CyberPathCompTIA Security+ Study Guide3.2 Securing Enterprise Infrastructure

Domain 3

3.2 Securing Enterprise Infrastructure

Apply security principles to secure enterprise infrastructure.

0% Complete

1

3.2.1 Infrastructure Considerations

Placement, zones, attack surface, failure modes.

Infrastructure considerations involve the strategic placement of security controls and the architectural design of zones to minimize attack surfaces and ensure resilient failure modes.

Placement and Zones Physical and logical placement determines the visibility and effectiveness of security appliances. - DMZ (Demilitarized Zone): A subnetwork that buffers the internal private network from the untrusted public internet; typically hosts web, mail, and DNS servers. - WAP Placement: Wireless Access Points should be positioned to provide necessary coverage while minimizing signal leakage outside building perimeters to prevent unauthorized wardriving. - NIDS/NIPS Position: A NIDS (Network Intrusion Detection System) is often placed behind a firewall to monitor traffic, while a NIPS (Network Intrusion Prevention System) must be placed in-line to actively block malicious packets. - Air Gaps: Physical isolation of a network from any other network to protect highly sensitive data (e.g., SCADA systems).

Managing the Attack Surface Reducing the attack surface involves limiting the total number of entry points available to unauthorized users. - Protocol Security: Disabling deprecated versions of TLS or SSL to prevent Downgrade Attacks, where an attacker forces a server to use weak, crackable encryption. - Authenticated Encryption (AE): Utilizing modes like GCM (Galois/Counter Mode) to provide both confidentiality and authenticity, preventing chosen ciphertext attacks. - Service Minimization: Disabling unused ports and services on endpoints and servers to close potential backdoors. - Wireless Hardening: Moving from weak implementations like WEP to WPA3 to mitigate implementation-based cryptographic attacks.

Failure Modes and Resiliency Infrastructure must be configured to behave predictably when a security component fails. - Fail-Open: A configuration where a device allows all traffic to pass if it fails (common for exit doors during fires or non-critical filters). - Fail-Closed: A configuration where a device blocks all traffic if it fails, prioritizing security over availability (common for firewalls). - Endpoint Detection and Response (EDR): Provides continuous monitoring and response capabilities at the host level to catch threats that bypass perimeter defenses.

Cryptographic Infrastructure Attacks - Implementation Attack: Exploiting a specific weakness in how a protocol is coded or deployed rather than the algorithm itself (e.g., WEP weaknesses). - Password Crackers: Tools like Hashcat, John the Ripper, and Cain & Abel are used to conduct offline attacks against captured hashes. - Replay Attack: Intercepting a valid data transmission and retransmitting it later to gain unauthorized access.

Exam Tips - GCM (Galois/Counter Mode) is the "gold standard" for authenticated encryption because it is fast and secure. - NIPS must be in-line to be effective; NIDS is "out-of-band" via a spanning port. - If a question mentions "forcing a weaker version of a protocol," the answer is a Downgrade Attack. - Air gapping is the most extreme form of network isolation.

2

3.2.2 Network Appliances

Jump server, proxy, IPS/IDS, load balancer.

3

3.2.3 Port Security

802.1X, EAP.

4

3.2.4 Firewall Types

WAF, UTM, NGFW, Layer 4/7.

5

3.2.5 Secure Communication & Access

VPN, TLS, IPSec, SD-WAN, SASE.