reflection 3
Implementing Secure Network Protocols
Lesson 11
1
Implement Secure Network Operations Protocols
Topic 11A
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.1 Given a scenario, implement secure protocols
Syllabus Objectives Covered
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Network Address Allocation
Dynamic versus static IP address assignment
Dynamic Host Configuration Protocol (DHCP)
Prevent rogue DHCP servers
Prevent DoS attacks (starvation) by rogue clients
Secure administration interface
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
Domain Name Resolution
System for resolving host names and domain labels to IP addresses
Domain hijacking
Gain control of domain registration
whois
Uniform Resource Locator (URL) redirection
Abuse of HTTP redirects and .htaccess redirects
Domain reputation
Monitor blocklists/reputation lists for abuse of your domain
https://trusted.foo/login.php?url="https://tru5ted.foo"
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
5
DNS Poisoning
Man in the Middle
Rogue DNS server intercepts queries
DNS client cache poisoning
HOSTS file
DNS server cache poisoning
Corrupt cached records on DNS servers
Spoof responses to queries by exploiting weak transaction ID generation
DNS authoritative name server impersonation
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
DNS Security
DNS server security
Fault tolerance
Authenticated recursive requests only
Access control
Patch management
Prevent footprinting
DNS Security Extensions (DNSSEC)
RRset
Zone Signing Key
Key Signing Key
Root of Trust
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
Secure Directory Services
Directory services and Lightweight Directory Access Protocol (LDAP)
Binding methods
None
Simple authentication
Simple Authentication and Security Layer (SASL)
LDAPS (TLS over TCP port 636)
Access control policy
Read-only
Read/write
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
Time Synchronization
Time critical services
Authentication
Logging
Task scheduling/backup
...
Network Time Protocol (NTP)
Stratum 1 servers
Stratum 2 servers
Simple NTP (clients)
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
Simple Network Management Protocol (SNMP)
Agent runs on devices and maintains management information base (MIB)
Agent notifies SNMP monitor of events (traps)
SNMP v1 and v2 feature no or weak authentication and no privacy
SNMP v3 encryption and authentication
Simple Network Management Protocol Security
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
Secure Network Operations Protocols
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
11
Review Activity
Assisted Lab
Implementing Secure Network Addressing Services
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
Lab Activity
Implement Secure Application Protocols
Topic 11B
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
13
2.1 Explain the importance of security concepts in an enterprise environment
3.1 Given a scenario, implement secure protocols
Syllabus Objectives Covered
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
HyperText Transport Protocol and Web Services
HTTP headers and payload
Web services/applications
Forms mechanism allows client to upload data to the server
Stateless protocol but expanded with cookies and scripting
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
Transport Layer Security
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Communications secured using host certificates
SSL/TLS versions
Cipher suites
Key exchange – authentication – confidentiality - HMAC
ECDHE-RSA-AES128-GCM-SHA256
TLS 1.3 uses shortened suites
TLS_AES_256_GCM_SHA384
Screenshot used with permission from Wireshark.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
API Considerations
Application programming interface (API)
Makes web application or service accessible to automation by scripting
Passing parameters
API keys
Static keys
Authentication and authorization via SAML/OAuth
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
17
Subscription Services
News and information services
Market and financial intelligence and information
Security threat intelligence and information
Reference and training materials
Software applications and cloud services
Provide secure access
News feed security
Really Simple Syndication (RSS)
Atom
XML injection and exploits
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
File Transfer Services
SSH FTP (SFTP)
Run FTP over SSH on port 22
FTP over SSL (FTPS)
Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one
Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP commands (port 990 for the control connection)
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
Email Services
Simple Mail Transfer Protocol (SMTP)
Route mail between servers
Security mechanisms
STARTTLS—explicit TLS
SMTPS—implicit TLS
Common port configurations
Mailbox access protocols
Post Office Protocol (POP3)
Internet Message Access Protocol (IMAP)
Better mailbox management features than POP3
Secure ports
POP3S TCP port 995
IMAPS TCP port 993
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
Secure/Multipurpose Internet Mail Extensions
End-to-end encryption for message contents
Authentication and confidentiality using PKI certificates
Correspondents must exchange and trust certificates
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
Voice and Video Protocol Security
Voice over IP (VoIP), web conferencing, and video teleconferencing (VTC)
Session control
Data transport
Quality of service (QoS)
Session Initiation Protocol (SIP)
SIP addresses
Integration with external networks via gateways and private branch exchanges (PBX)
Secure port 5061 to authenticate callers and encrypt connection setup
Secure Real-time Transport Protocol (SRTP)
Call data confidentiality
Screenshot used with permission from 3CX.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
22
Secure Application Protocols
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
23
Review Activity
Implement Secure Remote Access Protocols
Topic 11C
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
24
24
3.1 Given a scenario, implement secure protocols
3.3 Given a scenario, implement secure network designs
4.1 Given a scenario, use the appropriate tool to assess organizational security (SSH only)
Syllabus Objectives Covered
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
25
25
Remote Access Architecture (1)
Images © 123RF.com.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
26
26
Remote Access Architecture (2)
Images © 123RF.com.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
27
Transport Layer Security VPN
Use TLS to negotiate a secure connection, authenticated by PKI certificates
Tunnel network traffic over TLS
Can use TCP or UDP
OpenVPN
TAP/bridged mode
TUN/routed mode
Secure Sockets Tunneling Protocol (SSTP)
Secure tunnel for Point-to-Point Protocol encapsulated local network traffic
Screenshot used with permission from Rubicon Communications, LLC.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
28
Network layer security—application-independent
Provides confidentiality and/or integrity
Endpoints must be configured with an IPSec policy and at least one matching security method
Internet Protocol Security (IPSec)
Authentication Header (AH)
Signs packet but does not encrypt payload
Provides authentication/integrity only
Encapsulation Security Payload (ESP)
Provides confidentiality and/or authentication/integrity
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
29
IPSec Transport and Tunnel Modes
Transport mode for host-to-host connections on a private network
Tunnel mode between gateways across an unsecure network
Screenshot used with permission from Rubicon Communications, LLC.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
30
30
Internet Key Exchange
Internet Key Exchange (IKE)
Security Association (SA)
Endpoints must communicate a shared secret and confirm identity
Phase I provides authentication
PKI/certificates
Pre-shared key
Phase II establishes cipher suites and key sizes and use of AH or ESP
Screenshot used with permission from Rubicon Communications, LLC.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
31
Layer 2 Tunneling Protocol/IPSec VPN
Use IPSec for secure tunneling of Point-to-Point Protocol (PPP) frames
Allows user authentication via EAP or CHAP
IKE v2
Makes IPSec a standalone remote access VPN protocol
Support for EAP user authentication methods
Reduces number of setup messages
Support multihoming on client device (switching between Wi-Fi and cellular data)
Layer 2 Tunneling Protocol and IKE v2
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
32
VPN Client Configuration
Native VPN client or third-party software install
Configuration
VPN gateway address
Security type and user credentials
Client certificate install
Always-on VPN
Configure VPN to start automatically when trusted network link is detected
Split tunnel
The client accesses the Internet directly using its "native" IP configuration and DNS servers
Full tunnel
Internet access is mediated by the corporate network
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
33
GUI-based remote terminal software
Remote Desktop Protocol (RDP)
Connect to physical machines
RDP gateway to virtual desktops and apps
HTML5/clientless
Access desktops and web applications from Internet via gateway to internal network
Browser support for canvas element plus WebSockets
Remote Desktop
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
34
34
Out-of-band Management and Jump Servers
Secure admin workstations (SAWs)
Out-of-band (OOB) management
Serial/modem/console port
Virtual terminal
Separate cabling or VLAN isolation
Jump servers
Single host accepts SSH or RDP connections from SAWs
Forwards connections to app servers
App servers only accept connections from jump server
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
35
Images © 123rf.com.
35
Secure Shell (SSH)
Remote administration with public key cryptography security
Host key identifies server
Client authentication
Username/password
Public key authentication
Kerberos
Key management
SSH commands
Screenshot used with permission from PuTTY.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
36
36
Secure Remote Access Protocols
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
37
Review Activity
Assisted Labs
Implementing a Virtual Private Network
Implementing a Secure SSH Server
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
38
Lab Activity
Summary
Lesson 11
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
39
39