Lesson 13: Implementing Secure Network Applications

Question 1

HyperText Transfer Protocol (HTTP)

Answer 1

• foundation of web technology is the HyperText Transfer Protocol (HTTP)
• HTTP enables clients (typically web browsers) to request resources from an HTTP server
• client connects to the HTTP server using an appropriate TCP port (the default is port 80) and submits a request for a resource, using a uniform resource locator (URL)
• server acknowledges the request and responds with the data (or an error message)

Question 2

HTTP header

Answer 2

response and request formats are defined in an HTTP header

Question 3

HTTP payload

Answer 3

usually used to serve HTML web pages, which are plain text files with coded tags (HyperText Markup Language) describing how the page should be formatted

Question 4

HTTP (POST)

Answer 4

features a forms mechanism (POST) whereby a user can submit data from the client to the server. HTTP is a stateless protocol; this means that the server preserves no information about the client during a session

Question 5

web servers

Answer 5

• Most web servers must allow access to guests (that is, unauthenticated users)
• When a web server is leased, a secure means of uploading files and configuration changes needs to be used (SSH, for example)
• When a web server is connected to a private network, the location of the server should be carefully considered so as not to expose the private network to attack from the public one through the web server
• Use separate accounts to administer servers in the DMZ, and ensure that the accounts do not share credentials with any other accounts on the LAN
• Web servers are typically installed with sample pages (and even scripts) along with help documentation. These samples sometimes contain vulnerabilities and should be removed from a production server
• Logging provides valuable information regarding the use of the website, alerts of any unusual or suspicious behavior, and audit changes made to pages and settings

Question 6

Secure Sockets Layer (SSL)

Answer 6

developed by Netscape in the 1990s to address the problems with the lack of security in HTTP. SSL proved very popular with the industry

Question 7

Transport Layer Security (TLS)

Answer 7

developed from SSL and ratified as a standard by IETF. SSL/TLS works as a layer between the application and transport layers of the TCP/IP stack. It is usually used to encrypt TCP connections. It is typically used with the HTTP application (referred to as HTTPS or HTTP Over SSL or HTTP Secure) but can also be used to secure other TCP application protocols, such as Telnet, FTP, NNTP, SMTP, or LDAP

Question 8

HTTPS

Answer 8

to implement HTTPS, a server is assigned a digital certificate signed by some trusted certificate authority (CA). The certificate proves the identity of the server (assuming that the client trusts the Certificate Authority). The server uses the digital certificate and the SSL/TLS protocol to encrypt communications between it and the client. This means that the communications cannot be read or changed by a third party

Question 9

SSL/TLS Handshake sub-protocol

Answer 9

1. The client makes a connection request (CLIENT_HELLO) listing the highest protocol version, cipher suites, and compression algorithm(s) supported
2. The server responds with SERVER_HELLO, selecting the highest protocol version and strongest cipher suite supported by both, and its own randomly generated number (ServerRandom), along with any session information
3. If client and server support compatible versions and ciphers, the server sends its X.509 certificate to the client (CERTIFICATE command) followed by the SERVER_DONE command
4. The client checks the server’s certificate and if verified, responds with CERTIFICATE_VERIFY. It then performs key exchange or key agreement to select the secret session key for use with the confidentiality cipher, such as AES. This process can be completed using either RSA or Diffie-Hellman. If using RSA, the client generates a pre-master secret, encrypts it using the server’s public key, and sends it to the server
5. The server and client then follow the same steps to derive a shared master secret from the pre-master secret and the ClientRandom and ServerRandom values
6. Client and server then exchange the CHANGE_CIPHER_SPEC command, to indicate that subsequent communications will be encrypted, and the FINISHED command, which contains a digest of the command exchange that is used to verify that the handshake process has not been tampered with
7. Once the session is established, client and server exchange encrypted data in SSL/TLS records, which are placed into transport layer packets for delivery

Question 10

asymmetric ciphers (key exchange and authentication)

Answer 10

RSA, DSA/DSS, and Diffie-Hellmann

Question 11

symmetric ciphers (confidentiality)

Answer 11

RC4, RC2, DES, 3DES, IDEA, AES

Question 12

Hashed Message Authentication Code (HMAC) function

Answer 12

MD5 or SHA

Question 13

SSL

Answer 13

• still widely used compared to TLS

- not interoperable like TLS

Question 14

Transport Layer Security

Answer 14

• only ones that are safe to use compared to SSL

- not interoperable like SSL

Question 15

SSL/TLS accelerator

Answer 15

hardware device with a specialist chipset—Application Specific Integrated Circuit (ASIC)—dedicated to performing these calculations

Question 16

SSL decryptor, inspector, or interceptor

Answer 16

• type of proxy used to examine encrypted traffic before it enters or leaves the network
• ensures that traffic complies with data policies and that encryption is not being misused, either as a data exfiltration mechanism or to operate a Command & Control (C2) Remote Access Trojan
• SSL decryptor would be positioned at the network edge and implemented as a transparent bridge
• drawback is that the decryptor appliance will be a single point of failure, unless a load balancing and failover system is implemented. Some typical functions of SSL decryptors include:
• Block connections that use weak cipher suites or implementations.
• Block connections that cannot be inspected (for instance, they do not use a standard enterprise certificate).
• Do not inspect authorized traffic that is subject to privacy or compliance regulations.
• Integrate with IDS, DLP, and SIEM to apply security policies and provide effective monitoring and reporting.

Question 17

subscription services

Answer 17

• Market and financial intelligence and information.
• Security threat intelligence and information.
• Reference and training materials in various formats (ebook and video, for instance).
• Software applications and cloud services paid for by subscription rather than permanent licenses.

Question 18

File Transfer Protocol (FTP)

Answer 18

• typically configured with several public directories, hosting files, and user accounts. Each user account can be configured with different permissions over files and directories
• most HTTP servers also function as FTP servers, and FTP services, accounts, and directories may be installed and enabled by default when you install a web server. FTP is more efficient compared to file attachments or HTTP file transfer, but has no security mechanisms. All authentication and data transfer are communicated as plain text, meaning that credentials can easily be picked out of any intercepted FTP traffic

Question 19

Trivial File Transfer Protocol (TFTP)

Answer 19

• connectionless protocol (utilizing UDP port 69) that also provides file transfer services
• does not provide the guaranteed delivery offered by FTP and is therefore only suitable for transferring small files. Also, it only supports reading (GET) and writing (PUT) files, not directory browsing, file deletion, or any of the other features of FTP. An example of the usage for TFTP might be a switch or router automatically downloading configuration files

Question 20

SSH FTP (SFTP)

Answer 20

addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. In SFTP, a secure link is created between the client and server using Secure Shell (SSH) over TCP port 22. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or Man-in-the-Middle attacks. This solution requires an SSH server that supports SFTP and SFTP client software

Question 21

two means of securing FTP is to use the connection security protocol SSL/TLS:

Answer 21

• another means of securing FTP is to use the connection security protocol SSL/TLS. As with SMTP, there are two means of doing this:
• Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).
• Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection.

Question 22

Simple Mail Transfer Protocol (SMTP)

Answer 22

specifies how mail is delivered from one system to another. It is a relatively straightforward protocol that makes the connection from the sender’s server to that of the recipient and then transfers the message. The SMTP server of the sender discovers the IP address of the recipient SMTP server using the domain name part of the email address. The SMTP server for the domain is registered in DNS using a Mail Exchanger (MX) record

Question 23

SMTP configurations use the following ports and secure services

Answer 23

• Port 25—used for message relay (between SMTP servers or Message Transfer Agents [MTA]). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.
• Port 587—used by mail clients (Message Submission Agents [MSA]) to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use STARTTLS and require authentication before message submission.
• Port 465—some providers and mail clients use this port for message submission over implicit TLS (SMTPS), though this usage is now deprecated by standards documentation.

Question 24

Post Office Protocol v3 (POP3)

Answer 24

• mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient’s email client at his or her convenience
• POP3 client application, such as Microsoft Outlook® or Mozilla Thunderbird®, establishes a TCP connection to the POP3 server over port 110. The user is authenticated (by username and password) and the contents of his or her mailbox are downloaded for processing on the local PC. POP3S is the secured version of the protocol, operating over TCP port 995 by default

Question 25

Internet Message Access Protocol v4 (IMAP4)

Answer 25

IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage the mailbox on the server (to organize messages in folders and control when they are deleted, for instance) and to create multiple mailboxes. Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve messages from the designated folders. As with other email protocols, the connection can be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993

Question 26

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Answer 26

to use S/MIME, the user is issued a digital certificate containing his or her public key, signed by a CA to establish its validity. The public key is a pair with a private key kept secret by the user

Question 27

OIDs must be specified in each certificate

Answer 27

* Signing—digital signature or non-repudiation OID. * Encryption—key agreement or data encipherment OID. - Not all email clients support the use of dual key pairs.

Question 28

Spam

Answer 28

unsolicited email

Question 29

block legitimate traffic (false positives) examples

Answer 29

* Whitelist—if an organization only deals with a limited number of correspondents, they can set up a whitelist of permitted domains or use some sort of authentication between the mail servers. * SMTP standards checking—rejecting email that is not strictly RFC-compliant can block some spam, but may also block legitimate traffic. * rDNS (reverse DNS lookup)—rejecting mail from servers where the IP address does not match the domain in the message header or is a dynamically assigned address. * Tarpitting—introducing a delayed response to the SMTP session. This makes the spammer's server less efficient; in many cases, the spamming software will simply give up. * Recipient filtering—blocking mail that is not addressed to a valid recipient email address.

Question 30

mail gateway could provide other services

Answer 30

* Data Loss Prevention (DLP)—the relay can act as an enforcer for any DLP policies, scanning messages to ensure that no data is being communicated in a way that is not compliant with policy. * Encryption—a relay can handle message encryption and decryption for all messages leaving and arriving at the company. This is an alternative to relying on individual users to set up mail security on their clients. External recipients can configure an account to authenticate with the gateway to allow them to decrypt messages sent to them and submit messages to the company securely.

Question 31

Voice over IP (VoIP), web conferencing, and Video Teleconferencing (VTC) solutions

Answer 31

- become the standard method for the provision of business communication over the last decade as the network technologies that support them have become faster, more reliable, and cheaper. The main challenges that these applications have in common is that they transfer real-time data and must create point-to-point links between hosts on different networks. Real-time services are those that require real-time playback. This type of data can be one-way, as is the case with video streams, such as Internet TV (IPTV), or two-way, as is the case with VoIP and VTC - protocols designed to support real-time services cover one or more of the following functions: * Session control—used to establish, manage, and disestablish communications sessions. They handle tasks such as user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination. * Data transport—handles the delivery of the actual video or voice information. * Quality of Service (QoS)—provides information about the connection to a QoS system, which in turn ensures that voice or video communications are free from problems such as dropped packets, delay, or jitter.

Question 32

Session Initiation Protocol (SIP)

Answer 32

- one of the most widely used session control protocols - SIP endpoints are the end-user devices (also known as User Agents), such as IP-enabled handsets or client and server web conference software. Each device, conference, or telephony user is assigned a unique SIP address known as a SIP Uniform Resource Indicator (URI) - SIP endpoints can establish communications directly in a peer-to-peer architecture, but it is more typical to use intermediary servers and directory servers - SIP network may also use gateways to provide an interface between the VoIP network and external voice networks, such as the ordinary Public Switched Telephone Network (PSTN). SIP typically runs over TCP port 5060 - Examples of SIP URIs include: * sip:bob.dobbs@comptia.org * sip:2622136227@comptia.org * sip:bob.dobbs@2622136227 * meet:sip:organizer@comptia.org;ms-app=conf;ms-conf-id=subg42

Question 33

Real-time Transport Protocol (RTP)

Answer 33

- RTP works in conjunction with the RTP Control Protocol (RTCP) - Each RTP stream uses a corresponding RTCP session to monitor the quality of the connection and to provide reports to the endpoints - These reports can then be used by the applications to modify codec parameters or by the network stacks to tune QoS parameters - RTP and RTCP use a sequential pair of UDP ports, with RTP using an even numbered port and the corresponding RTCP session using the next higher odd numbered port. - UDP ports 5004 (RTP) and 5005 (RTCP) are reserved for this purpose, although in practice RTP typically uses an even-numbered ephemeral UDP port, with RTCP again using the next higher port number

Question 34

Unified Communications (UC) solutions

Answer 34

- messaging applications that combine multiple communications channels and technologies into a single platform - communications channels can include VoIP, VTC, Instant Messaging (IM), text messaging (SMS), interactive whiteboards, data sharing, email, and social media networks, such as Twitter, LinkedIn®, and Facebook - applications allow users to establish connections with one another using any available channels, and to modify the communication method as required

Question 35

media gateway

Answer 35

- handles the job of interfacing between these different communications platforms and protocols - media gateway can be provisioned as a dedicated appliance or as software running on a server. Like email and web servers, media gateway servers must connect to untrusted networks - they should be positioned in a DMZ and configured with least privilege access controls

Question 36

virtualization

Answer 36

- multiple operating systems can be installed and run simultaneously on a single computer - virtual platform requires at least three components: * Computer(s)—the platform that will host the virtual environment. Optionally, there may be multiple computers networked together. * Hypervisor (or Virtual Machine Monitor [VMM])—manages the virtual machine environment and facilitates interaction with the computer hardware and network. * Guest operating systems (or Virtual Machines [VM])—operating systems installed under the virtual environment.

Question 37

guest OS (or host-based) system

Answer 37

hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system

Question 38

bare metal virtual platform

Answer 38

- hypervisor (Type I hypervisor) is installed directly onto the computer and manages access to the host hardware without going through a host OS

Question 39

Virtual Desktop Infrastructure (VDI)

Answer 39

- refers to using a VM as a means of provisioning corporate desktops - in a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers - when the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure - thin client computer must only be powerful enough to display the screen image, play audio, and transfer mouse, key commands and video, and audio information over the network

Question 40

Virtual Desktop Environment (VDE)

Answer 40

workspace is performed by the server

Question 41

application virtualization

Answer 41

- more limited type of VDI - rather than run the whole client desktop as a virtual platform, the client either accesses an application hosted on a server or streams the application from the server to the client for local processing. Most application virtualization solutions are based on Citrix XenApp (formerly MetaFrame/Presentation Server), though Microsoft has developed an App-V product with its Windows Server range and VMware has the ThinApp product.

Question 42

application cell/container virtualization

Answer 42

- dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level - OS defines isolated "cells" for each user instance to run in - each cell or container is allocated CPU and memory resources, but the processes all run through the native OS kernel - these containers may run slightly different OS distributions but cannot run guest OSes of different types (you could not run Windows or Ubuntu® in a RedHat® Linux® container, for instance) - alternatively, the containers might run separate application processes, in which case the variables and libraries required by the application process are added to the container - best-known container virtualization products is Docker - containerization is also being widely used to implement corporate workspaces on mobile devices

Question 43

VM escaping

Answer 43

- refers to malware running on a guest OS jumping to another guest or to the host - malware must identify that it is running in a virtual environment, which is usually simple to do - one means of doing so is through a timing attack - classic timing attack is to send multiple usernames to an authentication server and measure the server response times - one serious implication of VM escaping is where virtualization is used for hosted applications

Question 44

system sprawl and deployment of undocumented assets

Answer 44

root of security issues

Question 45

virtual machine lifecycle management (VMLM) software

Answer 45

- software can be deployed to enforce VM sprawl avoidance - provide you with a centralized dashboard for maintaining and monitoring all the virtual environments in your organization

Question 46

cloud computing

Answer 46

- service that provides on-demand resources—server instances, data storage, databases, or applications—over a network, typically the Internet - service is a "cloud" because the end user is not aware of or responsible for any details of the procurement, implementation, or management of the infrastructure that underpins those resources. The end user is only interested and pays for the services provided by the cloud - cloud provides rapid elasticity--means that the cloud can scale quickly to meet peak demand - example: - company may operate a single web server instance for most of the year but provision additional instances for busy periods of the year - on-demand implies that the customer can initiate service requests and that the cloud provider can respond to them immediately - pay-per-use implies a measured service, so that the customer is paying for the CPU, memory, disk, and network bandwidth resources they are actually consuming rather than paying a monthly fee for a particular service level

Question 47

resource pooling

Answer 47

means that the hardware making up the cloud provider's data center is not dedicated or reserved to a particular customer account

Question 48

virtualization

Answer 48

layers of virtualization used in the cloud architecture allow the provider to provision more CPU, memory, disk, or network resource using management software, rather than (for instance) having to go to the data center floor, unplug a server, add a memory module, and reboot

Question 49

cloud deployment models

Answer 49

* Public (or multi-tenant)—hosted by a third party and shared with other subscribers. This is what many people understand by "cloud computing." As a shared resource, there are risks regarding performance and security. * Hosted Private—hosted by a third party for the exclusive use of the organization. This is more secure and can guarantee a better level of performance but is correspondingly more expensive. * Private—cloud infrastructure that is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it. With private cloud computing, organizations can exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations. This type of cloud could be on-premise or offsite relative to the other business units. An onsite link can obviously deliver better performance and is less likely to be subject to outages (loss of an Internet link, for instance). On the other hand, a dedicated offsite facility may provide better shared access for multiple users in different locations. • Community—this is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.

Question 50

Something as a Service (*aaS)

Answer 50

as well as the ownership model (public, private, hybrid, or community), cloud services are often differentiated on the level of complexity and pre-configuration provided. These models are referred to as Something as a Service (*aaS), where the something can refer to infrastructure, platform, or software

Question 51

Infrastructure as a Service (IaaS)

Answer 51

means of provisioning IT resources such as servers, load balancers, and Storage Area Network (SAN) components quickly

Question 52

Software as a Service (SaaS)

Answer 52

different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement (on-demand)

Question 53

Platform as a Service (PaaS)

Answer 53

provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top

Question 54

cloud storage

Answer 54

- particular type of Software as a Service where the vendor provides reliable data storage and backup - many cloud storage solutions are combined with content management tools with document permission, version history, and collaborative editing features

Question 55

support tiers

Answer 55

* Consultants—the experience and perspective of an outsider can be hugely useful in improving security awareness and capabilities in any type of organization (small to large) * Managed Security Services Provider (MSSP)—a means of fully outsourcing responsibility for information assurance to a third party. This type of solution is expensive but can be a good fit for an SME that has experienced rapid growth and has no in-house security capability * Security as a Service (SECaaS)—can mean lots of different things, but is typically distinguished from an MSSP as being a means of implementing a particular security control, such as virus scanning or SIEM-like functionality, in the "cloud."

Question 56

cloud access security broker (CASB)

Answer 56

- enterprise management software designed to mediate access to cloud services by users across all types of devices - some of the functions of a CASB are: * Enable single-sign on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider. * Scan for malware and rogue or non-compliant device access. * Monitor and audit user and resource activity. * Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.

Question 57

interface between the CASB software, the cloud service, and users/devices can be created in several ways

Answer 57

* Proxy—each client must be configured to contact the cloud service via a CASB proxy. The problems with this approach are that not all cloud applications have proxy support and users may be able to evade the proxy and connect directly. * API—the CASB software uses the cloud provider's Application Programming Interface (API). This depends on the API supporting the range of functions that the CASB and access and authorization policies demand.

Question 58

secure virtualized and cloud-based resources

Answer 58

* Consider using virtualization in your organization for easier management and efficiency of resources. * Recognize the differences between the virtualization types and identify which are more suitable to your needs. * Ensure that VM software as well as host and guest operating systems are patched regularly. * Enforce the principle of least privilege for access to VMs. * Ensure VMs are logging critical events. * Configure virtual networking devices to support isolated communications wherever necessary. * Take snapshots of optimal VM states. * Incorporate VM lifecycle management solutions. * Familiarize yourself with the different cloud deployment models and service types. * Consider taking advantage of SECaaS to offload some security operations to a third-party provider.