Kindle Notes & Highlights
Read between January 9 - January 13, 2020
Internet Protocol security (IPsec) is used to encrypt IP traffic. It is native to IPv6 but also works with IPv4. IPsec encapsulates and encrypts IP packet payloads and uses Tunnel mode to protect virtual private network (VPN) traffic.
Secure Shell (SSH) encrypts traffic over TCP port 22. Transport Layer Security (TLS) is a replacement for SSL and is used to encrypt many different protocols. Secure FTP (SFTP) uses SSH to encrypt traffic. FTP Secure uses TLS to encrypt traffic.
SSL has been compromised and is not recommended for use.
Many of these protocols support the use of STARTTLS. Instead of using one port to transmit data in cleartext and a second port to transmit data in ciphertext, the STARTTLS command allows the protocol to use the same port for both.
SMTP sends email on TCP port 25, POP3 receives email on port 110, and IMAP4 uses port 143. STARTTLS allows an encrypted version of the protocol to use the same port as the unencrypted version. HTTP and HTTPS use ports 80 and 443 and transmit data over the Internet in unencrypted and encrypted formats, respectively.
Network operating systems commonly use a directory service to streamline management and implement security.
Administrators then use various methods within the directory service to enforce identification, authentication, and authorization methods.
Many Linux administrators use Netcat when connecting to remote systems for administration, and secure the Netcat transmissions with SSH.
Administrators and clients often use Remote Desktop Protocol (RDP) to connect to other systems from remote locations.
Administrators connect to servers remotely using protocols such as Secure Shell (SSH) and the Remote Desktop Protocol (RDP). In some cases, administrators use virtual private networks to connect to remote systems.
NTP is the most commonly used protocol for time synchronization, allowing systems to synchronize their time to within tens of milliseconds.
Private networks should only have private IP addresses. These are formally defined in RFC 1918.
Instead of private IP addresses, IPv6 uses unique local addresses.
DNS resolves host names to IP addresses.
DNS uses UDP port 53 for these types of queries.
When the DNS server queries other DNS servers, it puts the answer in its cache so that it doesn’t have to do the same query again. Similarly, when clients receive answers from DNS servers, they store the answer in their cache so that they don’t have to repeat the query.
When successful, attackers modify the DNS cache with a bogus IP address. For example, imagine an attacker wants to send users to a malicious web site each time they want to go to msn.com. One way is to modify the A or AAAA record in the DNS cache for msn.com. Instead of sending users to the IP address used by msn.com, it will send users to the IP address of the malicious web site. One of the primary methods of preventing DNS cache poisoning is with Domain Name System Security Extensions (DNSSEC). DNSSEC is a suite of extensions to DNS that provides validation for DNS responses. It adds a
DNS zones include records such as A records for IPv4 addresses and AAAA records for IPv6 addresses. DNS uses TCP port 53 for zone transfers and UDP port 53 for DNS client queries. Most Internet-based DNS servers run BIND software on Unix or Linux servers, and it’s common to configure DNS servers to only use secure zone transfers. DNSSEC helps prevent DNS poisoning attacks. Nslookup and dig are two command-line tools used to test DNS. Microsoft systems include nslookup; Linux systems include dig.
Technicians use the nslookup command (short for name server lookup) to troubleshoot problems related to DNS.
Some versions of both commands support the @ symbol to identify a specific DNS server you want to query. This is useful if you want to pull all the records from a DNS zone. When doing this, you would use the any switch (indicating all records) or the axfr switch (short for all transfer). However, most DNS servers
Additionally, administrators disable unnecessary ports and services as part of a basic security practice.
Although ports are second nature to router and firewall administrators, they might not be so familiar to you. If you don’t work with the ports often, you’ll need to spend some extra time studying to ensure you’re ready for the exam.
When you use your web browser to request a page from a site, your system will record an unused client port number such as 49,152 in an internal table to handle the return traffic. When the web server returns the web page, it includes the client port as a destination port. When the client receives web page packets with a destination port of 49,152, it sends these packets to the web browser application. The browser processes the packets and displays the page.
Ports and protocol numbers are not the same thing, though they are often confused. Well-known ports identify many services or protocols, as discussed previously. However, many protocols aren’t identified by the port, but instead by the protocol numbers. For example, within IPsec, protocol number 50 indicates the packet is an Encapsulating Security Payload (ESP) packet, and protocol number 51 indicates it’s an Authentication Header (AH) packet. Similarly, ICMP has a protocol number of 1, TCP is 6, and UDP is 17. You can use a protocol number to block or allow traffic on routers and firewalls
Firewalls automatically determine the client ports used for return traffic, and if they allow the outgoing traffic, they allow the return traffic.
Note that the client firewall doesn’t need to allow incoming traffic on port 80 for this to work. The web client isn’t hosting a web server with HTTP, so the client firewall would block incoming traffic on port 80. However, the firewall that is filtering traffic to the web server needs to allow incoming traffic on port 80. You can apply this same principle for any protocol and port. For example, if you want to allow SMTP traffic, you create a rule on the firewall to allow traffic on port 25. IT professionals modifying access control lists (ACLs) on routers and firewalls commonly refer to this
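The client-port bookkeeping described in the two highlights above, as an added Python example that is not from the book: a minimal stateful host firewall records each outbound connection and admits only the matching reply, so nothing has to be opened on the client's own port 80. The addresses and the ephemeral port 49152 are constructed test values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool  # True when the packet leaves the protected client


class StatefulClientFirewall:
    """Host firewall for a client that hosts no services. Outbound
    connections are recorded; inbound packets are allowed only when they
    reverse a recorded connection; everything else is implicitly denied."""

    def __init__(self) -> None:
        # (local_ip, local_port, remote_ip, remote_port) per open connection
        self.connections: set = set()

    def check(self, pkt: Packet) -> str:
        if pkt.outbound:
            # Remember the ephemeral client port so the reply can be matched
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: the reply must come from the server and port the client
        # contacted, addressed back to the client port it chose
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.connections else "deny"


def demo() -> list:
    """Constructed traffic: client 10.0.0.5 browsing to web server 203.0.113.10."""
    fw = StatefulClientFirewall()
    traffic = [
        # client picks port 49152 and requests a page on the server's port 80
        Packet("10.0.0.5", 49152, "203.0.113.10", 80, outbound=True),
        # the web server's reply carries 49152 as its destination port
        Packet("203.0.113.10", 80, "10.0.0.5", 49152, outbound=False),
        # unsolicited connection to port 80 on the client: no web server here
        Packet("198.51.100.7", 51000, "10.0.0.5", 80, outbound=False),
        # aimed at the open client port, but from a host the client never contacted
        Packet("198.51.100.7", 80, "10.0.0.5", 49152, outbound=False),
    ]
    return [fw.check(p) for p in traffic]
# demo() -> ["allow", "allow", "deny", "deny"]
```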
Most other hosts will see the packet, but because it isn’t addressed to them, they will not process it.
Switches pass broadcast traffic between their ports, but routers do not pass broadcast traffic.
Switches will internally switch unicast traffic. However, they pass broadcast traffic to all ports.
the protocol analyzer would not capture unicast traffic going through the switch to other ports.
This is the main security reason why organizations replace hubs with switches. The switch reduces the risk of an attacker capturing data with a protocol analyzer. Of course, switches also increase the efficiency of a network.
Remember this: Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.
Unlike the normal ports that only see traffic specifically addressed to the port, the monitoring port will see all traffic in or out of the switch.
Loop protection such as STP or RSTP is necessary to protect against switching loop problems, such as those caused when two ports
In a MAC flood attack, an attacker sends a large amount of traffic with spoofed MAC addresses to the same port.
Routers and stateless firewalls (or packet-filtering firewalls) perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list. Antispoofing
block traffic using A...
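An added Python example, not from the book, that ties the earlier protocol-number highlight to the ACL highlight above: it reads the protocol field from constructed IPv4 headers, extracts ports only where TCP or UDP carries them, and evaluates an ordered rule list whose last, unwritten rule is implicit deny. The addresses, rule set and payload bytes are made-up test data.

```python
import struct

# IANA protocol numbers named in the highlight
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def build_ipv4(proto: int, payload: bytes, src=(10, 0, 0, 5), dst=(192, 0, 2, 10)) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes(src), bytes(dst))
    return header + payload

def parse_ipv4(packet: bytes) -> dict:
    """Return the protocol number and, for TCP/UDP only, the port pair."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, proto = packet[0], packet[9]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    info = {"proto": proto, "name": PROTOCOL_NAMES.get(proto, "other"),
            "src_port": None, "dst_port": None}
    # Ports live in the TCP/UDP header only; ESP, AH and ICMP carry none
    if proto in (6, 17) and len(packet) >= ihl + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info

def acl_decision(packet: bytes, rules: list) -> str:
    """Evaluate an ordered ACL. Each rule is (proto, dst_port or None, action);
    the first match wins and the trailing implicit deny catches the rest."""
    info = parse_ipv4(packet)
    for proto, dst_port, action in rules:
        if proto == info["proto"] and (dst_port is None or dst_port == info["dst_port"]):
            return action
    return "deny"  # implicit deny: nothing explicitly permitted

# Hypothetical firewall in front of a mail server that also terminates IPsec
RULES = [
    (6, 25, "allow"),     # SMTP, matched by TCP port
    (50, None, "allow"),  # ESP, matched by protocol number (no port to match)
    (51, None, "allow"),  # AH, matched by protocol number
]

def demo() -> list:
    smtp = build_ipv4(6, struct.pack("!HH", 49152, 25) + b"\x00" * 16)
    http = build_ipv4(6, struct.pack("!HH", 49153, 80) + b"\x00" * 16)
    esp = build_ipv4(50, b"\x00" * 8 + b"\x11" * 24)   # SPI, sequence, ciphertext
    icmp = build_ipv4(1, b"\x08\x00\x00\x00" + b"\x00" * 4)
    return [acl_decision(p, RULES) for p in (smtp, http, esp, icmp)]
# demo() -> ["allow", "deny", "allow", "deny"]
```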
bridge directs traffic based on the destination MAC address.
A bridge typically learns MAC addresses in different bridge networks by analyzing traffic.
More advanced firewalls go beyond simple packet filtering and include advanced content filtering.
Linux systems support iptables and many additions to iptables, such as ipv6tables, arptables, and so on. Generically, administrators commonly refer to these as xtables.
Malicious software (malware) and social engineering are two common attack categories that any organization will face,
A script kiddie is an attacker who uses existing computer scripts or code to launch attacks.
A hacktivist launches attacks as part of an activist movement or to further a cause.
An insider is anyone who has legitimate access to an organization’s internal resources.
Some attackers are organized and sponsored by a nation-state or government. An advanced persistent threat (APT) is a targeted attack against a network.
and more. You might hear people use the term virus to describe all types of malware, but that isn’t accurate. A virus is a specific type of malware, and malware includes many other types of malicious software, including worms, logic bombs, Trojans, ransomware, rootkits, spyware, and more.