Access Control

Access control describes the mechanisms used to filter network traffic to determine who is and who is not allowed to access the network and network resources. Firewalls, proxy servers, routers, and individual computers all can maintain access control to some degree by protecting the edges of the network. Because the security strategy limits who can and cannot access the network and its resources, it is easy to understand why access control plays a critical role. Several types of access control strategies exist, as discussed in the following sections.

Mandatory Access Control

Mandatory access control (MAC) is the most secure form of access control. In systems configured to use mandatory access control, administrators dictate who can access and modify data, systems, and resources. MAC systems are commonly used in military installations, financial institutions, and, because of new privacy laws, medical institutions.

MAC secures information and resources by assigning sensitivity labels or attributes to objects and users. When users request access to an object, their sensitivity level is compared to the object’s. A label is a feature applied to files, directories, and other resources in the system. It is similar to a confidentiality stamp. When a label is placed on a file, it describes the level of security for that specific file. It permits access by files, users, programs, and so on that have a similar or higher security setting.

Discretionary Access Control

Unlike mandatory access control, discretionary access control (DAC) is not enforced from the administrator or operating system. Instead, access is controlled by an object’s owner. For example, if a secretary creates a folder, he decides who will have access to that folder. This access is configured using permissions and an access control list (ACL).

DAC uses an ACL to determine access. The ACL is a table that informs the operating system of the rights each user has to a particular system object, such as a file, a folder, or a printer. Each object has a security attribute that identifies its ACL. The list has an entry for each system user with access privileges. The most common privileges include the ability to read a file (or all the files in a folder), to write to the file or files, and to execute the file (if it is an executable file or program).

Microsoft Windows servers/clients, Linux, UNIX, and macOS are among the operating systems that use ACLs. The list is implemented differently by each operating system.

In Windows Server products, an ACL is associated with each system object. Each ACL has one or more access control entries (ACEs) consisting of the name of a user or group of users. The user can also be a role name, such as “secretary” or “research.” For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system administrator or the object owner creates the ACL for an object.

Rule-Based Access Control

Rule-based access control (RBAC) controls access to objects according to established rules. The configuration and security settings established on a router or firewall are a good example.

When a firewall is configured, rules are set up to control access to the network. Requests are reviewed to see if the requestor meets the criteria to be allowed access through the firewall. For instance, if a firewall is configured to reject all addresses in the 192.166.x.x IP address range, and the requestor’s IP is in that range, the request would be denied.

In a practical application, RBAC is a variation on MAC. Administrators typically configure the firewall or other device to allow or deny access. The owner or another user does not specify the conditions of acceptance, and safeguards ensure that an average user cannot change settings on the devices.

Role-Based Access Control

In role-based access control (RBAC), access decisions are determined by the roles that individual users have within the organization. Role-based access requires the administrator to have a thorough understanding of how a particular organization operates, the number of users, and each user’s exact function in that organization.

Because access rights are grouped by role name, the use of resources is restricted to individuals who are authorized to assume the associated role. For example, within a school system, the role of teacher can include access to certain data, including test banks, research material, and memos. School administrators might have access to employee records, financial data, planning projects, and more.

The use of roles to control access can be an effective means of developing and enforcing enterprise-specific security policies and for streamlining the security management process.

Roles should receive only the privilege level necessary to do the job associated with that role. This general security principle is known as the least privilege concept. When people are hired in an organization, their roles are clearly defined. A network administrator creates a user account for a new employee and places that user account in a group with people who have the same role in the organization.

Least privilege is often too restrictive to be practical in business. For instance, using teachers as an example, some more experienced teachers might have more responsibility than others and might require increased access to a particular network object. Customizing access to each individual is a time-consuming process.

Closely related to least privilege is the concept of a zero trust network. As the name implies, it simply means that you don’t automatically trust anyone and instead always authenticate and authorize. Everything must be verified explicitly, data protection is held to utmost ideal, and all sessions are encrypted end to end.

Defense in Depth

Defense in depth is based on the premise that implementing security at different levels or layers to form a complete security strategy provides better protection and greater resiliency than implementing an individual security defense. This level of defense can be accomplished in a number of different ways; some of the most popular are through the use of network segmentation, screened subnet, separation of duties, network access control, and honeypots. Each variant of defense in depth is discussed in the sections that follow.

Screened Subnet

An important firewall-related concept is that of the screened subnet. This concept was formerly known as a demilitarized zone (DMZ) and sometimes called a perimeter network. A screened subnet is part of a network where you place servers that must be accessible by sources both outside and inside your network. However, the screened subnet is not connected directly to either network, and it must always be accessed through the firewall. The military term DMZ was used previously because it describes an area that has little or no enforcement or policing.

Using screened subnets gives your firewall configuration an extra level of flexibility, protection, and complexity. Figure 9.1 shows a screened subnet (DMZ) configuration.

By using a screened subnet, you can create an additional step that makes it more difficult for an intruder to gain access to the internal network. In Figure 9.1, for example, an intruder who tried to come in through Interface 1 would have to spoof a request from either the web server or proxy server into Interface 2 before it could be forwarded to the internal network. Although it is not impossible for an intruder to gain access to the internal network through a screened subnet, it is difficult.

ExamAlert

Be prepared to identify the purpose of a screened subnet and that this concept was previously known as a DMZ.

Separation of Duties

Separation of duties policies are designed to reduce the risk of fraud and to prevent other losses in an organization. A good policy will require more than one person to accomplish key processes. This may mean that the person who processes an order from a customer isn’t the same person who generates the invoice or deals with the billing.

Separation of duties helps prevent various problems, such as an individual embezzling money from a company. To embezzle funds successfully, an individual would need to recruit others to commit an act of collusion—that is, an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself.

In addition, separation of duties policies can help prevent accidents from occurring in an organization. Suppose that you’re managing a software development project. You want someone to perform a quality assurance test on a new piece of code before it’s put into production. Establishing a clear separation of duties prevents development code from entering production status until quality testing is accomplished.

Many banks and financial institutions require multiple steps and approvals to transfer money. These policies help reduce errors and minimize the likelihood of fraud.

Honeypots

When we talk about network security, honeypots and honeynets are often mentioned. Honeypots are a rather clever approach to network security but perhaps a bit expensive. A honeypot is a system set up as a decoy to attract and deflect attacks from hackers. The server decoy appears to have everything a regular server does—OS, applications, and network services. The attacker thinks she is accessing a real network server, but she is in a network trap.

The honeypot has two key purposes. It can give administrators valuable information on the types of attacks being carried out. In turn, the honeypot can secure the real production servers according to what it learns. Also, the honeypot deflects attention from working servers, allowing them to function without being attacked.

A honeypot can do the following:

• Deflect the attention of attackers from production servers

• Deter attackers if they suspect their actions may be monitored with a honeypot

• Allow administrators to learn from the attacks to protect the real servers

• Identify the source of attacks, whether from inside the network or outside

One step up from the honeypot is the honeynet. The honeynet is an entire network set up to monitor attacks from outsiders. All traffic into and out of the network is carefully tracked and documented. This information is shared with network professionals to help isolate the types of attacks launched against networks and to proactively manage those security risks. Honeynets function as a production network, using network services, applications, and more. Attackers don’t know that they are actually accessing a monitored network.

RADIUS and TACACS+

Among the potential issues network administrators face when implementing remote access are utilization and the load on the remote-access server. As a network’s remote-access implementation grows, reliance on a single remote-access server might be impossible, and additional servers might be required. Remote Authentication Dial-In User Service (RADIUS) can help in this scenario.

RADIUS functions as a client/server system. The remote user dials in to the remote-access server, which acts as a RADIUS client, or network access server (NAS), and connects to a RADIUS server. The RADIUS server performs authentication, authorization, and auditing (or accounting) functions and returns the information to the RADIUS client (which is a remote-access server running RADIUS client software); the connection is either established or rejected based on the information received.

Terminal Access Controller Access Control System (TACACS) is a security protocol designed to provide centralized validation of users who are attempting to gain access to a router or NAS. Like RADIUS, TACACS is a set of security protocols designed to provide AAA of remote users. Terminal Access Controller Access Control System Plus (TACACS+) is a proprietary version of TACACS from Cisco and is the implementation commonly in use in networks today. TACACS+ uses TCP port 49 by default.

Although both RADIUS and TACACS+ offer AAA services for remote users, some noticeable differences exist:

• TACACS+ relies on TCP for connection-oriented delivery. RADIUS uses connectionless UDP for data delivery.

• RADIUS combines authentication and authorization, whereas TACACS+ can separate their functions.

Kerberos Authentication

Kerberos is an Internet Engineering Task Force (IETF) standard for providing authentication. It is an integral part of network security. Networks, including the Internet, can connect people from all over the world. When data travels from one point to another across a network, it can be lost, stolen, corrupted, or misused. Much of the data sent over networks is sensitive, whether it is medical, financial, or otherwise. A key consideration for those responsible for the network is maintaining the confidentiality of the data. In the networking world, Kerberos plays a significant role in data confidentiality.

In a traditional authentication strategy, a username and password are used to access network resources. In a secure environment, it might be necessary to provide a username and password combination to access each network service or resource. For example, a user might be prompted to type in her username and password when accessing a database, and again for the printer, and again for Internet access. This is a time-consuming process, and it can also present a security risk. Each time the password is entered, there is a chance that someone will see it being entered. If the password is sent over the network without encryption, it might be viewed by malicious eavesdroppers.

Kerberos was designed to fix such problems by using a method requiring only a single sign-on (SSO). This single sign-on enables a user to log in to a system and access multiple systems or resources without the need to repeatedly reenter the username and password. Additionally, Kerberos is designed to have entities authenticate themselves by demonstrating possession of secret information.

Kerberos is one part of a strategic security solution that provides secure authentication services to users, applications, and network devices by eliminating the insecurities caused by passwords stored or transmitted across the network. Kerberos is used primarily to eliminate the possibility of a network “eavesdropper” tapping into data over the network—particularly usernames and passwords. Kerberos ensures data integrity and blocks tampering on the network. It employs message privacy (encryption) to ensure that messages are not visible to eavesdroppers on the network.

For the network user, Kerberos eliminates the need to repeatedly demonstrate possession of private or secret information.

Kerberos is designed to provide strong authentication for client/server applications by using secret key cryptography. Cryptography is used to ensure that a client can prove its identity to a server (and vice versa) across an unsecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all their communications to ensure privacy and data integrity.

The key to understanding Kerberos is to understand its secret key cryptography. Kerberos uses symmetric key cryptography, in which both client and server use the same encryption key to cipher and decipher data.

In secret key cryptography, a plain-text message can be converted into cipher text (encrypted data) and then converted back into plain text using one key. Thus, two devices share a secret key to encrypt and decrypt their communications. Figure 9.2 shows the symmetric key process.

Kerberos authentication works by assigning a unique key, called a ticket, to each client that successfully authenticates to a server. The ticket is encrypted and contains the user’s password, which is used to verify the user’s identity when a particular network service is requested. Each ticket is time stamped. It expires after a period of time, and a new one is issued. Kerberos works in the same way that you go to a movie. First, you go to the ticket counter, tell the person what movie you want to see, and get your ticket. After that, you go to a turnstile and hand the ticket to someone else, and then you’re “in.” In simplistic terms, that’s Kerberos.

Local Authentication

Most of the time, the goal is to authenticate the user using a centralized authentication server or service of some type. When that cannot be done—such as when there is no Internet connectivity available—authentication is done locally by the operating system using values stored within it. In Windows, for example, the Local Authentication Subsystem (LASS) performs this function and allows users access to the system after their stored username and password variables match.

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) provides a mechanism to access and query directory services systems. In the context of the Network+ exam, these directory services systems are most likely to be UNIX based or Microsoft Active Directory based. Although LDAP supports command-line queries executed directly against the directory database, most LDAP interactions are via utilities such as an authentication program (network logon) or locating a resource in the directory through a search utility.

Using Certificates

A public key infrastructure (PKI) is a collection of software, standards, and policies combined to enable users from the Internet or other unsecured public networks to securely exchange data. PKI uses a public and private cryptographic key pair obtained and shared through a trusted authority. Services and components work together to develop the PKI. Some of the key components of a PKI include the following:

• Certificates: Certificates are electronic credentials that validate users, computers, or devices on the network. They are digitally signed statements that associate the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key.

• Certificate authorities (CAs): CAs issue and manage certificates. They validate the identity of a network device or user requesting data. CAs can be either independent third parties, known as public CAs, or they can be organizations running their own certificate-issuing server software, known as private CAs.

• Certificate templates: These templates are used to customize certificates issued by a certificate server. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.

• Certificate revocation list (CRL): This list identifies certificates that were revoked before they reached the certificate expiration date. Certificates are often revoked because of security concerns, such as a compromised certificate.

Auditing and Logging

Auditing is the process of monitoring occurrences and keeping a log of what has occurred on a system. A system administrator determines which events should be audited. Tracking events and attempts to access the system helps prevent unauthorized access and provides a record that administrators can analyze to make security changes as necessary. This record, or log, also provides administrators with solid evidence if they need to look into improper user conduct.

The first step in auditing is to identify what system events to monitor. After the system events are identified, in a Windows environment, the administrator can choose to monitor the success or failure of a system event. For instance, if “logon” is the event being audited, the administrator might choose to log all unsuccessful logon attempts, which might indicate that someone is attempting to gain unauthorized access. Conversely, the administrator can choose to audit all successful attempts to monitor when a particular user or user group is logging on. Some administrators prefer to log both events. However, overly ambitious audit policies can reduce overall system performance.

Multifactor Authentication Factors

Multifactor authentication is defined as having two or more access methods included as part of the authentication process; for example, using both smartcards and passwords. An ATM card and PIN are another common example representing multifactor authentication (in this case, two-factor authentication), as opposed to just one (which constitutes single-factor authentication). The ATM card is something you have, and the PIN is something you know.

The factors used in authentication systems or methods are based on one or more of these five factors:

• Something you know, such as a password or PIN

• Something you have, such as a smartcard, token, or identification device

• Something you are, such as your fingerprints or retinal pattern (often called biometrics)

• Somewhere you are (based on geolocation)

• Something you do, such as an action you must take to complete authentication

Additional Access Control Methods

Today, there are many ways to establish access into networks. You could fill an entire tome with a discussion of the possibilities. What follows are some of the more important ones to know for this exam (others appear on other CompTIA exams, such as Security+).

MAC Filtering

Another name for a network card or network adapter is a network controller. Every controller has a unique MAC address associated with it. Filtering network traffic using a system’s MAC address typically is done using an ACL. This list keeps track of all MAC addresses and is configured to allow or deny access to certain systems based on the list. As an example, look at the MAC ACL from a router. Figure 9.3 shows the MAC ACL screen. Specific MAC addresses can be either denied or accepted, depending on the configuration. It would be possible, for example, to configure it so that only the system with the MAC address of 02-00-54-55-4E-01 can authenticate to the router.

Note

When administrators are configuring security for wireless networks, filtering by MAC address is a common practice. Typically, in MAC filtering security, MAC addresses can be added to an “allow” ACL or “deny” ACL.

Risk Management

Risk management involves recognizing and acknowledging that risks exist and then determining what to do about them. Sometimes, the best solution is to do nothing. If, for example, there is a risk that some data could be lost in the event of a fire but the value placed on that data is below the cost of protecting it from that harm, the economically feasible solution could be to accept the risk and do nothing further. In most cases, acceptance alone is not enough and two likely approaches are mitigation (trying to minimize the risk) and/or transference (shifting a part of the risk to another party such as an insurance provider).

To determine how to manage risk, assessments are usually employed. An assessment can be done on threats, vulnerabilities, or business operations (process assessment and vendor assessment).

Penetration Testing

It is becoming more common for companies to hire penetration testers to test their system’s defenses. Essentially, a penetration tester will use the same techniques that a hacker would use to find any flaws in a system’s security. These flaws may be discovered by means other than directly accessing the system, such as collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering. This approach is known as passive reconnaissance. In contrast, active reconnaissance directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack.

When you’re doing penetration testing, it is important to have a scope document outlining the extent of the testing that is to be done. It is equally important to have permission from an administrator who can authorize such testing—in writing—enabling the testing to be conducted.

One weakness a good penetration test looks for is escalation of privilege; that is, a hole created when code is executed with higher privileges than those of the user running it. By breaking out of the executing code, the users are left with higher privileges than they should have.

Three types of penetration testing are black box/unknown environment (the tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker), white box/known environment (the tester has significant knowledge of the system, which simulates an attack from an insider—a rogue employee), and gray box/partially known environment (a middle ground between the first two types of testing. In gray box testing, the tester has some limited knowledge of the target system). While the “box” analogy is used to describe the environment, “hats” have often been used to describe the person doing the testing, but that terminology is now being replaced by level of authorization. Therefore, a white hat tester is equivalent to an authorized tester, a black hat tester to an unauthorized tester, and a gray hat tester to a semi-authorized tester.

Security Information and Event Management

Security information and event management (SIEM) products provide notifications and real-time analysis of security alerts and can help you head off problems quickly. Chapter 8, “Network Operations,” discussed event management and looking at log files, including the security log.

SIEM tools collect, correlate, and display data feeds that support response activities. A SIEM can take individual benign events and tie them together to reveal more details about what occurred and why it’s of concern.

Dashboards are an important element in SIEM solutions, presenting data (and analysis) in actionable format. Most SIEM packages allow organizations to customize their dashboard(s) based on their needs and requirements. One need of any SIEM is to be able to interpret (and visualize) data coming from different sources and, thus, different formats. Normalizing logs involves extracting and processing entries to put them into a readable and structured format that can be displayed and acted upon.

Denial-of-Service and Distributed Denial-of-Service Attacks

Denial-of-service (DoS) attacks are designed to tie up network bandwidth and resources and eventually bring the entire network to a halt. This type of attack is done simply by flooding a network with more traffic than it can handle. When more than one computer is used in the attack, it is technically known as a distributed DoS (DDoS) attack. These attacks typically use a botnet to launch a command and control attack through a traffic spike. Almost every attack of this type today is DDoS, and we will use DoS to mean both.

A DoS attack is not designed to steal data but rather to cripple a network and, in doing so, cost a company huge amounts of money. It is possible, in fact, for the attack to be an unintentional, or friendly, DoS attack coming from the inside. Just as with friendly fire in combat, it matters not that the attack was unintentional; it does just as much damage.

The effects of DoS attacks include the following:

• Saturating network resources, which then renders those services unusable

• Flooding the network media, preventing communication between computers on the network

• Causing user downtime because of an inability to access required services

• Causing potentially huge financial losses for an organization because of network and service downtime

Other Common Attacks

This section details some of the more common attacks used today.

Vulnerabilities and Prevention

The threat from malicious code is a real concern. You need to take precautions to protect your systems. Although you might not eliminate the threat, you can significantly reduce it.

One of the primary tools used in the fight against malicious software is antivirus/antimalware software. Antimalware software (which includes antivirus software and more) is available from a number of companies, and each offers similar features and capabilities. You can find solutions that are host based, cloud/server based, or network based. Common features and characteristics of antivirus software are as follows:

• Real-time protection: An installed antivirus program should continuously monitor the system looking for viruses. If a program is downloaded, an application opened, or a suspicious email received, the real-time virus monitor detects and removes the threat. The virus application sits in the background, largely unnoticed by the user.

• Virus scanning: An antivirus program must scan selected drives and disks, either locally or remotely. You can manually run scanning or schedule it to run at a particular time.

• Scheduling: It is a best practice to schedule virus scanning to occur automatically at a predetermined time. In a network environment, this time typically is off hours, when the overhead of the scanning process won’t impact users.

• Live updates: New viruses and malicious software are released with alarming frequency. It is recommended that the antivirus software be configured to regularly receive virus updates.

• Email vetting: Emails represent one of the primary sources of virus delivery. It is essential to use antivirus software that provides email scanning for both inbound and outbound email.

• Centralized management: If antivirus software or antimalware is used in a network environment, it is a good idea to use software that supports managing the virus program from the server. Virus updates and configurations need to be made only on the server, not on each client station.

Managing the threat from viruses is considered a proactive measure, with antivirus software only part of the solution. A complete security protection strategy requires many aspects to help limit the risk of malware, viruses, and other threats:

• Develop in-house policies and rules: In a corporate environment or even a small office, you need to establish what information can be placed on a system. For example, should users download programs from the Internet? Can users bring in their own storage media, such as USB flash drives? Is there a corporate BYOD policy restricting the use of personal smartphones and other mobile devices?

• Monitor virus threats: With new viruses coming out all the time, you need to check whether new viruses have been released and what they are designed to do.

• Educate users: One of the keys to a complete antivirus solution is to train users in virus prevention and recognition techniques. If users know what to look for, they can prevent a virus from entering the system or network. Back up copies of important documents. Keep in mind that no solution is absolute, so care should be taken to ensure that the data is backed up. In the event of a malicious attack, redundant information is available in a secure location.

• Automate virus scanning and updates: You can configure today’s antivirus software to automatically scan and update itself. Because such tasks can be forgotten and overlooked, it is recommended that you have these processes scheduled to run at predetermined times.

• Don’t run unnecessary services: Know every service that is running on your network and the reason for it. If you can avoid running the service, equate it with putting another lock on the door and do so.

• Keep track of open ports: Just as you don’t want unnecessary services running, you don’t want unnecessary ports left open. Every one of them is an unguarded door through which a miscreant can enter.

• Avoid unencrypted channels and clear-text credentials: The days when these were acceptable have passed. Continuing to use them is tantamount to inviting an attack.

• Shun unsecure protocols: Once upon a time, clear-text passwords were okay to use because risks of anyone getting on your network who should not were minimal. During those days, it was okay to use unsecure protocols as well because the priority was on ease of use as opposed to data protection. These practices went out of acceptance decades ago, so you must—in the interest of security—be careful with the following unsecure protocols: Telnet, HTTP, SLIP, FTP, TFTP, and SNMP (v1 and v2). Secure alternatives—offering the same functionality but adding acceptable levels of security—are available for each. Where possible, opt instead for SSH, SNMPv3, TLS/SSL, SFTP, HTTPS, and IPSec.

• Install patches and updates: All applications, including productivity software, virus checkers, and especially the operating system, release patches and updates often, designed to address potential security weaknesses. Administrators must keep an eye out for these patches and install them when they are released. Pay particular attention to unpatched/legacy systems and keep them as secure as possible.

One of the best tools to use when dealing with problems is knowledge. In several locations, CompTIA stresses that user education is important, but even more important is that administrators know what is going on and keep learning from what is going on now and what has gone on in the past. As an example, TEMPEST is the name of a project commenced by the U.S. government in the late 1950s that all administrators should be familiar with. TEMPEST was concerned with reducing electronic noise from devices that would divulge intelligence about systems and information. This program has become a standard for computer systems certification. TEMPEST shielding protection means that a computer system doesn’t emit any significant amounts of electromagnetic interference (EMI) or radio frequency interference (RFI) (RF emanation). For a device to be approved as a TEMPEST, it must undergo extensive testing, done to exacting standards that the U.S. government dictates. Today, control zones and white noise are used to accomplish the shielding. TEMPEST-certified equipment often costs twice as much as non-TEMPEST equipment.

Disposing of Assets

Almost every asset reaches the end of its life at some point in time. Whether that asset is a workstation, a hard drive, a piece of backup media, or something else altogether, care needs to be taken when disposing of it to reduce the risk of sensitive data falling into the wrong hands. As an example, consider that the capacity of a flash drive (also known as a thumb drive, USB drive, jump drive, etc.) is now greater than that of many hard drives only a few years ago and many users now store all of their files on a small drive that they transport with them.

A policy should be created, and implemented, governing the disposal of all assets that hold data. Options of what can be done include performing factory resets (for laptops, tablets, and similar devices), wiping the data, and sanitizing the device before disposal. Sanitizing is simply removing the data and the traces of it; this is usually done with storage devices, such as hard drives, and is often referred to as purging. Wiping goes further than purging and is also known as overwriting (or shredding). With wiping, the data that was there is first replaced with something else and then removed. That way, if the data is somehow recovered, what comes back is the overwritten data rather than the original data. The simplest overwrite technique writes a pattern of zeros over the original data.

Implementing Physical Security

Physical security is a combination of good sense and procedure. The purpose of physical security is to restrict access to network equipment only to people who need it.

The extent to which physical security measures can be implemented to protect network devices and data depends largely on their location. For instance, if a server is installed in a cabinet located in a general office area, the only practical physical protection is to make sure that the cabinet door is locked and that access to keys for the cabinet is controlled. Using other antitheft devices might be practical, but that depends on the location of the cabinet.

However, if your server equipment is located in a cupboard or dedicated room, access restrictions for the room are easier to implement and can be more effective. Again, access should be limited only to those who need it. Depending on the size of the room, this factor might introduce a number of other factors.

Servers and other key networking components are those to which you need to apply the greatest level of physical security. Nowadays, most organizations choose to locate servers in a cupboard or a specific room.

Access to the server room should be tightly controlled, and all access doors must be secured by some method, whether it is a lock and key or a retinal scanning system. Each method of server room access control has certain characteristics. Whatever the method of server room access, it should follow one common principle: control. Some access control methods provide more control than others.

Two-Factor and Multifactor Authentication

When two or more access methods are included as part of the authentication process, you’re implementing a multifactor system. A system that uses any two items—such as smartcards and passwords—is referred to as a two-factor authentication system. A multifactor system can consist of a two-factor system, a three-factor system, and so on. As long as more than one factor is involved in the authentication process, it is considered a multifactor system.

For obvious reasons, the two or more factors employed should not be from the same category. Although you do increase difficulty in gaining system access by requiring the user to enter two sets of username/password combinations, it is preferred to pair a single username/password combination with a biometric identifier or other check.

Secured Versus Unsecured Protocols

As you know, any network needs a number of protocols to function. This includes both LAN and WAN protocols. Not all protocols are created the same, however. Some are designed for secure transfer, whereas others are not. Table 9.1 lists several protocols and describes their use.

Hardening Best Practices

In addition to physically securing network devices and opting to run secure protocols in favor of unsecured ones, an administrator should take the following best practices steps to further network hardening:

• Utilize Secure SNMP: The Simple Network Management Protocol (SNMP) collects a lot of data that could be of value to someone looking to compromise a network. Secure SNMP, utilizing SNMPv3, protects the data more by moving from ports 161 and 162 to 10161 and 10162 and enables secure authentication and communication between the SNMP manager and agent.

• Configure Router Advertisement guard: With IPv6, routers will send out multicast messages (router advertisements) to announce their availability and associated information. This information is used by Neighbor Discovery Protocol (NDP) to detect what is available and configure accordingly. A problem is that the messages are unsecured, making them susceptible to spoofing. To increase security, you can configure IPv6 Router Advertisement (RA) guard to protect the network against RA messages generated by unauthorized routers (rogues) trying to join the network.

• Employ Port Security and Dynamic ARP: Port security works at Layer 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port. This is a common feature on both Cisco’s Catalyst as well as Juniper’s EX Series switches and essentially differentiates so-called dumb switches from managed (or intelligent) switches. Similarly, Dynamic ARP Inspection (DAI) works with these and other smart switches to protect ports from ARP spoofing.

• Implement Control Plane Policing: Many routers and switches include a Control Plane Policing feature that enables you to configure a quality of service (QoS) filter to protect against DoS attacks. When enabled, the control plane (CP) can continue to forward packets despite an attack or abnormally heavy traffic load on the router/switch.

• Use private VLANs: Also known as port isolation, creating a private VLAN is a method of restricting switch ports (now called private ports) so that they can communicate only with a particular uplink. The private VLAN usually has numerous private ports and only one uplink, which is usually connected to a router, or firewall.

• Disable unneeded ports: Disabling unnecessary services (mentioned next) increases security by removing doors that someone could use to enter the server. Similarly, IP ports that are not needed for devices also represent doors that could be used to sneak in. It is highly recommended that unused ports be disabled to increase security along with device ports (both physical and virtual ports).

• Disable unneeded services: Every unnecessary service that is running on a server is akin to another door on a warehouse that someone unauthorized may choose to sneak in. Just as an effective way to secure a warehouse is to reduce the number of doors to only those needed, so too is it recommended that a server be secured by removing (disabling) services not in use.

• Change default passwords: The easiest way for any unauthorized individual to access a device is to use the default credentials. Many routers, for example, come configured with an “admin” account and a simple value for the password (“admin,” “password,” and so on). Anyone owning one of those routers knows those values and could use them to access any other of the same make if the values have not been changed. To make it more difficult for unauthorized users to access your devices, change those default usernames and passwords as soon as you start using them.

• Avoid common passwords and increase complexity: It is a good thing to preach password security to users, but often administrators are guilty of using too-simplistic passwords on network devices such as routers, switches, and the like. Given the large number of devices in question, sometimes the same passwords are also used on multiple devices. Common sense tells every administrator that this approach is wrong, but often it is done anyway with the hope that no miscreant will try to gain unauthorized access. Don’t be that administrator: use complex passwords, with notable length, and use a different password for each device, increasing the overall security of your network.

• Enable DHCP snooping: As was mentioned when discussing rogue DHCP servers earlier in this chapter, DHCP snooping is a good thing. It provides a way for a switch to look at packets and drop DHCP traffic that it determines to be unacceptable based on a set of defined rules to prevent rogue DHCP servers from offering IP addresses to clients.

• Change the default VLAN: On switches, the native VLAN is the only VLAN that is not tagged in a trunk. This means that native VLAN frames are transmitted unchanged. By default, the native VLAN is port 1, and that default represents a weakness in that it is something known about your network that an attacker could use. To strengthen security, albeit a small amount, you can change the native VLAN to another port. The command or commands used to do so are dependent on the vendor and model of your switch but can be easily found online.

• Utilize patch and firmware management: There is a reason why each firmware update is written. Sometimes, it is to optimize the device or make it more compatible with other devices. Other times, it is to fix security issues and/or head off identified problems. Keep firmware on your production machines current after first testing the upgrades on lab machines and verifying that you’re not introducing any unwanted problems by installing. Just as firmware upgrades are intended to strengthen or solve problems, patches and updates do the same with software (including operating systems). Test each release on a lab machine(s) to make sure you are not adding to network woes, and then keep your software current to harden it.

• Put an access control list in place: Discussed at length in this chapter, access control is necessary to limit who can access resources to only those who should have access and thus protect those resources. Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them access to certain network capabilities. You may find that a certain IP address is constantly scanning your network, and you can block this IP address at the router and the IP address will automatically be rejected any time it attempts to utilize your network.

• Apply role-based access: It is recommended that role-based access be applied where possible. The difference between this approach and others was discussed earlier in this chapter.

• Enforce firewall rules: Firewall rules are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule’s criteria: block the connection (explicit deny), accept the connection, or allow the connection if conditions are met (such as it being secured). It is this last condition that is the most difficult to configure, and conditions usually end with an implicit deny clause. An implicit deny clause means that if the proviso in question has not been explicitly granted, access is denied.

• Verify file hashes: File hashing is used to verify that the contents of files are unaltered. A hash is often created on a file before it is downloaded and then hashed after the download so the two values can be compared to make sure the contents are the same. When downloading files—particularly upgrades, patches, and updates—check hash values and use this one test to keep from installing those entities that have had Trojan horses attached to them.

• Generate new keys: Keys are used as a part of the encryption process, particularly with public key infrastructure (PKI), to encrypt and decrypt messages. The longer you use the same key, the longer the opportunity becomes for someone to crack that key. To increase security, generate new keys on a regular basis: The commands to do so will differ based on the utility that you are creating the keys for.

Wireless Security

Wireless systems transmit data through the air and can be much more difficult to secure than those dependent on wires that can be physically protected. The growth of wireless systems in every workplace and home creates many opportunities for attackers looking for signals that can be easily intercepted. This section discusses various types of wireless systems that you’ll likely encounter and some of the security issues associated with this technology.

IoT Access Considerations

With so many sensors being added to networks today, the Internet of Things (IoT) opens up a can of networking opportunities, but each comes with its own set of security issues. From the standpoint of a network administrator, it is critical that you treat these devices the same as any other resource connected to the network, constantly keep abreast of discovered security vulnerabilities, and patch when/where needed.

Remote File Access

File Transfer Protocol (FTP) is an application that allows connections to FTP servers for file uploads and downloads. FTP is a common application that uses ports 20 and 21 by default. It is used to transfer files between hosts on the Internet but is inherently insecure. A number of options have been released to try to create a more secure protocol, including FTP over SSL (FTPS), which adds support for SSL cryptography, and SSH File Transfer Protocol (SFTP), which is also known as Secure FTP.

An alternative utility for copying files is Secure Copy (SCP), which uses port 22 by default and combines an old remote copy program (RCP) from the first days of TCP/IP with SSH.

On the opposite end of the spectrum from a security standpoint is the Trivial File Transfer Protocol (TFTP), which can be configured to transfer files between hosts without any user interaction (unattended mode). It should be avoided anywhere there are more secure alternatives.

VPNs

A virtual private network (VPN) encapsulates encrypted data inside another datagram that contains routing information. The connection between two computers establishes a switched connection dedicated to the two computers. The encrypted data is encapsulated inside Point-to-Point Protocol (PPP), and that connection is used to deliver the data.

A VPN enables users with an Internet connection to use the infrastructure of the public network to connect to the main network and access resources as if they were logged on to the network locally. It also enables two networks to be connected to each other securely.

To put it more simply, a VPN extends a LAN by establishing a remote connection using a public network such as the Internet. A VPN provides a point-to-point dedicated link between two points over a public IP network. For many companies, the VPN link provides the perfect method to expand their networking capabilities and reduce their costs. By using the public network (Internet), a company does not need to rely on expensive private leased lines to provide corporate network access to its remote users. Using the Internet to facilitate the remote connection, the VPN enables network connectivity over a possibly long physical distance. In this respect, a VPN is a form of wide-area network (WAN).

Site-to-Site and Client-to-Site

The scope of a VPN tunnel can vary, with the two most common variations being site-to-site and client-to-site (also known as host-to-site). A third variation is host-to-host, but it is really a special implementation of site-to-site. In a site-to-site implementation, as the name implies, whole networks are connected together. An example would be divisions of a large company. Because the networks are supporting the VPN, each gateway does the work, and the individual clients do not need to have any VPN.

In a client-to-site scenario, individual clients (such as telecommuters or travelers) connect to the network remotely. Because the individual client makes a direct connection to the network, each client doing so must have VPN client software installed.

Virtual Desktops

What is called a virtual desktop can differ from vendor to vendor, but generally it is a preconfigured image of an operating system and applications wherein the desktop environment is separated from the physical device used to access it. The virtual desktop can be accessed remotely (thin clients were mentioned earlier in this section), and any endpoint device (laptop, tablet, smartphone, etc.) can be used.

Upon connecting, the virtual desktop provider installs the necessary client software on the endpoint device, and the user then interacts with that software on the device with it looking like a physical workstation. Depending on the type of implementation and configuration, users may or may not be able to save changes or permanently install applications, but they experience their desktop the same way every time they log in, no matter which device they are logging in from.

Virtual desktops differ from virtual machines in that the operating system for the virtual desktop lives in the data center, and not the endpoint. Typically, the virtual desktop is running within a virtual machine housed at the cloud host data center.

HTTPS/Management URL

HTTP Secure (HTTPS) is the protocol used for “secure” web pages that users should see when they must enter personal information such as credit card numbers, passwords, and other identifiers. It combines HTTP with SSL/TLS to provide encrypted communication. The default port is 443, and the URL begins with https:// instead of http://.

HTTPS is the common protocol used for management URLs to perform tasks such as checking server status, changing router settings, and so on.

Authentication and Authorization Considerations

When implementing remote access, administrators must recognize that they are increasing risk. The safest network to secure is one without users. The next safest is one in which all users must physically be present within a confined area. Once you open the network up to users from anywhere, you increase the risks of harm to data and security violations. In all cases, administrators should attempt to mitigate these risks as much as possible, and this is particularly true when it comes to authentication and authorization.

Throughout much of this chapter, the discussion has been on security and how to increase it, and thus, there is little new to add here other than to reiterate the importance of authenticating users (using multifactor authentication) and focusing on the CIA security triad—confidentiality, integrity, and availability. You should take every reasonable measure to prevent unauthorized users from accessing data, and, similarly, you should take every reasonable step to make sure that the data and systems are available for authorized users all the time.

Out-of-Band Management

When a dedicated channel is established for managing network devices, it is known as out-of-band management. A connection can be established via a console router, or modem, and this can be used to ensure management connectivity independent of the status of in-band network connectivity (which would include serial port connections, VNC, and SSH). Out-of-band management lets administrators monitor, access, and manage network infrastructure devices remotely and securely, even when everything else is down.