Security+: Secure network administration principles (SY0-401) [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Securing the network is a key step in thwarting cyber attacks. Installing security software and hardware is not enough on its own; the devices must be configured correctly and maintained over time. This ongoing work is what the secure network administration principles describe.
The key aspects of secure network administration are as follows:
Rule-based management
Rule-based management is the core concept for controlling network communication: a filter-driven system decides what traffic passes on the basis of a configured set of rules. Routers, proxies, IDS/IPS, firewalls and anti-virus products are common tools that apply rule-based security management. Each of them allows or denies a packet (or an event) according to its rule set, and anything that matches no rule is denied by default.
Rule-based management is therefore a form of whitelist (allow-list) security management: whatever does not match an explicit rule is denied. Because unknown activity is blocked rather than permitted, whitelist-based controls can stop zero-day attacks that signature-based tools would miss, provided the malicious activity falls outside the allowed set.
Firewall rules
A firewall evaluates its rule set on a first-match basis: the first rule that matches a packet decides its fate and the remaining rules are not consulted. The final rule is a default deny, so any packet that is not explicitly allowed or denied by an earlier rule is blocked. This is a clear example of whitelist security management. Depending on the firewall type (a stateful inspection firewall, for example), separate rule sets apply to inbound traffic (packets coming in) and outbound traffic (packets going out). Because ordering determines the outcome, each rule must be reviewed carefully before it is deployed: a badly placed rule can block legitimate traffic, or a broad allow placed before a more specific deny can shadow it and create a loophole.
VLAN management
A Virtual Local Area Network (VLAN) segments a switched LAN logically, at layer 2, without separate physical wiring. On most switches every port belongs to VLAN 1 by default; the administrator can move any port to another VLAN or group several ports into the same VLAN. The main purpose of VLANs is to manage traffic: hosts in the same VLAN communicate directly through the switch, while traffic between VLANs must pass through a routing function, provided either by a router or by a multilayer (layer 3) switch.
VLANs are used primarily to control traffic for better performance and security, and to isolate traffic within a network segment. Two VLANs can be kept apart simply by not defining a route between them, or by placing a filter (an ACL) on the routed path between them. The VLAN design should allow the packets that are needed and deny everything else.
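As an added example (not code from the article), the following Python models how a VLAN-aware switch assigns frames to VLANs: it parses the 802.1Q tag (TPID 0x8100, 12-bit VID) and floods a broadcast only to ports in the same VLAN, so that a host in VLAN 20 never sees a VLAN 10 broadcast unless something routes between them. The port names, VLAN numbers and the rule that an access port drops tagged frames are assumptions for the example; real switches differ in detail.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q VLAN tag


def build_frame(dst: str, src: str, payload: bytes, vid: Optional[int] = None,
                pcp: int = 0, ethertype: int = 0x0800) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame; vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


class Switch:
    """Minimal VLAN-aware switch: access ports carry one VLAN, trunks carry a set."""

    def __init__(self):
        self.ports = {}  # name -> ("access", vlan) | ("trunk", allowed_set, native_vlan)

    def add_access(self, name: str, vlan: int = 1):
        self.ports[name] = ("access", vlan)   # VLAN 1 is the default membership

    def add_trunk(self, name: str, allowed: set, native: int = 1):
        self.ports[name] = ("trunk", set(allowed), native)

    def ingress_vlan(self, port: str, frame: bytes) -> Optional[int]:
        """VLAN a frame is assigned on arrival, or None if the port drops it."""
        vid = parse_frame(frame)["vid"]
        mode = self.ports[port]
        if mode[0] == "access":
            # Tagged frames on an access port are dropped (assumed policy; vendors differ).
            return mode[1] if vid in (None, 0) else None
        _, allowed, native = mode
        vid = native if vid in (None, 0) else vid   # untagged on a trunk -> native VLAN
        return vid if vid in allowed else None

    def egress_ports(self, in_port: str, frame: bytes) -> list:
        """Ports a broadcast is flooded to: same VLAN only, never back out the ingress port."""
        vlan = self.ingress_vlan(in_port, frame)
        if vlan is None:
            return []
        out = []
        for name, mode in self.ports.items():
            if name == in_port:
                continue
            if (mode[0] == "access" and mode[1] == vlan) or (mode[0] == "trunk" and vlan in mode[1]):
                out.append(name)
        return sorted(out)


def demo_switch() -> Switch:
    """Constructed topology: two ports in VLAN 10, one in VLAN 20, one left in default VLAN 1, one trunk."""
    sw = Switch()
    sw.add_access("Gi1/1", 10)
    sw.add_access("Gi1/2", 10)
    sw.add_access("Gi1/3", 20)
    sw.add_access("Gi1/4")          # default VLAN 1
    sw.add_trunk("Gi1/24", {1, 10, 20}, native=1)
    return sw


# Constructed sample frames (broadcast destination, made-up source MAC).
BROADCAST = "ff:ff:ff:ff:ff:ff"
UNTAGGED_FRAME = build_frame(BROADCAST, "00:11:22:33:44:55", b"payload")
TAGGED_VLAN20_FRAME = build_frame(BROADCAST, "00:11:22:33:44:55", b"payload", vid=20, pcp=5)
TAGGED_VLAN30_FRAME = build_frame(BROADCAST, "00:11:22:33:44:55", b"payload", vid=30)
```

Running `demo_switch().egress_ports("Gi1/1", UNTAGGED_FRAME)` floods the VLAN 10 broadcast to Gi1/2 and the trunk only; the same frame arriving untagged on the trunk lands in the native VLAN 1 and reaches only Gi1/4, which is why a port left in the default VLAN still deserves attention.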
Secure router configuration
Securing the router configuration is essential to prevent unauthorized or malicious changes to the router. The following configuration practices help:
- Always use a strong, unique and secret password for router access, and never leave the vendor default in place.
- Configure the router to ignore, and not to send, ICMP type 5 (Redirect) messages, which an attacker can use to alter a host's routing.
- Use encryption and secure authentication protocols (SSH rather than Telnet, for example) to protect administrative access to the router.
- Define in advance the IP addresses of the trusted networks with which the router will exchange packets or accept management connections.
- Expose management interfaces on internal interfaces only, and only over secure protocols.
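The checklist above can be turned into an automated check. The following Python is an added example, not from the article: it audits a Cisco IOS-style configuration text against the five points above. The IOS command names used (enable secret, no ip redirects, ip ssh version 2, transport input ssh, access-class, no ip http server) are real, but the sample configuration is constructed, a placeholder stands in for the password hash, and the inside interface and the vty line are deliberately left incomplete so that the audit has something to report.

```python
import re

# Constructed Cisco IOS-style running-config excerpt (not from a real device);
# the value after 'enable secret 5' is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$salt$placeholderhash
service password-encryption
ip ssh version 2
no ip http server
access-list 10 permit 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
interface GigabitEthernet0/1
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
line vty 0 4
 transport input ssh
 login local
"""

# The same configuration with the two missing commands added.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    " ip address 10.0.0.1 255.255.255.0\n", " ip address 10.0.0.1 255.255.255.0\n no ip redirects\n"
).replace(" transport input ssh\n", " transport input ssh\n access-class 10 in\n")


def parse_blocks(config: str):
    """Split a config into global commands and the indented bodies of 'interface'/'line' sections."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):              # indented: belongs to the current section
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith(("interface ", "line ")):
            current = cmd
            blocks[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(config: str) -> list:
    """Return a list of findings; an empty list means every check in the list above passed."""
    g, blocks = parse_blocks(config)
    findings = []
    # 1. Secret privileged password: hashed 'enable secret', not reversible 'enable password'.
    if not any(c.startswith("enable secret ") for c in g):
        findings.append("no 'enable secret' configured")
    if any(c.startswith("enable password ") for c in g):
        findings.append("'enable password' (weakly protected) present")
    # 2. ICMP type 5 redirects disabled on every addressed interface.
    for name, body in blocks.items():
        if name.startswith("interface ") and any(c.startswith("ip address ") for c in body):
            if "no ip redirects" not in body:
                findings.append(f"{name}: ICMP redirects not disabled")
    # 3. Encrypted, authenticated management: SSHv2 only, no plaintext HTTP server.
    if "ip ssh version 2" not in g:
        findings.append("SSH version 2 not enforced")
    if "no ip http server" not in g:
        findings.append("plaintext HTTP management server not disabled")
    # 4./5. Management only from pre-defined trusted networks and over secure protocols.
    acls = {m.group(1) for c in g
            for m in [re.match(r"(?:ip access-list \S+ |access-list )(\S+)", c)] if m}
    for name, body in blocks.items():
        if not name.startswith("line vty"):
            continue
        if "transport input ssh" not in body:
            findings.append(f"{name}: transport input is not restricted to ssh")
        m = next((re.match(r"access-class (\S+) in", c) for c in body
                  if c.startswith("access-class ")), None)
        if m is None:
            findings.append(f"{name}: no access-class restricting management to trusted networks")
        elif m.group(1) not in acls:
            findings.append(f"{name}: access-class {m.group(1)} references an undefined ACL")
    return findings
```

`audit(SAMPLE_CONFIG)` reports the inside interface still answering with ICMP redirects and the vty line accepting SSH from anywhere; `audit(HARDENED_CONFIG)` returns an empty list. A check like this is only as good as its parser, so it should be run against a config pulled from the device, not a hand-maintained copy.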
Access control list
An access control list (ACL) defines whether a subject may access an object or perform a particular function. ACLs were originally used to protect objects such as files, but the same idea applies to network communication: firewalls, switches and routers use ACLs as a security-management measure. ACL entries are called "filters" or "rules"; packets that match a permit entry are allowed as the exception, and everything else is denied by default.
Port security
Port security covers several different kinds of "port". The first is the physical port: the RJ-45 wall jack and the switch port behind it. Unused jacks should be disconnected at the patch panel so that an open port cannot be used to gain unauthorized access, and wiring closets and server rooms should be locked. On the switch side, port security is a layer 2 traffic-control feature (on Cisco Catalyst switches, for example) that lets the administrator restrict a switch port to specific devices, so that only permitted sources can send traffic through it.
MAC address: Port security can also be enforced on MAC addresses. A switch port can be limited to one or more known MAC addresses, and a smart patch panel can monitor the MAC address of the device plugged into each port and detect when a valid device is disconnected or replaced by an unknown one.
TCP and UDP ports: The third meaning of port is the TCP or UDP port. A port is open when a service is bound to it; all other TCP and UDP ports stay closed until a service is assigned to them, so disabling unneeded services closes their ports. Attackers perform port scans to learn which ports are open at any given time. IPS, IDS, firewalls and other security tools can detect these scans and either block them or feed the scanner false information, reducing the effectiveness of malicious port scanning.
802.1X: This is a port-based network access control standard from the IEEE 802.1 working group. It applies to wired switch ports as well as to wireless LANs based on IEEE 802.11, and it provides an authentication framework in which a user or device is authenticated by a central authority before the port is opened for normal traffic. The actual authentication method is left open: 802.1X carries the Extensible Authentication Protocol (EAP), and many EAP methods are possible. It is commonly used on closed wireless networks, but the same framework can be used in front of VPN gateways, proxies and firewalls wherever some form of authentication is needed, and it works best as an authentication proxy that reuses the existing authentication infrastructure instead of configuring credentials separately on each device.
802.1X allows or denies a connection on the basis of user or device authentication. It was initially adopted mainly to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it is an important element of more complex authentication systems built on RADIUS, Diameter, TACACS+ and network access control (NAC).
Flood guards
A flood guard is a mechanism used to thwart large-scale denial-of-service attacks such as SYN floods. Its purpose is to identify flooding activity automatically, for example a source opening far more half-open connections than normal, and to block or rate-limit that source before the targeted systems are exhausted, so that attack traffic does not overwhelm the network.
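As an added illustration of what a flood guard does (example code, not from the article), the following Python caps half-open TCP connections per source and globally, drops further SYNs once a cap is reached, and frees slots when handshakes complete or stale entries time out. The limits, timeout and addresses are assumed values for the example, not any vendor's defaults.

```python
from collections import deque


class SynFloodGuard:
    """Per-source and global caps on half-open (embryonic) TCP connections.

    Thresholds and timeout are assumed values for this example, not a vendor default.
    """

    def __init__(self, per_source_max: int = 50, global_max: int = 1000, timeout_s: float = 30.0):
        self.per_source_max = per_source_max
        self.global_max = global_max
        self.timeout_s = timeout_s
        self.half_open = {}       # src -> deque of SYN timestamps awaiting the final ACK
        self.dropped = 0

    def _expire(self, now: float) -> None:
        """Forget half-open entries older than the timeout (the server stack would have reaped them)."""
        for src in list(self.half_open):
            q = self.half_open[src]
            while q and now - q[0] > self.timeout_s:
                q.popleft()
            if not q:
                del self.half_open[src]

    def total_half_open(self) -> int:
        return sum(len(q) for q in self.half_open.values())

    def syn(self, src: str, now: float) -> bool:
        """Decide whether a SYN from src at time `now` may proceed to the protected server."""
        self._expire(now)
        q = self.half_open.setdefault(src, deque())
        if len(q) >= self.per_source_max or self.total_half_open() >= self.global_max:
            self.dropped += 1
            return False
        q.append(now)
        return True

    def handshake_complete(self, src: str) -> None:
        """The client's ACK arrived: the oldest half-open entry for src became a full connection."""
        q = self.half_open.get(src)
        if q:
            q.popleft()
            if not q:
                del self.half_open[src]


def flood_scenario() -> dict:
    """Constructed scenario: one source fires 60 SYNs at once and completes only one handshake."""
    guard = SynFloodGuard(per_source_max=50)
    accepted = sum(guard.syn("198.51.100.7", 0.0) for _ in range(60))
    other_ok = guard.syn("10.0.0.5", 0.0)             # a different source is unaffected
    guard.handshake_complete("198.51.100.7")
    after_ack = guard.syn("198.51.100.7", 1.0)        # one completed handshake frees one slot
    after_timeout = guard.syn("198.51.100.7", 45.0)   # stale half-open entries aged out
    return {"accepted": accepted, "dropped": guard.dropped, "other_ok": other_ok,
            "after_ack": after_ack, "after_timeout": after_timeout}
```

In `flood_scenario()` the first 50 SYNs pass, the next 10 are dropped, another source is unaffected, and the flooding source regains a slot only when a handshake completes or its stale entries expire. A real appliance would typically also fall back to SYN cookies rather than dropping outright, which this model does not attempt.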
Loop protection
A loop is a repeating transmission path in the network. It consumes network resources, particularly throughput, and it usually occurs at layer 2 (Ethernet) or layer 3 (IP). Ethernet loops are prevented with the Spanning Tree Protocol (STP), which runs on bridges and switches: the bridges elect a root bridge, compute a loop-free tree of paths to it, and place redundant ports into a blocking state so that a single active path remains.
IP uses a different technique. Rather than preventing the loop itself, IP limits how far a packet can travel, using a countdown field in the IP header called Time to Live (TTL). The initial TTL depends on the sending operating system: current Windows versions use 128 (very old Windows versions used 32), Linux uses 64, and some other operating systems and network devices use 255. Each router decrements the TTL when it forwards the packet; a router that receives a packet with a TTL of 1, which would be decremented to 0, discards it instead of forwarding it and sends an ICMP Type 11 (Time Exceeded) error message back to the sender. A looping packet therefore dies after at most 255 hops instead of circulating forever.
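The TTL countdown can be simulated directly. This Python is an added example (not part of the article): forward_packet() walks a packet through a constructed next-hop table, decrementing the TTL and producing the ICMP type 11, code 0 message when it expires, and estimate_initial_ttl() applies the default values listed above the way an analyst reading a packet capture does, to guess the sender's operating-system family and hop distance. The router names and the looped route are constructed.

```python
# Common initial TTL values (as listed in the text above), smallest first.
INITIAL_TTLS = (32, 64, 128, 255)

ICMP_TIME_EXCEEDED = 11           # ICMP type
ICMP_TTL_EXCEEDED_IN_TRANSIT = 0  # ICMP code


def forward_packet(first_hop: str, next_hop: dict, ttl: int) -> dict:
    """Forward a packet router by router.

    next_hop maps a router name to the next router, or to "host" for final delivery.
    Returns the trace of routers visited, the remaining TTL and any ICMP error generated.
    """
    trace = []
    node = first_hop
    while node != "host":
        if ttl <= 1:
            # Decrementing would reach 0: the router discards the packet and sends
            # ICMP Time Exceeded (type 11, code 0) back to the original sender.
            return {"delivered": False, "ttl": 0, "trace": trace + [node],
                    "icmp": (ICMP_TIME_EXCEEDED, ICMP_TTL_EXCEEDED_IN_TRANSIT, node)}
        ttl -= 1
        trace.append(node)
        node = next_hop[node]
    return {"delivered": True, "ttl": ttl, "trace": trace, "icmp": None}


def estimate_initial_ttl(observed: int) -> tuple:
    """Guess the sender's initial TTL (smallest common value >= observed) and the hops implied."""
    if not 0 < observed <= 255:
        raise ValueError("observed TTL must be between 1 and 255")
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


# Constructed topologies: a three-router routing loop and a sane path of the same routers.
LOOPED_ROUTES = {"R1": "R2", "R2": "R3", "R3": "R1"}
GOOD_ROUTES = {"R1": "R2", "R2": "R3", "R3": "host"}
```

With the looped table and a Windows-style TTL of 128 the packet visits 128 routers before one of them discards it and raises the ICMP error; with TTL 3 on the good path the third router discards it just short of the host, which is exactly the behaviour traceroute exploits with increasing TTLs. An observed TTL of 57 most plausibly means a Linux-style initial value of 64 and a sender 7 hops away.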
Implicit deny
Another important security measure is "implicit deny": a default-deny posture in which access to resources is granted only by specific permission. The deny does not need to be written out; it is implicit in the permission set, since anything not granted is not allowed. Firewalls and routers apply the same idea to traffic: a router ACL ends with an implicit "deny all" as its last entry, and a firewall's final rule is a default deny. In both cases the implicit deny applies only when no explicit allow or deny rule has matched.
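The behaviour described in the rule-based management, firewall rules, access control list and implicit deny sections above is shown in the following Python, an added example that is not from the article: evaluate() applies first-match semantics with an implicit deny after the last rule, and shadowed_rules() finds the ordering mistake the firewall rules section warns about, a specific deny placed after a broader allow that already covers every packet it could match. The rule sets, networks and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


def _ports(spec: str) -> tuple:
    """'any' -> (0, 65535); '443' -> (443, 443); '1024-65535' -> (1024, 65535)."""
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # "any", a single port, or a "lo-hi" range

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        for spec, ip in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if spec != "any" and ipaddress.ip_address(ip) not in ipaddress.ip_network(spec, strict=False):
                return False
        lo, hi = _ports(self.dport)
        return lo <= pkt.get("dport", 0) <= hi

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by this rule."""
        if self.proto not in ("any", other.proto):
            return False
        for mine, theirs in ((self.src, other.src), (self.dst, other.dst)):
            if mine == "any":
                continue
            if theirs == "any" or not ipaddress.ip_network(mine, strict=False).supernet_of(
                    ipaddress.ip_network(theirs, strict=False)):
                return False
        (alo, ahi), (blo, bhi) = _ports(self.dport), _ports(other.dport)
        return alo <= blo and bhi <= ahi


def evaluate(rules, pkt: dict) -> tuple:
    """First match wins. Returns (action, index); index is None when only the implicit deny applied."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules) -> list:
    """Indexes of rules that can never fire because an earlier rule covers everything they match."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed rule sets: a DMZ host at 203.0.113.10 in 203.0.113.0/24, internal networks in 10.0.0.0/8.
INBOUND = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", "443"),
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.0/24", "22"),
    Rule("deny", "tcp", "10.0.5.0/24", "203.0.113.0/24", "22"),   # intended block, but shadowed by the rule above
]
INBOUND_FIXED = [INBOUND[0], INBOUND[2], INBOUND[1]]   # the specific deny moved ahead of the broad allow
OUTBOUND = [
    Rule("allow", "udp", "10.0.0.0/8", "any", "53"),
    Rule("allow", "tcp", "10.0.0.0/8", "any", "80"),
    Rule("allow", "tcp", "10.0.0.0/8", "any", "443"),
]
```

With INBOUND, SSH from 10.0.5.9 is allowed by rule 1 even though rule 2 was written to deny it; shadowed_rules(INBOUND) reports index 2, and INBOUND_FIXED, with the deny placed first, blocks it. Telnet to the DMZ host and outbound FTP match nothing and fall through to the implicit deny, which evaluate() reports with a rule index of None so that a log can distinguish an explicit from an implicit block.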
Network separation
Network bridging is a desirable network design feature with several advantages: it avoids the 5-4-3 rule limitations of layer 1 repeaters, keeps collision domains separate, is inexpensive, is transparent to layer 3 and higher protocols, and is self-configuring. It also has drawbacks: added latency, no division of the broadcast domain, poor scaling and the risk of loop formation. These problems are addressed by network separation.
Separation can be achieved in two ways: by implementing IP subnets and joining them with routers, or by building two physically separate networks that do not need to communicate with each other. Firewalls can also provide separation, by filtering and managing the traffic allowed between the segments.
Log analysis
Log analysis reviews the log files, audit trails and other records generated by systems to identify policy violations, malicious events, downtime and related issues. It should be performed at regular intervals in a live network. Much log analysis is automated by engines such as an IPS or IDS, but periodic manual analysis is also essential: it reveals patterns the automation does not know about and provides the baselines and thresholds with which the automated analysis is then configured.
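Automated log analysis of the kind described in this section, applied to the port-scan detection mentioned in the port security section above, as an added Python example (not from the article): a parser for a loosely iptables-style firewall log line and a sliding-window detector that flags a source touching many distinct destination ports in a short time, while ignoring lines in other formats and leaving a slow, spread-out probe below the threshold. The log format, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Loosely iptables-style firewall log line (constructed format, not a capture from a real system).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: (?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)


def parse_line(line: str):
    """Return an event dict for a firewall line, or None for lines in another format (skipped)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, threshold: int = 10, window_s: int = 60) -> dict:
    """Sources that touch >= threshold distinct (dst, port) pairs within window_s seconds.

    Returns {src: (window_start, distinct_count_when_first_flagged)}.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport)) still inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dport"])))
        while ev["ts"] - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                      # slide the window forward
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (q[0][0], len(distinct))
    return alerts


def _line(ts: datetime, action: str, src: str, dst: str, dport: int, proto: str = "TCP") -> str:
    return (f"{ts.isoformat()} fw kernel: {action} IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO={proto} SPT=51000 DPT={dport}")


T0 = datetime(2024, 5, 1, 10, 0, 0)
# Constructed sample: a fast scanner (15 ports in 15 s), a normal HTTPS client,
# a slow prober (6 ports 90 s apart) and an unrelated sshd line that must be skipped.
SAMPLE_LOG = (
    [_line(T0 + timedelta(seconds=i), "DROP", "198.51.100.7", "203.0.113.10", 20 + i) for i in range(15)]
    + [_line(T0 + timedelta(seconds=3 * i), "ACCEPT", "10.0.0.5", "203.0.113.10", 443) for i in range(12)]
    + [_line(T0 + timedelta(seconds=90 * i), "DROP", "192.0.2.44", "203.0.113.10", 100 + i) for i in range(6)]
    + [f"{T0.isoformat()} fw sshd[1]: Accepted publickey for admin from 10.0.0.5 port 50000"]
)
```

With the defaults, `detect_port_scans(SAMPLE_LOG)` flags only 198.51.100.7, at the moment its tenth distinct port appears; the repeated HTTPS client never trips it, and the slow prober stays under the threshold unless the window is widened, which is the trade-off the manual review described above has to settle when it sets the thresholds.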
Unified Threat Management
Also known as an "all-in-one security appliance", a UTM device is hardware designed to sit between the Internet and the private network. Unified threat management filters the inbound and outbound traffic entering or leaving the network, combining the functions of a firewall, IPS, IDS, DDoS protection, virus scanning, spam and web filtering, and activity tracking. Some UTM products also provide server-side protection for web applications and wireless security features.
Unified threat management is mainly a cost-saving option for smaller companies. For larger companies it is not an optimal choice: it is less specialized than dedicated products, it is a single point of failure, and it may become a performance bottleneck (although it is still an improvement over a single traditional device, since it provides multiple security functions in one system). Larger companies can afford separate, specialized solutions.
Secure network administration principles are essential for keeping information secure as it moves through systems, for controlling who can access it, and for tracking how network resources are allocated. As a security professional you must understand how these principles work and where they fit in the bigger picture of information security, including on the exam.
Secure networks are a basic necessity for organizations today. Even a well-secured network, however, cannot prevent every threat, particularly those that originate inside it.