CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)

3.5.3.9.2  Databases 1 2 3 4 5 6 7 8 9 10 3.7  Success Questions

In this chapter, we looked at the topics in the third domain of the Security+ exam, Infrastructure Security. The chapter covers everything from physical components to applications – all the components that are likely to be part of your network infrastructure.

Devices you learned about include:

• Firewalls, which protect an internal network from the outside world; more about these later in this summary.
  
  
• Routers, the traffic directors of the Internet at the Network Layer, which connect networks, forwarding packets between them; you can limit sniffing by using routers to send to a subnet only the traffic required to be on it, and use Access Lists to control traffic passing through routers based on source IP address, destination IP address, port number, direction and other characteristics.
  
  
• Switches, which direct traffic at the Data Link, or MAC, Layer, forwarding to subnets only required traffic in order to minimize opportunities for sniffing; unlike hubs, they do not automatically make a packet appearing at one switch port, available to the connections on all other switch ports.
  
  
• Wireless, which implements network connectivity without the need for physical connections; due to the current state of the most common 802.11-based wireless protocols, access control and the sniffing of unencrypted wireless network traffic are security concerns.
  
  
• Modems, which allow users to connect to your network from outside it, may allow users to bypass security if dial-ins are not restricted by a firewall or VPN as with connections to your network from outside on the Internet; you can limit access to your modem pool by using call-back technology, but attackers can sometimes defeat this by using call-forwarding.
  
  
• RAS, which stands for Remote Access Services, discussed in Section 2, that authenticates users connecting to the network from a remote location and allows them network resource access; it can use many authentication mechanisms, including CHAP and MS-CHAP (considered more secure), and PAP and SPAP (considered less secure); RAS attempts should be logged so that you have a record of successful and unsuccessful connections.
  
  
• Telecom/PBX, which is becoming more of an issue as more organizations combine computers and telephony, possibly even integrating them with IP telephony; phone networks have similar security concerns as data networks, and in some cases, less security; you should change all default passwords on your PBX, limit administrative access permissions to locations requiring physical access to the administrative console, and be on guard for social engineering attempts.
  
  
• VPNs, Virtual Private Networks, which allow you to simulate a private network over a public network through secure authentication and data encryption; VPN’s are a cost effective alternative to dedicated private networks, and may be used to protect services used by both internal and external users; VPN’s can be used internally to provide an extra level of security for sensitive transactions such as payroll; VPN security vulnerabilities include susceptibility to Internet traffic interruptions and flakiness, lack of encryption of some packet fields such as source/destination address under some VPN’s, susceptibility to DoS attacks, and configuration challenges.
  
  
• IDS, Intrusion Detection Systems, which detect attempts to break into or misuse a system or network; attacks they can detect include network scans, packet-spoofing, DoS and other common script-kiddie attacks, unauthorized service connection attempts, malformed packets, changed system files and improper activities; an IDS should be placed on your network anywhere you want to monitor for suspicious activities.
  
  
• Network monitoring/Diagnostic Tools, which include tools working at low layers such as TDR’s and SNMP-enabled devices like switches, as well as higher-level tools that monitor packet traffic, capture network configuration information, and scan a network or system for open ports; SNMP is the Simple Network Management protocol, used to query devices for information and sometimes alter parameters; because SNMP traffic is very vulnerable to sniffing, and its “community name” authentication is insecure, we recommend that you disable it unless you can configure your devices to use the more secure SNMPv2.
  
  
• Workstations, which are the machines your network’s users employ to get their work done, and often the source of troubles like viruses spread by users opening email attachments, staff installing and running unauthorized applications, not adequately securing their machines when away from them, using insecure passwords, or hooking a modem up to their PC for access from home; other issues include the ability to “boot” the workstation into an OS that allows direct access to disk contents, the ability to change BIOS information, and theft.
  
  
• Servers, which usually run services used by many client users, are a security priority; they’re also a hacker target because of the importance of the data they hold, or functionality they offer the network; placing a server in your internal network is no guarantee against attack, since some attacks originate internally; if uptime is a concern, consider adding a UPS or generators, or even implementing a “clustered” system with multiple redundant high-availability hardware components such as RAID arrays and hot-swappable devices.
  
  
• Mobile Devices, which span from Pocket PC and Palm handhelds, to RF scanners and notebooks, are those items on your network which typically aren’t restricted to just one location; because of their portability, you are advised to set a password on the device if possible, encrypt data stored on the device, and consider encryption for any wireless networking to minimize the potential for loss of confidential data; because these devices move around a lot, they are also vulnerable to loss of the units themselves and data corruption, so upload collected data from the mobile device to your network as soon after collection as possible.

3.5.3.9.2  Databases 1 2 3 4 5 6 7 8 9 10 3.7  Success Questions