
Chapter 7: Protecting Advanced Communications




1 Chapter 7: Protecting Advanced Communications
Security+ Guide to Network Security Fundamentals Second Edition

2 Objectives
- Harden File Transfer Protocol (FTP)
- Secure remote access
- Protect directory services
- Secure digital cellular telephony
- Harden wireless local area networks (WLANs)

3 Hardening File Transfer Protocol (FTP)
- Three ways to work with FTP: web browser, FTP client, command line
- FTP servers can be configured to allow unauthenticated users to transfer files (called anonymous FTP or blind FTP)
- Anonymous connections accept any address (conventionally an e-mail address) as the password

4 Hardening File Transfer Protocol (FTP)
- Vulnerabilities associated with using FTP: FTP does not use encryption, so files being transferred by FTP are vulnerable to man-in-the-middle attacks
- Use secure FTP to reduce the risk of attack
- "Secure FTP" is a term used by vendors to describe encrypting FTP transmissions
- Most secure FTP products use Secure Sockets Layer (SSL) to perform the encryption

5 Hardening File Transfer Protocol (FTP)
- FTP active mode:
  - Step 1: client connects from a random port N (>1,023) to the FTP server's command port, port 21
  - Client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server
- FTP passive mode:
  - Client initiates both connections to the server
  - When opening an FTP connection, the client opens two local random unprivileged ports (>1,023)
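The PORT command and PASV reply that carry the port numbers above, as an added example that is not from the slides: it encodes the client's active-mode listener, decodes the server's 227 reply, and applies a server-side sanity check (an assumed hardening policy, not a slide statement) that only accepts a PORT back to the control-connection peer on an unprivileged port. All addresses and ports are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def port_command(ep: Endpoint) -> str:
    """Active mode: the client tells the server where its data listener is.
    Wire format is 'PORT h1,h2,h3,h4,p1,p2' with port = p1*256 + p2."""
    if not 0 < ep.port < 65536:
        raise ValueError("port out of range")
    octets = ep.host.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return "PORT " + ",".join(octets + [str(ep.port >> 8), str(ep.port & 0xFF)])


_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_six_tuple(text: str) -> Endpoint:
    """Decode the h1..h4,p1,p2 tuple used by both PORT and the '227 Entering
    Passive Mode (...)' reply a client sees in passive mode."""
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range")
    return Endpoint(".".join(map(str, n[:4])), n[4] * 256 + n[5])


def accept_port_command(cmd: str, control_peer: str) -> bool:
    """Server-side check (assumed policy): connect back only to the host that
    owns the control connection, and only to a port above 1,023 as the slides
    describe for the client's data listener."""
    try:
        ep = parse_six_tuple(cmd)
    except ValueError:
        return False
    return ep.host == control_peer and ep.port > 1023


def client_data_port(control_port: int) -> int:
    """Active mode on the slides: command connection from port N, listener on N+1."""
    return control_port + 1
```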

6 File Transfer Protocol Process
[Figure: FTP connection process, labelling the client's ephemeral port number]

7 Active FTP Example

8 Passive FTP Example

9 Secure Remote Access
- Windows NT includes User Manager to allow dial-in access, while Windows 2003 uses Computer Management for workgroup access and Active Directory for configuring access to the domain
- Windows 2003 Remote Access Policies can lock down a remote access system to ensure that only those intended to have access are actually granted it

10 Tunneling Protocols Tunneling: technique of encapsulating one packet of data within another type to create a secure link of transportation

11 Tunneling Protocols (continued)

12 Point-to-Point Tunneling Protocol (PPTP)
- Most widely deployed tunneling protocol
- Connection is based on the Point-to-Point Protocol (PPP), a widely used protocol for establishing connections over a serial line or dial-up connection between two points
- Client connects to a network access server (NAS) to initiate the connection
- An extension to PPTP is the Link Control Protocol (LCP), which establishes, configures, and tests the connection

13 Point-to-Point Tunneling Protocol (PPTP)

14 Layer 2 Tunneling Protocol (L2TP)
- Represents a merging of the features of PPTP with Cisco's Layer 2 Forwarding Protocol (L2F), which itself was originally designed to address some of the weaknesses of PPTP
- Unlike PPTP, which is primarily implemented as software on a client computer, L2TP can also be found on devices such as routers

15 Authentication Technologies
Authenticating a transmission to ensure that it comes from an approved sender can provide an increased level of security for remote access users

16 IEEE 802.1x
- Based on a standard established by the Institute of Electrical and Electronics Engineers (IEEE)
- Gaining widespread popularity
- Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs)
- Uses port-based authentication mechanisms
- Switch denies access to anyone other than an authorized user attempting to connect to the network through that port

17 IEEE 802.1x (continued)
- A network supporting the 802.1x protocol consists of three elements:
  - Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access
  - Authenticator: serves as an intermediary device between the supplicant and the authentication server
  - Authentication server: receives the request from the supplicant through the authenticator

18 802.1x
- 802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access
- The 802.1x framework defines three roles in the authentication process:
  - Supplicant = endpoint that needs network access
  - Authenticator = switch or access point
  - Authentication server = RADIUS, TACACS+, LDAP
- The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server

19 IEEE 802.1x (continued)

20 802.1x Roles
[Figure: Supplicant, Authenticator, Authentication Server]
Microsoft Windows XP includes 802.1x supplicant support

21 How 802.1x Works
[Figure: End User (client) <-802.1x-> Catalyst 2950 (switch) <-RADIUS-> Authentication Server (RADIUS)]
- The actual authentication conversation occurs between the client and the authentication server using EAP
- The authenticator is aware of this activity, but it is just a middleman

22 How 802.1x Works (Continued)
[Figure: message sequence between End User (client), Catalyst 2950 (switch) and Authentication Server (RADIUS)]
Client <-> Switch                  | Switch <-> Authentication Server
EAPOL-Start                        |
EAP-Request/Identity               |
EAP-Response/Identity              | RADIUS Access-Request
EAP-Request/OTP                    | RADIUS Access-Challenge
EAP-Response/OTP                   | RADIUS Access-Accept
EAP-Success (port authorized)      |
EAPOL-Logoff (port unauthorized)   |

23 802.1x and EAP
- Prior to client authentication, the port will only allow 802.1x protocol, CDP, and STP traffic
- EAP is the transport protocol used by 802.1x to authenticate supplicants against an authentication server such as RADIUS
- RFC 3748 updated EAP to support IEEE 802
- On LAN media, the supplicant and authenticator use the EAP over LANs (EAPOL) encapsulation

24 EAP Characteristics
EAP: the Extensible Authentication Protocol
- Extension of PPP to provide additional authentication features
- A flexible protocol used to carry arbitrary authentication information
- Typically rides on top of another protocol such as 802.1x or RADIUS; EAP can also be used with TACACS+
- Specified in RFC 2284
- Supports multiple authentication types:
  - EAP-MD5: plain password hash (CHAP over EAP)
  - EAP-TLS (based on X.509 certificates)
  - LEAP (EAP-Cisco Wireless)
  - PEAP (Protected EAP)

Speaker notes: Extensible Authentication Protocol (EAP) is a flexible authentication protocol (specified in RFC 2284) that typically rides on top of another protocol such as 802.1X, RADIUS, or TACACS+. It is an extension to the Point-to-Point Protocol (PPP) that enables support for advanced authentication methods without a need to update the AAA client. EAP becomes the medium used to carry user authentication between the supplicant and the authentication server. Some examples of EAP types include:
- LEAP: 802.1X EAP authentication type developed by Cisco to provide dynamic per-user, per-session WEP encryption keys
- PEAP: 802.1X EAP authentication type designed to leverage server-side EAP-Transport Layer Security (EAP-TLS) and support a variety of different authentication methods, including log-on passwords and one-time passwords (OTPs)
- EAP-TLS: 802.1X EAP authentication algorithm based on the TLS protocol (RFC 2246); TLS utilizes mutual authentication based on X.509 certificates
- EAP-MD5 (Message Digest 5): username/password method that incorporates MD5 hashing for more secure authentication
- EAP-GTC (Generic Token Card): allows One-Time Password (OTP) authentication

25 How Does Basic Port Based Network Access Work?
[Figure: 802.1x-capable Ethernet LAN access devices (Catalyst 6500 Series, 4500/4000 Series, 3550/2950 Series, access points) between the host and a Cisco Secure ACS AAA RADIUS server; the actual authentication conversation is between the client and the authentication server using EAP. Steps 1-7 in the figure: host device attempts to connect to the switch; switch requests ID; client sends ID/password or certificate; switch forwards credentials to the ACS server; authentication successful; switch applies policies and enables the port; client now has secure access]

Speaker notes: This diagram shows only the basic component of Identity Based Networking Services; what is newly introduced builds upon this basic foundation. IEEE 802.1x is an open-standards-based protocol for authenticating network clients (or ports) on a user-ID or device basis. This process is called "port-level authentication". It takes the RADIUS (Remote Authentication Dial-In User Service) methodology and separates it into three distinct groups: the supplicant, the authenticator, and the authentication server. 802.1X works between end devices and users (called "supplicants") trying to connect to ports and the Ethernet solution, such as Catalyst switching or Cisco wireless access points (called the "authenticator"). Authentication and authorization are achieved with backend communication to an authentication server (such as Cisco Secure ACS). IEEE 802.1X provides automated user identification, centralized authentication, key management, and provisioning of LAN connectivity. The first step is to define users or group policies within the authentication server, or in an LDAP data store accessed by the authentication server.

Basics of Identity Based Networking Services:
1. A user powers on, plugs in, or activates their wireless network card.
2. When the Catalyst switch or wireless access point (authenticator) detects that a user (supplicant) is attempting to connect to the network, it initiates an EAPOL (Extensible Authentication Protocol (EAP) over LANs) exchange requesting the user to provide their credentials.
3. The client sends its credentials to the switch or access point (authenticator).
4. The authenticator forwards the credentials to the authentication server.
5. The authentication server authenticates the user and either grants or denies access accordingly. We will assume for the purposes of this illustration that the user is successfully authenticated.
6. The authentication server communicates back to the authenticator that the user has successfully authenticated and can be granted access to the network.
7. The switch or wireless access point opens the communications port, granting network access. The user now has access to physical LAN services.

Cisco's IBNS solution offers enhancements beyond identity authentication and secure network connectivity: dynamic provisioning of VLANs on a per-user basis, support for a guest VLAN, AVVID support for auxiliary VLANs (VVID), and 802.1X with port security. The switch detects the 802.1x-compatible client, forces authentication, then acts as a middleman during the authentication; upon successful authentication the switch sets the port to forwarding and applies the designated policies.
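The exchange on slides 22 and 25 as a runnable simulation, added here and not the slides' or Cisco's code: the authenticator (switch) keeps the port unauthorized, bridges only EAPOL before authorization, relays EAP between supplicant and a RADIUS-style server without inspecting the one-time password, and changes port state only on EAP-Success and EAPOL-Logoff. The identity/OTP table is constructed.

```python
# Added example: three 802.1x roles from the slides, simulated in memory.
# AUTH_DB is a constructed identity -> expected one-time password table.
from dataclasses import dataclass, field

AUTH_DB = {"alice": "903412"}

class AuthServer:
    """RADIUS-style server: each Access-Request yields Challenge, Accept or Reject."""
    def handle(self, identity, otp=None):
        if identity not in AUTH_DB:
            return "Access-Reject", "EAP-Failure"
        if otp is None:
            return "Access-Challenge", "EAP-Request/OTP"
        if otp == AUTH_DB[identity]:
            return "Access-Accept", "EAP-Success"
        return "Access-Reject", "EAP-Failure"

class Supplicant:
    """Client endpoint: answers only the EAP requests it understands."""
    def __init__(self, identity, otp):
        self.identity, self.otp = identity, otp
    def respond(self, eap_request):
        if eap_request == "EAP-Request/Identity":
            return "EAP-Response/Identity", self.identity
        if eap_request == "EAP-Request/OTP":
            return "EAP-Response/OTP", self.otp
        raise ValueError(f"unsupported request {eap_request}")

@dataclass
class Authenticator:
    server: AuthServer
    port_authorized: bool = False
    log: list = field(default_factory=list)

    def forward(self, frame: str) -> bool:
        """Before authorization only EAPOL frames pass; other traffic is dropped."""
        if self.port_authorized or frame.startswith("EAPOL"):
            return True
        self.log.append(f"dropped {frame}: port unauthorized")
        return False

    def run(self, supp: Supplicant) -> bool:
        self.log += ["EAPOL-Start", "EAP-Request/Identity"]
        kind, identity = supp.respond("EAP-Request/Identity")
        self.log += [kind, "RADIUS Access-Request"]
        radius, eap = self.server.handle(identity)
        self.log += ["RADIUS " + radius, eap]
        if radius == "Access-Challenge":
            kind, otp = supp.respond(eap)          # the switch never inspects the OTP
            self.log += [kind, "RADIUS Access-Request"]
            radius, eap = self.server.handle(identity, otp)
            self.log += ["RADIUS " + radius, eap]
        self.port_authorized = eap == "EAP-Success"
        return self.port_authorized

    def logoff(self):
        self.log.append("EAPOL-Logoff")
        self.port_authorized = False
```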

26 IEEE 802.1x (continued)
- Several variations of EAP can be used with 802.1x:
  - EAP-Transport Layer Security (EAP-TLS)
  - Lightweight EAP (LEAP)
  - EAP-Tunneled TLS (EAP-TTLS)
  - Protected EAP (PEAP)
  - Flexible Authentication via Secure Tunneling (FAST)

27 Remote Authentication Dial-In User Service (RADIUS)
- Originally defined to enable centralized authentication and access control for PPP sessions
- Requests are forwarded to a single RADIUS server
- Supports authentication, authorization, and auditing (accounting) functions
- After the connection is made, the RADIUS server adds an accounting record to its log and acknowledges the request
- Allows a company to maintain user profiles in a central database that all remote servers can share

28 Terminal Access Controller Access Control System (TACACS+)
- Industry standard protocol specification that forwards username and password information to a centralized server (TACACS)
- Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not
- TACACS+ utilizes TCP port 49
- It is a Cisco proprietary enhancement to the original TACACS protocol

29 Secure Transmission Protocols
PPTP and L2TP provide a secure mechanism for preventing eavesdroppers from viewing transmissions

30 Secure Shell (SSH)
- One of the primary goals of the ARPANET (which became today's Internet) was remote access
- SSH is a UNIX-based command interface and protocol for securely accessing a remote computer
- Suite of three utilities: slogin, ssh, and scp
- Can protect against: IP spoofing, DNS spoofing, intercepting information

31 Secure Shell (SSH) (continued)

32 IP Security (IPSec)
- Different security tools function at different layers of the Open Systems Interconnection (OSI) model
- Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) operate at the Application layer
- Kerberos functions at the Session layer

33 IP Security (IPSec) (continued)

34 IP Security (IPSec) (continued)
- IPSec is a set of protocols developed to support the secure exchange of packets:
  - Encapsulating Security Payload (ESP)
  - Authentication Header (AH)
  - Internet Security Association and Key Management Protocol (ISAKMP/IKE)
- Considered to be a transparent security protocol: transparent to applications, users, and software because it resides at Layer 3 of the OSI model
- Provides three areas of protection that correspond to the three IPSec protocols: authentication, confidentiality, key management

35 IP Security (IPSec) (continued)
- Supports two encryption modes:
  - Transport mode encrypts only the data portion (payload) of each packet, leaving the header unencrypted
  - Tunnel mode encrypts both the header and the data portion
- IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet
- The entire original packet is then treated as the data portion of the new packet

36 IP Security (IPSec) (continued)
[Figure: Tunnel Mode]

37 IP Security (IPSec) (continued)
- Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with transport or tunnel mode, creating four possible transport mechanisms:
  - AH in transport mode
  - AH in tunnel mode
  - ESP in transport mode
  - ESP in tunnel mode
- Usually a combination of the four is used for each VPN policy/transform set

38 Virtual Private Networks (VPNs)
- Takes advantage of the public Internet as if it were a private network
- Allows the public Internet to be used privately
- Prior to VPNs, organizations were forced to lease expensive data connections (leased lines) from private carriers so employees could remotely connect to the organization's network

39 Virtual Private Networks (VPNs)
- Two common types of VPNs:
  - Remote-access VPN or virtual private dial-up network (VPDN): user-to-LAN connection used by remote users
  - Site-to-site VPN: multiple sites can connect to other sites over the Internet
- VPN transmissions are achieved through communicating with endpoints
- An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall

40 Virtual Private Networks (VPNs)

41 Hardening WLANs
- By 2007, >98% of all notebooks will be wireless-enabled
- Serious security vulnerabilities have also been created by wireless data technology:
  - Unauthorized users can access the wireless signal from outside a building and connect to the network
  - Attackers can capture and view transmitted data
  - Employees in the office can install personal wireless equipment and defeat perimeter security measures
  - Attackers can crack wireless security with kiddie scripts

42 IEEE 802.11 Standards
- A WLAN shares the same characteristics as a standard data-based LAN, with the exception that network devices do not use cables to connect to the network
- RF is used to send and receive packets
- Sometimes called Wi-Fi (Wireless Fidelity); network devices can transmit at 11 to 108 Mbps at a range of 150 to 375 feet
- 802.11a has a maximum rated speed of 54 Mbps and also supports 48, 36, 24, 18, 12, 9, and 6 Mbps transmissions at 5 GHz

43 IEEE 802.11 Standards
- In September 1999, 802.11b High Rate was added as an amendment to the 802.11 standard
- 802.11b added two higher speeds, 5.5 and 11 Mbps
- 802.11b operates at 2.4 GHz
- 802.11b had greater range and was more widely adopted than 802.11a despite its slower maximum throughput

44 IEEE 802.11 Standards
- 802.11g features the best of both worlds: the maximum throughput of 802.11a and the greater range of 802.11b, transmitting at 2.4 GHz
- 802.11g is also backward compatible with 802.11b

45 WLAN Components
- Each network device must have a wireless network interface card installed
- Wireless NICs are available in a variety of formats:
  - PCI card for your desktop
  - PCMCIA for your laptop
  - USB stick for either

46 WLAN Components (continued)
- An access point (AP) consists of three major parts:
  - An antenna and a radio transmitter/receiver to send and receive signals
  - An RJ-45 wired network interface that allows it to connect by cable to a standard wired network
  - Special bridging software or a bridge virtual interface (BVI) to bridge from the radio interface to the Ethernet interface

47 Basic WLAN Security
- Two areas: basic WLAN security and enterprise WLAN security
- Basic WLAN security uses two new wireless tools and one tool from the wired world:
  - Service Set Identifier (SSID) beaconing
  - MAC address filtering
  - Wired Equivalent Privacy (WEP)

48 Service Set Identifier (SSID) Beaconing
- A service set is a technical term used to describe a WLAN network
- SSID beaconing means broadcasting your SSID (usually the default)
- Three types of service sets:
  - Independent Basic Service Set (IBSS) is used for ad hoc wireless networks
  - Basic Service Set (BSS) is used by an AP to send signals to other wireless devices
  - Extended Service Set (ESS) uses multiple APs to cover a large area
- Each WLAN is given a unique SSID

49 MAC Address Filtering
- Another way to harden a WLAN is to filter MAC addresses
- The MAC addresses of approved wireless devices are entered on the AP
- A MAC address can be spoofed
- When wireless devices and the AP first exchange packets, the MAC address of the wireless device is sent in plaintext, allowing an attacker with a sniffer to see the MAC address of an approved device

50 Wired Equivalent Privacy (WEP)
- Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents
- Uses shared keys: the same key for encryption and decryption must be installed on the AP as well as on each wireless device
- A serious vulnerability in WEP is that the Initialization Vector (IV) is not properly implemented
- Every time a packet is encrypted it should be given a unique IV
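Why a repeated IV matters, as an added example that is not from the slides: a WEP-style RC4 encryptor that seeds the cipher with IV || shared key, a capture-review function that flags IVs used more than once, and the birthday-bound probability that a 24-bit IV repeats. The key, IVs and payloads are constructed; RC4 is the standard KSA/PRGA.

```python
# Added example (not from the slides): WEP-style RC4 encryption with a 24-bit IV,
# a defender-side detector for reused IVs in a capture, and the birthday-bound
# collision probability.  Key, IVs and payloads used with it are constructed.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key and prepends the IV in the clear, so
    a repeated IV under the same key reproduces the same keystream.  Decryption
    is the same operation applied to the ciphertext (XOR is its own inverse)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + shared_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def find_iv_reuse(frames):
    """Capture review: return the IVs that appear in more than one frame.
    Frames that share an IV share a keystream, so XORing their ciphertexts
    cancels the keystream and leaks the XOR of the two plaintexts."""
    seen, reused = set(), []
    for frame in frames:
        iv = frame[:3]
        if iv in seen and iv not in reused:
            reused.append(iv)
        seen.add(iv)
    return reused

def iv_collision_probability(n_frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of n random IVs collide.
    With 2^24 IVs a busy AP reaches a coin-flip chance after about 5,000 frames."""
    space = 2 ** iv_bits
    p_unique = 1.0
    for i in range(n_frames):
        p_unique *= 1 - i / space
    return 1 - p_unique
```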

51 Wired Equivalent Privacy (WEP)

52 Other Wireless Authentication Protocols
- Wi-Fi Protected Access (WPA): the TKIP encryption algorithm was developed for WPA to provide improvements to WEP
- WPA2: Wi-Fi Alliance branded version of the final 802.11i standard
  - WPA2 supports EAP authentication methods using RADIUS servers and preshared key (PSK) based security
  - Also known as WPA Enterprise
- Related protocols listed on the slide: 802.1X, LEAP, PEAP, TKIP

53 Untrusted Network
- The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use
- One approach to securing a WLAN is to treat it as an untrusted and unsecure network
- Requires that the WLAN be placed outside the secure perimeter of the trusted network
- May use a DSL line for wireless access so that the wireless network is not on the LAN

54 Untrusted Network (continued)

55 Trusted Network
- It is still possible to provide security for a WLAN and treat it as a trusted network
- Wi-Fi Protected Access (WPA) was crafted by the WECA in 2002 as an interim solution until a permanent wireless security standard could be implemented
- Has two components: WPA encryption and WPA access control

56 Trusted Network (continued)
- WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP)
- TKIP mixes keys on a per-packet basis to improve security
- Although WPA provides enhanced security, the IEEE 802.11i solution is even more secure

57 Summary
- The FTP protocol has several security vulnerabilities: it does not natively use encryption and is vulnerable to man-in-the-middle attacks
- FTP can be hardened by using secure FTP (which encrypts using SSL)
- Protecting remote access transmissions is particularly important in today's environment as more users turn to the Internet as the infrastructure for accessing protected information

58 Summary (continued)
- Authenticating a transmission to ensure it came from the sender can provide increased security for remote access users
- SSH is a UNIX-based command interface and protocol for securely accessing a remote computer
- A directory service is a database stored on the network itself and contains all the information about users and network devices
- Digital cellular telephony provides various features to operate on a wireless digital cellular device
- WLANs have a dramatic impact on user access to data
