3.1 - Given a scenario, implement secure protocols. Flashcards
DNSSEC
-Domain Name System Security Extensions
-provides a validation path for records through use of a key + signature
-must be implemented at each domain level
-follows the chain of trust from the lowest-level domain to the top-level domain -> validates keys at each level
-developed to strengthen DNS through use of digital signatures + public key cryptography
-BUT doesn't provide confidentiality
-uses digital signatures, allowing systems that query a DNSSEC-equipped server to validate that the server's signature matches the DNS record
-can also be used to build a chain of trust for IPSec keys, SSH fingerprints, etc.
-can help prevent DNS poisoning + other DNS attacks by validating the origin of DNS info and ensuring that DNS responses haven't been modified
-focuses on ensuring DNS info isn't modified/malicious
SSH
-Secure Shell
-encrypted terminal comm
-used for remote console access to devices
-secure alternative to Telnet
-often used as a tunneling protocol, supporting uses like SFTP
-can use SSH keys, which are used for auth
->like many cert/key-based auth schemes, lack of a password (passphrase) or weak passwords + poor key handling can make it less secure
Chapple 386
Weiss 288-289
Gibson 75
S/MIME
-Secure/Multipurpose Internet Mail Extensions
-sending digitally signed + encrypted msgs
-provides auth, msg integrity, nonrepudiation
-verifies that the msg received is the exact msg sent
-public key encryption
-digital signing of mail content
-requires PKI or a similar organization of keys
SRTP
-Secure Real-time Transport Protocol
-used for VOICE and VIDEO
-uses encryption + auth to reduce attacks (replay, DoS)
-adds security features to RTP
-uses AES to encrypt the voice/video flow
-auth, integrity, replay protection
-HMAC-SHA1: hash-based msg auth code using SHA-1
-original RTP ports = UDP 16384-32767
-SRTP secure port = UDP 5004
LDAPS
-Lightweight Directory Access Protocol over SSL
-TLS-protected version of LDAP
-offers confidentiality + integrity protections
-original LDAP port = UDP + TCP 389
-secure port = TCP 636
Chapple 148, 236-237
Gibson 77
Weiss 289-290, 298
FTPS
-File Transfer Protocol, Secure
-implements FTP using TLS
-can require additional ports depending on the config (338)
SFTP
-SSH File Transfer Protocol
-easier to implement than FTPS in regards to firewalls because only port 22 needs to be opened
-leverages SSH as a channel to perform FTP-like file transfers
-can be easier to get through firewalls since it only uses the SSH port (388)
-laws such as HIPAA, PCI DSS, SOX, etc. require secure file transfers to protect confidential data
Chapple
Weiss
Gibson
SNMPv3
-Simple Network Management Protocol, version 3
-improves on previous SNMP versions
-provides:
->auth of msg sources
->msg integrity validation
->confidentiality via encryption
-only the authPriv level uses encryption, so insecure implementations are still possible
-simply using this doesn't automatically make SNMP info secure
-original SNMP ports = UDP 161, 162
-SNMPv3 secure ports = UDP 161, 162 (same as the original)
Chapple 386
Weiss 290-291, 298
Gibson 98
HTTPS
-Hypertext Transfer Protocol over SSL/TLS
-original HTTP port: TCP 80
-secure port: TCP 443
-encrypts comm between client + web server
-DOES NOT guarantee that the merchant is trustworthy
-relies on TLS (but often still called SSL) to provide security in HTTPS implementations
-browser-based management
Chapple 385-386
Weiss 282, 293-294
Gibson 77
IPSec
-Internet Protocol Security
-establishes secure VPN connections
-provides auth + encapsulation of data through support of the IKE protocol (Internet Key Exchange)
-secures transmissions between critical servers + clients
-helps prevent network-based attacks
-functions within the network layer
-can be run in tunnel (default) or transport mode
-security for OSI layer 3 -> auth + encryption for every packet
-confidentiality + integrity/anti-replay
->encryption + packet signing
-common to use multi-vendor implementations
-two core IPSec protocols = AH + ESP
ESP
Encapsulating Security Payload
IPSec security services (1/2)
-Protocol 50
-if used with the Authentication Header (AH), can cause issues for networks that need to change IP or port info
-data confidentiality (encryption)
-limited traffic flow confidentiality
-data integrity
-anti-replay protection
-encrypts + authenticates tunneled data
->commonly uses SHA-2 for hashing
->AES for encryption
->adds a header, a trailer, and an Integrity Check Value
-combine with Authentication Header (AH) for integrity + authentication of the outer header
IPSec - Tunnel/transport
-transport mode: used between endpoints (client + server). ONLY protects the payload of the packet
-tunnel mode: default. often used between gateways (router + firewall). AH or ESP header used. provides integrity + auth for the ENTIRE packet
*Security for OSI Layer 3
– authentication + encryption for every packet
*Confidentiality + integrity/anti-replay
– encryption + packet signing
*Very standardized
– common to use multi-vendor implementations
*Two core IPSec protocols
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
POP
Post Office Protocol
-original POP3 port: 110
-POP3S secure port: 995
-POP/IMAP are used for retrieving email
-issue = login credentials are transmitted in plaintext over unencrypted connections
Voice and video
NTP/NTPsec
Secure Network Time Protocol (time synchronization)
-NTPsec typically uses the same ports as the original NTP (Network Time Protocol)
-default port for both NTP and NTPsec: UDP 123
->this is the port where NTP and NTPsec servers listen for incoming time synchronization requests + respond to client queries
-classic NTP has no security features
-UDP protocol used to sync devices with a network time server
-accurate time is necessary for net ops
-exploitation can result in time alterations + DoS attacks that shut down the server
-NTS relies on TLS but doesn't encrypt the time data itself
-focuses on auth to make sure time info is from a trusted server + hasn't been changed in transit (383)