Fluent Essays

For each reflection essay, students should write a short essay (at least 300 words) to reflect upon their learning experiences in lessons 6 - 10. The student should identify and discuss at least three concepts or issues in the essay. These concepts or issues can be something from the textbook or external sources. Also, every student must write a second post/comment to a classmates post. Implementing Public Key Infrastructure Lesson 6 1 Implement Certificates and Certificate Authorities Topic 6A 2 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2 3.9 Given a scenario, implement public key infrastructure Syllabus Objectives Covered 3 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Public key cryptography When you want others to send you confidential messages, you give them your public key to use to encrypt the message When you want to authenticate yourself to others, you create a signature and sign it by encrypting the signature with your private key But how does someone trust the public key? Public key infrastructure (PKI) validates the identity of the owner of a public key Public key is wrapped in a digital certificate signed by a certificate authority (CA) Sender and recipient must both trust the CA Public and Private Key Usage 4 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Certificate Authorities Private CAs versus third-party CAs Define services offered Ensure validity of certificates and users Establish trustworthy working procedures Manage servers and keys Screenshot used with permission from Microsoft. 5 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org PKI Trust Models and Certificate Chaining Single CA Hierarchical/chain of trust Root CA Intermediate CAs Leaf certificates Online versus offline Screenshot used with permission from Microsoft. 6 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Registration identification and authentication procedures Private versus third-party CAs Certificate Signing Request (CSR) Client generates key pair and sends public key to CA with CSR CA performs subject identity checks CA signs and issues certificate Registration authority (RA) Registration and CSRs 7 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Digital Certificates Contains subject’s public key Information identifying the subject plus usage and validity Digital certificate standards X.509 Public Key Infrastructure (PKIX) PKCS (Public Key Cryptography Standards) Screenshot used with permission from Microsoft. 8 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8 Certificate Attributes Field Usage Serial Number A number uniquely identifying the certificate within the domain of its CA. Signature Algorithm The algorithm used by the CA to sign the certificate. Issuer The name of the CA. Valid From/To Date and time during which the certificate is valid. Subject The name of the certificate holder, expressed as a distinguished name (DN). Within this, the Common Name (CN) part should usually match either the fully qualified domain name (FQDN) of the server or a user email address. Public Key Public key and algorithm used by the certificate holder. Extensions V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage. Subject Alternative Name (SAN) This extension field is the preferred mechanism to identify the DNS name or names by which a host is identified. 9 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Subject Name Attributes Common Name (CN) Legacy method of recording FQDN Deprecated by standards BUT still used in many implementations Subject Alternative Name (SAN) Structured identifiers List multiple host/subdomains Use wildcard subdomain Screenshot used with permission from Microsoft. 10 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Types of Certificate Certificate policies and templates Key usage Extended Key Usage/Enhanced Key Usage Critical or non-critical Screenshot used with permission from Microsoft. 11 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Web Server Certificate Types Domain Validation (DV) More rigorous identity checks Extended Validation (EV) Even more rigorous identity checks Screenshot used with permission from Microsoft. 12 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Other Certificate Types Machine/computer Servers and network appliances Identify by FQDN Email/user certificate Can be various types (email, encryption, smart card logon, and so on) Identify by email address Code signing Validate publisher name Root certificate Self-signed certificate for the CA Self-signed certificate Must be manually trusted Screenshot used with permission from Microsoft. 13 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Certificates and Certificate Authorities CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14 Review Activity Assisted Labs CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Managing the Lifecycle of a Certificate 15 Lab Activity Implement PKI Management Topic 6B 16 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16 3.9 Given a scenario, implement public key infrastructure 4.1 Given a scenario, use the appropriate tool to assess organizational security (OpenSSL only) Syllabus Objectives Covered 17 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Certificate and Key Management Key life cycle Key generation Certificate generation Storage Revocation Expiration and renewal Vulnerabilities from improper management 18 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Key Recovery and Escrow M-of-N control for critical keys (root servers) Keys can be backed up to protect against data loss Anyone with access to backup keys could impersonate the true key holder Key recovery processes can be protected by M of N control Escrow backup Placing archived keys with a trusted third party 19 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Certificate Expiration Certificate duration Certificate renewal Use existing key pair Re-key with newly generated key pair Expiration Public key will no longer be accepted Archiving versus destroying key material Secure erasing methods 20 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Certificate Revocation Lists Revocation versus suspension Reason codes Certificate Revocation List (CRL) List of revoked and suspended certificates Browser CRL checking Screenshot used with permission from Microsoft. 21 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Online Certificate Status Protocol Responders Online Certificate Status Protocol (OCSP) OCSP responder Provide real-time status information (though some rely on CRLs) Client queries single certificate per transaction OCSP stapling Clients might need to make lots of certificate queries for a chain of trust Queries can be used to track clients Stapling proxies the OCSP response 22 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Certificate Pinning Defend against MitM attacks on chain of trust Web server references authorized public key(s) in HTTP header HTTP Public Key Pinning (HPKP) Certificate Transparency framework 23 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Certificate Formats Distinguished Encoding Rules (DER) Binary format Privacy-enhanced Electronic Mail (PEM) Represent binary as ASCII using Base64 encoding .CER and .CRT file formats may be either binary or ASCII Personal information exchange Export a private key (binary and password-protected) .PFX or .P12 (PKCS #12) Export a certificate chain .P7B (PKCS #7) Screenshot used with permission from Microsoft. 24 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org OpenSSL Windows Certificate Services and certutil/PowerShell OpenSSL Key pair generation and CA root certificate Certificate requests Viewing and verifying certificates Converting certificate formats 25 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25 Certificate Issues Troubleshoot rejection of certificates by servers and clients Existing certificate—check expiry and status New certificate Check key usage settings and requirements Check subject name Check chain of trust/root certificates Verify time and date settings Audit certificate and PKI infrastructure 26 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org PKI Management CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27 Review Activity Assisted Labs Managing Certificates with OpenSSL 28 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Lab Activity Summary Lesson 6 CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29 29 Implementing Identity and Account Management Controls Lesson 8 1 Implement Identity and Account Types Topic 8A CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2 2 3.7 Given a scenario, implement identity and account management controls 5.3 Explain the importance of policies to organizational security Syllabus Objectives Covered CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3 Identity Management Controls Certificates and smart cards Public key cryptography Subject identified by a public key, wrapped in digital certificate Private key must be kept secure Tokens Authorizations issued under single sign-on Avoids need for user to authenticate to each service Identity provider Provisions and manages accounts Processes authentication Federated identity management CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4 Background Check and Onboarding Policies Human resources (HR) and personnel policies Recruitment (hiring) Operation (working) Termination/separation (firing or retiring) Background check Onboarding Welcoming a new employees or contractors to the organization Account provisioning Issuing credentials Asset allocation Training/policies Non-disclosure Agreement (NDA) CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5 Personnel Policies for Privilege Management Mitigate insider threat Separation of duties Standard operating procedures (SOPs) Shared authority Least privilege Assign sufficient permissions only Reduce risk from compromised accounts Job rotation Distributes institutional knowledge and expertise Reduces critical dependencies Mandatory vacations CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6 Offboarding Policies Identity and access management checks Disable the user account and privileges Ensure integrity and availability of information assets managed by the employee Retrieving company assets Returning personal assets Consider shared/generic accounts, security procedures that must be changed CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7 7 Security Account Types and Credential Management Standard users Limited privileges Should not be able to change the system configuration Restricted to account profile Credential management policies for personnel Password policy Protect access to the account and prevent compromise Educate risks from reusing credentials and social engineering Guest accounts Account with no credentials (anonymous logon) Unauthenticated access to hosts and websites Must have very limited privileges or be disabled CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8 Security Group-Based Privileges User-assigned privileges Assign privileges directly to user accounts Unmanageable if number of users is large Group-based privileges Assign permissions to security groups and assign user accounts to relevant groups Issues with users inheriting multiple permissions CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9 Images © 123RF.com. 9 Administrator/Root Accounts Privileged/administrative accounts Can change system configuration Generic administrator/root/superuser User account with full control over system Key target for attackers Often disabled or usage restricted after install Administrator credential policies Create specific accounts with least privileges (generic account prohibition) Enforce multifactor authentication Default security groups Administrators/sudoers CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10 Service Accounts Windows service accounts System Local Service Network Service Linux accounts to run services (daemons) Deny shell access Managing shared service account credentials CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11 Screenshot used with permission from Microsoft. Shared/Generic/Device Accounts and Credentials Shared accounts Accounts whose credentials are known to more than one person Generic accounts Accounts created by default on OS install Only account available to manage a device Might use a default password Risks from shared and generic accounts Breaks principle of non-repudiation Difficult to keep credential secure Credential policies for devices Privilege access management software CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12 Secure Shell Keys and Third-party Credentials Secure Shell (SSH) used for remote access Host key identifies the server User key pair used to authenticate to server Server holds copy of valid users’ public keys Keys must be actively managed Third-party credentials Passwords and keys to manage cloud services Highly vulnerable to accidental disclosure CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13 Screenshot used with permission from Amazon.com. Identity and Account Types CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14 Review Activity Implement Account Policies Topic 8B CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15 15 3.7 Given a scenario, implement identity and account management controls Syllabus Objectives Covered CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16 Account Attributes and Access Policies Account attributes Security ID, account name, credential Extended profile attributes Per-app settings and files Access policies File permissions Access rights Active Directory Group Policy Objects (GPOs) Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17 Account Password Policy Settings Length Complexity Character combinations Aging History and reuse NIST guidance Password hints CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18 Account Restrictions Network location Connecting from a VLAN or IP subnet/remote IP Connecting to a machine type or group (clients versus servers) Interactive versus remote logon Geolocation By IP address By Location Services Geofencing Geotagging Time-based restrictions Logon hours Logon duration Impossible travel time/risky login CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19 19 Account Audits Accounting and auditing to detect account misuse Use of file permissions to read and modify data Failed login or resource access attempts Recertification Monitoring use of privileges Granting/revoking privileges Communication between IT and HR Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20 Account Permissions Impact of improperly configured accounts Insufficient permissions Unnecessary permissions Escalating and revoking privileges Permission auditing tools Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21 Usage Audits Account logon and management events Process creation Object access (file system / file shares) Changes to audit policy Changes to system security and integrity (anti-virus, host firewall, and so on) Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22 Account Lockout and Disablement Disablement Login is disabled until manually re-enabled Combine with remote logoff Lockout Login is prevented for a period and then re-enabled Policies to enforce automatic lockout CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23 Screenshot used with permission from Microsoft. Account Policies CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24 Review Activity Assisted Labs CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Managing Access Controls in Windows Server Configuring a System for Auditing Policies 25 Lab Activity Implement Authorization Solutions Topic 8C CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26 26 2.4 Summarize authentication and authorization design concepts 3.8 Given a scenario, implement authentication and authorization solutions 4.1 Given a scenario, use the appropriate tool to assess organizational security (chmod only) Syllabus Objectives Covered CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27 Discretionary and Role-Based Access Control Access control model determines how users receive permissions/rights Discretionary Access Control (DAC) Based on resource ownership Access Control Lists (ACLs) Vulnerable to compromised privileged user accounts Role-Based Access Control (RBAC) Non-discretionary and more centralized control Based on defining roles then allocating users to roles Users should only inherit role permissions to perform particular tasks CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28 File System Security Access Control List (ACL) Access Control Entry (ACE) File system support Linux permissions and chmod Symbolic (rwx) User, group, world Octal r=4 w=2 x=1 Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29 29 Mandatory and Attribute-Based Access Control Mandatory Access Control (MAC) Labels and clearance System policies to restrict access Attribute-Based Access Control (ABAC) Access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes Conditional access CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30 Rule-Based Access Control Non-discretionary System determines rules, not users Conditional access Continual authentication User account control (UAC) Privileged access management Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31 Directory Services Database of subjects Users, computers, security groups/roles, and services Access Control Lists (authorizations) X.500 and Lightweight Directory Access Protocol (LDAP) Distinguished names Attribute=Value pairs CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32 CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo Federation and Attestation Federated identity management Networks under separate administrative control share users Identity providers and attestation Cloud versus on-premises requirements CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 33 Images © 123rf.com. Security Assertions Markup Language Open standard for implementing identity and service provider communications Attestations/assertions XML format Signed using XML signature specification Communications protocols HTTPS Simple Object Access Protocol (SOAP) CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34 OAuth and OpenID Connect “User-centric” federated services better suited to consumer websites Representational State Transfer (REST) Application Programming Interfaces (APIs) (RESTful APIs) Framework for implementation not a protocol OAuth Designed to communicate authorizations rather than explicitly authenticate a subject Client sites and apps interact with OAuth IdPs and resource servers that hold the principal’s account/data Different flow types for server to server or mobile app to server JavaScript object notation (JSON) web token (JWT) OpenID Connect (OIDC) Adds functions and flows to OAuth to support explicit authentication CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 35 Authorization Solutions CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 36 Review Activity Assisted Lab Managing Access Controls in Linux CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 37 Lab Activity Explain the Importance of Personnel Policies Topic 8D CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 38 38 5.3 Explain the importance of policies to organizational security Syllabus Objectives Covered CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 39 Conduct Policies Acceptable use policy (AUP) Employee use of employer’s hardware and software assets Rules of behavior and social media analysis General requirements for professional standards Covers personal communications and social media accounts Additional clauses for privileged users Use of personally owned devices Bring your own device Shadow IT Clean desk CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 40 User and Role-based Training Impacts and risks from untrained users Topics for security awareness Overview of security policies Incident response procedures Site security procedures Data handling Password and account management Awareness of social engineering and malware threats Secure use of software such as browsers and email clients Role-based training Appropriate language Level of technical content CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 41 Engagement and retention Training delivery methods Phishing campaigns Simulating phishing messages to test employee awareness Capture the flag Computer-based training (CBT) Simulations Branching scenarios Gamification elements Diversity of Training Techniques CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 42 Importance of Personnel Policies CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 43 Review Activity Applied Lab Configuring Identity and Access Management Controls CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 44 Lab Activity Summary Lesson 8 CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 45 45 <samlp:Response xmlns:samlp=urn:oasi s:names:tc:SAML:2.0:protocol xmlns:saml=urn:oasis:names:tc:SAML:2.0:assertion ID=200 Version=2.0 IssueInstant=2020-01-01T20:00:10Z Destination=https://sp.foo/saml/acs InResponseTo=100. <saml:Issuer>https://idp.foo/sso</saml:Issuer> <ds:Signature>...</ds:Signature> <samlp:Status>...(success)...</samlp:Status. <saml:Assertion xmlns:xsi=http://www.w3.org/2001/XMLSchema -instance xmlns:xs=http://www.w3.org/2001/XMLSchema ID=2000 Version=2.0 IssueInstant=2020-01-01T20:00:09Z> <saml:Issuer>https://idp.foo/sso</saml:Issuer> <ds:Signature>...</ds:Signature> <saml:Subject>... <saml:Conditions>... <saml:AudienceRestriction>... <saml:AuthnStatement>... <saml:AttributeStatement> <saml:Attribute>... <saml:Attribute>... </saml:AttributeStatement> </saml:Assertion> </samlp:Response> Implementing Network Security Appliances Lesson 10 1 Implement Firewalls and Proxy Servers Topic 10A CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2 2 3.3 Given a scenario, implement secure network designs Syllabus Objectives Covered CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3 Packet Filtering Firewalls Enforce a network access control list (ACL) Act to deny (block or drop), log, or accept a packet Inspect headers of individual packets Source and destination IP address Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on) Source and destination port numbers (TCP or UDP application type) Inbound, outbound, or both Stateless operation CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4 State table stores connection information Transport layer (layer 4) TCP handshake New versus established and related connections Application layer (layer 7) Validate protocol Match threat signatures Application-specific filtering Stateful Inspection Firewalls Screenshot used with permission from Rubicon Communications, LLC CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5 iptables CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6 6 Firewall Implementation Firewall appliances Routed (layer 3) Bridged/transparent (layer 2) Router/firewall Application-based firewalls Host-based (personal) Application firewall Network operating system (NOS) firewall Screenshot used with permission from Cisco. CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7 Proxies and Gateways Forward proxy server Proxy opens connections with external servers on behalf of internal clients Application-specific filters Non-transparent and transparent proxies User authentication Reverse proxy server Proxy opens connections with internal servers on behalf of external clients Screenshot used with permission from Rubicon Communications, LLC. CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8 Access Control Lists Least access Top to bottom processing order Implicit deny Explicit deny all Criteria for rules (tuples) Documenting and testing configuration Screenshot used with permission from Rubicon Communications, LLC. CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9 Network Address Translation Source NAT Static and dynamic NAT Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT) Destination NAT/port forwarding Advertise a resource using a global IP address but forward it to a local IP address Usually forward specific ports only Screenshot used with permission from Rubicon Communications, LLC. CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10 Hypervisor-based Filtering built into the hypervisor or cloud service Virtual appliance Deployed as a virtual machine to the cloud Multiple context Firewall appliance running multiple instances East-west security design and microsegmentation Virtual Firewalls CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11 11 Source code inspection and supply chain issues Wholly proprietary appliance OS UNIX or Linux kernel with proprietary features Wholly open-source Support arrangements and subscription features Open-source versus Proprietary Firewalls CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12 Firewalls and Proxy Servers CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13 Review Activity Assisted Lab Configuring a Firewall CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14 Lab Activity Implement Network Security Monitoring Topic 10B CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15 15 3.3 Given a scenario, implement secure network designs Syllabus Objectives Covered CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16 Network-Based Intrusion Detection Systems Intrusion detection system (IDS) Network sensor captures traffic Detection engine performs real-time analysis of indicators Passive logging/alerting CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17 Screenshot Security Onion securityonion.net TAPs and Port Mirrors Sensor placement Inside firewall In front of application servers Managing volume of traffic/alerts Switched port analyzer (SPAN)/mirror port Passive test access point (TAP) Active TAP Aggregation TAP CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18 Network-Based Intrusion Prevention Systems Intrusion prevention system (IPS) Active response to threats Reset session Apply firewall filters on the fly to shun traffic Bandwidth throttling Packet modification Run a script or other process Anti-virus scanning/content filtering Inline placement—risk of failure CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19 Signature-Based Detection Analysis engine Signature-based detection Pattern matching Database of known attack signatures Must be updated with latest definitions /plug-ins/feeds Many attack tools do not conform to specific signatures CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20 Behavior and Anomaly-Based Detection Behavioral-based detection Train sensor with baseline normal behavior to recognize anomalous behavior Network behavior and anomaly detection (NBAD) Heuristics (learning from experience) Statistical model of behavior Machine learning assisted analysis User and entity behavior analytics (UEBA) Network traffic analysis (NTA) Anomaly-based detection as irregularity in packet construction CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21 Next-generation Firewalls and Content Filters Next-generation firewall Application-aware filtering, user account-based filtering, IPS, cloud inspection, … Unified threat management (UTM) Combining security controls into single agent and management platforms Firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway, … Content/URL filter Focuses on outgoing user traffic Content block lists and allow lists Time-based restrictions Secure web gateway (SWG) CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22 Host-Based Intrusion Detection Systems Host-based IDS Network, log, and file system monitoring for endpoints File integrity monitoring (FIM) Cryptographic hash or file signature verifies integrity of files Compare hashes manually or verify signature with publisher’s public key Windows File Protection/sfc Tripwire and OSSEC CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23 Web Application Firewalls Able to inspect code in HTTP packets Matches suspicious code to vulnerability database Can be implemented as software on host or as appliance Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24 Network Security Monitoring CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25 Review Activity CompTIA Lab Configuring an Intrusion Detection System CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26 Lab Activity Summarize the Use of SIEM Topic 10C CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27 27 1.7 Summarize the techniques used in security assessments 3.3 Given a scenario, implement secure network designs 4.1 Given a scenario, use the appropriate tool to assess organizational security Syllabus Objectives Covered CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28 Packet capture Sniffers and flow analysis Traffic and protocol statistics Packet analysis Network monitors Appliance state data Heartbeat availability monitoring Logs System logs to diagnose availability issues Security logs to audit access Monitoring Services CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29 29 Security Information and Event Management Log collection Agent-based Local agent to forward logs Listener/collector Protocol-based remote log forwarding (syslog) Sensor Packet capture and traffic flow data Log aggregation Consolidation of multiple log formats to facilitate search/query and correlation Normalization of fields Time synchronization CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30 Screenshots used with permission from AT&T Cybersecurity. Analysis and Report Review Correlation Relating security data and threat intelligence Alerting of indicators of compromise (IOC) Basic rules versus machine learning User and entity behavior analytics (UEBA) Sentiment analysis Machine interpretation of natural language Emotion AI Security orchestration, automation, response (SOAR) CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31 31 cat View contents of one or more files head and tail View first and last lines of file logger Write input to system log File Manipulation CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32 Regular expression syntax Search operators, quantifiers, logic statements, and anchors/boundaries grep Searches file contents Simple string matching or regex syntax Regular Expressions and grep CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 33 grep -F 192.168.1.254 access.log grep -r 192\.168\.1\.[\d]{1,3} Use of SIEM CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34 Review Activity Summary Lesson 10 CompTIA Security+ Lesson 10 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 35 35 Implementing Secure Network Designs Lesson 9 1 Implement Secure Network Designs Topic 9A CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2 2 3.3 Given a scenario, implement secure network designs Syllabus Objectives Covered CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3 Secure Network Designs What problems arise from weaknesses in the network design/architecture? Single points of failure Complex dependencies Availability over confidentiality and integrity Lack of documentation and change control Overdependence on perimeter security Best practice design and architecture guides Cisco’s SAFE Architecture Places in the Network CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4 Corporate network Access Email mailbox server Mail transfer server Segmentation Data flows and access controls Business Workflows and Network Architecture CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5 Network Appliances CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6 Images © 123rf.com. 6 Routing and Switching Protocols Forwarding Layer 2 forwarding Layer 3 forwarding Address Resolution Protocol (ARP) Map IP addresses to MAC addresses Internet Protocol (IP) IPv4 and IPv6 Network prefix/subnet mask Routing protocols Communicate routing table updates CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7 7 Network segment Nodes can communicate at layer 2 Broadcast domain Implementing network segments Separate unmanaged switches Configure virtual LANs (VLANs) on managed switches Layer 3 subnets Map subnets to VLANs Network Segmentation CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8 Network Topology and Zones Physical and logical topologies Zones represent isolated segments for hosts that have the same security requirement Traffic between zones is subject to filtering by a firewall Main zone types Intranet (private) Extranet Internet (public) Enterprise architecture zones Access blocks representing host groups CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9 Images © 123rf.com. Demilitarized Zones Demilitarized zones (DMZs) isolate hosts that are Internet-facing Communications through the DMZ should not be allowed Ideally use proxies to rebuild packets for forwarding Bastion hosts Not fully trusted by internal network Run minimal services Do not store local network account credentials Using different types of DMZ for different functions CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10 Demilitarized Zone Topologies CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11 Images © 123rf.com. Screened host Local network screened by a single firewall “SOHO DMZ” SOHO router configuration option Host configured to accept connections from the Internet Screened Host CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12 Images © 123rf.com. 12 Enabled by default configuration issues Risks of unmanaged configurations IPv6-specific attack vectors Map IPv6 address space to appropriate security zones Configure IPv6 firewall rules Typically no need for address translation Implications of IPv6 CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13 Other Secure Network Design Considerations Data center and cloud design requirements East-west traffic North-south traffic enters and leaves data center East-west traffic is between servers within the data center Problem for security inspection and filtering Zero trust Do not rely on perimeter security Continuous/context-based authentication Microsegmentation Single host zones CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14 14 Secure Network Designs CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15 Review Activity Implement Secure Switching and Routing Topic 9B CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16 16 1.4 Given a scenario, analyze potential indicators associated with network attacks 3.1 Given a scenario, implement secure protocols Routing and switching only 3.3 Given a scenario, implement secure network designs Syllabus Objectives Covered CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17 Man-in-the-Middle (MitM) attacks Threat actor can intercept and modify communications On-path attack Snooping Spoofing MAC address cloning/spoofing Media Access Control (MAC) hardware interface address Easy to change for a different value Man-in-the-Middle and Layer 2 Attacks CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18 ARP Poisoning and MAC Flooding Attacks Address Resolution Protocol (ARP) poisoning Broadcasting unsolicited ARP replies to poison the cache of local hosts with spoofed MAC address Attacker usually tries to masquerade as default gateway MAC flooding Overwhelm switch memory to trigger unicast flooding Facilitates sniffing Screenshot used with permission from wireshark.org. CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19 Loop Prevention Spanning Tree Protocol (STP) Broadcast storm prevention Broadcast and flooded unicast getting amplified as it loops continually around network Storm control if STP has failed Bridge Protocol Data Unit (BPDU) guard Configure switches to defeat attempts to engineer a loop Portfast setting configured for access ports BPDU guard disables port if STP traffic is detected Images © 123RF.com. CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20 20 Physical Port Security and MAC Filtering Physical port security Secure switch hardware Physically disconnect unused ports Disable unused ports via management interface MAC address limiting and filtering Configure permitted MACs Limit number of MAC changes DHCP snooping Dynamic ARP inspection CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21 Network Access Control Endpoint security/defense in depth IEEE 802.1X/port-based network access control (PNAC) Can also enforce health policy Posture assessment Agent-based Persistent versus non-persistent Agentless Scanning software Device polling CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22 Screenshot used with permission from packetfence.org. Route Security Sources of routing table updates Preventing route injection Source routing Patch management and router appliance hardening CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23 Secure Switching and Routing CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24 Review Activity Assisted Lab CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Implementing a Secure Network Design 25 Lab Activity Implement Secure Wireless Infrastructure Lesson 9C CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26 26 1.4 Given a scenario, analyze potential indicators associated with network attacks 3.4 Given a scenario, install and configure wireless security settings Syllabus Objectives Covered CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27 Wireless Network Installation Considerations Ensure maximum availability from legitimate access points Wireless access point (WAP) placement Service set identifier (SSID) and basic service set identifier (BSSID) Frequency bands and channels Co-channel interference (CCI) Adjacent channel interference (ACI) Site surveys and heat maps Architectural plan Wi-Fi analyzer Heat map plots signal strength from high (red) to low (green/blue) Channel layout shows overlapping usage CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28 28 Controller and Access Point Security Configuration of multi-WAP WLANs Hardware and software controllers Fat versus thin WAPs Physical security and management interfaces CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29 Screenshot used with permission from Ubiquiti Networks. Wi-Fi Protected Access WPA (v1) RC4 with Temporal Key Integrity Protocol (TKIP) Wi-Fi protected access 2 (WPA2) Advanced Encryption Standard (AES) replaces RC4 Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol (CCMP) replaces TKIP Also enables enterprise authentication options Wi-Fi protected access 3 (WPA3) Simultaneous Authentication of Equals (SAE) Enhanced Open Updated cryptography Management protection frames CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30 Screenshot used with permission from TP-Link Technologies. 30 Wi-Fi Authentication Methods WPA2 pre-shared key authentication Passphrase used to generate a pairwise master key (PMK) 4-way handshake PMK is used to derive session keys WPA3 personal authentication Password Authenticated Key Exchange (PAKE) Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake Dragonfly handshake CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31 31 Wi-Fi Protected Setup (WPS) Pushbutton or passcode autoconfiguration of access points and clients Brute-force vulnerability in passcode algorithm Access point may support lockout to mitigate Make sure access point firmware is up-to-date EasyConnect and Device Provisioning Protocol (DPP) CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32 Open Authentication and Captive Portals Use an access point without authentication (or encryption) Secondary authentication via captive portal or splash page Everything sent over link can be snooped Use secure protocols for confidential data (HTTPS, Secure IMAP, FTPS) Use a Virtual Private Network (VPN) to create a secure tunnel Wi-Fi Enhanced Open CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 33 Enterprise/IEEE 802.1X Authentication Extensible Authentication Protocol (EAP) over Wireless (EAPoW) Network directory authorization via RADIUS or TACACS+ User credential is used to generate session encryption key Screenshot used with permission from Cisco. CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34 Extensible Authentication Protocol Designed to provide for interoperable security devices and software EAP-TLS Transport Layer Security (TLS) to authenticate via device certificates/smart cards Both server and supplicant must have certificates Mutual authentication Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 35 PEAP, EAP-TTLS, and EAP-FAST Secure tunneling for user credentials Protected EAP (PEAP) Password authentication through a TLS-protected tunnel Server certificate only PEAPv0 (EAP-MSCHAPv2) PEAPv1 (EAP-GTC) EAP with Tunneled TLS (EAP-TTLS) Similar to PEAP but with more flexibility on inner authentication method EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) Cisco alternative to PEAP that can be set up without certificate infrastructure CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 36 RADIUS Federation Federated identity solution Mesh network for RADIUS servers operated by different institutions Eduroam CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 37 Rogue Access Points and Evil Twins Rogue access point Troubleshooting access point misconfiguration Disable unused devices and interfaces Evil twin Masquerade as legitimate AP Use similar SSID Capture authentication information Wi-Fi analyzers Screenshot used with permission from Xirrus. CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 38 Disassociation and Replay Attacks Deauthentication attack Attacker sends spoofed deauth packet DoS and assists other attacks Disassociation attack Similar but just causes station to disassociate Configure Management Frame Protection (MFP/802.11w) Initialization vector (IV) attack Generate packets to strip IV KRACK/key reinstallation CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 39 Jamming Attacks Environmental versus malicious interference Jamming attacks Denial of service Promote evil twin Use spectrum analyzer to locate source CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 40 Secure Wireless Infrastructure CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 41 Review Activity Implement Load Balancers Topic 9D CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 42 42 1.4 Given a scenario, analyze potential indicators associated with network attacks 3.3 Given a scenario, implement secure network designs Syllabus Objectives Covered CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 43 Distributed Denial of Service (DDoS) Leverage bandwidth from compromised hosts/networks Handlers form a command and control (C&C) network Compromised hosts installed with bots that can run automated scripts Co-ordinated by the C&C network as a botnet Overwhelm with superior bandwidth (number of bots) Consume resources with spoof session requests (SYN flood) CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 44 44 Amplification, Application, and OT Attacks Distributed Reflection DoS (DRDoS) Amplified SYN flood Spoof victims IP address and attempt to open connections with multiple servers Those servers direct their SYN/ACK responses to the victim Application attacks Bogus DNS/NTP queries Direct responses at victim Queries can be constructed to generate large response packets Operational technology (OT) networks DoS against embedded systems Can be more vulnerable to miscrafted packets than computing hosts CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 45 Distributed Denial of Service Attack Mitigation Attacks use spoofed addresses, making them hard to block Drop traffic to protect other hosts in the routing domain Access control list (ACL) remotely triggered blackhole (RTBH) Sinkhole routing Cloud DDoS mitigation services Screenshot used with permission from Security Onion. CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 46 Load Balancing Distributes requests across farm or pool of servers (nodes) Layer 4 load balancer Layer 7 load balancer (content switch) Scheduling Round robin Fewest existing connections / best response time Weighting Heartbeat and health checks Source IP affinity Session persistence CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 47 Images © 123rf.com. Clustering Configure nodes for failover Virtual IP Common Address Redundancy Protocol (CARP) Active/passive versus active/active Application clustering Provides stateful fault tolerance Images © 123RF.com. CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 48 Compared to best effort and first in, first out (FIFO) Quality of service (QoS) to prioritize traffic with certain characteristics Bandwidth Latency and jitter Traffic marking DiffServ and 802.1p Traffic policing Denial of service and trust boundaries for traffic marking Ensure bandwidth for management and security monitoring traffic Quality of Service CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 49 49 Load Balancers CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 50 Review Activity Summary Lesson 9 CompTIA Security+ Lesson 9 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 51 51 Implementing Authentication Controls Lesson 7 1 Summarize Authentication Design Concepts Topic 7A CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2 2 2.4 Summarize authentication and authorization design concepts Syllabus Objectives Covered CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3 Identity and Access Management Subjects Users or software that request access Objects Resources such as networks, servers, and data Identification Associating a valid subject with a computer/network account Authentication Challenge to the subject to supply a credential to operate the account Authorization Rights, permissions, or privileges assigned to the account Accounting Auditing use of the account CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4 Authentication Factors Something you know Knowledge factor Password Personal identification number (PIN) Swipe pattern Challenge questions/password reset Something you have Ownership factor Hardware tokens and fobs Something you are/do Biometric factor Screenshot used with permission from Microsoft. CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5 Meet requirements for confidentiality, integrity, and availability Confidentiality Keep credentials secure Integrity Threat actors cannot bypass or subvert the authentication mechanism Availability The mechanism does not cause undue delay or support issues Authentication Design CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6 Multifactor Authentication Strong authentication requires two (or three) types Knowledge factor only is weak in terms of confidentiality Multifactor authentication (MFA) Two-factor authentication (2FA) Something you KNOW and something you HAVE Something you KNOW and something you ARE NOT something you KNOW and something else you KNOW CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7 Authentication Attributes Somewhere you are Geolocation via location services IP location (logical versus geolocation) Switch port, virtual LAN (VLAN), or wireless network name Something you can do Performing an action in a way that can be captured as a unique pattern Something you exhibit A behavior or personality trait that can be captured as a unique pattern Someone you know Web of trust CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8 Authentication Design Concepts CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9 Review Activity Implement Knowledge-based Authentication Topic 7B CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10 10 1.2 Given a scenario, analyze potential indicators to determine the type of attack 3.8 Given a scenario, implement authentication and authorization solutions 4.1 Given a scenario, use the appropriate tool to assess organizational security (Password crackers only) Syllabus Objectives Covered CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11 Local , Network, and Remote Authentication Authentication providers Passwords versus password hashes Windows authentication Local sign-in Network sign-in (Kerberos and NTLM) Remote sign-in Linux authentication /etc/passwd and /etc/shadow Pluggable authentication modules (PAMs) Single sign-on (SSO) CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12 12 Kerberos Authentication Single sign-on authentication and authorization provider Clients Application servers Key Distribution Center (KDC) Authentication Service – Ticket Granting Ticket Ticket Granting Service – Service Ticket CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13 Images © 123rf.com. Kerberos Authorization CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14 Images © 123rf.com. PAP, CHAP, and MS-CHAP Authentication Password authentication designed to work with remote access protocols (Point-to-Point Protocol) Password Authentication Protocol (PAP) Completely unsecure Challenge Handshake Authentication Protocol (CHAP) Challenge/Response similar to NTLM Challenge is repeated during the session to prevent replay Various implementations (Cisco, MS-CHAPv2) Not secure enough to use without an encrypted tunnel CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15 Screenshot used with permission from Microsoft. Password Attacks Plaintext/unencrypted Sniffing passwords from unsecure protocols Locating passwords in documents/code repositories Online password attack Adversary interacts with authentication service Restrict logon rates Shun suspect hosts Horizontal brute force/password spraying Offline attacks Password database Hash transmitted directly Hash used as key to sign an HMAC CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16 Brute Force and Dictionary Attacks Exploit weak user password selection or weak cryptographic mechanisms Brute force attack Generate every possible combination to match a hash Large output space and sufficiently long input password increase time required Dictionary attack and rainbow tables Use a dictionary to test common words or phrases first Rainbow tables assist dictionary attacks against Windows password databases by precomputing hash chains Using salt means hash chains cannot be pre-computed Hybrid attack Dictionary and brute force Fuzzing of dictionary terms (james1, james2, tom1, tom2,…) CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17 Password Crackers Cain and L0phtcrack Hashcat Hash type Attack mode Dictionary/word lists Brute force Masked CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18 Screenshot hashcat (hashcat.net/hashcat.) Hardware and software solutions for storing and submitting multiple user passwords Password key USB token Possibly Bluetooth/NFC connectivity Password vaults Software-based Federal Information Processing standard (FIPS 140-2) Authentication Management CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19 Knowledge-Based Authentication CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20 Review Activity Assisted Lab Auditing Passwords with a Password Cracking Utility CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21 Lab Activity Implement Authentication Technologies Topic 7C CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22 22 2.4 Summarize authentication and authorization design concepts 3.3 Given a scenario, implement secure network designs (HSM only) 3.8 Given a scenario, implement authentication and authorization solutions Syllabus Objectives Covered CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23 Smart Card Authentication Kerberos-based smart card logon Card readers Card stores user’s private key and certificate Use of card is protected by a PIN Image © 123RF.com. CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24 Key Management Devices Provision keys with risk of insider threat reduced Smart cards and USB keys Trusted Platform Module (TPM) Virtual smart cards Hardware Security Module (HSM) Provision keys to devices across the network Key archive and escrow Reduced attack surface and tamper-evident Cryptographically secure pseudorandom number generator (CSPRNG) Plug-in card and network rack form factors CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25 Images © 123RF.com. 25 Extensible Authentication Protocol/IEEE 802.1X Authenticate user at network access devices Wireless networks Port authentication for switched networks Remote access over a virtual private network Extensible Authentication Protocol (EAP) Supports multiple authentication implementations Certificates and smart cards IEEE 802.1X Port-based Network Access Control Supplicant Network access server (NAS) AAA server CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26 Remote Authentication Dial-in User Service 27 Images © 123RF.com. 27 Terminal Access Controller Access-Control System TACACS+ Centralizing administrative logins for network appliances Reliable TCP transport (over port 49) Data encryption Discrete authentication, authorization, and accounting functions CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28 Token Keys and Static Codes One-time password (OTP) Generated by some algorithm and used only once RSA SecurID Static code “Dumb” smart cards Fast Identity Online (FIDO) Universal Second Factor (U2F) Image © 123RF.com. CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29 Open Authentication (OATH) HMAC-based One-time Password Algorithm (HOTP) Time-based One-time Password Algorithm (TOTP) CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30 Transmit a code via an out-of-band channel Short message service (SMS) Phone call Push notification Email account Possibility of interception 2-Step Verification CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31 31 Authentication Technologies CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32 Review Activity Assisted Lab CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org Managing Centralized Authentication 33 Lab Activity Summarize Biometrics Authentication Concepts Topic 7D CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34 34 2.4 Summarize authentication and authorization design concepts Syllabus Objectives Covered CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 35 Biometric Authentication Enrollment Sensor and feature extraction Efficacy rates and considerations False Rejection Rate (FRR) or Type I error False Acceptance Rate (FAR) or Type II error Crossover Error Rate (CER) Throughput (speed) Failure to Enrol Rate (FER) Cost/implementation Privacy concerns Accessibility concerns CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 36 Fingerprint Recognition Fingerprint sensors Small capacitive cells Easy to implement Relatively simple enrollment Quite vulnerable to spoofing Vein matching (vascular biometrics) More complex scanner Android is a trademark of Google LLC. CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 37 Facial Recognition Facial recognition Enrollment can be relatively slow Privacy issues Prone to relatively high false acceptance/rejection rates/spoofing Retinal scan Pattern of blood vessels Scanning relatively intrusive and complex Iris scan Pattern of eye surface Easier to scan More vulnerable to spoofing Photo by Ghost Presenter on Unsplash. CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 38 Behavioral Technologies Something you do Voice recognition Gait analysis Signature recognition Typing Other uses than authentication Identification/alerting Continuous authentication/account locking CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 39 Biometrics Authentication Concepts CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 40 Review Activity Summary Lesson 7 CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 41 41