Chapter 8 Security Protocols
Types of Attacks • Altering data • Eavesdropping • IP address spoofing • Password pilfering • Denial of service • Virus • See Table 8-1
IPSec • IP version 4 (IPv4) has no native security mechanism, so IPSec was created to add one. • IPSec is an extension to IPv4, and the same mechanisms were built into IPv6 as part of the protocol.
IPSec • Based on cryptography, Internet Protocol Security (IPSec) provides confidentiality, integrity, and authentication for IP traffic. • IPSec is used for peer-to-peer and client-server communications across a private or public network; secure LAN-to-LAN communications across a WAN; and remote access transmissions via either dialup or virtual private network (VPN). • IPSec functions at the Network layer, so it protects any upper-layer protocol without changes to the applications.
IPSec • An IPSec session is initiated when the IP layer receives data from the upper layers that the security policy says must be protected. The two hosts first negotiate a security association (SA), which fixes the algorithms and the shared keys, using the Internet Key Exchange (IKE) protocol; the sending host then encrypts the data. • This ensures that the packets are unreadable while en route to their destination, where they are decrypted using the shared key. The SA also carries an integrity key, so a packet that is modified in transit is detected and dropped.
IPSec • The Encapsulating Security Payload (ESP) protocol of IPSec supports two modes: transport and tunnel. • Transport mode encrypts only the payload of the packet; the original IP header is left in the clear, so an observer still sees the real source and destination addresses. • Tunnel mode encrypts the entire original packet, header and data, and places it inside a new IP packet whose header carries the addresses of the tunnel endpoints (typically two gateways). • IPSec is used with L2TP to create a tunnel: L2TP builds the tunnel and IPSec supplies the authentication and encryption for it.
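The difference between the two modes is easiest to see on the wire. The following Python is an added example, not code from the chapter: it builds ESP packets with NULL encryption (RFC 2410) so that the layout stays readable, protects them with HMAC-SHA-256-128 (RFC 4868) and applies the ESP anti-replay window. The inner packet, the addresses (10.0.1.5, 10.0.2.9 and the tunnel endpoints 203.0.113.1, 198.51.100.1), the SPI and the key are all constructed for the demo; a real SA would get AES-GCM or AES-CBC keys from IKE.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50        # IP protocol number for ESP
IPIP_PROTO = 4        # Next Header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16          # HMAC-SHA-256-128: the 32-byte tag is truncated to 16 bytes (RFC 4868)
DEMO_KEY = hashlib.sha256(b"constructed demo key, never use a fixed key").digest()


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def addresses(packet: bytes):
    """(src, dst) read from an IPv4 header; for an ESP packet this is what an observer sees."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))


class EspSa:
    """One direction of an ESP security association: NULL encryption so the layout is
    visible, HMAC-SHA-256-128 integrity, and the RFC 4303 anti-replay window."""

    def __init__(self, spi, key, mode, outer_src=None, outer_dst=None, window=64):
        assert mode in ("transport", "tunnel")
        self.spi, self.key, self.mode, self.outer = spi, key, mode, (outer_src, outer_dst)
        self.seq = 0                                               # sender: last sequence number
        self.window, self.highest, self.seen = window, 0, set()    # receiver: replay state

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, packet: bytes) -> bytes:
        """Sender side: wrap an IPv4 packet in ESP and return what goes on the wire."""
        if self.mode == "transport":
            payload, next_hdr = packet[20:], packet[9]   # only the payload is protected
            src, dst = addresses(packet)                  # original header stays in the clear
        else:
            payload, next_hdr = packet, IPIP_PROTO        # the whole original packet is protected
            src, dst = self.outer                         # new outer header: the tunnel endpoints
        self.seq += 1
        pad_len = (-(len(payload) + 2)) % 4               # align the ESP trailer to 4 bytes
        body = (struct.pack("!II", self.spi, self.seq) + payload
                + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
        esp = body + self._icv(body)
        return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

    def unprotect(self, wire: bytes) -> bytes:
        """Receiver side: check integrity and replay, then recover the original packet."""
        outer, esp = wire[:20], wire[20:]
        if outer[9] != ESP_PROTO:
            raise ValueError("not an ESP packet")
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        if not hmac.compare_digest(icv, self._icv(body)):   # verified before anything is parsed
            raise ValueError("ICV mismatch: modified in transit or wrong key")
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq in self.seen or seq <= self.highest - self.window:
            raise ValueError(f"replayed or stale sequence number {seq}")
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window} | {seq}
        pad_len, next_hdr = body[-2], body[-1]
        payload = body[8:len(body) - 2 - pad_len]
        if self.mode == "tunnel":
            return payload                                # the inner packet, header included
        src, dst = addresses(outer)
        return ipv4_header(src, dst, next_hdr, len(payload)) + payload


def round_trip(mode: str):
    """Protect a constructed packet, deliver it, then replay it and tamper with it.
    Returns (wire_packet, recovered_ok, replay_rejected, tamper_rejected)."""
    inner = ipv4_header("10.0.1.5", "10.0.2.9", 6, 12) + b"hello, tcp!!"   # constructed payload
    outer = {"outer_src": "203.0.113.1", "outer_dst": "198.51.100.1"} if mode == "tunnel" else {}
    tx, rx = EspSa(0x1001, DEMO_KEY, mode, **outer), EspSa(0x1001, DEMO_KEY, mode, **outer)
    wire = tx.protect(inner)
    recovered_ok = rx.unprotect(wire) == inner

    def rejected(pkt):
        try:
            rx.unprotect(pkt)
            return False
        except ValueError:
            return True

    tampered = wire[:28] + bytes([wire[28] ^ 0x01]) + wire[29:]   # flip one bit of the payload
    return wire, recovered_ok, rejected(wire), rejected(tampered)
```

Running `round_trip("transport")` and `round_trip("tunnel")` on the same inner packet shows the point of the slide: the transport-mode packet still carries 10.0.1.5 and 10.0.2.9 in its outer header, while the tunnel-mode packet shows only the gateway addresses and carries the complete original packet, header included, inside the ESP payload. In both modes a replayed copy and a one-bit modification are rejected by the receiver before the payload is used.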
VPN Protocols • Virtual private networking is a system of creating a private network connection that travels through a public network. • Even though the VPN exists within a public network, the connection is intended to be as safe as a private network. • Reduces costs!
L2TP • L2TP is a VPN protocol used along with IPSec to ensure confidentiality of the data transmission. • L2TP grew out of the combination of two prior protocols—Point-to-Point Tunneling Protocol (PPTP) courtesy of Microsoft and Cisco’s Layer 2 Forwarding (L2F) protocol. • L2TP borrows many of the qualities of PPTP, especially in that it extends the Point-to-Point Protocol (PPP) used for remote access.
Why Use L2TP Instead of PPTP? • The main reason an administrator would choose L2TP over PPTP is that an L2TP client is included in Windows 2000 and later operating systems. • PPTP is associated mainly with Microsoft products, while L2TP was developed as an open standard (RFC 2661) that is natively supported by Cisco routers and Windows 2000 servers. • L2TP by itself provides no encryption; it is usually implemented along with IPSec (L2TP/IPSec), and that combination offers a much higher level of security than PPTP. PPTP's MS-CHAP authentication and MPPE encryption are considered broken today and should not be relied on for new deployments. • Because L2TP carries PPP frames, it can tunnel protocols other than TCP/IP as well, such as IPX/SPX and Systems Network Architecture (SNA), which is used by mainframe computers.
Secure Sockets Layer (SSL) • SSL is the abbreviation for Secure Sockets Layer, but users will likely be more familiar with its manifestation as the https:// that precedes the URL of a secure Web site. Its standardized successor is Transport Layer Security (TLS); the SSL versions themselves are obsolete and should be disabled. • SSL uses public-key cryptography to let the client verify the server's certificate and to establish a session key; the data itself is then encrypted with a symmetric cipher under that session key. • It is commonly used to provide privacy for sensitive information such as credit card numbers.
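Most of the protection SSL/TLS offers is lost if the client skips certificate and hostname verification or still accepts the old protocol versions. The following Python is an added example, not code from the chapter: it builds a client context with those checks enforced, builds the weak context that "make the error go away" code usually produces, and audits either one. Everything it uses is the standard `ssl` module; the host name in `open_https` is whatever the caller passes, and that function needs network access so it is not exercised offline.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context configured the way a browser treats https://: the server's certificate
    chain must validate against the CA store, its name must match the host we asked for,
    and SSL 3.0 / TLS 1.0 / TLS 1.1 are refused."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' code produces: no chain validation,
    no hostname check, and any protocol version the peer offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """List the weaknesses in a client context; an empty list means it is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL 3.0 / TLS 1.0 / TLS 1.1 can still be negotiated")
    return findings


def open_https(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect with verification enforced (needs network; not exercised offline)."""
    sock = socket.create_connection((host, port), timeout=10)
    # server_hostname is what the certificate's name is checked against.
    return hardened_client_context().wrap_socket(sock, server_hostname=host)
```

`audit_client_context(hardened_client_context())` returns an empty list, while the legacy context produces all three findings. The same three questions (is the chain verified, is the name checked, is the minimum version at least TLS 1.2) are worth asking of any HTTPS client library, not only Python's.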
Kerberos • When an entity attempts to access a Kerberos-protected resource and proves its identity to the Kerberos server, Kerberos issues it a ticket. • The password itself never crosses the network: the client proves it knows the password by decrypting (or, with pre-authentication, by encrypting a timestamp with) a key derived from it. • The ticket is a time-limited credential containing the information required to identify the entity to the network, encrypted so that only the target service can read it.
Kerberos • The entity uses this initial ticket (the ticket-granting ticket) to request further tickets for each service it accesses on the network. • Each exchange can include mutual authentication, so the client also verifies that the service is genuine, and all of this is completely transparent to the user.
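The three exchanges described above (initial authentication, ticket request, service access) are short enough to simulate end to end. The following Python is an added example, not code from the chapter or from any Kerberos implementation: it plays a KDC, a client and a service in one process, with a toy authenticated cipher built from HMAC-SHA-256 standing in for Kerberos' AES encryption types (do not reuse it in production). The realm EXAMPLE.COM, the principals, their passwords and the ticket lifetimes are all constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password; Kerberos' string-to-key uses PBKDF2 the same way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: HMAC keystream XOR plus an HMAC tag over nonce+ciphertext."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: knows every principal's long-term key and issues tickets."""

    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}

    def add_principal(self, name: str, password: str):
        self.keys[name] = derive_key(password, self.realm + name)

    def _ticket(self, service: str, client: str):
        sk = os.urandom(16)      # fresh session key, shared with the client and the service only
        return seal(self.keys[service], {"client": client, "key": sk.hex(), "exp": time.time() + 600}), sk

    def as_exchange(self, client: str, preauth: bytes):
        """AS-REQ -> AS-REP. preauth is a timestamp sealed under the client's key: it proves
        the client knows the password without the password ever being sent."""
        ts = unseal(self.keys[client], preauth)["ts"]      # PermissionError on a wrong password
        if abs(time.time() - ts) > 300:
            raise PermissionError("clock skew too large")
        tgt, sk = self._ticket("krbtgt", client)
        return tgt, seal(self.keys[client], {"key": sk.hex(), "service": "krbtgt"})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ -> TGS-REP: a valid TGT plus a fresh authenticator buys a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if t["exp"] < time.time() or a["client"] != t["client"]:
            raise PermissionError("TGT expired or authenticator mismatch")
        ticket, sk = self._ticket(service, t["client"])
        return ticket, seal(bytes.fromhex(t["key"]), {"key": sk.hex(), "service": service})


class Service:
    def __init__(self, name, password, realm):
        self.name, self.key = name, derive_key(password, realm + name)

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """AP-REQ -> AP-REP: open the ticket with our own key, check the authenticator, and
        echo the client's timestamp under the session key to prove we hold the real key."""
        t = unseal(self.key, ticket)
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)
        if t["exp"] < time.time() or a["client"] != t["client"]:
            raise PermissionError("ticket expired or authenticator mismatch")
        return seal(sk, {"ts": a["ts"]})


class Client:
    def __init__(self, name, password, kdc):
        self.name, self.kdc = name, kdc
        self.key = derive_key(password, kdc.realm + name)   # derived locally, never transmitted

    def login(self):
        tgt, enc = self.kdc.as_exchange(self.name, seal(self.key, {"ts": time.time()}))
        self.tgt, self.tgt_key = tgt, bytes.fromhex(unseal(self.key, enc)["key"])

    def access(self, service: Service) -> bool:
        auth = seal(self.tgt_key, {"client": self.name, "ts": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service.name)
        sk = bytes.fromhex(unseal(self.tgt_key, enc)["key"])
        ts = time.time()
        reply = service.ap_exchange(ticket, seal(sk, {"client": self.name, "ts": ts}))
        if unseal(sk, reply)["ts"] != ts:       # mutual authentication: service proved its key
            raise PermissionError("service failed mutual authentication")
        return True


def demo() -> dict:
    """Constructed realm with one user and one file server; returns each scenario's outcome."""
    kdc = KDC("EXAMPLE.COM")
    for principal, pw in (("krbtgt", "kdc-master-secret"), ("alice", "correct horse"),
                          ("host/fileserver", "service-secret")):
        kdc.add_principal(principal, pw)
    fileserver = Service("host/fileserver", "service-secret", kdc.realm)
    impostor = Service("host/fileserver", "guessed-wrong", kdc.realm)   # cannot open real tickets
    alice = Client("alice", "correct horse", kdc)
    alice.login()
    results = {"alice_access": alice.access(fileserver)}
    for label, action in (("wrong_password_rejected", lambda: Client("alice", "nope", kdc).login()),
                          ("fake_service_rejected", lambda: alice.access(impostor))):
        try:
            action()
            results[label] = False
        except PermissionError:
            results[label] = True
    return results
```

Nothing that travels between the three parties contains the password: the AS exchange sends a sealed timestamp, and a wrong password makes the KDC's tag check fail. The TGT and the service ticket are opaque to the client because they are sealed under the krbtgt and service keys, which is why a host that does not hold the service key (the impostor) cannot complete the AP exchange.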
Kerberos Trust Relationships • Kerberos enables trusts to be established between two different UNIX realms, between two Windows 2000 domains, or even between a UNIX realm and a Windows 2000 domain; the two realms share an inter-realm key. • Trust relationships are established so that credentials issued in one realm can be used to obtain tickets for resources in trusted domains or realms.
Kerberos Trust Relationships • Within a Windows 2000 forest, Kerberos trust relationships are transitive and bidirectional. • Transitive means that if domain A trusts domain B, and domain B trusts domain C, domain A is understood to trust domain C. • Bidirectional means that when domain A trusts domain B, domain B automatically trusts domain A. • Explicitly created trusts to domains outside the forest are one-way and non-transitive, which limits how far the compromise of a partner domain can reach.
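Whether a user in one realm can reach a service in another is a path question over the trust relationships, and the transitive and directional flags decide which paths count. The following Python is an added example, not code from the chapter: it models trusts as directed edges (trusting realm to trusted realm) with a transitive flag and finds the chain of realms a client's cross-realm tickets would have to pass through. The forest (EXAMPLE.COM with EU and US children) and the external partner domain PARTNER.NET are constructed for the demo.

```python
from collections import deque


class TrustGraph:
    """Trust relationships between Kerberos realms or Windows domains.

    An edge 'trusting -> trusted' means the trusting realm accepts credentials issued by
    the trusted realm (in Kerberos terms, the two share an inter-realm key). Each edge
    records whether trust flows through it to further realms (transitive) or not.
    """

    def __init__(self):
        self.edges = {}   # trusting realm -> {trusted realm: transitive?}

    def add_trust(self, trusting, trusted, transitive=True, bidirectional=True):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if bidirectional:
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def referral_path(self, user_realm, service_realm):
        """Realms a client's cross-realm tickets pass through, from its home realm to the
        service's realm, or None if the service realm will not accept its credentials."""
        if user_realm == service_realm:
            return [user_realm]
        if user_realm in self.edges.get(service_realm, {}):     # direct trust, any kind
            return [user_realm, service_realm]
        # Anything longer is a chain, and every link in a chain must be transitive.
        prev, queue = {service_realm: None}, deque([service_realm])
        while queue:
            realm = queue.popleft()
            for nxt, transitive in self.edges.get(realm, {}).items():
                if not transitive or nxt in prev:
                    continue
                prev[nxt] = realm
                if nxt == user_realm:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path
                queue.append(nxt)
        return None


def forest_example() -> TrustGraph:
    """Constructed forest: a root domain, two child domains, one external partner domain."""
    g = TrustGraph()
    g.add_trust("EXAMPLE.COM", "EU.EXAMPLE.COM")            # parent/child: two-way, transitive
    g.add_trust("EXAMPLE.COM", "US.EXAMPLE.COM")
    g.add_trust("US.EXAMPLE.COM", "PARTNER.NET",            # external: one-way, non-transitive
                transitive=False, bidirectional=False)
    return g
```

With this forest, a user in EU.EXAMPLE.COM reaches a service in US.EXAMPLE.COM through the root domain, a PARTNER.NET user reaches US.EXAMPLE.COM directly, but the same partner user gets no path to EU.EXAMPLE.COM (the external trust is non-transitive) and a US.EXAMPLE.COM user gets no path into PARTNER.NET (the trust is one-way). That last pair is the property to check when a partner domain is less trusted than your own.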
Smart Cards • Smart cards can provide interactive logon, secure e-mail, and authentication to network services. • When a user needs to access a resource, the user inserts the smart card into a reader attached to the workstation and enters a PIN; the card holds the user's private key and certificate and performs the signature itself, so the private key never leaves the card. • Smart cards require a Public Key Infrastructure (PKI), the system that issues and distributes certificates and keys.
Firewalls • Typically a router with two interfaces: one leading to the public network and the other to the private network. • One of the methods a firewall uses to secure the network is packet filtering. • This is the process of receiving data packets on one interface and examining them to see which rules they match. • A packet that matches a rule is either permitted or blocked, depending on the rule's action; rules are normally evaluated in order, the first match wins, and a packet that matches no rule is dropped (implicit deny).
Firewalls • Firewalls provide packet filtering based on the permit and deny statements found in access control lists. • Traffic can be filtered on its source or destination address, its protocol, and its source or destination ports.
Demilitarized Zones • A demilitarized zone (DMZ) is a network segment attached to a firewall that is considered neither part of the Internet nor part of the private network. • In one configuration the DMZ sits between two firewalls: an outer one facing the Internet and an inner one protecting the private network.
Demilitarized Zones • A DMZ can also be built with a single firewall that has three interfaces: one that connects to the Internet, a second that connects to the DMZ, and a third that connects to the private network. • In this configuration the separation is driven solely by access control lists, in which access to the DMZ is relaxed compared to access to the private network.
Demilitarized Zones • One reason to create a DMZ is to provide public access to certain servers, such as a Web server or e-mail server, while still protecting the rest of the network from that traffic; if a DMZ server is compromised, the rules should still prevent it from initiating connections into the private network.
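The packet-filtering and DMZ slides above describe one mechanism, an ordered access control list, so one example covers both. The following Python is an added example, not code from the chapter: it implements first-match evaluation with an implicit deny, then applies an ACL for a three-interface firewall (Internet, DMZ 192.0.2.0/24, private 10.0.0.0/8) to the flows a DMZ design is supposed to allow or block. The addresses, the rules and the sample packets are constructed for the demo, and the filter is stateless, so return traffic would need its own rules or connection tracking.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "any"             # CIDR, single address, or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dst == "any" or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(acl, p: Packet):
    """First matching rule wins; a packet that matches nothing is dropped (implicit deny).
    Returns (action, index of the deciding rule, or -1 for the implicit deny)."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


# Constructed three-interface layout: Internet / DMZ 192.0.2.0/24 / private 10.0.0.0/8
DMZ, LAN = "192.0.2.0/24", "10.0.0.0/8"
WEB, MAIL, DB = "192.0.2.10", "192.0.2.25", "10.0.0.20"

ACL = [
    Rule("permit", dst=WEB, proto="tcp", dport=80),     # anyone -> DMZ web server
    Rule("permit", dst=WEB, proto="tcp", dport=443),
    Rule("permit", dst=MAIL, proto="tcp", dport=25),    # anyone -> DMZ mail server
    Rule("deny", src=DMZ, dst=LAN),                     # DMZ may never initiate into the LAN
    Rule("permit", src=LAN),                            # LAN may go anywhere (DMZ or Internet)
]

# The same rules with a "let DMZ servers fetch updates" permit added ahead of the deny.
MISORDERED_ACL = ACL[:3] + [Rule("permit", src=DMZ)] + ACL[3:]


def policy_check(acl) -> dict:
    """Outcome of the traffic flows a DMZ design is supposed to allow or block."""
    flows = {
        "internet_to_web_80": Packet("198.51.100.7", WEB, "tcp", 80),
        "internet_to_web_22": Packet("198.51.100.7", WEB, "tcp", 22),
        "internet_to_lan_445": Packet("198.51.100.7", "10.0.0.5", "tcp", 445),
        "lan_to_web_443": Packet("10.0.0.5", WEB, "tcp", 443),
        "compromised_web_to_db": Packet(WEB, DB, "tcp", 3306),
    }
    return {name: evaluate(acl, pkt)[0] for name, pkt in flows.items()}
```

`policy_check(ACL)` permits the two flows the DMZ exists for and denies the rest, including a compromised Web server reaching the database on the private network. `policy_check(MISORDERED_ACL)` shows the classic mistake: a broad permit placed above the deny silently opens that DMZ-to-LAN path, because the first match wins.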
Proxy Servers • The traditional firewall acts at the Network layer, filtering packets from one interface to the other. • This type of firewall makes all permit/deny decisions on the source or destination addresses and ports found in the IP and transport headers (filtering by domain name means resolving the name to addresses first; the name itself is not in the packet header). • For a more sophisticated and secure method of blocking and permitting traffic, you need a proxy server, sometimes called an application gateway or a dual-homed gateway.
Proxy Servers • A proxy server doesn't forward packets between networks at all. • Instead it terminates the client's connection, examines the request up to the application layer, and builds a fresh request of its own on the other network. • Because each piece of data is so thoroughly examined, the proxy server is able to log traffic and perform audits.
Proxy Servers • Proxy servers are often preferred over packet-filtering firewalls because no packet passes directly from one network to the other. • Because the proxy understands the application-layer protocol, it can implement security specific to that protocol, for example allowing only certain HTTP methods or hosts and rejecting malformed requests. • The trade-off is that a separate proxy is needed for each protocol, and the extra parsing adds processing overhead.
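What "examines each request up to the application layer and builds a new one" means in practice is clearest for HTTP. The following Python is an added example, not code from the chapter: it parses a client's raw HTTP request, applies HTTP-specific policy (method and host allow lists, hop-by-hop and proxy credential headers stripped, ambiguous message lengths refused so a request-smuggling attempt cannot reach the origin), logs the decision, and emits a freshly built request. The allowed hosts, the `Via` token and the sample requests are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                        # constructed policy
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "proxy-connection",
              "te", "trailer", "transfer-encoding", "upgrade"}
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")              # RFC 7230 header-name token


class PolicyError(Exception):
    pass


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into its parts, rejecting anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise PolicyError("no end of headers")
    lines = head.decode("ascii").split("\r\n")      # non-ASCII header bytes raise ValueError
    method, target, version = lines[0].split(" ")   # ValueError unless exactly three parts
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.fullmatch(name):
            raise PolicyError(f"malformed header line {line!r}")
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers, body


def proxy_request(raw: bytes, log: list) -> bytes:
    """Parse the client's request, apply HTTP-specific policy, and build a brand-new request
    for the origin server. None of the client's bytes are forwarded verbatim."""
    method, target, version, headers, body = parse_request(raw)
    names = [n for n, _ in headers]
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise PolicyError(f"unsupported version {version}")
    if method not in ALLOWED_METHODS:
        raise PolicyError(f"method {method} not allowed")
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise PolicyError("proxy requests must use an absolute http:// URL")
    if url.hostname not in ALLOWED_HOSTS:
        raise PolicyError(f"host {url.hostname} not allowed")
    if "transfer-encoding" in names or names.count("content-length") > 1:
        raise PolicyError("ambiguous message length (request smuggling guard)")
    length = int(dict(headers).get("content-length", "0"))
    if len(body) != length:
        raise PolicyError("body length does not match Content-Length")
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    out = [f"{method} {path} HTTP/1.1", f"Host: {url.netloc}"]
    for name, value in headers:
        if name not in HOP_BY_HOP and name != "host":
            out.append(f"{name.title()}: {value}")
    out += ["Via: 1.1 app-proxy", "Connection: close", "", ""]
    log.append(f"FORWARD {method} http://{url.netloc}{path} body={length}")
    return "\r\n".join(out).encode() + body


def handle(raw: bytes, log: list):
    """Return ("forward", rebuilt request) or ("reject", reason); every outcome is logged."""
    try:
        return "forward", proxy_request(raw, log)
    except (PolicyError, ValueError) as exc:     # UnicodeDecodeError is a ValueError
        log.append(f"REJECT {exc}")
        return "reject", str(exc)
```

A plain `GET` for an allowed host comes out as a new request with the `Proxy-Authorization` header removed and a `Via` header added, while `CONNECT`, a request for a host outside the allow list, and a request carrying both `Content-Length` and `Transfer-Encoding` are all rejected and logged. None of those decisions is possible for a packet filter, which never sees the method, the host name or the headers as such.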