3.2 - CompTIA Security+

Infrastructure considerations

Device placement

Security zones

  • Security zones: Segments within a network that are designed to isolate and protect different types of data and services, typically categorized into trusted, untrusted, and semi-trusted areas. Each security zone has its own unique security configuration.

Attack surface

  • Attack surface: The total sum of the vulnerabilities and entry points in a system that could be exploited by an attacker, including hardware, software, and network aspects.

Connectivity

  • Connectivity: The manner in which components of a system are interconnected, influencing both the potential attack vectors and the security measures required to protect against unauthorized access.

Failure modes

Fail-open

  • Fail-open: A condition where a security device/network component keeps passing traffic when it fails or malfunctions. Availability is preserved, but during the failure the control is not enforced, so the system is exposed unless other safeguards are in place.

Fail-closed

  • Fail-closed: A condition where a security device/network component blocks all traffic when it fails or malfunctions. Protection is preserved, but the failure becomes an outage until the device is repaired or bypassed.
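The two failure modes as code, as an added example that is not part of the course notes: a gateway asks an external authorization service whether a user is allowed, and the policy chosen decides what happens when that service is unreachable. The `AuthzBackend` class, its outage switch and the user names are constructed for illustration.

```python
"""Fail-open vs fail-closed behaviour of a security check whose backend is down.

Added example (not from the course material): a gateway asks an external
authorization service whether a request is allowed. The service name,
`AuthzBackend`, and the sample users are constructed for illustration.
"""
import enum
import logging

log = logging.getLogger("gateway")


class FailMode(enum.Enum):
    OPEN = "fail-open"      # on error, let traffic through (availability first)
    CLOSED = "fail-closed"  # on error, block traffic (security first)


class BackendUnavailable(Exception):
    """Raised when the authorization service cannot be reached."""


class AuthzBackend:
    """Toy authorization service: an allowlist plus an 'outage' switch."""

    def __init__(self, allowed_users, healthy=True):
        self.allowed_users = set(allowed_users)
        self.healthy = healthy

    def is_allowed(self, user):
        if not self.healthy:
            raise BackendUnavailable("authz service timed out")
        return user in self.allowed_users


def authorize(backend, user, mode):
    """Return (allowed, reason). The mode only matters when the backend fails."""
    try:
        return backend.is_allowed(user), "backend decision"
    except BackendUnavailable as exc:
        # This branch is the whole point: when the control itself fails, the
        # operator has already chosen between availability and protection.
        log.error("authz backend failed: %s (policy=%s)", exc, mode.value)
        if mode is FailMode.OPEN:
            return True, "fail-open: backend down, request allowed"
        return False, "fail-closed: backend down, request denied"


def simulate(mode):
    """Run the same two users against a healthy and a failed backend.
    Returns {backend_healthy: {user: allowed}}."""
    results = {}
    for healthy in (True, False):
        backend = AuthzBackend(allowed_users={"alice"}, healthy=healthy)
        results[healthy] = {u: authorize(backend, u, mode)[0] for u in ("alice", "mallory")}
    return results


if __name__ == "__main__":
    for mode in FailMode:
        print(mode.value, simulate(mode))
```

With the backend healthy both policies give the same answer; only in the outage row does the difference show: fail-open lets the unauthorized user through, fail-closed locks out the authorized one.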

Device attribute

Active vs. passive

  • Active monitoring configuration: The monitoring device sits inline, in the traffic path, so it can analyze and block (not just report) security events in real time. Because every packet must pass through it, an inline device adds latency and is a potential point of failure, and an over-aggressive IPS rule can cause an outage.

  • Passive monitoring configuration: The monitoring device receives a copy of the traffic, from a network tap or a switch SPAN/mirror port, while the original frames are forwarded normally. It has no impact on performance or network flow, but it can only detect and alert; it cannot stop the traffic it sees.

Inline vs. tap/monitor

  • Inline: the device is in the traffic path and can block (active). Tap/monitor: the device sees a copy of the traffic and can only alert (passive). See active vs. passive above.

Network appliances

Jump server

  • Jump server: A hardened host placed at the boundary of a protected zone (for example between a management network and the internal servers). Administrators connect to the jump server first and reach internal devices through it, so only the jump server is exposed. It is configured to allow only authorized connections to itself and onward to the internal devices, and it is a natural place to log and monitor administrative access.

Proxy server

  • Proxy server: A network device designed to intercept client requests, receive responses from servers, and forward results back to clients.

Intrusion prevention system (IPS)/intrusion detection system (IDS)

  • Intrusion detection system (IDS): A software/hardware solution that detects unauthorized or malicious activity on a network or system and raises alerts. It is usually deployed passively (tap or SPAN port), so it cannot block what it detects.

  • Intrusion prevention system (IPS): A software/hardware solution that detects unauthorized or malicious activity and blocks it. It is deployed inline, which is what allows it to drop traffic in real time, at the cost of added latency and the risk that a false positive blocks legitimate traffic.
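The passive (tap/SPAN) and inline placements above, applied to one set of packets, as an added example that is not part of the course notes. The same signature engine is run once as an IDS, which only sees a copy after the switch has already forwarded the frame, and once as an IPS, which holds each packet until it has a verdict. The `Packet` and `Signature` classes, the two signatures and the sample traffic are constructed for illustration.

```python
"""IDS (passive, tap/SPAN copy) versus IPS (active, inline) on the same traffic.

Added example, not from the course material. The packets and the signatures
are constructed for illustration; real sensors use far richer rule languages.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    name: str
    pattern: re.Pattern  # applied to the payload


SIGNATURES = [
    Signature(1000001, "HTTP traversal attempt", re.compile(rb"\.\./\.\./")),
    Signature(1000002, "Shell command in query", re.compile(rb"(;|%3[bB])\s*(cat|id|uname)\b")),
]


@dataclass
class Verdicts:
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def inspect(packet):
    """Return the first matching signature or None."""
    for sig in SIGNATURES:
        if sig.pattern.search(packet.payload):
            return sig
    return None


def run_passive(packets):
    """IDS on a tap/SPAN port: it only ever sees a copy, so it can alert but
    cannot stop anything. Every packet has already been forwarded by the switch."""
    v = Verdicts()
    for p in packets:
        v.forwarded.append(p)          # switch forwarded the original
        sig = inspect(p)               # sensor inspects the copy
        if sig:
            v.alerts.append((sig.sid, sig.name, p.src))
    return v


def run_inline(packets):
    """IPS in the traffic path: each packet waits for a verdict, and a match is
    dropped before it reaches the destination. A false positive here is an outage."""
    v = Verdicts()
    for p in packets:
        sig = inspect(p)
        if sig:
            v.alerts.append((sig.sid, sig.name, p.src))
            v.dropped.append(p)
        else:
            v.forwarded.append(p)
    return v


# Constructed sample traffic: two benign requests, one traversal, one command injection.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("198.51.100.7", "10.0.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.9", "10.0.1.10", 80, b"GET /search?q=shoes HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.4", "10.0.1.10", 80, b"GET /cgi?cmd=ls;cat+/etc/shadow HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for name, fn in (("IDS/passive", run_passive), ("IPS/inline", run_inline)):
        r = fn(SAMPLE)
        print(f"{name}: forwarded={len(r.forwarded)} dropped={len(r.dropped)} "
              f"alerts={[a[1] for a in r.alerts]}")
```

Both runs raise the same two alerts; the difference is that the passive run forwards all four packets and the inline run forwards only the two benign ones.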

Load balancer

  • Load balancer: A device or software application that distributes incoming network traffic across multiple servers to ensure optimal resource use, minimize response time, and prevent overload on any single server.

Sensors

  • Sensors: Devices that monitor physical and/or logical conditions in a network environment to gather data on system performance, identify potential threats, and facilitate automated responses to security incidents.

Port security

  • Port security: Controls applied to the individual interfaces (physical and logical) of a network device, most commonly a switch access port, to restrict which devices may use them: limiting how many MAC addresses a port may learn, allowing only specific MAC addresses, and disabling or restricting the port when that limit is violated. Wireless access points apply the same idea to client associations.
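Switch-port security modelled in code, as an added example that is not part of the course notes. It follows the behaviour Cisco IOS configures with `switchport port-security maximum` and `switchport port-security violation protect|restrict|shutdown`; the `SecuredPort` class, its method names and the MAC addresses are this example's own.

```python
"""Switch-port security: limit which and how many MAC addresses may use an
access port, and react when the limit is violated.

Added example, not from the course material. It models the behaviour Cisco IOS
calls `switchport port-security` (maximum, violation protect|restrict|shutdown);
the class and method names are this example's own.
"""
from collections import Counter


class SecuredPort:
    """One access port with a MAC address limit and a violation policy."""

    def __init__(self, name, maximum=1, violation="shutdown", static_macs=()):
        assert violation in ("protect", "restrict", "shutdown")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = set(m.lower() for m in static_macs)  # statically allowed
        self.err_disabled = False      # True once the port has been shut down
        self.violations = 0            # counter that restrict/shutdown increment
        self.dropped = Counter()       # frames dropped, per offending MAC

    def receive(self, src_mac):
        """Process one ingress frame. Returns True if the frame is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            self.dropped[src_mac] += 1
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)    # dynamic learning up to the maximum
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac):
        self.dropped[src_mac] += 1
        if self.violation == "protect":
            return False                      # silently drop: no counter, no log
        self.violations += 1                  # restrict and shutdown both count and log
        if self.violation == "shutdown":
            self.err_disabled = True          # port is err-disabled until an admin clears it
        return False

    def clear_errdisable(self):
        """Administrative recovery (shutdown / no shutdown on the interface)."""
        self.err_disabled = False


def rogue_hub_scenario(violation):
    """A user plugs an unmanaged hub into a 1-MAC port: the first host is learned,
    the second host is a violation, then the first host sends again.
    Returns (list of forward decisions, the port)."""
    port = SecuredPort("Gi1/0/7", maximum=1, violation=violation)
    frames = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:01"]
    return [port.receive(m) for m in frames], port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        decisions, port = rogue_hub_scenario(mode)
        print(f"{mode:9s} decisions={decisions} violations={port.violations} "
              f"err-disabled={port.err_disabled}")
```

The scenario shows the practical difference between the three modes: protect and restrict keep the legitimate host working and drop only the rogue one (restrict also records the event), while shutdown takes the whole port down, which is the safest choice but turns a violation into a help-desk ticket.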

802.1X

  • 802.1X: An IEEE standard for port-based network access control. A device connecting to a LAN or WLAN port (the supplicant) must authenticate through the switch or access point (the authenticator) to a central authentication server (typically RADIUS) before the port is opened to normal traffic, ensuring that only authorized users and devices can access resources.

Extensible Authentication Protocol (EAP)

  • Extensible Authentication Protocol (EAP): An authentication framework that supports multiple authentication methods, allowing various types of credentials, such as passwords, certificates, or smart cards, to be used for the authentication process.

Firewall types

Web application firewall (WAF)

  • Web application firewall (WAF): Firewalls designed to analyze input into web-based applications and either allow or disallow that traffic based on what the input happens to be. Common for HTTP/S web server traffic.

    • Example: A WAF can identify SQL injections within a traffic flow and block them from reaching the web application.
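What a WAF rule for that example actually does, as an added example that is not part of the course notes: each request parameter is decoded and normalized, then matched against a few SQL injection patterns. The rule names, the `inspect_request` and `normalize` helpers and the sample requests are constructed for illustration; a production WAF such as ModSecurity with the OWASP Core Rule Set applies far more transformations and rules. The normalization step is where most of the difficulty lives: without it, an attacker double-encodes or comments through the keywords and the rule never fires, which is also why a WAF is a compensating control and not a substitute for parameterized queries in the application.

```python
"""Minimal WAF-style request inspection for SQL injection, with the
normalization step that makes or breaks such rules.

Added example, not from the course material. Rules, requests and names are
constructed; a production WAF uses many more transformations and rules, and a
WAF never replaces parameterized queries in the application itself.
"""
import re
from urllib.parse import parse_qsl, unquote_plus

# Detection rules applied to each decoded parameter value.
SQLI_RULES = {
    "tautology": re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.I),
    "stacked-query": re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I),
    "comment-terminator": re.compile(r"(--|#|/\*)\s*$"),
}


def normalize(value, rounds=2):
    """Decode percent-encoding (possibly nested) and collapse whitespace and
    inline comments, so obfuscated payloads look like the rule expects."""
    for _ in range(rounds):          # 'UN%2549ON' -> 'UN%49ON' -> 'UNION'
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)   # UNION/**/SELECT -> UNION SELECT
    return re.sub(r"\s+", " ", value).strip()


def inspect_request(method, path, query="", body=""):
    """Return (verdict, matches) for one HTTP request.
    verdict is 'allow' or 'block'; matches lists (param, rule) pairs."""
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    matches = []
    for name, raw in params:
        value = normalize(raw)
        for rule_name, rule in SQLI_RULES.items():
            if rule.search(value):
                matches.append((name, rule_name))
    return ("block" if matches else "allow"), matches


# Constructed requests: benign, classic tautology, obfuscated UNION, stacked query.
SAMPLE_REQUESTS = [
    ("GET", "/search", "q=red+shoes&page=2", ""),
    ("POST", "/login", "", "user=admin&pass=%27+OR+%271%27%3D%271"),
    ("GET", "/item", "id=1+UN%2549ON/**/SEL%2545CT+password+FROM+users", ""),
    ("GET", "/item", "id=1%3B+DROP+TABLE+users--", ""),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[1], inspect_request(*req))
```

The third request is the instructive one: `parse_qsl` strips one layer of encoding and leaves `UN%49ON/**/SEL%45CT`, which matches nothing; only after the second decode and comment removal does it read `UNION SELECT`. Every transformation an attacker can apply that the WAF does not undo is a bypass.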

Unified threat management (UTM)

  • Unified threat management (UTM): An earlier generation of firewall appliances that bundle multiple security features (URL filtering, malware inspection, spam filtering, IDS/IPS, VPN) in a single device. Also called web security gateways or all-in-one security appliances.

Next-generation firewall (NGFW)

  • Next-generation firewall (NGFW): A security solution that can filter application-level traffic and includes features such as deep packet inspection, integrated intrusion prevention, and application awareness.

Layer 4/Layer 7

  • Layer 4 device: A firewall/network device that inspects traffic only up to OSI layer 4 (Transport layer): IP addresses, protocol, and TCP/UDP port numbers. It can tell that a connection goes to port 80 but not what is being requested over it.

  • Layer 7 device: A firewall/network device that inspects traffic up to OSI layer 7 (Application layer): the application-specific protocol and its contents, such as the HTTP method, host and path, or the application in use regardless of port.
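The Layer 4 versus Layer 7 distinction on one set of connections, as an added example that is not part of the course notes. Four flows are all TCP to port 80, so a Layer 4 rule set gives them all the same verdict; a Layer 7 rule set parses the HTTP request inside and can tell a catalog request from an admin request, an unwanted method, or bytes that are not HTTP at all. The `Flow` class, both rule sets, the hostname and the parser helper are constructed for illustration.

```python
"""The same connection evaluated by a Layer 4 rule set (addresses and ports only)
and a Layer 7 rule set (the HTTP request inside it).

Added example, not from the course material. The flow records, rule sets and
helper names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes  # first application-layer bytes of the connection


# Layer 4 policy: (proto, dst_port) -> action. The firewall never looks past the
# transport header, so every request to TCP/80 gets the same answer.
L4_RULES = [
    ("tcp", 80, "allow"),
    ("tcp", 443, "allow"),
    ("tcp", 22, "deny"),
]

ALLOWED_HOSTS = {"shop.example"}   # virtual hosts this edge is willing to serve


def l4_decision(flow, default="deny"):
    for proto, port, action in L4_RULES:
        if flow.proto == proto and flow.dst_port == port:
            return action
    return default


def parse_http_request_line(payload):
    """Return (method, path, host) from a raw HTTP/1.x request, or None if the
    payload is not HTTP (e.g. another protocol tunneled over port 80)."""
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
        if not version.startswith("HTTP/"):
            return None
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "")
        return method, path, host
    except (UnicodeDecodeError, ValueError):
        return None


def l7_decision(flow):
    """Layer 7 policy: inspects method, path and Host. Anything that is not
    parseable HTTP on an HTTP port is rejected, which a Layer 4 rule cannot do."""
    if flow.dst_port not in (80, 443):
        return l4_decision(flow)          # not an HTTP port; fall back to L4
    req = parse_http_request_line(flow.payload)
    if req is None:
        return "deny"                     # non-HTTP bytes on an HTTP port
    method, path, host = req
    if host not in ALLOWED_HOSTS:
        return "deny"
    if path.startswith("/admin"):
        return "deny"
    if method not in ("GET", "HEAD", "POST"):
        return "deny"
    return "allow"


# Constructed flows, all to TCP/80, i.e. identical at Layer 4.
FLOWS = {
    "catalog":   Flow("203.0.113.9", "10.0.1.10", "tcp", 80, b"GET /catalog HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "admin":     Flow("203.0.113.9", "10.0.1.10", "tcp", 80, b"GET /admin/users HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "trace":     Flow("203.0.113.9", "10.0.1.10", "tcp", 80, b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "ssh-on-80": Flow("203.0.113.9", "10.0.1.10", "tcp", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
}


def compare(flows=FLOWS):
    """Return {flow name: (L4 verdict, L7 verdict)}."""
    return {name: (l4_decision(f), l7_decision(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (l4, l7) in compare().items():
        print(f"{name:10s} L4={l4:5s} L7={l7}")
```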

Secure communication/access

Virtual private network (VPN)

  • Virtual private network: A technology that creates an encrypted tunnel across an untrusted network (typically the internet) so that remote users or sites can reach a private network while the confidentiality and integrity of the traffic is protected. The device that terminates the tunnels is often called a VPN concentrator.

Remote access

  • Remote access: A VPN use case in which individual users connect to a private network over the internet, usually through a client that builds the tunnel with SSL/TLS or IPSec, and access resources as if they were physically present at the network's location.

Tunneling

  • Tunneling: A technique that encapsulates one packet inside another so that it can cross an intermediate network that would not otherwise carry it. Encapsulation by itself (GRE, for example) does not encrypt anything; the tunnel is only secure when it is combined with a protocol such as IPSec or TLS that encrypts and authenticates the encapsulated data.
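Encapsulation carried through byte by byte, as an added example that is not part of the course notes: an inner IPv4 packet from a private network is wrapped in a GRE header and an outer IPv4 header with the tunnel endpoints' public addresses, then unwrapped again. The header layouts follow RFC 791 (IPv4) and RFC 2784 (GRE); the function names, the addresses and the sample payload are this example's own. The last line of the demo is the security point: the inner request is readable inside the outer packet, because tunneling without IPSec or TLS is not encryption.

```python
"""Tunneling as encapsulation: an inner IPv4 packet is carried as the payload of
an outer IPv4/GRE packet. Encapsulation alone gives no confidentiality: anyone
on the path can parse the outer packet and read the inner one.

Added example, not from the course material. Header layout follows RFC 791
(IPv4) and RFC 2784 (GRE); function names and addresses are this example's own.
"""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field for an IPv4 payload
IPPROTO_TCP = 6


def ipv4_checksum(header):
    """Standard one's-complement sum over the header (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Build a minimal IPv4 packet (20-byte header, no options)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)                       # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) and verify the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:            # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, proto, packet[ihl:]


def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Wrap inner_packet in a GRE header (flags/version 0, protocol type IPv4)
    and an outer IPv4 header addressed between the tunnel endpoints."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner_packet)


def gre_decapsulate(outer_packet):
    """Strip the outer IPv4 and GRE headers; return the inner packet."""
    _, _, proto, payload = parse_ipv4(outer_packet)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return payload[4:]


# Constructed private-network packet carried over the tunnel.
INNER = build_ipv4("10.1.0.5", "10.2.0.7", IPPROTO_TCP, b"GET /payroll HTTP/1.1\r\n\r\n")
OUTER = gre_encapsulate(INNER, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("outer:", parse_ipv4(OUTER)[:3])
    print("inner:", parse_ipv4(gre_decapsulate(OUTER))[:3])
    # The on-path observer's view: the inner request is in the clear.
    print("plaintext visible in outer packet:", b"/payroll" in OUTER)
```

An on-path observer sees only the public tunnel endpoints in the outer header, but 24 bytes further in it finds the private addresses and the full request. IPSec ESP in tunnel mode encapsulates the same way and then encrypts and authenticates everything after its own header, which is what turns this into a VPN.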

Transport Layer Security (TLS)

  • Transport Layer Security (TLS): A cryptographic protocol that provides confidentiality, integrity and authentication for communication over a network. It is the successor to the older, now deprecated SSL protocol, although the name SSL is still used loosely (e.g. "SSL VPN").

Internet Protocol Security (IPSec)

  • Internet Protocol Security (IPSec): A suite of network-layer security protocols that authenticate the source of IP packets and encrypt their contents. AH (Authentication Header) provides integrity and authentication only; ESP (Encapsulating Security Payload) adds encryption. Either can run in transport mode (protects the payload between two hosts) or tunnel mode (encapsulates the whole original packet, as in a site-to-site VPN). Commonly used to build VPNs.

Software-defined wide area network (SD-WAN)

  • Software-defined wide area network (SD-WAN): Networking technology that uses software-defined networking (SDN) to manage wide area network (WAN) performance.

Secure Access Service Edge (SASE)

  • Secure Access Service Edge (SASE): A cloud-based architecture that integrates network security functions with WAN capabilities to deliver secure, flexible access to users regardless of their location.

Selection of effective controls