Impending Security+ test

Del3dDel3d Registered Users Posts: 4 ■□□□□□□□□□
Hello everyone. I have been watching the forums for quite some time and am impressed by the overwhelming support by the members of this forum. Kudos to each and everyone of you for that support. I especially liked the detailed posts on the use of IDS/IPS in February.

I am retired USAF and haven't worked in the IT field before. That being said, I've always wanted to be involved in the network engineer field, but cross training isn't that easy career military. This is a career move into a distinctly different field. One thing I have found is that a Master's in Management of Information Systems is too broad of a degree for a decent job. So, I have been studying for the Security+ cert and will hopefully be taking it this week (availability dependent) or the next. The tips so far in this forum have helped me groom my study habits in a hopefully productive plan.

Based on the forum, I purchased Darril's book (Kindel version) and found it quite comprehensive. I have also been through the SYBEX version (study guide and review guides). I can say, that it is a lot of material to learn. Darril's book presented the material in a way I could understand it better than SYBEX though. But, again with the comments about the test, I am feeling fairly confident on success or a passing grade depending on one's perspective.

I do have one question. It concerns the configuring of ACL that has been referernced a few times. Of course, I am not looking for the question and answer from the test. That would teach me nothing. But I am unsure how to actually configure an ACL.
I seen that the command based option is beyond the scope of the test and I can appreciate that.

I have read in the books about reassigning ports for security. i.e., port 80 to port 8080 to fool port sniffers.
Would the configuration simply be something like the following in an ACL?

Assigned ports | Protocol
80 | HTTP

Sorry, about the very basic question for all of you, but I know a lot in theory, but not so much in practice.
Thanks again, everyone for their patience.


  • ToomsTooms Member Posts: 36 ■■□□□□□□□□
    Not sure if you're talking about the router config, but if so here is what Cisco and Juniper ACL would be. Basically the packet would have to match the destination IP and port to be accepted.

    ip access-list extended ALLOW-HTTP-HTTPS
    permit tcp any host eq www
    permit tcp any host eq 443
    deny ip any any is the IP of your web server. This out be applied as an outbound ACL on the layer 3 interface for the web server subnet in most cases (or further up the line as a border ACL).

    Juniper router firewall filter (ACL) would be the following.

    from {
    destination-address {;
    protocol tcp;
    destination-port [80 443];
    then {

    Again that would be applied as an outbound ACL.
  • Del3dDel3d Registered Users Posts: 4 ■□□□□□□□□□
    Tooms. Thanks. At first a bit mind numbing, but it makes sense if you break it down. I like the implicit deny as the last rule. It prevents some of the unwanted traffic from coming through. I hadn't seen any Juniper commands before. Interesting different format.
  • ToomsTooms Member Posts: 36 ■■□□□□□□□□
    At the most basic form you're dealing with these elements

    Source Address or addresses
    Source port(s)
    Destination address or addresses
    Destination port(s)
    Protocol type (tcp, udp, icmp, etc)
    Action - accept or deny

    One thing to point out is that most router ACL's are stateless whereas this same rule in a firewall would be stateful. NTP is a good example. Its UDP based so if I let it through in one direction and not the other, the return traffic would be blocked. In a stateful firewall, the return traffic for an exception in one direction is allowed.

    In an ACL you can address TCP return traffic with this by letting all tcp-established traffic back in. You can't do that for UDP though.

    Cisco command for allowing TCP-established traffic through an ACL:

    permit tcp any any established

    Example of using this would be an interface for a set of computers that I didnt want people to be able to establish an inbound connection too, but I wanted all tcp connections they initiated themselves to be allowed through.
  • Del3dDel3d Registered Users Posts: 4 ■□□□□□□□□□
    Thanks Tooms. This helped a lot.
  • ToomsTooms Member Posts: 36 ■■□□□□□□□□
    No problem. IM me if you need anymore help.

    Brush up on directions too - Inbound vs Outbound ACLs. It is always from the perspective of the router too. I generally end up using outbound ACL's about 80%+ of the time when protecting certain subnets on the network. When dealing with ACL's at the "border" of your network you deal a lot more doing inbound or inbound + outbound ACLs.
  • lsud00dlsud00d Member Posts: 1,571
    Tooms gave a lot of good info but TBH it's overkill for the Sec+ exam.

    Watch this Professor Messer video-- CompTIA Security+ SY0-301: 1.2 - Access Control Lists | Professor Messer - CompTIA A+, Network+, Security+, Linux, Microsoft Technology Training

    The Sec+ ACL stuff is very basic.
  • bub9001bub9001 Member Posts: 229 ■■■□□□□□□□
    I took the Security+ a few years back, and don't remember a lot of Port questions on it. The test seemed to be more about what would you do stuff. I felt like Darril Gibson's book was all I needed to pass. Keep in mind I did Network+ 6 weeks before taking the Security+, so network stuff was really fresh in my mind.
    “You were born to win, but to be a winner you must plan to win, prepare to win, and expect to win.” - Zig Ziglar

    Goals for 2019: CEH, and CND
    Goals for 2019: CCNA or ECSA
Sign In or Register to comment.