CSIT560 Project Presentation

Network Security

Instructor: Mounir Hamdi

Group Members

Zhang Nan 06766498 zhangnan@ust.hk
Cao Zhe 06766723 caozhe@ust.hk
Huang Qiankun 06767040 qkhuang@ust.hk
Zhang Weiwei 06767296 jacko@ust.hk

AGENDA

Introduction

Firewall Technology

Intrusion Prevention System (IPS)

Virtual Private Network (VPN)

Wireless Network Security Issues


Introduction: Background

25% of respondents detected system penetration from the outside.

27% of respondents detected denial of service attacks.

79% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).

85% detected computer viruses.

19% suffered unauthorized access or misuse within the last twelve months.

273 organizations that were able to quantify their losses reported a total of $265,589,940 ……

(From the Computer Security Institute)

Introduction: Core Reason

Lack of security design in the TCP/IP model

3-way handshake in TCP/IP

TCP/IP doesn't verify the authenticity and validity of the source address before establishing a connection.

Introduction: Distributed Denial of Service (DDoS) Attack
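Added example (not part of the original deck): a small Python replay of the server side of the 3-way handshake. Because the server answers every SYN with a SYN-ACK before it has verified the source, SYNs from sources that never complete the handshake pile up as half-open state, and that growth is the signal a defender watches for a SYN-based DDoS. The event list, addresses, timeout and backlog limit are all constructed for illustration.

```python
from collections import Counter

# Constructed sample of what a server sees during TCP handshakes:
# (timestamp_seconds, client_ip, client_port, flag).  "SYN" is the client's
# opening SYN; "ACK" is the client's final ACK completing the 3-way handshake.
# 10.0.0.5 is a constructed legitimate client; the 198.51.100.x addresses are
# constructed sources whose SYN-ACK is never answered, which is how
# spoofed-source SYNs look from the server side.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", 40001, "SYN"),
    (0.01, "10.0.0.5", 40001, "ACK"),
    (0.50, "198.51.100.7", 1024, "SYN"),
    (0.51, "198.51.100.8", 1025, "SYN"),
    (0.52, "198.51.100.9", 1026, "SYN"),
    (0.53, "198.51.100.10", 1027, "SYN"),
    (0.54, "198.51.100.11", 1028, "SYN"),
    (1.00, "10.0.0.5", 40002, "SYN"),
    (1.02, "10.0.0.5", 40002, "ACK"),
]


def replay_handshakes(events, now, timeout=3.0):
    """Replay the server's handshake table.

    Returns (completed, half_open): how many connections were fully
    established, and the (ip, port) entries whose SYN was never acknowledged
    and has waited at least `timeout` seconds.  For each of those the server
    already sent a SYN-ACK and is holding state for a peer it never verified,
    which is the weakness the slides describe.
    """
    pending = {}          # (ip, port) -> time the SYN arrived
    completed = 0
    for ts, ip, port, flag in sorted(events):
        key = (ip, port)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK" and key in pending:
            del pending[key]
            completed += 1
    half_open = [key for key, ts in pending.items() if now - ts >= timeout]
    return completed, half_open


def syn_flood_indicators(events, now, backlog_limit=4, timeout=3.0):
    """Summarise the half-open state into the signals an operator would alert on."""
    completed, half_open = replay_handshakes(events, now, timeout)
    per_source = Counter(ip for ip, _ in half_open)
    return {
        "completed": completed,
        "half_open": len(half_open),
        "distinct_half_open_sources": len(per_source),
        "backlog_exhausted": len(half_open) >= backlog_limit,
    }


if __name__ == "__main__":
    print(syn_flood_indicators(SAMPLE_EVENTS, now=5.0))
```

Because the spoofed sources are all different addresses, a per-source threshold alone would miss this; the total number of aged half-open entries against the backlog limit is the more useful indicator, and it is exactly the resource a SYN cookie or a reduced SYN-RECEIVED timeout protects.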

Firewall: What is a Firewall?

A firewall is a security device configured to permit, deny, or proxy data connections according to the organization's security policy. Firewalls can be either hardware or software based.

Firewall: Firewall Architecture

Packet Filter Firewall

A packet filter firewall is a first-generation firewall technology that analyzes network traffic at the transport protocol layer. Each IP network packet is examined to see if it matches one of a set of rules defining what data flows are allowed. These rules identify whether communication is allowed based upon information contained within the Internet and transport layer headers and the direction in which the packet is headed (internal to external network or vice-versa).


Circuit Level Firewall

A circuit level firewall is a second-generation firewall technology. To validate a session, a circuit level firewall examines each connection setup to ensure that it follows a legitimate handshake for the transport layer protocol being used. In addition, data packets are not forwarded until the handshake is complete. The firewall maintains a table of valid connections and lets network packets containing data pass through when network packet information matches an entry in the virtual circuit table. Once a connection is terminated, its table entry is removed, and that virtual circuit between the two peer transport layers is closed.


Application Layer Firewall

An application layer firewall is a third-generation firewall technology that evaluates network packets for valid data at the application layer before allowing a connection. It examines the data in all network packets at the application layer and maintains complete connection state and sequencing information. In addition, an application layer firewall can validate other security items that only appear within the application layer data, such as user passwords and service requests.


Dynamic Packet Filter Firewall

A dynamic packet filter firewall is a fourth-generation firewall technology that allows modification of the security rule base on the fly. This type of technology is most useful for providing limited support for the UDP transport protocol. The UDP transport protocol is typically used for limited information requests and queries in application layer protocol exchanges.

Firewall: Cisco IOS Firewall Analysis

Cisco IOS Firewall is a stateful security software component of Cisco IOS Software. Firewall integration in Cisco IOS routers augments a router's inherent capabilities: multi-topology interfaces, industry-standard routing protocols, and a broad range of services, as well as an expanding group of other security features such as VPN and IPS features. Cisco IOS Firewall interoperates with other Cisco IOS Software technologies, including NAT, QoS, and IPSec and SSL VPN, to become a vital component of an end-to-end network security infrastructure.


Configuration

Router 1 (S0 192.168.1.1/24) --- (S0 192.168.1.2/24) Router 2 (S1 192.168.2.1/24) --- (S0 192.168.2.2/24) Router 3

Router_1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router_1#telnet 192.168.2.2
Trying 192.168.2.2 ...
% Destination unreachable; gateway or host down

Router_2(config)#access-list 110 deny tcp any host 192.168.1.1 eq 23
Router_2(config)#access-list 110 permit ip any any
Router_2(config)#int s1
Router_2(config-if)#ip access-group 110 out
Router_2(config-if)#exit
Router_2(config)#
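Added example (not the deck's or Cisco's code): a Python model of the packet filter and circuit-level architectures from the earlier slides, using the access-list 110 shown above as its rule set. `acl_decision` evaluates IOS-style rules first-match with the implicit deny at the end; `CircuitLevelFirewall` adds the table of valid connections, forwarding TCP data only after a completed handshake and removing the entry on FIN/RST. The `Packet` and `Rule` types and the sample traffic are constructed. One caveat a reader should notice: the list as written matches telnet destined to host 192.168.1.1, so a telnet from Router 1 to 192.168.2.2 is permitted by this ACL alone; the model evaluates only the list, not the router's forwarding.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""        # TCP flags: "S", "SA", "A", "PA" (data), "F", "R"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # "any" or a CIDR; IOS "host x" is x/32 here
    dst: str
    dport: Optional[int] = None  # IOS "eq <port>"; None matches any port


# The slide's access-list 110, as written, in this evaluator's notation.
ACL_110 = [
    Rule("deny", "tcp", "any", "192.168.1.1/32", 23),
    Rule("permit", "ip", "any", "any"),
]


def _addr_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def acl_decision(acl, pkt):
    """Packet filter: first matching rule wins; an unmatched packet hits the
    implicit deny that ends every IOS access list."""
    for rule in acl:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"


class CircuitLevelFirewall:
    """Circuit-level behaviour from the slides: a new TCP connection must pass
    the ACL, its handshake is tracked in a table, data is forwarded only once
    the handshake is complete, and the entry is removed on FIN/RST."""

    def __init__(self, acl):
        self.acl = acl
        self.table = {}    # (client, cport, server, sport) -> handshake state

    def process(self, pkt):
        if pkt.proto != "tcp":
            return acl_decision(self.acl, pkt)      # no circuit to track
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":                          # connection setup
            if acl_decision(self.acl, pkt) == "deny":
                return "deny"
            self.table[fwd] = "SYN_SENT"
            return "permit"
        if pkt.flags == "SA" and self.table.get(rev) == "SYN_SENT":
            self.table[rev] = "SYN_RECEIVED"
            return "permit"
        if pkt.flags == "A" and self.table.get(fwd) == "SYN_RECEIVED":
            self.table[fwd] = "ESTABLISHED"
            return "permit"
        key = fwd if fwd in self.table else rev
        if pkt.flags in ("F", "R") and key in self.table:
            del self.table[key]                       # circuit closed
            return "permit"
        # Data (and anything else) passes only over a completed handshake.
        return "permit" if self.table.get(key) == "ESTABLISHED" else "deny"


def run(fw, packets):
    return [fw.process(p) for p in packets]


# Constructed traffic between the slide's addresses.
R1, R3 = "192.168.1.1", "192.168.2.2"
PING = Packet("icmp", R1, R3)
TELNET_TO_R1 = Packet("tcp", R3, R1, 3001, 23, "S")
TELNET_TO_R3 = Packet("tcp", R1, R3, 3002, 23, "S")
WEB_SESSION = [
    Packet("tcp", R1, R3, 40000, 80, "PA"),   # data before any handshake
    Packet("tcp", R1, R3, 40000, 80, "S"),
    Packet("tcp", R3, R1, 80, 40000, "SA"),
    Packet("tcp", R1, R3, 40000, 80, "A"),
    Packet("tcp", R1, R3, 40000, 80, "PA"),   # data after the handshake
    Packet("tcp", R3, R1, 80, 40000, "PA"),   # reply data
    Packet("tcp", R1, R3, 40000, 80, "F"),
    Packet("tcp", R1, R3, 40000, 80, "PA"),   # data after the circuit closed
]
```

Running `run(CircuitLevelFirewall(ACL_110), WEB_SESSION)` shows the difference between the two generations: the stateless list would permit every packet of the web session, while the circuit-level table denies the data packet that arrives before the handshake and the one that arrives after the FIN.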

Firewall: Limitations of Firewall

A firewall cannot prevent attacks from internal networks. If an attacker inside the internal network launches an attack, the traffic never passes through the firewall, so the firewall can do nothing.

Firewalls offer weak defense against viruses, so antivirus software and an IDS/IPS that protects against Trojans and port scans should complement the firewall in a layered defense.

A firewall's protection is limited once an allowed connection is open. Another program should be in place to catch Trojan horses trying to enter the computer disguised as normal traffic.

Intrusion Prevention System (IPS)

Background

Traditional security systems:

Firewall

Designed to deny clearly suspicious traffic, such as an attempt to telnet to a device when corporate security policy forbids telnet access completely.

Intrusion detection systems (IDS)

Effective at detecting suspicious activity, but do not provide protection against attacks.


Current Systems

Firewall

Will allow some traffic through, e.g. web traffic.

Intrusion detection systems

Do not provide protection against attacks. Recent worms such as Slammer and Blaster have such fast propagation speeds that by the time an alert is generated, the damage is done and spreading fast.


IPS Systems

IPS systems are proactive defence mechanisms designed to detect malicious packets within normal network traffic (something that the current breed of firewalls do not actually do, for example) and stop intrusions dead, blocking the offending traffic automatically before it does any damage rather than simply raising an alert as, or after, the malicious payload has been delivered.   

Within the IPS market place, there are two main categories of product: Host IPS and Network IPS. 


Host IPS (HIPS)

As with Host IDS systems, the Host IPS relies on agents installed directly on the system being protected. It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.  

It may also monitor data streams and the environment specific to a particular application (file locations and Registry settings for a Web server, for example) in order to protect that application from generic attacks for which no “signature” yet exists. 

One potential disadvantage with this approach is that, given the necessarily tight integration with the host operating system, future OS upgrades could cause problems. 

Since a Host IPS agent intercepts all requests to the system it protects, it has certain prerequisites - it must be very reliable, must not negatively impact performance, and must not block legitimate traffic. Any HIPS that does not meet these minimum requirements should never be installed in a host, no matter how effectively it blocks attacks.  


Network IPS (NIPS)

The Network IPS combines features of a standard IDS, an IPS and a firewall, and is sometimes known as an In-line IDS or Gateway IDS (GIDS). The next-generation firewall - the deep inspection firewall - also exhibits a similar feature set, though we do not believe that the deep inspection firewall is ready for mainstream deployment just yet. 


As with a typical firewall, the NIPS has at least two network interfaces, one designated as internal and one as external. As packets appear at either interface they are passed to the detection engine, at which point the IPS device functions much as any IDS would in determining whether or not the packet being examined poses a threat.


However, if it should detect a malicious packet, in addition to raising an alert, it will discard the packet and mark that flow as bad. As the remaining packets that make up that particular TCP session arrive at the IPS device, they are discarded immediately.  


Challenges

If an in-line device fails, however, it can seriously impact the performance of the network. Perhaps latency rises to unacceptable values, or perhaps the device fails closed, in which case you have a self-inflicted Denial of Service condition on your hands.


As an integral element of the network fabric, the Network IPS device must perform much like a network switch. It must meet stringent network performance and reliability requirements as a prerequisite to deployment, since very few customers are willing to sacrifice network performance and reliability for security. A NIPS that slows down traffic, stops good traffic, or crashes the network is of little use. 

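Added example (not from the deck or any vendor): a Python model of the inline NIPS behaviour described on the preceding slides. Packets from either interface pass through a detection engine; a hit raises an alert, discards the packet and marks the flow bad, so the remaining packets of that TCP session are discarded without further inspection. A `fail_open` switch models the failure mode discussed under Challenges, where an unhealthy device that fails closed drops everything. The signatures, packets and addresses are constructed.

```python
import re

# Constructed signatures for the detection engine: (name, regex over the payload).
SIGNATURES = [
    ("dir-traversal", re.compile(rb"\.\./\.\./")),
    ("null-byte-uri", re.compile(rb"GET /[^ ]*%00")),
]


class InlineIPS:
    """Inline NIPS: inspect, alert, drop and mark the flow bad.  `fail_open`
    selects what happens when the engine is unhealthy: forward uninspected
    (fail open) or drop everything (fail closed, the slide's self-inflicted
    denial of service)."""

    def __init__(self, signatures, fail_open=False):
        self.signatures = signatures
        self.fail_open = fail_open
        self.healthy = True
        self.bad_flows = set()
        self.alerts = []          # (flow, signature name)

    @staticmethod
    def flow_key(pkt):
        # Direction-independent key so the reply half of the session is dropped too.
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        return tuple(sorted([a, b]))

    def detect(self, payload):
        for name, pattern in self.signatures:
            if pattern.search(payload):
                return name
        return None

    def inspect(self, pkt):
        if not self.healthy:
            return "forward" if self.fail_open else "drop"
        flow = self.flow_key(pkt)
        if flow in self.bad_flows:
            return "drop"                     # discarded immediately, no engine
        hit = self.detect(pkt["payload"])
        if hit:
            self.alerts.append((flow, hit))
            self.bad_flows.add(flow)
            return "drop"
        return "forward"


def run(ips, packets):
    return [ips.inspect(p) for p in packets]


def pkt(src, sport, dst, dport, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed traffic: one benign session and one that turns malicious mid-stream.
TRAFFIC = [
    pkt("10.0.0.5", 40001, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    pkt("192.0.2.10", 80, "10.0.0.5", 40001, b"HTTP/1.0 200 OK\r\n"),
    pkt("10.0.0.9", 40002, "192.0.2.10", 80, b"GET /a.html HTTP/1.0\r\n"),
    pkt("10.0.0.9", 40002, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    pkt("192.0.2.10", 80, "10.0.0.9", 40002, b"HTTP/1.0 404 Not Found\r\n"),
    pkt("10.0.0.9", 40002, "192.0.2.10", 80, b"GET /b.html HTTP/1.0\r\n"),
    pkt("10.0.0.5", 40001, "192.0.2.10", 80, b"GET /about.html HTTP/1.0\r\n"),
]
```

Note that only the flow that matched is blocked; the benign session from 10.0.0.5 keeps flowing, which is the "must not block legitimate traffic" requirement from the HIPS slide applied to the network device. The fail-closed branch is deliberately blunt to show why the failure mode of an in-line device has to be an explicit design decision.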

Requirements of IPS System

In-line operation

Reliability and availability

Resilience

Low latency

High performance

Unquestionable detection accuracy

Fine-grained granularity and control

Advanced alert handling and forensic analysis capabilities

NSS IPS Test

The NSS Group has conducted the first comprehensive IPS test of its kind. This exhaustive review will give readers a complete perspective of the capabilities, maturity and suitability of the products tested for their particular needs.    

If a particular IPS has been designated as NSS Approved, customers can be confident that the device will not significantly impact network/host performance, cause network/host crashes, or otherwise block legitimate traffic.  


Example: Cisco IOS IPS

Cisco IOS IPS uses the underlying routing infrastructure to provide an additional layer of security with investment protection. Because Cisco IOS IPS is inline and supported on a broad range of routing platforms, attacks can be effectively mitigated to deny malicious traffic from both inside and outside the network. When used in combination with Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides superior threat protection at all entry points into the network. Cisco IOS IPS is supported by easy and effective management tools, reducing operational complexity and expenditure (refer to Cisco Router and Security Device Manager and CiscoWorks VPN/Security Management Solution). Whether threats are targeted at endpoints, servers, or the network infrastructure, Cisco Systems® offers pervasive intrusion prevention solutions that are designed to integrate smoothly into the network infrastructure and proactively protect vital resources.


Cisco IOS IPS has two main deployment scenarios:

Cisco IOS IPS protecting the Internet-facing (untrusted) interface

Cisco IOS IPS within the internal (trusted) network


Cisco Deployment Scenario

(1) Cisco IOS IPS Protecting the Internet-Facing (Untrusted) Interface

Cisco recommends enabling Cisco IOS IPS on the Internet traffic to protect the network from attacks and exploits that might come into the branch office or telecommuter personal computers, which could in turn affect the corporate network.


General Cisco IOS IPS Structure

Cisco IOS IPS uses technology from Cisco Intrusion Detection System (IDS) and IPS sensor product lines, including Cisco IDS 4200 Series Sensors, Cisco Catalyst® 6500 Series IDS Services Modules, and network module hardware IDS appliances. Cisco IOS IPS relies on signature microengines (SMEs) to support IPS signatures. Each engine categorizes a group of signatures, and each signature detects patterns of misuse in network traffic.


Virtual Private Network (VPN)

Introduction to VPN

Virtual private network (VPN) is a cost effective and secure way for different corporations to provide user access to the corporate network and for remote networks to communicate with each other across the Internet.

Usually VPN involves two parts: the protected or "inside" network, which provides physical and administrative security to protect the transmission; and a less trustworthy, "outside" network. Between them, there’s usually a firewall.


Applications for VPNApplications for VPN

VPN Architecture

Remote-access VPNs allow one remote system to connect to a network.

The dashed-blue data flow implies access to the entire corporate LAN. In practice, a remote-access VPN tunnel can limit that access through access control lists (ACLs) or firewall rules.

VPN Architecture

A point-to-point VPN connects two networks.

An encrypted point-to-point connection between two different networks is created over some untrusted medium. Routers, firewalls and dedicated VPN concentrators or servers can be used as VPN endpoints.

Technical Features

Encryption

Key Generation and Management

Certification

Tunneling

Interoperability

Encryption

Starting point of a VPN solution.

Well-established encryption algorithms and strong encryption keys can make a VPN much more effective.

Key Generation and Management

Key length: In general, the longer the key, the tougher to break. Today, a key length of less than 56 bits is considered insecure.

Key exchange: should be based on well-established algorithms (e.g. Diffie–Hellman for encryption and RSA for signature) as specified in strong key management standards.

Rate of key exchange: The more frequently a key is automatically exchanged, the more secure the encrypted data is.

Key generation: The use of true random keys ensures the highest levels of security. The best method of key generation is using hardware.

Certification

Certification is the registration and identification of VPN components.

It requires establishing well-defined secrets between a centrally controlled Certification Authority and any VPN device.

Tunneling

Tunneling is the encapsulation and encryption of entire transmitted packets.

An effective tunneling mechanism hides the networking data in addition to the application and payload layers. A VPN solution which only encrypts the payload is not sufficiently secure, as a multitude of information is obtained by analyzing networking parameters.
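Added example (not from the deck): Python comparing payload-only encryption with full tunneling, to show what the slide means by hiding the networking data. `HEADER` is a simplified inner header (addresses and ports) standing in for the real IP and TCP headers; the cipher is HMAC-SHA256 in counter mode, a constructed stand-in for the VPN's real cipher; the addresses, key and nonce are constructed. `observer_view` is what someone on the untrusted medium can read in each case.

```python
import hashlib
import hmac
import ipaddress
import struct

# Simplified inner packet header: src addr, dst addr, src port, dst port.
# Stands in for the IP/TCP headers the slide calls "networking data".
HEADER = struct.Struct(">4s4sHH")
NONCE_LEN = 12


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a constructed stand-in for the tunnel's
    # real cipher (IPsec ESP uses an authenticated cipher such as AES-GCM).
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def xor_crypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_packet(src, dst, sport, dport, payload):
    return HEADER.pack(ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, sport, dport) + payload


def observer_view(wire):
    """What a passive observer can read: the first header on the wire, in the clear."""
    s, d, sp, dp = HEADER.unpack_from(wire)
    return {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
            "sport": sp, "dport": dp}


def payload_only(key, nonce, packet):
    """Encrypts just the application payload; the inner header stays visible."""
    return packet[:HEADER.size] + xor_crypt(key, nonce, packet[HEADER.size:])


def tunnel(key, nonce, packet, gw_src, gw_dst):
    """Encapsulates and encrypts the ENTIRE inner packet, then prepends an outer
    header naming only the two VPN gateways (ports 0: the outer hop is not a
    TCP/UDP flow in this model)."""
    outer = HEADER.pack(ipaddress.IPv4Address(gw_src).packed,
                        ipaddress.IPv4Address(gw_dst).packed, 0, 0)
    return outer + nonce + xor_crypt(key, nonce, packet)


def untunnel(key, wire):
    nonce = wire[HEADER.size:HEADER.size + NONCE_LEN]
    return xor_crypt(key, nonce, wire[HEADER.size + NONCE_LEN:])


def demo(key=b"\x11" * 32, nonce=b"\x22" * NONCE_LEN):
    # Constructed: an internal host talking to a server on the far side.
    inner = build_packet("10.1.1.5", "10.2.2.25", 51000, 443, b"GET /payroll HTTP/1.1")
    weak = payload_only(key, nonce, inner)
    strong = tunnel(key, nonce, inner, "203.0.113.1", "198.51.100.1")
    return {
        "payload_only_observer": observer_view(weak),
        "tunnel_observer": observer_view(strong),
        "tunnel_roundtrip_ok": untunnel(key, strong) == inner,
    }
```

With payload-only encryption the observer still learns the inner endpoints and ports; in the tunnel only the two gateways are visible. A real tunnel also authenticates every packet and never reuses a nonce under one key, which is the practical reason behind the rate-of-key-exchange point on the key management slide.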

Interoperability

The emerging Internet Protocol Security (IPSec) standard is becoming the international standard for VPN.

IPSec has created a secure means for interoperable security, which guarantees that encrypted information is protected on its way from one network to another, while also allowing partner companies to link their respective VPNs together, even if their encryption systems were manufactured by different vendors.

Wireless Network Security Issues

Introduction

The use of wireless networks is increasingly popular among personal, academic, business, and government users.

With the increasing deployment of wireless networks (802.11 architecture) in enterprise environments, IT enterprises are working to implement security mechanisms that are equivalent to those existing today for wire-based networks.


IEEE 802.11 (WLAN)

What is 802.11?

Wireless Local Area Network (WLAN) protocol

Defines an Ethernet-like communication channel using radios instead of wires

Advantages over other standards: longer ranges, higher speeds, simpler configurations

Wired vs. Wireless

Wired networks offer more and better security options than wireless

More thoroughly established standards with wired networks

Wireless networks are much more equipment dependent than wired networks

Easier to implement security policies on wired networks


Wireless vs. Wired

What is WEP?

WEP encodes your data using an encryption "key" before sending it out into the air. Any receiving unit must know the same key to decrypt the data. Keys can be 64 or 128 bits long. The longer the key, the stronger the encryption.

Keys are entered as strings of 10 or 26 hexadecimal digits. A "pass phrase" feature lets you enter an easy-to-remember word or phrase, and an algorithm generates the hexadecimal keys for you.

Is WEP Safe?

There are weaknesses in Wired Equivalent Privacy (WEP), the original native security mechanism for wireless local area networks (WLANs) in the Institute of Electrical and Electronics Engineers (IEEE) 802.11 specification.

With WEP enabled, an intruder equipped with the proper tools and a moderate amount of technical knowledge could gain unauthorized access to the wireless network via the WLAN.

Enterprises found it necessary to supplement WEP with third-party security solutions such as VPN, IEEE 802.1X authentication services servers, or add-on proprietary technologies.


What is WPA?

Wi-Fi Protected Access (WPA and WPA2) is a class of systems to secure wireless (Wi-Fi) computer networks.

WPA replaces WEP with a strong new encryption technology called Temporal Key Integrity Protocol (TKIP) with Message Integrity Check (MIC).

It also provides a scheme of mutual authentication using either IEEE 802.1X/Extensible Authentication Protocol (EAP) authentication or pre-shared key (PSK) technology.

The Wi-Fi Alliance created WPA to enable introduction of standard-based secure wireless network products prior to the IEEE 802.11i group finishing its work.


The encryption key for WEP is a static sequence, meaning it never changes. This means that if someone else figured the key out, they too would be able to access the network.

To further strengthen wireless security, WPA was developed, which uses a dynamic key. These keys constantly change to keep hackers out!

What is TKIP?

The Temporal Key Integrity Protocol (TKIP) is part of the IEEE 802.11i standard and is used to secure 802.11 wireless LANs.

Provides per-packet key mixing (dynamic keys), a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.

Increases key size from 40 to 128 bits.

Replaces WEP's single static key with keys that are dynamically generated and distributed by the authentication server.

Extra step of entering user name/password (in addition to WEP).
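Added example (not from the deck): Python contrasting WEP's static key with the per-packet keying, integrity check and replay counter that TKIP introduced, as described on the WEP, WPA and TKIP slides. `parse_wep_key` accepts the 10- or 26-digit keys from the WEP slide and shows how the 24-bit IV turns a 40-bit secret into the advertised "64-bit" key. The TKIP-like sender and receiver use HMAC-SHA256 as a constructed stand-in for TKIP's key-mixing function and its Michael MIC, so they show the design, not the real algorithms. Keys and the transmitter address are constructed.

```python
import hashlib
import hmac
import re


def parse_wep_key(hex_key):
    """The two formats on the WEP slide: 10 hex digits (40-bit secret, sold as
    '64-bit' once the 24-bit IV is counted) or 26 digits (104-bit, '128-bit')."""
    if not re.fullmatch(r"[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26}", hex_key):
        raise ValueError("WEP keys are 10 or 26 hexadecimal digits")
    secret_bits = len(bytes.fromhex(hex_key)) * 8
    return {"secret_bits": secret_bits, "advertised_bits": secret_bits + 24}


def wep_per_packet_key(secret, iv):
    """WEP: the per-frame RC4 key is just the 24-bit IV prepended to the static
    secret, so the secret never changes and a repeated IV means a repeated key."""
    assert len(iv) == 3
    return iv + secret


def wep_distinct_keys(secret, ivs):
    return len({wep_per_packet_key(secret, iv) for iv in ivs})


def frame_mic(mic_key, tsc, payload):
    # Keyed integrity check over the sequence counter and payload (stand-in for Michael).
    return hmac.new(mic_key, tsc.to_bytes(6, "big") + payload, hashlib.sha256).digest()[:8]


class TkipLikeSender:
    """Conceptual model of what TKIP adds: a per-packet key mixed from the
    temporal key, the transmitter address (TA) and a sequence counter (TSC),
    plus a keyed MIC over each frame.  HMAC-SHA256 is a constructed stand-in
    for TKIP's mixing function, not the real algorithm."""

    def __init__(self, temporal_key, mic_key, ta):
        self.tk, self.mic_key, self.ta = temporal_key, mic_key, ta
        self.tsc = 0

    def per_packet_key(self, tsc):
        return hmac.new(self.tk, self.ta + tsc.to_bytes(6, "big"), hashlib.sha256).digest()

    def send(self, payload):
        self.tsc += 1                                   # never reused under one TK
        mic = frame_mic(self.mic_key, self.tsc, payload)
        return {"ta": self.ta, "tsc": self.tsc, "payload": payload, "mic": mic}


class TkipLikeReceiver:
    def __init__(self, mic_key):
        self.mic_key = mic_key
        self.last_tsc = 0

    def receive(self, frame):
        if frame["tsc"] <= self.last_tsc:               # replay counter check
            return "replay-rejected"
        expected = frame_mic(self.mic_key, frame["tsc"], frame["payload"])
        if not hmac.compare_digest(expected, frame["mic"]):
            return "mic-failure"                        # integrity check
        self.last_tsc = frame["tsc"]
        return "accepted"


def demo():
    # Constructed temporal key, MIC key and transmitter MAC address.
    tk, mic_key, ta = b"\x0a" * 16, b"\x0b" * 8, bytes.fromhex("00aabbccddee")
    tx, rx = TkipLikeSender(tk, mic_key, ta), TkipLikeReceiver(mic_key)
    f1 = tx.send(b"first frame")
    f2 = tx.send(b"second frame")
    tampered = dict(f2, payload=b"second frame!")
    return {
        "keys_differ": tx.per_packet_key(f1["tsc"]) != tx.per_packet_key(f2["tsc"]),
        "f1": rx.receive(f1),
        "tampered": rx.receive(tampered),
        "f2": rx.receive(f2),
        "replayed_f1": rx.receive(f1),
    }
```

The WEP half shows the static-key problem from the WPA slide directly: feed `wep_distinct_keys` a list of IVs with one repeat and it reports fewer keys than frames, because nothing but the IV ever changes. The TKIP-like half shows the three fixes the TKIP slide lists: every frame gets a different key, a modified frame fails the MIC, and a replayed frame is rejected by the counter.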

WPA and WPA2 Mode Types

How to authenticate

WPA-Enterprise and WPA2-Enterprise mutual authentication is initiated when a user associates with an access point. The AP blocks access to the network until the user has been authenticated. The user provides credentials, which are communicated to the authentication server.

The authentication process is enabled by the IEEE 802.1X/EAP framework. Mutual authentication helps to ensure that only authorized users access the network and confirms that the client is authenticating to an authorized server. It helps to protect users from accidentally connecting to unauthorized 'rogue' APs.
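The exchange described above, as an added Go example that is not part of the presentation: an access point whose controlled port stays closed until the authentication server accepts the client, and a supplicant that makes the server prove its identity before it sends any credential, which is what stops it from handing credentials to a rogue AP. The model is a simplification: HMAC-based challenge-response stands in for the EAP method's real credential exchange, a shared server secret stands in for the server certificate a real supplicant validates, and all users, passwords and nonces are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// proof returns HMAC-SHA256(secret, challenge): a simplified way for a party to
// show it knows a secret without sending it (stand-in for the EAP method).
func proof(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// AuthServer stands in for the RADIUS/EAP authentication server. serverSecret
// models what a real server proves with its certificate (an assumption here).
type AuthServer struct {
	serverSecret []byte
	users        map[string][]byte // username -> password (constructed sample data)
}

func (s *AuthServer) ProveIdentity(clientNonce []byte) []byte {
	return proof(s.serverSecret, clientNonce)
}

func (s *AuthServer) CheckUser(user string, serverNonce, userProof []byte) bool {
	pw, ok := s.users[user]
	return ok && hmac.Equal(proof(pw, serverNonce), userProof)
}

// Supplicant is the wireless client. trustedServer is what it expects the
// server to prove, like a pinned server certificate.
type Supplicant struct {
	user, password string
	trustedServer  []byte
}

func (c *Supplicant) VerifyServer(nonce, serverProof []byte) bool {
	return hmac.Equal(proof(c.trustedServer, nonce), serverProof)
}

// Authenticator is the AP. Its controlled port stays closed for a client
// until the authentication server has accepted that client.
type Authenticator struct {
	authorized map[string]bool
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{authorized: map[string]bool{}}
}

// ForwardData models a data frame arriving at the controlled port.
func (a *Authenticator) ForwardData(user string) error {
	if !a.authorized[user] {
		return errors.New("controlled port closed: " + user + " is not authenticated")
	}
	return nil
}

// Authenticate runs the simplified mutual exchange through the AP and
// reports whether the controlled port was opened for the client.
func Authenticate(ap *Authenticator, as *AuthServer, c *Supplicant, clientNonce, serverNonce []byte) bool {
	// Step 1: the client challenges the server first; no credential leaves
	// the client until the server has proven it is the authorized one.
	if !c.VerifyServer(clientNonce, as.ProveIdentity(clientNonce)) {
		return false // rogue AP/server: the client refuses to continue
	}
	// Step 2: the server challenges the client, which proves its password.
	if !as.CheckUser(c.user, serverNonce, proof([]byte(c.password), serverNonce)) {
		return false
	}
	ap.authorized[c.user] = true // EAP-Success: the port opens for this client
	return true
}

func main() {
	nonce := func() []byte { b := make([]byte, 16); rand.Read(b); return b }
	as := &AuthServer{serverSecret: []byte("constructed-server-secret"),
		users: map[string][]byte{"alice": []byte("constructed-pw")}}
	rogue := &AuthServer{serverSecret: []byte("rogue-secret"), users: as.users}
	alice := &Supplicant{user: "alice", password: "constructed-pw", trustedServer: as.serverSecret}
	ap := NewAuthenticator()
	fmt.Println("before auth:", ap.ForwardData("alice"))
	fmt.Println("genuine server accepted:", Authenticate(ap, as, alice, nonce(), nonce()))
	fmt.Println("after auth:", ap.ForwardData("alice"))
	fmt.Println("rogue server accepted:", Authenticate(NewAuthenticator(), rogue, alice, nonce(), nonce()))
}
```

The ordering in Authenticate is the security-relevant part: the server is verified before the client proves its password, so a rogue server never receives anything derived from the credential. In a real deployment the equivalent check is the supplicant validating the server certificate against a trusted CA and expected server name.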

WPA2

WPA2 offers advanced protection from wireless network attacks. Using AES (government-grade encryption) and IEEE 802.1X/EAP authentication, WPA2 provides stronger standards-based mutual authentication and advanced encryption to protect the Wi-Fi network from a variety of threats and attacks.

What is AES

AES is a block cipher, a type of symmetric key cipher that operates on groups of bits of a fixed length, called blocks. A symmetric key cipher is a cipher that uses the same key for both encryption and decryption. The word cipher is used in cryptography to describe the instructions or algorithm used for encrypting and decrypting information.

With AES, plaintext is encrypted in blocks that are calculated independently, rather than by a key stream acting across a plaintext data input stream. AES has a block size of 128 bits with 3 possible key lengths, 128, 192 and 256 bits, as specified in the AES standard.
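The properties stated above (128-bit block, three key lengths, same key for both directions, blocks calculated independently), shown with Go's standard-library AES as an added example that is not part of the presentation. The key and plaintext are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// BlockSizeBits returns the AES block size in bits (always 128).
func BlockSizeBits() int {
	return aes.BlockSize * 8
}

// KeyAccepted reports whether AES accepts a key of the given byte length.
// Only 16, 24 and 32 bytes (128, 192 and 256 bits) are valid.
func KeyAccepted(keyLen int) bool {
	_, err := aes.NewCipher(make([]byte, keyLen))
	return err == nil
}

// EncryptBlocks applies the raw AES block operation to each 16-byte block of
// plaintext independently (this is ECB, used here only to make block
// independence visible). The plaintext length must be a multiple of 16.
func EncryptBlocks(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// DecryptBlocks is the inverse: the same key recovers each block, which is
// what makes AES a symmetric cipher.
func DecryptBlocks(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ciphertext), aes.BlockSize)
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	return out, nil
}

func main() {
	key := []byte("constructed-key-") // 16 bytes -> AES-128 (constructed sample key)
	// Two identical plaintext blocks followed by a different one (constructed).
	pt := []byte("0123456789abcdef0123456789abcdefABCDEFGHIJKLMNOP")
	ct, err := EncryptBlocks(key, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("block size: %d bits\n", BlockSizeBits())
	fmt.Printf("block 1 == block 2 ciphertext: %v\n", bytes.Equal(ct[:16], ct[16:32]))
	fmt.Printf("block 1 == block 3 ciphertext: %v\n", bytes.Equal(ct[:16], ct[32:]))
	back, _ := DecryptBlocks(key, ct)
	fmt.Printf("round trip ok: %v\n", bytes.Equal(back, pt))
	for _, n := range []int{15, 16, 24, 32} {
		fmt.Printf("key of %d bytes accepted: %v\n", n, KeyAccepted(n))
	}
}
```

The output shows the consequence of block independence: two identical plaintext blocks encrypt to identical ciphertext blocks. That is exactly why no protocol uses the raw block operation on its own; WPA2 wraps AES in CCM mode (CCMP), where a per-packet nonce and counter make equal plaintext blocks encrypt differently and a MIC is computed over the frame.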

Conclusion

One single technology cannot secure the whole network environment. What we need is coordination (firewall, IPS, VPN…).

The security policy is the core of the security system. The policy must be carefully designed, and once it has been implemented, all people in the organization must obey it, or else the security is just a piece of paper.

In the long run, an entirely new structure of the Internet must be implemented instead of TCP/IP. We imagine that a new structure with fine security protection design will come out soon.

Recommended