Chapter 10: Infrastructure Security
Infrastructure security:
begins with the design of the infrastructure itself. The proper use of components improves not only performance but security as well. (routers, switches, firewalls, cables, etc...)
Coaxial Cable
coaxial cable is familiar to many households as a method of connecting televisions to VCRs, satellite, or cable services. It is used because of its high bandwidth and shielding capabilities. It is prone to less outside interference than phone cables (twisted pair).
Open Proxy
An open proxy is essentially a proxy that is available to any internet user and often has some anonymizing capabilities as well. This type of proxy has been the subject of some controversy, with advocates for Internet privacy and freedom on one side of the argument, and law enforcement, corporations, and government entities on the other.
VPN Concentrator
A VPN concentrator is a special endpoint inside a network designed to accept multiple VPN connections and integrate these independent connections into the network in a scalable fashion. (Hardware) IPSEC is the most common implementation of VPN. It can be implemented in hardware, software, or a combination of both and is used to encrypt all IP traffic.
Network Attached Storage (NAS)
Because of the speed of today's Ethernet networks, it is possible to manage data storage across the network. The combination of inexpensive hard drives, fast networks, and simple application-based servers has made NAS devices in the Terabyte range affordable for even home users. They are susceptible to network sniffing and brute force attacks.
Backup Lifetimes:
A common misconception is that data backed up onto magnetic media will last for long periods of time. Although once touted as lasting decades, modern micro-encoding methods are proving less durable than expected, sometimes with lifetimes less than 10 years. A secondary problem is maintaining operating system access via drivers to legacy equipment.
Network Monitoring/Diagnostic
A computer network itself can be considered a large computer, with performance and operating issues. Just as a computer needs management, monitoring, and fault resolution, so too do networks. SNMP was developed to perform this function across networks. The concept of a Network Operations Center (NOC) comes from the old telephone company network days, when central monitoring centers supervised the health of the telephone network and provided interfaces for maintenance and management. SNMP (Simple Network Management Protocol) is a part of the internet protocol suite of protocols. It is an open standard, designed for transmission of management functions between devices. NOC use SNMP (port 161) to monitor network devices. In any significant network, coordinating system changes, dynamic network traffic levels, potential security incidents, and maintenance activities are daunting tasks requiring numerous personnel working together.
Physical Security Concerns
A balanced approach is the most sensible approach when addressing physical security, and this applies to transmission media as well. Many common scenarios exist when unauthorized entry to a network occurs, including these: -Inserting a node and functionality that is not authorized on the network, such as a sniffer device or unauthorized wireless access point. -Modifying firewall security policies -Modifying ACLs for firewalls, switches, or routers -Modifying network devices to echo traffic to an external node.
Security Devices:
A range of devices can be employed at the network layer to instantiate security functionality.
Switches
A switch forms the basis for connections in most Ethernet based LANs. In high performance network environments a switch has replaced hubs and bridges. Each port on a switch is its own collision domain. Full Duplex = send and receive data simultaneously Half Duplex = send or receive data once at a time. Note: MAC filtering can be employed on switches, permitting only specified MACs to connect to the switch. This can be bypassed if an attacker learns the allowed MAC addresses and clones (spoofs) it on their NIC. 802.1X (Authentication) is more secure. 802.1X can also be referred as MAC limiting. MAC limiting can also mean reducing the number of MAC addresses that can be learned on a switch to prevent flooding attacks. Note 2: Network traffic segregation can also act as a security mechanism, by preventing access to some devices from other devices. To ensure security on a switch, you should disable all access protocols other than a secure serial line or a secure protocol such as SSH using only secure methods to access a switch will limit the exposure to hackers and malicious users. Maintaining secure network switches (and infrastructure) is more important than securing individual boxes, because the span of control to intercept data is much wider on a switch, especially if its reprogrammed by a hacker.
Web Proxy
A web proxy is solely designed to handle traffic and is sometimes called a Web Cache. Most web proxies are essentially specialized caching proxies.
Anonymizing Proxy
An anonymizing proxy is designed to hide information about the requesting system and make a user's web experience "anonymous" This type of proxy service is often used by individuals who are concerned about the amount of personal information being transferred across the internet and the use of tracking cookies and other mechanisms to tack browsing activity.
Application Cells/Containers
Application Cells/Containers are the same idea (virtualization) but rather than having multiple independent OSs, a container holds the portions of an OS that it needs separate from the kernel. In essence, multiple containers can share an OS, yet have separate memory, CPU, and storage threads, guaranteeing that they will not interact with other containers. This allows multiple instances of an application or different applications to share a host OS with virtually no overhead. Containers can be thought of as the evolution of the VM concept into the application space. A container consists of an entire runtime environment - an application, plus all the dependencies, libraries, other binaries, and configuration files needed to run it, all bundled into one package. Because of the application platform, including its dependencies is containerized, any differences in OS distributions, libraries, and underlying infrastructure are abstracted away and considered moot.
Firewall Operations:
Application Layer Firewalls such as proxy servers can analyze information in the header and the data portion of the packet, whereas packet filtering firewalls can analyze only the header of a packet. Firewalls can mitigate specific types of DOS/DDOS attacks.
Web Security Gateway
Are a combination of proxy and content filtering functions Web Security Gateways typically provide the following: Real-time malware protection - The ability to scan all outgoing and incoming web traffic to detect and block undesirable traffic such as malware, spyware, malicious scripts, file-based attacks, etc.. Content monitoring - The ability to monitor the content of web traffic being examined to ensure that it complies with organizational policies. Productivity monitoring - The ability to measure types and quantities of web traffic being generated by specific users, groups of users, or the entire organization. Data protection and compliance - Scanning web traffic for sensitive or proprietary information being sent outside of the organization as well as the use of social network sites or inappropriate sites.
Load Balancers
Are designed to distribute the processing load over two or more systems. They are used to help improve resource utilization and throughput, but they also have the added advantage of increasing the fault tolerance of the overall system since a critical process may be split across several systems. Should any system fail, the others can pick up the processing it was handling. Virtual IPs: In a load-balanced environment, the IP addresses for the target servers of a load balancer will not necessarily match the address associated with the router sending the traffic. Scheduling Load Balancers: The scheduling of the next recipient of load-balanced traffic is either by affinity scheduling or round-robin. Affinity Scheduling = Maintains a connection to a specific resource. Round-Robin = Moves to the next available resource. The other issue is redundancy, and they can either be active-passive or active-active. The first word indicates the state of the primary system and the second word refers to the redundant system.
Device Security Common Concerns:
As more and more interactive devices are being designed, a new threat source has appeared. In an attempt to build security into devices, typically, a default account and password must be entered to enable the user access and configure the device remotely. These default credentials are well known in the hacker community, so one of the 1st steps one must take to secure such devices is to change the default credentials. Default Accounts: Always reconfigure all default accounts on all devices before exposing them to external traffic. This is to protect others from reconfiguring your devices
Removable Storage
Because removable devices can move data outside of the corporate controlled environment, their security needs must be addressed. Removable devices can bring unprotected or corrupted data into the corporate environment. They should be scanned by antivirus software upon connection to the corporate environment. corporate policies should address the copying of data to removable devices.
Bridges
Bridges are networking equipment that connect devices using the same protocol at the Data Link Layer (Layer 2) of the OSI model. Bridges reduce collisions by separating the network into two separate collision domains.
Category 5 (cat5/5e) (unshielded twisted pair)
Cat 5 is for Fast Ethernet - 100 MBPS Cat 5e is an enhanced version that addresses far-end crosstalk and is suitable for 1,000 MBPS/gigabit Ethernet.
Category 6 (cat 6/6a) (UTP/STP)
Cat 6 is suitable for 10 Gigabit Ethernet over short distances. Cat 6a is used for longer distance up to 100 meters, 10 Gigabit Ethernet.
Cloud Computing Service Models:
Clouds can be created by many entities, both internal and external to an organization. Commercial cloud services are already available and offered by a variety of firms, as large as Google and Amazon and as small as local providers.
Content-filtering Proxy
Content filtering proxies examine each client requests and compare it to an established acceptable use policy (AUP) Requests can usually be filtered in a variety of ways, including by the requested URL, destination system, or domain name or by keywords in the content itself. Content filtering proxies typically support user level authentication, so access can be controlled and monitored and activity through the proxy can be logged or analyzed. This type of proxy is very popular in schools, business, and government networks.
Spanning Tree Protocol (STP)
Defined by the IEEE 802.1D standard, it allows a network to have redundant Layer 2 connections, while preventing a loop, which could lead to symptoms such as broadcast storms and MAC address table corruption.
Cloud Types:
Depending on the size and particular needs of an organization there are three basic types of cloud: Private: Private clouds are essentially reserved resources used only for your organization - your own cloud within the cloud. Public: A cloud service rendered over a system that is for public use. Hybrid: A hybrid cloud is one where elements are combined from private, public, and community structures.
Devices:
Devices are needed to connect the clients and servers, and to regulate the traffic between them. each device has a specific network function and plays a role in maintaining network infrastructure security.
Fiber
Fiber-optic cable uses beams of laser light to connect devices over a thin glass wire. The biggest advantage to fiber is its bandwidth, with transmission capabilities into the Terabits per second range. Fiber optic cable is used to make high-speed connections between servers and is the backbone medium of the internet and large networks. The drawback of fiber is its cost. When measured by bandwidth, using fiber is cheaper than using competing wired technologies. The length of the cable can be longer, and the data capacity much higher. It is also impossible to splice optic fiber and a repeater must be used. It is also impervious to EMI emanations.
How do Firewalls work?
Firewalls enforce the established security policies. They can do this through a variety of mechanisms. including the following: NAT Network Address Translation: Converts a Private IP (intranet/non-routable) to a Public IP (routable/Internet) that is assigned to you by your ISP. Basic Packet Filtering: Looks at each packet entering or leaving the network and then either accepts the packet or rejects the packet based on user defined rules. each packet is examined separately. Stateful Packet Filtering: Also looks at each packet, but it can examine the packet in its relation to other packets Stateful firewalls keep track of network connections and can apply slightly different rule sets based on whether or not the packet is part of an established session. Access Control Lists (ACL): Are simple rule sets that are applied to port numbers and IP addresses. They can be configured for inbound and outbound traffic and are commonly used on routers and switches. Application Layer Proxies: An application layer proxy can examine the content of the traffic as well as the ports and IP addresses. For example: An application layer proxy has the ability to look inside a user's web traffic, detect a malicious web site attempting to upload malware into the user's system, and block the malware.
Category 7 (cat 7) (S/FTP)
For 10- GBPS Ethernet or higher. cat 7 has been used for 100 GBPS up to 15 meters.
Next Generation Firewalls
Have significantly more capabilities and are characterized by these features: -Deep Packet Inspection -Move beyond Port/Protocol inspection and blocking -Add application-level inspection -Add intrusion prevention -Bring intelligence from outside the firewall Next generation firewalls are more than just a firewall and IDS coupled together; They offer a deeper look at what the network traffic represents.
Patch compatibility
Having a OS operate in a virtual environment does not change the need for security associated with the OS. Patches are still needed and should be applied, independent of the virtualization status.
Intrusion Detection System (IDS)
IDS are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact. there are 2 types: 1. Network-based (protects and see things on the network) 2. Host-based (protects and see things on the host)
Infrared
Infrared is a band of electromagnetic energy just beyond the red end of the visible color spectrum. It bounces off walls and cannot pass through solid objects. It is used by many devices. example: cameras, remote TV controllers
Network Admission Control (NAC)
Is Cisco's technology for controlling network admission. Cisco's NAC system is built around an appliance that enforces policies chosen by the network administrator. A series of third party solutions can interface with the appliance, allowing the verification of many different options, including client policy settings, software updates, and client security posture. The use of third-party devices and software makes this an extensible system across a wide range of equipment. It is being replaced by 802.1X Authentication.
Network Access Protection (NAP)
Is a Microsoft technology for controlling network access of a computer host. Microsoft's NAP is based on measuring the system health of the connecting machine, including patch levels of the OS, antivirus protection, and system policies. The objective behind NAP is to enforce policy and governance standards on network devices before they are allowed data-level access to a network. For example, a vulnerable mobile device is placed on an isolated network until it is patched and cleared to access the company's network. It is being replaced by 802.1X Authentication
Hypervisor
Is a low-level program that allows multiple operating systems to run concurrently on a single host computer. they are the layer that enables virtualization. They use a thin layer of code to allocate resources in realtime. It acts as a traffic cop that controls I/O and memory management. Type 1: Type 1 hypervisors run directly on the system hardware. They are referred to as native, bare-metal, or embedded hypervisors. (doesn't require an OS) Type 2: Type 2 hypervisors run on top of a host operating system. Type 2 = VirtualBox and VMWare workstation player. they are designed for limited numbers of VMs, typically in a desktop or small server environment. (operates over an OS)
Platform as a Service (PaaS)
Is a marketing term used to describe the offering of a computing platform in the cloud. Multiple sets of software working together to provide services, such as database services, can be delivered via the cloud as a platform.
Infrastructure as a Service (IaaS)
Is a term used to describe cloud-based systems that are delivered as a virtual platform for computing. (data center for rent).
Private Branch Exchange (PBX) (telephony)
Is an extension of the public telephone network into a business. (VOIP) They are computer based switching equipment designed to connect telephones into the local phone system. digital switching systems can be compromised from the outside and used by phone hackers called Phreakers to make phone calls at the company's expense. they also need firewalls for protection.
Security as a Service (SECaaS)
Is the outsourcing of security functions to a vendor that has advantages in scale, costs, or speed. Security is a complex, wide ranging cornucopia of technical specialties all working together to provide appropriate risk reductions in today's enterprise. Different security vendors offer different specializations - from network to email, web application security, Incident response, and even infrastructure updates.
Reverse Proxy
Is typically installed on the server side of a network connection, often in front of a group of web servers. The reverse proxy intercepts all incoming web requests and can perform a number of functions, including traffic filtering and shaping, SSL decryption, serving common static content such as graphics, and performing load balancing.
MAC Flooding (switches)
Is when a switch is bombarded with packets from different MAC addresses, flooding the switch's table and forcing the device to respond by opening all ports and acting as a hub. (this opens it up for network sniffing).
Magnetic Media
Magnetic media stores data through the rearrangement of magnetic particles on a non-magnetic substrate. common forms include hard drives, floppy disks, zip disks and magnetic tape. All of these devices share some common characteristics: -each has sensitivity to external magnetic fields. -They are also affected by high temperatures, as in fires, and by exposure to water. Hard drives: Hard drives used to require large machines in mainframes. Now they are small enough to attach to mobile devices. Diskettes: Floppy disks were the computer industry's first attempt at portable magnetic media. They reached 1.4 MB capacities but are obsolete now. Tape: Magnetic tape has held a place in computer centers since the beginning of computing. Its primary use has been bulk offline storage and backup. Several types of magnetic tape are in use today, ranging from quarter-inch to Digital Linear Tape (DLT) and Digital Audio Tape (DAT). These cartridges can hold upwards of 60 GB of compressed data
Firewalls and ACLs:
Many firewalls read firewall and ACL rules from top to bottom and apply the rules in sequential order to the packets they are inspecting. Typically they will stop processing rules when they find a rule that matches the packet they are examining. If the 1st line in you rule set reads "allow all traffic", the the firewall will pass any network traffic coming into or leaving your firewall Many firewalls have an implied "deny all/implicit deny" line as part of their rule sets. This means that any traffic not specifically allowed by a rule will be blocked by default.
Unified Threat Management (UTM)
Many security venders offer "all-in-one security appliance" which are devices that combine multiple functions into the same hardware appliance. most commonly these functions are firewall, IDS/IPS, antispam, malicious web traffic filtering, antispyware, content filtering, traffic shaping, etc...
Category 3 (unshielded twisted pair cable)
Minimum for voice and 10 MBPS Ethernet.
Mobile Devices
Mobile devices such as laptops, tablets, and mobile phones are the latest devices to join the corporate network. Mobile devices can create a major security gap, as a user may access separate email accounts - one personal without antivirus protection, and the other corporate
Modems
Modems were once a slow method of remote connection that was used to connect client workstations to remote services over standard telephone lines (dial-up) Modem - Is a shortened form of modulator/demodulator, converting analog signals to digital, and vice versa. DSL Modem - Provides a direct connection between a subscriber's computer and a internet connection at the local telephone company's switching station. (always ON connection). This private connection offers a degree of security, as it does not involve others sharing the circuit. Cable Modems - Are a always on internet connection. They are designed to share a party line (bandwidth) in the terminal signal area, and the cable modem standard, Data Over Cable Service Interface Specification (DOCSIS) was designed to accommodate this process. DOCSIS includes built-in support for security protocols, including authentication and packet filtering. Both cable and DSL services are designed for a continuous connection. A static IP address has the advantage of remaining the same and enabling convenient DNS connections for outside users. The security issue with Static IPs is that it is a stationary target for hackers. Cable/DLS Security: The most common security used in cable/dsl connections is a router that acts as a hardware firewall.
Concentrators
Network devices called concentrators act as traffic management devices, managing flows from multiple points into single streams. They act as endpoints for a particular protocol, such as SSL/TLS or VPN. The use of specialized hardware can enable hardware - based encryption and provide a higher level of specific service than a general purpose server.
Networking:
Networks are used to connect devices together. Networks are composed of components that perform networking functions to move data between devices. Networks begin with network interface cards, then continue in layers of switches and routers.
Removable Media
One common concept common to all computer users is data storage sometimes storage occurs on a file server and sometimes it occurs on movable media, which can then be transported between machines. Moving storage media represents a security risk from a couple of angles - the 1st being the potential loss over the data on the moving media. the 2nd risk is the introduction of unwanted items, such as a virus or worm, when the media is reattached to the network. Both of these issues can be remedied through policies and software. (Disable autoplay of USB devices). The key is to ensure that the software is effective. Media can be divided into 3 categories: -Magnetic -Optical -Electronic
Optical Media
Optical media involves the use of a laser to read data stored on a physical device. Instead of having a magnetic head that picks up magnetic marks on a disk, a laser picks up deformities embedded in the media containing the information. CD/DVD: The Compact Disc (CD) took the music industry by storm, and then it took the computer industry by storm as well. CD = 640 MB - 800 MB of data DVD = 5GB - 8.5GB of data CD-R = recordable CD-RW = Rewritable BluRay Discs: The latest version of optical disc is the blu-ray disc, using a smaller, violet-blue lase, this system can hold significantly more than a DVD. BluRay = 128 GB in four layers
Proxies
Proxies serve to manage connections between systems, acting as relays for the traffic. Proxies can function at the circuit level, where they support multiple traffic types, or they can be application level proxies, which are designed to relay specific application traffic. Though not strictly a security tool, a proxy server (proxy) can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile websites. There are several categories of proxy servers in use: -Anonymizing proxy -Caching proxy -Content-filtering proxy -Open proxy -Reverse proxy -Web proxy Deploying a proxy solution within a network environment is usually done either by setting up the proxy and requiring all client systems to configure their browsers to use the proxy or by deploying and intercepting a proxy that actively intercepts all requests without requiring client side configuration. from a security perspective, proxies are most useful in their ability to control and filter outbound requests.
Data Loss Prevention (DLP)
Refers to technology employed to detect and prevent transfers of data across an enterprise. DLP technology can scan packets for specific data patterns. It can be tuned to detect account numbers, secrets, specific markers or files and blocks the data transfer.
Sandboxing
Refers to the quarantining or isolation of a system from its surroundings. virtualization can be used as a form of sandboxing with respect to an entire system.
Loop Protection (switches)
Switches operate at layer 2 (data link), where there is no countdown mechanism to kill the packets that get caught in loops or on paths that will never resolve. To prevent loops, a technology called Spanning Tree Protocol (STP/802.1D) is employed by all switches. prevents Broadcast storms
On-premises vs Hosted vs Cloud
Systems can exist in a wide array of places, from on premises to hosted to in the cloud. On-Premises: The system resides within a local enterprise. Whether a VM, storage, or even a service, if the solution is locally hosted it is considered on premises. Advantages: Control and high connectivity Disadvantages: Resource intensive and not scalable Hosted: Having the services housed somewhere else, commonly in a shared environment, and you have a set cost based on usage. Advantages: Cost and scalability (for big companies) small scale storage needs are easily met in house, while large scale storage needs are either hosted or in the cloud.
Media:
The base of communications between devices is the physical layer of the OSI model. This is the domain of the actual connection between devices, whether by wire, fiber, or radio frequency waves. The physical layer separates the definitions and protocols required to transmit the signal physically between boxes from higher level protocols that deal with the details of the data itself. The four common methods used to connect equipment at the physical layer are: -Coaxial Cable -Twisted-Pair Cable -Fiber-Optics -Wireless
Electronic Media
The lastest form of removable media is electronic memory. Electronic circuits of static memory, which can retain data even without power, fill a niche where high density and small size are needed. examples: Smart cards, smart media, SD cards, Flash cards, memory sticks, and Compact Flash devices. Solid State Hard Drives: Solid State Hard Drives are moving into mobile devices, desktops, and even servers. Memory densities are significantly beyond physical drivers, there are no moving parts to wear out or fail, and SSDs have vastly superior performance specifications.
Security Concerns for Transmission Media
The primary security concern for a system administrator has to be preventing physical access to a server by an authorized individual. One of the administrator's next major concerns should be preventing unfettered access to a network connection. Access to switches and routers is almost as bad as direct access to a server, and access to network connections would rank third in terms of worst case scenario.
RF/Mircowave
The used of Radio Frequency (RF) waves to carry communication signals goes back to the beginning of the 20th century. RF waves are a common method of communicating in a wireless world. They use a variety of frequency bands, each with special characteristics Microwave - Is a term used to describe a specific portion of the RF spectrum that is used for communication and other tasks, such as cooking, energy transmission, etc... One key feature of microwave communication is that microwave RF energy can penetrate reasonable amounts of building structure. This allows you to connect network devices in separate rooms, and it can remove constraints on equipment location imposed by fixed wiring. the "last mile" problem is the connection of individual consumers to a backbone (Fiber network/ISP, etc.).
Caching Proxy
This type of proxy keeps local copies of popular client requests and is often used in large organizations to reduce bandwidth usage and increase performance. When a request is made, the proxy server 1st checks to see whether it has a current cop of the requested content in the cache; If it does, it services the client request immediately without having to contact the destination server.
Network Interface Cards (NIC)
To connect a server or workstation to a network, a device known as a network interface card (NIC) is used. A NIC is a card with a connector port for a particular type of network connection, either Ethernet or Token Ring. The most common network type in use for LAN is the Ethernet protocol, and the most common connector is the RJ-45 connector. The purpose of the NIC is to provide lower-level protocol functionality from the OSI model. Because the NIC defines the type of physical layer connection, different NICs are used for different physical protocols. Each NIC port is serialized with a MAC (Media Access Control) address. It is 48 bits long and the 1st 24 bits specify the manufacturer of the device and the last 24 bits detail what the device is. MAC addresses can be spoofed. Device/OSI layer Interaction: Hub = Layer 1 (physical) Switch/Bridge = Layer 2 (data link/MAC address) Router/L3 Switch = Layer 3 (Network/IP) Layer 4 (Transport/TCP/UDP) Layer 5 (Session) Layer 6 (Presentation) Layer 7 (Application) Managed switched can create VLANs (Logical Virtual LANs) to separate network traffic. Routers are gateways that allow us to communicate with the WAN (Internet) by using NAT.
Shielded Twisted Pair (STP) / Unshielded Twisted Pair (UTP)
Twisted pair cables have all but completely replaces coaxial cables in ethernet networks. Twisted pair wires use the same technology used by the phone company for the movement of electrical signals. Shielded Twisted Pair - has a foil shield around the pairs to provide extra protection from electromagnetic interference Unshielded Twisted Pair - relies on the twisting of the cables to reduce interference. UTP is more cost effective than STP and is usually sufficient for connections, except in very noisy electrical areas. Twisted pair lines are categorized by the level of data transmissions they can support. there are currently 4 categories in use: -Cat 3 -Cat 5 -Cat 6 -Cat 7 they use RJ-45 connectors to terminate them
some UTM functions:
URL Filtering - URL filters block connections to web sites that are on a prohibited list. The use of a UTM appliance, typically backed by a service to keep the list of prohibited websites updated, provides an automated means to block access to sites deemed dangerous or inappropriate. Because of the highly volatile nature of web content, automated-enterprise level protection is needed to ensure a reasonable chance of blocking sources of inappropriate content, malware, and other malicious content. Content Inspection - Instead of just relying on a URL to determine the acceptability of content being served. Content inspection is used to filter web requests that return content with specific components, such as names of body parts, music or video content, and other content that is inappropriate for the business environment. Malware Inspection - Malware is another item that can be detected during network transmission, and UTM appliances can be tuned to detect malware. Networked based malware detection has the advantage of having to update only a single system as opposed to all machines.
VDI (Virtual Desktop Infrastructure) / VDE (Virtual Desktop Environment)
Virtual Desktop Infrastructure and Virtual Desktop Environment are terms used to describe the hosting of a desktop environment on a central server. Advantages: -Easy to backup -Accessible from any device - Internet required -More secure
Wireless Devices
Wireless devices bring additional security concerns. There is, by definition no physical connection to a wireless device; radio waves or infrared carry data, which allows anyone within range access to the data. Wireless Access Point = provides an entry point to a wired network.
Web Application Firewalls vs Network Firewalls
Web Application Firewalls - is the term given to any software package, appliance, or filter that applies a rule set to HTTP/HTTPS traffic. Web application firewalls shape web traffic and can be used to filter out SQL injection attacks, malware, cross-site scripting (XSS), etc.... Network Firewalls - Is a hardware or software package that controls the flow of packets into and out of a network. Web application firewalls operate on traffic at a much higher level than network firewalls, as they must decode the web traffic to determine if it is malicious. Network firewalls operate on simpler traffic aspects such as source/destination ports and addresses.
Security Control Testing
When applying security controls to a system to manage security operations, you need to test the controls to ensure they are providing the desired results. It is essential to specifically test all security controls inside the virtual environment to ensure their behavior is still effective.
VM Escape Protection
When multiple VMs are operating on a single hardware platform one concern is VM escape. This is where software typically malware or an attacker escapes from one VM to the underlying OS and resurfaces in a different VM. When you examine the problem from a logical point of view, you see that both VMs are using the same RAM, Processors, etc.; Therefore, the difference is one of timing and specific combinations of elements within the VM environment. Large scale VM environments have specific modules designed to detect escape and provide VM escape protection to other modules. Note: Virtual environments have several specific topics that may be asked on the exam. Understanding the difference between type 1 and type 2 hypervisors, and where you would use each. Understand the difference between VM sprawl and VM escape, and the effects of each.
Host Availability / Elasticity
When you set up a virtualization environment, protecting the host OS and hypervisor level is critical for system stability. (hypervisor type 2) The best practice is to avoid the installation of any applications on the host-level machine. This aids in the system stability by providing separation between the application and the host OS. One of the advantages of virtualization is that a virtual machine can be moved to a larger or smaller environment based on need. If a VM needs more processing power, then migrating the VM to a new hardware system with greater CPU capacity allows the system to expand without you having to rebuild it.
Hubs
a Hub is a networking equipment that connects devices that are using the same protocol at the physical layer of the OSI model. Connections of a hub share a single collision domain, a small cluster in a network where packet collisions can occur. The collision issue made hubs obsolete in newer, high performance networks, with inexpensive switches and switched ethernet keeping costs low and usable bandwidth high. on hubs, networked traffic can be sniffed by all devices connected to it. (no security)
Cloud Access Security Broker (CASB)
are integrated suites of tools and services offered as security as a service (SECaaS), or third party Managed Security Service Provider (MSSP), focused on cloud security. CASB vendors provide a range of security services designed to protect cloud infrastructure and data.
Servers
are the computers in a network that host applications and data for everyone to share. servers can range from a small single CPU to multiple CPU monsters, up to and including mainframes. The OS on a server tends to be more robust than the OS on a workstation system and is designed to service multiple users over a network at the same time.
Cloud Computing
is a common term used to describe computer services provided over a network. These computing services are computing, storage, applications, and services that are offered via the Internet Protocol.
Firewall
is a network device (hardware, software, or a combination thereof) whos purpose is to enforce a security policy across it's connections by allowing or denying traffic to pass into or out of the network. A firewall is a lot like a gate guard at a secure facility. All network traffic passing through is examined - traffic that does not meet the specified security criteria or violates the firewall policy is blocked. Firewall Rules: Firewalls are in reality policy enforcement devices. Each rule in a firewall should have a policy behind it, as this is the only manner of managing firewall rule sets over time. The steps for successful firewall management begins and ends with maintaining a policy list by firewall of the traffic restrictions to be impose. Managing this list via a configuration-management process is important to prevent network instabilities from faulty rule sets or unknown "left-over" rules. Orphan or left over rules are rules that were created for a special purpose (testing emergency, visitor or vendor, etc..) and then forgotten about and not removed after their use ended. These rules can clutter up a firewall and can result in unintended challenges to the security team. A key to security policies for firewalls is the same for every security policy - the principle of least access. only allow necessary access for a function and block or deny all unneeded functionality. Firewalls are designed to block attacks before they get to a target machine. common targets are webservers, email servers, DNS servers, FTP services, and databases.
Routers
is a network traffic management device used to connect network segments together. Routers operate at the network layer (Layer 3) of the OSI model, using network addresses (IP) to route traffic using routing protocols to determine optimal routing paths across a network. They examine the packet's destination address and us algorithms and tables (IP tables) to determine where to send the packet next. Routers us ACL (Access Control Lists) to determine if a packet is allowed to enter the network. Setting up and maintaining a router's ACL can be a cumbersome process and as the ACL grows in size, the router's routing efficiency can decrease. It is also possible to set up the router to act as a Quasi - application gateway, performing Stateful Packet inspection by having it inspect the packet's contents as well as IP addresses in order to determine whether or not to let the packet pass. This can significantly decrease a router's throughput. It is also important to limit who has access to the router and control over its internal functions. (Change the default credentials). like a switch a router can be accessed via SNMP and telnet (SSH) and could be programmed remotely.
Snapshots
is a point-in-time saving of the state of a virtual machine. Snapshots have great utility because they are like a save point for an entire system. They act as a form of backup and are typically much faster than a normal system backup and recovery operations.
Network Access Control (NAC)
is a security methodology that manages endpoints on a case-by-case basis as they connect. There are two main competing methodologies that deal with network access control, they are: 1. Network Access Protection (NAP) 2. Network Admission Control (NAC)
Unguided Media
is a term used to cover all transmission media not guided by wire, fiber or other constraints; It includes radio frequency, infrared, and microwave methods. Because they are unguided, they can travel to many machines simultaneously. Transmission patterns can be modulated by antennas, but the target machine can be one of many in a reception zone. As such, security principles are even more critical, as they must assume that unauthorized users have access to the signal.
Internet Content Filters
is any device, application, or software package that examines network traffic for undesirable or restricted content. Content filters can also filter out browser hijacking or cross site scripting attacks (XSS).
Virtualization
is the abstraction of the OS layer, creating the ability to host multiple OSs on a single piece of hardware. virtualization technology is used to allow a computer to have more than one OS present, and in many cases, operating at the same time. One of the advantages of virtualization is the separation of the software and the hardware creating a barrier that can improve many system functions including security. Host machine = underlying hardware Guest OS = the virtualized machine Virtualization Solutions = VMWare, VirtualBox, Parallels, and Citrix Xen Virtualization offers much in terms of host-based management of a system. From snapshots that allow easy rollback to previous states, faster system deployment via pre-configured images, ease of backup, and the ability to test systems, virtualization offers many advantages to system owners.
Workstations
is the machine that sits on the desktop and is used every day for sending and receiving email, creating spreadsheets, writing reports in a word processing program, and playing games.
Software as a Service (SaaS)
is the offering of software to end users from within the cloud. (software for rent) example: Microsoft Office 365, Google (docs, drives, cloud), etc...
VM Sprawl
is the uncontrolled spreading of disorganization caused by a lack of organizational structure when many similar elements require management. When you have hundreds of files, developed over a long period of time, and not necessarily in an organized manner, sprawl does become a problem. The same thing can happen with virtual machines in an enterprise. VM sprawl avoidance is a real thing that should be implemented via a policy. You can fight VM sprawl through using naming conventions and proper storage architectures so that the files are in the correct directories, thus making finding a specific VM easy and efficient. But like any filing system, it is only good if it's followed; Therefore, policies and procedures need to ensure that proper VM naming and filing are done on a regular basis.
ARP Poisoning (switches)
is when a device spoofs their MAC address in order to change the ARP address tables (cache) through the use of spoofed traffic and the ARP-table update mechanism.
Elasticity
refers to the ability of a system to expand/contract as system requirements dictate.