CySA+ : Security Architecture
Network Segmentation - ANS--determining which bits of the network are accessible to other bits
-highly secure network or single host computer may have to be physically separated from any other network
-also referred to as system isolation or as an air gap
-Air gapping creates many management issues, done rarely
Network Segmentation (Zones and Access Control Lists (ACL)) - ANS--main unit of a logically segmented network is a zone
-zone is an area of a network where security config. is the same for all hosts within it
-Network traffic between zones is strictly controlled, using a security device - typically a firewall
-firewall enforces an ACL that records IP addresses and ports that are allowed/ denied access to the segment
Network Segmentation (Demilitarized Zones (DMZ)) - ANS--a key distinction between security zones is whether a host is Internet facing, i.e. accepts inbound connections from the Internet
-Internet facing hosts are placed in a DMZ aka perimeter network
-traffic should not be able to pass through it directly
-everything behind the DMZ is invisible to the outside network
-includes web servers, mail servers, proxy servers, remote access servers
-should not be configured w/ services running on the local network e.g. authentication services
-such hosts are aka bastion hosts
Network Segmentation (Jump Box) - ANS--administration server in the DMZ
-only runs the necessary admin port and protocol, typically SSH
-admins can connect to the box and then connect from there to the admin interface on the app server
-app server would have a single entry in its ACL, the jump box, and deny all other connections
-can be a separate server or VM
-must be tightly locked down w/ no software other than what is required to access the admin channel
Blackholes - ANS--attacker will often look for what the network is not using, unused network ports or IP space
-these resources should be made unusable by directing them to a black hole (unable to reach other parts of the network)
-DDoS/ flooding attacks can be directed to blackholes
Sinkhole - ANS--route traffic to an area of the network to be analyzed
-ID source of attack and filter it w/ rules
-may be used to attract malicious traffic to a honeypot/ honeynet for analysis, to analyze the attack and trace its source
System Hardening - ANS--securing a PC, operating system, or application
-there is usually a fairly standard series of steps to follow to configure it to perform securely in a specific role
System Hardening (Attack Surface) - ANS--a system should run only the protocols and services required by legitimate users and no more, to reduce the attack surface
-Interfaces = connection to network; if any are not required, they should be explicitly disabled
-Services = provide a library of functions for different apps, should be disabled if unused
-Application service ports = allow client software to connect to the application, should be disabled if unused
-Any service or interface enabled through default installation and left unconfigured is a vulnerability
Host Software Baselining - ANS--a system in the minimum working configuration that is also secure
-if a device deviates from the baseline, this should be investigated
Host Software Baselining Security Checklist - ANS--remove devices that have no authorized function
-install OS and app patches/ drivers/ firmware updates
-uninstall all but necessary network protocols
-uninstall/ disable unused services
-remove/ secure any shared folders
-enforce ACLs on all files/ folders/ printers
-restrict user accounts to least privilege
-secure local admin/ root by renaming + strong pw
-disable default user/ group accounts i.e. guest
-verify permissions of system accounts/ groups e.g. removing "everyone" group from a folder's ACL
-install AV software and configure to update regularly
System Hardening (Compensating Controls) - ANS--mitigates the lack of or failure of other controls
-e.g. isolating an unpatchable system from the network, or data and system backups
Group Policy Objects (GPO) - ANS--means of applying security settings (as well as other administrative settings) across a range of computers
-configure software deployment, windows settings, custom registry settings
-can be configured on a per computer basis
Policy Security Templates - ANS--Windows ships with default templates to simplify configuration
-can be modified w/ GP editor or GP management console
Discretionary Access Control (DAC) - ANS--stresses the importance of the owner
-owner is originally the creator of the resource, though ownership can be assigned to another user
-owner is granted full control over the resource, meaning that he can modify its ACL
-easiest model to compromise by insider threats
Mandatory Access Control (MAC) - ANS--based on the idea of security clearance levels
-each object is granted a clearance level or label
-subjects are generally allowed to access their clearance level and below
-alternatively, users can only access resources on a "need to know" basis by compartmentalizing in groups
Endpoint Security - ANS--security procedures and technologies designed to restrict network access at a device level
-does not replace perimeter security (DMZ/ firewalls) but adds defense in depth
Physical Port Security - ANS--access to the physical switch ports and switch hardware should be restricted to authorized staff
-use a secure server room and/ or lockable hardware cabinets
MAC filtering - ANS--specifying which MAC addresses are allowed to connect to a particular port
-switches tend to operate as a hub (fail-open) when the cache table becomes overloaded
Port-based Network Access Control (PNAC) - ANS--means that the switch (or router) performs some sort of authentication of the attached device before activating the port
-device requesting access is the supplicant
-switch/ router is the authenticator, enables Extensible Authentication Protocol over LAN (EAPoL) and waits for authentication data
-authenticator passes data to an authenticating server (typically RADIUS protocol) where it is checked and access is granted/ denied
Network Access Control (NAC) - ANS--allows administrators to devise policies or profiles describing a minimum security configuration that devices must meet to be granted network access, aka health policy
-typical policies check for malware, firmware/ OS patch level, personal firewall status, up to date AV definitions; may also scan the registry and perform file signature verification
NAC Features - ANS--Gather data = install an agent or poll the device
-Remediation = non-compliant devices may be refused connection or quarantined
-Management = defining policies/ reporting/ logging
-Post Admission Control = device must continue to meet policy to maintain access
-Integration = integrate w/ other client software like AV and IDS