WIXLIB

CompTIASecurity SY0-401Fourth EditionDiane Barrett,Kalani K. Hausman,Martin Weiss800 East 96th Street, Indianapolis, Indiana 46240 USA

CompTIA Security SY0-401 Exam Cram, Fourth EditionCopyright 2015 by Pearson Education, Inc.Editor-in-ChiefDave DusthimerAll rights reserved. No part of this book shall be reproduced, stored ina retrieval system, or transmitted by any means, electronic, mechanical,photocopying, recording, or otherwise, without written permission fromthe publisher. No patent liability is assumed with respect to the use ofthe information contained herein. Although every precaution has beentaken in the preparation of this book, the publisher and author assumeno responsibility for errors or omissions. Nor is any liability assumed fordamages resulting from the use of the information contained herein.ISBN-13: 978-0-7897-5334-2ISBN-10: 0-7897-5334-0Library of Congress Control Number: 2015930248Printed in the United States of AmericaFirst Printing: February 2015AcquisitionsEditorBetsy BrownTrademarksCopy EditorKeith ClineAll terms mentioned in this book that are known to be trademarks or servicemarks have been appropriately capitalized. Que Publishing cannot attest tothe accuracy of this information. Use of a term in this book should not beregarded as affecting the validity of any trademark or service mark.Warning and DisclaimerEvery effort has been made to make this book as complete and as accurateas possible, but no warranty or fitness is implied. The information providedis on an “as is” basis. The authors and the publisher shall have neitherliability nor responsibility to any person or entity with respect to any loss ordamages arising from the information contained in this book or from the useof the CD or programs accompanying it.Special SalesFor information about buying this title in bulk quantities, or for special salesopportunities (which may include electronic versions; custom cover designs;and content particular to your business, training goals, marketing focus,or branding interests), please contact our corporate sales department atcorpsales@pearsoned.com or (800) 382-3419.For government sales inquiries, please contactgovernmentsales@pearsoned.com.For questions about sales outside the U.S., please orEllie BruManaging EditorSandra SchroederSenior ProjectEditorTonya SimpsonIndexerErika MillenProofreaderMeganWade-TaxterTechnical EditorChris CraytonPublishingCoordinatorVanessa EvansMedia ProducerLisa MatthewsCover DesignerAlan ClementsCompositorStudio Galou

Contents at a GlanceIntroductionxxiiPart I: Network SecurityCHAPTER 1Secure Network Design1CHAPTER 2Network Implementation49Part II: Compliance and Operational SecurityCHAPTER 3Risk ManagementCHAPTER 4Response and Recovery83143Part III: Threats and VulnerabilitiesCHAPTER 5Attacks203CHAPTER 6Deterrents261Part IV: Application, Data, and Host SecurityCHAPTER 7Application Security291CHAPTER 8Host Security311CHAPTER 9Data SecurityPart V: Access Control and Identity ManagementCHAPTER 10Authentication, Authorization, and Access Control391CHAPTER 11Account Management421Part VI: CryptographyCHAPTER 12Cryptography Tools and Techniques439CHAPTER 13Public Key Infrastructure473Practice Exam 1491Index533On the CD:Practice Exam 2Glossary

ContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiiPart I: Network SecurityCHAPTER 1Secure Network Design . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Implement Security Configuration Parameters on Network Devicesand Other Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Load Balancers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Web Security Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7VPN Concentrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8NIDS and NIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Protocol Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Spam Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12UTM Security Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Web Application Firewall Versus Network Firewall . . . . . . . . . . 14Application-Aware Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Cram Quiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Cram Quiz Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Given a Scenario, Use Secure Network Administration Principles. . . . . 19Rule-Based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20VLAN Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Secure Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 22Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Flood Guards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Loop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Implicit Deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Network Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Log Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Unified Threat Management . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Cram Quiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Cram Quiz Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Explain Network Design Elements and Components . . . . . . . . . . . . . 30DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Subnetting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Telephony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37NAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Layered Security/Defense in Depth . . . . . . . . . . . . . . . . . . . . . 44Cram Quiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Cram Quiz Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46What Next? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47CHAPTER 2Network Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . 49Given a Scenario, Implement Common Protocols and Services . . . . . . 50Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65OSI Relevance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Cram Quiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Cram Quiz Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Given a Scenario, Troubleshoot Security Issues Related toWireless Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71WPA2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73PEAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73LEAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74MAC Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Disable SSID Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75CCMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Antenna Placement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76