Ciampa CompTIASec+ 7e PPT Mod09
CompTIA Security+ Guide to Network Security
Fundamentals, 7th Edition
Module 9: Network Security
Appliances and Technologies
Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Module Objectives
By the end of this module, you should be able to:
1. List the different types of network security appliances and how they can be used
Security Appliances
• Security can be achieved through appliances that directly address security and by using the
security features in standard networking devices
• Using both standard networking devices and security appliances can result in a layered
security approach
• Appliances include:
• Firewalls
• Proxy servers
• Deception instruments
• Intrusion detection and prevention systems
• Network hardware security modules
Firewalls (1 of 6)
• To use firewalls effectively, you must understand the function of firewalls and know the
different types of firewalls and specialized firewall appliances
• Firewall Functions
• A firewall uses bidirectional inspection to examine outgoing and incoming packets
• The actions are based on specific criteria or rules (called rule-based firewalls)
• A more flexible type of firewall is a policy-based firewall which allows more generic
statements instead of specific rules
• Firewalls can also apply content/URL filtering
Firewalls (2 of 6)
Firewalls (3 of 6)
• Firewall Categories
• Stateful vs. stateless
• Open source vs. proprietary
• Hardware vs. software
• Host vs. appliance vs. virtual
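The stateful vs. stateless distinction above is easiest to see by running the same packets through both kinds of filter. The following is an added example (not from the textbook): a toy stateless ACL and a toy stateful filter in Python. The addresses (10.0.0.0/24 as the protected network, documentation ranges standing in for the Internet) and the traffic are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed for the example: 10.0.0.0/24 is the protected internal network;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# the Internet. None of this comes from the textbook.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_allow(pkt: Packet) -> bool:
    """Stateless (packet-filter) ACL: each packet is judged on its own header fields.

    Rule 1: internal hosts may open outbound HTTPS (destination port 443).
    Rule 2: inbound packets with the ACK flag set are treated as replies to those
            connections. A stateless filter keeps no connection memory, so it has
            to trust the flag, and the flag costs an attacker nothing to set.
    Rule 3: implicit deny.
    """
    if pkt.src.startswith(INTERNAL_PREFIX) and pkt.dport == 443:
        return True
    if pkt.dst.startswith(INTERNAL_PREFIX) and pkt.ack:
        return True
    return False


class StatefulFilter:
    """Stateful inspection: remember outbound connections, admit only their traffic."""

    def __init__(self) -> None:
        # connection table keyed by (src, sport, dst, dport) of the initiating side
        self.table = set()

    def allow(self, pkt: Packet) -> bool:
        # A new outbound connection is created only by an initial SYN (no ACK).
        if (pkt.src.startswith(INTERNAL_PREFIX) and pkt.dport == 443
                and pkt.syn and not pkt.ack):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Reply direction: the reversed 4-tuple must belong to a tracked connection.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return True
        # Later packets of a tracked connection in the forward direction.
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table:
            return True
        return False


def compare(packets):
    """Run one packet sequence through both filters; returns (stateless, stateful) verdicts."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]


# Constructed traffic: a legitimate HTTPS handshake, then a forged "reply" to port 22.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),            # client SYN
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),  # server SYN/ACK
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, ack=True),            # client ACK
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, ack=True),             # attacker, ACK set
]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={sl}  stateful={sf}")
```

The three handshake packets pass both filters. The fourth, an inbound packet to SSH with a forged ACK flag, passes the stateless ACL but is dropped by the stateful filter because no tracked connection matches it.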
Firewalls (4 of 6)
Firewalls (5 of 6)
Firewalls (6 of 6)
Proxy Servers (1 of 2)
• Proxies are devices that act as substitutes on behalf of the primary device
• A forward proxy is a computer or an application that intercepts user requests from the
internal secure network and processes the requests on behalf of the user
• A reverse proxy routes requests coming from an external network to the correct internal
server
• A proxy server can provide a degree of protection
• It can look for malware by intercepting it before it reaches the internal endpoint
• It can hide the IP address of endpoints inside the secure network so that only the proxy
server’s IP address is used on the open Internet
Proxy Servers (2 of 2)
Deception Instruments (1 of 3)
Deception Instruments (2 of 3)
Deception Instruments (3 of 3)
• Honeypots (continued)
• Different types of honeypots:
• A low-interaction honeypot may only contain a login prompt
• A high-interaction honeypot is designed for capturing more information from the
threat actor
• This type of honeypot can collect information from threat actors about attack
techniques or the particular information they are seeking from the organization
• A honeynet is a network of honeypots set up with intentional vulnerabilities
• Sinkholes
• A sinkhole is a “bottomless pit” designed to steer unwanted traffic away from its
intended destination to another device
• The goal is to deceive the threat actor into thinking the attack was successful
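One common form of sinkhole is a DNS sinkhole: names known to belong to attacker infrastructure are answered with the address of a sinkhole device, so the victim's traffic goes there instead of to the real destination, and every host that asked is recorded. The following is an added example, not from the textbook; the blocklist, the sinkhole address and the stand-in upstream answers are all constructed.

```python
from collections import defaultdict

# Constructed for the example: a tiny blocklist, the sinkhole listener's address,
# and a dictionary standing in for real upstream DNS resolution.
SINKHOLE_IP = "10.99.99.99"
BLOCKLIST = {"c2.bad-example.test", "update.evil-example.test"}
UPSTREAM = {"www.example.com": "203.0.113.20", "mail.example.com": "203.0.113.21"}


class DnsSinkhole:
    """Answer blocklisted names (and anything beneath them) with the sinkhole address.

    Because no legitimate host should ever look up a command-and-control name,
    each query is itself an indicator: the sinkhole doubles as an infected-host finder.
    """

    def __init__(self, blocklist, sinkhole_ip, upstream):
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream
        self.hits = defaultdict(list)  # client_ip -> names it tried to resolve

    @staticmethod
    def _normalize(name):
        return name.lower().rstrip(".")

    def is_blocked(self, name):
        """True if the name or any parent domain is listed. beacon.c2.bad-example.test
        is caught by the c2.bad-example.test entry; bad-example.test alone is not."""
        labels = self._normalize(name).split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, client_ip, name):
        """Return the address handed to the client; None stands for NXDOMAIN."""
        name = self._normalize(name)
        if self.is_blocked(name):
            self.hits[client_ip].append(name)
            return self.sinkhole_ip
        return self.upstream.get(name)

    def infected_hosts(self):
        """Clients that asked for a sinkholed name, with the names they asked for."""
        return {ip: sorted(set(names)) for ip, names in self.hits.items()}


def demo():
    sink = DnsSinkhole(BLOCKLIST, SINKHOLE_IP, UPSTREAM)
    answers = [
        sink.resolve("10.0.0.5", "beacon.c2.bad-example.test"),  # malware beacon
        sink.resolve("10.0.0.6", "www.example.com"),             # ordinary lookup
        sink.resolve("10.0.0.5", "C2.BAD-EXAMPLE.TEST."),        # case/trailing-dot variant
        sink.resolve("10.0.0.7", "bad-example.test"),            # parent of a listed name
    ]
    return answers, sink.infected_hosts()


if __name__ == "__main__":
    answers, infected = demo()
    print("answers:", answers)
    print("hosts to investigate:", infected)
```

The beacon and its case variant are steered to the sinkhole, the ordinary lookup resolves normally, and the parent domain is not blocked because the list entry is a subdomain of it. The `infected_hosts()` output is what an analyst would actually act on.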
Intrusion Detection and Prevention Systems (1 of 3)
• An intrusion detection system (IDS) can detect an attack as it occurs
• An intrusion prevention system (IPS) attempts to block the attack
• An inline system is connected directly in the traffic path and inspects the flow of data as it occurs
• A passive system is connected to a port on a switch, which receives a copy of network
traffic
• An IDS can be managed in different ways:
• In-band management is through the network itself by using network protocols and tools
• Out-of-band management is using an independent and dedicated channel to reach the
device
Intrusion Detection and Prevention Systems (2 of 3)
• Monitoring Methodologies
• Anomaly-based monitoring compares currently observed behavior with a baseline
• Signature-based monitoring looks for well-known attack signature patterns
• Behavior-based monitoring detects abnormal actions by processes or programs
• Alerts the user, who decides whether to allow or block the activity
• Heuristic monitoring uses experience-based techniques
• Attempts to answer the question “Will this do something harmful if it is allowed to
execute?”
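The signature-based and anomaly-based approaches catch different things, which is why they are deployed together. The following is an added example, not from the textbook: a signature matcher and a simple anomaly detector run over constructed web-server log lines. The log format, the signatures, the baseline data and the 3-sigma threshold are all assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Combined-log-format parser (Apache/nginx style). Lines that do not parse are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature-based: patterns of known attacks. They are applied to the URL-decoded
# path so that %27 / %20 encoding cannot hide a payload from the match.
SIGNATURES = {
    "sqli_tautology": re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    "path_traversal": re.compile(r"\.\./|/etc/passwd"),
    "cmd_injection": re.compile(r"[;|`]\s*(cat|wget|curl|nc)\b"),
}


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def signature_scan(lines):
    """Return (ip, signature_name, decoded_path) for every line matching a signature."""
    hits = []
    for rec in parse(lines):
        decoded = unquote(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((rec["ip"], name, decoded))
    return hits


def anomaly_scan(baseline_lines, current_lines, k=3.0):
    """Anomaly-based: learn requests-per-source from a baseline window, then flag any
    source in the current window whose request count exceeds mean + k * stdev."""
    base_counts = Counter(rec["ip"] for rec in parse(baseline_lines))
    mean = statistics.mean(base_counts.values())
    stdev = statistics.pstdev(base_counts.values())
    threshold = mean + k * stdev
    cur_counts = Counter(rec["ip"] for rec in parse(current_lines))
    return [(ip, n, threshold) for ip, n in cur_counts.items() if n > threshold]


def synth(ip, n, path="/index.html"):
    """Constructed, benign-looking log lines for one source."""
    return [f'{ip} - - [10/Oct/2023:13:55:{i % 60:02d} +0000] "GET {path} HTTP/1.1" 200 512'
            for i in range(n)]


# Constructed data: four ordinary hosts during a quiet baseline window ...
BASELINE = (synth("10.0.0.11", 4) + synth("10.0.0.12", 5)
            + synth("10.0.0.13", 6) + synth("10.0.0.14", 5))
# ... and a monitored window with one noisy source and one quiet, targeted attacker.
CURRENT = synth("10.0.0.11", 5) + synth("198.51.100.7", 20, "/search?q=test") + [
    '203.0.113.9 - - [10/Oct/2023:14:01:02 +0000] "GET /login.php?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 233',
    '203.0.113.9 - - [10/Oct/2023:14:01:09 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 0',
    "this line is not a valid log record and is skipped by the parser",
]

if __name__ == "__main__":
    for hit in signature_scan(CURRENT):
        print("signature:", hit)
    for flag in anomaly_scan(BASELINE, CURRENT):
        print("anomaly:", flag)
```

The two requests from 203.0.113.9 trip signatures but are far too few to look anomalous, while 198.51.100.7 sends nothing a signature recognises yet stands out by volume. Neither method alone sees both attackers.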
Intrusion Detection and Prevention Systems (3 of 3)
• A network intrusion detection system (NIDS) watches for attacks on the network
• NIDS sensors installed on firewalls and routers gather information and report back to a
central device
• A network intrusion prevention system (NIPS) monitors to detect malicious activities and
also attempts to stop them
Network Hardware Security Modules
Configuration Management
Knowledge Check Activity 1
Which of the following network security devices is a computer that is purposely located in an
area with limited security to attract threat actors?
a. Forward proxy
b. Honeypot
c. Inline system
d. Behavior monitor
Knowledge Check Activity 1: Answer
Which of the following network security devices is a computer that is purposely located in an
area with limited security to attract threat actors?
Answer: b. Honeypot
A honeypot is a computer located in an area with limited security that serves as
“bait” to threat actors. Its purpose is to deflect and discover threats.
Security Technologies
Access Technologies (1 of 7)
Access Technologies (2 of 7)
Access Technologies (3 of 7)
Access Technologies (4 of 7)
Access Technologies (5 of 7)
Access Technologies (6 of 7)
Access Technologies (7 of 7)
Technologies for Monitoring and Managing (1 of 6)
• Port Security
• Threat actors who access a network device through an unprotected port can reconfigure
the device to their advantage
• Route security concerns whether the routing information a router acts on can be trusted
• False route information can be injected or altered by an attacker if port security is weak
• Broadcast storm prevention can be accomplished by loop prevention
• Loop prevention uses the IEEE 802.1D standard spanning-tree protocol (STP)
• STP uses an algorithm that creates a hierarchical tree layout that spans the entire
network and blocks redundant links so that frames cannot circulate endlessly
Technologies for Monitoring and Managing (2 of 6)
Technologies for Monitoring and Managing (3 of 6)
Technologies for Monitoring and Managing (4 of 6)
Technologies for Monitoring and Managing (5 of 6)
Technologies for Monitoring and Managing (6 of 6)
Design Technologies (1 of 7)
• Network Segmentation
• Examples of network segmentation include virtual LANs and a demilitarized zone
• Zero trust is a strategic security initiative designed to prevent successful attacks by
removing implicit trust from the network
• It eliminates the assumption that anything inside the network perimeter can be trusted;
every request is verified regardless of where it originates
• Zero trust requires that networks be segmented
• A network can be segmented by separating devices into logical groups by creating a
virtual LAN (VLAN)
• VLANs can be isolated so that sensitive data is transported only to members of the
VLAN
Design Technologies (2 of 7)
Design Technologies (3 of 7)
Design Technologies (4 of 7)
Design Technologies (5 of 7)
• Load Balancing
• Load balancing is a technology that can help to evenly distribute work across a network
and can allocate requests among multiple devices
• Advantages of load-balancing technology:
• Reduces probability of overloading a single server
• Makes better use of available server and network bandwidth
• Load balancing is achieved through software or a hardware device (load balancer)
• Different scheduling algorithms are used in load balancers:
• Round-robin
• Affinity
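Round-robin and affinity scheduling trade off evenness of load against keeping a client on one server, which matters whenever the server holds session state. The following is an added example, not from the textbook: both schedulers implemented in Python and run over constructed traffic. The server pool, the hashing scheme used for affinity, and the request sequence are assumptions for the illustration.

```python
import hashlib
from collections import Counter
from itertools import cycle

SERVERS = ["web1", "web2", "web3"]  # constructed back-end pool


class RoundRobin:
    """Round-robin: hand each new request to the next server in turn, regardless of client."""

    def __init__(self, servers):
        self._next = cycle(servers)

    def pick(self, client_ip):
        return next(self._next)


class SourceAffinity:
    """Affinity (sticky) scheduling: hash the client address so the same client keeps
    landing on the same server for as long as the pool is unchanged."""

    def __init__(self, servers):
        self.servers = list(servers)

    def pick(self, client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self.servers[int.from_bytes(digest[:8], "big") % len(self.servers)]


def simulate(scheduler, requests):
    """Return (requests per server, number of clients that were split across servers)."""
    load = Counter()
    seen = {}  # client -> set of servers it was sent to
    for client in requests:
        server = scheduler.pick(client)
        load[server] += 1
        seen.setdefault(client, set()).add(server)
    split_clients = sum(1 for servers in seen.values() if len(servers) > 1)
    return load, split_clients


# Constructed traffic: three clients sending interleaved requests.
REQUESTS = ["10.0.0.5", "10.0.0.6", "10.0.0.5", "10.0.0.7", "10.0.0.6", "10.0.0.5"] * 2

if __name__ == "__main__":
    for name, sched in (("round-robin", RoundRobin(SERVERS)),
                        ("affinity", SourceAffinity(SERVERS))):
        load, split = simulate(sched, REQUESTS)
        print(f"{name:12s} load={dict(load)} clients split across servers={split}")
```

Round-robin distributes the twelve requests exactly evenly (four per server) but sends one client to more than one server, so any server-side session for that client is lost. Affinity never splits a client, at the price of load that follows the hash of the client population rather than the request count; a large population behind one NAT address all lands on the same server.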
Design Technologies (6 of 7)
Design Technologies (7 of 7)
Knowledge Check Activity 2
What type of access technology routes some traffic over a secure VPN while other traffic
accesses the Internet directly without going through the VPN?
a. Split tunnel
b. Site-to-site VPN
c. Router ACL
d. Full tunnel
Knowledge Check Activity 2: Answer
What type of access technology routes some traffic over a secure VPN while other traffic
accesses the Internet directly without going through the VPN?
Answer: a. Split tunnel
A split tunnel routes only some traffic over the secure VPN while other traffic directly
accesses the Internet (this helps preserve bandwidth).
Self-Assessment
Consider the network security appliances and technologies you have studied in
this module. Based on what you know now, if you could pick only one network
security appliance and one security technology you could deploy on a network
you were managing, which would they be and why?
Summary (1 of 2)
Summary (2 of 2)
• A network hardware security module is a special trusted network computer that performs
cryptographic operations such as key management, key exchange, onboard random
number generation, key storage facility, and symmetric and asymmetric encryption
• An access control list (ACL) contains rules that administer the availability of digital assets by
granting or denying access to the assets
• Network access control (NAC) examines the current state of an endpoint before it can
connect to the network
• Data loss prevention (DLP) is a system of security tools used to recognize and identify data
critical to the organization and ensure that it is protected
• Broadcast storm prevention can be accomplished by loop prevention, which uses the IEEE
802.1D standard spanning-tree protocol (STP)