1 Network Security Revisited ITEC 370 George Vaughan Franklin University.

2 Sources for Slides Material in these slides comes primarily from the course text, Guide to Networking Essentials, Tomsho, Tittel, Johnson (2007). Other sources are cited in line and listed in the reference section.

3 TCP/IP and OSI Models

4 VPN Wikipedia-VPN (n.d.) VPN – Virtual Private Network A virtual (logical) private network running on top of a public network (e.g. the Internet). Useful for providing remote access without using dedicated lines. 2 parts: –‘inside’ network, which is trusted –‘outside’ part, which is not trusted. The VPN server manages authentication. When the VPN is active, all access from the client to the outside must pass through the firewall – this makes the client act as if it were in the ‘inside’ network.

5 VPN Advantages and Disadvantages Tomsho, Tittel, Johnson (2007) Advantages: –Significantly cheaper than leasing private lines. –Usable almost anywhere in the world. Disadvantages: –Security risk if not properly configured –May be slower than leased lines (but often ‘fast enough’)

6 Transmission Using Leased Line (diagram: Machine 1 (M1) on LAN 1 sends through Switch/Router 1 (R1), across a WAN leased line ($), to Switch/Router 2 (R2), which delivers to Machine 2 (M2) on LAN 2; at every hop the packet is unchanged, IP Header Dest=M2 + Data; the whole path is a Trusted Area)

7 Terminology Encapsulation: –The act of placing a packet (header and data) inside the data section of another packet. –Similar to placing an envelope containing a letter inside another envelope (which may have a different address). –Sometimes the encapsulating packet is of a different protocol. Encryption: –The process of obscuring information. Tunneling (Tunneling, 2005): –Also known as "port forwarding" –The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

8 Transmission Using VPN on Public Network (diagram: Machine 1 (M1), running the VPN Client on LAN 1, encapsulates and encrypts the original packet (IP Header Dest=M2 + Data) and wraps it inside a new packet with IP Header Dest=VPN1; the new packet crosses Switch/Router 1 (R1) and the Public Internet through the Tunnel to the VPN Server/Firewall (VPN1), which de-encapsulates and decrypts the original packet, sets destination = M2, and forwards it through Switch/Router 2 (R2) to Machine 2 (M2) on LAN 2; LAN 1 and LAN 2 are the Trusted Area)

9 Examples of VPN Tunneling Protocols IPSec –IP Security PPTP –Point-to-Point Tunneling Protocol L2TP –Layer 2 Tunneling Protocol

10 IPSec Wikipedia-IPSec (n.d.) IP Security A set of protocols operating at the Network layer (layer 3). Often used for LAN-to-LAN VPNs. 2 Modes –Transport Mode: Only the payload of the packet is encrypted (the header is not). Host-to-host communication. –Tunnel Mode: The entire IP packet is encrypted, including the header, and encapsulated in another packet for routing across the Internet. Network-to-network communication. Optional in IPv4, obligatory in IPv6.
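The encapsulation of slide 7, the slide 8 diagram and the two IPsec modes of slide 10, as an added example that is not part of the original slides. The addresses, the shared key and the SHA-256 keystream cipher are constructed stand-ins (real IPsec uses ESP with a cipher such as AES-GCM); the point shown is which header stays in the clear in each mode and what VPN1 does on receipt.

```python
import struct
import hashlib

# Constructed addresses matching the slide-8 roles (assumed, not from the slides)
M1, M2 = "10.1.0.5", "10.2.0.7"        # hosts on LAN 1 and LAN 2
VPN1 = "203.0.113.1"                   # public address of the VPN server

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

def parse_dst(packet):
    """Destination address a router on the path would route on."""
    return ".".join(str(b) for b in packet[16:20])

def keystream_xor(key, data):
    """Toy symmetric cipher: SHA-256 in counter mode XORed over the data.
    Illustrative only; applying it twice with the same key decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def transport_mode(key, src, dst, payload):
    """Slide 10 transport mode: the IP header stays readable (Dest=M2),
    only the payload is encrypted. Protocol 50 is ESP."""
    enc = keystream_xor(key, payload)
    return ip_header(src, dst, 50, len(enc)) + enc

def tunnel_mode(key, inner_packet, gw_src, gw_dst):
    """Slide 8 / tunnel mode: the whole original packet (header included) is
    encrypted and wrapped in a new header addressed to the VPN server."""
    enc = keystream_xor(key, inner_packet)
    return ip_header(gw_src, gw_dst, 50, len(enc)) + enc

def vpn_server_decapsulate(key, outer):
    """VPN1 strips the outer header and decrypts; the recovered inner packet
    already carries Dest=M2 and is forwarded into LAN 2."""
    return keystream_xor(key, outer[20:])
```

Public routers between M1 and VPN1 only ever see Dest=VPN1 in the tunnel-mode packet, which is what makes them "unaware that the transmission is part of a private network".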

11 PPTP Wikipedia-PPTP (n.d.) Often used for Client-to-LAN VPNs. Establishes a regular PPP session with the peer –Uses the Generic Routing Encapsulation protocol (GRE) Establishes a second TCP session, which is used to manage the GRE session. First implemented by Cisco and later licensed to Microsoft. Easy to configure. First VPN protocol supported by Microsoft Dial-up Networking.

12 L2TP Often used for Client-to-LAN VPNs. An extension of PPTP (Microsoft) and L2F (Cisco). Developed by Cisco. Doesn’t require registered IP addresses. Does not contain encryption, so it is often used in conjunction with IPSec.

13 Protecting Networks with Firewalls Tomsho, Tittel, Johnson (2007) Firewall: a HW device or SW program that inspects packets going into or out of a network or computer, and then discards or forwards them based on rules –Protects against outside attempts to access unauthorized resources, and against malicious network packets intended to disable or cripple a corporate network and its resources –If placed between the Internet and the corporate network, can restrict users’ access to Internet resources. Firewalls can attempt to determine the context of a packet (stateful packet inspection (SPI)).

14 Types of Firewalls Wikipedia-firewall (n.d.) Packet Filter Firewall: –Stateless –Rules are static Circuit Level Firewall: –Stateful –Can determine whether a packet is new or part of an existing connection. Application Layer Firewall: –Also known as a proxy-based firewall

15 Using a Router as a Firewall Tomsho, Tittel, Johnson (2007) A firewall is just a router with specialized SW that facilitates creating rules to permit or deny packets. Many routers have capabilities similar to firewalls –After a router is configured, by default all packets are permitted both into and out of the network –The network administrator must create rules (access control lists) that deny certain types of packets. Typically, an administrator builds access control lists so that all packets are denied, and then creates rules that make exceptions.
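The stateless versus stateful distinction of slide 14 and the deny-everything-then-add-exceptions ACL style of slide 15, as an added example that is not from the slides. The networks, ports and rule set are constructed; the stateful filter shows why a stateless rule set built this way blocks the replies to the connections it permits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

INSIDE = ip_network("192.168.1.0/24")            # constructed corporate LAN
ANY = ip_network("0.0.0.0/0")

# Slide-15 style ACL: nothing matches -> deny. Each tuple is
# (direction, src net, dst net, proto, dst port, action).
RULES = [
    ("out", INSIDE, ANY, "tcp", 443, "permit"),                   # HTTPS out
    ("in", ANY, ip_network("192.168.1.10/32"), "tcp", 25, "permit"),  # mail server
]

def stateless_decision(pkt, direction):
    """Slide-14 packet filter: static rules, no memory of earlier packets."""
    for d, s, dst, proto, port, action in RULES:
        if (d == direction and ip_address(pkt.src) in s
                and ip_address(pkt.dst) in dst
                and pkt.proto == proto and pkt.dport == port):
            return action
    return "deny"                      # default deny (slide 15)

class StatefulFilter:
    """Slide-14 circuit-level filter: records permitted outbound flows so the
    matching inbound reply is recognised as part of an existing connection."""
    def __init__(self):
        self.connections = set()       # (src, sport, dst, dport, proto)

    def decide(self, pkt, direction):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if direction == "in" and reverse in self.connections:
            return "permit"            # reply to a connection we opened
        action = stateless_decision(pkt, direction)
        if action == "permit" and direction == "out":
            self.connections.add(flow)
        return action
```

With only static rules, the administrator would have to add a broad inbound exception (for example, any TCP packet with the ACK flag set) to let replies through; the connection table makes that exception unnecessary.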

16 NAT Wikipedia-NAT (n.d.) Network Address Translation (IP masquerading) The router/firewall replaces the internal source IP address in an IP packet with its own IP address when sending packets out, and reverses the process for incoming packets. Useful for hiding the identity of the real IP addresses behind the firewall. Can be used for IP address reuse –Multiple machines share the same IP address –Common in home routers –The ISP assigns a single public IP address –The router maps it to multiple private IP addresses

17 PAT Wikipedia-NAT (n.d.) A variation of NAT is PAT (Port Address Translation). Port numbers can be used for multiplexing: using ports, a single external IP address can map up to 65,000 internal network addresses (as big as a class B network).

18 Using Network Address Translation to Improve Security Tomsho, Tittel, Johnson (2007) A benefit of NAT is that the real address of an internal network resource is hidden and inaccessible to the outside world –Because most networks use NAT with private IP addresses, devices configured with private addresses can’t be accessed directly from outside the network –An external device can’t initiate a network conversation with an internal device, which limits an attacker’s options to cause mischief
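The NAT/PAT translation of slides 16 and 17 and the consequence drawn on slide 18, as an added example that is not from the slides. The public and private addresses and the port range are constructed; two inside hosts share one public address, replies are mapped back through the table, and an inbound packet with no table entry is dropped.

```python
import itertools

PUBLIC_IP = "203.0.113.1"      # constructed ISP-assigned address of the router

class PatRouter:
    """Port address translation: every outbound flow from a private host gets
    its own source port on the single public IP; the same table is read in
    reverse for replies."""
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self.public_ports = itertools.count(40000)   # ports handed out in order
        self.out_table = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> pub_port
        self.in_table = {}    # (pub_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Slide 16: rewrite the private source to the router's own address.
        Returns the (src_ip, src_port, dst_ip, dst_port) seen on the Internet."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:                 # new flow: allocate a port
            pub_port = next(self.public_ports)
            self.out_table[key] = pub_port
            self.in_table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving on the public side addressed to PUBLIC_IP:dst_port.
        Returns the rewritten tuple for the private host, or None to drop it
        (slide 18: an outsider cannot initiate a conversation inward)."""
        entry = self.in_table.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return (src_ip, src_port, priv_ip, priv_port)
```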

19 Implementing Wireless Security Tomsho, Tittel, Johnson (2007), Wikipedia Attackers who drive around looking for wireless LANs to intercept are called wardrivers. Wireless security methods –SSID (Service Set Identifier – identifies the network): choose one that is not easy to guess, and do not broadcast it –Wired Equivalency Protocol (WEP), 1999 – Can be cracked in 2 minutes with available software –Wi-Fi Protected Access (WPA), 2003 – Stronger than WEP. Not supported by all access points. –802.11i, 2004 – same as WPA2, a superset of WPA. –MAC address filtering: an access control list based on MAC address. You should also set policies: limit AP signal reach, change the encryption key regularly, etc.

20 References Tomsho, Tittel, Johnson (2007). Guide to Networking Essentials. Boston: Thompson Course Technology. Odom, Knott (2006). Networking Basics: CCNA 1 Companion Guide. Indianapolis: Cisco Press Tunneling (2005). Tunniling. Retreived 03/26/2007 from Wikipedia (n.d.). OSI Model. Retrieved 09/12/2006 from Wikipedia-IPSec (n.d). IPsec. Retrieved 01/30/2007 from: Wikipedia-VPN (n.d.). Virtual Private Network. Retrieved 01/30/2007 from: Wikipedia-firewall (n.d.) Firewall (Networking). Retrieved 01/30/2007 from: Wikipedia-NAT (n.d.) Network Address Translation. Retrieved 01/30/2007 from: