Chapter 10


Lesson 10

Implementing Network Security Appliances


Topic 10A
Implement Firewalls and Proxy Servers

CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered

• 3.3 Given a scenario, implement secure network designs

Packet Filtering Firewalls

• Enforce a network access control list (ACL)


• Act to deny (block or drop), log, or accept a packet
• Inspect headers of individual packets
• Source and destination IP address
• Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on)
• Source and destination port numbers (TCP or UDP application type)
• Inbound, outbound, or both
• Stateless operation: a basic packet filtering firewall is stateless. This means that it does not preserve information about network sessions. Each packet is analyzed independently, with no record of previously processed packets. This

Stateful Inspection Firewalls

• State table stores connection information
• Transport layer (layer 4)
  • TCP handshake
  • New versus established and related connections
• Application layer (layer 7)
  • Validate protocol
  • Match threat signatures
  • Application-specific filtering

Session data is stored in a state table. When a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection. If it does not, it applies the ordinary packet filtering rules to determine whether to allow it. Once the connection has been allowed, the firewall usually allows traffic to pass unmonitored, in order to conserve processing effort.

Screenshot used with permission from Rubicon Communications, LLC

• The firewall examines the TCP three-way handshake to distinguish new from established connections.
• A legitimate TCP connection should follow a SYN > SYN/ACK > ACK sequence to establish a session, which is then tracked using sequence numbers.
• Deviations from this, such as SYN without ACK or sequence number anomalies, can be dropped as malicious flooding or session hijacking attempts.
• It can also track UDP connections, though this is harder as UDP is a connectionless protocol.
• An application-aware firewall can inspect the contents of packets at the application layer.
• For example, a web application firewall could analyze the HTTP headers and the HTML code present in HTTP packets to try to identify code that matches a pattern in its threat database.

iptables

Firewall Implementation

• Firewall appliances
• Routed (layer 3)
• Bridged/transparent (layer 2)
• Router/firewall
• Application-based firewalls
• Host-based (personal)
• Application firewall
• Network operating system
(NOS) firewall

Screenshot used with permission from Cisco.


Routed (layer 3)—the firewall performs forwarding between subnets. Each interface on the firewall connects to a different subnet and represents a different security zone.

Bridged (layer 2)—the firewall inspects traffic passing between two nodes, such as a router and a switch. This is also referred to as transparent mode. The firewall does not have an IP interface (except for configuration management). It bridges the Ethernet interfaces between the two nodes. Despite performing forwarding at layer 2, the firewall can still inspect and filter traffic on the basis of the full range of packet headers. The typical use case for a transparent firewall is to deploy it without having to reconfigure subnets and reassign IP addresses on other devices.

A router firewall or firewall router appliance implements filtering functionality as part of the router firmware. The difference is that a router appliance is primarily designed for routing, with firewall as a secondary feature.
• Host-based firewall (or personal firewall)—implemented as a software application running on a single host designed to protect that host only.

• Application firewall—software designed to run on a server to protect a particular application only.

• Network operating system (NOS) firewall—a software-based firewall running under a network server OS, such as Windows or Linux. The

Proxies and Gateways

• Forward proxy server
  • Proxy opens connections with external servers on behalf of internal clients
  • Application-specific filters
  • Non-transparent and transparent proxies
  • User authentication
• Reverse proxy server
  • Proxy opens connections with internal servers on behalf of external clients

For example, you might deploy a web proxy that enables client computers on the LAN to connect to websites and secure websites on the internet. A non-transparent proxy means that the client must be configured with the proxy server address and port number to use it.

Screenshot used with permission from Rubicon Communications, LLC.

Access Control Lists

• Least access
• Top to bottom processing order
• Implicit deny
• Explicit deny all
• Criteria for rules (tuples)
• Documenting and testing configuration

There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded. If the firewall does not have a default implicit deny rule, an explicit deny all rule can be added manually to the end of the ACL.

Screenshot used with permission from Rubicon Communications, LLC.
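The stateful inspection notes above and this ACL slide describe two mechanisms that work together: a rule list processed top to bottom with an implicit deny, and a state table that follows the TCP handshake so return traffic is accepted without re-running the ACL. The following toy packet filter is an added example (not CompTIA's code or any vendor's implementation) that models both; all addresses, ports and packets are constructed, and the handshake model is deliberately minimal (UDP is treated statelessly, as the notes say it is harder to track).

```python
"""Toy stateful packet filter: top-to-bottom ACL with implicit deny plus a
TCP handshake state table. Added example with constructed data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class Rule:
    """One ACL line: tuple criteria plus an action ("accept" or "deny")."""
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


@dataclass
class StatefulFirewall:
    rules: list
    state: dict = field(default_factory=dict)   # initiator 5-tuple -> handshake state

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _acl_decision(self, pkt: Packet) -> str:
        for rule in self.rules:          # top-to-bottom, first match wins
            if rule.matches(pkt):
                return rule.action
        return "deny"                    # implicit deny when nothing matched

    def process(self, pkt: Packet) -> str:
        fwd, rev = self._key(pkt), self._reverse_key(pkt)
        if rev in self.state:            # reply direction of a tracked connection
            st = self.state[rev]
            if st == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
                self.state[rev] = "SYN_RECEIVED"
                return "accept"
            return "accept" if st == "ESTABLISHED" else "deny"
        if fwd in self.state:            # initiator direction of a tracked connection
            st = self.state[fwd]
            if st == "SYN_RECEIVED" and pkt.flags == {"ACK"}:
                self.state[fwd] = "ESTABLISHED"
                return "accept"
            return "accept" if st == "ESTABLISHED" else "deny"
        # Untracked packet: only a bare SYN may open a TCP connection, and only if
        # the ACL allows it. UDP is not tracked here (stateless handling).
        if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
            return "deny"
        decision = self._acl_decision(pkt)
        if decision == "accept" and pkt.proto == "tcp":
            self.state[fwd] = "SYN_SENT"
        return decision


def run_demo() -> list:
    """Constructed ACL: LAN hosts may open HTTPS outbound; all else is implicitly denied."""
    fw = StatefulFirewall(rules=[Rule("accept", src="10.0.0.0/8", proto="tcp", dst_port=443)])
    client, server = ("10.0.0.5", 50000), ("203.0.113.10", 443)
    packets = [
        Packet(*client, *server, flags=frozenset({"SYN"})),          # new HTTPS connection
        Packet(*server, *client, flags=frozenset({"SYN", "ACK"})),   # server's reply
        Packet(*client, *server, flags=frozenset({"ACK"})),          # handshake completes
        Packet(*server, *client, flags=frozenset({"ACK"})),          # data on established flow
        Packet("198.51.100.7", 4444, "10.0.0.5", 22, flags=frozenset({"SYN"})),    # unsolicited inbound
        Packet("198.51.100.7", 4444, "10.0.0.5", 3389, flags=frozenset({"ACK"})),  # ACK with no handshake
        Packet(*client, "203.0.113.10", 80, flags=frozenset({"SYN"})),             # port not in the ACL
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

The first four packets show the handshake being tracked and the server's data accepted by state alone; the last three show the implicit deny (no matching rule), the rejection of an out-of-state ACK, and a destination port the ACL never lists.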

Network Address Translation

• Source NAT
  • 10.0.0.0 to 10.255.255.255 (Class A private address range)
  • 172.16.0.0 to 172.31.255.255 (Class B private address range)
  • 192.168.0.0 to 192.168.255.255 (Class C private address range)
• Static and dynamic NAT
• Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT)
• Destination NAT/port forwarding
  • Advertise a resource using a global IP address but forward it to a local IP address
  • Usually forward specific ports only

Screenshot used with permission from Rubicon Communications, LLC.

A NAT gateway is a service that translates between the private addressing scheme used by hosts on the LAN and the public addressing scheme used by a router, firewall, or proxy server on the network edge.

Static NAT—one-to-one mapping between local and global addresses.

Dynamic NAT—this version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses.

Overloading—really a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different source ports.

Port forwarding—means that the router takes requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port in the DMZ or LAN.

Virtual Firewalls

• Hypervisor-based
• Filtering built into the hypervisor or cloud service
• Virtual appliance
• Deployed as a virtual machine to the cloud
• Multiple context
• Firewall appliance running multiple instances
• East-west security design and microsegmentation

• Hypervisor-based—this means that filtering functionality is built into the hypervisor or cloud provisioning tool. You can use the cloud's web app or application programming interface (API) to write access control lists (ACLs) for traffic arriving or leaving a virtual host or virtual network.

• Virtual appliance—this refers to deploying a vendor firewall appliance instance using virtualization, in the same way you might deploy a Windows or Linux guest OS.

• Multiple context—this refers to multiple virtual firewall instances running on a hardware firewall appliance. Each context has a separate interface and can perform a distinct filtering role.

Open-source versus Proprietary Firewalls

• Source code inspection and supply chain issues


• Wholly proprietary appliance OS
• UNIX or Linux kernel with proprietary features
• Wholly open-source
• Support arrangements and subscription features

Firewalls and Proxy Servers

Review Activity

Assisted Lab

• Configuring a Firewall

Lab Activity
Topic 10B
Implement Network Security Monitoring

Syllabus Objectives Covered

• 3.3 Given a scenario, implement secure network designs

Network-Based Intrusion Detection Systems

• Intrusion detection system (IDS)
• Network sensor captures traffic
• Detection engine performs real-time analysis of indicators
• Passive logging/alerting

Screenshot: Security Onion (securityonion.net)

Network-Based Intrusion Prevention Systems

• Intrusion prevention system (IPS)


• Active response to threats
• Reset session
• Apply firewall filters on the fly to shun traffic
• Bandwidth throttling
• Packet modification
• Run a script or other process: the appliance may be able to run a script or third-party program to perform some other action not supported by the IPS software itself.
• Anti-virus scanning/content filtering: some IPS provide inline, wire-speed anti-virus scanning. Their rulesets can be configured to provide user content filtering, such as blocking URLs, applying keyword-sensitive block lists or allow lists, or applying time-based access restrictions.
• Inline placement—risk of failure

Signature-Based Detection

• Analysis engine
• Signature-based detection
  • Pattern matching
  • Database of known attack signatures
  • Must be updated with latest definitions/plug-ins/feeds
  • Many attack tools do not conform to specific signatures

Behavior and Anomaly-Based Detection

• Behavioral-based detection
• Train sensor with baseline normal behavior to recognize anomalous behavior
• Network behavior and anomaly detection (NBAD)
• Heuristics (learning from experience)
• Statistical model of behavior
• Machine learning assisted analysis
• User and entity behavior analytics (UEBA)
• Network traffic analysis (NTA)
• Anomaly-based detection as irregularity in packet construction

Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident.

• For example, if a particular user regularly downloads 10 MB of files every day but suddenly downloads gigabytes of files, the system would be able to detect this anomaly and alert them immediately.
• UEBA uses machine learning, algorithms, and statistical analyses to know when there is a deviation from established patterns, showing which of these anomalies could result in a potential, real threat. UEBA can also aggregate the data you have in your reports and logs, as well as analyze file, flow, and packet information.

Network traffic analysis (NTA) is a method of monitoring network availability and activity to identify anomalies, including security and operational issues. Common use cases for NTA include collecting a real-time and historical record of what's happening on your network.
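The download-volume scenario above is a good fit for the "statistical model of behavior" bullet on the previous slide: train on a baseline, then flag anything outside a defined tolerance. The following added example (not CompTIA's code or a product's UEBA engine) implements that with a per-user mean and standard deviation and a z-score threshold; the baseline samples and the day's observations are constructed, and a user with no baseline is reported as such rather than guessed at.

```python
"""Baseline-and-tolerance anomaly detection on per-user daily download volume.
Added example with constructed sample data."""
from statistics import mean, stdev

# Constructed training baseline: daily download volume in MB per user.
BASELINE_MB = {
    "alice": [10, 12, 9, 11, 10, 13, 10],
    "bob":   [300, 280, 320, 310, 290, 305, 295],
}

# Constructed observations for the day under analysis (MB).
TODAY_MB = {"alice": 4096, "bob": 330, "carol": 50}


def train(baseline: dict) -> dict:
    """Statistical model of normal behaviour: (mean, std dev) per user."""
    model = {}
    for user, samples in baseline.items():
        mu = mean(samples)
        # A very regular user would otherwise get a near-zero deviation and trip on
        # trivial changes, so keep the tolerance band at least 5% of the mean.
        sigma = max(stdev(samples), 0.05 * mu) if len(samples) > 1 else mu
        model[user] = (mu, sigma)
    return model


def score(model: dict, user: str, value: float, tolerance: float = 3.0):
    """Return (z-score, verdict). Beyond `tolerance` standard deviations from the
    baseline is an incident; an unknown user cannot be judged and is marked for learning."""
    if user not in model:
        return None, "no-baseline"
    mu, sigma = model[user]
    z = (value - mu) / sigma
    return z, ("incident" if abs(z) > tolerance else "normal")


def analyse(baseline: dict = BASELINE_MB, today: dict = TODAY_MB) -> dict:
    """Score every observation for the day against the trained model."""
    model = train(baseline)
    return {user: score(model, user, mb) for user, mb in today.items()}


if __name__ == "__main__":
    for user, (z, verdict) in analyse().items():
        print(f"{user:6s} z={z if z is None else round(z, 1)} {verdict}")
```

With these numbers alice's 4096 MB day is thousands of standard deviations above her 10 MB baseline and becomes an incident, bob's 330 MB stays inside his tolerance band, and carol has no history to compare against.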

Next-generation Firewalls and Content Filters

• Next-generation firewall
  • Application-aware filtering, user account-based filtering, IPS, cloud inspection, …
• Unified threat management (UTM): refers to a security product that centralizes many types of security controls
  • Combining security controls into single agent and management platforms
  • Firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway, …
• Content/URL filter
  • Focuses on outgoing user traffic
  • Content block lists and allow lists
  • Time-based restrictions
  • Secure web gateway (SWG)

A content filter is designed to apply a number of user-focused filtering rules, such as blocking uniform resource locators (URLs) that appear on content blacklists or applying time-based restrictions to browsing. Content filters are now usually implemented as a class of product called a secure web gateway (SWG).

Host-Based Intrusion Detection Systems

• Host-based IDS: captures information from a single host, such as a server, router, or firewall.
• Network, log, and file system monitoring for endpoints
• The core ability is to capture and analyze log files, but more sophisticated systems can also monitor OS
kernel files, monitor ports and network interfaces, and process data and logs generated by specific
applications, such as HTTP or FTP.
• File integrity monitoring (FIM)
• Cryptographic hash or file signature verifies integrity of files
• Compare hashes manually or verify signature with publisher’s public key
• Windows File Protection/sfc
• Tripwire and OSSEC
• In Windows, the Windows File Protection service runs automatically
and the System File Checker (sfc) tool can be used manually to verify
OS system files. Tripwire (tripwire.com) and OSSEC (ossec.net) are
examples of multi-platform tools with options to protect a wider range
of applications.

Web Application Firewalls

• Able to inspect code in HTTP packets
• Matches suspicious code to vulnerability database
• Can be implemented as software on host or as appliance

A web application firewall (WAF) is designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks. WAFs use application-aware processing rules to filter traffic and perform application-specific intrusion detection.

Screenshot used with permission from Microsoft.
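The signature-based detection slide and this WAF slide describe the same engine at two scales: a database of patterns matched against traffic. The following added example (not CompTIA's code or any product's rule set) runs a small constructed signature database over constructed HTTP request lines, once on the raw text and once after canonicalising it. It illustrates two points from the slides: why a WAF must normalise (percent-decode, lower-case) before matching, and why a request carrying a pattern the database has no signature for is simply not flagged, which is the limitation behind "many attack tools do not conform to specific signatures".

```python
"""Signature-based inspection of HTTP request lines, with and without
canonicalisation. Added example with constructed signatures and requests."""
import re
from urllib.parse import unquote_plus

# Constructed signature database: (id, description, compiled pattern). Real products
# ship thousands of these and must be kept updated from the vendor's feed.
SIGNATURES = [
    ("SIG-1001", "Directory traversal sequence", re.compile(r"\.\./")),
    ("SIG-1002", "HTML script tag in a parameter", re.compile(r"<script\b")),
]


def normalise(raw: str) -> str:
    """Canonicalise before matching: percent-decode and lower-case, so the same
    content written with different encoding or letter case still hits the signature."""
    return unquote_plus(raw).lower()


def inspect(request_line: str, normalize: bool = True) -> list:
    """Return the ids of every signature that matches the request line."""
    text = normalise(request_line) if normalize else request_line
    return [sid for sid, _desc, pat in SIGNATURES if pat.search(text)]


# Constructed sample request lines as a WAF in front of the server would see them.
REQUESTS = {
    "benign":  "GET /search?q=network+security HTTP/1.1",
    "plain":   "GET /download?file=../../etc/passwd HTTP/1.1",
    "encoded": "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "script":  "GET /comment?text=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E HTTP/1.1",
    "novel":   "GET /download?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1",
}


def run_demo() -> dict:
    """For each request: (matches on raw text, matches after normalisation)."""
    return {name: (inspect(r, normalize=False), inspect(r)) for name, r in REQUESTS.items()}


if __name__ == "__main__":
    for name, (raw_hits, norm_hits) in run_demo().items():
        print(f"{name:8s} raw={raw_hits} normalised={norm_hits}")
```

The "encoded" and "script" requests are missed by the raw matcher and caught once decoded; the "novel" request uses a separator the two signatures do not cover and is missed either way, which is why the slide pairs signature detection with the behavior-based methods that follow.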

Network Security Monitoring

Review Activity

CompTIA Lab

• Configuring an Intrusion Detection System

Lab Activity
Topic 10C
Summarize the Use of SIEM

Syllabus Objectives Covered

• 1.7 Summarize the techniques used in security assessments


• 3.3 Given a scenario, implement secure network designs
• 4.1 Given a scenario, use the appropriate tool to assess organizational
security

Monitoring Services
• Packet capture
• Sniffers and flow analysis
• Traffic and protocol statistics
• Packet analysis
• Network monitors: a network monitor collects data about network appliances, such as switches, access points, routers, firewalls, and servers.
  • Load status for CPU/memory, state tables, disk capacity, fan speeds/temperature, network link utilization/error statistics, and so on
• Appliance state data
• Heartbeat availability monitoring: a regular heartbeat indicates that the appliance is available
• Logs
• System logs to diagnose availability issues
• Security logs to audit access

Security Information and Event Management

• Log collection
• Agent-based
• Local agent to forward logs
• Listener/collector
• Protocol-based remote log
forwarding (syslog)
• Sensor
• Packet capture and traffic flow data
• Log aggregation
• Consolidation of multiple log
formats to facilitate search/query
and correlation
• Normalization of fields
• Time synchronization
Screenshots used with permission from AT&T Cybersecurity.
Analysis and Report Review

• Correlation: correlation can be performed using simple If … Then type rules. However, many SIEM solutions use artificial intelligence (AI) and machine learning as the basis for automated analysis.
• Relating security data and threat intelligence
• Alerting of indicators of compromise (IOC)
• Basic rules versus machine learning
• User and entity behavior analytics (UEBA): as the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and to embedded hardware, such as Internet of Things (IoT) devices.
• Sentiment analysis
• Machine interpretation of natural language
• Emotion AI
• One of the biggest challenges for behavior analytics driven by machine
learning is to identify intent.
• It is extremely difficult for a machine to establish the context and
interpretation of statements in natural language, though much progress is
being made.
• The general efforts in this area are referred to as sentiment analysis, or emotion
AI.
• The typical use case for sentiment analysis is to monitor social media for
brand "incidents," such as a disgruntled customer announcing on Twitter what
poor customer service they have just received.
• In terms of security, this can be used to gather threat intelligence and try to
identify external or insider threats before they can develop as attacks.
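The SIEM slides list log collection, aggregation with field normalization, time synchronization, and If … Then correlation as separate steps. The following added example (not CompTIA's code or any SIEM vendor's) strings them together: it parses constructed log lines in two formats (a syslog-style line from a Linux host in a UTC-5 zone and a Windows-style CSV export in UTC), normalizes both to one schema with timestamps converted to UTC, sorts them into a single timeline, and applies one simple rule that raises an indicator when several failures from a source are followed by a success for the same account.

```python
"""SIEM-style aggregation, normalisation and If ... Then correlation.
Added example with constructed log lines in two formats."""
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog-style lines from a Linux host whose clock reports UTC-5.
SYSLOG_LINES = [
    "2020-06-01T09:00:05-05:00 web01 sshd[2211]: Failed password for admin from 198.51.100.23 port 40122 ssh2",
    "2020-06-01T09:00:09-05:00 web01 sshd[2211]: Failed password for admin from 198.51.100.23 port 40130 ssh2",
    "2020-06-01T09:00:14-05:00 web01 sshd[2211]: Failed password for admin from 198.51.100.23 port 40141 ssh2",
    "2020-06-01T09:00:20-05:00 web01 sshd[2211]: Accepted password for admin from 198.51.100.23 port 40150 ssh2",
]
# Constructed Windows-style CSV export (UTC): time,host,event_id,user,src_ip
WINDOWS_LINES = [
    "2020-06-01 14:00:07,dc01,4625,jsmith,10.0.0.41",
    "2020-06-01 14:03:30,dc01,4624,jsmith,10.0.0.41",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_syslog(line: str):
    """Normalise one syslog-style line; timestamps are converted to UTC (time synchronisation)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def parse_windows(line: str) -> dict:
    """Normalise one CSV row to the same schema; event ids map onto the shared outcome field."""
    ts, host, event_id, user, ip = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            "host": host, "user": user, "src_ip": ip,
            "outcome": {"4624": "success", "4625": "failure"}.get(event_id, "other")}


def aggregate(syslog_lines, windows_lines) -> list:
    """One timeline across both sources, ordered by the synchronised timestamp."""
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [parse_windows(l) for l in windows_lines]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """If at least `threshold` failures for an account from one source are followed by a
    success within `window`, then raise an indicator of compromise."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "success":
            continue
        recent_failures = [f for f in events[:i]
                           if f["outcome"] == "failure" and f["src_ip"] == ev["src_ip"]
                           and f["user"] == ev["user"] and ev["ts"] - f["ts"] <= window]
        if len(recent_failures) >= threshold:
            alerts.append({"rule": "repeated-failure-then-success", "user": ev["user"],
                           "src_ip": ev["src_ip"], "host": ev["host"],
                           "failures": len(recent_failures), "at": ev["ts"].isoformat()})
    return alerts


def run_demo() -> list:
    return correlate(aggregate(SYSLOG_LINES, WINDOWS_LINES))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Without the timezone conversion the Linux events would sort five hours early and the rule's window would be meaningless, which is why the slide lists time synchronization next to normalization. The single failed logon for jsmith on dc01 never reaches the threshold and produces no alert.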

Use of SIEM

Review Activity

Lesson 10
Summary
