Chapter 7: SECURING COMMUNICATIONS 2
CHAPTER OBJECTIVES
Explain how to secure remote connections.
Describe how to secure wireless communications.
Describe how to use Internet Protocol Security (IPSec) to secure network communications.
SECURING REMOTE ACCESS
More workers are telecommuting now.
Remote users have various types of communication connections.
Remote connections have special security requirements.
CHOOSING REMOTE CONNECTION METHODS
Modems support user dial-in connections.
A remote connection grants Internet access to network users via remote access services.
Internet connectivity supports virtual private network (VPN) links.
Connection media are often insecure.
DIAL-UP CONNECTIONS
Modems establish the network link.
The remote access server:
Hosts modem banks
Authenticates remote users
Acts as a router or proxy
DIAL-UP PROTOCOLS
Point-to-Point Protocol (PPP)
Serial Line Internet Protocol (SLIP)
CONNECTION-LEVEL SECURITY
Callback Control Protocol (CBCP):
Predefined callback numbers
User-defined callback numbers
Caller ID
Automatic number identification (ANI)
ADVANTAGES OF DIAL-UP
Limited access for attackers
Low likelihood of eavesdropping
VPNs
VPNs are an alternative to dial-up networks.
VPNs use the Internet as a connection medium.
A VPN connection is a tunnel.
VPN tunnels typically encrypt data.
ADVANTAGES OF VPN
Low costs
High productivity
Fewer external connection points
DISADVANTAGES OF VPN
Risk of attacks
Risk of eavesdropping
High exposure to attackers
REMOTE CONNECTION REQUIREMENTS
Remote communications between two computers require using the same protocol.
Both computers should use secured protocols and applications.
The server should require user authentication.
COMMON AUTHENTICATION PROTOCOLS
Password Authentication Protocol (PAP)
Shiva Password Authentication Protocol (SPAP)
Challenge Handshake Authentication Protocol (CHAP)
COMMON AUTHENTICATION PROTOCOLS (CONT.)
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
Extensible Authentication Protocol (EAP)
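The practical difference between PAP and CHAP in the list above is what crosses the link. The following is an added example (not from the slides): it builds a PAP Authenticate-Request as defined in RFC 1334 and a CHAP response as defined in RFC 1994, so you can see that PAP carries the password verbatim while CHAP sends only an MD5 digest bound to a fresh challenge. The sample secret and challenge are constructed values.

```python
import hashlib
import hmac
import struct


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Code 1, Identifier, Length, then
    the peer-id and password, each length-prefixed. The password travels in
    the clear, so anyone who can read the link can read the password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) Response value: MD5 over the one-octet Identifier,
    the shared secret, and the challenge. Only the 16-byte digest is sent,
    so the secret itself never crosses the link."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected digest from the stored
    secret and compare in constant time."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample values (not from the slides).
CHALLENGE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
SECRET = b"correct-horse"


def demo() -> dict:
    """Compare what each protocol exposes and how CHAP rejects a replayed
    response once the authenticator issues a new challenge."""
    pap = pap_authenticate_request(1, b"alice", SECRET)
    resp = chap_response(7, SECRET, CHALLENGE)
    return {
        "pap_exposes_secret": SECRET in pap,
        "chap_exposes_secret": SECRET in resp,
        "chap_ok": chap_verify(7, SECRET, CHALLENGE, resp),
        "chap_wrong_secret": chap_verify(7, b"wrong", CHALLENGE, resp),
        "chap_replayed_under_new_challenge": chap_verify(7, SECRET, bytes(16), resp),
    }
```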
CENTRALIZED AUTHENTICATION
Centralized authentication provides a single authentication control.
Remote access servers forward authentication requests.
Centralized authentication increases security.
CENTRALIZED AUTHENTICATION PROTOCOLS
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access-Control System (TACACS)
TACACS+
RADIUS
Provides authentication, authorization, and accounting services
Is vendor independent
Encrypts passwords in authentication exchanges
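The "authentication encryption" RADIUS provides is the User-Password hiding of RFC 2865 section 5.2, which covers only the password attribute; the rest of the request is sent in the clear, and the hiding is only as strong as the shared secret and the freshness of the Request Authenticator. The following is an added example (not from the slides or any RADIUS implementation) of that hiding and its reverse on the server side; the shared secret and authenticator are constructed values.

```python
import hashlib


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 octets,
    then XOR each block with MD5(shared_secret || previous block), where the
    first "previous block" is the 16-octet Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = _xor16(padded[i:i + 16], keystream)
        out += block
        prev = block  # chaining: the next keystream depends on this ciphertext block
    return out


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: rebuild the same keystream chain and XOR it away.
    Trailing NULs are treated as padding, so (as the RFC notes) a password
    that itself ends in NUL cannot be distinguished from one that does not."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        out += _xor16(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


# Constructed sample values (not from the slides).
AUTHENTICATOR = bytes(range(16))
SECRET = b"shared-secret-between-nas-and-server"


def roundtrip(password: bytes) -> tuple:
    """Hide a password as a NAS would, then reveal it as the server would."""
    hidden = hide_user_password(password, SECRET, AUTHENTICATOR)
    return hidden, reveal_user_password(hidden, SECRET, AUTHENTICATOR)
```

Because the keystream is MD5 of the shared secret and the authenticator, a reused Request Authenticator yields identical hidden passwords for identical inputs; a weak or shared-across-many-devices secret weakens every client that uses it.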
TACACS AND TACACS+
Provide centralized access controls
Used by routers and remote access servers
Developed by Cisco Systems, Inc.
DIFFERENCES BETWEEN RADIUS AND TACACS+
RADIUS:
Runs over the User Datagram Protocol (UDP)
Provides combined authentication and authorization
Used mainly by computers
TACACS+:
Runs over the Transmission Control Protocol (TCP)
Provides separate authentication and authorization
Used mainly by network devices such as routers and switches
VPN PROTOCOLS
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
IPSec
PPTP
Is a Layer 2 protocol that encapsulates PPP frames in IP datagrams
Uses PAP, CHAP, and MS-CHAP
Requires an IP-based network
Does not support header compression
L2TP
Is an extension of PPP
Encapsulates PPP frames to be sent over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks
Can use encrypted or compressed frames
Includes no mechanisms for authentication or encryption
Often used with IPSec
L2TP OVER IPSEC (L2TP/IPSEC)
IPSec is used with L2TP to create tunnels.
Client L2TP/IPSec connections are used to access networks.
L2TP/IPSec offers gateway-to-gateway (network-to-network) connections.
L2TP/IPSec supports a wide range of user authentication options.
VPN ISSUES
IPSec provides for multi-vendor interoperability.
Some network address translation (NAT) implementations cannot use IPSec tunnel mode.
PPTP security depends on using a password.
SECURING VPN CONNECTIONS
Encrypt authentication and data.
Monitor traffic leaving a VPN connection.
Use strong multi-factor authentication.
Require VPN clients to comply with security policy.
VPN clients should not bypass security for Internet access.
TERMINAL SESSIONS
Provide remote access
Let you control a system using a remote client
Reduce hardware costs
Create inherent security risks
SECURE SHELL PROTOCOL (SSH)
Is a secure, low-level transport protocol
Provides remote control and access
Replaces Telnet, rlogin, and FTP
Has strong security features
WHAT SSH PROTECTS AGAINST
Packet spoofing
IP/host spoofing
Password sniffing
Eavesdropping
WIRELESS COMMUNICATION ISSUES
Wireless connections are becoming popular.
Network data is transmitted using radio waves.
Physical security is no longer sufficient.
Transmissions can be intercepted outside the building where the data originates.
HOW WIRELESS NETWORKING WORKS
Institute of Electrical and Electronics Engineers (IEEE) 802.11 is the standard
Operates at OSI Layers 1 and 2
Can carry various upper-layer protocols
WIRELESS THREATS
Theft of service
Eavesdropping
Unauthorized access
BASIC DEFENSES AGAINST WIRELESS ATTACKS
Limit the range of radio transmissions.
Conduct a site survey.
Measure the signal strength.
Search for unauthorized access points (APs).
Restrict access by using a service set identifier (SSID) or by limiting access to specific media access control (MAC) addresses.
Separate the wireless segment from the rest of the network.
WIRED EQUIVALENT PRIVACY (WEP)
Provides encryption and access control
Uses the RC4 encryption algorithm
Uses checksums
Supports 64-bit and 128-bit encryption
Supports shared key authentication and open authentication
WEP KEYS
An attacker can discover the WEP key by using a brute-force attack.
All computers use a single shared WEP key.
WEP does not define a secure means to distribute the key.
WEP keys can use manual or automated distribution methods.
ADVANTAGES OF WEP
All messages are encrypted.
Privacy is maintained.
WEP is easy to implement.
WEP provides a basic level of security.
Keys are user definable and unlimited.
DISADVANTAGES OF WEP
A hacker can easily discover the shared key.
You must tell users about key changes.
WEP alone does not provide sufficient wireless local area network (WLAN) security.
WEP must be implemented on every client and AP.
802.1X PROTOCOL
Is a standard for port-based network access control
Requires authentication before access
Uses the Extensible Authentication Protocol over LAN (EAPOL)
Uses standard security protocols
Access is based on identity, not on media access control (MAC) address
Supports extended forms of authentication
WI-FI PROTECTED ACCESS (WPA)
IEEE is developing a new standard, 802.11i.
WPA is an interim standard that:
Uses 802.1X authentication
Uses native key management
Can support WEP simultaneously
WIRELESS APPLICATION PROTOCOL (WAP)
Secures communications in OSI Layers 3–7
Is commonly used for mobile devices
Uses Wireless Transport Layer Security (WTLS)
Is vulnerable to weak algorithms
Is vulnerable to physical control of wireless gateways
USING IPSEC
Is a network-layer protocol
Provides authentication and encryption
Secures communications between any two devices
Secures routers or network to network communications
Is an industry standard
IPSEC PRINCIPLES
End-to-end security
Remote-access VPN client and gateway functions
Site-to-site VPN connections
IPSEC ELEMENTS
Encapsulating Security Payload (ESP) and Authentication Header (AH)
Tunnel and transport modes
IPSEC PROTECTION
IPSec protects against
Man-in-the-middle attacks
Spoofing
Replay attacks
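The replay protection listed above comes from the sequence number carried in every ESP and AH packet together with a receiver-side sliding window (RFC 4303 section 3.4.3). The following is an added example (not from the slides or any IPSec implementation) of that window: it accepts each sequence number at most once, rejects numbers that fall behind the window, and only records a number after the packet's integrity check has passed, so forged packets cannot advance the window. The packet trace is constructed.

```python
class AntiReplayWindow:
    """Sliding-window replay check for one security association.
    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` records whether sequence number (top - i) was accepted."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """Pre-ICV check: is this sequence number new and inside the window?"""
        if seq == 0:
            return False  # sequence numbers start at 1 on a fresh SA
        if seq > self.top:
            return True  # ahead of the window: certainly new
        if seq + self.size <= self.top:
            return False  # behind the window: too old to track, discard
        return not (self.bitmap >> (self.top - seq)) & 1

    def update(self, seq: int) -> None:
        """Record an accepted packet. Only called after the integrity check
        (ICV) succeeded, so an attacker cannot poison the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> bool:
        """Full per-packet decision: True if the packet is accepted."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def run_trace(seqs) -> list:
    """Feed a constructed list of sequence numbers through one SA's window
    and return the accept/reject decision for each packet."""
    window = AntiReplayWindow(64)
    return [window.receive(s) for s in seqs]
```

In the trace `[1, 2, 3, 2, 100, 40, 36, 37, 100]` the two repeated numbers are rejected as replays, 36 is rejected because the 64-packet window has moved past it, and 40 and 37 are still accepted as late but genuine packets.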
IPSEC SECURITY COMPONENTS
Security association (SA)
Internet Key Exchange (IKE)
Kerberos v5
Certificates
Preshared authentication keys
IPSEC LIMITATIONS
Computers and devices must support IPSec.
IPSec is limited by the encryption and authentication methods that devices support.
IPSec does not secure broadcast and multicast traffic.
Initialization traffic is not secured.
IPSec increases the load on system processors.
When IPSec processing is offloaded to hardware, software-based controls over it are unavailable.
SUMMARY
RADIUS and TACACS+ are used for centralized authentication of remote access users.
VPNs are a cost-effective method for users to establish remote connections across the Internet. PPTP and L2TP/IPSec are the most commonly used protocols for VPN connections.
Terminal sessions and SSH are methods for accessing one computer from another computer over a secure network connection.
SUMMARY (CONT.)
Wireless networks present specific security challenges for administrators. WEP is a commonly used protocol for securing wireless connections, but it has many shortcomings that reduce the security that it provides. The 802.1X and WPA protocols provide better security.
IPSec secures network traffic at the IP level by providing authentication and encryption. IPSec is transparent to upper layer protocols and to applications.