Fortinet NSE 2 | Course Notes


In the first Fortinet associate course NSE 1 we learned about the threat landscape, the bad actors, and the issues that organizations and individuals face. The NSE 2 course "Evolution of Cybersecurity" will teach you about the different sorts of security products developed by security providers to meet those issues.

This course fulfills the requirements for the NSE 2 level certification by completing all lessons and associated quizzes.

If you have any questions about Fortinet's courses and certification program, please refer to the Network Security Expert (NSE) Program site. 

You can also join the Fortinet User Community, where you can connect and network on common topics of interest with other Fortinet users in the community.

The course involves 14 security lessons, you can find below the lessons and the notes derived from them

Lesson 1: Cloud Security

History: 

  • Companies used to buy their own computer systems to run the application software they needed to run their businesses before the cloud. 
  • These computer systems were housed in the office locally. 
  • There was often more than one computer system (or server) per important application > very expensive setup.
  • Not long ago, someone noticed that of all their computer systems, only a few were completely busy at any given moment in time. 
  • So, a new way of using server hardware was developed called virtualization. 
  • It wasn’t long until most data centers were transformed from rows of computer hardware dedicated to specific applications, into a collection of general hardware resources running virtualized applications.

The Cloud:

  • Specialized companies build enormous data centers, filled with generalized computer hardware, and offer to rent out portions of this infrastructure so that their customers can run their virtualized applications there, instead of on their own hardware.
  • many organizations operate in a hybrid world where some of their applications remain hosted on-premises, and some on different cloud platforms, This is what we call a “Multi-Cloud” environment.

IaaS & SaaS PaaS:

  • IaaS or Infrastructure as a Service is the act of offering your hardware for rent to be used as the client's proper hardware. Ex: AWS, GCP, Azure
  • SaaS: or Software as a Service is when you offer the infrastructure to run the application with managed services like databases that a customer does not need to patch and maintain, or even complete application environments themselves. Ex: Google Mail
  • This includes services where the cloud provider manages much more of the underlying infrastructure, such as OS patching, and abstracts away a lot of the work for users, who in this case acquire a stable environment to run containers
Security responsibility:

  • Security is a shared responsibility between the cloud provider and the customer utilizing the cloud services.
  • From a logistic point of view, the vendor is only responsible for securing the infrastructure it provides. 

  • As a customer, when you install one or more virtualized applications in the vendor’s cloud infrastructure, you are responsible for securing the access, the network traffic, and the data applications.
Common security issues:

Nowadays, most vendors supply some form of security tools so that various parts of the customer’s cloud application environment can be secured. However, these tools can pose a few problems

  • These tools tend to provide basic security functions, and they are the same ones used to secure the infrastructure. If an attacker were to bypass these tools at the infrastructure layer, they would be able to do the same at the customer’s application-level too
  • The “Multi-Cloud” environment means that you'll encounter multiple, independent, uncoordinated security solutions, especially with the big number of cloud vendors involved.
  • The difficulty to find highly trained personnel

Lesson 2: SD-WAN

Definition:

SD-WAN stands for software-defined wide-area network, and it leverages the corporate WAN as well as multi-cloud connectivity to deliver high-speed application performance

SD-WAN first appearance:

  • The first generation of SD-WAN consists of adding multiple dedicated carrier links and load-balancing per application traffic, based on how much bandwidth was available

  • These point products escalate complexity to the network infrastructure because adding multiple products from multiple vendors, each of which has separate management consoles and which often do not fully integrate with other products, is not an easy task
  • The need to send sensitive data to data centers for security purposes, and sometimes the need to install a sophisticated firewall solution to inspect their direct internet access

Single SD-WAN appliance:

  • Businesses needed to address these challenges by integrating security and networking functionalities into a single, secure SD-WAN appliance

  • This enabled businesses to replace their multiple point products with a powerful, single security appliance, at a reduced cost and ease of management

  • Continued network performance health checks ensured that the best available WAN link was chosen, based on user-defined application service level agreements

Overall, positive outcomes of a secure SD-WAN solution are simplification, consolidation, and cost reduction while providing much-needed optimal application performance and best user experience for the enterprise, SaaS, and Unified Communications as a Service (UCaaS) applications. Run-time analytics and telemetry help infrastructure teams coordinate and resolve issues in an accelerated manner, which reduces the number of support tickets and network outages.

Lesson 3: Endpoint Security

Definition:

  • An Endpoint is defined as any personal device used by an end-user, like a desktop computer, laptop, or handheld device (phone, tablet), in addition to IoT devices.
History:

  • Before networks, bad actors used floppy discs, CDs, DVDs, USBs to infect computers
  • Antivirus was the first endpoint security product, used to scan devices and hard drives for malware
  • Endpoints have always been an easy point of entry into a network

Endpoint security solutions:

  • AV (AntiVirus): they were signature-based at the beginning but later evolved with the appearance of Polymorphic malware (a virus designed to change by itself)
  • EPP (Endpoint Protection Platform): intended to:

    1. Prevent file-based malware (runs malicious code or a script when a simple pdf or png file is opened)
    2. use many prevention-focused services, such as anti-virus, device firewall, web filtering, data protection through encryption, and device control (we'll explain those later).

  • EDR (Endpoint Detection & Response): 
    1. software used to detect, investigate, and respond to suspicious activities on endpoints
    2. It began as a digital forensics investigation tool providing threat intelligence information and tools to analyze an attack and to identify the indicators of compromise, or IoC
    3. first-generation EDR mostly was manual-based, time-consuming, slow, needed high-level expertise
    4. MDR partly mitigated these issues by offering basic alert triage and email notification, but it remained too slow and complicated
    5. 2nd-generation EDR was designed to be policy-driven and automated, through customizable playbooks, analysts can now direct EDR to remediate problems both immediately and automatically
  • EPP + EDR: 
    1. Security professionals quickly realized the advantages of merging EDR and EPP technologies, and most EPP definitions now include both characteristics
    2. A single, integrated agent can prevent the majority of file-based malware at the pre-infection, pre-execution stage while detecting and responding to malware that evaded prevention at the post-infection stage
    3. EPP and EDR software now include other preventative controls like the use of Machine Learning, alerting when an endpoint is not up-to-date or if it uses an insecure application
    4. A combined EPP and EDR solution also removes integration concerns and simplifies configuration and management for analysts

        Lesson 4: Firewall

        Packet filter firewalls (1st Gen):

        • As networks began to grow, interconnect, the flow was controlled using packet filter firewalls that examined the lowest protocol layers, like IP addresses, protocols, and port numbers
        • Firewall rules used these attributes to define which packets were allowed through, so much like the concept of ACL
        • The drawback of it was that they took a one-size-fits-all approach to decide whether or not to allow traffic to pass > what would stop a bad actor from injecting rogue packets through acceptable protocols and ports

        Stateful firewalls (2nd Gen):

        • Designed to observe these network connections over time
        • They would watch as new network connections were made, and continuously examine the conversation between the endpoints
        • If a connection behaved improperly, the firewall blocked that connection. Any packets that didn’t belong to a known conversation were dropped
        • Still couldn’t block rogue packets if they were using an acceptable protocol such as HTTP; because all web apps use it, the firewall is not able to distinguish between the malicious and the beneficial ones
        Application layer firewalls (3rd Gen):
        • While still stateful, these firewalls understood the higher-level protocols and the applications inside them
        • In the case of HTTP, it can differentiate between the traffic to a blog, a file-sharing site, e-commerce, social media, voice-over-IP, email, and many more
        • Attacks now come from trusted users, devices, and applications that spread malware
        Next-Generation Firewall (NGFW):

        • First, it looks at packets and makes rule-based decisions on whether to allow or drop the traffic
        • Second, it performs deep packet inspection (IPS). If questionable content is found, the firewall sends malicious content over to a sandbox for further analysis
        • They have the ability to control applications, either by classification or based on who the user is
        • Next-generation firewalls also adopted various segmentation approaches that segregate users, devices, and applications, which are aligned to business needs, to avoid single point of entry problems
        • Deliver high-performance inspection and greater network visibility, with little-to-no degradation, to support and protect modern, distributed data centers and IaaS platforms

        Lesson 5: WIFI

        Definition:

        • Wi-Fi is a technology for wireless, local area networking of devices based on the IEEE 802.11 standards.
        • It started small, intended mostly for industrial use, and has grown to be the most common way that all our personal electronic devices connect at home or at the office.
        • The development of Wi-Fi leveraged many of the same protocols and technology like Ethernet, with one very large difference. All transmissions are happening over the air; meaning that, much like a verbal conversation, anyone listening can hear what is being said.

        Security improvements of WIFI:

        • Originally the authentication and privacy mechanisms for Wi-Fi were very weak, using "Wired Equivalent Privacy" or WEP encryption
        • WEP used a key to encrypt traffic using the RC4 keystream
        • After that, Wi-Fi Protected Access (WPA) was introduced. It added extra security features but retained the RC4 algorithm, so it still didn’t solve the fundamental security problem
        • A new and a lot more secured standard was introduced, (WPA2) based on the AES encryption algorithm from NIST, however, weak passphrases could still leave networks vulnerable
        • Released in 2018, (WPA3) introduced a new, more secure handshake for making connections, an easier method for adding devices to the network, increased key sizes, and other security features

        WIFI risks: 

        •  Unfortunately, security in wireless networks is a true nightmare, as hackers have found several ways to exploit human behavior and still get access to the information they want
        • "Free Wi-Fi" is a sign we all look for, yet it comes with risks. Hackers set up access points (APs) to act as honeypots in public areas. Be wary, even if a network name seems legit
        • A hacker can hear your phone looking for the legitimate hotel Wi-Fi you connected to last year, set up a fake AP broadcasting that network name, and trick your device into connecting, so remember to deactivate the WIFI's auto-connect when not in use  
        • Obsolete firmware, weak passwords, and old WIFI standard use, these are mistakes everyone falls into
        • It’s a good idea to keep your security up-to-date and pick passphrases that are complex and hard to guess. At the very least, change the service set identifier, or SSID, and admin default username and password! 
        • Also, keep an eye on your home network and make sure you recognize the devices that are accessing it


















         


        Comments

        Post a Comment

        Popular posts from this blog

        OpenVas: Vulnerability Scanning | Installation Guide

        Image
          Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- Run from docker:
        Read more

        Nmap | TryHackMe Walkthrough

        Image
          An in-depth look at scanning with Nmap, a powerful network scanning tool. This room was created by DarkStar  and  MuirlandOracle , as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap ). Task2: What networking constructs are used to direct traffic to the right application on a server? Ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) 1024 Task3: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? -sS Which switch would you use for a "UDP scan"? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the
        Read more

        Azure Sentinel: Use Microsoft's SIEM to map global attacks

        Image
         in this tutorial, we will display attacks from all over the globe on a world map using Microsoft cloud SIEM (Security Information and Event Management) this is a step-by-step guided lab so it will be a long tutorial. Project steps this project needs multiple stages to be completed, when you finish this guide you will be able to: create and configure a Virtual Machine using Azure configure a cloud network security group and create firewall rules create and configure a Logs Analytics Workspace collect data from Virtual Machines into Azure get familiar with PowerShell scripting and APIs use (KQL) Kusto Query Language (the Azure data exporter language)  Let's get started First of all, go ahead and create a free Azure account at  https://azure.microsoft.com/en-us/free/   When you're done with that go to your dashboard at  https://portal.azure.com/ Ps: Just a quick note before we begin, you will notice in Azure as in GCP or AWS that the search bar is your b
        Read more