Sec+ Lesson 11

Voice over IP (VoIP)

A generic name for protocols that carry voice traffic over data networks.

Jump server

A hardened server that provides access to other hosts. A solution to providing administrative access to hosts exposed to the internet. It only runs the necessary administrative port and protocol (typically SSH or RDP). Administrators connect to the ______________ then use the _______________ to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the ____________) and denies connection attempts from any other hosts.

Application Programming Interface (API)

A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system. The primary means of configuring and managing a web application. Use of these _______________ is authorized via a token or secret key. Effective management of these ______________ secrets is an essential consideration in modern networks, as they have been widely used to perpetrate various breaches and data thefts.

Secure Socket Tunneling Protocol (SSTP)

A protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header. It works by tunneling Point-to-Point Protocol (PPP) layer 2 frames over a TLS session. OpenVPN works with this.

File Transfer Protocol (FTP)

A protocol used to transfer files between network hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES) and T(rivial)FTP. FTP utilizes ports 20 and 21. Most HTTP servers also function as FTP servers, and FTP services, accounts, and directories may be installed and enabled by default when you install a web server. FTP is more efficient compared to file attachments or HTTP file transfer, but has no security mechanisms.

Transport Layer Security (TLS)

A security protocol that uses certificates for authentication and encryption to protect web communication. To implement ________, a server is assigned a digital certificate signed by some trusted certificate authority (CA). The certificate proves the identity of the server (assuming that the client trusts the CA) and validates the server's public/private key pair. The server uses its key pair and the _________ protocol to agree upon mutually supported ciphers with the client and negotiate an encrypted communications session.

Internet Protocol Security (IPSec)

A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet. Operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support. Can provide both confidentiality (by encrypting data packets) and integrity/anti-replay (by signing each packet). The main drawback is that it adds overhead to data communications. Can be used to secure communications on local networks and as a remote access protocol.

Out-of-band (OOB)

Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem. When using a browser-based management interface or a virtual terminal over Ethernet and IP, the link can be made ____________ by connecting the port used for management access to physically separate network infrastructure. This can be costly to implement, but ____________ management is more secure and means that access to the device is preserved when there are problems affecting the production network.

In-band

An ___________ management link is one that shares traffic with other communications on the "production" network. Better security can be implemented by using a VLAN to isolate management traffic. This still means that access could be compromised by a system-wide network failure, however.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications. To use _____________, the user is issued a digital certificate containing his or her public key, signed by a CA to establish its validity. The public key is paired with a private key that is kept secret by the user.

Real-time Transport Protocol (RTP)

Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).

Virtual Network Computing (VNC)

Remote access tool and protocol. VNC is the basis of macOS screen sharing.

SSH Client Authentication

SSH allows various methods for the client to authenticate to the SSH server. Each of these methods can be enabled or disabled as required on the server, using the /etc/ssh/sshd_config file: Username/password—the client submits credentials that are verified by the SSH server either against a local user database or using a RADIUS/TACACS+ server. Public key authentication—each remote user's public key is added to a list of keys authorized for each local account on the SSH server. Kerberos—the client submits a Ticket Granting Ticket (TGT) to the Ticket Granting Service (TGS) along with the Service Principal Name (SPN) of the SSH server that the client wants to access. The Key Distribution Center (KDC) verifies the TGT of the client to authorize access. The TGS then sends a valid session key to the client that can be forwarded to the SSH server to prove identity and gain access.

IKE v2

The drawbacks of the original version of IKE were addressed by an updated protocol. _________ has some additional features that have made the protocol popular for use as a standalone remote access VPN solution. _______ is more efficient than L2TP. The main changes are: Support for EAP authentication methods, allowing, for example, user authentication against a RADIUS server. Simplified connection setup by specifying a single 4-message setup mode, reducing bandwidth without compromising security. Reliability by supporting NAT traversal and multihoming through MOBIKE. Multihoming allows a client device, like a smartphone equipped with multiple interfaces, to maintain an active IPSec connection even when switching between these interfaces.

Tunnel

The practice of encapsulating data from one protocol for safe transfer over another network such as the Internet.

HyperText Transfer Protocol (HTTP)

The protocol used to provide web content to browsers. HTTP uses port 80. HTTPS(secure) provides for encrypted transfers, using SSL/TLS and port 443. A stateless protocol; this means that the server preserves no information about the client during a session. Enables clients (typically web browsers) to request resources from an HTTP server. A client connects to the HTTP server using an appropriate TCP port (the default is port 80) and submits a request for a resource, using a uniform resource locator (URL). The server acknowledges the request and responds with the data (or an error message).

Always-On VPN

Traditional remote access VPN solutions require the user to initiate the connection and enter their authentication credentials. An _____________ means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate.

Session Initiation Protocol (SIP)

Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination. Each device, conference, or telephony user is assigned a unique _____ address known as a _____ Uniform Resource Indicator (URI), such as sip:[email protected]. _______ endpoints can establish communications directly in a peer-to-peer architecture, but it is more typical to use intermediary servers and directory servers. A _____ network may also use gateways and private branch exchange (PBX) appliances to provide an interface between the VoIP network and external telephone and cellular networks. Uses TCP port 5061.

HTML5 VPN

Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless). This solution also uses a protocol called WebSockets, which enables bidirectional messages to be sent between the server and client without requiring the overhead of separate HTTP requests.

Site-to-site VPN

The VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.

Layer 2 Tunneling Protocol (L2TP)

VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM. Often used with IKE to make IKE more secure. Typically operates as follows: The client and VPN gateway set up a secure IPSec channel over the Internet, using either a pre-shared key or certificates for IKE. The VPN gateway uses L2TP to set up a tunnel to exchange local network data encapsulated as Point-to-Point Protocol (PPP) frames. This double encapsulation of traffic is the main drawback, as it adds overhead. The user authenticates over the PPP session using EAP or CHAP.

SRTP

Version of RTP secured using TLS.

Secure POP (POP3S)

When a recipient's email client connects to a server mailbox, POP3 downloads the email messages. A POP3 client application, such as Microsoft Outlook or Mozilla Thunderbird, establishes a TCP connection to the POP3 server over port 110. The user is authenticated (by username and password) and the contents of his or her mailbox are downloaded for processing on the local PC. POP3S is the secured version of the protocol, operating over TCP port 995 by default.

DNS Client Cache Poisoning

Before DNS was developed in the 1980s, name resolution took place using a text file named HOSTS. Each <name>:<IP address> mapping was recorded in this file and system administrators had to download the latest copy and install it on each Internet client or server manually. The HOSTS file is still present and most operating systems check the file before using DNS. If an attacker is able to place a false <name>:<IP address> mapping in the HOSTS file and effectively poison the DNS cache, he or she will be able to redirect traffic.

Agent

a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device. It maintains a database called a management information base (MIB) that holds statistics relating to the activity of the device (for example, the number of frames per second handled by a switch). The __________ is also capable of initiating a trap operation where it informs the management system of a notable event (port failure, for instance). The threshold for triggering traps can be set for each value. Device queries take place over port 161 (UDP); traps are communicated over port 162 (also UDP).

DHCP starvation

a type of DoS attack where a rogue client repeatedly requests new IP addresses using spoofed MAC addresses, with the aim of exhausting the IP address pool. This makes it more likely that clients seeking an address lease will use the rogue DHCP server. Enabling the DHCP snooping port security feature on a switch can mitigate rogue DHCP attacks.

Simple Network Management Protocol (SNMP)

a widely used framework for management and monitoring. Consists of an _________ monitor and agents.

SSH FTP (SFTP)

addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. In ___________, a secure link is created between the client and server using Secure Shell (SSH) over TCP port 22. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or man-in-the-middle attacks. This solution requires an SSH server that supports _________ and _________ client software.

DNS Server Cache Poisoning

aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers. Another attack involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS, masquerading as the authoritative name server, responds with the answer to the query, but also includes a lot of false domain:IP mappings for other domains that the victim DNS accepts as genuine. The nslookup or dig tool can be used to query the name records and cached records held by a server to discover whether any false records have been inserted.

Uniform Resource Locator (URL) Redirection

an address for the pages and files published on websites. A URL comprises a FQDN, file path, and often script parameters. URL redirection refers to the use of HTTP redirecting to open a page other than the one the user requested. This is often used for legitimate purposes—to send the user to a login page or to send a mobile device browser to a responsive version of the site, for instance. If the redirect is not properly validated by the web application, an attacker can craft a phishing link that might appear legitimate to a naïve user.

DNS poisoning

an attack that compromises the process by which clients query name servers to locate the IP address for a Fully Qualified Domain Name (FQDN).

Domain Hijacking

an attack where an adversary acquires a domain for a company's trading name or trademark, or perhaps some spelling variation thereof. An adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker's choosing. This might be accomplished by supplying false credentials to the domain registrar when applying for a new domain name or re-registering an existing one. An attacker might also be able to exploit the legitimate account used to manage the domain (via a weak password or malware installed on a client computer) or even to compromise the domain registrar's security procedures in some way. A company whose domain has been hijacked is likely to find that they are locked out of the registrar's management console, or that the domain has been transferred to another registrar, often operating in a different country. The whois command can be used to look up domain registration information to try to detect misuse in other cases.

No authentication

anonymous access is granted to the directory.

TLS 1.3

approved in 2018. One of the main features is the removal of the ability to perform downgrade attacks by preventing the use of unsecure features and algorithms from previous versions. There are also changes to the handshake protocol to reduce the number of messages and speed up connections.

Remote access VPN

clients connect to a VPN gateway on the edge of the private network. This is the "telecommuter" model, allowing home-workers and employees working in the field to connect to the corporate network. The VPN protocol establishes a secure tunnel so that the contents are kept private, even when the packets pass over ISPs' routers.

Phase 1 IKE

establishes the identity of the two hosts and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating hosts are commonly used: Digital certificates—the hosts use certificates issued by a mutually trusted certificate authority to identify one another. Pre-shared key (group authentication)—the same passphrase is configured on both hosts.

Data transport

handles the delivery of the actual video or voice information.

DNS Security Extensions (DNSSEC)

helps to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. With ________________ enabled, the authoritative server for the zone creates a "package" of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature. The public zone signing key is itself signed with a separate Key Signing Key. Separate keys are used so that if there is some sort of compromise of the zone signing key, the domain can continue to operate securely by revoking the compromised key and issuing a new one.

DNS footprinting

means obtaining information about a private network by using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS or simply by querying the DNS service, using a tool such as nslookup or dig. To prevent this, you can apply an Access Control List to prevent zone transfers to unauthorized hosts or domains, to prevent an external server from obtaining information about the private network architecture.

Implicit TLS (FTPS)

negotiate an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.

Authentication Header (AH)

protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality. Also, the inclusion of IP header fields in the ICV means that the check will fail across NAT gateways, where the IP address is rewritten. Consequently, ____ is not often used.

SNMP monitor

provides a location from which network activity can be overseen. It monitors all agents by polling them at regular intervals for information from their MIBs and displays the information for review. It also displays any trap operations as alerts for the network administrator to assess and act upon as necessary.

Dynamic Host Configuration Protocol (DHCP)

provides an automatic method for network address allocation. The key point about __________ is that only one server should be offering addresses to any one group of hosts. If a rogue _____________ server is set up, it can perform DoS (as client machines will obtain an incorrect TCP/IP configuration) or be used to snoop network information.

Encapsulation Security Payload (ESP)

provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating an HMAC. _______ attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV.

Quality of Service (QoS)

provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems such as dropped packets, delay, or jitter.

Post Office Protocol v3 (POP3)

receives email messages from an email server to store on a client computer.

SNMP community names

sent in plaintext and so should not be transmitted over the network if there is any risk that they could be intercepted. Use difficult to guess ____________, never leave them blank or set to default.

Port 465

some providers and mail clients use this port for message submission over implicit TLS (SMTPS), though this usage is now deprecated by standards documentation.

Secure IMAP (IMAPS)/Internet Message Access Protocol v4 (IMAP4)

supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage mail folders on the server. Clients connect to ___________ over TCP port 143. They authenticate themselves then retrieve messages from the designated folders. As with other email protocols, the connection can be secured by establishing an SSL/TLS tunnel. The default port for ___________ is TCP port 993.

Split tunnel

the client accesses the Internet directly using its "native" IP configuration and DNS servers.

Simple Authentication and Security Layer (SASL)

the client and server negotiate the use of a supported authentication mechanism, such as Kerberos. The STARTTLS command can be used to require encryption (sealing) and message integrity (signing). This is the preferred mechanism for Microsoft's Active Directory (AD) implementation of LDAP.

Simple bind

the client must supply its distinguished name (DN) and password, but these are passed as plaintext.

Cipher suite

the group of algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol. Prior to TLS 1.3, a __________ would be written in the following form: ECDHE-RSA-AES128-GCM-SHA256 This means that the server can use Elliptic Curve Diffie-Hellman Ephemeral mode for session key agreement, RSA signatures, 128-bit AES-GCM (Galois Counter Mode) for symmetric bulk encryption, and 256-bit SHA for HMAC functions. TLS 1.3 uses simplified and shortened suites. A typical TLS 1.3 cipher suite appears as follows: TLS_AES_256_GCM_SHA384

Secure Shell (SSH)

the principal means of obtaining secure remote access to a command line terminal. The main uses of ______ are for remote administration and secure file transfer (SFTP). ______ servers are identified by a public/private key pair (the host key). A mapping of host names to public keys can be kept manually by each ______ client or there are various enterprise software products designed for _____ host key management.

LDAP Secure (LDAPS)

the server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.

Remote access

the user's device does not make a direct cabled or wireless connection to the network. The connection occurs over or through an intermediate network. Most _______________ is implemented as a virtual private network (VPN), running over the Internet. Administering ________________ involves essentially the same tasks as administering the local network. Only authorized users should be allowed access to local network resources and communication channels.

Secure SMTP (SMTPS)

this establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS.

STARTTLS

this is a command that upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS. The __________ method is generally more widely implemented than SMTPS.

Tunnel mode

this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in ___________________, as confidentiality will usually be required.

Transport mode

this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in _______________, the IP header for each packet is not encrypted, just the payload data. If AH is used in _________________, it can provide integrity for the IP header.

Simple Mail Transfer Protocol (SMTP)

transmits email messages from one system to another. A sender's SMTP server discovers the IP address of the recipient's SMTP server using the domain name of the recipient's email address. The SMTP server for the domain is registered in DNS using a Mail Exchanger (MX) record. SMTP communications can be secured using TLS. This works much like HTTPS with a certificate on the SMTP server.

Explicit TLS (FTPES)

use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).

Port 587

used by mail clients (Message Submission Agents [MSA]) to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use STARTTLS and require authentication before message submission.

Port 25

used for message relay (between SMTP servers or Message Transfer Agents [MTA]). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.

Session control

used to set up and manage communications sessions. They handle tasks such as user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.

Phase II IKE

uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session.

HTTP payload

usually used to serve HTML web pages, which are plaintext files with coded tags (HyperText Markup Language) describing how the page should be formatted.

Web feed

where updated articles or news items are pushed to the client or browser. Based on either the Really Simple Syndication (RSS) or Atom formats, both of which use XML to mark up each document supplied. It is possible that such _________ may be vulnerable to XML injection style attacks, allowing an attacker to show malicious links or even interact with the file system.

Point-to-Point Tunneling Protocol (PPTP)

Developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP is highly vulnerable to password cracking attacks and considered obsolete. It has been deprecated because it does not offer adequate security. Legacy protocol.

The Point-to-Point Protocol (PPP)

Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks. A widely used remote dial-in protocol. It provides encapsulation for IP traffic plus IP address assignment and authentication via the widely supported Challenge Handshake Authentication Protocol (CHAP).

Internet Key Exchange (IKE)

Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data. The protocol handles authentication and key exchange, referred to as Security Associations (SA). IKE negotiations take place over two phases.

Man in the Middle

If the threat actor has access to the same local network as the victim, the attacker can use Address Resolution Protocol (ARP) poisoning to impersonate a legitimate DNS server and respond to DNS queries from the victim with spoofed replies. This might be combined with a denial of service attack on the victim's legitimate DNS server.

Domain reputation

If your domain, website, or email servers have been hijacked, they are likely to be used for spam or distributing malware. This will lead to complaints and the likelihood of the domain being listed on a block list.

Full tunnel

Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.

Network Time Protocol (NTP)

Many applications on networks are time dependent and time critical. These include authentication and security mechanisms, scheduling applications, and backup software. ___________________ provides a transport over which to synchronize these time dependent applications. Works over UDP on port 123.

Remote Desktop Protocol (RDP)

Microsoft's protocol for operating remote connections to a Windows machine (Terminal Services), allowing specified users to log onto the Windows computer over the network and work remotely. The protocol sends screen data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. It uses TCP port 3389.

Lightweight Directory Access Protocol (LDAP)

Most directory services are based on the _________________, running over port 389. The basic protocol provides no security and all transmissions are in plaintext, making it vulnerable to sniffing and man-in-the-middle attacks. Generally two levels of access will need to be granted on the directory: read-only access (query) and read/write access (update). Unless hosting a public service, the ___________ directory server should also only be accessible from the private network.
