Impending Security+ test
Hello everyone. I have been watching the forums for quite some time and am impressed by the overwhelming support by the members of this forum. Kudos to each and every one of you for that support. I especially liked the detailed posts on the use of IDS/IPS in February.
I am retired USAF and haven't worked in the IT field before. That being said, I've always wanted to be involved in the network engineer field, but cross training isn't that easy for career military. This is a career move into a distinctly different field. One thing I have found is that a Master's in Management of Information Systems is too broad of a degree for a decent job. So, I have been studying for the Security+ cert and will hopefully be taking it this week (availability dependent) or the next. The tips so far in this forum have helped me groom my study habits into a hopefully productive plan.
Based on the forum, I purchased Darril's book (Kindle version) and found it quite comprehensive. I have also been through the SYBEX version (study guide and review guides). I can say that it is a lot of material to learn. Darril's book presented the material in a way I could understand it better than SYBEX though. But, again with the comments about the test, I am feeling fairly confident on success or a passing grade depending on one's perspective.
I do have one question. It concerns configuring an ACL, which has been referenced a few times. Of course, I am not looking for the question and answer from the test. That would teach me nothing. But I am unsure how to actually configure an ACL.
I have seen that the command-based option is beyond the scope of the test and I can appreciate that.
I have read in the books about reassigning ports for security. i.e., port 80 to port 8080 to fool port sniffers.
Would the configuration simply be something like the following in an ACL?
Assigned port | Protocol
80  | HTTP
110 | POP3
443 | HTTPS
Sorry about the very basic question for all of you, but I know a lot in theory, but not so much in practice.
Thanks again, everyone, for your patience.
Comments
Tooms: Not sure if you're talking about the router config, but if so here is what Cisco and Juniper ACLs would be. Basically the packet would have to match the destination IP and port to be accepted.
ip access-list extended ALLOW-HTTP-HTTPS
permit tcp any host 1.1.1.1 eq www
permit tcp any host 1.1.1.1 eq 443
deny ip any any
1.1.1.1 is the IP of your web server. This would be applied as an outbound ACL on the layer 3 interface for the web server subnet in most cases (or further up the line as a border ACL).
Juniper router firewall filter (ACL) would be the following.
term PERMIT-ALL-TO-HTTP-HTTPS {
    from {
        destination-address {
            1.1.1.1/32;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then {
        accept;
    }
}
Again that would be applied as an outbound ACL.
Del3d: Tooms. Thanks. At first a bit mind numbing, but it makes sense if you break it down. I like the implicit deny as the last rule. It prevents some of the unwanted traffic from coming through. I hadn't seen any Juniper commands before. Interesting different format.
Tooms: At the most basic form you're dealing with these elements:
Source Address or addresses
Source port(s)
Destination address or addresses
Destination port(s)
Protocol type (tcp, udp, icmp, etc)
Action - accept or deny
One thing to point out is that most router ACLs are stateless, whereas this same rule in a firewall would be stateful. NTP is a good example. It's UDP-based, so if I let it through in one direction and not the other, the return traffic would be blocked. In a stateful firewall, the return traffic for an exception in one direction is allowed.
In an ACL you can address TCP return traffic with this by letting all tcp-established traffic back in. You can't do that for UDP though.
Cisco command for allowing TCP-established traffic through an ACL:
permit tcp any any established
Example of using this would be an interface for a set of computers that I didn't want people to be able to establish an inbound connection to, but I wanted all TCP connections they initiated themselves to be allowed through.
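Added example, not code from the thread: a small Python model of the ACL elements Tooms lists (source, destination, protocol, port, action, implicit deny), his Cisco web-server ACL and the `established` keyword, plus a minimal stateful flow table that shows why the NTP reply he describes gets through a stateful firewall but not a stateless ACL. The addresses, ports and packets (including the `ack` field) are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def rule(action, proto, src, dst, dport=None, established=False):
    """One ACL entry; src/dst are CIDR strings, 'any' means 0.0.0.0/0."""
    cidr = lambda s: ip_network("0.0.0.0/0" if s == "any" else s)
    return dict(action=action, proto=proto, src=cidr(src), dst=cidr(dst),
                dport=dport, established=established)

def matches(r, pkt):
    """Check source, destination, protocol, port and the TCP 'established' flag."""
    if r["proto"] not in ("ip", pkt["proto"]):
        return False
    if ip_address(pkt["src"]) not in r["src"] or ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    # 'established' only matches TCP segments carrying ACK (or RST): return traffic.
    return not r["established"] or (pkt["proto"] == "tcp" and pkt.get("ack", False))

def stateless(acl, pkt):
    """Router-style ACL: first match wins; no match hits the implicit deny."""
    for r in acl:
        if matches(r, pkt):
            return r["action"]
    return "deny"

def flow(pkt, reverse=False):
    """5-tuple key for a flow, or for the reply direction of that flow."""
    a, b = (pkt["dst"], pkt["dport"]), (pkt["src"], pkt["sport"])
    return (pkt["proto"],) + (a + b if reverse else b + a)

def stateful(acl, pkt, table):
    """Firewall-style: a packet answering a flow recorded outbound is let back in."""
    return "permit" if flow(pkt, reverse=True) in table else stateless(acl, pkt)

# Tooms' web-server ACL, and an inbound ACL admitting only TCP return traffic.
WEB_ACL = [rule("permit", "tcp", "any", "1.1.1.1/32", 80),
           rule("permit", "tcp", "any", "1.1.1.1/32", 443),
           rule("deny", "ip", "any", "any")]
RETURN_ACL = [rule("permit", "tcp", "any", "any", established=True),
              rule("deny", "ip", "any", "any")]

# Constructed sample packets: an NTP request from 10.0.0.5 and the server's reply.
NTP_OUT = dict(proto="udp", src="10.0.0.5", sport=123, dst="203.0.113.7", dport=123)
NTP_BACK = dict(proto="udp", src="203.0.113.7", sport=123, dst="10.0.0.5", dport=123)

def ntp_reply_verdicts():
    """The same NTP reply: dropped by the stateless ACL, passed by the stateful table."""
    table = {flow(NTP_OUT)}          # the request was permitted out and remembered
    return stateless(RETURN_ACL, NTP_BACK), stateful(RETURN_ACL, NTP_BACK, table)
```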
Tooms: No problem. IM me if you need any more help.
Brush up on directions too - inbound vs outbound ACLs. It is always from the perspective of the router. I generally end up using outbound ACLs about 80%+ of the time when protecting certain subnets on the network. When dealing with ACLs at the "border" of your network you deal a lot more with inbound or inbound + outbound ACLs.
lsud00d: Tooms gave a lot of good info but TBH it's overkill for the Sec+ exam.
Watch this Professor Messer video: CompTIA Security+ SY0-301: 1.2 - Access Control Lists
The Sec+ ACL stuff is very basic.
bub9001: I took the Security+ a few years back, and don't remember a lot of port questions on it. The test seemed to be more about what would you do stuff. I felt like Darril Gibson's book was all I needed to pass. Keep in mind I did Network+ 6 weeks before taking the Security+, so network stuff was really fresh in my mind.