Wes is a career changer, who came from construction and fast food management prior to his IT career. He went to back to school and earned multiple IT certifications before deciding to be an IT instructor.
He has been an instructor for just under a decade and enjoys seeing other fellow career changers succeed in their IT careers.
In his spare time he enjoys family time with his wife and kids as well as steel tip darts, guitar, knives, fishing and eating chicken wings!!!
Knowledge is a road to be traveled upon, not a destination to be reached~~
I didn't forget about you! I have been out of the office for a bit. The last one we have to talk about is VPNs and TLS. When we think about HTTPS remember that this protocol encrypts the communication between a web browser and a server.
So take for instances a quick little diagram:
In this diagram we have
User01needs to access a public website, so how to we make it to where a user traversing a public network can connect to our company's website in a secure manner that protects the confidentiality, integrity and availability of the
communication, we implement HTTPS which uses the security layer today of TLS.
DMZhere, the first (external) firewall allows for public access to our company's internal resources which in this case is the company website. So what does this do for us?
What does this do?
1 - Allows access to our internal resources
2 - Does not expose our internal network to the outside world when accessing the company website
3 - Allows the customer confidentiality of the communication - via HTTPS-based encryption
4 - Allows for integrity of the communication as there is a certificate exchange/validation of the web server.
5 - Encrypts ```web-based`` communication or HTML-based communications.
What doesn't this do?
1 - Allow for access from a public network (Internet) to the internal network for
2 - Provide authentication, authorization or auditing of those external to internal connections for
So what can we do to allow
authorized usersor employees access to internal company resources. For example Remote User 01 works from home 3 days out of the week. This user also needs access to her work files stored in a centralized file server located on the internal company network.
We could (please do not....lol) do this
1 - Place the web application server in the DMZ
2 - Place the file server in the DMZ
As I am sure you are aware this presents a major security risk:
The web application and file server are now exposed to the public (and all the bad actors)
Authentication and authorization has to be performed, which in this case will expose the user database to the public (and all the bad actors)
Sensitive information is now exposed to the public
This is not a solution. So we need to:
1 - Keep these resources
protected insidethe company's internal network
2 - Implement a remote access technology that will allow for public access to internal resources that are not limited to web-based technologies such as HTTPS.
3 - Allow for the implementation of authentication, authorization and auditing.
This is where HTTPS is not a viable option because while it does allow for an encrypted communication between a web browser and a
web serverbut lacks the other attributes we need. So insert ```VPN`` technologies.
VPNs allow us to:
1 - Connect to internal resources over existing public networks
2 - Connections appear as though the remote user is connected to the physical network
3 - Do not expose internal resources to those public networks
4 - Authentication can be performed by implementing technologies like RADIUS, TACACS+, Diameter
5 - Protect the user database from exposure to the public and bad actors
6 - Provide confidentiality to sensitive internal data through application of strong encryption.
7 - Allows for connections to and utilization of resources that do not use HTTPS (such as FTP, SSH, LDAP, SMB, NFS to name a few)
When we implement the VPN technologies we get these and more benefits. To the end user it looks like they are connected to the LAN and can access resources (not just HTTPS or web-based technologies)
And VPNs security layer can be TLS!
I hope this helps @Thomas-Pondant
Hopefully that helps with HTTPS and S/MIME, now on to TLS:
When we reference HTTPS today, we commonly say HTTP over SSL, but this is just because that term is widely popular and the most recognized when referring to HTTPS. In reality when you by an "SSL" certificate from say Symantec, GoDaddy, Verisign you are actually purchasing a TLS certificate. For example when you browse to https://www.msn.com you will see the "https" designation in the URL, so one would think "this is SSL'" but in the screenshot you can see HTTPS is being implemented via TLS 1.2 (SSL versions went to SSL 3.0, see below):
The versions of SSL/TLS are
- TLS 1.0
- TLS 1.1
- TLS 1.2
- TLS 1.3 (Draft or No official IETF RFC as of yet)
So keep in mind that with modern websites using HTTPS, it will be implemented with TLS.
I hope this helps
Next up is VPNs vs. HTTPS
Hey @Thomas-Pondant great question, I think I am going to put this into a multipart answer. First HTTPS vs. S/MIME:
- HTTPS allows a user to secure the communication between the web browser and a website (such as gmail).
- HTTPS does not ensure that the email itself is encrypted ONLY the communication between the browser and the website.
- HTTPS secures the communication and email only while it is in transit between the client and server.
- HTTPS does not secure the email while at rest (ie. downloaded to a mobile device or laptop), S/MIME encrypts the message at rest.
- HTTPS will not secure the email when being forwarded between other email servers.
For instance if you connect to a server via HTTPS and send an IMAP email.
- The web browser communication is secure, however what happens to the email as it gets passed through the fabric of the internet? HTTPS is no longer there to help us protect that email while it is “in the wild”
- Has the email been modified since it left the secure communication channel of HTTPS? We cannot be sure, S/MIME to the rescue with digital signatures and now we can validate the integrity of the email.
- Remember that enterprise email will most likely NOT be using Gmail, yMail, Outlook.com but more enterprise level versions.
I hope this helps, next up will be VPNs and TLS.
I wanted to add a little on the SMB protocol for clarification, while I am not sure that this will help on the exam, it might help for understanding the SMB protocol packet exchange:
Keep in mind that SMB allows you to print to share printers as well
- The client and server establish a NetBIOS session. (This is the NetBIOS part see the packet capture below)
- The client and server negotiate the Microsoft SMB Protocol dialect.
- The client logs on to the server.
- The client connects to a share on the server.
- The client opens a file on the share.
- The client reads from the file.
Here is a Windows 10 Workstation below using NETBIOS:
Hey @Thomas-Pondant great question, yes NetBIOS was an older name resolution protocol. The protocol for connecting to shared resources is SMB or server message block. Under the hood though when you click the plus button to "Add a Printer" this will kick off a couple of underlying protocols:
1- Multicast DNS (for locating services, devices on small local networks without a name server)
2- SSDP or Simple Service Discovery Protocol (advertise and locating services on a local network)
But you are right NetBIOS was for name resolution via broadcast communications on older networks but is still used in Windows today. As for connecting to shared resources that will be SMB.
I hope this helps
I agree with @Ronnie-Wong, the DLNA protocol is 15 years old and really "outlived" it's usefulness. When this was the very few specs that would/will let you stream from your PC, gaming console (which is funny as it was Sony's was a member company of the standard, but no longer supports DLNA on the PS4), mobile devices and more, it (DLNA) was useful. The DLNA standard uses UPnP, allowing for the discovery of other devices and communicate with those devices. So if you are not streaming media from a local PC(or other device) on your network then you will be OK to disable it. I would be careful disabling UPnP though as other technologies that you use might rely on it. However, disable UPnP, then see if any applications or devices stop functioning as expected.
When it comes to Samba, unless you need to connect to a file server that is non-Windows based on your network, then you will be fine to disable it. Your Windows machines will use:
- SMB 2.1 for Windows 7
- SMB 3.0 Windows 8
- SMB 3.0.2 Windows 8.1
- SMB 3.1.1 Window 10 (Adds AES 128 GCM encryption)
Hope this helps!
This is another great question, when it comes to the practice tests, they will scare you at first, I know they have got my attention before as well. They are structured to give the exam candidate and idea as to how prepared they are ( or might not be), and more importantly where to focus your study time in (i.e. which domains/objectives you are weak on). When looked at from the perspective that you where right around 4-10% off from passing the practice test on the very first try, says a lot about your study methods as you are very close. It is advised to take the areas in the "post-score breakdown" that you are the weakest in and research those areas more in depth. The content that we provide is comprehensive but not completely exhaustive. However we always recommend that additional methods be added to the exam candidate's bag of study tools. This is why we have the added value of Practice-Labs.com and practice tests to supplement the members training. I would also recommend using additional prep material such as FlashcardMachine.com, Quizlet.com and our forums here. There are also books that provide extra material such as ExamCram. I hope this helps and please keep us informed on your progress as you most certainly do not have to go at this alone.
Robert you are absolutely correct, apparently my mouth and brain were not in sync with each other, I will post an errata as the term "whaling" does refer to a phishing scam in which "C-level" employees are targeted. In my usual explanation, I tell students think of it as "targeting the big fish" in the company as a way to remember the term vs. spear phishing which emails are received and appear to be from a trusted source. Whatever the reason may be, I definitely did not define that correctly. Thank you for pointing this out.