Professional Documents
Culture Documents
Sy0 601 11
Sy0 601 11
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3
Network Address Allocation
attack rouge range
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4
Domain Name Resolution
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5
DNS Poisoning
• Man in the Middle DNS port 53
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6
DNS Security recursive query = requires local host
M of N control
is more about controlling access
.gov = secure DNS domain name
Windows Server DNS services with DNSSEC enabled • Key Signing Key
Screenshot used with permission from Microsoft.
• Root of Trust
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7
Secure Directory Services active directory
• Simple Authentication and Security Layer (SASL) start tls command integrity/sign in
to encrypt plain txt password
• LDAPS (TLS over TCP port 636) tls port 636 with digital certificate tls incrypted tunnel
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9
Simple Network Management Protocol Security
remote configuration
2 ports SNMPV1,2,3
• Simple Network Management Protocol (SNMP)
1) transfer messages
2) transfer controls community name plain txt
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10
Topic 11B
Implement Secure Application Protocols
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11
Syllabus Objectives Covered
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12
HyperText Transport Protocol and Web Services
page
• HTTP headers and payload plain txt in header not secure
• Web services/applications
POST form
• Forms mechanism allows client to upload data to the server
java
• Stateless protocol but expanded with cookies and scripting
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13
Transport Layer Security
netscape
• Secure Sockets Layer
(SSL)/Transport Layer Security
(TLS)
• Communications secured using
host certificates public certificate
• SSL/TLS versions
• Cipher suites symetric /asymetric / hash
• Key exchange – authentication
– confidentiality – HMAC
• Prior to TLS 1.3
ECDHE- RSA- AES128- GCM- SHA256
symmetric asymetric hash base method
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14
API Considerations
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15
Subscription Services
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16
File Transfer Services
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17
Email Services
• Simple Mail Transfer Protocol (SMTP)
• Route mail between servers
• Security mechanisms
• STARTTLS—explicit TLS
• SMTPS—implicit TLS need certificate
provider/main client
• Common port configurations (25, 587 and 465)
msa/tls
• Mailbox access protocols synchronize
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18
Secure/Multipurpose Internet Mail Extensions
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19
Voice and Video Protocol Security
• Voice over IP (VoIP), web conferencing,
and video teleconferencing (VTC)
• Session control
• Data transport voice/video
• Quality of service (QoS)
encrypt communication
• Session Initiation Protocol (SIP) URI client
• SIP addresses (URI)
• Integration with external networks via
gateways and private branch exchanges
(PBX) -->VoIP
• Secure port 5061 to authenticate callers
and encrypt connection setup
• Secure Real-time Transport Protocol Screenshot used with permission from 3CX.
(SRTP)
• Call data confidentiality
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20
Topic 11C
Implement Secure Remote Access Protocols
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21
Syllabus Objectives Covered
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22
Remote Access Architecture (1)
encapsulate
Images ©
123RF.com.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23
Remote Access Architecture (2)
Images ©
123RF.com.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24
Transport Layer Security VPN
ttl time to live ttl will not include integrated = cannot predict router rout NAT wont change it
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26
IPSec Transport and Tunnel Modes
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27
Internet Key Exchange
shared secret without eaves drop = IKA
• Internet Key Exchange (IKE)
• Security Association (SA)
• Endpoints must communicate a
shared secret and confirm
identity
• Phase I provides authentication
deffe hilma• PKI/certificates
key exchange
• Pre-shared key
• Phase II establishes cipher suites
and key sizes and use of AH or
ESP
Screenshot used with permission from Rubicon Communications, LLC.
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28
Layer 2 Tunneling Protocol and IKE v2 AH port 51
IKE port 4500
ipsec port 500
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29
VPN Client Configuration split tunnle
• Native VPN client or third-party software install
• Configuration
• VPN gateway address
• Security type and user credentials
• Client certificate install
• Always-on VPN
• Configure VPN to start automatically when trusted full / monitored and control
by company policy
network link is detected
• Split tunnel
• The client accesses the Internet directly using its
"native" IP configuration and DNS servers
• Full tunnel
• Internet access is mediated by the corporate
network
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30
Remote Desktop
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31
Out-of-band Management and Jump Servers
reduce attack service
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32
Secure Shell (SSH)
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 33
Lesson 11
Summary
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34