1 / 38

CIS 534 Advanced Network Security Chapter # 2

Abraham Torres. CIS 534 Advanced Network Security Chapter # 2. Prof. Mort Anvari. Strayer University. Secure Technology Classes. A wide range of security technologies exists to provide solutions for

brock-meyer
Download Presentation

CIS 534 Advanced Network Security Chapter # 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Abraham Torres CIS 534 Advanced Network SecurityChapter # 2 Prof. Mort Anvari Strayer University

  2. Secure Technology Classes A wide range of security technologies exists to provide solutions for security network access and data transport mechanisms within the corporate network infrastructure. Identity technologies Security in TCP/IP structure layers Virtual Private dial-up security technologies (VPM) Public Key Infrastructure and distribution models

  3. Identity Technologies Authentication is an extremely critical element because everything is based on who you are. In many corporate networks, you would not grant access to specific parts of the network before established who is trying to gain access to restricted resources How foolproof the authentication method is depends on the technology used

  4. Identity Product Technology • Secure Password Protocol (S/Key) • Token Password Authentication Schemes • Point-to-Point Protocol (PPP). • The TACACS+ Protocol. • The RADIUS Protocol. • The Kerberos Protocol

  5. Secure Key Password Protocol The S/Key One-Time Password System, released by Bellcore and define in RFC 1760, is a one time password generation scheme based on MD4 and MD5. The S/key protocol is designed to counter a replay attack when a user is attempting to log in to a system. Involves three distinct steps Preparation step: The client enters a secret pass phrase. This pass phrase is concatenated with the seed that was transmitted from the server in cleartext. Generation step: Applies the secure hash function multiple times, producing a 64-bit final output Output Function: Takes the 64-bit one-time password and displays it in readable form.

  6. Token Password Authentication Token authentication systems generally require the use of a special smart card or token card. Although some implementations are dome using software to alleviate the problem of loosing the smart card or token this types of authentication mechanisms are based on one or two alternatives schemes: • Challenge-Response • Time-Synchronous Authentication

  7. Step for Authentication Step1: The user dials into an authentication server, which then issues a prompt for a user id. Step2: The user provides the ID to the server, which then issues a challenge a random number that appears on the user’s screen. Step3: The user enters that challenge number into the token or smart card, a credit-card-like device, which then encrypts the challenge with the user’s encryption key and displays a response. Step4: The user types this response and sends it to the Authentication server. While the user is obtaining a response from the token, the Authentication server calculates what the appropriate response should be based on its database of user keys. Step5: When the server receives the user’s response, it compares that response with the one it has calculated

  8. Client User Authentication Server Dial into server Prompt for access code 8HAD589 7968D95 User enters PIN Compare 8HAD589 Token card displays digits Time-Synchronous Token Authentication 8HAD589

  9. Point-to-Point Protocol The Point-to-Point Protocol (PPP) is most often used to establish a dial connection over serial lines or ISDN. PPP authentication mechanism include the Password Authentication Protocol (PAP), The Challenge Handshake Protocol (CHAP), and the Extensible Authentication Protocol (EAP). In all these cases, the peer device is being authenticated rather than the user of the device. PPP provides for an optional authentication phase before proceeding to the network-layer protocol phase Point-to-Point Frame Format FLAG Address Control Protocol Data FCS Flag

  10. PPP Authentication Summary Strength Weakness Protocol PAPEasy to implement CHAPPassword encrypted EAPFlexible, more robust authentication support Does not have strong authentication; password is sent in the clear between client and server; no playback protection Password must be between client and stored in cleartext on server; both client And server playback protection New; may not yet be widely deployed

  11. TACACS + Protocol The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP-based access control protocol originally developed by BBN for the MILNET. Cisco has enhanced (extended) TACACS several times, and Cisco’s implementation, based on the original TACACS, is referred to as XTACACS Fundamental Differences • TACACS: Combined authentication and authorization process. • XTACACS: Separated authentication, authorization, and accounting. • TACAS+: XTACAS with extended attributed control and accounting

  12. RADIUS Protocol The Remote Address Dial-In User Service protocol was developed by Livingston Enterprises, Inc. as an access server authentication and accounting protocol. In June 19966, the RADIUS protocol specifications was submitted to the IETF. The RADIUS specification (RFC2058) and RADIUS accounting standard (RFC 2059) are now proposed standard protocols RADIUS Authentication: Server can support a variety of methods to authenticated a user, can support PPP, PAP,CHAP, UNIX and other authentication mechanisms RADIUS Authorization: The authentication and authorization functionalities are coupled together, typical parameters include service type (shell or frame), protocol type, IP address to assign the user (static or dynamic), access list to apply, or the static route in the NAS

  13. RADIUS Accounting: Allows data to be sent at the start and end of sessions, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session.RADIUS Transactions: Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecured network RADIUS Protocol No encryption RADIUS Client RADIUS Server Modem Encryption of Applicable TACACS+/RADIUS parameters

  14. The Kerberos Protocol Kerberos is a secret-key network authentication protocol, develop a Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) Cryptographic algorithm for encryption and authentication. The Kerberos Version 5 protocol is an Internet standard specified by RFC 1510 Shared key between KDC and client Server Client Shared Key between KDC and server KDC Key client Key server When the client wants to create an association with a particular application server, the client uses the authentication request and response to first obtain a ticket and a session key from the KDC.

  15. The FORTEZZA Multilevel Information Systems Security Initiative (MISSI) is a network Security initiative, under the leadership of the National Security Agency (NSA). MISSI provides a framework for the development and evolution of interoperable security products to provide flexible, modular security for the networked information systems across the Defense Information Infrastructure (DII) and the National Information Infrastructure (MII). Netscape has a build-in browser that links SSl. MISSI Building Blocks • FORTEZZA and FORTEZZA Plus. • Firewalls • Guards. • Inline encryptors. • Trusted computing

  16. Mayor Types of FORTEZA • Electronic Messaging: Can secure e-mail, electronic data interchange (EDI), electronic commerce, and facsimile to provide message encryption, authentication, and data integrity. • World Wide Web: Can protect secure Web transactions using strong identification and authentication and secure-sockets-layer (SSL) interactions. • File and Media Encryptors: These encryptors are applications written to enable FORTEZZA to secure user files on strong media. • Identification and Authentication: After the FORTEZZA card has been installed in the workstation and the PIN has been correctly entered, the identity of the user is known and trusted.

  17. Security in TCP/IP Layers TELNET FTP SMTP DNS SNMP DHCP Application Presentation Session RIP Transport RTP RTCP User Datagram Protocol Transmission Control Protocol OSPF IGMP ICMP Network Internet Protocol ARP Data link Physical Ethernet FDDI Token Bus Token Ring

  18. TCP/IP Application Layer Provides access to network for end-user. User’s capabilities are determined by what items are available on this layer Logic needed to support various applications each type of application (file transfer, remote access) requires different software on this layer. FTP: Protocol for copying files between hosts HTTP: Primary protocol used to implement the WWW. Telnet: Remote terminal protocol enabling any terminal to log in to any host NNTP: Protocol used to transmit and received network news. SMTP: Protocol used for managing network resources, e-mail SHTTP: Protocol designed for the used of secure Web Transactions

  19. Transport Layer Concerned with reliable transfer of information between applications. Independent of the nature of the application. Includes aspects like flow control and error checking. Isolates messages from lower and upper layers. Breaks down message size. Monitors quality of communications channel. Selects most efficient communication service necessary for a given Transmission. Also called host-to-host layer. Uses TCP protocols for transmission.

  20. Secure Socket Layer Protocol The Secure Socket Layer (SSL) is an open protocol designed by Netscape; it specifies a mechanism for providing data security layered between Application protocols (such as HTTP, Telnet, NNTP, or FTP) and TCP/IP. It provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Goals of SSL The Handshake Protocol: This protocol negotiates the cryptographic parameters to be used between the client and the server. The Record Protocol: This protocol is used to exchange Application layer data, messages are fragmented into manageable blocks, optional compressed, and a MAC is applied; the result is encrypted and transmitted. The Alert Protocol: This protocol is used to indicate when errors have occurred or when a session between two hosts is being terminated

  21. The Secure Shell Protocol The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. It provides support for secure remote login, secure file transfer, and the secure forwarding of TCP/IP and X Windows system traffic. SSH three major components • The Transport layer protocol, which provides server authentication, confidentiality, and integrity with perfect forward secrecy. Optionally, it may also provide compression • The user authentication protocol, which authenticates the client to the server. • The connection protocol, which multiplexes the encrypted tunnel into several logical channels.

  22. The SOCKS Protocol Is a transport layer-based secured networking proxy protocol. It is designed to provide a framework for client/server applications in both the TCP and UDP domains to conveniently and securely use the services of a network Firewall. SOCKS was originally developed by David and Michelle Koblas; the code was made freely available on the Internet. SOCKS version 4; provides for unsecured firewall traversal for TCP-based client/server applications including Telnet, FTP, and the popular information discovery protocols such as HTTP, WAIS, and Gopher. SOCKS Version 5; defined in RFC 1928, extends the SOCKS version 4 model to include UDP, extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain-name and IPv6 addresses

  23. Network Layer Security Network Layer security pertains to security services at the IP layer of the TCP/IP protocol stack. Many years of work have produce a set of standards from the IETF that, collectively, define how to secure services at the IP Network layer IP Security • have considered some application specific security mechanisms • - eg. S/MIME, PGP, Kerberos, SSL/HTTPS • however there are security concerns that cut across protocol layers • would like security implemented by the network for all applications

  24. IPSec • general IP Security mechanisms • provides • authentication • confidentiality • key management • applicable to use over LANs, across public & private WANs, & for the Internet Benefits of IPSec • in a firewall/router provides strong security to all traffic crossing the perimeter. • is resistant to bypass • is below transport layer, hence transparent to applications • can be transparent to end users • can provide security for individual users if desired

  25. IP Security Architecture • Specification is quite complex. • Defined in numerous Request For Common Architectures (RFC) • RFC 2401: The IP Security Architecture. • RFC 2402: The IP Authentication Header (AH). • RFC 2406: The IP Encapsulation Security Payload (ESP. • RFC 2408: The Internet Security and Key Management Protocol (ISAKMP). • Many others, grouped by category • Mandatory in IPv6, optional in IPv4

  26. IPSec Uses

  27. IPSec Services • Access control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • a form of partial sequence integrity • Confidentiality (encryption) • Limited traffic flow confidentiality

  28. Virtual Private Dial-up Security Technologies Enable large enterprises to extend their private networks across dial-up lines. Instead of incurring large costs to ensure security by dialing into a campus site from any where in the world or lessening security by dialing in locally and using the Internet as the transport to get to the main enterprise campus. Dial-Up Protocols Layers The Layer 2 Forwarding (L2F) Protocol Created by Cisco Systems. It permits the tunneling of the link layer- that is, High-Level Data Link Control (HDLC), a sync HDLC, or Serial Line Internet Protocol (SLIP) frames –of higher-level protocols

  29. Dial-Up Protocols The Point-to-Point Tunneling Protocol Was initiated by Microsoft. It is a client/server architecture that allows the Point-to-Point Protocols (PPP) to be tunneled through an IP network and decouples functions that exist in current NASs. The Layer 2 Tunneling Protocol (L2TP) Cisco and Microsoft, along with other vendors, have collaborated on a single standard: a track protocol within the IETF, which is now called Layer 2 Tunneling Protocol (L2TP).

  30. Public Key Infrastructure The purpose of a Public Key Infrastructure (PKI) is to provide trusted and efficient key and certificate management to support these protocols. A PKI is defined by the Internet X.509 Public Key Infrastructure PKIX Roadmap “work in progress”. A PKI consists of the following five types of components: The set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke certificates based on public-key cryptography

  31. PKI Components • Certification Authorities (CAs) that issue and revoke certificates. • Organizational Registration Authorities (ORAs) that vouch for the binding between public keys, certificate holder identities, and other attributes. • Certificate holders that are issued certificates and that can sign digital documents. • Clients that validated digital signatures and their certification paths from a known public key of a trusted CA. • Repositories that store and make available certificates and Certificate Revocation Lists (CRLs) MIST Special Publication 800-15, Minimum Interoperability Specification for PKI Components, Version 1, September 1997, by William Burr, Donna Dodson, Noel Nazario, and W. Timothy Polk.

  32. Functions of a PKI • Registration • Initialization. • Certification. • Key Pair Recovery. • Key Generation. • Key Update. • Cross-Certification. • Revocation.

  33. A Sample Scenario Using a PKI

  34. Certificates Certificates are used in the process of validating data. Specifies vary according to which algorithm is used, but the general process works as follows: • The recipient of signed data verifies that the claimed identity of the user is in accordance with the identity contained in the certificate. • The recipient validates that no certificate in the path has been revoked, and that all certificates were within their validity periods at the time the data was signed. • The recipient verifies that the data does not claim to have any attributes for which the certificate indicates that the signer is not authorized. • The recipient verifies that the data has not been altered since it was signed by using the public key in the certificate

  35. The X.509 Certificate The X.509 standard constitutes a widely accepted basis for a PKI infrastructure, defining data formats and procedures related to the distribution of the public keys using certificates digitally signed by CAs. RFC 1422 specified the basis of an X.509-based PKI, Targeted primarily at satisfying the needs of Internet privacy enhanced mail (PEM). The current standards define the X.509 Version 3 certificate and Version 2 CRL.

  36. Version Number Serial Number Issuer Subject Subject’s Public Key (Algorithm, Key) Validity Period (not before, not after) Optional Extensions Signature Algorithm Signature The X.509 V3 Certificate Every Certificate contains three main fields Certificate Body

  37. The X.509 V2 CRL X.509 V2 defines one method of certificate revocation. This method requires each CA to periodically issue a signed data structure called a Certificate Revocation List (CRL). A CRL is a time stamped list that identifies revoked certificates. Each revoked certificate is identified in a CRL by its certificate serial number. The lightweight Directory Access Protocol Is used for accessing online directory services. LDAP was developed by the University of Michigan in 1995 to make it easier to access. LDAP is specially targeted at management applications and browser applications that provide read/write interactive access to directories. LDAP is intended to be a complement to the X.500 DAP. The LDAP V2 protocol is defined in RFC 1777

  38. Summary This chapter detailed many of the current and evolving technologies relating to security. One of the most important security considerations is establishing the identity of the entity that wants to access the corporate network. This process usually entails authenticating the entity and subsequently authorizing that entity and establishing access controls. Some protocols are specifically designed to only authenticate end-users (people) or end-devices (hosts, routers). Frequently, you have to combine the two protocols so that both end-users and the end-devices they are using to access the network are authenticated. In addition to establishing identity, you must ensure data integrity and confidentiality; that is, you must protect the data traversing the corporate network. Many technologies exist to provide security services for various TCP/IP layers. Although Application layer security protocols provide the most flexibility for application-specific parameters, using a different security protocol for every application is not practical. Transport security protocols such as SSL and SSH are widely deployed. SSL is bundled into many Web servers and clients and has become a de facto standard in securing Web transactions; SSH is most often used for securing Telnet or FTP transactions. IPsec is becoming widely deployed and can offer security services for the Transport and Application layer traffic on a per-packet basis. IPsec should be able to secure Telnet, FTP, and Web traffic but may be harder to scale until client support is more readily available on many platforms.

More Related