SY0-701 Security Architecture Study Guide for the CompTIA Security+
Page 2
Applying Security Principles
To ensure the security of a network and its infrastructure, multiple factors should be considered pertaining to both the physical and logical components of the network. Questions pertaining to this section will be in scenario form and will apply to securing an enterprise infrastructure.
Infrastructure Considerations
Securing a network's infrastructure includes factors pertaining to the physical environment of the network, how the network communicates with external networks, and vulnerabilities that may be present throughout the infrastructure.
Device Placement
Device placement in a network infrastructure is vital to the security of the network and can be applied to both physical and logical device placement. For example, physical devices may be placed in a secure area, while logical connections may be segmented or placed on a virtual local area network (VLAN).
Security Zones
A security zone is a network segment separated from other segments by an enforcement point, such as a firewall, and governed by its own access policy. Security zones may be physical, such as an air-gapped network with no connection to other zones, or logical, such as a VLAN or a dedicated firewall interface. For example, a guest wireless network may be placed in its own security zone so that guest traffic cannot reach internal resources.
Attack Surface
An attack surface is the sum of the points on a device, system, or network through which a threat actor could attempt to gain access: open ports, exposed services and APIs, user accounts, management interfaces, and the software and firmware behind them. To secure a network, the attack surface should be reduced as much as possible (disable unused services, close unneeded ports, remove unneeded accounts) while still providing the required availability.
Connectivity
Connectivity refers to how a network connects to other outside networks, such as the internet. Connectivity considerations include the method through which connections occur, including both wired and wireless connection methods. Wired considerations include the type of wire medium used, while wireless considerations include the protocols used and their related vulnerabilities.
Failure Modes
A failure mode describes what a device or system does when it fails, loses power, or cannot reach a dependency such as an authentication server. There are two primary failure modes, fail-open and fail-closed, and the choice between them is a deliberate trade-off between availability and security.
Fail-Open
When the failure mode is set to fail-open, all traffic is allowed through while the device is down. Availability is preserved, but every control the device enforced is bypassed for the duration of the failure, which an attacker who can trigger the failure may exploit.
Fail-Closed
When the failure mode is set to fail-closed, all traffic is blocked until the device recovers. Security is preserved, but a failure becomes an outage, so fail-closed devices need redundancy and monitoring so that failures are detected and repaired quickly.
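The same decision appears in software whenever a security check depends on a backend that can fail. The following added example (not part of the study guide) shows an access check written both ways against a hypothetical, constructed policy backend named PolicyStore; a failed backend turns the fail-open version into a bypass while the fail-closed version denies everyone until the backend recovers.

```python
"""Fail-open vs. fail-closed, shown on a software access check.

Constructed example: `PolicyStore` stands in for an external authorization
backend (a RADIUS server, a policy engine, an inline filter) that can go down.
"""
from dataclasses import dataclass, field


class PolicyServiceUnavailable(Exception):
    """Raised when the backend that holds the policy cannot be reached."""


@dataclass
class PolicyStore:
    """Hypothetical policy backend. `allowed` maps user -> set of resources."""
    allowed: dict = field(default_factory=dict)
    healthy: bool = True

    def is_allowed(self, user: str, resource: str) -> bool:
        if not self.healthy:
            raise PolicyServiceUnavailable("policy backend timed out")
        return resource in self.allowed.get(user, set())


def check_access_fail_open(store: PolicyStore, user: str, resource: str) -> bool:
    """Fail-open: if the check itself errors, access is granted.

    Availability is preserved, but an outage (or an attacker who can cause
    one, e.g. by flooding the policy backend) becomes a bypass.
    """
    try:
        return store.is_allowed(user, resource)
    except PolicyServiceUnavailable:
        return True


def check_access_fail_closed(store: PolicyStore, user: str, resource: str) -> bool:
    """Fail-closed: if the check itself errors, access is denied.

    Security is preserved at the cost of an outage for everyone while the
    backend is down, so the failure must be visible (logged and alerted).
    """
    try:
        return store.is_allowed(user, resource)
    except PolicyServiceUnavailable:
        return False


def compare(user: str, resource: str) -> dict:
    """Run both strategies against a healthy and a failed backend."""
    store = PolicyStore(allowed={"alice": {"payroll"}})   # constructed policy
    results = {}
    for state in ("healthy", "down"):
        store.healthy = state == "healthy"
        results[state] = {
            "fail_open": check_access_fail_open(store, user, resource),
            "fail_closed": check_access_fail_closed(store, user, resource),
        }
    return results


if __name__ == "__main__":
    for state, verdicts in compare("mallory", "payroll").items():
        print(state, verdicts)
```

Run it and the unauthorized user "mallory" is denied by both variants while the backend is healthy, but is admitted by the fail-open variant as soon as the backend is down. Note that a fail-closed check still needs the exception to be logged; silently returning False hides the outage from operations.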
Device Attribute
Device attributes are the properties that describe how a device interacts with the network, including whether it acts on traffic or only observes it and whether it sits in the traffic path or alongside it.
Active vs. Passive
An active device interacts with network traffic and can act on it, for example by blocking, modifying, or responding to packets. A passive device only observes and collects traffic; it cannot alter or stop it, and its presence is not visible to the endpoints whose traffic it monitors.
Inline vs. Tap/Monitor
An inline device sits directly in the network data path, so all traffic passes through it. This lets it block or modify traffic, but it also adds latency and becomes a point of failure, which is why its failure mode (fail-open or fail-closed) must be chosen deliberately. A network tap or a switch monitor (SPAN) port copies traffic to a device located outside of the data path; such a device can only collect and analyze the copied traffic, cannot block it, and does not interrupt the network if it fails.
Network Appliances
A network appliance is any hardware or software device integrated into the network configuration, such as a load balancer, switch, jump box, or proxy server. Hardening each appliance and applying secure networking practices to it adds another layer of security to the network.
Jump Server
A jump server (jump box) is a hardened server through which authorized users cross between security zones, for example from a user network into a management network, so that the protected zone accepts administrative connections only from the jump server. Jump servers should be hardened, restricted to strong (ideally multifactor) authentication, monitored, and configured to create a complete audit trail of activity. The audit trail should be forwarded to a separate location so that it survives if the jump server itself is compromised.
Proxy Server
A proxy server accepts requests from clients and forwards them on their behalf through a central point, where it can filter, modify, log, or cache the data. A forward proxy sits between internal clients and external servers: it receives the clients' requests and sends them on, so the server sees the proxy's address rather than the client's. Forward proxies are used to apply outbound content filtering and logging, and also to anonymize the client, potentially bypassing IP-based or geographic restrictions. A reverse proxy sits in front of one or more servers and accepts client requests on their behalf; it is used for load balancing, content caching, TLS termination, and hiding the internal server topology from clients.
Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
An IDS is a security device that monitors a network for anomalies and known threat signatures. It is a passive control: it receives a copy of the traffic (from a tap or monitor port) outside of the primary traffic stream and generates alerts on potential threats, but it cannot stop them. An IPS performs similar detection but sits inline within the primary traffic stream and can take action on potential threats, such as dropping packets or resetting the connection. Because an IPS is inline, a false positive blocks legitimate traffic, and the device's failure mode matters.
Load Balancer
A load balancer is a hardware or software device that fronts a pool of resources, such as web servers, and distributes incoming traffic across them. It typically performs health checks and stops sending traffic to a resource that fails. This increases reliability and availability by avoiding overloading a single resource and by moving traffic off of a failed resource.
Sensors
In the network setting, a sensor is any device or appliance that can be used to collect data about a network, such as physical environment data or network traffic data.
Port Security
Port security, as a concept, is the process of hardening logical or physical switch ports against threats by managing port access and port protocols. Port security, as a technical term, is a switch feature that limits the number of media access control (MAC) addresses permitted on a single switch port and optionally pins the port to specific addresses (statically configured or "sticky" learned). When the limit is exceeded, the switch applies a configured violation action, typically dropping the offending frames, logging the violation, or shutting the port down. This defeats MAC flooding attacks that try to overflow the switch's address table and limits what an unauthorized device plugged into the port can do.
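To make the limit-and-violation behaviour concrete, here is an added example (not from the study guide) that models a secured switch port in Python. The three violation modes follow the protect/restrict/shutdown behaviour commonly found on managed switches; the exact counters and log formats differ by vendor, and the MAC addresses and the mac_flood helper are constructed for the demonstration.

```python
"""Switch port security (MAC address limiting) modelled in Python.

Added example, not from the study guide. The three violation modes mirror the
behaviour commonly found on managed switches (protect / restrict / shutdown);
exact counters and log formats differ per vendor.
"""
from enum import Enum


class Violation(Enum):
    PROTECT = "protect"    # silently drop frames from unknown MACs
    RESTRICT = "restrict"  # drop, increment the violation counter (and alert)
    SHUTDOWN = "shutdown"  # put the port into err-disabled state


class SecurePort:
    def __init__(self, max_macs: int = 1, violation: Violation = Violation.SHUTDOWN,
                 static_macs=()):
        self.max_macs = max_macs
        self.violation = violation
        # Statically configured MACs count toward the limit, like learned ones.
        self.allowed = {m.lower() for m in static_macs}
        self.err_disabled = False
        self.violations = 0

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from `src_mac` is forwarded."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False
        if src_mac in self.allowed:
            return True
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)      # dynamic learning up to the limit
            return True
        # Limit exceeded: apply the configured violation action.
        if self.violation is not Violation.PROTECT:
            self.violations += 1
        if self.violation is Violation.SHUTDOWN:
            self.err_disabled = True
        return False

    def clear(self):
        """Administrator recovery, e.g. 'shutdown' / 'no shutdown' on the port."""
        self.err_disabled = False


def mac_flood(port: SecurePort, count: int) -> int:
    """Simulate a CAM-table flooding tool sending `count` frames with distinct
    source MACs; return how many frames the port actually forwarded."""
    forwarded = 0
    for i in range(count):
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if port.receive(fake):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    p = SecurePort(max_macs=2, violation=Violation.SHUTDOWN)
    print("printer:", p.receive("AA:BB:CC:00:00:01"))
    print("laptop:", p.receive("AA:BB:CC:00:00:02"))
    print("third MAC:", p.receive("AA:BB:CC:00:00:03"), "err-disabled:", p.err_disabled)
```

The shutdown mode is the most secure but also the most disruptive: once the third MAC appears, the legitimate printer and laptop lose connectivity too until an administrator clears the port. Protect mode silently drops the flood without any record, which is why restrict (drop and count) is usually preferred where an outage is unacceptable.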
802.1X
The Institute of Electrical and Electronics Engineers (IEEE) produces the 802 family of standards for wired and wireless local area networking. IEEE 802.1X is the standard for port-based network access control: a device connecting to a switch port or wireless access point (the supplicant) must authenticate through that switch or access point (the authenticator) to an authentication server before the port passes anything other than authentication traffic.
Extensible Authentication Protocol (EAP)
802.1X uses the EAP framework to carry authentication between the supplicant and an authentication server, usually a Remote Authentication Dial-In User Service (RADIUS) server; the authenticator relays the EAP messages and opens the port only when the server accepts. The various EAP methods offer differing levels of security and functionality. For example, EAP-FAST is a Cisco-developed method designed primarily for roaming devices that need fast re-authentication. It establishes a TLS tunnel using a Protected Access Credential (PAC), a symmetric shared secret provisioned to the client, rather than a client certificate. EAP-TLS provides mutual, certificate-based authentication: both the client device and the server present certificates, and the TLS handshake yields the keying material for the session. EAP-TLS is the strongest common method but is harder to manage on large networks because every client needs a certificate. EAP-TTLS reduces that overhead by requiring a certificate only on the server; the client authenticates with other credentials, such as a username and password, inside the TLS tunnel. However, EAP-TTLS may require additional supplicant software to be installed on the client device.
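The following added example (not from the study guide) models the three 802.1X roles in Python: a RADIUS-style authentication server, an authenticator whose controlled port stays closed until Access-Accept, and supplicants using EAP-TLS (client certificate) or EAP-TTLS (password inside the tunnel). The TLS handshakes and RADIUS packet formats are not reproduced; the credential store, port names, and VLAN numbers are constructed for the demonstration.

```python
"""Simplified model of IEEE 802.1X port-based network access control.

Added example, not from the study guide. It models the three roles
(supplicant, authenticator, authentication server) and the
controlled/uncontrolled port split. Real EAP exchanges involve TLS handshakes
and RADIUS packets that are not reproduced here; credential stores and VLAN
numbers are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AuthenticationServer:
    """Stand-in for the RADIUS server that terminates EAP."""
    trusted_client_certs: set = field(default_factory=set)   # EAP-TLS: client cert subjects
    passwords: dict = field(default_factory=dict)            # EAP-TTLS: inner credentials
    vlan_for_identity: dict = field(default_factory=dict)    # dynamic VLAN assignment
    default_vlan: int = 10

    def authenticate(self, method: str, identity: str, credential: str):
        """Return ("Access-Accept", vlan) or ("Access-Reject", None)."""
        if method == "EAP-TLS":
            # Mutual certificate authentication: the client must present a cert
            # the server trusts (the client likewise validates the server's cert).
            ok = credential in self.trusted_client_certs
        elif method == "EAP-TTLS":
            # Only the server has a certificate; the client's username/password
            # travel inside the TLS tunnel and are checked here.
            ok = self.passwords.get(identity) == credential
        else:
            ok = False   # unsupported/unsafe method: reject
        if not ok:
            return "Access-Reject", None
        return "Access-Accept", self.vlan_for_identity.get(identity, self.default_vlan)


class Authenticator:
    """Switch or access point. It never sees the credentials; it relays EAP
    and opens the controlled port only on Access-Accept."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized: dict = {}   # port -> assigned VLAN

    def forward(self, port: str, frame_type: str) -> bool:
        # Uncontrolled port: EAPOL always passes so authentication can happen.
        if frame_type == "EAPOL":
            return True
        # Controlled port: all other traffic is dropped until authorized.
        return port in self.authorized

    def on_eap_response(self, port: str, method: str, identity: str, credential: str) -> str:
        result, vlan = self.server.authenticate(method, identity, credential)
        if result == "Access-Accept":
            self.authorized[port] = vlan
        else:
            self.authorized.pop(port, None)   # a failed (re)authentication closes the port
        return result

    def link_down(self, port: str):
        """A cable pull clears the authorized state; the next device must re-authenticate."""
        self.authorized.pop(port, None)


def build_lab() -> Authenticator:
    """Constructed lab: one RADIUS server, one switch."""
    radius = AuthenticationServer(
        trusted_client_certs={"CN=laptop-42,OU=Workstations"},
        passwords={"bob": "correct horse battery staple"},
        vlan_for_identity={"bob": 20},
    )
    return Authenticator(radius)


if __name__ == "__main__":
    sw = build_lab()
    print("before auth, IP passes:", sw.forward("Gi1/0/1", "IP"))
    print(sw.on_eap_response("Gi1/0/1", "EAP-TLS", "laptop-42", "CN=laptop-42,OU=Workstations"))
    print("after auth, IP passes:", sw.forward("Gi1/0/1", "IP"), "VLAN", sw.authorized["Gi1/0/1"])
```

Two points the model makes visible: the authenticator is a relay that enforces the server's decision without ever holding credentials, and the decision can carry attributes (here a VLAN) so that the same physical port lands different users in different security zones.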
Firewall Types
Firewalls are widely used security devices and can be used on multiple network devices, services, and systems. Placing firewalls on multiple networking devices bolsters the network by facilitating defense in depth (DiD).
Web Application Firewall (WAF)
A WAF is a firewall designed to intercept and analyze web (HTTP/HTTPS) traffic at the application layer, including requests to application programming interfaces (APIs). It parses each request and looks for application attacks such as SQL injection and cross-site scripting in the URL, headers, and body, which a port-based firewall cannot see. A WAF can run in monitoring mode or, like an IPS, inline to block potentially malicious requests.
Unified Threat Management (UTM)
UTM devices are security appliances that offer firewall protection, IPS, IDS, anti-malware, content filtering, data loss prevention (DLP), virtual private network (VPN) termination, and analytic capabilities in a single device. They are usually deployed at the network edge, often by small and medium-sized organizations that want one managed device rather than several. Multiple UTMs can report to a centrally managed interface that compiles their data.
Next-Generation Firewall (NGFW)
An NGFW consolidates several security capabilities, well beyond a simple packet-filtering firewall, into one device. In addition to stateful filtering, an NGFW provides deep packet inspection, application awareness (identifying and controlling traffic by application rather than only by port), integrated IPS/IDS, and antivirus and anti-malware protection, and it can often integrate with user identity sources so that rules refer to users and groups.
Layer 4/Layer 7
In terms of the OSI model, a Layer 4 device operates at the transport layer: it makes decisions based on IP addresses, TCP/UDP ports, and connection state, so it can permit port 443 to a web server but cannot tell what is inside the requests. A Layer 7 device operates at the application layer: it understands the application protocol (HTTP, DNS, and so on) and can filter or route on application content, such as a URL path, a hostname, or a malicious payload. Layer 7 inspection is more powerful but more expensive, and it requires access to the plaintext, which for TLS traffic means terminating or intercepting the TLS session.
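The difference between the two layers, and what a WAF adds over a port-based firewall, is easiest to see on the same packet. This added example (not from the study guide) runs a Layer 4 rule and a small HTTP-aware Layer 7 check over constructed requests; the rule set, the three attack signatures, and the sample packets are all constructed for illustration, and a real WAF uses a far larger maintained signature set plus anomaly scoring.

```python
"""Layer 4 vs. Layer 7 filtering applied to the same constructed packets.

Added example, not from the study guide. The request samples, the rule set
and the attack signatures are constructed for illustration; a production WAF
uses far larger, maintained signature sets plus anomaly scoring.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus, urlsplit


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # application data, if any


# Layer 4 policy: (protocol, destination port) pairs that are permitted.
L4_ALLOW = {("tcp", 80), ("tcp", 443)}

# Layer 7 signatures for an HTTP-aware filter (WAF). Deliberately small.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$", re.I),
    "xss": re.compile(r"<\s*script|javascript:", re.I),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
}


def layer4_verdict(pkt: Packet) -> str:
    """A Layer 4 device only looks at the transport header."""
    return "allow" if (pkt.proto, pkt.dst_port) in L4_ALLOW else "deny"


def layer7_verdict(pkt: Packet) -> str:
    """An HTTP-aware (Layer 7) device parses the request and inspects its content."""
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
        if not version.startswith("HTTP/"):
            raise ValueError("not HTTP")
    except (UnicodeDecodeError, ValueError):
        return "deny:malformed"           # fail closed on anything we cannot parse
    parts = urlsplit(target)
    # Decode before matching so %27 / + encodings cannot hide the payload.
    text = unquote_plus(parts.path) + " " + unquote_plus(parts.query)
    for name, pattern in SIGNATURES.items():
        if pattern.search(text):
            return f"deny:{name}"
    return "allow"


def inspect(pkt: Packet) -> dict:
    return {"layer4": layer4_verdict(pkt), "layer7": layer7_verdict(pkt)}


# Constructed samples: same 5-tuple, different application content.
BENIGN = Packet("203.0.113.5", "192.0.2.10", "tcp", 80,
                b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n")
SQLI = Packet("203.0.113.5", "192.0.2.10", "tcp", 80,
              b"GET /products?id=42%27+OR+1%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n")
TRAVERSAL = Packet("203.0.113.5", "192.0.2.10", "tcp", 80,
                   b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n")
TELNET = Packet("203.0.113.5", "192.0.2.10", "tcp", 23, b"login: ")

if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN), ("sqli", SQLI), ("traversal", TRAVERSAL), ("telnet", TELNET)]:
        print(label, inspect(pkt))
```

The Layer 4 rule allows the injection and traversal requests because they arrive on a permitted port; only the Layer 7 check, which decodes the URL and reads it, can tell them apart from the benign request. The decode-before-match step matters: matching the raw "%27+OR+1%3D1" would miss the payload.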
Secure Communication/Access
A network’s primary function is to provide communications between devices and systems within the network as well as with external networks. To secure a network, access and communications need to be protected, which can be achieved using multiple methods and techniques.
Virtual Private Network (VPN)
A VPN is a logical method of establishing a secure network link between endpoints over an untrusted public network, such as the internet. Traffic between the endpoints is encrypted and integrity-protected so that it cannot be read or modified by anyone on the public path. There are two primary types of VPNs based on different security technologies: IPSec VPNs and SSL/TLS VPNs.
Remote Access
VPNs can be designed for either remote access or site-to-site access. A remote access VPN connects an individual user's device to the network and is typically established on an as-needed basis rather than always on. A site-to-site VPN connects different locations or sites to each other through gateway devices and is always on.
Tunneling
VPNs can use either a split-tunnel or full-tunnel implementation for traffic. A split-tunnel VPN sends only the traffic destined for the predefined corporate network through the VPN tunnel while allowing all other traffic, such as general internet browsing, to leave the device directly. A full-tunnel VPN sends all traffic, regardless of destination, through the VPN tunnel. A split tunnel is more efficient but less secure, because the traffic that bypasses the tunnel is not subject to the corporate network's inspection and filtering, and the device remains reachable from its local network while also connected to the corporate network. A full tunnel consumes more bandwidth at the VPN concentrator but is more secure. Both IPSec and SSL/TLS are commonly used as the protocol that builds the tunnel.
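As an added example (not from the study guide), the following Python code makes the routing decision for a list of destinations under both modes and flags the classic split-tunnel mistake of a corporate DNS resolver that falls outside the tunneled prefixes. The prefixes, destinations, and resolver addresses are constructed; on a real client the include list comes from the VPN concentrator and is installed into the host routing table.

```python
"""Split-tunnel vs. full-tunnel routing decisions, with a DNS-leak check.

Added example, not from the study guide. Prefixes, resolver address and
destinations are constructed; real clients get the include list from the
VPN concentrator and install it into the host routing table.
"""
import ipaddress
from typing import Iterable


def tunnel_route(dst: str, mode: str, corp_prefixes: Iterable[str]) -> str:
    """Return "tunnel" or "direct" for a destination under the given mode."""
    addr = ipaddress.ip_address(dst)
    if mode == "full":
        return "tunnel"                      # everything, including the public internet
    if mode == "split":
        nets = [ipaddress.ip_network(p) for p in corp_prefixes]
        return "tunnel" if any(addr in n for n in nets) else "direct"
    raise ValueError(f"unknown mode {mode!r}")


def split_tunnel_report(destinations, corp_prefixes, resolver: str) -> dict:
    """Summarize where traffic goes under split tunneling and flag a resolver
    that is not inside the tunneled prefixes, which means lookups for internal
    hostnames leave over the local network in the clear."""
    routes = {d: tunnel_route(d, "split", corp_prefixes) for d in destinations}
    direct = [d for d, r in routes.items() if r == "direct"]
    return {
        "routes": routes,
        "uninspected_destinations": direct,   # bypass corporate inspection
        "dns_leak": tunnel_route(resolver, "split", corp_prefixes) == "direct",
    }


# Constructed corporate prefixes and a mix of internal and public destinations.
CORP_PREFIXES = ["10.0.0.0/8", "192.168.100.0/24"]
DESTINATIONS = ["10.20.30.40", "192.168.100.7", "93.184.216.34", "198.51.100.9"]

if __name__ == "__main__":
    print(split_tunnel_report(DESTINATIONS, CORP_PREFIXES, resolver="10.0.0.53"))
    print(split_tunnel_report(DESTINATIONS, CORP_PREFIXES, resolver="192.168.1.1"))
```

With the corporate resolver at 10.0.0.53 the report is clean; pointing the client at a home router at 192.168.1.1 produces the dns_leak flag, since that address is outside every tunneled prefix.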
Internet Protocol Security (IPSec)
An IPSec VPN operates at the network layer (Layer 3) using the IPSec protocols: ESP for encryption and integrity, AH for integrity only, and IKE for key exchange. IPSec VPNs are commonly used in site-to-site configurations. IPSec can run in tunnel mode, which encrypts the entire original packet, including its IP header, and wraps it in a new outer IP header (the usual choice between gateways), or transport mode, which encrypts only the payload and leaves the original IP header visible (typically used between two hosts).
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
An SSL/TLS VPN builds its tunnel on TLS running over TCP (or DTLS over UDP), above the transport layer, rather than at Layer 3 like IPSec. Because it uses standard TLS, it passes through most firewalls and NAT devices, can be reached from a web browser without a dedicated client, and allows more granular, per-application access control. SSL/TLS VPNs can provide either portal-based access, which exposes selected applications through a web page, or tunnel-based access, which gives the client network-level connectivity. Modern implementations use TLS; SSL itself is deprecated and should not be enabled.
Software-Defined Wide Area Network (SD-WAN)
An SD-WAN is a network design that uses a central controller to steer traffic across multiple connection types (such as MPLS, broadband internet, and cellular links) based on policy, application, and measured link health, providing high availability by routing traffic over whichever path best meets the need at that moment.
Secure Access Service Edge (SASE)
SASE is a network design that combines multiple communication methods and security services, delivered largely from the cloud, to give users a consistently secured connection regardless of geographic location. SASE may employ SD-WAN, VPNs, cloud access security brokers (CASBs), and firewalls, among other components, to create that secure edge.
Selection of Effective Controls
A network's architecture is only as secure as the controls implemented within it. Security controls should be layered throughout the network (defense in depth) so that no single failure exposes the whole network and the impact of a breach is contained. However, excessive or poorly chosen controls may impede the network's functionality, which is why proper selection of effective controls matters.