98-367 Chapter Seven

Chapter 7: Protecting a Network

Topics Covered:

  • Identifying common attack methods
  • Exploring firewalls
  • Exploring Network Access Protection
  • Identifying protocol security methods

Identifying Common Attack Methods

Attackers use several well-known methods to attempt to breach networks. Attacks are evolving, but they usually fall into the category
of a common attack method. Many organizations use an intrusion detection system (IDS) to detect and mitigate attacks.

Denial of Service

Any attack designed to prevent a system from providing a service. These attacks usually involve consuming resources to exhaustion,
such as a SYN flood.

Another approach is to flood the target with traffic, for example from a botnet.

Sniffing Attack

Captures data in transit over a network. Works well against plaintext protocols such as FTP and Telnet.

Network cards can be put into promiscuous mode (capture all traffic on the network that reaches the interface, regardless of destination).

Spoofing Attack

The attacker attempts to impersonate someone or something they are not. A Local Area Network Denial (LAND) attack changes the source IP so that it is the same as the destination, causing the system
to keep replying to itself.

Port Scan

An attempt to discover which ports are listening on a system. Ports can be changed, but some services use standardized ports,
which can give attackers a hint of what is running.
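
How an IDS might flag three of the methods above, as an added example rather than code from the book or a real IDS. The packet tuples are constructed and the thresholds are assumed values, with no time windowing.

```python
from collections import defaultdict

def build_sample():
    """Constructed packets: (src_ip, dst_ip, dst_port, tcp_flag). Not real traffic."""
    pkts = [("192.0.2.10", "192.0.2.10", 139, "S")]          # source spoofed to equal destination
    for port in range(20, 45):                                # one source sends SYNs to 25 ports
        pkts.append(("198.51.100.7", "192.0.2.10", port, "S"))
    for i in range(200):                                      # 200 sources, SYN only, one service
        pkts.append((f"203.0.113.{i + 1}", "192.0.2.20", 80, "S"))
    pkts.append(("198.51.100.50", "192.0.2.20", 443, "S"))   # normal client: SYN ...
    pkts.append(("198.51.100.50", "192.0.2.20", 443, "A"))   # ... then ACK completes the handshake
    return pkts

def detect(packets, scan_ports=20, flood_half_open=100):
    """Return a set of (alert_type, subject) tuples. Thresholds are assumed values."""
    alerts = set()
    ports_probed = defaultdict(set)   # (src, dst) -> distinct destination ports that got a SYN
    half_open = defaultdict(set)      # (dst, port) -> sources that sent a SYN but no ACK yet
    for src, dst, port, flag in packets:
        if flag == "S":
            if src == dst:            # LAND: the reply would go back to the victim itself
                alerts.add(("LAND", dst))
                continue
            ports_probed[(src, dst)].add(port)
            half_open[(dst, port)].add(src)
        elif flag == "A":             # handshake finished, connection is no longer half-open
            half_open[(dst, port)].discard(src)
    for (src, dst), ports in ports_probed.items():
        if len(ports) >= scan_ports:
            alerts.add(("PORT_SCAN", src))
    for (dst, port), sources in half_open.items():
        if len(sources) >= flood_half_open:
            alerts.add(("SYN_FLOOD", f"{dst}:{port}"))
    return alerts

if __name__ == "__main__":
    for alert in sorted(detect(build_sample())):
        print(alert)
```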

Exploring Firewalls

Types of firewalls:

  • Stateless: Examines each packet individually and does not take the TCP session into account
  • Stateful: Able to examine connections as sessions
  • Content Filtering: Blocks traffic based on content (often used to block mail attachments)
  • Application Layer Filtering: Has a component for each application protocol, for example allowing HTTP GET but blocking HTTP PUT. CPU intensive, so it should be used sparingly or
    with dedicated hardware appliances
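
A minimal model of the stateless/stateful difference, added here as an example (not from the book or any firewall product). The packets, addresses and the stateless "ACK set means established" rule are assumptions chosen to show where per-packet filtering and session tracking disagree.

```python
# Constructed packets: (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
TRAFFIC = [
    ("out", "10.0.0.5", 50000, "203.0.113.80", 80, "S"),    # inside host opens a web session
    ("in",  "203.0.113.80", 80, "10.0.0.5", 50000, "SA"),   # server's SYN-ACK reply
    ("out", "10.0.0.5", 50000, "203.0.113.80", 80, "A"),    # handshake completes
    ("in",  "198.51.100.9", 4444, "10.0.0.5", 3389, "A"),   # unsolicited ACK, no session exists
    ("in",  "198.51.100.9", 4445, "10.0.0.5", 445, "S"),    # unsolicited inbound SYN
]

def stateless_allow(pkt):
    """Judge each packet alone: allow outbound, allow inbound only if ACK is set."""
    direction, _src, _sport, _dst, _dport, flags = pkt
    return direction == "out" or "A" in flags

class StatefulFirewall:
    """Track sessions opened from inside; inbound packets must match one."""

    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        direction, src, sport, dst, dport, flags = pkt
        if direction == "out":
            if flags == "S":                    # outbound SYN creates the state entry
                self.sessions.add((src, sport, dst, dport))
            return True
        key = (dst, dport, src, sport)
        allowed = key in self.sessions
        if "R" in flags or "F" in flags:        # simplified teardown: drop state on RST/FIN
            self.sessions.discard(key)
        return allowed

def compare(traffic=TRAFFIC):
    """Return (stateless verdicts, stateful verdicts) for the same packet sequence."""
    fw = StatefulFirewall()
    return [stateless_allow(p) for p in traffic], [fw.allow(p) for p in traffic]

if __name__ == "__main__":
    stateless, stateful = compare()
    for pkt, a, b in zip(TRAFFIC, stateless, stateful):
        print(pkt, "stateless:", a, "stateful:", b)
```

The fourth packet is the one to watch: it passes the per-packet rule because its ACK bit is set, but the stateful firewall drops it because no inside host opened that session.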

Comparing Hardware-Based and Software-Based Firewalls

Hardware Firewalls: dedicated devices that provide security and help isolate the network from unwanted traffic.
Hardware devices can be designed as appliances, things you plug in and just use. Defense in depth would dictate the use of
multiple layers of firewalls, such as a hardware appliance on the boundary and firewalls on client workstations.

UTM vs SCM

Both bundle multiple capabilities in a firewall.

Unified Threat Management: UTM includes email and web filtering and also adds:

* basic routing
* packet filtering
* anti-malware
* content filtering
* stateful filtering
* application layer filtering
* intrusion detection: can block port scans, SYN floods and other attacks
* network performance: a proxy can cache data to respond faster
* remote access: VPN component

Secure Content Management: Focused on filtering email and web-based traffic. SCM products can also work as proxy servers.

UTM is much broader in scope, and its components are well integrated because it is a single product.

Isolating Servers on Perimeter Networks

If servers are placed directly on the internet, they face public threats. If they are placed on the private internal network, no one outside can access them.
A perimeter network is somewhat protected from the internet and is also not directly connected to the internal private network.
Perimeter networks usually contain web servers, mail servers and other servers that need to receive traffic from the public internet.
Perimeter networks usually have an External and Internal Firewall (Three Pronged/Three legged Firewall) but sometimes just have an external one (cheaper, but a single point of failure).

Using Honeypots

A honeypot is a server that is set up to entice attackers and appears to be holding actual data. It provides two primary benefits:

  • Lure attackers away from real systems
  • Learn more about attack methods and trends

Isolating a Network with NAT

Private IP ranges as defined in RFC 1918

  • -
  • -
  • -

NAT translates public IPs into private IPs so computers are not directly accessible via the internet.

Exploring Network Access Protection

NAP is a part of the Network Policy and Access Services server role. It can inspect a client attempting to connect to the network
to determine whether it meets the requirements to connect. If the client does not pass the checks, it can be placed on an isolated/restricted network or denied access.

Admins decide what is healthy, such as updates installed, antivirus software installed, etc. Restricted clients have access to remediation servers,
where resources on how to fix the issue are found. NAP checks can also periodically validate healthy clients. Example: the firewall must be enabled. If the firewall is disabled,
NAP can place the client on the restricted network.

Understanding NAP Components
  • System Health Agents: Run in the background and check the status of the client. Server 2008 has no SHAs but 2008 R2 does.
  • System Health Validators: Where the healthy state is defined on a NAP server.
  • Health Policy: Created on a health server. Identifies which SHVs to use for the different clients in the environment and also defines
    how to respond to unhealthy clients.
  • System Statement of Health: The NAP server collects statements of health from clients and compares them against the health policy. These statements are compiled into
    a single statement of health for each client. This System Statement of Health identifies whether the client is in compliance with the health policy.
  • Health Registration Authority: If the client is healthy, the HRA retrieves a health certificate for the client
  • Health Certificate: Used by the client to gain access to network resources
  • Restricted Network: Includes a remediation server, which can deploy updates to the OS or AV software to make the client healthy

Evaluating Client Health with VPN Enforcement

VPN clients can connect and also be validated by NAP

NAP can also validate the following:

  • DHCP: Health can be validated before any TCP/IP configuration is assigned
  • IPSec: Ensure IPSec policy is compliant
  • 802.1x Enforcement: Can check health before allowed to connect to wireless network

Identifying NAP Requirements

Some clients only support certain checks and features. Servers must also be running 2008+ to support NAP.

Here is a list of components and the required Roles/Services:

  • Network Access Protection health policy server requires Network Policy and Access Services, Network Access Protection
  • HRA server requires Network Policy and Access Services, HRA service, web server (IIS)
  • Virtual Private Network (VPN) enforcement server requires Network Policy and Access Services, Routing and Remote Access Services
  • DHCP enforcement server requires Network Policy and Access Services, DHCP role

The HRA can include a CA, or certificates can be issued by a CA running on a different OS. Remediation servers can be running whatever is required
to provide the remediation service. 802.1x requires managed switches.

Identifying Protocol Security Methods

IPSec

Encrypts data before it is transmitted on the network to prevent sniffing. It includes two primary mechanisms:

  • Authentication Header (AH): Provides authentication and integrity. Packets are hashed, and the hash is placed in the AH field and sent. The recipient can hash the packet and check it
    against the hash stored in the AH; if they match, the recipient can be sure the packet was not altered in transit.

  • Encapsulating Security Protocol (ESP): Encrypts data

IPSec can be configured on individual computers, or on multiple computers with Group Policy.

Three IPSec Policies:

  • Client (Respond Only): Computers can establish IPsec sessions but never initiate them
  • Secure Server (Require Security): Always requires IPsec sessions. If the other computer can't do IPsec, the connection is terminated
  • Server (Request Security): Attempts to establish IPsec. If unable, continues to communicate unencrypted

IPSec can also be configured for specific traffic such as FTP to ensure it is always encrypted.

Comparing Tunneling Protocols
  • Point to Point Tunneling Protocol (PPTP): Older and vulnerable, but still used by many applications. Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data in the tunnel.
  • Layer 2 Tunneling Protocol (L2TP): Commonly uses IPSec. The problem is that it can't pass through NAT because NAT corrupts IPsec traffic.
  • Secure Socket Tunneling Protocol (SSTP): Uses SSL and was introduced in Server 2008
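
The AH integrity check described earlier, in a simplified model added here (not from the book or any IPsec implementation). The packet layout, key and addresses are constructed; real AH uses a keyed integrity value tied to the security association and treats mutable header fields such as TTL as zero when computing it. The last case shows one way NAT and IPsec conflict: rewriting the source address invalidates the value.

```python
import hashlib
import hmac

# Constructed key; stands in for the key shared by the two IPsec peers.
SA_KEY = b"constructed-shared-key-for-demo"

def icv(packet, key=SA_KEY):
    """Integrity value over the fields that must not change in transit."""
    data = b"|".join([
        packet["src"].encode(),
        packet["dst"].encode(),
        b"\x00",                 # TTL is mutable (routers decrement it), so it counts as zero
        packet["payload"],
    ])
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def send(src, dst, payload, ttl=64):
    """Sender side: build the packet and place the integrity value in the AH field."""
    pkt = {"src": src, "dst": dst, "ttl": ttl, "payload": payload}
    pkt["ah_icv"] = icv(pkt)
    return pkt

def verify(packet, key=SA_KEY):
    """Recipient side: recompute the value and compare in constant time."""
    return hmac.compare_digest(packet["ah_icv"], icv(packet, key))

def demo():
    original = send("10.0.0.5", "203.0.113.80", b"transfer 100 to account 42")
    cases = {
        "original": original,
        "routed": dict(original, ttl=57),                                   # TTL decremented by routers
        "tampered": dict(original, payload=b"transfer 900 to account 42"),  # payload altered in transit
        "natted": dict(original, src="198.51.100.1"),                       # NAT rewrote the source address
    }
    return {name: verify(pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:9s} verifies: {ok}")
```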

DNS does not have much built-in security; DNSSEC adds extra security. It provides three main benefits:

  • Origination Authentication of DNS Data: DNS records are digitally signed, and the signatures provide authentication between DNS servers
  • Data Integrity: Hashing is used with the DNS record to ensure it was not modified, which helps prevent cache poisoning attacks
  • Authenticated Denial of Existence: Protects against zone enumeration by encrypting the specific record for no match found (NSEC3)

Chapter Review Questions:

  1. True or false: A DDoS attack comes from a single computer.
  2. An attacker is capturing and analyzing network traffic with a protocol analyzer. What type of attack is this?
  3. A __ attack is a specific type of spoofing attack. It spoofs the source address within a TCP SYN packet and causes the system to repeatedly reply to itself.
  4. You want to allow both LDAP and secure LDAP traffic through a firewall. What ports need to be opened?
    a. 161 and 162
    b. 389 and 3389
    c. 389 and 636
    d. 80 and 443
  5. True or false: A hardware-based firewall is typically more efficient than a software-based firewall.
  6. An organization plans to host a web server accessible from the Internet. Where should the web server be placed to provide the best protection?
    a. In the Intranet
    b. On the internet
    c. On a firewall
    d. In a perimeter network
  7. What type of firewall provides combined protection for multiple threats and can include firewall security features, routing features, and VPN components?
    a. SCM
    b. UTM
    c. Stateful Firewall
    d. Packet-Filtering Firewall
  8. Of the following choices, which client(s) can NAP inspect and isolate? (Choose all that apply)
    a. Linux
    b. Windows XP SP3
    c. Windows Vista
    d. Windows 7
  9. Sensitive data is transmitted on your network from a server. You want to ensure that this data is encrypted. What would you use?
    a. SSTP
    b. PPTP
    c. IPsec
    d. L2TP
  10. What is used to digitally sign DNS records?


  1. False
  2. Sniffing Attack
  3. LAND (Local Area Network Denial)
  4. C (initially guessed A. LDAP uses 389 and secure LDAP uses 636)
  5. True
  6. D
  7. B
  8. B,C,D (I initially guessed C,D only)
  9. C
  10. DNS SEC (I initially put digital certificates)

Relevant sections of Certification Exam


Need to review table on page 152 (Commonly Used Ports)