3.1 - Given a scenario, implement secure protocols. Flashcards
DNSSEC
-Domain Name System Security Extensions
-provides a validation path for records through use of a key + signature
-must be implemented at each domain level
-follows chain of trust from lowest level domain to top level domain -> validates keys at each level
-developed to strengthen DNS through use of digital signatures + public key cryptography
-BUT doesn't provide confidentiality
-uses digital signatures, allowing systems that query a DNSSEC equipped server to validate that the server's signature matches the DNS record
-can also be used to build chain of trust for IPSec keys, SSH fingerprints, etc
-can help prevent DNS poisoning + other DNS attacks by validating both the origin of DNS info and ensuring that the DNS responses haven’t been modified
-focuses on ensuring DNS info isn’t modified/malicious
SSH
-secure shell
-encrypted terminal comm
-used for remote console access to devices
-secure alt to TELNET
-often used as a tunneling protocol, supporting uses like SFTP
-can use SSH keys, which are used for auth
->like many cert/key based auth, lack of a pswd or weak pswds + poor key handling can make it less secure
Chapple 386
Weiss 288-289
Gibson 75
S/MIME
-Secure/Multipurpose Internet Mail Extensions
-sending digitally signed + encrypted msgs
-provides auth, msg integrity, nonrepudiation
-verifies msg received is exact msg sent
-public key encryption
-digital signing of mail content
-requires PKI/similar org of keys
SRTP
-Secure Real-time Transport Protocol
-VOICE and VIDEO
-uses encryption + auth to reduce attacks (replay, DoS)
-adds sec features to RTP
-uses AES to encrypt voice/vid flow
-auth, integrity, replay protection
-HMAC-SHA1 (hash-based message authentication code using SHA1)
-original RTP port = UDP 16384-32767
-SRTP secure port = UDP 5004
LDAPS
-Lightweight Directory Access Protocol Over SSL
-TLS protected version of LDAP
-offers confidentiality + integrity protections
-original LDAP port = UDP + TCP 389
-secure port = TCP 636
Chapple 148, 236-237
Gibson 77
Weiss 289-290, 298
FTPS
-File Transfer Protocol, Secure
-implements FTP using TLS
-can require additional ports depending on the config (338)
SFTP
-SSH File Transfer Protocol
-easier to implement (than FTPS) with regard to firewalls b/c only port 22 needs to be opened
-leverages SSH as a channel to perform FTP-like file transfers
-can be easier to get through firewalls since it only uses the SSH port (388)
-laws such as HIPAA, PCI DSS, SOX, etc. require secure file transfers to protect confidential data
Chapple
Weiss
Gibson
SNMPv3
-Simple Network Management Protocol, version 3
-improves on prev SNMP version
provides:
->auth of msg sources
->msg integrity validation
->confidentiality via encryption
-only the authPriv level uses encryption = insecure implementations are still possible
-simply using this doesn't automatically make SNMP info secure
-original SNMP port = UDP 161, 162
-SNMPv3 secure port = UDP 161, 162
Chapple 386
Weiss 290-291, 298
Gibson 98
HTTPS
-Hypertext Transfer Protocol over SSL/TLS
-original HTTP port: TCP 80
-Secure Port: TCP 443
-encrypts comm btwn client + web server
-DOES NOT guarantee that merchant is trustworthy
-relies on TLS (but often called SSL) to provide sec in HTTPS implementations
-browser based mgmt
Chapple 385-386
Weiss 282, 293-294
Gibson 77
IPSec
-Internet Protocol Security
-establishes secure VPN connections
-provides auth + encapsulation of data through support of the IKE protocol (Internet Key Exchange)
-secures transmissions between critical servers + clients
-helps prevent net based attacks
-functions within net layer
-can be run in tunnel (default) or transport mode
-security for OSI layer 3 -> auth + encryption for every packet
-confidentiality + integrity/anti replay
->encryption + packet signing
-common to use multi vendor implementations
-two core IPSec protocols = AH + ESP
ESP
Encapsulating Security Payloads
IPSec security services (1/2)
-Protocol 50
-if used with auth header = can cause issues for nets that need to change IP or port info
-Data confidentiality (encryption)
-Limited traffic flow confidentiality
-Data integrity
-Anti-replay protection
-Encrypts + authenticates tunneled data
->Commonly uses SHA-2 for hash
->AES for encryption
->Adds a header, a trailer, and an Integrity Check Value
-Combine with Authentication Header (AH) for integrity + authentication of the outer header
IPSec - Tunnel/transport
-transport mode: used between endpoints (client + server). ONLY protects the payload of the packet
-tunnel mode: default. often used between gateways (router + firewall). AH or ESP header used. provides integrity + auth for the ENTIRE packet
*Security for OSI Layer 3
– auth + encryption for every packet
*Confidentiality + integrity /anti-replay
– Encryption + packet signing
*Very standardized
– Common to use multi-vendor implementations
*Two core IPSec protocols
– Authentication Header (AH)
– Encapsulation Security Payload (ESP)
POP
Post Office Protocol
-original POP3 port: 110
-POP3S secure port: 995
-POP/IMAP used for retrieving email
-issue = login creds are transmitted in plaintext over unencrypted connections
Voice and video
NTP/NTPsec
Secure network time protocol (Time synchronization)
NTPSec typically uses the same ports as the original NTP (Network Time Protocol).
-Default port for both NTP and NTPSec: UDP 123.
->This is the port where NTP and NTPSec servers listen for incoming time synchronization requests + respond to client queries.
Classic NTP has no security features
-UDP protocol used to sync devices with a network time server
-accurate time necessary for net ops
-exploitation can result in time alterations + DoS attacks that shut down the server
-NTS relies on TLS, doesn’t protect the time data
-focuses on auth to make sure time info is from trusted server + hasn’t been changed in transit (383)
Email and web
Email
-S/MIME
->Public key encryption and digital signing of mail content
->Requires a PKI or similar organization of keys
-Secure POP and Secure IMAP
-SSL/TLS
Web
-SSL/TLS
->Secure Sockets Layer/Transport Layer Security
-Uses public key encryption
->Private key on the server
->Symmetric session key is transferred using asymmetric encryption
->Security + speed
SFTP
SSH File Transfer Protocol
-port 22, which is the default port for SSH. The communication between the client and the server is encrypted, providing a secure method for file transfer.
-uses SSH to transfer files
-encrypts both cmds + data
-prevents pswds + sensitive info from being transmitted in plaintext
-uses a different protocol than FTP + a standard FTP client can't talk to an SFTP server
->Provides file system functionality
->Resuming interrupted transfers, directory listings, remote file removal
Directory services
-LDAP
-LDAPS
->non-standard implementation of LDAP over SSL
-SASL
-> simple authentication and security layer
-> Provides authentication using different methods (Kerberos or client certificate)
Remote access
-SSH
->Encrypted terminal comm
->Replaces Telnet + FTP
->Provides sec terminal comm + file transfer features
Domain name resolution
*DNS had no security in the original design
->Relatively easy to poison a DNS
*DNSSEC
->Domain Name System Security Extensions
*Validate DNS responses
->Origin authentication
->Data integrity
*Public key cryptography
->DNS records signed with a trusted 3rd party
->Signed DNS records are published in DNS
Routing and switching
-SSH
-encrypted terminal comm
-SNMPv3
->confidentiality (encrypted data)
->integrity (no data tampering)
->authentication (verifies source)
-HTTPS
->browser based mgmt
->encrypted comm
Network address allocation
*Securing DHCP
– DHCP does not include any built-in security
– There is no “secure” version of the DHCP protocol
*Rogue DHCP servers
– In AD, DHCP servers must be authorized
– Some switches can be configured with "trusted" interfaces
– DHCP distribution is only allowed from trusted interfaces
– DHCP client DoS - Starvation attack
– Uses spoofed MAC addresses to exhaust the DHCP pool
– Switches can be configured to limit the number of MAC addresses per interface
– Disable an interface when multiple MAC addresses are seen
Subscription services
*Automated subscriptions
->Anti-virus / Anti-malware signature updates
->IPS updates
->Malicious IP address databases / Firewall updates
*Constant updates
->Each subscription uses a different update method
*Check for encryption and integrity checks
->May require an additional public key configuration
->Set up a trust relationship
->Certificates, IP addresses
AH
authentication header
IPSec security services (1/2)
-Protocol 51
-uses hashing + shared secret key to ensure data integrity
-validates senders by authenticating the IP packets that are sent
-can ensure IP payload + headers are protected
-Data integrity
-Origin authentication
-Replay attack protection
-Keyed-hash mechanism
-No confidentiality/encryption
-Hash of the packet + shared key
->SHA-2 = common
->Adds the AH to packet header
-doesn’t provide encryption
->Provides data integrity (hash)
->Guarantees data origin (auth)
->Prevents replay attacks (sequence numbers)
FTPS
File Transfer Protocol Secure
-FTP over SSL (FTP-SSL)
-FTP extension that adds full support for TLS and SSL
-supports ciphers (AES, RC4, RC2, etc)
-supports hash functions (SHA1, MD5, MD4, MD2)
-Supports channel encryption
-parties can authenticate each other before data transfers take place
-prevents eavesdropping, tampering, forgery
-Implicit FTPS: TCP port 990 for cmds; uses passive ports for data
-Explicit FTPS: TCP port 21 for cmds; uses passive ports for data
Chapple 111-112
Weiss 286, 295-296
Gibson 76
IMAP
Internet Message Access Protocol
-original port: 143
-IMAPS secure port: 993
-POP/IMAP used for retrieving email
-IMAP issue = login creds are transmitted in plaintext over unencrypted connections
Time synchronization
use cases:
-time synchronized encryption + protocols (Kerberos)
-timestamps in logs to track sec breaches
-modification times in shared filesystems
-billing services + apps
-regulatory mandates that require accurate time stamping
-channel based audio
-surgical ops that are run simultaneously
-digital certs
File transfer use cases
-publishing files on internal web portal
-performing transparent FTP tunneling
-downloading files from servers that are located on the internet through a DMZ
-reducing risks during data exchanges
-meeting compliance reqs
-performing server to server file transfer
-conducting large/bulk file transfers