# Implement Secure Network Operations Protocols
## Network Address Allocation
- Dynamic vs static IP address allocation
- Dynamic Host Configuration Protocol (DHCP)
    - **PORTS 67,68**
    - Must prevent rogue DHCP attacks: a rogue server could tell every client to send its traffic to the attacker's own gateway
    - Prevent DoS attacks (address pool starvation) by rogue clients
    - Secure the administration interface
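The rogue-server risk above is what DHCP snooping on a switch addresses; the following is an added example (not part of these notes) of the same check done in software: it parses DHCP packets and flags any OFFER/ACK/NAK whose server identifier is not on an allowlist of known DHCP servers. All packets, addresses and the allowlist are constructed here for illustration.

```python
"""Flag DHCP server messages that do not come from a trusted DHCP server.
Added example; every packet and address below is constructed, not captured."""
import struct
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2132)
OPT_ROUTER = 3                        # default gateway handed to the client
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(data: bytes) -> dict:
    """Parse the TLV option area into {code: raw value}."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:              # single-byte pad option
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw[:4])


def parse_dhcp(pkt: bytes) -> dict:
    """Parse the fixed BOOTP header plus options; raises on non-DHCP input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    opts = parse_options(pkt[240:])
    mtype = opts.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    server_id = opts.get(OPT_SERVER_ID)
    router = opts.get(OPT_ROUTER)
    return {
        "op": op,                              # 1 = client request, 2 = server reply
        "xid": xid,
        "yiaddr": _ip(pkt[16:20]),             # address offered to the client
        "type": MSG_NAMES.get(mtype, f"UNKNOWN({mtype})"),
        "server_id": _ip(server_id) if server_id else None,
        "router": _ip(router) if router else None,
    }


def build_dhcp(op: int, xid: int, msg_type: int, server_id: str,
               router: str, yiaddr: str) -> bytes:
    """Build a minimal DHCP packet (constructed test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4)                                    # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))   # yiaddr
    hdr += bytes(8)                                    # siaddr, giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)          # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server_id.split("."))
    opts += bytes([OPT_ROUTER, 4]) + bytes(int(o) for o in router.split("."))
    opts += bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


def is_rogue(packet: bytes, trusted_servers: set) -> Optional[str]:
    """Return an alert for server->client messages whose server identifier is
    not a trusted DHCP server; None for client messages and trusted replies."""
    info = parse_dhcp(packet)
    if info["op"] != 2 or info["type"] not in ("OFFER", "ACK", "NAK"):
        return None
    if info["server_id"] in trusted_servers:
        return None
    return (f"rogue DHCP {info['type']} xid=0x{info['xid']:08x} from "
            f"{info['server_id']} offering {info['yiaddr']} "
            f"with gateway {info['router']}")


if __name__ == "__main__":
    trusted = {"10.0.0.1"}   # constructed allowlist
    legit = build_dhcp(2, 0x1234, 2, "10.0.0.1", "10.0.0.1", "10.0.0.50")
    rogue = build_dhcp(2, 0x1234, 2, "10.0.0.99", "10.0.0.99", "10.0.0.51")
    for p in (legit, rogue):
        print(is_rogue(p, trusted) or "offer from trusted server")
```

The allowlist check only sees what the packet claims: a rogue server can copy a trusted server's identifier, which is why switch-based DHCP snooping ties trust to the physical port rather than to the packet contents. This host-side version is still useful as a detection signal in logs.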
## Domain Name Resolution
- System for resolving host names and domain labels to IP addresses
    - Lookup order: IP -> HOSTS file -> ask the DNS servers
    - `ipconfig /displaydns`
- Domain hijacking
    - DNS can be manipulated on the host machine (DNS cache)
    - Gaining control of the domain registration lets an attacker direct visitors to any fake website
    - whois
- Uniform Resource Locator (URL) redirection
    - Abuse of HTTP redirects and .htaccess redirects
- Domain reputation
    - Monitor blocklists/reputation lists for abuse of your domains
## DNS Poisoning
- MITM
    - Rogue DNS server intercepts queries
- DNS client cache poisoning
    - HOSTS file
- DNS server cache poisoning
    - Corrupt cached records on DNS servers
    - Spoof responses to queries by exploiting weak transaction ID generation
- DNS authoritative name server impersonation
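The server-side poisoning above works because a resolver that uses predictable transaction IDs, or that accepts a reply without matching it to the question it asked, will cache a spoofed answer. As an added example (not from these notes), the code below shows the resolver-side defences: transaction IDs drawn from a CSPRNG, and a validation step that rejects any reply whose ID, QR flag, question section or answer owner name does not match the outstanding query. The packets are built locally and are constructed data; the bailiwick check is simplified to "owner name must equal the queried name".

```python
"""Resolver-side checks against DNS cache poisoning.
Added example; all packets below are constructed, not captured."""
import secrets
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels).lower(), end


def build_query(qname: str, qtype: int = 1):
    """Return (txid, packet). The ID comes from a CSPRNG, never a counter."""
    txid = secrets.randbits(16)
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return txid, hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, rdata: bytes, qtype: int = 1,
                   answer_owner: str = None) -> bytes:
    """Build a one-answer response; answer_owner lets tests forge an
    answer for a name other than the one asked about."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, 1 answer
    q = encode_name(qname) + struct.pack("!HH", qtype, 1)
    owner = encode_name(answer_owner) if answer_owner else b"\xc0\x0c"
    ans = owner + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return hdr + q + ans


def validate_response(resp: bytes, expected_txid: int, qname: str, qtype: int = 1):
    """Accept a reply only if ID, QR flag, question and answer owners match."""
    if len(resp) < 12:
        return False, "truncated"
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if qd != 1:
        return False, "unexpected question count"
    want = qname.lower().rstrip(".")
    name, off = decode_name(resp, 12)
    rtype, rclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if (name, rtype, rclass) != (want, qtype, 1):
        return False, "question section mismatch"
    for _ in range(an):
        owner, off = decode_name(resp, off)
        _rt, _rc, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if owner != want:                      # simplified bailiwick check
            return False, "answer owner name does not match query"
    return True, "ok"


if __name__ == "__main__":
    txid, query = build_query("www.example.com")
    good = build_response(txid, "www.example.com", bytes([93, 184, 216, 34]))
    forged = build_response((txid + 1) & 0xFFFF, "www.example.com", bytes([10, 0, 0, 1]))
    print(validate_response(good, txid, "www.example.com"))
    print(validate_response(forged, txid, "www.example.com"))
```

A real resolver additionally randomises the UDP source port and, with DNSSEC, validates signatures, so an attacker has to guess far more than 16 bits and a forged record is rejected even when the IDs happen to match.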
## DNS Security
- DNS server security
    - Fault tolerance
    - Authenticated recursive requests only
    - Access control
    - Patch management
    - Prevent footprinting
- DNS Security Extensions (DNSSEC)
    - RRset
    - Zone signing key
    - Key signing key
    - Root of trust
## Secure Directory Services
- Lightweight Directory Access Protocol (LDAP)
    - Binding methods
        - None
        - Simple authentication
        - Simple Authentication and Security Layer (SASL)
        - LDAPS (TLS over TCP port 636) -> LDAP Secure
        - LDAP port 389 -> insecure
    - Access control policy
        - Read-only
        - Read/write
## Time Synchronization
- NTP (UDP 123)
    - Stratum 1 servers
    - Stratum 2 servers
    - Simple NTP (clients)
- Time-critical services
    - Authentication
    - Logging
    - Task scheduling/backup
## Simple Network Management Protocol Security
- Simple Network Management Protocol (SNMP)
    - Manages servers, network devices and workstations; these machines are pointed at the SNMP server
    - Provides a dashboard showing all needed information about the managed systems
    - SNMP ports 161/162
    - Agent runs on devices and maintains the management information base (MIB)
    - Agent notifies the SNMP monitor of events (traps)
- SNMP v1 and v2 have weak or no authentication and no privacy
- SNMP v3 adds encryption and authentication
# Implement Secure Application Protocols
## HTTP and Web Services
- HTTP headers and payload
- Web services/applications
    - Forms mechanism allows the client to upload data to the server
    - Stateless protocol, but extended with cookies and scripting
## Transport Layer Security
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
    - Communications secured using host certificates
    - HTTPS uses TLS
    - Anything less than TLS 1.2 is considered insecure -> don't allow backward compatibility
- SSL/TLS versions
- Cipher suites
    - Key exchange - authentication - confidentiality - HMAC
    - TLS 1.3 uses shortened suites
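As an added example (not from these notes), the code below shows both points above in Python's standard `ssl` module: a client context pinned to TLS 1.2 or later with certificate and host name verification left on, and a small parser that splits an IANA cipher suite name into the four roles listed (key exchange, authentication, confidentiality, HMAC/hash) and shows why TLS 1.3 names are shorter. The `is_weak_suite` heuristic is my own and flags static RSA key exchange and legacy ciphers; it is not an exhaustive policy.

```python
"""Minimum-version enforcement and cipher suite decomposition for TLS.
Added example, not code from the original notes."""
import ssl

# Tokens this example treats as disqualifying in a suite name (own heuristic).
WEAK_TOKENS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5")


def hardened_client_context() -> ssl.SSLContext:
    """Client context: verify the server certificate and host name, and refuse
    anything below TLS 1.2 (the notes' 'no backward compatibility' rule)."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # drops SSLv3, TLS 1.0, TLS 1.1
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ssl.TLSVersion(ctx.minimum_version).name


def accepts_version(ctx: ssl.SSLContext, name: str) -> bool:
    """Would this context negotiate the named protocol version, e.g. 'TLSv1_1'?"""
    v = ssl.TLSVersion[name]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if v < lo:
        return False
    return hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or v <= hi


def parse_suite(name: str) -> dict:
    """Split a suite name into its roles.

    TLS 1.2 style: TLS_<kx>_<auth>_WITH_<cipher...>_<mac/hash>
    TLS 1.3 style: TLS_<cipher...>_<hash>; key exchange and authentication are
    negotiated by separate extensions, which is why the names are shorter."""
    parts = name.split("_")
    if "WITH" in parts:
        i = parts.index("WITH")
        kx_auth, cipher_mac = parts[1:i], parts[i + 1:]
        kx = kx_auth[0]
        auth = kx_auth[1] if len(kx_auth) > 1 else kx_auth[0]   # e.g. TLS_RSA_WITH_...
        return {"version": "1.2", "key_exchange": kx, "authentication": auth,
                "confidentiality": "_".join(cipher_mac[:-1]), "mac_hash": cipher_mac[-1]}
    return {"version": "1.3", "key_exchange": None, "authentication": None,
            "confidentiality": "_".join(parts[1:-1]), "mac_hash": parts[-1]}


def is_weak_suite(name: str) -> bool:
    """Own heuristic: static RSA key exchange (no forward secrecy) or a legacy
    cipher/hash token makes a suite unacceptable."""
    s = parse_suite(name)
    if s["key_exchange"] == "RSA":
        return True
    tokens = set(name.split("_"))
    return any(t in tokens for t in WEAK_TOKENS)


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum:", minimum_version_name(ctx), "accepts TLSv1_1:", accepts_version(ctx, "TLSv1_1"))
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_RC4_128_SHA"):
        print(suite, parse_suite(suite), "weak" if is_weak_suite(suite) else "ok")
```

The same `minimum_version` setting applies to a server context created with `ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`; setting it there is what actually stops old clients from downgrading the connection.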
## API Considerations
- Application programming interface (API)
    - Makes a web application or service accessible to automation by scripting
    - Passing parameters
- API keys
    - Static keys
    - Authentication and authorization via SAML/OAuth
## Subscription Services
- News and information services
    - Market and financial intelligence and information
    - Security threat intelligence and information
    - Reference and training materials
- Software applications and cloud services
    - Provide secure access
- News feed security
    - Really Simple Syndication (RSS)
    - Atom
    - XML injection and exploits
## File Transfer Services
- SSH FTP (SFTP)
    - Runs FTP over SSH on port 22
- FTP over SSL (FTPS)
    - Explicit TLS (FTPES) -> uses the AUTH TLS command to upgrade an unsecured connection established over port 21 to a secure one
    - Implicit TLS (FTPS) -> negotiates an SSL/TLS tunnel before the exchange of any FTP commands (port 990 for the control connection)
## Email Services
- Simple Mail Transfer Protocol (SMTP)
    - EMAIL OUT
        - port 25 (non-secure) - SMTP
        - 587 -> SMTPS -> most common
        - 465 -> SMTPS -> not as common
    - Route between servers
- Incoming mail
    - POP
        - 110 - not secure
    - IMAP
        - Better mailbox management features than POP3
        - port 143
    - Secure ports
        - POP3S TCP 995
        - IMAPS TCP 993
## Secure/Multipurpose Internet Mail Extensions (S/MIME)
- End-to-end encryption for message contents
- Authentication and confidentiality using PKI certificates
- Correspondents must exchange and trust certificates
## Voice and Video Protocol Security
- VoIP, web conferencing and video teleconferencing
- Session Initiation Protocol (SIP)
    - ports 5060 and 5061
# Implement Secure Remote Access Protocols
## Remote Access Architecture
![[Pasted image 20230705082727.png]]
![[Pasted image 20230705082946.png]]
## Transport Layer Security VPN
- Use TLS to negotiate a secure connection, authenticated by PKI certificates
    - Tunnel network traffic over TLS
    - Can use TCP or UDP
- OpenVPN
    - TAP/bridged mode
    - TUN/routed mode
- Secure Socket Tunneling Protocol (SSTP)
    - Secure tunneling for Point-to-Point Protocol encapsulated local network traffic
## Internet Protocol Security (IPSec)
- Encapsulating Security Payload (ESP) mode
    - Encrypts traffic
    - Asymmetric encryption -> key exchange and authentication
    - Symmetric encryption -> data confidentiality
    - Confidentiality and/or authentication/integrity
- Authentication Header (AH) mode
    - Digitally signs the packet so the recipient knows the sender actually sent it
    - AUTHENTICATION AND INTEGRITY ONLY
## IPSec Transport and Tunnel Modes
- Transport mode for host-to-host connections of a private network
- Tunnel mode between gateways across an unsecure network
## Internet Key Exchange
![[Pasted image 20230705084008.png]]
- Both sides must agree on parameters
## Layer 2 Tunneling Protocol and IKE v2
![[Pasted image 20230705084036.png]]
## VPN Client Configuration
- Native VPN or 3rd-party software install
- Configuration
    - VPN gateway address
    - Security type and user credentials
    - Client certificate install
- Always-on VPN
    - Configure VPN to start automatically when a trusted network link is detected
- Split tunnel
    - Client accesses the internet directly using its "native" IP configuration and DNS servers
- Full tunnel
    - Internet access is mediated by the corporate network
## Remote Desktop
- GUI-based remote terminal software
- RDP - port 3389
    - Connect to physical machines
    - RDP gateway to virtual desktops and apps
- HTML5/clientless
    - Access desktops and web apps from the internet via a gateway to the internal network
    - Browser support for the canvas element plus WebSockets
## Out-of-band Management and Jump Servers
- Secure admin workstations (SAWs)
- Out-of-band (OOB) management
    - Serial/modem/console port
    - Virtual terminal
    - Separate cabling or VLAN isolation
- Jump servers
    - Single host accepts SSH or RDP connections from SAWs
    - Forwards connections to app servers
    - App servers only accept connections from the jump server
![[Pasted image 20230705084531.png]]
## SSH
- Remote administration with public key cryptography
- Host key identifies the server
- Client authentication
    - Username/password
    - Public key authentication
    - Kerberos
- Key management
- SSH commands
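The host key is what lets a client tell a jump server from an impostor, and key management starts with pinning it. As an added example (not from these notes), the code below parses a `known_hosts` entry, checks that the key type inside the base64 blob agrees with the declared type, computes the `SHA256:` fingerprint in the same form `ssh-keygen -l` prints, and performs the trust-on-first-use comparison: "ok", "unknown host" or "MISMATCH". The host name and the 32-byte ed25519 key are constructed placeholders, not a real server's key, and hashed (`|1|...`) `known_hosts` lines are not handled.

```python
"""Pinned host key verification and OpenSSH-style fingerprints.
Added example; host name and key bytes below are constructed placeholders."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def parse_ssh_blob(blob: bytes) -> list:
    """Decode a public key blob into its length-prefixed fields; the first
    field is always the key type (e.g. b'ssh-ed25519')."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack("!I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields


def fingerprint(blob: bytes) -> str:
    """SHA256 of the raw blob, base64 without '=' padding, as ssh-keygen -l shows."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (host, key type, raw blob); reject blobs whose embedded type
    disagrees with the declared one."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if parse_ssh_blob(blob)[0].decode() != keytype:
        raise ValueError("key type field does not match blob")
    return host, keytype, blob


def verify_host_key(known_hosts: str, host: str, presented_type: str,
                    presented_blob: bytes) -> str:
    """Trust-on-first-use check: 'ok' if the pinned key matches, 'MISMATCH' if
    a different key is presented for a known host, 'unknown host' otherwise."""
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        h, t, blob = parse_known_hosts_line(line)
        if h != host or t != presented_type:
            continue
        return "ok" if hmac.compare_digest(blob, presented_blob) else "MISMATCH"
    return "unknown host"


# Constructed ed25519 key: type string plus a 32-byte placeholder public key.
FAKE_PUBKEY = bytes(range(32))
FAKE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(FAKE_PUBKEY)
KNOWN_HOSTS = ("# constructed known_hosts for the example\n"
               "jump.example.internal ssh-ed25519 "
               + base64.b64encode(FAKE_BLOB).decode() + "\n")

if __name__ == "__main__":
    print("pinned:", fingerprint(FAKE_BLOB))
    print(verify_host_key(KNOWN_HOSTS, "jump.example.internal", "ssh-ed25519", FAKE_BLOB))
    other = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    print(verify_host_key(KNOWN_HOSTS, "jump.example.internal", "ssh-ed25519", other))
```

A "MISMATCH" is the condition behind OpenSSH's "REMOTE HOST IDENTIFICATION HAS CHANGED" warning; in a jump-server setup, distributing the pinned host keys to the SAWs (or using SSH certificates) removes the first-use gap where an impostor could be accepted.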