Unit08: Security Protocols

Upload: nurul-nadirah

Post on 13-May-2015


Page 1: Unit08

Unit08:

Security Protocols

Page 2: Unit08

Overview

• Network Security

• IPSec

• VPN Protocol

• Kerberos

• Smart Cards

• Firewalls

• Proxy Servers

Page 3: Unit08

Network Security

• Security protocols protect a computer from attacks

• Networks and data are vulnerable to both active attacks, in which information is altered or destroyed, and passive attacks, in which information is monitored

• Types of attacks:

– Altering data

– Eavesdropping, e.g. sniffing

– IP/MAC address spoofing, e.g. cheating

– Password pilfering, e.g. guessing

– Denial of service

– Virus

Page 4: Unit08

IPSec

• Based on cryptography/encryption

• Ensures the privacy of network traffic as well as its authentication

• IPSec functions at the Network layer

• The fact that IPSec is a network-layer protocol makes its services transparent to applications

• IPSec ensures that data cannot be tampered with while it is traversing any part of the network

Page 5: Unit08

IPSec

• Hands-on lab on IPSec: gpedit.msc

• ICMP

– Authentication method:

– Kerberos

– Preshared

– Certificates

Page 6: Unit08

VPN Protocols

• Virtual private networking is a system of creating a private network connection that travels through a public network

• One of the top considerations for using a VPN is to reduce costs

• L2TP

– L2TP is a VPN protocol used along with IPSec to ensure confidentiality of the data transmission

– L2TP combines PPTP (Point-to-Point Tunneling Protocol, courtesy of Microsoft) and Cisco’s Layer 2 Forwarding (L2F) protocol

Page 7: Unit08

VPN

• Why use L2TP instead of PPTP

– The L2TP client is included in Windows 2000 and later operating systems

– L2TP supports both Cisco TACACS+ and Remote Authentication Dial-In User Service (RADIUS) authentication

– L2TP was developed to be a standard that is already natively supported by Cisco routers and Windows 2000 servers

– L2TP offers a much higher level of security than PPTP

– L2TP offers a wider variety of protocols than PPTP, supporting not only TCP/IP but also IPX/SPX and Systems Network Architecture (SNA)

Page 8: Unit08

Secure Sockets Layer (SSL)

• SSL is a protocol that uses a public key to encrypt the data transmitted across the Internet

• SSL runs transparently to applications, because it sits below the upper-layer applications and above IP

• Working on behalf of upper-layer protocols, the SSL server authenticates itself using a certificate and public ID to an SSL-enabled client, which includes both Netscape Navigator and Microsoft Internet Explorer Web browsers, and others

Page 9: Unit08

SSL

Page 10: Unit08

SSL

• The SSL client ensures that the server’s certificate has been issued by a trusted certificate authority (CA), it authenticates itself back to the server using the same process, and an encrypted link is created between the two

• During the ensuing data transmission, SSL enacts a mechanism to ensure that the data is not tampered with before it reaches its destination

Page 11: Unit08

SSL is able to use several different types of ciphers:

• Data Encryption Standard (DES) and Triple DES

– DES is a private key exchange that applies a 56-bit key to each 64-bit block of data. Triple DES is the application of three DES keys in succession.

• Key Exchange Algorithm (KEA)

– KEA enables the client and server to establish mutual keys to use in encryption.

• Message Digest version 5 (MD5)

– This cipher creates a 128-bit message digest to validate data.

• Rivest-Shamir-Adleman (RSA)

– This is the most commonly used key exchange for SSL. It works by multiplying two large prime numbers, and through an algorithm determining both public and private keys. The private key does not need to be transmitted across the Internet but is able to decrypt the data transmitted with the public key.

• Secure Hash Algorithm (SHA)

– SHA produces a message digest of 160 bits using the SHA-1 80-bit key to authenticate the message.
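The RSA and message-digest points from the SSL slides above, carried through as an added example that is not part of the original slides: the two primes, the key pair derived from them, encryption with the public key only, decryption with the private key that is never transmitted, and a digest that detects tampering in transit. The primes (61 and 53) and the message are constructed toy values; real SSL/TLS uses 2048-bit keys with padding, never raw per-byte RSA.

```python
import hashlib

# Added example, not from the slides: textbook RSA with toy primes plus a digest check.

def rsa_keygen(p, q, e=17):
    """Multiply two primes to get the modulus n, then derive the private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse: e * d == 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)

def rsa_encrypt(public_key, data: bytes):
    """Encrypt each byte with the public key; only the public key is ever sent."""
    n, e = public_key
    return [pow(b, e, n) for b in data]

def rsa_decrypt(private_key, blocks):
    """The private key stays with its owner and recovers the plaintext values."""
    n, d = private_key
    return [pow(c, d, n) for c in blocks]

def digest_bits(algorithm, data: bytes):
    """Size of the message digest in bits: 128 for MD5, 160 for SHA-1."""
    return hashlib.new(algorithm, data).digest_size * 8

def send(public_key, plaintext: bytes):
    """Sender output: ciphertext blocks plus a SHA-1 digest of the plaintext."""
    return rsa_encrypt(public_key, plaintext), hashlib.sha1(plaintext).hexdigest()

def receive(private_key, blocks, expected_digest):
    """Receiver decrypts, recomputes the digest, and rejects tampered data."""
    values = rsa_decrypt(private_key, blocks)
    if any(v > 255 for v in values):
        return None              # tampered block decrypted to something that is not a byte
    plaintext = bytes(values)
    if hashlib.sha1(plaintext).hexdigest() != expected_digest:
        return None              # integrity check failed
    return plaintext

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)              # constructed toy primes: n = 3233
    blocks, tag = send(pub, b"GET /index.html")
    print("received:", receive(priv, blocks, tag))
    blocks[0] = (blocks[0] + 1) % pub[0]        # simulate in-transit tampering
    print("after tampering:", receive(priv, blocks, tag))
    print("digest sizes:", digest_bits("md5", b""), digest_bits("sha1", b""))
```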

Page 12: Unit08

Client makes certain that the SSL server’s certificate is issued by a trusted CA

Page 13: Unit08

Clients are authenticated by SSL servers

Page 14: Unit08

Kerberos

• Kerberos is an authentication protocol that is used to establish trust relationships between domains and verify the identities of users and network services

• When an entity attempts to access a Kerberos-protected resource and provides correct authentication information, Kerberos issues a ticket to it

• The ticket is actually a temporary certificate

• Each process requires a complex mutual authentication, but this is completely transparent to the user

Page 15: Unit08

Kerberos

• Kerberos trust relationships

– Kerberos trust relationships are typically transitive and bidirectional in nature

– Wherever a Kerberos trust exists, the users in one domain will be able to access resources in the other domain as long as the administrator has granted those users access

Page 16: Unit08

Smart Cards

• A way to ensure secure authentication using a physical key

• Smart cards contain chips to store a user’s private key and can also store logon information

• Smart cards require Public Key Infrastructure (PKI), a method of distributing encryption keys and certificates

Page 17: Unit08

Firewall

• A firewall is a piece of equipment that is actually a router with two interfaces: one leading to the public network and the other to the private network

• One of the methods a firewall uses to secure the network is packet filtering

• Packets that match a firewall rule are either permitted or blocked, depending on how the rule is implemented

• Firewalls are useful for protecting the network from unauthorized access to data

• A firewall uses an access control list (ACL) to hold the rules that its packet filters execute

• When implementing a new firewall, you should review every application that must function across the firewall.

Page 18: Unit08

Firewall

Page 19: Unit08

Firewall

• Demilitarized zones

– A demilitarized zone (DMZ) is an offshoot from a firewall

– A DMZ is a middle area that offers more freedom of access from the Internet

– The purpose of a DMZ is to provide access to certain servers, such as a Web server or e-mail server, while still protecting your network
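The packet-filtering and DMZ points from the two firewall slides above, as an added example that is not part of the original slides: an access control list walked in order, first match wins, anything unmatched is dropped, with a DMZ Web and e-mail server reachable from the Internet while the private network behind the firewall is not. All addresses, networks and sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the slides: a first-match packet filter driven by an ACL.
INTERNET = ip_network("0.0.0.0/0")
DMZ      = ip_network("192.0.2.0/24")      # constructed: Web and e-mail servers live here
INTERNAL = ip_network("10.0.0.0/8")        # constructed: the private network

# ACL entries: (action, protocol, source network, destination network, destination port)
ACL = [
    ("permit", "tcp", INTERNET, DMZ,      80),    # public Web server
    ("permit", "tcp", INTERNET, DMZ,      443),
    ("permit", "tcp", INTERNET, DMZ,      25),    # e-mail server
    ("deny",   "any", INTERNET, INTERNAL, None),  # nothing from outside reaches inside
    ("permit", "any", INTERNAL, INTERNET, None),  # internal hosts may go out
]
DEFAULT_ACTION = "deny"   # anything the ACL does not explicitly permit is dropped

def matches(rule, packet):
    """A rule matches when protocol, both networks and (if given) the port all agree."""
    action, proto, src_net, dst_net, dport = rule
    return ((proto == "any" or proto == packet["proto"])
            and ip_address(packet["src"]) in src_net
            and ip_address(packet["dst"]) in dst_net
            and (dport is None or dport == packet["dport"]))

def filter_packet(packet, acl=ACL):
    """Walk the ACL in order; the first matching rule decides, else the default applies."""
    for rule in acl:
        if matches(rule, packet):
            return rule[0]
    return DEFAULT_ACTION

def filter_all(packets, acl=ACL):
    """Decision per packet, in the form a firewall log would record it."""
    return [(p["src"], p["dst"], p["dport"], filter_packet(p, acl)) for p in packets]

if __name__ == "__main__":
    sample = [                                   # constructed packets
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "10.1.2.3", "dport": 445},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22},
        {"proto": "udp", "src": "10.1.2.3", "dst": "198.51.100.7", "dport": 53},
    ]
    for line in filter_all(sample):
        print(line)
```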

Page 20: Unit08

Proxy Servers

• For a more sophisticated and secure method of blocking and permitting traffic, you need to use a proxy server

• A proxy server doesn’t permit traffic to pass through it between networks

• It examines each packet up to the application layer and reassembles a new packet for the other network

• The proxy server is able to log traffic and perform audits