Chapter 7: SECURING COMMUNICATIONS

CHAPTER OBJECTIVES
• Explain how to secure remote connections.
• Describe how to secure wireless communications.
• Describe how to use Internet Protocol Security (IPSec) to secure network communications.

SECURING REMOTE ACCESS
• More workers are telecommuting now.
• Remote users have various types of communication connections.
• Remote connections have special security requirements.

CHOOSING REMOTE CONNECTION METHODS
• Modems support user dial-in connections.
• A remote connection grants Internet access to network users via remote access services.
• Internet connectivity supports virtual private network (VPN) links.
• Connection media are often insecure.

DIAL-UP VS. VPN

DIAL-UP CONNECTIONS
• Modems establish the network link.
• The remote access server
  • Hosts modem banks
  • Authenticates remote users
  • Acts as a router or proxy

DIAL-UP CONNECTIONS (CONT.)

DIAL-UP PROTOCOLS
• Point-to-Point Protocol (PPP)
• Serial Line Internet Protocol (SLIP)

CONNECTION-LEVEL SECURITY
• Callback Control Protocol (CBCP)
  • Predefined
  • User-defined
• Caller ID
• Automatic number identification (ANI)

ADVANTAGES OF DIAL-UP
• Limited access for attackers
• Low likelihood of eavesdropping

DISADVANTAGES OF DIAL-UP
• Cost
• Low productivity
• War dialing

VPNs
• VPNs are an alternative to dial-up networks.
• VPNs use the Internet as a connection medium.
• A VPN connection is a tunnel.
• VPN tunnels typically encrypt data.

VPN CONNECTIONS

ADVANTAGES OF VPN
• Low costs
• High productivity
• Fewer external connection points

DISADVANTAGES OF VPN
• Risk of attacks
• Risk of eavesdropping
• High exposure to attackers

REMOTE CONNECTION REQUIREMENTS
• Remote communications between two computers require using the same protocol.
• Both computers should use secured protocols and applications.
• The server should require user authentication.

REMOTE CONNECTION REQUIREMENTS (CONT.)

COMMON AUTHENTICATION PROTOCOLS
• Password Authentication Protocol (PAP)
• Shiva Password Authentication Protocol (SPAP)
• Challenge Handshake Authentication Protocol (CHAP)

COMMON AUTHENTICATION PROTOCOLS (CONT.)
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
• Extensible Authentication Protocol (EAP)

CENTRALIZED AUTHENTICATION
• Centralized authentication provides a single authentication control.
• Remote access servers forward authentication requests.
• Centralized authentication increases security.

REMOTE ACCESS SERVER WITH CENTRALIZED AUTHENTICATION

CENTRALIZED AUTHENTICATION PROTOCOLS
• Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access-Control System (TACACS)
• TACACS+

RADIUS
• Provides authentication, authorization, and accounting services
• Is vendor independent
• Provides authentication encryption

RADIUS AUTHENTICATION PROCESS

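As an added example (not part of the slides), this is what the "authentication encryption" of RADIUS consists of in RFC 2865: the User-Password attribute is hidden by XORing it, block by block, with MD5 of the shared secret and the Request Authenticator, and every reply carries a Response Authenticator that the remote access server must verify before trusting an Access-Accept. The shared secret, authenticator and attribute values used in the test are constructed.

```python
import hashlib
import secrets
import struct


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side of RFC 2865 s.5.2: pad the password with NULs to a 16-octet
    multiple, then XOR each block with MD5(secret || previous block); the
    'previous block' for the first round is the 16-octet Request Authenticator."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-octet authenticator and a 1..128-octet password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the chaining and strip the NUL padding (so a RADIUS
    password cannot end in NUL octets). A wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += xor_bytes(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_reply(code: int, ident: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Server side: Code | Identifier | Length | Response Authenticator | attributes,
    with Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: honour an Access-Accept/Reject only if its Response Authenticator
    binds it to our Request Authenticator and the shared secret, which is what
    stops a forged Access-Accept from another host being accepted."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return secrets.compare_digest(reply[4:20], expected)
```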
TACACS AND TACACS+
• Provide centralized access controls
• Used by routers and remote access servers
• Developed by Cisco Systems, Inc.

DIFFERENCES BETWEEN RADIUS AND TACACS+
• RADIUS
  • Runs over the User Datagram Protocol (UDP)
  • Provides combined authentication and authorization
  • Used mainly by computers
• TACACS+
  • Runs over the Transmission Control Protocol (TCP)
  • Provides separate authentication and authorization
  • Used mainly by network devices such as routers and switches

VPN PROTOCOLS
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IPSec

PPTP
• Is a Layer 2 protocol that encapsulates PPP frames in IP datagrams
• Uses PAP, CHAP, and MS-CHAP
• Requires an IP-based network
• Does not support header compression

L2TP
• Is an extension of PPP
• Encapsulates PPP frames to be sent over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks
• Can carry encrypted or compressed frames
• Includes no mechanisms of its own for authentication or encryption
• Often used with IPSec

L2TP OVER IPSEC (L2TP/IPSEC)
• IPSec is used with L2TP to create tunnels.
• Client L2TP/IPSec connections are used to access networks.
• L2TP/IPSec offers gateway-to-gateway (network-to-network) connections.
• L2TP/IPSec supports a wide range of user authentication options.

VPN ISSUES
• IPSec provides for multi-vendor interoperability.
• Some network address translation (NAT) implementations cannot use IPSec tunnel mode.
• PPTP security depends on using a password.

SECURING VPN CONNECTIONS
• Encrypt authentication and data.
• Monitor traffic leaving a VPN connection.
• Use strong multi-factor authentication.
• Require VPN clients to comply with security policy.
• VPN clients should not bypass security for Internet access.

TERMINAL SESSIONS
• Provide remote access
• Let you control a system using a remote client
• Reduce hardware costs
• Create inherent security risks

SECURE SHELL PROTOCOL (SSH)
• Is a secure, low-level transport protocol
• Provides remote control and access
• Replaces Telnet, rlogin, and FTP
• Has strong security features

WHAT SSH PROTECTS AGAINST
• Packet spoofing
• IP/host spoofing
• Password sniffing
• Eavesdropping

WIRELESS COMMUNICATION ISSUES
• Wireless connections are becoming popular.
• Network data is transmitted using radio waves.
• Physical security is no longer sufficient.
• Transmissions can be intercepted outside the building where the data originates.

HOW WIRELESS NETWORKING WORKS
• Institute of Electrical and Electronics Engineers (IEEE) 802.11 is the standard.
• Covers OSI Layers 1 and 2
• Can use various upper-layer protocols

WIRELESS INFRASTRUCTURE MODE NETWORKING

WIRELESS THREATS
• Theft of service
• Eavesdropping
• Unauthorized access

BASIC DEFENSES AGAINST WIRELESS ATTACKS
• Limit the range of radio transmissions.
• Conduct a site survey.
• Measure the signal strength.
• Search for unauthorized access points (APs).
• Restrict access by using a service set identifier (SSID) or by limiting access to specific media access control (MAC) addresses.
• Separate the wireless segment from the rest of the network.

WIRED EQUIVALENT PRIVACY (WEP)
• Provides encryption and access control
• Uses the RC4 encryption algorithm
• Uses checksums
• Supports 64-bit and 128-bit encryption
• Supports shared key authentication and open authentication

WEP KEYS
• An attacker can discover the WEP key by using a brute-force attack.
• All computers use a single shared WEP key.
• WEP does not define a secure means to distribute the key.
• WEP keys can use manual or automated distribution methods.

ADVANTAGES OF WEP
• All messages are encrypted.
• Privacy is maintained.
• WEP is easy to implement.
• WEP provides a basic level of security.
• Keys are user definable and unlimited.

DISADVANTAGES OF WEP
• A hacker can easily discover the shared key.
• You must tell users about key changes.
• WEP alone does not provide sufficient wireless local area network (WLAN) security.
• WEP must be implemented on every client and AP.

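As an added illustration (not part of the slides) of the RC4, checksum and single-shared-key points above, the code below builds and checks WEP-style frame bodies and shows why a static key behind a 24-bit IV is insufficient: two frames sent under the same IV share a keystream, and the CRC-32 integrity check value is a checksum rather than an authentication code. Keys, IVs and payloads are constructed.

```python
import math
import struct
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n keystream octets."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-octet IV in clear, key-index octet, then RC4(IV || key)
    over plaintext || ICV, where the ICV is a plain CRC-32 (a checksum, not a MAC)."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):  # 40- or 104-bit key
        raise ValueError("IV must be 3 octets; shared key 5 or 13 octets")
    icv = struct.pack("<I", zlib.crc32(plaintext))
    keystream = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + b"\x00" + xor_bytes(plaintext + icv, keystream)


def wep_decrypt(frame: bytes, shared_key: bytes) -> tuple:
    """Receiver rebuilds the same RC4 key from the clear IV; returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[4:]
    data = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, icv == struct.pack("<I", zlib.crc32(plaintext))


def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """The static-key risk: frames with the same IV share a keystream, so XORing
    their bodies cancels it and leaves plaintext_a XOR plaintext_b to an eavesdropper."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, no keystream reuse")
    return xor_bytes(frame_a[4:], frame_b[4:])


def frames_until_iv_repeat() -> int:
    """Birthday bound on the 24-bit IV space: a random IV repeats after roughly
    sqrt(pi/2 * 2**24), about 5,000 frames, regardless of key length."""
    return int(math.sqrt(math.pi / 2 * 2 ** 24))
```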
802.1X PROTOCOL
• Is a standard for port-based network access control
• Requires authentication before access
• Uses the Extensible Authentication Protocol over LAN (EAPOL)
• Uses standard security protocols
• Bases access on identity, not on media access control (MAC) address
• Supports extended forms of authentication

WI-FI PROTECTED ACCESS (WPA)
• IEEE is developing a new standard, 802.11i.
• WPA is an interim standard that
  • Uses 802.1X authentication
  • Uses native key management
  • Can support WEP simultaneously

WIRELESS APPLICATION PROTOCOL (WAP)
• Secures communications in OSI Layers 3–7
• Is commonly used for mobile devices
• Uses Wireless Transport Layer Security (WTLS)
• Is vulnerable to weak algorithms
• Is vulnerable to physical control of wireless gateways

USING IPSEC
• Is a network-layer protocol
• Provides authentication and encryption
• Secures communications between any two devices
• Secures routers or network-to-network communications
• Is an industry standard

IPSEC PRINCIPLES
• End-to-end security
• Remote-access VPN client and gateway functions
• Site-to-site VPN connections

IPSEC ELEMENTS
• Encapsulating Security Payload (ESP) and Authentication Header (AH)
• Tunnel and transport modes