Security+: Network Design Elements and Components (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
One of the objectives of the CompTIA Security+ exam is to gauge your knowledge of how to ensure network security. How you design the network and build its components directly contributes to the protection of the organization. Understanding the various elements of network design and knowing their functions is central to creating an overall security solution that includes multiple layers of protection.
The CompTIA Security+ Certification is a worldwide standard for recognizing competency in IT security, and network design and security are crucial components of this exam. While it would be impossible to study every facet of network design before taking the test, the following information provides a good starting point for further investigation.
What network design elements do I need to know for the Security+ exam?
Perimeter network boundaries, firewalls, and VLANs are just some of the components of network design that help ensure a secure network. Security+ is designed to test your knowledge of these elements and more.
The topics below have been recognized as some of the main areas covered on the Security+ exam, but the list is by no means exhaustive. For additional Security+ preparation, check out the InfoSec Security+ Boot Camp.
A secure network is a divided network. Subnetting divides a network into smaller, more manageable components. When creating a subnet, you borrow bits from the host portion of the address and add them to the network mask to create a subnet mask. In addition to making the network more secure by controlling traffic and creating additional broadcast domains, subnets also increase IP address efficiency.
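The bit-borrowing step can be worked through in code. The following is an added example, not part of the original article; the function names and the 192.168.10.0/24 network used with it are constructed for illustration, and it assumes IPv4, where each subnet loses two addresses to the network and broadcast addresses.

```python
import ipaddress

def subnet_plan(network, borrowed_bits):
    """Borrow `borrowed_bits` host bits from `network` and list the subnets."""
    net = ipaddress.ip_network(network, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen
    # Leave at least 2 host bits so every subnet still has usable addresses.
    if not 0 < borrowed_bits <= host_bits - 2:
        raise ValueError("borrowed_bits must leave at least 2 host bits")
    plan = []
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        plan.append({
            "subnet": str(sub),                      # e.g. 192.168.10.64/26
            "mask": str(sub.netmask),                # the new subnet mask
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": sub.num_addresses - 2,   # minus network + broadcast
        })
    return plan

def same_broadcast_domain(ip_a, ip_b, plan):
    """True only if both addresses fall inside the same subnet of the plan."""
    def find(ip):
        addr = ipaddress.ip_address(ip)
        for entry in plan:
            if addr in ipaddress.ip_network(entry["subnet"]):
                return entry["subnet"]
        return None
    a, b = find(ip_a), find(ip_b)
    return a is not None and a == b

if __name__ == "__main__":
    # Constructed sample: borrow 2 bits from a /24, giving four /26 subnets.
    plan = subnet_plan("192.168.10.0/24", 2)
    for entry in plan:
        print(entry)
    print(same_broadcast_domain("192.168.10.10", "192.168.10.70", plan))
```

Hosts that land in different subnets no longer share a broadcast domain, so traffic between them has to pass a router or firewall where it can be filtered.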
A DMZ (Demilitarized Zone) is a subnet used to keep public information separate from private information. Any service an organization wants to make public is placed in a DMZ as an extra layer of security. Firewalls are used to keep the public from accessing private areas of the network.
For example, you can create a public server and place it in a DMZ. The server is accessible to both the private network and the public (such as the Internet), but a firewall blocks the public’s view of the private network, making it inaccessible. The best firewall for this purpose transmits in three directions: internally, externally, and to the DMZ, which allows you to direct traffic accordingly.
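The three-direction firewall described above can be modelled as a small zone policy with a default deny. This is an added example, not part of the original article; the zone subnets, rule list and function names are constructed for illustration, and only new connections are evaluated (return traffic for an allowed connection is assumed to be handled by a stateful firewall).

```python
import ipaddress

# Constructed zones: anything outside these subnets is treated as the Internet.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.50.0/24"),
}

# Allow rules: (source zone, destination zone, protocol, port or None for any).
RULES = [
    ("internet", "dmz", "tcp", 443),      # public reaches the public server
    ("internal", "dmz", "tcp", 443),      # staff reach the same server
    ("internal", "dmz", "tcp", 22),       # administration from inside only
    ("internal", "internet", "tcp", None),
]

def zone_of(ip):
    """Map an address to its zone; unknown addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def decide(src_ip, dst_ip, proto, dst_port, rules=RULES):
    """Return 'allow' or 'deny' for a new connection crossing the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same segment: the flow never crosses the firewall
    for r_src, r_dst, r_proto, r_port in rules:
        if (src, dst, proto) == (r_src, r_dst, r_proto) and r_port in (None, dst_port):
            return "allow"
    return "deny"       # default deny keeps the private network hidden

def audit_rules(rules):
    """List rules that break the DMZ design by opening the internal zone."""
    return [r for r in rules if r[1] == "internal" and r[0] != "internal"]

if __name__ == "__main__":
    print(decide("203.0.113.7", "172.16.50.10", "tcp", 443))  # public -> DMZ
    print(decide("203.0.113.7", "10.0.1.5", "tcp", 443))      # public -> private
    print(audit_rules(RULES))
```

Running `audit_rules` over a proposed rule set before deployment catches any rule that would let the DMZ or the Internet initiate connections into the private network.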
Virtual Local Area Networks (VLANs) are groups of segmented hosts that do not require the network administrator to relocate nodes or rewire data links. VLANs are simply broadcast domains that are configured via software, so instead of a physical link between hosts, there is a virtual link. VLANs have several advantages, including broadcast scope reduction and improved performance and manageability. Of course, the most important advantage of a VLAN is the increased security offered by grouping similar users together into segments.
Similar to a firewall, a NAT (Network Address Translation) server hides a network from outside users by displaying a small number of IP addresses for connected computers. The NAT server assigns IP addresses to network hosts and devices while tracking incoming and outgoing traffic. Network users connect either through the NAT server or a router that supports NAT, so unauthorized users will only see one address rather than all network connections.
The majority of systems that use NAT have private IP addresses for network hosts and public IP addresses that the NAT uses to translate and communicate with outside networks; this is called dynamic NAT. The NAT is thus a proxy between the local network and the Internet. For further study, one might look at the different NAT options, such as static vs. dynamic.
Port Address Translation (PAT) is a more limited form of NAT. A NAT system can use more than one public IP address, whereas PAT systems use only one address and share the network port. PAT gives network hosts access to outside networks using a router’s IP address. The protocol, either TCP or UDP, and the port can be specified by the administrator. Because it is such a limited option, PAT is usually employed on smaller home networks.
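The translation table behind PAT can be shown with a short simulation. This is an added example, not part of the original article; the `PatRouter` class, its starting port and the addresses are constructed for illustration, and it is simplified in that a real translator also tracks the remote endpoint and expires idle entries.

```python
from itertools import count

class PatRouter:
    """Toy PAT device: many private hosts share one public IP address."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.out = {}   # (proto, private_ip, private_port) -> public_port
        self.back = {}  # (proto, public_port) -> (private_ip, private_port)

    def outbound(self, proto, src_ip, src_port):
        """Translate an outgoing connection; reuse the entry if one exists."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = next(self._next_port)
            if port > 65535:
                raise RuntimeError("no free public ports left")
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key])

    def inbound(self, proto, dst_port):
        """Map a reply back to the private host, or None if unsolicited."""
        return self.back.get((proto, dst_port))

if __name__ == "__main__":
    router = PatRouter("198.51.100.20")  # constructed public address
    # Two private hosts use the same source port; outsiders see one address.
    print(router.outbound("tcp", "192.168.1.10", 51000))
    print(router.outbound("tcp", "192.168.1.11", 51000))
    print(router.inbound("tcp", 49153))  # reply reaches the second host
    print(router.inbound("tcp", 8080))   # no table entry: dropped
```

Outside observers only ever see the router's address, and an inbound packet that matches no table entry has nowhere to go, which is the hiding effect the NAT paragraphs describe.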
The merger of telecommunications and networking resulted in telephony, or Voice over IP (VoIP). This technology allows communications services like voice calling, SMS, fax and voice messaging to be provisioned over computer networks. Telephony uses IP telephones and a network connection to transmit telecommunications via data packets.
When it comes to security, telephony services have to be protected in the same way as other network services. VoIP is vulnerable to DoS attacks, call interception, theft of service and malware embedded in the session, so it is extremely important that telephony services are considered when designing network security.
Often referred to as RAS, Remote Access Services allow network connection via remote systems. Remote access can be established with a dial-up modem or network systems, like VPNs or DSL. The most popular remote access service is remote administration, which is used to take control of another user’s workstation. Depending on the protocols used, the remote connection can either be in the clear or secured. Because of the security risks involved with RAS, it is recommended that network administrators set up remote access via a manual start service and only launch the application when it is needed to prevent back-door access to the network.
In order to ensure operational security of a network, a set of standards called Network Access Control (NAC) defines the client requirements before granting access to the network. Typically, NAC makes sure that clients have no viruses and adhere to the network’s specific policies before allowing access to the network. NAC protocols enforce pre-admission and post-admission guidelines, controlling not only which clients have access to the network but also where those clients can go and what they can do once access is granted.
In order to make cloud computing possible, hardware virtualization is necessary. This means that the physical hardware of a device is abstracted using a hypervisor, also known as a Virtual Machine Manager, and made available on a virtual machine. The physical device is known as the host and the virtual devices are guests.
Virtual machines can run several operating systems in parallel from a single physical computer. Because so many systems use virtualization, it is important to study several different use examples and have a general understanding of the implementation of virtual hardware.
What cloud services are covered on the Security+ exam?
The cloud is built on the concept of virtualization and Internet-based computing. The cloud is an on-demand, ever-present resource of distributed computer services.
The National Institute of Standards and Technology (NIST) recognizes three standard cloud service models, which the Security+ exam covers: SaaS, PaaS, and IaaS. However, all cloud service models must have broad network access, measured service, rapid elasticity, on-demand self-service, and resource pooling. Once the service model is determined, NIST recognizes four methods of delivery: private, public, community, and hybrid.
Cloud Service Models
Software as a Service, or SaaS, provides users with the ability to use a provider’s cloud-based applications. These applications can be accessed through a thin client interface, like a web browser or a program interface. The user has no access to the provider’s infrastructure outside of user application settings. An example of a SaaS service is Microsoft’s Office Web Apps, wherein users can create documents using Word Online or spreadsheets with Excel Online and save them to another SaaS cloud-storage service such as Google Drive or Microsoft’s OneDrive.
In the Platform as a Service (PaaS) model, users can implement user-created or acquired applications that use provider-supported tools, libraries, programming languages and services. Like SaaS, the user cannot access the provider’s cloud infrastructure with PaaS. These types of cloud services are primarily for software development. Examples include computing platforms like Windows Azure and Google App Engine.
The Infrastructure as a Service model gives the most control to the user. They are provisioned with access to storage, processing, network and other basic resources in order to implement and run the software. IaaS can give users access to both the operating system and applications, but not the cloud infrastructure. Examples of IaaS services include Google Compute Engine and Amazon Web Services.
Cloud Service Delivery Models
When it comes to cloud service, the possibilities are nearly limitless. However, for the Security+ exam there are four main categories of cloud services that you should focus on. Within each category you should study a couple of different examples to familiarize yourself with the objectives and uses of each category.
- Private Cloud
A private cloud gives a group of users, usually a business or organization, exclusive access to the cloud infrastructure. Private clouds are typically owned and operated by the business/organization, which allows them to keep their data off the Internet.
- Public Cloud
The opposite of a private cloud, a public cloud is open to use by the general public. These are owned and operated by a variety of organization types, such as academic institutions, government organizations and businesses. The public clouds typically operate under a pay-as-you-go system for their cloud services.
- Community Cloud
Similar to a private cloud, a community cloud also gives a group of users access to the cloud infrastructure, but users come from organizations that have mutual interests. This can include departments with shared security clearances, organizations that operate under the same policies or groups that share similar missions. The key difference here is that community cloud users have joint interests and the cloud has limited enrollment. A community cloud can be owned and operated by multiple organizations or a single organization within the community.
- Hybrid Cloud
This cloud type is a combination of the three above. Typically, hybrid clouds are composed of both public and private cloud elements. These elements are joined together to allow for application and data portability, but they maintain their individual components.
What do I need to know about layered security and in-depth defense?
The terms “layered security” and “defense in depth” are used synonymously. The concept underlying these terms is that one security method or one layer does not provide enough protection for the network. Administrators should never rely on a single method of defense for network security. The more layers of security there are to guard the network, the harder intruders will have to work to infiltrate the system.