1 SECURING COMMUNICATIONS (Chapter 7)

2 CHAPTER OBJECTIVES
- Explain how to secure remote connections.
- Describe how to secure wireless communications.
- Describe how to use Internet Protocol Security (IPSec) to secure network communications.

3 SECURING REMOTE ACCESS
- More workers are telecommuting now.
- Remote users have various types of communication connections.
- Remote connections have special security requirements.

4 CHOOSING REMOTE CONNECTION METHODS
- Modems support user dial-in connections.
- A remote connection grants Internet access to network users via remote access services.
- Internet connectivity supports virtual private network (VPN) links.
- Connection media are often insecure.

5 DIAL-UP VS. VPN (figure only)

6 DIAL-UP CONNECTIONS
- Modems establish the network link.
- The remote access server
  - Hosts modem banks
  - Authenticates remote users
  - Acts as a router or proxy

7 DIAL-UP CONNECTIONS (CONT.) (figure only)

8 DIAL-UP PROTOCOLS
- Point-to-Point Protocol (PPP)
- Serial Line Internet Protocol (SLIP)

9 CONNECTION-LEVEL SECURITY
- Callback Control Protocol (CBCP)
  - Predefined
  - User-defined
- Caller ID
- Automatic number identification (ANI)

10 ADVANTAGES OF DIAL-UP
- Limited access for attackers
- Low likelihood of eavesdropping

11 DISADVANTAGES OF DIAL-UP
- Cost
- Low productivity
- War dialing

12 VPNs
- VPNs are an alternative to dial-up networks.
- VPNs use the Internet as a connection medium.
- A VPN connection is a tunnel.
- VPN tunnels typically encrypt data.

13 VPN CONNECTIONS (figure only)

14 ADVANTAGES OF VPN
- Low costs
- High productivity
- Fewer external connection points

15 DISADVANTAGES OF VPN
- Risk of attacks
- Risk of eavesdropping
- High exposure to attackers

16 REMOTE CONNECTION REQUIREMENTS
- Remote communications between two computers require using the same protocol.
- Both computers should use secured protocols and applications.
- The server should require user authentication.

17 REMOTE CONNECTION REQUIREMENTS (CONT.) (figure only)

18 COMMON AUTHENTICATION PROTOCOLS
- Password Authentication Protocol (PAP)
- Shiva Password Authentication Protocol (SPAP)
- Challenge Handshake Authentication Protocol (CHAP)

19 COMMON AUTHENTICATION PROTOCOLS (CONT.)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
- Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
- Extensible Authentication Protocol (EAP)
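The two slides above name PAP and CHAP without saying what separates them. The following added example (mine, not from the slides) simulates both exchanges in Python: PAP as in RFC 1334, where the password itself travels over the link, and CHAP as in RFC 1994, where the client answers a fresh random challenge with MD5(identifier || secret || challenge). The user name, secret and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Server-side credential store, constructed for the example. CHAP needs the
# plaintext-equivalent secret on the server; it cannot verify against a
# one-way password hash the way a local login database can.
STORED_SECRETS = {"alice": "correct horse battery staple"}

# --- PAP (RFC 1334): the password itself is the credential on the wire -----
def pap_authenticate_request(user, password):
    return {"user": user, "password": password}

def pap_server_check(msg):
    return STORED_SECRETS.get(msg["user"]) == msg["password"]

# --- CHAP (RFC 1994): challenge/response, the secret is never sent ----------
def chap_new_challenge():
    """The server picks a fresh identifier and random challenge per attempt."""
    return {"id": os.urandom(1)[0], "challenge": os.urandom(16)}

def chap_digest(ident, secret, challenge):
    # Response value = MD5(Identifier || secret || Challenge), per RFC 1994.
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_client_response(chal, user, secret):
    return {"id": chal["id"], "name": user,
            "response": chap_digest(chal["id"], secret, chal["challenge"])}

def chap_server_check(resp, chal):
    secret = STORED_SECRETS.get(resp["name"])
    if secret is None or resp["id"] != chal["id"]:
        return False
    expected = chap_digest(chal["id"], secret, chal["challenge"])
    return hmac.compare_digest(expected, resp["response"])

def replay_demo():
    """A passive observer records one login on each protocol and replays it
    later. Returns (pap_replay_accepted, chap_replay_accepted)."""
    user, secret = "alice", STORED_SECRETS["alice"]
    # PAP: the captured message *is* the credential, so the replay succeeds.
    captured_pap = pap_authenticate_request(user, secret)
    pap_replay_ok = pap_server_check(captured_pap)
    # CHAP: the captured response is bound to the challenge it answered.
    first = chap_new_challenge()
    captured_chap = chap_client_response(first, user, secret)
    assert chap_server_check(captured_chap, first)   # the genuine login works
    later = chap_new_challenge()                      # next login, new challenge
    chap_replay_ok = chap_server_check(captured_chap, later)
    return pap_replay_ok, chap_replay_ok
```

A captured CHAP challenge/response pair can still be tested offline against guessed secrets, which is why the chapter moves on to MS-CHAPv2 and EAP and to encrypting the whole link.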

20 CENTRALIZED AUTHENTICATION
- Centralized authentication provides a single authentication control.
- Remote access servers forward authentication requests.
- Centralized authentication increases security.

21 REMOTE ACCESS SERVER WITH CENTRALIZED AUTHENTICATION (figure only)

22 CENTRALIZED AUTHENTICATION PROTOCOLS
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control Service (TACACS)
- TACACS+

23 RADIUS
- Provides authentication, authorization, and accounting services
- Is vendor independent
- Provides authentication encryption
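The "authentication encryption" RADIUS provides is the MD5-based User-Password hiding and the Response Authenticator defined in RFC 2865. The added Python example below (mine, not from the slides or any RADIUS implementation) builds an Access-Request on the remote access server side, recovers the password on the RADIUS server side, and shows why the client must verify the Access-Accept it gets back. The shared secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2        # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2             # attribute types
SECRET = b"example-shared-secret"           # constructed shared secret

def attr(atype, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    p = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(secret, req_auth, hidden):
    """Server side: regenerate the same keystream from the received blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(ident, user, password, secret=SECRET):
    """Remote access server side. The Request Authenticator must be unpredictable:
    it is the only fresh input to the password keystream."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hide_password(secret, req_auth, password))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def parse_request(pkt, secret=SECRET):
    """RADIUS server side: split header and TLV attributes, recover the password."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("malformed Access-Request")
    req_auth, rest, attrs = pkt[4:20], pkt[20:], {}
    while rest:
        atype, alen = rest[0], rest[1]
        if alen < 2 or alen > len(rest):
            raise ValueError("bad attribute length")
        attrs[atype], rest = rest[2:alen], rest[alen:]
    return ident, req_auth, attrs[USER_NAME].decode(), reveal_password(secret, req_auth, attrs[USER_PASSWORD])

def response_authenticator(secret, code, ident, req_auth, attrs):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def access_accept(ident, req_auth, secret=SECRET, attrs=b""):
    return packet(ACCESS_ACCEPT, ident, response_authenticator(secret, ACCESS_ACCEPT, ident, req_auth, attrs), attrs)

def client_verify_response(pkt, req_auth, secret=SECRET):
    """The client must recompute the Response Authenticator against its own Request
    Authenticator; an Access-Accept injected without the secret fails this check."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    expected = response_authenticator(secret, code, ident, req_auth, pkt[20:])
    return hmac.compare_digest(expected, pkt[4:20])
```

Everything here rests on the shared secret and on the randomness of the Request Authenticator; RADIUS offers no encryption of the rest of the packet, which is why it is usually run only on a protected management network or inside a tunnel.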

24 RADIUS AUTHENTICATION PROCESS (figure only)

25 TACACS AND TACACS+
- Provide centralized access controls
- Used by routers and remote access servers
- Developed by Cisco Systems, Inc.

26 DIFFERENCES BETWEEN RADIUS AND TACACS+
- RADIUS
  - Runs over the User Datagram Protocol (UDP)
  - Provides combined authentication and authorization
  - Used mainly by computers
- TACACS+
  - Runs over the Transmission Control Protocol (TCP)
  - Provides separate authentication and authorization
  - Used mainly by network devices such as routers and switches

27 VPN PROTOCOLS
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IPSec

28 PPTP
- Is a Layer 2 protocol that encapsulates PPP frames in IP datagrams
- Uses PAP, CHAP, and MS-CHAP
- Requires an IP-based network
- Does not support header compression

29 L2TP
- Is an extension of PPP
- Encapsulates PPP frames to be sent over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks
- Can use encrypted or compressed frames
- Includes no mechanisms for authentication or encryption
- Often used with IPSec

30 L2TP OVER IPSEC (L2TP/IPSEC)
- IPSec is used with L2TP to create tunnels.
- Client L2TP/IPSec connections are used to access networks.
- L2TP/IPSec offers gateway-to-gateway (network-to-network) connections.
- L2TP/IPSec supports a wide range of user authentication options.

31 VPN ISSUES
- IPSec provides for multi-vendor interoperability.
- Some network address translation (NAT) implementations cannot use IPSec tunnel mode.
- PPTP security depends on using a password.

32 SECURING VPN CONNECTIONS
- Encrypt authentication and data.
- Monitor traffic leaving a VPN connection.
- Use strong multi-factor authentication.
- Require VPN clients to comply with security policy.
- VPN clients should not bypass security for Internet access.

33 TERMINAL SESSIONS
- Provide remote access
- Let you control a system using a remote client
- Reduce hardware costs
- Create inherent security risks

34 SECURE SHELL PROTOCOL (SSH)
- Is a secure, low-level transport protocol
- Provides remote control and access
- Replaces Telnet, rlogin, and FTP
- Has strong security features

35 WHAT SSH PROTECTS AGAINST
- Packet spoofing
- IP/host spoofing
- Password sniffing
- Eavesdropping

36 WIRELESS COMMUNICATION ISSUES
- Wireless connections are becoming popular.
- Network data is transmitted using radio waves.
- Physical security is no longer sufficient.
- Transmissions can be intercepted outside the building where the data originates.

37 HOW WIRELESS NETWORKING WORKS
- Institute of Electrical and Electronics Engineers (IEEE) 802.11 is the standard
- OSI Layers 1 and 2
- Can use various upper-layer protocols

38 WIRELESS INFRASTRUCTURE MODE NETWORKING (figure only)

39 WIRELESS THREATS
- Theft of service
- Eavesdropping
- Unauthorized access

40 BASIC DEFENSES AGAINST WIRELESS ATTACKS
- Limit the range of radio transmissions.
- Conduct a site survey.
- Measure the signal strength.
- Search for unauthorized access points (APs).
- Restrict access by using a service set identifier (SSID) or by limiting access to specific media access control (MAC) addresses.
- Separate the wireless segment from the rest of the network.

41 WIRED EQUIVALENT PRIVACY (WEP)
- Provides encryption and access control
- Uses the RC4 encryption algorithm
- Uses checksums
- Supports 64-bit and 128-bit encryption
- Supports shared key authentication and open authentication

42 WEP KEYS
- An attacker can discover the WEP key by using a brute-force attack.
- All computers use a single shared WEP key.
- WEP does not define a secure means to distribute the key.
- WEP keys can use manual or automated distribution methods.

43 ADVANTAGES OF WEP
- All messages are encrypted.
- Privacy is maintained.
- WEP is easy to implement.
- WEP provides a basic level of security.
- Keys are user definable and unlimited.

44 DISADVANTAGES OF WEP
- A hacker can easily discover the shared key.
- You must tell users about key changes.
- WEP alone does not provide sufficient wireless local area network (WLAN) security.
- WEP must be implemented on every client and AP.

45 802.1X PROTOCOL
- Is a standard for port-based network access control
- Requires authentication before access
- Uses the Extensible Authentication Protocol over LAN (EAPOL)
- Uses standard security protocols
- Access is based on identity, not on media access control (MAC) address
- Supports extended forms of authentication

46 WI-FI PROTECTED ACCESS (WPA)
- IEEE is developing a new standard, 802.11i.
- WPA is an interim standard that
  - Uses 802.1x authentication
  - Uses native key management
  - Can support WEP simultaneously

47 WIRELESS APPLICATION PROTOCOL (WAP)
- Secures communications in OSI Layers 3–7
- Is commonly used for mobile devices
- Uses Wireless Transport Layer Security (WTLS)
- Is vulnerable to weak algorithms
- Is vulnerable to physical control of wireless gateways

48 USING IPSEC
- Is a network-layer protocol
- Provides authentication and encryption
- Secures communications between any two devices
- Secures routers or network-to-network communications
- Is an industry standard

49 IPSEC PRINCIPLES
- End-to-end security
- Remote-access VPN client and gateway functions
- Site-to-site VPN connections

50 IPSEC ELEMENTS
- Encapsulating Security Payload (ESP) and Authentication Header (AH)
- Tunnel and transport modes

51 USES FOR IPSEC (figure only)

52 IPSEC PROTECTION
IPSec protects against
- Man-in-the-middle attacks
- Spoofing
- Replay attacks
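The replay protection listed above is a sliding window over the sequence number that every IPSec receiver keeps per security association (SA), the same for ESP and AH (RFC 4303, section 3.4.3). The added Python example below (mine, not from the slides) implements that window and shows why it must be advanced only after the packet's integrity check value (ICV) verifies. The window size, the packet trace and the function names are constructed for the example.

```python
class AntiReplayWindow:
    """Inbound anti-replay window kept per security association (SA), the
    mechanism ESP and AH use to reject replayed packets (RFC 4303, 3.4.3).
    Bit i of `bitmap` set means sequence number (top - i) was accepted."""

    def __init__(self, size=64):
        self.size = size                  # RFC 4303 requires at least 32; 64 is common
        self.mask = (1 << size) - 1
        self.top = 0                      # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq):
        """Cheap pre-check done before integrity verification; no state change."""
        if seq == 0:
            return False                  # sequence numbers start at 1 on a fresh SA
        if seq > self.top:
            return True                   # right of the window: a new packet
        diff = self.top - seq
        if diff >= self.size:
            return False                  # left of the window: too old to track
        return not (self.bitmap & (1 << diff))  # inside: reject if already seen

    def update(self, seq):
        """Record `seq` as accepted. Call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def receive(window, seq, icv_ok):
    """Correct order: replay check, then integrity check, then window update."""
    if not window.check(seq):
        return "replay/out-of-window"
    if not icv_ok:
        return "bad ICV"
    window.update(seq)
    return "accepted"

def receive_wrong_order(window, seq, icv_ok):
    """Same logic, but the window is advanced before the ICV is checked, so a
    forged packet with a high sequence number blocks the genuine one."""
    if not window.check(seq):
        return "replay/out-of-window"
    window.update(seq)
    return "accepted" if icv_ok else "bad ICV"

# Constructed packet trace: in-order traffic, one reordered packet, a replay of
# it, a jump far ahead, a forged packet with a bad ICV, the genuine packet with
# that sequence number, a late-but-in-window packet, and one that fell off.
PACKETS = [(1, True), (2, True), (4, True), (3, True), (3, True),
           (200, True), (250, False), (250, True), (230, True), (100, True)]

def demo(handler=receive):
    window = AntiReplayWindow(size=64)
    return [handler(window, seq, icv_ok) for seq, icv_ok in PACKETS]
```

Running demo() with the default handler accepts the genuine packet 250 after the forged one is dropped; demo(receive_wrong_order) rejects it as a replay, which is the failure mode the ordering rule prevents.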

53 IPSEC SECURITY COMPONENTS
- Security association (SA)
- Internet Key Exchange (IKE)
- Kerberos v5
- Certificates
- Preshared authentication keys

54 HOW IPSEC SECURES TRAFFIC (figure only)

55 IPSEC LIMITATIONS
- Computers and devices must support IPSec.
- IPSec is limited by the encryption and authentication methods that devices support.
- IPSec does not secure broadcast and multicast traffic.
- Initialization traffic is not secured.
- IPSec increases the load on system processors.
- When IPSec is handled in hardware, there are no software controls over it.

56 SUMMARY
- RADIUS and TACACS+ are used for centralized authentication of remote access users.
- VPNs are a cost-effective method for users to establish remote connections across the Internet. PPTP and L2TP/IPSec are the most commonly used protocols for VPN connections.
- Terminal sessions and SSH are methods for accessing one computer from another computer over a secure network connection.

57 SUMMARY (CONT.)
- Wireless networks present specific security challenges for administrators. WEP is a commonly used protocol for securing wireless connections, but it has many shortcomings that reduce the security that it provides. The 802.1x and WPA protocols provide better security.
- IPSec secures network traffic at the IP level by providing authentication and encryption. IPSec is transparent to upper-layer protocols and to applications.

