Week 5 - 1st Sem


Information Security 1
TOPIC DISCUSSION

10 Network Design
10.1 The OSI Model
10.2 Switches
10.3 Routers
10.4 Network Zones
10.5 Network Access Control
10.6 VLANS
10.7 Subnetting
10.8 Network Address Translation
10.9 Telephony
TOPIC DISCUSSION

11 Perimeter Security
11.1 Firewalls
11.2 Proxy Servers
11.3 Honeypots and Honeynets
11.4 Data Loss Prevention
11.5 NIDS and NIPS
11.6 Unified Threat Management
TOPIC DISCUSSION

12 Cloud Security
12.1 Cloud Types
12.2 As a Service
12.3 Cloud Security
12.4 Defending Servers
The OSI Model

The Open System Interconnection (OSI) model defines a
networking framework to implement protocols in seven layers.
Use this handy guide to compare the different layers of the OSI
model and understand how they interact with each other.
Switches

A switch in an Ethernet-based LAN reads incoming TCP/IP data
packets/frames containing destination information as they pass
into one or more input ports. The destination information in the
packets is used to determine which output ports will be used to
send the data on to its intended destination.
Routers

A router is a device that connects two or more networks and allows
packets to be transmitted and received between them. A router
determines the best path for data packets from source to
destination.
Network Zones

A security zone is an area in a building where access is
individually monitored and controlled. A large network, such as
a large physical plant, can have many areas that require
restricted access. In a building, floors, sections of floors, and
even offices can be broken down into smaller areas.
Network Access Control

One of the basic security objectives set forth by most
organizations is controlling access to the organization’s network.
Network access control (NAC) solutions help security
professionals achieve two cybersecurity objectives: limiting
network access to authorized individuals and ensuring that
systems accessing the organization’s network meet basic security
requirements.
VLANS

A virtual local area network (VLAN) allows you to create
groups of users and systems and segment them on the network.
This segmentation lets you hide segments of the network from
other segments and thereby control access. You can also set up
VLANs to control the paths that data takes to get from one point
to another. A VLAN is a good way to contain network traffic to
a certain area in a network.
Subnetting

Subnetting divides a single range of IP addresses into several
smaller ranges of IP addresses. This is often done to isolate
traffic and increase efficiency. You don’t need to know how to
subnet for the CompTIA Security+ exam, but you should be
familiar with the concept and how it can be used to isolate users
onto different subnets. Additionally, you should be able to
identify valid IP addresses for computers within a subnet.
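
The following is an added example, not part of the original slides: it splits one address range into smaller subnets and checks which addresses are valid for computers within a subnet. The 192.168.1.0/24 range and the function names are assumptions chosen for illustration.

```python
import ipaddress

def split_range(cidr, new_prefix):
    """Divide one address range into equal, smaller subnets."""
    return list(ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix))

def classify(addr, subnet):
    """Classify addr against subnet (prefix lengths up to /30 assumed)."""
    ip = ipaddress.ip_address(addr)
    if ip not in subnet:
        return "outside"
    if ip == subnet.network_address:
        return "network"      # identifies the subnet itself, not assignable
    if ip == subnet.broadcast_address:
        return "broadcast"    # reaches every host in the subnet, not assignable
    return "host"             # valid address for a computer

def subnet_of(addr, subnets):
    """Return the subnet that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((s for s in subnets if ip in s), None)

def same_subnet(a, b, subnets):
    """Hosts in different subnets must cross a router, where access can be filtered."""
    sa = subnet_of(a, subnets)
    return sa is not None and sa == subnet_of(b, subnets)

# Constructed example: one /24 split into four /26 subnets.
SUBNETS = split_range("192.168.1.0/24", 26)

if __name__ == "__main__":
    for s in SUBNETS:
        hosts = list(s.hosts())
        print(f"{s}: hosts {hosts[0]} to {hosts[-1]}, broadcast {s.broadcast_address}")
    for addr in ("192.168.1.64", "192.168.1.100", "192.168.1.127", "192.168.1.130"):
        print(addr, "in", SUBNETS[1], "->", classify(addr, SUBNETS[1]))
    print(same_subnet("192.168.1.10", "192.168.1.70", SUBNETS))
```
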
Network Address Translation

Network Address Translation (NAT) creates a unique opportunity
to assist in the security of a network. Originally, NAT extended
the number of usable Internet addresses. Now it allows an
organization to present a single address to the Internet for all
computer connections. The NAT server provides IP addresses to
the hosts or systems in the network and tracks inbound and
outbound traffic.
Telephony

IP or Internet telephony is the latest terminology related to
data/voice communication. It uses the Internet as a medium of
communication. IP telephony allows data communication in
which voice, fax or digital information can be transmitted over
the Internet.
Firewalls

Firewalls are one of the first lines of defense in a network. There
are different types of firewalls, and they can be either stand-alone
systems or included in other devices such as routers or
servers. You can find firewall solutions that are marketed as
hardware-only and others that are software-only. Many
firewalls, however, consist of add-in software that is available
for servers or workstations.
Firewalls
Packet Filter Firewalls

A firewall operating as a packet filter passes or blocks traffic to
specific addresses based on the type of application. The packet
filter doesn’t analyze the contents of a packet; it decides
whether to pass it based on the packet’s addressing information.
Firewalls
Stateful Inspection Firewalls

Stateful inspection is also referred to as stateful packet filtering.
Most of the devices used in networks don’t keep track of how
information is routed or used. Once a packet is passed, the packet
and path are forgotten. In stateful inspection (or stateful packet
filtering), records are kept using a state table that tracks every
communications channel.
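
An added example, not part of the original slides, contrasting the two firewall types described above: the packet filter decides from addressing information alone, while the stateful firewall consults a state table of open channels. The addresses, the port-443 rule and all names are constructed for illustration, and the state table is simplified (real ones also track protocol, TCP flags and timeouts).

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
INSIDE = "10.0.0."   # constructed internal address prefix

def is_inside(ip):
    return ip.startswith(INSIDE)

def packet_filter(pkt):
    """Stateless: each packet is judged on its addressing, then forgotten."""
    if is_inside(pkt.src) and pkt.dport == 443:
        return "pass"    # outbound HTTPS request
    if is_inside(pkt.dst) and pkt.sport == 443:
        return "pass"    # anything addressed like an HTTPS reply
    return "block"

class StatefulFirewall:
    def __init__(self):
        self.state = set()   # state table: one entry per open channel

    def handle(self, pkt):
        if is_inside(pkt.src) and pkt.dport == 443:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # Inbound traffic passes only as the reverse of a recorded channel.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass"
        return "block"

# Constructed traffic: a request, its reply, and an inbound packet that
# is addressed like a reply but belongs to no recorded channel.
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000),
    Packet("198.51.100.7", 443, "10.0.0.9", 50001),
]

def compare(packets):
    """Return (packet filter verdict, stateful verdict) for each packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.handle(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt, verdicts)
```
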
Proxy Servers

A proxy firewall can be thought of as an intermediary between
your network and any other network. Proxy firewalls are used to
process requests from an outside network; the proxy firewall
examines the data and makes rules-based decisions about
whether the request should be forwarded or refused. The proxy
intercepts all the packets and reprocesses them for use
internally. This process includes hiding IP addresses.
Honeypots and Honeynets

A honeypot is a decoy computer system for trapping hackers or
tracking unconventional or new hacking methods. Honeypots
are designed to purposely engage and deceive hackers and
identify malicious activities performed over the Internet.
Honeynets purposely include system vulnerabilities and aid in
better understanding hacker and cracker behavior (and the
motivations behind their behaviors).
Data Loss Prevention

DLP is a method of inspecting and keeping sensitive data from
leaving the allowed perimeter. DLP systems are only concerned
with the data passing over some kind of perimeter gateway
device, such as through emails, instant messages and Web 2.0
applications.
NIDS and NIPS

A network-based intrusion detection system (NIDS) monitors
activity on the network. An administrator installs NIDS sensors on
network devices such as routers and firewalls. These sensors gather
information and report to a central monitoring server hosting a
NIDS console. A network-based intrusion prevention system (NIPS)
is an IPS that monitors the network. An IPS can actively monitor data
streams, detect malicious content, and stop attacks in progress.
Unified Threat Management

The emergence of unified threat management is a relatively new
phenomenon, because the various aspects that make up these
products used to be sold separately. However, by selecting a
UTM solution, businesses and organizations can deal with just
one vendor, which may be more efficient. Unified threat
management solutions may also promote easier installation and
updates for security systems, although others contend that a
single point of access and security can be a liability in some
cases.
Cloud Types

Cloud computing is provided by cloud providers and is very
useful for heavily utilized systems and networks. Software as a
Service (SaaS) is used for web-based applications. Infrastructure
as a Service (IaaS) is also known as Hardware as a Service.
Platform as a Service (PaaS) provides easy-to-configure
operating systems.
As a Service
Software as a Service

Software as a Service (SaaS) includes any software or
application provided to users over a network such as the
Internet. Internet users access the SaaS applications with a web
browser. It usually doesn’t matter which web browser or
operating system a SaaS customer uses. They could be using
Internet Explorer, Chrome, Firefox, or just about any web
browser.
As a Service
Infrastructure as a Service

Infrastructure as a Service (IaaS) allows an organization to
outsource its equipment requirements, including the hardware
and all of its support operations. The IaaS service provider owns
the equipment, houses it in its datacenter, and performs all of the
required maintenance. The customer essentially rents access to
the equipment and often pays on a per-use basis.
As a Service
Platform as a Service

Platform as a Service (PaaS) provides customers with a
computing platform they can configure and manipulate as
needed. It provides the customer with an easy-to-configure
operating system, combined with on-demand computing.
Cloud Security

One of the primary drawbacks to cloud computing is that you
lose physical control of your data. You often won’t even know
where the data is stored. Employees at the cloud datacenter can
easily steal your data, and you may not know it until the thief
has exploited the data. It’s also possible for employees to make
mistakes that suddenly grant access to your data to anyone.
Cloud Security

Cloud security is the protection of data, applications, and
infrastructures involved in cloud computing. Many aspects of
security for cloud environments (whether it’s a public, private,
or hybrid cloud) are the same as for any on-premise IT
architecture.
