Study Guide: CompTIA CASP+ CAS-004 Certification: Components of Network Security
Source: https://www.fatskills.com/comptia-advanced-security-practitioner-casp-/chapter/comptia-casp-cas-004-certification-components-of-network-security

CompTIA CASP+ CAS-004 Certification: Components of Network Security

By Fatskills Exam Guides Team


Every organization wants a secure architecture for its network infrastructure. A secure design starts from an understanding of the organization's services and the components that deliver them, such as servers and networks, so that each can be accounted for in the design. When implementing security features, IT teams have to balance ease of use for users and performance cost against security standards and principles. This guide presents the building blocks for implementing a secure architecture for enterprises and critical infrastructure, including physical, virtual, and network devices.
- Physical and virtual network devices
- Application-aware technologies
- Secure and complex traffic flow
- Network management
- Critical infrastructure
- Security zones
- Network components
- Complex network security
- Software-defined networks
- Critical systems

A secure network design cannot be achieved without understanding the components that must be included and the secure design concepts that must be followed. Many security features do come at a cost in performance or ease of use, but most enterprises are willing to incur those costs once they understand a few important security principles. This guide discusses the building blocks of a secure architecture. To implement a secure network, you need to understand the available security devices and their respective capabilities; the following sections discuss a variety of devices, both hardware- and software-based.

Structure
- Security zones
- Complex network security

UTM
Unified threat management (UTM) is an approach that performs numerous security functions on a single device or appliance (refer to Figure 6.1). UTM appliances overlap heavily with next-generation firewalls (NGFWs), and the two terms are often used interchangeably; the difference in how they process traffic is discussed under Firewall below. Both combine many security features and services into a single network device or service, so that customers can be protected from security risks in a more straightforward way.

A UTM appliance or NGFW may include the following functions:
- Network firewalling
- Network intrusion prevention
- Gateway antivirus
- Gateway antispam
- VPN
- Content filtering
- Load balancing
- Data leak prevention
- On-appliance reporting

UTM removes the need to manage several separate systems. Some security experts, on the other hand, regard a UTM appliance as a single point of failure and consider several layers of separate devices the safer design, as presented below:



Figure: Unified Threat Management deployment

IDS/IPS
An intrusion detection system (IDS) monitors systems and networks for unauthorized access or attacks. Threats from outside and from inside the network can be identified, itemized, and classified. IDSs are usually pre-configured to respond in specified ways to specific scenarios, and they rely heavily on event notification and alarms: when an attack is detected, administrators and security specialists are notified.

An intrusion prevention system (IPS) goes a step further: it detects attacks and takes action to stop and contain them as they begin. Like an IDS, an IPS can be network-based or host-based.

IDS/IPS implementations are further divided into the following categories:
- Signature-based: This type of IDS/IPS examines traffic and compares it to attack or state patterns stored in its database, known as signatures. It is also called a misuse-detection system. Despite its popularity, this type of IDS can only recognize attacks that match its database and is only as effective as the signatures supplied, so regular updates are required. The two main types of signature-based IDSs/IPSs are:
  - Pattern matching: The IDS/IPS compares traffic to a database of attack patterns and carries out a configured action when traffic matches one of them.
  - Stateful matching: The IDS/IPS tracks state across a sequence of packets or events and matches signatures against that accumulated state, so an attack whose pieces are spread across several packets, or a state change that violates a defined rule, still results in an alert or notification.
- Anomaly-based: This type of IDS/IPS compares traffic against a profile of normal traffic to decide whether it is a threat. It is also known as a profile-based or behavior-based system. The drawback is that it reports any traffic that deviates from the expected norm, producing more false positives than a signature-based system. There are three main types of anomaly-based IDSs:
  - Statistical anomaly-based: The IDS/IPS samples the live environment to build a profile of normal activity; the longer it runs, the more accurate the profile becomes, but building a profile that yields few false positives is difficult and time-consuming. In this type of IDS the deviation thresholds are crucial: set the threshold too low and false positives rise, set it too high and false negatives rise.
  - Protocol anomaly-based: The IDS/IPS knows how the protocols it monitors are supposed to behave, builds a profile of normal usage, and compares observed activity to it.
  - Traffic anomaly-based: The IDS/IPS records a sample of normal traffic patterns and compares all later traffic to that sample; adjusting the threshold trades false positives against false negatives. This approach is good at detecting unknown attacks, but user activity may not be stable enough for it to work well.
- Rule- or heuristic-based: This type of IDS/IPS is an expert system consisting of a knowledge base, an inference engine, and rule-based programming. The knowledge is organized as a set of rules; traffic is analyzed, the rules are applied to it, and the inference engine can refine its conclusions from what it observes. If the criteria for an attack are satisfied, an alert or notification is triggered. This is also called an if/then system or an expert system.
The most common way to classify an IPS or IDS is based on its information source – network-based or host-based.

The figure below illustrates IPS vs IDS:


Figure: IDS vs IPS

HIDS/HIPS
A host-based IDS/IPS (HIDS/HIPS) monitors activity on a single system; its main function is to protect the system on which it is installed. A HIDS/HIPS works from the operating system's audit trails and system logs, so the completeness of those logs limits what it can detect. A customized IDS/IPS that analyzes the transaction log files of a specific application is known as an application-based IDS/IPS; it is normally bundled with the application or can be purchased separately.

NIPS
A network intrusion prevention system (NIPS) monitors network traffic for signs of malicious activity and then takes action to stop it. A NIPS watches the whole network segment it is attached to, so its filters must be tuned carefully to keep false positives and false negatives to a minimum. A false positive is an alarm that is not warranted; a false negative is malicious traffic that does not trigger an alarm.

NIDS
A network IDS (NIDS) is the most common type of IDS; it analyzes network traffic on a local network segment. The network interface card (NIC) must be in promiscuous mode to see all traffic on the segment. A NIDS can only monitor network traffic; it cannot see internal system activity, such as an attack carried out from the system's local terminal. Switched networks affect a NIDS because a switch only forwards frames to the port of the destination host, so a NIDS attached to a single port sees little more than broadcast traffic unless it is fed from a mirror (SPAN) port or a network tap.

The figure below illustrates the network and host-based IDS:


Figure: NIDS vs HIDS

NAC
When a device initiates a remote access or VPN connection to the network, network access control (NAC) goes beyond authenticating the user and also reviews the state of the machine the user is introducing to the network (Figure 6.4). Cisco calls these services Network Admission Control (NAC) and Microsoft called them Network Access Protection (NAP). Whatever the terminology, the aim is the same: to check any device seeking network access for malware, missing security updates, and any other security weaknesses it could bring into the network, and to restrict or remediate devices that fail the check.

The figure below illustrates NAC:


Figure: Network Access Control

SIEM
Security information and event management (SIEM) solutions collect data from crucial system log files and centralize the collection and analysis (Figure 6.5). SIEM technology combines two technologies that are closely related – security information management (SIM) and security event management (SEM).

Log sources for SIEM can include the following:
- Application logs
- Antivirus logs
- Operating system logs
- Malware detection logs

The figure below illustrates SIEM:


Figure: SIEM

When deploying a SIEM, collect the log sources you actually need rather than everything available: every additional source adds storage and licensing cost and slows correlation. You must also make sure that enough resources (storage, indexing and processing capacity) are available for the system to perform well.

The figure below illustrates the SIEM log flow from initial logs received to the final tickets:


Figure: SIEM Log Flow

An organization should implement a SIEM system when the following is required:
- More visibility into network events is desired
- Faster correlation of events is required
- Compliance issues require reporting to be streamlined and automated
- Help is needed in prioritizing security issues
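The log flow above, from raw events to a correlated alert that becomes a ticket, as an added example that is not part of the original page or of any SIEM product's code. The Python below parses constructed sshd-style authentication lines (sample data, not real logs), normalizes them into events, and applies one correlation rule: five or more failed logins from one source inside 60 seconds followed by a successful login from the same source. The log format, threshold, and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real captured data).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2024-03-01T09:00:03 sshd[101]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-03-01T09:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 40003 ssh2
2024-03-01T09:00:06 sshd[101]: Failed password for root from 203.0.113.7 port 40004 ssh2
2024-03-01T09:00:08 sshd[101]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-03-01T09:00:12 sshd[101]: Accepted password for root from 203.0.113.7 port 40006 ssh2
2024-03-01T09:05:00 sshd[101]: Failed password for alice from 198.51.100.9 port 50001 ssh2
2024-03-01T09:05:30 sshd[101]: Accepted password for alice from 198.51.100.9 port 50002 ssh2
"""

# Normalization step: one regex turns a raw line into a structured event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line):
    """Return a normalized event dict, or None for lines this parser does not know."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failures from one source inside a sliding
    window, then a success from that same source. Returns a list of alerts that
    carry the evidence an analyst needs when the alert becomes a ticket."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse, lines.splitlines())):
        recent = failures[ev["src"]]
        # Expire failures that have fallen out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "severity": "high",
                "title": f"Possible brute-force success against {ev['user']} from {ev['src']}",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "at": ev["ts"].isoformat(),
            })
            recent.clear()  # one ticket per burst, not one per later success
    return alerts
```

The sliding window is the tuning knob: with the sample data the rule fires once for 203.0.113.7 and stays quiet for the single typo from 198.51.100.9. Raising the threshold to six suppresses the alert entirely, which is the false-negative side of the same trade-off the IDS section describes, and a low-and-slow attacker who spaces failures more than a minute apart would need a second rule with a longer window.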

Firewall
The firewall is the network equipment that is most closely associated with the concept of security. A firewall can be a piece of software that runs on top of a server or client operating system, or it can be a standalone device with its own operating system. In any scenario, a firewall’s role is to inspect and limit the types of communications that are permitted. When we look at firewalls, we pay attention to the distinctions in how they work. The following are the types of firewalls:
- Packet-filtering firewalls: These have the least impact on performance because they only look at IP addresses and port numbers in the packet header. The check still adds some delay, but it is a quick look at the start of the packet followed by an allow-or-deny decision. Packet-filtering firewalls are useful, but they cannot protect against all forms of attack: on their own they cannot reliably stop IP spoofing, application-specific attacks, attacks that rely on packet fragmentation, or attacks that abuse the TCP handshake. Stopping these requires firewall types that inspect more deeply.
- Stateful firewalls: These firewalls understand the TCP handshake, keep track of the state of every connection in relation to it, and can detect when a packet trying to enter the network makes no sense in the context of the handshake. A packet with both the SYN and ACK flags set should never arrive at the firewall unless it is part of a handshake in progress, in reply to a packet with the SYN flag set that was sent from inside the network. A stateful firewall will not let such a packet through. It also detects other attacks that abuse the handshake by keeping a state table of all current connections and how far each has progressed, and rejecting traffic that is inconsistent with that state. Maintaining and consulting the table costs more performance than simple packet filtering.
- Proxy firewalls: This type of firewall sits between the internal and external sides of a connection and connects to each endpoint on the other's behalf; a firewall used this way is a forward proxy. There is no direct connection through a proxy firewall; it relays between the two destinations. Proxy firewalls can operate at two different layers of the OSI model:
  - Circuit-level proxies: These work at the session layer (layer 5) and make decisions from protocol headers and session-layer information. Because they do not perform deep packet inspection at layer 7 (the application layer), they are application-agnostic and can be used for a wide range of layer 7 protocols. A SOCKS firewall is an example of a circuit-level proxy; it requires a SOCKS client on the machines, and many vendors have built SOCKS support into their software to make this easier.
  - Application-level proxies: These perform deep packet inspection, up to layer 7, and understand the application's layer 7 communication in depth. Each protocol has its own proxy function in an application-level firewall; the HTTP proxy, for example, can read and filter HTTP traffic based on HTTP methods. Because every packet has to be fully opened and reassembled at this layer, this type has the largest impact on performance.
- Dynamic packet filtering: This is not a type of firewall but a capability that a firewall may or may not have. When an internal computer opens a connection to a remote computer, the packet carries both a source and a destination port. If the computer requests a secure web server, for example, the destination port is 443, the default for HTTPS, but the source port is chosen dynamically from the ephemeral range. A dynamic packet filter notes that source port and opens a temporary rule allowing the server's replies back to exactly that port, so the administrator does not have to permit inbound traffic to the whole ephemeral range.
- Kernel proxy firewalls: These are considered fifth-generation firewalls. A kernel proxy inspects a packet at every layer of the OSI model, but because it does so in the kernel it avoids the performance penalty of an application-layer proxy. It also uses the proxy model, acting as an intermediary that establishes connections on behalf of the two systems.
- Next-generation firewalls (NGFWs): NGFWs address the shortcomings of a typical stateful firewall in traffic inspection and application awareness without sacrificing speed. UTM systems try to solve the same problems, but they use separate internal engines for their various security functions.
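The state-table logic described under stateful firewalls, together with the dynamic packet filtering behaviour, as one added example in Python (not from the page or from any firewall vendor). The internal network 10.0.0.0/24, the allowed outbound ports 80 and 443, and the packets fed through the firewall are constructed for the example. Each outbound SYN creates a state entry keyed on the client's ephemeral port, and inbound packets are admitted only when they match an entry and carry flags that make sense for its current state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")  # constructed internal network for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inside(ip):
    return ip_address(ip) in INSIDE


class StatefulFirewall:
    """Perimeter firewall that only lets return traffic in when it matches a
    connection the inside opened. The state table is the heart of the model."""

    def __init__(self, allowed_outbound_ports=(80, 443)):
        self.allowed = set(allowed_outbound_ports)
        # (client, client_port, server, server_port) -> "SYN_SENT" | "ESTABLISHED"
        self.state = {}

    def process(self, pkt):
        if inside(pkt.src) and not inside(pkt.dst):            # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:                          # new connection
                if pkt.dport not in self.allowed:
                    return "DROP"
                # Dynamic packet filtering: remember the ephemeral source port so
                # that replies to exactly this port are allowed back, instead of
                # opening the whole ephemeral range to inbound traffic.
                self.state[key] = "SYN_SENT"
                return "ALLOW"
            if key in self.state:
                if pkt.ack and self.state[key] == "SYN_SENT":    # third handshake step
                    self.state[key] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"                                        # mid-stream, no state
        if not inside(pkt.src) and inside(pkt.dst):             # inbound
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            st = self.state.get(key)
            if st is None:
                return "DROP"      # unsolicited, including a bare SYN/ACK
            if pkt.syn and pkt.ack and st != "SYN_SENT":
                return "DROP"      # SYN/ACK is only valid while the handshake is open
            return "ALLOW"
        return "DROP"              # traffic not crossing the perimeter is out of scope here


def demo():
    """Run a handshake plus two bogus SYN/ACKs and a disallowed port through the firewall."""
    fw = StatefulFirewall()
    c, s = "10.0.0.5", "203.0.113.10"
    return [
        fw.process(Packet(c, 51000, s, 443, syn=True)),            # ALLOW: SYN out
        fw.process(Packet(s, 443, c, 51000, syn=True, ack=True)),  # ALLOW: expected SYN/ACK
        fw.process(Packet(c, 51000, s, 443, ack=True)),            # ALLOW: handshake completes
        fw.process(Packet(s, 443, c, 51000, ack=True)),            # ALLOW: server data
        fw.process(Packet(s, 443, c, 51001, syn=True, ack=True)),  # DROP: no SYN ever left for 51001
        fw.process(Packet(s, 443, c, 51000, syn=True, ack=True)),  # DROP: SYN/ACK after handshake done
        fw.process(Packet(c, 52000, s, 23, syn=True)),             # DROP: Telnet not permitted outbound
    ]
```

A stateless packet filter with the same policy would have to permit inbound tcp/443 to any internal ephemeral port, and would pass both of the spoofed SYN/ACKs above; the state table is what makes the two DROP decisions possible. Real firewalls also age entries out of the table and track FIN/RST teardown, which this model leaves out.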

The figure below illustrates the NGFWs:


Figure: Next-Generation Firewall

In a UTM system this means a packet may be evaluated by several engines, one after another, before it is admitted to the network. NGFWs are application-aware: they can distinguish between specific applications rather than admitting all traffic that arrives on the standard web ports, and they inspect each packet only once during deep packet inspection (which is required to detect malware and anomalies).

The following are the features provided by NGFWs:
- Non-disruptive in-line configuration – has little impact on network performance
- Standard first-generation FW capabilities – network address translation, stateful protocol inspection, and virtual private networking
- Integrated signature-based IPS engine
- Application awareness, full-stack visibility, and granular control
- Ability to incorporate information from outside the firewall, such as directory-based policy, blacklists, and whitelists
- Upgrade path to include future information feeds and security threats and SSL decryption to enable identifying undesirable encrypted applications

Switches
Switches are intelligent devices that operate at OSI layer 2. They map to this layer because switching decisions are made on MAC addresses, which are layer 2 addresses; this is known as transparent bridging. Switches are more efficient than hubs because they prevent collisions: each switch port is its own collision domain, whereas all hub ports share one collision domain. Switches are also safer from a security standpoint, because a sniffer attached to a single port only sees traffic destined for or originating from that port (plus broadcast traffic) rather than everything on the segment. Some switches can also route; devices that both route and switch are called layer 3 switches. When deploying switches, keep in mind that redundant links between switches are good for availability but can cause switching loops, which can bring down a network. To avoid them, most switches run the Spanning Tree Protocol (STP); check that a switch supports it and that it is turned on.

Router
If we consider only the routing function, routers operate at layer 3. Some routing devices combine routing, switching, and layer 4 filtering in one device, but routing itself is a layer 3 function because it makes decisions on layer 3 information (IP addresses). Routers consult routing tables to decide where to send traffic destined for a given network. Although a router can hold routes to individual hosts, it is normally configured to route to networks rather than to specific computers. When a packet reaches a router that is directly connected to the destination network, the router sends an ARP broadcast to learn the destination host's MAC address and then forwards the packet as a layer 2 frame. Routers serve an essential security purpose by supporting access control lists (ACLs). An ACL is an ordered set of rules that determines which traffic is permitted or denied along a given path through the router. Rules can operate at layer 3, making decisions on IP addresses, or at layer 4, permitting only particular types of traffic; an ACL rule usually refers to the port number of a service or application that is permitted or denied. Rule order matters, because the first matching rule wins and anything that matches no rule is dropped by the implicit deny at the end of the list.

The figure below illustrates the network routing and switching:



Figure: Network routing & switching
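Router ACL evaluation as an added example in Python (not from the page or from any router vendor): rules are checked top-down, the first match decides, and the implicit deny catches everything else. The two ACLs, the networks, and the hosts are constructed; the second ACL shows the common ordering mistake in which a broad layer 3 permit shadows a specific layer 4 deny placed after it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any protocol: a layer 3 rule)
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # destination port; None means any (layer 3 only)


def evaluate(acl, proto, src, dst, dport=None):
    """Router-style ACL semantics: top-down, first match wins, implicit deny at
    the end. Returns (action, matching_rule_number); the rule number is None
    when the implicit deny was hit."""
    for n, r in enumerate(acl, start=1):
        if r.proto not in ("ip", proto):
            continue
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, n
    return "deny", None


# Constructed ACL protecting a server LAN 10.0.0.0/24; 10.1.0.0/16 is the admin LAN.
GOOD_ACL = [
    Rule("deny",   "tcp", "0.0.0.0/0",   "10.0.0.0/24",  23),   # no Telnet to servers, from anywhere
    Rule("permit", "tcp", "10.1.0.0/16", "10.0.0.0/24",  22),   # SSH only from the admin LAN
    Rule("permit", "tcp", "0.0.0.0/0",   "10.0.0.10/32", 443),  # public HTTPS to one web server
]

# Same intent, wrong order: the broad layer 3 permit on line 1 matches first, so
# the specific Telnet deny on line 2 is never reached for admin-LAN sources.
BAD_ACL = [
    Rule("permit", "ip",  "10.1.0.0/16", "10.0.0.0/24"),
    Rule("deny",   "tcp", "0.0.0.0/0",   "10.0.0.0/24", 23),
]
```

Writing the specific denies before the broad permits, and leaving the implicit deny to do the rest, is the pattern that keeps an ACL readable as it grows. The same evaluation model applies to the packet-filtering firewalls described earlier, which is why rule ordering mistakes look identical on both kinds of device.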

To secure a router, you need to ensure that the following settings are in place:
- Configure authentication between the routers to prevent them from performing routing updates with rogue routers.
- Secure the management interfaces with strong passwords.
- Manage routers with SSH rather than Telnet.

Proxy
Proxy servers can be hardware appliances or software running on a server operating system. They work much like proxy firewalls, establishing web connections on behalf of client computers, but they can usually filter traffic at a finer granularity. A proxy server, for example, may allow the sales group to access particular websites while denying the data entry group access to the same sites. The capability extends beyond HTTP to other protocols, such as FTP. Proxy servers can also provide a useful service known as web caching. When web caching is enabled, the proxy keeps a copy of every web page it serves to an internal computer in its cache; if another user requests the same page later, the proxy already has a local copy and does not need to retrieve it from the Internet again. This significantly improves the performance of frequently visited pages.

Load balancer
Load balancers are hardware or software solutions that distribute network traffic across several servers. Application delivery controllers (ADCs) support the same methods but add more sophisticated balancing algorithms that take into account per-server CPU and memory usage, fastest response time, and similar measures.

The group of servers behind a load balancer is called a server farm or pool, as shown below:


Figure: Load Balancer locations

HSM
A hardware security module (HSM) is an appliance that safeguards and manages digital keys used with strong authentication and provides crypto processing. The following are among the functions of an HSM:
- Onboard secure cryptographic key generation
- Onboard secure cryptographic key storage and management
- Use of cryptographic and sensitive data material
- Offloading of application servers for complete asymmetric and symmetric cryptography

The figure below illustrates an HSM connected directly to a computer or server:


Figure: Hardware Security Module in Infrastructure

HSM devices are used in a variety of scenarios, including the following:
- In PKI environments, to generate, store, and manage key pairs
- In card payment systems, to encrypt PINs and to load keys into protected memory
- To offload TLS/SSL cryptographic processing from application servers while keeping the server's private key inside the module
- In Domain Name System Security Extensions (DNSSEC), a secure form of DNS that protects the integrity and authenticity of zone data, to store the keys used to sign the zone file

The figure below illustrates HSM key storage and acceleration:


Figure: HSM Key Storage & Acceleration

Application and protocol-aware technologies
Application- and protocol-aware technologies keep track of the applications in use and the protocols that carry them. They use this information to enforce policy per application rather than per port, and to tune the protocols, and consequently the application's performance.

WAF
A web application firewall (WAF) sits in the path of HTTP traffic and applies rule sets to each request (Figure 6.12). The rule sets address the most prevalent attacks against web sessions; cross-site scripting and SQL injection are two of the most common attacks they handle. A WAF can be installed as a standalone appliance or as a server plug-in. Most deployments route all traffic in-line through the device; others monitor a mirror port out of band, and some run directly on the web server. Because a WAF matches patterns, its rules need tuning for the application behind it, or legitimate input that happens to resemble an attack will be blocked.

The figure below illustrates the web application firewall:





Figure: Web Application Firewall
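A rule-based WAF check over request parameters, as an added example in Python (not from the page or from any WAF product). The rules, the requests, and the parameter names are constructed for the example; the block also shows why WAF rules need tuning, with a harmless search string that matches the SQL injection pattern.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed rule set for the example. Production rule sets are far larger and
# are tuned per application.
RULES = [
    ("sqli-union",     re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w*'?\s*=\s*'?\w*'?", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-handler",    re.compile(r"\bon\w+\s*=", re.I)),
]


def normalize(value, max_rounds=3):
    """URL-decode until the value stops changing (attackers double-encode to get
    past a single decode) and collapse whitespace, so every rule sees one
    canonical form of the input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)


def inspect_request(url, body=""):
    """Apply RULES to every query-string and form parameter.
    Returns ("ALLOW" | "BLOCK", hits) where hits lists (rule_id, parameter_name)."""
    fields = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            fields.setdefault(name, []).extend(values)
    hits = []
    for name, values in fields.items():
        for raw in values:
            value = normalize(raw)
            for rule_id, pattern in RULES:
                if pattern.search(value):
                    hits.append((rule_id, name))
    return ("BLOCK" if hits else "ALLOW"), hits
```

The double-encoded payload (`%2520` for a space) only matches because normalization decodes more than once; the tautology and script-tag requests match on the first pass. The search for "Credit Union Select account" is blocked by the same union/select rule, which is the false positive a WAF operator has to resolve, either by tightening the pattern or by excluding that parameter for that application.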

Passive vulnerability scanners
Vulnerability scanners are programs or utilities used to investigate and report security flaws in a network. A passive vulnerability scanner (PVS) examines network traffic at the packet level to discover topology, services, and vulnerabilities (Figure 6.13). Because it never probes systems itself, it avoids the instability that active scanning can cause on a fragile system. PVS tools analyze the packet stream directly for evidence of vulnerabilities, for example the software versions that hosts announce in protocol banners, and are deployed much like network intrusion detection systems or packet analyzers. A PVS can select a network session directed at a protected server and monitor it as needed. Its most significant advantage is that it does all of this without affecting the monitored network.

The figure below illustrates PVS:



Figure: Passive Vulnerability Scanner
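A passive scanner working purely from observed traffic, as an added example in Python (not from the page or from any scanner vendor). The "captured" payloads, hosts, and ports are constructed; the code fingerprints services from the banners they send, builds an inventory, and derives findings without ever sending a packet.

```python
import re

# Constructed payloads as a passive scanner would see them on a SPAN port or tap:
# (server_host, server_port, first bytes the server sent). Not real traffic.
CAPTURED = [
    ("10.0.0.21", 22,   b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("10.0.0.22", 22,   b"SSH-1.99-OpenSSH_3.9p1\r\n"),
    ("10.0.0.30", 80,   b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.30", 8080, b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n"),
    ("10.0.0.40", 21,   b"220 ProFTPD Server (Debian) ready\r\n"),
]

SSH_RE = re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<sw>\S+)")
HTTP_SERVER_RE = re.compile(rb"^Server:\s*(?P<sw>.+?)\r?$", re.M)
FTP_RE = re.compile(rb"^220[ -](?P<banner>.+?)\r?\n")


def fingerprint(payload):
    """Identify a service from the bytes the server volunteered; None if unknown."""
    if m := SSH_RE.match(payload):
        return {"service": "ssh", "protocol": m["proto"].decode(), "software": m["sw"].decode()}
    if payload.startswith(b"HTTP/") and (m := HTTP_SERVER_RE.search(payload)):
        return {"service": "http", "software": m["sw"].decode()}
    if m := FTP_RE.match(payload):
        return {"service": "ftp", "software": m["banner"].decode()}
    return None


def inventory(captured):
    """(host, port) -> fingerprint, built only from what was observed."""
    inv = {}
    for host, port, payload in captured:
        fp = fingerprint(payload)
        if fp:
            inv[(host, port)] = fp
    return inv


def findings(inv):
    """Observations a passive scanner can make with confidence from banners alone."""
    out = []
    for (host, port), fp in inv.items():
        # A server announcing 1.99 is prepared to speak SSH protocol 1 as well as 2.
        if fp["service"] == "ssh" and fp["protocol"] in ("1.5", "1.99"):
            out.append((host, port, "SSH protocol version 1 still negotiable"))
        if fp["service"] == "ftp":
            out.append((host, port, "FTP control channel observed; credentials cross the wire in cleartext unless the client upgrades with AUTH TLS"))
    return out
```

The inventory is only as complete as the traffic the sensor sees, which is the limitation the page notes: a service nobody talked to during the capture window does not appear, whereas an active scanner would have probed it. Version strings in banners are also self-reported and can be suppressed or faked, so a PVS finding is a lead for confirmation rather than proof.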

Active vulnerability scanners
Active scanners, as opposed to passive scanners, probe hosts directly: they send packets to nodes and analyze the responses, which generates network traffic and can disrupt fragile services. They can also be used to test readiness by simulating an attack, and some products integrate with enforcement points to block problematic IP addresses.

VPN
A virtual private network (VPN) carries traffic over an untrusted carrier network, protecting it with strong authentication and encryption. The carrier is usually the least trustworthy network of all, the Internet, but a VPN can equally be used to protect traffic crossing an internal network.

In a VPN, entire protocols are wrapped inside other protocols. The pieces are:
- Required: a tunneling (line) protocol that carries the LAN or remote access traffic
- Optional: an authentication protocol and an encryption protocol

The figure below illustrates VPN:


Figure: Virtual Private Network

VPN concentrators are devices that terminate many VPN connections and implement the strongest encryption and authentication methods available. Carrying customer VLANs inside a VPN across a provider's network is not always supported, particularly when the ISP uses VLANs in its own internal network. Customers who need to extend VLANs to other sites can choose a provider that offers Multiprotocol Label Switching (MPLS); MPLS provides VPN services with address and route isolation between customer VPNs. VPN connections come in the following two flavors:
- Remote access VPNs: A remote-access VPN can be used to provide remote access to teleworkers or traveling users. The tunnel that is created has, as its endpoints, the user’s computer and the VPN concentrator. In this case, only the traffic traveling from the user’s computer to the VPN concentrator uses this tunnel.
- Site-to-site VPNs: VPN connections can be used to securely connect two locations. In this type of VPN, called a site-to-site VPN, the tunnel endpoints are the two VPN routers, one in each office. With this configuration, all traffic that goes between the offices will use the tunnel, regardless of the source or destination. The endpoints are defined during the creation of the VPN connection and thus must be set correctly, according to the type of remote access link being used.

IPsec
Several remote access or line protocols (tunneling protocols) are used to create VPN connections, which include the following:
- Point-to-Point Tunneling Protocol (PPTP): PPTP is a Microsoft protocol based on PPP. It uses the built-in Microsoft Point-to-Point Encryption (MPPE) and supports several authentication methods, including CHAP, MS-CHAP, and EAP-TLS. One shortcoming of PPTP is that it only works over IP-based networks, as illustrated in Figure 6.15 and Figure 6.16; over a WAN connection that is not IP-based, L2TP must be used. With PPTP the encryption is built in, and the only remaining choice is the authentication protocol. Note that PPTP's MS-CHAPv2 authentication can be cracked and MPPE is built on RC4, so PPTP is considered insecure and should not be chosen for new deployments.
- Layer 2 Tunneling Protocol (L2TP): L2TP is a newer protocol that operates at layer 2 of the OSI model. Like PPTP, L2TP can use various authentication mechanisms; however, L2TP does not provide any encryption. It is typically used with Internet Protocol Security (IPsec), which is a very strong encryption mechanism. When using L2TP, both encryption and authentication protocols, if desired, must be added. IPsec can provide encryption, data integrity, and system-based authentication, which makes it a flexible and capable option.
 

The figure below illustrates IPsec in tunnel mode:


Figure: IPsec in Tunnel Mode
IPsec is actually a suite of protocols, much like TCP/IP, and you choose which of its features to use by selecting which parts of the suite to implement. It includes the following components:

- Authentication Header (AH): AH provides data integrity, data origin authentication, and protection from replay attacks, but no confidentiality.
- Encapsulating Security Payload (ESP): ESP provides everything AH does plus data confidentiality through encryption.
- Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP defines the framework for negotiating a security association (SA) for the session and for exchanging keying material.
- Internet Key Exchange (IKE): IKE is the protocol, built on the ISAKMP framework, that authenticates the two peers and negotiates the SAs and the keys that AH and ESP then use; IKEv2 is the current version.
 

The figure below illustrates IPsec in transport mode:


Figure: IPsec in Transport Mode

IPsec is a framework, which means it does not specify many of the components used with it. These components must be identified in the configuration, and they must match in order for the two ends to successfully create the required security association that must be in place before any data is transferred.

SSL/TLS
Another way to establish secure connections to servers is Secure Sockets Layer (SSL), the predecessor of TLS. It operates above the transport layer, between TCP and application protocols such as HTTP, and is used mostly to secure HTTP traffic and web servers. Most browsers have it built in, and using it usually requires no action on the user's part.

The figure below illustrates SSL Communication:



Figure: SSL Communication

SSL/TLS is widely used to secure other protocols as well; FTPS (FTP over TLS) and SMTP with STARTTLS are examples. (The Secure Copy Protocol, SCP, by contrast, runs over SSH rather than SSL/TLS.) When deciding where to place an SSL/TLS gateway, you must weigh the following trade-off: the closer the gateway is to the network edge, the less encryption is needed inside the LAN (and the less performance is lost), but the more traffic flows through the LAN in the clear. It comes down to how much you trust your own network.

SSL/TLS is used to secure Internet transactions and can be implemented as a VPN in the following two ways:
- SSL portal VPN: The user has a single SSL/TLS connection for accessing multiple services on the web server. Once authenticated, the user is presented with a page that acts as a portal to the other services.
- SSL tunnel VPN: The user may use an SSL/TLS tunnel to access services on a server that is not a web server. This solution uses custom programming to provide access to non-web services through a web browser.
TLS and SSL are closely related but not the same; TLS is the successor, and all SSL versions, as well as TLS 1.0 and 1.1, are deprecated, so only TLS 1.2 and 1.3 should be enabled. Older SSL configurations chose between 40-bit and 128-bit session keys; today the negotiated cipher suite determines the key length, and the 40-bit export ciphers are obsolete. A self-signed certificate does not by itself prevent man-in-the-middle attacks, because the client has no independent way to verify it; what lets the client authenticate the server's public key is a certificate issued by a CA the client already trusts, or a certificate the client has pinned in advance.

TLS
The current version of the Transport Layer Security (TLS) protocol, version 1.3, provides an encrypted connection between two computers connected to the Internet. It confirms the server’s identity and protects data from being intercepted by hackers. When a user attempts to connect to a server, the server provides its TLS certificate to the user. To create a secure connection, the user checks the server’s certificate using CA certificates on the user’s device. To confirm the CA signed the certificate, this verification method employs public-key cryptography such as RSA or ECC. As long as you trust the CA, this demonstrates you are communicating with the server certificate’s subject.

The figure below illustrates this TLS 1.3 process:


Figure: TLS 1.3 Process

This protects data integrity and provides confidentiality between the communicating endpoints. Digital certificates, commonly called TLS certificates, are used to establish the server's identity. They are verified using public key cryptography, which is based on a key pair consisting of a public key and a private key: data encrypted with one key can only be decrypted with the other, and a signature made with the private key can be verified with the public key. In TLS the server proves possession of the certificate's private key during the handshake, and the session keys that encrypt the data are derived from the key exchange, so that only the two endpoints can read the contents.

SSH
Administrators or network professionals are frequently required to manage and configure network devices remotely. Technicians can use protocols like Telnet to connect to equipment like routers, switches, and wireless access points and administer them from the command line. Telnet, on the other hand, sends data in cleartext, which is a security risk. To offer an encrypted means of executing these tasks, Secure Shell (SSH) was invented. It links a server and a client running SSH server and SSH client applications, respectively, over a secure channel and an unsafe network. It’s a popular alternative to Telnet and should be taken into account while doing remote management from the command line.

Several steps can be taken to enhance the security of an SSH implementation, which are as follows:
- Change the port number in use from the default 22 to something above 1024.
- Use only version 2, which corrects many vulnerabilities that exist in earlier versions.
- Disable root login to devices that have a root account (in Linux or UNIX).
- Control access to any SSH-enabled devices by using ACLs, iptables, or TCP wrappers.
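The four hardening steps above can be checked mechanically. The following POSIX shell script is an added example written for this guide, not code from the guide itself or from OpenSSH: it audits the text of an sshd_config against each step and reports a pass or fail per item. The two configurations embedded in it are constructed samples; the `audit_sshd_config` function name and the 192.0.2.0/24 address are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the guide): audit an sshd_config against the four
# SSH hardening steps listed above. The two configs are constructed samples;
# run it on a real file with: audit_sshd_config "$(cat /etc/ssh/sshd_config)"

HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
AllowUsers netops@192.0.2.0/24
PasswordAuthentication no'

WEAK_CONFIG='Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

# Returns 0 when all four checks pass, 1 otherwise, and prints each finding.
audit_sshd_config() {
  cfg=$1
  rc=0

  # 1. Listen port moved off the default 22 to a non-privileged value (>1024).
  port=$(printf '%s\n' "$cfg" | awk '$1 == "Port" { print $2; exit }')
  case $port in
    '' | *[!0-9]*)
      echo "FAIL: no numeric Port directive, so the default port 22 is in use"; rc=1 ;;
    *)
      if [ "$port" -le 1024 ]; then
        echo "FAIL: Port $port is not above 1024"; rc=1
      else
        echo "ok:   Port $port"
      fi ;;
  esac

  # 2. Protocol version 1 must not be offered. Modern OpenSSH only speaks
  #    version 2, so an absent Protocol line is fine; "Protocol 1" or "2,1" is not.
  if printf '%s\n' "$cfg" | awk '$1 == "Protocol" && $2 ~ /1/ { found = 1 } END { exit !found }'; then
    echo "FAIL: Protocol directive still offers version 1"; rc=1
  else
    echo "ok:   only protocol version 2 offered"
  fi

  # 3. Direct root login disabled.
  prl=$(printf '%s\n' "$cfg" | awk '$1 == "PermitRootLogin" { print $2; exit }')
  if [ "$prl" = "no" ]; then
    echo "ok:   PermitRootLogin no"
  else
    echo "FAIL: PermitRootLogin is '${prl:-unset}', expected 'no'"; rc=1
  fi

  # 4. Access control inside sshd itself: AllowUsers, AllowGroups or a
  #    "Match Address" block. ACLs, iptables or TCP wrappers do the same job outside sshd.
  if printf '%s\n' "$cfg" | awk '$1 == "AllowUsers" || $1 == "AllowGroups" || ($1 == "Match" && $2 == "Address") { found = 1 } END { exit !found }'; then
    echo "ok:   access restricted by AllowUsers/AllowGroups/Match Address"
  else
    echo "FAIL: no AllowUsers, AllowGroups or Match Address restriction"; rc=1
  fi

  return "$rc"
}

echo "--- hardened sample ---"
audit_sshd_config "$HARDENED_CONFIG"
echo "--- weak sample ---"
audit_sshd_config "$WEAK_CONFIG" || echo "(weak sample rejected with status $?)"
```

The fourth check only looks for restrictions expressed in sshd_config itself; a host that relies on a network ACL or a firewall rule for the same purpose will show a failure there, which is a reminder to document where the access control actually lives.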

RDP
Remote Desktop Protocol (RDP) is a Microsoft-developed proprietary protocol that allows you to connect to another computer over a network connection using a graphical interface. Unlike Telnet and SSH, which only allow you to work from the command line, RDP lets you operate a remote computer as if you were sitting at its console. RDP sessions employ native RDP encryption; however, with that mode the session host server is not authenticated. To address this, SSL/TLS can be used to authenticate the server and to encrypt the traffic to the RDP session host server. This requires a certificate; you can use an existing certificate or the self-signed certificate that comes with Windows. RDP may be used for remote access to a workstation and also to connect users to a virtual desktop infrastructure (VDI), which lets a user work from a virtual desktop from any location. Each user may have their own virtual machine (VM) image, or several users may share the same VM image.

Reverse proxy
A reverse proxy is a type of proxy server that retrieves resources from one or more internal servers on behalf of external clients. The client is then given these resources as though they came directly from the web server. Whereas a forward proxy allows internal clients to communicate with external servers, a reverse proxy allows external clients to communicate with internal servers. Popular web servers frequently employ reverse proxy capability to shield application frameworks from the limitations of handling HTTP directly.

Network authentication methods
One of the protocol choices that must be made in creating a remote access solution is the authentication protocol.

The following are some of the most important of those protocols:
- Password Authentication Protocol (PAP): PAP provides authentication, but the credentials are sent in cleartext and can be read with a sniffer.
- Challenge Handshake Authentication Protocol (CHAP): CHAP solves the cleartext problem by operating without sending the credentials across the link. The server sends the client a random value called a challenge. The client encrypts the challenge with the password and sends the result back. The server then decrypts it with the same password and compares the result with the challenge it originally sent. If they match, the server can be assured that the user or system possesses the correct password without the password ever having been sent across the untrusted network.
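The CHAP exchange just described, written out with both sides' messages, as an added POSIX shell example for this guide (not code from the guide or from any CHAP implementation). It follows the RFC 1994 construction, in which the response is the MD5 hash of the one-octet identifier, the shared secret and the challenge; the point to observe is that the secret never appears in either message. The secret, the challenge value, the identifier and the function names `chap_response` and `chap_verify` are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): the CHAP challenge/response exchange
# described above, with both the client and the server side shown.
# RFC 1994: Response = MD5(identifier || secret || challenge).
# The secret and challenge below are constructed sample values.

# Hex MD5 of stdin; uses md5sum if present, otherwise openssl.
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | awk '{ print $1 }'
  else
    openssl dgst -md5 | awk '{ print $NF }'
  fi
}

# Computed by the peer being authenticated.
# $1 = identifier (0-255), $2 = shared secret, $3 = challenge octets.
chap_response() {
  id_octal=$(printf '%03o' "$1")
  {
    printf "\\$id_octal"        # the single identifier octet
    printf '%s%s' "$2" "$3"    # secret followed by the challenge, no separators
  } | md5_hex
}

# Performed by the authenticator: recompute with its own copy of the secret and compare.
# $1 = identifier, $2 = stored secret, $3 = challenge it issued, $4 = response received.
# Returns 0 (success) only if the peer used the same secret on the same challenge.
chap_verify() {
  expected=$(chap_response "$1" "$2" "$3")
  [ "$expected" = "$4" ]
}

# Constructed exchange. A real authenticator draws each challenge from a CSPRNG
# (for example: od -An -N16 -tx1 /dev/urandom); a fixed value is used here so
# that the run is repeatable.
SECRET='correct horse battery staple'
CHALLENGE='4f1a9c3e7b2d8e6f5a0c1b3d9e8f7a6c'
ID=17

echo "server -> client : challenge id=$ID value=$CHALLENGE"
RESPONSE=$(chap_response "$ID" "$SECRET" "$CHALLENGE")
echo "client -> server : response $RESPONSE   (secret is not transmitted)"
if chap_verify "$ID" "$SECRET" "$CHALLENGE" "$RESPONSE"; then
  echo "server           : success"
else
  echo "server           : failure"
fi
```

Because the challenge is fresh for every authentication, a captured response cannot simply be replayed later; what remains exposed is the secret's strength, since anyone holding challenge and response can try candidate passwords offline, which is the weakness the text notes for MS-CHAP as well.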

Microsoft has created its own variant of CHAP, as follows:
- MS-CHAP v1: This is the first version of a variant of CHAP by Microsoft. This protocol works only with Microsoft devices, and while it stores the password more securely than CHAP, like any other password-based system, it is susceptible to brute-force and dictionary attacks.
- MS-CHAP v2: This update to MS-CHAP provides stronger encryption keys and mutual authentication, and it uses different keys for sending and receiving.
- Extensible Authentication Protocol (EAP): EAP is not a single protocol but a framework for port-based access control that uses the same three components that are used in RADIUS. A wide variety of EAP implementations can use all sorts of authentication mechanisms, including certificates, a PKI, and even simple passwords, as follows:
- EAP-MD5-CHAP: This variant of EAP uses the CHAP challenge process, but the challenges and responses are sent as EAP messages. It allows the use of passwords.
- EAP-TLS: This form of EAP requires a PKI because it requires certificates on both the server and clients. It is, however, immune to password-based attacks as it does not use passwords.
- EAP-TTLS: This form of EAP requires a certificate on the server only. The client uses a password, but the password is sent within a protected EAP message. It is, however, susceptible to password-based attacks.

802.1x
802.1x is a standard that defines a framework for centralized port-based authentication (Figure 6.19). It can be applied to both wireless and wired networks and uses the following three components:
- Supplicant: The user or device requesting access to the network.
- Authenticator: The device through which the supplicant is attempting to access the network.
- Authentication server: The centralized device that performs authentication.

A wide range of network access devices, including remote access servers (both dial-up and VPN), switches, and wireless access points, can function as authenticators. A Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) server can function as the authentication server. The authenticator obtains credentials from the supplicant and forwards them to the authentication server for validation. If validation succeeds, the authentication server tells the authenticator that the supplicant has been verified, and the authenticator opens the port to allow network access.

The figure below illustrates 802.1x components:

Figure: 802.1x Components

RADIUS and TACACS+ both perform the same functions; however, they have distinct properties, and these distinctions must be taken into account when selecting one. Remember that, whereas RADIUS is an open standard, TACACS+ is a Cisco-only product. Many security experts believe that enabling 802.1x authentication on all devices is the best network security control you can deploy.

Software-defined networking
Software-defined networking (SDN) is traditionally characterized as the separation of the control plane from the data plane. In a traditional network, both planes are implemented in the firmware of routers and switches. In SDN, the control plane is implemented in software, which allows programmatic access to it. The advantage is highly precise access to, and control over, network elements: IT organizations can replace manual interfaces with programmatic ones, so configuration and policy administration can be automated. Using software to centralize the control planes of several switches that would otherwise operate independently is an example of SDN in action. Normally the control plane is implemented in hardware; with SDN it is implemented in software. SDN provides variety, speed, and agility in deployment, as well as the ability to mix and match solutions from various vendors. SDN also has drawbacks. When the controller loses connectivity, the entire network goes down, and the centralized controller itself becomes a potential target for attack.

The figure below illustrates the SDN architecture:

Figure: SDN Architecture

Conclusion
This guide discussed security and network devices such as UTM, IDS/IPS, NIDS, NIPS, NAC, SIEM, routers, switches, load balancers, and HSM. Hardware and software firewalls, WAF, and vulnerability scanners were also discussed. Identifying secure methods with an emphasis on baselining was also covered.