Implementing Secure Network Protocols
Secure network protocols have places in many parts of your network and infrastructure. Security professionals need to be able to recommend the right protocol for each of the following scenarios.
Secure Network Protocols
The original implementations for many services, such as file transfer, remote shell access, email retrieval, web browsing, and others, were plain-text implementations that allowed the traffic to be easily captured, analyzed, and modified.
Alternative secure variations were needed, so InfoSec specialists got to work.
Domain Name System Security Extensions (DNSSEC)
DNSSEC focuses on ensuring that DNS information has not been modified and is not malicious.
DNSSEC does not provide confidentiality, though. It uses digital signatures, allowing systems that query a DNSSEC-equipped server to validate that the server's signature matches the DNS record. It can also be used to build a chain of trust for IPsec keys and SSH fingerprints.
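As an added illustration of how that chain of trust is anchored (this is example code, not from the original notes): the parent zone publishes a DS record holding a key tag and a hash of the child's DNSKEY, and a validator checks that the child's published key reproduces it. The zone name, flags and public-key bytes are constructed sample values, and the block covers only the DS-to-DNSKEY link, not RRSIG signature verification.

```python
import hashlib
import hmac
import struct

# Added example, not from the original notes: the DS -> DNSKEY link in the
# DNSSEC chain of trust. Wire formats follow RFC 4034; the zone, flags and
# public key bytes below are constructed sample values, not a real key.

ZONE = "example.com"                                   # constructed
SAMPLE_PUBKEY = bytes(range(1, 33))                    # constructed 32-byte blob
KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256 = 257, 3, 13  # standard DNSKEY field values


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    trimmed = name.strip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(zone: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_name_wire(zone) + rdata).digest()

def make_ds(zone: str, rdata: bytes) -> tuple:
    """What the parent zone publishes: (key tag, digest) committing to the child's key."""
    return key_tag(rdata), ds_digest(zone, rdata)

def ds_matches(zone: str, rdata: bytes, ds: tuple) -> bool:
    """Validator-side check: the child's DNSKEY must reproduce the parent's DS record."""
    tag, digest = ds
    return key_tag(rdata) == tag and hmac.compare_digest(ds_digest(zone, rdata), digest)

if __name__ == "__main__":
    rdata = dnskey_rdata(KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, SAMPLE_PUBKEY)
    ds = make_ds(ZONE, rdata)
    print("DS for", ZONE, "-> tag", ds[0], "digest", ds[1].hex())
    print("matches:", ds_matches(ZONE, rdata, ds))
```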
Secure Shell (SSH)
SSH is a protocol used for remote console access to devices and is a secure alternative to telnet.
SSH is also often used as a tunneling protocol or to support other uses such as SFTP. SSH can use SSH keys for authentication. A missing or weak password, as well as poor key handling, can make SSH far less secure in use; this weakness is common to any certificate- or encryption-key-based authentication.
Secure Real-Time Protocol (SRTP)
SRTP is a secure version of the Real-time Protocol, a protocol designed to provide audio and video streams via networks.
SRTP uses encryption and authentication to reduce the likelihood of successful attacks, including replay and denial-of-service attempts. Regular RTP uses a pair of protocols: RTP and RTCP. RTCP is the control protocol that monitors quality of service (QoS) and stream synchronization, and it is secured in the same way.
Secure Lightweight Directory Access Protocol (LDAPS)
LDAPS is a TLS-protected version of LDAP that offers confidentiality and integrity protections.
Regular LDAP is used to access the network directory that contains all of your network resources, such as devices, users, and Active Directory objects.
Hypertext Transfer Protocol Secure (HTTPS)
HTTPS (Hypertext Transfer Protocol Secure) provides secure web server traffic using TLS.
It is the secure version of HTTP and provides a set of security tools for keeping transactions between a web browser and a server secure.
Internet Protocol Security (IPsec)
IPsec (Internet Protocol Security) consists of two protocols used to encrypt and authenticate IP traffic.
IPsec is often used with VPNs.
Authentication Header (AH) uses hashing and a shared secret key to ensure the integrity of data, and validates senders by authenticating the IP packets that are sent. AH protects both the IP payload and the headers. Encapsulating Security Payload (ESP) operates in either transport mode or tunnel mode: in tunnel mode it provides integrity and authentication for the entire packet, while in transport mode it protects only the payload of the packet. If ESP is used together with an Authentication Header, this can cause issues for networks that need to change IP or port information.
File Transfer Protocols
File Transfer Protocol Secure (FTPS)
FTPS (File Transfer Protocol Secure) implements FTP over TLS.
FTPS can require additional firewall ports: TCP 21 in explicit mode and TCP 990 in implicit mode.
SSH File Transfer Protocol (SFTP)
SFTP (SSH File Transfer Protocol) leverages SSH as a channel to perform FTP-like file transfers.
SFTP is frequently chosen because it can be easier to get through firewalls, since it uses only the SSH port.
Email-Related Protocols
Email protocols like Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) remain in use for mail clients.
Secure protocol options that implement TLS as a protective layer exist for both, resulting in the deployment of POP3S and IMAPS.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
S/MIME provides the ability to encrypt and sign MIME data, the format used for email attachments.
The content and attachments of an email can be protected, providing authentication, integrity, nonrepudiation, and confidentiality for messages sent using S/MIME.
POP3S
Post Office Protocol Secure (POP3S) is an encrypted protocol used by email clients to retrieve mail from a remote server.
It only downloads email from an email server, and only what is in your inbox folder (not the sent, outbox, or drafts folders). It also does not synchronize mail across multiple devices. Plain POP uses TCP 110; POP3S is its secure version.
IMAPS
Internet Message Access Protocol Secure (IMAPS, TCP 993) allows you to securely view your email across multiple devices; it keeps a local cached copy on each device your account is signed into, while storing the email itself on the mail server.
Plain IMAP uses TCP 143; IMAPS, the secure version, uses TCP 993.
Secure Protocol Use Cases
Voice and Video
Voice and video rely on a number of common protocols. Videoconferencing tools often rely on HTTPS, but secure versions of the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP) exist in the form of SIPS and SRTP, which are also used to ensure that communications traffic remains secure.
SIPS (Session Initiation Protocol Secure) is SIP extended with TLS (Transport Layer Security). With TLS, a secure connection between an IP PBX and a VoIP telephone can be established using a handshake. SRTP (Secure Real-time Transport Protocol) is an extension of RTP that adds security measures: encryption, confidentiality, message authentication, and replay protection for transmitted audio and video traffic. AES (Advanced Encryption Standard) is the encryption method used.
Time Synchronization
A secure version of the Network Time Protocol (NTP) exists, called Network Time Security (NTS); it uses authentication to make sure that the time information comes from a trusted server and has not been changed in transit.
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) has largely been replaced by a combination of HTTPS file transfers and SFTP or FTPS, depending on organizational preferences and needs.
Directory Services
Directory Services like LDAP can be moved to LDAPS, a secure version of LDAP.
Remote Access
Remote Access technologies—including shell access, which was once accomplished via telnet and is now almost exclusively done via SSH—can also be secured.
Microsoft's RDP is encrypted by default, but other remote access tools may use other protocols, including HTTPS, to ensure that their traffic is not exposed.
Domain Name Resolution
DNS was not originally designed with security in mind, so extensions were created to bridge the gap between unsecure and secure.
DNSSEC (DNS Security Extensions) gives us a way to validate the information we receive from a DNS server, so that we know it really came from the server we queried and was not changed as it passed through the network. It uses public key cryptography to sign the information added to a DNS server, and the recipient of that information can then verify that it is correct based on those digital signatures. It does not provide privacy for those lookups, but it prevents attackers from manipulating or poisoning the responses to DNS requests.
Routing and Switching
Communication with routing and switching equipment needs to be secured at all times.
Connect to a terminal using the secure protocol SSH. If you are querying your routers or switches for information, use the secure version, SNMPv3. SNMPv3 adds encryption to queries, giving confidentiality of the data, along with integrity and authentication, so that we know the data was not changed in transit and that we are communicating directly with that device and receiving its responses without anyone modifying the information in the middle of the conversation. Protocols like BGP lack built-in security features, so organizations have to design around this.
Network Address Allocation
Network address allocation using DHCP has no secure protocol variant, so protection against DHCP attacks relies on detection and response rather than a secure protocol.
Additional controls outside DHCP itself add some layer of security. With Active Directory, you can avoid rogue DHCP servers by authorizing which devices are able to act as DHCP servers on your network. Many switches can also be configured to monitor DHCP communication and only allow DHCP to come from trusted interfaces on that switch; DHCP snooping validates DHCP messages received from untrusted sources and filters out invalid messages.
Subscription Services
Subscription Services such as cloud tools and similar services frequently leverage HTTPS but may also provide other secure protocols for their specific use cases.
Automated services such as anti-virus/anti-malware signature updates and firewall configuration updates need to be current. The wide variety of possible subscriptions and types of services means that these services must be assessed individually, with architecture and design reviews as well as data flow reviews all being part of best practice for securing subscription service traffic where options are available.
Email and Web
Email and web traffic relies on a number of secure options:
IMAPS (IMAP over SSL/TLS, TCP 993) allows IMAP traffic to travel over a secure connection.
POP3S (POP3 over SSL/TLS, TCP 995) is the secure version of POP3, an email protocol that delivers a single local copy of an email to the first device that asks for it.
HTTPS (Hypertext Transfer Protocol Secure, TCP 443) is the secure version of HTTP and provides a set of security tools for keeping transactions between a web browser and a server secure.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication policy that protects against bad actors using fake email addresses disguised to look like legitimate email from trusted sources. DMARC makes it easier for email senders and receivers to determine whether an email legitimately originated from the identified sender.
DomainKeys Identified Mail (DKIM) is a protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. DKIM record verification relies on cryptographic authentication.
Sender Policy Framework (SPF): an SPF record added to Domain Name System (DNS) servers tells recipient email servers whether a message came from an authorized sender IP address or could be from a phishing campaign. It is an essential component of email security and gives administrators a way to block phishing emails from reaching an intended victim.
Network Attacks
On-Path Attacks
An on-path attack (sometimes also called a man-in-the-middle [MitM] attack) occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.
Once the attacker has traffic flowing through that system, they can eavesdrop on or even alter the communications as they wish. On-path attacks can be used to conduct SSL stripping, an attack that (in modern implementations) removes TLS encryption to read the contents of traffic intended for the trusted endpoint. It occurs when an HTTP request is made and the rest of the communication is redirected through a system the attacker controls, allowing it to be read or possibly modified. Man-in-the-browser attacks rely on a Trojan being inserted into a user's browser; the Trojan browser plug-in is then able to access and modify information sent and received by the browser.
DNS Attacks
There are three main DNS attack types: domain hijacking, DNS poisoning, and URL redirection.
Domain Hijacking changes the registration of a domain, either through technical means like a vulnerability with a domain registrar or control of a system belonging to an authorized user, or through nontechnical means such as social engineering.
The end result of domain hijacking is that the domain's settings and configuration can be changed by an attacker, allowing them to intercept traffic, send and receive email, or otherwise take action while appearing to be the legitimate domain holder. Not renewing a domain in time is the 'legal' way adversaries can hijack your domain, so be sure to stay on top of the registration renewal.
DNS Poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website.
During a DNS poisoning attack, the attacker substitutes the address of a valid website with that of an imposter. Once completed, the attacker can steal valuable information, such as passwords and account numbers.
URL redirection is used to redirect your domain's visitors to a different URL. This can be done in a number of ways, but the two main ways are to insert an alternate IP address into a system's hosts file or to have the user enter a nearly identical URL.
The hosts file is checked first when a system looks up a site via DNS, making a modified hosts file a powerful tool for attackers who can change it. An example of the second technique is entering www.professormessor.com instead of www.professormesser.com.
Layer-2 Attacks
There are three specific layer 2 attacks covered on the Security+ exam.
Address Resolution Protocol (ARP) poisoning attacks send malicious ARP packets to the default gateway of a network with the intent of changing the mappings of MAC addresses to IP addresses that the gateway maintains.
MAC flooding works by forcing legitimate contents out of the switch's address table, forcing a behavior that potentially sends sensitive information to portions of the network where it is not normally intended to go.
MAC cloning duplicates the media access control (hardware) address of a device, allowing attackers to spoof legitimate MAC addresses with the goal of gaining access. Adversaries spoof the address of a legitimate device recently on the network in order to bypass security measures on the network and gain access.
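As an added example, not from the original notes, here is a defender's view of the ARP poisoning behaviour described above: a small detector that flags an IP whose MAC mapping changes (high severity when it is the gateway) and a single MAC that claims several IPs. It runs over constructed ARP-reply log lines in an assumed format; the addresses and interface name are sample values.

```python
from collections import defaultdict

# Added example, not from the original notes: detect ARP poisoning symptoms in
# ARP-reply logs. Assumed line format: "<time> arp reply <ip> is-at <mac> on <iface>".
# Gateway IP, MACs and interface below are constructed sample values.

SAMPLE_LOG = """\
10:00:01 arp reply 10.0.0.1 is-at 00:11:22:33:44:55 on eth0
10:00:02 arp reply 10.0.0.25 is-at 00:11:22:33:44:aa on eth0
10:00:05 arp reply 10.0.0.1 is-at de:ad:be:ef:00:01 on eth0
10:00:06 arp reply 10.0.0.26 is-at de:ad:be:ef:00:01 on eth0
10:00:07 arp reply 10.0.0.1 is-at 00:11:22:33:44:55 on eth0
"""


def parse_arp_line(line: str):
    """Return a dict for a well-formed ARP reply line, or None for anything else."""
    parts = line.split()
    if len(parts) != 8 or parts[1:3] != ["arp", "reply"] or parts[4] != "is-at":
        return None
    return {"time": parts[0], "ip": parts[3], "mac": parts[5].lower(), "iface": parts[7]}


def detect_arp_anomalies(log: str, gateway_ip: str):
    """Return (time, severity, message) alerts for IP->MAC flips and one MAC claiming many IPs."""
    ip_to_mac = {}                      # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)       # every IP each MAC has claimed
    alerts = []
    for line in log.splitlines():
        rec = parse_arp_line(line)
        if rec is None:
            continue
        ip, mac = rec["ip"], rec["mac"]
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((rec["time"], severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((rec["time"], "medium", f"{mac} now claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_LOG, "10.0.0.1"):
        print(*alert)
```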
DDoS (Distributed Denial of Service)
A distributed denial-of-service attack is conducted from multiple locations, networks, or systems, making it difficult to stop and hard to detect.
The distributed nature of the DDoS means that it may bring significant resources to bear on a targeted system or network, potentially overwhelming the target through its sheer size.
Volume-based network DDoS attacks focus on the sheer amount of traffic causing a denial-of-service condition. Some volume-based DDoS attacks rely on amplification techniques that leverage flaws or features in protocols and services to create significantly more traffic than the attacker sends.
UDP floods work simply by sending massive amounts of traffic that the target host will receive and attempt to process: a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device's ability to process and respond.
ICMP floods, also known as ping floods, are a common denial-of-service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo requests (pings).
Protocol-based network DDoS attacks abuse protocols to overwhelm a specific resource, usually a server but sometimes firewalls or load balancers. These attacks are often measured in packets per second.
Operational Technology DDoS
A denial of service against operational technology means, for example, that the power grid stops operating, or that traffic lights turn green in all directions.
These would be significant problems, creating denial of service over a very large area for a large number of people. Examples of OT include industrial control systems, building management systems, factories, power plants, fire control systems, and physical access control mechanisms. A key element for security practitioners to remember is that OT will typically have less reporting, less management, and fewer security capabilities built in, meaning that detecting and responding to network DDoS and other attacks against OT devices and systems will need to be handled using external devices and tools.