Lesson 9 - CertMaster

Lesson Introduction

  • Fundamental cybersecurity concepts include secure baselines, hardening, wireless security, and network access control (NAC).

  • Secure Baselines: Set of standardized security configurations for IT assets (operating systems, networks, applications).

    • Establish a minimum level of security.

  • Hardening: Process of reducing system vulnerabilities.

    • Involves disabling unnecessary services, configuring permissions, applying patches, ensuring secure configurations.

  • Wireless Security: Measures to protect wireless networks from threats.

    • Includes strong encryption (WPA3), enterprise authentication (802.1X/EAP backed by a RADIUS server), and monitoring for rogue access points.

  • NAC: Security solution that enforces policy on devices accessing network resources.

    • Identifies, categorizes, and manages device activities while monitoring compliance with security policies.

  • These concepts provide a multilayered security approach against cyber threats.

Lesson Objectives

  • Describe the importance of secure baselines.

  • Explore device hardening concepts.

  • Summarize wireless network design considerations.

  • Explain wireless security settings.

  • Understand NAC capabilities.

Topic 9A: Network Security Baselines

  • Network Security Baselines: Minimum security controls/configurations.

    • Cover firewall configurations, router/switch security settings, wireless access point configurations, and protocols.

    • Baselines provide a starting point for hardening: disable unnecessary services, change default passwords, enforce secure protocols.

  • Automation: SCAP-compliant tools (OpenSCAP, for example) automate assessment of systems against a baseline and report every deviation, so drift is found by a scan rather than by hand.

Benchmarks and Secure Configuration Guides

  • Secure baselines improve IT security, manageability, and operational efficiency.

  • CIS Benchmarks: Consensus-developed configuration guides from the Center for Internet Security, updated as risks evolve.

    • Cover networks, operating systems, applications.

    • Benchmark recommendations are mapped to compliance frameworks such as PCI DSS and NIST SP 800-53, so a benchmark-based baseline also documents control coverage.

  • STIGs: Security Technical Implementation Guides published by DISA; the standardized security configurations required for Department of Defense (DoD) systems.

Hardening Concepts

  • Manufacturer default settings (default credentials, enabled management services, open ports) are often insecure and publicly documented.

  • Changing the default configuration is the first and most important hardening step.

  • Examples for Switches and Routers:

    • Change default credentials.

    • Disable unnecessary services/interfaces.

    • Use secure management protocols (SSH, HTTPS) instead of Telnet and HTTP.

    • Implement Access Control Lists (ACLs).

    • Enable logging and monitoring.
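
The baseline assessment and the switch/router checklist above come together in an audit script. The following Python example is added here and is not CertMaster material: it parses a constructed Cisco IOS-style running-config excerpt and checks it against the hardening items listed (hashed enable secret, hashed local accounts, SSH-only vty lines behind an ACL, HTTP off and HTTPS on, remote logging, unused interfaces shut down). The config text and the rule set are constructed for illustration; a real baseline would take its rules from a CIS Benchmark or STIG.

```python
"""Audit an IOS-style running-config against a hardening baseline.

Added example, not CertMaster material. The config excerpt and the rule
set are constructed for illustration; replace the rules with the items
from your own baseline (CIS Cisco IOS Benchmark, DISA STIG, or an
internal standard).
"""


# Constructed running-config excerpt. Everything is locked down except
# GigabitEthernet0/3, which is unused but has not been shut down.
RUNNING_CONFIG = """\
hostname edge-sw1
service password-encryption
enable secret 9 $9$constructed-hash
username admin privilege 15 secret 9 $9$constructed-hash
no ip http server
ip http secure-server
logging host 10.0.0.50
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
interface GigabitEthernet0/1
 description UPLINK-CORE
 ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet0/2
 shutdown
interface GigabitEthernet0/3
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""


def parse_blocks(config):
    """Split IOS config text into (header, [sub-commands]) blocks.

    Indented lines belong to the preceding unindented header; '!'
    separators and blank lines are ignored. Plain top-level commands
    become blocks with an empty sub-command list.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return [(rule, 'PASS' | 'FAIL', detail)] for each baseline rule."""
    blocks = parse_blocks(config)
    top = {header for header, _ in blocks}  # top-level commands
    results = []

    def check(rule, ok, detail=""):
        results.append((rule, "PASS" if ok else "FAIL", detail))

    # Privileged-mode password must be the hashed 'enable secret' form.
    check("enable-secret",
          any(h.startswith("enable secret") for h in top)
          and not any(h.startswith("enable password") for h in top))

    # Local accounts must exist and use hashed secrets, not 'password'.
    users = [h for h in top if h.startswith("username ")]
    check("local-users-hashed",
          bool(users) and all(" secret " in u for u in users), "; ".join(users))

    # Management plane: SSH only on every vty line, restricted by an ACL.
    vty = [sub for header, sub in blocks if header.startswith("line vty")]
    check("vty-ssh-only",
          bool(vty) and all("transport input ssh" in sub for sub in vty))
    check("vty-access-class",
          bool(vty) and all(any(cmd.startswith("access-class") for cmd in sub)
                            for sub in vty))

    # Plain HTTP management off, HTTPS on, logs shipped to a collector.
    check("http-disabled", "no ip http server" in top)
    check("https-enabled", "ip http secure-server" in top)
    check("remote-logging", any(h.startswith("logging host") for h in top))

    # Unused interfaces must be shut down. Simplification: an interface
    # with no address, description or switchport config counts as unused.
    unused_up = []
    for header, sub in blocks:
        if header.startswith("interface "):
            configured = any(cmd.startswith(("ip address", "description", "switchport"))
                             for cmd in sub)
            if not configured and "shutdown" not in sub:
                unused_up.append(header.split(" ", 1)[1])
    check("unused-interfaces-shut", not unused_up, ", ".join(unused_up))

    return results


if __name__ == "__main__":
    for rule, status, detail in audit(RUNNING_CONFIG):
        print(f"{status:4} {rule:24} {detail}")
```

Run against the sample, every rule passes except unused-interfaces-shut, which names GigabitEthernet0/3. The point of keeping the rules as small predicates over parsed blocks is that the same script runs unchanged against a config pulled from every device, which is what turns a baseline document into an enforced baseline.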

Topic 9B: Network Security Capability Enhancement

  • Key Components: Firewalls, IDS, IPS, web filters.

  • Firewalls: Control incoming/outgoing traffic to create a barrier between trusted and untrusted networks.

  • Intrusion Detection Systems (IDS): Monitor for signs of incidents.

    • Alert administrators of suspicious activities.

  • Intrusion Prevention Systems (IPS): Sit inline and act on detected threats in real time, for example dropping packets or resetting connections, rather than only alerting.

  • Web Filters: Control access to Internet content, preventing malware infections and ensuring compliance.
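
To make the IDS/IPS distinction concrete, here is an added Python example (not CertMaster material) that runs a threshold rule over constructed firewall deny logs: it raises an alert when one source hits many distinct ports on one host inside a short window (a port scan), which is the IDS part, and then turns each alert into a timed block entry, which is the kind of action an inline IPS takes. The log format, addresses and thresholds are all constructed for the example.

```python
"""Threshold-based port-scan detection over firewall deny logs.

Added example, not CertMaster material. The log format and the lines
below are constructed; the rule (one source reaching many distinct ports
on one host within a short window) is the kind of signal an IDS raises
and an IPS acts on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deny log: 203.0.113.5 sweeps ports on 10.0.0.8 in a few
# seconds, while 198.51.100.7 only retries SSH and should not alert.
FIREWALL_LOG = """\
2024-05-01T10:00:01 DENY tcp 203.0.113.5 -> 10.0.0.8:21
2024-05-01T10:00:01 DENY tcp 203.0.113.5 -> 10.0.0.8:22
2024-05-01T10:00:02 DENY tcp 203.0.113.5 -> 10.0.0.8:23
2024-05-01T10:00:02 DENY tcp 198.51.100.7 -> 10.0.0.8:22
2024-05-01T10:00:02 DENY tcp 203.0.113.5 -> 10.0.0.8:25
2024-05-01T10:00:03 DENY tcp 203.0.113.5 -> 10.0.0.8:80
2024-05-01T10:00:03 DENY tcp 198.51.100.7 -> 10.0.0.8:22
2024-05-01T10:00:04 DENY tcp 203.0.113.5 -> 10.0.0.8:443
2024-05-01T10:00:05 DENY tcp 203.0.113.5 -> 10.0.0.8:3389
2024-05-01T10:00:30 DENY tcp 198.51.100.7 -> 10.0.0.8:22
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, action, proto, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": dst_ip, "port": int(dst_port)}


def detect_port_scans(log_text, window=timedelta(seconds=10), threshold=5):
    """Alert when one source hits >= threshold distinct ports on one host
    within `window`. Returns one alert per (src, dst) pair."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(list)  # (src, dst) -> [(ts, port), ...] inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e["action"] != "DENY":
            continue
        key = (e["src"], e["dst"])
        hits = recent[key] + [(e["ts"], e["port"])]
        # keep only hits that are still inside the sliding window
        recent[key] = hits = [(t, p) for t, p in hits if e["ts"] - t <= window]
        ports = {p for _, p in hits}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": e["src"], "dst": e["dst"], "ports": sorted(ports),
                           "first": hits[0][0], "last": e["ts"]})
    return alerts


def ips_action(alerts, block_seconds=600):
    """IPS-style response: a drop rule per alerting source, with an expiry
    so a spoofed burst cannot lock a legitimate address out forever."""
    return {a["src"]: {"action": "drop",
                       "until": a["last"] + timedelta(seconds=block_seconds)}
            for a in alerts}


if __name__ == "__main__":
    found = detect_port_scans(FIREWALL_LOG)
    for a in found:
        print(f"scan from {a['src']} against {a['dst']}: ports {a['ports']}")
    print(ips_action(found))
```

The window and threshold are the tuning knobs: too low and the retrying SSH client becomes a false positive, too high and a slow scan walks underneath the rule. The expiry on the block is the caveat that separates a usable IPS rule from a self-inflicted denial of service.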

Access Control Lists (ACL)

  • ACLs are ordered lists of rules bound to a network interface (inbound or outbound) that permit or deny the traffic passing through it.

  • Rules match on source/destination IP address, protocol, and port; they are evaluated top-down, the first match wins, and anything that matches no rule is dropped by the implicit deny at the end of the list.

  • Firewalls use similar rules to manage network traffic effectively.
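
The ordering rules are where ACL mistakes happen, so here is an added Python example (not CertMaster material) that evaluates packets against a constructed ACL exactly as a router or firewall does: top-down, first match wins, implicit deny at the end. It also flags a rule that can never match because an earlier, broader rule already covers it. The rule syntax, addresses and the shadowed deny are constructed for the example; real devices use their own syntax (wildcard masks, object groups) but share these semantics.

```python
"""Evaluate packets against an ordered ACL the way a router or firewall does.

Added example, not CertMaster material. Rule syntax, addresses and packets
are constructed; the semantics (top-down, first match wins, implicit deny)
are the ones routers and firewalls share.
"""
import ipaddress

# Constructed ACL, one rule per line: action proto src dst [dst-port].
# The final deny is deliberately placed after a broader permit, so it
# never matches: the classic shadowed-rule mistake.
ACL_TEXT = """\
permit tcp 10.0.0.0/24 10.1.1.10/32 22
deny   tcp any 10.1.1.10/32 22
permit tcp any 10.1.1.0/24 443
permit udp 10.0.0.0/8 10.1.1.53/32 53
permit ip 10.0.0.0/8 any
deny   ip 10.0.5.0/24 any
"""


def parse_acl(text):
    """Parse the constructed syntax into rule dicts; 'any' becomes None."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("!"):
            continue
        action, proto, src, dst = parts[:4]
        rules.append({
            "line": n, "action": action, "proto": proto,
            "src": None if src == "any" else ipaddress.ip_network(src),
            "dst": None if dst == "any" else ipaddress.ip_network(dst),
            "port": int(parts[4]) if len(parts) > 4 else None,
        })
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, matched_line); line 0 is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):     # 'ip' rules match every protocol
            continue
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"], r["line"]           # first match wins
    return "deny", 0                            # implicit deny at the end


def shadowed_rules(rules):
    """Return [(shadowed_line, covering_line)] for rules that can never match.

    Simplified check: an earlier rule covers a later one when its protocol
    and port are at least as broad and its networks contain the later
    rule's networks ('any' contains everything).
    """
    def covers(wide, narrow):
        return wide is None or (narrow is not None and narrow.subnet_of(wide))

    shadowed = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e["proto"] in ("ip", r["proto"])
                    and e["port"] in (None, r["port"])
                    and covers(e["src"], r["src"]) and covers(e["dst"], r["dst"])):
                shadowed.append((r["line"], e["line"]))
                break
    return shadowed


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in [("tcp", "10.0.0.5", "10.1.1.10", 22),
                ("tcp", "192.168.1.5", "10.1.1.10", 22),
                ("tcp", "10.0.5.7", "8.8.8.8", 80),
                ("icmp", "192.168.1.1", "10.1.1.10", None)]:
        print(pkt, "->", evaluate(acl, *pkt))
    print("shadowed:", shadowed_rules(acl))
```

Note the packet from 10.0.5.7 to 8.8.8.8: the administrator's intent was to block that subnet with rule 6, but rule 5 permits it first, which is exactly what the shadow check reports. Moving the deny above the broad permit fixes it; the same check applies to firewall rule bases, which are evaluated the same way.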

Wireless Network Considerations

  • WAP Configuration: Ensure adequate coverage so users are not tempted to plug in unauthorized (rogue) access points of their own.

    • Prefer the 5 GHz band: it offers many nonoverlapping channels, whereas 2.4 GHz has only three (1, 6, and 11), so interference between neighboring WAPs is easier to avoid.

    • Site Surveys: Measure signal strength and channel usage to optimize WAP placement.

    • Produce heat maps to visualize signal strength and coverage.

Wireless Security Settings

  • Security Standards: Determine supported cryptographic protocols and authentication methods.

  • WPA Evolution: WPA3 improves on WPA2 by replacing pre-shared key authentication with SAE (Simultaneous Authentication of Equals), so a captured handshake cannot be attacked offline with a password dictionary, and by making Protected Management Frames mandatory.

  • WPS Vulnerabilities: The WPS PIN method is susceptible to brute force. The 8-digit PIN's last digit is a checksum, and vulnerable registrars confirm the two halves of the PIN separately, so an attacker needs at most about 11,000 guesses rather than 10^7. Disable WPS where possible.
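
The arithmetic behind the WPS weakness is easier to see in code. The following is an added Python example, not CertMaster material: wps_checksum() implements the checksum rule the WPS specification defines for the eighth PIN digit, and ConstructedRegistrar is a toy stand-in (no real protocol messages) for an access point that reveals separately whether each half of the PIN is right, which is what makes the search collapse from 10^7 to 10,000 + 1,000. The PIN 12345670 is a constructed test value.

```python
"""Why the WPS PIN method is brute-forceable.

Added example, not CertMaster material. wps_checksum() is the checksum
rule the WPS specification defines for the eighth PIN digit. The
registrar class is a toy stand-in (no real protocol messages) for an
access point that, as vulnerable implementations do, confirms separately
whether the first four and the last four PIN digits are correct.
"""


def wps_checksum(pin7):
    """Checksum digit for a 7-digit PIN body (string or int)."""
    n = int(pin7)
    acc = 0
    while n:
        acc += 3 * (n % 10)   # digits from the right alternate weights 3, 1
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin8):
    """True when the last digit of an 8-digit PIN is the checksum of the first 7."""
    s = str(pin8)
    return len(s) == 8 and s.isdigit() and int(s[7]) == wps_checksum(s[:7])


class ConstructedRegistrar:
    """Toy AP registrar: validates the two PIN halves independently."""

    def __init__(self, pin8):
        assert is_valid_wps_pin(pin8)
        self._first, self._second = pin8[:4], pin8[4:]
        self.attempts = 0

    def first_half_ok(self, half):
        self.attempts += 1
        return half == self._first

    def second_half_ok(self, half):
        self.attempts += 1
        return half == self._second


def recover_pin(registrar):
    """Guess the first half (<= 10,000 tries), then the second half.

    The second half has only 3 free digits because the eighth digit is
    the checksum of the other seven, so it takes <= 1,000 tries.
    """
    first = next(h for h in (f"{i:04d}" for i in range(10_000))
                 if registrar.first_half_ok(h))
    for j in range(1_000):
        body = first + f"{j:03d}"
        second = f"{j:03d}{wps_checksum(body)}"
        if registrar.second_half_ok(second):
            return first + second
    return None


def worst_case_attempts(split_validation):
    """10,000 + 1,000 with split validation; 10**7 if the PIN were checked whole."""
    return 10_000 + 1_000 if split_validation else 10**7


if __name__ == "__main__":
    ap = ConstructedRegistrar("12345670")
    print(recover_pin(ap), "after", ap.attempts, "attempts;",
          "worst case", worst_case_attempts(True), "vs", worst_case_attempts(False))
```

Rate limiting or lockout after a few failed PINs reduces the practical risk, but the structural weakness remains, which is why the setting is disabled rather than tuned.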

Advanced Authentication Techniques

  • 802.1X Authentication: Port-based network access control. The supplicant (client) authenticates with EAP through the authenticator (switch or wireless AP), which relays the exchange to a RADIUS authentication server and opens the port only on success.

  • Dynamic key management: the keys for each session are derived from the EAP exchange, so every client gets its own encryption keys instead of sharing a single pre-shared key.

Network Access Control (NAC)

  • NAC ensures device compliance with security policies before granting network access.

  • Evaluates device status (OS version, patch level) and restricts access as necessary.

  • Supports BYOD policies and integrates with VLANs, for example placing noncompliant devices in a remediation VLAN that reaches only patch and update servers.

  • Agent vs. Agentless Configurations:

    • Agent-based: Software agents installed to provide compliance info.

    • Agentless: Uses DHCP fingerprinting or network scans to evaluate devices that cannot run an agent (printers, phones, IoT), at the cost of far less detail than an agent reports.
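
The NAC decision logic above, and the 802.1X/RADIUS hand-off from the previous section, look like the following. This is an added Python example, not CertMaster material: it takes a constructed device inventory, applies a constructed posture policy (minimum OS build, patch age, endpoint protection running) to agent-reported devices, classifies agentless devices by DHCP fingerprint only, and emits the VLAN assignment as the RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 3580) a RADIUS server would return to the switch. Thresholds, fingerprints, MAC addresses and VLAN numbers are all constructed.

```python
"""NAC posture check: decide which VLAN a device gets and why.

Added example, not CertMaster material. The policy thresholds, device
records, DHCP fingerprints and VLAN numbers are constructed. The RADIUS
attribute names returned at the end are the standard ones a RADIUS
server sends to place an 802.1X port in a VLAN (RFC 3580).
"""
from datetime import date

# Constructed policy: minimum OS build per platform, maximum patch age.
POLICY = {
    "min_os": {"Windows": (10, 0, 19045), "macOS": (14, 0, 0), "Ubuntu": (22, 4, 0)},
    "max_patch_age_days": 30,
}
VLANS = {"production": 100, "remediation": 200, "iot": 300, "guest": 400}

# Constructed DHCP option-55 fingerprints for device classes that cannot
# run an agent and are allowed onto the IoT VLAN (values are illustrative).
KNOWN_AGENTLESS_PROFILES = {
    "1,3,6,15,66,67,120": "voip-phone",
    "1,3,6,12,15,28,42": "printer",
}

DEVICES = [  # constructed sample inventory
    {"mac": "00:11:22:33:44:01", "source": "agent", "os": "Windows",
     "os_version": "10.0.19045", "last_patched": "2024-04-20", "av_running": True},
    {"mac": "00:11:22:33:44:02", "source": "agent", "os": "Windows",
     "os_version": "10.0.18363", "last_patched": "2024-01-15", "av_running": False},
    {"mac": "00:11:22:33:44:03", "source": "agentless",
     "dhcp_fingerprint": "1,3,6,15,66,67,120"},
    {"mac": "00:11:22:33:44:04", "source": "agentless",
     "dhcp_fingerprint": "1,3,6,15,31,33,43,44,46,47,119,121,249,252"},
]


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def evaluate_posture(device, today, policy=POLICY):
    """Return (vlan_name, reasons). Agent data gets a full posture check;
    agentless devices are classified by DHCP fingerprint only."""
    if device["source"] != "agent":
        profile = KNOWN_AGENTLESS_PROFILES.get(device.get("dhcp_fingerprint"))
        if profile:
            return "iot", [f"agentless, fingerprint matches {profile}"]
        return "guest", ["agentless, unknown DHCP fingerprint"]

    reasons = []
    os_name, version = device["os"], parse_version(device["os_version"])
    minimum = policy["min_os"].get(os_name)
    if minimum is None:
        reasons.append(f"unsupported OS {os_name}")
    elif version < minimum:
        reasons.append(f"{os_name} {device['os_version']} below minimum build")

    patch_age = (today - date.fromisoformat(device["last_patched"])).days
    if patch_age > policy["max_patch_age_days"]:
        reasons.append(f"last patched {patch_age} days ago")

    if not device.get("av_running", False):
        reasons.append("endpoint protection not running")

    return ("production" if not reasons else "remediation"), reasons


def radius_vlan_attributes(vlan_name, vlans=VLANS):
    """Attributes a RADIUS server returns to place the port in that VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlans[vlan_name])}


def decide_all(devices=DEVICES, today=date(2024, 5, 1)):
    """Map each MAC to (vlan_name, reasons, radius_attributes)."""
    decisions = {}
    for dev in devices:
        vlan, reasons = evaluate_posture(dev, today)
        decisions[dev["mac"]] = (vlan, reasons, radius_vlan_attributes(vlan))
    return decisions


if __name__ == "__main__":
    for mac, (vlan, reasons, attrs) in decide_all().items():
        print(mac, vlan, attrs["Tunnel-Private-Group-ID"], "; ".join(reasons))
```

Two design points worth noticing: the reasons list is returned alongside the decision so the remediation portal can tell the user what to fix, and an unknown agentless device lands in the guest VLAN rather than production, because a DHCP fingerprint is easy to imitate and should never earn trusted access on its own.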

Conclusion

  • Enhancing network security capabilities is essential for protecting sensitive data and maintaining IT infrastructure integrity.

  • Follow guidelines like selecting secure baselines, auditing networks, and implementing NAC to enhance security.