part05 communication security


Page 1: Part05 communication security
3/7/2012

IT Faculty – DaLat University
March - 2012
Phan Thi Thanh Nga

Communication Security

Contents
Wireless
Directory Security
Internet Security
Email Security
Remote Access Technology

Remote Access Technology
Virtual Private Network (VPN)
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
Secure Shell (SSH)
Internet Protocol Security (IPSec)

Virtual Private Network (VPN)
A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network.
VPNs can be used to connect two networks across the Internet or to allow distant clients to connect into an office LAN across the Internet.

Virtual Private Network (VPN)
Once a VPN link is established, the network connectivity for the VPN client is exactly the same as a LAN connected by a cable connection.
The only difference between a direct LAN cable connection and a VPN link is speed.

Virtual Private Network (VPN)
VPNs provide four critical functions:
Access control: Restricts users from accessing resources on a network
Authentication: Proves the identity of communication partners
Confidentiality: Prevents unauthorized disclosure of secured data
Data integrity: Prevents unwanted changes of data while in transit

Virtual Private Network (VPN)
VPN links are established using VPN protocols. There are several VPN protocols, but the three you should recognize are:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
Internet Protocol Security (IPSec)
As with any type of remote access connection, VPN clients can be authenticated through RADIUS.

RADIUS
RADIUS is a centralized authentication system.
RADIUS is known as an AAA (authentication, authorization, accounting) server.

TACACS
Terminal Access Controller Access Control System (TACACS) is another example of an AAA server.
TACACS is a centralized remote access authentication solution similar to RADIUS; it uses ports TCP 49 and UDP 49.

Secure Shell (SSH)
Secure Shell (SSH) is a secure replacement for Telnet, rlogin, rsh, and rcp.
SSH transmits both authentication traffic and data in a secured, encrypted form.
SSH operates over TCP port 22.
More details: student's presentation.

Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) is both a stand-alone VPN protocol and a module that can be used with L2TP.
IPSec can be used in dial-up or network-to-network connections.

Internet Protocol Security (IPSec)
Two of the primary protocols of IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP).
AH provides authentication of the sender's data.
ESP provides encryption of the transferred data as well as limited authentication.
IPSec operates at OSI Model layer 3.

Internet Protocol Security (IPSec)
IPSec can operate in two modes: tunnel mode and transport mode.
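Added example, not from the slides: a simplified Python model of what each IPSec protocol's integrity check covers and how the two modes encapsulate a packet. AH's ICV spans the immutable IP header fields and the payload, so a rewritten destination is caught but a hop-by-hop TTL change is not; ESP's ICV spans only its own header and ciphertext, which is why the slide calls its authentication "limited"; tunnel mode hides the original header behind a new outer one. The SA key, the addresses and the HMAC-derived keystream standing in for the negotiated cipher are all constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-sa-key"  # constructed sample; real SA keys come from IKE negotiation

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int  # changes at every hop, so AH leaves it out of its ICV

    def immutable(self):
        return f"{self.src}->{self.dst}".encode()

def ah_packet(hdr, payload, key=KEY):
    """AH: payload stays in clear; ICV covers immutable IP header fields plus payload."""
    icv = hmac.new(key, hdr.immutable() + payload, hashlib.sha256).digest()
    return {"ip": hdr, "icv": icv, "payload": payload}

def ah_verify(pkt, key=KEY):
    icv = hmac.new(key, pkt["ip"].immutable() + pkt["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(icv, pkt["icv"])

def _xor_stream(data, key, seq):
    # Stand-in for the negotiated cipher (AES in real ESP): HMAC keystream keyed by the sequence number
    blocks = (hmac.new(key, seq + bytes([i]), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def esp_packet(hdr, payload, seq, key=KEY, mode="transport", outer=None):
    """ESP: payload encrypted; ICV covers the ESP header (seq) and ciphertext, never the outer IP header.
    Tunnel mode first wraps the whole original packet, header included, behind a new outer header."""
    if mode == "tunnel":
        payload, hdr = hdr.immutable() + b"|" + payload, outer
    seq_b = seq.to_bytes(4, "big")
    ct = _xor_stream(payload, key, seq_b)
    return {"ip": hdr, "seq": seq_b, "ct": ct, "icv": hmac.new(key, seq_b + ct, hashlib.sha256).digest()}

def esp_verify(pkt, key=KEY):
    icv = hmac.new(key, pkt["seq"] + pkt["ct"], hashlib.sha256).digest()
    return hmac.compare_digest(icv, pkt["icv"])

def esp_decrypt(pkt, key=KEY):
    return _xor_stream(pkt["ct"], key, pkt["seq"])

def detects_dst_rewrite(pkt, verify):
    """Would this protocol's check notice a forged destination in the outer IP header?"""
    return not verify({**pkt, "ip": replace(pkt["ip"], dst="203.0.113.9")})
```

In a real deployment the outer-header gap is closed by the SA lookup and policy checks at the receiving gateway, not by the ESP ICV itself.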

Email Security
Internet-based e-mail relies primarily on a single protocol: Simple Mail Transfer Protocol (SMTP).
SMTP has proven itself over the last 20+ years as a reliable e-mail delivery system.
But it has a nearly complete lack of security: SMTP doesn't offer encryption for transmitted messages.

Email Security
Several encryption options have been developed to add security to e-mail used over the Internet: S/MIME and PGP.

S/MIME
S/MIME is an Internet standard for encrypting email.
S/MIME uses RSA (an asymmetric encryption scheme) to encrypt and protect e-mail.

S/MIME
Restriction: all communication partners must have compatible S/MIME products installed and use a common or compatible source for their asymmetric encryption key pairs.
Pretty Good Privacy's (PGP) digital signature feature is much more popular.

PGP
PGP uses RSA or Diffie-Hellman asymmetric cryptography solutions.
Another popular feature of PGP is digital signatures.

Internet Security
SSL/TLS
HTTP/HTTPS
FTP / S/FTP / FTP with SSL (FTPS)

SSL/TLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to encrypt traffic between a web browser and a web server.
SSL and TLS can make web transactions private and secure.
SSL can also be used to provide encrypted sessions for other application layer protocols, such as Telnet, FTP, and e-mail.

SSL/TLS
To establish the secured session, a six-step handshake process must be completed.
SSL uses symmetric keys as the session keys.
The session keys are available in 40-bit and 128-bit strengths.

HTTP/HTTPS
HTTP is the standard foundational protocol used on the Web. It operates over TCP port 80.
HTTP is a plain-text (clear-text) communication protocol; it offers no security or privacy to transactions.
When SSL or TLS is used to secure transactions, this is known as Hypertext Transfer Protocol over SSL (HTTPS).

HTTP/HTTPS
S-HTTP:
Doesn't use SSL
It encrypts individual web page elements rather than the entire web communication session
S-HTTP is less secure than HTTPS

Web vulnerabilities
JavaScript
ActiveX
Buffer overflows
Cookies
Signed applets

Web vulnerabilities
JavaScript
A scripting programming language that can be embedded directly into the HTML of a web page.
It's executed by the web browser and can be used to perform a wide range of functions, both benign and malicious.

Web vulnerabilities
ActiveX
A mobile code technology developed by Microsoft.
ActiveX controls or components are stand-alone programs that can be attached to or embedded in web documents to perform a wide range of functions.
The ActiveX component is saved to the hard drive and can be accessed at a later time: a significant security issue.

Web vulnerabilities
Buffer overflow
Occurs when a program receives input that is larger than it was designed to accept or process.
The result can be a program crash, a system freeze or crash, opening a port, disabling a service, creating a user account, elevating the privileges of an existing user account, accessing a website, or executing a utility.

Web vulnerabilities
Cookies
A tracking mechanism developed for web servers to monitor and respond to a user's serial viewing of multiple web pages.
Cookies are a common means of violating your privacy by gathering information about your identity, logon credentials, surfing habits, work habits, …
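Added example, not from the slides: a small Python audit of Set-Cookie headers that reports how a cookie holding session or logon data would be exposed, to anyone on the path when the response that sets it travels over clear-text HTTP (the point of the HTTP/HTTPS slide) or when the Secure flag is missing, and to page JavaScript when HttpOnly is missing. The sample headers and the name heuristics are constructed for the demo.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as an application might emit them (not captured traffic)
SAMPLE_SET_COOKIES = [
    "sessionid=9f3c2a1d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "logon=alice%40example.test; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "visited=home,pricing,checkout; Path=/",
]

# Name fragments that usually mark identity or logon data (heuristic, constructed for the demo)
SENSITIVE_HINTS = ("session", "logon", "login", "auth", "token", "user")

def audit_set_cookie(header_value, scheme="https"):
    """Return finding codes for one Set-Cookie header.

    scheme is the scheme of the response that set the cookie; a cookie set over
    clear-text HTTP has already been readable on the wire before any flag matters.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        sensitive = any(hint in name.lower() for hint in SENSITIVE_HINTS)
        if scheme != "https":
            findings.append("set-over-clear-text")    # value already observed on the wire
        if not morsel["secure"]:
            findings.append("no-secure")              # browser will also send it over http://
        if not morsel["httponly"]:
            findings.append("no-httponly")            # readable by page JavaScript
        if not morsel["samesite"]:
            findings.append("no-samesite")            # attached to cross-site requests
        if sensitive and morsel["expires"]:
            findings.append("persistent-credential")  # identity data kept on disk past the session
    return findings

def audit_response(set_cookie_headers, scheme="https"):
    """Map cookie name -> findings for every Set-Cookie header of one response."""
    report = {}
    for value in set_cookie_headers:
        for name in SimpleCookie(value):
            report[name] = audit_set_cookie(value, scheme)
    return report
```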

Web vulnerabilities
Signed Applets
A piece of mobile code that has been digitally signed using the creator's or owner's certificate.
A signed applet only proves the applet's identity or source; it provides no guarantee as to the reliability or quality of the applet. That is the problem.

File Transfer Protocols
File Transfer Protocol (FTP) is an in-the-clear file exchange solution.
S/FTP encrypts both authentication and data traffic between the client and server; it employs SSH to provide secure FTP communications.

Directory Security
Lightweight Directory Access Protocol (LDAP)
LDAP is a standardized protocol that enables clients to access resources within a directory service.
A directory service is a network service that provides access to a central database of information.

Directory Security
Clients can interact with directory service resources through LDAP by using authentication that is at least a minimum of a username and password.
LDAP can employ SSL or TLS to provide authentication and data encryption security.
LDAP operates over TCP ports 389 and 636.

Wireless Security
WTLS
802.11
WEP
WAP

Wireless Transport Layer Security (WTLS)
The security layer for the Wireless Application Protocol (WAP).
Provides the security services of privacy, integrity, and authentication for WAP-supporting networks.
Based on TLS.

802.11 and 802.11x
802.11 is the IEEE standard for wireless network communications.
Various versions of the standard have been implemented in wireless networking hardware, including 802.11a, 802.11b, and 802.11g.
802.11x is often used to collectively refer to all of these specific implementations as a group.

WEP
Wired Equivalent Privacy (WEP) is defined by the IEEE 802.11 standard.
Provides protection from packet sniffing and eavesdropping against wireless transmissions.
It can be configured to prevent unauthorized access to the wireless network.
WEP uses a predefined shared secret key.
The shared key is static and shared among all wireless access points and device interfaces.
A hash value is used to verify that received packets weren't modified or corrupted while in transit.

WAP
Wireless Application Protocol (WAP) is often deployed to support wireless handheld devices like PDAs and cell phones.
WAP employs WTLS for security.
