Security Baselines

Security Baselines

Of all the topics you need that to study regarding the Security+ exam as well as other security certification available today, you will find security baselines to be the most general and undefined subject of them all. This is simply because there is no particular set of standards or defined baseline rules that can be applied to every possible network infrastructure in use. Simply put, if you are responsible for administrating security in a networked environment, it is important for you to set your own security baselines based on your network environment.

Here are some good general guidelines to follow when creating a security baseline for your network:

• Evaluate your company's current processes, business plans, technical environment, and current security structure.

• Identify your company's security risk. This can be accomplished with a fundamental risk analysis and a good network security analysis scanner.

• Plan and set up a strong authentication method for your network. Implement encryption methods such as use of public/private keys and utilize built-in operating system security practices such as file-level security, passwords, and policies

• Plan and provide protection for remote users through the use of VPNs, firewalls, and extranets

• Create a choke point (a single entry and exit point through which data passes into and out of your network). This can be done with a firewall. It will provide one area to protect, monitor, and log.

• Define a security policy.

• Secure all resources and services.

• Perform testing, evaluation, and logging.

• Create multiple network segments.

• Segment operating systems from data. Partition hard drives so that the operating system is separate from data.

  Note

  Do not take this section lightly. There is a good possibility that the general guidelines just mentioned contain several answers to questions you will face on the exam. For example, what should you do first in preparation for avoiding potential risk? The exam is most likely going to drill you with such questions. Use your technical knowledge and common sense to answer the easier exam questions.

In order to create a structured network security baseline, you have to know the location of your vulnerabilities. In other words, you need a tool that identifies your network's weaknesses. There are some great tools available that will help network security personnel assess weaknesses and create security baselines. One of the best on the market is Enterprise Security Manager by Symantec. For more information on these as well as other excellent security software packages, visit the Symantec Web site at http://www.symantec.com/product/ .

Test Tips

It has been stated already that security is a very broad topic. In order to prepare yourself for the Security+ exam and the plethora of possible questions you might encounter, you should focus your test preparation study on the following network security- related Test Tips as well as the review questions at the end of the chapter.

These Test Tips serve primarily as a review of the chapter. However, you might notice that some of the tips have not been discussed. Be prepared and learn to be surprised by the unexpected. The real exam will show you no mercy. Know these tips inside and out!

• Multiplexing is the combining of data channels over a single transmission line.

• DNS (Domain Name Servers) resolve fully qualified domain names (or host names ) to IP addresses. For example, Microsoft.com is a domain name. A properly configured DNS could resolve Microsoft.com to the IP address 207.46.129.180.

• A bastion host is gateway or firewall that protects an internal network from external networks. Simply put, a bastion host is a system setup on an internal network that screens for possible attacks aimed at a particular internal network.

• ATM (Asynchronous Transfer Mode) is a dedicated switching technology that transmits data in fixed-length, 53-byte units called cells . ATM is well suited for the transmission of audio and video and is said to be the answer to the low bandwidth problems that face Internet users.

• A Demilitarized Zone (DMZ) is a neutral area between an internal network and the Internet that typically contains one host system or a small network of systems.

• Network Address Translation (NAT) is an Internet standard most often used with routers to provide firewall security by hiding an internal private network's range of IP addresses from outside networks.

• An FDDI ring is typically composed of two fiber- optic Token Rings. An outside ring is used for the primary transport of data and an inside ring acts as a backup if the primary ring fails. An FDDI ring is redundant and somewhat more secure than star, bus, or traditional ring topologies.

• The seven layers of the OSI reference model from layer 1 to layer 7 are Physical, Data Link, Network, Transport, Session, Presentation, and Application. Just remember 'Programmers Do Not Throw Sausage Pizza Away.'

• Secure Remote Procedure Call (RPC) is a protocol that is used to allow a client-side application program to execute or request a service from a server computer without being concerned with network intricacies or server procedures.

• IPSec employs two encryption modes: transport and tunnel . Using the transport mode, only the data portion (or payload ) of a packet is encrypted while the header remains unchanged. In tunnel mode, security is further enhanced because both the payload and header are encrypted. IPSec offers security services such as connectionless integrity, data origin authentication, and confidentiality.

• Frame relay is also much faster than X.25 and can take advantage of T1 (1.544 Mbps) and T3 (Mbps) speeds. Frame relay uses public switched WANs that can redirect packets if a segment goes bad.

• A circuit gateway is a packet filter that relays packets from one host to another based on the protocol and IP address. A circuit gateway forms a sort of tunnel through a firewall allowing two specified hosts to interact.

• The term , transparency , is used in network security lingo to describe how intrusive a network countermeasure, such as a firewall, is to a user. For example, a packet filter is more transparent to a user than an application proxy. In other words, users will typically not be aware that a router is filtering their data packets. However, if an application gateway is used, users will have to authenticate with the firewall or configure their applications to authenticate through the firewall.

• Point-to-Point Tunneling protocol (PPTP) allows a virtual private network (VPN) to be created using the Internet. PPTP is essentially a set of communication rules that allow the boundaries of private networks to be extended. PPTP has in many cases eliminated the need for companies to use expensive, dedicated leased lines to expand the privacy of their networks.

• Leased-line speeds are as follows :

  • DS-0 (Digital Signal Level 0): One channel transmits 64KBps on T1 line.

  • DS-1 (Digital Signal Level 1): Transmits 1.544MBps on T1 line.

  • DS-3 (Digital Signal Level 3): Transmits 44.736 MBps on a T3 line.

• CAT5 UTP is also referred to 100BaseT or 100BaseTX . It carries a data signal 100 meters or approximately 328 feet. It is the most popular UTP cable in use today.

• Application proxies or gateways are concerned more with specific applications and actual data. The application proxy offers much more control than packet filters and circuit gateways by controlling or limiting user access from within the protocol itself. In other words, with an application proxy, administrators can actually control what information can be sent out of or pulled into a network.

• CHAP uses a secret one-way hash value that is generated by the requester and sent to the server.

• SMTP (Simple Mail Transfer Protocol) is an unsafe protocol used to send e-mail messages between mail servers. SMTP was not originally developed to protect against e-mail and e-mail server attacks. The best way to protect your e-mail server and e-mail in general is to scan and filter all messages and secure each e-mail message with encryption.

• SNMP (Simple Network Management Protocol) is an unsafe network management protocol that allows the use of clear text passwords. SNMP traffic should be filtered at the firewall.

• A multihomed server (a system with two NICs) can be configured as a firewall by enabling IP forwarding and building a Routing Information Table (RIT) .

• Devices such as routers, hubs, and switches are a single point of failure. Each of these devices should be protected with a UPS (Uninterruptible Power Supply) in the event of power surges, spikes, and brownouts.

• The four primary types of firewall architectures are as follows:

  • Packet filter: A packet filter router uses an ACL (Access Control List). It is the oldest of the mentioned architectures. It separates a private network from a public network.

  • Screened host: This firewall architecture combines a bastion host and a packet filter firewall, which requires the intruder to get by two separate systems in order to reach an internal network. This is more secure than a traditional packet filtering firewall.

  • Dual- homed host: Straight to the point, this is a system with two NICs. One NIC supports access to a private network and the other is for a public network. This acts as a filter and is also known as a multihomed bastion host .

  • Screened subnet: This firewall architecture combines the security of two packet filters and a bastion host. This is the most secure of the firewall architectures and requires high overhead. This overhead is realized in high-maintenance requirements.

• VoIP (Voice over IP) technology is essentially the delivery of voice in digital packets over IP networks. This technology is generally less expensive than traditional circuit switching of voice using PSTN (Public Switched Telephone Network). VoIP is a rapidly growing technology that offers security and quality of service.

• Security services are a combination of security techniques, files, policies, and procedures. The following six security services are defined by OSI communication standards in order to provide secure communications:

  • Authentication

  • Access control

  • Data confidentiality

  • Data integrity

  • Non- repudiation

  • Monitoring and logging

• In order for packet-switching networks to work properly, packets must contain the network address of the sending system as well as that of the destination system.

• When the functionality of devices such as a network bridge and a network router are combined, the result is a device known as a brouter .

• Most communication takes place at the Data Link layer of the OSI reference model.

• An extranet is part of a private network (intranet) that is extended to customers, vendors , suppliers, and possibly other remote users. Most extranets use tunneling to connect multiple intranetwork connections to an extranet.

Similar products