HTTP uses port 80 and HTTPS uses port 443 for a web server to be able to work with these protocols the firewall would need to allow communications through on these ports.

FTP over TLS/SSL  need to have a rule added to the firewall which allows TCP to pass through insection. The rule can be added with a command like ‘netsh advfirewall firewall add rule name=”FTP for IIS7″ service=ftpsvc action=allow protocol=TCP dir=in’. The user also must disable stateful insection of FTP communications. Port 21 must be open.

SMTP uses port 25 so the firewall must allow commuications on that port through. If an application is being used to manage email on the server the firewall might need the email application added to it’s white list as well.

Remote administration can be implement by selecting the Windows Management Instrumentation exception option on the windows firewall screen. The port 443 must be open.

MariaDB requires both inbound and outbound rules which open port 3306. Although if installed properly these rules should automatically be created. These rules must function on Domain, private, and public networks as such need to work with the 103.28.250.99/192.168.0.2 ip addresses.

MSSQL uses port 1433 with tcp so the fire wall must allow this. For the sever verson of MSSQL an additional port must be opened for UDP this port is 1434.

Rules:

HTTP; Inbound/ Detestation 103.28.251.162 port 80 Source any port 80. Outbound / Detestation Any port 80 Source 192.168.0.1

Firewall rules are important as they allow users to decide what ports and programs are allowed to interact with their system. With out strong rules it becomes easy for outside entities to interact with a system. However, strong rules can prevent programs and services to function properly. This is why is is important to be able to create and manage firewall rules. With additional knowledge of the programs which need to run on a network it could be possible to create firewall rules which only allow desired programs and services to function on the network. I feel that the example used in this lab were not sufficient to learn about configuring firewall rules. Through this lab we only did the most most basic of changes to a preexisting firewall rule. I think that this task would have be a lot more help full if instead on focusing on ‘testing’ the rules of the firewall were working, even though we were turning the same rule off and on, we could have work with different rules or created our own.

This is a limit on how many IPv4 addresses exist to save on the amount of IPs used certain addresses only can exist inside local networks allowing for then to be reused in different networks. That way this is utilised when the private networks are connected to the internet is by utilising NAT. NAT acts as a middle man in communications between local networks and the interenet remembering where each request is going or has come from. NAT firewalls only allow commications which have been requested from devices in a network to pass through. This prevents unwanted files from penetrating the network. By only letting commuications which were requested from with in the network pass we can ensure that any bad actors who are trying to gain access to the network can just access the network, while not interferring with ligitimate request from devices in the network. NAT firewall would normally be pair with other firewall funtionality as many common attacks are not stopped by NAT firewalls such as trojin or phishing attacks.

OpenSSH is a tool which helps to remotely connect to devices. OpenSSH prevents the connect from being observed or interferedwith by encripting the communication between the two devices. As the name surjects the program uses the SSH protocal to complete its commuciations. As part for the program the program provides tools for managing sercurity cetficates. Two uses of OpenSSH are providing sercure commucation with other devices such as in the lab when we connected to a server using SSH. This is important as it allows use to remotely connect to a devices and access it which is an important part of managing networks, OpenSSH also allows us to have this connection being sercure so we don’t have to worry about out side interference. Another use of OpenSSH is to sercure unsecure commucation protocols such as Telnet. As protocals like telnet don’t provide encription on their own and send all of their passwords as plain text we could use SSH to and encryption to these communications. This would be useful if for some reson we needed to use one of these protocols and we wanted to be safe.

Critical thinking

I think it would be useful if this lab when over move uses of the OpenSSH programs as in this lab we only set up a remote connection with the program. We didn’t go over important parts of this connection such as how this connection is encrypted.

I think NAT firewalls are useful tools as we don’t want outside efences to be able to enter our network without permission. I forsee NATfirewalls still be relenvent into the distant future. NAT firewalls use NAT which is a protocal which has come about because of the need to reuse IP addresses. IPv6 doesn’t need to use NAT so there for in the future is is possible that NAT firewalls won’t be as relevent as it is now. Although the need of a stateful filewall is still an important one I believe that spicifically NAT firewall may not be the best solution as they can prevent the implementaion of more robust sercurity techniques which will last the implemetaion of IPv6 and internet of things techonlogies. It is also possible that the implementaion of IPv6 will take such a long time that none of this concerns with ever matter.

As discussed in a previous blog the AD certificate services is a windows server role which allows a users to create and manage private keys/cetifications. Thought the certifcation sevices a use can allow users to request certification and them manage the requests. This allows for the server to verifie a users account. Some examples of how Certification can be used includes encripting files and managing emails.

CA Web Enrollment allow from a certficate to be validated or request though a web browser. Through this funtion it is possible for a user to be able to preform basic CA tasks such as requesting a cetification on downloading the centification list.( Archiveddocs. (n.d.). )

Key archival is when a private key is saved so if it is ever lost due to an event such as the destrution of a computer which stored the key or the thieft of a smart card. By saving the key in such a way it can easierly be restore. When a user regains a key they are able to have the same access they had before for example if a user was to encript a file the they would not be able to unencript it until they gain their primary key.

( Key Archival and Key Recovery. (n.d.). )

They Key recovery agent is a service which allows for the recovery of keys on windows server. Windows server does not natively have access to recover keys so without it if a key is lost it is lost perminately.

( Enabling Key Recovery in Active Directory Certificate Services )

One use of User Certification is the ability to encript files. Once a user is validated their certificate can then be used as a key to encripted files. This means to gain access to the files the user would then need to have access to their private key so they could prove who they are. Another use for User Certification is the ability to use it in tandom with windows networking sharing features and group policies this would allow a user to set shares which only users with cetain validations have access too.

Archiveddocs. (n.d.). Certification Authority Web Enrollment Guidance. Retrieved September 2, 2019, from https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v%3dws.11)

Enabling Key Recovery in Active Directory Certificate Services. (2009, March 20). Retrieved September 2, 2019, from IT Pro website: https://www.itprotoday.com/active-directory/enabling-key-recovery-active-directory-certificate-services

Key Archival and Key Recovery. (n.d.). Retrieved September 2, 2019, from Versasec website: http://versasec.zendesk.com/hc/en-us/articles/115000828553-Key-Archival-and-Key-Recovery

A root Ca is the form of validation which is used to validate the entire CA structure. A CA structure is hireracical which means that if the top level of the struture is comperimised than all other CA’s under it will also be compremised. Subordinate CAs are created from the root CA and validated off of this. Because it is both ineffiect to contunuusly have to validate the root CA and because like previously menation if the root CA is comprmissed all the subordate CA’s basied on it will also need to be replace, the root CA is normally left turned off until it is needed. CAs provide a computer a way of proving it is real and artherised to a user. By using a trusted CA another entite can have a private key which allows it to be signed and prove that it is who it says it is.

(Hierarchies in PKI. (, 18:59))

A user can install the CA role on to a server by going to the install roles and features selecting the valid roles from the roles area. After the roles are installed the user can navagate to the configuration area by clicking the flag on server manger and then selecting the correct roles they wish to configure. Once they arrive on the CA type the use can then select Subordinate CA from the two options. The user can then create a private key to sign documents. After this the user can select the CA cryptography type, name and where request are sent or save to.

After all of the CA is set up the user can then request a certificate on any of the computers on the network by going to MMC and requesting the cetification from the server the role is installed on.

Q3 ????

When a certification is revoked it means that the server no longer reconizes that cetificate as a valid option. Unlike in other system the certification is not deleted it is instead saved into a revocation list which store all such data. The resone to contuine storing the data is because if the CA forgot about it it could reissue an already issue cetification which was comprimised and revoked leading to the possiblity of a bad actor using it.

Active Directory Certificate Services allows a company that is running their own internal network to distribute and authenticate it’s users. By doing so the company is able to easierly distribute private keys to their employees helping them securely establise validated communications for activities such as encrypted emails and vpn. This is possible because the private key allows the network to confirm the identity of the entitie with the key. ( The benefits of creating your own Certificate Authority )

Hierarchies in PKI. (, 18:59). Retrieved September 1, 2019, from Networklore website: https://networklore.com/hierarchies-in-pki/

The benefits of creating your own Certificate Authority | What is an SSL-certificate. (n.d.). Retrieved September 2, 2019, from https://www.whatissslcertificate.com/the-benefits-of-creating-your-own-certificate-authority/

Cain and Able is a password cracking tool which lets a use try and gain access to the plain text version of a password hash. To use Cain and Able to crack a password a use must have access to the passwords hash. If the user gain access to the has they can have Cain and Able try and crack a password by running though every possible combination of characters until the user finds a hash which matches the once they are looking for. This is called a brute force attack. If a user is preforming a brute force attack they will also need to know what sort of inceptions is being used so that the program can guess against that. Other information can take be useful for this sort of attack to be able to reduce the time it takes to be able to complete the task, this extra data can include password minimum length, password maximum length and what characters are allowed.

An issue with brute force attacks is that they are slow espicisally if the password which is needed to crake is long, this can lead to it being slow to break password hashes and therefore might not be worth it. Another inhirent flaw is that people tend to make their passwords something they can rember like a word, ontop of this a lot of passwords are insercure which means that eventhough it might take a brute force hack a long time to crack the password the password might be easy to mannual guess making the brute force attack irralenvent. This is where dictonary attacks come into play. A dictionary attack allows a user to set a program to check if a users account matchs a password within a selected dictionary. By checking a password against a set of words ratter than a a random chain the hacker can better emulate how people normally set their passwords. This sort of attack can also change the letters in a word for common misspelling and leat-speak covering more possible combinations. This form of password generation can be quicker than brute force attacks but dictonary attacks can work out passwords with random letters in them and this method is less likely to work if a user is using rare or uncommon words.

From this lab we can see that it is important to have a password which is greater than 8 character as they will increase the time to crake it. It is also imporant that each password has as many possible characters as the more character a hacker has to run the longer it will take.

A hash is a fixed length string which can be generated from any set of data. As long as the original data is unchanged, the data will result in the same hash. Any change in the data will result in a different hash. MD5 is a hashing algorithm which is only suitable for checksum due to MD5 flaws. Checksum is when the user compares the hash of a file they have downloaded to the one that the files creator made before posting the file to the internet. If the file has been corrupted or altered in any way then the hashes will not match. The process of checking hashes can be speed up by the use of online hash comparison tools such as the one used in this lab. Being able to check valid a downloaded file is useful and is an important part of security. An issue with MD5 hashing are that it takes time to check the hashes which can prevent people from preforming the check. Checksums also require that the creator of a file provides a hash of the original file to validate again. MD5 checksums might be useful with the Security industry but i don’t believe that it is a concept the can be transferred outside of it unless it was done automatically.

MD5 has a smaller has than SDA-1 does making MD5 quicker to work. As far as is currently know SDA-1 has never been broken which is not true about MD5, because of this MD5 is not suitable to encrypt sensitive data. SDA-1 is also consider to be generally more secure as it takes more operation to to break it than it does MD5 . In general MD5 is only really suitable for something like checksums as it requires speed and doesn’t contain sensitive information. Where SDA-1 is useful when working with sensitive information.(hash – Algorithm Complexity & Security: MD5 or SHA1?)

SSL use hashes to verifies that the client is connecting to the site they think they are connecting to. Each site provides identification to the company providing them with the certification and in return they are provided a unique hash to validate them selves with. SHA is what is used to create theses hashes. They are several different versions of SHA currently SHA-1 is used, however google has recently been able to spoof SHA-1 to create two different sites with the same hash. This mean that SHA-1 may no longer be as sercure as it once was mean that other forms of SHA such as SHA-2 will likely become the future standard.(All about SHA1, SHA2 and SHA256 hash algorithms.)(Are Your Certificates Future-proof?)

hash – Algorithm Complexity & Security: MD5 or SHA1? (n.d.). Retrieved August 20, 2019, from Stack Overflow website: https://stackoverflow.com/questions/2948156/algorithm-complexity-security-md5-or-sha1

Are Your Certificates Future-proof? SHA-1 Sunset. (2017, March 1). Retrieved August 20, 2019, from Predica website: https://predica.pl/blog/sha-1-certificates

All about SHA1, SHA2 and SHA256 hash algorithms. (n.d.). Retrieved August 20, 2019, from https://www.tbs-certificates.co.uk/FAQ/en/sha256.html