• Can be used with any type of TCP/IP transmission
– Most commonly set up on routers or other connectivity devices in the context of VPNs
• IPSec (cont’d.)
• Tunnel mode: IPSec communication between two networks (corporate office that connects to a branch office)
– Uses gateway/router as the end points
• Transport mode: IPSec communication between two hosts (client and server connection)
• IPSec (cont’d.)
• VPN concentrator
– Specialized device
• Positioned at the private network edge
• Establishes multiple VPN connections
– Authenticates VPN clients
– Establishes tunnels for VPN connections
• Authentication Protocols
• Authentication
– Process of verifying a user’s credentials
• Grants the user access to secured resources
• Authentication protocols
– Rules computers follow to accomplish authentication
• Several authentication protocol types
– Vary by encryption scheme
• And by the steps taken to verify credentials
• RADIUS and TACACS+
• Centralized service
– Often used to manage resource access
• AAA (authentication, authorization, and accounting)
– Category of protocols that support many simultaneous connections and several user IDs and passwords
• Establish client’s identity by prompting for username and password
• Examine credentials and allow or deny access
• Track client’s system or network usage
• RADIUS and TACACS+ (cont’d.)
• RADIUS (Remote Authentication Dial-In User Service)
– Most popular AAA service
– Runs over UDP
– Can operate as application on remote access server
• Or on dedicated RADIUS server
– Highly scalable
– May be used to authenticate wireless connections
– Can work in conjunction with other network servers
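An added example, not from the slides, of how a RADIUS client hides the User-Password attribute with the shared secret before sending it over UDP (the RFC 2865 section 5.2 scheme); the secret, password and Request Authenticator values are constructed for the demo.

```python
import hashlib

# Constructed demo values (not from any real deployment): the access server
# and the RADIUS server share this secret out of band; it never goes on the wire.
SHARED_SECRET = b"constructed-shared-secret"
# The Request Authenticator is 16 random octets the client puts in each
# Access-Request; fixed here so the example is reproducible.
REQUEST_AUTH = bytes(range(16))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """Encode the User-Password attribute as RFC 2865 s5.2 specifies.

    The password is null-padded to a multiple of 16 octets; each 16-octet block
    is XORed with MD5(secret + previous hidden block), the first block using the
    Request Authenticator in place of a previous block.  The protection is only
    as strong as the shared secret, which is why RADIUS is often carried inside
    an IPsec tunnel between the access server and the RADIUS server.
    """
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding; returns the password with null padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    wire = hide_user_password("Pa55word!", SHARED_SECRET, REQUEST_AUTH)
    print("on the wire:", wire.hex())
    print("recovered  :", reveal_user_password(wire, SHARED_SECRET, REQUEST_AUTH))
```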
• RADIUS and TACACS+ (cont’d.)
• TACACS+ (Terminal Access Controller Access Control System Plus)
– Separate access, authentication, and auditing capabilities
– Differences from RADIUS
• Relies on TCP at the Network layer
– Proprietary protocol developed by Cisco Systems, Inc.
– Typically installed on a router
• Radius & TACACS
– Both belong to a category of protocols known as AAA
• Authentication, Authorization, and Accounting (AAA)
• PAP, CHAP, MS-CHAP
• PAP (Password Authentication Protocol)
• PPP does not secure connections
– Requires authentication protocols
• PAP authentication protocol
– Operates over PPP
– Uses two-step authentication process
– Simple
– Not secure
• Sends client’s credentials in clear text
• CHAP and MS-CHAP
• CHAP (Challenge Handshake Authentication Protocol)
– Operates over PPP
– Encrypts user names, passwords
– Uses three-way handshake
• Requires three steps to complete authentication process
• Benefit over PAP
– Password never transmitted alone
– Password never transmitted in clear text
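An added example, not from the slides, contrasting what PAP and CHAP put on the wire: PAP sends the password itself, while the CHAP three-way handshake sends a random challenge and an MD5 response computed as RFC 1994 describes, so the shared secret is never transmitted. The secret, user name and challenge bytes are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values (not from any real deployment).
CHAP_SECRET = b"constructed-chap-secret"  # known to both peers, never sent
CHALLENGE = bytes(range(16))              # fixed for reproducibility; peers use chap_challenge()


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP: the Authenticate-Request carries the credentials in clear text."""
    return peer_id.encode() + b":" + password.encode()


def chap_challenge() -> bytes:
    """CHAP step 1: the authenticator sends a fresh random challenge."""
    return secrets.token_bytes(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP step 2: the peer answers with MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """CHAP step 3: the authenticator recomputes the hash and answers Success/Failure."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(secret: bytes, challenge: bytes, identifier: int = 1):
    """Full three-way handshake; returns (bytes seen on the wire, success flag)."""
    response = chap_response(identifier, secret, challenge)
    on_the_wire = challenge + response
    return on_the_wire, chap_verify(identifier, secret, challenge, response)


if __name__ == "__main__":
    print("PAP sends :", pap_authenticate_request("alice", "Pa55word!"))
    wire, ok = run_chap(CHAP_SECRET, CHALLENGE)
    print("CHAP sends:", wire.hex(), "->", "Success" if ok else "Failure")
```

Because every session gets a new challenge, a response recorded from one handshake does not verify against the next one.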
• CHAP and MS-CHAP (cont’d.)
• MS-CHAP (Microsoft Challenge Authentication Protocol)
– Similar authentication protocol to CHAP
• Used with Windows-based computers
• CHAP and MS-CHAP (cont’d.)
• MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)
• Uses stronger encryption
• Does not use same encryption strings for transmission, reception
• Requires mutual authentication
• Mutual authentication
– Both computers verify credentials of the other—the client authenticates the server just as the server authenticates the client
• EAP (Extensible Authentication Protocol)
• Framework for transporting authentication protocols
• Works with other encryption and authentication schemes
• Provides an authentication framework for a wireless client, a wireless AP, and an authentication server (RADIUS) to negotiate a connection
• Protocol for wireless networks
– Verifies client and server credentials
• EAP’s advantages: flexibility
– Supported by nearly all modern OSs
• Forms the basis of the most secure wireless authentication techniques
• Defines message formats for authentication and encryption methods
• 802.1x (EAPoL)
• Codified by IEEE
– Specifies use of one of many authentication methods plus EAP
– Grants access to a particular port and dynamically generates and updates the authentication keys for transmissions to that port
• Primarily used with wireless networks
• Originally designed for wired LAN
– EAPoL (EAP over LAN)
• Only defines process for authentication
• Commonly used with RADIUS wireless authentication
• Kerberos
• Cross-platform authentication protocol
• Uses key encryption
– Verifies client identity
– Securely exchanges information after client logs on
• Private key encryption service
• Provides significant security advantages over simple NOS authentication
• Kerberos (cont’d.)
• Terms
– KDC (Key Distribution Center)
– AS (authentication service)
– Ticket
– Principal
• Single sign-on
– Single authentication to access multiple systems or resources
• Two-factor authentication
– Example: token and password
• Wireless Network Security
• Wireless transmissions
– Susceptible to eavesdropping
• War driving
– Effective for obtaining private information
• War chalking
– Marking symbols to publicize access point SSID, secured status
• WEP (Wired Equivalent Privacy)
• 802.11 standard security
– None by default
– Access points
• No client authentication required prior to communication
– SSID: only item required
• WEP
– Uses keys
– Authenticates network clients
– Encrypts data in transit
• WEP (cont’d.)
• Network key
– Character string required to associate with access point
• WEP implementations
– First: 64-bit keys
– Current: 128-bit, 256-bit keys
• WEP flaws
• IEEE 802.11i and WPA (Wi-Fi Protected Access)
• 802.11i uses 802.1x (EAPoL)
– Authenticate devices
– Dynamically assign every transmission its own key
– Relies on TKIP
• Encryption key generation, management scheme
– Uses AES encryption
• WPA (Wi-Fi Protected Access)
– Subset of 802.11i
– Same authentication as 802.11i
– Uses RC4 encryption
• Summary
• Posture assessment used to evaluate security risks
• Router’s access control list directs forwarding or dropping packets based on certain criteria
• Intrusion detection and intrusion prevention systems used to monitor, alert, and respond to intrusions
• Firewalls selectively filter or block traffic between networks
• Various encryption algorithms exist
• TKIP: a better wireless security solution than WEP