When deciding to make a shift in careers down the IT path, I started looking into the world of industry certifications. When you first start down this path of certification it seems like a daunting mountain to climb. Which vendor certs should you choose? Which path in that vendor do you go down? With so many options to choose from it can be overwhelming when you don't really know what these certifications can do for you. Luckily, I was able to get some great advice from some folks in the industry to help me make my own decision on which path to follow. I chose to go after the CCNA first, and you can read my blog post about it here. I knew that I wanted to be able to back up my networking knowledge with that certification first. The next decision was to follow that up with the CompTIA Security+, since I wanted to prove that I could secure the networks I had learned how to configure with the CCNA.
I began digging into resources and study material for the SY0-501 Security+ certification. This is a certification with a wide blueprint of material. The biggest thing that has stood out to me was learning all the protocols and their purpose. This is important for understanding traffic flow in a network and how to manage it. So, to help myself solidify these topics I am going to describe them all here!
EMAIL and WEB use cases
Almost every organization is sending email, receiving email, sending and receiving secure email, and managing email folders. These are the use cases that need to be secured and managed. A common use case for web servers is for a company to host its own web server that external clients access over the internet.
Many of the following protocols support the STARTTLS command, which lets a connection that starts in cleartext be upgraded to TLS on the same port instead of using a separate port for encrypted traffic. The upgrade is only as strong as the client's insistence on it: a client that silently continues in cleartext when STARTTLS is not advertised can be downgraded by anyone on the path who strips the advertisement.
- SMTP – Simple Mail Transfer Protocol transfers email from clients to servers and between servers.
- Uses TCP 25 for server-to-server relay
- TCP 587 is the standard message submission port and relies on STARTTLS; TCP 465 carries SMTP over implicit TLS (SMTPS). Port 465 was long unofficial, but RFC 8314 now recommends it for submission.
- Recommended to use STARTTLS (or implicit TLS on 465) before any AUTH command or message data is sent
- POP3 and Secure POP – Post Office Protocol version 3 downloads mail from the server to the client
- POP3 uses TCP 110
- Secure POP (POP3S) encrypts with SSL or TLS on TCP 995
- Recommended to use the STLS command (POP3's name for STARTTLS) to upgrade the connection on TCP 110
- IMAP4 and Secure IMAP – Internet Message Access Protocol version 4 lets clients read and manage mail that stays stored on the mail server, so several clients can share one mailbox
- IMAP4 uses TCP 143
- Secure IMAP (IMAPS) with SSL or TLS uses TCP 993
- Recommended to use STARTTLS to upgrade the connection on TCP 143
- HTTP – Hypertext Transfer Protocol is used to transmit web traffic on the internet
- HTTP uses TCP 80
- HTTPS – Hypertext Transfer Protocol Secure encrypts web traffic with SSL or TLS; in practice only TLS 1.2 or later should be enabled, since every SSL version is deprecated
- HTTPS uses TCP 443
- DNS – Domain Name System provides domain name resolution
- DNS uses UDP 53 for ordinary queries and responses; TCP 53 is used for zone transfers and for any response too large for a single UDP datagram (the server sets the TC bit and the client retries over TCP). Firewall rules that allow only UDP 53 therefore break large responses (common with DNSSEC), not just zone transfers.
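To make the STARTTLS point concrete, here is an added Python example (it is not code from the original post). It parses a constructed EHLO reply, decides whether a submission client may send credentials on a given port, and shows why port 465 needs no negotiation at all. The server name, capability list and the "stripped" reply are all constructed for the demo; no real mail server is contacted. POP3's STLS, IMAP's STARTTLS and FTPS's AUTH TLS follow the same advertise-upgrade-then-check pattern.

```python
from __future__ import annotations

# Constructed EHLO reply for the demo; mail.example.com is not a real server.
# RFC 5321: every line but the last is "250-", the last is "250 ".
EHLO_OK = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
# The same reply as seen through an on-path attacker who deleted the
# STARTTLS line (a STARTTLS-stripping downgrade).
EHLO_STRIPPED = EHLO_OK.replace("250-STARTTLS\r\n", "")


def parse_ehlo(reply: str) -> set:
    """Return the upper-cased EHLO keywords the server advertised."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    caps = set()
    for idx, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if (sep == " ") != (idx == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if idx == 0:
            continue  # first line is the server's domain and greeting
        caps.add(rest.split(" ", 1)[0].upper())
    return caps


def plan_session(port: int, ehlo_reply: str, require_tls: bool = True) -> dict:
    """Decide whether a submission client may send AUTH on this port.

    465: implicit TLS, the handshake precedes any SMTP command, so there is
         nothing to negotiate and no STARTTLS keyword to look for.
    25/587: cleartext first; STARTTLS must be advertised and completed
         before AUTH or message data go on the wire.
    """
    if port == 465:
        return {"tls": "implicit", "send_auth": True}
    caps = parse_ehlo(ehlo_reply)
    if "STARTTLS" in caps:
        return {"tls": "starttls", "send_auth": True}
    # No STARTTLS: either the server lacks it or someone stripped it.  An
    # opportunistic client carries on and leaks the credentials; a
    # hardened client refuses.
    if require_tls:
        return {"tls": None, "send_auth": False,
                "reason": "STARTTLS not advertised; refusing cleartext AUTH"}
    return {"tls": None, "send_auth": True}


def client_commands(port: int, ehlo_reply: str, require_tls: bool = True,
                    helo_name: str = "client.example.net") -> list:
    """Command sequence the client would send, given the plan above."""
    plan = plan_session(port, ehlo_reply, require_tls)
    cmds = []
    if plan["tls"] == "implicit":
        cmds += ["<TLS handshake>", f"EHLO {helo_name}"]
    else:
        cmds.append(f"EHLO {helo_name}")
        if plan["tls"] == "starttls":
            # RFC 3207: after the handshake the client must discard what it
            # learned in cleartext and send EHLO again inside TLS.
            cmds += ["STARTTLS", "<TLS handshake>", f"EHLO {helo_name}"]
    cmds.append("AUTH PLAIN <base64 credentials>" if plan["send_auth"] else "QUIT")
    return cmds


if __name__ == "__main__":
    for port, reply in ((587, EHLO_OK), (587, EHLO_STRIPPED), (465, "")):
        print(port, "->", " | ".join(client_commands(port, reply)))
```

The `require_tls` flag is the whole security decision: with it set, the stripped reply ends the session with QUIT instead of an AUTH in cleartext. Real clients express the same choice as "STARTTLS required" versus "STARTTLS if available" in their account settings.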
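The DNS entry above is where most people learn that "DNS is UDP 53" is only half the story. This added Python example (not from the original post) builds a minimal query, parses the header of a constructed reply, checks the transaction ID, and shows the two things a resolver must do that depend on TCP 53: retry a truncated answer over TCP, and prefix each TCP message with a two-byte length. The query name and the replies are constructed; nothing is sent on the network.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000  # this is a response
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP reply
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, 0-terminated."""
    return b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal recursive query (type A by default, class IN) as sent on UDP 53."""
    header = HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header; the rest of the message is not needed here."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """What a resolver does with a UDP reply.

    A reply whose transaction ID does not match the outstanding query is
    dropped (it may be a spoofed answer).  A matching reply with TC set
    must be re-sent over TCP 53 to obtain the full answer.
    """
    q, r = parse_header(query), parse_header(response)
    if not r["qr"]:
        raise ValueError("not a response")
    if r["id"] != q["id"]:
        raise ValueError("transaction ID mismatch; dropping reply")
    return r["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def fake_response(query: bytes, truncated: bool) -> bytes:
    """Constructed reply for the demo: same ID, question echoed, no answers."""
    txid = HEADER.unpack_from(query)[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + query[HEADER.size:]


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print("truncated reply -> retry over TCP:", needs_tcp_retry(q, fake_response(q, True)))   # True
    print("complete reply  -> retry over TCP:", needs_tcp_retry(q, fake_response(q, False)))  # False
    print("TCP length prefix:", tcp_frame(q)[:2].hex())
```

The transaction ID check is the same one that makes off-path cache poisoning a guessing game; real resolvers also randomize the UDP source port and verify the echoed question, which this demo leaves out.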
Directory Services and AAA use cases
Network operating systems typically use a directory service to simplify network management and to implement security. Administrators can then use the directory service to enforce identification, authentication, and authorization for users and computers.
- Kerberos is an authentication protocol used in Windows domains and some UNIX environments. A Key Distribution Center (KDC) issues time-stamped tickets to clients, which is why a clock more than a few minutes out of sync with the KDC causes authentication failures.
- Uses UDP 88 and TCP 88 (Windows clients default to TCP)
- LDAP – Lightweight Directory Access Protocol is used to query and modify directories such as Active Directory Domain Services. LDAP has its own syntax (distinguished names and search filters) for identifying and managing objects.
- LDAP uses TCP 389 (cleartext unless upgraded with StartTLS on the same port)
- LDAPS uses TLS for encryption on TCP 636
- TACACS+ – Terminal Access Controller Access-Control System Plus handles remote authentication, authorization and accounting for administrative access to network devices. It started as a Cisco proprietary protocol and is now documented in RFC 8907. It encrypts the entire packet body, whereas RADIUS only obfuscates the password field.
- TACACS+ uses TCP 49
- RADIUS – Remote Authentication Dial-In User Service provides AAA for users connecting to network services such as VPNs, wireless (802.1X) and switch ports.
- Authentication and authorization typically use UDP 1812
- Accounting typically uses UDP 1813 (older implementations use UDP 1645 and 1646)
File Transfer use cases
Data in transit is any traffic sent over the network. Sending it in cleartext gives an attacker on the path the chance to capture credentials and file contents and use them for malicious purposes. Securing data in transit is an important part of a security administrator's job, since it is how confidentiality is maintained on the wire.
- FTP – File Transfer Protocol transfers files between clients and an FTP server. By default it transmits both credentials and file data in cleartext.
- FTP uses TCP 20 for data in active mode (in passive mode the server picks an ephemeral port for the data connection)
- FTP uses TCP 21 for the control channel
- FTPS – File Transfer Protocol Secure adds TLS to FTP and has two different modes
- Explicit mode: the client connects to the normal control port, TCP 21, and sends AUTH TLS to request a secure connection; the server then negotiates the TLS session. This mode uses the same ports as FTP but with encryption added.
- Implicit mode: there is no negotiation. The TLS handshake happens as soon as the connection opens, so the client must already be configured for TLS to talk to the server at all.
- Uses TCP 989 for data
- Uses TCP 990 for the control channel
- SSH – Secure Shell encrypts traffic in transit and also carries other services on top of it, such as SFTP, SCP and port forwarding. Most commonly it is used by administrators for remote access to servers.
- SSH uses TCP 22
- SFTP – SSH File Transfer Protocol runs as a subsystem inside an SSH session, so file transfers inherit SSH's encryption and authentication. Despite the name it is not FTP tunneled over SSH, and it is unrelated to FTPS.
- SFTP uses TCP 22
- TFTP – Trivial File Transfer Protocol transfers small files between network devices, typically boot images and configuration files. It has no authentication or encryption, so it is commonly disabled by administrators or restricted to an isolated management network.
- TFTP uses UDP 69
Other use cases
- SNMPv3 – Simple Network Management Protocol is used to monitor and manage network devices. Version 3 adds user authentication and encryption; versions 1 and 2c rely on cleartext community strings and should not be exposed.
- Uses UDP 161 on the agent to receive requests from the manager
- Uses UDP 162 on the manager to receive traps (error messages and notifications) from agents
- SMB – Server Message Block provides file sharing, network browsing, printing services, and inter-process communication over a network.
- SMB uses TCP 445 (the legacy NetBIOS-over-TCP transport used TCP 139); SMBv1 should be disabled wherever possible
- RDP – Remote Desktop Protocol is used by administrators for remote access to systems. It runs over TCP or UDP: TCP carries the initial connection and UDP is used when available for better performance.
- RDP uses TCP 3389 and UDP 3389