CompTIA CSA+ Study Guide. Mike Chapple
NAC solutions are designed to manage the systems that connect directly to an organization’s wired or wireless network. They provide excellent protection against intruders who seek to gain access to the organization’s information resources by physically accessing a facility and connecting a device to the physical network. They don’t provide protection against intruders seeking to gain access over a network connection. That’s where firewalls enter the picture.
Network firewalls sit at the boundaries between networks and provide perimeter security. Much like a security guard might control the physical perimeter of a building, the network firewall controls the electronic perimeter. Firewalls are typically configured in the triple-homed fashion illustrated in Figure 1.6. Triple-homed simply means that the firewall connects to three different networks. The firewall in Figure 1.6 connects to the Internet, the internal network, and a special network known as the demilitarized zone (DMZ). Any traffic that wishes to pass from one zone to another, such as between the Internet and the internal network, must pass through the firewall.
Figure 1.6 A triple-homed firewall connects to three different networks, typically an internal network, a DMZ, and the Internet.
The DMZ is a special network zone designed to house systems that receive connections from the outside world, such as web and email servers. Sound firewall designs place these systems on an isolated network where, if they become compromised, they pose little threat to the internal network because connections between the DMZ and the internal network must still pass through the firewall and are subject to its security policy.
Whenever the firewall receives a connection request, it evaluates it according to the firewall’s rule base. This rule base is an access control list (ACL) that identifies the types of traffic permitted to pass through the firewall. The rules used by the firewall typically specify the source and destination IP addresses for traffic as well as the destination port corresponding to the authorized service. A list of common ports appears in Table 1.1. Firewalls follow the default deny principle, which says that if there is no rule explicitly allowing a connection, the firewall will deny that connection.
Table 1.1 Common TCP ports
Several categories of firewalls are available on the market today, and they vary in both price and functionality:
● Packet filtering firewalls simply check the characteristics of each packet against the firewall rules without any additional intelligence. Packet filtering firewall capabilities are typically found in routers and other network devices and are very rudimentary firewalls.
● Stateful inspection firewalls go beyond packet filters and maintain information about the state of each connection passing through the firewall. These are the most basic firewalls sold as stand-alone products.
● Next-generation firewalls (NGFWs) incorporate even more information into their decision-making process, including contextual information about users, applications, and business processes. They are the current state-of-the-art in network firewall protection and are quite expensive compared to stateful inspection devices.
● Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting. WAFs are discussed in more detail in Chapter 13, “Cybersecurity Toolkit.”
Firewalls use a principle known as network segmentation to separate networks of differing security levels from each other. This principle certainly applies to the example shown in Figure 1.6, where the internal network, DMZ, and Internet all have differing security levels. The same principle may be applied to further segment the internal network into different zones of trust.
For example, imagine an organization that has several hundred employees and a large datacenter located in its corporate headquarters. The datacenter may house many sensitive systems, such as database servers that contain sensitive employee information, business plans, and other critical information assets. The corporate network may house employees, temporary contractors, visitors, and other people who aren’t entirely trusted. In this common example, security professionals would want to segment the datacenter network so that it is not directly accessible by systems on the corporate network. This can be accomplished using a firewall, as shown in Figure 1.7.
Figure 1.7 A triple-homed firewall may also be used to isolate internal network segments of varying trust levels.
The network shown in Figure 1.7 uses a triple-homed firewall, just as was used to control the network perimeter with the Internet in Figure 1.6. The concept is identical, except in this case the firewall is protecting the perimeter of the datacenter from the less trusted corporate network.
Notice that the network in Figure 1.7 also contains a DMZ with a server called the jump box. The purpose of this server is to act as a secure transition point between the corporate network and the datacenter network, providing a trusted path between the two zones. System administrators who need to access the datacenter network should not connect their laptops directly to the datacenter network but should instead initiate an administrative connection to the jump box, using secure shell (SSH), the Remote Desktop Protocol (RDP), or a similar secure remote administration protocol. After successfully authenticating to the jump box, they may then connect from the jump box to the datacenter network, providing some isolation between their own systems and the datacenter network. Connections to the jump box should be carefully controlled and protected with strong multifactor authentication technology.
Jump boxes may also be used to serve as a layer of insulation against systems that may only be partially trusted. For example, if you have contractors who bring equipment owned by their employer onto your network or employees bringing personally owned devices, you might use a jump box to prevent those systems from directly connecting to your company’s systems.
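The rule-base behaviour described earlier (source and destination addresses, an authorized destination port, and default deny) and the jump box pattern of Figure 1.7 can be modelled together. The following is an added example, not code from the study guide; the zone addresses, the jump box address, and the rules are assumptions constructed for illustration.

```python
# Added example: a minimal firewall rule-base evaluator for the segmented
# network of Figure 1.7 (corporate network, DMZ with a jump box, datacenter).
# Addresses and rules below are constructed for this illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network  # permitted source network
    dst: ipaddress.IPv4Network  # permitted destination network
    dport: int                  # destination TCP port of the authorized service


# Assumed zone addressing (made up for the example).
CORPORATE = ipaddress.ip_network("10.1.0.0/16")
JUMP_BOX = ipaddress.ip_network("10.2.0.10/32")   # lives in the DMZ
DATACENTER = ipaddress.ip_network("10.3.0.0/16")

# The rule base is an ACL: only explicitly listed traffic may pass.
RULE_BASE = [
    Rule(CORPORATE, JUMP_BOX, 22),      # admins reach the jump box over SSH
    Rule(CORPORATE, JUMP_BOX, 3389),    # ...or RDP
    Rule(JUMP_BOX, DATACENTER, 22),     # jump box may administer datacenter hosts
    Rule(CORPORATE, DATACENTER, 443),   # ordinary users reach datacenter apps over HTTPS
]


def evaluate(rule_base, src_ip, dst_ip, dport):
    """Return True if some rule explicitly permits this connection request.

    Default deny: a request that matches no rule is refused. Rules are
    directional, so a reply-direction rule is never implied here.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rule_base:
        if src in rule.src and dst in rule.dst and dport == rule.dport:
            return True
    return False


if __name__ == "__main__":
    # Constructed connection requests: direct admin access to the datacenter
    # is denied, the same access routed via the jump box is permitted.
    for req in [("10.1.5.7", "10.3.0.20", 22),
                ("10.1.5.7", "10.2.0.10", 22),
                ("10.2.0.10", "10.3.0.20", 22)]:
        print(req, "PERMIT" if evaluate(RULE_BASE, *req) else "DENY")
```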
Cybersecurity professionals may wish to go beyond typical security controls and engage in active defensive measures that actually lure attackers to specific targets and seek to monitor their activity in a carefully controlled environment.
Honeypots are systems designed to appear to attackers as lucrative targets due to the services they run, vulnerabilities they contain, or sensitive information that they appear to host. The reality is that honeypots are designed by cybersecurity experts