Another protocol we use to retrieve our email is called IMAP4, and that stands for Internet Message Access Protocol, version 4. Now, it's designed as a complete management solution for an email box accessed by multiple email clients. Clients typically leave messages on the server until the user explicitly deletes them. For example, I'm using my mobile phone, my smartphone here, somewhat smart-looking, and it's going to connect up to a mail server. Let's say that our mail server, in this case, is an Internet mail server, and so I'm going to connect up and retrieve my mail. Now, I may not want to store my mail on my phone; I may just want to be able to look at it, read it, maybe delete it, manage it, but I don't necessarily want to keep it all there, and maybe later I want to access my email from my laptop, so I go up to my mail server again. IMAP allows me to keep it all on the server and then use multiple devices, rather than retrieving it to a single device and being limited to that one device to actually use my email. Now, IMAP also uses two TCP ports: port 143 for the non-encrypted traffic and 993 for encrypted. Now, virtually all modern email clients and servers support IMAP and POP3, as do many webmail service providers such as Gmail, Outlook, and Yahoo. Finally, there's a protocol we use to send email messages between servers, and that's what's known as SMTP, or Simple Mail Transfer Protocol. Most email systems send mail over the Internet using SMTP to send messages from one server to another. The messages are then retrieved with the previously mentioned protocols, POP or IMAP. In addition, SMTP is generally used to send messages from a mail client to a mail server. This is why you need to specify both the POP or IMAP server and the SMTP server when you configure an email application. SMTP uses TCP port number 25.
Point-to-Point Protocol, or PPP, provides a standard for transporting multi-protocol data over point-to-point links. It's actually a data link layer protocol, meaning it runs at layer two, below IP, TCP, and UDP. PPP encapsulates IP across a serial link between two devices. Because IP and TCP don't support point-to-point connections, PPP can be used to send them over Ethernet or other physical media. Point-to-Point Protocol over Ethernet, or PPPoE, is used most commonly by Internet service providers to establish a Digital Subscriber Line, or DSL, Internet service connection with customers. If I was using DSL, my router, which we call a DSL modem, would then be connecting to another modem from our ISP, and then we would have this point-to-point connection, directly connected from here to here. PPPoE would be used to authenticate and then manage that connection. The first thing is authentication. The two routers here will send authentication messages to each other, and there are two forms of authentication to choose from. There's one called PAP, which stands for Password Authentication Protocol, and then there's another one called CHAP, which stands for Challenge Handshake Authentication Protocol. PPP also handles compression, meaning it increases the effective throughput on the connection by reducing the amount of data in the frame that has to travel across that link. Remember, it's a layer two protocol, so it uses what we call frames. The protocol decompresses the frame at its destination. It also does error detection, so it identifies any fault conditions and helps ensure a reliable, loop-free data link, and it can also handle multi-link, meaning it can load balance when there are several interfaces to move traffic across; it does this with what we call Multilink PPP. Server Message Block Protocol, or SMB, is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.
It enables an application to access files on a remote server, as well as other resources including printers, mail slots, and named pipes. That is, a client application can open, read, move, create, and update files on the remote server. It can also communicate with any server program set up to receive an SMB client request. The SMB protocol is known as a request-response protocol, meaning it transmits multiple messages between the client and server to establish a connection, and it runs over TCP ports 445 and 193. Now, a good example of SMB is when you are on a Windows network. If I've got a file server up here with some files that I want to download, I will connect up with my laptop using SMB and pull those files back down. That is typically how Windows handles file transfer across the network, using the SMB protocol. Simple Network Management Protocol, or SNMP, is a protocol that allows servers to share information about their current state. SNMP systems can be very complex. There are multiple versions of the SNMP protocol. The most widely used currently is version 1. Version 1 is not very secure. The other version in use is version 3, which provides advanced security features. SNMP uses agents, which are programs that can gather information about a piece of hardware, organize it into predefined entries, and respond to queries using the SNMP protocol. They do the bulk of the work: they're responsible for gathering information about the local system and storing it in a format that can be queried. They also update a database called the Management Information Base, or MIB. The SNMP manager queries agents for information. The computers are configured to poll those SNMP agents, and the manager forms a message that requests information, which we call a get, and it basically will ask for things like the number of active sessions, the name of the community to which the SNMP manager belongs, and the destination IP address of the message.
When the message is received, the agent verifies that the community name contained in the packet is on its list of acceptable community names, evaluates the request against the agent's list of access permissions for that community, and verifies the source IP address. The session information sent to the server is based on the device's Management Information Base, or MIB. The agent retrieves the requested session information from the MIB, uses the retrieved session information from the extension agent, and then the SNMP service sends that response to the server. For example, I may have an SNMP server up here, and then I have agents running on, say, my switch, my firewall, and my router. My server is going to send out requests to each of the agents, and those agents are going to send back responses based on the MIBs that they carry. Telnet and Secure Shell, which is also known as SSH, are protocols used for remotely administering servers and other network devices. Once connected, a user logs in with a local account, and the access privileges are determined by that local account. In other words, this may be an account that has superuser access, meaning there can be read and write access anywhere on that device, or it might be limited to certain areas of the device. It might be read-only, or whatever we want to do to limit access to certain people. Now, Telnet is not a secure connection, and it can be monitored in plain text; it uses TCP port 23. SSH is a secure protocol and is probably the more common of the two, for that reason. It uses encryption, and it establishes a secure connection between the two parties. It authenticates each side to the other and then passes the commands and output back and forth. To secure the transmission of data between two parties, SSH employs symmetric and asymmetric encryption; it also uses hashes. Now, SSH uses port 22.
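The sequence of checks an agent runs on an incoming get or set, community name first, then the community's permissions, then the source address, then the MIB lookup, is easiest to see in code. The following is an added Python example, not code from the lecture or from any SNMP implementation: the MIB contents, the community names `monitor-ro` and `admin-rw`, the source networks, and the audit log are all constructed for illustration (the OIDs are standard MIB-II objects, the values are made up). It also records every refusal, since in SNMPv1 the community string is the only thing standing between a requester and the device's state, so repeated bad-community requests are worth seeing in a log.

```python
import ipaddress

# Constructed sample MIB for a toy agent: OID -> current value.
# OIDs are standard MIB-II objects (sysName, sysUpTime, tcpCurrEstab);
# the values are invented for this example.
MIB = {
    "1.3.6.1.2.1.1.5.0": "core-switch-1",   # sysName
    "1.3.6.1.2.1.1.3.0": 864000,            # sysUpTime (hundredths of a second)
    "1.3.6.1.2.1.6.9.0": 17,                # tcpCurrEstab: active TCP sessions
}

# Hypothetical per-community configuration: what each community may do and
# which source networks it is accepted from.
COMMUNITIES = {
    "monitor-ro": {"mode": "read-only",  "sources": ["10.0.0.0/24"]},
    "admin-rw":   {"mode": "read-write", "sources": ["10.0.0.5/32"]},
}

AUDIT_LOG = []  # one line per decision, so refused requests are visible to the operator


def handle_request(community, source_ip, op, oid, value=None):
    """Apply the agent's checks in order and return (status, detail).

    Statuses: "discarded" (no reply at all, as a v1 agent does for a request it
    does not accept), "error" (a reply carrying an error status), or "ok".
    """
    cfg = COMMUNITIES.get(community)
    # 1. Is the community name on the list of acceptable names?
    if cfg is None:
        AUDIT_LOG.append(f"{source_ip} community={community!r}: unknown community, discarded")
        return ("discarded", "unknown community")
    # 2. Is the operation within the community's access permissions?
    if op not in ("get", "set"):
        return ("error", "unsupported operation")
    if op == "set" and cfg["mode"] != "read-write":
        AUDIT_LOG.append(f"{source_ip} community={community!r}: set refused (read-only)")
        return ("error", "read-only community")
    # 3. Does the request come from a source address allowed for that community?
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(net) for net in cfg["sources"]):
        AUDIT_LOG.append(f"{source_ip} community={community!r}: source not permitted, discarded")
        return ("discarded", "source address not permitted")
    # 4. Serve the request from the MIB.
    if oid not in MIB:
        return ("error", "noSuchName")
    if op == "set":
        MIB[oid] = value
    AUDIT_LOG.append(f"{source_ip} community={community!r}: {op} {oid} ok")
    return ("ok", MIB[oid])


if __name__ == "__main__":
    # A manager polling for the number of active TCP sessions.
    print(handle_request("monitor-ro", "10.0.0.7", "get", "1.3.6.1.2.1.6.9.0"))
    # The same poll with a guessed community name gets no answer at all.
    print(handle_request("public", "10.0.0.7", "get", "1.3.6.1.2.1.6.9.0"))
    print("\n".join(AUDIT_LOG))
```

The order of the checks mirrors the lecture's description; a real agent would additionally send the reply over UDP port 161 and could raise an authenticationFailure trap for the unknown-community case, neither of which this toy models.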
Symmetric encryption is where one key is used to encrypt messages between the two parties; it's also known as shared secret or secret key encryption. Typically, there is only one key used for all operations. With asymmetric encryption, two keys are needed, a private key and a public key. The public key can be freely shared with any party and is associated with its parent key, but the private key cannot be derived from the public key. The mathematical relationship between the public key and the private key allows the public key to encrypt messages that can only be decrypted by the private key. This is one-way, meaning the public key cannot decrypt the messages it writes, nor can it decrypt anything the private key may send. For this to work, the private key should be kept entirely secret and never shared with another party, since the private key is the only key capable of decrypting the messages that are encrypted by that public key. SSH also uses cryptographic hashing. What this means is that it creates a unique signature, a summary of a set of information: using the same hashing function on the same message should produce the same hash, and modifying any portion of the data should produce an entirely different hash. With the advent of the Internet, the number of devices and services communicating with each other grows exponentially each year. We've moved from personal computers to all manner of smart devices and apps. The ability to compromise one's data being sent across the Internet is a major concern for all; whether it is personal, financial, or medical information, a company's intellectual property, or a government's or military's secret information, all are potentially vulnerable through networking and Internet access. Now, because all network communication uses protocols to send and receive information, the need to control what is and isn't allowed is a primary part of network security.
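The two hashing properties just described, same input gives the same hash and any change gives an entirely different one, can be checked directly with the Python standard library. This is an added example, not part of the lecture: it hashes a constructed configuration fragment with SHA-256, counts how many digest bits flip when a single character of the input changes, and performs an integrity check with a constant-time comparison, which is the shape of check a transport protocol applies to detect a modified message.

```python
import hashlib
import hmac


def sha256_digest(data: bytes) -> bytes:
    """Fixed-length summary of arbitrary data: same input, same digest."""
    return hashlib.sha256(data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count how many bits differ between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def integrity_check(data: bytes, expected_digest_hex: str) -> bool:
    """Recompute the digest and compare it in constant time.

    compare_digest avoids leaking, through timing, how many leading
    characters of a forged digest happened to match.
    """
    return hmac.compare_digest(sha256_digest(data).hex(), expected_digest_hex)


# Constructed sample: a configuration fragment and a copy with one address changed.
ORIGINAL = b"interface GigabitEthernet0/1\n ip address 10.1.1.1 255.255.255.0\n"
TAMPERED = ORIGINAL.replace(b"10.1.1.1", b"10.1.1.2")


def demo() -> dict:
    """Exercise the three properties and return the observations."""
    first = sha256_digest(ORIGINAL)
    again = sha256_digest(ORIGINAL)
    changed = sha256_digest(TAMPERED)
    return {
        "repeatable": first == again,                 # same data, same hash
        "bits_changed": differing_bits(first, changed),  # roughly half of 256
        "tamper_detected": not integrity_check(TAMPERED, first.hex()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only two bits of the input differ between the two versions (the byte `1` versus `2`), yet close to half of the 256 digest bits change; that is what "entirely different hash" means in practice, and it is why a hash of the data travels alongside it to reveal tampering.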
On a network, packet filtering is the process of passing or blocking packets at a network interface based on the source, destination, and protocol information. That is the source IP, source port, destination IP, destination port, and protocol, which makes it what we call five-tuple information. We saw this before, but let's look at another example. Once again, let's say my laptop here, which is 10.1.1.100, wants to go to www.example.com, and this time it's going to be on HTTPS. Now, that means it's going to run on port 443, not port 80 as we looked at last time. I have my source IP of 10.1.1.100. It's going to generate a dynamic source port, which we'll say is 49200, and it's then going to go to whatever address resolves for example.com. Let's just say, for example, 90.4.3.2, and port 443. This is our destination. Now, because this is running on TCP, that means it's protocol 6. Now, the way we filter these packets is through what we call access control lists, or ACLs, or just access lists. They exist to grant or deny access based on that five-tuple information. Initially, ACLs filtering the traffic based on the five-tuple was the best way to control traffic. Now network security has evolved to where the entire packet can be analyzed at all layers, and more criteria can be used to match traffic against a security policy, including the very application that is running across this communication. The way an access list is written out will vary depending on the device, but here's a somewhat generic example. In this case we'll show how to permit traffic. It may start off something like this: permit, and then the protocol that we're using, so TCP, and we'll use the same source and destination IP addresses we have right here, so source 10.1.1.100, destination 90.4.3.2, and then the port 443. This is allowing any traffic from this particular source, this one host, to the web server 90.4.3.2, which equates to example.com here in our example.
Conversely, we can use port blocking as a way to stop traffic based on that TCP or UDP port. Let's say that we have some employees who are playing Call of Duty on company time, and I'd like to stop that. I'd create an access list that may start off something like this: deny TCP, and then in this case, I might say I don't want anybody doing this, so I'm going to put "any". It'll be any and all hosts on my network going to any and all hosts on the Internet, or anywhere for that matter. Then I can put the port numbers that are specific to Call of Duty, so 20,500. Then I can either add all these ports into one rule or make three separate rules to handle the three ports I want to focus on. The other would be 20,5100 and the last one would be 28,960. Now I can block that traffic from working, so as Call of Duty tries to connect to its servers, it won't be able to do so because the ports it uses are now blocked. Now, many applications use standard ports that don't change, so port filtering is a very good way to block that traffic. But some applications can be dynamic, and they can find open ports when their preferred ports are blocked. They may use one that we normally use and don't want to block, like ports 80 and 443, or maybe port 53 for the Domain Name System. Now, we don't want to block those ports, because then we block Internet traffic. This is a way to get around port filtering, which is a limitation of access lists and port filtering in general. Continuing with port blocking, there are a few methods we can use to do that. One is called silent dropping. Now, silent dropping is a way to stop traffic from being received by your device without notifying the other side of the conversation. Someone's trying to send some communication to your network, and you are just dropping that traffic with no explanation. This has its benefits, because it allows the device to remain invisible to, say, would-be hackers, by not alerting them to what ports are open on my device.
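Putting the permit rule for the HTTPS session and the deny rules for the game ports into a small first-match evaluator shows how an access list actually decides on a five-tuple, including the implicit deny at the end that most devices apply when no rule matches. This is an added Python example, not a configuration from the lecture or any vendor's ACL syntax: the `Packet` and `Rule` types, the sample packets, and the third rule (an inbound Telnet deny that answers with a reset rather than a silent drop, to model the two blocking methods) are all constructed here. The lecture's first two ports are 20500 and 28960; the second one is transcribed as "20,5100" and is taken here as 20510, which is an assumption.

```python
import ipaddress
from dataclasses import dataclass

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Packet:
    """The five-tuple of one packet. Source port is carried but, as in the
    lecture's rules, not matched on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR such as "10.1.1.100/32", or "any"
    dst: str
    dst_ports: frozenset = frozenset()   # empty means any destination port
    on_deny: str = "drop"  # "drop" = silent drop, "reset" = send a TCP reset back


def _in_scope(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "any" and PROTO_NUMBERS[rule.protocol] != pkt.protocol:
        return False
    if not _in_scope(rule.src, pkt.src_ip) or not _in_scope(rule.dst, pkt.dst_ip):
        return False
    return not rule.dst_ports or pkt.dst_port in rule.dst_ports


def evaluate(acl, pkt: Packet):
    """Walk the list top to bottom; the first matching rule decides.
    Returns (verdict, rule_index); no match means implicit deny, handled as a
    silent drop, with rule_index None."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            if rule.action == "permit":
                return ("permit", index)
            return ("deny-" + rule.on_deny, index)
    return ("deny-drop", None)


# The lecture's permit rule and port-blocking rule, plus a constructed deny that
# replies with a reset so the caller's application learns the connection failed.
ACL = [
    Rule("permit", "tcp", "10.1.1.100/32", "90.4.3.2/32", frozenset({443})),
    Rule("deny", "tcp", "any", "any", frozenset({20500, 20510, 28960})),   # 20510 assumed
    Rule("deny", "tcp", "any", "10.1.1.0/24", frozenset({23}), on_deny="reset"),
]

# Constructed sample packets.
HTTPS = Packet("10.1.1.100", 49200, "90.4.3.2", 443, 6)       # the lecture's session
GAME = Packet("10.1.1.50", 51000, "203.0.113.9", 28960, 6)     # game client to its server
TELNET_IN = Packet("198.51.100.7", 40000, "10.1.1.20", 23, 6)  # inbound Telnet attempt
DNS = Packet("10.1.1.100", 53001, "90.4.3.2", 53, 17)          # UDP, matches no rule

if __name__ == "__main__":
    for name, pkt in [("HTTPS", HTTPS), ("GAME", GAME), ("TELNET_IN", TELNET_IN), ("DNS", DNS)]:
        print(f"{name:10} -> {evaluate(ACL, pkt)}")
```

Note that the DNS packet is dropped by the implicit deny, not by any rule the administrator wrote; on a real device that is the usual reason a permit list that looks complete still breaks something, and it is why rule order and a final explicit deny-and-log rule matter.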
A silent drop can also prevent what we call reflective attacks, where the source address sent to a device is fake, or what we call spoofed, and the firewall, router, or other system sends traffic back. But this is also a method used to gather information about a device and its open ports, along with other types of scans. Another way is using what's called a TCP reset. A TCP reset is an immediate close of a TCP connection. It actually sends a message to the other device and tells it to close that connection. Not only does this allow the system to release the resources allocated for the previous connection and make them available again, but TCP also aborts the connection, and the application that was sending knows the connection has failed. This allows the rejected application to notify the user and tell the sending system to cease sending. Now, this is a finer way to do this, but it also means that it does alert the other side to your presence. If you're trying to remain invisible, this is not the method that's going to do that. This concludes the presentation. I hope you learned a lot and have a great day.