If you’re planning to take the SY0-601 version of the Security+ exam, you should understand basic networking concepts, devices, and network topologies used within secure networks. For example, you may have spent a lot of time troubleshooting connectivity but rarely manipulated access control lists (ACLs) on a router or modified firewall rules.
For example, can you answer this question?
Q. Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with only the following two rules in the ACL:
PERMIT TCP ANY ANY 443 PERMIT TCP ANY ANY 80
You have detected DNS requests and DNS zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal? (Select TWO. Each answer is a full solution.)
A. Add the following rule to the firewall: DENY TCP ALL ALL
B. Add the following rule to the firewall: DENY UDP ALL ALL
C. Add the following rule to the firewall: DENY TCP ALL ALL 25.
D. Add the following rule to the firewall: DENY IP ALL ALL 53.
E. Add an implicit deny rule at the end of the ACL.
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Routers
A router connects multiple network segments together into a single network and routes traffic between the segments. As an example, the Internet is effectively a single network hosting billions of computers. Routers route the traffic from segment to segment.
Because routers don’t pass broadcasts, they effectively reduce traffic on any single segment. Segments separated by routers are sometimes referred to as broadcast domains. If a network has too many computers on a single segment, broadcasts can result in excessive collisions and reduce network performance. Moving computers to a different segment separated by a router can significantly improve overall performance. Similarly, subnetting networks creates separate broadcast domains.
Cisco routers are popular, but many other brands exist. Most routers are physical devices, and physical routers are the most efficient. However, it’s also possible to add routing software to computers with more than one NIC. For example, Windows Server products can function as routers by adding additional services to the server.
Routers and ACLs
Access control lists (ACLs) are rules implemented on a router (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within an ACL provide rule-based management for the router and control inbound and outbound traffic.
Router ACLs provide basic packet filtering. They filter packets based on IP addresses, ports, and some protocols, such as ICMP or IPsec, based on the protocol identifiers:
• IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the Sales department may be in the 192.168.1.0/24 network and the Accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router.
• Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it’s possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic.
• Protocol numbers. Many protocols are identified by their protocol numbers. For example, ICMP uses a protocol number of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol number. Many automated intrusion prevention systems (IPSs) dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol number 50, but blocks all other traffic. PPTP uses protocol number 47 and can be allowed by allowing traffic using protocol ID 47.
Implicit Deny
Implicit deny is an important concept to understand, especially in the context of ACLs. It indicates that all traffic that isn’t explicitly allowed is implicitly denied. For example, imagine you configure a router to allow Hypertext Transfer Protocol (HTTP) to a web server. The router now has an explicit rule defined to allow this traffic to the server. If you don’t define any other rules, the implicit deny rule blocks all other traffic. Firewalls also use an implicit deny rule.
The implicit deny rule is the last rule in an ACL. Some devices automatically apply the implicit deny rule as the last rule. Other devices require an administrator to place the rule at the end of the ACL manually. Syntax of an implicit deny rule varies on different systems, but it might be something like DENY ANY ANY, or DENY ALL ALL, where both ANY and ALL refer to any type of traffic.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
The Route Command and Route Security
The route command is used to display or modify a system’s routing table on both Windows and Linux systems. Using route print, you can see all the paths known by the computer to other networks. If the routing table doesn’t include an entry to a specific network, the system uses the default gateway. The default gateway is the IP address of a router on a network and typically provides a path to the Internet. If you need to add a path to a different network, you can use the route add command.
You can also use the route command to verify route security. For example, the route table should point to a known default gateway. If malicious actors modify routing tables for systems, they can reroute traffic to a different router and use it to capture traffic in a man-in-the-middle (MITM) attack.
Q. Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with only the following two rules in the ACL:
PERMIT TCP ANY ANY 443 PERMIT TCP ANY ANY 80
You have detected DNS requests and DNS zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal? (Select TWO. Each answer is a full solution.)
A. Add the following rule to the firewall: DENY TCP ALL ALL
B. Add the following rule to the firewall: DENY UDP ALL ALL
C. Add the following rule to the firewall: DENY TCP ALL ALL 25.
D. Add the following rule to the firewall: DENY IP ALL ALL 53.
E. Add an implicit deny rule at the end of the ACL.
Answers are D and E are correct. The easiest way is to add an implicit deny rule at the end of the access control list (ACL) and all firewalls should have this to block all unwanted traffic. You can also deny all IP traffic using port 53 with DENY IP ALL ALL 53.
Domain Name System (DNS) requests use UDP port 53, and DNS zone transfers use TCP port 53, so blocking only TCP 53 or UDP 53 does not block all DNS traffic.
Port 25 is for Simple Mail Transfer Protocol (SMTP) and unrelated to this question.
See Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on basic network devices.
