CHAPTER 10

Implementing Secure Protocols

In this chapter, you will

•  Learn to implement secure protocols for given scenarios

•  Explore use cases for secure protocols

Protocols enable communication between components, independent of vendor, and act as a language that specifies how communications are to be conducted, and what can be communicated. As is true of many communications technologies, protocols have both secure and nonsecure versions. This chapter examines common protocols that can be secured and their use cases.

Certification Objective   This chapter covers CompTIA Security+ exam objective 2.6, Given a scenario, implement secure protocols. This exam objective is a good candidate for performance-based questions, which means you should expect questions in which you must apply your knowledge of the topic to a scenario. The best answer to a question will depend upon specific details in the scenario preceding the question, not just the question. The question may also involve tasks other than just picking the best answer from a list. Instead, it may involve actual simulation of steps to take to solve a problem.

Secure Protocols

Protocols act as a common language, allowing different components to talk using a common, known set of commands. Secure protocols are those that have built-in security mechanisms, so that security can be enforced via the protocol by default. Many different protocols exist, each used to achieve specific communication goals.

EXAM TIP    During the exam, you should expect to be asked to implement common protocols and services when given a basic scenario. Pay very close attention to the protocol details and port numbers covered throughout this chapter!

DNSSEC

The Domain Name Service (DNS) is a protocol for the translation of names into IP addresses. When users enter a name such as www.example.com, the DNS system converts this name into the actual numerical IP address. DNS records are also used for e-mail delivery. The DNS protocol uses UDP over port 53 for standard queries, although TCP can be used for large transfers such as zone transfers. DNS is a hierarchical system of servers, from local copies of records, up through Internet providers to root-level servers. DNS is one of the primary underlying protocols used on the Internet and is involved in almost all addressing lookups. The problem with DNS is that requests and replies are sent in plaintext and are subject to spoofing.

DNSSEC (Domain Name System Security Extensions) is a set of extensions to the DNS protocol that, through the use of cryptography, enables origin authentication of DNS data, authenticated denial of existence, and data integrity, but does not extend to availability or confidentiality. DNSSEC records are signed so that all DNSSEC responses are authenticated but not encrypted. This prevents unauthorized DNS responses from being interpreted as correct. Authenticated denial of existence also allows a resolver to validate that a certain domain name does not exist.

Data transfers over UDP 53 are size limited to 512 bytes, and DNSSEC packets can be larger. For this reason, DNSSEC typically uses TCP port 53 for its work. It is possible to extend UDP packet size to 4096 to cope with DNSSEC, and this is covered in RFC 2671.
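
The 512-byte limit and the EDNS0 extension described above can be seen in the wire format itself. The following Python is added here as an illustration and is not code from the book: it builds a DNS query carrying an EDNS0 OPT pseudo-record that advertises a 4096-byte UDP buffer and sets the DO ("DNSSEC OK") bit, parses the query back, and shows when a response would still force a fallback to TCP. The message layout follows RFC 1035 and RFC 2671/6891; the function names, the transaction ID, and the sample name www.example.com are my own choices, and nothing is sent on the network.

```python
import struct

# Constants from the DNS and EDNS0 specifications (RFC 1035, RFC 2671/6891).
DNS_TYPE_A = 1
DNS_TYPE_OPT = 41          # OPT pseudo-RR carries the EDNS0 information
EDNS_DO_FLAG = 0x8000      # "DNSSEC OK" bit: high bit of the 16-bit flags in the TTL field
CLASSIC_UDP_LIMIT = 512    # maximum DNS/UDP payload without EDNS0


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed wire-format name at offset; return (name, new_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(name: str, qtype: int = DNS_TYPE_A, txid: int = 0x1234,
                udp_payload=4096, dnssec_ok: bool = True) -> bytes:
    """Build a DNS query. With udp_payload set, append an EDNS0 OPT record whose CLASS
    field advertises the receive buffer size and whose TTL field carries the DO bit.
    Pass udp_payload=None for a classic query with no OPT record (512-byte limit)."""
    arcount = 0 if udp_payload is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags 0x0100 = RD
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # QCLASS 1 = IN
    if udp_payload is None:
        return header + question
    ttl = EDNS_DO_FLAG if dnssec_ok else 0   # extended RCODE 0, EDNS version 0, flags
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload, ttl, 0)  # root name, no RDATA
    return header + question + opt


def parse_query(msg: bytes) -> dict:
    """Parse a single-question, uncompressed query and report the EDNS0 parameters it
    advertises. Without an OPT record the effective UDP limit is the classic 512 bytes."""
    txid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset = 12
    qname, offset = decode_name(msg, offset)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    info = {"id": txid, "qname": qname, "qtype": qtype,
            "recursion_desired": bool(flags & 0x0100),
            "edns": False, "udp_payload": CLASSIC_UDP_LIMIT, "dnssec_ok": False}
    for _ in range(arcount):
        _rname, offset = decode_name(msg, offset)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            info["edns"] = True
            info["udp_payload"] = rclass          # CLASS is reused as the payload size
            info["dnssec_ok"] = bool(rttl & EDNS_DO_FLAG)
    return info


def fits_in_udp(response_size: int, advertised: int = CLASSIC_UDP_LIMIT) -> bool:
    """True if a response of this size fits the advertised UDP buffer. Otherwise the
    server truncates it (TC bit) and the resolver must retry over TCP port 53."""
    return response_size <= advertised


if __name__ == "__main__":
    query = build_query("www.example.com")
    print(query.hex())
    print(parse_query(query))
    print("1200-byte signed answer fits classic UDP:", fits_in_udp(1200))
    print("1200-byte signed answer fits EDNS0 4096:", fits_in_udp(1200, 4096))
```

A resolver that omits the OPT record is limited to 512 bytes, which is why large signed answers then arrive truncated and are refetched over TCP; advertising 4096 bytes lets the same answer complete over UDP.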

SSH

The Secure Shell (SSH) protocol is an encrypted remote terminal connection program used for remote connections to a server. SSH uses asymmetric encryption but generally requires an independent source of trust with a server, such as manually receiving a server key, to operate. SSH uses TCP port 22 as its default port.

EXAM TIP    SSH uses public-key cryptography for secure remote terminal access and was designed as a secure replacement for Telnet.

S/MIME

MIME (Multipurpose Internet Mail Extensions) is a standard for transmitting binary data via e-mail. E-mails are sent as plaintext files, so any attachments need to be encoded to fit the plaintext format; MIME specifies how this is done with base64 encoding. Because it is plaintext, there is no security associated with the attachments; they can be read by any machine between sender and receiver. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data in e-mails. S/MIME is designed to provide cryptographic protections to e-mails and is built into the majority of modern e-mail software to facilitate interoperability.

SRTP

The Secure Real-time Transport Protocol (SRTP) is a network protocol for securely delivering audio and video over IP networks. SRTP uses cryptography to provide encryption, message authentication and integrity, and replay protection to the RTP data.

LDAPS

LDAP is the primary protocol for transmitting directory information. Directory services may provide any organized set of records, often with a hierarchical structure, and are used in a wide variety of situations including Active Directory datasets. By default, Lightweight Directory Access Protocol (LDAP) traffic is transmitted insecurely. You can make LDAP traffic secure by using it with SSL/TLS, known as LDAP Secure (LDAPS). Commonly, LDAP is enabled over SSL/TLS by using a certificate from a trusted certificate authority (CA).

LDAPS uses a TLS/SSL tunnel to connect LDAP services. Technically, this method was retired with LDAPv2, and replaced with Simple Authentication and Security Layer (SASL) in LDAPv3. SASL (which is not listed in the exam objectives) is a standard method of using TLS to secure services across the Internet.

EXAM TIP    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.

FTPS

FTPS is the implementation of FTP over an SSL/TLS secured channel. This supports complete FTP compatibility, yet provides the encryption protections enabled by SSL/TLS. FTPS uses TCP ports 989 and 990.

SFTP

SFTP is the use of FTP over an SSH channel. This leverages the encryption protections of SSH to secure FTP transfers. Because of its reliance on SSH, it uses TCP port 22.

SNMPv3

The Simple Network Management Protocol version 3 (SNMPv3) is a standard for managing devices on IP-based networks. SNMPv3 was developed specifically to address the security concerns and vulnerabilities of SNMPv1 and SNMPv2. SNMP is an application layer protocol, part of the IP suite of protocols, and can be used to manage and monitor devices, including network devices, computers, and other devices connected to the IP network. All versions of SNMP require ports 161 and 162 to be open on a firewall.

SSL/TLS

Secure Sockets Layer (SSL) is an application of encryption technology developed for transport-layer protocols across the Web. This protocol uses public key encryption methods to exchange a symmetric key for use in confidentiality and integrity protection as well as authentication. The current version, V3, is outdated, having been replaced by the IETF standard TLS. All versions of SSL have been deprecated due to security issues, and in the vast majority of commercial servers employing SSL/TLS, SSL has been retired. Because the term is so widely used, "SSL" will persist for quite a while, but the function is now performed by TLS.

Transport Layer Security (TLS) is an IETF standard for the employment of encryption technology and replaces SSL. Using the same basic principles, TLS updates the mechanisms employed by SSL. Although sometimes referred to as SSL, it is a separate standard. There is no single standard port for SSL and TLS; the port depends on the protocol being protected. For example, HTTP on port 80 becomes HTTPS on port 443.

HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is the use of SSL or TLS to encrypt a channel over which HTTP traffic is transmitted. Because of issues with all versions of SSL, only TLS is recommended for use. This uses TCP port 443. HTTPS is the most widely used method to secure HTTP traffic.

Secure POP/IMAP

Secure POP/IMAP, as listed under exam objective 2.6, refers to POP3 and IMAP (respectively) over an SSL/TLS session. Secure POP3 uses TCP port 995 and Secure IMAP uses TCP port 993. Encrypted data from the e-mail client is sent to the e-mail server over an SSL/TLS session. With the deprecation of SSL, TLS is the preferred protocol today. If e-mail connections are started in nonsecure mode, the STARTTLS directive tells the clients to change to the secure ports. The other mail protocol, SMTP, uses port 25, and SSL/TLS-encrypted SMTP uses port 465.
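
The chapter's advice for SSL/TLS, HTTPS, LDAPS and secure POP/IMAP comes down to one client-side rule: SSL off, TLS on, and the server certificate checked. The Python below is added as an example and is not taken from the book. It builds a client context that enforces that rule, audits any context against it, and wraps a socket in implicit TLS as used on ports such as 443, 993, 995 and 636. The weak make_legacy_context is constructed only to show what the audit flags; the function names, the TLS_PORTS table and the 10-second timeout are my own choices.

```python
import socket
import ssl

# TLS-wrapped service ports named in this chapter (implicit TLS: handshake first, then the
# application protocol).
TLS_PORTS = {"https": 443, "imaps": 993, "pop3s": 995, "ldaps": 636,
             "ldaps-gc": 3269, "smtps": 465}


def make_client_context(cafile=None) -> ssl.SSLContext:
    """Return a client SSLContext that refuses every SSL version, requires TLS 1.2 or
    later, and verifies both the server certificate and its host name. cafile is
    optional; when None the platform trust store is used."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # explicit, whatever the library default
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """A deliberately weak context of the kind found in old scripts: certificate and
    host-name verification switched off. Built here only so the audit has something
    to flag; never use it for real connections."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context follows the chapter's
    guidance (no SSLv3, TLS 1.2+, certificate and host-name verification on)."""
    findings = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 not disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate")
    return findings


def open_tls_connection(host: str, port: int, ctx=None, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TCP connection and wrap it in TLS immediately (implicit TLS, as on
    993/995/636/443). Raises ssl.SSLError or ssl.CertificateError if the handshake fails
    or the certificate is untrusted, so a downgraded or spoofed server is never used."""
    ctx = ctx or make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("legacy:  ", audit_context(make_legacy_context()))
```

The same context object can be handed to the standard library's mail clients (for example the ssl_context parameter of imaplib.IMAP4_SSL and poplib.POP3_SSL), so one hardened configuration covers every implicit-TLS port in the table.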

EXAM TIP    IMAP uses port 143, but secure IMAP uses port 993. POP uses port 110, but secure POP uses port 995.

Use Cases

Protocols enable parties to have a common understanding of how communications will be handled and they define the expectations for each party. Since different use cases have different communication needs, different protocols are used in different use cases. Various IETF working groups have been working to standardize some general-purpose security protocols, ones that can be reused over and over instead of inventing new ones for each use case. SASL, introduced earlier in the chapter, is an example of such an effort; SASL is a standardized method of invoking a TLS tunnel to secure a communication channel. This method is shown to work with a wide range of services, currently more than 15 and increasing.

This section examines some common use cases and the associated secure protocols used in them.

EXAM TIP    This section covers how the various protocols are used in different use cases. Given a use case on the exam, you need to be able to identify the correct protocol(s), as well as be able to do the same in reverse, identify use cases for a given protocol.

Voice and Video

Voice and video are frequently streaming media and, as such, have their own protocols for the encoding of the data streams. To securely transfer this material, you can use the Secure Real-time Transport Protocol (SRTP), which securely delivers audio and video over IP networks. SRTP is covered in RFC 3711 (https://tools.ietf.org/html/rfc3711).

Time Synchronization

Network Time Protocol (NTP) is the standard for time synchronization across servers and clients. NTP is transmitted over UDP port 123. NTP provides no assurance against a man-in-the-middle attack. Although this has raised concerns over the implications, to date nothing has been done to secure NTP directly or to engineer an out-of-band security check. If you are hypersensitive to this risk, you could enclose all time communications in a TLS tunnel, although this is not an industry practice.

E-mail and Web

E-mail and the Web are both native plaintext-based systems. As discussed previously in this chapter, HTTPS, which relies on SSL/TLS, is used to secure web connections. Use of HTTPS is widespread and common. Keep in mind that SSL is no longer considered secure. E-mail is a bit more complicated to secure, and the best option is via S/MIME, also discussed previously in this chapter.

File Transfer

Secure file transfer can be accomplished via a wide range of methods, ensuring the confidentiality and integrity of file transfers across networks. FTP is not secure, but as previously discussed, SFTP and FTPS are secure alternatives that can be used.

Directory Services

Directory services use LDAP as the primary protocol. When security is required, LDAPS is a common option, as described previously. Directory services are frequently found behind the scenes with respect to logon information.

Remote Access

Remote access is the means by which users can access computer resources across a network. Securing remote access can be done via many means, some for securing the authentication process and others for the actual data access itself. As with many situations that require securing communication channels or data in transit, organizations commonly use SSL/TLS to secure remote access. Depending upon the device being accessed, a variety of secure protocols exist. For networking equipment, such as routers and switches, SSH is the secure alternative to Telnet. For servers and other computer connections, access via VPN, or use of IPSec, is common.

Domain Name Resolution

Domain name resolution is performed primarily by the DNS protocol. DNS is a plaintext protocol, and the secure version, DNSSEC, is not yet widely deployed. For local deployments, DNSSEC has been available in Windows Active Directory domains since 2012. From an operational perspective, both TCP and UDP port 53 can be used for DNS, and firewall protection is needed between the Internet and TCP port 53 to prevent attackers from requesting zone transfers.

Routing and Switching

Routing and switching are the backbone functions of networking in a system. Managing the data associated with networking is the province of SNMPv3. SNMPv3 enables applications to manage data associated with networking and devices. Local access to the boxes may be accomplished by Telnet, although for security reasons SSH should be used instead.
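
The File Transfer, Directory Services, Remote Access, and Routing and Switching use cases above all reduce to one check: is a plaintext protocol still in use where the chapter names a secure replacement? The Python below is added as an example and is not from the book. It parses a small set of constructed firewall flow-log lines (the key=value layout, timestamps and addresses are invented for this example) and reports allowed connections to plaintext service ports together with the secure alternative the chapter prescribes. SNMP is handled separately because every SNMP version uses ports 161 and 162, so a port-based check can only ask for a configuration review, not prove that v1 or v2 is in use.

```python
import re
from collections import Counter

# Plaintext services and the secure replacement this chapter prescribes, keyed by
# (transport, destination port). The plaintext ports are the IANA-registered defaults.
PLAINTEXT_SERVICES = {
    ("tcp", 23):  ("Telnet", "SSH, TCP 22"),
    ("tcp", 21):  ("FTP",    "SFTP (TCP 22) or FTPS (TCP 989/990)"),
    ("tcp", 80):  ("HTTP",   "HTTPS, TCP 443"),
    ("tcp", 389): ("LDAP",   "LDAPS, TCP 636 (global catalog: TCP 3269)"),
    ("tcp", 110): ("POP3",   "Secure POP3, TCP 995"),
    ("tcp", 143): ("IMAP",   "Secure IMAP, TCP 993"),
    ("tcp", 25):  ("SMTP",   "SMTP over SSL/TLS, TCP 465"),
}

# SNMP uses the same ports in every version, so the port alone cannot show whether v3 is in use.
VERSION_CHECK_ONLY = {("udp", 161): "SNMP", ("udp", 162): "SNMP trap"}
SNMP_ADVICE = "confirm SNMPv3 with authentication and privacy is configured on both ends"

# Constructed flow-log lines in a simple key=value layout (not output of any real device).
SAMPLE_FLOWS = """\
2024-03-01T08:00:01Z src=10.1.1.15 dst=10.1.1.2 proto=tcp dport=23 action=allow
2024-03-01T08:00:02Z src=10.1.1.15 dst=10.1.1.2 proto=tcp dport=22 action=allow
2024-03-01T08:00:03Z src=10.1.1.40 dst=10.1.1.9 proto=tcp dport=389 action=allow
2024-03-01T08:00:04Z src=10.1.1.40 dst=10.1.1.9 proto=tcp dport=636 action=allow
2024-03-01T08:00:05Z src=10.1.1.52 dst=10.1.1.30 proto=tcp dport=143 action=allow
2024-03-01T08:00:06Z src=10.1.1.52 dst=10.1.1.30 proto=tcp dport=993 action=allow
2024-03-01T08:00:07Z src=10.1.1.60 dst=10.1.1.2 proto=udp dport=161 action=allow
this line is malformed and must be skipped
2024-03-01T08:00:08Z src=10.1.1.60 dst=10.1.1.2 proto=tcp dport=23 action=deny
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$")


def parse_flows(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            record = m.groupdict()
            record["dport"] = int(record["dport"])
            yield record


def audit_flows(text: str) -> dict:
    """Return {'findings': [...], 'by_destination': Counter} for allowed plaintext flows.
    Denied flows are ignored because the firewall already blocked them."""
    findings = []
    by_dst = Counter()
    for f in parse_flows(text):
        if f["action"] != "allow":
            continue
        key = (f["proto"], f["dport"])
        if key in PLAINTEXT_SERVICES:
            service, fix = PLAINTEXT_SERVICES[key]
        elif key in VERSION_CHECK_ONLY:
            service, fix = VERSION_CHECK_ONLY[key], SNMP_ADVICE
        else:
            continue
        findings.append({"time": f["ts"], "src": f["src"], "dst": f["dst"],
                         "service": service, "port": f["dport"], "recommend": fix})
        by_dst[f["dst"]] += 1
    return {"findings": findings, "by_destination": by_dst}


if __name__ == "__main__":
    report = audit_flows(SAMPLE_FLOWS)
    for item in report["findings"]:
        print(f"{item['time']} {item['src']} -> {item['dst']}:{item['port']} "
              f"{item['service']} in plaintext; use {item['recommend']}")
    print("hosts receiving plaintext traffic:", dict(report["by_destination"]))
```

The per-destination count is the useful output for remediation: a host that keeps receiving Telnet or LDAP connections after its SSH or LDAPS listener is up is where the client configurations still need changing.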

Network Address Allocation

Managing network address allocation functions in a network requires multiple decision criteria, including the reduction of complexity and the management of device names and locations. SNMPv3 has many functions that can be employed to manage the data flows of this information to management applications that can assist administrators in network assignments.

IP addresses can be allocated either statically, which means manually configuring a fixed IP address for each device, or via DHCP, which allows the automation of assigning IP addresses. In some cases, a mix of static and DHCP is used. IP address allocation is part of proper network design, which is crucial to the performance and expandability of a network. Learn how to properly allocate IP addresses for a new network—and know your options if you run out of IP addresses.

EXAM TIP    The past several use cases are related but different. Pay careful attention to the exact wording of the question being asked when you have to choose among options such as domain name resolution, routing, and address allocation. These are all associated with IP networking, but they perform separate functions.

Subscription Services

Subscription services manage data flows to and from a system based on either a push (publish) or pull (subscribe) model. Managing which data elements are needed by which nodes is a problem that you can tackle by using directory services, such as LDAP.

Another use of subscription services is the Software as a Service (SaaS) model, where software is licensed on a subscription basis. The actual software is hosted centrally, commonly in the cloud, and user access is based on subscriptions. This is becoming a common software business model.

Chapter Review

In this chapter, you became acquainted with secure protocols used in an enterprise and the use cases to which they apply. Specifically, you examined DNSSEC, SSH, S/MIME, SRTP, LDAPS, FTPS, SFTP, SNMPv3, SSL/TLS, HTTPS, and Secure POP3/IMAP and then learned which protocols apply in use cases involving voice and video, time synchronization, e-mail, the Web, file transfer, directory services, remote access, domain name resolution, routing and switching, network address allocation, and subscription services. The key element of this chapter is that it prepared you to choose the correct secure protocols for use cases when given a scenario on the CompTIA Security+ exam.

Questions

To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.

1. Which of the following accurately describes the purpose of computer protocols?

A. They provide security and scalability.

B. They allow developers to use any programming language on any platform.

C. They define the state of a virtual machine at a point in time.

D. They act as a common language to allow different components to communicate.

2. What is the purpose of the DNS protocol?

A. It provides a function for charging SaaS on a per-use basis.

B. It translates names into IP addresses.

C. It supports the networking infrastructure.

D. It defines tenants in a public cloud.

3. A user reports to the help desk that he is getting “cannot resolve address” error messages from his browser. Which port is likely a problem on his firewall?

A. 22

B. 53

C. 440

D. 553

4. What is a weakness of the DNS protocol?

A. Requests and replies are sent in plaintext.

B. It doesn’t provide billing standardization in cloud infrastructures.

C. TCP can be used for large transfers such as zone transfers.

D. Its encryption capabilities are slow.

5. Which of the following is a benefit of DNSSEC?

A. Scalability

B. Lower expenditures from operations capital (OpsCap) expenditures

C. Enables origin authentication, authenticated denial of existence, and data integrity

D. Availability and confidentiality

6. What is the Secure Shell (SSH) protocol?

A. It is an encrypted remote terminal connection program used for remote connections to a server.

B. It provides dynamic network address translation.

C. It provides Software as a Service (SaaS).

D. It provides snapshots of physical machines at a point in time.

7. What is the purpose of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol?

A. It is used in audio encryption.

B. It optimizes the use of ports 80 and 443.

C. It encrypts HTTP traffic.

D. It provides cryptographic protections to e-mails.

8. What is the purpose of Secure Real-time Transport Protocol (SRTP)?

A. It encrypts SMTP traffic.

B. It encrypts port 22.

C. It securely delivers audio and video over IP networks.

D. It encrypts e-mails with a public key.

9. What is the purpose of Lightweight Directory Access Protocol Secure (LDAPS)?

A. It leverages encryption protections of SSH to secure FTP transfers.

B. It uses an SSL/TLS tunnel to connect LDAP services.

C. It digitally signs DNS records.

D. It provides both symmetric and asymmetric encryption.

10. Which port does FTPS use?

A. 53

B. 83

C. 990

D. 991

11. You are a security admin for XYZ company. You suspect that company e-mails using default POP and IMAP e-mail protocols and ports are getting intercepted while in transit. Which of the following ports should you consider using?

A. Port 995 and 993

B. Port 53 and 22

C. Port 110 and 143

D. Port 161 and 16240

12. What is the purpose of the Simple Network Management Protocol (SNMP)?

A. It provides asymmetric encryption values.

B. It achieves specific communication goals.

C. It provides a common language for developers.

D. It is used to manage devices on IP-based networks.

13. What is the purpose of the Secure Sockets Layer (SSL) protocol?

A. It provides monitoring capabilities on IP networks.

B. It provides static network address translation.

C. It supports the implementation of a private cloud.

D. It provides encryption for transport-layer protocols across the Web.

14. Which of the following correctly describes Transport Layer Security (TLS)?

A. It replaces SSL.

B. It extends SNMP.

C. It provides Port Address Translation.

D. It uses port 22 for encryption.

15. What is the purpose of HTTPS?

A. To allow enumeration and monitoring of network resources

B. To use SSL or TLS to encrypt a channel over which HTTP traffic is transmitted

C. To implement single sign-on

D. To enhance communication protocols

Answers

1. D. Computer protocols act as a common language to allow different components to communicate.

2. B. Domain Name Service (DNS) translates names into IP addresses.

3. B. Domain Name Service (DNS) uses TCP and UDP port 53 for standard queries and responses.

4. A. A major weakness of the DNS protocol is that requests and replies are sent in plaintext.

5. C. A major benefit of DNSSEC is that it enables origin authentication, authenticated denial of existence, and data integrity.

6. A. The SSH protocol is an encrypted remote terminal connection program used for remote connections to a server.

7. D. The purpose of the S/MIME protocol is to provide cryptographic protections to e-mail attachments.

8. C. The purpose of SRTP is to deliver audio and video securely over IP networks.

9. B. LDAPS uses an SSL/TLS tunnel to connect LDAP services.

10. C. FTPS uses port 990.

11. A. The default POP3 and IMAP ports are 110 and 143 respectively. These are not secure. As a security admin, you should consider using secure POP using port 995 and secure IMAP using port 993.

12. D. The purpose of SNMP is to manage devices on IP-based networks.

13. D. The purpose of SSL is to provide encryption for transport-layer protocols across the Web.

14. A. TLS replaces SSL.

15. B. HTTPS uses SSL or TLS to encrypt a channel over which HTTP traffic is transmitted.