implementing secure protocolsrowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter10.pdfn dns is a...

.

CIS 3500 1

Implementing Secure Protocols

Chapter #10:

Technologies and Tools

Chapter Objectives

n Learn to implement secure protocols for given scenarios

n Explore use cases for secure protocols

Implementing Secure Protocols2

Secure Protocols

n Protocols enable communication between components

n They are independent of vendor

n Act as a language that specifies how communications are to

be conducted, and what can be communicated

n Protocols may have both secure and non/secure versions


DNSSEC

n T h e D o m a in N a m e S e r v ic e ( D N S ) is a p r o to c o l fo r th e t r a n s la t io n o f n a m e s in to

I P a d d r e s s e s

n T h e p r o to c o l u s e s U D P o v e r p o r t 5 3 fo r s ta n d a rd q u e r ie s

n D N S is a h ie r a r c h ic a l s y s te m o f s e r v e r s

n R e q u e s t s a n d r e p l ie s a r e s e n t in p la in te x t a n d a r e s u b je c t t o s p o o f in g

n D N S S E C ( D o m a in N a m e S y s te m S e c u r it y E x te n s io n s ) is t o u s e o f c r y p to g r a p h y ,

e n a b le s o r ig in a u th e n t ic a t io n , a u th e n t ic a te d d e n ia l o f e x is t e n c e , a n d d a ta

in te g r it y

n D N S S E C r e c o r d s a r e s ig n e d

n U D P 5 3 a r e s iz e l im it e d to 5 1 2 b y te s , a n d D N S S E C p a c k e t s c a n b e la r g e r –

D N S S E C ty p ic a l ly u s e s T C P p o r t 5 3


.

CIS 3500 2

SSH

n The Secure Shell (SSH) protocol is an encrypted remote

terminal connection

n SSH uses asymmetric encryption

n Generally requires an independent source of trust with a

server, such as manually receiving a server key

n SSH uses TCP port 22 as its default port


S/MIME

n MIME (Multipurpose Internet Mail Extensions) is a standard

for transmitting binary data via an e-mail

n They are sent as plaintext files, and any attachments need

to be encoded with base64 encoding – no security

n S/MIME (Secure/Multipurpose Internet Mail Extensions) is a

standard for public key encryption and signing of MIME data

n S/MIME is designed to provide cryptographic protections to

e-mails and facilitate interoperability


SRTP

n The Secure Real-time Transport Protocol (SRTP) is a

network protocol for securely delivering audio and video

over IP networks

n It uses cryptography to provide encryption, message

authentication and integrity, and replay protection to the

RTP data


LDAPS

n L D A P is th e p r im a ry p r o to c o l fo r t r a n s m it t in g d ir e c to r y in fo rm a t io n e .g . A c t iv e

D ir e c to r y d a ta s e t s

n L ig h tw e ig h t D ir e c to r y A c c e s s P r o to c o l ( L D A P ) t r a f f ic is t r a n s m it t e d in s e c u r e ly

n Y o u c a n m a k e L D A P t r a f f ic s e c u r e b y u s in g it w ith S S L / T L S , k n o w n a s L D A P

S e c u r e ( L D A P S )

n L D A P is e n a b le d o v e r S S L / T L S b y u s in g a c e r t i f ic a te f r o m a t r u s te d c e r t i f ic a te

a u th o r it y ( C A )

n L D A P S u s e s a T L S /S S L tu n n e l t o c o n n e c t L D A P s e r v ic e s

n T h is m e th o d w a s r e t ir e d w ith L D A P v 2 , a n d r e p la c e d w ith S im p le A u th e n t ic a t io n

a n d S e c u r it y L a y e r ( S A S L ) in L D A P v 3


.

CIS 3500 3

FTPS

n FTPS is the implementation of FTP over an SSL/TLS secured

channel

n This supports complete FTP compatibility, yet provides the

encryption protections enabled by SSL/ TLS

n FTPS uses TCP ports 989 and 990


SFTP

n SFTP is the use of FTP over an SSH channel

n This leverages the encryption protections of SSH to secure

FTP transfers

n Because of its reliance on SSH, it uses TCP port 22


SNMP v3

n The Simple Network Management Protocol version 3

(SNMP v3) is a standard for managing devices on networks

n I was developed specifically to address the security

concerns and vulnerabilities of SNMP v1 and SNMP v2

n All versions of SNMP require ports 161 and 162 to be open

on a firewall


SSL/TLS

n Secure Sockets Layer (SSL) is an encryption technology developed for

transport-layer protocols across the Web

n It uses public key encryption methods to exchange a symmetric key

for use in confidentiality and integrity

n The current version, V3, is outdated, having been replaced by the IETF

standard TLS

n Transport Layer Security (TLS) is an IETF standard for encryption and

replaces SSL –not compatible

n The standard port for SSL and TLS is undefined – it depends upon

what the protocol that is being protected usesImplementing Secure Protocols12

.

CIS 3500 4

HTTPS

n Hypertext Transfer Protocol Secure (HTTPS) is the use of

SSL or TLS to encrypt a channel over which HTTP traffic is

transmitted

n Because of issues with all versions of SSL, only TLS is

recommended for use

n This uses TCP port 443

n HTTPS is the most widely used method to secure HTTP

traffic


Secure POP/IMAP

n Secure POP/IMAP refers to POP3 and IMAP (respectively)

over an SSL/TLS session

n Secure POP3 utilizes TCP port 995

n Secure IMAP uses TCP port 993

n Encrypted data from the e-mail client is sent to server

n TLS is the preferred protocol today

n SMTP uses port 25, and SSL/TLS encrypted SMTP uses port

465


Use Cases

n Various IETF working groups have been working to

standardize some general-purpose security protocols

n Some can be reused over and over instead of inventing new

ones for each use case

n SASL is a standardized method of invoking a TLS tunnel to

secure a communication channel

n This method is shown to work with a wide range of

services, currently more than 15


Voice and Video

n Voice and video are frequently streaming media and they

have their own protocols for encoding data streams

n To securely transfer this material, you can use the Secure

Real-time Transport Protocol (SRTP)

n Audio and video over IP networks. SRTP is covered in RFC

3711 (https://tools.ietf.org/html/rfc3711).


.

CIS 3500 5

Time Synchronization

n Network Time Protocol (NTP) is the standard for time

synchronization across servers and clients

n NTP is transmitted over UDP port 123

n NTP has no assurance against a man-in-the-middle attack

n You could enclose all time communications using a TLS

tunnel, although this is not an industry practice

n Since time is very important that port is always available

and open for potential attacks


E-mail and Web

n E-mail and the Web are native plaintext-based systems

n HTTPS relies on SSL/TLS to secure web connections

n Use of HTTPS is widespread and common (msudenver.edu)

n E-mail is a bit more complicated to secure, and the best

option is via S/MIME

n Lately there have been security issues not with the protocol

but how TLS was attached and implemented with e-mail

n There are also industry requirements to retire unsafe version


File Transfer

n Secure file transfer can be accomplished via a wide range of

methods, ensuring the confidentiality and integrity of file

transfers across networks

n FTP is not secure but sFTP and FTPS are secure alternatives

that can be used

n Metro only allows sFTP for file transfers – otherwise the

connection will be refused


Directory Services

n Directory services use LDAP as the primary protocol

n When security is required, LDAPS is a common option

n Directory services are frequently found behind the scenes

with respect to logon information

n Directory information is very important and needs to be

protected

n It is challenging with cloud services using SSO solution


.

CIS 3500 6

Remote Access

n Remote access is the means by which users can access computer

resources across a network

n Securing remote access can be done via many means

n Organizations commonly use SSL/TLS

n Depending upon the device being accessed, a variety of secure

protocols exist

n networking equipment SSH is the secure alternative to Telnet

n servers and other computer connections, access via VPN, or use of

IPSec, is common


Domain Name Resolution

n Domain name resolution is performed primarily by DNS

n DNS is a plaintext protocol and DNSSEC is not widely used

n DNSSEC has been available in Windows Active Directory

domains since 2012

n TCP and UDP port 53 can be used for DNS, with the need of

firewall protection between the Internet and TCP port 53 to

prevent attackers from accessing zone transfers


Routing and Switching

n Routing and switching are the backbone functions of

networking in a system

n Managing the data associated with networking is the

province of SNMP v3

n It enables applications to manage data associated with

networking and devices

n Local access to the boxes may be accomplished by Telnet,

although for security reasons SSH should be used instead


Network Address Allocation

n Managing network address allocation requires multiple

decision criteria, including the reduction of complexity and

the management of device names and locations

n SNMPv3 has many functions that can be employed to

manage the data flows

n IP addresses can be allocated either statically, or via DHCP

n IP address allocation is part of proper network design –

segmentation, traffic control


.

CIS 3500 7

Subscription Services

n Subscription services is the management of data flows to

and from a system based on either a push (publish) or pull

(subscribe) model

n Managing data can be managed by using directory services

n Software as a Service (SaaS) model

n The actual software is hosted centrally, commonly in the

cloud, and user access is based on subscriptions

n This is becoming a common software business model


Stay Alert!

There is no 100 percent secure system, and

there is nothing that is foolproof!

implementing secure protocolsrowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter10.pdfn dns is a...

Documents