Chapter 7 - 01 - Discuss Essential Network Security Protocols - 04_ocred_fax_ocred.pdf

Full Transcript


Certified Cybersecurity Technician, Exam 212-82. Module 07: Network Security Controls - Technical Controls
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

DNSSEC

Domain Name System Security Extensions (DNSSEC) is a suite of specifications maintained by the Internet Engineering Task Force (IETF). It is used for securing certain kinds of information provided by DNS, namely the authenticity and integrity of the records in a response. It works by digitally signing the records returned for a DNS lookup with public-key cryptography: the zone operator signs its records with a private key, and any resolver can check the signatures with the matching public key. DNSSEC provides protection from attacks such as DNS spoofing and cache poisoning, which aim to make a DNS server or client accept forged answers. It does so by having the resolver authenticate each DNS response before using it. The figure shows DNSSEC validating responses and stopping an attacker's forged response before it reaches the client.

Figure 7.9: DNSSEC Validation of Queries and Responses (the DNS client queries a validating recursive DNS server, which queries the authoritative DNS server; the authentic response is validated and passed to the client, while the non-authentic response injected by an attacker fails validation and is dropped).

For communication with DNSSEC, both parties should be configured with DNSSEC support: the zone must be signed on the authoritative side, and the recursive resolver must perform validation.
For security, DNSSEC adds four resource record types to a zone: the resource record signature (RRSIG), the DNS public key (DNSKEY), the next secure record (NSEC, or its hashed variant NSEC3), and the delegation signer (DS). With the combination of these four record types, DNSSEC provides the following functionality:

* Responses to a query can be checked for authenticity, so only records signed by the zone owner are accepted
* The integrity of the records in a response is preserved, because any alteration invalidates the signature
* A validating resolver can check the responses it obtains on behalf of its clients before passing them on

DNSSEC guarantees the following:

* Authenticity: the records were published by the holder of the zone's private key
* Integrity: the records were not altered after they were signed
* Absence of a domain name or type: a signed NSEC or NSEC3 record proves that a name or a record type does not exist (authenticated denial of existence)

DNSSEC does not guarantee the following:

* Confidentiality: queries and records travel in plaintext; DNSSEC only adds signatures
* Protection against denial-of-service (DoS) attacks; the larger signed responses and the extra validation work do not reduce exposure to DoS

Working of DNSSEC

DNSSEC works with the concept of asymmetric keys: a private key, held by the zone operator, and a public key, published in the zone as a DNSKEY record. DNSSEC adds a digital signature (an RRSIG record) to each set of a domain name's DNS records. When a guest enters the domain name's URL in a web browser, the resolver that looks up the name verifies the digital signature on the answer against the zone's public key, and verifies the public key itself against the hash on file in the parent zone (the DS record, which for a delegation from a top-level domain is held by the registry). The digital signature must match the value on file; otherwise the resolver rejects the response.
Through the DNSSEC signing process, the DNS zone is secured from attacks without any functional changes: the existing A, AAAA, MX and other records stay exactly as they were, and signature records are added alongside them. Once a zone is signed, its DNS responses can be validated through their digital signatures. These signatures are produced with the zone's private key; the records themselves are not encrypted, which is why DNSSEC provides no confidentiality. After the signing process completes, the authoritative server appends the RRSIG records to its DNS responses whenever a resolver asks for DNSSEC data.

Figure 7.10: Unsigned and Signed DNS Resource Records (before signing, the zone holds only ordinary resource records; after signing, an RRSIG accompanies each record set, and DNSKEY and NSEC3 records are added to the zone).

The red records in the figure are the digital signatures (RRSIGs) associated with each DNS record set. These signatures allow a resolver to confirm that a response comes from the legitimately signed DNSSEC zone and not from an attacker. The DNSKEY record holds the public key used to verify the signatures, whereas a hash of the DNSKEY record is stored in the DS record in the parent zone. This chain of DS and DNSKEY records, from the zone up to the root zone's key (the resolver's trust anchor), is what makes the zone's public key trustworthy. NSEC3 (or NSEC) records provide explicit, signed denial of existence of a DNS name or record type.

DNSSEC validation: DNS responses are validated by verifying their digital signatures, which is performed with the public key from the DNSKEY record. This is signature verification, a public-key operation; nothing is decrypted. During validation, the resolver hashes the received records and compares the result with the value recovered from the RRSIG, and it compares a hash of the DNSKEY with the DS record obtained from the parent zone. If the hash values are identical, the validated reply is sent to the DNS client; otherwise the resolver returns a SERVFAIL error instead of the forged or damaged answer. A practical consequence is that a signed zone protects only clients that use a validating resolver, and that a zone whose signatures have expired, or whose DS record at the parent no longer matches its DNSKEY, becomes unreachable from validating resolvers until the operator fixes it.
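The validation process described above, worked through in code. This is an added example for this page, not EC-Council courseware and not the code of any real resolver. It models a small signed zone: sign_zone produces an RRSIG for every record set, a DNSKEY, the DS hash the parent zone would publish, and an NSEC chain for denial of existence; validate is the resolver side and returns VALIDATED, NXDOMAIN or NODATA on success and SERVFAIL otherwise; honest_answer and attacker_answer stand in for the authoritative server and for the attacker in Figure 7.9. The zone example.test. and its addresses are constructed sample data. The RSA key uses tiny fixed primes so the code runs with the standard library alone; it is a stand-in for the RSA-2048 or ECDSA P-256 keys real zones use, and the record encoding and name ordering are simplified relative to RFC 4034.

```python
import hashlib
from typing import Dict, List, Tuple

def make_key(p: int, q: int, e: int = 65537) -> Tuple[int, int, int]:
    """Textbook RSA (n, e, d). Tiny primes keep this standard-library only; no real security."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))       # modular inverse: Python 3.8+

RRset = Tuple[str, str, Tuple[str, ...]]   # (owner name, record type, rdata in sorted order)

def canonical(rrset: RRset) -> bytes:
    """Bytes a signature covers: owner lowercased, rdata sorted (simplified from RFC 4034)."""
    owner, rtype, rdata = rrset
    return "\n".join([owner.lower(), rtype, *rdata]).encode()

def hash_mod(rrset: RRset, n: int) -> int:
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest(), "big") % n

def sign(rrset: RRset, key: Tuple[int, int, int]) -> int:
    """Zone owner: private-key operation producing the RRSIG for one record set."""
    n, _, d = key
    return pow(hash_mod(rrset, n), d, n)

def verify(rrset: RRset, rrsig: int, dnskey: Tuple[int, int]) -> bool:
    """Resolver: public-key operation that must reproduce the hash (verification, not decryption)."""
    n, e = dnskey
    return pow(rrsig, e, n) == hash_mod(rrset, n)

def ds_of(dnskey: Tuple[int, int]) -> str:
    """DS record: hash of the child's DNSKEY, published and signed in the parent zone."""
    return hashlib.sha256(f"{dnskey[0]}:{dnskey[1]}".encode()).hexdigest()

def nsec_covers(qname: str, nsec: RRset) -> bool:
    """True if qname sorts strictly between the NSEC owner and the next existing name."""
    owner, _, (nxt, _) = nsec
    return owner < qname < nxt if owner < nxt else (qname > owner or qname < nxt)  # last NSEC wraps

def sign_zone(records: Dict[Tuple[str, str], List[str]], key: Tuple[int, int, int]):
    """Returns (DNSKEY, DS, zone): every record set gets an RRSIG, plus a signed NSEC chain."""
    zone: Dict[Tuple[str, str], Tuple[RRset, int]] = {}
    for (owner, rtype), rdata in records.items():
        rrset: RRset = (owner.lower(), rtype, tuple(sorted(rdata)))
        zone[(owner.lower(), rtype)] = (rrset, sign(rrset, key))
    # NSEC: each name points at its successor (plain string order here; RFC 4034 uses canonical
    # label order) and lists the types it owns, so a signed gap proves that nothing lies in it.
    names = sorted({owner.lower() for owner, _ in records})
    for i, owner in enumerate(names):
        types = " ".join(sorted(t for o, t in records if o.lower() == owner))
        rrset = (owner, "NSEC", (names[(i + 1) % len(names)], types))
        zone[(owner, "NSEC")] = (rrset, sign(rrset, key))
    dnskey = (key[0], key[1])
    return dnskey, ds_of(dnskey), zone

def validate(qname: str, qtype: str, response: dict, trust_anchor_ds: str) -> Tuple[str, object]:
    """Validating resolver: VALIDATED / NXDOMAIN / NODATA on success, SERVFAIL on any failure."""
    qname, dnskey = qname.lower(), response["dnskey"]
    if ds_of(dnskey) != trust_anchor_ds:              # 1. is this the key the parent vouches for?
        return ("SERVFAIL", "DNSKEY hash does not match the DS record in the parent zone")
    rrset, rrsig = response["answer"], response["rrsig"]
    if not verify(rrset, rrsig, dnskey):              # 2. does the RRSIG cover exactly these bytes?
        return ("SERVFAIL", "RRSIG does not verify: record altered or forged")
    owner, rtype, rdata = rrset
    if rtype == "NSEC":                                # 3a. signed proof of absence
        if owner == qname and qtype not in rdata[1].split():
            return ("NODATA", None)                    # the name exists, this type does not
        if owner != qname and nsec_covers(qname, rrset):
            return ("NXDOMAIN", None)                  # nothing exists between owner and next
        return ("SERVFAIL", "NSEC record does not prove absence of the queried name/type")
    if (owner, rtype) != (qname, qtype):               # 3b. genuine signature, wrong question
        return ("SERVFAIL", "signed RRset does not answer the question")
    return ("VALIDATED", rdata)

# Constructed sample zone: example.test. is not a real domain, addresses are documentation ranges.
ZONE_KEY = make_key(1000003, 999983)
RECORDS = {("example.test.", "A"): ["192.0.2.1"], ("mail.example.test.", "A"): ["192.0.2.25"],
           ("www.example.test.", "A"): ["192.0.2.11", "192.0.2.10"]}
DNSKEY, DS, ZONE = sign_zone(RECORDS, ZONE_KEY)       # DS is what the parent zone would publish
ATTACKER_KEY = make_key(1000033, 1000037)              # a key pair the attacker controls

def honest_answer(qname: str, qtype: str) -> dict:
    """Authoritative server: the record set with its RRSIG, or the NSEC that proves absence."""
    qname = qname.lower()
    if (qname, qtype) in ZONE:
        rrset, sig = ZONE[(qname, qtype)]
    else:   # no such record set: the NSEC owned by the name, or the NSEC spanning the gap
        rrset, sig = next(v for (_, t), v in ZONE.items()
                          if t == "NSEC" and (v[0][0] == qname or nsec_covers(qname, v[0])))
    return {"answer": rrset, "rrsig": sig, "dnskey": DNSKEY}

def attacker_answer(qname: str, own_key: bool) -> dict:
    """Spoofed reply pointing the name at the attacker's host. Lacking the zone's private key, the
    attacker can only reuse the real RRSIG (mismatch) or sign with their own key (DS mismatch)."""
    rrset: RRset = (qname.lower(), "A", ("203.0.113.66",))
    if own_key:
        return {"answer": rrset, "rrsig": sign(rrset, ATTACKER_KEY), "dnskey": ATTACKER_KEY[:2]}
    return {**honest_answer(qname, "A"), "answer": rrset}

def demo() -> Dict[str, Tuple[str, object]]:
    w, ftp = "www.example.test.", "ftp.example.test."
    return {"honest": validate(w, "A", honest_answer(w, "A"), DS),
            "nxdomain": validate(ftp, "A", honest_answer(ftp, "A"), DS),
            "nodata": validate(w, "AAAA", honest_answer(w, "AAAA"), DS),
            "poisoned": validate(w, "A", attacker_answer(w, own_key=False), DS),
            "forged_key": validate(w, "A", attacker_answer(w, own_key=True), DS)}
```

demo() returns the five outcomes: the honest answer validates to the two www addresses, the query for the missing name ftp.example.test. validates as NXDOMAIN through the signed NSEC gap, the AAAA query for www validates as NODATA through the type list on its NSEC, and both attacker replies produce SERVFAIL, the poisoned one at the RRSIG check and the forged-key one at the DS check. Note that every response dict carries its rdata in the clear: the signatures prove who published the records, they do not hide them. Against a real zone, dig +dnssec shows the RRSIG records and, when asked through a validating resolver, the ad (authenticated data) flag, and BIND's delv performs the validation itself.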
Secure Hypertext Transfer Protocol (S-HTTP)

Secure hypertext transfer protocol (S-HTTP) is an application-layer protocol that encrypts and/or signs individual web messages carried over HTTP. It was designed as an alternative to HTTPS (HTTP over SSL/TLS). The difference lies in where the security is applied: S-HTTP secures the transmission of individual messages, while SSL/TLS establishes a secure connection between two endpoints and thereby protects the entire communication that flows over it.

Note: not all web browsers and servers support S-HTTP. In practice S-HTTP (RFC 2660, an experimental specification from 1999) never saw wide deployment; current mainstream browsers do not implement it, and HTTPS is the protocol used to secure the web.

S-HTTP ensures a secured exchange of data on the world wide web by implementing application-level security that offers encryption and digital signatures on each message. It can verify the user by means of a certificate, and it supports many cryptographic algorithms and modes of operation. S-HTTP uses a client-server negotiation to determine the security conditions for a client-server communication: the two sides agree on which protections (signature, encryption, or both) apply to a message, and the client may send a certificate in order to authenticate the user. Because the protections are negotiated per message, an S-HTTP-capable server can also exchange messages that are signed but not encrypted, or that carry no cryptographic protection at all.
Figure 7.11: S-HTTP Application-Level Security (on both the client machine and the WWW server machine, the cryptographic processing sits between the HTTP application and the network layer; encrypted and/or signed messages cross an otherwise unencrypted channel).

Hypertext Transfer Protocol Secure (HTTPS)

Hypertext transfer protocol secure (HTTPS) ensures secure communication between two computers that exchange data over HTTP. It is used wherever confidentiality matters, most visibly in online transactions such as logins and payments. The connection is encrypted using transport layer security (TLS); its predecessor SSL is deprecated (SSL 2.0 is prohibited by RFC 6176 and SSL 3.0 by RFC 7568), and current deployments use TLS 1.2 or 1.3. HTTPS protects against man-in-the-middle attacks because the client authenticates the server by its certificate and the data are then transmitted over an encrypted, integrity-protected channel. Encryption alone would not stop an attacker who could interpose their own key, so certificate and hostname verification on the client side is an essential part of the protection.

HTTPS is the protocol used for ensuring secure communication in the network. It uses TLS (historically SSL) to ensure secure transmission of data. HTTPS confirms the identity of websites and preserves the confidentiality and integrity of the messages passed over the internet.
Figure 7.12: HTTPS Protection from MitM Attack (the user sends the password "Mypass"; HTTPS encrypts it, so an attacker who intercepts the traffic obtains only ciphertext such as "X254p6kd"; the server decrypts it and receives "Mypass").

HTTPS uses TLS (originally SSL) to protect a website, so that users can reach it without their traffic being read or altered on the way. TLS/SSL has the following advantages:

* It encrypts confidential information during the exchange of data.
* The server's certificate records the details of the certificate owner (the domain name and, for some certificate types, the organisation).
* A certificate authority (CA) checks the owner of the certificate before issuing it, which is what lets the client verify that it is talking to the genuine site.
* It is widely used for confidential online transactions.
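The statement that HTTPS protects against man-in-the-middle attacks holds only if the client verifies the server's certificate and hostname; an encrypted channel to whoever answers the connection is exactly what the attacker in Figure 7.12 wants. The following is an added example for this page (not EC-Council courseware and not any product's code) using only the standard library's ssl and socket modules: a hardened client SSLContext beside the common "verification disabled" anti-pattern, and an audit function that flags the weak settings. The function names hardened_client_context, weak_client_context, audit_context and open_https are this example's own; ssl._create_unverified_context is CPython's long-standing helper for the insecure configuration.

```python
import socket
import ssl
from typing import List

def hardened_client_context() -> ssl.SSLContext:
    """Client settings under which HTTPS really resists an active man-in-the-middle."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # trusts the system CA store
    ctx.verify_mode = ssl.CERT_REQUIRED        # server must present a certificate chaining to a trusted CA
    ctx.check_hostname = True                  # ...issued for the host we asked for, not just any host
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 2/3 and TLS 1.0/1.1 are deprecated
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' anti-pattern: the channel is encrypted, but to
    whoever answers, so an interposed attacker with any certificate reads the password."""
    return ssl._create_unverified_context()    # CERT_NONE and check_hostname=False

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client SSLContext; an empty list is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, or none, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.1 or older")
    return findings

def open_https(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Network helper (not exercised offline): a MitM or mis-issued certificate surfaces here as
    ssl.SSLCertVerificationError instead of a silently successful encrypted connection."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return hardened_client_context().wrap_socket(sock, server_hostname=host)
```

audit_context(hardened_client_context()) returns an empty list, while the unverified context is reported for both the missing certificate requirement and the disabled hostname check. The same three properties are what to look for when reviewing any HTTPS client: that a certificate is required, that it is checked against the requested hostname, and that legacy protocol versions are refused.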
