Sy0 601 11

Lesson 11
Implementing Secure Network Protocols

Topic 11A
Implement Secure Network Operations Protocols
CompTIA Security+ Lesson 11 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered
• 1.4 Given a scenario, analyze potential indicators associated with network

attacks
• 3.1 Given a scenario, implement secure protocols
Network Address Allocation
attack rouge range
• Dynamic versus static IP

address assignment
• Dynamic Host Configuration
Protocol (DHCP)
• Prevent rogue DHCP servers
• Prevent DoS attacks
(starvation) by rogue clients
• Secure administration
interface
availability compromised ->DOS
rogue DNS server starvation
Domain Name Resolution
• System for resolving host names and

domain labels to IP addresses
• Domain hijacking -> DNS
• Gain control of domain registration
• whois
• Uniform Resource Locator (URL) ht t ps : / / t r us t ed. f oo/ l ogi n. php
redirection fully qualified domain name FQDN ?ur l =" ht t ps: / / t r u5t ed. f oo"
• Abuse of HTTP redirects and
.htaccess redirects
• Domain reputation --> opens another domain with span mails = low reputation
• Monitor blocklists/reputation lists for
abuse of your domain
DNS Poisoning
• Man in the Middle DNS port 53
• Rogue DNS server intercepts queries

• DNS client cache poisoning
• HOSTS file 1) cache->Hosts->DNS
• DNS server cache poisoning
• Corrupt cached records on DNS servers
• Spoof responses to queries by exploiting
weak transaction ID generation
• DNS authoritative name server
RUN:
impersonation
c:/windows/system32/drivers/etc cache
hosts --> Notpad
DNS Security recursive query = requires local host
M of N control
is more about controlling access
.gov = secure DNS domain name
• DNS server security

• Fault tolerance
• Authenticated recursive requests
only
• Access control
• Patch management
• Prevent footprinting
• DNS Security Extensions (DNSSEC)
• RRset
• Zone Signing Key yellow lock
Windows Server DNS services with DNSSEC enabled • Key Signing Key
Screenshot used with permission from Microsoft.
• Root of Trust
Secure Directory Services active directory
• Directory services and Lightweight Directory Access Protocol

(LDAP)
• Binding (Authentication) methods
• None user
• Simple authentication DL user name /pass kerpres
• Simple Authentication and Security Layer (SASL) start tls command integrity/sign in
to encrypt plain txt password
• LDAPS (TLS over TCP port 636) tls port 636 with digital certificate tls incrypted tunnel
• Access control policy credential

• Read-only
• Read/write
PAW :dedicated computing environment for

sensitive tasks that is protected from Internet
attacks
Time Synchronization NTP 123 = time stamp
• Time critical services

• Authentication
• Logging
• Task scheduling/backup
• ...
• Network Time Protocol (NTP)
• Stratum 1 servers
• Stratum 2 servers
• Simple NTP (clients)
• NTP works over UDP on port 123.
** UTC universal time clock **
Simple Network Management Protocol Security
remote configuration
2 ports SNMPV1,2,3
• Simple Network Management Protocol (SNMP)
1) transfer messages
2) transfer controls community name plain txt
• Agent runs on devices and maintains management information base (MIB)

• Agent notifies SNMP monitor of events (traps)
• SNMP v1 and v2 feature no or weak authentication and no privacy
• SNMP v3 encryption and authentication
- if SNMP not being used disable service
Topic 11B
Implement Secure Application Protocols
• 2.1 Explain the importance of security concepts in an enterprise

environment
HyperText Transport Protocol and Web Services
page
• HTTP headers and payload plain txt in header not secure
• Web services/applications
POST form
• Forms mechanism allows client to upload data to the server
java
• Stateless protocol but expanded with cookies and scripting
Transport Layer Security
netscape
• Secure Sockets Layer
(SSL)/Transport Layer Security
(TLS)
• Communications secured using
host certificates public certificate
• SSL/TLS versions
• Cipher suites symetric /asymetric / hash
• Key exchange – authentication
– confidentiality – HMAC
• Prior to TLS 1.3
ECDHE- RSA- AES128- GCM- SHA256
symmetric asymetric hash base method
• TLS 1.3 uses shortened suites

TLS_AES_256_GCM_SHA384
hkdf --> carries shared key symmetric Viewing the TLS handshake in a Wireshark packet capture.
API Considerations
• Application programming interface

(API) authorized
• Makes web application or service
accessible to automation by
scripting
• Passing parameters
• API keys
• Static keys
• Authentication and authorization
via SAML/OAuth authorization
authentication
Subscription Services
• News and information services

• Market and financial intelligence and information
• Security threat intelligence and information
• Reference and training materials
• Software applications and cloud services
• Provide secure access
• Web Feed (News feed security)
• Really Simple Syndication (RSS)
• Atom
• XML injection and exploits
File Transfer Services
• SSH FTP (SFTP) secureFTP
• Run FTP over SSH on port 22
• FTP over SSL (FTPS)

• Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an unsecure
connection established over port 21 to a secure one and can encrypt data
connection for the actual file transfers can also (using the PROT command).
• Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any

FTP commands (port 990 for the control connection)
Email Services
• Simple Mail Transfer Protocol (SMTP)
• Route mail between servers
• Security mechanisms
• STARTTLS—explicit TLS
• SMTPS—implicit TLS need certificate
provider/main client
• Common port configurations (25, 587 and 465)
msa/tls
• Mailbox access protocols synchronize
• Post Office Protocol (POP3) default

• Internet Message Access Protocol (IMAP) permanent message
• Better mailbox management features than POP3
• Secure ports
• POP3S TCP port 995
• IMAPS TCP port 993
Secure/Multipurpose Internet Mail Extensions
• End-to-end encryption for message contents

• Authentication and confidentiality using PKI certificates
• Correspondents must exchange and trust certificates
e.g. Apply To: Outbound Email Only important

Execute If: All rules are met
Action: Redirect to administrator Define a Policy Based Encryption
Voice and Video Protocol Security
• Voice over IP (VoIP), web conferencing,
and video teleconferencing (VTC)
• Session control
• Data transport voice/video
• Quality of service (QoS)
encrypt communication
• Session Initiation Protocol (SIP) URI client
• SIP addresses (URI)
• Integration with external networks via
gateways and private branch exchanges
(PBX) -->VoIP
• Secure port 5061 to authenticate callers
and encrypt connection setup
• Secure Real-time Transport Protocol Screenshot used with permission from 3CX.
(SRTP)
• Call data confidentiality
Topic 11C
Implement Secure Remote Access Protocols

• 3.3 Given a scenario, implement secure network designs
• 4.1 Given a scenario, use the appropriate tool to assess organizational
security (SSH only)
Remote Access Architecture (1)
encapsulate
Images ©
123RF.com.
Remote Access Architecture (2)
router decides for client/network if local
Images ©
123RF.com.
Transport Layer Security VPN
• Use TLS to negotiate a secure

connection, authenticated by
PKI certificates
• Tunnel network traffic over
TLS SSL authenticate client
• Can use TCP or UDP
• OpenVPN
• TAP/bridged mode layer2
• TUN/routed mode layer3
• Secure Sockets Tunneling
Protocol (SSTP) Microsoft
• Secure tunnel for Point-to-
Point Protocol encapsulated
local network traffic
Screenshot used with permission from Rubicon Communications, LLC
Internet Protocol Security (IPSec) by
layer network layer
defut in IPv6
• Network layer security—application-independent

• Provides confidentiality and/or integrity
• Endpoints must be configured with an IPSec policy and at least one
matching security method
• Authentication Header (AH)
• Signs packet but does not encrypt
payload no confidentiality
e.g. doesn't work in NATrouter
• Provides authentication/integrity only because nat will change it
• Encapsulation Security Payload (ESP)
• Provides confidentiality and/or
authentication/integrity
ttl time to live ttl will not include integrated = cannot predict router rout NAT wont change it
IPSec Transport and Tunnel Modes
• Transport mode for host-to-host connections on a private network

• Tunnel mode between gateways across an unsecure network
IPSec datagram using AH and ESP in transport mode.
IPSec datagram using ESP in tunnel mode.
Screenshot used with permission from Rubicon Communications, LLC.
Internet Key Exchange
shared secret without eaves drop = IKA
• Internet Key Exchange (IKE)
• Security Association (SA)
• Endpoints must communicate a
shared secret and confirm
identity
• Phase I provides authentication
deffe hilma• PKI/certificates
key exchange
• Pre-shared key
• Phase II establishes cipher suites
and key sizes and use of AH or
ESP
Screenshot used with permission from Rubicon Communications, LLC.
Layer 2 Tunneling Protocol and IKE v2 AH port 51
IKE port 4500
ipsec port 500
• Layer 2 Tunneling Protocol/IPSec (L2TP/ IPSec) VPN

• Use IPSec for secure tunneling of Point-to-Point Protocol (PPP) frames
• Allows user authentication via EAP or CHAP
• IKE v2
• Makes IPSec a standalone remote access VPN protocol
• Support for EAP user authentication methods
• Simplified setup by Reduces number of setup messages
• Reliability since it allows NAT traversal and MOBIKE Multihoming (Support
multihoming on client device and switching between Wi-Fi and cellular data)
VPN Client Configuration split tunnle
• Native VPN client or third-party software install
• Configuration
• VPN gateway address
• Security type and user credentials
• Client certificate install
• Always-on VPN
• Configure VPN to start automatically when trusted full / monitored and control
by company policy
network link is detected
• Split tunnel
• The client accesses the Internet directly using its
"native" IP configuration and DNS servers
• Full tunnel
• Internet access is mediated by the corporate
network
Remote Desktop
• GUI-based remote terminal software

• Remote Desktop Protocol (RDP)---> windows / browser HTML file (virtual lab) / client list
• Connect to physical machines browser support/gateway
• RDP gateway to virtual desktops and apps
• HTML5/clientless ->VPN / client list VPN normal browser
• Access desktops and web applications from Internet via gateway to internal
network
• Browser support for canvas element plus WebSockets
Out-of-band Management and Jump Servers
reduce attack service
• Secure admin workstations (SAWs)

• Out-of-band (OOB) management
• Serial/modem/console port -->separate console
control
access of • Virtual terminal
out band
and
inbound
• Separate cabling or VLAN isolation
• Jump servers
of cloud
• Single host accepts SSH or RDP

connections from SAWs
• Forwards connections to app servers
• App servers only accept connections
from jump server
Images © 123rf.com.
Secure Shell (SSH)
• Remote administration with public

key cryptography security
• Host key identifies server
• Client authentication
• Username/password
• Public key authentication
• Kerberos
• Key management
• SSH commands
Windows-native built-in remote management / PowerShell Screenshot used with permission from PuTTY.
ScP linux copy
Lesson 11
Summary

Sy0 601 11

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sy0 601 11

Uploaded by

Copyright:

Available Formats

Lesson 11

Implementing Secure Network Protocols

• 1.4 Given a scenario, analyze potential indicators associated with network

• Dynamic versus static IP

• System for resolving host names and

• Rogue DNS server intercepts queries

• DNS server security

• Directory services and Lightweight Directory Access Protocol

• Access control policy credential

PAW :dedicated computing environment for

• Time critical services

• Agent runs on devices and maintains management information base (MIB)

• 2.1 Explain the importance of security concepts in an enterprise

• TLS 1.3 uses shortened suites

• Application programming interface

• News and information services

• SSH FTP (SFTP) secureFTP

• Run FTP over SSH on port 22

• FTP over SSL (FTPS)

• Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any

• Post Office Protocol (POP3) default

• End-to-end encryption for message contents

e.g. Apply To: Outbound Email Only important

• 3.1 Given a scenario, implement secure protocols

router decides for client/network if local

• Use TLS to negotiate a secure

• Network layer security—application-independent

• Transport mode for host-to-host connections on a private network

IPSec datagram using AH and ESP in transport mode.

IPSec datagram using ESP in tunnel mode.

Screenshot used with permission from Rubicon Communications, LLC.

• Layer 2 Tunneling Protocol/IPSec (L2TP/ IPSec) VPN

• GUI-based remote terminal software

• Secure admin workstations (SAWs)

• Single host accepts SSH or RDP

• Remote administration with public

ScP linux copy

You might also like