***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-implementation/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Secure Protocols``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Secure Protocols](#a) <br/><br/>

- [Real-time Transport Protocol](#b) <br/><br/>
    - [``RTP``](#b) <br/><br/>
        - [Secure Real-time Transport Protocol](#b) <br/><br/>
            - [Secure RTP](#b) <br/><br/>
                - [``SRTP``](#b) <br/><br/>
                    - [Encryption](#c) <br/><br/>
                        - [``AES``](#c) <br/><br/>
                    - [Hash-based Message Authentication Code](#d) <br/><br/>
                        - [``HMAC-SHA1``](#d) <br/><br/>
- [Network Time Protocol](#e) <br/><br/>
    - [``NTP``](#e) <br/><br/>
        - [``DDoS``](#e) <br/><br/>
            - [``Amplification Attacks``](#e) <br/><br/>
        - [Secure Network Time Protocol](#f) <br/><br/>
            - [``NTPsec``](#f) <br/><br/>
- [Email](#g) <br/><br/>
    - [Secure Multipurpose Internet Mail Extensions](#g) <br/><br/>
        - [``S/MIME``](#g) <br/><br/>
            - [Public / Private Key Encryption](#g) <br/><br/>
                - [``Digital Signatures``](#g) <br/><br/>
    - [``POP3`` - ``IMAP``](#h) <br/><br/>
        - [``SSL``](#h) <br/><br/>
            - [Secure POP](#h) <br/><br/>
                - [``STARTTLS``](#h) <br/><br/>
            - [``Secure IMAP``](#h) <br/><br/>
- [Web](#i) <br/><br/>
    - [Secure Sockets Layer](#i) <br/><br/>
        - [``SSL``](#i) <br/><br/>
            - [Transport Layer Security](#i) <br/><br/>
                - [``TLS``](#i) <br/><br/>
    - [``HTTPS``](#j) <br/><br/>
        - [``HTTP Secure``](#j) <br/><br/>
- [Internet Communication](#k) <br/><br/>
    - [Encrypted Tunnel](#k) <br/><br/>
        - [Internet Protocol Security](#k) <br/><br/>
            - [``IPsec``](#k) <br/><br/>
                - [Tunnel Implementation](#l) <br/><br/>
                    - [Authentication Header](#l) <br/><br/>
                        - [``AH``](#l) <br/><br/>
                            - [Integrity](#l) <br/><br/>
                    - [Encapsulation Security Payload](#l) <br/><br/>
                        - [``ESP``](#l) <br/><br/>
                            - [Encryption](#l) <br/><br/>
- [File Transfer](#m) <br/><br/>
    - [File Transfer Protocol Secure](#m) <br/><br/>
        - [``FTPS``](#m) <br/><br/>
            - [``FTP-SSL``](#m) <br/><br/>
                - [Encryption](#m) <br/><br/>
                    - [``SSL``](#m) <br/><br/>
    - [SSH File Transfer Protocol](#m) <br/><br/>
        - [``SFTP``](#m) <br/><br/>
            - [Encryption](#m) <br/><br/>
                - [``SSH``](#m) <br/><br/>
- [Directory Services](#n) <br/><br/>
    - [Lightweight Directory Access Protocol](#n) <br/><br/>
        - [``LDAP``](#n) <br/><br/>
            - [``X.500``](#n) <br/><br/>
                - [``Microsoft Active Directory``](#n) <br/><br/>
                - [``OpenDirectory``](#n) <br/><br/>
                - [``OpenLDAP``](#n) <br/><br/>
    - [Lightweight Directory Access Protocol Secure](#o) <br/><br/>
        - [``LDAPS``](#o) <br/><br/>
            - [``SSL``](#o) <br/><br/>
        - [Framework](#p) <br/><br/>
            - [Simple Authentication and Security Layer](#p) <br/><br/>
                - [``SASL``](#p) <br/><br/>
                    - [``Kerberos``](#p) <br/><br/>
- [Remote Access](#q) <br/><br/>
    - [Secure Shell](#q) <br/><br/>
        - [``SSH``](#q) <br/><br/>
- [Domain Name Resolution](#r) <br/><br/>
    - [Domain Name System](#r) <br/><br/>
        - [``DNS``](#r) <br/><br/>
            - [Domain Name System Security Extensions](#r) <br/><br/>
                - [``DNSSEC``](#r) <br/><br/>
                    - [Public Key Cryptography](#r) <br/><br/>
                        - [``Digital Signatures``](#r) <br/><br/>
- [Routing and Switching](#s) <br/><br/>
    - [Secure Shell](#s) <br/><br/>
        - [``SSH``](#s) <br/><br/>
    - [Simple Network Management Protocol Version 3](#s) <br/><br/>
        - [``SNMPv3``](#s) <br/><br/>
    - [``HTTPS``](#s) <br/><br/>
- [Network Address Allocation](#t) <br/><br/>
    - [Securing Dynamic Host Configuration Protocol](#t) <br/><br/>
        - [ ``DHCP``](#t) <br/><br/>
            - [Active Directory](#u) <br/><br/>
                - [``Rogue DHCP Servers``](#u) <br/><br/>
            - [Switch](#u) <br/><br/>
                - [``DHCP Snooping``](#u) <br/><br/>
    - [Client DoS](#v) <br/><br/>
        - [``DHCP Starvation Attack``](#v) <br/><br/>
            - [Switch Configuration](#v) <br/><br/>
                - [Limit Media Access Control ADDRs](#v) <br/><br/>
- [Subscription Services](#w) <br/><br/>
    - [``AV``](#w) <br/><br/>
        - [Update Signatures](#w) <br/><br/>
            - [``IPS``](#w) <br/><br/>
                - [Update those Signatures](#w) 
<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Secure Protocols
***

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Real-time Transport Protocol - ``RTP`` - Secure Real-time Transport Protocol - Secure RTP - ``SRTP``
***

If you've ever used Voice over IP, or a Voice over IP telephone, then you've used the ``Real-time Transport Protocol`` (``RTP``).

![image.png](attachment:image.png)

There is an encrypted version of ``RTP`` called the ``Secure Real-time Transport Protocol`` - you'll sometimes see this referred to as ``Secure RTP`` or very simply ``SRTP``.

The goal with ``SRTP`` is to take conversations that normally would not be encrypted across the network and add encryption for security, so that nobody can listen in to your conversation.

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Secure Real-time Transport Protocol - ``Secure RTP`` - Encryption - ``AES``
***

The encryption used for ``SRTP`` is ``AES`` - this ensures that your communication with Voice over IP or Video over IP will be secure. 

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### Secure Real-time Transport Protocol - ``Secure RTP`` - Hash-based Message Authentication Code - ``HMAC-SHA1``
***

There's more to ``SRTP`` than simply encryption - there are additional security features, such as authentication, integrity, and replay protection - this is accomplished by using ``HMAC-SHA1``, which is a ``Hash-based Message Authentication Code`` built on the ``SHA1`` hash function.
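The authentication, integrity and replay-protection side of ``SRTP`` can be shown without the ``AES`` step. The following is an added example written for these notes, not code from the course or from any SRTP implementation: it appends an ``HMAC-SHA1`` tag truncated to 80 bits (SRTP's default tag length) over the RTP packet plus the rollover counter, and the receiver rejects replayed and tampered packets. The key, SSRC and payloads are constructed; encryption of the payload is left out because the Python standard library has no ``AES``.

```python
import hmac
import hashlib
import struct

# Added example (not part of the course notes): an SRTP-style receiver that
# checks the HMAC-SHA1 authentication tag and rejects replayed packets.
# SRTP also encrypts the payload with AES; that step is left out here because
# the Python standard library has no AES, so this block covers only the
# authentication, integrity and replay-protection features.

AUTH_TAG_LEN = 10      # SRTP's default tag: HMAC-SHA1 truncated to 80 bits
REPLAY_WINDOW = 64     # how far behind the newest packet a late packet may still arrive
ROC = 0                # rollover counter; stays 0 while the 16-bit seq has not wrapped


def rtp_packet(seq: int, payload: bytes) -> bytes:
    """Build a minimal 12-byte RTP header (V=2, PT=0, constructed SSRC) plus payload."""
    header = struct.pack("!BBHII", 0x80, 0, seq, 0, 0xDEADBEEF)
    return header + payload


def auth_tag(auth_key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA1 over the RTP packet followed by the ROC, truncated to 80 bits."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", ROC), hashlib.sha1).digest()
    return mac[:AUTH_TAG_LEN]


def protect(auth_key: bytes, packet: bytes) -> bytes:
    """Sender side: append the authentication tag."""
    return packet + auth_tag(auth_key, packet)


class SrtpReceiver:
    """Receiver side: replay check, then tag check, then update the replay state."""

    def __init__(self, auth_key: bytes):
        self.auth_key = auth_key
        self.highest = -1   # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the window

    def unprotect(self, packet: bytes):
        """Return (status, payload): status is 'ok', 'replay' or 'bad_tag'."""
        body, tag = packet[:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
        seq = struct.unpack("!H", body[2:4])[0]
        # 1. replay check: already accepted, or older than the window allows
        if seq in self.seen or seq <= self.highest - REPLAY_WINDOW:
            return "replay", None
        # 2. integrity/authentication check with a constant-time comparison
        if not hmac.compare_digest(tag, auth_tag(self.auth_key, body)):
            return "bad_tag", None
        # 3. only authenticated packets update the replay state
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - REPLAY_WINDOW}
        return "ok", body[12:]


def demo():
    """Run the three cases: fresh packet, replayed packet, tampered packet."""
    key = bytes(range(20))                       # constructed 160-bit auth key
    rx = SrtpReceiver(key)
    fresh = protect(key, rtp_packet(1, b"voice frame 1"))
    results = [rx.unprotect(fresh)[0], rx.unprotect(fresh)[0]]
    tampered = bytearray(protect(key, rtp_packet(2, b"voice frame 2")))
    tampered[12] ^= 0x01                         # flip one payload bit in transit
    results.append(rx.unprotect(bytes(tampered))[0])
    return results                               # ['ok', 'replay', 'bad_tag']


if __name__ == "__main__":
    print(demo())
```

The order inside ``unprotect`` matters: the replay check runs before the HMAC so a flood of duplicates costs no hashing, and the replay state is only updated after the tag verifies, so an attacker cannot poison the window with forged sequence numbers.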

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Network Time Protocol - ``NTP`` - ``DDoS`` - ``Amplification Attacks``
***

One of the challenges we have with legacy protocols that we’ve used for so many years on the internet is that they were never originally designed with any security features - a good example of this is the ``Network Time Protocol`` or ``NTP``.

The original specifications for ``NTP`` didn't include any security features, and we've noticed recently that attackers have taken advantage of this by using ``NTP`` in ``Amplification Attacks`` when they're performing Distributed Denial of Service attacks.
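From the ``NTP`` server's own vantage point an amplification attack has a simple signature: the spoofed requests appear to come from the victim, and the victim then "receives" far more bytes than it sent. The following is an added example written for these notes, not code from the course: it aggregates constructed NetFlow-style records for one server and flags clients whose response-to-request byte ratio is suspicious. The server and client addresses are documentation ranges and the thresholds are assumptions.

```python
from collections import defaultdict

# Added example (not part of the course notes): spotting NTP amplification from
# the NTP server's own flow records. In an amplification attack the requests
# carry the victim's address as the source, so from the server's vantage point
# one "client" sends tiny requests and receives far larger responses.

NTP_PORT = 123

# Constructed NetFlow-style records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    # a normal client: 48-byte NTP request and response, 76 bytes each with IP/UDP headers
    ("192.0.2.10", 41000, "198.51.100.5", NTP_PORT, 4, 304),
    ("198.51.100.5", NTP_PORT, "192.0.2.10", 41000, 4, 304),
    # a victim being reflected at: small requests, very large responses
    ("203.0.113.7", 50001, "198.51.100.5", NTP_PORT, 25, 1500),
    ("198.51.100.5", NTP_PORT, "203.0.113.7", 50001, 25, 12000),
]


def amplification_report(flows, server_ip, ratio_threshold=5.0, min_response_bytes=4096):
    """Return {client_ip: response_bytes / request_bytes} for clients over both thresholds."""
    bytes_in = defaultdict(int)    # bytes each client sent to the server's NTP port
    bytes_out = defaultdict(int)   # bytes the server's NTP port sent back to each client
    for src, sport, dst, dport, _packets, nbytes in flows:
        if dst == server_ip and dport == NTP_PORT:
            bytes_in[src] += nbytes
        elif src == server_ip and sport == NTP_PORT:
            bytes_out[dst] += nbytes
    flagged = {}
    for client, out in bytes_out.items():
        # responses with no matching requests at all are the worst case
        ratio = out / bytes_in[client] if bytes_in[client] else float("inf")
        if out >= min_response_bytes and ratio >= ratio_threshold:
            flagged[client] = ratio
    return flagged


if __name__ == "__main__":
    print(amplification_report(SAMPLE_FLOWS, "198.51.100.5"))
```

The minimum-bytes floor stops a single odd packet from raising an alert; the ratio is what distinguishes a reflector being abused from a busy but normal server. On a real server the usual follow-up is to rate-limit and to stop answering the unauthenticated query types that produce oversized responses.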

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### Network Time Protocol - ``NTP`` - Secure Network Time Protocol - ``NTPsec``
***

Thirty years after it was introduced, ``NTP`` has now started to have additional security features added - these are added as part of the ``NTPsec`` protocol, which is the ``Secure Network Time Protocol`` - this update has added a number of security features to ``NTP`` and has cleaned up some of the old code to remove some existing vulnerabilities.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Email - Secure Multipurpose Internet Mail Extensions - ``S/MIME`` - Public / Private Key Encryption - ``Digital Signatures``
***

As users send an increasing amount of email we, of course, need to be able to keep the information within those emails confidential.

One way that you can do this is with ``S/MIME``, which stands for ``Secure Multipurpose Internet Mail Extensions`` - this is a ``Public/Private Key Encryption`` mechanism that allows you to protect the information using that encryption and to provide ``Digital Signatures`` for integrity.

Since ``S/MIME`` requires this public/private key pair, there needs to be some type of public key infrastructure, or ``PKI``, in place in order to properly manage these keys.

< [Table of Contents](#top) | [References](#references) >
<a id="h"></a>
***
###### Email - ``POP3`` - ``IMAP`` - Encrypt with ``SSL``  - Secure POP - ``STARTTLS`` - ``Secure IMAP``
***

``POP3`` and ``IMAP`` also have security extensions.

> With ``POP3`` you can use a ``STARTTLS`` extension to include ``SSL`` as part of that ``POP3`` communication.

> With ``IMAP`` you can choose to use ``Secure IMAP`` which also uses ``SSL``.

If you’re using a browser based email such as Google Gmail or Yahoo Mail then you should always be using an encrypted communication and your browser should always be using ``SSL`` (``TLS``) to provide that confidentiality.

< [Table of Contents](#top) | [References](#references) >
<a id="i"></a>
***
###### Web - Secure Sockets Layer - ``SSL`` - Transport Layer Security - ``TLS``
***

We often refer to browser-based encryption as ``SSL`` - ``Secure Sockets Layer`` - in reality we're using a newer version of ``SSL`` called ``TLS`` - ``Transport Layer Security``.

These days if somebody is using the older term ``SSL`` they are actually referring to ``TLS``.

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="j"></a>
***
###### Web - ``HTTPS`` - ``HTTP Secure``
***

When sending encrypted data over a web connection we're using the ``HTTPS`` secure protocol, which stands for ``HTTP over TLS`` or ``HTTP over SSL`` - you'll sometimes see it referred to as ``HTTP Secure``.

The most common form of ``HTTPS`` is going to use a ``Public Key Encryption`` method.

It uses that ``Public`` and ``Private`` Key pair in order to ``transfer a Symmetric Key`` across the network (using ``Asymmetric Encryption``) so that a ``Session Key`` can then be used symmetrically during the communication.

This is the backbone for most of the encryption that we're doing on the internet - if you're on the ``professormesser.com`` website or the ``youtube.com`` website then you are using ``HTTPS`` to be able to send that information privately.

< [Table of Contents](#top) | [References](#references) >
<a id="k"></a>
***
###### Internet Communication - Encrypted Tunnel - Internet Protocol Security - ``IPsec``
***

If you need to communicate between two locations across the internet in a secure form, then you'll probably need to use some type of encrypted tunnel.

One of the most common types is ``Internet Protocol Security`` (``IPsec``) - this allows you to send information across the ``Layer 3`` public internet but encrypt the data so that all of that information remains confidential.

``IPsec`` also includes packet signing for integrity and anti-replay features.

One nice part of ``IPsec`` is that it is so standardized that you can use different manufacturers' equipment on both ends of the tunnel, and both of those manufacturers will be able to communicate with each other using ``IPsec`` because this is such a well-known and well-established standard.

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="l"></a>
***
###### Internet Communication - Encrypted Tunnel - Internet Protocol Security - ``IPsec`` - Tunnel Implementation - Authentication Header - ``AH`` - Integrity - Encapsulation Security Payload - ``ESP`` - Encryption
***

When implementing an ``IPsec`` tunnel you will be using two main protocols:

> ``Authentication Header`` (``AH``), which provides the integrity.

> ``Encapsulation Security Payload`` (``ESP``), which provides the encryption.

< [Table of Contents](#top) | [References](#references) >
<a id="m"></a>
***
###### File Transfer - File Transfer Protocol Secure - ``FTPS`` - ``FTP-SSL`` - Encryption - ``SSL`` - SSH File Transfer Protocol - ``SFTP`` - Encryption - ``SSH``
***

If transferring files between devices, you'll also want to use a secure protocol for those.

Two of the most common are ``FTPS`` and ``SFTP``.

``FTPS`` is ``File Transfer Protocol Secure`` and it uses ``SSL`` to encrypt the information that we're sending using that ``FTP`` client.

Although the name is very similar, ``FTPS`` is using a completely different mechanism to communicate than ``SFTP``. 

``SFTP`` is the ``SSH File Transfer Protocol`` - where ``FTPS`` was using ``SSL`` to provide the encryption, ``SFTP`` is using ``SSH`` to provide that encryption.

``SFTP`` also includes some additional management capabilities - for example, you can resume interrupted transfers, get a listing of the directories that are on a device, remove files and directories, and manipulate the file system using the ``SFTP`` protocol.

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="n"></a>
***
###### Directory Services - Lightweight Directory Access Protocol - ``LDAP`` - ``X.500`` - ``Microsoft Active Directory`` - ``OpenDirectory`` - ``OpenLDAP``
***

Most enterprise networks will have a central directory where information is stored on the network - this directory can be accessed using common protocols - one of those protocols is the ``Lightweight Directory Access Protocol`` (``LDAP``).

The standard for having a centralized directory on the network comes from the ``X.500`` standard by the International Telecommunication Union.

This original standard was actually called ``DAP`` and it ran on the ``OSI Protocol Stack`` - when this was updated for ``TCP/IP`` networks they created the ``LDAP`` version of this protocol.

If you're using ``Microsoft Active Directory``, Apple's ``OpenDirectory`` or ``OpenLDAP``, then you're using a directory that can be accessed using this standardized ``LDAP`` protocol.

< [Table of Contents](#top) | [References](#references) >
<a id="o"></a>
***
###### Directory Services - Lightweight Directory Access Protocol Secure - ``LDAPS`` - ``SSL``
***

``LDAP Secure`` (``LDAPS``) is a non-standard version of ``LDAP`` that provides a level of security. 

Very similar to other protocols ``LDAPS`` uses ``SSL`` to be able to communicate securely to an ``LDAP`` server. 

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="p"></a>
***
###### Directory Services - Lightweight Directory Access Protocol Secure - ``LDAPS`` - Framework - Simple Authentication and Security Layer - ``SASL`` - ``Kerberos``
***

A more common form of security is the ``Simple Authentication and Security Layer`` (``SASL``), which is a framework that many different application protocols can use to be able to communicate securely. 

``LDAP`` uses ``SASL`` for this and it can communicate using ``Kerberos``, Client Certificates, and other methods as well.

< [Table of Contents](#top) | [References](#references) >
<a id="q"></a>
***
###### Remote Access - Secure Shell - ``SSH``
***

Earlier this notebook referenced ``SFTP``, which communicates using the ``File Transfer Protocol`` over ``SSH``.

``SSH`` stands for ``Secure Shell`` and it's commonly used to provide a terminal screen that encrypts the information between the client and the server.

``SSH`` effectively replaces the older ``Telnet`` protocol, which also provided a terminal screen but had no encryption mechanism - this made ``SSH`` a very popular upgrade and it's very common now to use ``SSH`` almost exclusively when doing any type of terminal communication.

< [Table of Contents](#top) | [References](#references) >
<a id="r"></a>
***
###### Domain Name Resolution - Domain Name System - ``DNS`` - Domain Name System Security Extensions - ``DNSSEC`` - Public Key Cryptography - ``Digital Signatures``
***

``Domain Name System`` (``DNS``) is another one of those legacy protocols that was originally created without any type of security features - this allowed attackers to change the information that was being sent to and from a ``DNS`` server effectively allowing them to redirect traffic to whatever server they’d like. 

To avoid this we've added additional security features to ``DNS`` - this would be ``DNSSEC``, which stands for the ``Domain Name System Security Extensions``.

``DNSSEC`` gives us a way to validate the information we're getting from a ``DNS`` server, so that we know it really did come from the ``DNS`` server that we requested it from and that the information was not changed as it went through the network.

We're able to do this using ``Public Key Cryptography`` - we can sign the information that we're adding to a ``DNS`` server, and then the recipient of that information can verify that the information is correct based on those ``Digital Signatures``.
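The verification step behind ``DNSSEC``, and equally behind the ``S/MIME`` signatures in the email section above, is the same: the owner of the private key signs a hash of the data, and anyone holding the public key can check that the data was not altered. The following is an added example written for these notes, not code from the course or from any DNSSEC or S/MIME library. It is a toy: the RSA modulus is built from two fixed Mersenne primes and the hash is truncated so that it runs on the standard library alone; real ``DNSSEC`` uses proper-sized RSA or ECDSA keys published in ``DNSKEY`` records with signatures in ``RRSIG`` records. The zone name, addresses and email text are constructed.

```python
import hashlib

# Added example (not part of the course notes): how a DNSSEC-style signature
# lets a resolver detect altered records, and how an S/MIME-style signature
# does the same for an email body. TOY KEYS: fixed small primes and a
# truncated hash so that this runs on the standard library; never reuse.

P = 2147483647             # 2**31 - 1 (a Mersenne prime, constructed toy key)
Q = 2305843009213693951    # 2**61 - 1 (a Mersenne prime)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)

ZONE_PUBLIC_KEY = (E, N)            # what the zone publishes (its DNSKEY record)
ZONE_PRIVATE_KEY = (D, N)           # stays with the zone operator


def digest_int(data: bytes) -> int:
    """First 64 bits of SHA-256 as an integer, so it is always below N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(data: bytes, private_key=ZONE_PRIVATE_KEY) -> int:
    """Signer: raise the hash to the private exponent."""
    d, n = private_key
    return pow(digest_int(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Verifier: the public exponent must recover the hash of the data in hand."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(data)


def canonical_rrset(records) -> bytes:
    """DNSSEC signs the whole record set in a canonical (sorted) order."""
    return "\n".join(sorted(records)).encode()


# Constructed zone data using documentation addresses.
WWW_RRSET = [
    "www.example.com. 3600 IN A 192.0.2.10",
    "www.example.com. 3600 IN A 192.0.2.11",
]


def resolver_accepts(records, rrsig: int, zone_key=ZONE_PUBLIC_KEY) -> bool:
    """What a validating resolver does: rebuild the canonical RRset and check the RRSIG."""
    return verify(canonical_rrset(records), rrsig, zone_key)


def demo():
    """Genuine records verify; records rewritten in transit do not."""
    rrsig = sign(canonical_rrset(WWW_RRSET))              # zone operator signs once
    genuine = resolver_accepts(WWW_RRSET, rrsig)           # True
    redirected = [WWW_RRSET[0].replace("192.0.2.10", "203.0.113.66"), WWW_RRSET[1]]
    tampered = resolver_accepts(redirected, rrsig)         # False: the hash no longer matches
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

The same ``sign``/``verify`` pair applied to an email body is the ``S/MIME`` case: the sender signs with the private key from their certificate, and the recipient verifies with the public key in that certificate, which is why the ``PKI`` mentioned in the email section is needed to distribute and trust those public keys.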

< [Table of Contents](#top) | [References](#references) >
<a id="s"></a>
***
###### Routing and Switching - Secure Shell - ``SSH`` - Simple Network Management Protocol Version 3 - ``SNMPv3`` - ``HTTPS``
***

If you’re in charge of managing switches or routers then you’re performing a number of different communications to those devices and you need to be sure that these communications are secure.

This notebook has already referenced how to connect to these devices using a terminal - protected by using ``SSH`` or ``Secure Shell``.

If querying your routers or switches for information then you'll use the ``Simple Network Management Protocol`` - if you want to make sure that it's secure then the secure version is ``SNMPv3`` (``Simple Network Management Protocol Version 3``).

This third version added encryption so we can have confidentiality of the data - it also has integrity and authentication capabilities, so that we know the data wasn't changed as it went through the network and we can be assured that we're communicating directly with that device and receiving responses from that device without anyone modifying that information in the middle of the conversation.

![image.png](attachment:image.png)

Although ``SSH`` is commonly used to modify the configuration of a switch or a router at the command line, it's also becoming common to do this from a web browser, so we'll want to use ``HTTPS`` rather than the insecure ``HTTP`` to make sure that all of our browser communication is running over an encrypted connection.

< [Table of Contents](#top) | [References](#references) >
<a id="t"></a>
***
###### Network Address Allocation - Securing Dynamic Host Configuration Protocol - ``DHCP``
***

We rely on the ``Dynamic Host Configuration Protocol`` (``DHCP``) to automatically assign IP addresses to the devices on our network - ``DHCP`` does not include any particular security functionality within the original specification and so there are opportunities for attackers to be able to manipulate this information or modify what people are seeing from a ``DHCP`` server.

< [Table of Contents](#top) | [References](#references) >
<a id="u"></a>
***
###### Network Address Allocation - Securing Dynamic Host Configuration Protocol - ``DHCP`` - Active Directory - ``Rogue DHCP Servers`` - Switch - ``DHCP Snooping``
***

In order to enhance the security of ``DHCP`` we've added additional controls outside of the ``DHCP`` protocol - for example, with ``Active Directory`` you can avoid ``Rogue DHCP Servers`` by authorizing which devices are able to act as ``DHCP`` servers on your network.

Many switches can also be configured to monitor for ``DHCP`` communication and only allow ``DHCP`` to come from trusted interfaces on that switch.

If a switch sees ``DHCP`` being sent from an untrusted interface it can block that communication - on Cisco switches you'll see this configuration referred to as ``DHCP Snooping``.

< [Table of Contents](#top) | [References](#references) >
<a id="v"></a>
***
###### Network Address Allocation - Securing Dynamic Host Configuration Protocol - ``DHCP`` - Client DoS - ``DHCP Starvation Attack`` - Switch Configuration - Limit Media Access Control ADDRs
***

Another attack you might see with ``DHCP`` is where the attacker changes their MAC address and uses up all of the available IP addresses that are in a ``DHCP Pool`` - effectively causing starvation, or limiting the number of IP addresses that are available to other devices on the network.

To prevent this from occurring we can make other configuration changes to the switch that limit the number of MAC addresses that can be seen from any particular interface - if an interface is connected to a single workstation we would only expect to see a single MAC address from that interface - if suddenly we see a large number of MAC addresses appearing, that interface can automatically disable itself and prevent a ``DHCP Starvation Attack``.
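The two switch-side controls from the last two sections, ``DHCP Snooping`` and a per-interface MAC address limit, can be modelled together. The following is an added example written for these notes, not code from the course or from any switch vendor: a small switch model that drops server-side ``DHCP`` messages arriving on untrusted ports and err-disables a port once more source MAC addresses appear on it than allowed. Port names, MAC addresses and the message sequence are constructed; the limit of one MAC per access port is the single-workstation case described above.

```python
from collections import defaultdict

# Added example (not part of the course notes): a model of the two switch
# controls described in the notes. DHCP snooping drops server-side DHCP
# messages (OFFER/ACK/NAK) that arrive on untrusted ports; port security
# counts source MAC addresses per port and err-disables the port when the
# limit is exceeded. Port names and MAC addresses are constructed.

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


class Switch:
    def __init__(self, trusted_ports, max_macs_per_port=1):
        self.trusted = set(trusted_ports)           # ports leading to the real DHCP server
        self.max_macs = max_macs_per_port           # 1 for a port facing a single workstation
        self.macs_seen = defaultdict(set)           # source MACs learned per port
        self.err_disabled = set()                   # ports shut down by port security
        self.events = []                            # what a defender would see in syslog

    def handle(self, port, src_mac, dhcp_type=None):
        """Return what the switch does with one frame: 'forwarded' or 'dropped:<reason>'."""
        if port in self.err_disabled:
            return "dropped:port-disabled"
        # port security: too many source MACs on one port shuts the port
        self.macs_seen[port].add(src_mac)
        if len(self.macs_seen[port]) > self.max_macs:
            self.err_disabled.add(port)
            self.events.append(f"{port}: port-security violation, err-disabled ({src_mac})")
            return "dropped:port-security-violation"
        # DHCP snooping: server replies may only come from trusted ports
        if dhcp_type in SERVER_MESSAGES and port not in self.trusted:
            self.events.append(f"{port}: DHCP {dhcp_type} from untrusted port dropped ({src_mac})")
            return "dropped:dhcp-snooping"
        return "forwarded"


def demo():
    """A legitimate exchange, a rogue server, and a starvation attempt on one port."""
    sw = Switch(trusted_ports={"Gi1/0/24"})
    return [
        sw.handle("Gi1/0/1", "00:11:22:33:44:01", "DISCOVER"),   # client asking: forwarded
        sw.handle("Gi1/0/24", "00:11:22:33:44:fe", "OFFER"),     # real server on trusted port: forwarded
        sw.handle("Gi1/0/2", "00:11:22:33:44:02", "OFFER"),      # rogue server on untrusted port: dropped
        sw.handle("Gi1/0/3", "00:11:22:33:44:03", "DISCOVER"),   # first MAC on port 3: forwarded
        sw.handle("Gi1/0/3", "00:11:22:33:44:04", "DISCOVER"),   # second MAC: violation, port shut
        sw.handle("Gi1/0/3", "00:11:22:33:44:05", "DISCOVER"),   # port now disabled
    ]


if __name__ == "__main__":
    print(demo())
```

Note that client-side messages such as ``DISCOVER`` are still forwarded from untrusted ports; snooping only stops a device on an access port from answering as a server. The ``events`` list is the part worth shipping to a log collector, since an err-disabled port is both the mitigation and the alert.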

< [Table of Contents](#top) | [References](#references) >
<a id="w"></a>
***
###### Subscription Services - ``AV`` - Update Signatures - ``IPS`` - Update those Signatures
***

There are a number of different devices on our network that are constantly updating themselves automatically.

``Antivirus`` and ``Anti-malware`` software will update their ``Signatures``.

Intrusion prevention systems also require updates to their ``Signatures``, and we might even have firewalls that update a huge list of IP addresses to be able to block known malicious locations.

One challenge we have with managing these updates is that each one of these devices is commonly using a different method to perform the update, using different protocols and communicating with different IP addresses.

It may require that we examine each one of these devices individually to understand more about the protocols that it uses during the update process, so that we can configure firewall rules and trust relationships to only allow that device to receive updates from specific well-known and trusted servers.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END

```python
from IPython.core.display import display, HTML
display(HTML("<style>.container { width:100% !important; }</style>"))
```

# END JUPYTER NOTEBOOK