1 / 57

SECURING COMMUNICATIONS

Chapter 7. SECURING COMMUNICATIONS. CHAPTER OBJECTIVES. Explain how to secure remote connections. Describe how to secure wireless communications. Describe how to use Internet Protocol Security (IPSec) to secure network communications. SECURING REMOTE ACCESS.

nathaniel-waller
Télécharger la présentation

SECURING COMMUNICATIONS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7 SECURING COMMUNICATIONS

  2. Chapter 7: SECURING COMMUNICATIONS CHAPTER OBJECTIVES • Explain how to secure remote connections. • Describe how to secure wireless communications. • Describe how to use Internet Protocol Security (IPSec) to secure network communications.

  3. Chapter 7: SECURING COMMUNICATIONS SECURING REMOTE ACCESS • More workers are telecommuting now. • Remote users have various types of communication connections. • Remote connections have special security requirements.

  4. Chapter 7: SECURING COMMUNICATIONS CHOOSING REMOTE CONNECTION METHODS • Modems support user dial-in connections. • A remote connection grants Internet access to network users via remote access services. • Internet connectivity supports virtual private network (VPN) links. • Connection media are often insecure.

  5. Chapter 7: SECURING COMMUNICATIONS DIAL-UP VS. VPN

  6. Chapter 7: SECURING COMMUNICATIONS DIAL-UP CONNECTIONS • Modems establish the network link. • The remote access server • Hosts modem banks • Authenticates remote users • Acts as a router or proxy

  7. Chapter 7: SECURING COMMUNICATIONS DIAL-UP CONNECTIONS (CONT.)

  8. Chapter 7: SECURING COMMUNICATIONS DIAL-UP PROTOCOLS • Point-to-Point Protocol (PPP) • Serial Line Internet Protocol (SLIP)

  9. Chapter 7: SECURING COMMUNICATIONS CONNECTION-LEVEL SECURITY • Callback Control Protocol (CBCP) • Predefined • User-defined • Caller ID • Automatic number identification (ANI)

  10. Chapter 7: SECURING COMMUNICATIONS ADVANTAGES OF DIAL-UP • Limited access for attackers • Low likelihood of eavesdropping

  11. Chapter 7: SECURING COMMUNICATIONS DISADVANTAGES OF DIAL-UP • Cost • Low productivity • War dialing

  12. Chapter 7: SECURING COMMUNICATIONS VPNs • VPNs are an alternative to dial-up networks. • VPNs use the Internet as a connection medium. • A VPN connection is a tunnel. • VPN tunnels typically encrypt data.

  13. Chapter 7: SECURING COMMUNICATIONS VPN CONNECTIONS

  14. Chapter 7: SECURING COMMUNICATIONS ADVANTAGES OF VPN • Low costs • High productivity • Fewer external connection points

  15. Chapter 7: SECURING COMMUNICATIONS DISADVANTAGES OF VPN • Risk of attacks • Risk of eavesdropping • High exposure to attackers

  16. Chapter 7: SECURING COMMUNICATIONS REMOTE CONNECTION REQUIREMENTS • Remote communications between two computers require using the same protocol. • Both computers should use secured protocols and applications. • The server should require user authentication.

  17. Chapter 7: SECURING COMMUNICATIONS REMOTE CONNECTION REQUIREMENTS (CONT.)

  18. Chapter 7: SECURING COMMUNICATIONS COMMON AUTHENTICATION PROTOCOLS • Password Authentication Protocol (PAP) • Shiva Password Authentication Protocol (SPAP) • Challenge Handshake Authentication Protocol (CHAP)

  19. Chapter 7: SECURING COMMUNICATIONS COMMON AUTHENTICATION PROTOCOLS (CONT.) • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) • Extensible Authentication Protocol (EAP)

  20. Chapter 7: SECURING COMMUNICATIONS CENTRALIZED AUTHENTICATION • Centralized authentication provides a single authentication control. • Remote access servers forward authentication requests. • Centralized authentication increases security.

  21. Chapter 7: SECURING COMMUNICATIONS REMOTE ACCESS SERVER WITH CENTRALIZED AUTHENTICATION

  22. Chapter 7: SECURING COMMUNICATIONS CENTRALIZED AUTHENTICATION PROTOCOLS • Remote Authentication Dial-In User Service (RADIUS) • Terminal Access Controller Access Control Service (TACACS) • TACACS+

  23. Chapter 7: SECURING COMMUNICATIONS RADIUS • Provides authentication, authorization, and accounting services • Is vendor independent • Provides authentication encryption

  24. Chapter 7: SECURING COMMUNICATIONS RADIUS AUTHENTICATION PROCESS

  25. Chapter 7: SECURING COMMUNICATIONS TACACS AND TACACS+ • Provide centralized access controls • Used by routers and remote access servers • Developed by Cisco Systems, Inc.

  26. Chapter 7: SECURING COMMUNICATIONS DIFFERENCES BETWEEN RADIUS AND TACACS+ • RADIUS • Runs over the User Datagram Protocol (UDP) • Provides combined authentication and authorization • Used mainly by computers • TACACS+ • Runs over the Transmission Control Protocol (TCP) • Provides separate authentication and authorization • Used mainly by network devices such as routers and switches

  27. Chapter 7: SECURING COMMUNICATIONS VPN PROTOCOLS • Point-to-Point Tunneling Protocol (PPTP) • Layer 2 Tunneling Protocol (L2TP) • IPSec

  28. Chapter 7: SECURING COMMUNICATIONS PPTP • Is a Layer 2 protocol that encapsulates PPP frames in IP datagrams • Uses PAP, CHAP, and MS-CHAP • Requires an IP-based network • Does not support header compression

  29. Chapter 7: SECURING COMMUNICATIONS L2TP • Is an extension of PPP • Encapsulates PPP frames to be sent over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks • Can use encrypted or compressed frames • Includes no mechanisms for authentication or encryption • Often used with IPSec

  30. Chapter 7: SECURING COMMUNICATIONS L2TP OVER IPSEC (L2TP/IPSEC) • IPSec is used with L2TP to create tunnels. • Client L2TP/IPSec connections are used to access networks. • L2TP/IPSec offers gateway-to-gateway (network-to-network) connections. • L2TP/IPSec supports a wide range of user authentication options.

  31. Chapter 7: SECURING COMMUNICATIONS VPN ISSUES • IPSec provides for multi-vendor interoperability. • Some network address translation (NAT) implementations cannot use IPSec tunnel mode. • PPTP security depends on using a password.

  32. Chapter 7: SECURING COMMUNICATIONS SECURING VPN CONNECTIONS • Encrypt authentication and data. • Monitor traffic leaving a VPN connection. • Use strong multi-factor authentication. • Require VPN clients to comply with security policy. • VPN clients should not bypass security for Internet access.

  33. Chapter 7: SECURING COMMUNICATIONS TERMINAL SESSIONS • Provide remote access • Let you control a system using a remote client • Reduce hardware costs • Create inherent security risks

  34. Chapter 7: SECURING COMMUNICATIONS SECURE SHELL PROTOCOL (SSH) • Is a secure, low-level transport protocol • Provides remote control and access • Replaces Telnet, rlogin, and FTP • Has strong security features

  35. Chapter 7: SECURING COMMUNICATIONS WHAT SSH PROTECTS AGAINST • Packet spoofing • IP/host spoofing • Password sniffing • Eavesdropping

  36. Chapter 7: SECURING COMMUNICATIONS WIRELESS COMMUNICATION ISSUES • Wireless connections are becoming popular. • Network data is transmitted using radio waves. • Physical security is no longer sufficient. • Transmissions can be intercepted outside the building where the data originates.

  37. Chapter 7: SECURING COMMUNICATIONS HOW WIRELESS NETWORKING WORKS • Institute of Electrical and Electronics Engineers (IEEE) 802.11 is the standard • OSI Layers 1 and 2 • Can use various upper-layer protocols

  38. Chapter 7: SECURING COMMUNICATIONS WIRELESS INFRASTRUCTURE MODE NETWORKING

  39. Chapter 7: SECURING COMMUNICATIONS WIRELESS THREATS • Theft of service • Eavesdropping • Unauthorized access

  40. Chapter 7: SECURING COMMUNICATIONS BASIC DEFENSES AGAINST WIRELESS ATTACKS • Limit the range of radio transmissions. • Conduct a site survey. • Measure the signal strength. • Search for unauthorized access points (APs). • Restrict access by using a service set identifier (SSID) or by limiting access to specific media access control (MAC) addresses. • Separate the wireless segment from the rest of the network.

  41. Chapter 7: SECURING COMMUNICATIONS WIRED EQUIVALENCY PRIVACY (WEP) • Provides encryption and access control • Uses the RC4 encryption algorithm • Uses checksums • Supports 64-bit and 128-bit encryption • Supports shared key authentication and open authentication

  42. Chapter 7: SECURING COMMUNICATIONS WEP KEYS • An attacker can discover the WEP key by using a brute-force attack. • All computers use a single shared WEP key. • WEP does not define a secure means to distribute the key. • WEP keys can use manual or automated distribution methods.

  43. Chapter 7: SECURING COMMUNICATIONS ADVANTAGES OF WEP • All messages are encrypted. • Privacy is maintained. • WEP is easy to implement. • WEP provides a basic level of security. • Keys are user definable and unlimited.

  44. Chapter 7: SECURING COMMUNICATIONS DISADVANTAGES OF WEP • A hacker can easily discover the shared key. • You must tell users about key changes. • WEP alone does not provide sufficient wireless local area network (WLAN) security. • WEP must be implemented on every client and AP.

  45. Chapter 7: SECURING COMMUNICATIONS 802.1X PROTOCOL • Is a standard for port-based network access control • Requires authentication before access • Uses the Extensible Authentication Protocol over LAN (EAPOL) • Uses standard security protocols • Access is based on identity, not on media access control (MAC) • Supports extended forms of authentication

  46. Chapter 7: SECURING COMMUNICATIONS WIRELESS PROTECTED ACCESS (WPA) • IEEE is developing a new standard, 802.11i. • WPA is an interim standard that • Uses 802.1x authentication • Uses native key management • Can support WEP simultaneously

  47. Chapter 7: SECURING COMMUNICATIONS WIRELESS APPLICATION PROTOCOL (WAP) • Secures communications in OSI Layers 3–7 • Is commonly used for mobile devices • Uses Wireless Transport Layer Security (WTLS) • Is vulnerable to weak algorithms • Is vulnerable to physical control of wireless gateways

  48. Chapter 7: SECURING COMMUNICATIONS USING IPSEC • Is a network-layer protocol • Provides authentication and encryption • Secures communications between any two devices • Secures routers or network to network communications • Is an industry standard

  49. Chapter 7: SECURING COMMUNICATIONS IPSEC PRINCIPLES • End-to-end security • Remote-access VPN client and gateway functions • Site-to-site VPN connections

  50. Chapter 7: SECURING COMMUNICATIONS IPSEC ELEMENTS • Encapsulating Security Payload (ESP) and Authenticated Header (AH) • Tunnel and transport modes

More Related