Lesson 11 - Implementing Secure Network Protocols Flashcards
provides an automatic method for network address allocation.
Dynamic Host Configuration Protocol (DHCP)
is a type of DoS attack where a rogue client repeatedly requests new IP addresses using spoofed MAC addresses, with the aim of exhausting the IP address pool.
DHCP starvation
This makes it more likely that clients seeking an address lease will use the rogue DHCP server.
resolves fully qualified domain names (FQDNs) to IP addresses.
Domain Name System (DNS)
The name servers work over port 53.
A type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.
Domain Hijacking
A network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker’s choosing.
DNS poisoning
Several DNS poisoning attacks can be perpetrated:
Man in the Middle
DNS Client Cache Poisoning
DNS Server Cache Poisoning
obtaining information about a private network by using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS or simply by querying the DNS service, using a tool such as nslookup or dig.
DNS Footprinting
A security protocol that provides authentication of DNS data and upholds DNS data integrity.
DNS Security Extensions (DNSSEC)
Helps to mitigate spoofing and poisoning attacks by providing a validation process for DNS responses.
The Key Signing Key for a particular domain is validated by the parent domain or host ISP. The top-level domain trusts are validated by the Regional Internet Registries and the DNS root servers are self-validated, using a type of M-of-N control group key signing. This establishes a chain of trust from the root servers down to any particular subdomain.
A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
Lightweight Directory Access Protocol (LDAP)
Port 389
A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
LDAP Secure (LDAPS)
LDAPS (TLS over TCP port 636)
Protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.
Simple Network Management Protocol (SNMP)
Widely used framework for management and monitoring.
Device queries take place over port 161 (UDP); traps are communicated over port 162 (also UDP).
SNMP v3 supports encryption and strong user-based authentication.
Provides a transport over which to synchronize these time-dependent applications.
Network Time Protocol (NTP)
NTP works over UDP on port 123.
Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC) from a highly accurate clock source, such as an atomic clock.
The protocol used to provide web content to browsers. HTTP uses port 80. HTTPS(ecure) provides for encrypted transfers, using SSL/TLS and port 443.
HyperText Transfer Protocol (HTTP)
HTTP also features a forms mechanism (POST) whereby a user can submit data from the client to the server.
HTTP is nominally a stateless protocol; this means that the server preserves no information about the client during a session.
A security protocol that uses certificates for authentication and encryption to protect web communication.
Transport Layer Security (TLS)
Secure Socket Layer (SSL)
An attack where a man-in-the-middle tries to force the use of a weak cipher suite and SSL/TLS version.
Downgrade Attack
the algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol.
A cipher suite
Prior to TLS 1.3, a cipher suite would be written in the following form:
ECDHE-RSA-AES128-GCM-SHA256
This means that the server can use Elliptic Curve Diffie-Hellman Ephemeral mode for session key agreement, RSA signatures, 128-bit AES-GCM (Galois Counter Mode) for symmetric bulk encryption, and 256-bit SHA for HMAC functions. Suites the server prefers are listed earlier in its supported cipher list.
TLS 1.3 uses simplified and shortened suites. A typical TLS 1.3 cipher suite appears as follows:
TLS_AES_256_GCM_SHA384
Only ephemeral key agreement is supported in 1.3 and the signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384) used within the new hash key derivation function (HKDF). HKDF is the mechanism by which the shared secret established by D-H key agreement is used to derive symmetric session keys.
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
application programming interface (API)
Use of these APIs is authorized via a token or secret key.
Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.
XML injection
A protocol used to transfer files between network hosts.
File Transfer Protocol (FTP)
Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES) and T(rivial)FTP. FTP utilizes ports 20 and 21.
All authentication and data transfer are communicated as plaintext, meaning that credentials can easily be picked out of any intercepted FTP traffic.
A secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files.
SSH FTP (SFTP)
Secure Shell (SSH) over TCP port 22
Another means of securing FTP is to use the connection security protocol SSL/TLS. There are two means of doing this:
Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).
Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection. A type of FTP using TLS for confidentiality.
FTPS is tricky to configure when there are firewalls between the client and server. Consequently, FTPES is usually the preferred method.
The protocol used to send mail between hosts on the Internet.
Simple Mail Transfer Protocol (SMTP)
Messages are sent over TCP port 25.
SMTP communications can be secured using TLS. This works much like HTTPS with a certificate on the SMTP server. There are two ways for SMTP to use TLS:
STARTTLS—this is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS.
SMTPS—this establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS.
The STARTTLS method is generally more widely implemented than SMTPS. Typical SMTP configurations use the following ports and secure services:
Protocol operating over TCP port 110 that enables a client to access email messages stored in a mailbox on a remote server. The server usually deletes messages once the client has downloaded them.
Post Office Protocol v3 (POP3)
POP3S is the secured version of the protocol, operating over TCP port 995 by default.
TCP/IP application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server.
Internet Message Access Protocol v4 (IMAP4)
IMAP4 utilizes TCP port number 143.
The default port for IMAPS is TCP port 993.