Guide to Network Security First Edition Chapter Five Network Authentication and Remote Access Using VPN.

Slides:



Advertisements
Similar presentations
Encrypting Wireless Data with VPN Techniques
Advertisements

Internet Protocol Security (IP Sec)
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Guide to Network Defense and Countermeasures Second Edition
Access Control Chapter 3 Part 3 Pages 209 to 227.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
11 Setting Up a Virtual Private Network
Access Control Methodologies
Module 5: Configuring Access for Remote Clients and Networks.
SCSC 455 Computer Security Virtual Private Network (VPN)
Security+ Guide to Network Security Fundamentals, Fourth Edition
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Guide to Network Defense and Countermeasures Second Edition
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.
Virtual Private Networks and IPSec
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 10 Configuring Remote Access.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
Internet Protocol Security (IPSec)
Remote Networking Architectures
Virtual Private Network (VPN) © N. Ganesan, Ph.D..
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
1 © J. Liebeherr, All rights reserved Virtual Private Networks.
Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.
Virtual Private Network
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
Understanding VPN Concepts Virtual Private Network (VPN) enables computers to –Communicate securely over insecure channels –Exchange private encrypted.
1 Guide to Network Defense and Countermeasures Chapter 7.
Chapter 11: Setting up a Virtual Private Network.
Configuring Routing and Remote Access(RRAS) and Wireless Networking
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Virtual Private Network (VPN) SCSC 455. VPN A virtual private network that is established over, in general, the Internet – It is virtual because it exists.
Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
12-Sep-15 Virtual Private Network. Why the need To transmit files securely without disclosing sensitive information to others in the Internet.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.
Chapter 13 – Network Security
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Guide to Firewalls and VPNs, 3 rd Edition Chapter Ten Setting Up A Virtual Private Network.
Hands-On Microsoft Windows Server Introduction to Remote Access Routing and Remote Access Services (RRAS) –Enable routing and remote access through.
BZUPAGES.COM. What is a VPN VPN is an acronym for Virtual Private Network. A VPN provides an encrypted and secure connection "tunnel" path from a user's.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Guide to Firewalls and VPNs, 3 rd Edition Chapter Three Authenticating Users.
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
© ITT Educational Services, Inc. All rights reserved. IS3230 Access Security Unit 7 Authentication Methods and Requirements.
V IRTUAL P RIVATE N ETWORKS K ARTHIK M OHANASUNDARAM W RIGHT S TATE U NIVERSITY.
Privilege Management Chapter 22.
Guide to Network Defense and Countermeasures Third Edition
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Securing Access to Data Using IPsec Josh Jones Cosc352.
VIRTUAL PRIVATE NETWORKS Lab#9. 2 Virtual Private Networks (VPNs)  Institutions often want private networks for security.  Costly! Separate routers,
Security Methods and Practice CET4884
Presentation transcript:

Guide to Network Security First Edition Chapter Five Network Authentication and Remote Access Using VPN

© 2013 Course Technology/Cengage Learning. All Rights Reserved Objectives Define access control and identify the various ways it can be implemented Explain why authentication is a critical aspect of network access control Identify the component parts of virtual private networks (VPNs) List and define the essential activities that an VPN must be able to perform Explain the various VPN architectures in common use 2

© 2013 Course Technology/Cengage Learning. All Rights Reserved Introduction Network security strategies authenticate machines: –Rather than individuals Stronger level of authentication –Network Access Control (NAC) –VPN access controllers Main types of authentication performed by network security devices –Client –User –Session 3

© 2013 Course Technology/Cengage Learning. All Rights Reserved Access Control Access controls regulate admission into trusted areas of the organization –Logical access to information systems –Physical access to facilities Made up of policies, programs, and technologies Processes –Identification –Authentication –Authorization –Accountability 4

© 2013 Course Technology/Cengage Learning. All Rights Reserved Access Control (cont’d.) Key principles of access control –Least privilege Members allowed minimal amount of information necessary to perform required duties –Need to know Limits user’s access to specific information required for a task –Separation of duties Tasks are divided between two or more individuals 5

© 2013 Course Technology/Cengage Learning. All Rights Reserved Categories of Access Control Functional characteristics –Deterrent –Preventative –Detective –Corrective –Recovery –Compensating 6

© 2013 Course Technology/Cengage Learning. All Rights Reserved Categories of Access Control (cont’d.) NIST SP classification –Management –Operational –Technical Mandatory access controls –Controls enforced by computer system without intervention from the data owner 7

© 2013 Course Technology/Cengage Learning. All Rights Reserved8 Table 5-1 Examples of controls categorized by operational level and functional characteristics © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved Categories of Access Control (cont’d.) U.S. Military classification scheme –Unclassified –Sensitive but unclassified –Confidential –Secret –Top Secret Discretionary access controls –Implemented at the discretion of the data owner 9

© 2013 Course Technology/Cengage Learning. All Rights Reserved10 Figure 5-1 Sample access control matrix © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved Categories of Access Control (cont’d.) Nondiscretionary controls –Determined by a central authority –Can be either role-based or task-based Other forms of access control –Content-dependent –Constrained user interfaces –Temporal (time-based) isolation 11

© 2013 Course Technology/Cengage Learning. All Rights Reserved Identification Process by which a computer system recognizes a user’s identity Accounts are stored locally or centralized Default accounts –Operating systems have a default user account Root (UNIX) or administrator (Windows) –Default accounts should be renamed to make more difficult to access 12

© 2013 Course Technology/Cengage Learning. All Rights Reserved Identification (cont’d.) Periodic reviews –Performed by network administrators –Ensure employee still works at the company –Determine if employee still requires an account 13

© 2013 Course Technology/Cengage Learning. All Rights Reserved Authentication Act of confirming the identity or user account User proposes and verifies an identity with some combination of: –Something you know Password or passphrase –Something you have Smart card or key –Something you are Fingerprint, iris scan, or voiceprint 14

© 2013 Course Technology/Cengage Learning. All Rights Reserved Password Security Issues Cracking –Guessing, breaking, or stealing passwords to gain system access –Methods: dictionary and brute force attacks Rainbow tables –Contain hash outputs for many different password combinations Password policies –Guidelines to help enforce password confidentiality 15

© 2013 Course Technology/Cengage Learning. All Rights Reserved Password Security Issues (cont’d.) Example of a password policy –At least eight characters –Contain at least one uppercase character –Contain at least one lowercase character –Contain at least one number and symbol –Contain no part of the user’s name –Contain no words commonly found in a dictionary –Contain no repeating characters –Be combined with a salt when calculating hashes 16

© 2013 Course Technology/Cengage Learning. All Rights Reserved Password Security Issues (cont’d.) Example of password policy restrictions –Users must change passwords at least every 90 days –Remember 10 or more previously used passwords –Lock accounts after three to five invalid login attempts Lax security practices to avoid –Using simple passwords –Storing passwords on paper in readily visible areas –Sharing passwords between systems or with others 17

© 2013 Course Technology/Cengage Learning. All Rights Reserved Password Security Issues (cont’d.) One-time password software –Password generated for one-time use during a single session –Challenge-response passwords –Password list passwords –Token generators 18

© 2013 Course Technology/Cengage Learning. All Rights Reserved Implementing Authentication Most operating systems equipped with authentication schemes Firewalls and VPN access controllers can perform user authentication General process to authenticate users –Client requests access to a resource –Firewall prompts for username and password –User submits information and is authenticated –Request is checked against firewall’s rule base –Request is granted or denied 19

© 2013 Course Technology/Cengage Learning. All Rights Reserved20 Figure 5-2 Basic user authentication © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved Implementing Authentication (cont’d.) User authentication –Simplest type –Authorized users added to access control lists Client authentication –Similar to user authentication –Includes usage limits –Specific period of time or number of times –Standard or specific sign-on is used 21

© 2013 Course Technology/Cengage Learning. All Rights Reserved Implementing Authentication (cont’d.) Network access control (NAC) –Before a device may communicate on the network Must meet specific thresholds –Device has authorized user credentials needed to access network –Device must have appropriate security tools and up- to-date software versions –Device has correct system configuration –Device complies with security standards 22

© 2013 Course Technology/Cengage Learning. All Rights Reserved Implementing Authentication (cont’d.) Session authentication –Requires authentication whenever client system attempts connection –A session is established Some advanced firewalls: –Offer multiple authentication methods 23

© 2013 Course Technology/Cengage Learning. All Rights Reserved24 Table 5-2 Authentication methods © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved Implementing Authentication (cont’d.) Centralized authentication –Central server maintains all user authorizations Also called authentication, authorization, and auditing (AAA) server –Can use several different authentication methods See Figure 5-4 for Kerberos See Tables 5-3 and 5-4 for TACACS+ and RADIUS 25

© 2013 Course Technology/Cengage Learning. All Rights Reserved26 Figure 5-3 Centralized authentication © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved27 Figure 5-4 Kerberos authentication © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved28 Table 5-3 Characteristics of TACACS+ and RADIUS © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved29 Table 5-4 Filtering rules for TACACS+ and RADIUS © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved Virtual Private Networks Connects remote workers Older technology –Dial-up connectivity –Leased lines –Remote Authentication Service Virtual private networks (VPNs) –Provide secure point-to-point communication over the public Internet –Data is encapsulated and encrypted 30

© 2013 Course Technology/Cengage Learning. All Rights Reserved Extranets and Intranets Extranet –Extension of organization’s network using the Internet Intranet –Logical network restricted to employees within the organization 31

© 2013 Course Technology/Cengage Learning. All Rights Reserved Figure 5-5 VPN for intranets and extranets © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved VPN Components and Operations Many telecommunications companies provide VPN services VPN components –Hardware devices –Software that performs security-related activities Endpoints or terminators –Hardware devices at each end –Perform encryption, authentication, and encapsulation 33

© 2013 Course Technology/Cengage Learning. All Rights Reserved VPN Components and Operations (cont’d.) VPN tunnel –Virtual communications path –Uses TCP/IP See Figures 5-6, 5-7, and 5-8 for example VPN configurations 34

© 2013 Course Technology/Cengage Learning. All Rights Reserved Figure 5-6 Simplified model VPN © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved36 Figure 5-7 Model VPN © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved37 Figure 5-8 Common VPN © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved Essential Activities of VPNs IP encapsulation –Enclosing a packet within another packet Different IP source and destination information Data payload encryption –Transport method encrypts traffic when generated Data is encrypted, not header –Tunnel method encrypts data in transit Both header and data portions encrypted 38

© 2013 Course Technology/Cengage Learning. All Rights Reserved39 Figure 5-9 VPN IP encapsulation with transport encryption and tunnel encryption methods © Cengage Learning 2013

© 2013 Course Technology/Cengage Learning. All Rights Reserved Essential Activities of VPNs (cont’d.) Encrypted authentication –Encryption domain: everything in the protected network behind the gateway –Same cryptographic system that encrypts packets: Authenticates computers using the VPN 40

© 2013 Course Technology/Cengage Learning. All Rights Reserved Types of VPNs Site-to-site VPN –Links two or more networks Client-to-site VPN –Makes network accessible to remote users who need dial-in access Two types not mutually exclusive 41

© 2013 Course Technology/Cengage Learning. All Rights Reserved VPN Appliances Hardware device designed to terminate VPNs –Permits connections among large number of users –Does not provide file sharing and printing Software VPN –Less expensive than hardware systems –More scalable on fast-growing networks VPN combinations of hardware and software –Implement a VPN appliance at the central network –Use client software at remote end of each connection 42

© 2013 Course Technology/Cengage Learning. All Rights Reserved Figure 5-10 Hardware VPN © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved VPN Architectures Mesh configuration –Each participant in the VPN has an approved relationship with every other participant Relationship called security association (SA) Hub-and-spoke configuration –Single VPN router contains records of all SAs in the VPN –All communication flows through central router Router must have double the bandwidth of other connections 44

© 2013 Course Technology/Cengage Learning. All Rights Reserved Figure 5-11 Mesh VPN © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved Figure 5-12 Hub-and-spoke VPN © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved VPN Architectures Hybrid configuration –Mixture of mesh and hub-and-spoke configurations –Mesh configuration should handle time-critical communications –Overseas branches can be part of hub-and-spoke configuration 47

© 2013 Course Technology/Cengage Learning. All Rights Reserved Tunneling Protocols Used with VPNs Proprietary protocols used in the past IPSec/IKE –Standard for secure encrypted communication –Uses two security methods Authenticated Headers (AH) Encapsulating Security Payload (ESP) –Works in both transport and tunnel modes Point-to-point tunneling protocol (PPTP) –Used for connection using dial-in modem 48

© 2013 Course Technology/Cengage Learning. All Rights Reserved Tunneling Protocols Used with VPNs (cont’d.) Layer2 tunneling protocol (L2TP) –Extension of PPP –Provides secure authenticated remote access –Separates process of initiating connection from process of forwarding data UNIX-based methods for creating VPNs –Point-to-point protocol over Secure Sockets Layer –Point-to-point protocol over Secure Shell 49

© 2013 Course Technology/Cengage Learning. All Rights Reserved Table 5-5 VPN protocols and their uses © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved VPN Best Practices Create a VPN policy –Identify who can use VPN –Specify proper use of the VPN Determine where encryption/decryption will be performed –In relation to packet filtering –See Figures 5-13 and 5-14 for external and internal options 51

© 2013 Course Technology/Cengage Learning. All Rights Reserved Figure 5-13 External encryption © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved Figure 5-14 Internal encryption © Cengage Learning

© 2013 Course Technology/Cengage Learning. All Rights Reserved Benefits and Drawbacks of VPNs Benefits –Secure networking without overhead of maintaining leased lines –Packet encryption/translation overhead handled on dedicated systems Decreased load on production machines Drawbacks –Complex –Can create network vulnerabilities if improperly configured 54

© 2013 Course Technology/Cengage Learning. All Rights Reserved Benefits and Drawbacks of VPNs (cont’d.) VPNs extend network boundaries Suggestions for dealing with increased risk –Multifactor authentication –Integrated virus protection –NAC –Usage limits 55

© 2013 Course Technology/Cengage Learning. All Rights Reserved Summary Network security devices require authentication: –To assign different levels of authorization to different users and groups Network security device authentication schemes –User, client, and session Centralized authentication methods include Kerberos, TACACS+, and RADIUS Passwords can be static or dynamically generated VPNs provide secure, point-to-point communications over the Internet 56

© 2013 Course Technology/Cengage Learning. All Rights Reserved Summary (cont’d.) VPNs can use mesh, hub-and-spoke, or hybrid configurations Standard protocols today include IPSec/IKE, PPTP, L2TP, PPP over SSL, and PPP over SSH 57

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.