SECURING COMMUNICATIONS

Chapter 7

Upload: gwendoline-sanders

Posted on 28-Dec-2015

Chapter 7: SECURING COMMUNICATIONS 2

CHAPTER OBJECTIVES

Explain how to secure remote connections.

Describe how to secure wireless communications.

Describe how to use Internet Protocol Security (IPSec) to secure network communications.

SECURING REMOTE ACCESS

More workers are telecommuting now.

Remote users have various types of communication connections.

Remote connections have special security requirements.

CHOOSING REMOTE CONNECTION METHODS

Modems support user dial-in connections.

A remote connection grants Internet access to network users via remote access services.

Internet connectivity supports virtual private network (VPN) links.

Connection media are often insecure.

DIAL-UP VS. VPN

DIAL-UP CONNECTIONS

Modems establish the network link.

The remote access server:

Hosts modem banks

Authenticates remote users

Acts as a router or proxy

DIAL-UP CONNECTIONS (CONT.)

DIAL-UP PROTOCOLS

Point-to-Point Protocol (PPP)

Serial Line Internet Protocol (SLIP)

CONNECTION-LEVEL SECURITY

Callback Control Protocol (CBCP):

Predefined

User-defined

Caller ID

Automatic number identification (ANI)

ADVANTAGES OF DIAL-UP

Limited access for attackers

Low likelihood of eavesdropping

DISADVANTAGES OF DIAL-UP

Cost

Low productivity

War dialing

VPNs

VPNs are an alternative to dial-up networks.

VPNs use the Internet as a connection medium.

A VPN connection is a tunnel.

VPN tunnels typically encrypt data.

VPN CONNECTIONS

ADVANTAGES OF VPN

Low costs

High productivity

Fewer external connection points

DISADVANTAGES OF VPN

Risk of attacks

Risk of eavesdropping

High exposure to attackers

REMOTE CONNECTION REQUIREMENTS

Remote communications between two computers require using the same protocol.

Both computers should use secured protocols and applications.

The server should require user authentication.

REMOTE CONNECTION REQUIREMENTS (CONT.)

COMMON AUTHENTICATION PROTOCOLS

Password Authentication Protocol (PAP)

Shiva Password Authentication Protocol (SPAP)

Challenge Handshake Authentication Protocol (CHAP)

COMMON AUTHENTICATION PROTOCOLS (CONT.)

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)

Extensible Authentication Protocol (EAP)
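The contrast between PAP and CHAP in the list above, as an added example that is not part of the original slides: PAP puts the password on the wire, while CHAP (RFC 1994) sends only MD5(Identifier || secret || challenge) for a fresh challenge each time, so a sniffed response is not reusable. The username and secret are constructed values.

```python
import hashlib
import hmac
import os

# Constructed credentials for the demonstration (not from the slides).
USERNAME = "alice"
SECRET = b"correct horse battery staple"

def pap_authenticate_request(username, password):
    """PAP: the peer sends ID and password in cleartext, so anyone
    sniffing the link learns the password directly."""
    return b"PAP " + username.encode() + b":" + password

def chap_challenge():
    """Authenticator side of CHAP (RFC 1994): an identifier plus a fresh,
    unpredictable challenge for every handshake."""
    return os.urandom(1)[0], os.urandom(16)

def chap_response(identifier, secret, challenge):
    """Peer side: MD5(Identifier || secret || challenge). The secret itself
    never crosses the link, only this one-time digest."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute and compare in constant time. Note the
    server must hold the cleartext secret (or an equivalent) to do this."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def demo():
    """One PAP exchange and one CHAP exchange, as seen by a passive sniffer."""
    pap_wire = pap_authenticate_request(USERNAME, SECRET)
    ident, chal = chap_challenge()
    resp = chap_response(ident, SECRET, chal)
    # A response recorded from this handshake is useless against the next
    # challenge, which is what stops a simple replay.
    ident2, chal2 = chap_challenge()
    return {
        "pap_exposes_secret": SECRET in pap_wire,
        "chap_exposes_secret": SECRET in resp,
        "chap_valid": chap_verify(ident, SECRET, chal, resp),
        "replay_valid": chap_verify(ident2, SECRET, chal2, resp),
    }
```

The trade-off the verifier shows is that CHAP protects the secret in transit only because the server stores it in a form it can recompute from, which is one reason EAP methods with stronger credentials replaced it.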

CENTRALIZED AUTHENTICATION

Centralized authentication provides a single authentication control.

Remote access servers forward authentication requests.

Centralized authentication increases security.

REMOTE ACCESS SERVER WITH CENTRALIZED AUTHENTICATION

CENTRALIZED AUTHENTICATION PROTOCOLS

Remote Authentication Dial-In User Service (RADIUS)

Terminal Access Controller Access-Control System (TACACS)

TACACS+

RADIUS

Provides authentication, authorization, and accounting services

Is vendor independent

Provides authentication encryption
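What "authentication encryption" means for RADIUS, as an added example that is not part of the original slides: RFC 2865 hides only the User-Password attribute, by XORing it with an MD5 chain keyed on the shared secret and the per-request Request Authenticator, so its strength rests entirely on the shared secret. The secret, user and password below are constructed values.

```python
import hashlib
import os
import struct

# Constructed values for this demonstration (not from the slides).
SHARED_SECRET = b"constructed-shared-secret"
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret || previous block); the first block uses the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # chaining: the next key depends on this hidden block
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: reverse the XOR chain and strip the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type | Length | Value; Length counts the two header bytes."""
    return bytes([atype, 2 + len(value)]) + value

def build_access_request(ident, user, password, secret):
    """NAS side: Code | Identifier | Length | Request Authenticator | Attributes.
    The authenticator is fresh random per request, so the same password hides differently."""
    authenticator = os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    """Server side: walk the attributes, un-hiding User-Password with the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, fields = packet[4:20], 20, {"code": code, "id": ident}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        fields[atype] = reveal_password(value, secret, authenticator) if atype == ATTR_USER_PASSWORD else value
        pos += alen
    return fields
```

Everything else in the datagram (user name, NAS identifiers) travels in the clear over UDP, which is why RADIUS links are normally confined to a management network or wrapped in IPSec.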

RADIUS AUTHENTICATION PROCESS

TACACS AND TACACS+

Provide centralized access controls

Used by routers and remote access servers

Developed by Cisco Systems, Inc.

DIFFERENCES BETWEEN RADIUS AND TACACS+

RADIUS:

Runs over the User Datagram Protocol (UDP)

Provides combined authentication and authorization

Used mainly by computers

TACACS+:

Runs over the Transmission Control Protocol (TCP)

Provides separate authentication and authorization

Used mainly by network devices such as routers and switches

VPN PROTOCOLS

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IPSec

PPTP

Is a Layer 2 protocol that encapsulates PPP frames in IP datagrams

Uses PAP, CHAP, and MS-CHAP

Requires an IP-based network

Does not support header compression

L2TP

Is an extension of PPP

Encapsulates PPP frames to be sent over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks

Can carry encrypted or compressed PPP frames

Includes no mechanisms for authentication or encryption

Often used with IPSec

L2TP OVER IPSEC (L2TP/IPSEC)

IPSec is used with L2TP to create tunnels.

Client L2TP/IPSec connections are used to access networks.

L2TP/IPSec offers gateway-to-gateway (network-to-network) connections.

L2TP/IPSec supports a wide range of user authentication options.

VPN ISSUES

IPSec provides for multi-vendor interoperability.

Some network address translation (NAT) implementations cannot use IPSec tunnel mode.

PPTP security depends on the strength of the user's password.

SECURING VPN CONNECTIONS

Encrypt authentication and data.

Monitor traffic leaving a VPN connection.

Use strong multi-factor authentication.

Require VPN clients to comply with security policy.

VPN clients should not bypass security for Internet access.

TERMINAL SESSIONS

Provide remote access

Let you control a system using a remote client

Reduce hardware costs

Create inherent security risks

SECURE SHELL PROTOCOL (SSH)

Is a secure, low-level transport protocol

Provides remote control and access

Replaces Telnet, rlogin, and FTP

Has strong security features

WHAT SSH PROTECTS AGAINST

Packet spoofing

IP/host spoofing

Password sniffing

Eavesdropping

WIRELESS COMMUNICATION ISSUES

Wireless connections are becoming popular.

Network data is transmitted using radio waves.

Physical security is no longer sufficient.

Transmissions can be intercepted outside the building where the data originates.

HOW WIRELESS NETWORKING WORKS

Institute of Electrical and Electronics Engineers (IEEE) 802.11 is the standard

OSI Layers 1 and 2

Can use various upper-layer protocols

WIRELESS INFRASTRUCTURE MODE NETWORKING

WIRELESS THREATS

Theft of service

Eavesdropping

Unauthorized access

BASIC DEFENSES AGAINST WIRELESS ATTACKS

Limit the range of radio transmissions.

Conduct a site survey.

Measure the signal strength.

Search for unauthorized access points (APs).

Restrict access by using a service set identifier (SSID) or by limiting access to specific media access control (MAC) addresses.

Separate the wireless segment from the rest of the network.

WIRED EQUIVALENT PRIVACY (WEP)

Provides encryption and access control

Uses the RC4 encryption algorithm

Uses checksums

Supports 64-bit and 128-bit encryption

Supports shared key authentication and open authentication

WEP KEYS

An attacker can discover the WEP key by using a brute-force attack.

All computers use a single shared WEP key.

WEP does not define a secure means to distribute the key.

WEP keys can use manual or automated distribution methods.

ADVANTAGES OF WEP

All messages are encrypted.

Privacy is maintained.

WEP is easy to implement.

WEP provides a basic level of security.

Keys are user definable and unlimited.

DISADVANTAGES OF WEP

A hacker can easily discover the shared key.

You must tell users about key changes.

WEP alone does not provide sufficient wireless local area network (WLAN) security.

WEP must be implemented on every client and AP.

802.1X PROTOCOL

Is a standard for port-based network access control

Requires authentication before access

Uses the Extensible Authentication Protocol over LAN (EAPOL)

Uses standard security protocols

Access is based on identity, not on media access control (MAC) address

Supports extended forms of authentication

WI-FI PROTECTED ACCESS (WPA)

IEEE is developing a new standard, 802.11i.

WPA is an interim standard that:

Uses 802.1x authentication

Uses native key management

Can support WEP simultaneously

WIRELESS APPLICATION PROTOCOL (WAP)

Secures communications in OSI Layers 3–7

Is commonly used for mobile devices

Uses Wireless Transport Layer Security (WTLS)

Is vulnerable to weak algorithms

Is vulnerable to physical control of wireless gateways

USING IPSEC

Is a network-layer protocol

Provides authentication and encryption

Secures communications between any two devices

Secures router-to-router or network-to-network communications

Is an industry standard

IPSEC PRINCIPLES

End-to-end security

Remote-access VPN client and gateway functions

Site-to-site VPN connections

IPSEC ELEMENTS

Encapsulating Security Payload (ESP) and Authentication Header (AH)

Tunnel and transport modes

USES FOR IPSEC

IPSEC PROTECTION

IPSec protects against

Man-in-the-middle attacks

Spoofing

Replay attacks
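How IPSec achieves the replay protection listed above, as an added example that is not part of the original slides: ESP and AH carry a monotonically increasing sequence number, and the receiver keeps the sliding anti-replay window of RFC 4303 Appendix A so that each number is accepted once and stale numbers are dropped. The packet sequence fed to replay_report is constructed.

```python
class AntiReplayWindow:
    """Sliding window over ESP/AH sequence numbers (RFC 4303 Appendix A).

    Each sequence number is accepted at most once, and anything older than
    the window's left edge is dropped, so a captured packet cannot be
    replayed later. Real ESP runs check() before the integrity check and
    update() only after the ICV verifies, so forged packets never advance it.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """True if seq is new and within the window; does not modify state."""
        if seq == 0:                    # ESP never uses sequence number 0
            return False
        if seq > self.top:              # ahead of the window: always new
            return True
        offset = self.top - seq
        if offset >= self.size:         # fell off the left edge: too old
            return False
        return not (self.bitmap >> offset) & 1

    def update(self, seq):
        """Record seq as received (call only after the ICV verified)."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq):
        """Check-then-update for a packet whose integrity already verified."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok

def replay_report(seqs, size=64):
    """Run a constructed sequence of received sequence numbers through one
    window and return (seq, accepted) pairs for inspection."""
    window = AntiReplayWindow(size)
    return [(s, window.accept(s)) for s in seqs]
```

Packets reordered by the network are still accepted as long as they arrive within the window, which is why the window size (64 here, larger on high-speed links) is a tuning knob rather than a fixed value.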

IPSEC SECURITY COMPONENTS

Security association (SA)

Internet Key Exchange (IKE), which authenticates peers using one of:

Kerberos v5

Certificates

Preshared authentication keys

HOW IPSEC SECURES TRAFFIC

IPSEC LIMITATIONS

Computers and devices must support IPSec.

IPSec is limited by the encryption and authentication methods that devices support.

IPSec does not secure broadcast and multicast traffic.

Initialization traffic is not secured.

IPSec increases the load on system processors.

When IPSec is handled by hardware, no software controls apply to it.

SUMMARY

RADIUS and TACACS+ are used for centralized authentication of remote access users.

VPNs are a cost-effective method for users to establish remote connections across the Internet. PPTP and L2TP/IPSec are the most commonly used protocols for VPN connections.

Terminal sessions and SSH are methods for accessing one computer from another computer over a secure network connection.

SUMMARY (CONT.)

Wireless networks present specific security challenges for administrators. WEP is a commonly used protocol for securing wireless connections, but it has many shortcomings that reduce the security that it provides. The 802.1x and WPA protocols provide better security.

IPSec secures network traffic at the IP level by providing authentication and encryption. IPSec is transparent to upper layer protocols and to applications.