Segmenting the network
• Physical, logical, or virtual segmentation
- Devices, VLANs, virtual networks
• Performance
- High-bandwidth applications
• Security
- Users should not talk directly to database servers
- The only applications in the core are SQL and SSH
• Compliance
- Mandated segmentation (PCI compliance)
- Makes change control much easier
Access Control Lists (ACLs)
• Allow or disallow traffic based on tuples
- Groupings of categories
- Source IP, destination IP, port number, time of day, application, etc.
• Restrict access to network devices
- Limit by IP address or other identifier
- Prevent regular user / non-admin access
• Be careful when configuring these
- You can accidentally lock yourself out
Access control list
List the permissions
- Bob can read files
- Fred can access the network
- James can access network 192.168.1/24 using TCP 80, 443 and 8088
Many operating systems use ACLs to provide access to files
- Each entry names a trustee and the access rights allowed
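An added example (not part of the original notes) of how a tuple-based network ACL is evaluated: rules are checked top to bottom, the first match wins, and anything that matches nothing is dropped by an implicit deny at the end, as most router and firewall ACLs do. The rule set, the address ranges and the time window are constructed for the example; the `would_lock_out` check is the practitioner's habit of testing that management access still passes before a new ACL is applied.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry: a tuple of match criteria plus the action to take."""
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int]         # destination port, None means any port
    start: Optional[time] = None # optional time-of-day window (inclusive)
    end: Optional[time] = None

    def matches(self, src_ip: str, dst_ip: str, proto: str,
                dport: int, now: time) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.start is not None and not (self.start <= now <= self.end):
            return False
        return True


def evaluate(rules, src_ip: str, dst_ip: str, proto: str,
             dport: int, now: time = time(12, 0)) -> str:
    """First-match evaluation with an implicit deny when no rule matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport, now):
            return rule.action
    return "deny"


def would_lock_out(rules, admin_src: str, device_ip: str,
                   mgmt_port: int = 22) -> bool:
    """True if applying these rules would block the admin's own SSH session."""
    return evaluate(rules, admin_src, device_ip, "tcp", mgmt_port) != "permit"


# Constructed rule set for the example (addresses are made up):
#   admins (10.0.0.0/24) may SSH anywhere,
#   user segment (10.1.0.0/16) never reaches the database segment (10.9.0.0/24),
#   application tier (10.5.0.0/24) reaches SQL Server only between 06:00 and 22:00.
EXAMPLE_ACL = [
    Rule("permit", "10.0.0.0/24", "0.0.0.0/0", "tcp", 22),
    Rule("deny", "10.1.0.0/16", "10.9.0.0/24", "any", None),
    Rule("permit", "10.5.0.0/24", "10.9.0.0/24", "tcp", 1433,
         time(6, 0), time(22, 0)),
]


if __name__ == "__main__":
    print("user -> DB:", evaluate(EXAMPLE_ACL, "10.1.4.7", "10.9.0.10", "tcp", 1433))
    print("app -> DB 09:00:", evaluate(EXAMPLE_ACL, "10.5.0.3", "10.9.0.10", "tcp", 1433, time(9, 0)))
    print("app -> DB 23:00:", evaluate(EXAMPLE_ACL, "10.5.0.3", "10.9.0.10", "tcp", 1433, time(23, 0)))
    print("admin locked out?", would_lock_out(EXAMPLE_ACL, "10.0.0.5", "10.9.0.10"))
    print("outsider locked out?", would_lock_out(EXAMPLE_ACL, "192.168.50.5", "10.9.0.10"))
```

Note that the 23:00 application-tier request is not rejected by any explicit deny; it simply falls off the end of the list and hits the implicit deny, which is why an ACL that lacks a permit for your own management traffic locks you out silently.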
Application allow/deny list
Any application can be dangerous
- Vulnerabilities, trojan horses, malware
Security policy can control app execution
- Allow list, deny/block list
Allow list
- Nothing runs unless it's approved
- Very restrictive
Deny list
- Nothing on the "bad list" can be executed
- Anti-virus, anti-malware
Examples of allow and deny lists
Decisions are made in the operating system
- Often built-in to the operating system management
Application hash
- Only allows applications with this unique identifier
Certificate
- Allow digitally signed apps from certain publishers
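An added example (not from the original notes) of the hash-based decision described above, in both allow-list and deny-list modes. The "applications" are constructed byte strings standing in for executables; the point it shows is that a hash identifies exactly one build, so any change to the file, including a legitimate update, produces a hash the allow list has never seen, which is why publisher certificates are the more maintainable choice for software that updates often.

```python
import hashlib
from typing import Set


def app_hash(executable: bytes) -> str:
    """Unique identifier for one exact build of an application (SHA-256)."""
    return hashlib.sha256(executable).hexdigest()


def may_execute(executable: bytes, policy: str, listed: Set[str]) -> bool:
    """
    policy == "allow": nothing runs unless its hash is on the list.
    policy == "deny":  everything runs unless its hash is on the list.
    """
    h = app_hash(executable)
    if policy == "allow":
        return h in listed
    if policy == "deny":
        return h not in listed
    raise ValueError("policy must be 'allow' or 'deny'")


# Constructed stand-ins for binaries (not real executables).
APPROVED_APP = b"MZ\x90\x00example-approved-app-build-1"
APPROVED_APP_V2 = b"MZ\x90\x00example-approved-app-build-2"   # same app, new build
KNOWN_BAD = b"MZ\x90\x00example-known-bad-tool"

ALLOW_LIST = {app_hash(APPROVED_APP)}
DENY_LIST = {app_hash(KNOWN_BAD)}


if __name__ == "__main__":
    print("allow-list, approved build:", may_execute(APPROVED_APP, "allow", ALLOW_LIST))
    print("allow-list, updated build:", may_execute(APPROVED_APP_V2, "allow", ALLOW_LIST))
    print("deny-list, known bad:", may_execute(KNOWN_BAD, "deny", DENY_LIST))
    print("deny-list, updated build:", may_execute(APPROVED_APP_V2, "deny", DENY_LIST))
```

The updated build is blocked under the allow list (its hash was never approved) but runs freely under the deny list (its hash was never flagged); the two policies fail in opposite directions, which is the restrictive-versus-permissive trade-off the notes describe.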