1 / 19

SYSTEM ADMINISTRATION Chapter 13

SYSTEM ADMINISTRATION Chapter 13. Security Protocols. Internet Protocol Security (IPSec). IPSec is an IETF standard designed to provide secure communications across both public and private networks.

adora
Télécharger la présentation

SYSTEM ADMINISTRATION Chapter 13

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SYSTEM ADMINISTRATIONChapter 13 Security Protocols

  2. Internet Protocol Security (IPSec) • IPSec is an IETF standard designed to provide secure communications across both public and private networks. • IPSec can deter several types of threats, including denial-of-service, identity spoofing, and packet sniffing.

  3. How IPSec Works • IPSec relies on key management functions through the use of Internet Key Exchange (IKE). • IKE provides the exchange of the required key types between the source and destination machines that will allow identification and authentication. • The key types supported by IPSec are: • Pre-shared Keys – same key installed on source and destination devices. • Public Key Cryptography – also known as PKI, requires a certificate to generate a key pair (public key and private key). (continued)

  4. How IPSec Works(continued) • Digital Signatures –allows a sending device to add digital code to a transmission, thus “sealing” the transmission. • Two types of headers are used with IPSec: • Authentication header (AH) – provides data integrity. • Encapsulating security payload (ESP) – provides data integrity and confidentiality.

  5. IPSec Modes of Operation • Transport Mode • IPSec in transport mode encrypts the payload of the packet only. • Original IP headers remain intact with correct information. Intervening devices know the real addresses of the source and destination. • Tunnel Model • Tunnel mode allows the entire datagram to be encrypted. • The real source and destination addresses are hidden, replaced by the source and destination addresses of the routers that handle the process. • End-systems do not need any configuration when deploying IPSec in tunnel mode.

  6. Virtual Private Networks (VPNs) • The VPN is a transmission between two systems that makes use of the public infrastructure as the medium for transmission, extending the boundary of the private network. • VPNs rely on tunneling to create a safe transmission. • The tunneling protocol “wraps’ the packet (often just the header), creating a virtual tunnel through which the data can be transmitted. • The encapsulation provides the needed routing information. (continued)

  7. Virtual Private Networks (VPNs)(continued) • VPN transmissions usually contain an encrypted payload. • The advantages of VPNs include: • Safety of transmission • Flexibility in the business environment • Lower transmission costs • Lower administrative overhead

  8. Point-to-Point Tunneling Protocol • PPTP is built on PPP used for remote access connections. • Transmissions are subject to setup negotiation, authentication, and error-checking. • PPTP supports a multiprotocol environment, using IP as the transport protocol, but allowing other protocols (IPX, NetBEUI) to be used for communication on the remote network. • PPTP uses MPPE as its encryption protocol on Microsoft networks. • PPTP supports 40-bit, 56-bit, and 128-bit encryption schemes.

  9. Layer 2 Tunneling Protocol (L2TP) • L2TP is a relatively new tunneling protocol, built by combining Microsoft’s PPTP and Cisco’s L2F technology. • L2TP uses a five-step process for encapsulation.

  10. Deploying L2TP and IPSec • L2TP and IPSec are used together on Microsoft networks to provide secure communications over the Internet or intranet. • When combined, L2TP provides the tunnel and IPSec provides the payload encryption necessary for security. • To communicate using L2TP/IPSec, both the source and destination devices must understand the mechanisms and be configured to use them.

  11. Secure Sockets Layer (SSL) • Secure Sockets Layer (SSL) is a protocol that has been designed to provide a secure connection over an insecure network, such as the Internet. • SSL runs above the TCP/IP protocol and below some of the higher-level protocols such as Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP). • SSL uses a series of keys, public and private, to encrypt the data that is transported across the secure connection. (continued)

  12. Secure Sockets Layer (SSL)(continued) • The RSA algorithm, or cipher, is a commonly used encryption and authentication algorithm that includes the use of a digital certificate. • The public key is made available to whomever needs it, while the private key is stored in a central location and never made public. • Data that is encrypted with the public key can be decrypted only with the private key.

  13. SSL Server Authentication • SSL server authentication allows a client computer to identify the server that it is talking with. • A client using SSL-enabled software uses a public key to verify that the server’s certificate and public ID are correct and valid and that they have been issued by a certificate authority (CA) that is listed on the client’s list of trusted CAs.

  14. SSL Client Authentication • SSL client authentication is used to verify the client’s identity. • SSL-enabled server software checks the client’s certificate and public ID to ensure they are correct and valid and that they have been issued by a CA listed on the server’s list of trusted CAs.

  15. Encrypted SSL Connection • The encrypted SSL connection ensures that all of the information transferred between the SSL-enabled client and SSL-enabled server are encrypted and decrypted during transmission. • Also, all of the data transmitted across the connection contains a mechanism to detect tampering, so the data can be checked to see if it was altered during the transfer process.

  16. SSL Subprotocols • The SSL Handshake Protocol • An SSL session begins with the SSL handshake process. • The handshake process is an exchange of messages that the server uses to authenticate itself to the client using a public key. • The client and the server cooperate to create symmetric keys that will be used for the encryption, decryption, and tamper-detection processes that occur during data transmission. • If necessary, the handshake process will also allow the client to authenticate itself to the server. • The SSL Record Protocol • The SSL Record protocol is used to define the message format that is used to transmit encrypted data. • The record protocol uses a series of algorithms that are generated by the handshaking process to encrypt the transmitted data.

  17. Man-in-the-Middle Attack • The Man in the Middle is a rogue program that intercepts all communication between the client and a server during an SSL session.

  18. Kerberos • Kerberos is a secure system, using strong encryption processes that are designed to provide authentication for users and services that need to communicate and be validated on a network. • Kerberos provides a way to prove identity in order to gain access to other network resources. • Kerberos works through the use of encrypted tickets and server processes that run on one or more third-party trusted servers. • The principals and the Kerberos server all share a secret password. • This secret password is used to verify that messages are authentic.

  19. Understanding the Kerberos Process • Begin the process by requesting authentication from the third-party, trusted Kerberos server. • This authentication server (AS) will create a session key, or “ticket-granting ticket” (TGT). • TGT goes to a ticket-granting server (TGS). • TGS verifies the ticket time stamps it and returns it to the principal that submitted it. • Ticket can be sent to accessible service. • Service can accept or reject the ticket. • Since the ticket was time stamped by the TGS, it is valid for more than one session. • Kerberos is the default encryption and security system used with Microsoft Windows 2000 operating systems.

More Related