Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...

More documents

Recommendations

Info

126 CHAPTER 8 Security Standards and Services DMZ Mail Server Web Server FIGURE 8.1 A multiple interface firewall DMZ implementation Internet (External Network) Firewall Internal Network ■ File Transfer Protocol (FTP) services FTP file servers provide public and private downloading and uploading of files. EXAM WARNING Remember that FTP has significant security issues in which username and password information is passed in clear text and can easily be sniffed. ■ ■ ■ E-mail relaying E-mail relaying is a special e-mail server that acts as a middleman by accepting messages and passing them through to their destination. E-mail relays are typically disabled on all publicly accessible e-mail servers. Domain name system (DNS) services A DNS server might be placed in the DMZ to point incoming access requests to the appropriate server within the DMZ. It is important to be careful and ensure that DNS servers in the DMZ cannot be made to conduct a zone transfer to any server. Intrusion detection IDSes placed in the DMZ will tend to give more false positive results than those inside the private internal network, due to the nature of Internet traffic. To reduce the larger number of false positives, you must perform IDS tuning, which is the process of adjusting the settings on your IDS so that it is more appropriately configured to recognize normal traffic patterns in your environment. Many organizations choose to implement a multiple segment structure to better manage and secure their different types of business information. The two segments that are widely accepted are as follows:
Security Zones 127 ■ A segment dedicated to information storage. ■ A segment specifically for the processing of business information. Each of these two new segments has special security and operability concerns above and beyond those of the rest of the organizational network. Considerations when defining segments are as follows: ■ ■ ■ ■ Creation of multiple segments changes a network structure. As a site grows and offers new features, new zones may have to be created. It is best to start with deny-all strategies and permit only the services and the network transactions required to make the network function. Access controls regulate the way network communications are initiated. EXAM WARNING A deny-all strategy means that there is a firewall rule which blocks all traffic. Additional rules are created to allow only the minimum level of service required for the network to function. Any traffic that does not match these rules permitting traffic is then handled by the default block rule and the traffic is dropped. Virtual Private Networks Virtual private networks (VPNs) allow a remote user to behave as if attached to a local network. The traffic shared among devices on the VPN must be protected so as to provide confidentiality, integrity, and authentication (see Figure 8.2). Crunch Time Point-to-Point Tunneling Protocol (PPTP) is a VPN protocol that is a relatively simple encapsulation of the Pointto-Point Protocol (PPP) over an existing Transmission Control Protocol/Internet Protocol (TCP/IP) connection. Characteristics of PPTP include the following: ■ Consists of two connections: ■ The control connection is a TCP connection to port 1723. ■ The IP tunnel connection and user data is implemented via PPP in conjunction with the Generic Routing Encapsulation (GRE) protocol. ■ PPTP connections can be established in either direction. ■ Security requirements of PPTP, such as authentication and encryption, are left to the PPP portion of the traffic. ■ PPTP connections can be authenticated through the PPP layer using Microsoft’s Challenge Handshake Authentication Protocol (MS-CHAP) or the Extensible Authentication Protocol–Transport Layer Security (EAP–TLS) protocol. ■ Encryption can be provided by the Microsoft Pointto-Point Encryption (MPPE) protocol, which is based on RC4 with session keys of 40-bit, 56-bit, or 128-bit length. ■ Because of the need for two connections to maintain a single PPTP tunnel, making sure PPTP traffic can traverse firewalls can be problematic. Also, owing to the use of GRE, traffic originating from or sent to a host that sits behind a device performing Network Address Translation (NAT).
Page 2 and 3:
Syngress is an imprint of Elsevier
Page 4 and 5:
xii About the Authors Technical Edi
Page 6 and 7:
2 CHAPTER 1 Network Fundamentals Ne
Page 8 and 9:
4 CHAPTER 1 Network Fundamentals re
Page 10 and 11:
6 CHAPTER 1 Network Fundamentals
Page 12 and 13:
8 CHAPTER 1 Network Fundamentals Wh
Page 14 and 15:
10 CHAPTER 1 Network Fundamentals d
Page 16 and 17:
12 CHAPTER 1 Network Fundamentals
Page 18 and 19:
14 CHAPTER 1 Network Fundamentals T
Page 20 and 21:
16 CHAPTER 1 Network Fundamentals T
Page 22 and 23:
18 CHAPTER 1 Network Fundamentals I
Page 24 and 25:
20 CHAPTER 2 Network Media DID YOU
Page 26 and 27:
22 CHAPTER 2 Network Media Table 2.
Page 28 and 29:
24 CHAPTER 2 Network Media ■ Perf
Page 30 and 31:
26 CHAPTER 2 Network Media Table 2.
Page 32 and 33:
28 CHAPTER 2 Network Media LAN TECH
Page 34 and 35:
30 CHAPTER 2 Network Media CONNECTO
Page 36 and 37:
32 CHAPTER 2 Network Media EXAM WAR
Page 38 and 39:
34 CHAPTER 2 Network Media problems
Page 40 and 41:
36 CHAPTER 2 Network Media electrom
Page 42 and 43:
38 CHAPTER 3 Network Devices Table
Page 44 and 45:
40 CHAPTER 3 Network Devices some o
Page 46 and 47:
42 CHAPTER 3 Network Devices ■
Page 48 and 49:
44 CHAPTER 3 Network Devices ■
Page 50 and 51:
46 CHAPTER 3 Network Devices EXAM W
Page 52 and 53:
48 CHAPTER 3 Network Devices ■ Du
Page 54 and 55:
50 CHAPTER 3 Network Devices Proxy
Page 56 and 57:
52 CHAPTER 3 Network Devices Top Fi
Page 58 and 59:
54 CHAPTER 3 Network Devices the co
Page 60 and 61:
56 CHAPTER 4 Wireless Networking
Page 62 and 63:
Page 64 and 65:
60 CHAPTER 4 Wireless Networking Ta
Page 66 and 67:
62 CHAPTER 4 Wireless Networking WE
Page 68 and 69:
64 CHAPTER 4 Wireless Networking Th
Page 70 and 71:
66 CHAPTER 4 Wireless Networking us
Page 72 and 73:
Page 74 and 75:
70 CHAPTER 4 Wireless Networking si
Page 76 and 77:
72 CHAPTER 4 Wireless Networking co
Page 78 and 79: 74 CHAPTER 5 The OSI Model and Netw
Page 94 and 95: 90 CHAPTER 6 TCP/IP and Routing ■
Page 96 and 97: 92 CHAPTER 6 TCP/IP and Routing For
Page 98 and 99: 94 CHAPTER 6 TCP/IP and Routing UND
Page 100 and 101: 96 CHAPTER 6 TCP/IP and Routing ■
Page 102 and 103: 98 CHAPTER 6 TCP/IP and Routing Sub
Page 104 and 105: 100 CHAPTER 6 TCP/IP and Routing co
Page 106 and 107: 102 CHAPTER 6 TCP/IP and Routing
Page 108 and 109: 104 CHAPTER 6 TCP/IP and Routing al
Page 110 and 111: CHAPTER 7 Wide Area Networking 107
Page 112 and 113: WAN Protocols and Properties 109 In
Page 114 and 115: WAN Protocols and Properties 111 Cr
Page 116 and 117: Internet Access Methods 113 EXAM WA
Page 118 and 119: Internet Access Methods 115 Wireles
Page 120 and 121: Internet Access Methods 117 Top Fiv
Page 122 and 123: Internet Access Methods 119 with th
Page 124 and 125: 122 CHAPTER 8 Security Standards an
Page 146 and 147: 144 CHAPTER 9 Network Management
Page 148 and 149: 146 CHAPTER 9 Network Management Wi
Page 150 and 151: 148 CHAPTER 9 Network Management Cr
Page 152 and 153: 150 CHAPTER 9 Network Management
Page 154 and 155: 152 CHAPTER 9 Network Management An
Page 156 and 157: 154 CHAPTER 9 Network Management Lo
Page 158 and 159: 156 CHAPTER 10 Network Troubleshoot
Page 178 and 179:
Glossary 177 Access Determines who
Page 180 and 181:
Glossary 179 Extensible Authenticat
Page 182 and 183:
Glossary 181 Oscilloscope A cable t
Page 184 and 185:
Glossary 183 Wireless Network A net
Page 186 and 187:
186 Index Data link layer, 74-75 fu
Page 188 and 189:
188 Index Network troubleshooting,
show all

Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...

Create successful ePaper yourself

Delete template?

Save as template?