- Objective 1.1: Explain the security function and purpose of network devices and technologies
- Objective 1.2: Apply and implement secure network administration principles
- Objective 1.3: Distinguish and differentiate network design elements and compounds
- Objective 1.4: Implement and use common protocols
- Objective 1.5: Identify commonly used default network ports
- Objective 1.6: Implement wireless networks in a secure manner
Objective 1.4: Implement and use common protocols
In this exam objective, you might be tested on how to implement and use common protocols. These can include IPsec, TLS, SSL, IPv4, and IPv6. It is critical for a security professional to understand how these protocols work and what level of security, if any, they provide.
Exam need to know…
Define what IPsec is used for and what its benefits are
For example: Do you know that IPsec can be used to protect data in transit?
The security issues of Simple Network Management Protocol
For example: Do you know that Simple Network Management Protocol versions 1 and 2 send the community strings via clear text?
The purpose of Domain Name System and how it is configured
For example: Do you know that Domain Name System has security vulnerabilities and can be replaced with Domain Name System Security Extensions (DNSSEC)?
Explain how to use secure solutions such as FTPS, HTTPS, and SFTP to secure network traffic
For example: Do you know that protection of data in transit is an important concern of security professionals?
The role of ICMP and how it can be misused
For example: Do you know that the most common ICMP message type is ping?
How IPv4 and IPv6 are used and implemented
For example: Do you know that IPv6 has integrated IPsec?
IPsec is a mandatory part of any IPv6 implementation; with IPv4, it is optional. IPsec can be defined as a solution to the problem of Internet security. IPsec is a suite of protocols used for encrypting data so that you can transmit messages securely over the Internet or private network, send encrypted communications between two network devices, and secure VPN communications. You can configure IPsec by using either of the following modes:
Transport mode: Encrypts only the data portion of the encapsulated packet
Tunnel mode: Encrypts both the data and the header portions of the encapsulated packet, hiding more information about the underlying communication
The IPsec protocols comprise four separate security protocols, which can be applied alone or in combination. They include the following:
Authentication Header (AH): The AH protects against malicious modification without providing privacy.
Encapsulating Security Payload (ESP): The ESP header provides privacy and protects against malicious modification.
IP Payload Compression Protocol (IPComp): IPComp reduces the size of IP datagrams by compressing the datagrams to increase the communication performance between two parties.
Internet Key Exchange (IKE): The IKE protocol is a mechanism by which secret keys and other protection-related parameters are exchanged prior to a communication, without the intervention of the user.
True or false? IPsec can be deployed in one of four different modes.
Answer: False. IPsec can be deployed in one of two modes: tunnel or transport. Tunnel mode is commonly used to protect traffic between gateways, whereas transport mode is used between end stations that support IPsec.
True or false? IPsec tunnel mode encrypts only the data portion of the IP packet.
Answer: False. Tunnel mode encrypts both the data and header portions of the IP packets.
Simple Network Management Protocol (SNMP) is a network management protocol based on client/server architecture. SNMP is designed to monitor and manage devices. The agent collects information from the device and holds it in a table while the managers poll agents to gather this data, which they use to present a centralized view of the network to administrators.
SNMP stores all values in a Management Information Base (MIB) table on the managed device. Values are referenced by using a series of dotted integers. The manager uses the MIBs to define the dotted integers so that data can be reported back by the agent.
Security professionals should be aware of SNMP because it might be installed or running by default or without the security administrator’s knowledge. SNMPv1 and SNMPv2 send all information in clear text and use the default community strings, public and private. SNMP can be spoofed and sniffed to extract all sorts of information. SNMPv3 offers encryption, but it is not supported on all devices.
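As an added example (not code from the book), the following Python decodes the start of an SNMP message the way a passive monitor would, showing that an SNMPv1/v2c community string is readable straight out of the packet bytes and flagging the default strings; the sample GetRequest is constructed in the code, and the OID and community values are illustrative.

```python
# Added example, not from the book: parse the BER-encoded start of an SNMP
# message as a passive monitor would, to show that SNMPv1/v2c expose the
# community string in clear text and to flag the well-known default strings.
DEFAULT_COMMUNITIES = {b"public", b"private"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_v1_get(community: bytes, oid: bytes) -> bytes:
    """Constructed SNMPv1 GetRequest for one OID (sample input, not a real capture)."""
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))        # OID + NULL value
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")     # request-id, error-status
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))        # error-index, varbind list
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)  # version 0 = v1


def inspect_snmp(packet: bytes) -> dict:
    """Report the SNMP version and, for v1/v2c, the readable community string."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, vbody, pos = read_tlv(msg, 0)
    version = int.from_bytes(vbody, "big", signed=True)
    result = {"version": VERSIONS.get(version, f"unknown({version})"),
              "community": None, "finding": None}
    if version in (0, 1):                  # v1 and v2c carry the community next
        _, community, _ = read_tlv(msg, pos)
        result["community"] = community.decode("latin-1")
        result["finding"] = ("default community string sent in clear text"
                             if community in DEFAULT_COMMUNITIES
                             else "community string sent in clear text")
    return result                          # v3 wraps its header differently; no community
```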
True or false? SNMPv2 offers encryption.
Answer: False. SNMPv1 and v2 do not offer encryption. Only SNMPv3 offers encryption.
True or false? SNMP v1 community strings can be sniffed.
Answer: True. SNMPv1 and v2 use clear-text community strings, which default to public and private.
True or false? SNMP uses port 389.
Answer: False. SNMP uses UDP ports 161 and 162.
Secure Shell (SSH) is a replacement for the Berkeley “r” utilities and for applications such as FTP and Telnet. SSH can be used to securely access a remote computer. It operates on TCP port 22.
True or false? SSH uses port 21 by default.
Answer: False. The default port for SSH is TCP port 22.
Domain Name System (DNS) serves the critical function of address translation by converting fully qualified domain names (FQDNs) into numeric IP addresses, and vice versa. This application operates on port 53 (TCP and UDP). If DNS were to fail, the Internet would continue to function, but Internet users would need to know the IP address of every site they want to visit. For all practical purposes, then, the Internet would not be usable without DNS.
The DNS database consists of one or more zone files. Each zone is a collection of structured resource records. Common record types include the Start of Authority (SOA) record, A record, CNAME record, NS record, PTR record, and MX record. There is only one SOA record in each zone database file; it describes the zone name space. The A record is the most common because it contains the IP addresses and names of specific hosts. The CNAME record is an alias. The NS record lists the IP address of other name servers. An MX record is a Mail Exchange record; it has the IP address of the server where email should be delivered.
Hackers can target DNS with many types of attacks. One such attack is DNS cache poisoning, which sends fake entries to a DNS server to corrupt the information stored there. DNS is also susceptible to DoS attacks and to unauthorized zone transfers. DNS uses UDP for queries and TCP for zone transfers.
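The cache-poisoning risk described above comes down to whether a resolver accepts a reply it never asked for. As an added example that is not from the book, this Python builds a constructed query and reply and applies the basic matching checks (transaction ID, question name and type, QR bit) a resolver uses to discard a forged reply; the TC-bit check shows how a truncated UDP answer signals the fallback to TCP.

```python
import struct

# Added example, not from the book: DNS header/question handling over UDP and
# the resolver-side sanity checks a forged (cache-poisoning) reply must pass.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 252: "AXFR"}


def encode_name(name: str) -> bytes:
    """Turn 'www.example.com' into DNS label format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Constructed query: 12-byte header (RD=1, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(txid: int, name: str, qtype: int, flags: int = 0x8180) -> bytes:
    """Constructed reply: header (QR=1) + echoed question; answer RRs omitted."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse(msg: bytes) -> dict:
    """Decode the header and the first question of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"id": txid, "response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200),   # TC=1: answer did not fit in UDP, retry over TCP
            "qname": ".".join(labels).lower(), "qtype": QTYPES.get(qtype, str(qtype)),
            "answers": an}


def accept_reply(query: bytes, reply: bytes) -> bool:
    """Accept only a response whose ID and question match the outstanding query."""
    q, r = parse(query), parse(reply)
    return (r["response"] and q["id"] == r["id"]
            and q["qname"] == r["qname"] and q["qtype"] == r["qtype"])
```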
True or false? DNS can use both TCP and UDP.
Answer: True. DNS is one of the few protocols that can use both TCP and UDP. DNS typically uses UDP for record lookups and TCP for zone transfers.
True or false? An MX record is used for replication.
Answer: False. An MX record is associated with the mail server. The MX record specifies how email should be routed by using the Simple Mail Transfer Protocol.
Transport Layer Security (TLS) is the updated version of SSL. Although SSL and TLS do basically the same thing, they are implemented slightly differently. What both share is their use of symmetric and asymmetric algorithms. TLS uses more secure cryptographic protocols and algorithms.
True or false? TLS makes use of both symmetric and asymmetric encryption.
Answer: True. TLS uses hybrid encryption, which means that it uses symmetric encryption for data and asymmetric encryption for key exchange of the symmetric key.
Secure Sockets Layer (SSL) was developed to secure application data as it travels over the Internet. It was developed by Netscape, and at the time of its release, it set the standard for Internet security. SSL uses hybrid encryption. It operates in a 40-bit and 128-bit mode, and follows these steps during the communication process:
The client requests the use of SSL.
The server responds to the request with its X.509 certificate, the name of its certificate authority, and the public key.
The client verifies the server’s certificate and generates a symmetric session key. This key is encrypted with the server’s public key and sent to the server.
The server decrypts the session key and sends a report of the session details to the client, encrypted with the session key.
The client reviews the summary and sends its own summary back to the server, likewise encrypted with the session key.
After both entities receive a matching session summary, secured SSL communications are initiated.
True or false? SSL has been replaced with TLS.
Answer: True. Although both protocols basically serve the same purpose, TLS is the updated version. TLS 1.0 and SSL 3.0 are not interchangeable.
TCP/IP is the foundation of all modern networks. In many ways, you could say that it has grown up along with the development of the Internet. Originally, the TCP/IP model was developed as a flexible, fault-tolerant set of protocols that were robust enough to avoid interruption in the event that one or more nodes fail. After all, the forerunner to the Internet, the ARPANET, was designed to withstand a nuclear strike (which would likely destroy key routing nodes). The designers of this original network never envisioned the Internet as we know it today. Because TCP/IP was designed to work in a trusted environment, many TCP/IP protocols are no longer considered secure. Little concern was ever given to the possibility that an untrusted party might have access to the wire and be able to sniff clear-text passwords. Most networks today run TCP/IPv4. Many security mechanisms in TCP/IPv4 are add-ons to the original protocol suite.
True or false? TCP/IP was designed with security in mind.
Answer: False. TCP/IP was designed with functionality in mind; it was not originally focused on security. Many security features, such as IPsec, have been added on to TCP/IP.
FTP Secure (FTPS) is a secure version of FTP that integrates SSL. FTPS is not the same as SSH File Transfer Protocol (SFTP). These two protocols are incompatible because the latter uses the Secure Shell (SSH) protocol. FTPS supports two basic modes, Explicit and Implicit, that were developed to invoke client security for use with FTP clients.
Implicit mode suggests that the client must specifically challenge the FTPS server with a TLS/SSL Client Hello message. This assumes that only FTPS clients will connect. Explicit mode (FTPES) requires that an FTPS client must explicitly request security from an FTPS server and then step up to a mutually agreed encryption method.
True or false? FTPS is interchangeable with FTP.
Answer: False. FTP and FTPS are different protocols. Each requires unique ports and applications with which to interact.
Although HTTP (port 80) is the standard of the Internet, it does not use encryption or offer anything in the way of security. Luckily, there are some add-ons to HTTP that can be used to increase security. One of the primary add-ons is Hypertext Transfer Protocol Secure (HTTPS). HTTPS (port 443) strengthens HTTP by incorporating SSL or TLS. Some Microsoft products remap port 443 to 4443 on the internal side. These security protocols allow for the use of encryption. You can see when they are in use because the URL begins with HTTPS and a padlock icon appears in the status bar or address bar of the browser window. HTTPS is the worldwide standard that is used for payment transactions and for other data-sensitive Internet transactions.
True or false? HTTP is sufficient for sensitive transactions.
Answer: False. HTTP sends all information in clear text; HTTPS should be used for secure communication.
Secure FTP (SFTP) should be used because of the inherent insecurities of FTP. FTP sends all data in the clear and offers no protection from password sniffing or data interception. FTP uses TCP ports 20 and 21. SFTP addresses the FTP security issues by encrypting both logon and data communications, which prevents passwords and sensitive data from being transmitted in the clear. Although SFTP is similar to FTP, it uses a different command set and cannot be used with standard FTP client software.
True or false? SFTP and FTP share the same command set.
Answer: False. Even though SFTP and FTP can use the same ports, they use a different set of commands and are incompatible.
Secure Copy Protocol (SCP) is another example of a secure file transfer protocol that can be used as a replacement for FTP. Linux systems commonly use SCP, although Windows versions are available. SCP is based on SSH, and SSH is commonly used as a command-line tool; however, there are some Windows GUI file transfer clients available.
True or false? SCP is similar to SSH.
Answer: True. Both SSH and SCP use the same command set and are very similar. SCP can be used as a replacement for FTP because it offers much greater security.
Internet Control Message Protocol (ICMP) provides feedback that you can use for diagnostics or to report logical errors. The most common ICMP type is the ping. The designers of ICMP envisioned a protocol that would be helpful and informative. Unfortunately, hackers have a different vision; they use ICMP to send the ping of death, craft Smurf DoS packets, query the timestamp of a system or its netmask, or even send ICMP type 5 packets to redirect traffic. Loki is an ICMP attack tool that uses ICMP as an encapsulation or tunnel protocol. Some common ICMP types and codes are shown in Table 1-2.
Table 1-2. ICMP Codes
- Echo response/request (Ping)
- Subnet mask request/response
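As an added example (not from the book), this Python classifies ICMP datagrams by type the way a network monitor might, verifying the checksum and flagging the message kinds the text calls out (type 5 redirects, timestamp and netmask queries, oversized echo payloads); the type numbers are the RFC 792 values, the sample datagrams are constructed in the code, and the 1472-byte echo-payload threshold is an assumed heuristic.

```python
import struct

# Added example, not from the book: classify ICMP datagrams as a monitor would,
# using the RFC 792 type numbers (the book's Table 1-2 names only the echo and
# subnet-mask types).
ECHO_REPLY, ECHO_REQUEST, REDIRECT = 0, 8, 5
TIMESTAMP, TIMESTAMP_REPLY, ADDR_MASK, ADDR_MASK_REPLY = 13, 14, 17, 18
NAMES = {0: "echo reply", 8: "echo request", 3: "destination unreachable",
         4: "source quench", 5: "redirect", 11: "time exceeded",
         13: "timestamp request", 14: "timestamp reply",
         17: "address mask request", 18: "address mask reply"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 for a datagram whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Constructed sample datagram with a correct checksum (not a real capture)."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", itype, code, 0) + body)
    return struct.pack("!BBH", itype, code, csum) + body


def classify_icmp(datagram: bytes, max_echo_payload: int = 1472) -> dict:
    """Decode type/code, verify the checksum, and flag the message kinds the text calls out."""
    itype, code, _ = struct.unpack("!BBH", datagram[:4])
    flags = []
    if inet_checksum(datagram) != 0:
        flags.append("bad checksum")
    if itype == REDIRECT:
        flags.append("redirect (type 5): can change a host's routing")
    if itype in (TIMESTAMP, ADDR_MASK):
        flags.append("recon query: timestamp or netmask request")
    if itype in (ECHO_REQUEST, ECHO_REPLY) and len(datagram) - 8 > max_echo_payload:
        flags.append("oversized echo payload")   # threshold is an assumed heuristic
    return {"type": itype, "code": code, "name": NAMES.get(itype, "other"), "flags": flags}
```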
True or false? A source quench is one of the most common ICMP message types.
Answer: False. One of the most common ICMP types is a ping. Ping is a common tool that is used to verify connectivity.
True or false? Oversized pings can be used to launch DoS attacks.
Answer: True. Several DoS attacks have been developed that use ping, such as the ping of death and Smurf.
IPv4 vs. IPv6
Internet Protocol (IP) is really the engine of the Internet. IP is a routable protocol that is used for addressing and transporting data across a network or the Internet. There are two versions of IP that Security+ candidates should understand: IPv4 and IPv6. IPv4 uses a 32-bit addressing scheme to make “a best effort at delivery.” IPv4 addresses are written as four decimal numbers separated by dots; each number represents one byte, so it ranges from 0 to 255. IPv6 uses a 128-bit address, has a simpler header format, eliminates broadcast traffic, and has built-in support for IPsec. IPv6 is the replacement for IPv4 because the IPv4 address space has been depleted. However, it will probably still be a few years before IPv6 makes a significant impact on the Internet.
True or false? IPv4 uses an 8-bit address.
Answer: False. IPv4 uses a 32-bit address and IPv6 uses a 128-bit address. The move to IPv6 will accommodate many more usable addresses in the years to come.
Can you answer these questions?
You can find the answers to these questions at the end of this chapter.
Which component of IPsec provides privacy and protects against malicious modification?
Which version of IP uses a 32-bit address?
What is another name for an ICMP 0/8 message?
Which security service was originally developed by Netscape and is application independent?
Which DNS record acts as an alias?