By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, secure a network in a cloud environment. This guide tackles the challenge of security in a cloud network environment. You will first learn about network segmentation, including the differences between VLAN, VxLAN, and GENEVE. Microsegmentation and tiering will also be covered in this guide. Securing the protocols that are commonly used in a cloud network will also be discussed in this guide. This will include the basics of securing DNS using DoH, DoT, and DNSSEC; securing NTP with NTS; and using encryption protocols, including TLS and HTTPS. Security-based network services, such as firewalls, ADCs, IPS, IDS, DLP, and NAC, are included in this guide. You will also learn about some network hardening techniques, including disabling unnecessary ports, services, protocols, and ciphers. Topics: - Network Segmentation - Protocols - Network Services - Log and Event Monitoring - Network Flows - Hardening and Configuration Changes 1. You are limited to _____ VLANs per network. 2. Which solutions will encrypt DNS traffic? 3. A _____ firewall is one that keeps track of the network packets that are allowed to pass through the firewall and allows responses to pass back through the firewall. 4. _____ is creating a list of servers, sites, or resources that you want to permit access to.
1. 4000 2. DNS over HTTPS (DoH) and DNS over TLS (DoT) 3. Stateful 4. Whitelistin Network Segmentation The purpose of network segmentation is to divide a network into smaller networks. The primary goals of network segmentation are to improve performance and increase security. In a public cloud environment, they are critical because your organization will often be sharing the underlying network with other organizations. The cloud vendor wants to ensure that your network traffic is not viewable by other organizations. This section focuses on different methods of performing network segmentation. Virtual LAN (VLAN)/Virtual Extensible LAN (VxLAN)/Generic Network Virtualization Encapsulation (GENEVE) VLAN, VxLAN, and GENEVE are three commonly used network segmentation techniques. Each of these topics can be quite large and complex. For the CompTIA Cloud+ exam, the most important point is to understand that they are used for network segmentation and to understand some of the differences. VLAN is a well-established technology and has been around since the 1990s. The technique used to segment traffic on a network is to apply tags to the network frames. Networking devices use the tags to determine which endpoints to send broadcast messages to. VLANs apply the tag on the layer 2 frame. There is a limit of 4000 VLANs per network. VxLAN was designed to handle scaling issues in large-scale deployments (particularly cloud environments and ISPs). VxLANs are similar to VLANs, but there are some differences, including where the tag is applied (it uses a larger field in the frame), which results in more possible network segments (up to 16 million). Although VxLAN technology offers more flexibility and scalability than VLAN technology, one challenge is that it isn’t the only alternative technology to VLANs. Different network technology vendors have provided other solutions, such as Network Virtualization using Generic Routing Encapsulation (NVGRE) and Stateless Transport Tunneling (STT). These other technologies provide similar features to VxLAN, but these technologies are not compatible with each other. GENEVE is a newer network segmentation technology that is designed to support the features provided by VxLAN, NVGRE, and STT. Microsegmentation Microsegmentation is a security feature that enables administrators to logically divide virtual and physical resources into groups and apply a different set of security rules to each group. In terms of firewalls, microsegmentation is the process of creating zones within the same VLAN, for example. With a firewall zone, you can create firewall rule sets that apply to a specific logical area of the network. Zones provide more flexibility for the firewall administrator, but they can also make it more difficult to troubleshoot problems if you are not aware of how the zones are configured and which resources belong to which zones. Tiering Tiering is a network segmentation technique that considers the function of the resources on the network. For example, one popular tiering segmentation method is to place resources in one of three categories: Web, Application, or Database. Protocols There are several protocols that either provide you with the capability to secure your network or that you should consider when using a more secure practice or technique. For example, you can use encryption techniques like IPsec, TLS, or HTTPS to provide a more secure network. However, technologies like DNS and NTP are not typically secure, so you should consider either using alternatives or implementing additional security features. This section focuses on these protocols. Domain Name Service (DNS) The following sections describe security features that you should consider implementing when managing a DNS service. DNS over HTTPS (DoH)/DNS over TLS (DoT) DNS data is normally sent across the network in plaintext format. This implementation poses a security risk because the privacy of the user could be compromised. It is also more vulnerable to a man-in-the-middle attack, an attack in which a rogue DNS server replaces the DNS results from the DNS server. More secure solutions include DNS over HTTPS (DoH) and DNS over TLS (DoT). Both methods end up encrypting the network traffic. DNS Security (DNSSEC) Another potential security risk can exist in the DNS system. It is possible for a fake DNS server to provide incorrect data when a query is performed. This is known as DNS cache poisoning or DNS spoofing. The concern here is that the domain name to IP address translation of a sensitive system (like a bank’s website) could point to a rogue server designed to capture usernames and passwords. There is a way to limit the likelihood of DNS cache poisoning: use transaction signatures (TSIGs). With TSIGs, private and public digital signatures are used to ensure that DNS data is coming from the correct source. This technology can be used to verify zone transfers as well as DNS queries. The most common way to implement TSIGs for DNS is to use Domain Name System Security Extensions (DNSSEC). Network Time Protocol (NTP) Network Time Protocol (NTP) is an internet protocol used to synchronize with computer clock time sources in a network. It belongs to and is one of the oldest parts of the TCP/IP suite.
The following section describes security features that you should consider implementing when managing an NTP service. Network Time Security (NTS) When you consider how important accurate time is, you can begin to understand the importance of having accurate clocks on resources. NTP provides a great method of providing an accurate clock, but it wasn’t built to be highly secure, and there are concerns that a rogue NTP server can serve up inaccurate times to your NTP client resources. NTS provides another layer on top of NTP, a layer that makes NTP more secure. One of the biggest additions that NTS offers is a key exchange function that is designed to ensure that NTP clients are connecting to the correct NTP server. Encryption Encryption is a security control used primarily to provide confidentiality protection for data. It is a mathematical transformation to scramble data requiring protection (plaintext) into a form not easily understood by unauthorized people or machines (ciphertext). The following sections describe security features that you should consider implementing when managing a NTP service. IP Security (IPsec) IP Security is a protocol that is designed to allow the transport of data between network nodes in a secure manner. IPsec is often used to create a secure VPN connection between two nodes in different physical networks. To securely transport the data, it establishes a connection between the two nodes and sends all data in an encrypted format. IPsec can also be used to create VPNs from a single node to a remote network as well as a network-to-network VPN. Note that IPsec functions at Layer 3 (the network layer) of the OSI model. Transport Layer Security (TLS) Transport Layer Security is a cryptographic protocol used to secure data transfer and authenticate systems. Designed to replace SSL (Secure Sockets Layer), TLS is often generically called SSL. TLS is used in conjunction with several protocols, including Voice over IP (VoIP), email, and instant messaging. It is also commonly used to make communications between a web client and web server by providing a protocol that is more secure than HTTP (the HTTPS protocol). TLS provides two primary functions: preventing eavesdropping and tampering. Data sent via TLS is encrypted with a symmetric cipher after establishing a connection via an asymmetric cipher. Hypertext Transfer Protocol Secure (HTTPS) See the preceding “Transport Layer Security (TLS)” section. Tunneling Tunneling is the process of transporting data securely over a network via an encrypted connection. It is often used to implement VPN connections across multiple networks, like the Internet. This section provides some essential information about the protocols often used for tunneling: Secure Shell (SSH), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and generic routing encapsulation (GRE). Secure Shell (SSH) The Secure Shell is a network protocol that is used to securely transport data across a network. SSH has several functions, including - The capability to log in to a remote system via a command-line interface - The capability to remotely execute a command-line program on a remote system - The capability to transfer files between systems, either using a command-line utility or an FTP-like utility An SSH connection can also be established to create a secure tunnel between two systems through a method called port forwarding. After the tunnel is established, the client system doesn’t send the network packet directly to the remote system but rather to the local SSH service. Then the local SSH service sends the network packet via the encrypted connection to the SSH service on the remote system. The remote SSH service then sends the data to the service on the remote system that the packet was designed to be sent to. This method allows for several advantages. One advantage is that a protocol that is not normally secure can still send data across the network using an encrypted connection. A second advantage is that an SSH tunnel can be established for a brief period of time to perform the necessary operations. It doesn’t have to be running all of the time, and it is easy to set up and tear down. Additionally, an SSH tunnel communicates on port 22, which is often not blocked by firewalls, so an SSH tunnel can be used to bypass the restrictions of a very secure firewall implementation. Layer 2 Tunneling Protocol (L2TP)/ Point-to-Point Tunneling Protocol (PPTP) Layer 2 Tunneling Protocol performs the tunneling at Layer 2 of the OSI model. OSI Layer 2 is also referred to as the data link layer. L2TP uses 256-bit encryption keys, making it a strong encryption protocol. Point-to-Point Tunneling Protocol is a lower-level protocol, which is faster and easier to use than L2TP. However, PPTP encrypts using 128-bit encryption keys, so it is considered less secure than L2TP. Generic Routing Encapsulation (GRE) Cisco developed another protocol, called generic routing encapsulation, that is often designed to create encrypted VPN connections across the network. The method used by GRE is to encapsulate a data packet that doesn’t use encryption with a GRE packet (which does use encryption). Once the GRE packet gets to the destination, the encapsulated packet is decrypted and processed by the destination system. Network Services This section focuses on network services that are used to secure a cloud environment. Firewalls A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules. Stateful A stateful firewall is one that keeps track of the network packets that are allowed to pass through the firewall and allows responses to pass back through the firewall. For example, suppose your organization has a firewall that blocks most traffic into your network, but you have an application that queries a web server on the Internet. Normally, if the web server were to attempt to send network packets directly into your organization’s network, the packets would be blocked by the firewall. But if the firewall is stateful, it will allow packets from the web server that are in response to the internal application queries. In other words, it opens a pinhole connection. Stateless A stateless firewall does not consider any connections or communications that have been established from within the organization. A stateless firewall must have all ports manually configured to be “unblocked” for communication to enter the network. Web Application Firewall (WAF) Most standard firewall software programs are designed to protect either a network or an entire operating system. Although there are certainly situations where you will want to implement that type of firewall in your cloud environment, there is a more specialized case where you will want to implement a more specific type of firewall: the web application firewall (WAF). A WAF is designed to protect OSI layer 7 applications based on HTTP/HTTPS. This is important for cloud environments because applications can run separately from the operating system in a cloud infrastructure. A WAF is designed to filter and monitor inbound connections to applications by analyzing HTTP traffic. It helps protect your applications from attacks like SQL injections and cross-site scripting (known as XSS). Note that dozens of different WAF programs are available, including several provided by major cloud vendors. For example, Amazon has AWS WAF, and Microsoft offers Azure Application Gateway with WAF. Application Delivery Controller (ADC) An application delivery controller is a program that provides several functions, including - Acting as a web accelerator, which improves HTTP response time and reduces the load on the web servers - Acting as a simple load balancer for web servers - Providing controlled access to web servers because it is normally placed in the DMZ (between the inner and outer firewall) Intrusion Protection System (IPS)/Intrusion Detection System (IDS) The host intrusion detection system (HIDS) and host intrusion prevention system (HIPS) are host-based cousins to NIDS and NIPS. They process information within the host. They may process network traffic as it enters the host, but the focus is usually on files and processes. Data Loss Prevention (DLP) Consider how some stores attempt to limit loss through theft of inventory by using security control tags. A tag is placed on an item and is deactivated only if the item is sold. If that item isn’t sold and someone tries to remove it from the store, an alarm goes off. In simpler words, data loss prevention offers protection against data exfiltration. A similar concept is the basis of DLP software. This software actively monitors network traffic and tries to recognize the transmission of sensitive data. If discovered, the DLP should block the data from leaving the network. Network Access Control (NAC) Consider a situation in which your organization has implemented several software programs to secure your network and resources. This includes an antivirus program, a threat detection program, a device management program, data loss prevention, and others. Each program is designed to perform its function, but they all work independently, even though they are all part of the goal of endpoint security. Think about network access control as a way of unifying these disjointed programs under a single administrative umbrella. NAC makes use of policies to control multiple aspects of a network to improve the security of the network while also making the protection of the network more visible and transparent to the NAC administrator. Packet Brokers You may have used a broker in real life to facilitate a complex process. For example, if you were trying to get a loan to buy a house, you could go to an individual lender, fill out a loan application, provide all of your financial information, and so on. Then to make sure you get the best deal, you would go through this process again and again with multiple lenders. In real life a broker is an agent who provides a single point of contact instead of your having to work with multiple entities individually. Another example is a stock market broker who will handle the process of buying and selling stock for you (and hopefully provide you with sound advice on buying and selling stock). A packet broker fulfills a similar function. It will receive network traffic, analyze the traffic, and manage the flow of the traffic. It can act as a filter and also monitor the network and provide administrators a single pane-of-glass view of network traffic. It isn’t used in place of other security devices, like firewalls, DLP, or IPS/IDS devices, but rather in conjunction with these devices to provide a higher level of security. Log and Event Monitoring Logging, Monitoring, and Alerting (LMA) is a collection of tools used to guarantee the availability of your running infrastructure. Network Flows As you can probably tell by now, your organization’s network can become very complex very quickly. With multiple security devices, VPNs, and other security features, understanding the flow of your network traffic becomes critical to ensuring your security policies are implemented correctly. A network flow is a description of how packets are routed through your network. You can utilize network diagram software to generate a network map to better visualize the flow of network traffic in your cloud environment. This should also include the flow of network packets from your on-premises environment to your cloud environment (and vice versa). Hardening and Configuration Changes Improving security is often referred to as hardening. This section focuses on procedures and processes you can implement to improve the security of your cloud network. Disabling Unnecessary Ports and Services When you deploy a resource in a cloud environment, you should make sure that only necessary services are running on the resource. For example, suppose you deployed a Linux server in your cloud infrastructure and you performed an “out of the box” installation. This will likely result in many services running on the server that are not necessary, including the print service. Unnecessary services are a potential security threat to your resource. Perform an analysis of which services are running on the resource and disable all that are not needed to perform the function of the resource. Disabling Weak Protocols and Ciphers You should have a list of protocols and ciphers that your company supports and allows in your cloud environment. Anything not on this list should not be allowed in your cloud infrastructure. Note that there are many protocols and ciphers, and providing a list here that would suit your organization’s needs isn’t feasible. The following brief list provides you with an idea of commonly used weak protocols and ciphers: - FTP - Telnet - POP3 - IMAP - SNMP v1 and v2 - RC2 - RC4 - MD5 - 3DES - DES Firmware Upgrades Firmware software is the software that manages specific physical hardware devices on a system. This software is not typically installed on the file system for the resource but rather in special nonvolatile memory devices, like ROM. This software is often overlooked in a security policy because it tends to just “work” as it is, and updating the software rarely provides any new critical features. However, firmware updates often do address security concerns, such as patching security holes. As a result, a security plan should include the regular patching of firmware. Control Ingress and Egress Traffic You have already learned about tools that control traffic flow, including firewalls, packet brokers, and DLP. These tools are designed to control traffic into your network (ingress traffic) and traffic leaving your network (egress traffic). Whitelisting or Blacklisting Whitelisting is creating a list of servers, sites, or resources that you want to permit access to. Blacklisting is creating a list of servers, sites, or resources that you want to block access to. These lists are often used in conjunction with software like firewalls or DLP software to control the ingress and egress flow of network traffic. Proxy Servers A proxy server is a system that serves to facilitate the communications between a client and a server. There are different advantages depending on the design of the proxy server. There are several different types of proxy servers, including the following: - Tunneling proxy: This type of proxy is designed to act as a gateway between two networks. An example would be when an IPv4-based network needs to communicate with an IPv6-based network. See Figure 6.1 for a visual example of a tunneling proxy. Reverse Proxy
- Forward proxy: This type of proxy is designed to work on the client side of the communication. For example, a web browser can point to a proxy server instead of communicating directly with the web server. Typically, when someone calls a system the proxy server, that person is referring to a system functioning as a forward proxy. Forward Proxy A forward proxy server can provide the following key functions: - It can act as a filter by blocking access to external resources. - It can act as a buffer between the client and the server because the server “sees” the request coming from the proxy, not the original client. This can hide the original client data, such as its IP address or location. Some users prefer this because it allows for anonymous browsing. This is also useful to get around restrictions—for example, a website that only allows access from a geographic region. In this case a proxy server located in the correct geographic region could permit the required access. - Proxy servers can cache static data—for example, websites that have static web pages. When multiple proxy clients attempt to retrieve the same data, the proxy server can serve to speed up the process by returning the data directly rather than querying the web server repeatedly. - The proxy server can be used to log client activity. - Reverse proxy: A reverse proxy server is one that is configured on the server side. For example, instead of having web clients directly connect to your company web server, you have them connect to the proxy server initially. The proxy server then communicates with the web server for the required data. Reverse Proxy There are several advantages for a reverse proxy server, including: - Load balancing can be provided by the proxy server because it can send queries to multiple web servers. - The proxy server can limit the load from the server by caching static data. - For SSL-based web servers, the proxy server can perform the SSL-based operations instead of the web server. If the proxy server is equipped with SSL-accelerated hardware, this can be a tremendous advantage. - The proxy server can effectively hide the web server from the client, making the web server more secure. Without direct access to the web server, it is more difficult to exploit it. - The proxy server can optimize communication by compressing the data, increasing the speed of data transport. Distributed Denial-of-Service (DDoS) Protection A DDoS is an attack on your network or a resource within your network. Using multiple systems, a large number of network packets are sent with the goal of overwhelming systems within your network. There are many different forms of DDoS attacks, including - HTTP floods - DNS query floods - SSL abuse - SYN floods - UDP reflection floods
Because there are many different DDoS attacks, there are different approaches to protecting your resources from these attacks, including - Using DDoS mitigation software - Reducing attack areas - Preparing to scale up in the event of a successful attack - Using analytic tools to discover abnormal traffic - Utilizing WAF devices Quiz 1. _____ is a security feature that enables administrators to logically divide resources into groups and apply a different set of security rules to each group. A.VxLAN B.Microsegmentation C.GENEVE D.VLAN 2. Transport Layer Security (TLS) is a cryptographic protocol used to secure data transfer and authenticate systems. It was designed to replace SSL. A.TLS B.IPsec C.L2TP D.PPTP 3. Which of the following is not a feature of an application delivery controller? A.Can act as a web accelerator B.Can act as a simple load balancer for web servers C.Can provide controlled access to web servers D.Can authenticate users 4. Which of the following would be considered an insecure protocol? (Choose two.) A.IMAP B.SSH C.SNMP v2 D.TLS Answers: 1. Microsegmentation 2. TLS 3. Can authenticate users 4. IMAP and SNMP v2
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.