Lesson 11 Implementing Secure Networks Flashcards

1
Q

DHCP

A

Dynamic Host Configuration Protocol

  • great time saver, allowing users to access the network without real knowledge of the network
  • provides a method for network address allocation

- prevent rogue DHCP hosts by enabling the DHCP snooping security feature

2
Q

DHCP Starvation

A

Type of DoS attack using a rogue client to repeatedly request new IP addresses based on spoofed MAC addresses
This starves the IP address pool available to DHCP
Makes it more likely that clients will then use the rogue DHCP server
Attackers can then redirect users to a rogue DNS server or to the attacker's machine as the default gateway to snoop on all network traffic

3
Q

DNS

A

Domain Name System

  • resolves FQDNs to IP addresses
  • uses a distributed database system
  • works over UDP port 53
  • target of many types of attacks
    • domain hijacking
4
Q

Domain Hijacking

A

Attackers acquire a domain for a company's trading name or trademark, or some spelling variation of it
In an attack, the attackers gain control over the registration of a domain name, configuring the host records to point to IP addresses of their choosing

5
Q

URL Redirection

A

Refers to the use of HTTP redirects to open a page other than the one the user requested
Can be legitimate if used to direct users to the proper newer pages
Attacks use typo spoofing to trick users into going to an illegitimate site
This would be the link in a phishing attack
A compromised server could have the link in .htaccess files or in JavaScript
A server could have a poorly validated form allowing the script to be uploaded

6
Q

DNS Poisoning

A

An attack which changes or modifies the way a client queries the DNS to locate the IP address for a domain name (FQDN)

Utilized by:
Man in the Middle
DNS Client Cache Poisoning
DNS Server Cache Poisoning

7
Q

Man in the Middle

A

An attack where the attacker changes the responses returned from a DNS server or redirects queries to a rogue DNS server.
Can use ARP poisoning to respond to DNS queries with spoofed replies
Can use DoS and a rogue DHCP server to resolve the location of the DNS server to the rogue DNS server
Attacker must be on the same network as the victim(s)

8
Q

DNS client Cache Poisoning

A

Attacker utilizes the fact that domain name resolution first checks a local hosts file (/etc/hosts) before attempting to contact the DNS server.
The file is changed to redirect traffic to the rogue host/server of their choosing
Requires access to the host and admin privileges

9
Q

DNS Server Cache Poisoning

A

An attack where the attacker corrupts the records used by the DNS server

Attackers can use a DoS to spoof replies to requests from other name servers

Attackers can use a recursive query, which forces the local DNS server to query the authoritative DNS server. The authoritative DNS server is compromised by the attacker, allowing the attacker to provide false domain-to-IP mappings of their choosing. The local DNS server then adds these to its cache as legitimate mappings.

Identify by using the nslookup or dig tools to find inconsistencies in the mappings

10
Q

DNS footprinting attack

A

An attack which performs a DNS zone transfer (all the records in a domain) to a rogue DNS.
Prevent by implementing an ACL to prevent zone transfers to unauthorized hosts or domains. This will prevent external users from gaining knowledge about the private network.

11
Q

DNS Security

A

On a private network, only allow recursive queries from local hosts, not the internet
On the server, implement access control measures to prevent malicious record updates
Clients should be restricted from using unauthorized DNS servers
DNS servers should be kept patched to the latest versions
Apply an ACL entry to prevent zone transfers to unauthorized hosts or domains

12
Q

DNSSEC

A

DNS Security Extensions
Uses signing keys and a top-level domain of trust
DNS root servers are self-validated using an M-of-N control group for key signing

13
Q

Network Directory

A

A list of subjects (principals: users, computers, and services) and objects (directories and files) which are available on the network.

  • holds the permissions subjects have over objects.
  • facilitates authentication and authorization of subjects allowed on the system.
14
Q

Network Directory Services

A

Utilizes the Lightweight Directory Access Protocol (LDAP) and
Lightweight Directory Access Protocol Secure (LDAPS)

Authentication, or binding to the server, can be implemented in the following ways:

  • no authentication for the directory - it has anonymous access
  • simple bind - clients supply a distinguished name (DN) and password, as plain text
  • Simple Authentication and Security Layer (SASL) - client and server decide which supported authentication mechanism to use, such as Kerberos
  • LDAP Secure (LDAPS, port 636) - sets up a secure tunnel using a digital certificate for user credential exchange
15
Q

Network Directory Services Security

A

For secure access, disable the anonymous and simple authentication access methods on the server

Use an access control policy to properly control query (read-only) and update (read/write) access.

For private implementations, block the LDAP ports from public access via ACL in the firewall. If internet access is required, permit only authorized IPs access to the directory.

16
Q

Time Synchronization - NTS

A

Network Time Synchronization (NTS, UDP over port 123)

  • used in time-dependent applications such as authentication and security mechanisms, scheduling apps and backup software
  • there are no security mechanisms provided by this protocol
17
Q

SNMP Security

A

Simple Network Management Protocol

  • uses monitors and agents
  • agents are software running on network devices (switches, routers, servers)
  • agents maintain a management information base (MIB)
  • agents initiate traps on events and transmit information on UDP port 162
  • agents listen for queries on UDP port 161
  • monitors are software that allow users to monitor the MIBs of agents or display trap events

Security:

  • disable the default configuration if it is not used on the system
  • change the default passwords
  • remember to do this for any devices you add to the system
  • community names are transmitted in plain text; don't transmit them if there is a risk of interception
  • use difficult-to-guess community names
  • restrict management operations to known hosts via ACL
  • use SNMP v3 as it supports encryption
18
Q

HTTP and Web Services

A

HyperText Transfer Protocol uses TCP over port 80

  • submits a request for a resource using a uniform resource locator (URL)
  • users can POST data to the server
  • integrated with databases on the server
  • supports scripting and programmable features (web applications)
  • uses cookies to preserve session information

Security: all of these features increase the attack surface and expose more vulnerabilities

19
Q

TLS

A

Transport Layer Security
- a standard used for sending data securely
- used with HTTP Secure (HTTPS) but also with other application protocols and VPNs
Implementation:
- the server is assigned a digital certificate signed by a trusted certificate authority (CA)
- the cert proves the identity of the server
- this validates the server's public and private key pair
- the server uses the key pair and the TLS protocol to agree upon a cipher to use with the client
- the server negotiates an encrypted communications session
- the client can also install certificates so the server trusts the client
- this is usually used for VPNs and enterprise networks

20
Q

Downgrade Attack and TLS versions

A

A man in the middle tries to force the use of a weaker cipher suite and SSL/TLS version

This utilizes the fact that TLS 1.2 can be configured to downgrade to a lower version level of TLS, or even SSL 3.0, if the client cannot support TLS 1.2

TLS 1.3 is the latest version and removed the use of insecure features when downgrading to previous versions

21
Q

Cipher Suites

A

The algorithms supported by the client and server to perform the encryption and hashing operations required by the protocol.
Example:
Prior to TLS 1.3, written as:
ECDHE-RSA-AES128-GCM-SHA256
session key agreement: ECDHE - Elliptic Curve Diffie-Hellman Ephemeral mode
RSA signatures
symmetric bulk encryption: 128-bit AES-GCM (Galois counter mode)
HMAC function: 256-bit SHA

TLS 1.3 uses a shortened form: TLS_AES_256_GCM_SHA384

22
Q

HKDF - Hash Key Derivation Function

A

Hash Key Derivation Function

mechanism to establish a shared secret by D-H key agreement and derive symmetric session keys from it

23
Q

API Considerations

A

Application Programming Interface (API)

  • utilized by web applications as a way to interface with the application
  • uses POST, GET, etc.
  • authorization to use it is via a token or secret key

Security considerations:

  • management of the token or secret key is very important to avoid data breaches and data theft
  • use SAML or OAuth as a more secure means of authentication and authorization
  • monitor usage to ensure only authorized endpoints are making transactions
24
Q

Subscription Services and Feeds security concerns

A

These are web and/or cloud apps which provide information and should be secured.

They are vulnerable to XML injection attacks
Allows attackers to:
- show malicious links
- interact with the file system

25
Q

FTP

A

File Transfer Protocol

  • uses public directories, hosted files and user accounts
  • more efficient than HTTP but insecure

Should use SFTP or FTPS instead

26
Q

SFTP

A

SSH FTP

  • encrypts the authentication and data transfer between client and server
  • uses SSH, TCP over port 22
  • mitigates eavesdropping and man-in-the-middle attacks
  • requires the SSH server to support SFTP and an SFTP client
27
Q

FTPS

A

FTP over SSL uses the SSL/TLS protocols via two means:

  • Explicit TLS (FTPES) - uses the AUTH TLS command to upgrade the connection over port 21 to a secure one. Uses PROT to encrypt the data transfer.
  • Implicit TLS (FTPS) - creates an SSL/TLS tunnel prior to the exchange of any FTP commands. Uses secure port 990 for the control connection.

FTPS is tricky to configure through a firewall,
so FTPES is usually preferred

28
Q

SMTP

A

Simple Mail Transfer Protocol (SMTP)

  • how mail is sent from one system to another
  • uses the Mail Exchanger (MX) record found in DNS to obtain the IP address of the recipient
  • uses TCP over port 25 for insecure message relay

Explicit TLS or opportunistic TLS uses STARTTLS to upgrade the connection to TLS and uses TCP port 587

Implicit TLS uses SMTPS (TCP over port 465) to establish a secure connection prior to message exchange

29
Q

POP3

A

Post Office Protocol v3 is used to store messages delivered via SMTP on a server.

  • downloads the messages from the server
  • user is authenticated prior to download via user name and password
  • uses TCP over port 110
  • uses a secure connection over TCP port 995
30
Q

IMAP

A

Internet Message Access Protocol v4

  • mailbox service supporting a permanent connection to the server and connecting multiple clients to the same mailbox simultaneously
  • allows client management of mail folders on the server
  • users authenticate themselves prior to retrieval
  • uses TCP over port 143 for an insecure connection
  • uses TCP over port 993 for a secure connection
31
Q

S/MIME

A

Secure/Multipurpose Internet Mail Extensions provides the end-to-end security of email encryption

  • provides authentication and confidentiality on a per-message basis
  • allows two users to exchange secure emails
  • user is issued a cert containing the user's public key, signed by the CA
  • user holds the private key
  • both users must exchange certs and be using S/MIME
  • sender signs the email with a hash of the message using its private key
  • sender encrypts the message, hash, and its public key and sends them to the recipient
  • recipient then decrypts the message using its public key
  • recipient decrypts the signature using the public key of the sender
  • recipient creates a hash of the message
  • validation occurs by comparing the recipient's hash to the hash sent by the sender
32
Q

Voice and Video Secure Services

A

Voice over IP (VoIP) and video transport real-time data and create point-to-point connections between hosts
- provide session control, data transport, and QoS

Data transport utilizes the Real-time Transport Protocol (RTP)

Session control utilizes the Session Initiation Protocol (SIP)
- creates a SIP Uniform Resource Identifier (URI) for each device
- utilizes a Private Branch Exchange (PBX)
- unencrypted, runs over TCP port 5060
SIP Secure (SIPS)
- similar to HTTPS, SIPS uses digital certs to authenticate endpoints and establish a TLS tunnel
- generates a master key to interface with Secure RTP (SRTP) to provide confidentiality for the data
- encrypted, runs over TCP port 5061

33
Q

Remote Access

A

Connection of a device from a network outside of the local network
Usually implemented via a Virtual Private Network (VPN) running over the internet

34
Q

VPN

A

Virtual Private Network

- establishes a private secure tunnel through the networks

35
Q

Remote VPN vs Site to Site VPN

A

Remote VPN is a secure tunnel from a remote device to corporate network

  • Client directly connects to a Remote Access Screened Subnet containing a VPN Gateway to a router or firewall
  • Client and VPN Gateway create the secure VPN tunnel
  • VPN Screened Subnet’s router/firewall connects to the local network’s access point, router/firewall to access authorized servers, etc.

Site to Site VPN is a secure tunnel from a private network to a private network

  • Client connects through the local Router/Firewall/VPN Gateway
  • the local VPN Gateway then negotiates the setup of the secure VPN tunnel with the distant VPN Gateway on the distant VPN Screened Subnet
  • the routing protocols on each end determine which traffic uses the VPN tunnel
36
Q

VPN Security

A

Utilizes TLS and IPSec to configure VPN access
A TLS VPN or SSL VPN requires a listening port on the remote access server, usually 443
The client creates a connection using TLS so the server is authenticated to the client and a secure tunnel is created
The client can then send credentials to authenticate with the server, usually via a RADIUS server
Once authenticated, the VPN tunnels all traffic to the remote network via the secure socket

Examples:
OpenVPN - open source example of a TLS VPN
Secure Socket Tunneling Protocol (SSTP) - Microsoft's version of tunneling, carrying Point-to-Point Protocol (PPP) layer 2 frames over a TLS session
PPP provides encapsulation for IP traffic, IP address assignment and authentication via the Challenge Handshake Authentication Protocol (CHAP)

37
Q

IPSec

A

Internet Protocol Security

  • operates at the Network Layer (layer 3 of the OSI model)
  • provides encrypted data packets (confidentiality)
  • provides anti-replay by signing each packet (integrity)
  • adds overhead to do this, though
  • each device must be assigned an IPSec policy to define which authentication mechanism to use, Authentication Header (AH) or Encapsulation Security Payload (ESP)
38
Q

HMAC

A

Hash-based Message Authentication Code
a method used to verify both the integrity and authenticity of a message by combining the cryptographic hash of the message with a secret key

39
Q

IPSec AH

A

Internet Protocol Security Authentication Header (AH) protocol

  • performs a cryptographic hash of the whole packet (including the IP header, plus the shared secret key)
  • adds the hash (HMAC) into the header as an Integrity Check Value (ICV)
  • the recipient performs the same function on the packet and key and matches it to the hash value to show the packet was not modified (integrity)
  • however, the payload is not encrypted
  • does not work when crossing network gateways where the IP header is rewritten
  • for this reason AH is not used very often
40
Q

IPSec ESP

A

Internet Protocol Security Encapsulation Security Payload (ESP)

  • provides confidentiality, authentication and integrity
  • encrypts the packet rather than just adding an HMAC
  • attaches a header, padding/trailer, and an Integrity Check Value (ICV)
  • the IP header is excluded when calculating the ICV
41
Q

IPSec Transport mode

A

Used to secure communications between hosts on a private network

can utilize either AH or ESP

  • use AH for integrity of the IP header
  • use ESP to encrypt the payload, the IP header is not encrypted
42
Q

IPSec Tunnel Mode

A

Used for communications between VPN gateways across an insecure network

  • referred to as the router implementation
  • only uses ESP
  • AH has no use case
  • ESP encrypts the whole packet (header and payload) and encapsulates it as a datagram with a new IP header
43
Q

IKE

A

Internet Key Exchange (IKE) protocol

  • handles authentication and key exchange, referred to as Security Associations (SA)
  • utilized by IPSec to provide a shared secret between hosts, which is critical to the IPSec framework (mutual authentication)
  • uses two phases to negotiate authentication
  • Phase 1 establishes the identity of the 2 hosts and performs key agreement to create a secure channel
    • uses either digital certificates or a Pre-Shared Key (PSK)
  • Phase 2 uses the secure channel to establish which ciphers and key sizes are to be used
    • AH and/or ESP
44
Q

L2TP/IPSec VPN

A

Layer 2 Tunneling Protocol (L2TP)/IPSec VPN
- utilized for remote client user account authentication to a remote network's directory
- main drawback is the overhead of double encapsulation of the traffic
Process:
- client and VPN gateway create a secure IPSec channel via the internet using a pre-shared key or certificates for IKE
- VPN gateway uses L2TP to exchange local network data encapsulated as PPP frames
- client authenticates over the PPP session using EAP or CHAP

45
Q

IKE v2

A

Fixes drawbacks of the earlier Internet Key Exchange (IKE)

  • support for EAP authentication
  • simplified connection setup with a single 4-message setup to reduce bandwidth
  • reliability, allowing NAT traversal and MOBIKE multihoming

Multihoming allows a client with multiple interfaces (e.g. a smartphone with Wi-Fi and cellular) to keep the IPSec connection alive during the switch between the interfaces

46
Q

VPN Client Configuration

A

May need to configure the client VPN settings if not natively supported by the OS

Always-On VPN
- utilizes cached credentials to authenticate
- the VPN is set up whenever an internet connection over a trusted node is detected
Split-Tunnel
- LAN traffic to/from the client utilizes the VPN tunnel
- other traffic utilizes the internet directly
Full-Tunnel
- internet traffic is mediated at the customer's Screened Subnet via the DNS server and a content filter
- could use a proxy to do this as well

47
Q

Remote Desktop

A

Another model for remote networking connecting a host in the local network over a remote administration protocol. This is used for GUI rather than CLI like SSH.
Examples:
Remote Desktop Protocol (RDP)
Virtual Network Computing (VNC)
HTML5 VPN - utilizes WebSockets allowing for bidirectional messages

48
Q

SAW

A

Secure Admin Workstations

  • provides a secure means for admins to perform management functions of a network appliance or server
  • must be tightly locked down, ideally installed with only needed SW to do the job
  • should be denied internet access or only a handful of approved vendors for patching
  • should have stringent access controls
49
Q

OOB Management

A

Out-of-Band Management
A remote management method similar to using a serial console or modem port on a router, but is virtual instead. This method creates a separate network infrastructure

50
Q

Jump server

A

A server used by admins to manage application servers and network appliances located on the DMZ, to permit tighter access control.

Only runs the required protocols, like SSH or RDP

The application server's admin interface has a single ACL entry allowing the jump server; all other hosts are denied

51
Q

SSH

A

Secure Shell allows a user to obtain remote access to a command line terminal

SSH servers are identified by a public/private key pair (the host key), which is used to set up a secure channel allowing the client to submit authentication credentials

Client Authentication
Username/password - SSH authenticates the user against RADIUS/TACACS+ or a database
Public Key - the remote user's public key is in a list of authorized users for server access
Kerberos - the client submits Kerberos credentials (TGT) to the SSH server, which then contacts the Ticket Granting Service (TGS) to validate the client credentials. The TGT is obtained when the user logged on to the workstation, and is passed to the server using GSSAPI (Generic Security Services API)

Generate SSH keys (the -t option takes the key type as its argument):
ssh-keygen -t rsa

Copy SSH keys to the server:
ssh-copy-id bobby@10.1.0.10