Chapter 12 - Secure Comms Flashcards
Simple Key Management for Internet Protocol (SKIP)
• Encryption tool to protect sessionless datagram protocols.
• Designed to integrate with IPSec
• Layer 3
• Replaced by IKE in 1998.
Software IP Encryption (swIPe)
- Layer 3
- Provides authentication, integrity, and confidentiality using encapsulation protocol
Secure Remote Procedure Call (S-RPC)
- Authentication service
- Prevents unauthorized execution of code on remote systems
Secure Sockets Layer (SSL)
- Encryption protocol to protect comms between web server and web browser.
- Can be used for secure web, email, FTP, or Telnet traffic.
- Session-oriented
- Provides confidentiality and integrity
- 4-bit key or 128-bit key.
- Superseded by TLS.
TLS
• Same as SSL but uses stronger authentication and encryption protocols
• Both SSL and TLS
○ Support secure client-server comms while preventing tampering, spoofing, and eavesdropping
○ Support one-way authentication
○ Support two-way authentication using digital certificates
○ Often implemented as initial payload of TCP package, allowing encapsulation of all higher protocols
○ Can be implemented at lower layers (3 for VPN). Known as OpenVPN.
• TLS can
○ Encrypt UDP and Session Initiation Protocol (SIP) connections.
Secure Electronic Transaction (SET)
Protocol for transmission of transactions over the internet
Based on RSA and DES
Supported by credit card companies
Challenge Handshake Authentication Protocol (CHAP)
• Used over PPP links
• Encrypts usernames and passwords.
• Uses challenge-response dialogue that can’t be replayed.
• Periodically reauthenticates throughout session to verify.
Password Authentication Protocol (PAP)
• Standardized authentication protocol for PPP.
• Transmits usernames and passwords in clear
• No encryption.
• Simply transports credentials
Extensible Authentication Protocol (EAP)
- Framework for authentication
- Allows customized authentication security solutions - support for smart cards, tokens, biometrics, etc.
PEAP
- Protected Extensible Authentication Protocol (PEAP) encapsulates EAP in a TLS tunnel. PEAP is preferred to EAP because EAP assumes channel is already protected.
- Can be employed by WPA and WPA-2
- PEAP preferred over LEAP.
- LEAP supported frequent reauthentication and changing of WEP keys - crackable.
Common Ports
- FTP: 21
- SSH: 22
- Telnet: 23
- SMTP: 25
- DNS: 53
- HTTP: 80
- POP3: 110
- NTP: 123
- HTTPS: 443
- SQL: 1433
- ORACLE: 1521
- H.323: 1720
- PPTP: 1723
- RDP: 3389
DRP Tests
- Read through tests/Checklist tests - paperwork exercise
- Structured walk-throughs - involve project team meeting
- Simulation tests - may shut down non-critical business units
- Parallel tests - relocates personnel but doesn’t affect day to day operations
- Full-interruption tests - shuts down primary systems and shifts responsibility to recovery facility
Redundant Array of Disks (RAID)
• RAID-0 - striping. Uses two or more disks and improves disk subsystem performance, no fault tolerance
• RAID-1 - mirroring. Two disks hold the same data.
• RAID-5 - striping with parity. Uses 3 or more disks with equivalent of one disk holding parity info. If any disk fails, it will continue to operate, but slowly.
• RAID-10 - aka RAID 1+0 or Stripe of Mirrors. Two or more mirrors configured in striped config. Multiple disks can fail as long as 1 drive in each mirror continues.
Code of ethics
• Code of Ethics preamble
○ Safety and welfare of society and the common good, duty to our principals, and to each other require that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
○ Therefore, strict adherence to this Code is a condition of certification.
• Canons:
○ Protect society, the common good, necessary public trust and confidence, and the infrastructure
○ Act honorably, honestly, justly, responsibly, and legally
○ Provide diligent and competent service to principals
○ Advance and protect the profession
• RFC 1087 unethicals:
○ Seek to gain unauthorized access to resources of the internet
○ Disrupts the intended use of the internet
○ Wastes resources through such actions
○ Destroys integrity of computer-based info
○ Compromises privacy of users
SDLC
- Conceptual Definition
a. Create basic concept statement for a system
b. Agreed on by all interested stakeholders
c. Very high level statement of purpose, no more than a couple of paragraphs
- Functional Requirements Determination
a. Specific functionalities listed, how they interoperate
b. Ensure all stakeholders agree
- Control Specifications Development
a. Analyze the system from a number of security perspectives
b. Adequate controls must be built in
c. System must maintain confidentiality
d. System should provide audit trail
e. Availability and fault-tolerance should be addressed
- Design Review
a. Designers determine exactly how the various parts will interoperate
- Code Review Walk-through
a. Actual coding.
b. Several code review meetings throughout development.
- System Test Review/User Acceptance Testing
- Maintenance and Change Management
a. Have team ready to handle routine or unexpected maintenance