CompTIA CASP+ CAS-004 – Chapter 02 – Network and Security Components and Architecture Part 3

  1. IP Security (IPSec)

So we mentioned IPsec here a couple of times, but we need to dig into this a little bit more. IPsec is actually a suite of protocols, much like TCP/IP is. It has a number of different components that you need to be familiar with. But as important as that is, you also need to understand what it does. It can provide encryption and therefore data confidentiality. It can provide digital signatures and therefore data integrity, as well as mutually authenticating both sides of a connection.

Now IPsec is typically used with VPNs, which is why we’re talking about it here, but it can actually be used internally, in what’s called transport mode, between systems on the same LAN. And one of the nice things is that it’s sort of oblivious to the upper layer traffic that’s being carried. And so an application doesn’t have to support IPsec because it’s completely implemented at layer three. It’s a very secure mechanism. The major protocols in the suite are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH just provides data integrity as well as authentication of the origin of the data and protection from replay attacks. It does not provide any encryption though, so it’s not heavily used; ESP is used instead. ESP does everything that AH does as well as encryption, therefore providing all of it.

Okay: mutual authentication, data confidentiality, data integrity. So ESP is typically the protocol of choice. The Internet Security Association and Key Management Protocol, ISAKMP, handles the creation of what’s called an SA, the Security Association, for the session, and the exchange of keys. The Security Association is something that is negotiated between the sender and the recipient of data and must be negotiated and configured properly on both sides in order for communication to occur. So if one system is not IPsec enabled, then a system that requires IPsec is not going to talk to it. Now if we’ve got two systems that have IPsec enabled but differing and incompatible configurations, they’re not going to talk to one another either.

If you cannot establish that security association using ISAKMP, then you will not communicate. Once that negotiation is done, then Internet Key Exchange, sometimes just referred to as IPsec Key Exchange, or just IKE for short, is going to provide the authentication material that’s used to create the keys. This was initially proposed to be performed by a protocol called Oakley that relied on the Diffie-Hellman algorithm, but Oakley has now been superseded by Internet Key Exchange. So if you see the term Oakley, it’s not the sunglasses we’re talking about; it’s the older protocol that was used with IPsec.

  1. IPSec Modes

Now, IPsec is a framework. That means it doesn’t really specify many of the components that are used with it. The components need to be identified in the configuration, and they have to match in order for the two ends to create the required security association. There are two major modes that we mentioned: there’s tunnel mode and there’s transport mode. Now, in transport mode, the SA is established between the two end systems, or between an end station and a gateway.

Transport mode is often used for a remote access VPN, or it can be used to secure internal traffic, which is what I had mentioned before. The encryption algorithm is going to encrypt the data, the hashing algorithm is going to sign the data, and then you have the mode and the protocol. With tunnel mode, the SA is going to exist between two gateways, so all traffic passing through the tunnel is protected. And this would be the type that is used for site-to-site VPNs.
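To make the "configurations have to match" point concrete, here is an added example (not from the course) that models two peers' IPsec proposals and shows when a Security Association can be formed and when it cannot. The proposal fields mirror the ones the lecture names (DH group, encryption, hash, protocol, mode); every configuration in it is constructed.

```python
"""Added example (not from the course): whether two IPsec peers can form a
Security Association depends on their configured proposals lining up, as the
lecture says. Proposal fields mirror the ones named there: DH group,
encryption, hash, protocol and mode. All configs below are constructed."""
from dataclasses import dataclass, fields
from typing import List, Optional, Set


@dataclass(frozen=True)
class Proposal:
    dh_group: int      # Diffie-Hellman group, e.g. 1, 2 or 5 as on the SonicWall
    encryption: str    # "3DES", "AES-128", "AES-256", ...
    hash_alg: str      # "MD5", "SHA-1", "SHA-256", ...
    protocol: str      # "ESP" (or "AH", which gives no confidentiality)
    mode: str          # "tunnel" (gateway to gateway) or "transport"


def negotiate_sa(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Walk the initiator's proposals in preference order and return the first
    one the responder also has configured. None means no SA: the peers will
    not talk, whether because nothing lines up or because one side has no
    IPsec configured at all (an empty list)."""
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None


def mismatched_fields(a: Proposal, b: Proposal) -> Set[str]:
    """Name the attributes on which two proposals disagree; handy when a
    phase-one negotiation fails and you need to see which setting to fix."""
    return {f.name for f in fields(Proposal) if getattr(a, f.name) != getattr(b, f.name)}


# Constructed gateway configurations for a site-to-site VPN (tunnel mode).
GATEWAY_A = [
    Proposal(5, "AES-256", "SHA-256", "ESP", "tunnel"),
    Proposal(2, "AES-128", "SHA-1", "ESP", "tunnel"),
]
GATEWAY_B = [
    Proposal(2, "AES-128", "SHA-1", "ESP", "tunnel"),
    Proposal(5, "AES-256", "SHA-256", "ESP", "tunnel"),
]
LEGACY_GATEWAY = [Proposal(1, "3DES", "MD5", "ESP", "tunnel")]
NO_IPSEC: List[Proposal] = []   # a peer with no IPsec configured

if __name__ == "__main__":
    print("A <-> B:", negotiate_sa(GATEWAY_A, GATEWAY_B))
    print("A <-> legacy:", negotiate_sa(GATEWAY_A, LEGACY_GATEWAY))
    print("A <-> no IPsec:", negotiate_sa(GATEWAY_A, NO_IPSEC))
    print("Why legacy fails:", sorted(mismatched_fields(GATEWAY_A[1], LEGACY_GATEWAY[0])))
```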

  1. Demo – Examining IPSec Policies

In this demonstration we’re going to take a look at IPsec policies, and we’re going to do so in a couple of places. So I’m back on my network security appliance, which has started responding again, and I’m going to go into the VPN settings. Okay. And in the VPN settings here you can see that we’ve got a VPN that’s created, WAN GroupVPN. Now this is a remote access VPN. We could also create site-to-site VPNs. But I’m just going to go ahead and, actually, let’s get the one that’s not enabled here. This is a production machine, so I just want to show you some capabilities without really messing with anything. All right, so first off, this would be SonicWall’s version of an IPsec policy. We’re going to specify the authentication method. In these cases it’s all IPsec, so it’s IKE (Internet Key Exchange) using a pre-shared secret or third-party certificates. Now the pre-shared secret is far more common, and you can see it named here. But the reason that the pre-shared secret is sometimes considered not secure is that, right there, it’s written in plain text if I can get access to the firewall.

That being said, certificates are enough of a pain in the neck, when it comes to site-to-site VPNs at least, that you typically don’t do that. IPsec proposals: phase one, phase two. Phase one is known as main mode; it goes by main mode or phase one. And that is where the security associations are going to be established. Okay. And you notice here it’s specifying the Diffie-Hellman group; 1, 2 or 5 are the options. Then the encryption algorithms that are used: here it’s set to use 3DES, but it can go up to AES-256. The hashing algorithms: MD5 and SHA-1 are the two options here. So this is the initial security association key exchange. Then we get into what’s called phase two, or quick mode. And then here’s the protocol that’s going to be used: ESP, Encapsulating Security Payload, which as we talked about provides both digital signatures for data authenticity as well as encryption for confidentiality. Perfect forward secrecy, which we’ll talk about at some point, prevents key compromise.

Then you can get into some advanced settings as to whether we want to allow broadcast, and what we want the default gateway to be. Am I going to authenticate VPN clients? In this case, this is the VPN server for the remote access connection, so yes, I am. And it’s going to come from this group of users, and that’s defined down here. And then the individual client: can they cache usernames and passwords? Are we configuring a virtual adapter and giving it a DHCP lease? And then what are they going to be able to connect to? And so I can just say all gateways, or split tunnel; that determines how the traffic should be routed once they’ve actually made that connection. And then I would just hit OK. I’m going to go ahead and hit Cancel; normally I would just hit OK. But we can see here there is a list of VPN policies.

I know it’s called a VPN policy here, but as we saw it was IPsec only. Another option: you have an L2TP server that you can enable. We have the SSL-style VPN that we can enable as well. But my focus here is really just more on IPsec. Let’s see, I don’t think there was anything in here for IPsec. Okay, so anyway, that’s a network firewall and where we would see those settings at the network firewall level. So now let’s go and open up the Microsoft Management Console, MMC. From there I’m going to add the Windows Firewall with Advanced Security snap-in. This is not the only way of doing this. This is also a server, and clearly a little bit of an older server. I say clearly because of the look and feel of this.

I believe this is 8. But we can expand Windows Firewall with Advanced Security, and in here I’m going to have Connection Security Rules. Now there are no rules in place, but you can right-click and create a new rule. This would be running IPsec, typically in transport mode. So we’re going to get a few options here for the different rule types. Isolation is restricting connections based on authentication status: so, like, you have to be a member of the domain, or, in conjunction with Network Access Control, based on health status. Authentication exemption is actually disabling IPsec for a particular computer. And the most common, if you’re going to do it in transport mode, is going to be server-to-server. It doesn’t have to be two specific endpoints.

It can be ranges of IPs. But typically, if we’re doing this outside of a VPN and we’re configuring IPsec policies, then at that point we have a particular type of traffic in mind that we are trying to protect. Now notice that you do have tunnel mode, but that would only be if these servers were tunnel endpoints, which is very, very uncommon. All right, so we hit Next, and then we would specify, okay, what traffic does this apply to: any IP address to any IP address, or, more commonly, here’s a range of IP addresses. And then you hit Add, and we can actually type in the IP address or subnet, we can type in a particular range, and we can even say a predefined set of computers. Okay, so DHCP servers or DNS, or anything on the local subnet. I’ll just leave this at Any, actually, because we’re just kind of demoing it. The next would be the requirements.

What do I want to do? Well, in this case, I want to require authentication for both inbound and outbound connections. Okay, now we hit Next. You also have the option of just requesting it. You then have to choose authentication methods. The default in transport mode is computer certificate, but you can hit Advanced and hit Customize. Computer certificate is pretty advanced, but as long as the certificates are issued, it’s fairly easy to do. Here’s where you could go in and add an authentication method, and you do have Kerberos in an Active Directory network, and you have the pre-shared key as well. Okay, so if we’ve modified the default authentication, then we just need to make sure that it’s consistent across the other systems. We’d have to specify the computer certificate authority, but then a profile is just going to be domain, public, private. IPsec in Windows is integrated into the Windows Firewall, which is why I went to the Windows Firewall with Advanced Security to get to it.

And so it applies to a particular profile on the firewall. If I’m connected to the domain, should this IPsec rule be active? If I’m connected to a public network, should this IPsec rule be active? That’s what you’re choosing. Just like with firewall rules, you’re choosing when these rules will actually be active on the system. So I’m going to hit Cancel; we’re not actually going to create those. I do want to go and show one more thing, and that is that with any of these inbound rules, one of the options for Action is Allow the connection, or Allow the connection if it is secure. And if you choose to allow it if it’s secure and hit Customize, then you can make a couple of other choices.

But essentially, just that radio button means it has to be secured with a connection security policy. Okay? And so that’s again where we see the integration between these two systems. So those would be IPsec policies in transport mode. The first thing that we saw would be the IPsec policies at the firewall level and setting up a VPN that is a remote access, IKE-style VPN. And we saw that there are some other options that you have there as well. Okay, so hopefully that helps just to visualize a little bit of what IPsec has to offer and how it is configurable on network devices.

  1. Secure Sockets Layer (SSL)

We briefly mentioned the SSL-style VPN. SSL is an application layer protocol that works to secure network traffic from client to server. Its functionality exists in most browsers; typically it doesn’t require any user interaction, and we don’t need to really worry about opening it up on a firewall. Some of these other VPNs have odd, less well known port numbers, or maybe less well known is not the right term, but they’re not automatically configured in some firewalls. SSL typically is always turned on in a firewall because it allows secure web traffic. I mentioned the portal VPN and the tunnel VPN. In a portal VPN, the user has a single SSL connection for accessing multiple services on a web server. So once they’ve authenticated, they get a page that sort of acts as a portal to other services.

Whereas an SSL tunnel VPN just uses an SSL tunnel to access services on a server that’s not a web server. So that one would actually require custom programming in order to be used. TLS, Transport Layer Security, and SSL are similar, but they’re not the same, and so you just need to make sure that you do understand that. Advantages of an SSL VPN: data is encrypted, it’s supported by all browsers, and users can easily identify it (https). But the disadvantages are very heavy resource usage for the encryption and decryption on that server, and some critical troubleshooting components are actually encrypted, like the URL path, SQL queries and parameters being passed, so that can make it difficult to troubleshoot.

  1. Transport Layer Security (TLS)

Now, Transport Layer Security is, as we said, similar to SSL, but different. It is more advanced. It allows access to advanced cipher suites that support elliptic curve cryptography. TLS has improved support in its latest version, 1.2, for hash negotiation, so it can negotiate any hash algorithm to be used as a built-in feature. The default hash pair used to be MD5 and SHA-1; in the latest version it is SHA-256. It also has improved support for certificate hash or signature control, so TLS can configure the certificate requester to only accept specific hash or signature algorithm pairs. And then it also supports the Suite B compliant cipher suites: AES-128, AES-256, and SHA-256 and SHA-384.

  1. Additional Security Protocols

There are some additional security protocols that you want to be aware of. SSH is Secure Shell. In a lot of cases, you’ve got administrators or network technicians that need to manage and configure devices remotely. Well, the older protocols, like Telnet, allowed us to do that, but it was a very insecure connection; it passed everything in clear text. So Secure Shell was created in order to provide an encrypted method of performing those procedures. So it connects, like SSL, using a secure channel over an insecure network.

You do have to have a system that’s running the server component of this, like a router or firewall, and then you have to have an SSH client program. One of the most common third-party client programs out there that’s free to use is a program called PuTTY. Several steps can be taken to enhance the security of SSH. The default port number is 22, but if you change that to something above 1024, that’s much better. Also, you should only use version 2 because it corrects a lot of the vulnerabilities that exist in the earlier versions. We should disable root login on devices that have a root account; that would be Linux and Unix type devices. And you can also control access by using access control lists. Remote Desktop Protocol, or RDP, is another remote connectivity protocol. This one’s proprietary to Microsoft, used to remotely connect to desktops running the Microsoft OS. The first client version that ever supported RDP was all the way back in Windows XP. RDP is not enabled by default, so you do have to go in and turn it on.

But once it’s turned on, then you can make a remote connection and it’s as if you were sitting in front of it. You can use this for individual access or connection to a virtual desktop infrastructure. So some organizations will use central servers, sometimes called terminal servers, and everybody’s connecting and they have their own virtual desktop there. All right, now, RDP does use native RDP encryption, but it doesn’t authenticate the session host server. So to mitigate that, you can use SSL. Some of the later versions will actually do that by default.

There are a lot of advantages and disadvantages of using RDP. One advantage is that data is kept in the data center instead of on individual machines, so it makes disaster recovery easier. Users can work from anywhere; they just need the ability to connect via RDP. And so a lot of times that helps to centralize things from a security perspective. But you’re also able to centralize your management of the applications that are hosted there as well. A disadvantage is that server downtime, in conjunction with a VDI, would cause an issue for a lot of users.

Network issues can cause problems, and you can have performance-related issues as well. Then you have VNC, Virtual Network Computing. This operates a lot like RDP; it just uses a slightly different protocol, Remote Frame Buffer, instead of Remote Desktop Protocol. The other difference is that this is completely platform independent, so it could be used to transmit between a Linux server and a macOS laptop. You’ve got a VNC server, that’s the program on the machine that’s sharing its screen; you have the VNC client or viewer, which is the program that connects; and then you have the VNC protocol.

  1. Authentication Protocols

Authentication protocols are the protocols in remote access that identify the user, and so they’re very important. We don’t want to just allow anybody to connect to the network; we only want to allow authorized users to connect. There are a lot of types of protocols, but many of them are antiquated and not very secure. These are mentioned here really for historical purposes. You kind of want to know what they are, what they were, but you’re never going to use them. So PAP, Password Authentication Protocol: credentials are sent in clear text, and that’s all we really need to say. That’s a very old protocol, about 25 years old. Challenge Handshake Authentication Protocol, CHAP, is also very old. CHAP solves the clear text problem because it doesn’t actually send the credentials across the link.

So essentially the server sends the client a set of random text, referred to as a challenge or challenge string. And then the client encrypts the text with the password and sends it back. Now that’s kind of simplifying it. Basically the client is using the password as a key for a hashing algorithm, and it’s using that key with the hashing algorithm to encrypt the challenge string. So when the server gets the challenge string back, the server then goes and grabs the password out of the directory, decrypts it, and does the same thing on its end. If the results of what you sent and what I came up with match, then you sent the correct information.
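The CHAP exchange just described, as an added example that is not part of the course: the response is computed the way RFC 1994 specifies (MD5 over the identifier, the secret and the challenge), the server redoes the computation from its own copy of the password, and a fresh random challenge per attempt is what keeps a captured response from being replayed. The user directory and secrets are constructed.

```python
"""Added example, not from the course: the CHAP exchange described above, using
the response computation from RFC 1994 (MD5 over identifier, secret and
challenge). The user directory and secrets are constructed samples."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the client sends back: a hash keyed by the password, never the
    password itself. Real CHAP fixes the hash to MD5."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Holds the directory of passwords. As the lecture notes, the server must be
    able to get at the plaintext password to redo the computation itself."""

    def __init__(self, directory: Dict[str, bytes]):
        self.directory = directory
        self._next_id = 0

    def new_challenge(self) -> Tuple[int, bytes]:
        """Fresh random challenge (and one-octet identifier) per attempt; reusing
        a challenge would let a captured response be replayed."""
        self._next_id = (self._next_id + 1) % 256
        return self._next_id, os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.directory.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_exchange(server: ChapServer, username: str, client_secret: bytes) -> bool:
    """One full round trip: challenge out, response back, server verifies."""
    identifier, challenge = server.new_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(username, identifier, challenge, response)


# Constructed directory.
SERVER = ChapServer({"alice": b"correct horse battery staple"})

if __name__ == "__main__":
    print("right password:", run_exchange(SERVER, "alice", b"correct horse battery staple"))
    print("wrong password:", run_exchange(SERVER, "alice", b"password123"))
```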

Microsoft created their own version, MS-CHAP. The first version was v1; the second version is v2. V2 had stronger encryption keys, different keys for sending and receiving, as well as mutual authentication. Neither is going to be used; if anything, it would be MS-CHAP version 2. But most of the time now we’re in EAP land: Extensible Authentication Protocol. It’s not really a single protocol; it’s more of a framework for port-based access control. It uses the same three components that are used in RADIUS for centralized authentication, and it can be used everywhere: certificates, PKI, even simple passwords.

So you have EAP-MD5-CHAP; that’s just a variant of EAP that uses the CHAP challenge process, but the challenges and responses are sent as EAP messages. This is what you would use if somebody’s actually using a password to authenticate. Whereas if somebody is using a certificate, often stored on a smart card, you would be using EAP-TLS. Another option requires a certificate on the server only; the client uses a password, but the password is sent within a protected EAP message. However, that’s still going to be susceptible to password-based attacks. We have some other options as well. 802.1X is a standard that defines a framework for centralized port-based authentication. It can be applied to wireless and wired networks. There are three essential components to it. The supplicant is the user or the device that’s requesting access to the network.

The authenticator is the device through which the supplicant is attempting to connect. Okay, so in this case, let’s use a managed switch as an example: the supplicant would be the client, the managed switch would be the authenticator, and then the authentication server is the centralized device that performs authentication. So in reality, that role of authenticator can be done by a number of different devices:

remote access servers, VPN servers, switches, wireless access points. Typically the role of authentication server is performed by a RADIUS server (Remote Authentication Dial-In User Service) or TACACS+ (Terminal Access Controller Access Control System Plus), and yes, I do have to read that one; I don’t remember that one. In either case, the authenticator is requesting credentials from the individual connecting, the supplicant, and then when it receives them, it doesn’t actually validate them; it just forwards them to the authentication server. That’s where they’re validated. If you’re validated, then you are allowed to make the connection. So network access control on a switch or a wireless access point would actually utilize 802.1X authentication.

  1. Topic D: Network Solutions for Data Flow

In this next topic, we’ll be looking at network solutions for data flow. While it’s true that securing information that traverses the network is probably the most obvious duty of a security professional, we also need to have an awareness of the type of traffic that’s generated. And that’s equally important, really, for both security and performance reasons. We need to understand the amounts of the various traffic types and the sources of those types of traffic. And so that’s what we’re going to look at in this section: what data flows are, and then how to protect sensitive data flows.

  1. Data Loss Prevention

We start with a concept called DLP, which we referred to before. Data leakage is going to occur when sensitive data gets disclosed to unauthorized personnel. Whether it’s intentional or inadvertent, it doesn’t matter; it’s still considered data leakage and something that we want to prevent. And data loss prevention software is going to attempt to do just that: to prevent data leakage. It does this by maintaining awareness of actions that are authorized and actions that can’t be taken in respect to a document. Okay, so for instance, you might allow the printing of a document, but only at the company office. You might disallow sending that document through email. DLP software functions this way by using ingress and egress filters to identify sensitive information that’s leaving the organization, and then it can prevent that. So ingress is looking at information that’s coming in, whereas egress is examining information that’s going out. Using egress filtering is going to be one of your main mitigations to something called data exfiltration, the unauthorized transfer of data from the network. Policies can be implemented in a couple of different locations. Let’s actually consider an example. Let’s say you’ve got some product plans that should only be available to the sales group.

So for the particular document that contains these product plans, you would create a policy that specifies that it can’t be emailed to anybody outside the sales group, can’t be printed, can’t be copied, as an example. And then you could implement that policy in two locations; any policy can be implemented in a couple of locations:

Network DLP or endpoint DLP. Network DLP is going to be installed, I should say, at network egress points near the perimeter. Network DLP just analyzes network traffic. Endpoint DLP is going to run on end user workstations and servers in the organization, and it really just depends on the particular scenario. You can also use both precise and imprecise methods to determine what is sensitive. A precise method is going to involve content registration and a trigger.

And the primary benefit is you have almost zero false positives. Imprecise methods can use things like keywords, regular expressions (which look for character patterns), metadata tags and statistical analysis. And the problem there is, of course, you do have the possibility of false positives. Ultimately, the value of a DLP system is going to reside in the level of precision with which it can locate and actually prevent the leakage of sensitive data.
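As an added example (not part of the course material), here is a small egress filter that combines the precise method (content registration of the product-plan document from the example above) with imprecise ones (a keyword and a regular expression), so you can see the registered document caught even when only an excerpt is pasted, and the keyword rule producing the false positive the lecture warns about. The document, messages, patterns and the overlap threshold are all constructed.

```python
"""Added example, not part of the course: an egress filter that combines the
precise method (content registration of a sensitive document) with imprecise
ones (keywords and regular expressions), so the false-positive difference the
lecture describes can be seen. Document and messages are constructed."""
import hashlib
import re
from typing import Dict, List, Set

MIN_OVERLAP = 2  # hashed windows a message must share with a registered doc


def fingerprint(text: str, k: int = 6) -> Set[str]:
    """Precise method: register content as hashed k-word windows, so even an
    excerpt pasted into an email still matches the registered document."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


class EgressFilter:
    def __init__(self) -> None:
        self.registered: Dict[str, Set[str]] = {}
        self.patterns = {                      # imprecise methods
            "keyword:confidential": re.compile(r"\bconfidential\b", re.I),
            "regex:16-digit-number": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
        }

    def register(self, name: str, text: str) -> None:
        """Content registration: store the document's fingerprint, not the text."""
        self.registered[name] = fingerprint(text)

    def inspect(self, message: str) -> Dict[str, List[str]]:
        """Report which registered documents and which imprecise rules fire."""
        chunks = fingerprint(message)
        hits: Dict[str, List[str]] = {"precise": [], "imprecise": []}
        for name, fp in self.registered.items():
            if len(chunks & fp) >= MIN_OVERLAP:
                hits["precise"].append(name)
        for name, pattern in self.patterns.items():
            if pattern.search(message):
                hits["imprecise"].append(name)
        return hits

    def allow_egress(self, message: str) -> bool:
        """Egress decision: block on any hit, precise or imprecise."""
        hits = self.inspect(message)
        return not (hits["precise"] or hits["imprecise"])


# Constructed sensitive document (the sales group's product plan).
PRODUCT_PLAN = ("Project Falcon launches in Q3 with the new pricing tiers, "
                "targeting enterprise accounts in the financial sector first.")

DLP = EgressFilter()
DLP.register("product-plan", PRODUCT_PLAN)

# Constructed outbound messages.
LEAK = "FYI, the new pricing tiers, targeting enterprise accounts in the financial sector first."
CARD = "Please charge 4111 1111 1111 1111 for the order."
FALSE_POSITIVE = "Lunch menu: the confidential chef special is tacos."
BENIGN = "Can we move the 3pm sync to tomorrow?"

if __name__ == "__main__":
    for label, msg in (("leak", LEAK), ("card", CARD),
                       ("false positive", FALSE_POSITIVE), ("benign", BENIGN)):
        print(label, DLP.inspect(msg), "allowed" if DLP.allow_egress(msg) else "blocked")
```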

  1. Data Flow Enforcement

Data flow enforcement can refer to controlling data flows within an application; it can also refer to controlling information flows within and between networks. Both of these are pretty important concepts for us to understand. It’s really critical that developers make sure applications handle data in a safe way, and that applies to both the confidentiality and the integrity of the data.

And so the system architecture of an application needs to be designed to provide particular services. One of those is boundary control services. These would be services that are responsible for placing different components in security zones and maintaining some level of control between them. Generally it’s just accomplished by identifying which components and services are trusted or not trusted. Access control services allow us to deploy various methods of access control. Integrity services: we know integrity implies that data has not been changed.

And so these services would make sure that data that’s moving through the OS or the application can be verified, so that we can determine that it hasn’t been damaged or corrupted. Cryptographic services: if a system is capable of encrypting information in transit, then it’s said to provide cryptographic services. Auditing and monitoring services: if it has the ability to track user activities and track the activities of system processes, then it’s able to provide auditing and monitoring.

So data flow enforcement is used for that. It can also refer to controlling data within and between networks and preventing information from being transmitted in clear text to the Internet: for instance, blocking outside traffic that claims to be internal, or preventing traffic that would bypass the proxy server. So data flow enforcement can refer to either of those two things.