Securing TCP/IP–NETWORKING, SECURITY, & MORE ESSENTIALS—CompTIA Network+ (N10-007) NETWORK-PLUS Certification Prep Course Notes

Securing TCP/IP

  • Making TCP/IP Secure
    • Security can be broken into 3 areas, the “CIA of Security”:
      • Confidentiality,
      • Integrity, &
      • Availability
    • Confidentiality can be addressed through encryption.
    • Confidentiality & integrity must be balanced with availability.
    • Encryption
    • Non-repudiation
    • Availability
    • Authorization & Authentication–big part of CIA
  • Symmetric Encryption
    • Cleartext is any unencrypted data.
    • Algorithms use keys to encrypt cleartext into ciphertext.
    • An algorithm that uses the same key to encrypt & decrypt is symmetric encryption.
    • Caesar Cipher–“old goldie”–like a secret decoder ring.
    • Algorithms–the process that “stirs up” the values.
      • Note: All algorithms work this way…we’re going to have cleartext, ciphertext, some form of algorithm, & a key.
    • Key
    • Ciphertext
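The four ingredients named above (cleartext, algorithm, key, ciphertext) and the “same key both ways” property, shown with the Caesar cipher the notes mention. This is an added example, not code from the course; the message and key value are constructed.

```python
import string

ALPHABET = string.ascii_uppercase  # the algorithm shifts A-Z; other characters pass through


def caesar(text: str, key: int, decrypt: bool = False) -> str:
    """Caesar cipher: shift every letter by `key` positions.

    Symmetric: the very same key value encrypts and decrypts; decrypting
    simply applies the shift in the opposite direction.
    """
    shift = -key if decrypt else key
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def round_trip(cleartext: str, key: int) -> dict:
    """Walk the data through: cleartext -> (algorithm + key) -> ciphertext -> cleartext."""
    ciphertext = caesar(cleartext, key)
    return {
        "cleartext": cleartext.upper(),
        "ciphertext": ciphertext,
        "decrypted_with_right_key": caesar(ciphertext, key, decrypt=True),
        # A different key value yields garbage: the key, not the algorithm, is the secret.
        "decrypted_with_wrong_key": caesar(ciphertext, key + 1, decrypt=True),
    }


if __name__ == "__main__":
    # Constructed sample message and key.
    for name, value in round_trip("Attack at dawn", 3).items():
        print(f"{name:>25}: {value}")
```

The Caesar key space is only 25 usable shifts, which is why it is a teaching tool and not a real cipher: modern symmetric algorithms keep the same structure but use keys of 128 bits or more.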
  • Asymmetric Encryption (created by Rivest-Shamir-Adleman)
    • Asymmetric encryption uses a public & a private key.
    • Public keys encrypt, private keys decrypt.
    • For 2 people to communicate, they must exchange public keys.
    • Key pair–a private key & its associated public key.
    • Public keys are distributed so others can send you encrypted data.
      • known as “key exchange”
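A toy RSA key pair illustrating the points above: the public key is handed out and encrypts, and only the matching private key decrypts. Added example, not from the course; the primes are textbook-sized and the names Alice and Bob are assumed.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Build an RSA key pair from two primes. Returns (public_key, private_key).

    Toy-sized primes for illustration only; real RSA keys use primes of 1024+ bits.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt a message m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the matching private key recovers m."""
    d, n = private_key
    return pow(c, d, n)


def exchange_demo() -> dict:
    # Key exchange: Alice publishes alice_pub; Bob uses it to encrypt for her.
    alice_pub, alice_priv = make_keypair(61, 53)  # n = 3233
    bob_pub, bob_priv = make_keypair(67, 71)      # Bob's own, unrelated pair
    m = 65                                        # constructed sample message
    c = encrypt(alice_pub, m)
    return {
        "ciphertext": c,
        "alice_decrypts": decrypt(alice_priv, c),
        "bob_decrypts": decrypt(bob_priv, c),  # wrong private key -> garbage, not m
    }
```

In practice RSA encrypts a short symmetric session key rather than the data itself, and the message is padded before exponentiation; this block omits padding to keep the key-pair idea visible.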
  • Cryptographic Hashes
    • Hashes are used to verify data integrity.
    • Hashes are used for verifying data, not for encryption.
    • Hash values are always fixed in size & created by a hash algorithm.
    • Two common hashes are MD5 & SHA-1.
    • Note: ‘Blowfish’ is an example of symmetric encryption.
    • ECC (Elliptic Curve Cryptography) & RSA (Rivest-Shamir-Adleman) are examples of asymmetric encryption.
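The two hash properties the notes call out, fixed output size and integrity verification, demonstrated with MD5 and SHA-1 from the standard library. Added example, not course material; the “published file” and its tampered copy are constructed.

```python
import hashlib
import hmac


def digest(data: bytes, algorithm: str = "sha1") -> str:
    """Hash `data`; the output length depends only on the algorithm, never on the input."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, expected_digest: str, algorithm: str = "sha1") -> bool:
    """Recompute the hash and compare it (constant-time) with the recorded value."""
    return hmac.compare_digest(digest(data, algorithm), expected_digest)


def digest_lengths(algorithm: str) -> set:
    """Hash inputs of wildly different sizes; a fixed-size hash gives a one-element set."""
    samples = [b"", b"a", b"hello world", b"x" * 1_000_000]
    return {len(digest(s, algorithm)) for s in samples}


def tamper_demo() -> dict:
    # Constructed sample: a config file is published together with its SHA-1 value.
    published = b"allow_remote_admin = no\n"
    recorded = digest(published)              # stored or sent alongside the file
    tampered = b"allow_remote_admin = yes\n"  # a one-word change in transit
    return {
        "recorded": recorded,
        "original_ok": verify_integrity(published, recorded),
        "tampered_ok": verify_integrity(tampered, recorded),  # False: hash no longer matches
        "tampered_digest": digest(tampered),
    }
```

MD5 and SHA-1 still show the fixed-size property, but both have practical collision attacks, so new integrity checks should use SHA-256 or stronger (change the `algorithm` argument).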
  • Identification, Authorization, & Authentication
    • Authentication requires sharing of something you know, something you have, or something you do.
    • A smartcard is an example of something you have; security questions are an example of something you know.
    • Federated system–trust is inherited from a different trusted system.
    • Know the difference between identification, authorization, & authentication!
      • Identification–proves who you are to the authenticating system.
      • Authentication–takes place by proving that you have rights to that system (through passwords, smartcards, retinal scanners, etc).
      • Authorization–means what rights you have to the system, once you have been authenticated.
    • Authentication Factors:
      • something you know (ex: passwords, PIN codes, CAPTCHAs, security questions),
      • something you have (ex: smartcards, RSA keys, or something you have on your person to authorize you), &
      • something about you (ex: retinal scanners, fingerprint, facial scanners).
      • RSA keys–like the random numbers generated by authenticator apps that last for 30 seconds.
      • In addition to the previous three authentication factors, there’s also:
        • something you do (like the rhythm of your typing when entering a password)
        • somewhere you are (like credit card companies using geography to help prevent fraud).
      • Multi-Factor Authentication/2-Factor Authentication (MFA/2FA)–using a variety of factors to prove identity.
  • Access Control
    • Three types to be aware of:
      • Mandatory Access Control (MAC) uses labels.
      • Discretionary Access Control (DAC) gives the creators control over permissions.
      • Role-based access control (RBAC) uses groups.
        • Users –> (go into) –> Groups –> (that are given) –> Rights & Permissions
      • Access Control Lists–cornerstone of this process; generic, broad term.
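The Users → Groups → Rights & Permissions chain of RBAC above, with an access-control-list view per resource. Added example, not from the course; the group names, users and resources are constructed.

```python
from collections import defaultdict


class RBAC:
    """Users -> Groups -> Rights & Permissions.

    Permissions are attached to groups only; a user's effective rights are the
    union of the rights of every group the user belongs to. Anything not
    explicitly granted is denied.
    """

    def __init__(self):
        self.user_groups = defaultdict(set)   # user  -> {group, ...}
        self.group_rights = defaultdict(set)  # group -> {(resource, right), ...}

    def add_user_to_group(self, user: str, group: str) -> None:
        self.user_groups[user].add(group)

    def remove_user_from_group(self, user: str, group: str) -> None:
        self.user_groups[user].discard(group)

    def grant(self, group: str, resource: str, right: str) -> None:
        self.group_rights[group].add((resource, right))

    def effective_rights(self, user: str) -> set:
        groups = self.user_groups.get(user, set())
        return set().union(*(self.group_rights.get(g, set()) for g in groups))

    def is_allowed(self, user: str, resource: str, right: str) -> bool:
        return (resource, right) in self.effective_rights(user)

    def acl(self, resource: str) -> dict:
        """Access control list view: which groups hold which rights on one resource."""
        entries = defaultdict(set)
        for group, rights in self.group_rights.items():
            for res, right in rights:
                if res == resource:
                    entries[right].add(group)
        return dict(entries)


def build_demo() -> RBAC:
    # Constructed sample directory: everyone is staff, only alice is also in finance.
    rbac = RBAC()
    rbac.grant("finance", "payroll", "read")
    rbac.grant("finance", "payroll", "write")
    rbac.grant("staff", "wiki", "read")
    for user in ("alice", "bob"):
        rbac.add_user_to_group(user, "staff")
    rbac.add_user_to_group("alice", "finance")
    return rbac
```

Removing alice from the finance group revokes her payroll rights in one step, which is the administrative win of RBAC over per-user permission grants.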
  • AAA (“Triple A”)
    • A RADIUS client is an intermediary agent between a RADIUS supplicant & a RADIUS server.
    • A RADIUS database of authenticated users and passwords may reside outside the RADIUS server.
    • *RADIUS uses UDP ports 1812-1813 or UDP ports 1645-1646.
    • *TACACS+ uses TCP port 49.
    • RADIUS provides AAA (“triple A”)–authentication, authorization & accounting.
    • TACACS+ is another version of AAA that’s proprietary to Cisco.
  • Kerberos & EAP
    • Kerberos handles authentication & authorization for wired networks (LANs)
    • Kerberos relies heavily on time stamps
    • EAP enables flexible authentication.
    • KDC (Key Distribution Center)
      • KDC consists of AS (Authentication Service), &
      • TGS (Ticket Granting Service)
    • TGT (Ticket-Granting Ticket)
      • TGT issues tokens based on a timestamp
    • Kerberos is a Microsoft proprietary technology (i.e.-must have a Windows server!)
    • EAP–Extensible Authentication Protocol (provides flexibility)
      • allows different authentication mechanisms to talk to each other & work together.
      • EAP-PSK (Pre-Shared Key)–has a common key used by everyone to log in; standard username & password;
      • EAP-PEAP
      • EAP-MD5–uses a hash;
      • EAP-TLS–uses a single certificate from the server side of the system.
      • EAP-TTLS–requires individual clients as well as the authenticating system to both have certificates.
  • Single Sign-On
    • For local area network, use ‘Windows Active Directory’ for single sign-on.
      • Windows Active Directory has been around forever and is the “gold standard” when it comes to single sign-on tools for LANs.
    • SAML (Security Assertion Markup Language) is used to manage multiple apps using a single account.
    • SSOCircle provides a variety of service provider (SP) samples.
    • Federated Systems–(when you hear/see “federated” think ‘trust’.)
  • Certificates & Trust
    • Certificates include a public key & at least one digital signature.
    • Web of trust uses a web of mutually trusting peers.
    • Public Key Infrastructure (PKI) uses a hierarchical structure with root servers.
    • Either key in a private & public pair can be the public key.
    • Public key also sends a hash of the Web page.
    • Digital signature.
    • Digital certificates–have a public key, digital signature, & 3rd party sign-off.
    • Unsigned certificate–no 3rd party sign-off (Self-signed certificate)
    • Web of trust–(requires a lot of maintenance)
    • PKI (Public Key Infrastructure)–PKI is the dominant one used on the internet.
      • CAs (Certificate Authorities) –> Intermediate CAs –> Users
  • Certificate Error Scenarios
    • A self-signed certificate can throw a “443 error”, as the certificate has not been issued by a certificate authority.
    • An expired certificate can be viewed, then fixed either by getting a new certificate from its issuer or accepting the certificate in its current state.
    • The setting to query OCSP to confirm the current validity of certificates is a good security setting.