security+ all-in-one edition chapter 8 – infrastructure security brian e. brzezicki
![Page 1: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/1.jpg)
Security+All-In-One Edition
Chapter 8 – Infrastructure Security
Brian E. Brzezicki
![Page 2: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/2.jpg)
WARNING!ALOT of the material in these slides and in this
lecture is NOT in the book. This book does a good job of presenting most of the material needed for the security+ exam. However the info in chapter 8 is a little thin… so play close note to the slides. Perhaps I provide a little too much depth for the security+ exam… but it’s well worth doing the extra learning… especially if you want to take the CISSP or really understand networks and network security concepts to be USEFUL in real life!
![Page 3: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/3.jpg)
Infrastructure Security
Infrastructure security is concerned with providing security for the entire network infrastructure. Infrastructure security is concerned with providing availability to authorized users, ensuring no one is allowed to access resources in an unauthorized manner, and ensuring that the network integrity is maintained. That is Infrastructure security is concerned with the entire CIA triad.
![Page 4: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/4.jpg)
Devices on the Network
![Page 5: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/5.jpg)
Workstations
![Page 6: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/6.jpg)
Workstations (202)
Often overlooked in security, workstations are a very attractive target for hackers. Often IT staff spend time securing servers and don’t realize the dangers their unprotected workstations are.
(more)
![Page 7: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/7.jpg)
Workstations (202)
Workstations are often “low hanging fruit” manned by end users who are themselves are a security risk. Once a workstation is infiltrated an attacker may have access to data directly, via the authorized users on the system, and that workstation can be used as an attack point into the network.
Workstation security is CRITICAL to the “holistic” network health and security.
![Page 8: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/8.jpg)
Workstation Security Best Practices (basic hardening) (203)
Physical• Physically restrict access to workstation• Use locking devices to ensure computer cannot be
opened, or be stolen (whether in whole or in part)• Set a BIOS password• Do not allow booting from removable media / or
allow altering of the boot order• Remove removable media attachments if possible• Use an encrypted file system (efs) or disk
encryption technology (Bit Locker) if possible
(more)
![Page 9: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/9.jpg)
Workstation Security Best Practices (basic hardening) (203)
Basic Account hardening
• Rename the administrator account, set a strong password
• Disable un-needed accounts
• Set strong password policies
(more)
![Page 10: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/10.jpg)
Workstation Security Best Practices (basic hardening) (203)
Basic software hardening and maintenance• Shutdown services that are not needed• Remove software that is not needed• Use a standard workstation image for consistent
installs and configuration• Keep the OS and applications patched!• Install anti-virus and anti-spyware on the workstation,
keep it auto-updated *• Install host based firewall tools and tcp-wrappers.
(more)
![Page 11: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/11.jpg)
Workstation Security Best Practices (basic hardening) (203)
Basic System Network Hardening
• Remove un-necessary protocols such as NetBIOS or IPX/SPX
• Remove any file/printer shares (generally workstations should not share files)
• Use a host based firewall
• Use host based IDS if possible
• Remove workstation remote access (ex. Modems… remote desktop etc)
![Page 12: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/12.jpg)
Workstation Hardening
Please note the last few slides showed only the BASIC/minimum levels of workstation hardening. These are much more specific details you should be concerned with in real life. However the last few slides provide the info the security+ exam is conserned with and also provide a solid base from which you can expand to protect your workstations.
![Page 13: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/13.jpg)
Servers
![Page 14: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/14.jpg)
Servers (204)Ok everyone understand that you need to protect servers right?
With servers• Follow best practices of securing workstations• Identify which servers need to run which services (web,
email, file sharing)• Try to ensure only one server runs one specific service and
that service and OS is configured for maximum security• Set network service daemons to run as non-privileged users• Set strict permissions on network resources• Disable or completely remove if possible all NON essential
services
(more)
![Page 15: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/15.jpg)
Servers (204)• If you cannot have a dedicated machine for each
specific service, consider using virtualization. (use virtualization even if you have multiple servers)
• As an Administrator UNDERSTAND which processes are required for the OS and service. Try to ensure only those processes are running and be weary if you see other processes running
• Once installed run tripwire or other checksum software to indentify and verify that critical files don’t “change” (why is this important, what could it mean?)
(more)
![Page 16: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/16.jpg)
Servers (204)• On Internet access servers (mail servers,
web proxies etc) ensure that you have anti-virus and malware protection on the incoming data streams, even if your workstations have anti-virus. If possible use a different anti-virus product/engine then you use on your workstations.– Layered security / defense in depth– Diversity of defense
(more)
![Page 17: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/17.jpg)
Servers (204)• Run a host based IDS on your servers
• Periodically do vulnerability assessments on your servers
• Periodically verify software and configuration files have not changed and no new services have been run. Use version control if possible on configuration files.
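A worked example of the checksum idea from the tripwire and "verify files have not changed" bullets, added here (it is not from the slides or the book): a small Python baseline-and-compare script in the style of Tripwire. The file names and contents are constructed in a temporary directory, not taken from any real server.

```python
"""Minimal file-integrity check: build a baseline of SHA-256 digests (plus
size and mode) for a set of critical files, then compare a later run against
it and report anything changed or missing.  Paths below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, names) -> dict:
    """Record digest, size and permission bits for each monitored file."""
    baseline = {}
    for name in names:
        p = root / name
        st = p.stat()
        baseline[name] = {"sha256": sha256_of(p), "size": st.st_size,
                          "mode": oct(st.st_mode & 0o777)}
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Return {'changed': [...], 'missing': [...]} relative to the baseline.
    A change you made (a patch) is expected; an unexplained change to a
    binary or config file is exactly the signal the slide asks about."""
    report = {"changed": [], "missing": []}
    for name, rec in baseline.items():
        p = root / name
        if not p.exists():
            report["missing"].append(name)
            continue
        st = p.stat()
        if (sha256_of(p) != rec["sha256"] or st.st_size != rec["size"]
                or oct(st.st_mode & 0o777) != rec["mode"]):
            report["changed"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: two 'critical' files are baselined, then one is
    tampered with and the other deleted.  Returns the comparison report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "login").write_bytes(b"\x7fELF original binary\n")
        baseline = build_baseline(root, ["sshd_config", "login"])
        # In practice keep the baseline where the server cannot rewrite it
        # (read-only media or another host); here it just round-trips JSON.
        saved = json.loads(json.dumps(baseline))
        (root / "login").write_bytes(b"\x7fELF trojaned binary\n")
        (root / "sshd_config").unlink()
        return compare(root, saved)


if __name__ == "__main__":
    print(demo())
```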
![Page 18: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/18.jpg)
Virtualization (n/b)Virtualization is KEY to network security, availability
and maintenance/ease of operation.
(see next slide)
Can anyone describe to me what virtualization is?
What does it allow you to accomplish
How does it make your life as an admin easier
How does it increase availability
How does it allow you to make servers more modular?
How does it increase security and integrity?
![Page 19: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/19.jpg)
Virtualization
![Page 20: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/20.jpg)
Virtualization migration
![Page 21: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/21.jpg)
OSI Model
Oh no…
![Page 22: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/22.jpg)
OSI (n/b)
![Page 23: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/23.jpg)
OSI (n/b)Before we talk about network equipment we need to
discuss the OSI framework briefly.
The OSI is a model of how network communications should be broken down into functional “tasks”. Each layer performs one task. It provides “services” to the layer above it, and uses services from the layer below it.
The OSI model is broken down into 7 levels (layers) which we will discuss.
![Page 24: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/24.jpg)
OSI model – layer 1 physical (n/b)• Layer 1 Physical – simply put is concerned
with physically sending electric signals over a medium. Is concerned with – specific cabling, – voltages and – Timings
• This level actually sends data as electrical signals that other equipment using the same “physical” medium understand – ex. Ethernet
![Page 25: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/25.jpg)
OSI model – layer 2 data link (n/b)• Layer 2 Data Link – data link goes hand in hand with
physical layer. The data link level actually defines the format of how data “Frames”* will be sent over the physical medium, so that two network cards of the same network type will actually be able to communicate. These frames are sent to the “physical” level to actually be turned into the electronic signals that are sent over a specific network. (layer 2 uses the services of layer 1)
• Two network cards on the same LAN communicate at the data link layer.
![Page 26: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/26.jpg)
OSI model – layer 3 network (n/b)
Layer 3 Network – Layer 3 is concerned with network addressing and specifically moving packets between networks in an optimal manner (routing). Some Layer 3 network protocols are– IP– IPX/SPX– Apple Talk
![Page 27: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/27.jpg)
OSI model Layer 4 Transport (n/b)• OSI Layer 4 Transport – Provides “end-to-
end” data transport services and establishes a logical connection between 2 computers systems”
• Virtual connection between “COMPUTERS”
![Page 28: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/28.jpg)
OSI Model Layer 5 Session (n/b)• OSI Layer 5 Session – responsible for
establishing a connection between two APPLICATIONS! (either on the same computer or two different computers)
• Create connection
• Transfer data
• Release connection
![Page 29: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/29.jpg)
OSI model Layer 6 – Presentation (n/b)
• OSI Layer 6 – present the data in a format that all computers can understand– Concerned with encryption, compression and formatting
Example: big endian vs. little endianDecimal 10 is written in binary as 1010However some computers read binary left to right and
some read it right to left1010 != 0101 1010 = 10, 0101 = 5So all computers on a network must agree what
format to represent binary data in (left to right, or right to left) (note this is not “truly” what big endian means… but it’s easier to explain it this way ;)
![Page 30: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/30.jpg)
OSI model Layer 7 – Application (n/b)
• This defines a protocol (way of sending data) that two different programs or protocols understand. – HTTP– SMTP– DNS
• This is the layer that most software uses to talk with other software.
![Page 31: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/31.jpg)
OSI vs. TCP/IP model
![Page 32: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/32.jpg)
TCP/IP model
• Network Access = OSI layers 1 & 2, defines LAN communication, what do I mean by that?
• Network = OSI layer 3 – defines addressing and routing
• Transport/Host to Host = OSI layer 4, 5 – defines a communication session between two applications on one or two hosts
• Application = OSI layers 6,7 the application data that is being sent across a network
![Page 33: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/33.jpg)
Network Access
• Maps to Layer 1 and 2 of the OSI model
• The Level that a Network Interface Card Works on
• Source and Destination MAC addresses are used defining communications endpoints
• Protocols include– Ethernet– Token Ring– FDDI
![Page 34: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/34.jpg)
Network Layer
• Maps to layer 3 of the OSI model
• Concerned with moving data from one LAN (network) to another.
• Breaks data into packets
• Source and Destination endpoints are defined by IP Addresses
• Protocols is IP
(IP addresses next slide)
![Page 35: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/35.jpg)
IP addressesIP addresses which in IPv4 have the form 0-255 . 0-255 . 0-255 . 0-255Example: 130.85.1.4
There are a few ranges of IPs that are considered “private”
10.x.x.x192.168.x.x172.16.x.x – 172.31.x.xWhat does it mean to be a private address?
![Page 36: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/36.jpg)
Transport / (Host to Host)
• Maps to layer 4 and 5 of the OSI model
• Concerned with establishing sessions between two applications
• Source and destination endpoints are defined by port numbers
• The two transport protocols in TCP/IP are TCP and UDP
(TCP and UDP next)
![Page 37: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/37.jpg)
TCP (n/b)Connection oriented “guaranteed” delivery.
Advantages– Easier to program with– Truly implements a “session”– Adds security
Disadvantages– More overhead / slower
![Page 38: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/38.jpg)
UDP (n/b)Connectionless, non-guaranteed delivery (best
effort)Advantages
– Fast / low overhead
Disadvantages– Harder to program with– No true sessions– Less security– A pain to firewall (due to no connections)
![Page 39: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/39.jpg)
Application Layer
• Maps to layer 7 of the OSI model
• The actual protocol/language that the application uses
Examples– HTTP– SMTP– DNS
![Page 40: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/40.jpg)
Network Equipment
The network is the backbone of a company, as such it’s pretty important you understand some of the critical network equipment and concepts.
![Page 41: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/41.jpg)
Network Interface Cards
![Page 42: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/42.jpg)
Network Interface Cards (205)Network Interface Cards are used to connect a
computer to a LAN. NICS work on the physical and data link layer of the OSI model.
• A NIC is the physical connection to the network.
• NICS only understand how to package and move data between two computers on the same LAN.
• NICS use MAC addresses… they don’t understand IP addresses.
![Page 43: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/43.jpg)
MAC addresses (206)A layer 2 (Data link) address. It's how NICs
communicate• Consists of 6 “2 hex digit” characters
– Example:
00:1A:4D:56:02:5E• A portion of the MAC address space is assigned to
NIC vendors• NICS communicate directly with MAC addresses,
the OS maps IP addresses to MAC addresses with ARP.
(more)
![Page 44: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/44.jpg)
A quick discussion on IPs (n/b)• Every computer on an IP network has at
least 1 IP address• Every NIC port has 1 MAC address• Any IP address can be spread across
multiple NICs (for performance)So every computer has at least 1 IP address
and every IP address corresponds to at least one MAC address.
ALL network traffic will designate both an IP address and a MAC address!
![Page 45: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/45.jpg)
IPs and MACs
![Page 46: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/46.jpg)
MAC address security (n/b)• ARP - Operating systems and applications
use IP addresses, but the network cards use MAC addresses. ARP is a protocol to translate IP addresses into MAC addresses.
• ARP poisoning is an attack against a network, where one computer send fake ARP replies, in the attempt to trick another computer on the same network to communicate with it instead of the real machine. This can be used as a man in the middle attack, or a straight “hijacking” attack.
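The defender's view of the ARP poisoning described above, as an added example (not from the slides or the book): a tiny arpwatch-style monitor that remembers the first MAC seen for each IP and alerts when a later ARP reply binds that IP to a different MAC. The ARP reply records are constructed, not captured from a real network.

```python
"""Small ARP monitor: feed it (ip, mac) pairs taken from ARP replies and it
flags the two things a poisoning attempt produces on the wire: an IP whose
MAC suddenly changes, and a single MAC answering for several IPs."""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Validate the 6 x '2 hex digit' form from the slide and lower-case it."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac}")
    return mac.lower()


class ArpMonitor:
    def __init__(self):
        self.bindings = {}                    # ip -> MAC learned first
        self.ips_per_mac = defaultdict(set)   # MAC -> set of IPs it claimed

    def observe(self, ip: str, mac: str) -> list:
        """Record one ARP reply; return a list of alert strings (maybe empty)."""
        mac = normalize_mac(mac)
        alerts = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alerts.append(f"ARP change: {ip} was {known}, now claimed by {mac}")
        self.ips_per_mac[mac].add(ip)
        # One NIC answering for several IPs is normal only for routers and
        # hosts with aliases; otherwise it suggests the MAC is posing as others.
        if len(self.ips_per_mac[mac]) > 1:
            alerts.append(f"{mac} now answers for {sorted(self.ips_per_mac[mac])}")
        return alerts


# Constructed ARP reply stream, "sender_ip sender_mac" per line.  The third
# line is what a poisoning attempt against the gateway 192.168.1.1 looks like.
SAMPLE_REPLIES = """\
192.168.1.1 00:1A:4D:56:02:5E
192.168.1.100 00:1A:4D:77:10:AB
192.168.1.1 00:1A:4D:77:10:AB
192.168.1.14 00:1A:4D:91:33:C0
"""


def run(replies: str = SAMPLE_REPLIES) -> list:
    """Replay a reply stream through the monitor and collect every alert."""
    mon = ArpMonitor()
    alerts = []
    for line in replies.splitlines():
        if line.strip():
            ip, mac = line.split()
            alerts.extend(mon.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for a in run():
        print("ALERT:", a)
```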
![Page 47: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/47.jpg)
Next a bit about Network Traffic Types (n/b)
• Unicast – network traffic sent from one specific computer to another specific computer.
• Broadcast – network traffic sent to ALL computers on a network
• Multicast – network traffic sent to a specific group of computers on a network
(see visualization next slide)
![Page 48: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/48.jpg)
Unicast, Broadcast and Multicast
![Page 49: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/49.jpg)
Hub (206)
![Page 50: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/50.jpg)
Hub (206)An OSI layer 1 (physical layer) device. Simply sends
and electrical signal received down all ports.
• Hubs are unintelligent• All computers connected to the hub receive the
signal (so it’s easy to see other peoples network traffic)
• Everyone shares the network for speaking, only one at a time. If two nodes try to speak at the same time that is called a collision.
• All computers connected to a hub are in the same collision domain.
![Page 51: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/51.jpg)
Bridge (206)
A bridge connects two segments of the SAME LAN together. However a bridge has some interesting features
• It is intelligent, it learns which MAC addresses are on each side of the bridge and uses that to determine how to send traffic
• A bridge isolates traffic to each side of the bridge and only forwards it across the bridge if necessary (good for security and performance) See next 3 slides
![Page 52: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/52.jpg)
Bridge (206)
A bridge learns which computers (MAC addresses) are on each side of the bridge) It will forward traffic across the bridge if necessary.
![Page 53: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/53.jpg)
Bridge (206)
A bridge will only forward traffic across the bridge IF and ONLY IF, a computer on one side of the bridge is trying to communicate with a computer on the other side of the bridge.
![Page 54: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/54.jpg)
Bridge (206)
A bridge can optimize performance, by allowing two conversations to occur (one on each side of the bridge).
A and B can communicate at the SAME time C and D communicate
![Page 55: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/55.jpg)
Bridge (206)
Bridges will forward all broadcasts. Bridges will also forward traffic if doesn’t know which side the destination address is.
![Page 56: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/56.jpg)
Bridge Overview (n/b)
A bridge separates segments into two or more collision domains. However it still remains one broadcast domain.
A bridge builds a table of MAC addresses known for each port
A bridge increases performance and security
A bridge is a layer 2 (data link device)
A bridge can be used to mix different LAN technologies (ex. a wireless AP is a bridge)
![Page 57: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/57.jpg)
Switches
![Page 58: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/58.jpg)
Switch (206)A network Switch is just a multi-port bridge. Switches
will often have 24 or more ports, and learns which MAC addresses are on which ports.
• Works at layer 2 (data link)• On a switch a computer can send data AND receive
data at the same time (full duplex… increasing performance by up to 2x)
• On a switch each port is it’s own collision domain, and will not have a collision, therefore allowing line speed communication on each port
(more)
![Page 59: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/59.jpg)
Switch (206)• A switch only sends traffic from the sending
computer to the receiving computer, therefore stops sniffing (watch for MAC flooding attacks though)
• Since switches inspect the MAC address on all traffic, a switch can be programmed to only allow certain MAC addresses to communicate, and ignore other MAC addresses.
![Page 60: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/60.jpg)
Switch (206)
Multiple conversations can occur on a switch at the same time!
![Page 61: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/61.jpg)
Switch Specific Attacks (n/b)Mac Flooding – Putting out tons of packets with
different MAC addresses in the attempts to overfill the switches MAC tables. If this happens a switch might simply drop into “hub mode” and start simply sending traffic down each port.
(see visualization next slide)
![Page 62: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/62.jpg)
MAC flooding (n/b)
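To make the bridge/switch slides (learning which MAC is on which port, flooding unknown destinations) and the MAC flooding slide concrete, here is a simulation added as an example (it is not from the slides or the book): a Python learning switch with a bounded MAC table that degrades to "hub mode" when full, beside the per-port MAC limit (port security, the "only allow certain MAC addresses" idea from the switch slide) that stops it. Port numbers, table size and MAC addresses are constructed.

```python
"""Simulated learning switch.  Known unicast goes to one port, broadcasts and
unknown destinations are flooded to every other port, and the MAC table has a
fixed size.  Once the table is full, new hosts can no longer be learned, so
traffic to them is flooded like a hub would: that is what MAC flooding
exploits.  max_macs_per_port models port security and shuts a port that
sources too many MACs.  Everything here is constructed for illustration."""
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports: int, table_size: int = 8,
                 max_macs_per_port: Optional[int] = None):
        self.ports = ports
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port
        self.mac_table = {}       # mac -> port
        self.disabled = set()     # ports shut down by port security
        self.hub_mode_events = 0  # unicast frames flooded because table was full

    def _macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.mac_table.values() if p == port)

    def _learn(self, mac: str, in_port: int) -> None:
        if mac in self.mac_table:
            self.mac_table[mac] = in_port          # host may have moved ports
            return
        limit = self.max_macs_per_port
        if limit is not None and self._macs_on_port(in_port) >= limit:
            self.disabled.add(in_port)              # port security violation
            return
        if len(self.mac_table) >= self.table_size:
            return                                  # table full: cannot learn
        self.mac_table[mac] = in_port

    def handle(self, in_port: int, src: str, dst: str) -> list:
        """Process one frame; return the list of ports it is sent out of."""
        if in_port in self.disabled:
            return []
        self._learn(src, in_port)
        if in_port in self.disabled:                # this frame tripped port security
            return []
        others = [p for p in range(self.ports)
                  if p != in_port and p not in self.disabled]
        if dst == BROADCAST:
            return others
        out = self.mac_table.get(dst)
        if out is None:
            if len(self.mac_table) >= self.table_size:
                self.hub_mode_events += 1           # flooding caused by a full table
            return others
        return [] if out == in_port else [out]


def mac(n: int) -> str:
    """Constructed locally-administered MAC address for host number n."""
    return "02:00:00:00:%02x:%02x" % (n >> 8, n & 0xFF)


def flood_scenario(port_security: bool) -> dict:
    """Port 0 sources 20 bogus MACs.  Without port security the table fills and
    a later unicast from port 1 to port 2 is flooded; with a limit of 2 MACs
    per port, port 0 is shut and the unicast stays on its own port."""
    sw = Switch(ports=4, table_size=8,
                max_macs_per_port=2 if port_security else None)
    for n in range(100, 120):
        sw.handle(0, mac(n), BROADCAST)
    sw.handle(1, mac(1), BROADCAST)           # host A on port 1 announces itself
    sw.handle(2, mac(2), BROADCAST)           # host B on port 2 announces itself
    ports = sw.handle(1, mac(1), mac(2))      # A -> B unicast
    return {"out_ports": ports, "disabled": sorted(sw.disabled),
            "table_entries": len(sw.mac_table),
            "hub_mode_events": sw.hub_mode_events}


if __name__ == "__main__":
    print("no port security:", flood_scenario(False))
    print("port security:   ", flood_scenario(True))
```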
![Page 63: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/63.jpg)
Switch Security (207)Switches are intelligent devices with memory, CPU
and an firmware/Operating System. As such switches can be attacked/hacked.
Best Practices• Switches should have their firmware/OS updated to
proper levels at all times• Switches should be managed from a serial console
whenever possible• If using a network management interface, ensure
encryption and proper authentication practices.• If possible restrict network management to
“management network IP addresses”
![Page 64: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/64.jpg)
Hubs Bridges and Switches (n/b)
An important concept… all computers connected via Hubs, Bridges and switches are in the same broadcast domain and these computers form a LAN. They SHOULD be on the same IP network. (see slide)
192.168.1.4 / 255.255.255.0
192.168.1.100 / 255.255.255.0
192.168.1. 14 / 255.255.255.0
![Page 65: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/65.jpg)
LAN (n/b)
All these computers are on the same LAN, and logical IP network. All are in the same broadcast domain.
![Page 66: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/66.jpg)
VLANs (207)A VLAN is the concept of creating multiple broadcast
domains (LANs) on a single switch
• Why would it be used?• Do you still have to route between VLANS?*• Two different VLAN protocols• 802.1Q*, or Cisco ISL* for trunking between
switches• Use VLANS for convenience and for creating
network security zones. One use is to create “dead” or “restricted” networks unless authentication is done via 802.1x
![Page 67: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/67.jpg)
VLAN
![Page 68: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/68.jpg)
Routers (208)Can anyone define what a router does (in
layman's terms) without using the word route?
(answers next slide)
![Page 69: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/69.jpg)
Routers (208)Routers connect different networks (LANS) and allow
these LANs to communicate with each other. They allow traffic to leave a local network and help direct the best path to get to the destination network.
• Layer 3 (network) devices• Look at IP addresses NOT MAC addresses• Routers do NOT forward broadcasts, as such they
create different broadcasts domains!• Can statically determine routes, or dynamically• Can apply access control lists to allow or deny
certain types of traffic (firewall)
see visualization next page
![Page 70: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/70.jpg)
Router (208)
Routers create separate LAN networks. These networks will have different IP ranges
192.168.1.0 / 255.255.255.0 10.1.2.0 / 255.255.255.0
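An added example (not from the slides or the book) tying together the IP addresses slide (private ranges) and the LAN versus router slides: Python helpers that compute the network address from an IP and subnet mask with plain integer arithmetic, decide whether two hosts share a network (switch territory) or need a router, and test an address against the three private ranges listed earlier. The hosts used are the ones from the slides plus 130.85.1.4.

```python
"""IPv4 helpers done by hand so the mask arithmetic is visible: network
address = IP AND mask; two hosts are on one IP network when those agree."""


def ip_to_int(dotted: str) -> int:
    """'192.168.1.4' -> 32-bit integer; rejects anything not a valid quad."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {dotted}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(ip: str, mask: str) -> str:
    """e.g. network_of('192.168.1.4', '255.255.255.0') == '192.168.1.0'"""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts are on one IP network and can talk at layer 2."""
    return network_of(ip_a, mask) == network_of(ip_b, mask)


# The private ranges from the IP addresses slide, written as network/mask.
PRIVATE_RANGES = (
    ("10.0.0.0", "255.0.0.0"),        # 10.x.x.x
    ("172.16.0.0", "255.240.0.0"),    # 172.16.x.x - 172.31.x.x
    ("192.168.0.0", "255.255.0.0"),   # 192.168.x.x
)


def is_private(ip: str) -> bool:
    """Private addresses are not routed on the public Internet, so a packet
    arriving from outside with such a source address is spoofed or misrouted."""
    return any(network_of(ip, mask) == net for net, mask in PRIVATE_RANGES)


def classify_pair(ip_a: str, ip_b: str, mask: str) -> str:
    if same_network(ip_a, ip_b, mask):
        return "same LAN (switch)"
    return "different networks (router)"


if __name__ == "__main__":
    print(classify_pair("192.168.1.4", "192.168.1.100", "255.255.255.0"))
    print(classify_pair("192.168.1.4", "10.1.2.7", "255.255.255.0"))
    for ip in ("130.85.1.4", "172.31.9.9", "172.32.0.1"):
        print(ip, "private" if is_private(ip) else "public")
```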
![Page 71: Security+ All-In-One Edition Chapter 8 – Infrastructure Security Brian E. Brzezicki](https://reader031.vdocuments.mx/reader031/viewer/2022013011/56649eca5503460f94bd833d/html5/thumbnails/71.jpg)
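Added example, not from the slides or the book: a Python model of a static routing table that does longest-prefix match and, as the slide says, refuses to forward broadcasts. The two connected networks are the slide's 192.168.1.0/24 and 10.1.2.0/24; the interface names, the 10.0.0.0/8 summary route, the next hops and the default route are constructed for the example. `needs_router` shows the decision a host makes first: if the destination is outside its own subnet mask, the packet has to go to a router at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None   # None means the prefix is directly connected


@dataclass(frozen=True)
class Decision:
    action: str                      # "FORWARD" or "DROP"
    interface: Optional[str] = None
    next_hop: Optional[str] = None   # None on a connected network (deliver directly)
    reason: str = ""


def needs_router(src: str, dst: str, mask: str) -> bool:
    """True when src and dst are on different subnets, i.e. the packet must be routed."""
    local_net = ipaddress.IPv4Network(f"{src}/{mask}", strict=False)
    return ipaddress.IPv4Address(dst) not in local_net


class Router:
    """Static routing table: longest prefix wins, broadcasts are never forwarded.

    routes is an iterable of (prefix, interface, next_hop) tuples. Constructed
    model for illustration, not any vendor's routing code.
    """

    def __init__(self, routes: Iterable[Tuple[str, str, Optional[str]]]):
        parsed = [Route(ipaddress.IPv4Network(p), iface, nh) for p, iface, nh in routes]
        # Longest prefix first, so the first match below is the most specific route.
        self.routes = sorted(parsed, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Decision:
        addr = ipaddress.IPv4Address(dst)
        if addr == ipaddress.IPv4Address("255.255.255.255"):
            return Decision("DROP", reason="limited broadcast is not forwarded")
        for r in self.routes:
            # The directed broadcast of a connected LAN stays on that LAN.
            if r.next_hop is None and addr == r.prefix.broadcast_address:
                return Decision("DROP", reason="directed broadcast is not forwarded")
        for r in self.routes:
            if addr in r.prefix:
                return Decision("FORWARD", r.interface, r.next_hop)
        return Decision("DROP", reason="no route to host")
```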
Router Security (209)
Routers, like switches, are intelligent devices with memory, CPU and a firmware/Operating System. As such routers can be attacked/hacked.
Best Practices (same as switches)
• Routers should have their firmware/OS updated to proper levels at all times
• Routers should be managed from a serial console whenever possible
• If using a network management interface, ensure encryption and proper authentication practices.
• If possible restrict network management to “management network IP addresses”
Firewall (209)
An advanced network device. Its purpose is to enforce an organization’s network security policy.
A firewall is often a “router” on steroids. Firewalls generally connect 2 or more networks, however firewalls generally are not concerned heavily with finding best routes. Instead they are concerned with analyzing packets to see if the packets should be allowed or dropped based on the network security policy.
(more)
Firewalls (209)
• Firewalls have advanced functionality and can operate on layer 3 (network), 4 (transport) all the way to layer 7 (application).
• Firewalls generally consult Access Control Lists (ACLs) which are simply rules of what types of traffic to allow or deny
• Firewalls should always follow the principles of least access and implicit deny
There are many types of firewalls which we will discuss on the upcoming slides.
Firewall Types (211)
There are a few types of firewalls we will talk about in the next couple slides
• Packet Filters
• Stateful Filters
• Circuit Level Proxies
– SOCKS
– NAT
• Application Proxies
Packet Filters (211)
A packet filter is the most basic and first type of firewall. It is effectively a router that inspects layer 3 (network) and layer 4 (transport) headers for each packet. It compares these headers with a list of allowed or denied actions (ACL) to determine how to handle a packet.
Ex. permit tcp any any host www.myserver.com eq 80
Packet Filter (211)
Advantages:
• Cheap
• Does not keep state (can be rebooted)
Disadvantages:
• Does not keep state
• Only looks at layer 3 and 4 addresses
• Can be broken via fragmentation
• Cannot inspect actual packet data
• Can be complex to set up
Stateful Packet Filter (211)
Like a Packet filter, but actually builds a table of ongoing communication and understands who is communicating with whom, what type of communication is happening and when communication is over.
Can allow return traffic without a specific return traffic rule (which is convenient)
Stateful Packet Filters (211)
Advantages:
• Cheap
• Does keep state (makes return rules easier, and adds some security)
Disadvantages:
• Keeps state (so rebooting breaks stuff: in-progress connections are lost)
• Only looks at layer 3 and 4 addresses
• Might be broken via fragmentation
• Cannot inspect actual packet data
• Can be complex to set up (less though than regular packet filters)
Proxies (212)
A Proxy is simply a middleman. When you want to communicate with the Internet, you contact a proxy, who communicates on your behalf to the destination server. Then the Proxy will return the data to you from the destination… You NEVER directly communicate with the destination when using a proxy.
Two Types
• Circuit Level Proxy – Example: SOCKS, NAT
• Application Proxy – Example: Squid
Circuit Level Proxy (212)
Simply put, a middleman. You talk to a proxy which takes your information and sends it to a remote server; it also receives the response and sends it back to you.
Circuit Level Proxies (212)
Advantages
• Fairly simple
• Hides internal network addresses
• When used with a firewall, stops people from directly starting conversations with internal hosts, while still allowing internal hosts to communicate with the Internet
Disadvantages
• A single point of failure and performance issues
• Does not actually “analyze data”, so it doesn’t protect from “dangerous data”
NAT/PAT (211)
A proxy that works without special software and is transparent to the end users. Remaps IP addresses, allowing you to use “private addresses” (later) internally and mapping them to “public IP addresses”.
NAT maps one “public” IP directly to a “private” IP
PAT (PNAT) allows multiple “private IPs” to share one “public” IP
(see slides)
NAT (diagram)
NAT
1. Computer 10.0.0.1 sends a packet to 175.56.28.32. Router grabs the packet, notices it is NOT addressed to him.
2. Router modifies the src address to one from its pool (215.37.32.202), then sends the packet on its way to the destination*
3. The end machine accepts the packet as it’s addressed to him.
4. End machine creates response, src = itself (172.56.28.3) dest = 215.37.32.202
5. Router grabs the packet, notices the dest address, looks it up in its NAT table, rewrites the dest to 10.0.0.1 and sends it on its way*
6. Originating machine grabs the response since it’s addressed to him, and processes it.
PAT (diagram)
PAT
1. Client computer creates packet
SRC: 10.0.0.1:TCP:10000 DEST: 130.85.1.3:TCP:80
2. Router rewrites the SRC portion to be SRC: 208.254.31.1:1026 and makes an entry in the PNAT table
3. End server accepts packet
4. End server creates return packet
SRC: 130.85.1.3:TCP:80 DEST: 208.254.31.1:1026
5. Router receives packet, rewrites destination to be DEST: 10.0.0.1:TCP:10000
6. Client receives the return packet
NAT/PAT difference (n/b)
• NAT ONLY looks at and rewrites the IP addresses.
• NAT requires 1 public IP for each computer that wants to access the Internet simultaneously. If you have 100 computers and you expect 20 of them to access the Internet at any time… you need 20 public IP addresses
• PAT looks at the IP and TCP/UDP headers and rewrites both
• PAT only requires 1 public IP address and can support about 64,000 simultaneous connections for each public IP address.
NAT / PAT (n/b)
Advantages
– Allows you to use private addresses internally; you don’t need to get real public IP addresses for each computer
– Protects the network by stopping external entities from starting conversations to internal machines
– Hides internal network structure
– Transparent, doesn’t require special software
Disadvantages
– Single Point of Failure / Performance Bottleneck
– Doesn’t protect from “bad data”
Application Proxies (212)
Like circuit level proxies, but actually understand the application/protocol they are proxying!
This allows for additional security as they can inspect the data for protocol violations or malware!
Application Proxies (212)
Examples:
• Squid web proxy server
• Internet Security and Acceleration Server (MS web proxy)
• SMTP proxies
• FTP proxies
Application Proxies (212)
Advantages
Application proxies understand the protocol, so they can add extra security
– Ex. Restrict users to only allowed websites
– Ex. Inspect data for protocol violations
– Ex. Inspect data for malware (viruses etc.)
Disadvantages
– Extra processing requires extra CPU (slower)
– Proxies ONLY understand the protocols they were written to understand. So you generally have a separate application proxy for EACH protocol you want to proxy
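Added example, not from the slides or the book and not Squid's or ISA Server's code: the inspection step an HTTP application proxy performs before forwarding a client request. Because it parses the protocol, it can do the two things the slide lists that a packet filter cannot: enforce a website allow list (via the Host header) and reject protocol violations (bad request line, unsupported method, malformed header names, a Content-Length that does not match the body). The hostnames, the allowed method set and the sample requests are constructed; the parsing rules follow HTTP/1.1 syntax.

```python
import re
from typing import Dict, Set, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}            # policy choice for this example
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # HTTP token characters


def inspect_http_request(raw: bytes, allowed_hosts: Set[str]) -> Tuple[str, str]:
    """Decide whether a client's HTTP request may be forwarded.

    Returns ("permit", hostname) or ("deny", reason). Unlike a packet filter,
    this reads the application protocol itself, which is what lets the proxy
    enforce a site allow list and reject malformed requests.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("deny", "non-ASCII bytes in request header")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return ("deny", "incomplete header block")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ("deny", "malformed request line")
    method, _target, _version = m.groups()
    if method not in ALLOWED_METHODS:
        return ("deny", f"method {method} not allowed")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not HEADER_NAME.match(name):
            return ("deny", f"malformed header line {line!r}")
        headers[name.lower()] = value.strip()
    host = headers.get("host")
    if host is None:
        return ("deny", "missing Host header")   # the proxy needs it to pick the destination
    hostname = host.rsplit(":", 1)[0].lower()    # strip an optional :port
    if hostname not in allowed_hosts:
        return ("deny", f"host {hostname} is not on the allow list")
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            return ("deny", "Content-Length is not a number")
        if int(headers["content-length"]) != len(body.encode("ascii")):
            return ("deny", "Content-Length does not match body size")
    return ("permit", hostname)
```

Only the request that passes every check is relayed to the destination; everything else is answered by the proxy itself, so the internal client never talks to the remote server directly, exactly as the proxy slides describe.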
PBX systems (215)
Some (almost all) medium to large organizations run their own PBX (Private Branch Exchange).
Beware of attacks against PBX systems. Hackers may use your PBX to get free long distance calls etc. (using 2600 Hz whistles was famous… the Captain Crunch story).
Be aware that the original phone system hacking was called phreaking.
Be aware the concept of phishing using phones is called vishing.
Network Access Control (216)
Did we talk about NAC and NAP yet? If not, explain NAC and NAP.
Security Zones
Bastion Host (230)
• Bastion Host – a server that is highly locked down (hardened). Usually put in a DMZ (later). These machines can be directly accessed from the Internet (though usually through one layer of firewall) so they are “hardened” (what do I mean by that?)
Security Zones (229)
It is common practice in network and physical security to group different security levels into different areas or zones. Each zone is either more or less trusted than the other zones. Interfaces between zones have some type of access control to restrict movement between zones (like biometrics and guard stations, or firewalls). In network security there is often an intermediate zone between the Internet and the internal network called a DMZ.
DMZ (230)
• A buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.
– You generally put your “Internet” accessible servers (bastion hosts) in a DMZ between your organization’s internal network and the Internet.
DMZ (diagram)
Multi Homed Firewall (n/b)
• Pretty much any firewall is dual homed: dual homed means there are two network interfaces, one on the “Internet” and one on the “Internal network”
• Multi-homed just means 2 or more interfaces. Multi-homed firewalls may be used to set up a DMZ with a single firewall. (see next slide)
• On any dual/multi-homed machine, “IP forwarding” should be disabled.*
Multi-homed firewall (diagram)
Screened Subnet (n/b)
• A type of DMZ, where there is a “middle” network where Internet services reside before the “Internal” network (see next slide). In a screened subnet, there is usually a router performing packet filtering before the “first firewall”
Screened Subnet (diagram)
Internal firewalls (n/b)
• You may have a firewall that protects internal networks from each other!
Networking Media / Cabling
Coax (219)
• Coaxial – copper core surrounded by a shielding layer and a grounding wire.
– 200 and 500 meter maximum lengths
– More resistant to EMI than UTP
• Not used much anymore
– Can be baseband (one channel, Ethernet) or broadband (multiple channels, cable TV)
Twisted Pair
Twisted Pair (219)
• Like phone wire, but more wires.
• 100 meter maximum lengths
• RJ-45 connector
• Two main “types”: UTP and STP
• STP is shielded and better if you have EMI issues
• UTP is unshielded and susceptible to EMI and crosstalk
• UTP also gives off signals which could be picked up if you have sufficient technology (TEMPEST stuff)
• “least secure vs. coax and fiber”
Fiber
Fiber (221)
• Glass tubes
• High speed, long haul
• NOT affected by EMI, doesn’t “lose” signal either (attenuation)
• Does NOT radiate energy, better security
• Expensive
• Difficult to work with
• Used in backbones
Random Terms
Terms (231)
Intranet - A network that has the same functionality as the Internet, but lies within an organization’s internal network.
Extranet – An extension of a company’s “intranet” made available to external partners, allowing businesses to share information and resources. Should be protected by some type of security mechanism such as a VPN or an SSL based website.
(more)
Chapter 8 - Review
Q. What layer of the OSI model does a switch operate at, and what addresses does it “switch”?
Q. What layer of the OSI model does a router look at, and what addresses does it “route”?
Q. The purpose of twisting the wires in a twisted pair cable is what?
Q. Fiber Optic cabling is / is not susceptible to electromagnetic interference?
Chapter 8 - Review
Q. What is a Bastion Host?
Q. What is the purpose of a DMZ?
Q. What is NAC/NAP?
Q. What is the main purpose of a circuit layer proxy?
Q. How is an application layer proxy different than a circuit layer proxy?
Chapter 8 - Review
Q. What are the Private IP ranges?
Q. How is STP different than UTP?
Q. What is ARP poisoning?
Q. What is MAC flooding?