Network Security
Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc.
Intrusion Detection and Intrusion Prevention Systems
Intrusion Detection System (IDS)—Only detects unauthorized activity. Example: MS Event Viewer
Intrusion Prevention System (IPS)—Detects unauthorized activity and performs some function to stop the activity. Example: Most antivirus software
IDS and IPS require some form of port monitoring
Port monitoring means a particular port on a switch is connected directly to the IDS or IPS and monitors all activity passing through another port on the same switch
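The slide's IDS/IPS distinction in code, as an added example that is not part of the original slides: the same detection rule (repeated failed logins from one source) is run over a few constructed log lines in IDS mode, where it only raises an alert, and in IPS mode, where it also blocks the source so later traffic from it is no longer seen. The log format, the regex and the threshold are assumptions made for this example.

```python
"""Added example (not from the slides): one detection rule run in IDS mode
(alert only) and IPS mode (alert and block) over constructed log lines."""
import re
from collections import Counter

# Constructed sample sshd-style log lines; the addresses are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
Nov 11 09:00:01 host sshd[100]: Failed password for root from 198.51.100.7 port 5100 ssh2
Nov 11 09:00:02 host sshd[101]: Failed password for root from 198.51.100.7 port 5101 ssh2
Nov 11 09:00:03 host sshd[102]: Accepted publickey for alice from 192.0.2.10 port 5200 ssh2
Nov 11 09:00:04 host sshd[103]: Failed password for admin from 198.51.100.7 port 5102 ssh2
Nov 11 09:00:05 host sshd[104]: Failed password for root from 198.51.100.7 port 5103 ssh2
Nov 11 09:00:06 host sshd[105]: Failed password for bob from 192.0.2.10 port 5201 ssh2
"""

# Assumed log layout: extract the source address of a failed login.
FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
THRESHOLD = 3  # failures from one source before the rule fires (assumption)


def analyze(log_text, mode="ids", threshold=THRESHOLD):
    """Run the rule over log_text.

    mode="ids": detect only -- every failure is counted and an alert is raised.
    mode="ips": detect and act -- once the alert fires, the source is blocked
    and its later lines are never processed (the IPS stopped the activity).
    Returns a dict with the alerts raised, the blocked sources and the
    per-source failure counts actually observed.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    failures = Counter()
    alerts = []
    blocked = set()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue                      # successful logins are not counted
        src = match.group(1)
        if src in blocked:
            continue                      # IPS already dropped this source
        failures[src] += 1
        if failures[src] == threshold:
            alerts.append(f"{src}: {threshold} failed logins")
            if mode == "ips":
                blocked.add(src)          # the prevention step an IDS lacks
    return {"alerts": alerts, "blocked": blocked, "failures": dict(failures)}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, analyze(SAMPLE_LOG, mode))
```

In IDS mode the offending source ends with four counted failures and an alert; in IPS mode the fourth attempt never reaches the counter because the block took effect after the third, which is the difference between detecting and preventing that the slide describes.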
Public Key Infrastructure (PKI)
Provides encryption and authentication
Encryption is the method of using an algorithm to encode data; the algorithm converts data into ciphertext (encrypted data)
Cryptology—Science of encrypting data
Generates a key and uses it for encryption
Generates a certificate to verify authentication
Key Encryption Methods
Symmetric-key encryption—Generally used when large amounts of data need to be encrypted
Asymmetric-key encryption—Both the public and private keys are needed to encode and decode data
Digital Certificate
A file that commonly contains data such as the user’s name and e-mail address, the public key value assigned to the user, the validity period of the public key, and issuing authority identifier information
Certificate Authority (CA)
1. Station1 applies for a digital certificate from a CA to send an encrypted message to Station2
2. CA issues digital certificate to Station1
3. Station1 uses private key to encrypt message
4. Station1 sends encrypted message to Station2
5. Station2 uses the public key to decode encrypted message
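The five steps above carried through in code, as an added example that is not part of the original slides and serves the Key Encryption Methods, Digital Certificate and Certificate Authority slides together. It uses textbook RSA: "encrypt with the private key" (step 3) is what a signature does, and "decode with the public key" (step 5) is verification. The certificate carries the fields the Digital Certificate slide lists. Station2 also performs the checks a relying party should make before trusting the key: that the CA's signature on the certificate verifies, that the certificate is inside its validity period, and only then that the message verifies. The primes, the CA name, the addresses and the dates are constructed for the example; the key sizes are toy-sized and no padding is used, so this illustrates the workflow and is not a usable cryptosystem.

```python
"""Added example (not from the slides): the CA workflow with textbook RSA.
Toy primes, no padding -- illustration only, not a usable cryptosystem."""
import hashlib
import json
from math import gcd

# Constructed toy key material (Mersenne primes), far too small for real use.
TOY_PRIMES = {
    "ca": (2**31 - 1, 2**61 - 1),
    "station1": (2**89 - 1, 2**107 - 1),
}
CA_ID = "Example CA (constructed)"


def keygen(p, q):
    """Return (public_key, private_key) for the RSA modulus p*q."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:        # keep e coprime with phi(n)
        e += 2
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def digest(obj):
    """Canonical SHA-256 of a JSON-serialisable object, as an integer."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, obj):
    """Step 3: 'encrypt' the message digest with the private key."""
    n = private_key["n"]
    return pow(digest(obj) % n, private_key["d"], n)


def verify(public_key, obj, signature):
    """Step 5: 'decode' with the public key and compare with a fresh digest."""
    n = public_key["n"]
    return pow(signature, public_key["e"], n) == digest(obj) % n


def issue_certificate(ca_private, subject, subject_public, not_before, not_after):
    """Step 2: the CA binds the subject's identity to its public key and signs.
    The fields are the ones the Digital Certificate slide lists."""
    body = {
        "name": subject["name"],
        "email": subject["email"],
        "public_key": subject_public,
        "validity": {"not_before": not_before, "not_after": not_after},
        "issuer": CA_ID,
    }
    return {"body": body, "ca_signature": sign(ca_private, body)}


def station2_receive(cert, message, signature, ca_public, today):
    """Checks a relying party makes before trusting the key in a certificate."""
    body = cert["body"]
    if body["issuer"] != CA_ID or not verify(ca_public, body, cert["ca_signature"]):
        return False, "certificate not issued by the trusted CA"
    validity = body["validity"]
    if not validity["not_before"] <= today <= validity["not_after"]:
        return False, "certificate outside its validity period"
    if not verify(body["public_key"], message, signature):
        return False, "message signature does not verify"
    return True, "message authentic"


def run_workflow(today="2013-11-13", tamper=False):
    """Run steps 1-5; with tamper=True the message is altered after signing."""
    ca_public, ca_private = keygen(*TOY_PRIMES["ca"])
    s1_public, s1_private = keygen(*TOY_PRIMES["station1"])      # step 1
    cert = issue_certificate(ca_private,
                             {"name": "Station1", "email": "station1@example.com"},
                             s1_public, "2013-01-01", "2013-12-31")  # step 2
    message = {"to": "Station2", "text": "meet at 10:00"}
    signature = sign(s1_private, message)                          # step 3
    if tamper:
        message = {"to": "Station2", "text": "meet at 11:00"}       # changed in transit
    return station2_receive(cert, message, signature, ca_public, today)  # steps 4-5


if __name__ == "__main__":
    print(run_workflow())
    print(run_workflow(tamper=True))
    print(run_workflow(today="2014-06-01"))
```

The two failure paths are the ones worth remembering: a message changed after signing fails at step 5, and a certificate used outside its validity period is rejected before the message is even examined, which is why the validity period is one of the fields the certificate must carry. The asymmetric pair is used here only for the short digest; the slide's point that symmetric keys handle bulk data still holds, and in practice the public-key step protects a symmetric key rather than the data itself.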
Details of a VeriSign Digital Certificate
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Application layer protocols
Support VoIP, e-mail, and remote connections
Based on public key encryption technology
Displays https:// when securing a Web site connection
Not compatible with each other
TLS more secure; SSL more popular
Secure HTTP (S-HTTP)
Uses symmetric, or private, keys for encoding and decoding messages
Not supported by all Web browsers
Virtual Network Connection (VNC)
Describes point-to-point connection to a remote device
Connection considered “virtual” because user’s network device is not a physical part of remote network
Internet Protocol Security (IPSec)
Collection of security protocols, hashes, and algorithms
Authentication can be verified with Kerberos, a preshared key, or digital certificates
IPSec VPNs typically use public and private keys for encryption
IPSec Modes
Transport mode is an IPSec mode that encrypts only the payload.
Tunnel mode is an IPSec mode that encrypts both the payload and the header.
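A byte-level sketch of the two modes, as an added example that is not part of the original slides. The packet layout and the XOR "encryption" are constructed stand-ins for a real IP header and ESP, chosen so that the difference is visible in the bytes: transport mode leaves the original header readable and protects only the payload, while tunnel mode protects the original header and payload together and wraps them in a new outer header that carries only the VPN gateway addresses (that outer header is what real tunnel mode adds, so the end hosts' addresses are hidden on the path). All addresses are documentation ranges.

```python
"""Added example (not from the slides): what transport mode and tunnel mode
leave readable on the wire.  Constructed layout; the XOR is a stand-in for
ESP encryption and must not be used as a cipher."""
from itertools import cycle

SESSION_KEY = bytes.fromhex("5a5a5a5a")   # constructed; a real SA negotiates this


def toy_encrypt(data, key=SESSION_KEY):
    """Placeholder for ESP encryption: XOR keystream, which is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_packet(src, dst, payload):
    """Minimal constructed packet: a readable 'IP src>dst|' header then payload."""
    return f"IP {src}>{dst}|".encode() + payload


def split_header(packet):
    header, _, payload = packet.partition(b"|")
    return header, payload


def transport_mode(packet):
    """Transport mode: original header kept in clear, only the payload encrypted."""
    header, payload = split_header(packet)
    return header + b"|ESP|" + toy_encrypt(payload)


def tunnel_mode(packet, gw_src, gw_dst):
    """Tunnel mode: the whole original packet (header and payload) is encrypted
    and carried behind a new outer header holding only the gateway addresses."""
    return build_packet(gw_src, gw_dst, b"ESP|" + toy_encrypt(packet))


def tunnel_unwrap(wire_bytes):
    """What the receiving gateway does: strip the outer header and decrypt."""
    _, _, protected = wire_bytes.partition(b"ESP|")
    return toy_encrypt(protected)


def readable_fields(wire_bytes):
    """Everything an observer on the path can read without the key."""
    return wire_bytes.split(b"ESP|")[0].decode("ascii", "replace")


def demo():
    """Compare what each mode exposes for the same inner packet."""
    inner = build_packet("10.0.0.5", "10.0.1.9", b"GET /payroll HTTP/1.1")
    return {
        "transport": readable_fields(transport_mode(inner)),
        "tunnel": readable_fields(tunnel_mode(inner, "203.0.113.1", "198.51.100.1")),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the transport line still shows the internal 10.0.0.5 and 10.0.1.9 addresses, while the tunnel line shows only the two gateways; that is the practical reason site-to-site VPNs use tunnel mode and host-to-host protection can get by with transport mode.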
Secure Shell (SSH)
Originally designed for UNIX to replace Remote Login (rlogin), Remote Shell (rsh), and Remote Copy (rcp)
Uses port 22
Requires a private key, public key, and password
Can be used on operating systems that support TCP/IP
SSH Example
Secure Copy Protocol (SCP)
Replacement for rcp command
Does not require password
Service Set Identifier (SSID)
Identifies wireless network
Similar to workgroup name
All wireless network devices are configured with a default SSID
To secure the wireless network, the default SSID should be changed
Media Access Control (MAC) Filtering
To configure MAC filtering, administrator creates an Access Control List (ACL)
ACL is located on Wireless Access Point (WAP)
ACL contains list of MAC addresses belonging to authorized wireless network devices
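The ACL lookup a WAP performs for MAC filtering, as an added example that is not part of the original slides. The addresses are constructed. The part worth seeing is the normalisation: administrators enter MAC addresses in several notations (colons, dashes, Cisco dotted groups, mixed case), and an allow list that compares raw strings silently denies legitimate devices, so every address is canonicalised before it goes into the list or is looked up. A practitioner's caveat: a MAC address is transmitted in the clear and is a configurable setting on the client, so this list is an inventory control layered under encryption (WPA2) rather than authentication on its own.

```python
"""Added example (not from the slides): a WAP's MAC-filtering ACL with
address normalisation.  All addresses are constructed."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e and
    return the canonical lower-case colon form; raise on anything else."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class WapAcl:
    """Allow list of authorized devices, held in canonical form."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def permits(self, mac):
        try:
            return normalize_mac(mac) in self.allowed
        except ValueError:
            return False          # a malformed address never matches


# Constructed inventory entered in the mixed notations an admin might use.
ACL = WapAcl(["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60"])


def decide(mac):
    """The WAP's association decision for a device presenting this address."""
    return "allow" if ACL.permits(mac) else "deny"


if __name__ == "__main__":
    for candidate in ("00:1a:2b:3c:4d:5e", "00:1A:2B:3C:4D:60",
                      "00:1a:2b:3c:4d:61", "not-a-mac"):
        print(candidate, "->", decide(candidate))
```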
Wired Equivalent Privacy (WEP)
First attempt to secure with encryption the data transferred across a wireless network
Algorithm not complex and can be easily cracked
A VPN can add to the security set in place by WEP
Wi-Fi Protected Access (WPA)
Developed by the Wi-Fi organization to overcome the vulnerabilities of WEP
Compatible with 802.11 devices
Wi-Fi Protected Access 2 (WPA2) is an enhanced version of WPA
WPA2 is compatible with the 802.11i standard
802.11i
IEEE-ratified 802.11 standard to remedy the original security flaws
Specifies the use of a 128-bit Advanced Encryption Standard (AES) for data encryption
Generates fresh set of keys for each new connection
Downward compatible with existing 802.11 devices
802.1x Authentication
Provides port-based network access control
Used for client/server-based networks
Supplicant—Wireless network device requesting network access
Authenticator—WAP that provides authentication
Authentication server—Server running Remote Authentication Dial-In User Service (RADIUS)
IN CLASS LAB
Languard Lab – download lab from course website
Labsim 8.25
NEXT CLASS
No class on Monday November 11th, 2013
November 13th, 2013: Labsim Homework 8.3.1–8.3.3