Security+ Series Part 2: Security Admin Principles

Continuing with the Security+ fast track, this article covers some basic security principles that are universal, well-known truths in the security world.

Random Trivia: Rise Against played during article creation.

Rule-based management

Rules, rules and more rules. Will it end someday? The first thing you must realize is that rules are created from the security policy. A security policy is a document that defines what is allowed and what is not allowed, for example Internet usage during business hours. An example of a security policy can be found at SANS.

Firewall rules

Firewall rules are what make a firewall. They define what is allowed to pass through the firewall and what is not. A firewall rule can match various fields in an IP packet: source/destination IP address, source/destination port or even application-level data. Depending on deployment size, the rule database can sit on the firewall itself or on a centralized management server such as Checkpoint Management Add-on (CMA).

Checkpoint SmartDashboard All rights reserved.

VLAN management

The Virtual Local Area Network, a good buddy of ours, can help increase security at L2. The primary purpose of VLANs is to help us segment our network at the switch level. For example, if your IP telephony infrastructure is managed by a 3rd party company and you need to isolate this traffic at your office, you could use VLANs.

Secure router configuration

This particular area focuses on the management plane security of our puppies. The important thing to remember is that Telnet is bad and SSH is good. Add a little ACL on the VTY lines and you will be golden. Besides that, if you are hard core, go for Control Plane Protection. And one more thing: service password-encryption does not hurt either.
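The three checks named above (no Telnet on the VTY lines, an ACL on the VTY lines, service password-encryption) can be verified against a saved configuration. The following Python audit is an added example, not part of the original article; the sample configuration, hostname and ACL name are constructed, and the parser assumes Cisco IOS-style indentation.

```python
import re

# Constructed sample configuration (Cisco IOS-style syntax), not taken from the article.
SAMPLE_CONFIG = """\
hostname branch-rtr
no service password-encryption
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line con 0
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for every 'line vty' section."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith("line vty"):
            if header:
                yield header, body
            header, body = line.strip(), []
        elif header and line.startswith(" "):
            body.append(line.strip())
        elif header:
            yield header, body
            header, body = None, []
    if header:
        yield header, body

def audit(config):
    findings = []
    if not re.search(r"^service password-encryption\s*$", config, re.M):
        findings.append("global: service password-encryption is not enabled")
    for header, body in vty_blocks(config):
        transport = next((c for c in body if c.startswith("transport input")), None)
        # No explicit 'transport input' means the platform default applies; flag it for review.
        if transport is None or re.search(r"\b(telnet|all)\b", transport):
            findings.append(f"{header}: Telnet is not ruled out ({transport or 'no transport input set'})")
        if not any(re.match(r"access-class \S+ in\b", c) for c in body):
            findings.append(f"{header}: no inbound access-class (ACL) applied")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the first VTY range and the global setting, while the second VTY range passes all checks.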

Access Control List

ACL reminds me of my network beginnings with Wendell Odom and his famous CCNA Routing & Switching Exam certification guide. From a security perspective, ACLs are used for stateless traffic inspection. They can allow or deny traffic based on certain fields found in the IP header. They are also used in other places, for example for QoS classification, or to identify interesting traffic for VPN tunnels.

Port Security

This feature is usually found on access switches. Port security can allow only certain MAC addresses, or a certain number of MAC addresses, to communicate through a switch port. It can trigger several actions when a violation happens. For example, it can disallow new hosts or it can shut down the port. You can define a timer to re-evaluate the condition so that you are not bothered every time someone plugs in their own switch for a LAN party.

Port Security in real world.


802.1X

Our good old buddy is back. 802.1X defines a security framework. It can be found in many enterprise wireless implementations. It defines three parties: the supplicant, the authenticator and the authentication server. The supplicant, you guessed it, is usually the end host requiring access to the network. The authenticator is the middle man: a switch, VPN gateway or wireless LAN controller. And the authentication server is the king of the hill who decides whether you are invited or not. This model is very extensible; you can select from various flavors of authentication, such as passwords, tokens, or even certificates.

Flood guards

To limit the amount of unicast/multicast/broadcast traffic on a switched network, a feature called storm control can be used. It limits the amount of a particular type of traffic passing through a port. This may be useful if you encounter a broadcast storm. Vendors may call this feature by different names, but the idea stays the same.

Loop protection

Sometimes you may end up with unidirectional links, for example when one fiber strand has gone bad but the other works just fine. These links can be an issue for protocols such as Spanning Tree that rely on bidirectional communication. To identify this issue, a feature called Unidirectional Link Detection (UDLD) can be used. It sends small hello packets back and forth to make sure the link is forwarding in both directions. Another historical feature that provided a similar solution was Loop Guard for Spanning Tree.

Dog chasing his tail, does not have a loop protection enabled.

Implicit deny

This term relates to firewalls in general. Usually when you deploy a firewall, it will deny all traffic passing through it until you define what is allowed. By default, firewalls usually do not log dropped traffic, but it is a vital thing to do, at least to identify whether the traffic was really blocked by firewall policy.

Default Firewall Behavior
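The behavior described under Implicit deny can be shown with a small first-match rule evaluator that logs every packet falling through to the implicit deny and keeps per-rule hit counts. This Python sketch is an added example, not code from the article or from any firewall product; the rule names, addresses and packets are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # destination port; None matches any port
    action: str            # "accept" or "drop"

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

# Constructed rule base: only explicitly allowed traffic is listed.
RULES = [
    Rule("web-to-dmz", "0.0.0.0/0", "203.0.113.10/32", 443, "accept"),
    Rule("lan-dns", "10.0.0.0/24", "10.0.1.53/32", 53, "accept"),
]
PACKETS = [  # constructed (source, destination, destination port) tuples
    ("198.51.100.7", "203.0.113.10", 443),
    ("10.0.0.15", "10.0.1.53", 53),
    ("198.51.100.7", "203.0.113.10", 22),
    ("10.0.0.15", "203.0.113.10", 443),
]

def evaluate(rules, src_ip, dst_ip, dport, log):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    # Implicit deny: record the drop so it can be attributed to firewall policy.
    log.append(f"DROP implicit-deny src={src_ip} dst={dst_ip} dport={dport}")
    return "drop", "implicit-deny"

def replay(rules, packets):
    """Run packets through the rule base; return per-rule hit counts and the drop log."""
    hits, log = Counter(), []
    for pkt in packets:
        _, name = evaluate(rules, *pkt, log)
        hits[name] += 1
    return hits, log
```

Without the `log.append` line the SSH attempt to the DMZ host would still be blocked, but nothing would show that firewall policy was the reason.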

Network separation

In our networks we may have multiple areas with different security requirements. For example, we trust our internal network, but not the Internet. The same is true for services residing in a DMZ or connections to suppliers via an extranet. All these zones require separation, which is usually done with a firewall.

Log analysis

In the security world, reporting is an essential feature for keeping track of what happens on the network. For example, firewall reporting may include the number of rule hits, the number of concurrent connections and the number of active attacks. All this data can be collected and used for trending or attack correlation.

Checkpoint SmartLog. All rights reserved.

Well, and that is all for this post. Good job if you made it into finals. In the next post in this series we will dive into Network Security Design.

