Lesson 11 - Remote Access
Background • Remote access enables users outside a network to have network access and privileges as if they were inside the network. • Users connect remotely by dialing in, by connecting over the Internet, or by connecting through a wireless link. • Connectivity depends upon security, hardware and software. • Microsoft Windows has the Remote Access Service (RAS) for dial-up modems. • Vendors and UNIX systems have implemented a variety of other remote access methods. • Connecting by remote access involves two elements: • A temporary network connection. • A series of protocols to negotiate privileges and commands.
AAA and CIA • The three steps used to establish proper privileges for remote access are authentication, authorization, and accounting (AAA). • Authentication matches user-supplied credentials to stored credentials, usually an account name and a password. • Authorization grants users permission to use resources. • Accounting collects billing and other detail records. It traces activities and establishes responsibility for actions. • CIA of Remote Access • Availability is used specifically to mean access for authorized users. • The authorization process keeps unauthorized users out. • Encryption keeps communication confidential.
Authentication and Authorization • Authentication binds a specific identity to a specific computer connection. • Technological advances are establishing a new category of factor, what users do (dynamic biometrics such as a voice print), used on its own or in combination with what users know and what they have. • Authorization permits or denies access to specific resources. • It determines whether a user has permission for a particular object or resource. • Any system or resource, hardware (router, workstation) or a software component (database system), can use its own authorization method once authentication has been resolved for it.
Telnet and SSH • Telnet is the standard TCP/IP terminal-emulation protocol, defined in RFC 854; it allows users to log on remotely and access resources. • Telnet sends account names and passwords in plain text over TCP port 23, so anyone on the path can capture them. • Secure Shell (SSH) replaces Telnet and provides direct support for secure remote login, secure file transfer, and secure forwarding of TCP/IP and X Window System traffic. • SSH opens a secure transport between machines: the client connects to an SSH daemon on the server listening on TCP port 22. • SSH supports strong encryption, cryptographic authentication of the server host (the transport layer authenticates hosts; users are authenticated separately in the next layer), integrity protection, and a choice of encryption algorithms. • Integrity protection comes from a MAC on every packet, computed from a shared secret (the MAC key), the contents of the unencrypted packet, and the packet sequence number, so a modified, reordered or replayed packet fails verification. • SSH is built from three protocols: the transport layer protocol, the user authentication protocol and the connection protocol (RFC 4253, RFC 4252 and RFC 4254).
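The per-packet MAC described above, as an added example that is not part of the original slides: it builds an SSH binary packet with the padding rules of RFC 4253 section 6 and computes the MAC over sequence_number || unencrypted_packet with hmac-sha2-256. The key and the channel-data payload are constructed stand-ins; a real session derives the integrity key from the key exchange. The checks at the end show why the sequence number is included: the same bytes presented under a different sequence number fail, as does a single flipped bit.

```python
import hashlib
import hmac
import os
import struct

# Example MAC construction from RFC 4253 section 6.4 using hmac-sha2-256 (RFC 6668).
# The key below is a constructed stand-in for the integrity key a real SSH session
# derives from the key exchange; the payload is a constructed channel-data message.
BLOCK_SIZE = 16  # AES block size: length fields + payload + padding must be a multiple of it


def build_packet(payload: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Return the SSH binary packet: packet_length || padding_length || payload || random padding."""
    # 4 (packet_length) + 1 (padding_length) + payload + padding must be a multiple of
    # block_size, and there must be at least 4 bytes of padding (RFC 4253 section 6).
    padding_len = block_size - ((5 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    padding = os.urandom(padding_len)
    packet_length = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_length, padding_len) + payload + padding


def compute_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """mac = MAC(key, sequence_number || unencrypted_packet); the sequence number is a uint32."""
    return hmac.new(key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()


def verify_mac(key: bytes, seq: int, packet: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the received tag against the recomputed one."""
    return hmac.compare_digest(compute_mac(key, seq, packet), tag)


def demo() -> dict:
    key = hashlib.sha256(b"constructed integrity key").digest()
    # Constructed SSH_MSG_CHANNEL_DATA-like payload: message number 94, channel 0, data.
    payload = b"\x5e" + struct.pack(">I", 0) + b"user@example.com"
    packet = build_packet(payload)
    tag = compute_mac(key, 7, packet)
    tampered = bytearray(packet)
    tampered[10] ^= 0x01  # flip one bit inside the data portion of the payload
    return {
        "aligned": len(packet) % BLOCK_SIZE == 0 and packet[4] >= 4,
        "valid": verify_mac(key, 7, packet, tag),
        "replayed": verify_mac(key, 8, packet, tag),       # same bytes, wrong sequence number
        "tampered": verify_mac(key, 7, bytes(tampered), tag),
    }


if __name__ == "__main__":
    print(demo())
```

The sequence number never appears on the wire; both sides count packets independently, which is what lets the receiver reject a captured packet that is injected later in the stream.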
Tunnels • Tunnels are a method of packaging packets so they can traverse an intermediate network; on their own they provide encapsulation, and only when combined with encryption do they carry traffic in a secure, confidential manner. • Encapsulates packets within packets (wraps packets of information within IP packets), enabling dissimilar protocols to coexist. • Data packets deliver the payload. • Control packets establish and maintain the connection.
PPTP Communication • Microsoft extended PPP to enable the creation of VPNs over TCP/IP, so PPTP is built upon well-known TCP/IP standards. • The connection is made in stages using three computers: • The client makes a PPP connection to a NAS (network access server). • A second PPP session runs to the PPTP server, which creates the VPN tunnel and enables encryption. • PPTP uses TCP port 1723 for its control connection; the tunneled data is carried in GRE (IP protocol 47), not in TCP. • Control-connection tasks: • Queries the status of communications servers • Provides in-band management • Allocates channels and places outgoing calls • Notifies the server of disconnected calls • Assures data integrity; coordinates packet flow • Both TCP port 1723 and GRE must be permitted across the network firewalls for PPTP to work. PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken, so it should not be used for new deployments.
L2TP • L2TP has replaced PPTP as the protocol of choice. • L2TP came from Cisco's L2F and was created to address issues with PPTP. • PPTP is designed around PPP and IP networks; L2F and L2TP are designed for use across all kinds of networks, including ATM and frame relay. • PPTP is designed to be implemented in software at the client device; L2TP is typically implemented in routers or network appliances, although software clients also exist. • L2TP provides no encryption of its own, so it is normally paired with IPsec (L2TP/IPsec). DES was an early choice of cipher and is now obsolete; current deployments use AES. • L2TP works with established AAA services and supports RADIUS and TACACS+. • L2TP is established via User Datagram Protocol (UDP) port 1701. • Multiple links can be bonded together to form a single (and hence faster) channel, even when the two or more links are spread across different physical network access services.
VPN • Virtual private networking is not a protocol per se, but rather a method of using protocols to secure communications. • VPN end points can be software solutions, routers, or specific servers set up for specific functionality. • A VPN connection provides a private connection between machines; the client is typically assigned an IP address on the private network by the VPN gateway it connects to. • Identification, authorization, and all other standard functions are done with the standard mechanisms of the established system.
VPN Protocols • VPNs use different protocols to offer a secure method of communicating between end points. • Both end points know the protocol and share a secret (or hold credentials such as certificates). • All necessary information is established when the VPN is set up. • At the time of use, the VPN only acts as a private tunnel between the two points; it does not by itself constitute a complete security solution, because whatever is on the remote machine reaches the inside network through the tunnel.
IPsec • IPsec (IP Security) is a set of protocols developed by the IETF to exchange packets securely at the network layer of the OSI model. It is deployed widely and used to implement VPNs. • IPsec only protects IP traffic. • Once an IPsec connection is established, it can tunnel traffic across any intermediate IP network. • Because it operates at the IP layer, higher layer protocols such as TCP, UDP, ICMP, and BGP are unaffected by the implementation of IPsec services and need no changes. • In IP version 4 (IPv4), IPsec is an add-on, and its acceptance is vendor driven. • In IP version 6 (IPv6), IPsec is defined as part of the protocol via extension headers; support is built in, although it is not automatically applied to every packet. • IPsec is not just to protect the confidentiality of the data, but also to assure the authenticity of the sender and the integrity of the data (that it hasn't been changed in transit).
IP Security Protocol • IPsec has two defined modes that provide different levels of protection. • Transport mode protects only the data portion (payload) of each packet and leaves the original IP header in place. • Tunnel mode encapsulates the entire original packet, header and payload, inside a new IP packet whose header carries the gateway addresses; this hides the original addresses and is what site-to-site VPNs use. • For IPsec to work, the sending and receiving devices must share symmetric session keys. These are negotiated through Internet Key Exchange (IKE), built on ISAKMP and the Oakley key determination protocol, which performs a Diffie-Hellman exchange and authenticates the peers with pre-shared keys or digital certificates. • Key management protocols are collectively referred to as Internet Key Management Protocol (IKMP); the one in use is IKE (IKEv2, RFC 7296). • IPsec does not define specific security algorithms, nor does it require specific methods of implementation; algorithms are negotiated per security association.
IPsec configurations • IPsec has four basic configurations: • The simplest is a host-to-host connection. • The Internet is not a part of the security association between the machines. • Both communicating parties must agree on the protocols and algorithms to use (the security association). • Gateway to gateway: two security devices, which relieves the hosts of calculation and encapsulation duties; the gateways hold their own security association. • Host to host plus security devices: combines the first two. • A separate security association exists between the gateway devices, and another security association exists between the hosts. • This could be considered a tunnel inside a tunnel. • The fourth (remote access): a host establishes a secure connection to a remote gateway, then a second secure connection to the server behind it.
IPsec CIA • IPsec allows several security technologies to be combined into a comprehensive solution for network-based confidentiality, integrity, and authentication (CIA) by using: • Diffie-Hellman key exchange to agree on session keys without sending them over the network; the exchange must itself be authenticated (with digital certificates or a pre-shared key), because unauthenticated Diffie-Hellman does not prevent man-in-the-middle attacks. • Bulk encryption algorithms, such as IDEA and 3DES (today AES). • Keyed hash algorithms, such as HMAC, and traditional hash algorithms, such as MD5 and SHA-1 (both now deprecated in favour of SHA-2), for packet-level authentication. • Digital certificates to act as digital ID cards between parties.
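An added example, not from the slides, covering two points above: that the IPsec peers end up with shared symmetric keys negotiated by a Diffie-Hellman exchange, and that the exchange only resists a man-in-the-middle when it is authenticated. The group is a toy one (the Mersenne prime 2**127 - 1 with generator 2), not an IKE group from RFC 3526, and the pre-shared key, identities and key-derivation label are constructed. The `auth_tag` function plays the role of IKE's AUTH payload: an HMAC keyed with the PSK over both parties' Diffie-Hellman values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: p = 2**127 - 1 (a Mersenne prime), generator 2.
# Real IKE uses the MODP groups of RFC 3526 or elliptic-curve groups. The PSK is constructed.
P = 2**127 - 1
G = 2
PSK = b"constructed pre-shared key"
KEYLEN = 16  # bytes needed to hold one group element


def dh_keypair():
    """Random private exponent and the matching public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    """Derive a symmetric key from the DH shared secret (stand-in for IKE's SKEYSEED derivation)."""
    shared = pow(peer_pub, priv, P).to_bytes(KEYLEN, "big")
    return hashlib.sha256(b"constructed-kdf-label" + shared).digest()


def auth_tag(psk: bytes, ident: bytes, own_pub: int, peer_pub: int) -> bytes:
    """Proof of identity bound to both DH values and keyed by the PSK (the role of IKE's AUTH payload)."""
    msg = ident + own_pub.to_bytes(KEYLEN, "big") + peer_pub.to_bytes(KEYLEN, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def exchange(mitm: bool, authenticated: bool) -> dict:
    """One key agreement between Alice and Bob, optionally relayed by Mallory.

    Reports whether each side accepts its peer, whether Alice and Bob share a key,
    and whether Mallory ended up holding Alice's session key.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if mitm:
        # Mallory substitutes her own public value in both directions.
        m_priv, m_pub = dh_keypair()
        seen_by_alice, seen_by_bob = m_pub, m_pub
        # Mallory does not know the PSK; the best she can do is sign with a guess.
        tag_for_alice = auth_tag(b"guessed psk", b"bob", m_pub, a_pub)
        tag_for_bob = auth_tag(b"guessed psk", b"alice", m_pub, b_pub)
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
        tag_for_alice = auth_tag(PSK, b"bob", b_pub, a_pub)
        tag_for_bob = auth_tag(PSK, b"alice", a_pub, b_pub)
    k_alice = session_key(a_priv, seen_by_alice)
    k_bob = session_key(b_priv, seen_by_bob)
    if authenticated:
        # Each side recomputes the tag it expects from its peer over the values it actually saw.
        alice_ok = hmac.compare_digest(tag_for_alice, auth_tag(PSK, b"bob", seen_by_alice, a_pub))
        bob_ok = hmac.compare_digest(tag_for_bob, auth_tag(PSK, b"alice", seen_by_bob, b_pub))
    else:
        alice_ok = bob_ok = True  # plain DH has nothing to check
    mallory_has_alice_key = mitm and session_key(m_priv, a_pub) == k_alice
    return {
        "alice_accepts": alice_ok,
        "bob_accepts": bob_ok,
        "same_key": k_alice == k_bob,
        "mallory_has_alice_key": mallory_has_alice_key,
    }


if __name__ == "__main__":
    for mitm in (False, True):
        for auth in (False, True):
            print(f"mitm={mitm} authenticated={auth}:", exchange(mitm, auth))
```

In the unauthenticated relay case both sides accept, yet they hold different keys and Mallory holds both; with the PSK-keyed tag over the DH values, the substituted values no longer verify and the exchange is rejected before any traffic is protected with the wrong key.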
IPsec Header extensions • IPsec provides two header extensions for secure traffic: • Authentication Header (AH) • Ensures integrity of the data and authenticity of the data's origin, but provides no confidentiality. • By covering the non-changing fields of the IP header, AH protects the IP addresses, which enables data-origin authentication (and is also why AH cannot pass through NAT). • Encapsulating Security Payload (ESP) • Provides confidentiality, and optionally integrity and origin authentication, for the payload; the outer IP header is not covered. • AH and ESP can be used together or separately, and both work in tunnel and transport mode. • In transport mode, the end hosts themselves apply the protection. • In tunnel mode, the endpoints (usually gateways) encapsulate the entire packet with a new IP header.
802.1X General Topology • 802.1X is an IEEE standard for port-based network access control for both wired and wireless networking. • Until a client has successfully authenticated itself to the device, only EAPOL (Extensible Authentication Protocol over LAN) traffic is passed on the port.
EAPOL • EAPOL is an encapsulation method for passing EAP messages in 802 frames (EtherType 0x888E). • 802.1X ties EAP to both wired and wireless LAN media and supports multiple authentication methods, including one-time passwords, Kerberos, public keys, and security-device methods such as smart cards. • Roles: the supplicant (the client that wants to authenticate), the authenticator (the switch or access point in between), and the authentication server (typically RADIUS); the authenticator relays EAP between the other two and opens the port only on a success from the server.
RADIUS • Remote Authentication Dial-In User Service (RADIUS) is a protocol developed by Livingston Enterprises (acquired by Lucent) as an AAA protocol; it is now an IETF standard (RFC 2865 and RFC 2866). • RADIUS is a connectionless protocol using UDP. • RADIUS uses UDP port 1812 for authentication and authorization and 1813 for accounting (older deployments use 1645 and 1646). • Uses a centralized database. • Has a scalable architecture. • Open protocol: RADIUS implementations can be modified and extended (for example with vendor-specific attributes) to fit a company's needs.
RADIUS communication sequence • The client is typically a NAS, and the server is a process or daemon. • Communications between the user and the NAS are not protected by RADIUS. • Communications between the RADIUS client and server are not encrypted either: only the User-Password attribute is obfuscated with an MD5 keystream derived from a shared secret, and the server's reply is authenticated with an MD5 hash over the packet and the secret. The secret is manually configured into each entity and never sent over the connection. Everything else (user name, NAS address, reply attributes) travels in the clear, so RADIUS traffic should be confined to a trusted network or wrapped in IPsec or RADIUS/TLS.
RADIUS communication sequence • A RADIUS user login authentication consists of a query from the client and a corresponding response from the server. • The query (Access-Request) contains the username, the obfuscated password, the NAS IP address and port, and information concerning the type of session the user wishes to initiate. • Once identity is established, the authorization process determines what parameters are returned to the client in the Access-Accept.
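The Access-Request and Access-Accept exchange above, as an added example that is not part of the original slides. It implements the User-Password hiding of RFC 2865 section 5.2 (pad to 16 bytes, XOR with MD5(secret || Request Authenticator), chaining each ciphertext block into the next MD5) and the Response Authenticator the client uses to check that the reply came from a server holding the secret. The shared secret, user, password and NAS address are constructed. Note what is visible in the raw packet bytes: the user name is, the password is not.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865. Secret, user and NAS values are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ..."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding is stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the two header bytes too."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    return struct.pack(">BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def access_request(secret, ident, user, password, nas_ip, nas_port) -> bytes:
    request_auth = os.urandom(16)  # the Request Authenticator must be unpredictable
    attrs_bytes = b"".join([
        attr(USER_NAME, user),
        attr(USER_PASSWORD, hide_password(secret, request_auth, password)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_PORT, struct.pack(">I", nas_port)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs_bytes)


def response_authenticator(secret, code, ident, request_auth, attrs_bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack(">BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(head + request_auth + attrs_bytes + secret).digest()


def access_accept(secret, request) -> bytes:
    """Server reply with no attributes (constructed); authenticated against the request."""
    ident, request_auth = request[1], request[4:20]
    return build_packet(ACCESS_ACCEPT, ident, response_authenticator(secret, ACCESS_ACCEPT, ident, request_auth, b""), b"")


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def verify_reply(secret, request, reply) -> bool:
    """Client-side check: recompute the Response Authenticator using the request's authenticator."""
    expected = response_authenticator(secret, reply[0], reply[1], request[4:20], reply[20:])
    return hmac.compare_digest(expected, reply[4:20])
```

Because the keystream depends only on the secret and the Request Authenticator, a weak or reused authenticator lets an observer recover passwords by XOR, and nothing in the request integrity-protects the cleartext attributes; those two properties are why RADIUS is expected to run over a trusted path.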
Accounting • RADIUS accounting functions are performed independently of authentication and authorization. • It can indicate resource utilization, such as time and bandwidth. • The accounting function uses a separate UDP port, 1813.
DIAMETER • Diameter is the AAA protocol suite designated by the IETF as the successor to RADIUS (RFC 6733). • It improves upon RADIUS, resolving discovered weaknesses. • Diameter runs over reliable transports (TCP or SCTP) and has extensive capabilities in authentication, authorization, and accounting. • Diameter supports all types of remote access, not just modem pools. • Diameter also has an improved approach to protecting message exchanges: it relies on TLS, DTLS or IPsec for confidentiality and integrity, which defeats replay and man-in-the-middle attacks, rather than the MD5-based password hiding of RADIUS.
Terminal Access Controller Access Control System Plus (TACACS+) • The original TACACS was developed for MILNET and provided a combination of authentication and authorization. • Cisco extended it to provide separate AAA. • TACACS+ is a Cisco-developed AAA protocol (documented in RFC 8907) that provides capabilities RADIUS does not. • TACACS+ uses TCP (typically port 49) instead of UDP. • TACACS+ obfuscates the entire packet body (everything after the 12-byte header) with an MD5-based keystream derived from the shared secret, whereas RADIUS only hides the password; RFC 8907 still calls for a secure transport or a trusted network because this obfuscation is not strong encryption. • TACACS+ is not backward compatible with TACACS. • Addresses the need for a scalable solution. • Offers multiple protocol support. • Provides immediate indication of a crashed server (the TCP connection fails).
TACACS+ Authentication • Authentication is optional and is determined as a site-configurable option. • Authentication is performed using three different packet types: START, CONTINUE, and REPLY. • START and CONTINUE packets originate from the client and are directed to the server. • The REPLY packet is sent from the server to the client. • The REPLY message indicates whether the authentication is complete or needs more information. • The response from a client to a REPLY message requesting additional data is a CONTINUE message. • This process continues until the server has all the information needed, and the authentication process concludes with a success or failure.
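An added example, not part of the original slides, covering the body obfuscation described on the previous slide and the START/REPLY packets described on this one. It implements the pseudo-pad of RFC 8907 section 4.5 (MD5 over session_id, key, version and seq_no, chained block by block) and uses it to build a client START packet for an ASCII login and a server GETPASS REPLY, then parses both back. The shared key, session id, user, port and remote address are constructed. The same XOR both hides and reveals a body, so decoding with the wrong key yields garbage rather than an error.

```python
import hashlib
import struct

# Field values from RFC 8907. The shared key, session id and user below are constructed.
VERSION = 0xC0            # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # header flag meaning "body sent in the clear" (must never be used in production)
ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01, 0x01
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER", 0x05: "GETPASS", 0x07: "ERROR"}


def pseudo_pad(key: bytes, session_id: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack(">I", session_id) + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(key: bytes, session_id: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pseudo pad; the same call both hides and reveals."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(key, session_id, seq_no, len(body))))


def header(ptype: int, seq_no: int, session_id: int, body_len: int, flags: int = 0) -> bytes:
    """12-byte header: version, type, seq_no, flags, session_id, length. Always in the clear."""
    return struct.pack(">BBBBII", VERSION, ptype, seq_no, flags, session_id, body_len)


def authen_start(key, session_id, user, port, rem_addr) -> bytes:
    """Client -> server START packet for an ASCII login; the first packet has seq_no 1."""
    body = struct.pack("8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    return header(TYPE_AUTHEN, 1, session_id, len(body)) + obfuscate(key, session_id, 1, body)


def authen_reply(key, session_id, seq_no, status, server_msg=b"") -> bytes:
    """Server -> client REPLY packet, e.g. GETPASS asking for the password; server packets use even seq_no."""
    body = struct.pack(">BBHH", status, 0, len(server_msg), 0) + server_msg
    return header(TYPE_AUTHEN, seq_no, session_id, len(body)) + obfuscate(key, session_id, seq_no, body)


def parse(key: bytes, packet: bytes) -> dict:
    """Decode the header, reveal the body and pick apart START (odd seq_no) and REPLY (even seq_no) bodies."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(">BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(key, session_id, seq_no, body)
    out = {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id}
    if seq_no % 2 == 1:
        user_len, port_len, rem_len, _data_len = body[4:8]
        i = 8
        out["user"] = body[i:i + user_len]
        i += user_len
        out["port"] = body[i:i + port_len]
        i += port_len
        out["rem_addr"] = body[i:i + rem_len]
    else:
        status, _flags, msg_len, _data_len = struct.unpack(">BBHH", body[:6])
        out["status"] = STATUS.get(status, status)
        out["server_msg"] = body[6:6 + msg_len]
    return out


if __name__ == "__main__":
    key, sid = b"constructed-shared-key", 0x1234ABCD
    start = authen_start(key, sid, b"alice", b"tty0", b"192.0.2.10")
    print(parse(key, start))
    print(parse(key, authen_reply(key, sid, 2, 0x05, b"Password: ")))
```

Because the pad is a function of the key and per-session values only, every packet in a session with the same seq_no would reuse the keystream; the protocol avoids that by giving each packet a distinct, increasing seq_no, and the header itself (including session id and length) is never protected.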
TACACS+ Authorization • A default state of "unknown user" exists before a user is authenticated, and permissions can be determined for an unknown user. • As with authentication, authorization is an optional process and may or may not be part of a site-specific operation. • The authorization process uses two message types: REQUEST and RESPONSE. • The client issues an authorization REQUEST message containing a fixed set of fields that identify the user or process requesting permission and a variable set of fields enumerating the services or options. • The RESPONSE message in TACACS+ is not a simple yes or no; it may also include qualifying information.
TACACS+ Accounting • It typically follows the other services. • Accounting in TACACS+ is defined as the process of recording what a user or process has done. • To support this functionality, TACACS+ has three types of accounting records: START, STOP, and UPDATE. • START records indicate the time and the user or process that began an authorized process. • STOP records enumerate the same information concerning the stop times for specific actions. • UPDATE records act as intermediary notices that a particular task is still being performed. • Together, these three message types allow the creation of records that delineate the activity of a user or process on a system.
Remote Access Considerations • Data goes across the Internet and must be assumed to be observable. • L2TP and PPTP have problems with IPsec and NAT: GRE (used by PPTP) and ESP carry no port numbers for NAT to rewrite, so NAT traversal (IPsec NAT-T over UDP 4500) or a NAT-aware gateway is needed. • Software bugs that aren't corrected immediately leave an Internet-facing gateway exposed. • The threat can be at the home site or the central office site; both ends need to be trusted and kept patched. • VPN software can be installed on handheld devices and connect to standard VPN gateways, which brings those devices inside the trust boundary too.