Lesson 9: Network Security Capabilities

Security Baselines

What is Baseline Configuration?

Standard, secure starting point for systems/networks/applications before deployment

Benchmarks and Guides:

  • Security Baseline: Collection of standardized best-practice configurations to harden systems
  • CIS Benchmarks: Community-developed, consensus-based configuration standards
  • STIGs (Security Technical Implementation Guides): DoD configuration guides for federal networks
  • Vendor-Provided Guidance: Security documentation from hardware/software vendors
  • SCAP (Security Content Automation Protocol): NIST standards for automating vulnerability management
  • OpenSCAP: Open-source framework for compliance monitoring using SCAP
  • CISCAT Pro: CIS tool that scans systems and reports compliance with CIS Benchmarks
  • SCC (SCAP Compliance Checker): DoD tool to assess STIG/SCAP compliance

Configuration Management Tools:

Puppet, Chef, Ansible: Automation tools to deploy and enforce baselines across large-scale environments
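
An added example (not part of the lesson, and not code from OpenSCAP, CIS-CAT or SCC): a minimal baseline check in the spirit of the scanners above, run against a constructed sshd_config sample. The rule ids and the sample file are assumptions, not CIS or STIG content.

```python
# Constructed sample: an sshd_config from a partly hardened host (hypothetical, not a real system).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
LogLevel INFO
"""

# Baseline rules as (rule id, directive, expected value). Rule ids are assumed, not CIS/STIG numbers.
BASELINE = [
    ("SSH-01", "PermitRootLogin", "no"),
    ("SSH-02", "PasswordAuthentication", "no"),
    ("SSH-03", "X11Forwarding", "no"),
    ("SSH-04", "MaxAuthTries", "4"),
    ("SSH-05", "LogLevel", "VERBOSE"),
    ("SSH-06", "PubkeyAuthentication", "yes"),  # absent from the sample: sshd's default applies
]

def parse_config(text):
    """Map directive -> value; sshd directive names are case-insensitive, so keys are lowercased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    return settings

def check_baseline(config_text, baseline=BASELINE):
    """Return {rule id: status}; status is 'pass', 'fail' (wrong value) or
    'unset' (directive absent, so the daemon default is silently in effect)."""
    settings = parse_config(config_text)
    results = {}
    for rule_id, directive, expected in baseline:
        actual = settings.get(directive.lower())
        if actual is None:
            results[rule_id] = "unset"
        else:
            results[rule_id] = "pass" if actual.lower() == expected.lower() else "fail"
    return results

def compliance_score(results):
    """Fraction of rules passing; 'unset' counts as a finding, not a pass."""
    return sum(1 for s in results.values() if s == "pass") / len(results)

if __name__ == "__main__":
    results = check_baseline(SAMPLE_SSHD_CONFIG)
    print(results, f"compliance: {compliance_score(results):.0%}")
```

Treating a missing directive as a finding rather than a pass is the detail that matters: a baseline that only checks lines present in the file will report a default-configured daemon as compliant.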

Switch and Router Hardening

  • Change Default Credentials: Replace factory-default usernames/passwords
  • Disable Unused Ports/Services: Shut down all unused physical ports and services (Telnet, FTP, SNMP)
  • Use Secure Management Protocols:
    • Replace Telnet with SSH
    • Use HTTPS instead of HTTP
    • Use SNMPv3 instead of SNMPv1/v2c (adds authentication and encryption)
  • Implement ACLs (Access Control Lists): Define traffic rules (permit/deny based on IP/port/protocol)
  • Enable Logging & Monitoring: Configure syslog servers, SIEM tools, real-time alerting
  • Configure Port Security: Restrict MAC addresses per port, sticky MAC, shutdown/restrict modes
  • Strong Passwords: Complex passwords, regular changes, MFA where available
  • Physical Security: Locked racks, server rooms, tamper-evident seals
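
An added example, not from the lesson or any switch vendor: a teaching model of the port-security behaviour listed above (MAC limit, sticky learning, and the protect/restrict/shutdown violation modes), driven by constructed frames. The class and its field names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Teaching model of one access port with port security (not a vendor implementation).
    violation_mode is 'protect', 'restrict' or 'shutdown', mirroring the lesson's modes."""
    max_macs: int = 1
    sticky: bool = False
    violation_mode: str = "shutdown"
    allowed: set = field(default_factory=set)   # statically set or sticky-learned MACs
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)      # what a syslog/SIEM collector would see

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False          # shutdown mode: port stays down until an admin recovers it
        if src_mac in self.allowed:
            return True
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)   # sticky entries persist in the saved config
            self.log.append(f"learned {src_mac}" + (" (sticky)" if self.sticky else ""))
            return True
        # A new MAC beyond the limit is a violation, handled according to the mode.
        if self.violation_mode == "protect":
            return False          # silent drop: nothing logged, hard to detect centrally
        self.violations += 1
        if self.violation_mode == "restrict":
            self.log.append(f"violation from {src_mac}, frame dropped")
            return False
        self.err_disabled = True  # shutdown: port goes err-disabled
        self.log.append(f"violation from {src_mac}, port err-disabled")
        return False

def run_scenario(mode: str):
    """Constructed traffic: the legitimate host, then a second MAC on the same port."""
    port = SecurePort(max_macs=1, sticky=True, violation_mode=mode)
    frames = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:01", "DE:AD:BE:EF:00:02", "AA:BB:CC:00:00:01"]
    return [port.receive(m) for m in frames], port

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        forwarded, port = run_scenario(mode)
        print(mode, forwarded, port.violations, port.err_disabled, port.log)
```

The trade-off the three runs show: protect keeps the legitimate host working but leaves no trace for monitoring, restrict keeps it working and logs the event, shutdown logs it but also takes the legitimate host offline until the port is recovered.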

Server Hardening

  • Disable Unnecessary Services: Turn off non-essential daemons (FTP, Telnet, print services)
  • Apply Regular Updates & Patches: Keep OS and apps up to date
  • Enforce Least Privilege: Minimum access required
  • Use Firewalls & IDS:
    • Host-based Firewalls: Restrict traffic on the server
    • IDS: Monitor suspicious activity (HIDS like OSSEC)
    • Placing the IDS behind the router ensures it sees all traffic entering the segment
  • Apply CIS/STIG Baselines: Standardized secure settings
  • Enable Logging & Monitoring: System/security logs to SIEM
  • Use Antivirus/Antimalware: Up-to-date endpoint protection
  • Physically Secure Servers: Locked racks, access control, cameras/alarms

Wireless Security

Installation Considerations:

  • Site Surveys & Heat Maps: Optimize WAP placement and coverage

Wireless Encryption Standards:

  • Open: No encryption, insecure
  • WEP (Wired Equivalent Privacy): Outdated, insecure (1990s)
  • WPA/WPA2: Stronger, still in use
  • WPA3: Uses SAE (Simultaneous Authentication of Equals) for secure key exchange
    • Enhanced Open: For public networks
    • DPP (Device Provisioning Protocol): Replacement for insecure WPS (Wi-Fi Protected Setup)

Authentication Methods:

  • WPA2/3 Personal: Pre-Shared Key (PSK)
  • WPA2/3 Enterprise: Uses 802.1X authentication with RADIUS and EAP

EAP Types:

  • EAP-TLS: Uses TLS with client + server certificates, very high security (enterprise Wi-Fi)
  • PEAP (Protected EAP): Server cert + tunnel with MSCHAPv2 (username/password), medium security
  • EAP-TTLS: Server cert + tunnel with flexible auth (PAP, CHAP), medium-high security
  • EAP-FAST: Uses PAC (pre-shared key) instead of certs, medium security (Cisco networks)
  • LEAP (Lightweight EAP): Uses MSCHAPv1, very low security, deprecated, never use

Network Access Control (NAC)

Purpose: Validates users/devices before granting network access

Types:

  • Agent-Based NAC: Requires software on endpoints
  • Agentless NAC: Uses network scans and fingerprinting

Example tool: PacketFence (supports Nessus, OpenVAS, WMI, log parsers)

Network Controls

Access Control Lists (ACLs):

  • Rules defining permitted/denied traffic
  • Applied on routers, firewalls, switches
  • Based on: Source/Destination IP, Protocols, Ports
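
An added example for the ACL points here and in the Switch and Router Hardening list (not from the lesson or any router's syntax): a rule evaluator with the top-down first-match semantics and implicit deny that routers and firewalls apply, plus a check for rules that can never match because an earlier rule shadows them. The rule format and the constructed screened-subnet ACL are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One access control entry: an action plus match criteria ('any' is the default for each)."""
    action: str                  # 'permit' or 'deny'
    protocol: str = "any"        # 'tcp', 'udp', 'icmp' or 'any'
    src: str = "0.0.0.0/0"       # source network, CIDR
    dst: str = "0.0.0.0/0"       # destination network, CIDR
    dst_port: Optional[int] = None

    def matches(self, proto, src_ip, dst_ip, dport):
        return (self.protocol in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == dport))

    def covers(self, other):
        """True if every packet matching `other` also matches self (used to find dead rules)."""
        return (self.protocol in ("any", other.protocol)
                and ipaddress.ip_network(self.src).supernet_of(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).supernet_of(ipaddress.ip_network(other.dst))
                and (self.dst_port is None or self.dst_port == other.dst_port))

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Top-down first match, then the implicit 'deny any'; returns (action, index) or ('deny', None)."""
    for i, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, i
    return "deny", None

def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule covers them entirely."""
    return [j for j in range(len(acl)) if any(acl[i].covers(acl[j]) for i in range(j))]

# Constructed inbound ACL for a screened-subnet web server (RFC 5737 documentation addresses).
WEB_DMZ_IN = [
    Rule("permit", "tcp", dst="203.0.113.10/32", dst_port=443),
    Rule("permit", "tcp", dst="203.0.113.10/32", dst_port=80),
    Rule("deny", "tcp", dst="203.0.113.10/32", dst_port=22),                           # blocks all SSH...
    Rule("permit", "tcp", src="198.51.100.0/24", dst="203.0.113.10/32", dst_port=22),  # ...so this admin rule is dead
]

if __name__ == "__main__":
    print(evaluate(WEB_DMZ_IN, "tcp", "192.0.2.55", "203.0.113.10", 443))   # ('permit', 0)
    print(evaluate(WEB_DMZ_IN, "tcp", "198.51.100.7", "203.0.113.10", 22))  # ('deny', 2): ordering bug
    print(evaluate(WEB_DMZ_IN, "udp", "192.0.2.55", "203.0.113.10", 53))    # ('deny', None): implicit deny
    print(shadowed_rules(WEB_DMZ_IN))                                        # [3]
```

Swapping the last two rules fixes the ordering bug; shadowed_rules is the kind of check worth running whenever an ACL is edited, because a dead permit or a dead deny fails silently.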

Screened Subnet (DMZ):

Isolated network area separating public services from internal systems

Firewalls and UTM

NGFW (Next-Generation Firewall):

  • Layer 7 (application layer) filtering
  • Inspect SSL/TLS, detect malware, block applications

UTM (Unified Threat Management):

Combines firewall, antivirus, IDS/IPS, content filtering into one device

IDS/IPS

Types:

  • HIDS (Host-Based IDS): Monitors single devices
  • NIDS (Network-Based IDS): Monitors traffic across networks
  • IPS (Intrusion Prevention System): Actively blocks threats

Detection Methods:

  • Signature-Based: Matches known attack patterns
  • Anomaly-Based: Flags behavior outside baselines
  • Behavioral-Based: Tracks typical user/system behavior
  • Trend Analysis: NBAD (Network Behavior Anomaly Detection), UEBA (User and Entity Behavior Analytics)

Common Tools: Snort, Suricata, OSSEC
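
An added example, not from the lesson and not a Snort, Suricata or OSSEC ruleset: signature-based and anomaly-based detection run side by side over constructed access-log lines, to show that each method catches what the other misses. The log lines, patterns and threshold are constructed for this illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed web-server access log lines (RFC 5737 addresses); not real traffic.
LOG_LINES = """\
192.0.2.10 GET /index.html 200
192.0.2.10 GET /about.html 200
198.51.100.5 GET /login 200
198.51.100.5 POST /login 302
192.0.2.77 GET /search?q=../../../../etc/passwd 404
192.0.2.77 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200
203.0.113.9 GET /a 404
203.0.113.9 GET /b 404
203.0.113.9 GET /c 404
203.0.113.9 GET /d 404
203.0.113.9 GET /e 404
203.0.113.9 GET /f 404
""".splitlines()

# Signature-based: known attack patterns (illustrative regexes, not a real IDS ruleset).
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "xss-script-tag": re.compile(r"%3Cscript%3E|<script>", re.IGNORECASE),
}

def signature_alerts(lines):
    """Return [(line_no, signature_name)] for every line matching a known pattern."""
    return [(n, name) for n, line in enumerate(lines, 1)
            for name, rx in SIGNATURES.items() if rx.search(line)]

def anomaly_alerts(lines, threshold=1.5):
    """Anomaly-based: flag source IPs whose request count exceeds the per-source baseline
    (mean + threshold * population std dev). Threshold is tuned for this tiny sample."""
    counts = Counter(line.split()[0] for line in lines)
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    return sorted(ip for ip, c in counts.items() if c > mu + threshold * sigma)

if __name__ == "__main__":
    print("signature hits:", signature_alerts(LOG_LINES))
    print("anomalous sources:", anomaly_alerts(LOG_LINES))
```

The two probing requests from 192.0.2.77 are too few to stand out statistically but hit signatures; the 404 burst from 203.0.113.9 matches no signature but stands out against the baseline, which is why the lesson lists both methods rather than one.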

Web Filtering

Purpose: Restrict web access, block threats

Techniques:

  • Agent-Based Filtering
  • Centralized Filtering
  • URL Scanning & Categorization
  • Reputation-Based Filtering
  • Block Rules
  • HTTPS Decryption/Inspection

Use Cases: Block malware/phishing, enforce acceptable use, prevent data exfiltration
