3.1 Given a scenario, implement secure protocols.


Domain Name System Security Extensions (DNSSEC)-Protocols

DNS Security Extensions (DNSSEC) help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. With DNSSEC enabled, the authoritative server for the zone creates a "package" of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature. The public zone signing key is itself signed with a separate Key Signing Key. Separate keys are used so that if there is some sort of compromise of the zone signing key, the domain can continue to operate securely by revoking the compromised key and issuing a new one.

Domain name resolution
• DNS had no security in the original design
  - Relatively easy to poison a DNS
• DNSSEC - Domain Name System Security Extensions
• Validate DNS responses
  - Origin authentication
  - Data integrity
• Public key cryptography
  - DNS records are signed with a trusted third party
  - Signed DNS records are published in DNS

SSH (Secure Shell Protocol)

A protocol for remote access to computers. It is very likely to be used to manage devices and services. SSH uses two types of key pairs:

A host key pair identifies an SSH server. The server reveals the public part when a client connects to it. The client must use some means of determining the validity of this public key. If accepted, the key pair is used to encrypt the network connection and start a session.

A user key pair is a means for a client to log in to an SSH server. The server stores a copy of the client's public key. The client uses the linked private key to generate an authentication request and sends the request (not the private key) to the server. The server can only validate this request if the correct public key is held for that client.

There are vendor solutions for SSH key management, or you can configure servers and clients to use public key infrastructure (PKI) and certificate authorities (CAs) to validate identities. A third-party credential is one used by your company to manage a vendor service or cloud app. As well as administrative logons, devices and services may be configured with a password or cryptographic keys to access hosts via SSH or via an application programming interface (API). Improper management of these secrets, such as including them in code or scripts as plaintext, has been the cause of many breaches.

- Encrypted terminal communication
- Replaces Telnet (and FTP)
- Provides secure terminal communication and file transfer features

SSH keys
• Secure Shell (SSH) - Secure terminal communication
• Use a key instead of username and password
  - Public/private keys
  - Critical for automation
• Key management is critical
  - Centralize, control, and audit key use
• SSH key managers
  - Open source, Commercial

SSH key-based authentication
• Create a public/private key pair - ssh-keygen
• Copy the public key to the SSH server - ssh-copy-id user@host
• Try it out - ssh user@host - No password prompt!

SSH (Secure Shell)
• Encrypted console communication - tcp/22
• Looks and acts the same as Telnet!

Secure/Multipurpose Internet Mail Extensions (S/MIME) -Protocols

Email: An email certificate can be used to sign and encrypt email messages, typically using Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP). S/MIME is an email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications. The user is issued a digital certificate containing his or her public key, signed by a CA to establish its validity. The public key is a pair with a private key kept secret by the user. To establish the exchange of secure emails, both users must be using S/MIME and exchange certificates.

Email
• S/MIME - Secure/Multipurpose Internet Mail Extensions
  - Public key encryption and digital signing of mail content
  - Requires a PKI or similar organization of keys
• Secure POP and Secure IMAP
  - Use a STARTTLS extension to encrypt POP3 with SSL or use IMAP with SSL
• SSL/TLS
  - If the mail is browser based, always encrypt with SSL

File Transfer Protocol Secure (FTPS)

File transfer: An FTP client can request that the file transfer session be encrypted using TLS. The file server can accept or deny the request. Implicit TLS (FTPS) negotiates an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.

FTPS
- FTP over SSL (FTP-SSL)
- File Transfer Protocol Secure
- This is not SFTP

Secure Real-time Transport Protocol (SRTP) - protocol

Voice and video: A security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. Used to secure VoIP traffic. Has minimal effect on the IP quality of the VoIP service.

Connection security for voice and video works in a similar manner to HTTPS. To initiate the call, the secure version SIPS uses digital certificates to authenticate the endpoints and establish a TLS tunnel. Where unencrypted SIP typically runs over TCP port 5060, SIPS uses TCP port 5061. The secure connection established by SIPS can also be used to generate a master key to use with the secure version of the transport protocol (SRTP). SRTP provides confidentiality for the actual call data. Version of RTP secured using TLS. Deploy certificates to VoIP gateways and endpoints to use with SIPS and SRTP.

• SRTP - Secure Real-Time Transport Protocol / Secure RTP
• Adds security features to RTP
  - Keep conversations private
• Encryption
  - Uses AES to encrypt the voice/video flow
• Authentication, integrity, and replay protection
  - HMAC-SHA1 - Hash-based message authentication code using SHA1

Hypertext transfer protocol over SSL/TLS (HTTPS)

Web: A protocol for transfer of material across the Internet that contains links to additional material, carried over a secure tunnel via SSL or TLS. If the mail is browser based, always encrypt with SSL/TLS.

The foundation of web technology is the HyperText Transfer Protocol (HTTP). HTTP enables clients (typically web browsers) to request resources from an HTTP server. A client connects to the HTTP server using an appropriate TCP port (the default is port 80) and submits a request for a resource, using a uniform resource locator (URL). The server acknowledges the request and responds with the data (or an error message). HTTPS operates over port 443 by default.

HTTP communications are not secured. Secure Sockets Layer (SSL) was developed by Netscape in the 1990s to address the lack of security in HTTP. SSL proved very popular with the industry, and it was quickly adopted as a standard named Transport Layer Security (TLS). It is typically used with the HTTP application (referred to as HTTPS or HTTP Secure) but can also be used to secure other application protocols and as a virtual private networking (VPN) solution. While the acronym SSL is still used, the Transport Layer Security versions are the only ones that are safe to use.

Web
• SSL/TLS - Secure Sockets Layer/Transport Layer Security
• HTTPS - HTTP over TLS / HTTP over SSL / HTTP Secure
• Uses public key encryption
  - Private key on the server
  - Symmetric session key is transferred using asymmetric encryption
  - Security and speed

IPSec (Internet Protocol Security) - Protocol

A Layer 3 protocol that defines encryption, authentication, and key management for TCP/IP transmissions. IPSec is an enhancement to IPv4 and is native to IPv6. IPSec is unique among authentication methods in that it adds security information to the header of all IP packets. A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet.

• Security for OSI Layer 3
  - Authentication and encryption for every packet
• Confidentiality and integrity/anti-replay
  - Encryption and packet signing
• Very standardized
  - Common to use multi-vendor implementations
• Two core IPSec protocols
  - Authentication Header (AH)
  - Encapsulation Security Payload (ESP)

LDAPS (Lightweight Directory Access Protocol Secure) - protocols

A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information. LDAPS uses port 636.

Directory services
• LDAP (Lightweight Directory Access Protocol)
• LDAPS (LDAP Secure)
  - A non-standard implementation of LDAP over SSL
• SASL (Simple Authentication and Security Layer)
  - Provides authentication using many different methods, e.g., Kerberos or client certificate

SFTP (Secure File Transfer Protocol) - Protocol

A protocol available with the proprietary version of SSH that copies files between hosts securely. Like FTP, SFTP first establishes a connection with a host and then allows a remote user to browse directories, list files, and copy files. Unlike FTP, SFTP encrypts data before transmitting it. A secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files. SFTP addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. In SFTP, a secure link is created between the client and server using Secure Shell (SSH) over TCP port 22. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or man-in-the-middle attacks. This solution requires an SSH server that supports SFTP and SFTP client software.

SFTP
- SSH File Transfer Protocol
- Provides file system functionality
- Resuming interrupted transfers, directory listings, remote file removal

SRTP (Secure Real-Time Transport Protocol) - protocols

A security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. Used to secure VoIP traffic. Has minimal effect on the IP quality of the VoIP service.

Authentication Header (AH) -IPsec-Protocol

An IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks. The AH protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV).

Packet layout with AH: IP HEADER | AH (ICV) | TCP/UDP | PAYLOAD

• Data integrity
• Origin authentication
• Replay attack protection
• Keyed-hash mechanism
• No confidentiality/encryption
• Hash of the packet and a shared key
  - SHA-2 is common
  - Adds the AH to the packet header
• This doesn't provide encryption
  - Provides data integrity (hash)
  - Guarantees the data origin (authentication)
  - Prevents replay attacks (sequence numbers)

Subscription services uses

Automated subscriptions
- Anti-virus / Anti-malware signature updates
- IPS updates
- Malicious IP address databases / Firewall updates
• Constant updates
  - Each subscription uses a different update method
• Check for encryption and integrity checks
  - May require an additional public key configuration
  - Set up a trust relationship
  - Certificates, IP addresses

Domain name resolution use cases

Domain Name System (DNS) servers host name records and perform name resolution to allow applications and users to address hosts and services using fully qualified domain names (FQDNs) rather than IP addresses. DNS works at layer 7 of the OSI model.

DNS poisoning: a network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.

• DNS had no security in the original design
  - Relatively easy to poison a DNS
• DNSSEC - Domain Name System Security Extensions
• Validate DNS responses
  - Origin authentication
  - Data integrity
• Public key cryptography
  - DNS records are signed with a trusted third party
  - Signed DNS records are published in DNS

Email and Web - use cases

Email services use two types of protocol:
1. Simple Mail Transfer Protocol (SMTP) - the protocol used to send mail between hosts on the Internet. Messages are sent over TCP port 25.
2. A mailbox protocol, which stores messages for users and allows them to download them to client computers or manage them on the server.

SMTP is secured using TLS in two ways:
1. STARTTLS - this is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS.
2. SMTPS - this establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS.

SMTP uses the following ports:
- 25 - message relay
- 587 - mail clients
- 465 - some providers use this for message submission over implicit TLS

• S/MIME - Secure/Multipurpose Internet Mail Extensions
  - Public key encryption and digital signing of mail content
  - Requires a PKI or similar organization of keys
• Secure POP and Secure IMAP
  - Use a STARTTLS extension to encrypt POP3 with SSL or use IMAP with SSL
• SSL/TLS
  - If the mail is browser based, always encrypt with SSL

Encapsulation Security Payload (ESP) -IPsec-Protocol

IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet. ESP provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating an HMAC.

Packet layout with ESP: IP HEADER | ESP HEADER | (TCP/UDP HEADER, PAYLOAD) | ESP TRAILER | ICV (the TCP/UDP header and payload are encapsulated within ESP)

ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. With ESP, algorithms for both confidentiality (symmetric cipher) and authentication/integrity (hash function) are usually applied together.

• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrity
• Anti-replay protection
• Encrypts and authenticates the tunneled data
  - Commonly uses SHA-2 for hash, AES for encryption
  - Adds a header, a trailer, and an Integrity Check Value
• Combine with Authentication Header (AH) for integrity and authentication of the outer header

Voice and video - use cases

The main challenge that these applications have in common is that they transfer real-time data and must create point-to-point links between hosts on different networks.

Session Initiation Protocol (SIP) - used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination. SIPS uses TCP port 5061. SIP endpoints are the end-user devices (also known as user-agents), such as IP-enabled handsets or client and server web conference software. Each device, conference, or telephony user is assigned a unique SIP address known as a SIP Uniform Resource Identifier.

Real-time Transport Protocol (RTP) - opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).

SRTP - version of RTP secured using TLS.
• Secure Real-Time Transport Protocol / Secure RTP
• Adds security features to RTP
  - Keep conversations private
• Encryption
  - Uses AES to encrypt the voice/video flow
• Authentication, integrity, and replay protection
  - HMAC-SHA1 - Hash-based message authentication code using SHA1

Time synchronization - use cases

Many applications on networks are time dependent and time critical. These include authentication and security mechanisms, scheduling applications, and backup software. The Network Time Protocol (NTP) provides a transport over which to synchronize these time dependent applications. NTP works over UDP on port 123.

Time synchronization
• Classic NTP has no security features
  - Exploited as amplifiers in DDoS attacks
  - NTP has been around since before 1985
• NTPsec - Secure network time protocol
  - Began development in June of 2015
• Cleaned up the code base
  - Fixed a number of vulnerabilities

SNMPv3 (Simple Network Management Protocol version 3) - Protocol

SNMP (Simple Network Management Protocol): protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.

SNMPv3 - Simple Network Management Protocol version 3
- Confidentiality - Encrypted data
- Integrity - No tampering of data
- Authentication - Verifies the source

The Simple Network Management Protocol (SNMP) is a widely used framework for management and monitoring. SNMP consists of an SNMP monitor and agent.
1. The agent is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.
2. This agent maintains a database called a management information base (MIB) that holds statistics relating to the activity of the device (for example, the number of frames per second handled by a switch). The agent is also capable of initiating a trap operation where it informs the management system of a notable event (port failure, for instance). The threshold for triggering traps can be set for each value.

Device queries take place over port 161 (UDP); traps are communicated over port 162 (also UDP). SNMPv3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions. When authentication is required, the SNMP message is signed with a hash of the user's passphrase. The agent can verify the signature and authenticate the user using its own record of the passphrase.

Remote access use cases

SSH (Secure Shell) - Encrypted terminal communication - Replaces Telnet (and FTP) - Provides secure terminal communication and file transfer features

File transfer - use cases

SSH FTP (SFTP) addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. In SFTP, a secure link is created between the client and server using Secure Shell (SSH) over TCP port 22.

Explicit TLS (FTPES) - use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).

Implicit TLS (FTPS) - a type of FTP using TLS for confidentiality; negotiate an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.

• FTPS
  - FTP over SSL (FTP-SSL)
  - File Transfer Protocol Secure
  - This is not SFTP
• SFTP
  - SSH File Transfer Protocol
  - Provides file system functionality
  - Resuming interrupted transfers, directory listings, remote file removal

Insecure Protocols

• Some protocols aren't encrypted
  - All traffic sent in the clear
  - Telnet, FTP, SMTP, IMAP
• Verify with a packet capture
  - View everything sent over the network
• Use the encrypted versions
  - SSH, SFTP, IMAPS, etc.

Post Office Protocol (POP) - protocol

A TCP port 110 protocol that enables a client to access email messages stored in a mailbox on a remote server. The server usually deletes messages once the client has downloaded them. POP3 is a mailbox protocol designed to store the messages delivered by SMTP on a server. When the client connects to the mailbox, POP3 downloads the messages to the recipient's email client.

Internet Message Access Protocol (IMAP)

A TCP/IP application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server. IMAP4 utilizes TCP port number 143. It also allows a client to manage mail folders on the server. Clients connect to IMAP over TCP port 143. They authenticate themselves, then retrieve messages from the designated folders. As with other email protocols, the connection can be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993.

A protocol used to retrieve email messages. IMAP is similar to POP3, but with some advanced features. The main difference between the two is that IMAP generally leaves the email on the mail server. A protocol that resides on an incoming mail server. Similar to POP, but is more powerful. Allows sharing of mailboxes and multiple mail server access. The current version is IMAP4.

Network address allocation uses

The Dynamic Host Configuration Protocol (DHCP) provides an automatic method for network address allocation. The key point about DHCP is that only one server should be offering addresses to any one group of hosts. If a rogue DHCP server is set up, it can perform DoS (as client machines will obtain an incorrect TCP/IP configuration) or be used to snoop network information. DHCP starvation is a type of DoS attack where a rogue client repeatedly requests new IP addresses using spoofed MAC addresses, with the aim of exhausting the IP address pool. This makes it more likely that clients seeking an address lease will use the rogue DHCP server.

Securing DHCP
- DHCP does not include any built-in security
- There is no "secure" version of the DHCP protocol
• Rogue DHCP servers
  - In Active Directory, DHCP servers must be authorized
  - Some switches can be configured with "trusted" interfaces
  - DHCP distribution is only allowed from trusted interfaces
  - Cisco calls this DHCP Snooping
• DHCP client DoS - Starvation attack
  - Use spoofed MAC addresses to exhaust the DHCP pool
  - Switches can be configured to limit the number of MAC addresses per interface
  - Disable an interface when multiple MAC addresses are seen

Routing and switching use cases

The forwarding function takes place at two different layers:
1. Layer 2 forwarding occurs between nodes on the same local network segment that are all in the same broadcast domain. At layer 2, a broadcast domain is either all the nodes connected to the same physical unmanaged switch, or all the nodes within a virtual LAN (VLAN) configured on one or more managed switches. At layer 2, each node is identified by the network interface's hardware or Media Access Control (MAC) address. A MAC address is a 48-bit value written in hexadecimal notation, such as 00-15-5D-F4-83-48.
2. Layer 3 forwarding, or routing, occurs between both logically and physically defined networks. A single network divided into multiple logical broadcast domains is said to be subnetted. Multiple networks joined by routers form an internetwork. At layer 3, nodes are identified by an Internet Protocol (IP) address.

Most networks use routing protocols to transmit new and updated routes between routers. Some common routing protocols include Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP).

• SSH - Secure Shell
  - Encrypted terminal communication
• SNMPv3 - Simple Network Management Protocol version 3
  - Confidentiality - Encrypted data
  - Integrity - No tampering of data
  - Authentication - Verifies the source
• HTTPS - Browser-based management
  - Encrypted communication

Tunnel/Transport-IPsec-Protocol

Transport mode - this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header.

Tunnel mode - this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.

Transport mode: IP HEADER | [DATA, ESP TRAILER] encrypted
Tunnel mode: [IP HEADER, DATA, ESP TRAILER] encrypted (encapsulated under a new IP header)

• Tunnel mode is the most common
  - Transport mode may not even be an option

Directory services - use cases

• Protocol for reading and writing directories over an IP network
  - An organized set of records, like a phone directory
• X.500 specification was written by the International Telecommunications Union (ITU)
  - They know directories!
• DAP ran on the OSI protocol stack
  - LDAP is lightweight, and uses TCP/IP
• LDAP is the protocol used to query and update an X.500 directory
  - Used in Windows Active Directory, Apple OpenDirectory, OpenLDAP, etc.

Directory services
• LDAP (Lightweight Directory Access Protocol)
• LDAPS (LDAP Secure)
  - A non-standard implementation of LDAP over SSL
• SASL (Simple Authentication and Security Layer)
  - Provides authentication using many different methods, e.g., Kerberos or client certificate

Generally two levels of access will need to be granted on the directory: read-only access (query) and read/write access (update). This is implemented using an access control policy, but the precise mechanism is vendor-specific and not specified by the LDAP standards documentation. Unless hosting a public service, the LDAP directory server should also only be accessible from the private network. This means that the LDAP port should be blocked by a firewall from access over the public interface. If there is integration with other services over the Internet, ideally only authorized IPs should be permitted.

