Lesson 11 Flashcards
Network Address Allocation
Most networks use a mixture of static and dynamic address allocation.
Dynamic Host Configuration Protocol (DHCP)
provides an automatic method for network address allocation. The key point about DHCP is that only one (authorized) server should be offering addresses to any one group of hosts. If a rogue DHCP server is set up, it can cause a DoS (client machines obtain an incorrect TCP/IP configuration) or be used to snoop network traffic, typically by handing out the attacker's host as the clients' default gateway or DNS server.
DHCP starvation
A type of DoS attack where a rogue client repeatedly requests new IP addresses using spoofed MAC addresses, with the aim of exhausting the IP address pool. Once the pool is empty, legitimate clients cannot obtain a lease, and a rogue server can step in to answer their requests.
Enabling the DHCP snooping port security feature on a switch can mitigate rogue DHCP attacks: the switch only forwards DHCP server messages (OFFER/ACK) that arrive on ports marked as trusted, and can rate-limit DHCP requests on untrusted ports to counter starvation.
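As an added example (not part of the lesson notes), the following script shows what DHCP starvation looks like in a server's logs and how to flag it: a burst of DHCPDISCOVER/DHCPREQUEST messages from many distinct MAC addresses within a few seconds, all arriving via one interface. The log lines are constructed for the example; the format imitates ISC dhcpd syslog output but is an assumption, as are the window and threshold values.

```python
"""Added example, not from the lesson: flag a possible DHCP starvation attack
from DHCP server log lines. Starvation shows up as a burst of DHCPDISCOVER /
DHCPREQUEST messages from many distinct (spoofed) MAC addresses in a short
window, usually all arriving via one interface or relay. The log lines below
are constructed for this example; the format imitates ISC dhcpd syslog output
but is an assumption, not a real capture."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one normal lease on eth0, then a burst on eth1.
SAMPLE_LOG = """\
Mar 10 09:00:01 dhcpd: DHCPDISCOVER from 3c:52:82:aa:bb:01 via eth0
Mar 10 09:00:01 dhcpd: DHCPOFFER on 10.0.0.20 to 3c:52:82:aa:bb:01 via eth0
Mar 10 09:00:02 dhcpd: DHCPREQUEST for 10.0.0.20 from 3c:52:82:aa:bb:01 via eth0
Mar 10 09:00:02 dhcpd: DHCPACK on 10.0.0.20 to 3c:52:82:aa:bb:01 via eth0
Mar 10 09:05:00 dhcpd: DHCPDISCOVER from 02:00:00:00:00:01 via eth1
Mar 10 09:05:00 dhcpd: DHCPDISCOVER from 02:00:00:00:00:02 via eth1
Mar 10 09:05:01 dhcpd: DHCPDISCOVER from 02:00:00:00:00:03 via eth1
Mar 10 09:05:01 dhcpd: DHCPDISCOVER from 02:00:00:00:00:04 via eth1
Mar 10 09:05:02 dhcpd: DHCPDISCOVER from 02:00:00:00:00:05 via eth1
Mar 10 09:05:02 dhcpd: DHCPDISCOVER from 02:00:00:00:00:06 via eth1
Mar 10 09:05:03 dhcpd: DHCPDISCOVER from 02:00:00:00:00:07 via eth1
Mar 10 09:05:03 dhcpd: DHCPDISCOVER from 02:00:00:00:00:08 via eth1
Mar 10 09:05:04 dhcpd: DHCPDISCOVER from 02:00:00:00:00:09 via eth1
Mar 10 09:05:04 dhcpd: DHCPDISCOVER from 02:00:00:00:00:0a via eth1
Mar 10 09:05:05 dhcpd: DHCPDISCOVER from 02:00:00:00:00:0b via eth1
Mar 10 09:05:05 dhcpd: DHCPDISCOVER from 02:00:00:00:00:0c via eth1
"""

# Only client-originated messages (DISCOVER/REQUEST) carry a "from <mac>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dhcpd: "
    r"(?:DHCPDISCOVER|DHCPREQUEST)\b.*?from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_requests(log_text, year=2024):
    """Yield (timestamp, interface, mac) for every DISCOVER/REQUEST line;
    server-side OFFER/ACK lines are ignored. Syslog lines carry no year,
    so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["iface"], m["mac"].lower()


def detect_starvation(log_text, window_seconds=10, max_distinct_macs=5):
    """Return {interface: peak distinct MACs} for interfaces where more than
    max_distinct_macs different clients asked for addresses within any
    sliding window of window_seconds. Thresholds are assumptions; tune them
    to the size of the segment being monitored."""
    events = defaultdict(list)
    for ts, iface, mac in parse_requests(log_text):
        events[iface].append((ts, mac))
    alerts = {}
    for iface, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it is within window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({mac for _, mac in evs[start:end + 1]}))
        if peak > max_distinct_macs:
            alerts[iface] = peak
    return alerts


if __name__ == "__main__":
    print(detect_starvation(SAMPLE_LOG))
```

On the sample, eth0 shows a single client completing a normal DORA exchange and is not flagged, while eth1 shows twelve different MACs in five seconds and is reported. The same idea is what a switch's DHCP snooping rate limit enforces in hardware on untrusted ports.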
DNS
Domain Name System (DNS) resolves fully qualified domain names (FQDNs) to IP addresses.
Uses port 53 (UDP for most queries; TCP for zone transfers and responses too large for UDP).
Domain hijacking
Domain hijacking is an attack where an adversary acquires a domain for a company's trading name or trademark, or perhaps some spelling variation thereof.
whois
(can help defend against domain hijacking) The whois command can be used to look up domain registration information (registrant, registrar, name servers, expiry date) to try to detect misuse, such as look-alike registrations or unexpected changes to your own domain's records.
Uniform Resource Locator (URL) redirection
URL redirection refers to the use of HTTP redirects to open a page other than the one the user requested. This is often used for legitimate purposes: to send the user to a login page, or to send a mobile device browser to a responsive version of the site, for instance. If the redirect target is not properly validated by the web application (an "open redirect"), an attacker can craft a phishing link that might appear legitimate to a naive user because it starts with the trusted host name, such as:
https://trusted.foo/login.php?url=https://tru5ted.foo
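The flaw in that link, as an added example (not from the lesson): the login handler echoes the url parameter into a redirect without checking it. Below is the vulnerable check next to a hardened one that only follows targets on hosts the site owns. The host names, the TRUSTED_ORIGIN and ALLOWED_HOSTS values and the handler names are assumptions made for this example.

```python
"""Added example, not from the lesson: the open-redirect flaw behind the
phishing link above, next to a hardened version of the same check. The
host names, the login handler and the ALLOWED_HOSTS list are assumptions
made for this example."""
from urllib.parse import urljoin, urlparse

TRUSTED_ORIGIN = "https://trusted.foo"              # assumed: our own site
ALLOWED_HOSTS = {"trusted.foo", "app.trusted.foo"}  # assumed: hosts we own


def redirect_target_vulnerable(url_param):
    """Vulnerable: after login the user is sent wherever ?url= says.
    https://trusted.foo/login.php?url=https://tru5ted.foo therefore lands a
    victim on the attacker's look-alike domain via a link that names trusted.foo."""
    return url_param


def redirect_target_safe(url_param, fallback="/"):
    """Hardened: resolve the parameter against our own origin, then follow it
    only if the scheme is https and the host is one we own. This rejects
    look-alike hosts, scheme-relative //evil links, http downgrades, odd
    schemes such as javascript:, and user-info tricks (https://trusted.foo@evil)."""
    if not url_param:
        return fallback
    parts = urlparse(urljoin(TRUSTED_ORIGIN + "/", url_param))
    try:
        port = parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return fallback
    host = parts.hostname                 # lower-cased, user-info and port removed
    if parts.scheme != "https" or host not in ALLOWED_HOSTS or port not in (None, 443):
        return fallback
    # Rebuild the URL from the parts we checked rather than echoing the input.
    target = f"https://{host}{parts.path or '/'}"
    return target + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    for candidate in ("https://tru5ted.foo", "/account?tab=1", "//evil.example/x"):
        print(candidate, "->", redirect_target_safe(candidate))
```

The safest design is to avoid free-form URLs altogether and pass an index into a server-side table of permitted destinations; the allow-list check above is the next best thing when the target must be a URL.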
Domain reputation
If your domain, website, or email servers have been hijacked, they are likely to be used
for spam or distributing malware. This will lead to complaints and the likelihood of the
domain being listed on a blacklist. You should set up monitoring using a site such as
talosintelligence.com/reputation_center to detect misuse early.
DNS Poisoning
DNS poisoning is an attack that compromises the process by which clients query name servers to locate the IP address for an FQDN.
These are ways to do DNS poisoning. I didn't really look into these:
• Man in the Middle
  - Rogue DNS server intercepts queries (for example after a rogue DHCP server hands out the attacker's host as the DNS server)
• DNS client cache poisoning
  - HOSTS file (static entries on the local host are consulted before DNS and override it)
• DNS server cache poisoning
  - Corrupt cached records on DNS servers
  - Spoof responses to queries by exploiting weak transaction ID generation (an off-path attacker races the real answer with forged replies; predictable IDs or a fixed source port make the guess easy)
• DNS authoritative name server impersonation
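To make the "weak transaction ID" point concrete, here is an added example (not from the lesson) that simulates server cache poisoning by spoofed responses. A toy resolver is attacked by an off-path attacker who saw the previous query's ID and floods forged replies; the simulation shows how sequential IDs plus a fixed source port are defeated by a single packet, while a random 16-bit ID and a random source port make blind guessing impractical, and how a bailiwick check blocks a correctly guessed packet that tries to plant a record for another zone. No real DNS packets are built; messages are plain dicts, and the names, addresses and trial counts are assumptions.

```python
"""Added example, not from the lesson: a toy simulation of DNS server cache
poisoning by spoofed responses. It shows why predictable transaction IDs and
a fixed source port let an off-path attacker win the race against the real
answer, and why randomising both (plus checking the question section and
the bailiwick of the answer) makes blind spoofing impractical. No real DNS
packets are built; messages are plain dicts and all numbers are assumptions."""
import random

ZONE_QUERY = "www.example.com."
ATTACKER_IP = "203.0.113.66"       # documentation range, constructed


class Resolver:
    """Toy recursive resolver with one outstanding query and a cache."""

    def __init__(self, rng, random_txid, random_port):
        self.rng = rng
        self.random_txid = random_txid
        self.random_port = random_port
        self.cache = {}
        self.last_txid = rng.getrandbits(16)   # txid of the previous query
        self.pending = None

    def send_query(self, qname):
        """Record the txid and source port of the query just sent upstream."""
        if self.random_txid:
            txid = self.rng.getrandbits(16)
        else:
            txid = (self.last_txid + 1) & 0xFFFF   # sequential IDs: predictable
        self.last_txid = txid
        port = self.rng.randint(1024, 65535) if self.random_port else 53000
        self.pending = {"txid": txid, "port": port, "qname": qname}

    def receive(self, resp):
        """Accept a response only if every check passes; True if it was cached."""
        p = self.pending
        if p is None:
            return False
        if resp["txid"] != p["txid"] or resp["dst_port"] != p["port"]:
            return False                           # wrong ID or port: dropped
        if resp["qname"] != p["qname"]:
            return False                           # question section must match
        zone = p["qname"].split(".", 1)[1]         # "example.com." for www.example.com.
        if resp["name"] != zone and not resp["name"].endswith("." + zone):
            return False                           # out-of-bailiwick record: ignored
        self.cache[resp["name"]] = resp["ip"]
        self.pending = None
        return True


def attack(resolver, qname, n_forged, known_port, rng):
    """Off-path attacker who saw the resolver's previous txid (e.g. by making
    it query the attacker's own name server) and now races the real answer
    with n_forged forged replies carrying consecutive txid guesses."""
    observed = resolver.last_txid
    resolver.send_query(qname)
    for i in range(n_forged):
        forged = {
            "txid": (observed + 1 + i) & 0xFFFF,
            "dst_port": known_port if known_port is not None else rng.randint(1024, 65535),
            "qname": qname,
            "name": qname,
            "ip": ATTACKER_IP,
        }
        if resolver.receive(forged):
            return True
    return False


def poison_rate(random_txid, random_port, n_forged=256, trials=200, seed=1):
    """Fraction of trials in which the attacker poisoned the cache."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = Resolver(rng, random_txid, random_port)
        if attack(r, ZONE_QUERY, n_forged, None if random_port else 53000, rng):
            hits += 1
    return hits / trials


def bailiwick_demo():
    """Even a perfectly guessed txid/port cannot plant a record for another zone."""
    r = Resolver(random.Random(3), random_txid=False, random_port=False)
    r.send_query(ZONE_QUERY)
    p = r.pending
    forged = {"txid": p["txid"], "dst_port": p["port"], "qname": ZONE_QUERY,
              "name": "www.bank.example.", "ip": ATTACKER_IP}
    return r.receive(forged), dict(r.cache)


if __name__ == "__main__":
    print("sequential txid, fixed port :", poison_rate(False, False))
    print("random txid, fixed port     :", poison_rate(True, False))
    print("random txid, random port    :", poison_rate(True, True))
    print("out-of-bailiwick accepted?  :", bailiwick_demo()[0])
```

With 256 forged packets per race, a random ID alone gives the attacker roughly a 1-in-256 chance per attempt (which is why repeated attempts against a busy resolver still worked historically), whereas a random ID combined with a random source port pushes the odds to about 1 in 4 billion per attempt. DNSSEC, covered below, removes the guessing game entirely by letting the resolver verify a signature on the answer.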
DNS Security
- DNS server security
- Fault tolerance
- Authenticated recursive requests only
- Access control
- Patch management
- Prevent footprinting
- DNS Security Extensions (DNSSEC)
• DNS Security Extensions (DNSSEC) help to mitigate spoofing and poisoning attacks by providing a validation process for DNS responses: zone records are digitally signed, and a validating resolver checks the signature chain up to the root so that a forged or altered response is rejected.
I left out some of the technical details
network directory
lists the subjects (principally users, computers, and services) and
objects (such as directories and files) available on the network plus the permissions
that subjects have over objects. A directory facilitates authentication and authorization,
and it is critical that it be maintained as a highly secure service.
LDAP
Most directory services are based on the Lightweight Directory Access Protocol (LDAP), running over port 389. The basic protocol provides no security and all transmissions are in plaintext, making it vulnerable to sniffing and man-in-the-middle attacks.
Authentication
(referred to as binding to the server) can be implemented in the following ways:
• No authentication—anonymous access is granted to the directory.
• Simple bind—the client must supply its distinguished name (DN) and password, but
these are passed as plaintext.
• Simple Authentication and Security Layer (SASL)—the client and server negotiate
the use of a supported authentication mechanism, such as Kerberos. The STARTTLS
command can be used to require encryption (sealing) and message integrity
(signing). This is the preferred mechanism for Microsoft’s Active Directory (AD)
implementation of LDAP.
LDAPS
LDAP Secure (LDAPS)—the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.
Two levels of access on LDAP
read-only access (query) and
read/write access (update).
This is implemented using an access control policy, but the precise mechanism is vendor-specific and not specified by the LDAP standards documentation.
Time Synchronization
Many applications on networks are time dependent and time critical.
Time critical services •Authentication •Logging •Task scheduling/backup •...
Network Time Protocol (NTP) [I have a separate card for this]
•Stratum 1 servers
•Stratum 2 servers
•Simple NTP (clients)
NTP
Network Time Protocol (NTP)
* Stratum 1 servers - synchronized directly to a reference clock such as an atomic clock or GPS receiver (top level)
* Stratum 2 servers - synchronized to stratum 1 servers; most organizations obtain time from stratum 2 servers (lower level)
* Simple NTP (clients) - clients themselves usually obtain the time using a simplified form of the protocol (Simple NTP, SNTP)
Accurate time matters for security: certificate validity periods, Kerberos tickets (which are rejected beyond a small clock skew), and correlating log timestamps across hosts during incident response all depend on it.
Simple Network Management Protocol (SNMP)
is a widely used framework for management and monitoring. SNMP consists of an SNMP monitor and agents:
- Agent runs on devices (switches, routers, servers) and maintains a management information base (MIB)
- Monitor polls agents for MIB values (UDP port 161); agents notify the SNMP monitor of events (traps, sent to UDP port 162)
- SNMP v1 and v2c feature no or weak authentication (plaintext community strings) and no privacy
- SNMP v3 adds message authentication and encryption (privacy)
SNMP Versions
- SNMP v1 and v2c: no or weak authentication (plaintext community strings, often left at defaults such as "public") and no privacy
- SNMP v3: message authentication and encryption (privacy); the only version that should be exposed on a network
Web server
= HTTP server (a web server delivers content to clients using HTTP)
HTTP
HTTP enables clients (typically web browsers) to request resources from an HTTP server.
how does a client connect to an HTTP server
TCP - the client opens a TCP connection to the server's listening port (80 for HTTP, 443 for HTTPS by default)
Http header and payload
Header - the request and response formats are defined in an HTTP header.
The HTTP payload - is usually used to serve HTML (HyperText Markup Language) web pages, which are plain text files with coded tags describing how the page should be formatted.
http forms mechanism and stateless
- Forms mechanism allows the client to upload data to the server
- Stateless protocol (does not record sessions) but expanded with cookies and scripting
https
HTTP secured with SSL/TLS; uses TCP port 443 by default
SSL/TLS
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Communications secured using host certificates issued by a certificate authority (CA)
• Typically used with HTTP servers, but can secure other protocols too, such as a VPN (TLS VPN), email (SMTPS, IMAPS, POP3S) and directory access (LDAPS)
SSL/TLS versions
While the acronym SSL is still used, the Transport Layer Security versions are the only ones that are safe to use. SSL 2.0 and 3.0 are broken, and TLS 1.0 and 1.1 are deprecated (RFC 8996).
- TLS 1.3 is the latest version.
- TLS 1.3 includes protection against downgrade attacks: a server that negotiates an older version with a 1.3-capable client places a fixed marker in its ServerHello random value, so the client can detect that an attacker tampered with the version negotiation.
How to implement TLS on a web server
To implement TLS, a server is assigned a digital certificate signed by some trusted
certificate authority (CA). The certificate proves the identity of the server (assuming that
the client trusts the CA) and validates the server’s public/private key pair. The server
uses its key pair and the TLS protocol to agree mutually supported ciphers with the
client and negotiate an encrypted communications session.
Cipher Suites (TLS)
A cipher suite is the set of algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol. In TLS 1.2 the suite name fixes the key exchange, authentication, bulk cipher and MAC/hash together, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
TLS 1.3 uses simplified and shortened suites (e.g. TLS_AES_128_GCM_SHA256) that name only the AEAD cipher and hash; key exchange and signature algorithms are negotiated separately, and the legacy options (static RSA key exchange, CBC mode, RC4, 3DES, MD5/SHA-1 MACs) were removed. This is why 1.3 is more secure and harder to downgrade: there is no weak suite left to be talked down to, and the ServerHello downgrade marker covers version negotiation.
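As an added example (not from the lesson), the parser below takes apart cipher-suite names so the difference between the two generations is visible: a TLS 1.2 name fixes key exchange, authentication, cipher and MAC in one string, a TLS 1.3 name only cipher and hash. It then flags suites that should not be offered. The suite names follow the IANA registry; the list of "weak" components and the SAMPLE_OFFER list are this example's own assumptions.

```python
"""Added example, not from the lesson: parse TLS cipher-suite names to see
what a TLS 1.2 suite fixes in one string (key exchange, authentication,
cipher, MAC) and what a TLS 1.3 suite leaves out (only AEAD cipher and
hash; key exchange and signature algorithm are negotiated separately), and
flag suites that should not be offered. Suite names follow the IANA
registry; the list of weak components is this example's own judgement."""
import re

# TLS 1.3 suites (RFC 8446 appendix B.4): cipher + hash only.
TLS13_RE = re.compile(
    r"^TLS_(?P<cipher>AES_128_GCM|AES_256_GCM|CHACHA20_POLY1305|AES_128_CCM(?:_8)?)"
    r"_(?P<mac>SHA256|SHA384)$")
# TLS 1.2 and earlier: TLS_<kex>[_<auth>]_WITH_<cipher>_<mac>
TLS12_RE = re.compile(
    r"^TLS_(?P<kexauth>[A-Za-z0-9_]+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5|NULL)$")

FORWARD_SECRET_KEX = {"ECDHE", "DHE"}
WEAK_CIPHER_PREFIXES = ("NULL", "RC4", "RC2", "DES", "3DES", "IDEA", "SEED")


def parse_suite(name):
    """Split a suite name into its negotiated components."""
    m = TLS13_RE.match(name)
    if m:
        return {"version": "1.3", "kex": None, "auth": None,
                "cipher": m["cipher"], "mac": m["mac"]}
    m = TLS12_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    # "ECDHE_RSA" -> ECDHE key exchange, RSA authentication; a bare "RSA"
    # means static RSA key exchange with RSA authentication.
    kex, _, auth = m["kexauth"].partition("_")
    return {"version": "<=1.2", "kex": kex, "auth": auth or kex,
            "cipher": m["cipher"], "mac": m["mac"]}


def weaknesses(name):
    """List the reasons a suite should not be offered (empty = acceptable)."""
    s = parse_suite(name)
    if s["version"] == "1.3":
        return []   # every 1.3 suite is AEAD and every 1.3 handshake is forward secret
    issues = []
    if s["kex"] not in FORWARD_SECRET_KEX:
        issues.append("no forward secrecy (static key exchange)")
    if s["auth"] == "anon":
        issues.append("unauthenticated (anonymous) key exchange")
    if "EXPORT" in s["kex"] or "EXPORT" in s["auth"]:
        issues.append("export-grade key sizes")
    if s["cipher"].startswith(WEAK_CIPHER_PREFIXES):
        issues.append(f"weak or null cipher ({s['cipher']})")
    if "CBC" in s["cipher"]:
        issues.append("CBC mode (non-AEAD, padding-oracle history)")
    if s["mac"] in ("MD5", "NULL"):
        issues.append(f"weak or null MAC ({s['mac']})")
    return issues


def filter_offer(names):
    """Keep only suites with no weaknesses, preserving the caller's preference order."""
    return [n for n in names if not weaknesses(n)]


# Constructed example of a server's configured list, strongest first.
SAMPLE_OFFER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",      # AES-GCM but static RSA: no forward secrecy
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for n in SAMPLE_OFFER:
        print(f"{n:48} {parse_suite(n)['version']:5} {weaknesses(n)}")
    print(filter_offer(SAMPLE_OFFER))
```

Note that the TLS 1.3 branch needs no checks at all: the protocol itself only permits AEAD ciphers and ephemeral key exchange, which is the practical meaning of "simplified suites".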
API authentication
APIs can use more secure authentication
and authorization methods, such as SAML and OAuth
There was more on API considerations but I didn't understand. See slide 15.
subscription services
Susceptible to XML injection: RSS and Atom feeds are XML documents, so feed content from a third party must be treated as untrusted input and parsed with a hardened parser.
News and information services
•Market and financial intelligence and information
•Security threat intelligence and information
•Reference and training materials
•Software applications and cloud services
•Provide secure access
•News feed security
•Really Simple Syndication (RSS)
•Atom
SFTP
SSH FTP (SFTP) - a file transfer subsystem that runs inside an SSH session on TCP port 22. Despite the name it does not tunnel the FTP protocol; it is a separate protocol that reuses SSH authentication and encryption.
FTPS
FTP over SSL (FTPS)
Do I need this?
•Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one
•Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP commands (port 990 for the control connection)
two types of email protocols
• The Simple Mail Transfer Protocol (SMTP) specifies how mail is sent from one
system to another.
• A mailbox access protocol (POP3 or IMAP) lets users retrieve messages from a server that stores them, either downloading them to client computers (POP3) or managing them on the server (IMAP).
Secure SMTP
• STARTTLS—this is a command that upgrades an existing unsecure connection to use
TLS. This is also referred to as explicit TLS or opportunistic TLS.
• SMTPS—this establishes the secure connection before any SMTP commands (HELO,
for instance) are exchanged. This is also referred to as implicit TLS.
STARTTLS is more widely used. Note that it is opportunistic: if a man-in-the-middle strips the STARTTLS capability from the server's greeting, a client that does not insist on TLS will fall back to plaintext.
Mailbox access protocols
- Post Office Protocol (POP3)
- Internet Message Access Protocol (IMAP)
- Better mailbox management features than POP3
- Secure ports
- POP3S TCP port 995
- IMAPS TCP port 993
Secure/Multipurpose Internet Mail Extensions (S/MIME).
STARTTLS and SMTPS only protect each hop between mail servers; the message itself is stored and relayed in the clear. Consequently, there is still a need for authentication and confidentiality to be applied on a per-message basis. One means of doing this is called Secure/Multipurpose Internet Mail Extensions (S/MIME).
- End-to-end encryption for message contents
- Authentication and confidentiality using PKI certificates
- Correspondents must exchange and trust certificates
VTC and VOIP
Voice over IP (VoIP), web conferencing, and video teleconferencing (VTC)
Protocols handle these three areas
session control, data transport and QoS
Probably don’t spend a lot of time on this one
• Session control—used to establish, manage, and disestablish communications
sessions. They handle tasks such as user discovery (locating a user on the network),
availability advertising (whether a user is prepared to receive calls), negotiating session
parameters (such as use of audio/video), and session management and termination.
• Data transport—handles the delivery of the actual video or voice information.
• Quality of Service (QoS)—provides information about the connection to a QoS
system, which in turn ensures that voice or video communications are free from
problems such as dropped packets, delay, or jitter.
Session Initiation Protocol (SIP)
used to handle session control (VOIP, VTC)
SRTP and RTP
Real-time Transport Protocol (RTP) - provides the actual delivery of real-time data (VoIP, VTC) over UDP
Secure RTP (SRTP) - adds confidentiality (encryption of the call data), message authentication/integrity and replay protection to RTP
two models of remote access architecture (using VPN)
- Remote access (client-to-site): an individual host connects to the network over the Internet through a VPN client
- Branch office (site-to-site): VPN gateways at each site tunnel traffic between the two networks; the hosts behind them need no VPN client
VPN
The VPN protocol establishes
a secure tunnel so that the contents are kept private, even when the packets pass over
ISPs’ routers.
Point-to-Point Tunneling Protocol (PPTP)
Legacy. Its authentication (MS-CHAP) and encryption (MPPE/RC4) are weak and it should not be used.
Transport Layer Security (TLS) VPN (more commonly known as SSL VPN)
Good (not legacy) VPN protocol
- Uses TLS to negotiate a secure connection, authenticated by PKI certificates
- Tunnels network traffic over TLS
VPN examples
OpenVPN (open source TLS-based VPN)
Microsoft's Secure Socket Tunneling Protocol (SSTP), which carries PPP over TLS on TCP port 443
Note: the Point-to-Point Protocol (PPP) is not a VPN protocol in itself; it is the link-layer framing that PPTP, L2TP and SSTP carry inside their tunnels.
Internet Protocol Security (IPSec)
Provides confidentiality and/or integrity (and authentication of the packet's origin).
IPSec operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support. (TLS, by contrast, sits above TCP and must be supported by each application that uses it.)
two protocols of IPSec
Authentication Header (AH)
• Signs the packet (including the IP header) but does not encrypt the payload
• Provides authentication/integrity only
Encapsulating Security Payload (ESP)
• Provides confidentiality (payload encryption) and/or authentication/integrity; ESP with authentication enabled is the normal choice
IPSec Transport and Tunnel Modes
- Transport mode: protects only the payload of the original packet; the original IP header stays in the clear. Used for host-to-host connections on a private network.
- Tunnel mode: the whole original packet (header and payload) is encapsulated inside a new IP packet with a new header, so internal addresses are hidden. Used between gateways (site-to-site VPN) across an unsecure network.
Internet Key Exchange and Security Associations (SA)
IPSec's encryption and hashing functions depend on a shared secret. The secret must be communicated to both hosts and the hosts must confirm one another's identity (mutual authentication). Otherwise, the connection is vulnerable to man-in-the-middle and spoofing attacks.
The Internet Key Exchange (IKE) protocol handles peer authentication and key exchange and sets up the Security Associations (SAs): the agreed algorithms, keys and lifetimes used for each direction of the IPSec connection.
Layer 2 Tunneling Protocol and IKE v2
I didn’t fully get this. was tired
Layer 2 Tunneling Protocol/IPSec VPN
•Use IPSec for secure tunneling of Point-to-Point Protocol (PPP) frames
•Allows user authentication via EAP or CHAP
IKE v2
•Makes IPSec a standalone remote access VPN protocol
•Support for EAP user authentication methods
•Reduces number of setup messages
•Support multihoming on client device (switching between Wi-Fi and cellular data)
Layer 2 Tunneling Protocol and IKE v2
CompTIA
Layer 2 Tunneling Protocol
This first version of IKE is optimized to ensure the mutual authentication of two peer
hosts, such as in a site-to-site VPN. On its own, it does not provide a simple means for
a client user account to authenticate to a remote network directory. Consequently,
for remote access VPNs, a combination of IPSec with the Layer 2 Tunneling Protocol
(L2TP) VPN protocol is often used.
IKE v2
The drawbacks of the original version of IKE were addressed by an updated protocol.
IKE v2 has some additional features that have made the protocol popular for use as a
standalone remote access VPN solution.
Compared to L2TP/IPSec, using IKE v2 is more efficient: there is no second encapsulation layer and fewer messages are needed to set up the tunnel.
VPN Client Configuration
To configure a VPN client, you may need:
- to install the client software if the VPN type is not natively supported by the OS.
- to deploy a client certificate that is trusted by the VPN concentrator to the machine and make that available to the VPN client.
- to configure settings for how the VPN connection operates.
Always-On VPN
Traditional remote access VPN solutions require the user to initiate the connection and
enter their authentication credentials. An always-on VPN means that the computer establishes the VPN automatically whenever it detects an Internet connection and is not on a trusted (corporate) network, using the user's cached credentials or the device's certificate to authenticate. Microsoft has an Always On VPN solution for Windows Server and Windows 10 clients.
Split Tunnel versus Full Tunnel
The guide has a diagram that shows this better
Split tunnel—only traffic destined for the corporate network goes through the VPN; the client accesses the Internet directly using its "native" IP configuration and DNS servers.
Full tunnel—all traffic, including Internet access, is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.
Full tunnel gives the organization visibility and filtering of all the client's traffic; split tunnel reduces load on the VPN gateway but means the client's Internet traffic bypasses corporate security controls.
Remote Desktop
A remote access VPN joins the user’s PC or smartphone to the local network, via the
secure tunnel.
Another model for remote networking involves connecting to a host
within the local network over a remote administration protocol. A protocol such as
Secure Shell (SSH) only supports terminal access, but there are many other tools that
can connect to a graphical desktop.
A GUI remote administration tool sends screen and
audio data from the remote host to the client and transfers mouse and keyboard input
from the client to the remote host.
GUI based remote desktop
A GUI remote administration tool sends screen and
audio data from the remote host to the client and transfers mouse and keyboard input
from the client to the remote host.
Remote Desktop Protocol (RDP)
Microsoft’s Remote Desktop Protocol (RDP) can be used to access a physical machine
on a one-to-one basis. Alternatively, the site can operate a remote desktop gateway
that facilitates access to virtual desktops or individual apps running on the network
servers
- Connect to physical machines
- RDP gateway to virtual desktops and apps
HTML5/clientless
- Access desktops and web applications from Internet via gateway to internal network
- Browser support for canvas element plus WebSockets
Traditionally, these remote desktop products require a client app. The canvas element
introduced in HTML5 allows a browser to draw and update a desktop with relatively
little lag. It can also handle audio. This is referred to as an HTML5 VPN or as a clientless
remote desktop gateway (guacamole.apache.org). This solution also uses a protocol
called WebSockets, which enables bidirectional messages to be sent between the
server and client without requiring the overhead of separate HTTP requests.
Remote access management and secure admin workstations (SAWs)
Remote access management refers to the specific use case of using a secure channel to administer a network appliance or server.
The secure admin workstations (SAWs) used
to perform management functions must be tightly locked down, ideally installed with
no software other than that required to access the administrative channel—minimal
web browser, remote desktop client, or SSH virtual terminal, for instance. SAWs should
be denied Internet access or be restricted to a handful of approved vendor sites (for
patches, drivers, and support). The devices must also be subject to stringent access
control and auditing so that any misuse is detected at the earliest opportunity.
Out-of-Band Management
Remote management methods can be described as either in-band or out-of-band (OOB). An in-band management link is one that shares traffic with other
communications on the “production” network. A serial console or modem port on a
router is a physically out-of-band management method. When using a browser-based
management interface or a virtual terminal over Ethernet and IP, the link can be
made out-of-band by connecting the port used for management access to physically
separate network infrastructure. This can be costly to implement, but out-of-band
management is more secure and means that access to the device is preserved when
there are problems affecting the production network. With an in-band connection,
better security can be implemented by using a VLAN to isolate management traffic.
This makes it harder for potential eavesdroppers to view or modify traffic passing over
the management interface. This sort of virtual OOB does still mean that access could
be compromised by a system-wide network failure, however.
Jump servers
One of the challenges of managing hosts that are exposed to the Internet, such as in
a DMZ or cloud virtual network, is to provide administrative access to the servers and
appliances located within it. On the one hand, a link is necessary; on the other, the administrative interface could be compromised and exploited as a pivot point into the rest of the network. Consequently, the management hosts permitted to access
administrative interfaces on hosts in the secure zone must be tightly controlled.
Configuring and auditing this type of control when there are many different servers
operating in the zone is complex.
One solution to this complexity is to add a single administration server, or jump
server, to the secure zone. The jump server only runs the necessary administrative
port and protocol (typically SSH or RDP). Administrators connect to the jump server
then use the jump server to connect to the admin interface on the application server.
The application server’s admin interface has a single entry in its ACL (the jump server)
and denies connection attempts from any other hosts.
SSH
Secure Shell (SSH) is the principal means of obtaining secure remote access to a
command-line terminal. The main uses of SSH are for remote administration and
secure file transfer (SFTP).