Network+ : Secure Networking

Unit 16

Chapter 10

Critical Terms

Encoding and Decoding

Encoding provides casual obfuscation, but anyone can decode the data.

https://www.base64decode.org/

https://www.urldecoder.org/

https://gchq.github.io/CyberChef/

Hashing

Hashing provides a way to prove Integrity.

For instance, MD5 and SHA hashes are typically provided for downloadable files like ISOs. Once you’ve downloaded the file, you can calculate the hash(es) to ensure you’ve gotten a bit-for-bit perfect download.

MD5

https://en.wikipedia.org/wiki/MD5

SHA1, SHA2, SHA256 etc.

https://en.wikipedia.org/wiki/SHA-1

https://gchq.github.io/CyberChef/ -> Scroll down to “Hashing”

Hashing is critical to Authentication. You can’t store passwords; somebody sneaky will get them, for sure. But you can store the hash of a password, then when somebody logs in your system calculates the hash of that password, compares it to the stored hash, and if they match voila! You get Authenticated.
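Both uses of hashing above (the download integrity check and the stored-password comparison) in working Python, as an added example that is not from the page or Meyers' book. The sample "ISO" bytes and their published hash are constructed here; a real value would come from the vendor's download page. PBKDF2 with a per-user salt stands in for the bare password hash the text describes, and the comparison is constant-time.

```python
import hashlib
import hmac
import os

# Constructed sample "download" and its published SHA-256, as a vendor lists beside an ISO.
SAMPLE_ISO = b"pretend this is an ISO image"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_ISO).hexdigest()


def verify_download(data: bytes, published_hex: str, algo: str = "sha256") -> bool:
    """Integrity: recompute the hash of what arrived and compare with the published value."""
    digest = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(digest, published_hex.lower())


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Store a salted, iterated hash (never the password). Format: scheme$iters$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Authentication: rehash the login attempt with the stored salt and compare."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never "match" on garbage
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking where the first differing byte is via timing
    return hmac.compare_digest(dk.hex(), dk_hex)
```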

Encryption

Encryption provides actual Confidentiality, by making your data unreadable by others.

Ciphers: the actual algorithms

Stream vs Block Ciphers

Symmetric Ciphers using Shared Secrets

Asymmetric Ciphers using a Public Key and a Private Key

PKI

Nonrepudiation

Nonrepudiation makes it impossible for someone who has said something to say, “I didn’t say that!” This is useful in, for instance, real estate transactions.

Asymmetric encryption is used for Nonrepudiation. I encrypt a document with my Private Key, and send it (the document, not the key!) to my Realtor. He easily gets my Public Key via PKI, and with it easily decrypts my offer letter. Nobody in the universe but me (in theory) has my Private Key, so anything encrypted with it must have come from me. I can’t repudiate it; this operation has provided Nonrepudiation.

Digital Signatures

The only thing that’s wrong with the scenario above is that while I’ve provided Nonrepudiation, I haven’t provided an Integrity check (always think of a hash in these cases).

So let’s do this:

      1. Calculate the SHA1 hash of my Last Will and Testament.docx.
      2. Encrypt the resulting hash with my Private Key. This is a Digital Signature!
      3. Send an email to my lawyer, paste the Digital Signature into the text of the email, and attach my Will to the email.
      4. My lawyer gets my Will and calculates the SHA1 hash.
      5. My lawyer decrypts my Digital Signature and sees that the hash matches the one he just calculated for my Will.
      6. Bravo! The document is intact (has Integrity) and legal (because Digital Signatures are binding).

Authorization

Authorization is the only element on this list that doesn’t involve cryptography. It’s all about permissions: what shares you’re authorized to see, what documents you can change, what you can create or delete.

What Meyers doesn’t mention yet is that Authorization is part of another triad/list beloved by CompTIA, the AAA:

Authentication

Authorization

Audit (or Accountability)

Also know these common models for Access Control:

802.1x

ACL

MAC

DAC

RBAC

Authentication

See, told you Meyers was going to talk about this! Here are the major standards. Notice the discussion of AAA starting on page 370.

PPP

CHAP / MS-CHAP / MS-CHAPv2

RADIUS / Diameter

TACACS+

Kerberos

Encrypting Data Traffic

SSH

port 22

RSA Key

Tunneling

SSL / TLS

Everything below TLS 1.2 (“TLS 2”) is deprecated and not to be used, period.
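How that rule is enforced in code, as an added example that is not from the page or Meyers' book: a Python `ssl` client context with TLS 1.2 as its floor (TLS 1.3 stays negotiable), plus an audit helper that flags any context whose floor would still admit a deprecated version. Assumes Python 3.7+ for `ssl.TLSVersion`.

```python
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # also enables check_hostname + CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the floor: nothing below 1.2 is negotiated
    ctx.load_default_certs()                       # trust the OS CA store for server certificates
    return ctx


def allows_deprecated_versions(ctx: ssl.SSLContext) -> bool:
    """Audit: True when the floor is below TLS 1.2 (TLSVersion is an IntEnum, so < works;
    the unset value MINIMUM_SUPPORTED is negative and therefore also flagged)."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2
```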

Info
Walk through the process of setting up a TLS connection:
https://tls.ulfheim.net/


IPsec

Transport Mode

Tunnel Mode

Secure TCP/IP Applications

HTTPS

Uses SSL / TLS (meaning actually TLS).

CRL

OCSP

https://en.wikipedia.org/wiki/OCSP_stapling

SCP

Secure, encrypted copy between any two endpoints. You could be on Server A and “skip” a file from Server B to Server C, as long as you have credentials on all systems.

SFTP

Uses SSH encryption and the SSH port (22).

Encrypted email

SNMP

Troubles with v1 and v2. Use v3.

LDAP

Directories

NTP

Network Time Protocol (port 123)