WEBVTT

00:00.090 --> 00:05.310
There are zillions of Internet services out there, and if you're going to harden them well, the main thing

00:05.310 --> 00:11.110
you're going to be doing is use a secure protocol. So if you read the questions on the exam,

00:11.250 --> 00:17.400
always think in terms of security. So don't use regular FTP; use secure FTP if you're doing some kind

00:17.400 --> 00:20.540
of file transfer. If you're going to be using terminals,

00:20.550 --> 00:21.900
don't use Telnet.

00:21.900 --> 00:24.690
Use SSH. If you're going to be doing web stuff,

00:24.810 --> 00:26.300
use HTTPS.

00:26.460 --> 00:27.840
Don't use HTTP.

00:27.840 --> 00:33.420
And by the way, I've got entire episodes that cover these and their port numbers, in particular the port

00:33.420 --> 00:34.060
numbers.

00:34.140 --> 00:41.410
So you might want to refer back to those. You're going to run into lots of questions on the exam, and

00:41.410 --> 00:45.490
they're going to be like long files and stuff like that, and you're going to be looking for problems.

00:45.820 --> 00:49.930
In general, insecure protocols are always a bad idea.

00:49.930 --> 00:55.330
So when you're going through this stuff, make sure when you get questions like this that you're looking

00:55.330 --> 01:01.000
for insecure protocols. There's nothing better you can do to harden the service than to dump the

01:01.000 --> 01:02.400
insecure and go with the secure.

01:02.400 --> 01:10.750
However, there are two protocols in particular, two services in particular, that I don't really cover well

01:10.750 --> 01:13.000
enough and I want to take a moment to do that right now.

01:13.150 --> 01:14.950
So let's start with good old DNS.

01:19.160 --> 01:23.150
DNS has been around since pretty much almost the beginnings of the Internet.

01:23.180 --> 01:31.340
Now DNS runs on port 53, remember that, and DNS from the beginning has been a completely insecure protocol.

01:31.340 --> 01:37.390
I mean there is absolutely nothing there at all. So let's make sure we understand how DNS works.

01:37.490 --> 01:41.740
So here's my computer over here and he needs the IP address for something.

01:41.870 --> 01:45.710
So this computer over here goes up to his DNS server.

01:46.010 --> 01:51.550
Every computer's got a DNS server, and now this DNS server is going to march through the DNS hierarchy.

01:51.560 --> 01:54.470
I don't want to go through all that; let's just add one DNS server.

01:54.500 --> 02:00.500
So this DNS server will then talk to his upstream DNS server in an attempt to resolve.

02:00.500 --> 02:06.380
Now it could go higher from there, but eventually this DNS server is going to come back with the IP information,

02:06.380 --> 02:08.480
which is then passed down to the client.

02:08.480 --> 02:15.100
The problem here is that it's trivial for... let's put another computer in here that acts as a buffer.

02:15.110 --> 02:20.570
So he's in essence doing a man-in-the-middle attack and is intercepting these DNS requests and sending

02:20.570 --> 02:26.200
my poor client off to some scary strange place. In the late 1990s,

02:26.210 --> 02:35.030
DNSSEC was put forward as a tool to force authentication of DNS servers. To make this work, a DNSSEC-capable

02:35.030 --> 02:43.610
server generates a key pair and has the upstream DNS server sign them, creating new DNS records for

02:43.640 --> 02:44.450
each zone.

02:44.450 --> 02:46.510
So you'll get records like this.

02:46.520 --> 02:50.210
Now what's important is you'll notice this one is a public signing key.

02:50.210 --> 02:53.320
So let's watch how all this works together.

02:53.420 --> 03:00.140
So now, once again, the little individual client's going to go up to his DNSSEC-capable DNS server and

03:00.140 --> 03:01.490
make a request.

03:01.640 --> 03:07.130
This time the DNS server is going to go ahead and make a request to the upstream server, just like he

03:07.130 --> 03:08.180
did before.

03:08.180 --> 03:13.760
But he's also going to ask for the key from that upstream server.

03:13.760 --> 03:21.260
That way he can go ahead and authenticate to verify that he really is getting DNS information from that

03:21.260 --> 03:22.290
upstream server.

03:22.310 --> 03:24.560
No man-in-the-middle attack fears.

03:24.680 --> 03:27.650
There are two things I need you to know about DNSSEC.

03:27.650 --> 03:31.000
Number one, DNSSEC is not encryption.

03:31.040 --> 03:38.260
It's purely an authentication tool, so it doesn't hide the DNS requests; it just prevents man-in-the-middle.

03:38.270 --> 03:43.100
Also, DNSSEC has become quite popular on public DNS servers.

03:43.100 --> 03:52.040
A lot of the most famous DNS servers out there, like Google's famous 8.8.8.8, are fully DNSSEC-capable.

03:52.430 --> 03:55.720
OK, the next thing I want to take a quick look at is e-mail.

04:00.050 --> 04:08.570
E-mail, at least the original SMTP, POP and IMAP protocols, have always been totally insecure, and this

04:08.570 --> 04:09.890
has always been a big issue.

04:09.890 --> 04:19.220
Now, not that terribly long ago, we came up with secure versions of IMAP, POP and SMTP. So let's go through

04:19.220 --> 04:19.950
all of these.

04:20.000 --> 04:21.650
Let's start with SMTP.

04:21.740 --> 04:25.770
Here I have my computer that is local with some email client on it.

04:26.030 --> 04:30.690
And way over here is the SMTP server for the person I want to send email to.

04:30.740 --> 04:34.640
Now I'll use DNS to get the IP address of this SMTP server.

04:34.790 --> 04:39.950
But once I have that, once I make that connection, all the data that I'm sending is completely in the

04:39.950 --> 04:42.520
clear. With secure SMTP,

04:42.590 --> 04:49.760
all we're doing is we're creating a TLS connection between my client system and the SMTP server.

04:49.790 --> 04:53.890
So the data is sent with authentication and encryption.

04:54.010 --> 04:57.670
Now SMTP by itself will just use port 25.

04:57.770 --> 05:04.460
But if you're using SSL/TLS-encrypted SMTP, it's going to be either using port 465

05:04.580 --> 05:06.390
or 587.

05:06.530 --> 05:11.170
That was so much fun, let's do it again, except this time let's do it with IMAP and POP.

05:11.180 --> 05:18.050
So here's my individual client system, and here's my IMAP or POP server; they were equally the same.

05:18.050 --> 05:22.960
Now normally I would just log in in the clear to my IMAP/POP server and get my email.

05:23.000 --> 05:24.380
So everything's in the clear.

05:24.380 --> 05:26.600
Even my password's in the clear here.

05:26.900 --> 05:33.770
Now what we'll use instead is something called STARTTLS. STARTTLS is just an extension to the IMAP and

05:33.770 --> 05:35.170
POP protocols.

05:35.180 --> 05:41.420
All that does is basically my client will sit there and say, hey, can we make a STARTTLS connection? My

05:41.420 --> 05:42.440
server will respond:

05:42.440 --> 05:47.820
Yes, and it will immediately be put into a TLS-encrypted tunnel.

05:47.830 --> 05:54.250
Now normally I'm going to use port 143, but if we're using SSL/TLS-encrypted IMAP, it's gonna be

05:54.250 --> 05:56.250
using port 993.

05:56.470 --> 06:01.880
POP would normally use 110, but encrypted POP uses port 995.

06:01.930 --> 06:08.360
The big takeaway here, when it comes to Internet service hardening, is use secure protocols.

06:08.470 --> 06:14.140
Make sure that you always know that there's a secure protocol option available, and also make sure you're

06:14.140 --> 06:15.880
comfortable with the terminology here.

06:15.910 --> 06:17.890
Make sure you know about DNSSEC.

06:17.890 --> 06:22.300
Make sure you know about STARTTLS and the different types of protocols they are attributed to.
