5.1 Security Appliances
Wireless
A wirelessly broadcasted network is used on most internal networks so that internal users do not require a physical connection to a router or switch.
Security Zones
Security zones are portions of the network or system that have specific security concerns or requirements. All devices with the same zone have the same security access and security protection needs. These zones are often separated by a traffic control device, such as a firewall or a router, that filters incoming and outbound traffic. For example, you can define a zone that includes all hosts on your private network protected from the internet. You can also define a zone within your network for controlled access to specific servers that hold sensitive information.
As you study this section, answer the following questions:
> What are the benefits and risks of using proxy servers? > What is the purpose of a content filtering server? > How can network access controls (NACs) improve a network's security? > What is the difference between the intranet and the internet? > What are the uses of a demilitarized zone (DMZ)? > Why is a honeynet useful? > What are the features of an all-in-one security appliance? > What size organization should employ a all-in-one security appliance? In this section, you will learn to: > Install a security appliance. > Configure a security appliance. > Configure network security appliance access. > Configure Quality of Service (QoS) or traffic shaping.
Ad hoc
A decentralized network that allows connections without a traditional base station or router. It allows users to connect two or more devices directly to each other for a specific purpose.
Application-aware devices
A device that has the ability to analyze and manage network traffic based on the application-layer protocol.
Guest
A guest network at an organization often grants internet access only for guest users, but it also has some type of firewall to regulate that access. There could be limited internal resources made available on a guest network. Normally it is just a way for guests to access the internet without being allowed on the intranet or internal network.
Honeynet
A honeynet is a special network created to trap potential attackers. Honeynets have vulnerabilities that lure attacks so that you can track their actions and protect your real network. Honeynets can generate extremely useful security information.
Demilitarized Zone (DMZ)
A network that contains publicly accessible resources and is located between the private network and an untrusted network, such as the internet. It is protected by a firewall.
Wireless Network
A network that does not require a physical connection.
Guest Network
A network that grants internet access only to guest users. A guest network has a firewall to regulate guest user access.
Intranet zone
A private network that employs internet information services for internal use only.
Extranet
A privately-controlled network distinct from but located between the internet and a private LAN.
Proxy Server
A proxy server is a type of firewall that stands as an intermediary between clients requesting resources from other servers. A proxy server is often called an application-level gateway because it performs filtering at the Application layer. Proxies can be configured to: > Restrict users on the inside of a network from getting out to the internet. > Restrict access by user or specific website. > Restrict users from using certain protocols. > Use access controls to control inbound or outbound traffic. > Shield or hide a private network to provide online anonymity and make it more difficult to track web surfing behavior. > Cache heavily access web content to improve performance. Proxy servers can also be a security risk and can be used to circumvent network security and even attack a network.
Internet
A public network that includes all publicly available webs servers, FTP servers, and other services.
Honeynet
A special zone or network created to trap potential attackers.
Proxy server
A type of firewall that stands as an intermediary between clients requesting resources from other servers.
Ad hoc
An ad hoc network is a decentralized network that allows connections without a traditional base station or router. It allows users to connect two or more devices directly to each other for a specific purpose.
All-in-one security appliance
An appliance that combines many security functions into a single device.
Application-aware devices
An application-aware device has the ability to analyze and manage network traffic based on the Application layer protocol that created it. Some of these devices can also apply quality of service (QoS) and traffic-shaping rules based on the application that created network traffic. Consider the following examples: > An application-aware firewall can enforce security rules based on the application that is generating network traffic instead of the traditional port and protocol. > An application-aware IDS or IPS can analyze network packets to detect malicious payloads targeted at Application layer services (such as a web server). > An application-aware proxy manages traffic based on the Application layer protocols they support, such as FTP or HTTP. This allows the proxy to perform two key functions: 1. Prevent the application client from performing undesirable actions. For example, an FTP proxy could be configured to allow FTP clients to perform downloads but inhibit uploads. 2. Improve application performance. For example, an HTTP proxy can be configured to cache frequently accessed web pages.
All-in-one security appliances
Combine many security functions into a single device. All-in-one security apliances are also known as unified threat security devices or web security gateways. This type of device may be the best choice for: > A small company without the budget to buy individual components. > A small office without the physical space for individual components. > A remote office without a technician to manage the individual security components. Security functions in an all-in-one security appliance can include: > Spam filters > URL filters > Web content filters > Malware inspection > Intrusion detection systems. In addition to security functions, all-in-one security appliances can include: > Network switches > Routers > Firewalls > Tx uplink (integrated CSU/DSU) > Bandwidth shaping
Security Zone
Portions of the network or system that have specific security concerns or requirements.
Network Access Control (NAC)
Network Access Control (NAC) controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements. > NAC attempts to unify endpoint security by defining the security measures that must be in place for a computer requesting access to the network. > NAC requires a NAC agent (software to monitor the health of a machine) to be installed on each computer as part of the security requirements for computers attempting to gain access. > A client determined healthy by the NAC agent is given access to the network. > An unhealthy client (one that has not met all the checklist requirements) is either denied access or can be given restricted access to a remediation network. After this, remediation servers can help the client become compliant. > NAC is often used with 802.1x as an authentication protocol for port-based security. In addition to meeting authentication requirements, the lcient must also meet health requirements before access is granted through 802.1x > Microsoft version of the NAC security tool is Network Access Protection (NAP).
5.1.5 Security Solution Facts
Network Security Solutions The following table lists additional network security solutions that can be configured to increase network security:
5.1.8 Configure Network Security Appliance Access Lab
Required Actions > Change the password for the admin account to P@ssw0rd. > Set a 15 minute session timeout for pfSense. > Create and configure a new pfSense user: - UN: zolsen - PW: St@yout! - Full Name: Zoey Olsen - Is a member of the admins group > Enable anti-lockout for HTTP. Complete this lab as follows: 1. Access the pfSense management console. a. From the taskbar, select Google Chrome. b. Maximize the window for better viewing. c. In the Google Chrome address bar, enter 198.28.56.18 and then press Enter. d. Enter the pfSense sign-in information as follows: Username: admin Password: pfsense e. Select SIGN IN. 2. Change the password for the default (admin) account. a. From the pfSense menu bar, select System > User Manager. b. For the admin account, under Actions, select the Edit user icon (pencil). c. For the Password field, change to P@ssw0rd (use a zero). d. For the Confirm Password field, enter P@ssw0rd. e. Scroll to the bottom and select Save. 3. Create and configure a new pfSense user. a. Select Add. b. For Username, enter zolsen. c. For the Password field, enter St@yout!. d. For the Confirm Password field, enter St@yout! e. For Full Name, enter Zoey Olsen. f. For Group Membership, select admins and then select Move to Member of list. g. Scroll to the bottom and select Save. 4. Set a session timeout for pfSense. a. Under the System breadcrumb, select Settings. b. For Session timeout, enter 15. c. Select Save. 5. Disable the webConfigurator anti-lockout rule for HTTP. a. From the pfSense menu bar, select System > Advanced. b. Under webConfigurator, for Protocol, select HTTP. c. Select Anti-lockout to disable the webConfigurator anti-lockout rule. d. Scroll to the bottom and select Save.
5.1.7 Configure a Security Appliance Lab
Required Actions > Configure DNS Servers - Configure the DNS1 server - Give the primary DNS server an IP address of 163.128.78.93 - Name primary DNS server DNS1 - Configure the DNS2 server - Give the secondary DNS server an IP address of 163.128.80.93 - Name secondary DNS server DNS2 > Configure the WAN settings - Enable the WAN interface - Use static IPv4 - Use IP address 65.86.24.136 - Use a subnet mask of 255.0.0.0 (/8) > Add and configure a new gateway. - Use a gateway name of WANGateway - Use the gateway IP address of 65.86.1.1 Complete this lab as follows: 1. Access the pfSense management console. a. From the taskbar, select Google Chrome. b. Maximize the window for better viewing. c. In the address bar, type 198.28.56.18 and then press Enter. d. Sign in using the following case-sensitive information: Username: admin Password: pfsense e. Select SIGN IN or press Enter. 2. Configure the DNS Servers. a. From the pfSense menu bar, select System > General Setup. b. Under DNS Server Settings, configure the primary DNS Server as follows: Address: 163.128.78.93 Hostname: DNS1 Gateway: None c. Select Add DNS Server to add a secondary DNS Server and then configure it as follows: Address: 163.128.80.93 Hostname: DNS2 d. Scroll to the bottom and select Save. 3. Configure the WAN settings. a. From pfSense menu bar, select Interfaces > WAN. b. Under General Configuration, select Enable interface. c. Use the IPv4 Configuration Type drop-down to select Static IPv4. d. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136. e. Use the IPv4 Address subnet drop-down to select 8. f. Under Static IPv4 Configuration, select Add a new gateway. g. Configure the gateway settings as follows: Default: Select Default gateway Gateway name: Enter WANGateway Gateway IPv4: 65.86.1.1 h. Select Add. i. Scroll to the bottom and select Save. j. Select Apply Changes.
Network access control
Software that controls access to the network by not allowing computers to access network resources unless that meet certain predefined security requirements.
Internet content filter
Software used to monitor and restrict content delivered across the web to an end user.
Internet content filter
Software used to monitor and restrict content delivered across the web to an end user. Companies, schools, libraries, and families commonly use content filters to restrict internet access, block specific websites, or block specific content. > Two types of configurations are commonly used, which are: - Allow all content except for the content you have identified as restricted - Block all content except for the content you have identified as permitted. > Allowed or blocked content is identified by the following: - Whitelists identify allowed sites or content. - Blacklist identify disallowed or blocked content. - Category levels use classification to block content based on content type. > Common methods for restricting content include: - Categorization of the content (such as sport sites, gambling sites, etc...) - URLs - DNS > Parental controls is content filtering software used by parents at home to monitor and restrict child web access. > Content filtering software can be expanded to include email, instant messaging, and other application in addition to web content. > Most internet content filters can also block pop-ups and filter spam. > Keyword filtering can be configured to block the results of searches on specific words.
5.1.10 Configure QoS Lab
Task Summary Required Actions & Questions > Create an aliase - Name the firewall alias HighBW - The alias description name: High bandwidth users - One IP address for the IP or FQDN field is: 172.14.1.25 - The other IP address for the IP or FQDN field is: 172.14.1.100 > Use Traffic Shaper wizard for dedicated links using one WAN connection > Configure the traffic shaper - Interface select: GuestWiFi - Upload configured - Upload set to: 5 - Upload set to Mbit/s - Download configured - Download set to: 45 - Download set to Mbit/s > Prioritize voice over IP traffic - Voice over IP is enabled - Voice over IP upload rate set to: 15 - Voice over IP upload units set to: Mbit/s - Voice over IP download rate set to: 20 Voice over IP download units set to: Mbit/s > Enable and configure a penalty box - Penalty Box is enabled - Address is set to: HighBW - Bandwidth is set to: 1 > Raise and lower the applicable application's priority - MSRDP raised to higher priority - VNC set to Higher priority - PPTP raised to higher priority - IPSEC raised to higher priority > Q1How many firewall rules were created? 7 > Change the port number used for the MSRDP outbound rule Complete this lab as follows: 1. Sign into the pfSense management console. a. In the Username field, enter admin. b. In the Password field, enter P@ssw0rd (zero). c. Select SIGN IN or press Enter. 2. Create a high bandwidth usage alias. a. From the pfSense menu bar, select Firewall > Aliases. b. Select Add. c. Configure the Properties as follows: - Name: HighBW - Description: High bandwidth users - Type: Host(s) d. Add the IP addresses of the offending computers to the host(s) configuration as follows: - Under Host(s), in the IP or FQDN field, enter 172.14.1.25. - Select Add Host. - In the IP or FQDN field, enter 172.14.1.100. e. Select Save. f. Select Apply Changes. 3. Start the Traffic Shaper wizard for dedicated links. a. From the pfSense menu bar, select Firewall > Traffic Shaper. b. Under the Firewall bread crumb, select Wizards. c. Select traffic_shaper_wizard_dedicated.xml. d. Under Traffic shaper Wizard, in the Enter number of WAN type connections field, enter 1 and then select Next. 4. Configure the Traffic Shaper. a. Make sure you are on Step 1 of 8. b. Using the drop-down menu for the upper Local interface, select GuestWi-Fi. c. Using the drop-down menu for lower Local interface, make sure PRIQ is selected. d. For the upper Upload field, enter 5. e. Using the drop-down menu for the lower Upload field, select Mbit/s. f. For the top Download field, enter 45. g. Using the drop-down menu for the lower Download field, select Mbit/s. h. Select Next. 5. Prioritize voice over IP traffic. a. Make sure you are on Step 2 of 8. b. Under Voice over IP, select Enable to prioritize the voice over IP traffic. c. Under Connection #1 parameters, in the Upload rate field, enter 15. d. Using the drop-down menu for the top Units, select Mbit/s. e. For the Download rate, enter 20. f. Using the drop-down menu for the bottom Units, select Mbit/s. g. Select Next. 6. Enable and configure a penalty box. a. Make sure you are on Step 3 of 8. b. Under Penalty Box, select Enable to enable the penalize IP or alias option. c. In the Address field, enter HighBW. This is the alias created earlier. d. For Bandwidth, enter 2. e. Select Next. 7. Continue to step 6 of 8. a. For Step 4 of 8, scroll to the bottom and select Next. b. For Step 5 of 8, scroll to the bottom and select Next. 8. Raise and lower the applicable application's priority. a. Make sure you are on Step 6 of 8. b. Under Raise or lower other Applications, select Enable to enable other networking protocols. c. Under Remote Service / Terminal emulation, use the: - MSRDP drop-down menu to select Higher priority. - VNC drop-down menu to select Higher priority. d. Under VPN: - Use the PPTP drop-down menu to select Higher priority - Use the IPSEC drop-down menu to select Higher priority e. Scroll to the bottom and select Next. f. For step 7 of 8, select Finish. Wait for the reload status to indicate that the rules have been created (look for Done). 9. View the floating rules created for the firewall. a. Select Firewall > Rules. b. Under the Firewall breadcrumb, select Floating. c. In the top right, select Answer Questions. d. Answer the question and then minimize the question dialog. 10. Change the port number used for the MSRDP outbound rule. a. For the m_Other MSRDP outbound rule, select the edit icon (pencil) b. .Under Edit Firewall Rule, select GuestWi-Fi. c. Under Destination, use the Destination Port Range drop-down menu to select Other. d. In both Custom fields, enter 3391. e. Select Save. f. Select Apply Changes. g. In the top right, select Answer Questions. h. Select Score Lab.
Common Security Zones
The following table lists common zones: Intranet - An intranet is a private network (LAN) that employs internet information services for internal use only. For example, your company network might include web servers and email servers that are used by company employees. Internet - The internet is a public network that includes all publicly available web servers, FTP servers, and other services. The internet is public because access is largely open to everyone. Extranet - An extranet is a privately controlled network distinct from the intranet but located between the internet and a private LAN. An extranet is often used to grant resource access to business partners, suppliers, and even customers outside of the organization. Wireless - A wireless zone is a broadcasted network connection used within an organization. Users don't need a physical connection to a network port to connect to the intranet or internal resources. Instead they use a wireless connection on their device to connect to a wireless access point. Demilitarized Zone - A DMZ is a network that contains publicly accessible resources. The DMZ is located between the private network and an untrusted network (such as the internet) and is protected by a firewall. A bastion host is a server that is exposed to attacks by untrusted networks. It can be placed inside the DMZ or exposed to the public network.
Security Zone Networks
The following table lists types of networks found in your security zones:
5.1.3 Security Zone Facts
This lesson covers the following topics: > Security zones > Security zone networks > Common security zones