP (Wired Equivalent Privacy): WEP was the original security protocol used for wireless networks. However, it is now considered weak and easily compromised. Its use is strongly discouraged. 2. WPA (Wi-Fi Protected Access): WPA is an improvement over WEP and provides stronger security. It uses TKIP (Temporal Key Integrity Protocol) for encryption and includes authentication mechanisms like WPA-PSK (Pre-Shared Key) and WPA-Enterprise (using an authentication server). 3. WPA2 (Wi-Fi Protected Access 2): WPA2 is the current standard for wireless network security. It uses the AES (Advanced Encryption Standard) algorithm for encryption and offers stronger security than WPA. It supports both WPA2-PSK and WPA2-Enterprise authentication modes. 4. WPA3 (Wi-Fi Protected Access 3): WPA3 is the latest iteration of Wi-Fi security protocols. It enhances security by introducing new features like SAE (Simultaneous Authentication of Equals) and stronger encryption methods. WPA3 is backward compatible with WPA2. 5. EAP (Extensible Authentication Protocol): EAP is an authentication framework used in wireless networks. It allows for different authentication methods to be used, such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), PEAP (Protected EAP), and EAP-FAST (Flexible Authentication via Secure Tunneling). Secure Email Protocols: S/MIME: Be aware of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, which provides email message encryption and digital signatures for email security. PGP/GPG: Know about Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) for end-to-end email encryption and authentication. Secure File Transfer Protocols: SFTP: Understand the Secure File Transfer Protocol (SFTP) for secure file transfers over SSH. FTPS: Learn about FTPS, which is FTP over SSL/TLS, providing secure file transfer capabilities. Firewalls: Understand the purpose of firewalls, including stateful and stateless firewalls, and how they are used to filter network traffic and protect against unauthorized access. Types of Firewalls: Packet Filtering Firewalls: These firewalls inspect each network packet and allow or block it based on predefined rules. They operate at the network layer (Layer 3) and are often the first line of defense. Stateful Firewalls: Stateful firewalls keep track of the state of active connections and make decisions based on the state table. They provide greater security and are aware of the state of the connection, helping to prevent unauthorized access. Proxy Firewalls: Proxy firewalls act as intermediaries between clients and servers. They inspect and filter traffic at the application layer (Layer 7) and can provide enhanced security by hiding the internal network structure. Next-Generation Firewalls (NGFW): NGFWs combine traditional firewall capabilities with advanced features such as intrusion detection and prevention, deep packet inspection, and application layer filtering. Firewall Rule Configuration: Understand how firewall rules work. Rules specify which traffic is allowed or denied based on criteria such as source and destination IP addresses, ports, and protocols. Stateful Inspection: Comprehend the concept of stateful inspection, which allows stateful firewalls to keep track of the state of network connections and make decisions based on the context of the traffic. Network Address Translation (NAT): Learn about NAT, which is often used in conjunction with firewalls to map internal private IP addresses to a single public IP address. This helps hide the internal network structure. Application Layer Filtering: Understand how proxy firewalls and some NGFWs perform deep packet inspection to filter traffic at the application layer, allowing granular control over the applications and services being accessed. Firewall Security Policies: Be aware that firewalls are configured with security policies that define which traffic is allowed and which is blocked. You should understand how to create, implement, and manage these policies. Intrusion Detection and Prevention: Some firewalls can have intrusion detection and prevention capabilities. Be aware of how these features enhance security by identifying and responding to potentially malicious traffic. Logging and Reporting: Understand that firewalls typically log network traffic and security events. This information can be useful for monitoring and incident response. Intrusion Detection and Prevention Systems (IDPS): Learn about the role of IDPS in network security and how they monitor network traffic to identify and respond to suspicious activities. 1. Intrusion Detection vs. Intrusion Prevention: 2. 3. 4. 5. 6. 7. 8. Intrusion Detection Systems (IDS) are designed to identify and alert on suspicious or potentially malicious activities. They monitor network or system traffic and compare it against known patterns or signatures to detect anomalies. Intrusion Prevention Systems (IPS) go a step further by not only detecting intrusions but also actively blocking or preventing them. They can take automated actions to stop threats in real-time. Types of IDPS: Network-Based IDPS (NIDS): These systems monitor network traffic to detect and respond to suspicious activities. They analyze packets and network data, looking for signs of intrusion or anomalies. Host-Based IDPS (HIDS): HIDS are installed on individual hosts (such as servers or workstations) to monitor activities on those specific devices. They can identify attacks or misconfigurations on the host itself. Hybrid IDPS: Some systems combine NIDS and HIDS capabilities to provide comprehensive network and host-based intrusion detection and prevention. Signature-Based and Anomaly-Based Detection: Signature-Based Detection: This approach involves comparing network or system activity to known attack signatures or patterns. If a match is found, it triggers an alert. Anomaly-Based Detection: Anomaly-based IDPS looks for deviations from established baselines. It identifies activities that are unusual or inconsistent with normal behavior, which may indicate an attack. Behavioral Analysis: Some modern IDPS incorporate behavioral analysis to identify abnormal patterns of behavior. This includes tracking user behavior and network traffic for deviations from typical usage. Response Mechanisms: Learn about the response mechanisms used by IDPS, which can include alerting administrators, blocking traffic, isolating compromised systems, and triggering incident response procedures. Tuning and False Positives: Understand that IDPS systems may generate false positives (incorrectly identifying normal activity as an intrusion). You might need to know how to tune the system to reduce false alarms. Log Analysis and Reporting: IDPS generate logs of detected events. These logs can be used for incident analysis and reporting. You should be familiar with interpreting these logs for potential security incidents. Integration with Other Security Systems: Be aware that IDPS often work in conjunction with other security systems, such as firewalls and antivirus so Network Segmentation: Understand the concept of network segmentation, which involves dividing a network into smaller, isolated segments to limit the spread of threats and secure sensitive data. 1. Purpose of Network Segmentation: Network segmentation is primarily used to improve security by isolating different parts of a network from each other. It limits the "blast radius" of a security incident, making it more challenging for an attacker to move freely throughout the network. 2. Benefits of Network Segmentation: Isolation: Each segment operates independently and has restricted communication with other segments, reducing the impact of a security breach. Access Control: Segments can have their own access control policies and authentication mechanisms, limiting who can access them. Performance: Smaller segments can lead to improved network performance as there is less broadcast traffic and congestion. Compliance: Segmentation can help organizations meet regulatory compliance requirements by enforcing separation of sensitive data. 3. Types of Network Segmentation: Logical Segmentation: This involves using VLANs (Virtual Local Area Networks) to separate network traffic logically. VLANs can be created without the need for physical separation. Physical Segmentation: Physical separation involves using separate physical networks, such as separate LANs or even completely isolated networks, to segment traffic. 4. Segmentation Use Cases: Guest Networks: Many organizations create separate guest networks to isolate guest traffic from internal resources. DMZ (Demilitarized Zone): A DMZ is a network segment that sits between the public internet and the internal network. It typically hosts public-facing services like web servers and email servers. Secure Zones: Segments can be created for critical assets, separating them from less critical systems. IoT Networks: Internet of Things (IoT) devices can be placed on their own segments to reduce security risks. 5. Access Control and Security Policies: Understand that each network segment can have its own access control policies and security measures. For example, you might need to configure firewall rules and access controls for different segments. 6. Challenges and Considerations: Be aware of the challenges of network segmentation, such as the need for proper planning, maintenance, and the potential complexity it introduces. Access Control: Be aware of access control mechanisms, including role-based access control (RBAC) and mandatory access control (MAC), and how they restrict access to network resources based on user roles and permissions. 1. Access Control Basics: Access control is the process of determining who is allowed to access what, when, and under what conditions. It involves granting or denying permissions based on the identity and authorization level of users or entities. 2. Components of Access Control: Access control systems typically include three primary components: Subjects: These are the entities seeking access, which can be users, devices, or processes. Objects: These are the resources or assets being accessed, such as files, directories, databases, networks, and systems. Access Controls: These are the rules, policies, and mechanisms that define and enforce access permissions. 3. Access Control Models: Different access control models are used to define and enforce access rights. Common models include: Discretionary Access Control (DAC): Users have control over the permissions they grant to others on objects they own. Mandatory Access Control (MAC): Access is based on security labels and set by administrators or security policies. Role-Based Access Control (RBAC): Access is determined by the role or job function of users. Attribute-Based Access Control (ABAC): Access decisions are based on attributes and conditions. Rule-Based Access Control (RBAC): Access rules are predefined, and access is granted or denied based on these rules. 4. Access Control Lists (ACLs): ACLs are commonly used to specify which users or groups have access to specific objects. You may need to understand how to configure and manage ACLs. 5. Authentication and Authorization: Authentication: Ensures that users are who they claim to be. Knowledgebased authentication (passwords), biometrics, and multi-factor authentication are relevant here. Authorization: Determines what resources or actions users are allowed to access after they've been authenticated. It's about defining permissions and rights. 6. Access Control Policies: Organizations typically define access control policies that specify who has access to what, based on job roles, data sensitivity, and other factors. These policies need to be enforced consistently. 7. Access Control Mechanisms: Different technical mechanisms are used to enforce access control, including user accounts, permissions, access tokens, encryption, and access control lists (ACLs). 8. Access Control Enforcement: Understand how access control is enforced through methods like access request processing, access approval, and access auditing. Wireless Network Security: Know the fundamentals of securing wireless networks, including the use of encryption protocols like WPA3, disabling unnecessary services, and implementing strong passwords. 1. Wireless Network Threats: Understand the various security threats that can affect wireless networks, including unauthorized access, eavesdropping, denial of service (DoS) attacks, and rogue access points. 2. Encryption and Authentication: Be familiar with encryption protocols like WPA2, WPA3, and the use of AES (Advanced Encryption Standard) for securing wireless communications. Understand authentication methods such as pre-shared keys (PSK) and EAP (Extensible Authentication Protocol), which are used to verify the identity of wireless clients. 3. Wireless Access Control: Learn about MAC filtering, which allows or denies access to a wireless network based on the physical addresses of wireless devices. Be aware of the use of captive portals and 802.1X authentication for controlling access to Wi-Fi networks. 4. SSID Management: Understand the importance of properly configuring Service Set Identifiers (SSIDs) to avoid broadcasting them unnecessarily, and how hiding SSIDs can be a security measure. 5. WPS Vulnerabilities: Be aware of the vulnerabilities associated with Wi-Fi Protected Setup (WPS) and why it's often recommended to disable WPS on wireless routers. 6. Wireless Intrusion Detection and Prevention: Learn about wireless intrusion detection systems (WIDS) and wireless intrusion prevention systems (WIPS), which help detect and respond to unauthorized wireless devices or activities. 7. Guest Networks: Know why organizations often set up separate guest networks with limited access to the internet to protect their internal networks from potential threats from guest devices. 8. Wireless Network Auditing: Be aware of the use of tools like Wireshark and network analyzers for monitoring and auditing wireless traffic for security vulnerabilities. 9. Security Best Practices: Understand best practices for securing wireless networks, such as regularly changing default passwords, enabling strong encryption, and updating firmware to patch known vulnerabilities. 10. Wireless Security Protocols: Familiarize yourself with WPA2, WPA3, and the security features they offer, such as protection against dictionary attacks and better encryption methods. Security Policies: Be prepared to understand the importance of network security policies, including acceptable use policies, incident response plans, and disaster recovery plans. 1. Types of Security Policies: Acceptable Use Policy (AUP): Defines what is and isn't allowed when using an organization's IT resources, including computers, networks, and the internet. Data Classification Policy: Establishes how data should be classified based on its sensitivity and how it should be handled, stored, and shared. Password Policy: Outlines requirements for creating and managing passwords, including complexity, change frequency, and storage. Incident Response Policy: Defines how the organization will respond to security incidents, including the roles and responsibilities of incident response teams. Remote Access Policy: Addresses secure remote access to the organization's systems and data, specifying access methods, authentication, and encryption requirements. BYOD (Bring Your Own Device) Policy: Governs the use of personal devices for work purposes, including security measures and restrictions. Network Security Policy: Covers the organization's approach to network security, including firewall rules, intrusion detection/prevention, and network segmentation. Physical Security Policy: Specifies measures to protect physical assets, such as access controls, surveillance, and environmental controls. Social Media Policy: Guides employees on the appropriate use of social media for work-related activities and the protection of sensitive information. 2. Content and Structure: Understand that security policies should be well-organized and clearly written. They typically include sections for purpose, scope, responsibilities, definitions, enforcement, and revision. 3. Compliance and Legal Requirements: 4. 5. 6. 7. Be aware that many security policies must align with industry-specific regulations and legal requirements. These policies may also be influenced by international standards, such as ISO 27001. User Awareness and Training: Security policies should include provisions for user training and awareness, ensuring that employees understand their responsibilities and the consequences of policy violations. Policy Enforcement: Policies must define how they will be enforced and the potential consequences of policy violations. This can include disciplinary actions and legal consequences. Review and Revision: Recognize that security policies should be regularly reviewed and updated to reflect changing threats, technology, and business needs. Role-Based Policies: Some organizations implement role-based policies that specify the responsibilities and access rights of specific job roles. Threat Mitigation Techniques: Learn about various threat mitigation techniques, such as intrusion prevention, network monitoring, and security awareness training for employees. 1. Antivirus and Antimalware Software: Antivirus and antimalware software helps protect systems from malicious software, including viruses, worms, Trojans, and spyware. Regular updates are essential to keep up with new threats. 2. Firewalls: Firewalls filter network traffic, allowing or blocking data packets based on defined rules. They are essential for controlling inbound and outbound traffic and protecting against unauthorized access. 3. Intrusion Detection and Prevention Systems (IDPS): IDPS are used to monitor network and system activities, identify suspicious patterns, and take actions to prevent or mitigate intrusions. 4. Encryption: Encryption techniques protect data by converting it into a secure, unreadable format. This safeguards data during transmission (e.g., SSL/TLS for web traffic) and at rest (e.g., full-disk encryption). 5. Access Control: Access control mechanisms limit user access to resources based on permissions, roles, or policies. This includes user authentication, authorization, and accounting (AAA). 6. Patch Management: Regularly applying software and firmware updates (patches) helps address known vulnerabilities and reduce the risk of exploitation. 7. Backup and Disaster Recovery: Backup solutions create copies of data, and disaster recovery plans help organizations recover quickly after incidents like data loss, hardware failures, or natural disasters. 8. Security Awareness and Training: Educating employees and users about security best practices, policies, and potential threats is vital for reducing human error and improving overall security. 9. Network Segmentation: Dividing a network into smaller segments can limit the spread of threats and improve overall network security. 10. Incident Response Plans: Incident response plans define procedures for identifying, responding to, and recovering from security incidents, including data breaches and cyberattacks. 11. Vulnerability Scanning and Assessment: Regularly scanning and assessing systems and networks for vulnerabilities helps organizations proactively address potential weaknesses. 12. Secure Coding Practices: Developers should follow secure coding guidelines and practices to reduce the risk of software vulnerabilities. 13. Security Policies and Procedures: Establishing and enforcing security policies and procedures helps ensure consistent and compliant security practices within an organization. 14. Physical Security Measures: Physical security measures, such as access controls, surveillance, and environmental controls, protect physical assets and prevent unauthorized access. 15. Web Application Firewalls (WAFs): WAFs are specialized firewalls designed to protect web applications from common attacks like SQL injection and cross-site scripting (XSS). 16. Secure File Transfer Protocols: Using secure file transfer protocols like SFTP and FTPS helps protect data during file transfers. Threats, Attacks, and Vulnerabilities Identity and Access Management, Technologies and Tools Risk Management and Incident Response