Topic 11A Flashcards

Application Security

1
Q

How are HTTP and Telnet insecure protocols?

A

They transmit data in clear text format

In contrast, secure protocols, like HTTPS and SSH (as alternatives to HTTP and TELNET), use encryption to protect transmitted data and improve security.

2
Q

Why are secure protocols sometimes difficult to work with?

A

They are more complex to implement and manage.

HTTPS requires obtaining a valid SSL/TLS certificate from a certificate authority (CA). After obtaining the appropriate certificate, it must be correctly installed and configured on a server, which requires more skill, time, and planning than simply enabling and using HTTP.

They also require the correct handling of cryptographic keys, including processes for how keys are created, stored, distributed, and revoked.

Troubleshooting is harder because administrators cannot easily inspect the content of data packets, and the configuration of secure software and operating systems is more complicated and prone to misconfiguration.

3
Q

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol)

A

TCP is connection-oriented and provides reliability, ordering, and error-checking, making it suitable for applications requiring high levels of reliability.

UDP is connectionless, making it faster than TCP and more suitable for real-time applications like video streaming, telephony, and gaming, where occasional packet loss is less impactful.

4
Q

Secure Sockets Layer (SSL)

A

developed by Netscape in the 1990s to address the lack of security in HTTP.

SSL proved very popular with the industry and was quickly adopted as a standard named Transport Layer Security (TLS).

Secures network apps and can be used as a VPN

5
Q

Transport Layer Security (TLS)

A

Security protocol that uses certificates for authentication and encryption to protect web communications and other application protocols.

To implement TLS, a server is assigned a digital certificate signed by some trusted certificate authority (CA). The certificate proves the server’s identity (assuming that the client trusts the CA) and validates the server’s public/private key pair.

The server uses its key pair and the TLS protocol to agree on mutually supported ciphers with the client and negotiate an encrypted communications session.

Still safe to use. Newer than SSL.

TLS version 1.3 was approved in 2018. One of the main features of TLS 1.3 is the removal of the ability to perform downgrade attacks, by preventing the use of unsecure features and algorithms from previous versions.

6
Q

cipher suite

A

the algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol.

7
Q

hash key derivation function (HKDF)

A

HKDF is the mechanism by which the shared secret established by D-H key agreement is used to derive symmetric session keys.

8
Q

network directory

A

lists the subjects (principally users, computers, and services) and objects (such as directories and files) available on the network plus the permissions that subjects have over objects.

Facilitates authentication and authorization, and it is critical that it be maintained as a highly secure service. Most directory services are based on the Lightweight Directory Access Protocol (LDAP).

Generally two levels of access will need to be granted on the directory: read-only access (query) and read/write access (update).

9
Q

LDAP (Lightweight Directory Access Protocol) and ways to authenticate to it.

A

The basic protocol provides no security and all transmissions are in plaintext.

No Authentication—means anonymous access is granted to the directory.

Simple Bind—means the client must supply its distinguished name (DN) and password, but these are passed as plaintext.

Simple Authentication and Security Layer (SASL)—means the client and server negotiate the use of a supported authentication mechanism, such as Kerberos. The STARTTLS command can be used to require encryption (sealing) and message integrity (signing). This is the preferred mechanism for Microsoft’s Active Directory (AD) implementation of LDAP.

LDAP Secure (LDAPS)—means the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.

10
Q

Simple Network Management Protocol (SNMP)

A

framework for management and monitoring

SNMP consists of an SNMP monitor and agents.

The agent is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.

This agent maintains a database called a management information base (MIB) that holds statistics relating to the activity of the device. The agent can also initiate a trap operation, in which it informs management systems of a notable event.

The SNMP monitor (a software program) provides a location from which network activity can be overseen. It monitors all agents by polling them at regular intervals for information from their MIBs and displays the information for review. It also displays trap alerts.

11
Q

SNMP guidelines to follow

A

SNMP community names are sent in plaintext and so should not be transmitted over the network if there is any risk that they could be intercepted.

Use difficult-to-guess community names; never leave the community name blank or set to the default.

Use access control lists to restrict management operations to known hosts (that is, restrict to one or two host IP addresses).

Use SNMP v3 whenever possible, and disable older versions of SNMP. SNMP v3 supports encryption and strong user-based authentication.

Disable SNMP if not in use.

12
Q

File Transfer Protocol (FTP)

A

typically configured with several public directories, hosting files, and user accounts. Most HTTP servers also function as FTP servers, and FTP services, accounts, and directories may be installed and enabled by default when you install a web server.

FTP is a plaintext protocol. It can be secured by using SSH, which supports SFTP.

13
Q

Secure File Transfer Protocol (SFTP)

A

encrypting the authentication and data transfer between client and server. In SFTP, a secure link is created between the client and server using Secure Shell (SSH) over TCP port 22.

Hard to configure with firewalls between server and client.

14
Q

Other means to secure FTP

A

Explicit TLS (FTPES)—uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the file transfers can also be encrypted (using the PROT command).

Implicit TLS (FTPS)—negotiates an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.

15
Q

Simple Mail Transfer Protocol (SMTP)

A

specifies how mail is sent from one system to another.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

There are two ways for SMTP to use TLS:

A

STARTTLS—is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS.

SMTPS—establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS.

17
Q

Typical SMTP configurations use the following ports and secure services:

A

Port 25—is used for message relay (between SMTP servers or message transfer agents [MTA]). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.

Port 587—is used by mail clients (message submission agents [MSA]) to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use STARTTLS and require authentication before message submission.

Port 465—is used by some providers and mail clients for message submission over implicit TLS (SMTPS), though this usage is now deprecated by standards documentation.

18
Q

Post Office Protocol v3 (POP3)

A

is a mailbox protocol designed to store the messages delivered by SMTP on a server. When the client connects to the mailbox, POP3 downloads the messages to the recipient’s email client.

19
Q

Internet Message Access Protocol (IMAP)

A

supports permanent connections to a server and connects multiple clients to the same mailbox simultaneously. It also allows a client to manage mail folders on the server.

Clients connect to IMAP over TCP port 143.

The default port for IMAPS is TCP port 993.

20
Q

Three technologies have emerged as essential for verifying the authenticity of emails and preventing phishing and spam

A

Sender Policy Framework (SPF)
DomainKeys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting & Conformance (DMARC)

21
Q

Sender Policy Framework (SPF)

A

is an email authentication method that helps detect and prevent sender address forgery commonly used in phishing and spam emails.

SPF works by verifying the sender’s IP address against a list of authorized sending IP addresses published in the DNS TXT records of the email sender’s domain.

22
Q

DomainKeys Identified Mail (DKIM)

A

leverages encryption features to enable email verification by allowing the sender to sign emails using a digital signature.

The receiving email server uses a DKIM record in the sender’s DNS record to verify the signature and the email’s integrity.

23
Q

Domain-based Message Authentication, Reporting & Conformance (DMARC)

A

uses the results of SPF and DKIM checks to define rules for handling messages, such as moving messages to quarantine or spam, rejecting them outright, or tagging the message.

DMARC also provides reporting capabilities, including reports of unauthorized activity.

24
Q

email gateway

A

is the control point for all incoming and outgoing email traffic. It acts as a gatekeeper, scrutinizing all emails to remove potential threats before they reach inboxes.

It uses anti-spam, antivirus, and threat detection algorithms to detect phishing and malicious URLs.

25
Q

Secure/Multipurpose Internet Mail Extensions (S/MIME)

A

is a protocol for securing email communications. It encrypts emails and enables sender authentication to ensure the confidentiality and integrity of email communications.

Uses public key encryption

26
Q

Domain Name System (DNS) filtering

A

a technique that blocks or allows access to specific websites by controlling the resolution of domain names into IP addresses.

It operates on the principle that for a device to access a website, it must first resolve its domain name into its associated IP address, a process managed by DNS.

Examples include Cisco’s OpenDNS, Quad9, and CleanBrowsing.

27
Q

Why is DNS filtering highly effective?

A

It provides a proactive defense mechanism, blocking access to known phishing sites, malware distribution sites, and other malicious online destinations.

It can help enforce an organization’s acceptable use policies (AUPs) by blocking access to inappropriate or distracting websites and ensuring that the Internet is used responsibly and productively.

It can protect all devices connected to a network, including IoT devices, providing an extra layer of security.

It is a simple solution that is easy to implement and presents minimal risk, making it a cost-effective security control suitable for networks of any size.

28
Q

DNS firewall

A

intercepts DNS queries at the network level and applies filtering rules accordingly. Some endpoint protection tools and antivirus software provide DNS filtering capabilities for device-level protection, which is ideal for laptops and other mobile devices.

29
Q

DNS security

A

A DNS server should only accept recursive queries from local hosts (preferably authenticated local hosts) and not from the Internet.

You also need to implement access control measures on the server to prevent a malicious user from altering records manually.

Attacks on DNS may also target the server application and/or configuration. Many DNS services run on BIND, which has known vulnerabilities.

30
Q

DNS footprinting

A

obtaining information about a private network by using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS server, or simply by querying the DNS service using a tool such as nslookup or dig.

You can apply access controls to restrict zone transfers.

31
Q

DNS Security Extensions (DNSSEC)

A

mitigates spoofing and poisoning attacks by providing a validation process for DNS responses.

With DNSSEC enabled, the authoritative server for the zone creates a “package” of resource records (called an RRset) signed with a private key