This chapter discusses securing networks through the use of intrusion detection and prevention systems, wireless security best practices, and virtual private networks (VPNs) for remote access. It covers topics such as IDS and IPS detection methods, securing wireless networks using encryption and authentication, common wireless attacks, and site-to-site and remote access VPN configurations. Network access control is also examined to inspect client devices and restrict unhealthy systems.

1. Chapter 4
Securing Your
Network
CompTIA Security+
Get Certified Get Ahead
1

2. Introduction
• Exploring advanced security
devices
• Securing wireless networks
• Understanding wireless attacks
• Using VPNs for remote access

3. Understanding
IDSs and IPSs
• Intrusion Detection System (IDS)
– Detective control
– Attempts to detect attacks after
they occur
• Firewall is a preventive control
– Attempts to prevent the attacks
before they occur.
• Intrusion Prevent System (IPS)
– A preventive control
– Will stop an attack in progress.

4. Packet Sniffing
• Also called protocol analyzer
• Captures and analyzes network
traffic
• Wireshark – free packet sniffer
• IDSs and IPSs include packet
sniffing capabilities

5. Host- and
Network-
Based IDS
• Additional software on a
workstation or server
• Can detect attacks on the local
system
• Protects local resources on the
host such as operating system
files
• Cannot monitor network traffic
HIDS

6. Host- and
Network-
Based IDS
• Installed on network devices,
such as routers or firewalls
• Monitors network traffic
• Can detect network-based
attacks such as smurf attacks
• Cannot monitor encrypted
traffic and cannot monitor
traffic on individual hosts.
NIDS

7. Sensor and
Collector
Placement

8. IDS Detection
Methods
• Also called definition-based
• Use a database of predefined
traffic patterns (such as CVE list)
• Keep signature files up-to-date
• Most basic form of detection
• Easiest to implement
Signature-based
Heuristic-, behavior-based
• Also called anomaly-based
• Starts with a performance baseline of
normal behavior
• IDS compares activity against this
baseline
• Alerts on traffic anomalies
• Update the baseline if the
environment changes

9. IDS
Considerations
• Data sources and trends
• Reporting
• IDS thresholds
• False positives
• Increase administrator’s
workload
• False negatives
• No report during an incident

10. IDS Responses
Passive
• Notifies
– Pop-up window
– Central monitor
– E-mail
– Page
– Text message
Active
• Notifies
• Modifies environment
– Modify ACLs
– Close processes
– Divert the attack
Counterattacks
• Don’t do it
– Attackers are dedicated
– Attackers have unlimited time

11. IDS vs IPS
• IPS is a preventive control
– Can actively monitor data streams
– Can detect malicious content
– Can stop attacks in progress
• IPS is placed in line with traffic
– IDS is out-of-band

12. SSL/TLS Tools
• SSL/TLS accelerators
– Offloads encryption services to
another hardware device
– Place close server needing the
service
• SSL decryptors
– Placed in DMZ between users and
Internet
– Allows inspection of content

13. Other Tools
• Honeypots and Honeynets
– Used to divert an attacker
– Allow IT administrators an opportunity
to observe methodologies
– Can be useful to observe zero day
exploits
• 802.1x port security
– Provides port-based authentication
– Prevents rogue devices from connecting

14. Securing
Wireless
Networks
• WAPS and wireless routers
– All wireless routers are WAPs
– Not all WAPs are wireless routers

15. Wireless Routers

16. Fat vs Thin APs
• Fat AP
– Also known as stand-alone, intelligent,
or autonomous AP
– Includes everything needed to run
wireless network
• Thin AP
– Controller-based AP

17. Band Selection
and Channel
Widths

18. Access Point
SSID
• Network name
• Change default SSID
• Disabling SSID broadcast
– Hides from some devices
– Does not hide from attackers

19. MAC Filtering

20. Wireless
Antennas
• Antenna types and placement
• Wireless power and signal strength

21. Network
Architecture
and Zones
• Wireless
– Provides wireless devices access to
wired networks
• Guest
– Typically provides Internet access to
guests
– Rarely gives access to network
resources
• Ad hoc
– Network between two or more wireless
networks
– As needed

22. Wireless
Cryptographic
Protocols
• WPA – Interim replacement for
WEP
– Deprecated
• WPA2 – Current standard
– Provides best security when used with
CCMP
• TKIP
– Older encryption protocol used with
WPA
• CCMP
– Based on AES
– Recommended to be used with WPA2

23. Wireless
Settings
PSK vs Open

24. Enterprise
Mode
• Adds strong authentication
• Uses an 802.1X server
(implemented as a RADIUS server)
to add authentication
– RADIUS server
– RADIUS port
– Shared secret
• Similar to a password

25. Enterprise Mode

26. Authentication
Protocols
• EAP-TLS
– Most secure (compared to other EAP
methods)
– Provides mutual authentication
– Requires certificate on 802.1x server
– Requires certificate on the clients
• EAP
– Uses pairwise master key
• EAP-FAST
– Replaced LEAP
• PEAP
– Requires certificate on server
• EAP-TTLS
– Requires certificate on 802.1x server

27. Wireless
• RADIUS federation
– Provides single sign-on for two or more
entities
– Federation includes multiple 802.1x
servers
– Can use any of the EAP versions
• Captive Portals
– Free Internet access
– Paid Internet access
– Alternative to IEEE 802.1x

28. Wireless
Attacks
• Disassociation attack
– Removes a wireless client from a
wireless network
• WPS
– Streamlines process of configuring
wireless clients
• WPS attack
– Brute force method to discover WPS PIN
– Reaver

29. Wireless
Attacks
• Rogue access points
– Unauthorized AP
• Evil twins
– Rogue AP with same SSID as legitimate
AP
• Jamming attack
– Broadcasts noise or other signals on
same frequency

30. Wireless
Attacks
• IV attack
– Attempts to discover PSK from the IV
• NFC attack
– Uses an NFC reader to capture data

31. Bluetooth
Wireless
• Bluejacking
– Unauthorized sending of text messages
from a Bluetooth device
• Bluesnarfing
– Unauthorized access to or theft of
information from a Bluetooth device
• Bluebugging
– Allows an attacker to take over a mobile
phone

32. Wireless
Attacks
• Wireless replay attacks
– Captures data
– Attempts to use to impersonate client
• RFID attacks
– Sniffing or eavesdropping
– Replay
– DoS

33. Misconfigured
Access Points
• Use WPA2 with CCMP
• Disable WPS

34. Exploring
Remote Access
VPNs and VPN concentrators

35. VPN Tunnel
Comparisons
• Split tunnel
– Encrypts only some traffic (such as traffic
going to private network)
• Full tunnel
– Encrypts all traffic from client
– Can route client traffic through UTM in
private network for monitoring and
protection

36. Site-to-Site
VPNs
• Gateways as VPN servers

37. Always-On
VPNs
• Site-to-site VPNs
• Regular VPNs for users
• Mobile devices

38. Network
Access Control
• Health agents
– Inspects clients for predefined conditions
– Restricts access of unhealthy clients to a
remediation network
– Used for VPN clients
and internal clients

39. NAC Agents
• Permanent
– Installed on client and remains on client
– Persistent NAC agent
• Dissolvable
– Does not stay on client
– Downloaded to client when session starts
– Removed during or after session
– Commonly used for mobile devices

40. Identity and
Access
Services
• PAP – Sends passwords in cleartext
• CHAP – uses shared secret
• MS-CHAP – replaced by MS-CHAPv2
• MS-CHAPv2 – provides mutual
authentication

41. Identity and
Access
Services
• RADIUS

42. Identity and
Access
Services
• TACACS+
– Cisco alternative to RADIUS
– Uses TCP port 49
– Encrypts entire authentication process
– Uses multiple challenges and responses
• Diameter
– Extension of RADIUS
– Supports EAP

43. AAA Protocols
• Provide authentication,
authorization, and accounting
– Authentication verifies a user’s
identification
– Authorization provides access
– Accounting tracks user access with logs

44. Chapter 4
Summary
• Exploring advanced security devices
• Securing wireless networks
• Understanding wireless attacks
• Using VPNs for remote access