part05 communication security
3/7/2012
IT Faculty – DaLat University
March - 2012
Communication Security
Contents
Wireless
Directory Security
Internet Security
Email Security
Remote Access Technology
2
Remote Access Technology
Virtual Private Network (VPN)
Remote Authentication Dial-In User
Service (RADIUS)
Terminal Access Controller Access
Control System (TACACS)
Secure Shell (SSH)
Internet Protocol Security (IPSec)
3 Phan Thi Thanh Nga
Virtual Private Network (VPN)
A virtual private network (VPN) is a
communication tunnel between two
entities across an intermediary network
VPNs can be used to connect two
networks across the Internet or to allow
distant clients to connect into an office
LAN across the Internet
[Two diagram-only slides: Virtual Private Network (VPN)]
Virtual Private Network (VPN)
Once a VPN link is established, the network
connectivity for the VPN client is exactly the
same as a LAN connected by a cable connection.
The only difference between a direct LAN
cable connection and a VPN link is speed.
Virtual Private Network (VPN)
VPNs provide four critical functions
Access control: Restricts users from
accessing resources on a network
Authentication: Proves the identity of
communication partners
Confidentiality: Prevents unauthorized
disclosure of secured data
Data integrity: Prevents unwanted changes
of data while in transit
Virtual Private Network (VPN)
VPN links are established using VPN
protocols. There are several VPN
protocols, but the three you should
recognize are:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
Internet Protocol Security (IPSec)
As with any type of remote access
connection, VPN clients can be
authenticated through RADIUS.
RADIUS
RADIUS is a centralized authentication
system
RADIUS is known as an AAA server
TACACS
Terminal Access Controller Access
Control System (TACACS) is another
example of an AAA server
TACACS is a centralized remote access
authentication solution similar to RADIUS;
it uses ports TCP 49 and UDP 49
[Diagram-only slide: TACACS]
Secure Shell (SSH)
Secure Shell (SSH) is a secure
replacement for Telnet, rlogin, rsh, and
rcp
SSH transmits both authentication traffic
and data in a secured encrypted form
SSH operates over TCP port 22
More details: student’s presentation
Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) is both
a stand-alone VPN protocol and a module
that can be used with L2TP.
IPSec can be used in dial-up or
network-to-network connections.
Internet Protocol Security (IPSec)
Two of the primary protocols of IPSec are
Authentication Header (AH) and
Encapsulating Security Payload (ESP).
AH provides authentication of the sender's
data.
ESP provides encryption of the transferred
data as well as limited authentication.
IPSec operates at OSI Model layer 3.
Internet Protocol Security (IPSec)
IPSec can operate in two modes: tunnel
mode and transport mode.
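The AH/ESP split and the two modes above, as an added Python example (not code from the slides or from any IPSec implementation). It models the packet layouts with labelled byte strings, uses a truncated HMAC as the integrity check value (ICV), and uses a toy HMAC-keystream XOR as a stand-in for ESP's real cipher. The keys, header strings and sample packet are all constructed for the illustration; what the example shows is which bytes each protocol and mode actually covers.

```python
import hashlib
import hmac
import struct

# Constructed keys for this illustration only; a real IPSec security association
# negotiates its keys (e.g. via IKE) and uses a standard cipher such as AES.
AUTH_KEY = b"constructed-integrity-key"
ENC_KEY = b"constructed-confidentiality-key"
ICV_LEN = 12  # truncated ICV, in the style of HMAC-SHA-96 authenticators


def toy_stream_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stand-in for ESP's real cipher: XOR with an HMAC-derived keystream.
    It only illustrates which bytes get hidden; it is not a secure cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def icv(data: bytes) -> bytes:
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(ip_header: bytes, payload: bytes) -> bytes:
    """AH: the ICV covers the IP header *and* the payload; nothing is encrypted.
    (Real AH zeroes mutable IP fields such as TTL before computing the ICV.)"""
    return ip_header + b"AH" + icv(ip_header + payload) + payload


def ah_verify(packet: bytes, header_len: int):
    """Return the payload if the AH ICV matches, else None."""
    ip_header = packet[:header_len]
    marker = packet[header_len:header_len + 2]
    got = packet[header_len + 2:header_len + 2 + ICV_LEN]
    payload = packet[header_len + 2 + ICV_LEN:]
    if marker != b"AH" or not hmac.compare_digest(got, icv(ip_header + payload)):
        return None
    return payload


def esp_protect(outer_header: bytes, inner: bytes, iv: bytes = bytes(8)) -> bytes:
    """ESP: the inner data is encrypted; the ICV covers the ESP header and the
    ciphertext but not the outer IP header (this is the 'limited authentication')."""
    ciphertext = toy_stream_cipher(ENC_KEY, iv, inner)
    esp_header = b"ESP" + iv
    return outer_header + esp_header + ciphertext + icv(esp_header + ciphertext)


def esp_verify(packet: bytes, header_len: int):
    """Return the decrypted inner data if the ESP ICV matches, else None."""
    esp = packet[header_len:]
    esp_header, ciphertext, got = esp[:11], esp[11:-ICV_LEN], esp[-ICV_LEN:]
    if esp_header[:3] != b"ESP" or not hmac.compare_digest(got, icv(esp_header + ciphertext)):
        return None
    return toy_stream_cipher(ENC_KEY, esp_header[3:], ciphertext)


def esp_transport(ip_header: bytes, payload: bytes) -> bytes:
    """Transport mode: the original IP header stays outside; only the payload is protected."""
    return esp_protect(ip_header, payload)


def esp_tunnel(gateway_header: bytes, ip_header: bytes, payload: bytes) -> bytes:
    """Tunnel mode: the whole original packet (header + payload) becomes the protected
    inner data and a new gateway-to-gateway IP header is placed on the outside."""
    return esp_protect(gateway_header, ip_header + payload)


if __name__ == "__main__":
    # Constructed sample packet
    ip = b"IP[10.0.0.5->10.0.0.9]"
    data = b"GET /secret HTTP/1.0"
    gw = b"IP[203.0.113.1->198.51.100.1]"
    print("AH leaves payload readable :", data in ah_protect(ip, data))
    print("ESP hides payload          :", data not in esp_transport(ip, data))
    print("tunnel hides inner IP hdr  :", ip not in esp_tunnel(gw, ip, data))
```

Note the asymmetry the verify functions expose: altering the outer IP header of an AH packet fails verification, while altering the outer header of an ESP packet does not, because ESP's ICV starts at the ESP header. Tunnel mode closes that gap for the original addresses by moving the whole original packet inside the protected region.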
Email Security
Internet-based e-mail relies primarily on a
single protocol: Simple Mail Transfer
Protocol (SMTP).
SMTP has proven itself over the last 20+
years as a reliable e-mail delivery system,
but it has a nearly complete lack of security:
SMTP doesn't offer encryption for
transmitted messages.
Email Security
Several encryption options have been
developed to add security to e-mail used
over the Internet: S/MIME and PGP.
S/MIME
S/MIME is an Internet standard for
encrypting email.
S/MIME uses RSA (an asymmetric
encryption scheme) to encrypt and protect
S/MIME
Restriction: all communication partners
must have compatible S/MIME products
installed and use a common or compatible
source for their asymmetric encryption key
pairs.
Pretty Good Privacy’s (PGP) digital
signature feature is much more popular.
PGP
PGP uses RSA or Diffie-Hellman
asymmetric cryptography solutions
Another popular feature of PGP is digital
signatures
Internet Security
SSL/TLS
HTTP/HTTPS
FTP / S/FTP / FTP with SSL (FTPS)
SSL/TLS
Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) are used
to encrypt traffic between a web browser
and a web server
SSL and TLS can make web transactions
private and secure
SSL can also be used to provide
encrypted sessions for other application
layer protocols, such as Telnet, FTP, and
SSL/TLS
To establish the secured session a six-step
handshake process must be completed.
SSL uses symmetric keys as the session keys.
The session keys are available in 40-bit
and 128-bit strengths.
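The 40-bit and 128-bit session keys named above belong to the export-cipher era; the check a practitioner makes today is that a TLS endpoint refuses old protocol versions and weak suites. An added Python example using the standard ssl module (not code from the slides): it builds hardened client and server contexts and audits the suites a context would still offer against a minimum symmetric key strength. The certfile/keyfile arguments are placeholders the caller supplies; the cipher records handled by weak_ciphers() follow the shape returned by SSLContext.get_ciphers().

```python
import ssl


def weak_ciphers(cipher_infos, min_bits=128):
    """Names of cipher suites whose symmetric key strength is below min_bits.
    cipher_infos has the shape returned by ssl.SSLContext.get_ciphers():
    a list of dicts carrying at least 'name' and 'strength_bits'."""
    return [c["name"] for c in cipher_infos if c.get("strength_bits", 0) < min_bits]


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL 3.0, TLS 1.0 and TLS 1.1 and keeps
    certificate verification and hostname checking switched on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server context: TLS 1.2 or newer, and only suites with strong session keys.
    certfile/keyfile are placeholder paths the caller must provide."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # drop anonymous, null, MD5, RC4, 3DES and export-grade (40/56-bit) suites
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT")
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext, min_bits=128):
    """Return the weak suites a context would still offer (empty list = OK)."""
    return weak_ciphers(ctx.get_ciphers(), min_bits)


def accepts_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("weak suites offered:", audit_context(ctx))
    print("accepts legacy TLS :", accepts_legacy_tls(ctx))
```

audit_context() is the reusable part: run it against any context your application builds (including one loaded from a third-party library) before deploying, and treat a non-empty result as a configuration defect.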
HTTP/HTTPS
HTTP is the standard foundational
protocol used on the Web. It operates over
TCP port 80.
HTTP is a plain-text (clear-text)
communication protocol; it offers no
security or privacy to transactions.
When SSL or TLS is used to secure
transactions, this is known as Hypertext
Transfer Protocol over SSL (HTTPS).
HTTP/HTTPS
S-HTTP:
Doesn’t use SSL
It encrypts individual web page elements
rather than the entire web communication
session
S-HTTP is less secure than HTTPS
Web vulnerabilities
JavaScript
ActiveX
Buffer overflows
Cookies
Signed applets
Web vulnerabilities
JavaScript
A scripting programming language that can be
embedded directly into the HTML of a web
page
It’s executed by the web browser and can be
used to perform a wide range of functions,
both benign and malicious
Web vulnerabilities
ActiveX
A mobile code technology developed by
Microsoft
ActiveX controls or components are stand-
alone programs that can be attached to or
embedded in web documents to perform a
wide range of functions
The ActiveX component is saved to the hard
drive and can be accessed at a later time,
which is a significant security issue.
Web vulnerabilities
Buffer overflow
Occurs when a program receives input that is
larger than it was designed to accept or
process.
The result can be a program crash, a
system freeze or crash, opening a port,
disabling a service, creating a user account,
elevating the privileges of an existing user
account, accessing a website, or executing a
utility.
Web vulnerabilities
Cookies
A tracking mechanism developed for web
servers to monitor and respond to a user’s
serial viewing of multiple web pages
Cookies are a common means of violating
your privacy by gathering information about
your identity, logon credentials, surfing habits,
work habits, …
Web vulnerabilities
Signed Applets
A piece of mobile code that has been digitally
signed using the creator’s or owner’s
certificate
A signed applet only proves the applet's
identity or source; it provides no guarantee as
to the reliability or quality of the applet,
which is the problem.
File Transfer Protocols
File Transfer Protocol (FTP) is an in-the-clear
file exchange solution.
S/FTP encrypts both authentication and
data traffic between the client and server;
it employs SSH to provide secure FTP
communications.
Directory Security
Lightweight Directory Access Protocol
(LDAP)
LDAP is a standardized protocol that
enables clients to access resources within
a directory service.
A directory service is a network service
that provides access to a central database
of information.
Directory Security
Clients can interact with directory service
resources through LDAP using
authentication of at least a username and
password.
LDAP can employ SSL or TLS to provide
authentication and data encryption
security.
LDAP operates over TCP ports 389 and
636.
[Diagram-only slide: Directory Security]
Wireless Security
WTLS
802.11
WEP
WAP
Wireless Transport Layer Security (WTLS)
The security layer for the Wireless
Application Protocol (WAP)
Provides the security services of privacy,
integrity, and authentication for WAP-
supporting networks
Based on TLS
[Diagram-only slide: Wireless Transport Layer Security (WTLS)]
802.11 and 802.11x
802.11 is the IEEE standard for wireless
network communications
Various versions of the standard have
been implemented in wireless networking
hardware, including 802.11a, 802.11b, and
802.11g
802.11x is often used to collectively refer
to all of these specific implementations as
a group
WEP
Wired Equivalent Privacy (WEP) is defined by
the IEEE 802.11 standard
Provides protection against packet sniffing and
eavesdropping on wireless transmissions.
It can be configured to prevent unauthorized
access to the wireless network
WEP uses a predefined shared secret key
The shared key is static and shared among all wireless
access points and device interfaces
A hash value is used to verify that received packets
weren’t modified or corrupted while in transit
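The "hash value" in the last bullet is, in WEP, an unkeyed CRC-32 integrity check value, and that is the weakness: a checksum that needs no secret can be recomputed by whoever alters the frame, whereas a keyed MAC (the approach WPA and WPA2 took with their MIC) cannot be recomputed without the key. An added Python example (not code from the slides) that puts the two schemes side by side on one constructed frame; the shared key and frame contents are constructed for the illustration.

```python
import hashlib
import hmac
import zlib

# Constructed key; in WEP one static key like this is shared by every access point and client.
SHARED_KEY = b"constructed-static-shared-key"


def unkeyed_icv(frame: bytes) -> bytes:
    """WEP-style integrity check value: a CRC-32 over the frame. It catches
    accidental corruption, but it needs no secret, so anyone can recompute it."""
    return zlib.crc32(frame).to_bytes(4, "little")


def keyed_icv(key: bytes, frame: bytes) -> bytes:
    """Keyed message authentication code (HMAC-SHA-256 truncated to 8 bytes):
    producing a matching value requires the key."""
    return hmac.new(key, frame, hashlib.sha256).digest()[:8]


def unkeyed_check(frame: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(unkeyed_icv(frame), icv)


def keyed_check(key: bytes, frame: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(keyed_icv(key, frame), icv)


def modify_and_recompute_crc(frame: bytes) -> tuple:
    """Model a deliberate in-transit change made by a party holding no key:
    alter the frame, then recompute the unkeyed CRC so it matches the new
    content. Returns (changed frame, recomputed CRC)."""
    changed = frame.replace(b"ALLOW", b"DENY ")
    return changed, unkeyed_icv(changed)


def compare_schemes(frame: bytes) -> dict:
    """Run both integrity schemes over the same change and report which one
    still accepts the altered frame. The keyed scheme only has the MAC that was
    computed over the original frame, because the key was never available."""
    original_mac = keyed_icv(SHARED_KEY, frame)
    changed, new_crc = modify_and_recompute_crc(frame)
    return {
        "changed_frame": changed,
        "crc_accepts_change": unkeyed_check(changed, new_crc),
        "hmac_accepts_change": keyed_check(SHARED_KEY, changed, original_mac),
    }


if __name__ == "__main__":
    # Constructed frame payload
    report = compare_schemes(b"POLICY:ALLOW user=alice")
    for field, value in report.items():
        print(f"{field:20} {value!r}")
```

The report shows the CRC accepting the altered frame and the HMAC rejecting it. The lesson carries beyond WEP: any integrity check that a receiver accepts must depend on a secret the sender holds, otherwise "weren't modified" only means "weren't corrupted by accident".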
WAP
Wireless Application Protocol (WAP) is
often deployed to support wireless
handheld devices like PDAs and cell
phones
WAP employs WTLS for security
References
James Michael Stewart, Security+ Fast Pass,
Sybex, 2004