CIS 3500 1
Implementing Secure Protocols
Chapter #10:
Technologies and Tools
Chapter Objectives
n Learn to implement secure protocols for given scenarios
n Explore use cases for secure protocols
Secure Protocols
n Protocols enable communication between components
n They are independent of vendor
n Act as a language that specifies how communications are to
be conducted, and what can be communicated
n Protocols may have both secure and non-secure versions
DNSSEC
n The Domain Name Service (DNS) is a protocol for the translation of names into
IP addresses
n The protocol uses UDP over port 53 for standard queries
n DNS is a hierarchical system of servers
n Requests and replies are sent in plaintext and are subject to spoofing
n DNSSEC (Domain Name System Security Extensions) uses cryptography to enable
origin authentication, authenticated denial of existence, and data integrity
n DNSSEC records are signed
n Messages on UDP port 53 are size limited to 512 bytes, and DNSSEC packets can be larger –
DNSSEC typically uses TCP port 53
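An added example (not part of the slides): a small Python parser for the DNS header that detects the TC (truncated) bit, which is what tells a client that a UDP answer did not fit and the query must be repeated over TCP port 53, plus a query builder that sets the EDNS0 "DNSSEC OK" flag and advertises a UDP buffer larger than 512 bytes (EDNS0 goes beyond the slide, which only mentions the TCP fallback). The query name `example.com` and all message bytes are constructed for the demo.

```python
import struct

# DNS header (RFC 1035): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, each 16-bit big-endian.
FLAG_QR = 0x8000  # 1 = response
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP datagram
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data: the resolver validated the DNSSEC chain
OPT_DO = 0x00008000  # "DNSSEC OK" bit in the OPT record's TTL field (RFC 3225)


def parse_dns_header(msg):
    """Return the header fields of a DNS message as a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(response):
    """True when a UDP response carries TC=1: the client must repeat the query over TCP port 53."""
    h = parse_dns_header(response)
    return h["qr"] and h["tc"]


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dnssec_query(name, qtype=1, ident=0x1234, udp_size=4096):
    """Build a query carrying an EDNS0 OPT record: DO=1 asks for RRSIGs,
    and the CLASS field advertises a UDP buffer above the classic 512 bytes."""
    header = struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 1)  # one question, one additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE=A by default, QCLASS=IN
    # OPT RR: NAME=root (0x00), TYPE=41, CLASS=udp payload size, TTL=flags (DO bit), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, OPT_DO, 0)
    return header + question + opt
```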
SSH
n The Secure Shell (SSH) protocol is an encrypted remote
terminal connection
n SSH uses asymmetric encryption
n Generally requires an independent source of trust with a
server, such as manually receiving a server key
n SSH uses TCP port 22 as its default port
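The "independent source of trust" bullet in practice means checking the server's host-key fingerprint against a value obtained out of band before accepting it. The following added Python example (not from the slides) parses an OpenSSH public-key line as found in a server's `/etc/ssh/ssh_host_ed25519_key.pub`, computes the `SHA256:` fingerprint in the form `ssh-keygen -lf` prints, and compares it with the expected value; the key bytes and the `make_ed25519_line` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct


def parse_openssh_pubkey(line):
    """Split 'ssh-ed25519 AAAA... comment' into (key type, raw wire blob).

    The blob begins with a length-prefixed copy of the key type; a mismatch
    with the text field means the line was mis-copied or tampered with.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    ktype, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return ktype, blob


def sha256_fingerprint(blob):
    """Fingerprint as `ssh-keygen -lf` prints it: SHA256 over the wire blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(pubkey_line, expected_fingerprint):
    """Compare the key a server presents with a fingerprint obtained out of band (console, ticket, wiki)."""
    _, blob = parse_openssh_pubkey(pubkey_line)
    # constant-time comparison so a mismatch leaks nothing about how much matched
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint.strip())


def make_ed25519_line(raw32, comment="constructed-demo-key"):
    """Build an OpenSSH public-key line from 32 raw bytes. Constructed for the demo; not a real host key."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment
```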
S/MIME
n MIME (Multipurpose Internet Mail Extensions) is a standard
for transmitting binary data via an e-mail
n MIME messages are sent as plaintext files, and any attachments need
to be encoded with base64 encoding – this provides no security
n S/MIME (Secure/Multipurpose Internet Mail Extensions) is a
standard for public key encryption and signing of MIME data
n S/MIME is designed to provide cryptographic protections to
e-mails and facilitate interoperability
SRTP
n The Secure Real-time Transport Protocol (SRTP) is a
network protocol for securely delivering audio and video
over IP networks
n It uses cryptography to provide encryption, message
authentication and integrity, and replay protection to the
RTP data
LDAPS
n LDAP is the primary protocol for transmitting directory information, e.g., Active
Directory datasets
n Lightweight Directory Access Protocol (LDAP) traffic is transmitted insecurely
n You can make LDAP traffic secure by using it with SSL/TLS, known as LDAP
Secure (LDAPS)
n LDAP is enabled over SSL/TLS by using a certificate from a trusted certificate
authority (CA)
n LDAPS uses a TLS/SSL tunnel to connect LDAP services
n This method was retired with LDAPv2, and replaced with Simple Authentication
and Security Layer (SASL) in LDAPv3
FTPS
n FTPS is the implementation of FTP over an SSL/TLS secured
channel
n This supports complete FTP compatibility, yet provides the
encryption protections enabled by SSL/TLS
n FTPS uses TCP ports 989 and 990
SFTP
n SFTP is the use of FTP over an SSH channel
n This leverages the encryption protections of SSH to secure
FTP transfers
n Because of its reliance on SSH, it uses TCP port 22
SNMP v3
n The Simple Network Management Protocol version 3
(SNMP v3) is a standard for managing devices on networks
n It was developed specifically to address the security
concerns and vulnerabilities of SNMP v1 and SNMP v2
n All versions of SNMP require ports 161 and 162 to be open
on a firewall
SSL/TLS
n Secure Sockets Layer (SSL) is an encryption technology developed for
transport-layer protocols across the Web
n It uses public key encryption methods to exchange a symmetric key
for use in confidentiality and integrity
n The current version, V3, is outdated, having been replaced by the IETF
standard TLS
n Transport Layer Security (TLS) is an IETF standard for encryption and
replaces SSL – the two are not compatible
n The standard port for SSL and TLS is undefined – it depends upon
what the protocol that is being protected uses
HTTPS
n Hypertext Transfer Protocol Secure (HTTPS) is the use of
SSL or TLS to encrypt a channel over which HTTP traffic is
transmitted
n Because of issues with all versions of SSL, only TLS is
recommended for use
n This uses TCP port 443
n HTTPS is the most widely used method to secure HTTP
traffic
Secure POP/IMAP
n Secure POP/IMAP refers to POP3 and IMAP (respectively)
over an SSL/TLS session
n Secure POP3 utilizes TCP port 995
n Secure IMAP uses TCP port 993
n Encrypted data from the e-mail client is sent to the server
n TLS is the preferred protocol today
n SMTP uses port 25, and SSL/TLS encrypted SMTP uses port
465
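An added example (not from the slides) tying the SSL/TLS slide to the secure POP/IMAP ports: a Python `ssl` client configuration that enforces what the slides recommend (certificate verification and a TLS 1.2 floor, so SSLv3, TLS 1.0 and TLS 1.1 are refused), shown beside the weak setting, with a helper that wraps an IMAP connection on TCP port 993. The `audit_context` check and the `open_imaps` helper are my own; no host is contacted unless `open_imaps` is called.

```python
import socket
import ssl

# TLS-wrapped mail ports from the slides: IMAPS 993, POP3S 995, SMTPS 465.
IMAPS_PORT = 993


def weak_client_context():
    """The setting to avoid: no certificate verification and no hostname check,
    so any on-path party can present its own certificate and read the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Verify the server certificate against the system trust store (or `cafile`),
    require the name to match, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3, TLS 1.0, TLS 1.1
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the baseline above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor allows SSLv3/TLS 1.0/TLS 1.1")
    return findings


def open_imaps(host, port=IMAPS_PORT, timeout=10):
    """Open a TLS-wrapped IMAP session; return the negotiated version (e.g. 'TLSv1.3') and the greeting."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            greeting = tls.recv(256)  # IMAP servers speak first with "* OK ..."
            return tls.version(), greeting.decode("ascii", "replace").strip()
```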
Use Cases
n Various IETF working groups have been working to
standardize some general-purpose security protocols
n Some can be reused over and over instead of inventing new
ones for each use case
n SASL is a standardized method of invoking a TLS tunnel to
secure a communication channel
n This method is shown to work with a wide range of
services, currently more than 15
Voice and Video
n Voice and video are frequently streaming media and they
have their own protocols for encoding data streams
n To securely transfer this material, you can use the Secure
Real-time Transport Protocol (SRTP) for audio and video over IP networks
n SRTP is covered in RFC 3711 (https://tools.ietf.org/html/rfc3711)
Time Synchronization
n Network Time Protocol (NTP) is the standard for time
synchronization across servers and clients
n NTP is transmitted over UDP port 123
n NTP has no assurance against a man-in-the-middle attack
n You could enclose all time communications using a TLS
tunnel, although this is not an industry practice
n Since time is so important, that port is always available, and
so open to potential attacks
E-mail and Web
n E-mail and the Web are native plaintext-based systems
n HTTPS relies on SSL/TLS to secure web connections
n Use of HTTPS is widespread and common (msudenver.edu)
n E-mail is a bit more complicated to secure, and the best
option is via S/MIME
n Lately there have been security issues not with the protocol itself
but with how TLS was attached to and implemented with e-mail
n There are also industry requirements to retire unsafe versions
File Transfer
n Secure file transfer can be accomplished via a wide range of
methods, ensuring the confidentiality and integrity of file
transfers across networks
n FTP is not secure but sFTP and FTPS are secure alternatives
that can be used
n Metro only allows sFTP for file transfers – otherwise the
connection will be refused
Directory Services
n Directory services use LDAP as the primary protocol
n When security is required, LDAPS is a common option
n Directory services are frequently found behind the scenes
with respect to logon information
n Directory information is very important and needs to be
protected
n It is challenging with cloud services using SSO solutions
Remote Access
n Remote access is the means by which users can access computer
resources across a network
n Securing remote access can be done via many means
n Organizations commonly use SSL/TLS
n Depending upon the device being accessed, a variety of secure
protocols exist
n For networking equipment, SSH is the secure alternative to Telnet
n For servers and other computer connections, access via VPN, or use of
IPSec, is common
Domain Name Resolution
n Domain name resolution is performed primarily by DNS
n DNS is a plaintext protocol and DNSSEC is not widely used
n DNSSEC has been available in Windows Active Directory
domains since 2012
n TCP and UDP port 53 can be used for DNS, with the need of
firewall protection between the Internet and TCP port 53 to
prevent attackers from accessing zone transfers
Routing and Switching
n Routing and switching are the backbone functions of
networking in a system
n Managing the data associated with networking is the
province of SNMP v3
n It enables applications to manage data associated with
networking and devices
n Local access to the boxes may be accomplished by Telnet,
although for security reasons SSH should be used instead
Network Address Allocation
n Managing network address allocation requires multiple
decision criteria, including the reduction of complexity and
the management of device names and locations
n SNMPv3 has many functions that can be employed to
manage the data flows
n IP addresses can be allocated either statically, or via DHCP
n IP address allocation is part of proper network design –
segmentation, traffic control
Subscription Services
n Subscription services are the management of data flows to
and from a system based on either a push (publish) or pull
(subscribe) model
n The data can be managed by using directory services
n Software as a Service (SaaS) model
n The actual software is hosted centrally, commonly in the
cloud, and user access is based on subscriptions
n This is becoming a common software business model
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!