***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/cap-security-operations-and-monitoring/blob/main/README.md) >

## CompTIA Cybersecurity Analyst (CySA+) - Course Material 2022
###### Topic: ``Configuration Controls``
***

Course material for the ``CompTIA Cybersecurity Analyst (CySA+)`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Configuration Controls](#a) <br/><br/>

- [Firewall Configuration Changes](#1) <br/><br/> 
    - [``ACL``](#1)  ``Rules``/``Top-down`` <br/><br/>
        - Listed in Order of Execution <br/><br/>
            - [Considerations](#1) <br/><br/>
                - [Blocking by Protocol Requests](#1) <br/><br/> 
                    - [Incoming Source / Local Network Level](#1) ``ICMP``/``DHCP`` <br/><br/>
                - [Blocking Incoming Traffic with Higher Chance of being Spoofed](#1) <br/><br/>
                    - Loopback <br/><br/>
                    - Private <br/><br/>
                    - Multicast <br/><br/>
                - [Ensuring IPv6 is either Fully Blocked or Limited](#1) ``Only those being Explicitly Used`` <br/><br/>
                - [Drop vs. Reject](#1) <br/><br/>
                    - Reject Notifies | Drop ~~Notify~~ <br/><br/>
    - [Egress Filtering](#2) <br/><br/> 
        - [Block All IP Not allowed](#2) <br/><br/> 
        - [Block Known-bad IP Ranges](#2) <br/><br/> 
        - [Restrict Subnets from Internet Access](#2) ``Access Need?`` <br/><br/> 
        - [Restrict DNS Lookups](#2) <br/><br/> 
        - [Allow Ports Needed/Active](#2) <br/><br/> 
- [IDS/IPS](#3) <br/><br/> 
    - [Configuration Changes](#3) <br/><br/> 
        - [Monitoring](#3) <br/><br/>
            - [``TAP``](#3) ``Switch`` <br/><br/> 
            - [``SPAN``](#3) ``Port Mirror`` <br/><br/> 
        - [Action / Prevention](#3) ``IPS`` <br/><br/> 
            - [Firewall Virtual Interface](#3) <br/><br/> 
                - ``AF_PACKET`` <br/><br/>
    - [Rules](#4) ``Ensure Proper Configuration to Execute`` <br/><br/> 
        - [Set Action Fields](#4) ``Snort``/``Zeek``/``Security Onion`` <br/><br/>
            - ``flow`` <br/><br/>
                - Matches TCP Connection <br/><br/>
            - ``msg`` <br/><br/>
                - Contains Rule Information <br/><br/>
            - ``flags`` <br/><br/>
                - [Checks if Flags are Set](#4) ``TCP SYN``/``FIN`` <br/><br/>
            - ``track`` <br/><br/>
                - Rate Limiting <br/><br/>
            - ``reference`` <br/><br/>
                - [Connects an Entity to a Database](#4) ``ATT&CK`` <br/><br/>
            - ``sid`` <br/><br/>
                - Give Rule a Unique ID <br/><br/>
            - ``rev`` <br/><br/>
                - Provide Revision Information <br/><br/>
            - ``classtype`` <br/><br/>
                - Categorize Type of Attack <br/><br/>
- [Port Security](#5) <br/><br/> 
    - [Configuration Changes](#5) <br/><br/> 
        - [Physically Locking Down Ports](#5) <br/><br/> 
        - [MAC Filtering](#5) ``Switch``/``AP`` <br/><br/> 
            - [Approved Clients](#5) ``ACL`` <br/><br/>
                - [Restrict MAC Filter](#5) ``Said Port`` <br/><br/> 
                    - [``NAC``](#5) ``Next Best Option`` <br/><br/>
- [Network Access Control](#6) ``NAC`` <br/><br/> 
    - [Authentication / Authorisation](#6) ``Access at Device Level`` <br/><br/>
        - [Protocols / Policies / Hardware](#6) ``General Term`` <br/><br/>
    - [Configuration Changes](#6) <br/><br/> 
        - [``IEEE 802.1X``](#6) ``Standard`` <br/><br/> 
            - [Encapsulating Extensible Authentication Protocol Communications](#6) ``LAN``/``WLAN`` <br/><br/> 
                - [Providing Port-based Authentication](#6) ``EAP`` <br/><br/>
        - [Port-Based NAC](#6) ``PNAC`` <br/><br/> 
            - [Authentication of Attached Device before Activating the Port](#6) ``Switch``/``Route`` <br/><br/> 
        - [Extensible Authentication Protocol over LAN](#6) ``EAPoL`` <br/><br/> 
            - [EAP Authentication when Host Connects to an Ethernet Switch](#6) <br/><br/> 
        - [Posture Assessment](#6) <br/><br/> 
            - [Verifying Compliance with a Health Policy](#6) ``Using Host Health Checks`` <br/><br/> 
        - [Remediation](#6) <br/><br/> 
            - [Not Meeting a Security Profile / Health Policy](#6) ``Device`` <br/><br/> 
            - [Gaining Access to a Guest / Quarantine Network](#6) <br/><br/>         
        - [Admission Control](#6) <br/><br/> 
            - [Client Devices Granted / Denied Access](#6) ``Compliance with a Health Policy`` <br/><br/> 
    - [Enforcement Policies](#6) <br/><br/> 
        - [Time-based](#6) ``Access Only for Limited Time`` <br/><br/> 
        - [Rule-based](#6) ``Logical Statements`` <br/><br/> 
        - [Role-based](#6) ``Job Function`` <br/><br/> 
- [Endpoint Detection and Response](#7) ``EDR`` <br/><br/> 
    - [Configuration Changes](#7) <br/><br/>
        - [External Feeds](#7) ``Building Rule Sets`` <br/><br/>
            - [Custom Rule Development may be Required for Signatures / Threat Feeds](#7) <br/><br/>
                - [Resources](#7) [ [``MAEC``](https://maecproject.github.io/) ] | [ [``Yara Rules``](https://yara.readthedocs.io/en/stable/) ] <br/><br/>
- [File System Permissions](#8) <br/><br/> 
    - [Configuration Changes](#8) <br/><br/> 
        - [Windows File Permissions](#8) <br/><br/> 
            - [ [``icacls``](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls) ] ``Solution for Viewing Windows-based Permissions`` <br/><br/>
                - [Displays / Modifies Discretionary Access Control Lists](#8) ``DACL`` <br/><br/> 
        - [Linux File Permissions](#8) ``r``ead/``w``rite/e``x``ecute <br/><br/> 
            - [Applied into a Combination of 3 Groups](#8) <br/><br/> 
                - [User](#8) ``u`` <br/><br/> 
                - [Group](#8) ``g`` <br/><br/> 
                - [Others](#8) ``o`` <br/><br/> 
            - [Assign Permission](#8) <br/><br/> 
                - [``chmod``](#8) <br/><br/> 
                    - [r=4](#8) <br/><br/> 
                    - [w=2](#8) <br/><br/> 
                    - [x=1](#8) <br/><br/> 
        - [Data Loss Prevention](#9) ``DLP`` <br/><br/> 
            - Software Solution <br/><br/>
                - Detects / Prevents Sensitive Information Stored on Unauthorized Systems  <br/><br/>
                - Transmitted over Unauthorized Networks
                
<hr width="50%">

- [Appendix](#appendix)<br/><br/>
    - Key Terms | Firewalking | Blackhole | Sinkhole <br/><br/>
    - Blacklisting / WhiteListing <br/><br/>
    - Windows - Software Restriction Policies - ``SRP``

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Configuration Controls
***

> Identify configuration controls for security appliances

> Identify configuration controls for endpoint tools

> Identify configuration controls for privacy and access

Dive deeper into specific configurations that may need to be implemented to ensure the best possible outcome for your security appliances.


[ [DMZ Network Configuration](https://www.techrepublic.com/article/solutionbase-strengthen-network-defenses-by-using-a-dmz/) ]

< [Table of Contents](#top) | [References](#references) >
<a id="1"></a>
***
###### Firewall - Configuration Changes
***

In most firewalls, the rules (``ACL`` entries) are evaluated in the order they are listed (top-down) - whichever rule or ``ACL`` entry is listed first is the first one that will be enforced, so the first rule that matches a packet decides what happens to it.

- More than likely, the last rule on the list is a default to block all other traffic that is not explicitly permitted by the rules above it.

Other considerations for creating firewall rules include:

- Blocking protocol requests arriving from an outside source that should only ever be seen at the local network level (``ICMP``, ``DHCP``, etc.).


- Blocking incoming traffic that has a higher chance of being spoofed (loopback, private, multicast).


- Ensuring ``IPv6`` is either fully blocked or limited to only those being explicitly used.


- Drop vs. Reject (the difference is that Reject notifies the source that its packet was refused - Drop silently discards it).


< [Table of Contents](#top) | [References](#references) >
<a id="2"></a>
***
###### Egress Filtering
***

Egress filtering is essential to ensure your firewall is also controlling the traffic leaving your local area networks, not only what comes in from outside. 

The following are some common ways to configure egress blocking:

- Block all IP addresses that are not explicitly allowed for the local network.


- Block access to known-bad IP address ranges.


- If internet access is not needed, restrict subnets from accessing it completely.


- Restrict DNS lookups.


- Only allow ports that are needed and actively used.
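The top-down rule evaluation, default block, anti-spoofing and egress restrictions described in this section and the previous one, as an added example (not code from the course material). The site layout, addresses and "known-bad" range are constructed, and RFC 1918 ranges are checked explicitly so the documentation ranges can stand in for public addresses:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# First-match semantics from the text: rules are evaluated top-down and the
# first rule that matches decides; anything unmatched hits the default block.
# Actions: "allow", "drop" (silent discard) or "reject" (source is notified).
@dataclass
class Rule:
    action: str
    direction: str               # "in" (from outside) or "out" (egress)
    src: str = "0.0.0.0/0"       # CIDR, 0.0.0.0/0 = any
    dst: str = "0.0.0.0/0"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None = any port

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["direction"]
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport"))
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst))

# Source ranges that should never arrive from outside: loopback, multicast and the
# RFC 1918 private ranges (listed explicitly rather than using is_private, which
# would also flag the documentation ranges used as "public" addresses below).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def spoof_suspect(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return ip.is_loopback or ip.is_multicast or any(ip in n for n in RFC1918)

# Constructed policy: LAN 192.168.10.0/24, local resolver 192.168.10.53,
# 198.51.100.0/24 standing in for a known-bad range, 203.0.113.0/24 for the internet.
LAN = "192.168.10.0/24"
RULES = [
    Rule("allow", "in", dst=LAN, proto="tcp", dport=443),                          # public web service
    Rule("allow", "out", src=LAN, dst="192.168.10.53/32", proto="udp", dport=53),  # DNS only to the local resolver
    Rule("drop", "out", src=LAN, proto="udp", dport=53),                           # all other lookups restricted
    Rule("reject", "out", src=LAN, dst="198.51.100.0/24"),                         # known-bad range, client is told
    Rule("allow", "out", src=LAN, proto="tcp", dport=443),                         # only ports actively needed
]

def evaluate(pkt: dict, rules=RULES, default: str = "drop") -> str:
    """Anti-spoof check, then the first matching rule, else the default block."""
    if pkt["direction"] == "in" and spoof_suspect(pkt["src"]):
        return "drop"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default  # the implicit "block everything else" at the bottom of the list
```

Swapping the two DNS rules shows why order matters: the broad drop then shadows the resolver allow and every lookup is dropped.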

< [Table of Contents](#top) | [References](#references) >
<a id="3"></a>
***
###### IDS/IPS - Configuration Changes
***

Most ``IDS`` solutions are placed in a network by using either a:

- ``TAP`` on the network switch (plugging directly in), or

- Port mirror (``SPAN``) to replicate a copy of the network traffic without being fully coupled in.

An ``IPS`` solution is set up similarly to the IDS from a monitoring standpoint.

In order to actually take action and prevent, it needs to be configured to use the virtual interface ([ [``AF_PACKET``](http://www.microhowto.info/howto/capture_ethernet_frames_using_an_af_packet_socket_in_c.html) ]) on the firewall so that it can perform blocking actions.


< [Table of Contents](#top) | [References](#references) >
<a id="4"></a>
***
###### IDS/IPS - Configuration Changes - Rules
***

Once the ``IDS``/``IPS`` is set up and running, the next step is to ensure proper rules are configured to execute. 

Depending on the solution being used (``Snort``, ``Zeek``, ``Security Onion``) there are action fields that need to be set - following are some examples of what these consist of:

> ``flow``

Matches the TCP connection.

> ``msg``

Contains information about the rule.

> ``flags``

Checks if flags are set e.g. ``TCP SYN`` or ``FIN``.

> ``track``

Rate limiting.

> ``reference``

Connects an entity to a database like ``ATT&CK``.

> ``sid``

Gives a rule a unique ID.

> ``rev``

Provides revision information.

> ``classtype``

Categorizes the type of attack.
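The option fields listed above, parsed out of a Snort-style rule and checked before the rule is allowed to execute, as an added example (not code from the course material or from the Snort project). Both sample rules are constructed, and the "local sid range" threshold is an assumption taken from common Snort practice:

```python
import re

# The option fields the text lists as needing to be set on a rule.
REQUIRED = ("msg", "sid", "rev", "classtype")
# Assumption: locally written rules use sids of 1000000 and above (usual Snort convention).
LOCAL_SID_MIN = 1_000_000

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Split the option body on ';' only when outside double quotes (a msg may contain one).
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(rule: str) -> dict:
    """Split a Snort-style rule into header fields plus an ordered (name, value) option list.
    Options that take no value, such as nocase, get None."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("rule header does not parse")
    parsed = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for raw in OPT_SPLIT_RE.split(m.group("opts")):
        raw = raw.strip()
        if raw:
            name, sep, value = raw.partition(":")
            options.append((name.strip(), value.strip().strip('"') if sep else None))
    parsed["options"] = options
    return parsed

def lint_rule(rule: str) -> list:
    """Problems a reviewer would raise before the rule goes into the running ruleset."""
    parsed = parse_rule(rule)
    names = [n for n, _ in parsed["options"]]
    opts = dict(parsed["options"])
    problems = [f"missing {name}" for name in REQUIRED if name not in names]
    if "sid" in opts and int(opts["sid"]) < LOCAL_SID_MIN:
        problems.append("sid is outside the local rule range")
    if "flags" in names and parsed["proto"] != "tcp":     # TCP flags make no sense on udp/icmp
        problems.append("flags only applies to tcp rules")
    if "reference" in opts and "," not in opts["reference"]:
        problems.append("reference must be of the form scheme,id")
    return problems

# Constructed sample rules (not from any published ruleset): one complete, one with gaps.
GOOD = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED example - SSH connection attempt"; '
        'flow:to_server; flags:S; detection_filter:track by_src, count 5, seconds 60; '
        'reference:url,attack.mitre.org; classtype:attempted-recon; sid:1000001; rev:2;)')
BAD = 'alert udp $HOME_NET any -> any 53 (msg:"CONSTRUCTED rule with missing fields"; flags:S; content:"abc"; nocase;)'
```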


< [Table of Contents](#top) | [References](#references) >
<a id="5"></a>
***
###### Port Security - Configuration Changes
***

In regards to port security, there are several options, including:

> Physically locking down the ports

Physically locking down ports means that access is only provisioned to personnel who need to be in the areas where exposed ports are in place. 

> ``MAC`` filtering on the firewall

``MAC`` filtering is applying an ``ACL`` to a switch or access point so that only clients with approved ``MAC`` addresses can connect to it.

> ``NAC`` solution

The next best option is to also restrict access on that port beyond the ``MAC`` filter by utilizing a ``NAC`` solution. 

< [Table of Contents](#top) | [References](#references) >
<a id="6"></a>
***
###### Network Access Control - Configuration Changes
***

``NAC`` is a general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

Using a ``NAC`` is one of the best ways to control and prevent unwanted activity within a network from occurring. 

The following are some terms that you should be familiar with and how they are used within a ``NAC`` system:

> ``IEEE 802.1X``

A standard for encapsulating ``EAP`` (Extensible Authentication Protocol) communications over a LAN or wireless LAN, providing port-based authentication.

> Port-Based NAC (``PNAC``)

A switch or router that performs some sort of authentication of the attached device before activating the port.

> Extensible Authentication Protocol over LAN (``EAPoL``)

A port-based network access control mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.

> Posture Assessment

The process for verifying compliance with a health policy by using host health checks.

> Remediation

The result of a device not meeting a security profile or health policy, including gaining access to a guest or quarantine network.

> Admission Control

The point at which client devices are granted or denied access based on their compliance with a health policy.

``NAC`` solutions will offer several different types of enforcement policies to choose from - each can be tweaked to fit your network needs - these policies include:

- Time-based (providing access for only a limited amount of time)


- Rule-based (logical statements including ``IF``, ``AND``, ``OR``)


- Role-based (providing authorization based on a job function)
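How posture assessment, remediation, admission control and the three enforcement policies fit together, as an added example (not code from the course material or from any NAC product). The health policy, VLAN names, rule statement and the choice to apply the time window to contractors are all assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed health policy the posture assessment checks against (assumed names).
HEALTH_POLICY = {"required": ("av_running", "disk_encrypted"), "min_patch_level": 7}
# Assumed network names that admission control hands out.
ROLE_NETWORKS = {"staff": "corp-vlan", "contractor": "contractor-vlan"}  # role-based policy
QUARANTINE = "quarantine-vlan"                                           # remediation network
WORK_HOURS = (time(8, 0), time(18, 0))  # time-based policy, applied to contractors here (assumption)
# Rule-based policy as a logical statement: IF role is contractor AND host is unmanaged -> deny.
RULES = [("contractor AND unmanaged host",
          lambda d: d.role == "contractor" and not d.posture.get("managed", False))]
SAMPLE_DAY = datetime(2022, 6, 1, 10, 0)    # constructed timestamps for the demo
SAMPLE_NIGHT = datetime(2022, 6, 1, 20, 0)

@dataclass
class Device:
    mac: str
    role: str
    posture: dict                 # results of the host health checks
    authenticated: bool = True    # outcome of the 802.1X/EAP exchange on the port

def posture_assessment(posture: dict) -> list:
    """Return the health checks the device fails; an empty list means compliant."""
    failures = [c for c in HEALTH_POLICY["required"] if not posture.get(c, False)]
    if posture.get("patch_level", 0) < HEALTH_POLICY["min_patch_level"]:
        failures.append("patch_level")
    return failures

def admission_control(device: Device, now: datetime) -> dict:
    """Decide whether the port is activated and which network the device lands on."""
    if not device.authenticated:             # PNAC: no successful authentication, port stays inactive
        return {"decision": "denied", "reason": "authentication failed"}
    failures = posture_assessment(device.posture)
    if failures:                             # remediation: device goes to the quarantine network
        return {"decision": "remediation", "network": QUARANTINE, "failures": failures}
    if device.role not in ROLE_NETWORKS:     # role-based: no network for this job function
        return {"decision": "denied", "reason": f"no network for role {device.role}"}
    if device.role == "contractor" and not (WORK_HOURS[0] <= now.time() < WORK_HOURS[1]):
        return {"decision": "denied", "reason": "outside permitted time window"}
    for description, statement in RULES:     # rule-based logical statements
        if statement(device):
            return {"decision": "denied", "reason": f"rule matched: {description}"}
    return {"decision": "granted", "network": ROLE_NETWORKS[device.role]}
```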

< [Table of Contents](#top) | [References](#references) >
<a id="7"></a>
***
###### Endpoint Detection and Response - ``EDR``  - Configuration Changes
***

Since EDR solutions take external feeds into account when building rule sets, it is important to understand that custom rule development may be required to account for signatures plus threat feeds. 

Some resources for making these rule configurations are as follows:

- [ [``MAEC``](https://maecproject.github.io/) ] - Malware Attribute Enumeration and Characterization Scheme


- [ [``Yara Rules``](https://yara.readthedocs.io/en/stable/) ] - Helping malware researchers to identify and classify malware samples

Windows also comes prebuilt with several options for execution control including SRP (software restriction policies), AppLocker, and Windows Defender.

< [Table of Contents](#top) | [References](#references) >
<a id="8"></a>
***
###### File System Permissions - Configuration Changes
***

Addressing Windows and Linux file system permissions, as well as ``DLP`` configuration changes.

> Windows File Permissions

[ [``icacls``](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls) ] is a popular solution for viewing Windows-based permissions.

Displays or modifies Discretionary Access Control Lists (``DACL``) on specified files, and applies stored DACLs to files in specified directories - some common codes are as follows:

- ``D`` - Delete


- ``M`` - Modify


- ``W`` - Write


- ``RX`` - Read and Execute


- ``R`` - Read


- ``F`` - Full Access


- ``N`` - No Access

> Linux File Permissions

Linux file permissions use combinations of three basic permissions (``r``ead / ``w``rite / e``x``ecute).

Each combination is then applied to each of three different groups:

- ``u`` - User


- ``g`` - Group


- ``o`` - World or All Other Users

The following shows a directory where the:

- user ``u`` has ``r``ead, ``w``rite, e``x``ecute


- group ``g`` / world ``o`` permissions only have ``r``ead and e``x``ecute.


```
d rwx r-x r-x home
```

In order to assign these permissions, the command ``chmod`` can be used with the following syntax:

```
chmod u=rwx g=rx o=rx home
```

A short-form (numeric) method can also be used - ``r=4``, ``w=2`` and ``x=1`` are added together for each group, and the three sums form the number entered in the command:

```
chmod 755 home
```
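The symbolic and numeric forms above, converted into each other and checked for the findings a permissions review would raise, as an added example (not code from the course material). It goes slightly beyond the text by treating a lowercase ``s``/``t`` in the execute slot as an execute bit and reporting set-uid/set-gid; the helper names are my own:

```python
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}   # short-form values from the text
WHO = ("u", "g", "o")                   # user, group, others

def symbolic_to_octal(spec: str) -> str:
    """Turn chmod's symbolic form ('u=rwx g=rx o=rx' or 'u=rw,go=r') into '755' / '644'."""
    digits = dict.fromkeys(WHO, 0)
    for clause in re.split(r"[,\s]+", spec.strip()):
        who, sep, perms = clause.partition("=")
        if sep != "=" or not who or set(who) - set(WHO) or set(perms) - set(PERM_BITS):
            raise ValueError(f"bad clause: {clause!r}")
        for w in who:                   # 'go=r' applies the same bits to group and others
            digits[w] = sum(PERM_BITS[p] for p in perms)
    return "".join(str(digits[w]) for w in WHO)

def mode_string_to_octal(mode: str) -> str:
    """Turn an ls -l mode column ('d rwx r-x r-x', spaces optional) into '755'.
    A lowercase s/t in the execute slot means the execute bit is also set."""
    bits = mode.replace(" ", "")
    if len(bits) != 10:
        raise ValueError("expected a 10-character mode string such as drwxr-xr-x")
    octal = ""
    for i in (1, 4, 7):                 # user, group, others triples after the type char
        r, w, x = bits[i], bits[i + 1], bits[i + 2]
        octal += str((4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if x in "xst" else 0))
    return octal

def review(mode: str) -> list:
    """Findings a permissions review would raise for one mode string."""
    octal = mode_string_to_octal(mode)
    findings = []
    if int(octal[1]) & PERM_BITS["w"]:
        findings.append("group-writable")
    if int(octal[2]) & PERM_BITS["w"]:
        findings.append("world-writable")
    if any(c in "sS" for c in mode.replace(" ", "")[1:10]):
        findings.append("setuid/setgid set")
    return findings
```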

< [Table of Contents](#top) | [References](#references) >
<a id="9"></a>
***
###### File System Permissions - Data Loss Prevention
***

``DLP`` is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

``DLP`` changes may need to be made at several different locations, including the policy server, as well as the endpoint/network agents. 

There are several different options that can be set on the ``DLP`` solution as part of these changes. 

Remediation changes that can be implemented include setting the agents to alert-only mode, block mode, quarantine mode, or tombstone mode (where a note is left in place of a file discovered somewhere it shouldn't be).
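The four agent remediation modes, applied to a constructed sensitive file that a user tries to copy to an unauthorized location, as an added example (not code from the course material or from any DLP product). The classification pattern, directory names and the sample file are all constructed:

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed classification rule standing in for what the policy server pushes
# to the agents: a CONFIDENTIAL marker or an SSN-shaped number.
SENSITIVE = re.compile(r"CONFIDENTIAL|\b\d{3}-\d{2}-\d{4}\b")
MODES = ("alert", "block", "quarantine", "tombstone")

def is_sensitive(path: Path) -> bool:
    return bool(SENSITIVE.search(path.read_text(errors="ignore")))

def attempt_transfer(src: Path, unauthorized_dir: Path, mode: str, quarantine: Path) -> str:
    """Agent hook on a file being copied to an unauthorized location; returns the action taken."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    unauthorized_dir.mkdir(parents=True, exist_ok=True)
    if not is_sensitive(src):
        shutil.copy2(src, unauthorized_dir / src.name)
        return "allowed"
    if mode == "alert":                    # record the violation but let the copy happen
        shutil.copy2(src, unauthorized_dir / src.name)
        return "alerted"
    if mode == "block":                    # refuse the copy, source left as it is
        return "blocked"
    quarantine.mkdir(parents=True, exist_ok=True)   # quarantine and tombstone both move the source
    shutil.move(str(src), str(quarantine / src.name))
    if mode == "tombstone":                # leave a note where the file used to be
        src.write_text(f"DLP agent: file moved to quarantine ({quarantine / src.name}) - policy violation\n")
        return "tombstoned"
    return "quarantined"

def run_demo(mode: str) -> dict:
    """Run one mode against a constructed sensitive file in a scratch directory."""
    root = Path(tempfile.mkdtemp())
    src, unauth, quar = root / "payroll.txt", root / "usb", root / "quarantine"
    src.write_text("Employee record CONFIDENTIAL ssn 123-45-6789\n")   # constructed sample
    action = attempt_transfer(src, unauth, mode, quar)
    result = {
        "action": action,
        "copied_out": (unauth / "payroll.txt").exists(),
        "source_exists": src.exists(),
        "source_is_note": src.exists() and src.read_text().startswith("DLP agent"),
        "quarantined": (quar / "payroll.txt").exists(),
    }
    shutil.rmtree(root, ignore_errors=True)
    return result
```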

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cybrary, "Configuration Controls," [cybrary.it](https://web.archive.org/web/20220724081418/https://www.cybrary.it/), n.d.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
###### Key Terms:
***

> Firewalking

Reconnaissance technique to enumerate firewall configuration and attempt to probe hosts behind it.

> Blackhole

Means of mitigating ``DoS`` or intrusion attacks by silently discarding (or ``"dropping"``) the traffic, without informing the source that the data did not reach its intended recipient. 

> Sinkhole

A ``DoS`` attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

***
###### Blacklisting/Whitelisting:
***

> Blacklisting

A security configuration where access is generally permitted to any entity unless the entity appears on a blacklist.

> Whitelisting

A security configuration where access is denied to any entity unless the entity appears on a whitelist.

> Execution Control

The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.

***
###### Windows - Software Restriction Policies - ``SRP``
***

Windows also comes prebuilt with several options for execution control including ``SRP`` (Software Restriction Policies), ``AppLocker``, and ``Windows Defender``.

***
## END
