Module 8 Security Technologies and Protocols

Uploaded by Sami Y

CHAPTER: SECURITY TECHNOLOGIES AND PROTOCOLS

Module Objectives:
8.1 MONITORING COMMON PROTOCOLS
Syslog and NTP
Various protocols that commonly appear on networks have
features that make them of special interest in security
monitoring. For example, syslog and Network Time Protocol
(NTP) are essential to the work of the cybersecurity analyst.
NTP
Syslog messages are usually timestamped. This allows messages from different sources to be organized by time to provide a view of network communication processes. Because the messages can come from many devices, it is important that the devices share a consistent timeclock. One way that this can be achieved is for the devices to use Network Time Protocol (NTP).
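The paragraph above says correlation across devices only works when their clocks agree. The following added example (not from the page or the course material) shows why: it orders constructed syslog lines from two hosts first by their logged timestamps, then after subtracting each host's clock offset as measured against an NTP reference. The log format, host names and offset values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed syslog lines (not from the page): "<RFC 3339 timestamp> <host> <process>: <message>".
# fw1 and srv2 logged one SSH attempt, but srv2's clock runs 90 seconds fast.
SAMPLE_SYSLOG = """\
2024-05-01T10:00:00Z fw1 kernel: ACCEPT TCP 203.0.113.5 -> 10.1.1.30:22
2024-05-01T10:01:35Z srv2 sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:10Z fw1 kernel: DROP TCP 203.0.113.5 -> 10.1.1.30:22
"""

# Assumed per-host clock offsets in seconds, as measured against the NTP reference
# (positive = host clock is ahead). Constructed values for this example.
CLOCK_OFFSETS = {"fw1": 0, "srv2": 90}


def parse_syslog_line(line):
    """Split one line into its timestamp, host, and message text."""
    ts_text, host, message = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return {"ts": ts, "host": host, "message": message}


def correlate(log_text, offsets):
    """Return events ordered by corrected time.

    Each event's logged timestamp is shifted back by its host's offset, so hosts
    whose clocks disagree with the NTP reference are lined up before sorting.
    Pass an empty offsets dict to see the naive, uncorrected ordering.
    """
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_syslog_line(line)
        ev["corrected_ts"] = ev["ts"] - timedelta(seconds=offsets.get(ev["host"], 0))
        events.append(ev)
    events.sort(key=lambda e: e["corrected_ts"])
    return events


def event_sequence(log_text, offsets):
    """Compact view of the ordering: (host, first word of the message)."""
    return [(e["host"], e["message"].split(": ", 1)[1].split()[0])
            for e in correlate(log_text, offsets)]


if __name__ == "__main__":
    print("uncorrected:", event_sequence(SAMPLE_SYSLOG, {}))
    print("corrected:  ", event_sequence(SAMPLE_SYSLOG, CLOCK_OFFSETS))
```

Without the correction the failed login appears to happen after the firewall already dropped the connection; with synchronized clocks the sequence makes sense.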
DNS
Domain Name Service (DNS) is used by millions of people daily.
Because of this, many organizations have less stringent policies
in place to protect against DNS-based threats than they have to
protect against other types of exploits. Attackers have
recognized this and commonly encapsulate different network
protocols within DNS to evade security devices. DNS is now
used by many types of malware.
HTTP and HTTPS
Hypertext Transfer Protocol (HTTP) is the backbone protocol of the World
Wide Web. However, all information carried in HTTP is transmitted in
plaintext from the source computer to the destination on the internet. HTTP
does not protect data from alteration or interception by malicious parties,
which is a serious threat to privacy, identity, and information security. All
browsing activity should be considered to be at risk.
Figure: HTTPS Protocol Diagram
Figure: HTTPS Transactions
Email Protocols
Email protocols such as SMTP, POP3, and IMAP can be used by
threat actors to spread malware, exfiltrate data, or provide
channels to malware CnC servers, as shown in the figure.
ICMP
ICMP has many legitimate uses; however, ICMP functionality has also been used to craft a number of types of exploits. ICMP can be used to identify hosts on a network, map the structure of a network, and determine the operating systems in use on the network. It can also be used as a vehicle for various types of DoS attacks.
8.2 SECURITY TECHNOLOGIES
ACLs
Many technologies and protocols can have impacts on security monitoring. Access Control Lists (ACLs) are among these technologies. ACLs can give a false sense of security if they are overly relied upon. ACLs, and packet filtering in general, are technologies that contribute to an evolving set of network security protections.
Figure: Mitigating ICMP Abuse
NAT and PAT
Network Address Translation (NAT) and Port Address Translation (PAT) can complicate security monitoring. Multiple IP addresses are mapped to one or more public addresses that are visible on the internet, hiding the individual IP addresses that are inside the network (inside addresses).
Encryption, Encapsulation, and Tunneling
As mentioned with HTTPS, encryption can present challenges to security monitoring by making packet details unreadable. Encryption is part of VPN technologies. In VPNs, a commonplace protocol like IP is used to carry encrypted traffic. The encrypted traffic essentially establishes a virtual point-to-point connection between networks over public facilities. Encryption makes the traffic unreadable to any devices other than the VPN endpoints.
Peer-to-Peer Networking and Tor
In peer-to-peer (P2P) networking, shown in the figure, hosts can operate in both client and server roles. Three types of P2P applications exist: file sharing, processor sharing, and instant messaging. In file sharing P2P, files on a participating machine are shared with members of the P2P network. Examples of this are the once popular Napster and Gnutella. Bitcoin is a P2P operation that involves the sharing of a distributed database, or ledger, that records Bitcoin balances and transactions. BitTorrent is a P2P file sharing network.
Figure: Tor Operation
Load Balancing
Load balancing involves the distribution of traffic between devices or network paths to prevent overwhelming network resources with too much traffic. If redundant resources exist, a load balancing algorithm or device will work to distribute traffic between those resources, as shown in the figure.
Summary
• Many types of devices from many different vendors can use syslog to send log entries to
central servers that run a syslog daemon.
• This centralization of log collection helps to make security monitoring practical.
• One way that this can be achieved is for the devices to use Network Time Protocol (NTP).
• Threat actors may attempt to attack the NTP infrastructure in order to corrupt time
information that is used to correlate logged network events or use NTP systems to direct
DDoS attacks through vulnerabilities in client or server software.
• Attackers commonly encapsulate different network protocols within DNS to evade security
devices. DNS is now used by many types of malware.
• Various types of encoding can be used to camouflage the data and evade basic data loss
prevention (DLP) measures. It is likely that the subdomain part of such queries would be
much longer than usual requests.
• Hypertext Transfer Protocol (HTTP) is the backbone protocol of the World Wide Web.
• HTTPS adds a layer of encryption to the HTTP protocol by using secure socket layer (SSL),
making the HTTP data unreadable as it leaves the source computer until it reaches the
server.
• Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to spread
malware, exfiltrate data, or provide channels to malware CnC servers.
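The DNS section and the summary bullets on DNS encapsulation describe tunnelled data as encoded payloads packed into subdomains that are much longer than normal queries. The following added example (not from the page or the course material) applies that check to constructed resolver log lines, flagging queries by subdomain length and character entropy; the log format, the thresholds and the "last two labels" approximation of the registrable domain are assumptions.

```python
import math

# Constructed DNS query log lines (not from the page): "<timestamp> <client> <qname> <qtype>".
# The two .test queries mimic tunnel traffic: encoded data packed into a long subdomain.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.1.1.20 www.example.com A
2024-05-01T10:00:02Z 10.1.1.20 mail.example.com MX
2024-05-01T10:00:03Z 10.1.1.44 zmfyzwvkdgvzdgrhdgffdgvzdgrhdgf0ywrhdgfkyxrh.t1.tunnel-example.test TXT
2024-05-01T10:00:04Z 10.1.1.44 a3jtcgrnaxrlahl5dgvzdg9lc3qgdgvzdgrhdgfkyxrhzgf0yq.t1.tunnel-example.test TXT
2024-05-01T10:00:05Z 10.1.1.20 cdn.example.com AAAA
"""

# Assumed thresholds for this example; tune them against a baseline of your own resolver logs.
MAX_SUBDOMAIN_LEN = 40
MIN_ENTROPY = 3.5


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than real hostnames."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_part(qname):
    """Everything left of the registrable domain, approximated here as the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def flag_tunnel_candidates(log_text, max_len=MAX_SUBDOMAIN_LEN, min_entropy=MIN_ENTROPY):
    """Return (client, qname, qtype, reasons) for queries whose subdomain looks like carried data."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, qtype = parts
        sub = subdomain_part(qname)
        reasons = []
        if len(sub) > max_len:
            reasons.append(f"subdomain length {len(sub)} > {max_len}")
        if shannon_entropy(sub) >= min_entropy:
            reasons.append(f"subdomain entropy {shannon_entropy(sub):.2f} >= {min_entropy}")
        if reasons:
            flagged.append((client, qname, qtype, reasons))
    return flagged
```

Both entropy and length are heuristics: legitimate CDN and cloud hostnames can trip either one, so treat the output as a triage list to compare against a baseline rather than as a verdict.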
Summary (cont.)
• ACLs can give a false sense of security if they are overly relied upon.
Attackers can determine which IP addresses, protocols, and ports
are allowed by ACLs.
• Network Address Translation (NAT) and Port Address Translation
(PAT) can complicate security monitoring.
• Encryption can present challenges to security monitoring by making
packet details unreadable. Encryption is part of VPN technologies.
• In peer-to-peer (P2P) networking, hosts can operate in both client
and server roles.
• Tor is a software platform and network of P2P hosts that function as
internet routers on the Tor network.
• Load balancing involves the distribution of traffic between devices
or network paths to prevent overwhelming network resources with
too much traffic.
