Remote Access Chapter 4

IEEE 802.1x
An internet standard created to perform authentication services for remote access to a central LAN.
Simple Network Management Protocol (SNMP): A set of protocols for managing complex networks. It works by sending messages, called protocol data units (PDUs), to different parts of a network. An SNMP-compliant device, called an “agent,” stores data about itself in a Management Information Base (MIB) and returns this data to an SNMP requester.

IEEE 802.1x
General Topology (diagram)

IEEE 802.1x
Extensible Authentication Protocol (EAP): A protocol defined by IEEE 802.1x that supports multiple authentication methods.
EAP over LAN (EAPOL): An encapsulation method for sending EAP over a LAN environment using IEEE 802 frames.

IEEE 802.1x
IEEE 802.1x Conversation (diagram)

IEEE 802.1x
Telnet: The standard terminal emulation protocol within the TCP/IP protocol suite, defined by RFC 854.

Virtual Private Networks
A remote access method that secures the connection between the user and the home office using various authentication mechanisms and encryption techniques.

Virtual Private Networks
VPN Diagram (diagram)

Virtual Private Networks
VPN Options
Included in MS Windows packages.
    MS PPTP.
Outsource to service provider.
    Encryption does not happen until the data reaches the provider’s network.

Virtual Private Networks
VPN Drawbacks
Not completely fault tolerant.
Diverse choices for implementing.
Law of diminishing returns.
    Each incremental increase in security over a certain point becomes more and more expensive.

Remote Authentication Dial-In User Service (RADIUS)
Uses a model of distributed security to authenticate users on a network.
User Datagram Protocol (UDP): A connectionless protocol that, like TCP, runs on top of IP networks. It provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network.

Remote Authentication Dial-In User Service (RADIUS)
Authentication with a RADIUS Server
Network Access Server (NAS): This allows access to the network.
Serial Line Internet Protocol (SLIP): A method of connecting to the Internet. Another, more common method is PPP.

Remote Authentication Dial-In User Service (RADIUS)
Authentication (message sequence between the client and the RADIUS server across the Internet, in time order):
    Client -> RADIUS server: Access request
    RADIUS server -> client: Access accept (with exec authorization in attributes)
    Client -> RADIUS server: Accounting request (start)
    RADIUS server -> client: Accounting response to client
    Client -> RADIUS server: Accounting request (stop)
    RADIUS server -> client: Accounting response to client
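The Access request / Access accept leg of the exchange above, as an added Python example that is not part of the slides: the client builds an Access-Request with the RFC 2865 User-Password hiding, the server answers with a Response Authenticator, and the client verifies it under the shared secret before trusting the answer. The accounting messages are not modeled, and the secret, user name and password used in testing are constructed sample values.

```python
import hashlib, hmac, os, struct

# RFC 2865 packet codes and the attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value  # Type-Length-Value

def hide_password(password, secret, req_auth):
    # RFC 2865 5.2: null-pad to 16 octets, XOR each block with MD5(secret + previous block),
    # seeded with the Request Authenticator. Only the shared secret protects it on the wire.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the null padding added by the client

def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def access_request(ident, user, password, secret):
    # Client (NAS) side: a fresh random Request Authenticator per request.
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def server_handle(request, secret, users):
    # Server side: recover the password, decide, and sign the reply.
    _, ident, req_auth, attrs = parse_packet(request)
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")

def client_verify(request, reply, secret):
    # Client side: accept the reply only if the ID matches and the Response Authenticator verifies.
    _, ident, req_auth, _ = parse_packet(request)
    code, rid, resp_auth, _ = parse_packet(reply)
    expected = response_authenticator(code, rid, req_auth, reply[20:], secret)
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        return None
    return code
```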

Remote Authentication Dial-In User Service (RADIUS)
Benefits
Greater security.
Scalable architecture.
Open protocols.
Future enhancements.

Terminal Access Controller Access Control System (TACACS+)
An authentication system developed by Cisco Systems.
Developed to address the need for a scalable solution that RADIUS did not provide.
Uses Transmission Control Protocol (TCP).
Offers multiple protocol support.

Terminal Access Controller Access Control System (TACACS+)
Message sequence between the client and the TACACS+ server across the Internet, in time order:
    Client -> server: Start (authentication) to connect user
    Server -> client: Reply (authentication) to ask client to get username
    Client -> server: Continue (authentication) to give server username
    Server -> client: Reply (authentication) to ask client to get password
    Client -> server: Continue (authentication) to give server password
    Server -> client: Reply (authentication) to indicate pass/fail status
    Client -> server: Request (authorization) for service=shell
    Server -> client: Response (authorization) to indicate pass/fail status

Terminal Access Controller Access Control System (TACACS+)
Message sequence, continued (client and TACACS+ server across the Internet, in time order):
    Client -> server: Request (accounting) for start/exec
    Server -> client: Response (accounting) that record was received
    Client -> server: Request (authorization) for command and command-argument
    Server -> client: Response (authorization) to indicate pass/fail status
    Client -> server: Request (accounting) for command
    Server -> client: Response (accounting) that record was received
    Client -> server: Request (accounting) for stop/exec
    Server -> client: Response (accounting) that record was received

Point-to-Point Tunneling Protocol (PPTP)
Built upon Point-to-Point Protocol (PPP) and Transmission Control Protocol/Internet Protocol (TCP/IP).
Handshaking: The process by which two devices initiate communications. Handshaking begins when one device sends a message to another device indicating that it wants to establish a communications channel. The two devices then send several messages back and forth that enable them to agree on a communications protocol.

Point-to-Point Tunneling Protocol (PPTP)
Performs the following tasks:
    Queries the status of communications servers
    Provides in-band management
    Allocates channels and places outgoing calls
    Notifies Windows NT Server of incoming calls
    Transmits and receives user data with bidirectional flow control
    Notifies Windows NT Server of disconnected calls
    Assures data integrity, while making the most efficient use of network bandwidth by tightly coordinating the packet flow

Layer 2 Tunneling Protocol
Expands PPP by allowing both endpoints (layer two and PPP) to reside on different devices connected by a packet-switched network like the Internet.
Allows the processing of PPP packets to happen separately from the termination of the layer two circuits.

Secure Shell (SSH)
A program used to log on to another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.
Uses a public key authentication method to establish an encrypted and secure connection from the user’s machine to the remote machine.
Certificate Revocation List (CRL): A device used in SSH to manage certificates. Certificates that are no longer valid are placed on a list and verified by the SSH engine when authentication occurs.

IP Security Protocol
Internet Engineering Task Force (IETF): The main standards organization for the Internet.
IP Security (IPSec): A set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPSec has been deployed widely to implement VPNs.
Secures Layer 3 of the OSI Model.

IP Security Protocol
Encapsulating Security Payload (ESP): Provides a mix of security services in IPv4 and IPv6. It is used to provide confidentiality, data origin authentication, connectionless integrity, anti-replay, and limited confidentiality of the traffic flow.
Security Parameter Index (SPI): An arbitrary 32-bit number used to specify to the device receiving the packet not only what group of security protocols the sender is using to communicate, but which algorithms and keys are being used, and how long those keys are valid.

IP Security Protocol
ESP Packet Format (diagram)
Payload Data: Variable length; this is the data carried by the IP packet.
Padding: 0 to 255 bytes, used to ensure that the ciphertext terminates on a 4-byte boundary.
Pad Length: 8 bits; specifies how many of the preceding bytes are padding rather than payload data.
Next Header: 8 bits; an IP protocol number describing the format of the payload data.
Authentication Data: Variable length; optional field used by the authentication service.

IP Security Protocol
ESP and Encryption Models
ESP can use several encryption protocols. The sender decides which ones to use.
The current standard for IPSec uses HMAC with Message Digest 5 (MD5).
Hash Message Authentication Code (HMAC): A special algorithm defined by RFC 2104 that can be used in conjunction with many other algorithms, such as SHA-1, within the IPSec Encapsulating Security Payload.
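The ESP packet layout listed in the field table above and the HMAC-MD5 Authentication Data described here, as an added Python example that is not from the slides: the sender pads the trailer to a 4-byte boundary and appends a 96-bit HMAC-MD5 ICV, and the receiver verifies the ICV, checks the padding, and applies the anti-replay window before unwrapping the payload. Encryption is left out (null encryption) so the trailer and ICV stay visible; the SPI/sequence-number header, the default pad pattern and the 64-entry replay window follow the ESP RFCs, and the key and payloads used in testing are constructed sample values.

```python
import hashlib, hmac, struct

ICV_LEN = 12  # HMAC-MD5-96: the MD5 HMAC truncated to 96 bits (RFC 2403)

def build_esp(spi, seq, payload, next_header, auth_key):
    # Pad so that Payload Data + Padding + Pad Length + Next Header is a
    # multiple of 4, using the default monotonically increasing pad bytes 1, 2, 3, ...
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = (struct.pack("!II", spi, seq) + payload + padding
            + struct.pack("!BB", pad_len, next_header))
    # Authentication Data covers everything from the SPI through Next Header.
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv

def parse_esp(packet, auth_key):
    # Verify the ICV before trusting any other field of the packet.
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    if len(body) < 10 or not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10 or body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, body[8:-2 - pad_len]

class ReplayWindow:
    # Anti-replay service: sliding bitmap of sequence numbers already accepted.
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False  # sequence numbers start at 1
        if seq > self.top:  # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False  # older than the window, or already seen
        self.bitmap |= 1 << diff
        return True

def receive(packet, auth_key, window):
    # Inbound order matters: integrity check, then anti-replay, then unwrap.
    spi, seq, next_header, payload = parse_esp(packet, auth_key)
    if not window.accept(seq):
        raise ValueError("replayed or stale sequence number %d" % seq)
    return spi, next_header, payload
```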

Telecommuting Vulnerabilities
Problems with traditional VPNs
Split tunneling: client can route traffic simultaneously to the corporate intranet and the Internet.
Sensitive information stored on remote user’s hard drive.
Lack of logging when client is not connected.

Telecommuting Vulnerabilities
Problems with Certificates
Compromised certificate can be used to gain access to machines within the security perimeter.
SOHO (small office/home office): Products specifically designed to meet the needs of professionals who work at home or in small offices.
SOHO firewalls bypass the traditional perimeter authentication that takes place before a remote user is granted access to the internal network.
Provides back-door entry for intruders.

Telecommuting Vulnerabilities
Remote Session
Data never leaves the secure intranet perimeter.
Dangers lie in user copying data to their local drive or printing to a local printer.
Remote Solutions
    Citrix Metaframe Access Suite
    Microsoft Terminal Server
    Virtual Network Computing