reflection 3

profiletamerrabee3
sy0-601-11v1.0.pptx

Implementing Secure Network Protocols

Lesson 11

1

Implement Secure Network Operations Protocols

Topic 11A

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

2

2

1.4 Given a scenario, analyze potential indicators associated with network attacks

3.1 Given a scenario, implement secure protocols

Syllabus Objectives Covered

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

3

Network Address Allocation

Dynamic versus static IP address assignment

Dynamic Host Configuration Protocol (DHCP)

Prevent rogue DHCP servers

Prevent DoS attacks (starvation) by rogue clients

Secure administration interface

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

4

Domain Name Resolution

System for resolving host names and domain labels to IP addresses

Domain hijacking

Gain control of domain registration

whois

Uniform Resource Locator (URL) redirection

Abuse of HTTP redirects and .htaccess redirects

Domain reputation

Monitor blocklists/reputation lists for abuse of your domain

https://trusted.foo/login.php?url="https://tru5ted.foo"

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

5

5

DNS Poisoning

Man in the Middle

Rogue DNS server intercepts queries

DNS client cache poisoning

HOSTS file

DNS server cache poisoning

Corrupt cached records on DNS servers

Spoof responses to queries by exploiting weak transaction ID generation

DNS authoritative name server impersonation

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

6

DNS Security

DNS server security

Fault tolerance

Authenticated recursive requests only

Access control

Patch management

Prevent footprinting

DNS Security Extensions (DNSSEC)

RRset

Zone Signing Key

Key Signing Key

Root of Trust

Screenshot used with permission from Microsoft.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

7

Secure Directory Services

Directory services and Lightweight Directory Access Protocol (LDAP)

Binding methods

None

Simple authentication

Simple Authentication and Security Layer (SASL)

LDAPS (TLS over TCP port 636)

Access control policy

Read-only

Read/write

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

8

Time Synchronization

Time critical services

Authentication

Logging

Task scheduling/backup

...

Network Time Protocol (NTP)

Stratum 1 servers

Stratum 2 servers

Simple NTP (clients)

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

9

Simple Network Management Protocol (SNMP)

Agent runs on devices and maintains management information base (MIB)

Agent notifies SNMP monitor of events (traps)

SNMP v1 and v2 feature no or weak authentication and no privacy

SNMP v3 encryption and authentication

Simple Network Management Protocol Security

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

10

Secure Network Operations Protocols

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

11

Review Activity

Assisted Lab

Implementing Secure Network Addressing Services

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

12

Lab Activity

Implement Secure Application Protocols

Topic 11B

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

13

13

2.1 Explain the importance of security concepts in an enterprise environment

3.1 Given a scenario, implement secure protocols

Syllabus Objectives Covered

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

14

HyperText Transport Protocol and Web Services

HTTP headers and payload

Web services/applications

Forms mechanism allows client to upload data to the server

Stateless protocol but expanded with cookies and scripting

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

15

Transport Layer Security

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

Communications secured using host certificates

SSL/TLS versions

Cipher suites

Key exchange – authentication – confidentiality - HMAC

ECDHE-RSA-AES128-GCM-SHA256

TLS 1.3 uses shortened suites

TLS_AES_256_GCM_SHA384

Screenshot used with permission from Wireshark.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

16

API Considerations

Application programming interface (API)

Makes web application or service accessible to automation by scripting

Passing parameters

API keys

Static keys

Authentication and authorization via SAML/OAuth

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

17

17

Subscription Services

News and information services

Market and financial intelligence and information

Security threat intelligence and information

Reference and training materials

Software applications and cloud services

Provide secure access

News feed security

Really Simple Syndication (RSS)

Atom

XML injection and exploits

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

18

File Transfer Services

SSH FTP (SFTP)

Run FTP over SSH on port 22

FTP over SSL (FTPS)

Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one

Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP commands (port 990 for the control connection)

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

19

Email Services

Simple Mail Transfer Protocol (SMTP)

Route mail between servers

Security mechanisms

STARTTLS—explicit TLS

SMTPS—implicit TLS

Common port configurations

Mailbox access protocols

Post Office Protocol (POP3)

Internet Message Access Protocol (IMAP)

Better mailbox management features than POP3

Secure ports

POP3S TCP port 995

IMAPS TCP port 993

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

20

Secure/Multipurpose Internet Mail Extensions

End-to-end encryption for message contents

Authentication and confidentiality using PKI certificates

Correspondents must exchange and trust certificates

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

21

Voice and Video Protocol Security

Voice over IP (VoIP), web conferencing, and video teleconferencing (VTC)

Session control

Data transport

Quality of service (QoS)

Session Initiation Protocol (SIP)

SIP addresses

Integration with external networks via gateways and private branch exchanges (PBX)

Secure port 5061 to authenticate callers and encrypt connection setup

Secure Real-time Transport Protocol (SRTP)

Call data confidentiality

Screenshot used with permission from 3CX.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

22

Secure Application Protocols

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

23

Review Activity

Implement Secure Remote Access Protocols

Topic 11C

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

24

24

3.1 Given a scenario, implement secure protocols

3.3 Given a scenario, implement secure network designs

4.1 Given a scenario, use the appropriate tool to assess organizational security (SSH only)

Syllabus Objectives Covered

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

25

25

Remote Access Architecture (1)

Images © 123RF.com.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

26

26

Remote Access Architecture (2)

Images © 123RF.com.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

27

Transport Layer Security VPN

Use TLS to negotiate a secure connection, authenticated by PKI certificates

Tunnel network traffic over TLS

Can use TCP or UDP

OpenVPN

TAP/bridged mode

TUN/routed mode

Secure Sockets Tunneling Protocol (SSTP)

Secure tunnel for Point-to-Point Protocol encapsulated local network traffic

Screenshot used with permission from Rubicon Communications, LLC.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

28

Network layer security—application-independent

Provides confidentiality and/or integrity

Endpoints must be configured with an IPSec policy and at least one matching security method

Internet Protocol Security (IPSec)

Authentication Header (AH)

Signs packet but does not encrypt payload

Provides authentication/integrity only

Encapsulation Security Payload (ESP)

Provides confidentiality and/or authentication/integrity

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

29

IPSec Transport and Tunnel Modes

Transport mode for host-to-host connections on a private network

Tunnel mode between gateways across an unsecure network

Screenshot used with permission from Rubicon Communications, LLC.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

30

30

Internet Key Exchange

Internet Key Exchange (IKE)

Security Association (SA)

Endpoints must communicate a shared secret and confirm identity

Phase I provides authentication

PKI/certificates

Pre-shared key

Phase II establishes cipher suites and key sizes and use of AH or ESP

Screenshot used with permission from Rubicon Communications, LLC.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

31

Layer 2 Tunneling Protocol/IPSec VPN

Use IPSec for secure tunneling of Point-to-Point Protocol (PPP) frames

Allows user authentication via EAP or CHAP

IKE v2

Makes IPSec a standalone remote access VPN protocol

Support for EAP user authentication methods

Reduces number of setup messages

Support multihoming on client device (switching between Wi-Fi and cellular data)

Layer 2 Tunneling Protocol and IKE v2

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

32

VPN Client Configuration

Native VPN client or third-party software install

Configuration

VPN gateway address

Security type and user credentials

Client certificate install

Always-on VPN

Configure VPN to start automatically when trusted network link is detected

Split tunnel

The client accesses the Internet directly using its "native" IP configuration and DNS servers

Full tunnel

Internet access is mediated by the corporate network

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

33

GUI-based remote terminal software

Remote Desktop Protocol (RDP)

Connect to physical machines

RDP gateway to virtual desktops and apps

HTML5/clientless

Access desktops and web applications from Internet via gateway to internal network

Browser support for canvas element plus WebSockets

Remote Desktop

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

34

34

Out-of-band Management and Jump Servers

Secure admin workstations (SAWs)

Out-of-band (OOB) management

Serial/modem/console port

Virtual terminal

Separate cabling or VLAN isolation

Jump servers

Single host accepts SSH or RDP connections from SAWs

Forwards connections to app servers

App servers only accept connections from jump server

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

35

Images © 123rf.com.

35

Secure Shell (SSH)

Remote administration with public key cryptography security

Host key identifies server

Client authentication

Username/password

Public key authentication

Kerberos

Key management

SSH commands

Screenshot used with permission from PuTTY.

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

36

36

Secure Remote Access Protocols

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

37

Review Activity

Assisted Labs

Implementing a Virtual Private Network

Implementing a Secure SSH Server

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

38

Lab Activity

Summary

Lesson 11

CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

39

39