Modify enterprise capabilities to enhance security

Firewalls (rules, ACLs, ports, protocols), IDSIntrusion Detection System — Monitors and alerts on suspicious activity (passive)/IPSIntrusion Prevention System — Detects and blocks suspicious activity (inline) (trends, signatures), web filtering, OSOperating System — System software managing hardware and applications security (GPOGroup Policy Object — Windows policy enforcement mechanism, SELinuxSecurity-Enhanced Linux — Linux kernel MAC implementation, patching), secure protocols, DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses filtering, email security (DMARCDomain-based Message Authentication, Reporting & Conformance — Email auth: policy for SPF/DKIM failures, DKIMDomainKeys Identified Mail — Email auth: cryptographic signature on messages, SPFSender Policy Framework — Email auth: specifies authorized sending IPs), file integrity monitoring, DLPData Loss Prevention — Prevents unauthorized data exfiltration, NACNetwork Access Control — Enforces security policy on devices connecting to network, and EDREndpoint Detection and Response — Monitors endpoints for threats and enables response/XDRExtended Detection and Response — EDR extended across network, cloud, email, identity.

Exam approach: “Given a scenario” — expect to configure or tune enterprise security controls. Writing firewall rules, tuning IDSIntrusion Detection System — Monitors and alerts on suspicious activity (passive) signatures to reduce false positives, configuring email authentication stack (SPFSender Policy Framework — Email auth: specifies authorized sending IPs + DKIMDomainKeys Identified Mail — Email auth: cryptographic signature on messages + DMARCDomain-based Message Authentication, Reporting & Conformance — Email auth: policy for SPF/DKIM failures), and setting up DLPData Loss Prevention — Prevents unauthorized data exfiltration policies.

Offensive context: IDSIntrusion Detection System — Monitors and alerts on suspicious activity (passive) signature tuning hits different when you understand JA3JA3 TLS Fingerprint — Client TLS fingerprinting method for threat detection/JA4 TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit fingerprinting as a detection technique — and when you know how attackers reformulate payloads (re-encoding, chunking, case alternation) to bypass signatures. Writing resilient detection rules requires thinking like the attacker trying to break them. DLPData Loss Prevention — Prevents unauthorized data exfiltration makes more sense when you understand how data actually gets exfiltrated.

Firewalls

Rule Structure

Every firewall rule has the same core components:

• Source: Where the traffic originates (IPInternet Protocol — Network layer addressing and routing, subnet, zone, “any”)
• Destination: Where it’s going
• Port/Protocol: What service (TCPTransmission Control Protocol — Reliable, connection-oriented transport/443, UDPUser Datagram Protocol — Fast, connectionless transport/53, ICMPInternet Control Message Protocol — Network diagnostics (ping, traceroute), etc.)
• Action: Allow or Deny
• Direction: Inbound, outbound, or both

Rule Processing

Rules are evaluated top-to-bottom, first match wins. This makes ordering critical:

1. Explicit deny rules for known threats (block known-bad IPs, block specific attack patterns)
2. Explicit allow rules for authorized traffic (allow web traffic on 443, allow DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses on 53)
3. Implicit deny at the bottom — anything not explicitly allowed is dropped

Common mistake: Placing a broad allow rule above a specific deny rule. The allow matches first and the deny never triggers.

Firewall Types

Type	Layer	What It Sees
Packet filter	L3/L4	Source/dest IPInternet Protocol — Network layer addressing and routing, port, protocol. Fast but no context.
Stateful	L3/L4	Same as packet filter + connection state. Knows if a packet belongs to an established connection.
NGFWNext-Generation Firewall — Stateful firewall with app awareness and DPI (Next-Gen)	L3–L7	Full application awareness. Can filter by application (block BitTorrent regardless of port), inspect SSLSecure Sockets Layer — Deprecated predecessor to TLS/TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit, integrate threat intelligence.
WAFWeb Application Firewall — Layer 7 firewall protecting web applications	L7	HTTPHypertext Transfer Protocol — Port 80. Web protocol (unencrypted)/HTTPSHypertext Transfer Protocol Secure — Port 443. HTTP encrypted with TLS only. Inspects request content — blocks SQLStructured Query Language — Language for database queries injection, XSSCross-Site Scripting — Injection of malicious scripts into web pages, directory traversal at the application layer.

ACLs (Access Control Lists)

ACLs on routers and switches function like simple firewalls:

• Standard ACLAccess Control List — Rules defining permitted/denied access: Filters by source IPInternet Protocol — Network layer addressing and routing only. Placed close to destination.
• Extended ACLAccess Control List — Rules defining permitted/denied access: Filters by source, destination, port, protocol. Placed close to source.
• Applied to interfaces as inbound or outbound.

IDS/IPS

IDS (Intrusion Detection System)

Monitors traffic and alerts on suspicious activity. Does not block — passive monitoring.

• Deployed as a sensor on a SPAN/mirror port or network tap.
• Generates alerts for analyst review.

IPS (Intrusion Prevention System)

Monitors AND blocks. Sits inline with traffic — every packet passes through it.

• Can drop malicious packets in real time.
• Risk: false positives block legitimate traffic. Tuning is critical.

Detection Methods

Signature-Based:

• Pattern matching against known attack signatures (like antivirus for network traffic).
• Fast, low false positive rate for known attacks.
• Cannot detect novel/zero-day attacks. Signatures must be updated.
• Example: Snort/Suricata rules matching specific byte patterns in packets.

Anomaly-Based (Behavioral):

• Establishes a baseline of “normal” traffic, alerts on deviations.
• Can detect unknown attacks.
• Higher false positive rate — legitimate behavior changes trigger alerts.
• Requires training period to establish baseline.

Trend Analysis:

• Looks at patterns over time rather than individual events.
• Gradual increase in outbound data transfer might indicate slow data exfiltration.
• Seasonal patterns — traffic that’s normal during business hours is suspicious at 3 AM.

Tuning

The difference between a useful IDSIntrusion Detection System — Monitors and alerts on suspicious activity (passive) and a noise machine is tuning:

• Suppress alerts for known-benign activity (vulnerability scanners, monitoring systems)
• Threshold tuning — one failed SSHSecure Shell — Port 22. Encrypted remote administration protocol login isn’t an alert, ten in a minute is
• Custom signatures for your environment — specific application patterns, internal protocols
• Regular review and pruning of rule sets

Web Filtering

• URLUniform Resource Locator — Web address for accessing resources filtering: block/allow based on URLUniform Resource Locator — Web address for accessing resources categories (gambling, malware, social media)
• Content filtering: inspect page content for prohibited material or malware
• SSLSecure Sockets Layer — Deprecated predecessor to TLS/TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit inspection: decrypt HTTPSHypertext Transfer Protocol Secure — Port 443. HTTP encrypted with TLS to inspect content (requires deploying a trusted CACertificate Authority — Entity that issues and signs digital certificates cert to endpoints — privacy implications)
• Agent-based (runs on endpoint) or proxy-based (traffic routes through proxy)
• DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses-based filtering: block at the DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses resolution level — fast, lightweight, but easy to bypass if user changes DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses settings

Operating System Security

Group Policy Objects (GPO) — Windows

• Centralized configuration management for domain-joined Windows systems
• Enforce password policies, software restrictions, firewall settings, audit policies, desktop lockdown
• Applied at site, domain, or OUOrganizational Unit — Container in Active Directory for organizing objects level. Inheritance and precedence rules matter.

SELinux — Linux

• Mandatory Access Control enforcement on Linux
• Processes and files get security labels (contexts). Access requires matching labels, regardless of standard file permissions.
• Modes: Enforcing (blocks violations), Permissive (logs violations but allows), Disabled
• Common mistake: disabling SELinuxSecurity-Enhanced Linux — Linux kernel MAC implementation because it breaks something. The correct response is to create a policy exception, not turn it off.

Patch Management

• Regular cadence for applying security updates. Don’t wait for a breach.
• Test patches before production deployment (especially for servers and critical systems)
• Emergency patching process for critical CVEs (Log4Shell, EternalBlue-class vulnerabilities)
• Track patch compliance — which systems are up to date, which are behind

Secure Protocols

Use the secure version. Always.

Insecure	Secure Replacement	Why
HTTPHypertext Transfer Protocol — Port 80. Web protocol (unencrypted)	HTTPSHypertext Transfer Protocol Secure — Port 443. HTTP encrypted with TLS (TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit)	Encryption, integrity, authentication
FTPFile Transfer Protocol — Port 20/21. Unencrypted file transfer (insecure)	SFTPSSH File Transfer Protocol — Port 22. Secure file transfer over SSH or FTPSFTP Secure — Port 990. FTP with TLS encryption	Credentials and data in cleartext
Telnet	SSHSecure Shell — Port 22. Encrypted remote administration protocol	Credentials in cleartext
SNMPv1/v2c	SNMPv3Simple Network Management Protocol version 3 — Port 161/162. SNMP with encryption and authentication	Community strings in cleartext, no encryption
LDAPLightweight Directory Access Protocol — Port 389. Protocol for accessing directory services	LDAPSLightweight Directory Access Protocol over SSL — Port 636. LDAP encrypted with TLS (LDAPLightweight Directory Access Protocol — Port 389. Protocol for accessing directory services over TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit)	Credentials and directory data in cleartext
IMAPInternet Message Access Protocol — Port 143 (993 TLS). Email retrieval (keeps mail on server)/POP3Post Office Protocol 3 — Port 110 (995 TLS). Email retrieval (downloads and removes)	IMAPS/POP3S	Email credentials in cleartext
DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses	DoH (DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses over HTTPSHypertext Transfer Protocol Secure — Port 443. HTTP encrypted with TLS) or DoT (DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses over TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit)	DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses queries in cleartext, visible to observers
NTPNetwork Time Protocol — Port 123 (UDP). Synchronizes clocks across a network	NTPsec or authenticated NTPNetwork Time Protocol — Port 123 (UDP). Synchronizes clocks across a network	Time manipulation enables replay attacks

DNS Filtering

DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses-level security blocks malicious domains before the connection is established.

• Query goes to DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses resolver → resolver checks against threat intelligence feeds → known-malicious domains return NXDOMAIN or redirect to block page
• Fast: blocks at the lookup stage, before any TCPTransmission Control Protocol — Reliable, connection-oriented transport connection
• Lightweight: no deep packet inspection needed
• Limitations: bypass by using alternative DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses (IPInternet Protocol — Network layer addressing and routing-based blocks or forced DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses via firewall rules mitigate this)
• Products: Cloudflare Gateway, Cisco Umbrella, Infoblox

Email Security

SPF (Sender Policy Framework)

• DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses TXT record that lists authorized mail servers for your domain
• Receiving server checks: “Is this email coming from a server that example.com authorized?”
• v=spf1 include:_spf.google.com -all means “Google’s servers can send mail for us, reject everything else”
• ~all (soft fail) vs. -all (hard fail) — hard fail is stronger but can break legitimate mail if misconfigured

DKIM (DomainKeys Identified Mail)

• Cryptographic signature on outbound email. Sending server signs with private key, public key published in DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses.
• Receiving server validates: “Was this email actually sent by someone with the private key for example.com?”
• Proves integrity (email wasn’t modified in transit) and authenticity (came from authorized sender)

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

• Policy that tells receiving servers what to do when SPFSender Policy Framework — Email auth: specifies authorized sending IPs and DKIMDomainKeys Identified Mail — Email auth: cryptographic signature on messages fail
• Policies: none (monitor only), quarantine (spam folder), reject (don’t deliver)
• Includes reporting — rua and ruf tags send aggregate and forensic reports back to the domain owner
• A domain without DMARCDomain-based Message Authentication, Reporting & Conformance — Email auth: policy for SPF/DKIM failures reject can be spoofed, even if it has no MX records

The Stack

SPFSender Policy Framework — Email auth: specifies authorized sending IPs, DKIMDomainKeys Identified Mail — Email auth: cryptographic signature on messages, and DMARCDomain-based Message Authentication, Reporting & Conformance — Email auth: policy for SPF/DKIM failures work together:

1. SPFSender Policy Framework — Email auth: specifies authorized sending IPs validates the sending server
2. DKIMDomainKeys Identified Mail — Email auth: cryptographic signature on messages validates the message integrity and sender authenticity
3. DMARCDomain-based Message Authentication, Reporting & Conformance — Email auth: policy for SPF/DKIM failures tells the receiver what to do when either fails and reports results back

All three are required for a properly secured email domain.

File Integrity Monitoring (FIM)

• Baseline hash of critical system files (OSOperating System — System software managing hardware and applications binaries, configuration files, application executables)
• Continuous or scheduled comparison against baseline
• Change detected = alert. Either it’s an authorized change (correlate with change management) or a compromise.
• Tools: OSSEC, AIDE, Tripwire, Wazuh
• Key targets: /etc/passwd, /etc/shadow, system binaries, web server config, application config

Data Loss Prevention (DLP)

Prevents sensitive data from leaving the organization through unauthorized channels.

DLP Components

• Content inspection: Pattern matching for sensitive data (SSN patterns, credit card numbers, classification labels)
• Context analysis: Who is sending, where is it going, what channel (email, USBUniversal Serial Bus — Standard connector for peripherals, cloud upload, print)
• Policy enforcement: Block, quarantine, encrypt, or alert based on rules

DLP Deployment Points

• Endpoint: Agent on workstations monitors file copies, USBUniversal Serial Bus — Standard connector for peripherals transfers, print jobs, clipboard
• Network: Monitors traffic at the perimeter for sensitive data in transit
• Cloud: Monitors SaaSSoftware as a Service — Cloud: provider manages everything, you configure uploads, cloud storage, email attachments (CASBCloud Access Security Broker — Enforces security policies for cloud services integration)

Common Pitfalls

• Over-aggressive rules block legitimate business processes. Sales can’t send proposals because they contain dollar figures that match credit card patterns.
• False positives create alert fatigue. Tune rules with business context.
• Encrypted traffic bypasses network DLPData Loss Prevention — Prevents unauthorized data exfiltration unless you’re doing SSLSecure Sockets Layer — Deprecated predecessor to TLS inspection.

Network Access Control (NAC)

Controls which devices can connect to the network based on identity and compliance posture.

802.1X

• Port-based access control. Device must authenticate before getting network access.
• Supplicant (client) → Authenticator (switch/APAccess Point — Device providing wireless network connectivity) → Authentication server (RADIUSRemote Authentication Dial-In User Service — Port 1812/1813 (UDP). Protocol for centralized authentication (AAA))
• Unauthenticated devices get no network access (or redirected to a remediation VLANVirtual Local Area Network — Logical network segmentation at Layer 2)

Posture Assessment

• NACNetwork Access Control — Enforces security policy on devices connecting to network agent checks device health before granting access: antivirus up to date? OSOperating System — System software managing hardware and applications patched? Disk encryption enabled? Firewall running?
• Non-compliant devices quarantined to a remediation network until they meet requirements.
• Agentless options: fingerprinting device type by MACMandatory Access Control — System-enforced access based on security labels, DHCPDynamic Host Configuration Protocol — Port 67/68 (UDP). Automatically assigns IP addresses to devices behavior, traffic patterns.

Common Scenarios

• Rogue device → quarantine VLANVirtual Local Area Network — Logical network segmentation at Layer 2: Unknown device connects, no 802.1X credentials, isolated
• Expired certificate → graceful failure: Device had valid cert, cert expired, moved to remediation with instructions to renew
• Printer without 802.1X → MABMAC Authentication Bypass — 802.1X fallback for devices that can't authenticate fallback: MACMandatory Access Control — System-enforced access based on security labels Authentication Bypass — authenticate by known MACMandatory Access Control — System-enforced access based on security labels address for devices that can’t run a supplicant

EDR / XDR

EDR (Endpoint Detection and Response)

• Agent on endpoints that monitors process execution, file changes, network connections, registry changes
• Goes beyond antivirus: behavioral detection, threat hunting, forensic data collection
• Can isolate compromised endpoints from the network in real time
• Products: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black

XDR (Extended Detection and Response)

• Extends EDREndpoint Detection and Response — Monitors endpoints for threats and enables response concept beyond endpoints to network, cloud, email, identity
• Correlates signals across all sources — endpoint alert + suspicious email + unusual cloud APIApplication Programming Interface — Interface for software-to-software communication call = one incident
• Reduces the “pivot between five consoles” problem
• The distinction between XDRExtended Detection and Response — EDR extended across network, cloud, email, identity and a good SIEMSecurity Information and Event Management — Centralized log collection, correlation, and alerting is getting blurry. XDRExtended Detection and Response — EDR extended across network, cloud, email, identity tends to be more automated response, SIEMSecurity Information and Event Management — Centralized log collection, correlation, and alerting tends to be more analysis.