Understanding Protocol Security LESSON 3.4 98-367 Security Fundamentals.


Understanding Protocol Security LESSON Security Fundamentals

Lesson Overview
In this lesson, you will learn about:
• Protocol spoofing
• IPsec
• Tunneling
• DNSSEC
• Network sniffing
• Common attack methods

Anticipatory Set
• List common network attack methods.
• Summarize the IPsec goals and how they are met.

Configure IIS IP and DNS Restrictions
Configure restrictions based on IP address. Use IIS Manager to grant or deny access to websites or applications for:
  o a single computer.
  o a group of computers.

Grant Access to Resources for a Computer
1. In IIS Manager, expand the local computer, right-click a website, directory, or file you want to configure, and click Properties.
2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.
3. Click Granted access.
4. When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access.
5. Click Add. Click Single computer.
6. Click DNS Lookup to search for computers or domains by name, rather than by IP address.
7. Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.

Deny Access to Resources for a Computer
1. In IIS Manager, expand the local computer, right-click a Web site, directory, or file you want to configure, and click Properties.
2. Click the Directory Security or File Security tab. In the IP address and domain name restrictions section, click Edit.
3. Click Denied access.
4. When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access.
5. Click Add. Click Single computer.
6. Click DNS Lookup to search for computers or domains by name, rather than by IP address.
7. Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.

IPsec
• Internet protocol security (IPsec) is a framework of open standards for helping to ensure private, secure communications over IP networks through the use of cryptographic security services.
• Supports network-level data integrity, data confidentiality, data origin authentication, and replay protection.
• Provides security for almost all protocols in the TCP/IP suite.
• Protects against network-based attacks from:
  o Untrusted computers and attacks that can result in the denial-of-service of applications, services, or the network
  o Data corruption
  o Data theft
  o User-credential theft
  o Administrative control of servers, other computers, and network

IPsec – Successful Mutual Authentication
• For IPsec-secured communications to be established, there must be mutual authentication between IPsec peers.
• IPsec requires the use of one of the following authentication methods:
  o Kerberos version 5
  o X.509 version 3 computer certificate issued by a public key infrastructure (PKI)
  o A preshared key
• The two IPsec peers must use at least one common authentication method.

VPN Tunneling Protocols
• Enables the encapsulation of a packet from one type of protocol within the datagram of a different protocol.
• Uses point-to-point tunneling protocol (PPTP) to encapsulate IP packets over a public network, such as the Internet.
• You can configure a VPN solution based on:
  o PPTP.
  o Layer two tunneling protocol (L2TP).
  o Secure socket tunneling protocol (SSTP).
  o Internet protocol security (IPsec) using Internet key exchange version 2 (IKEv2).

VPN Tunneling Protocols (continued)
• PPTP
  o Allows multiprotocol traffic to be encrypted and encapsulated in an IP header to be sent across an IP network or a public IP network.
  o Can be used for remote access and site-to-site VPN connections.
• L2TP/IPsec
  o Allows multiprotocol traffic to be encrypted and sent over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM).
  o Is a combination of PPTP and layer 2 forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F.

• Secure Socket Tunneling Protocol (SSTP)
  o Uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic.
  o Provides a mechanism to encapsulate PPP traffic over the secure sockets layer (SSL) channel of the HTTPS protocol.
• IKEv2
  o Uses the IPsec tunnel mode protocol over UDP port 500.
  o Provides resilience to the VPN client when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection.

DNS Vulnerabilities and DNSSEC Improvements
• Domain Name System (DNS) – database that contains mappings between names and other information, such as IP addresses.
• Allows users to locate resources on the network by converting human-readable names to IP addresses through name resolution.
• Web, e-mail, instant messaging, applications and technologies like Active Directory® Domain Services (AD DS) rely on DNS.
• Is vulnerable to spoofing, man-in-the-middle, and cache poisoning.
• Domain name system security extensions (DNSSEC) is a suite of extensions that add security to the DNS protocol.
• DNSSEC provides origin authority, data integrity, and authenticated denial of existence.
• DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC and DS) to DNS.

Attacks on DNS Clients and DNS Servers
A malicious user might be able to guess that a DNS client or server has sent a DNS query and is waiting for a DNS response. Having determined this to be true, the attacker can send spoofed DNS response packets and try to beat the authentic response back.
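
A spoofed response only wins that race if it also passes the matching a resolver applies to every incoming response. The following Python code is an added example, not part of the original lesson: it models that matching (server address, local port, transaction ID, question) and counts non-matching responses as a spoofing indicator. The function and class names, addresses, and messages are constructed for illustration.

```python
import struct

def build_query(txid, qname, qtype=1):
    """Minimal DNS query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def as_response(query):
    """Same ID and question with the QR (response) bit set; constructed sample."""
    return query[:2] + struct.pack("!H", 0x8180) + query[4:]

def parse(msg):
    """Return (txid, is_response, qname, qtype); ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("bad label length")
        labels.append(msg[pos:pos + n].decode("ascii").lower())
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

class PendingQueries:
    """Tracks outstanding queries and counts responses that match none."""
    def __init__(self):
        self.pending = {}      # (server addr, local port, txid) -> (qname, qtype)
        self.mismatches = 0    # a burst of these suggests a spoofing attempt

    def sent(self, server, local_port, query):
        txid, _, qname, qtype = parse(query)
        self.pending[(server, local_port, txid)] = (qname, qtype)

    def accept(self, src, local_port, response):
        try:
            txid, is_resp, qname, qtype = parse(response)
        except ValueError:
            self.mismatches += 1
            return False
        key = (src, local_port, txid)
        if not is_resp or self.pending.get(key) != (qname, qtype):
            self.mismatches += 1
            return False
        del self.pending[key]  # first match wins; later copies are rejected
        return True
```

Because the first response that passes these checks is accepted, matching only raises the cost of guessing; DNSSEC signature validation is what lets a resolver tell an authentic answer from a forged one that happens to match.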

Common Network Attacks
• Without security measures and controls in place, your data might be subjected to an attack.
• Some attacks are passive—information is only viewed.
• Others are active—information is altered with intent to corrupt or destroy the data or the network itself.
• Your networks and data are vulnerable to any of the following types of attacks if you do not have a security plan in place:
  o Identity spoofing
  o Sniffing
  o Eavesdropping
  o Data modification
  o Password-based attacks
  o Man-in-the-middle attack
  o Denial-of-service attack
  o Application-layer attack
  o Compromised key attack

Identity Spoofing (IP Address Spoofing)
• Occurs when the attacker identifies and uses an IP address of a network, computer, or network component to pose as the legitimate entity.
• A successful attack allows the attacker to operate as if the attacker is the entity normally identified by the IP address—modify, reroute, or delete your data.
• Within Office Communications Server 2007 R2, this situation occurs only if an administrator has done both of the following:
  1. Configured connections that support only transmission control protocol (TCP). This is not recommended, because TCP communications are unencrypted.
  2. Had to mark the IP addresses of those connections as trusted hosts. This is less of a problem for transport layer security (TLS) connections, which are by definition encrypted.

Network Sniffing
• The ability of an attacker to eavesdrop on communications between network hosts, read your communications, and cause the network to crash or to become corrupted.
• An attacker can perform network sniffing by performing the following tasks:
  o Compromising the host.
  o Installing a network sniffer.
  o Capturing sensitive data such as network credentials.
  o Using network credentials to compromise additional hosts.
• A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets.

Countermeasures for Network Sniffing Attacks
Reduce the threat of network sniffing attacks on your network:
• Use encryption to protect data.
• Use switches instead of hubs.
• Secure core network devices.
• Use crossover cables.
• Develop use computer and network policies.
• Conduct regular scans.

Eavesdropping
• The majority of network communications are unsecured or "cleartext", which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic.
• Referred to as sniffing or snooping.

Data Modification
• An attacker can modify the data in the packet without the knowledge of the sender or receiver.
• Even if you do not require confidentiality for all communications, you do not want messages to be modified in transit.

Password-Based Attacks
• Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.
• An attacker with password information has the same rights as the real user. If the user has administrator-level rights, the attacker also can create accounts to be used at a later time.
• A successful attacker can:
  o Obtain lists of valid user and computer names and network information.
  o Modify server and network configurations, including access controls and routing tables.
  o Modify, reroute, or delete your data.

Denial-of-Service Attack
• Prevents normal use of your computer or network by valid users.
• After gaining access to your network, the attacker can:
  o Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately.
  o Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
  o Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
  o Block traffic, which results in a loss of access to network resources by authorized users.

Man-in-the-Middle Attack
• Occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication.
• The attacker can reroute a data exchange.
• Resembles someone assuming your identity in order to read your message.
• The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information.

Compromised-Key Attack
• A key is a secret code or number necessary to interpret secured information.
• An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack.
• With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to get additional keys, which might allow the attacker access to other secured communications.

Application-Layer Attack
• Targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls and thus gain control of your application, system, or network.
• The attacker can:
  o Read, add, delete, or modify your data or operating system.
  o Introduce a virus.
  o Introduce a sniffer program.
  o Abnormally terminate your data applications or operating systems.
  o Disable other security controls to enable future attacks.

Lesson Review
• IPsec is a solution for securing a network.
  o It provides a key line of defense against private network and Internet attacks and is easy to use.
• IPsec has two goals:
  1. To protect IP packets
  2. To provide a defense against network attacks
• How are these goals met?