types of network services. So we've got to kind of switch gears here and talk about how we're going to put this all in place. And I think that client-server is how we all live today, most of the time.

A lot of younger organizations who have come to me say, "Well, we use peer-to-peer like BitTorrent all the time to transfer files back and forth, because it works really well for us." You've just said to me, "We don't care about security, and we're willing to be compromised. Our files are willing to be compromised by everybody, and we don't care." Okay, if that's the way that you feel, that's fine. But you don't care about security. So don't call me up and say, "I need your help with security," if you're using BitTorrent or anything like that, because you don't know who all the other nodes are. You don't know if you're going to be a super node in this, and you don't play the same game that I do.

Multi-tier we do see, but we see it in one really, really focused, narrow place. At least I see it in one very focused place. And that would be the database server that sits behind a web server that offers up communications to a client that's out there.
Three other protocols that we should talk about are standard. DNS, remember, uses UDP and TCP, as we talked about. It translates fully qualified domain names to IP addresses, because we could, in theory, type in https://192.168.1.1/ and it would get us to that server. But remembering those IP addresses? I don't remember any of that stuff. One day DNS will get broken some way, shape or form, and knowing the IP addresses will be great for one person on the planet. But the rest of us will just wait until the Internet snow day is over with. That runs on both TCP and UDP, port 53.

LDAP runs on a variety of ports. Sometimes when we talk about these ports, it's 389, it's 969 and 3386, depending on the implementation of LDAP and what it's being used in conjunction with. Like for Active Directory, it's a little bit different than other LDAP servers.

NetBIOS, that's Network Basic Input Output System, runs on ports, notice those are UDP 137, 138 and TCP 139. This processes LDAP information, but it also processes a lot of other information that's too revealing about our organization. If I was building firewalls, I would block all outbound UDP 137, 138, TCP 139, and anything inbound also. I would crush that. Now, some vendors out there are going to say, "But we use that protocol to go ahead and get our service for our application and our agent to work." Simple as that; move on from there.
Instant messaging, IRC and Network Time Protocol. So instant messaging is peer-to-peer. But unfortunately, a lot of the instant messaging that we think is peer-to-peer actually uses some sort of server where it's store-and-forward. So be very careful about using instant messaging. If it's sensitive communication, don't. If this is casual chat, well, most of us are doing texting now.

Internet Relay Chat is a client-server based system where we can actually do chatting. A lot of the evildoers out there will set up IRC to actually have their compromised computers communicate into this chat session, where it says, "I've popped up and I've been compromised. Please connect me." And they use that to gather their bots together and then to do command and control. Doesn't happen as often these days; they're using a lot more HTTP and encrypted HTTP. But IRC, Internet Relay Chat, has been used for that evil purpose in the past.
NTP. You'd think a Network Time Protocol can't really hurt us. I mean, synchronizing our watches is a good thing, right? Well, it turns out about six months ago, six or nine months ago, there was a denial of service attack on NTP clients. And so there were masses of information being flowed into lots and lots of networks as a denial of service using NTP. Network Time Protocol as a synchronization device is a really good thing from a security standpoint, so that we can synchronize all our machines so that all of our logs line up if we're doing incident response or we're doing any kind of forensics analysis. Having an accurate timeline is critical to our achieving our goals.
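As an added example that is not part of the lecture, here is what "logs lining up" means in practice: three hosts record the same incident, two of them with drifted clocks, and the merged timeline only makes sense once each host's measured offset from the NTP reference is applied. The hostnames, log lines and offsets are constructed for illustration.

```python
"""Added example (not from the lecture): why synced clocks matter for IR.

Three hosts each log the same intrusion; two have drifted clocks. Without
correcting for the drift, the merged timeline puts effects before causes.
All log lines and offsets below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed logs: (hostname, local timestamp, message). Clocks are nominally
# UTC, but 'db01' runs 90 s fast and 'fw01' runs 45 s slow.
LOGS = [
    ("web01", "2024-03-01T10:00:05", "POST /login from 203.0.113.7 failed"),
    ("web01", "2024-03-01T10:00:12", "POST /login from 203.0.113.7 ok user=svc"),
    ("db01",  "2024-03-01T10:01:50", "SELECT * FROM customers by svc"),
    ("fw01",  "2024-03-01T09:59:40", "outbound 10.0.0.5:51000 -> 203.0.113.7:443 4 MB"),
]

# Measured clock offsets in seconds (host clock minus NTP reference), the kind
# of value an NTP client reports. Constructed values.
OFFSETS = {"web01": 0, "db01": +90, "fw01": -45}

def timeline(logs, offsets=None):
    """Return events sorted by time. If offsets is given, each host's
    timestamp is corrected back to reference time before sorting."""
    events = []
    for host, ts, msg in logs:
        t = datetime.fromisoformat(ts)
        if offsets is not None:
            t -= timedelta(seconds=offsets.get(host, 0))
        events.append((t, host, msg))
    return sorted(events)

def order(events):
    """Just the host sequence, convenient for comparing two timelines."""
    return [host for _, host, _ in events]

if __name__ == "__main__":
    # Raw: the firewall sees the 4 MB transfer *before* the login that caused it.
    print("raw:      ", order(timeline(LOGS)))
    # Corrected: login -> query -> transfer, the order that actually happened.
    print("corrected:", order(timeline(LOGS, OFFSETS)))
    for t, host, msg in timeline(LOGS, OFFSETS):
        print(t.isoformat(), host, msg)
```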
SMTP, POP and IMAP, let's say mail. Now on the server side, we talk about Simple Mail Transfer Protocol that runs over port 25. However, today most Internet service providers will not allow their clients to communicate SMTP, and they make them go over an upper port that is usually encrypted. I've seen 2525, I've seen 587, and a couple of other ones that are out there that are encrypted SMTP. It is set up for client-server for mail servers, where you post your mail that is then sent on to the mail servers on the other side of the planet. So when you send mail away as a client, you say, "Here, take this, SMTP server." When SMTP servers talk to each other, they say, "Here, I have mail for you. I have resolved this via DNS. I have mail for you. Take this mail, put it in," and then go ahead and get you back in the mail that you have.

POP and IMAP are purely for clients. When a client pops in, it is retrieving its mail. When it goes to IMAP, it is retrieving its mail. It says, "You are my mail server. May I please have my mail? Here's my authentication credentials." I pull down my mail and then I act on it. Well, in POP, what we see is that it was a very low-level client to start off with. And so IMAP came along and said, "Hey, we want rich messaging. We want to be able to do calendaring and all the other good stuff that goes along with that." This is in the days before Google Calendar. So IMAP was an excellent tool to use for us. It actually worked very, very well to do rich calendaring. And now, through a lot of iCal events, we can actually... this is a lot easier today. We don't have to have that rich IMAP client actually do this unless we're in an office setting.
Common Internet File System, Server Message Block and secure Network File System: all file systems allowing us to do file transfer between each other in a rich environment where we have a high-speed local area network. So these are file sharing protocols. NFS is primarily used on the UNIX side of the house, and CIFS is used definitely with Windows clients and potentially with Mac clients. In a lot of cases, there are all sorts of different kinds of authentication allowed for each one of these.

I want to pick on NFS just for a second. It does one thing from a security standpoint: it does this downgrading of security when the client on the other end says, "Hey, I'm a poor dumb version one client and I can only do clear text password. Please, please, brother, can you hand me a clear text... can I hand you a clear text password?" Well, wait a minute. You want clear text passwords? I think we're kind of over that. We've kind of figured out that that's probably bad. But this protocol and future versions of the protocol will all be backward compatible, which exposes us. And so that's why I say NFS is bad. But there is a secure version of NFS and I think that we can use it. I say we disable NFS if we can. It might be a business requirement for you.
Let's switch gears and talk about communication to our hard drive arrays. Now these hard drive arrays can be local or they can be across an IP network. When they're across an IP network, they'd better be very close, because it's hard drives, and it better be a high-speed line. Hopefully it's fiber. And for each one of these protocols that we have here, we don't have a lot of security, because what we say is this is a very short distance. This is a private sub-network that's only shared from our file servers to our server back here. And if that's the case, then okay. But if that's not the case, you might want to think about using IPsec for long-haul stuff, especially when we go storage area network replication to storage area network over a fiber link that's like 90 miles away.

FTP and TFTP. TFTP has no authentication whatsoever. It is used for downloading configurations. We used to do this for routers and switches. We could still do this. I think we do a lot of TFTP for downloading phone configurations on the fly, which I find very interesting.
FTP, File Transfer Protocol, goes over two different ports, and that causes some problems for firewalls and stateful connections. You actually have to make an extra rule. In that rule, you say TCP port for control, that's to set it up, and TCP port 20 for data being passed back and forth.
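As an added example that is not part of the lecture, this is the piece of logic an FTP-aware stateful firewall needs in order to open that second connection: on the control channel (TCP 21) it watches for the client's PORT command (active mode, the server connects back from TCP 20) and the server's 227 reply (passive mode, the client connects out to the advertised port), both of which encode the endpoint as h1,h2,h3,h4,p1,p2. The client and server addresses and the session lines are constructed.

```python
"""Added example (not from the lecture): deriving the FTP data connection a
stateful firewall must permit from the control-channel dialogue on TCP 21.
Addresses and session lines below are constructed for illustration."""
import re

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply.
_ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_addr(text):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port), or None if malformed."""
    m = _ADDR.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]

def expected_data_conn(line, client_ip, server_ip):
    """Return (src_ip, src_port, dst_ip, dst_port) for the data connection one
    control line announces; src_port None means 'any'. Returns None for lines
    that are not PORT/227, or whose address does not belong to the peer that
    sent it (a sanity check every FTP-aware filter should apply)."""
    if line.upper().startswith("PORT "):             # client -> server
        addr = decode_addr(line)
        if not addr or addr[0] != client_ip:
            return None
        return (server_ip, 20, client_ip, addr[1])   # server dials back from 20
    if line.startswith("227 "):                      # server -> client
        addr = decode_addr(line)
        if not addr or addr[0] != server_ip:
            return None
        return (client_ip, None, server_ip, addr[1]) # client dials out
    return None

# Constructed control-channel exchange between one client and one server.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",                               # active: 4*256+1 = 1025
    "227 Entering Passive Mode (198,51,100,5,195,80)",   # passive: 195*256+80 = 50000
    "PORT 10,9,8,7,4,1",                                 # address is not the client: ignored
]

def pinholes(session, client_ip, server_ip):
    """All data connections the firewall should open for this session."""
    conns = (expected_data_conn(ln, client_ip, server_ip) for ln in session)
    return [c for c in conns if c]

if __name__ == "__main__":
    for conn in pinholes(SESSION, CLIENT, SERVER):
        print(conn)
```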
It's not that it's insecure; it's that it's clear text passwords, and clear text passwords are a bad thing. If you use an FTP server where there are no passwords whatsoever and say, "Here, take these files, but you're not allowed to post anything to my server," then that's a reasonable use of FTP. But if you're having an open FTP server and you think that passwords are going to protect you, that's not the case. If you're on the security side of things, scan for these FTPs and see whether there is a valid business reason, and then start stomping those out as fast as you possibly can.

What could you use in place? Well, hey, why not use SFTP or FTPS? Either one of those will work. Now, SFTP is a pure protocol using Secure Shell, and FTPS is using SSL. So you can get the confidentiality you need. You can get the encryption that you need. You can get the protection of that data transfer back and forth at not much of a cost. So protect your network.
HTTP, HTTPS and Remote Desktop Protocol. Before, I was a little angry, a little bitter, about stomping out FTP servers. I think we should do the same thing to Remote Desktop Protocol. Remote Desktop Protocol allows remote control of a host. End users love it because, hey, we can already VPN in and somebody can fix my computer. It has been known for a long time now that Remote Desktop Protocol has, in some implementations, some flaws. Those flaws haven't been fully explored yet, but I think it's coming. You know, I'm looking into my crystal ball, which is kind of cloudy, but when I look at my crystal ball, what I see is Remote Desktop Protocol is something that I would want to attack. And also a lot of the underlying protocols that Remote Desktop Protocol uses for authentication, depending on the implementation, are also weak.
What do I love? I love HTTPS, our Hypertext Transfer Protocol, our web-based protocol running over a secure connection. It's what we do e-commerce in. I love it so much that I can do lots and lots of man-in-the-middle against it, and that's the problem with it. If we're using it for e-commerce today, it is sufficient for the task, but not for long. There are many, many attacks against it. I think when those attacks become deployed in earnest, I think when they're all automated, I think we're going to have to convert over to installing PKI certificates on individual workstations. A lot of the military people use something called Common Access Card. There's another name for it; I think it's PIV, is the other term for it. I think that those are going to be issued out to end users in the future by their banks.

So what are all these common ports? Let's roll this all up into one big ball here and summarize. Listen, all those ports