1 / 29

Remote Access

Remote Access. Chapter 4. IEEE 802.1x. An internet standard created to perform authentication services for remote access to a central LAN. Simple Network Management Protocol (SNMP)

orrin
Télécharger la présentation

Remote Access

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Remote Access Chapter 4

  2. IEEE 802.1x • An internet standard created to perform authentication services for remote access to a central LAN. • Simple Network Management Protocol (SNMP) • A set of protocols for managing complex networks. It works by sending messages, called protocol data units (PDUs), to different parts of a network. An SNMP-compliant device, called an “agent,” stores data about itself in a Management Information Base (MIB) and returns this data to an SNMP requester.

  3. IEEE 802.1x • General Topology

  4. IEEE 802.1x • Extensive Authentication Protocol (EAP) • A protocol defined by IEEE 802.1x that supports multiple authentication methods. • EAP over LAN (EAPOL) • An encapsulation method for sending EAP over a LAN environment using IEEE 802 frames.

  5. IEEE 802.1x • IEEE 802.1x Conversation

  6. IEEE 802.1x • Telnet • The standard terminal emulation protocol within the TCP/IP protocol suite defined by RFC 854.

  7. Virtual Private Networks • A remote access method that secures the connection between the user and the home office using various different authentication mechanisms and encryption techniques.

  8. Virtual Private Networks • VPN Diagram

  9. Virtual Private Networks • VPN Options • Included in MS Windows packages. • MS PPTP. • Outsource to service provider. • Encryption does not happen until the data reaches the provider’s network.

  10. Virtual Private Networks • VPN Drawbacks • Not completely fault tolerant. • Diverse choices for implementing. • Law of diminishing returns. • Each incremental increase in security over a certain point becomes more and more expensive.

  11. Remote Authentication Dial-In User Service (RADIUS) • Uses a model of distributed security to authenticate users on a network. • User Datagram Protocol (UDP) • A connectionless protocol that, like TCP, runs on top of IP networks. It provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network.

  12. Remote Authentication Dial-In User Service (RADIUS) • Authentication with a RADIUS Server • Network Access Server (NAS) • This allows access to the network. • Serial Line Internet Protocol (SLIP) • A method of connecting to the Internet. Another more common method is PPP.

  13. Remote Authentication Dial-In User Service (RADIUS) • Authentication Client Internet RADIUS Server Access request Access accept (with exec authorization in attributes) Accounting request (start) Accounting response to client Accounting request (stop) Time Securing Response to client

  14. Remote Authentication Dial-In User Service (RADIUS) • Benefits • Greater security. • Scalable architecture. • Open protocols. • Future enhancements.

  15. Terminal Access Controller Access Control System (TACACS+) • An authentication system developed by Cisco Systems. • Developed to address the need for a scalable solution that RADIUS did not provide. • Uses Transmission Control Protocol (TCP) • Offers multiple protocol support

  16. Terminal Access Controller Access Control System (TACACS+) Client Internet TACACS+ Server Start (authentication) to connect user Reply (authentication) to ask client to get username Continue (authentication) to give server username Reply (authentication) to ask client to get password Continue (authentication) to give server password Reply (authentication) to indicate pass/fail status Request (accounting) for service=shel Time Response (authorization) to indicate pass/fail status

  17. Terminal Access Controller Access Control System (TACACS+) Client Internet TACACS+ Server Request (accounting) for start/exec Response (accounting) that record was received Request (authorization) for command and command-argument Response (authorization) to indicate pass/fail status Request (accounting) for command Response (accounting) that record was received Request (accounting) for stop/exec Time Response (accounting) that record was received

  18. Point-to-Point Tunneling Protocol (PPTP) • Built upon Point-to-Point Protocol (PPP) and Transmission Control Protocol/Internet Protocol (TCP/IP). • Handshaking • The process by which two devices initiate communications. Handshaking begins when one device sends a message to another device indicating that it wants to establish a communications channel. The two devices then send several messages back an forth that enable them to agree on a communications protocol.

  19. Point-to-Point Tunneling Protocol (PPTP) • Performs the following tasks: • Queries the status of communications servers • Provides in-band management • Allocates channels and places outgoing calls • Notifies Windows NT Server of incoming calls • Transmits and receives user data with bidirectional flow control • Notifies Windows NT Server of disconnected calls • Assures data integrity, while making the most efficient use of network bandwidth by tightly coordinating the packet flow

  20. Layer 2 Tunneling Protocol • Expands PPP by allowing both endpoints (layer two and PPP) to reside on different devices connected by a paket-switched network like the Internet. • Allows the processing of PPP packets to happen separately from the termination of the layer two circuits.

  21. Secure Shell (SSH) • A program used to log on to another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. • Uses a public key authentication method to establish an encrypted and secure connection from the user’s machine to the remote machine. • Certificate Revocation List (CRL) • A device used in SSH to manage certificates. Certificates that are no longer valid are placed on a list and verified by the SSH engine when authentication occurs.

  22. IP Security Protocol • Internet Engineering Task Force (IETF) • The main standards organization for the Internet. • IP Security (IPSec) • A set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPSec has been deployed widely to implement VPNs. • Secures Layer 3 of the OSI Model

  23. IP Security Protocol • Encapsulating Security Payload (ESP) • Provides a mix of security services in IPv4 and IPv6. It is used to provide confidentiality, data origin authentication, connectionless integrity, anti-replay, and limited confidentiality of the traffic flow. • Security Parameter Index (SPI) • An arbitrary 32-bit number used to specify to the device receiving the packet not only what group of security protocols the sender is using to communicate, but which algorithms and keys are being used, and how long those keys are valid.

  24. IP Security Protocol

  25. IP Security Protocol • Payload Data • Variable length – this is the data carried by the IP packet • Padding • 0 to 255 bytes used to ensure that ciphertext terminates on a 4-byte boundary • Pad Length • 8 bits – specifies the length of the payload data is padding • Next Header • 8 bits – an IP protocol number describing the format of the payload data • Authentication Data • Variable length – optional field used by the authentication service

  26. IP Security Protocol • ESP and Encryption Models • ESP can use several encryption protocols. The sender decides which ones to use. • The current standard for IPSec uses HMAC with Message Digest 5 (MD5). • Hash Message Authentication Code (HMAC) • A special algorithm defined by RFC 2104 that can be used in conjunction with many other algorithms, such as SHA-1, within the IPSec Encapsulating Security Payload.

  27. Telecommuting Vulnerabilities • Problems with traditional VPNs • Split tunneling – client can route traffic simultaneously to the corporate intranet and the Internet. • Sensitive information stored on remote user’s hard drive. • Lack of logging when client is not connected

  28. Telecommuting Vulnerabilities • Problems with Certificates • Compromised certificate can be used to gain access to machines within the security perimeter. • SOHO (small office/home office) • Products specifically designed to meet the needs of professionals who work at home or in small offices. • SOHO firewalls bypass the traditional perimeter authentication that takes place before a remote user is granted access to the internal network. • Provides back-door entry for intruders.

  29. Telecommuting Vulnerabilities • Remote Session • Data never leaves the secure intranet perimeter. • Dangers lie in user copying data to their local drive or printing to a local printer. • Remote Solutions • Citrix Metaframe Access Suite • Microsoft Terminal Server • Virtual Network Computing

More Related