CompTIA Security+ SYO-401

Certification Training

Implementing Common Protocols and Services Tutorial

1 Implement Common Protocols and Services

Have you ever thought about what would happen if a virus bypasses your ports and hits your networking system? The very thought of it is scary, as it would mean your system, network, and all the data are at great risk. Hence, we need strong measures to mitigate such risks. Let’s now look at the objectives in the following screen. After completing this lesson, you will be able to:
• Comprehend different types of protocols,
• Describe various uses of protocols,
• Analyze the implementation of security protocols, and
• Describe different ports and their supported protocols.

2 Basic Concepts of Protocols

In this topic, we will cover some basic concepts of protocols. Protocols are the rules and behaviours of networking technologies. Actual communication is defined by various communication protocols. In the context of data communication, a protocol is a formal set of rules, conventions, and data structures that governs how computers and other network devices exchange information over a network. From a security perspective, you must use the most secure protocols. An important point to note: if you are unfamiliar with how the protocols work and what they are used for, you will never be able to implement secure protocols.

What is Transmission Control Protocol or TCP? It is responsible for delivering data reliably, which is also known as connection-oriented delivery. Before a packet or data is sent, the device first confirms whether it has a connection to perform this task. If the verification fails, you are restricted from sending data. If any packet loss is detected, the packet is retransmitted. The connection setup process is known as the ‘three-way handshake’. The three-way handshake starts with synchronisation or SYN. The computer that opens a connection sends a SYN packet first. When the recipient computer receives the SYN, it sends back a SYN-ACK packet. Once the sender receives the SYN-ACK, it responds with an Acknowledgement or ACK packet, and the connection is established. At the end of transmitting data, the sender ends the session with a FIN flag, which tells the receiver to stop the session. This continues back and forth with a FIN and an ACK response, similar to the three-way handshake: the receiver sends back its own FIN, and the sender sends a final ACK.

Transmission Control Protocol ports are logical ports. Applications use these ports to transmit data and communicate over the network. The table on your screen displays the most common port numbers. We will cover these ports in detail in the last topic of this lesson.

The TCP header is the part of a packet containing control information. It contains flags and options that define where the packet is heading, the expected contents and size of the packet, and the expected action of the packet. As a security expert, you must be familiar with the flags in packets to detect possible attacks, but for now we will concentrate on the TCP packet. The displayed diagram describes the TCP header.

UDP is another method of transmission. It is considered unreliable and connectionless when compared to TCP’s connection-oriented transmission. UDP does not verify a connection with the target before sending the data; rather, it begins by firing off the data. TCP and UDP both use logical ports for different protocols. The displayed table describes the common UDP ports used for communication, and the services that use them.
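The flag-based view of the TCP header described above, as an added example that is not part of the original lesson: a small Python parser that decodes the fixed 20-byte header, lists the flag bits, and labels which handshake or teardown step a segment belongs to. The sample segments (a client on port 51000 talking to SSH on port 22) are constructed inline, not captured traffic.

```python
"""
Minimal TCP header parser (added example, not from the lesson). It decodes the
fixed 20-byte TCP header, extracts the flag bits, and labels the handshake or
teardown step a segment represents. Sample segments are constructed below.
"""
import struct

# Flag bits in the low byte of the 16-bit data-offset/flags field
FLAG_FIN = 0x01
FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_PSH = 0x08
FLAG_ACK = 0x10
FLAG_URG = 0x20

FLAG_NAMES = {
    FLAG_FIN: "FIN", FLAG_SYN: "SYN", FLAG_RST: "RST",
    FLAG_PSH: "PSH", FLAG_ACK: "ACK", FLAG_URG: "URG",
}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header (big-endian, RFC 793 layout)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, offset_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4        # header length in bytes
    flags = offset_flags & 0x01FF                 # low 9 bits (incl. NS)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset is inconsistent with segment length")
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "header_len": data_offset,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "payload": segment[data_offset:],
    }


def handshake_step(flags: list) -> str:
    """Name the role a segment plays in connection setup or teardown."""
    f = set(flags)
    if "RST" in f:
        return "reset"
    if "SYN" in f and "ACK" not in f:
        return "handshake-1 (SYN)"
    if "SYN" in f and "ACK" in f:
        return "handshake-2 (SYN-ACK)"
    if "FIN" in f:
        return "teardown (FIN)"
    if f == {"ACK"}:
        return "handshake-3 or plain ACK"
    return "data"


def build_segment(src, dst, seq, ack, flags, payload=b"") -> bytes:
    """Build a 20-byte header (no options) for the constructed samples."""
    offset_flags = (5 << 12) | flags              # 5 words = 20 bytes
    hdr = struct.pack("!HHIIHHHH", src, dst, seq, ack, offset_flags, 65535, 0, 0)
    return hdr + payload


# Constructed samples: a client on port 51000 opening a connection to SSH (22)
SAMPLES = [
    build_segment(51000, 22, 1000, 0, FLAG_SYN),
    build_segment(22, 51000, 5000, 1001, FLAG_SYN | FLAG_ACK),
    build_segment(51000, 22, 1001, 5001, FLAG_ACK),
    build_segment(51000, 22, 1001, 5001, FLAG_FIN | FLAG_ACK),
]


def classify(segment: bytes) -> str:
    """One-line description: ports, flag names and handshake role."""
    h = parse_tcp_header(segment)
    return f"{h['src_port']}->{h['dst_port']} {'|'.join(h['flags'])}: {handshake_step(h['flags'])}"


if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
```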

3 Different Types of Protocols

In this topic, we will learn the different types of protocols. Internet Protocol Security or IPSec is a trending technology. This is because of its design, which encrypts data at the IP level. Everything at layer three and above gets encrypted irrespective of the application used to transmit data. This means you encrypt the data in transit. It is built into IPv6, but IPv4 does not use this technology by default. IPSec is not a tunneling protocol, but it can be used in conjunction with tunneling protocols to strengthen encryption and authentication. IPSec uses Authentication Header or AH, and Encapsulating Security Payload or ESP, as its methods of authentication and encryption.

There are two modes of IPSec: Transport mode and Tunnel mode. In transport mode, the encryption protection is limited to the payload only, whereas in tunnel mode both the payload and the message header are encrypted and protected. In transport mode, IPSec leaves the original message header intact, but in tunnel mode, IPSec provides protection by encapsulating the original LAN protocol packet and adding its own temporary header. Transport mode should be used only in a trusted network, whereas tunnel mode should be used when connecting to an untrusted network.

In a VPN link that deploys IPSec, the partners and entities share secret keys. These are used to encrypt and decrypt traffic during communications. This is possible because IPSec employs symmetric cryptography to provide encrypted security. However, this cryptography is managed by a mechanism, Internet Key Exchange or IKE, which is responsible for the secure exchange of secret keys and the smooth working of the encrypted VPN tunnel. Additionally, a secure VPN link needs a common authentication method, or a security association manager, to negotiate between two communicating entities. To fulfil this requirement, IPSec employs Internet Security Association and Key Management Protocol or ISAKMP to manage negotiations and provide security associations with validated keying material in a secure manner. ISAKMP consists of four major components:
• Authentication of communication peers,
• Threat mitigation,
• Security association creation and management, and
• Cryptographic key establishment and management.

Simple Network Management Protocol or SNMP is a method of centralizing network device management. It is a standard network management protocol, which by default uses UDP Port 161. Through the use of a management console, you can interact with various network devices such as bridges, firewalls, switches, WAPs, routers, printers, modems, VPN appliances, and others, to obtain status information, performance data, statistics, and configuration details. SNMP uses a Management Information Base or MIB, which is a database describing the features of a particular device. Moreover, it uses traps to catch and convey this information, and send data back to a central location where it is managed and reviewed. These traps can be placed across the network to catch any of the SNMP information that comes across the network. It can then be collected into comprehensive reports for monitoring. Finally, it is important to note that most network devices and TCP/IP compliant hosts offer SNMP support.

Secure Shell or SSH is used to create a shell or secure session over TCP Port 22. It is important because in these shell environments there exists encryption and authentication. It secures the data that is being transmitted to the network device. SSH is a tunnelling protocol that was originally created for use with UNIX systems. It was created as a replacement for TELNET, which is not a secure way to send terminal data back and forth between client and server using a command line interface or CLI.

Domain Name System or DNS allows hosts or machines to replace IP addresses with fully qualified domain names or FQDNs. When a site is accessed, a DNS server associates its name with one or many IP addresses of the servers that are programmed to display the site. DNS systems are necessary for us, because they save us from the trouble of remembering the IP addresses of systems by associating common names with them. DNS can be used internally, so your domain knows all the computers and resolves their internal names to their internal IP addresses, and it is also used externally. By default, DNS operates over port 53 for both TCP and UDP. TCP port 53 is used for zone file exchange between DNS servers, special manual queries, or when the size of a response exceeds 512 bytes. On the other hand, UDP port 53 is used to handle DNS queries. DNS servers must be hardened to prevent attacks such as DNS Denial of Service (DoS) or DNS Poisoning.

4 Secure Socket Layer and Transport layer Security

SSL and TLS are closely related. SSL or Secure Socket Layer was created first as a security method for the Netscape web browser to secure website transactions. Once connected, the SSL layer uses certificates to authenticate and authorize connections. It is secure because a password or credentials are never exchanged in a way that they can be compromised easily. TLS or Transport Layer Security expands upon the original SSL, and in fact, it appears that TLS will eventually replace SSL. Transport Layer Security is not proprietary in design, unlike the Secure Socket Layer Netscape concept that predates the TLS protocol. There are many other services or protocols that use SSL and TLS to secure the communication that they transfer and share. Also, it is important to know that these two protocols use PKI certificates to encrypt and authenticate information and data.

At the start of this lesson we tried to understand TCP. Now let us have a closer look at TCP and IP in detail. TCP/IP is not a single protocol; rather, it is a suite of protocols that are used to define how information is transmitted over a network. Now we will study the second part of the TCP/IP protocol suite, IP. It determines the source and destination of packets and how we address machines logically, so applications know how and where to send the information. The IP protocol lives on layer 3 of the OSI model. The IP protocol in essence provides packet delivery for all the protocols placed higher in the OSI model. It is responsible for logical routing and addressing of packets using IP addressing and subnetting. There are other protocols within this IP protocol suite, but this is the fundamental knowledge that you need to combine with your previous review of IP Addressing and Subnetting from the perspective of security.

File Transfer Protocol over SSL/TLS or FTPS is a secure method of using the FTP protocol. Whenever you see a protocol acronym that ends with S, such as FTPS, you are seeing a protocol that is secured by TLS or SSL. From a security standpoint, FTPS should be used when downloading or uploading files using an FTP server. This is a secure protocol that strengthens the usually unsecured File Transfer Protocol. An alternative to FTPS is known as SFTP. It stands for SSH File Transfer Protocol, wherein the SSH protocol is used to secure the FTP protocol. SFTP uses an SSH channel to secure the network and create a tunnel between client and server.

Now, let’s see the mandatory multistep handshake process that takes place when SSL/TLS is used to secure communication between a web browser and a web server.
• We begin with the client requesting a secure connection.
• The server responds with details of its three entities: Certificate, Name of the Issuing Certificate Authority, and the Public Key.
• The requesting client verifies the server’s certificate details, generates a symmetric encryption key for the session, encrypts the generated key with the server’s public key, and sends the encrypted key to the server.
• The server unpacks the session key, and transfers a summary of the session details to the client. This includes the session key in an encrypted form.
• The client verifies the received session summary, and sends its own summary, encrypted with the session key, back to the server.
• Once both entities are satisfied with the matching session summary, secured SSL communication is initiated.
The session keys for both SSL and TLS are symmetric keys. The session keys for SSL include 40-bit strength, whereas for TLS it is 128-bit. The range for TLS session keys falls between 128 and 256 bits.

Have you ever thought about whether your net banking information is safe and not misused by anyone? This is due to HTTP Secure. This type of protocol security adds PKI certificate encryption to secure personal and sensitive information over a web browser. It uses the default Port 443 to send encrypted information over the Internet and network to web browsers. You can identify an HTTP Secure session by the HTTPS in the URL of a web page. For example, HTTPS:// creates a secure web session with the web server. It is important to note that one shouldn't confuse HTTPS with S-HTTP or Secure HTTP. The latter is not widely used, and it doesn't use SSL. The encryption in S-HTTP is limited to only web page elements, and does not extend to the entire web communication session. So, the protocol used to display these encrypted web pages would be S-HTTP, and not HTTPS. This makes S-HTTP less secure than HTTPS.

5 Secure Copy Protocol

SCP is an alternative for copying files to an FTP server, and is one of the preferred protocols for Linux and UNIX platforms. This protocol combines the UNIX-derived RCP (Remote Copy Protocol) with the SSH secure channel. It is mostly used to copy remote files to a local system. SCP includes SSH secure channels, which enable the copied information to remain secure.

Internet Control Message Protocol or ICMP resides and operates in Layer 3 of the OSI model, and is mostly concerned with testing connectivity and network health. Primarily, ICMP operates as the payload within an IP packet, and underlies tools such as ping, traceroute, and pathping. ICMP is used to send a packet that requests a response or an echo back to the initiator. ICMP is different from most of the other services and protocols, as it does not use port numbers. Instead, it uses types and codes to identify the different types of messages to be sent out. To understand how ICMP works, and how it can be used to damage a network, you need to refer to the displayed codes. Additionally, ICMP can be used for announcing errors or transmitting information. However, for the latter, it is mandatory for ICMP to receive a packet. If an ICMP query is not answered, or if ICMP replies are blocked or lost during transit, then ICMP fails to provide any information.

Another use of ICMP is to scan the network and perform malicious attacks. As a network scanning tool, ICMP identifies the IP addresses in use. But ICMP cannot be considered a reliable host-discovery tool, because it can easily be ignored or blocked. For malicious attacks, ICMP can be used for: Ping of Death, Smurf, and Loki. Let’s study each of them. The Ping of Death attack freezes an unprotected system by creating and storing packet fragments on the target machine, and then enlarging the overall size of the ICMP/IP packets beyond the maximum valid size of 65,535 bytes. In the Smurf attack, ICMP uses the flooding attack method. In this attack, the attacker broadcasts ICMP echo requests over several networks using a router or switch of an unprotected network. These requests are masked with the victim’s IP address, as though the victim is sending these requests. The receivers of these requests respond to the echo requests, and the responses flood traffic to the victim, causing a DoS. Finally, Loki is a tunneling program that uses ICMP like a non-encrypted VPN. It enables outbound ICMP echo requests to travel across network boundaries with corresponding inbound echo replies. Many networks disable ICMP as a security measure, thereby hiding the network so that it does not respond to random ping requests, as well as to thwart Ping of Death, Smurf, and Loki. Disabling ICMP can help prevent ping-related exploits. ICMP is used for maintenance, connectivity, and various types of reporting. It tests connectivity from one machine to another, or checks the quality of a connection.

Internet Protocol, which determines logical IP addressing both in private networks and publicly across the Internet, has been around since before it was known as TCP/IP. The most common IP version is IPv4 or Internet Protocol version 4. This uses 32 bits of data to define IP addressing. This is broken down into four octets, which are represented alphanumerically. What does this mean? It means there are 32 ones and zeros that are used to define networks and nodes on the networks. This is represented by four groups of eight bits, or octets, separated by a decimal point. These octets are then translated into a number between 1 and 255. It was believed that this amount of addressing would last forever. However, it was realized later that there were not enough addresses for all devices in the world. This was temporarily avoided by creating private ranges within each IP class. These private ranges can be used by anyone within their own network, so as to allow all devices to get an address. But without routing, these private IP addresses cannot send data out to the public IP addresses. This seemed to alleviate the problem for a short time, but soon we started running out of addresses again.

In the meantime, IPv6 was created. IPv6 uses 128-bit addressing. This means there are 128 bits that are written using hexadecimals. This drastically increases the IP pool. IPv6 is intrinsically more complicated than IPv4. It was designed to replace IPv4, but hasn’t yet managed to do so. It has IPsec built in, and is placed on the transport layer.

iSCSI is the Internet Small Computer Systems Interface protocol. It uses ports 860 and 3260 by default. It allows data storage and transfers across existing networks. It enables the creation of large SANs or Storage Area Networks. Fibre Channel was originally created for the same purpose as iSCSI. It was intended to create SANs and work only on fibre-based networks. It now uses iSCSI to create the SAN. Fibre Channel is a protocol that is used in conjunction with FCoE or Fibre Channel over Ethernet. FCoE borrows the technology of Fibre Channel and transmits it over an Ethernet network. FCoE is non-routable at the IP layer, and cannot cross large networks, whereas iSCSI is routable.
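The ICMP discussion above mentions types and codes, the 65,535-byte maximum datagram size, and the Ping of Death. The following Python example is added here and is not part of the original lesson: it parses IPv4 and ICMP headers and flags a fragment that would push the reassembled datagram past the limit, which is the check a packet filter or IDS applies. All packets are constructed inline; the 192.0.2.x addresses are documentation placeholders.

```python
"""
Added example (not from the original lesson): an IPv4/ICMP header parser with
the defensive check the Ping of Death description calls for. A reassembled IP
datagram may not exceed 65,535 bytes, so a fragment whose offset plus payload
length runs past that limit is malformed. Samples are constructed inline.
"""
import struct

MAX_DATAGRAM = 65535
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields needed for fragment checks."""
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8      # offset field is in 8-byte units
    return {
        "ihl": ihl, "total_len": total_len, "ident": ident, "ttl": ttl,
        "proto": proto, "more_frags": bool(flags_frag & 0x2000),
        "frag_offset": frag_offset,
        # where this piece would end once reassembled
        "frag_end": frag_offset + (total_len - ihl),
        "payload": packet[ihl:total_len],
    }


def parse_icmp(payload: bytes) -> dict:
    """Decode ICMP type/code (ICMP has no ports) and verify the checksum."""
    icmp_type, code, _csum = struct.unpack("!BBH", payload[:4])
    return {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "other"),
            "checksum_ok": inet_checksum(payload) == 0}


def oversized_fragment(ip: dict) -> bool:
    """True when this fragment pushes the reassembled datagram past 65,535 bytes."""
    return ip["frag_end"] > MAX_DATAGRAM


def build_ipv4(payload, proto=1, ident=1, frag_units=0, more=False) -> bytes:
    """Constructed 20-byte IPv4 header (checksum filled in) around a payload."""
    flags_frag = (0x2000 if more else 0) | (frag_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(ident=0x1234, seq=1, data=b"ping") -> bytes:
    """Constructed ICMP echo request (type 8, code 0) with a valid checksum."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


# Constructed samples: a normal ping, and the last fragment of a datagram whose
# offset (8185 * 8 = 65480) plus 100 payload bytes ends at 65580 > 65535.
NORMAL_PING = build_ipv4(build_icmp_echo())
LAST_FRAG = build_ipv4(b"\x00" * 100, ident=7, frag_units=8185)


def inspect(packet: bytes) -> str:
    """Filter decision for one packet: drop oversized fragments, describe ICMP."""
    ip = parse_ipv4(packet)
    if oversized_fragment(ip):
        return f"DROP ident={ip['ident']}: reassembled size {ip['frag_end']} > {MAX_DATAGRAM}"
    if ip["proto"] == 1 and ip["frag_offset"] == 0:
        icmp = parse_icmp(ip["payload"])
        return f"ICMP {icmp['name']} type={icmp['type']} code={icmp['code']} checksum_ok={icmp['checksum_ok']}"
    return "non-ICMP or continuation fragment"
```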

6 Transfer Protocol and its Different Types

In this topic, you will learn about Transfer Protocol and its different types. We learned about one of the secure forms of File Transfer Protocol, FTPS. Now, we will look at FTP. It has become antiquated, and is never recommended. FTP is set up on FTP servers, and their clients are known as FTP clients. The main purpose of this protocol is to upload and download files. By default, FTP uses two TCP ports, 20 and 21. The former is used to push the FTP data, and the latter to send the commands. FTP was originally a command line utility like TELNET, but newer GUI clients have been created for it. Like any other protocol, FTP is compromised if it’s not properly secured. Secure File Transfer Protocol is an FTP protocol that is secured over a Secure Shell channel. This provides authentication and encryption to the FTP protocol. The alternative is FTPS, which uses SSL and TLS to secure the channel.

Trivial File Transfer Protocol is a method of FTP that allows users to download files without authentication. It is usually associated with small file transfers rather than large files, and due to its lack of security, it can be easily misused. By default, TFTP uses Port 69.

Telnet is a terminal emulation protocol. It runs on TCP Port 23. It allows a client to emulate a program running on the server. It allows remote administration of network devices and servers. You often need a terminal application such as PuTTY. TELNET is totally insecure, and offers no encryption or authentication. SSH is used instead of TELNET to secure the transmission.

Hypertext Transfer Protocol, more commonly known as HTTP, is the primary protocol of the World Wide Web. It is responsible for the transmission of HTML pages consisting of text, graphics, videos, and information presented in any form. We won’t be wrong if we say, “Without HTTP, the Internet wouldn’t have touched the lives of people.” However, unlike its successor HTTPS, HTTP is not considered secure, as it fails to provide secure authentication or encryption of data while communicating over the web. This is because HTTP operates over TCP Port 80, which is used for plain text communication. Fortunately, for owners of web pages using HTTP, various add-on protocols can be used to secure their web pages. Moreover, HTTP is known as a Stateless Protocol, which means web servers keep no memory of a client’s earlier requests.

Consider this scenario. There are two subnets on the network separating two vital departments within the organization. You discover that both departments can browse the Internet. But only one department should browse the Internet, and it should be blocked completely for the other department. How would you secure one of the departments from web browsing using the current equipment in place? In this scenario, since there is a firewall in front of each department, you can configure one of the firewalls to either block Port 80 or prevent the HTTP protocol from crossing the network. Either of these solutions will disable the web browsing feature, because HTTP uses Port 80 by default to transfer information.

NetBIOS is the Network Basic Input/Output System. It is an Application Programming Interface or API used to call remote systems over the network. It consists of three distinct services: NetBIOS over TCP/IP (NBT), NetBIOS Session Service, and NetBIOS Datagram Service. The first service uses UDP Port 137, the second uses TCP Port 139, and the third service uses UDP Port 138. Microsoft uses NetBIOS to name computers. However, NetBIOS names must be unique on a network to work correctly.

7 Ports and their Supported Protocols

In this topic, you will learn about different ports and their supported protocols. As discussed, there are logical ports that are used by both TCP and UDP protocols to transfer data for different services. We have briefly touched upon the default ports of many services. Now, let’s go through each of the ports.

Port 21: This is the default control port for FTP, where commands are sent to the server, and from the server, Port 21 determines the method for file transfer. Port 21 is not secured.

Port 22: Port 22 is the default SSH or Secure Shell port. Data secured using SSH is sent over this port rather than over the protocol’s own default port, as with SFTP or SCP. SCP and RCP are secured using an SSH channel, hence their data is transferred over Port 22.

Port 25: Port 25 is the port for SMTP or Simple Mail Transport Protocol. Here, emails are transferred from one server to another. Microsoft Exchange uses SMTP to send email in an Exchange environment. It must be secured using various methods. If you want to prevent malware from sending emails from a network, and you use web mail, then close Port 25 to stop this behavior.

Port 53: DNS sends queries using the UDP protocol over Port 53. Thus, information is built within the name resolution table of a DNS server. The DNS queries are sent across the network, the replies hit Port 53 and deliver information to the DNS server, which then populates its name resolution tables. Port 53 can sometimes be used by worms or Trojans disguising their traffic as DNS on UDP Port 53. Since most networks have some form of DNS, worms and Trojans target its port, expecting it to be open.

Port 80: By default, HTTP uses Port 80. This port is not secured, and sends information from client to server. It is more secure to use HTTPS, which uses Port 443. To stop web browsing, you can close Port 80.

Port 110: Post Office Protocol or POP3 uses Port 110. This protocol delivers email from the server to the client interface. By default, POP3 is not secured, but it can be secured using TLS or SSL, which generally results in changing the port. POP3 is not protected by any additional authentication or encryption.

Port 139: NetBIOS transfers data over Port 139. Some networks close this port by default as it’s an old protocol, and is not always used.

Port 143: IMAP or Internet Mail Application Protocol uses Port 143, which is not secured. Like POP3, it can be secured with TLS or SSL. This protocol is used to transfer files and folder structures, including emails, from email servers to email clients.

Port 443: By default, SSL and TLS use Port 443 for information and data transfer. Typically, any protocol that uses TLS and SSL will use this default port. For example, HTTPS uses 443 by default. This is a secure channel used instead of Port 80 when delivering secure HTTP traffic.

Port 3389: Remote Desktop Protocol or RDP uses Port 3389. While the RDP protocol is more secure in itself, it is still a remote access protocol, which means it is possible for anyone with the proper knowledge and skill to access the network. The safest way to handle RDP is to allow it only internally within the network, use port redirection, or completely disable the protocol.

Consider this scenario. Malware has entered your network environment, and is consistently sending emails from workstations using the open SMTP port. As a System Administrator, you are assigned the task of mitigating this damage by stopping the emails sent over SMTP. Unfortunately, the firewall in your system doesn’t block the SMTP protocol. How can you stop this type of traffic from being sent out during a malware infection on a workstation without purchasing any new equipment? In this scenario, your alternative is to block Port 25 on the firewall. A firewall comes in handy whether or not it allows you to block a specific protocol. Since Port 25 is the default port of SMTP, blocking this port stops the malware from transmitting the infection from the network.

It’s over three decades since the OSI model was created as a reference to design and describe protocols. Protocol designers then started to use the model only as a reference point, and moved over to TCP/IP. As mentioned in earlier topics, TCP/IP consists of 4 layers as compared to the 7 layers of the OSI model. The displayed image compares the two models.

9 Summary

• Protocols are rules and behaviors related to networking technologies.
• TCP ports are logical ports. Applications use ports to transmit data and communicate over the network.
• UDP is another method of connection transmission. It is considered to be unreliable and connectionless when compared to TCP’s connection-oriented transmission.
• Fibre Channel was originally created for the same purpose as iSCSI. It was intended to create SANs and work only on fibre-based networks.
• Hypertext Transfer Protocol defines how web pages are transmitted to your web browser.
• There are different ports such as Port 21, 22, 25, 53, 80, 110, 139, 143, 443, and 3389.
• TCP/IP consists of 4 layers as compared to 7 layers of the OSI model.
With this, we conclude the lesson, ‘Implementing Common Protocols and Services.’ The next lesson is, ‘Troubleshooting Security Issues Related to Wireless Networking.’
