CCIE SEC Application Protocols
HTTP
Hypertext Transfer Protocol
TCP 80
RFC2616
HTTP is a request/response standard between a client and a server.
The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. It is a generic, stateless protocol which can be used for many tasks beyond its use for hypertext, such as name servers and distributed object management systems, through extension of its request methods, error codes and headers.
Request methods
HEAD
GET
POST
PUT
DELETE
TRACE
OPTIONS
CONNECT
In HTTP/0.9 and 1.0, the connection is closed after a single request/response pair. In HTTP/1.1 a keep-alive mechanism was introduced, where a connection could be reused for more than one request.
HTTP is clear text; it is secured by one of two methods:
HTTPS URI scheme
Use of https:// in URIs
HTTP 1.1 Upgrade header
HTTP 1.1 introduced support for the Upgrade header. In the exchange, the client begins by making a clear-text request, which is later upgraded to TLS. It looks like this:
Client:
GET /encrypted-area HTTP/1.1
Host: www.example.com
Server:
HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.0, HTTP/1.1
Connection: Upgrade
The server returns a 426 status code because 400-level codes indicate a client failure, which correctly alerts legacy clients that the failure was client-related.
A sample conversation between an HTTP client and an HTTP server running on www.example.com, port 80:
Client request
GET /index.html HTTP/1.1
Host: www.example.com
Server response
HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
Common Status Codes
200 OK
301 Moved Permanently
400 Bad Request
403 Forbidden
404 Not Found
500 Internal Server Error
SMTP
Simple Mail Transfer Protocol
TCP 25
SMTP is a "push" protocol that cannot "pull" messages from a remote server on demand.
telnet smtp.example.com 25
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:
S: 250 Ok
C: RCPT TO:
S: 250 Ok
C: RCPT TO:
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example"
C: To: Alice Example
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 headers and 4 lines in the body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
{The server closes the connection}
One of the limitations of the original SMTP is that it has no facility for authentication of senders, so the SMTP-AUTH extension was defined. However, the impracticalities of widespread SMTP-AUTH implementation and management mean that e-mail spamming is not and cannot be addressed by it.
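The conversation above, replayed as an added example (not part of the original notes): a minimal SMTP client state machine that checks each server reply code before sending the next command, fed by a constructed server transcript. The sender and recipient addresses passed to it are assumptions for the demonstration.

```python
# Added example, not from the original notes: a minimal SMTP client state machine
# driven by a scripted server transcript, so the dialogue can be replayed offline.
import re

# Constructed server replies, in the order a Postfix-style server sends them for
# the conversation above: greeting first, then one reply per client command.
SERVER_SCRIPT = [
    "220 smtp.example.com ESMTP Postfix",
    "250 Hello relay.example.org, I am glad to meet you",
    "250 Ok",                                   # MAIL FROM
    "250 Ok",                                   # RCPT TO (first recipient)
    "250 Ok",                                   # RCPT TO (second recipient)
    "354 End data with <CR><LF>.<CR><LF>",
    "250 Ok: queued as 12345",
    "221 Bye",
]

class SmtpError(Exception):
    """Raised when the server answers with a code the client did not expect."""

def send_message(server_replies, sender, recipients, body_lines):
    """Walk the SMTP dialogue, verifying each reply code before the next step.

    Returns (commands_sent, queue_id) where queue_id comes from the final 250.
    """
    replies = iter(server_replies)
    sent = []

    def expect(code, command=None):
        if command is not None:
            sent.append(command)
        reply = next(replies, "")
        if not reply.startswith(f"{code} "):
            raise SmtpError(f"expected {code}, got {reply!r} after {command!r}")
        return reply

    expect(220)                                  # server greeting, nothing sent yet
    expect(250, "HELO relay.example.org")
    expect(250, f"MAIL FROM:<{sender}>")
    for rcpt in recipients:
        expect(250, f"RCPT TO:<{rcpt}>")
    expect(354, "DATA")
    # Dot-stuffing: a body line that starts with "." is sent as "..", so message
    # content can never be mistaken for the lone "." that ends the DATA phase.
    payload = [("." + ln if ln.startswith(".") else ln) for ln in body_lines] + ["."]
    final = expect(250, "\r\n".join(payload))
    expect(221, "QUIT")
    queue_id = re.search(r"queued as (\S+)", final)
    return sent, (queue_id.group(1) if queue_id else None)
```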
FTP
File Transfer Protocol
File Transfer Protocol (FTP) is a network protocol used to transfer data from one computer
TCP 21
Active & Passive Modes
Active DATA TCP 20
The FTP client opens a dynamic port.
The client sends the FTP server the dynamic port number on which it is listening over the control stream and waits for a connection from the FTP server.
When the FTP server initiates the data connection to the FTP client, it binds its source port to port 20 on the FTP server.
Passive DATA TCP 21
The FTP server opens a dynamic port.
The server sends the port it is listening on to the client and awaits a connection.
The client connects to the dynamic port (data) as well as the control port 21.
Clear Text Protocol
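Both modes above announce the dynamic data port over the control channel, which is exactly what a stateful firewall has to parse before it can permit the data connection. The following is an added example (not from the original notes) that decodes the h1,h2,h3,h4,p1,p2 form used by the client's PORT command (active) and by the server's 227 reply (passive), and checks that the announced address belongs to the peer that announced it. The IP addresses in the test are constructed.

```python
# Added example, not from the original notes: decoding the dynamic-port announcement
# a firewall must inspect to allow an FTP data connection.  Active mode: the client's
# PORT command names the port it listens on; passive mode: the server's 227 reply
# names its port.  Both use h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
import re

_ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Extract (ip, port) from a PORT command or a 227 reply; None if malformed."""
    m = _ADDR.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def encode_hostport(ip, port):
    """Build the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)

def expected_data_flow(mode, client_ip, server_ip, control_msg):
    """Describe the data connection to permit after control_msg is seen.

    Returns (src_ip, src_port, dst_ip, dst_port); src_port is None when it is an
    ephemeral port chosen later.  Returns None if the announcement is malformed or
    names an address other than the announcing peer's own, which should be refused.
    """
    announced = decode_hostport(control_msg)
    if announced is None:
        return None
    ip, port = announced
    if mode == "active":
        # Client announces; server connects FROM TCP 20 TO the client's port.
        return (server_ip, 20, ip, port) if ip == client_ip else None
    if mode == "passive":
        # Server announces; client connects from an ephemeral port TO the server's port.
        return (client_ip, None, ip, port) if ip == server_ip else None
    raise ValueError(f"unknown mode {mode!r}")
```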
DNS
Domain Name System
UDP 53 DNS Requests / Lookups
TCP 53 DNS Zone Transfers
TFTP
Trivial File Transfer Protocol
It cannot list directory contents.
It has no authentication or encryption mechanisms.
It is used to read files from, or write files to, a remote server.
Due to the lack of security, it is dangerous over the open Internet.
Trivial File Transfer Protocol (TFTP) is a simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).
UDP 69
NTP
Network Time Protocol
UDP 123
NTP is hierarchical; time sources are organised in strata:
Stratum 0
These are devices such as atomic (caesium, rubidium) clocks, GPS clocks or other radio clocks. Stratum-0 devices are traditionally not attached to the network; instead they are locally connected to computers (e.g., via an RS-232 connection using a Pulse per second signal).
Stratum 1
These are computers attached to Stratum 0 devices. Normally they act as servers for timing requests from Stratum 2 servers via NTP.
These computers are also referred to as time servers.
Stratum 2
These are computers that send NTP requests to Stratum 1 servers.
Normally a Stratum 2 computer will reference a number of Stratum 1 servers and use the NTP algorithm to gather the best data sample, dropping any Stratum 1 servers that seem obviously wrong.
Stratum 2 computers will peer with other Stratum 2 computers to provide more stable and robust time for all devices in the peer group.
Stratum 3
These computers employ exactly the same NTP functions of peering and data sampling as Stratum 2.
Read From Servers
Read / Write with Peers
Note: PIX and ASA cannot be configured as an NTP server, but they can be configured as an NTP client.
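The "drop any servers that seem obviously wrong" step in the Stratum 2 description is an interval-agreement problem: each source reports an offset with an error bound, and NTP keeps the sources whose intervals overlap with the largest group (the idea behind its clock-selection algorithm, Marzullo's algorithm). The following is an added example (not from the original notes, and a simplification of what ntpd actually does) that implements that selection; the sample offsets, in milliseconds, are constructed.

```python
# Added example, not from the original notes: the interval-intersection step behind
# NTP's clock selection, used to discard sources that disagree with the majority.
# Offsets and bounds are integer milliseconds here to keep the arithmetic exact.

def select_truechimers(sources):
    """sources: dict name -> (offset, error_bound), both in the same unit.

    Each source claims the true offset lies in [offset - bound, offset + bound].
    Returns (kept_names, (lo, hi)): the narrowest interval covered by the largest
    number of sources, and the names whose interval contains it.  Sources outside
    that agreement interval are the "obviously wrong" ones and are dropped.
    """
    # Sweep the interval endpoints; -1 marks a start so it sorts before an end
    # at the same point, which keeps closed intervals that merely touch counted.
    edges = []
    for name, (offset, bound) in sources.items():
        edges.append((offset - bound, -1, name))
        edges.append((offset + bound, +1, name))
    edges.sort()

    best_count, best_lo, best_hi, depth = 0, None, None, 0
    for i, (point, kind, _) in enumerate(edges):
        if kind == -1:
            depth += 1
            # A new deepest overlap begins here and lasts until the next edge.
            if depth > best_count:
                best_count, best_lo, best_hi = depth, point, edges[i + 1][0]
        else:
            depth -= 1

    kept = sorted(name for name, (offset, bound) in sources.items()
                  if offset - bound <= best_lo and offset + bound >= best_hi)
    return kept, (best_lo, best_hi)
```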
Syslog
Syslog is a method to collect messages from devices to a server running a syslog daemon. Logging to a central syslog server helps in aggregation of logs and alerts. Cisco devices can send their log messages to a Unix-style SYSLOG service. A SYSLOG service simply accepts messages, and stores them in files or prints them according to a simple configuration file. This form of logging is the best available for Cisco devices because it can provide protected long-term storage for logs. This is useful both in routine troubleshooting and in incident handling.
UDP 514
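An added example (not from the original notes) of what a syslog collector does with each UDP/514 datagram it accepts: decode the <PRI> prefix into facility and severity (PRI = facility * 8 + severity), split out timestamp, host and message, and filter by severity. The sample lines are constructed; their message text only imitates the Cisco %FACILITY-SEVERITY-MNEMONIC style.

```python
# Added example, not from the original notes: parsing classic syslog datagrams
# of the form "<PRI>Mmm dd hh:mm:ss host message" as received on UDP 514.
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """Return a dict for one syslog line, or None if it is malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                     # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_num": severity, "timestamp": m.group(2),
            "host": m.group(3), "msg": m.group(4)}

def alerts(lines, max_severity=4):
    """Keep well-formed messages at warning (4) or more urgent, i.e. a smaller number."""
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["severity_num"] <= max_severity:
            out.append(rec)
    return out

# Constructed sample datagrams (Cisco devices default to facility local7 = 23).
SAMPLE = [
    "<189>Jan 14 09:27:54 edge-rtr %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<188>Jan 14 09:28:01 edge-rtr %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob]",
    "<34>Jan 14 09:28:05 ntp-host sshd[123]: constructed auth.crit example",
    "garbage line with no PRI",
]
```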
LDAP
Lightweight Directory Access Protocol
TCP 389
The default port for LDAP over SSL is 636.
A directory is a set of objects with similar attributes organised in a logical and hierarchical manner.
The protocol accesses LDAP directories, which follow the 1993 edition of the X.500 model.
A directory is a tree of directory entries.
An entry consists of a set of attributes.
An attribute has a name (an attribute type or attribute description) and one or more values.
Each entry has a unique identifier: its Distinguished Name (DN).
EXAMPLE:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
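An added example (not from the original notes) that turns the LDIF entry above into the model just described: the DN as the entry's unique key, each attribute mapped to a list of values (telephoneNumber and objectClass are multi-valued), and the DN split into its RDN components to find the entry's position in the tree. The entry text is the one from the notes.

```python
# Added example, not from the original notes: parsing one LDIF entry into the
# DN + attribute/values model and splitting the DN into its RDNs.

ENTRY = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
"""

def parse_ldif_entry(text):
    """Return (dn, attrs) where attrs maps each attribute type to a list of values."""
    dn, attrs = None, {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)   # attributes may repeat
    if dn is None:
        raise ValueError("entry has no dn")
    return dn, attrs

def split_dn(dn):
    """Split a DN into (type, value) RDNs, left to right, honouring backslash-escaped commas."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):       # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    return [tuple(part.split("=", 1)) for part in rdns]
```

The first RDN is the entry itself and the remaining RDNs name its parent, so `split_dn(dn)[1:]` locates the entry in the tree.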
Client Operations
Start TLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
Bind — authenticate and specify LDAP protocol version
Search — search for and/or retrieve directory entries
Compare — test if a named entry contains a given attribute value
Add a new entry
Delete an entry
Modify an entry
Modify Distinguished Name (DN) — move or rename an entry
Abandon — abort a previous request
Extended Operation — generic operation used to define other operations
Unbind — close the connection (not the inverse of Bind)
Added: 2009-01-14 09:27:54