Chapter 3b - Protocols Flashcards

1
Q

RTP and SRTP

A

RTP stands for Real-time Transfer Protocol and is used to deliver audio and video over IP networks. This includes VoIP (Voice over Internet Protocol), streaming media, video teleconferencing and more.

SRTP stands for Secure Real-Time Transfer Protocol and provides secure transmissions by using encryption, authentication and integrity for RTP.

SRTP protects against replay attacks, where an attacker intercepts data between two parties, modifies it and attempts to impersonate one of the parties by replaying the data.

Note: Session Initiation Protocol (SIP) is used to initiate, maintain and terminate voice, video and messaging sessions. Its request and response messages don’t contain any data, just metadata.

2
Q

FTP

A

FTP stands for File Transfer Protocol and is used to upload and download large files to and from an FTP server. It is one of the oldest protocols used to transfer files between computers over a network.

It transmits data in cleartext by default and is easy to read if captured by using a protocol analyzer.

FTP active mode uses TCP port 21 for control signals and TCP port 20 for data. FTP passive mode (PASV) uses TCP port 21 for control signals but a random TCP port for data, which can be blocked if going through a firewall, so it’s best to disable PASV in FTP clients.

3
Q

SSH

A

SSH stands for Secure Shell and is a protocol that encrypts traffic in transit over TCP port 22. It can be used to encrypt other protocols such as FTP.

4
Q

SSL

A

SSL stands for Secure Sockets Layer and is a protocol that was previously the primary method used to secure HTTP traffic as HTTPS.

It can also be used to encrypt other types of traffic such as SMTP and LDAP.

However, SSL has been compromised and is no longer recommended for use.

TLS has since replaced SSL and is used to encrypt many different protocols, including browser-based connections.

5
Q

TLS

A

TLS stands for Transport Layer Security. It is a protocol used as the designated replacement for SSL. Many protocols that use TLS use the STARTTLS command to upgrade an unencrypted connection to an encrypted connection on the same port.

6
Q

What is the difference between SSH and TLS?

A

SSH (Secure Shell) and TLS (Transport Layer Security) are both cryptographic protocols used to provide secure communication over a network, but they serve different purposes and operate at different layers of the networking stack.

SSH (Secure Shell):
-Encrypts traffic in transit and can be used to encrypt other protocols such as FTP
-Primarily used for secure remote access to a computer or server over a network
-Provides encrypted communication between the client and the server, protecting sensitive information such as passwords, commands, and data transferred over the network.
-SSH operates at the application layer (Layer 7) of the OSI model.
-Typically uses port 22 for communication.
-SSH can also be used for secure file transfer (SFTP) and secure tunneling (SSH tunneling), among other purposes

*SSH tunneling works by forwarding network traffic from a local port on your computer to a specific destination port on a remote server through an encrypted SSH connection. This enables you to securely access services, resources, or devices on a remote network as if they were local to your computer.

TLS (Transport Layer Security):

-TLS is a cryptographic protocol used to secure communication between two endpoints, such as a web browser and a web server, over a network.
-It ensures the confidentiality and integrity of data transmitted between the client and the server, protecting against eavesdropping, tampering, and forgery.
-TLS operates at the transport layer (Layer 4) of the OSI model.
-It is commonly used to secure HTTP connections (HTTPS) for secure web browsing, as well as other protocols such as SMTP (for secure email transmission), IMAP, and POP3.
-TLS typically uses port 443 for communication (for HTTPS), but it can also use other ports depending on the application.

In summary, SSH is primarily used for secure remote access and secure file transfer, while TLS is used for securing communication between client-server applications, particularly over the web. They are complementary technologies that provide encryption and security for different types of network communication.

7
Q

SFTP

A

SFTP is a secure implementation of FTP and is an extension of SSH, using SSH to transfer files in an encrypted format. SFTP transfers data using port 22.

8
Q

FTPS

A

FTPS is a secure implementation of FTP using TLS to encrypt FTP traffic.

Some implementations of FTPS use TCP ports 989 and 990, though TLS can also encrypt traffic over the FTP ports of 20 and 21.

9
Q

SMTP

A

SMTP stands for Simple Mail Transfer Protocol. It is used to transfer email between clients and SMTP servers.

SMTP uses port 25 for unencrypted email and port 587 for email encrypted using TLS. It can also use the STARTTLS command to initialize a secure connection. It used to use port 465 for emails encrypted with SSL, but that port has been reassigned by IANA (Internet Assigned Numbers Authority).

10
Q

IMAP4 and Secure IMAP

A

IMAP stands for Internet Message Access Protocol and is used to store email on an email server. It allows users to organize and manage email folders on the server.

Gmail for example uses IMAP4 via TCP port 143 for unencrypted connections and TCP port 993 for encrypted connections with Secure IMAP.

11
Q

POP3 and Secure POP

A

POP3 stands for Post Office Protocol v3 and is used to transfer emails from servers down to clients. POP3 uses TCP port 110 for unencrypted connections and TCP port 995 for encrypted connections using Secure POP.

12
Q

HTTP and HTTPS

A

HTTP stands for Hypertext Transfer Protocol, and transmits web traffic over the internet and in intranets. Web servers use HTTP to transmit web pages to clients’ web browsers, and Hypertext Markup Language (HTML) is the common language used to display web pages. HTTP uses port 80.

HTTPS uses SSL/TLS to encrypt web traffic to ensure it is secure while in transit. Web browsers often now display “not secure” next to the URL if not using HTTPS. HTTPS uses TCP port 443.

13
Q

LDAP

A

LDAP stands for Lightweight Directory Access Protocol and represents the formats and methods to query directories such as Microsoft AD DS (Active Directory Domain Services). LDAP uses TCP port 389, and LDAP Secure (LDAPS) encrypts data with TLS using TCP port 636.

Note: Directory services like AD DS provide authentication services for a network.

14
Q

RDP

A

RDP stands for Remote Desktop Protocol and is used to connect to other systems from remote locations (SSH is also used for this). RDP typically uses TCP port 3389 or the same UDP port.

Port 3389 is commonly blocked on firewalls, so remote access is often provided within a VPN instead.

15
Q

OpenSSH

A

OpenSSH is a suite of tools that simplifies the use of SSH to connect to remote servers securely.

You can use the ssh-keygen command to create a public/private key pair, and the ssh-copy-id command to copy the public key to the remote server in order to authenticate a passwordless SSH login.

16
Q

NTP and SNTP

A

Network Time Protocol is the most commonly used protocol for time synchronization, allowing systems to synchronize their time within tens of milliseconds.

Simple NTP (SNTP) can be used for time synchronization but does not use the same complex algorithms and may not be as accurate as NTP.

17
Q

DHCP

A

Dynamic Host Configuration Protocol dynamically assigns IP addresses to hosts within a network. It also assigns other TCP/IP information such as subnet masks, default gateways, DNS server addresses and more.

18
Q

IPv4

A

IPv4 uses 32-bit IP addresses (4 octets) expressed in dotted decimal format.

Public IP addresses are tightly controlled and you can’t just use any public address. They are purchased or rented from ISPs (Internet Service Providers), who purchase entire ranges of IP addresses and issue them to customers.

Private IP addresses are commonly 10.x.y.z, 172.16.y.z and 192.168.y.z. These are the only IPv4 addresses that should be allocated within a private network.

19
Q

IPv6

A

IPv6 provides a significantly larger address space than IPv4 and uses 128-bit IP addresses expressed in hexadecimal format, i.e. the digits 0-9 and A-F.

Instead of private IP addresses it uses unique local addresses beginning with fc00, which are not assigned to systems on the public internet.

20
Q

DHCP snooping

A

This is a preventative measure designed to prevent unauthorized DHCP servers (rogue DHCP servers) from operating on a network. You enable it on Layer 2 switch ports.

DHCP clients and servers normally send 4 packets back and forth:
- DHCP Discover (DHCP client sends broadcast message asking a DHCP server for a lease)
- DHCP Offer (DHCP server answers and offers a lease, including an IP address, subnet mask, default gateway + more)
- DHCP Request (DHCP client responds by requesting the offered lease)
- DHCP Acknowledge (the DHCP server allocates the offered IP address to the DHCP client and sends back an Acknowledge).

Normally a switch will send all broadcast traffic it receives to all ports, but with DHCP snooping enabled the switch will only send DHCP broadcast traffic (the DHCP discover message) to trusted ports.

21
Q

DNS

A

DNS stands for Domain Name System and is used for resolving host names to IP addresses. Systems are constantly querying DNS servers, which either know the answer or query other DNS servers for a site’s IP address. Both the DNS server and the client put the answer in their cache so they don’t have to repeat the query.

DNS servers host data in zones, which you can think of as databases. Zones include multiple records including:

-A. Also called a host record, it records the hostname and the IPv4 address and is the most commonly used record in a DNS server. A DNS client queries for it using a forward lookup request.

-AAAA. This record holds the hostname and IPv6 addresses.

-MX records identify mail servers. If there is more than one mail server, the one with the lowest preference number in the MX record is the primary mail server; the one with the higher number is the backup server.

*DNS uses TCP port 53 for zone transfers (when DNS servers share information with each other) and UDP port 53 for DNS client queries.

**DNSSEC adds Resource Record Signature (RRSIG) records, which provide validation for DNS responses. It adds data integrity and authentication to DNS replies and helps prevent DNS poisoning attacks. If a DNS server receives a DNSSEC-enabled response with digitally signed records, the DNS server knows the response is valid.

22
Q

DNS Poisoning

A

Also known as DNS cache poisoning, this is when attackers modify the DNS cache with a bogus IP address. For example, an attacker could send users to a malicious site every time they want to go to espn.com.

One way is to modify the A or AAAA record in the DNS cache for espn.com, which will send users to the IP address used by the malicious site instead.

23
Q

nslookup

A

Short for name server lookup, this Microsoft command is used by technicians to troubleshoot problems related to DNS, and can verify that a DNS server can resolve specific hostnames or fully qualified domain names (FQDNs) to IP addresses.

FQDNs include hostnames and the domain name.

You can also use the tool to query specific records, e.g. querying a domain for MX records to identify its mail servers:

nslookup -querytype=mx espn.com

24
Q

dig

A

Short for Domain Information Groper, this command has replaced nslookup on Linux systems and can be used to query DNS servers to verify that the DNS server is reachable and verify that a DNS server can resolve hostnames to IP addresses. Like nslookup it verifies a record exists and verifies that the server responds.

25
Q

QoS

A

QoS stands for Quality of Service, which refers to technologies running on a network that measure and control different traffic types. They allow administrators to prioritize certain types of traffic over others.

Example: if many employees stream large amounts of video over a network, it could consume too much bandwidth and other traffic would suffer. QoS solutions allow administrators to prioritize certain types of traffic and lower the priority of others.

26
Q

Switch

A

A switch is a device that connects multiple hosts together within a network.

Switches can learn which computers are attached to each of their physical ports, and then use that knowledge to create internal switched connections when two computers communicate with each other.

Data packets are transmitted via unicast instead of broadcast between hosts once the switch captures the MAC addresses of each device on its various ports.

27
Q

Router

A

A router is a device that connects multiple networks together to create larger networks and routes traffic between segments.

28
Q

Port security and MAC filtering

A

Limits the computers that can connect to physical ports on a switch.

At a basic level, administrators should disable unused switch ports so no one can plug a laptop or computer into an office wall jack and connect to the network.

MAC filtering is a component of port security and involves the switch remembering the first 1 or 2 MAC addresses that connect to a port, and then blocking access to systems for any other MAC addresses. You can also manually configure each port to only accept traffic from a specific MAC address, which is more labor intensive but a higher level of security.

29
Q

STP and RSTP

A

STP stands for Spanning Tree Protocol which provides broadcast storm prevention and loop prevention for switches. RSTP = Rapid Spanning Tree Protocol.

A switching loop or bridge loop can flood a network with traffic and effectively disable a switch if, say, you connect one cable to two ports.

STP also protects networks from potential attackers attempting to slow network performance down by, say, connecting two wall jacks together.

30
Q

BPDU

A

STP sends Bridge Protocol Data Unit (BPDU) messages in a network to detect loops, and then shuts down or blocks traffic from switch ports sending redundant traffic.

-Switches are meant to exchange BPDU messages with each other using non-edge ports.

-An edge port is a switch port connected to a device like a computer, server or printer. These devices should not generate BPDU messages, and if they do, it indicates a problem such as a bad actor sending false BPDU messages. Many switches support a BPDU guard feature that is enabled on edge ports, monitoring the ports for any BPDU messages and disabling the ports if they receive any, effectively blocking the BPDU attack.

31
Q

ACLs

A

Access Control Lists are rules implemented on a router (or firewall) to identify what traffic is allowed and what is denied. Rules within an ACL provide rule-based management of inbound and outbound traffic.

Router ACLs provide basic packet filtering, filtering packets based on networks, subnets, IP addresses, ports (ie. 443) and some protocols, such as ICMP or IPsec, based on protocol identifiers.

*Many protocols are identified by their protocol numbers, e.g. ICMP uses protocol number 1, and many DoS attacks use ICMP. You can thus block all ICMP traffic by blocking traffic using this protocol number. You can similarly allow only IPsec traffic via protocol 50.

32
Q

Implicit Deny

A

A concept that all traffic that isn’t explicitly allowed is automatically/implicitly denied. For example, if you configure a router to only allow HTTPS to a web server, then all other traffic is blocked. Firewalls also use an implicit deny rule.

The implicit deny rule is often the last rule in an ACL, i.e. “DENY ANY ANY” or “DENY ALL ALL”. Also referred to as default deny: the earlier rules in an ACL generally specify the allowed traffic, with the last rule blocking all other traffic by default.

33
Q

route (command)

A

Used to display or modify a system’s routing table on Windows and Linux systems.

“route print” shows all the paths known by the computer to other networks.

-If the routing table doesn’t include an entry to a specific network, the system uses the default gateway, which is the IP address of a router on a network and typically provides a path to the internet.

*You can use the “route add” command to add a different path to a network.

You can also use the route command to verify route security and ensure an attacker hasn’t manipulated the routing tables to drive traffic to another router in a MITM attack.

34
Q

Firewalls

A

Firewalls filter incoming and outgoing traffic for a single host or between networks, and can ensure that specific types of traffic are allowed into a network or host, and only specific types of traffic are allowed out of a network or host.

Stateless firewalls do basic packet filtering while advanced firewalls can include advanced content filtering.

35
Q

Host-based firewall

A

Monitors traffic going in and out of a single host, such as a server or workstation. It monitors traffic passing through the NIC and can prevent intrusions into the computer via the NIC.

Many operating systems include software-based firewalls used as host-based firewalls, such as Microsoft Defender.

36
Q

Network-based firewalls

A

Network-based firewalls are usually a dedicated hardware system with additional software installed to monitor, filter and log traffic. A network-based firewall would have 2 or more network interface cards (NICs) and all traffic passes through the firewall, which controls what goes in and out of a network by filtering traffic based on firewall rules.

Network-based firewalls are often dedicated servers and provide protection for the network.

*There are open source Linux firewalls with tools like iptables, arptables and so on, known as xtables. You can configure firewall rules within the different tables and they function like an ACL. You can also configure a virtual system as a firewall.

37
Q

Stateless firewalls

A

Use rules implemented in ACLs to identify allowed and blocked traffic, using an implicit deny strategy.

-Permission: PERMIT/ALLOW or DENY
-Protocol: usually TCP or UDP here, especially when blocking TCP or UDP ports. Can also be ICMP.
-Source: traffic from a source IP address.
-Destination
-Port or protocol

“deny any any” or “drop all” statements are used as an implicit deny at the end of an ACL.

Misconfigured ACLs (i.e. no implicit deny) are a security issue and can allow almost all traffic into the network.

38
Q

Stateful firewall

A

Inspects traffic and makes a decision based on the traffic content or state.

-Keeps track of established sessions, inspects traffic based on its state within a session, and blocks traffic that isn’t part of an established session.

EX: TCP traffic starts with a three-way handshake, so if a stateful firewall detects TCP traffic without a corresponding three-way handshake, it recognizes the suspicious traffic and can block it.

A stateless firewall blocks traffic using an ACL, while a stateful firewall blocks traffic based on the contents of the packet within the session.

39
Q

WAF

A

Web Application Firewall is a firewall specifically designed to protect a web application, and is placed between the web server hosting the application and the web server clients. Designed to protect against common web application attacks such as cross-site scripting (XSS). It is an added layer used IN ADDITION to a network-based firewall.

40
Q

NGFW

A

Next-Generation Firewall. An advanced firewall that adds capabilities not included in first/second gen firewalls (stateless and stateful).

Includes deep-packet inspection, adding application-level inspection as a core feature.

The NGFW is aware of common application protocols used on the Internet like FTP and HTTP. By doing deep packet inspection the NGFW can identify application commands and detect potentially malicious traffic. This allows it to apply content filtering and URL filtering.

41
Q

Intranet vs Extranet

A

Intranet = internal network. People use an intranet to communicate and share content with each other. An intranet often includes web servers, but this isn’t a requirement.

Extranet = part of a network that can be accessed by authorized entities from outside the organization. EX: it’s common for organizations to allow limited access to authorized business partners, customers or vendors.

Most networks are divided into different zones using different topologies.

42
Q

Screened subnet

A

Also known as a demilitarized zone (DMZ). It’s a buffer zone between a private internal network and the internet. It allows access to services while segmenting access to the internal network.

Since attackers seek out servers on the internet, any server placed directly on the internet has the highest amount of risk. However, the screened subnet provides a layer of protection for these internet-facing servers while also allowing clients to connect to them.

The screened subnet provides access to the services hosted in the screened subnet while segmenting access to the internal network.

Typically one firewall separates the screened subnet from the internet, and a second firewall separates the screened subnet from the internal network.

43
Q

NAT

A

Network Address Translation. A protocol that translates public IP addresses to private IP addresses and private IP addresses back to public.

A network address translation gateway hosts NAT and provides internal clients with private IP addresses a path to the internet. An internet-facing firewall can also be used as a NAT gateway.

*One drawback is it is not compatible with IPsec.

44
Q

Static vs Dynamic NAT

A

Static NAT: uses a single public IP address in a one-to-one mapping. It maps private IP addresses to a single public IP address.

Dynamic NAT: uses multiple public IP addresses in a one-to-many mapping, and decides which public IP address to use based on load.
-EX: if several users are connected to the internet on one public IP address, NAT maps the next request to a less-used public IP address.

45
Q

SCADA

A

Supervisory Control and Data Acquisition systems. These are typically industrial control systems within large facilities such as power plants or water treatment facilities.

SCADA systems operate within their own networks, meaning without internet connectivity, and it’s common to ensure that they are physically isolated from any other network, including the organization’s own internal networks.

46
Q

Air gap

A

An air gap provides physical isolation between networks, with a gap of air between an isolated system and other systems and their relevant cables.

An air-gapped system is literally not connected to any other systems, e.g. red (classified) and black (unclassified) networks within an organization. Strict rules can ensure they are not connected to each other, including requiring physical separation between red network cables and black network cables.

47
Q

VLAN

A

Virtual Local Area Network. A VLAN provides logical separation and is a way to segment traffic between logical groups of users or computers.

-Separate or segment traffic on physical networks, and you can create multiple VLANs with a single Layer 3 switch.

-Uses a switch to group several different computers into a virtual network. Often grouped by department, job function, or any other administrative need.

48
Q

East-west

A

Refers to traffic between servers, which are typically drawn horizontally on a network diagram, with clients above or below the servers.

49
Q

Zero trust

A

A zero trust network is a network that doesn’t trust any device by default, even if it was previously verified. This helps reduce attacks from compromised internal clients.

Zero trust isn’t a technology but rather a model based on the principle of zero trust.

One way to implement it is to require MFA. This could block an attacker from accessing a server using an employee’s credentials after infecting their device with malware.

50
Q

Proxy Server

A

Also known as forward proxy servers. They forward requests for services (such as HTTPS) from clients.

Can improve performance by caching content, and some proxy servers can restrict users’ access to inappropriate websites by filtering content.

A proxy server is located on the edge of the network bordering the internet and the intranet (LAN).

*An administrator configures internal clients to use the proxy servers for specific protocols, and the proxy accepts their requests, retrieves the content from the internet, then returns the data to the client. Many proxy servers only act as a proxy for HTTP and HTTPS, but can also be used for other protocols such as FTP.

Proxy servers also improve the performance of internet requests by caching each result received from the internet into a dedicated area in RAM or on a high performing disk subsystem. Any data in its cache doesn’t need to be retrieved from the internet again to fulfill another client’s request.

51
Q

transparent proxy vs. non-transparent proxy

A

A transparent proxy accepts and forwards requests without modifying them, while a non-transparent proxy server can modify or filter requests. Non-transparent proxies are often used by organizations to restrict what users can access by means of URL filters, which examine the requested URL and either allow or deny the request.

Many third-party companies sell subscription lists for URL filtering which can be loaded into the proxy server.

52
Q

Reverse Proxy

A

A reverse proxy accepts requests from the internet, typically for a single web server. It appears to clients as a web server, but it forwards requests to the actual web server and serves the web pages the web server returns; the web server is often located behind a second firewall.

They also cache the webpages and can improve overall website performance.

-Can be used for a single web server or a farm of multiple servers. When used with a web farm it can act as a LOAD BALANCER.

53
Q

Load Balancer

A

A load balancer is placed in a screened subnet to accept requests and forward the requests to the different servers in the web farm using a load balancing algorithm.

54
Q

UTM

A

Unified Threat Management is a single solution that combines multiple security controls. The overall goal of a UTM is to provide better security while also simplifying management requirements.

UTM security appliances combine features of multiple security solutions in a single appliance including URL filtering, malware inspection and content inspection, and DDoS mitigators.

*One common security issue is the misconfiguration of the content filter, such as the spam filter sensitivity.

**UTM appliances are often placed at the network border between the internet and intranet/LAN, or within a screened subnet if being used as a proxy server.

55
Q

Jump Server

A

A jump server (or jump box) is a hardened server used to access and manage devices in another network with a different security zone. It shouldn’t be used for anything else.

EX: if an admin wanted to administer servers in the screened subnet from the internal network, they could use a jump server and connect to the jump server then access servers in the screened subnet through the jump server.

-It’s common to connect to a jump server using a passwordless SSH login, and then connect to a remote server via the jump server. An admin will often have elevated privileges on the jump server and a CA server in the screened subnet.

56
Q

SNMP

A

Simple Network Management Protocol (v3) monitors and manages network devices, such as routers and switches, and can have them report back to the central network management system.

Administrators use SNMPv3 to manage and monitor network devices, and SNMP uses UDP ports 161 and 162. SNMPv3 encrypts credentials before sending them over the network and is considered more secure than earlier versions.