CompTIA Security+ 501 Summary Part 3
This is a summary of my notes on Chapter 3 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition
Things to keep in mind:
- CompTIA is releasing an updated version of the Security+ Exam in November 2020 so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.
- Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.
- Some things are repeated but this is simply to reinforce.
1. Attacks & DNS
Capturing data as it crosses a network is called a Sniffing Attack, and it works best against unencrypted traffic. The free wifi at a restaurant is the classic case: anyone on that network can run a sniffer and capture what you send, so any website you visit that doesn’t force HTTPS is readable in plain text, and unless you use DNS over HTTPS (or DNS over TLS) every DNS lookup you make travels in plain text too. DoS comes from a single source and DDoS from multiple sources; both simply aim to disrupt a service, which can be done in many ways, including just requesting the home page of a website over and over – the webserver or the proxy may not be able to handle a million requests a second and the website goes down. An attempt to corrupt a cache is simply referred to as a poisoning attack. ARP Poisoning uses forged ARP packets to give a client a false hardware (MAC) address for an IP address so that traffic can be redirected through the attacker. DNS Poisoning results in a modified DNS cache where fake, attacker-chosen IP addresses take the place of the real ones. You can help prevent DNS poisoning with DNSSEC, the Domain Name System Security Extensions, a suite that adds digital signatures to DNS records so a resolver can validate that the answer it received is genuine.
DNS servers host data in zones, and each zone holds records. An “A” record is a host record that maps a host name to an IPv4 address. An “AAAA” record maps a host name to an IPv6 address. A “PTR” record is the opposite of an “A” record: the DNS client queries with the IP address and gets the host name back (a reverse lookup). “MX” is the Mail Exchange record, which identifies the mail server for a domain. “CNAME” is a canonical name, or alias, record that points one host name at another, which lets a single host (and IP address) have multiple names associated with it. “SOA” is the start of authority record that holds information about the DNS zone and its settings. DNS servers commonly run Berkeley Internet Name Domain (BIND) software on Unix or Linux servers. Use “nslookup” in Windows and “dig” in Linux to test DNS.
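To make the record types concrete, here is an added example (my own code, not from the book) that parses a small constructed zone file, answers A/AAAA/MX queries the way a resolver does by following CNAME aliases, and generates the PTR records that mirror the A/AAAA records. The zone, names and addresses are made up for the example (documentation ranges 192.0.2.0/24 and 2001:db8::/32); against a real server you would get the same answers from dig or nslookup.

```python
import ipaddress
from collections import defaultdict

# Constructed zone file for this example (not taken from the page or the book).
ZONE = """\
$ORIGIN example.com.
$TTL 3600
@     IN SOA   ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
@     IN MX    10 mail.example.com.
ns1   IN A     192.0.2.53
www   IN A     192.0.2.10
www   IN AAAA  2001:db8::10
mail  IN A     192.0.2.25
shop  IN CNAME www          ; alias: shop.example.com is another name for www
"""


def parse_zone(text):
    """Parse a minimal zone file into {(fqdn, type): [rdata, ...]}."""
    origin = "."
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        name, _cls, rtype, rdata = line.split(None, 3)
        name = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        if rtype == "CNAME" and not rdata.endswith("."):
            rdata = f"{rdata}.{origin}"          # relative alias target, expand it too
        records[(name, rtype)].append(rdata)
    return records


def resolve(records, name, rtype, max_hops=8):
    """Answer a query the way a resolver does: follow CNAME aliases until an rtype record is found."""
    for _ in range(max_hops):
        if (name, rtype) in records:
            return records[(name, rtype)]
        alias = records.get((name, "CNAME"))
        if not alias:
            return []                            # no such name / no data of that type
        name = alias[0]
    raise ValueError("CNAME chain too long (loop?)")


def reverse_name(ip):
    """Name a PTR query asks for: octets (IPv4) or nibbles (IPv6) reversed under the .arpa tree."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_reverse_zone(records):
    """PTR records are the mirror image of A/AAAA records: generate them from the forward zone."""
    ptr = defaultdict(list)
    for (name, rtype), rdatas in records.items():
        if rtype in ("A", "AAAA"):
            for ip in rdatas:
                ptr[(reverse_name(ip), "PTR")].append(name)
    return ptr


RECORDS = parse_zone(ZONE)
REVERSE = build_reverse_zone(RECORDS)

if __name__ == "__main__":
    for q in (("www.example.com.", "A"), ("shop.example.com.", "A"), ("example.com.", "MX")):
        print(q, "->", resolve(RECORDS, *q))
    rev = reverse_name("192.0.2.10")
    print(rev, "->", REVERSE[(rev, "PTR")])
```

The CNAME lookup for shop.example.com lands on the same A record as www.example.com, which is exactly what `dig shop.example.com A` shows as a two-record answer on a real zone; the reverse name for 192.0.2.10 is 10.2.0.192.in-addr.arpa, the name a PTR query actually carries.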
A MAC flood attack attempts to overload a switch’s MAC address table (its CAM table) by sending frames with a different source MAC address in each one until the table is full. Once it is full the switch can no longer remember which port a host sits on and falls back to flooding frames out every port, so the attacker can sniff traffic the switch would normally deliver only to the right port. Switches now come with flood guards (port security) that limit the number of MAC addresses a port can learn and shut the port down when that limit is exceeded.
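An added simulation (my own code, not from the book) of what the flood does to a switch’s CAM table and what a flood guard changes. The switch, table size and MAC addresses are made up for the example: hosts A and B on ports 1 and 2, an attacker on port 3 sending frames with random source MACs.

```python
import random
from collections import OrderedDict


class Switch:
    """Toy switch: a MAC address (CAM) table with an optional per-port flood guard."""

    def __init__(self, table_size=8, port_limit=None):
        self.table_size = table_size    # how many MAC entries the CAM table can hold
        self.port_limit = port_limit    # flood guard: max MACs learned per port (None = off)
        self.cam = OrderedDict()        # mac -> port, oldest entry first
        self.err_disabled = set()       # ports shut down by the guard
        self.flooded = 0                # frames sent out every port for lack of an entry

    def learn(self, src_mac, port):
        if port in self.err_disabled:
            return
        if self.port_limit is not None and src_mac not in self.cam:
            seen_on_port = sum(1 for p in self.cam.values() if p == port)
            if seen_on_port >= self.port_limit:
                self.err_disabled.add(port)     # security violation: shut the port
                return
        if src_mac not in self.cam and len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)        # table full: evict the oldest (legitimate) entry
        self.cam[src_mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Learn the source, then return the egress port, 'FLOOD', or None if the port is disabled."""
        self.learn(src_mac, in_port)
        if in_port in self.err_disabled:
            return None
        out = self.cam.get(dst_mac)
        if out is None:
            self.flooded += 1
            return "FLOOD"
        return out


def simulate(port_limit):
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 floods bogus source MACs."""
    sw = Switch(table_size=8, port_limit=port_limit)
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(a, b, 1)      # switch learns A; B unknown, so this first frame is flooded
    sw.forward(b, a, 2)      # switch learns B; reply goes straight to port 1
    before = sw.forward(a, b, 1)
    rng = random.Random(1)   # seeded so the run is reproducible
    for _ in range(50):
        bogus = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(bogus, "ff:ff:ff:ff:ff:ff", 3)
    after = sw.forward(a, b, 1)
    return {"a_to_b_before": before, "a_to_b_after": after,
            "disabled_ports": sorted(sw.err_disabled), "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    print("no guard :", simulate(None))
    print("guard=2  :", simulate(2))
```

Without a guard, A’s frame to B is delivered to port 2 before the flood and flooded to every port (attacker included) after it, because A’s and B’s entries were evicted. With a guard of two MACs per port, the third bogus source MAC disables port 3 and A still reaches B on port 2.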
2. Protocols
Ports are logical numbers used by TCP/IP to direct traffic towards specific services. Well-known ports range from 0-1023, registered ports from 1024-49,151, and dynamic or private ports from 49,152-65,535. When you think of port 80 you think of HTTP and web traffic, but when your browser talks to a webserver it sends data out through an ephemeral port, a random high-numbered port (often from the dynamic range, 51,152 for example), and directs the data towards port 80 on the webserver. The webserver responds from port 80 back to that ephemeral port your browser chose. Although there is a standard, nothing stops you from running SSH on port 80 or HTTP on port 22. The standard is there to make everything more streamlined, but the option to do what you wish is also there.
You can block a port number outright with a firewall. You can also send traffic arriving on one port to a specific machine and port inside your network; this is port forwarding, for example forwarding port 2222 on your router to port 22 on one internal machine. Restricting open ports is very important and you should take a Least Privilege approach, or rather an Implicit Deny approach, when talking ports: every port is blocked unless it is explicitly opened.
- TCP = Transmission Control Protocol
- UDP = User Datagram Protocol
- ARP = Address Resolution Protocol
- NDP = Neighbor Discovery Protocol (used with IPv6)
- RTP = Real-Time Transport Protocol
- SRTP = Secure Real-Time Transport Protocol
- SSH = Secure Shell (port 22)
- SCP = Secure Copy (copies files over an encrypted SSH connection, port 22)
- SSL = Secure Sockets Layer (deprecated because of known weaknesses and replaced by TLS)
- TLS = Transport Layer Security (the successor to SSL)
- IPsec = Internet Protocol Security (encrypts and authenticates IP traffic)
- SFTP = SSH File Transfer Protocol (file transfer over SSH, port 22; often expanded as Secure File Transfer Protocol)
- FTPS = File Transfer Protocol Secure (FTP over TLS)
- SMTP = Simple Mail Transfer Protocol (sends email, port 25)
- POP3 = Post Office Protocol v3 (port 110)
- SPOP3 = Secure POP3 (POP3 over TLS, port 995)
- IMAP4 = Internet Message Access Protocol 4 (stores email on the mail server, port 143)
- Kerberos = Authentication protocol used in Windows Active Directory domains and Unix realms (port 88)
- LDAP = Lightweight Directory Access Protocol (queries and updates directories such as AD DS, port 389; LDAPS on 636)
- RDP = Remote Desktop Protocol (TCP 3389 or UDP 3389)
- NTP = Network Time Protocol (time synchronization, UDP 123)
- SNTP = Simple Network Time Protocol (a simplified NTP that skips the complex clock-discipline algorithms)
- DHCP = Dynamic Host Configuration Protocol (dynamically assigns IP addresses, UDP 67/68)
- IPv4 = Internet Protocol Version 4 (32-bit addresses in dotted decimal format: 4 groups of 8-bit numbers)
- IPv6 = Internet Protocol Version 6 (128-bit addresses in hexadecimal: 8 groups of 4 hexadecimal characters, where each character is 4 bits)
- DNS = Domain Name System (resolves host names to IP addresses and back, port 53)
- STP = Spanning Tree Protocol (switches)
- RSTP = Rapid STP
- NAT = Network Address Translation (private IP to public IP and reverse)
IPsec uses the Authentication Header (AH), IP protocol number 51, and the Encapsulating Security Payload (ESP), IP protocol number 50. These are protocol numbers in the IP header, not TCP or UDP ports, so a firewall rule that only matches on ports can never match AH or ESP traffic. The Internet Key Exchange (IKE) runs over UDP port 500 (and UDP port 4500 when NAT traversal is in use). STARTTLS lets a plaintext protocol upgrade the existing connection to TLS on its normal port instead of using a separate secure port. For example, a POP3 client can issue the STARTTLS command (called STLS in POP3) on port 110 and the rest of the session is encrypted, instead of connecting to SPOP3 on port 995.
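An added example (my own code, not from the book) that builds a few raw IPv4 packets and classifies them as AH, ESP, IKE or NAT-T the way a packet filter would have to: by reading the protocol field for AH/ESP and the UDP ports only for IKE. The addresses and packet contents are constructed dummies; `matches_port_rule` stands in for a port-only ACL entry to show why it never sees AH or ESP.

```python
import socket
import struct

# IP protocol numbers (IPv4 header "Protocol" field), not ports.
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
IKE_PORT, NAT_T_PORT = 500, 4500     # UDP ports used by IKE and by IPsec NAT traversal

IPV4_HDR = "!BBHHHBBH4s4s"            # 20-byte IPv4 header without options


def ipv4_packet(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left as zero; fine for an offline example)."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt):
    """Name the IPsec component a packet belongs to, or 'other'."""
    ver_ihl, _, _, _, _, _, proto, _, _, _ = struct.unpack(IPV4_HDR, pkt[:20])
    payload = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return "IKE"
        if NAT_T_PORT in (sport, dport):
            return "NAT-T"
    return "other"


def matches_port_rule(pkt, port):
    """What a port-only ACL entry ('permit udp any any eq <port>') can see: nothing for AH/ESP."""
    ver_ihl, _, _, _, _, _, proto, _, _, _ = struct.unpack(IPV4_HDR, pkt[:20])
    if proto != PROTO_UDP:
        return False
    sport, dport = struct.unpack("!HH", pkt[(ver_ihl & 0x0F) * 4:][:4])
    return port in (sport, dport)


# Constructed sample packets (gateway 192.0.2.1 -> peer 198.51.100.1; payloads are dummies).
SAMPLES = {
    "ah":    ipv4_packet("192.0.2.1", "198.51.100.1", PROTO_AH,
                         b"\x04\x04\x00\x00" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01" + b"\x00" * 12),
    "esp":   ipv4_packet("192.0.2.1", "198.51.100.1", PROTO_ESP,
                         b"\x00\x00\x00\x02" + b"\x00\x00\x00\x01" + b"\xaa" * 16),
    "ike":   ipv4_packet("192.0.2.1", "198.51.100.1", PROTO_UDP, udp_datagram(500, 500, b"\x00" * 28)),
    "nat_t": ipv4_packet("192.0.2.1", "198.51.100.1", PROTO_UDP,
                         udp_datagram(4500, 4500, b"\x00\x00\x00\x03" + b"\xbb" * 8)),
    "dns":   ipv4_packet("192.0.2.1", "198.51.100.1", PROTO_UDP, udp_datagram(53211, 53, b"\x12\x34\x01\x00")),
}


def classify_all():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:6} -> {verdict}")
```

On a real firewall this is why an IPsec VPN needs rules for protocols 50 and 51 (or a NAT-T rule for UDP 4500) in addition to UDP 500; a rule written as “port 50” or “port 51” matches nothing.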
STP and RSTP provide loop protection for switches. Aggregation switches combine the links from multiple switches into one network. Antispoofing on a router means dropping packets whose source address makes no sense for the interface they arrive on, such as packets from the internet claiming a private or internal source address. Stateless firewalls filter each packet on its own, based only on static information like source and destination addresses and ports. Stateful firewalls track connections and filter traffic based on the entire context, or “STATE”, of the conversation, so a reply is only let in if the matching outbound request was seen. Routers and firewalls use Access Control Lists (ACLs), which are read top to bottom with the first matching rule winning. Implicit Deny blocks all traffic that is not explicitly allowed. Most devices apply an implicit deny on their own; adding an explicit “Deny Any” at the end of an ACL, after all the explicit rules, makes that deny visible and lets you log what it drops.
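An added example (my own code, not from the book) covering both the port and implicit-deny notes above and the stateless/stateful/antispoof distinction: a small first-match ACL evaluator run in stateless and stateful mode over the same constructed packets. The network (10.0.0.0/24 inside, a forwarded SSH host at 10.0.0.10) and the addresses are made up for the example. Note how the stateless filter has to admit web replies by source port alone, and what an attacker can do with that.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "lan" or "wan"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Source addresses that can never legitimately arrive from the internet side.
BOGON_ON_WAN = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "any"        # CIDR or "any"
    dst: str = "any"
    sport: object = "any"   # port number or "any"
    dport: object = "any"

    def matches(self, p):
        def in_net(cidr, ip):
            return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
        return (self.iface in ("any", p.iface) and self.proto in ("any", p.proto)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.sport in ("any", p.sport) and self.dport in ("any", p.dport))


def is_spoofed(p):
    """Antispoofing check: an internal or loopback source address arriving on the WAN is forged."""
    return p.iface == "wan" and any(ipaddress.ip_address(p.src) in n for n in BOGON_ON_WAN)


class Firewall:
    def __init__(self, rules, stateful):
        self.rules = rules
        self.stateful = stateful
        self.state = set()  # 5-tuples of connections this firewall has already allowed

    def decide(self, p):
        if is_spoofed(p):
            return "deny (antispoof)"
        if self.stateful and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow (established)"      # reply to a connection we let out; no rule needed
        for rule in self.rules:               # ACL: top to bottom, first match wins
            if rule.matches(p):
                if rule.action == "allow" and self.stateful:
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "deny (implicit)"              # nothing matched: implicit deny


OUTBOUND_WEB = [Rule("allow", iface="lan", proto="tcp", src="10.0.0.0/24", dport=80),
                Rule("allow", iface="lan", proto="tcp", src="10.0.0.0/24", dport=443)]
# Port forward: the router sends TCP 22 from the internet to the internal host 10.0.0.10.
FORWARD_SSH = Rule("allow", iface="wan", proto="tcp", dst="10.0.0.10/32", dport=22)
# A stateless filter can only admit web replies by their source port; this is the hole.
STATELESS_REPLIES = Rule("allow", iface="wan", proto="tcp", sport=80, dst="10.0.0.0/24")


def run(stateful):
    rules = OUTBOUND_WEB + [FORWARD_SSH] + ([] if stateful else [STATELESS_REPLIES])
    fw = Firewall(rules, stateful)
    return {
        "client_out":    fw.decide(Packet("lan", "tcp", "10.0.0.5", 51234, "203.0.113.7", 80)),
        "reply_in":      fw.decide(Packet("wan", "tcp", "203.0.113.7", 80, "10.0.0.5", 51234)),
        "port80_scan":   fw.decide(Packet("wan", "tcp", "198.51.100.9", 80, "10.0.0.5", 445)),
        "forwarded_ssh": fw.decide(Packet("wan", "tcp", "198.51.100.9", 40000, "10.0.0.10", 22)),
        "spoofed":       fw.decide(Packet("wan", "tcp", "10.0.0.1", 40000, "10.0.0.10", 22)),
        "unsolicited":   fw.decide(Packet("wan", "tcp", "198.51.100.9", 40000, "10.0.0.5", 3389)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", run(mode))
```

The stateless filter lets the attacker’s probe to port 445 through simply because it was sent from source port 80; the stateful filter has no state for it and the implicit deny catches it, while the genuine reply is still allowed as established. Appending an explicit deny-any rule would turn the “deny (implicit)” results into a matched rule you can log.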
Host-based firewalls protect a single host. Network-based firewalls are usually dedicated appliances or servers and protect an entire network. A Web Application Firewall (WAF) protects a web application hosted on a webserver by inspecting the HTTP traffic going to it. An intranet is an internal network, while an extranet is a part of the network that authorized outside parties can access. The Demilitarized Zone (DMZ) sits in between a private network and the internet. It is common practice to have one firewall on the outer layer between the DMZ and the internet, and another on an inner layer between the DMZ and the intranet, so a buffer zone is created. This squeezes traffic through multiple layers of security before it reaches the internal network.
NAT hides private IP addresses, and the computers behind them, from the internet. Your router becomes the face of your internal network and is the only thing exposed to the internet. Port Address Translation (PAT) is the commonly used form of NAT: many private addresses share one public address and are told apart by port number. NAT does not play well with IPsec. AH authenticates the IP header, so rewriting the addresses breaks its integrity check, and ESP only crosses a NAT device with NAT traversal (ESP encapsulated in UDP on port 4500).
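An added example (my own code, not from the book) of a PAT translation table: two internal hosts that happen to pick the same ephemeral source port share one public address, replies are mapped back to the right host, and an unsolicited packet from the internet has no mapping and is dropped. The second half uses a stand-in HMAC for AH’s integrity check value (a simplification, not the real AH algorithm) to show why rewriting the source address breaks AH. Addresses and the key are constructed for the example.

```python
import hashlib
import hmac
import itertools


class PAT:
    """Port Address Translation: many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.free_ports = itertools.count(first_port)     # hand out ports from the dynamic range
        self.out = {}    # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.back = {}   # (public_port, dst_ip, dst_port) -> (private_ip, private_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite an outgoing packet's source to the public IP and a unique public port."""
        key = (src, sport, dst, dport)
        if key not in self.out:
            pub_port = next(self.free_ports)
            self.out[key] = pub_port
            self.back[(pub_port, dst, dport)] = (src, sport)
        return (self.public_ip, self.out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Rewrite a reply back to the private host; anything without a mapping is dropped (None)."""
        if dst != self.public_ip:
            return None
        inner = self.back.get((dport, src, sport))
        if inner is None:
            return None           # unsolicited: no private host is reachable this way
        return (src, sport, inner[0], inner[1])


def demo_pat():
    pat = PAT("198.51.100.1")
    # Two hosts happen to pick the same ephemeral source port; PAT keeps them apart.
    a = pat.outbound("192.168.1.10", 51000, "203.0.113.7", 443)
    b = pat.outbound("192.168.1.11", 51000, "203.0.113.7", 443)
    return {
        "a_out": a,
        "b_out": b,
        "reply_to_b": pat.inbound("203.0.113.7", 443, "198.51.100.1", b[1]),
        "unsolicited": pat.inbound("198.51.100.9", 40000, "198.51.100.1", 22),
    }


def ah_icv(src, dst, payload, key=b"constructed-shared-key"):
    """Stand-in for AH's integrity check value: like real AH it covers the IP addresses."""
    return hmac.new(key, f"{src}>{dst}|".encode() + payload, hashlib.sha256).digest()[:12]


def ah_survives_nat(private_src="192.168.1.10", public_src="198.51.100.1", dst="203.0.113.7"):
    """The host computes the ICV over its private address; the peer sees the NATed one."""
    payload = b"ah-protected data"
    sent = ah_icv(private_src, dst, payload)
    recomputed_by_peer = ah_icv(public_src, dst, payload)
    return hmac.compare_digest(sent, recomputed_by_peer)


if __name__ == "__main__":
    print(demo_pat())
    print("AH check passes after NAT:", ah_survives_nat())
```

The `unsolicited` result is the “hiding” NAT provides: without a prior outbound mapping there is no way to address an internal host from outside. ESP in tunnel mode does not have this problem because its integrity check covers only the encapsulated inner packet, which NAT never touches.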
Physical isolation, or an air gap, ensures a network isn’t connected to any other network. SCADA and other industrial control networks commonly use physical isolation, with all the internal systems cut off from the internet. Routers and firewalls provide separation and segmentation: routers segment traffic between networks using rules within ACLs, and subnetting divides IP ranges into smaller, more manageable ranges.
Virtual Local Area Networks (VLANs) are configured on switches; a Layer 3 switch can additionally route between VLANs based on IP address instead of only forwarding by MAC address. VLANs group computers into a virtual network regardless of which physical switch port they are plugged into, and they separate or segment traffic, even by traffic type, on shared physical hardware. For example, voice traffic can be placed on one VLAN and data traffic on another. Because each VLAN is its own broadcast domain, an ARP poisoning attack is confined to the VLAN the attacker is on.
A VoIP gateway converts telephone traffic on a phone line into digital traffic on an IP-based network. A Mail Gateway is a server that inspects all incoming and outgoing email traffic. Proxy servers can be used to manipulate and forward requests. A reverse proxy server accepts requests from the internet and forwards them to another server. A simple example is a reverse proxy that forwards HTTP requests to a webserver: when you visit a website, you first hit the reverse proxy, which has its own configuration, and it passes your request on to the webserver. The webserver’s response comes back through the proxy to you. This is additional segmentation you can add to a network setup, since the webserver itself is never exposed directly.
A transparent proxy accepts and forwards requests without modifying them. A nontransparent proxy can modify requests or block traffic altogether, and URL filters are placed on nontransparent proxy servers. You might, for example, try to go to facebook and end up redirected. It isn’t facebook that’s redirecting you: your request first hits the proxy server, and since it has a filter in place to block social media websites, it modifies your request and sends you to another destination, typically a block page.
Internet applications expose Application Programming Interfaces (APIs). An application proxy understands a specific application protocol or API: if it receives a properly formatted, valid request that complies with that API, it provides an answer or forwards the request; a request that doesn’t fit the protocol it understands gets no answer.
Unified Threat Management (UTM) is a single solution that combines multiple security controls, and UTM appliances usually sit at a network border. The controls include a firewall, antivirus, content filtering, DDoS mitigation and so on.