CCIE Security: Theory – Section 3

More notes; again, I will probably add more to this. If you think anything should be added, then do so through the comments section.

3.0 Application and Infrastructure Security

3.1 HTTP

Port 80

Status codes

100 – Continue – client should continue with request
200 – OK – request succeeded
201 – Created – new resource has been created
202 – Accepted – request accepted but processing not completed
203 – Non-Authoritative Information – metainformation gathered from a local or third-party copy
204 – No Content
205 – Reset Content
206 – Partial Content
300 – Multiple Choices
301 – Moved Permanently – new permanent URI
302 – Found
303 – See Other – response can be found under a different URI and should be retrieved with a GET on that resource
304 – Not Modified – returned for a conditional GET when the document has not been modified
305 – Use Proxy – must be accessed through the proxy given in the Location field
307 – Temporary Redirect
400 – Bad Request – malformed syntax
401 – Unauthorized – requires authorization; response must carry a WWW-Authenticate header
402 – Payment Required – reserved
403 – Forbidden – request understood but refused
404 – Not Found
405 – Method Not Allowed
406 – Not Acceptable
407 – Proxy Authentication Required – similar to 401, but client must authenticate with the proxy first
408 – Request Timeout – client did not produce a request quickly enough
409 – Conflict – most likely to occur in PUT requests (i.e. versioning)
410 – Gone – resource no longer available; if the condition is not known to be permanent, 404 should be used instead
411 – Length Required – server requires Content-Length
412 – Precondition Failed – precondition evaluated to false
413 – Request Entity Too Large
414 – Request-URI Too Long – URI longer than the server is willing to accept
415 – Unsupported Media Type
416 – Requested Range Not Satisfiable
417 – Expectation Failed – expectation could not be met, possibly by a next-hop server
500 – Internal Server Error
501 – Not Implemented – server does not support the functionality needed to fulfill the request
502 – Bad Gateway – server acting as gateway or proxy received an invalid response from the upstream server
503 – Service Unavailable – temporary overloading or maintenance
504 – Gateway Timeout – server acting as gateway or proxy did not receive a response from the upstream server
505 – HTTP Version Not Supported – server does not support, or refuses to support, the HTTP protocol version in the request

3.2 HTTPS

Port 443
AKA: HTTP over TLS, HTTP over SSL, HTTP Secure
Protects against MITM attacks, provides bidirectional encryption
Requires certificates

3.3 SMTP

Connection-oriented, text-based protocol
TCP port 25, port 587 for submission, SMTPS – port 465

MUA – Mail User Agent – user interface (like Outlook) used by the end user; connects to the
MSA – Mail Submission Agent – delivers mail to the
MTA – Mail Transfer Agent – moves email from the sending mail server to the recipient mail server. Uses DNS to find the MX record for the recipient's domain. The MX target accepts the incoming message and passes it to the
MDA – Mail Delivery Agent – moves email from the MTA to the user's mailbox on the recipient mail server, where it waits for the MUA to pick it up using
POP/IMAP – protocols used to fetch email from the recipient mail server mailbox to the recipient MUA

3.4 DHCP

DORA – Discover, Offer, Request, Acknowledge

UDP/67 on server, UDP/68 on client
CIADDR – Client IP address
YIADDR – Your IP address
SIADDR – Server IP address
GIADDR – Gateway IP address
CHADDR – Client Hardware address

Options

3 – Router
4 – Time server
5 – Name server
6 – DNS
12 – Hostname
15 – Domain name
42 – NTP server
50 – Requested IP address
51 – Lease time
52 – Option overload
53 – DHCP Message Type (Discover, Offer, Request, Acknowledge)
54 – Server Identifier
55 – Parameter request list
60 – Vendor Class identifier
61 – Client identifier
66 – TFTP Server name
67 – Bootfile name

DHCP relay – point to DHCP server on different subnet
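
A parser for the option field, as an added example (not part of the original notes), using the option numbers listed above; the sample bytes are constructed, not a real capture, and it refuses to read past a truncated option rather than guessing:

```python
import ipaddress
import struct
# Option codes from the list above (a subset); 255 ends the option field.
OPTION_NAMES = {
    3: "Router", 6: "DNS", 12: "Hostname", 15: "Domain name", 42: "NTP server",
    50: "Requested IP address", 51: "Lease time", 53: "DHCP Message Type",
    54: "Server Identifier", 55: "Parameter request list",
    60: "Vendor Class identifier", 61: "Client identifier",
    66: "TFTP Server name", 67: "Bootfile name",
}
# Option 53 values, in DORA order.
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def decode_value(code, data):
    """Render an option body by type; anything unexpected is returned as hex."""
    if code in (3, 6, 42, 50, 54) and len(data) % 4 == 0:   # one or more IPv4 addresses
        return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]
    if code == 51 and len(data) == 4:                        # 32-bit lease time in seconds
        return struct.unpack("!I", data)[0]
    if code == 53 and len(data) == 1:
        return MESSAGE_TYPES.get(data[0], data[0])
    if code == 55:                                           # option codes the client asks for
        return list(data)
    if code in (12, 15, 60, 66, 67):                         # text
        return data.decode("ascii", "replace")
    return data.hex()

def parse_options(blob):
    """Parse the TLV option field (after the magic cookie) into a dict.
    Raises ValueError on a truncated option instead of reading past the end."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:                     # End option
            break
        if code == 0:                       # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("option %d truncated" % code)
        opts[OPTION_NAMES.get(code, "option %d" % code)] = decode_value(code, body)
        i += 2 + length
    return opts

# Constructed option field of a DHCPREQUEST (not a real capture):
# 53=REQUEST, 50=192.168.1.100, 54=192.168.1.1, 51=86400 s, 55=[1,3,15,6], end.
SAMPLE = bytes.fromhex("350103" "3204c0a80164" "3604c0a80101" "330400015180" "370401030f06" "ff")
```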

3.5 DNS

UDP/53

Opcodes 
0 – Query
1 – iQuery (obsolete)
2 – Status (server status request)
3 – Unassigned
4 – Notify
5 – Update
6 – 15 – Unassigned

RCodes
0 – NoError
1 – FormErr
2 – ServFail
3 – NXDomain (Non-Existent Domain)
4 – NotImp
5 – Refused
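
An added example (not from the original notes) that decodes the opcode and RCODE tables above out of the 12-byte DNS header; the headers below are constructed by hand, not captured:

```python
import struct

# Opcode and RCODE names from the tables above.
OPCODES = {0: "Query", 1: "iQuery", 2: "Status", 4: "Notify", 5: "Update"}
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def decode_header(packet):
    """Decode the fixed 12-byte DNS header: ID, flag bits, opcode, rcode and counts."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; got %d" % len(packet))
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    opcode = (flags >> 11) & 0xF                    # bits 14..11
    rcode = flags & 0xF                             # bits 3..0
    return {
        "id": ident,
        "response": bool(flags & 0x8000),           # QR: 0 = query, 1 = response
        "opcode": OPCODES.get(opcode, "Unassigned (%d)" % opcode),
        "aa": bool(flags & 0x0400),                 # authoritative answer
        "tc": bool(flags & 0x0200),                 # truncated
        "rd": bool(flags & 0x0100),                 # recursion desired
        "ra": bool(flags & 0x0080),                 # recursion available
        "rcode": RCODES.get(rcode, "Unassigned (%d)" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

# Constructed headers (not captures): a recursive query, its NXDomain reply,
# a dynamic UPDATE (opcode 5) and a Refused response to it.
QUERY = bytes.fromhex("abcd 0100 0001 0000 0000 0000")
NXDOMAIN = bytes.fromhex("abcd 8183 0001 0000 0001 0000")
UPDATE = bytes.fromhex("1234 2800 0001 0000 0001 0000")
REFUSED = bytes.fromhex("1234 a805 0001 0000 0000 0000")
```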

3.6 FTP and SFTP

Active or passive. The client creates a TCP control connection to FTP port 21. Active – the client starts listening for incoming data and sends the FTP command PORT M to tell the server which port it is listening on; the server then initiates the data channel from port 20. If the client is behind a firewall (unable to accept incoming TCP connections), use passive mode. In passive mode the client sends the PASV command over the control connection and receives the server's IP address and port number; the client then opens a data connection to that IP address and port.

Simple FTP (SFTP) – unsecured. Implicit SFTP – passive mode by default
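
An added example (not part of the original notes) of the PORT/PASV address handling described above, as a firewall ALG or client would do it: it parses the six-field form, computes the port, and rejects an advertised address that is not the control-connection peer. The exchange is constructed.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2"
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def _endpoint(groups):
    """Six decimal fields: four address octets, then port = p1 * 256 + p2."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range: %r" % (vals,))
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv_reply(line, server_ip):
    """Passive mode: the server says where the client should connect.
    The address must be the control-connection peer; otherwise the data
    connection (and any firewall pinhole opened for it) would go to a third host."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    ip, port = _endpoint(m.groups())
    if ip != server_ip:
        raise ValueError("PASV address %s is not the server %s" % (ip, server_ip))
    return ip, port

def parse_port_command(line, client_ip):
    """Active mode: the client says which port it listens on and the server
    connects to it from port 20. Same check, against the client's address."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    ip, port = _endpoint(m.groups())
    if ip != client_ip:
        raise ValueError("PORT address %s is not the client %s" % (ip, client_ip))
    return ip, port

def accepted(parser, line, peer):
    """True if the parser accepts the line for this peer; False if it rejects it."""
    try:
        parser(line, peer)
        return True
    except ValueError:
        return False

# Constructed exchange (not a capture): control connection 10.0.0.5 -> 192.168.1.10:21
SERVER, CLIENT = "192.168.1.10", "10.0.0.5"
PASV_OK = "227 Entering Passive Mode (192,168,1,10,195,80)"
PORT_OK = "PORT 10,0,0,5,4,1"
```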

3.7 TFTP

UDP port 69. No login or authentication.

3.8 NTP

UDP/123

Stratums
0 – Reference clocks
1 to 15 – usable; 1 is the best, 15 the lowest.
16 – Unsynchronized

3.9 SNMP

UDP/161, UDP/162 for traps and InformRequests

GetRequest
SetRequest
GetNextRequest
GetBulkRequest (added in SNMPv2)
Response
Trap
InformRequest (added in SNMPv2)
Report (added in SNMPv3)

SNMPv2 added performance, security, confidentiality, and manager-to-manager communications.
SNMPv3 added confidentiality, integrity & authentication – user-based security (NoAuthNoPriv, AuthNoPriv, AuthPriv), uses MD5 & SHA

3.10 syslog

Facilities 0 – 23.
Severity 0 – 7:
0 – Emergency
1 – Alert
2 – Critical
3 – Error
4 – Warning
5 – Notice
6 – Informational
7 – Debug
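
An added example (not from the original notes) that turns the facility and severity tables above into a PRI decoder and a severity filter; PRI is facility * 8 + severity, and the log lines below are constructed.

```python
import re

# Severities 0-7 from the list above; facilities 0-23, with the common
# keywords (RFC 5424) and local0-local7 for 16-23.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 9: "cron", 10: "authpriv"}
FACILITIES.update({16 + n: "local%d" % n for n in range(8)})
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """PRI = facility * 8 + severity, so divmod(pri, 8) recovers both."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line)
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    if facility > 23:                      # PRI above 191 is invalid
        raise ValueError("PRI %d implies facility %d (max 23)" % (pri, facility))
    return {"pri": pri,
            "facility": facility,
            "facility_name": FACILITIES.get(facility, "facility%d" % facility),
            "severity": severity,
            "severity_name": SEVERITIES[severity],
            "msg": line[m.end():]}

def urgent(lines, max_severity=2):
    """Keep lines at Emergency, Alert or Critical (the default cut-off)."""
    return [l for l in lines if decode_pri(l)["severity"] <= max_severity]

# Constructed sample lines (not from a real host).
SAMPLE = [
    "<34>Oct 11 22:14:15 fw1 sshd: auth failure",      # auth.Critical: 4*8+2
    "<190>Oct 11 22:14:16 sw1 ntpd: synchronized",     # local7.Informational: 23*8+6
    "<13>Oct 11 22:14:17 host app: started",           # user.Notice: 1*8+5
    "<0>Oct 11 22:14:18 host kernel: panic",           # kern.Emergency: 0*8+0
]
```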

3.11 Netlogon, NetBIOS, and SMB

Network Basic Input/Output System – session-layer (OSI) API. Not usable on networks of over 50 computers, and annoying on more than 10. DNS is better.
UDP/137 & 138
TCP/137 & 139

SMB – Server Message Block, AKA CIFS. Application layer. Provides network file and printer sharing. TCP port 445

3.12 RPCs

Remote Procedure Call – program causes procedure to execute in another address space.

3.13 RDP and VNC

Remote GUIs. RDP – TCP/UDP port 3389. VNC – platform independent, server/client based, TCP port 5900+N

3.14 PCoIP

PC-over-IP – remote display protocol. Licensed by VMware & AWS. UDP based.

3.15 OWASP

Open Web Application Security Project – dedicated to web application security.

3.16 Manage unnecessary services

Turn them off!!!

no service tcp-small-servers (echo, chargen, discard, daytime)
no service udp-small-servers (echo, discard, chargen)

Echo – echoes what you type through “telnet x.x.x.x echo”
Chargen – generates a stream of ASCII: “telnet x.x.x.x chargen”
Discard – throws away whatever you type
Daytime – returns the system date and time

no ip finger
no ip bootp server
no mop enabled – disables Maintenance Operation Protocol
no ip domain-lookup
no service pad – disables Packet Assembler/Disassembler on X.25 networks
no ip http server
no ip http secure-server
no service config – disables looking to TFTP for config
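
An added example (not part of the original notes) that audits a saved running-config against the list above: each service is reported as enabled, explicitly disabled, or not shown; a command that is absent is at the platform default, which varies by IOS version, so those need a look at the full "show running-config all" output. The config excerpt is constructed, not from a real device.

```python
import re

# The commands from the list above, keyed by the service each one controls.
# In a config, the positive form means enabled; the "no" form, explicitly off.
SERVICES = {
    "service tcp-small-servers": "TCP small servers (echo, chargen, discard, daytime)",
    "service udp-small-servers": "UDP small servers (echo, discard, chargen)",
    "ip finger": "finger",
    "ip bootp server": "BOOTP server",
    "mop enabled": "Maintenance Operation Protocol (interface level)",
    "ip domain-lookup": "DNS lookups",
    "service pad": "X.25 PAD",
    "ip http server": "HTTP server",
    "ip http secure-server": "HTTPS server",
    "service config": "config load from TFTP",
}

def audit_config(config_text):
    """Classify each service as 'enabled', 'disabled' or 'not shown'.
    A command missing from the output is at the platform default, which
    varies by IOS version; confirm those with 'show running-config all'."""
    state = {key: "not shown" for key in SERVICES}
    for raw in config_text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())        # interface lines are indented
        line = line.replace("ip domain lookup", "ip domain-lookup")  # both spellings occur
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd in SERVICES:
            state[cmd] = "disabled" if negated else "enabled"
    return state

def findings(config_text):
    """Commands to apply: the 'no' form of every service found enabled."""
    return ["no " + k for k, v in sorted(audit_config(config_text).items()) if v == "enabled"]
# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
version 15.2
service timestamps log datetime msec
no service pad
service tcp-small-servers
ip finger
no ip bootp server
ip domain lookup
ip http server
no ip http secure-server
!
interface GigabitEthernet0/0
 no mop enabled
!
"""
```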
