If you’re planning to take the SY0-601 version of the Security+ exam, you should understand basic networking concepts, devices, and network topologies used within secure networks. Even if you have spent a lot of time troubleshooting connectivity, you may have rarely manipulated access control lists (ACLs) on a router or modified firewall rules.
For example, can you answer this question?
Q. Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with only the following two rules in the ACL:
PERMIT TCP ANY ANY 443
PERMIT TCP ANY ANY 80
You have detected DNS requests and DNS zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal? (Select TWO. Each answer is a full solution.)
A. Add the following rule to the firewall: DENY TCP ALL ALL
B. Add the following rule to the firewall: DENY UDP ALL ALL
C. Add the following rule to the firewall: DENY TCP ALL ALL 25
D. Add the following rule to the firewall: DENY IP ALL ALL 53
E. Add an implicit deny rule at the end of the ACL.
More importantly, do you know why the correct answers are correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Routers
A router connects multiple network segments together into a single network and routes traffic between the segments. As an example, the Internet is effectively a single network hosting billions of computers. Routers route the traffic from segment to segment.
Because routers don’t pass broadcasts, they effectively reduce traffic on any single segment. Segments separated by routers are sometimes referred to as broadcast domains. If a network has too many computers on a single segment, broadcasts can result in excessive collisions and reduce network performance. Moving computers to a different segment separated by a router can significantly improve overall performance. Similarly, subnetting networks creates separate broadcast domains.
Cisco routers are popular, but many other brands exist. Most routers are physical devices, and physical routers are the most efficient. However, it’s also possible to add routing software to computers with more than one NIC. For example, Windows Server products can function as routers by adding additional services to the server.
Routers and ACLs
Access control lists (ACLs) are rules implemented on a router (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within an ACL provide rule-based management for the router and control inbound and outbound traffic.
Router ACLs provide basic packet filtering. They filter packets based on IP addresses, ports, and, for some protocols such as ICMP or IPsec, the protocol identifier (protocol number):
• IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the Sales department may be in the 192.168.1.0/24 network and the Accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router.
• Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it’s possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic.
• Protocol numbers. Many protocols are identified by their protocol numbers. For example, ICMP uses a protocol number of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol number. Many automated intrusion prevention systems (IPSs) dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol number 50, but blocks all other traffic. PPTP uses protocol number 47 and can be allowed by allowing traffic using protocol ID 47.
Implicit Deny
Implicit deny is an important concept to understand, especially in the context of ACLs. It indicates that all traffic that isn’t explicitly allowed is implicitly denied. For example, imagine you configure a router to allow Hypertext Transfer Protocol (HTTP) to a web server. The router now has an explicit rule defined to allow this traffic to the server. If you don’t define any other rules, the implicit deny rule blocks all other traffic. Firewalls also use an implicit deny rule.
The implicit deny rule is the last rule in an ACL. Some devices automatically apply the implicit deny rule as the last rule. Other devices require an administrator to place the rule at the end of the ACL manually. Syntax of an implicit deny rule varies on different systems, but it might be something like DENY ANY ANY, or DENY ALL ALL, where both ANY and ALL refer to any type of traffic.
The Route Command and Route Security
The route command is used to display or modify a system’s routing table on both Windows and Linux systems. Using route print, you can see all the paths known by the computer to other networks. If the routing table doesn’t include an entry to a specific network, the system uses the default gateway. The default gateway is the IP address of a router on a network and typically provides a path to the Internet. If you need to add a path to a different network, you can use the route add command.
You can also use the route command to verify route security. For example, the route table should point to a known default gateway. If malicious actors modify routing tables for systems, they can reroute traffic to a different router and use it to capture traffic in a man-in-the-middle (MITM) attack.
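As an added example of the route-security check described above (this is my illustration, not code from the study guide), the following Python function pulls the default gateway out of saved routing-table output and compares it with the gateway you know to be correct. It understands the Linux ip route form ("default via ..."), the Linux route -n form, and the IPv4 table of Windows route print. The sample outputs, addresses, and function names are all constructed assumptions; the second sample deliberately shows a gateway that does not match the expected one, which is the condition a defender wants flagged.

```python
from typing import List

def default_gateways(route_output: str) -> List[str]:
    """Return every default-gateway address found in routing-table text.

    Handles three layouts (all other lines are ignored):
      Linux `ip route`:      default via 192.168.1.1 dev eth0 ...
      Linux `route -n`:      0.0.0.0  192.168.1.1  0.0.0.0  UG ...
      Windows `route print`: 0.0.0.0  0.0.0.0  192.168.1.1  192.168.1.20  25
    """
    gateways = []
    for line in route_output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[0] == "default" and fields[1] == "via":
            gateways.append(fields[2])                 # ip route
        elif fields[0] == "0.0.0.0":
            if fields[1] == "0.0.0.0":
                gateways.append(fields[2])             # route print: dest, mask, gateway
            elif fields[2] == "0.0.0.0":
                gateways.append(fields[1])             # route -n: dest, gateway, genmask
    return gateways

def check_default_gateway(route_output: str, expected: str) -> List[str]:
    """Return the default gateways that differ from the known router address.

    An empty list means the routing table points where it should; anything
    returned is a route worth investigating (a changed gateway can redirect
    traffic through an unknown device, the MITM scenario described above)."""
    return [gw for gw in default_gateways(route_output) if gw != expected]

# Constructed sample: a healthy Linux table whose default route is the known router.
LINUX_OK = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
"""

# Constructed sample: the IPv4 section of a Windows table with an unexpected gateway.
WINDOWS_SUSPECT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.20     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    281
"""

KNOWN_GATEWAY = "192.168.1.1"   # assumed address of the organization's router

if __name__ == "__main__":
    for name, table in (("linux", LINUX_OK), ("windows", WINDOWS_SUSPECT)):
        bad = check_default_gateway(table, KNOWN_GATEWAY)
        print(f"{name}: default gateways {default_gateways(table)} -> "
              f"{'OK' if not bad else 'UNEXPECTED ' + ', '.join(bad)}")
```

In practice you would feed the function the captured output of route print or ip route from the host being checked and keep the expected gateway in configuration management rather than hard-coding it.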
Q. Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with only the following two rules in the ACL:
PERMIT TCP ANY ANY 443
PERMIT TCP ANY ANY 80
You have detected DNS requests and DNS zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal? (Select TWO. Each answer is a full solution.)
A. Add the following rule to the firewall: DENY TCP ALL ALL
B. Add the following rule to the firewall: DENY UDP ALL ALL
C. Add the following rule to the firewall: DENY TCP ALL ALL 25
D. Add the following rule to the firewall: DENY IP ALL ALL 53
E. Add an implicit deny rule at the end of the ACL.
Answers D and E are correct. The easiest way is to add an implicit deny rule at the end of the access control list (ACL), and all firewalls should have this to block all unwanted traffic. You can also deny all IP traffic using port 53 with DENY IP ALL ALL 53.
Domain Name System (DNS) requests use UDP port 53, and DNS zone transfers use TCP port 53, so blocking only TCP 53 or UDP 53 does not block all DNS traffic.
Port 25 is for Simple Mail Transfer Protocol (SMTP) and unrelated to this question.
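To see why D and E each block both kinds of DNS traffic while A, B, and C do not, here is an added example in Python (my illustration, not code from the study guide): a minimal first-match ACL evaluator that reads rules in the syntax used above and runs them over constructed sample packets. The addresses, the implicit_deny switch, and every function name are assumptions. The firewall in the question is modelled with implicit deny switched off, since that is the only way DNS could be getting through an ACL whose only rules permit TCP 443 and 80; option E then corresponds to switching it on, and the ACL rule "DENY IP ANY ANY" written at the end of the list has the same effect.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARDS = {"ANY", "ALL"}   # both spellings appear in the page's rule syntax

@dataclass(frozen=True)
class Rule:
    action: str           # "PERMIT" or "DENY"
    protocol: str         # "TCP", "UDP", "ICMP", or "IP" (matches any protocol)
    src: str              # source address or a wildcard
    dst: str              # destination address or a wildcard
    port: Optional[int]   # destination port; None means any port

def parse_rule(text: str) -> Rule:
    """Parse a rule such as 'PERMIT TCP ANY ANY 443' or 'DENY IP ALL ALL 53'."""
    parts = text.upper().split()
    if len(parts) not in (4, 5):
        raise ValueError(f"bad rule: {text!r}")
    action, protocol, src, dst = parts[:4]
    port = int(parts[4]) if len(parts) == 5 else None
    return Rule(action, protocol, src, dst, port)

@dataclass(frozen=True)
class Packet:
    protocol: str         # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports, e.g. ICMP

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every one of its fields is a wildcard or equals the packet's."""
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if rule.src not in WILDCARDS and rule.src != pkt.src:
        return False
    if rule.dst not in WILDCARDS and rule.dst != pkt.dst:
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet, implicit_deny: bool = True) -> str:
    """First matching rule wins. With implicit_deny=False the device behaves like
    the one in the question: traffic matching no rule is let through."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "DENY" if implicit_deny else "PERMIT"

# The two rules from the question, in order.
BASE_ACL = [parse_rule("PERMIT TCP ANY ANY 443"), parse_rule("PERMIT TCP ANY ANY 80")]

# Constructed sample traffic: the web traffic that must keep working, plus the
# DNS query (UDP 53) and zone transfer (TCP 53) the question says are getting through.
SAMPLE: Dict[str, Packet] = {
    "https":     Packet("TCP", "203.0.113.10", "192.0.2.80", 443),
    "http":      Packet("TCP", "203.0.113.10", "192.0.2.80", 80),
    "dns_query": Packet("UDP", "203.0.113.10", "192.0.2.53", 53),
    "zone_xfer": Packet("TCP", "203.0.113.10", "192.0.2.53", 53),
}

def outcome(extra_rule: Optional[str] = None, implicit_deny: bool = False) -> Dict[str, str]:
    """Append extra_rule (if given) to the base ACL and evaluate every sample packet."""
    acl = list(BASE_ACL)
    if extra_rule:
        acl.append(parse_rule(extra_rule))
    return {name: evaluate(acl, pkt, implicit_deny) for name, pkt in SAMPLE.items()}

def dns_blocked(result: Dict[str, str]) -> bool:
    """True only when both the UDP query and the TCP zone transfer are denied."""
    return result["dns_query"] == "DENY" and result["zone_xfer"] == "DENY"

if __name__ == "__main__":
    options = {
        "as found":                  outcome(),
        "A: DENY TCP ALL ALL":       outcome("DENY TCP ALL ALL"),
        "B: DENY UDP ALL ALL":       outcome("DENY UDP ALL ALL"),
        "C: DENY TCP ALL ALL 25":    outcome("DENY TCP ALL ALL 25"),
        "D: DENY IP ALL ALL 53":     outcome("DENY IP ALL ALL 53"),
        "E: implicit deny at end":   outcome(implicit_deny=True),
    }
    for label, result in options.items():
        print(f"{label:26} DNS blocked={dns_blocked(result)!s:5} {result}")
```

Because evaluation is first-match and the two PERMIT rules sit above whatever is appended, HTTP and HTTPS stay permitted under every option; the difference is only in what happens to traffic that reaches the end of the list, which is exactly the point the implicit deny section makes.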
See Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on basic network devices.