CompTIA CASP+ CAS-004 Practice Test Questions and Answers, CompTIA CASP+ CAS-004 Exam Dumps - PrepAway
Securing Networks (Domain 1)
1. Securing Networks (OBJ 1.1)
In this section of the course, we're going to discuss the fundamentals of creating a secure network architecture, first by making sure we understand exactly what each type of device in a network is used for, and then by learning how these devices and their functionality can be used to secure our enterprise network services. So in this section, we're going to be focused on Domain 1, Security Architecture, specifically Objective 1.1: given a scenario, analyze the security requirements and objectives to ensure an appropriate secure network architecture for a new or existing network.
Now, as we design our networks, it's important to remember to build in security from the beginning. A small network may not have a lot of complex security architecture built into it up front, but as the organization and the network grow, the network gains more and more complexity. If we design our network from the beginning with security in mind, it's going to be cheaper and easier to implement than trying to bolt on security after the fact. The challenge we face is that adding security solutions to our network can sometimes hamper our own ability to understand our network and its traffic flows. For example, if we implement TLS and SSL to secure our users' web browsing, those same technologies can blind our intrusion detection and intrusion prevention systems to that data as it flows across our network.
On top of all of this, we have the migration towards software-defined networking and cloud-based networks, which further complicates the challenges associated with securing our enterprise networks. Now, while these can provide us with exceptional levels of service, they can also introduce numerous security vulnerabilities that must be considered as part of our larger network architecture and our approach to security. Now, each choice we make in our networks is either going to help strengthen the security of our networks or it's going to reduce that security. Many security solution providers brag about their particular solutions and how they're going to solve all of our problems, but this is almost never the case. Therefore, we have to really consider each solution in terms of our own network architecture, our unique use cases, and the future of our network's design to ensure that the best security at the right price is being used on our networks.
So as we move through this section, we're going to start out by discussing some fundamental components of networks, such as switches, routers, firewalls, proxies, and intrusion detection and prevention systems. Then we're going to move into some features and use cases of these different devices, such as network access control, different types of remote access methods to secure our communications, DNSSEC, and the various gateways that we configure within our networks. Finally, we're going to discuss the concept of load balancing, how distributed denial-of-service attacks can quickly overwhelm our networks, and what we can do to stop these attacks. As we cover these topics, I'm going to provide you with not only the theoretical perspective but also an operational one, by discussing how to implement different security controls in real-world networks to secure your organization's information technology systems.
After all, when we talk about securing enterprise architecture, if a security professional doesn't understand the underlying components of the network, like the switches, routers, and other key devices, they can never truly create a secure design. A network has to be designed with security from the beginning because the acquisition of our organization's network architecture is both costly and time-consuming, and it's important to remember that. Let's pretend for a minute that you're the lead network architect for a college, and you're going to service over 200 students every single day. Now, you've created the architecture on paper, and you've chosen all the equipment and software that you're going to need to run it. You petition your college for the money to implement your brilliant plan. You receive millions of dollars and you purchase all the equipment, but now it all has to be installed, configured, and operated. This is a time-consuming process, and it might take a year or more for this to progress from the idea to procurement to installation to actual operations.
Now, let's pretend that you just found out that one of those underlying systems was deemed to be insecure because you neglected to consider the rapidly changing technology landscape, and that device is now end of life. Well, you now have to wait another year before you can fix that mistake because your organisation has this long acquisition timeline. And even worse, it's now going to cost you even more money because you need to reengineer large portions of your network to account for the new security technology that you now need to start implementing. This is the challenge for us as security practitioners in the security architecture realm. How do we even keep up with this ever-changing landscape of technology, especially when acquisition and fielding cycles can be so long and drawn out? Well, for this reason, it is really imperative that we consider security in our initial designs, because otherwise, we're going to go months or years without it because we simply haven't asked for it upfront. Simply put, it's going to be a lot cheaper and easier to build security into our initial designs than to try to bolt it on after the fact.
Now, if you work for a smaller organization, you may not be subject to these large delays caused by the bureaucratic procurement process of large organizations like the government, colleges, and big companies. But let me tell you, these things do exist out there, and they can be extremely painful to deal with. For example, if you work for the United States military as part of the Department of Defense, you're probably familiar with what they call the POM cycle. POM stands for Program Objective Memorandum, and it's the recommendation that is provided by the different military services, such as the Army, the Air Force, the Navy, and the Marines, to the Office of the Secretary of Defense, documenting how the services plan to allocate resources, like funding, for all the different programs that they want to implement in the coming years. So if you're working for one of these services and you realize you want to buy a new piece of security technology that's going to cost you $15 million to field, you need to budget for that by requesting that it be included in your branch of service's request to the Secretary of Defense.
Well, this POM cycle is actually submitted three years in advance. That's right, three years. So if something is going to cost a lot of money, you really have to plan ahead if you're working for the Department of Defense. Now, enterprise networks like those fielded by the Army, the Air Force, the Navy, and the Marines cost a lot of money, like tens and hundreds of millions of dollars, and so they have to go through the POM process in order to get funded. Most large organizations work on a yearly budgeting cycle, which means you don't have to deal with a three-year cycle like the military does, but it's still important for you to plan ahead in your business. All right, so now that we understand a bit more about our need to plan ahead, let's start by discussing some really basic networking equipment. This should be a review for most of us because we've already taken our lower-level certifications, like Network+ or Security+. But for the sake of thoroughness and covering all the exam objectives, we're going to cover them here as well. So let's get started with this section on securing networks.
2. Switches (OBJ 1.1)
In this lesson, we're going to discuss one of our most common network devices: switches. Now, switches are networking devices that operate at layer 2 of the OSI model, and these devices make traffic switching decisions based upon the MAC addresses of the sending and receiving devices through a process called transparent bridging. Unlike hubs, which are an older type of networking device, switches use intelligence to prevent collisions on our network. Each port on a switch resides in its own collision domain, and this allows the switch ports to operate in full-duplex mode, speeding up our network.
This means that a port can both send and receive data at the same time without having a negative effect on the traffic being carried. This also increases the security of the traffic being carried because only the device addressed by that traffic is going to receive a copy of the data. Now, a switch remembers which devices are connected to which switch port based upon their MAC addresses, and therefore it can forward traffic only to the ports involved in a particular conversation. In the past, hubs would simply rebroadcast every piece of traffic out of every single port. Switches, by contrast, forward traffic only to the intended receiver, making switches much more efficient and secure than a hub.
Now, all these MAC addresses and the ports they're associated with are stored in something known as the CAM table. The CAM table is the content addressable memory table, and it's used to store this information about which MAC addresses are reachable through any given port of the switch. However, attackers have learned a technique called MAC flooding, which essentially causes a MAC address overflow to occur inside this CAM table by flooding the switch with frames from random MAC addresses. If this happens and it overfills the CAM table, the switch can fail open and simply begin acting like a hub, sending traffic to all the switch ports. The switch will then start rebroadcasting all of its traffic to every single port, and it will lose its security advantage. To prevent this type of attack, we should enable port security, or MAC filtering, on our switch ports.
Now, switch ports are also known by the term "interface." By default, Cisco switches have all of their interfaces, or switch ports, turned on. This makes it easy and convenient to add a switch to our network, but it's not very secure. For example, if we have a network jack sitting in a common room in our office building, like the lobby, how can we prevent unknown devices from simply plugging in a network cable and gaining immediate access to everything on our network? Well, to solve this problem, manufacturers provide us with a security feature known as port security. Port security allows a network administrator to associate specific MAC addresses from different devices with specific interfaces. For example, we can restrict the network jack in the lobby to only accept MAC addresses from laptops that have been preapproved by the network administrator for use in that area. Any other network device that attempts to connect to that switch port is going to be rejected and not given logical access to the network, even though there's a cable plugged into that jack. Now, port security can be a lengthy process to set up because we have to know each and every MAC address that we want to allow to connect to an individual switch port.
To make it a bit easier, most manufacturers allow us to set up something known as sticky MACs, or more properly termed persistent MAC learning. This feature enables an interface to dynamically associate the first MAC address that connects to that switch port as the authorized MAC address in terms of port security, and then it prevents access by any other MAC address on that particular interface. While these port security features are great, they're not a silver bullet that's going to stop all attacks. Attackers have easy ways to bypass the MAC filtering used in port security: by resetting the MAC address of their own network interface card to a known good MAC address on the preapproved list, this MAC spoofing allows them to connect to the network and bypass port security.
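To make the CAM table and port security behaviour above concrete, here is a small Python model (an added example, not from the course): a learning switch whose CAM table holds a fixed number of entries, with optional sticky port security on one port. It shows that once an unprotected port has pushed a legitimate host's entry out of a full table, frames for that host are flooded to every port, whereas a port limited to one sticky MAC cannot exhaust the table. All MAC addresses are constructed sample values.

```python
"""Toy switch with a bounded CAM table, with and without port security.

Added example, not from the course: it models why an unprotected port lets a
burst of unknown source MACs push real hosts out of the CAM table (forcing
unknown-unicast flooding, the hub-like behaviour described above), while
sticky port security on that port caps what it may learn. All MAC addresses
are constructed sample values.
"""
from collections import OrderedDict


class Switch:
    """Learning switch; the CAM holds at most cam_capacity entries (oldest evicted)."""

    def __init__(self, ports: int, cam_capacity: int) -> None:
        self.ports = ports
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()        # MAC -> port, oldest entry first
        self.port_limit = {}            # port -> max secured MACs (port security on)
        self.secured = {}               # port -> set of sticky MACs
        self.violations = []            # (port, offending MAC)

    def enable_port_security(self, port: int, max_macs: int = 1) -> None:
        """Sticky (persistent MAC learning) mode: the first max_macs seen are locked in."""
        self.port_limit[port] = max_macs
        self.secured[port] = set()

    def _learn(self, mac: str, port: int) -> None:
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port
            return
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)  # table full: the oldest binding is lost
        self.cam[mac] = port

    def receive(self, port: int, src: str, dst: str) -> list:
        """Process one frame; return the list of egress ports."""
        if port in self.port_limit:
            allowed = self.secured[port]
            if src not in allowed:
                if len(allowed) >= self.port_limit[port]:
                    self.violations.append((port, src))
                    return []            # violation: frame dropped, nothing learned
                allowed.add(src)         # sticky learning of the first MAC(s)
        self._learn(src, port)
        out = self.cam.get(dst)
        if out is None:                  # unknown destination: flood all other ports
            return [p for p in range(self.ports) if p != port]
        return [] if out == port else [out]


def unicast_survives(secure: bool, bogus_frames: int = 1000) -> tuple:
    """Learn a server on port 1, then inject many bogus source MACs on port 0.

    Returns (egress ports for a later frame addressed to the server,
             number of port-security violations recorded).
    """
    sw = Switch(ports=4, cam_capacity=256)
    if secure:
        sw.enable_port_security(0, max_macs=1)
    server = "aa:aa:aa:aa:aa:01"
    sw.receive(1, server, "ff:ff:ff:ff:ff:ff")
    for i in range(bogus_frames):        # constructed, deterministic bogus MACs
        sw.receive(0, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "ff:ff:ff:ff:ff:ff")
    egress = sw.receive(2, "aa:aa:aa:aa:aa:02", server)
    return egress, len(sw.violations)


if __name__ == "__main__":
    print("no port security:", unicast_survives(False))   # ([0, 1, 3], 0): flooded
    print("port security:   ", unicast_survives(True))    # ([1], 999): still unicast
```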
For this reason, an organization should have a more in-depth defensive plan, such as one that includes 802.1X authentication or other security measures for network access beyond simple port security. That said, enabling port security and MAC filtering does provide some, although limited, protection, so it's still considered a good thing to do, and most companies will implement these on their switches. Now, switches are also designed to allow for redundancy in a network because you can connect them to each other over redundant paths. When you connect switches in this manner to create redundancy, you need to ensure that you don't create a switching loop. To prevent a switching loop, you need to enable and configure the Spanning Tree Protocol, or STP, on your switches.
If you don't configure STP properly, your redundant links could cause a flood of traffic to go over your network, causing your switches to become unresponsive; essentially, you'll be creating a denial-of-service attack on your own network. For this course, you don't need to know how to configure STP on a switch specifically, but you should be aware that it needs to be configured when you're setting up redundant links, to prevent these switching loops. Another security issue that occurs at layer 2 of the OSI model is known as ARP poisoning, or ARP spoofing. This is a type of cyber attack that involves sending malicious ARP packets to a default gateway on the network in order to change the IP and MAC address pairings inside the ARP table.
If it's successful, this can be used to conduct a man-in-the-middle, or on-path, attack: the attacker answers the ARP request for another machine, effectively pretending to be the victim computer by having the attacker's machine use the victim's MAC address. To mitigate this type of attack, we can use one of two methods. The first is known as Dynamic ARP Inspection, or DAI, and this can be implemented on a Cisco switch. DAI intercepts all ARP requests and responses and compares each one to the MAC-to-IP bindings listed inside its own trusted binding table on that switch. If an incorrect mapping is attempted, the switch rejects the packet and does not forward it to the default gateway. The second mitigation is to use DHCP snooping, which prevents a poisoning attack on the DHCP database itself.
This isn't an attack on the switch as such, but DHCP snooping also builds the trusted binding table that makes Dynamic ARP Inspection effective. Switches can also provide the ability to create virtual local area networks, or VLANs. This adds a layer of separation to our networks without requiring additional hardware switches to be purchased, configured, and installed. Unfortunately, attackers have also discovered two ways to break out of VLANs. The first method is known as "switch spoofing," which exploits the automatic trunk negotiation protocol known as Dynamic Trunking Protocol, or DTP. The attacker configures their device to pretend that it's a switch, connects to a switch port, negotiates a trunk link, and then uses it to break out of the VLAN. We can prevent this by disabling DTP on all of our switch ports.
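The Dynamic ARP Inspection logic described above, as an added example that is not the course's own material: every ARP message arriving on an untrusted port is checked against a DHCP-snooping-style binding table keyed by (VLAN, IP), and anything whose sender MAC or ingress port disagrees with the table is dropped before it can reach the gateway's ARP cache. The bindings, port names, and packets are constructed sample data.

```python
"""Dynamic ARP Inspection (DAI) decision logic modelled in Python.

Added example, not from the course. Bindings, port names and ARP messages
are constructed; the structure mirrors what a switch running DAI with a
DHCP snooping binding table checks for each ARP message on an untrusted port.
"""
from dataclasses import dataclass

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str           # port on which the DHCP lease was observed


@dataclass(frozen=True)
class ArpMessage:
    vlan: int
    port: str           # ingress switch port
    opcode: int         # REQUEST or REPLY
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class DynamicArpInspector:
    def __init__(self, bindings: list, trusted_ports: set) -> None:
        self.table = {(b.vlan, b.ip): b for b in bindings}
        self.trusted = trusted_ports

    def inspect(self, msg: ArpMessage) -> tuple:
        """Return (verdict, reason); verdict is 'permit' or 'drop'."""
        if msg.port in self.trusted:
            return "permit", "trusted port, not inspected"
        entry = self.table.get((msg.vlan, msg.sender_ip))
        if entry is None:
            return "drop", f"no binding for sender IP {msg.sender_ip} in VLAN {msg.vlan}"
        if entry.mac != msg.sender_mac:
            return "drop", f"sender MAC {msg.sender_mac} does not match binding {entry.mac}"
        if entry.port != msg.port:
            return "drop", f"binding for {msg.sender_ip} belongs to {entry.port}, not {msg.port}"
        return "permit", "sender IP, MAC and port agree with the binding table"


# Constructed binding table: gateway on the trusted uplink, two workstations.
BINDINGS = [
    Binding(10, "10.0.10.1",  "aa:bb:cc:00:00:01", "Gi1/0/24"),
    Binding(10, "10.0.10.50", "aa:bb:cc:00:00:50", "Gi1/0/5"),
    Binding(10, "10.0.10.51", "aa:bb:cc:00:00:51", "Gi1/0/6"),
]

# Constructed ARP traffic, one message per case of interest.
SAMPLE = [
    # workstation .50 asks for the gateway from its own port: legitimate
    ArpMessage(10, "Gi1/0/5", REQUEST, "aa:bb:cc:00:00:50", "10.0.10.50",
               "00:00:00:00:00:00", "10.0.10.1"),
    # reply claiming the gateway's IP but carrying another host's MAC: poisoning attempt
    ArpMessage(10, "Gi1/0/6", REPLY, "aa:bb:cc:00:00:51", "10.0.10.1",
               "aa:bb:cc:00:00:50", "10.0.10.50"),
    # reply with .50's correct IP/MAC pair, but arriving on the wrong port
    ArpMessage(10, "Gi1/0/6", REPLY, "aa:bb:cc:00:00:50", "10.0.10.50",
               "aa:bb:cc:00:00:01", "10.0.10.1"),
    # reply for an IP that never obtained a DHCP lease
    ArpMessage(10, "Gi1/0/6", REPLY, "aa:bb:cc:00:00:51", "10.0.10.99",
               "aa:bb:cc:00:00:50", "10.0.10.50"),
    # the real gateway answering over the trusted uplink
    ArpMessage(10, "Gi1/0/24", REPLY, "aa:bb:cc:00:00:01", "10.0.10.1",
               "aa:bb:cc:00:00:50", "10.0.10.50"),
]


def run_sample() -> list:
    """Verdicts for SAMPLE in order."""
    dai = DynamicArpInspector(BINDINGS, trusted_ports={"Gi1/0/24"})
    return [dai.inspect(m)[0] for m in SAMPLE]


if __name__ == "__main__":
    dai = DynamicArpInspector(BINDINGS, trusted_ports={"Gi1/0/24"})
    for m in SAMPLE:
        verdict, reason = dai.inspect(m)
        print(f"{m.port:8} op={m.opcode} {m.sender_ip:12} -> {verdict}: {reason}")
```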
The second method is known as "double tagging." As traffic goes across a switch, the switch reads the outermost VLAN tag, strips it off, and then forwards the traffic to the proper VLAN. In double tagging, the attacker adds two VLAN tags: an outer tag and an inner tag. When the traffic goes through the first switch, that switch removes the outer tag and then forwards the frame toward the destination named by the inner tag, which is the second VLAN. We can prevent this by moving all of the ports out of the default VLAN as well, and this will help secure our networks.
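To show what a double-tagged frame looks like on the wire, here is an added example (not from the course) that builds Ethernet frames with a stack of 802.1Q tags, parses the tag stack back out, and flags the two conditions the text treats as risky on the default VLAN: a frame carrying two tags, and a frame tagged with the native VLAN itself. Frames and MAC addresses are constructed; the native VLAN id is an assumed parameter.

```python
"""Parse 802.1Q tag stacks and flag double-tagged or native-VLAN-tagged frames.

Added example, not from the course. Frames are constructed inline; the
native VLAN id (1, the default) is an assumption of this example.
"""
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, vlans: list, ethertype: int = 0x0800,
                payload: bytes = b"") -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def vlan_tags(frame: bytes) -> tuple:
    """Return (VLAN ids outermost first, EtherType of the payload that follows)."""
    offset = 12                       # tags sit right after the two MAC addresses
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid != TPID_8021Q:
            return tags, tpid
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)     # low 12 bits of the TCI are the VLAN id
        offset += 4


def classify(frame: bytes, native_vlan: int = 1) -> str:
    """Label a frame seen on an access port by the shape of its tag stack."""
    tags, _ = vlan_tags(frame)
    if len(tags) >= 2:
        return "double-tagged"        # inner tag survives once the outer one is stripped
    if tags and tags[0] == native_vlan:
        return "native-vlan-tagged"   # end hosts on an access port should not tag at all
    return "single-tagged" if tags else "untagged"


def run_sample() -> list:
    dst, src = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01"   # constructed MACs
    samples = [
        build_frame(dst, src, []),
        build_frame(dst, src, [20]),
        build_frame(dst, src, [1]),
        build_frame(dst, src, [1, 20]),   # outer = native VLAN 1, inner = VLAN 20
    ]
    return [classify(f) for f in samples]


if __name__ == "__main__":
    for label in run_sample():
        print(label)
```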
3. Routers (OBJ 1.1)
In this lesson, we're going to discuss another one of our common network devices: routers. While switches operate at layer 2 of the OSI model, routers move up to layer 3, and we use them inside our networks to make routing decisions using IP addresses. To make these routing decisions, routers maintain a routing table that helps the device determine in which direction to send network traffic based upon its destination IP address. These layer 3 IP addresses are used to determine what network a particular host is located on and what path the traffic should take across the wide area network until it reaches its destination network.
Once the traffic reaches its destination network, the final router involved in this process sends an ARP broadcast to locate the correct host on its local area network and then passes the traffic to the host using its MAC address, which is a layer 2 address used by the switches on the local area network. Now, the great thing about routing is that it has become significantly easier to set up over the years. In the early days of routing, routes were manually configured on every single device.
But as our networks grew larger and larger and became more complicated, it became easier for us to rely on dynamic routing protocols to keep all this routing information in the tables up to date to ensure the efficient routing of our network traffic. Now, unfortunately, attackers have also found ways to capture this routing data by introducing new routers into the system. Because of this dynamic nature, the new router will then be updated with all the routing tables from the existing routers, and these routes can be edited and used as part of future attacks.
To prevent this type of reconnaissance, manufacturers include authentication mechanisms as part of the router information exchange. This can be done by configuring the routers to require single-factor authentication, such as a password that must be supplied prior to exchanging data, or by using a hash-based authentication key, such as an MD5 or SHA-1 hash, to perform the authentication. To ensure the highest level of security for this exchange, it is considered a best practice to use a hash-based authentication key along with a hash of the router information itself, taken before and after the transfer, to ensure the integrity of the data as it's transferred. When configuring the authentication, both routers use the hash-based algorithm or password as a shared secret, or symmetric key. In addition to their core routing functions, routers also provide some security functions for us through the use of ACLs. ACLs, or access control lists, are configured on router interfaces to control the flow of traffic into or out of a certain part of the network.
ACLs are an ordered set of rules that permit or deny traffic based on certain characteristics, like the source or destination IP address or the source or destination port number associated with a particular application or service. The rules in an ACL are evaluated from the top to the bottom, in a top-down manner. When traffic reaches an interface on a router that has an ACL applied, the router checks that traffic against the ACL line by line. First it checks the traffic against the first rule at the top of the ACL, and if the traffic matches the conditions of that rule, the rule's action is performed and no other part of the ACL is checked, because processing stops there. If the traffic didn't match the first rule, the router moves on to the second rule, then the third and the fourth, and it keeps working its way down the list. For this reason, we want to make sure our most specific rules are placed at the top of the list and the more generic rules are placed at the bottom.
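The top-down, first-match evaluation just described, as an added example that is not the course's own material: a small evaluator that walks an ordered ACL, stops at the first matching rule, applies the implicit deny when nothing matches, and reports rules that an earlier, broader rule makes unreachable. The two ACLs contain the same three rules; only the order differs, and that alone decides whether HTTPS to the web server is permitted. Addresses, ports, and sequence numbers are constructed sample values.

```python
"""First-match ACL evaluation and shadowed-rule detection.

Added example, not from the course. Rule and packet fields are constructed
sample values; the matching semantics are the top-down, stop-at-first-match
behaviour the text describes, with an implicit deny at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                        # source network, CIDR
    dst: str                        # destination network, CIDR
    dst_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, seq of the rule that fired); seq is None for the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet that matches `narrow` would already match `broad`."""
    return ((broad.proto == "ip" or broad.proto == narrow.proto)
            and ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and (broad.dst_port is None or broad.dst_port == narrow.dst_port))


def shadowed_rules(acl: list) -> list:
    """Sequence numbers of rules that can never fire because an earlier rule covers them."""
    ordered = sorted(acl, key=lambda r: r.seq)
    return [later.seq for i, later in enumerate(ordered)
            if any(covers(earlier, later) for earlier in ordered[:i])]


# Intended policy: the user subnet may reach the web server on HTTPS only, all other
# traffic from that subnet into the server VLAN is denied, everything else is allowed.
CORRECT_ORDER = [
    Rule(10, "permit", "tcp", "10.0.1.0/24", "10.0.2.10/32", 443),
    Rule(20, "deny",   "ip",  "10.0.1.0/24", "10.0.2.0/24"),
    Rule(30, "permit", "ip",  "0.0.0.0/0",   "0.0.0.0/0"),
]

# Same rules, but the generic deny sits above the specific permit.
WRONG_ORDER = [
    Rule(10, "deny",   "ip",  "10.0.1.0/24", "10.0.2.0/24"),
    Rule(20, "permit", "tcp", "10.0.1.0/24", "10.0.2.10/32", 443),
    Rule(30, "permit", "ip",  "0.0.0.0/0",   "0.0.0.0/0"),
]

HTTPS_TO_WEB = Packet("tcp", "10.0.1.25", "10.0.2.10", 443)
SSH_TO_WEB = Packet("tcp", "10.0.1.25", "10.0.2.10", 22)

if __name__ == "__main__":
    print("correct order, HTTPS:", evaluate(CORRECT_ORDER, HTTPS_TO_WEB))  # ('permit', 10)
    print("correct order, SSH:  ", evaluate(CORRECT_ORDER, SSH_TO_WEB))    # ('deny', 20)
    print("wrong order, HTTPS:  ", evaluate(WRONG_ORDER, HTTPS_TO_WEB))    # ('deny', 10)
    print("shadowed in wrong order:", shadowed_rules(WRONG_ORDER))        # [20]
```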
To secure the routers in our network, we also want to ensure that authentication is used between the routers whenever they exchange their routing tables, as we discussed with hash-based authentication. Also, management of the router should be conducted using strong authentication and complex passwords. Finally, our management connection to a router should always be made over SSH, which is encrypted, and never over Telnet, which sends everything in plain text across the network. As you know, network architectures are ever evolving, not only in terms of the devices used to run our networks but also in the Internet Protocol addressing technologies themselves. For decades we used IPv4, or Internet Protocol version 4, and it has dominated our networks. But IPv6, or Internet Protocol version 6, has finally started to take root in many organizational networks.
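To illustrate the hash-based authentication of routing updates discussed above, here is an added example (not from the course, and not any particular routing protocol's wire format): each update carries a sequence number and a keyed hash (HMAC with SHA-1, one of the hashes named in the text) computed with the shared key, so the receiving router rejects updates from a router that lacks the key, updates whose routes were altered in transit, and replays of an old update. The router ids, key, and route text are constructed sample values.

```python
"""Keyed-hash authentication of routing updates between neighbours.

Added example, not from the course. The shared key, router ids and route
strings are constructed; the sequence-number check is this example's own
replay protection, not a claim about any specific routing protocol.
"""
import hmac
import struct


class RouteAuthenticator:
    def __init__(self, shared_key: bytes, digest: str = "sha1") -> None:
        self.key = shared_key
        self.digest = digest
        self.last_seq = {}      # neighbour id -> last accepted sequence number

    def _message(self, router_id: str, seq: int, update: bytes) -> bytes:
        # Sequence number and sender id are bound into the authenticated data,
        # so a valid tag cannot be reused for another sequence or sender.
        return struct.pack("!I", seq) + router_id.encode() + b"\x00" + update

    def sign(self, router_id: str, seq: int, update: bytes) -> bytes:
        return hmac.new(self.key, self._message(router_id, seq, update), self.digest).digest()

    def verify(self, router_id: str, seq: int, update: bytes, tag: bytes) -> tuple:
        """Return (accepted, reason)."""
        expected = self.sign(router_id, seq, update)
        if not hmac.compare_digest(expected, tag):
            return False, "bad digest"          # wrong key, or the update was altered
        if seq <= self.last_seq.get(router_id, -1):
            return False, "replayed"            # sequence number did not advance
        self.last_seq[router_id] = seq
        return True, "accepted"


def run_sample() -> list:
    """Reasons returned by the receiver for five constructed updates, in order."""
    key = b"constructed-shared-secret"
    r1, r2 = RouteAuthenticator(key), RouteAuthenticator(key)   # sender, receiver
    update = b"10.0.2.0/24 via 10.0.0.2 metric 1"
    tag1 = r1.sign("r1", 1, update)
    results = [r2.verify("r1", 1, update, tag1)[1]]                           # accepted
    results.append(r2.verify("r1", 1, update, tag1)[1])                       # replayed
    rogue_tag = RouteAuthenticator(b"guessed-key").sign("r1", 2, update)
    results.append(r2.verify("r1", 2, update, rogue_tag)[1])                  # bad digest
    altered = update.replace(b"10.0.0.2", b"10.0.0.9")
    results.append(r2.verify("r1", 2, altered, r1.sign("r1", 2, update))[1])  # bad digest
    results.append(r2.verify("r1", 2, update, r1.sign("r1", 2, update))[1])   # accepted
    return results


if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```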
There are several different technologies that can help us during the transition from IPv4 to IPv6 that you may run across out in the field. These include things that allow us to run both versions at once, such as 6to4, Teredo, dual stack, and GRE tunnels. 6to4 is a transitional technology that allows IPv6 packets to be transmitted over a standard IPv4 network without the need to create explicit tunnels. It gives IPv6-based sites the ability to communicate with other native IPv6 domains over relay routers, and effectively it treats the entire IPv4-based Internet as a single point-to-point link-layer segment. Teredo, on the other hand, provides full IPv6 connectivity for hosts even if they don't have a connection to a native IPv6 network. Instead, Teredo uses a form of network address translation traversal to encapsulate the IPv6 datagrams within IPv4 User Datagram Protocol (UDP) packets and then sends those over the network.
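Because both 6to4 and Teredo embed the IPv4 side of the tunnel inside the IPv6 address, an analyst who sees such an address in a log can recover those endpoints. The following added example (not from the course) classifies an IPv6 address and decodes the embedded IPv4 addresses using only the standard library's ipaddress module; the Teredo flag and UDP port fields are decoded from the address layout defined in RFC 4380. The sample addresses are constructed or documentation example values.

```python
"""Classify IPv6 addresses and recover the IPv4 endpoints embedded by 6to4 and Teredo.

Added example, not from the course. The sixtofour and teredo properties come
from Python's ipaddress module; the Teredo flags/port decode follows RFC 4380
(client port and client IPv4 are stored bit-inverted).
"""
import ipaddress


def classify_ipv6(text: str) -> dict:
    addr = ipaddress.IPv6Address(text)
    if addr.sixtofour is not None:                 # 2002:WWXX:YYZZ::/48 embeds W.X.Y.Z
        return {"kind": "6to4", "ipv4_endpoint": str(addr.sixtofour)}
    if addr.teredo is not None:                    # 2001:0000:<server>:<flags><port><client>
        server, client = addr.teredo
        raw = addr.packed
        flags = int.from_bytes(raw[8:10], "big")
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF   # undo the bit inversion
        return {"kind": "teredo", "server_ipv4": str(server), "client_ipv4": str(client),
                "client_udp_port": port, "flags": flags}
    if addr.is_link_local:
        return {"kind": "link-local"}
    if addr.is_global:
        return {"kind": "global-unicast"}
    return {"kind": "other"}


if __name__ == "__main__":
    # Widely cited Teredo example (server 65.54.227.120, client 192.0.2.45:40000),
    # a constructed 6to4 address for relay endpoint 192.0.2.4, and two ordinary ones.
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2002:c000:204::1",
                   "fe80::1", "2607:f8b0:4005:80a::200e"):
        print(sample, "->", classify_ipv6(sample))
```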
Dual stack is another transitional technology used in our routers, and it allows network administrators to configure their devices to support both IPv4 and IPv6 simultaneously. This effectively creates two native networks while using only a single layer of hardware devices. It's called "dual stack" because we're running two stacks, or variants of IP addressing, on a single piece of hardware. GRE tunnels, or Generic Routing Encapsulation tunnels, are used to carry IPv6 packets across an IPv4 network by encapsulating them inside a GRE IPv4 packet. This effectively creates an IPv6 tunnel inside of an IPv4 network, but it does require an explicit tunnel to be created first, unlike the 6to4 solution I mentioned earlier. Now, why would we want to move away from our standard IPv4 networks and into IPv6 anyway? Well, there are a couple of reasons for this shift.
The first reason is that we need a larger address space, because IPv4 started running out of space even though it had about 4 billion public IP addresses, and that simply isn't enough for the current needs of all the networks deployed across the globe. Now, 4 billion IP addresses sounds like a lot, but once you start counting all the laptops, desktops, cell phones, servers, TVs, refrigerators, and other smart devices out there, it really isn't enough in our modern world. I mean, just at my house I have at least 20 to 30 devices, and I'm just one person among billions of people on the planet. With only 4 billion addresses, there simply aren't enough public IPs to go around if everybody has one. IPv6, on the other hand, gives us a lot more space in the public address area: it provides 2^128 addresses, ensuring we won't run out any time soon. That's 340 trillion trillion trillion addresses.
No, I didn't just repeat myself because I stutter. That number is 340 with 36 zeroes after it. This is enough IP addresses for every man, woman, and child on the planet, with plenty left over to spare. Now, another reason to transition to IPv6 is that it provides increased security by incorporating IPsec into the protocol itself by default. The IPv6 header has also been simplified, which improves the performance of IPv6 networks over a standard IPv4 network. Finally, IPv6 provides stateless autoconfiguration of the devices on your networks. Each device can create its own IPv6 address, as either a link-local or a global unicast address, without the need for in-depth configuration. This again simplifies the creation of networks and the routing of traffic across wide area networks. All in all, we're going to continue to see a large migration from IPv4 to IPv6, so we definitely need to consider how best to support IPv6 as we construct our organizations' networks.
4. Wireless and Mesh (OBJ 1.1)
In this lesson, we're going to discuss the infrastructure that supports one of the fastest-growing parts of our networks: the wireless domain. Wireless connections are becoming more and more prevalent in our network architectures these days, and when installing and configuring numerous access points across the enterprise to provide full coverage for our wireless users, it is extremely important to have a wireless controller that acts as a centralized appliance or software package to monitor, manage, and control them.
Wireless controllers provide many additional security features over a standard wireless access point, and they allow for an enterprise approach to wireless coverage. For example, with a wireless controller, we can adjust the channel assignment of various access points and the radio frequency transmission power in real time to avoid interference with other wireless signals. Additionally, we can use these controllers to implement load balancing, in which a user can connect to different access points and increase their data transmission rate or achieve better coverage. These devices can also detect coverage gaps and increase the transmission power of an access point to fill in an uncovered area of your building. Authentication over wireless networks is another important feature to consider when implementing these controllers.
Authentication schemes like 802.1X, Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), WiFi Protected Access (WPA), 802.11i, and Layer Two Tunneling Protocol (L2TP) can all be used to secure your wireless domain. Even though using wireless controllers does add some cost and complexity to your network, it has a lot of benefits that easily outweigh the drawbacks for large-scale enterprises. Finally, before we end this discussion of wireless infrastructure, we need to touch on the concept of mesh networks, because they continue to grow in popularity. Mesh networks are a form of network topology in which each node cooperates to relay data in an effort to ensure that all nodes maintain connectivity to one another. Traditional mesh networks were made up of wired connections that created an exceptional level of redundancy for any single connection inside the network. As wireless networks have become more popular, mesh networks have begun to change. In modern mesh networks, we find a myriad of different networking devices all cooperating to form a redundant and highly available network.
These include wired connections such as Ethernet and fibre connections, as well as wireless networking technologies like WiFi, cellular, microwave, and satellite connectivity options. These networks ensure that availability is continuously maintained by utilising a self-healing algorithm to route traffic around broken or blocked communication paths. Wireless mesh networks have numerous uses, but one of the best use cases is in places where traditional networks become unavailable.
For example, after a hurricane or a typhoon, disaster relief personnel can bring in networking equipment such as satellite connectivity, mobile cellular towers, and other means, and use mesh technologies to help restore some level of connectivity during the recovery efforts. Mesh networks use three different types of protocols to accomplish their self-healing and rerouting functions: an ad hoc configuration protocol, a proactive autoconfiguration protocol (PAA), and a dynamic WMN configuration protocol (DWCP).