Lesson 12: Implementing Secure Network Access Protocols

Question 1

Dynamic Host Configuration Protocol (DHCP)

Answer 1

• provides an automatic method for network address allocation
• key point about DHCP is that only one server should be running
• DHCP broadcasts are typically limited to the local subnet
• more than one DHCP server may be running for fault tolerance, as long as they are all configured correctly, and address pools don’t overlap
• best defenses against attacks on DHCP are accomplished by general network security best practices:
• Use scanning and intrusion detection to pick up suspicious activity.
• Enable logging and review the logs for suspicious events.
• Disable unused ports and perform regular physical inspections to ensure that unauthorized devices are not connected via unused jacks.
• Enable DHCP snooping on switch access ports to prevent the use of unauthorized DHCP servers.

Question 2

Domain Name System (DNS)

Answer 2

resolves host names and domain labels to IP addresses

Question 3

DNS spoofing

Answer 3

• an attack that compromises the name resolution process
• one use of DNS spoofing is to facilitate a pharming attack
• in a pharming attack, the attacker compromises the process of DNS resolution in some way to replace the valid IP address for a trusted website such as mybank.com with the attacker’s IP address

Question 4

HOSTS

Answer 4

before DNS was developed (in the 1980s), name resolution took place using a text file named HOSTS. Each name:IP address mapping was recorded in this file and system administrators had to download the latest copy and install it on each Internet client or server manually. Even though all name resolution now functions through DNS, the HOSTS file is still present and most operating systems check the file before using DNS. Its contents are loaded into a cache of known name:IP mappings and the client only contacts a DNS server if the name is not cached

Question 5

DNS server cache poisoning (or pollution)

Answer 5

• another redirection attack, but instead of trying to subvert the name service used by the client, it aims to corrupt the records held by the DNS server itself
• typical attack would proceed as follows:
  1. The server in grommet.com wants to find an address in widget.com. It queries the root and .com name servers and gets an address for the name server for widget.com.
  2. The attacker spoofs the name server for widget.com. To do this, the attacker must compromise the genuine widget.com name server through some sort of DoS attack. The attacker just needs to ensure that his or her malicious DNS responds to grommet.com’s queries before the legitimate one.
  3. The attacker spoofs responses to the grommet.com server and poisons its cache, meaning that traffic for widget.com from grommet.com gets directed to the attacker’s IP address.

Question 6

DNS footprinting

Answer 6

• means obtaining information about a private network by using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS or simply by querying the DNS service, using a tool such as nslookup or dig
• to prevent this, you can apply an Access Control List to prevent zone transfers to unauthorized hosts or domains, to prevent an external server from obtaining information about the private network architecture
• DNS is a critical service that should be configured to be fault tolerant. DoS attacks are hard to perform against the servers that perform Internet name resolution, but if an attacker can target the DNS server on a private network, it is possible to seriously disrupt the operation of that network

Question 7

DNS Security Extensions (DNSSEC)

Answer 7

• help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses
• with DNSSEC enabled, the authoritative server for the zone creates a “package” of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature.

Question 8

cybersquatting

Answer 8

• an attack where an adversary acquires a domain for a company’s trading name or trademark, or perhaps some spelling variation thereof
• domain name must be re-registered every year
• following attacks all exploit the domain name registration process in some way:
• Domain hijacking—an adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker’s choosing. This might be accomplished by supplying false credentials to the domain registrar when applying for a new domain name or re-registering an existing one
• Typosquatting—misspelled domains can be profitable depending on the frequency that users enter the misspelled name (for example, visiting amazoon.com or amazun.com). This is also referred to as URL hijacking
• Kiting—a domain name can be registered for up to five days without paying for it. Kiting means that the name is continually registered, deleted, then re-registered
• Tasting—this is the registration of a domain to test how much traffic it generates within the five-day grace period; if the domain is not profitable, the registration is never completed

Question 9

Simple Network Management Protocol (SNMP)

Answer 9

• widely used framework for management and monitoring
• consists of an SNMP monitor and agents:

• The agent is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device.

• This agent maintains a database called a Management Information Base (MIB) that holds statistics relating to the activity of the device (for example, the number of frames per second handled by a switch). The agent is also capable of initiating a trap operation where it informs the management system of a notable event (port failure, for instance). The threshold for triggering traps can be set for each value. Device queries take place over port 161 (UDP); traps are communicated over port 162 (also UDP).

• The SNMP monitor (a software program) provides a location from which network activity can be overseen

Question 10

Network Time Protocol (NTP)

Answer 10

• provides a transport over which to synchronize these time dependent applications. NTP works over UDP on port 123
• Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC) from a highly accurate clock source, such as an atomic clock
• Lower tier servers then obtain the UTC from multiple stratum 1 servers and sample the results to obtain an authoritative time
• most organizations will use one of these stratum 2 servers to obtain the time for use on the LAN

Question 11

remote access

Answer 11

• means that the user’s device does not make a direct cabled or wireless connection to the network. The connection occurs over or through an intermediate network, usually a public Wide Area Network
• historically, remote access might have used analog modems connecting over the telephone system or possibly a private link (a leased line). These days, most remote access is implemented as a Virtual Private Network (VPN), running over the Internet

Question 12

tunneling

Answer 12

technology used when the source and destination computers are on the same logical network but connected via different physical networks

Question 13

VPN concentrator

Answer 13

clients connect to a VPN gateway (a VPN-enabled router, or sometimes called a VPN concentrator) on the local network. This is the “telecommuter” model, allowing home-workers and employees working in the field to connect to the corporate network. The VPN clients will connect over the Internet

Question 14

site-to-site VPN

Answer 14

connects two or more local networks, each of which runs a VPN gateway (or router/VPN concentrator). Where remote access VPN connections are typically initiated by the client, a site-to-site VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.

Question 15

Point-to-Point Tunneling Protocol (PPTP)

Answer 15

legacy protocols such as the Point-to-Point Tunneling Protocol (PPTP) have been deprecated because they do not offer adequate security

Question 16

TLS VPN (still more commonly referred to as an SSL VPN)

Answer 16

• requires a remote access server listening on port 443 (or any arbitrary port number)
• client makes a connection to the server using TLS so that the server is authenticated to the client (and optionally the client’s certificate must be authenticated by the server)
• creates an encrypted tunnel for the user to submit authentication credentials, which would normally be processed by a RADIUS server. Once the user is authenticated and the connection fully established, the RAS server tunnels all communications for the local network over the secure socket

Question 17

OpenVPN

Answer 17

open source example of a TLS VPN

Question 18

Internet Protocol Security (IPSec)

Answer 18

• set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet
• connection security protocol such as Transport Layer Security is designed to protect application data
• unlike SSL/TLS, IPSec operates at the network layer (layer 3) of the OSI model, so the protocol is not application dependent. IPSec can provide both confidentiality (by encrypting data packets) and integrity/anti-replay (by signing each packet)
• can be used in two modes:
• Transport mode—the IP header for each packet is not encrypted, just the data (or payload). This mode would be used to secure communications on a private network (an end-to-end implementation)

• Tunnel mode—the whole IP packet (header and payload) is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). This is also referred to as a router implementation

Question 19

Authentication Header (AH) protocol

Answer 19

• performs a cryptographic hash on the packet plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV)
• recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality and is consequently not often used
• AH and ESP both depend on the idea of a shared secret; that is, a key known only to the two hosts that want to communicate

Question 20

encapsulation security payload (ESP)

Answer 20

• provides confidentiality and authentication by encrypting the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet (a header, a trailer [providing padding for the cryptographic function], and an Integrity Check Value)
• AH and ESP both depend on the idea of a shared secret; that is, a key known only to the two hosts that want to communicate

Question 21

Internet Key Exchange (IKE) protocol

Answer 21

• part of the IPSec protocol suite that handles authentication and key exchange, referred to as Security Associations (SA)
• also referred to as Internet Security Association and Key Management Protocol (ISAKMP)
• IKE negotiations use UDP port 500
• negotiations take place over two phases:
  • Phase I establishes the identity of the two hosts and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Phase 1 is usually initiated in Main Mode, which involves six messages (two to propose an IKE SA, two to agree on DH keys, and then two to exchange identifiers securely). The alternative is Aggressive Mode, which packs the information in these six messages into three messages. This is quicker but means that identifiers are exchanged in the clear. This may allow a snooper to perform a dictionary or brute-force password-guessing attack on the authentication information.
• Diffie-Hellman key agreement establishes the shared secret used to sign the packets for message integrity. Diffie-Hellman does not authenticate the endpoints, however. Two methods of authenticating hosts are commonly used:
• PKI—the hosts use certificates issued by a mutually trusted Certificate Authority to identify one another. This is the most secure mechanism but requires PKI architecture.
• Pre-shared Key (Group Authentication)—the same passphrase is configured on both hosts. A Pre-Shared Key (PSK) is also referred to as group authentication, as a single password or passphrase is shared between all hosts. Obviously, this is not very secure, as it is difficult to keep the pre-shared key a secret known only to valid hosts. It can also be difficult to change the key.
• Phase II uses the secure channel created in Phase 1 to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session

Question 22

Layer 2 Tunneling Protocol (L2TP) VPN

Answer 22

for remote access VPNs, a combination of IPSec with the Layer 2 Tunneling Protocol (L2TP) VPN protocol is most often used. With L2TP/IPSec, the client and server machines can authenticate using digital certificates or a pre-shared key. The user can then authenticate to the remote access server using whatever method is supported (MS-CHAP or EAP, for instance). L2TP uses UDP port 1701 for data and connection control

Question 23

IKEv2

Answer 23

• drawbacks of the original version of IKE were addressed by an updated protocol. IKE v2 has some additional features that have made the protocol popular for use as a standalone remote access VPN solution. The main changes are:
• Support for EAP authentication methods, allowing, for example, user authentication against a RADIUS server.
• Simplified connection set up—IKE v2 specifies a single 4-message setup mode, reducing bandwidth without compromising security.
• Reliability—IKE v2 allows NAT traversal and MOBIKE multihoming. Multihoming means that a client such as a smartphone with multiple interfaces (such as Wi-Fi and cellular) can keep the IPSec connection alive when switching between them.

Question 24

Network Access Server (NAS) or Remote Access Server (RAS)

Answer 24

all the major NOS are bundled with software supporting VPNs. A server configured in this role is usually called a Network Access Server (NAS) or Remote Access Server (RAS). Where the functionality is part of a router or dedicated security appliance, it may be called a VPN concentrator. In either case, the server would be placed on the network edge, protected by a firewall configuration in a Demilitarized Zone (DMZ)

Question 25

always-on VPN

Answer 25

means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate

Question 26

split tunnel

Answer 26

- when a client connected to a VPN uses the Internet, this is one of two ways to manage the connection - the client accesses the Internet directly using its "native" IP configuration and DNS servers

Question 27

full tunnel

Answer 27

- when a client connected to a VPN uses the Internet, this is one of two ways to manage the connection - Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy

Question 28

VPN client security

Answer 28

- Remote access is a serious network security problem, mainly because control of the client computer often falls outside the reach of security mechanisms set up to protect the network. The integrity of the client computer presents many issues: * Malware protection—the computer may not be accessible to network systems used to update and enforce malware protection. This may have to be left to the end-user. If a worm or Trojan is installed, network security may be compromised. This is especially true as using a VPN connection will make traffic between the client and network invisible to many network firewalls. * Security information—authentication information may be stored on the client (saving a password, for instance), making the network vulnerable if the computer is stolen. * Data transfer—files copied to the client may no longer be properly secured, raising the potential that confidential information could be stolen along with the device. * Local privileges—the user of a remote computer configured with administrative privileges might have no understanding of how such privileges can be exploited or misused. He or she might install unauthorized software on the machine or make it more vulnerable to malware by browsing the web using his or her administrative account. * Weak authentication—relying on a username and password combination is simply not secure enough in a remote access scenario. Two-factor authentication using smart cards or biometric recognition in addition to a PIN or password should be enforced. If this is not an option, a strong password policy must be enforced and users made aware of the very real risks of writing down or sharing their password.

Question 29

configure secure remote access protocols

Answer 29

* Implement VPN technology to support access to your networks by remote clients over the Internet and secure communications between sites across public networks. * Select a VPN protocol that gives the most effective security while also being supported by your servers and client devices. * Install the VPN concentrator to the network edge using a secure firewall configuration to prevent compromise. * Develop a remote access policy to ensure only authorized users can connect and ensure that the network is not compromised by remote clients with weak security configurations.

Question 30

Telnet

Answer 30

- terminal emulation software to support a remote connection to another host. It does not support file transfer directly, but when you connect, your computer acts as if your keyboard is attached to the remote host and you can use the same commands as a local user. In order to support Telnet access, the remote host must run a service known as the Telnet Daemon. Telnet uses TCP port 23 by default - not secure

Question 31

Secure Shell (SSH)

Answer 31

- principal means of obtaining secure remote access to a UNIX® or Linux® server - main uses of SSH are for remote administration and secure file transfer (SFTP) - SSH servers are identified by a public/private key pair (the host key)

Question 32

Network Level Authentication (NLA)

Answer 32

requires the client to authenticate before a full remote session is started. An RDP server that does not enforce NLA can be subject to DoS attacks, as the server uses resources to prepare for each requested session. It also sends information about the server to an attacker (such as the computer and domain names) regardless of whether they have valid authentication credentials

Question 33

RDP Restricted Admin (RDPRA) mode/Remote Credential Guard

Answer 33

making an RDP connection to a compromised workstation means an adversary could obtain the password hash for the account used to connect and then use it in a Pass-the-Hash (PtH) or ticket-forging attack. RDPRA was unsuccessful in mitigating this (it was itself vulnerable to PtH). Remote Credential Guard means that any access requests are processed by the RDP client machine, not on the server