CompTIA® Security+ Exam Notes : Given A Scenario, Implement Secure Protocols

2. Technologies and Tools

2.6 Given a scenario, implement secure protocols

The following port numbers are important from Sec+ exam:

Description                                                                                         IP protocol   Port
FTP - File Transfer Protocol                                                                        TCP           20, 21
SSH - Secure Shell                                                                                  SCTP, TCP     22
SFTP - Secure File Transfer Protocol (uses SSH)                                                     SCTP, TCP     22
SCP - Secure Copy (uses SSH)                                                                        SCTP, TCP     22
Telnet                                                                                              TCP           23
SMTP - Simple Mail Transfer Protocol                                                                TCP           25
TACACS - Terminal Access Controller Access-Control System                                           TCP/UDP       49
DNS - Domain Name System                                                                            UDP           53
TFTP - Trivial File Transfer Protocol                                                               UDP           69
HTTP - Hypertext Transfer Protocol                                                                  TCP           80
Kerberos                                                                                            UDP           88
POP3 - Post Office Protocol version 3                                                               TCP           110
NNTP - Network News Transfer Protocol                                                               TCP           119
IMAP4 - Internet Message Access Protocol version 4                                                  TCP           143
SNMP - Simple Network Management Protocol                                                           TCP/UDP       161
SNMP Trap - Simple Network Management Protocol Trap                                                 TCP/UDP       162
HTTPS - Hypertext Transfer Protocol Secure                                                          TCP           443
ISAKMP (VPN) - Internet Security Association and Key Management Protocol (virtual private network)  UDP           500
Syslog                                                                                              TCP/UDP       514
L2TP - Layer 2 Tunneling Protocol                                                                   UDP           1701
PPTP - Point-to-Point Tunneling Protocol                                                            TCP           1723
RDP - Remote Desktop Protocol                                                                       TCP/UDP       3389

A DNS server uses UDP port 53 for name resolution. A web server uses port 80. DHCP uses port 67 by default. FTP uses port 21.
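The port table is most useful when you turn it into a check. The following is an added example, not code from these notes: it scans constructed firewall log lines for allowed connections to the cleartext services listed above and names the secure replacement the notes recommend. The log format, the addresses and the LDAP/LDAPS ports (389/636, standard assignments not in the table) are assumptions of this example.

```python
import re
from collections import Counter

# Cleartext services from the port table above, with the secure replacement the notes recommend.
# LDAP 389 / LDAPS 636 are standard IANA assignments not listed in that table.
CLEARTEXT_SERVICES = {
    ("tcp", 20): ("FTP data", "FTPS, or SFTP/SCP over SSH (TCP 22)"),
    ("tcp", 21): ("FTP control", "FTPS, or SFTP/SCP over SSH (TCP 22)"),
    ("tcp", 23): ("Telnet", "SSH (TCP 22)"),
    ("udp", 69): ("TFTP", "SFTP/SCP over SSH (TCP 22)"),
    ("tcp", 80): ("HTTP", "HTTPS (TCP 443)"),
    ("udp", 161): ("SNMP (v1/v2c are clear text; confirm the version)", "SNMPv3"),
    ("udp", 162): ("SNMP trap (v1/v2c are clear text; confirm the version)", "SNMPv3"),
    ("tcp", 389): ("LDAP", "LDAPS (TCP 636)"),
}

# Constructed firewall log format: "<timestamp> ALLOW|DENY TCP|UDP src:port -> dst:port"
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log (documentation/private address ranges, not a real capture).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z ALLOW TCP 10.0.0.5:51234 -> 10.0.0.9:23",
    "2024-05-01T10:00:02Z ALLOW TCP 10.0.0.5:51235 -> 10.0.0.9:22",
    "2024-05-01T10:00:03Z ALLOW TCP 10.0.0.7:40001 -> 192.0.2.10:21",
    "2024-05-01T10:00:04Z DENY  TCP 10.0.0.7:40002 -> 192.0.2.10:23",
    "2024-05-01T10:00:05Z ALLOW UDP 10.0.0.8:55000 -> 10.0.0.2:161",
    "2024-05-01T10:00:06Z ALLOW TCP 10.0.0.8:55001 -> 10.0.0.3:443",
]

def audit_connections(lines):
    """Return one finding per ALLOWed connection whose destination is a cleartext service port."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # denied flows carried no data; unparseable lines are skipped
        key = (m["proto"].lower(), int(m["dport"]))  # classify on the destination port only
        if key in CLEARTEXT_SERVICES:
            service, replacement = CLEARTEXT_SERVICES[key]
            findings.append({"src": m["src"], "dst": m["dst"], "port": key[1],
                             "service": service, "replace_with": replacement})
    return findings

def summarize(findings):
    """Count findings per service, for a report of which cleartext protocols are still in use."""
    return Counter(f["service"] for f in findings)
```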

A MAC address filter works at the Physical layer of the OSI model.

FTP: File Transfer Protocol (FTP) transfers files in unencrypted form. Even authentication occurs in clear text for FTP and Telnet, and an attacker may gain access to an FTP server by exploiting this weakness. FTP can be secured with TLS to become FTPS; if you are transferring files containing sensitive information, use FTPS rather than FTP. SFTP and SCP are alternatives to FTPS: Secure File Transfer Protocol and Secure Copy both secure file transfer, but they do so with SSH (Secure Shell) rather than SSL/TLS. The use of SFTP, SCP, or FTPS is always recommended when sensitive files are being transferred.

FTP transfers authentication information in clear text. Other security concerns with FTP include buffer overflows and anonymous access. Cache mining, however, is not a concern when using FTP.

Simple Mail Transfer Protocol (SMTP): SMTP, the main protocol used when sending email, does not include a way to authenticate where an email message originated. However, the mail server inserts a header at the top of every email message it handles; these headers record the message's route, making it possible to determine the origin of the message.
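Reading those headers is a routine incident-response step. As an added example (not from these notes), the code below rebuilds a message's route from its Received: headers; the message, host names and addresses are constructed for this example.

```python
import email
import re

# Constructed sample message (documentation host names and addresses, not a real capture).
# Each server prepends its own Received: header, so the top one is the most recent hop.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS id ABC123;
\tWed, 1 May 2024 10:05:11 +0000
Received: from relay.example.com (relay.example.com [203.0.113.4])
\tby mx.example.net with ESMTP;
\tWed, 1 May 2024 10:05:09 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.com with SMTP;
\tWed, 1 May 2024 10:05:01 +0000
From: sender@example.com
To: user@example.org
Subject: constructed test message

Hello
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_route(raw):
    """Return the hops oldest-first (origin first, your own server last).

    Only the Received: headers added by servers you control can be trusted;
    everything below them arrived with the message and may have been forged
    by the sender.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold the header continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # header without a "from ... by ..." clause; nothing to map
        ip = IP_RE.search(flat)  # first bracketed literal is the connecting host's address
        hops.append({"from": m["from"], "ip": ip.group(1) if ip else None, "by": m["by"]})
    hops.reverse()  # headers are newest-first; the route reads bottom-up
    return hops
```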

Email attachments from spammers usually contain malware, and one should never open such attachments.

SMTP relay: SMTP relay enables an email server to forward incoming e-mail (originating in some other domain) to other e-mail servers. This feature, if not disabled, is used by many spammers to send unsolicited emails. In some cases, the email server's IP address may then be blocked by other ISPs from sending emails. It is important that the SMTP relay feature is disabled if it is not used. If the relay function is required, then the domains that use the server should be specified so that spammers can't misuse the email server.

L2TP: The Layer 2 Tunnel Protocol (L2TP) is a standard that combines the best features of Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

L2TP does not provide confidentiality by itself. IPSec is normally used in combination with L2TP to provide confidentiality of communication. L2TP cannot traverse NAT, as it uses encrypted checksums that a NAT device cannot read. One possible solution is to terminate L2TP at the firewall itself or to use NAT pass-through, which some NAT devices offer.

ISAKMP: Short for Internet Security Association and Key Management Protocol, ISAKMP defines payloads for exchanging key generation and authentication data.

Domain Name System Security Extensions (DNSSEC): DNSSEC is a set of security specifications for secure DNS. DNSSEC adds security features such as digitally signed DNS responses. These mechanisms are meant to mitigate the risk of DNS attacks such as DNS poisoning. Also, when the DNS resolution process is sent in clear text, it is vulnerable to packet sniffing; therefore, DNS resolution should also be secured/encrypted.

SNMP (Simple Network Management Protocol): SNMP is used to manage networks. Each managed device has a software agent installed that reports issues and problems to a centralized SNMP management server. Versions 1 and 2 of SNMP send all data as clear text; SNMPv3 encrypts all data. In all cases, SNMPv3 should be used, because the detailed network information sent by SNMP is sensitive enough that it should never be sent in clear text. SNMP is based on the manager/agent model: the manager runs on the server, and the agent runs on the client computers. The three important constituents of SNMP are a manager, an agent, and a database of management information. The manager provides the interface between the human network manager and the management system. The agent provides the interface between the manager and the physical device(s) being managed. The manager and agent use a Management Information Base (MIB) and a set of commands to exchange information.
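The port alone does not tell you which SNMP version a device is speaking, but the version field at the start of every message does. The following is an added example, not code from these notes: it decodes the BER header of raw SNMP messages so a monitor can flag v1/v2c traffic (community string and data in clear text) and v3 messages sent without privacy. The packets are constructed by hand for this example; the v3 one is a header only.

```python
# SNMPv1 GetRequest for sysDescr.0 with the community string "public" (constructed, not captured).
SNMPV1_GET = bytes.fromhex(
    "3029" "020100" "04067075626c6963"            # SEQUENCE, INTEGER version=0 (v1), OCTET STRING "public"
    "a01c" "02040000002a" "020100" "020100"       # GetRequest-PDU, request-id, error-status, error-index
    "300e" "300c" "06082b06010201010100" "0500"   # varbind list: OID 1.3.6.1.2.1.1.1.0, NULL value
)
# SNMPv3 message header only (msgGlobalData); msgFlags 0x07 = authFlag | privFlag | reportable.
SNMPV3_AUTHPRIV = bytes.fromhex(
    "3013" "020103"                                    # SEQUENCE, INTEGER version=3
    "300e" "020101" "020300ffff" "040107" "020103"     # msgID, msgMaxSize, msgFlags, msgSecurityModel=3 (USM)
)
# Same header with msgFlags 0x04: reportable only, i.e. noAuthNoPriv.
SNMPV3_NOAUTH = SNMPV3_AUTHPRIV.replace(b"\x04\x01\x07", b"\x04\x01\x04")

def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(packet):
    """Return the SNMP version and whether the message body travels in clear text."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _tlv(body, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version in (0, 1):                   # 0 = SNMPv1, 1 = SNMPv2c
        _, community, _ = _tlv(body, pos)   # the second field is the plaintext community string
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("ascii", "replace"), "cleartext": True}
    if version == 3:
        _, global_data, _ = _tlv(body, pos)  # msgGlobalData SEQUENCE
        p = 0
        for _ in range(2):                   # skip msgID and msgMaxSize
            _, _, p = _tlv(global_data, p)
        _, flags, _ = _tlv(global_data, p)   # msgFlags: bit 0 = auth, bit 1 = priv
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        return {"version": "v3", "auth": auth, "priv": priv, "cleartext": not priv}
    return {"version": f"unknown({version})", "cleartext": True}
```

A v3 message with the priv flag clear is still readable on the wire, which is why "use SNMPv3" in practice means "use SNMPv3 with authPriv".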

Lightweight Directory Access Protocol (LDAP): LDAP is a directory protocol that contains literally all the information about your network. It lists all directory services, servers, workstations, users, etc. An attacker would find this information very useful. Therefore, it is recommended that you encrypt this traffic with TLS. Any time you are concerned about an attacker enumerating your network, you should use LDAPS.

Syslog stands for System Logging Protocol and is a standard protocol used on Linux systems to send system log or event messages to a specific server, called a syslog server. journalctl is the command used to view these logs.

NXLog: This tool suite can handle syslog-type data as well as other log formats, including Microsoft Windows logs.

Syslog, rsyslog, and syslog-ng all move data into log files on a log server. Rsyslog and syslog-ng both extend the original syslog standard by adding capabilities such as content filtering, log enrichment, and correlation of data elements into higher-level events.

IPFIX works like NetFlow, identifying which machines are communicating with each other. The primary purpose of IPFIX is to provide a central monitoring station with information about the state of the network. IPFIX is a push-based protocol, where the sender sends the reports and receives no response from the receiver.
