Vocabulary flashcards covering key secure network protocol topics from DHCP/DNS to VPNs, TLS, LDAP, SNMP, SSH, and remote access concepts as presented in the lecture. Each card defines a critical term or concept relevant to implementing secure network protocols.
DHCP
Dynamic Host Configuration Protocol; automatic IP address allocation; only one DHCP server should offer addresses to a group; rogue servers can cause DoS or spoofed configurations.
Rogue DHCP server
An unauthorized DHCP server that can assign incorrect IP configuration, enabling DoS or man-in-the-middle activities.
DHCP starvation
Attack where a rogue client exhausts the IP address pool by requesting many IPs using spoofed MAC addresses.
DHCP snooping
Switch feature that mitigates rogue DHCP attacks by inspecting DHCP messages and only allowing DHCP server responses from designated trusted switch ports.
DNS
Domain Name System; resolves FQDNs to IPs; uses port 53; distributed database across name servers; critical for network name resolution.
Domain Hijacking
Attack where an adversary gains control of a domain's registration, often through weak credentials or registrar compromise.
DNS poisoning
Attacks that corrupt DNS responses or caches to redirect users to malicious IPs; can involve ARP poisoning or rogue DNS servers.
DNSSEC
DNS Security Extensions; adds cryptographic signing of DNS data to prevent spoofing; relies on Zone Signing Key and Key Signing Key; creates a chain of trust from root to subdomains.
HOSTS file
Local name-to-IP mapping file (UNIX: /etc/hosts, Windows: %SystemRoot%\System32\Drivers\etc\hosts); checked before DNS; susceptible to manipulation for cache poisoning.
DNS footprinting
Exploratory activity to discover DNS information; zone transfers can reveal domain records to rogue servers.
DNS server patching
Regularly applying security updates to DNS server software (e.g., BIND, Microsoft DNS) to mitigate vulnerabilities.
LDAPS
LDAP over TLS; LDAP secured using certificates (port 636); provides encrypted directory authentication.
STARTTLS
Upgrades an existing plaintext LDAP (or other protocol) connection to TLS; used to secure the session.
LDAP
Lightweight Directory Access Protocol; directory services protocol (port 389); supports various authentication methods including anonymous, simple bind, SASL, STARTTLS, and LDAPS.
Access control in LDAP
Policies granting read-only vs read/write access to directory data; often enforced via vendor-specific mechanisms and network ACLs.
NTP
Network Time Protocol; time synchronization over UDP port 123; maintains UTC across devices; stratum levels indicate how many hops a server is from an authoritative reference clock.
NTS
Network Time Security; security extension planned for NTP to protect time synchronization.
SNMP
Simple Network Management Protocol; monitoring protocol with agents and a management system; uses ports 161 (queries) and 162 (traps); relies on community strings or SNMPv3 user-based security.
SNMPv3
SNMP version that replaces plain-text community strings with user-based authentication and message encryption; also supports access control lists.
TLS
Transport Layer Security; cryptographic protocol for securing communications (replaces SSL); uses certificates issued by trusted CAs; commonly on port 443 for HTTPS.
HTTPS
HTTP over TLS; secure web traffic; certificate-based authentication; padlock in browsers indicates secure session.
TLS downgrade attack
Attack where a client and server are forced to use older, weaker TLS versions or ciphers.
TLS cipher suite
Set of algorithms for key exchange, authentication, bulk encryption, and integrity; examples include ECDHE-RSA-AES128-GCM-SHA256 and TLS_AES_256_GCM_SHA384.
TLS handshake
Process by which client and server negotiate supported ciphers, exchange keys, and establish a secure session.
S/MIME
Secure/Multipurpose Internet Mail Extensions; uses digital certificates to provide authentication, message integrity, and confidentiality for email.
SMTP TLS (SMTPS/STARTTLS)
Email security via TLS; STARTTLS upgrades an existing SMTP connection; SMTPS initiates TLS on port 465; common ports are 25, 587, and 465.
POP3S
Secure POP3; POP3 over TLS (port 995) for secure retrieval of email.
IMAPS
Secure IMAP; IMAP over TLS (port 993) for secure access to mail on a server.
S/MIME certificates
Digital certificates containing a user’s public key, signed by a CA, used to secure email via S/MIME.
VoIP security
Protection of voice/video over IP; uses SIP/SIPS signaling, SRTP for media encryption, and TLS for signaling integrity.
SIP
Session Initiation Protocol; signaling protocol for establishing VoIP sessions; defaults to port 5060; SIPS uses TLS on port 5061.
SRTP
Secure Real-time Transport Protocol; provides encryption, message integrity, and authentication for RTP streams.
VPN TLS (SSL VPN)
VPN that uses TLS/SSL to secure remote access; often runs on port 443; supports mutual authentication via certificates.
OpenVPN
Open-source TLS VPN implementation; uses TLS for secure tunnels; can operate over TCP/UDP and support TAP/TUN modes.
SSTP
Secure Sockets Tunneling Protocol; Microsoft VPN technology using TLS to secure PPP traffic, typically over TCP port 443.
PPTP
Point-to-Point Tunneling Protocol; legacy VPN protocol with known security weaknesses; generally deprecated.
IPSec
Internet Protocol Security; network-layer security framework providing confidentiality and integrity; uses AH (integrity) and ESP (confidentiality/integrity); supports transport and tunnel modes.
AH
Authentication Header; provides data integrity and authentication for IP packets but not confidentiality.
ESP
Encapsulating Security Payload; provides confidentiality and/or integrity for IP packets; can be used alone or with AH.
IKE
Internet Key Exchange; protocol for negotiating, establishing, and managing Security Associations (SAs) for IPSec; uses DH for key exchange and may use certificates or pre-shared keys.
IKEv2
Improved IKE version with support for EAP, simplified setup, NAT traversal, and MOBIKE for multihoming.
L2TP/IPSec
Layer 2 Tunneling Protocol with IPSec; VPN technique combining L2TP tunneling with IPSec security.
DTLS
Datagram Transport Layer Security; TLS over UDP, used to secure datagrams in environments where UDP is preferred.
RDP
Remote Desktop Protocol; protocol for graphical remote access; can be placed behind a secure gateway or used with SSH tunneling.
Jump server
Secure intermediary server used for out-of-band management to reach devices in a secure zone; reduces exposure of admin interfaces.
SAWs
Secure Admin Workstations; dedicated hardened workstations for administering network devices with restricted access.
SSH
Secure Shell; secure remote command-line access and file transfer (SFTP); default port 22; uses host keys for authenticity.
SSH host key
Public/private key pair identifying an SSH server to clients; the private key must be kept secure; if compromised, the key pair should be replaced and clients updated.
SSH authentication methods
Methods for SSH user authentication, including username/password, public key, and Kerberos (GSSAPI).
SSH commands
Common commands for SSH-based administration (ssh, ssh-keygen, scp, etc.) for secure remote management.
Always-On VPN
VPN that automatically establishes a VPN connection whenever a trusted network is detected, using cached credentials.
Split tunnel vs full tunnel
VPN data routing options: split tunnel sends default internet traffic directly; full tunnel routes all traffic through the corporate network.
DNS zone transfers
DNS data transfer between servers; can reveal private DNS records; mitigated by ACLs.
DNSSEC chain of trust
Trust path from root to subdomains through signed zones and DS records, enabling verification of DNS responses.
RADIUS/TACACS+ relevance
AAA (authentication, authorization, accounting) protocols used with VPNs and remote access to centralize user credentials.
Federated auth methods (SAML/OAuth)
Standards used to delegate authentication/authorization for APIs and services; require secure management of tokens.
Web APIs and tokens
APIs secured by tokens or secrets; secrets must be managed securely to prevent breaches.