Remote Access

Presentation Transcript


  1. Remote Access

  2. Objectives • Secure Remote Access • Harden File Transfer Protocol (FTP) • Protect Directory Services

  3. Remote Access – into Linux
  • vnc – (Virtual Network Connection)
  • vnc-server (Fedora / CentOS) – tigervnc-server
  • Establish password for communications
  • Decide which ports to use (multiple channels available)
    • Channel 0 = 5900; channel 1 = 5901, etc.
  • Start service “vncserver :1”
  • vnc clients
    • Linux: vncviewer
    • Windows: tightVNC, ultraVNC, etc.

  4. Remote Access – into Linux • Windows – tightVNC login

  5. Remote Access – into Linux: TightVNC client

  6. Remote Access – into Linux
  • noMachine nx
    • nx server available from NoMachine.com
    • Uses SSH for data transport
    • Runs on port 7100, but all data goes through SSH (22)
    • Uses SSH login (regular user)
  • Nx clients
    • Linux
    • Windows

  7. Remote Access – into Linux • Windows nx login

  8. Remote Access – into Linux: nx client

  9. Secure Remote Access
  • Windows NT includes User Manager to allow dial-in access, while Windows 2003 uses Computer Management for Workgroup access and Active Directory for configuring access to the domain
  • Windows XP, 2003 Remote Access Policies can lock down a remote access system to ensure that only those intended to have access are actually granted it

  10. Secure Remote Access
  • Linux – Remote access is not part of the kernel. Available as support programs.
    • Unsecured – telnet, ftp
    • Secured – SSH, PuTTY, etc.

  11. Tunneling Protocols • Tunneling: Technique of encapsulating one packet of data within another type to create a secure link of transportation.

  12. Secure Transmission Protocols
  • PPTP and other similar protocols provide a secure mechanism for preventing eavesdroppers from viewing transmissions
  • PPTP derived from Point-to-Point Protocol

  13. Point-to-Point Protocol
  • Initially designed to support serial connections (modems) to the Internet
  • Standard serial port provides only layer 1 protocol support (no layer 2 – data link)
  • PPP (and the earlier Serial Line Internet Protocol) were designed as a layer 2 protocol that can carry IP datagrams through a serial (modem) connection.
  • Functions:
    • Encapsulation
    • Link Control Protocol
    • Authentication
    • Network Control Protocols

  14. Point-to-Point Tunneling Protocol (PPTP)
  • Widely deployed tunneling protocol
  • Developed by Microsoft
  • Based on the Point-to-Point Protocol (PPP)
  • Client connects to a network access server (NAS) to initiate connection
  • Extension to PPTP is Link Control Protocol (LCP), which establishes, configures, and tests the connection

  15. PPTP (cont)
  [diagram: client, dial-up link (PPP), NAS, Internet (PPTP), PPTP Server]

  16. PPTP (cont)
  • Used to encapsulate network protocols over a TCP/IP network
  • Used to carry PPP (which can encapsulate IP, IPX, NetBEUI, etc.)
  • Control messages
    • Manages VPN connections
    • Supports Authentication, Encryption
  • Data packets

  17. Layer 2 Tunneling Protocol (L2TP)
  • Represents a merging of features of PPTP with Cisco’s Layer 2 Forwarding Protocol (L2F), which itself was originally designed to address some of the weaknesses of PPTP
  • Unlike PPTP, which is primarily implemented as software on a client computer, L2TP can also be found on devices such as routers.

  18. L2TP (cont)

  19. L2TP (cont)
  • User initiates a PPP connection to the ISP, using the analog telephone system or ISDN.
  • The ISP network L2TP Access Concentrator (LAC) accepts the connection at the POP and the PPP link is established.
  • After the end user and the L2TP Network Server (LNS) negotiate the link protocol, the LAC partially authenticates the end user with CHAP or PAP. If the user is not a Virtual Private Dialup Network (VPDN) client, authentication continues, and the client will access the Internet or other contacted service. If the username is a VPDN client, the mapping will name a specific endpoint (the LNS).
  • The tunnel end points, the LAC and the LNS, authenticate each other before any sessions are attempted within a tunnel. Alternatively, the LNS can accept tunnel creation without any tunnel authentication of the LAC.
  • Once the tunnel exists, an L2TP session is created for the end user.
  • The LAC propagates the LCP negotiated options and the partially authenticated CHAP/PAP information to the LNS. The LNS funnels the negotiated options and authentication information directly to the virtual access interface. If the options configured on the virtual template interface do not match the options negotiated with the LAC, the connection fails and a disconnect is sent to the LAC.

  20. PPPoE: PPP over Ethernet
  • Point to Point Protocol over Ethernet
  • RFC 2516
  • Only Ethernet Framing and MAC address are relevant (Nothing from CSMA/CD protocol!)
  • Ability to connect a collection of hosts over a simple bridging access device to a remote access concentrator
  • Access control, billing and Type of service: on a per user basis
  • Each PPP session learns Ethernet address of remote peer with a unique session identifier

  21. PPPoE: cont’d
  • Revisit Ethernet Frame
    DestAddr | SourceAddr | Ether_type | Payload | Checksum
  • DestAddr, SourceAddr: 6 byte MAC address (universally unique)
  • Ether_type: 2 bytes
  • Payload: 46 – 1500 bytes
  • Checksum (FCS): 4 bytes

  22. Two stages of PPPoE: Discovery Stage
  • Host (client) may discover all Remote access concentrators and select one
  • A session_id is established
  • Ether_type: 0x8863
  • Four messages:
    • Initiation (from host to RAC)
    • Offer (from RAC to host)
    • Request (from host to RAC)
    • Confirm (from RAC to host): contains session ID

  23. Session Stage
  • Now transmit PPP-LCP message to establish PPP session
  • First generated by host
    • DestAddr: Access Concentrator
    • SourceAddr: host
    • Ether_type: 0x8864
    • SessionID: as obtained from Discovery Stage
    • Length: <rest of packet>
    • PPP protocol: 0xc021 (PPP-LCP)
    • Now PPP payload!
  • Continue with other PPP messages (PAP, IP-CP etc) to get to the IP datagram transmission phase
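As an added illustration of slides 21 to 23 (example code written for this transcript, not part of the presentation): a small builder and parser for PPPoE frames that checks the Ethernet type, the PPPoE version/type byte and the length field before trusting the payload, then extracts the session id and, in the session stage, the PPP protocol number (0xc021 for LCP). The MAC addresses, session id and Service-Name tag are constructed sample values.

```python
import struct

# Ethertypes and PPP protocol number from slides 22-23
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_LCP = 0xC021
# RFC 2516 discovery codes for the four messages of slide 22 (plus PADT for teardown)
DISCOVERY_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def build_pppoe_frame(dst: bytes, src: bytes, ether_type: int, code: int, session_id: int, payload: bytes) -> bytes:
    """Ethernet header + 6-byte PPPoE header (ver/type 0x11, code, session_id, length) + payload."""
    return dst + src + struct.pack("!HBBHH", ether_type, 0x11, code, session_id, len(payload)) + payload

def parse_pppoe_frame(frame: bytes) -> dict:
    """Validate and decode a PPPoE frame; raises ValueError on anything malformed."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    ether_type, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ether_type not in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        raise ValueError(f"not PPPoE: ether_type=0x{ether_type:04x}")
    if ver_type != 0x11:
        raise ValueError("PPPoE version and type must both be 1")
    payload = frame[20:20 + length]
    if len(payload) != length:                # never trust the length field over the frame size
        raise ValueError("PPPoE length field exceeds frame")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "session_id": session_id, "length": length}
    if ether_type == ETHERTYPE_PPPOE_DISCOVERY:
        info["stage"] = "discovery"
        info["code"] = DISCOVERY_CODES.get(code, f"unknown(0x{code:02x})")
    else:
        if code != 0 or session_id == 0 or length < 2:
            raise ValueError("session frame needs code 0, a non-zero session_id and a PPP protocol field")
        info["stage"] = "session"
        info["ppp_protocol"] = struct.unpack("!H", payload[:2])[0]
        info["ppp_payload"] = payload[2:]
    return info

# Constructed sample exchange: locally administered MACs, session id 0x0001
HOST = bytes.fromhex("020000000001")
RAC = bytes.fromhex("020000000002")
# Discovery confirm (PADS) from RAC to host, carrying the session id and an empty Service-Name tag
PADS = build_pppoe_frame(HOST, RAC, ETHERTYPE_PPPOE_DISCOVERY, 0x65, 0x0001, b"\x01\x01\x00\x00")
# First session-stage frame from host to RAC: PPP-LCP Configure-Request (id 1, length 4)
LCP_CONF_REQ = build_pppoe_frame(RAC, HOST, ETHERTYPE_PPPOE_SESSION, 0x00, 0x0001,
                                 struct.pack("!H", PPP_PROTO_LCP) + b"\x01\x01\x00\x04")
```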

  24. Authentication Technologies
  • Authenticating a transmission to ensure that it comes from an approved sender can provide an increased level of security for remote access users
  • Examples:
    • Radius
    • Tacacs+

  25. (RADIUS)
  • Remote Authentication Dial-In User Service
  • Originally defined to enable centralized authentication and access control for PPP sessions
  • Requests are forwarded to a single RADIUS server
  • Supports authentication, authorization, and auditing functions
  • After connection is made, RADIUS server adds an accounting record to its log and acknowledges the request
  • Allows company to maintain user profiles in a central database that all remote servers can share

  26. (TACACS+)
  • Terminal Access Control Access Control System
  • Industry standard protocol specification that forwards username and password information to a centralized server
  • Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not

  27. IPSec
  • Designed to create and support a cryptographically protected communication channel
  • This connection is called a Security Association.
  • SA defined by a set of security parameters referenced in a Security Parameter Index (SPI) and a destination host address.

  28. IP Security (IPSec)
  • Considered to be a transparent security protocol operating at layer 3
  • Transparent to applications, users, and software
  • Provides three areas of protection that correspond to three IPSec protocols:
    • Key management (ISAKMP/IKE - Oakley): a way to establish an SA
    • Authentication (AH): a way to ensure the integrity of the communication
    • Confidentiality (ESP): a way to ensure the privacy of the communication
  cs490ns-cotter 28

  29. IPsec Protocols
  • Internet Key Exchange
    • Internet Security Association and Key Mgmt protocol
    • OAKLEY – Based on Diffie-Hellman
    • RFC 2408
  • Authentication Header Protocol
    • RFC 2402
    • Message digest based on data + key
  • Encapsulating Security Payload Protocol
    • RFC 2406
    • Uses public key to encrypt, ICV to authenticate

  30. IPSec (cont)
  • Once an SA has been established, IPSec provides a 2 phase security association
  • Supports 2 Phase 1 modes:
    • Transport mode encrypts or authenticates only the data portion (payload) of each packet, yet leaves the header unencrypted.
    • Tunnel mode encrypts both the header and data portion
  • IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet
  • In tunnel mode the entire original packet is then treated as the data portion of the new packet

  31. IPsec Transport Mode
  [diagram: Orig. header | Auth. header | TCP | Orig. Payload]

  32. IPsec Tunnel Mode
  [diagram: Original Packet = Orig. header | TCP | Orig. Payload; New Packet = New header | New Payload, where the New Payload is the entire Original Packet]

  33. IPSec (cont)
  • Supports 2 Phase 2 Associations
    • Authentication
    • Encryption
  • Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms:
    • AH in transport mode / tunnel mode
    • ESP in transport mode / tunnel mode

  34. Authentication Header
  [header layout]
  Next (= tcp) | AH len | Reserved
  SPI (Security Parameters Index)
  Sequence Number
  Authentication Data (SHA-1, etc.) - Integrity Check Value -

  35. Hash Message Auth Code
  [diagram: Secret Key, null padded, xor'd with 36363636... -> xor'd key followed by Msg to Hash (full* IP Packet) -> Hash Function -> hash;
   Secret Key xor'd with 5c5c5c5c... -> xor'd key followed by hash -> Hash Function -> Integrity Check Value]

  36. AH in Transport Mode
  [diagram: Orig IP header | Authentication header (AH) | TCP | Orig. Payload; whole packet marked Authenticated]
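Slides 34 to 36 give the AH header fields, the HMAC construction with the 0x36/0x5c pads, and the transport-mode layout. The following added example (written for this transcript, not code from the presentation or from any IPsec stack) builds an AH transport-mode packet around a constructed IPv4/TCP header and computes the HMAC-SHA1-96 ICV with the mutable IP fields and the ICV itself zeroed, as RFC 2402/2404 require; the IP header checksum is left to the IP layer, and the addresses, SPI and key are constructed sample values.

```python
import hashlib
import hmac
import struct

IPAD, OPAD = 0x36, 0x5C  # the 36363636... / 5c5c5c5c... pads drawn on slide 35
ICV_LEN = 12             # HMAC-SHA1-96 (RFC 2404): the ICV is the first 96 bits of the HMAC
AH_PROTO = 51            # IP protocol number carried in the IP header once AH is inserted

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC as on slide 35: H((K xor opad) || H((K xor ipad) || msg)), key null-padded to 64 bytes."""
    if len(key) > 64:
        key = hashlib.sha1(key).digest()
    key = key.ljust(64, b"\x00")
    inner = hashlib.sha1(bytes(b ^ IPAD for b in key) + msg).digest()
    return hashlib.sha1(bytes(b ^ OPAD for b in key) + inner).digest()

def ah_icv(packet: bytes, key: bytes) -> bytes:
    """ICV over the whole [IP hdr | AH | payload] packet with mutable fields and the ICV zeroed."""
    ihl = (packet[0] & 0x0F) * 4
    p = bytearray(packet)
    p[1] = 0                  # TOS / DSCP
    p[6:8] = b"\x00\x00"      # flags + fragment offset
    p[8] = 0                  # TTL (routers decrement it, so it cannot be covered)
    p[10:12] = b"\x00\x00"    # IP header checksum
    p[ihl + 12:ihl + 12 + ICV_LEN] = b"\x00" * ICV_LEN   # ICV field is zero while hashing
    return hmac_sha1(key, bytes(p))[:ICV_LEN]

def build_ah_transport(ip_header: bytes, payload: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Slide 36 layout: [orig IP hdr | AH | TCP payload]; IP checksum is left for the IP layer."""
    hdr = bytearray(ip_header)
    hdr[9] = AH_PROTO                     # IP protocol says AH; AH.next says tcp (6)
    ah_words = (12 + ICV_LEN) // 4 - 2    # AH "payload len": length in 32-bit words minus 2
    ah = struct.pack("!BBHII", 6, ah_words, 0, spi, seq) + b"\x00" * ICV_LEN
    struct.pack_into("!H", hdr, 2, len(hdr) + len(ah) + len(payload))   # total length grows by AH
    packet = bytes(hdr) + ah + payload
    icv_at = len(ip_header) + 12
    return packet[:icv_at] + ah_icv(packet, key) + packet[icv_at + ICV_LEN:]

def verify_ah(packet: bytes, key: bytes) -> bool:
    icv_at = (packet[0] & 0x0F) * 4 + 12
    return hmac.compare_digest(packet[icv_at:icv_at + ICV_LEN], ah_icv(packet, key))

# Constructed sample: IPv4 header 10.0.0.1 -> 10.0.0.2, TCP SYN 1234 -> 80, and a demo key
SAMPLE_IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
SAMPLE_TCP = bytes.fromhex("04d20050000000010000000050022000" + "00000000")
KEY = b"constructed-demo-key"
```

A receiver that recomputes the ICV the same way accepts a packet whose TTL changed in transit but rejects any change to the payload, the AH fields or the immutable IP fields.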

  37. AH in Tunnel Mode
  [diagram: Original Packet = Orig IP header | TCP | Orig. Payload; tunnel packet = New IP header | Authentication header (AH) | Orig IP header | TCP | Orig. Payload; spans marked on slide: encrypted, Authenticated]

  38. ESP in Transport Mode
  [diagram: Orig IP header | ESP header | TCP | Orig. Payload | trailer | ESP authentication; spans marked on slide: encrypted, Authenticated]

  39. ESP in Tunnel Mode
  [diagram: New IP header | ESP header | Orig IP header | TCP | Orig. Payload | trailer | ESP authentication; spans marked on slide: encrypted, Authenticated]

  40. Internet Key Exchange
  • ISAKMP – Internet Security Association and Key Management Protocol
    • A framework to define and exchange the data elements (fields) needed to support secure communications
  • IKE – Internet Key Exchange
    • Definition of a protocol that works within the ISAKMP framework to establish an SA.
  • DOI – Domain of Interpretation
    • Provides the specifications for a particular use of ISAKMP.
    • Original intent was that there would be many different DOIs for many different applications that might use ISAKMP

  41. IKE – 2 Phases
  • Phase 1
    • Known as the ISAKMP SA
    • Mutual authentication and establish session keys.
    • Based on names, public keys, and/or shared secrets.
  • Phase 2
    • Known as ESP or AH SA
    • Uses keys established in phase 1 to develop multiple separate channels

  42. Phase 1 IKE – 2 modes
  • Aggressive Mode
    • Establishes mutual authentication and session key establishment in 3 messages
    • Simple and quick
  • Main Mode
    • Uses 6 messages to establish mutual authentication and session key
    • Allows for selection of cryptographic protocols

  43. IKE – Aggressive Mode
  [message exchange between Alice and Bob]
  Alice -> Bob: g^a mod p, “Alice”, crypto proposal
  Bob -> Alice: g^b mod p, crypto choice, proof for “Bob”
  Alice -> Bob: proof for “Alice”

  44. IKE – Main Mode
  [message exchange between Alice and Bob]
  Parameter Negotiation:
  Alice -> Bob: crypto suites I support
  Bob -> Alice: crypto suite I choose
  Diffie-Hellman exchange:
  Alice -> Bob: g^a mod p
  Bob -> Alice: g^b mod p
  Send IDs, Authenticate, etc.:
  Alice -> Bob: g^ab mod p, proof for “Alice”
  Bob -> Alice: g^ab mod p, proof for “Bob”

  45. IKE Phase 1 Key Types
  • How do we authenticate? What info is used?
  • Four Authentication Methods
    • Original Public Key Encryption
    • Revised Public Key Encryption
    • Public Key Signature
    • Pre-shared Key
  • Two modes for each method
    • Aggressive Mode
    • Main Mode

  46. Basic Phase 1 Association
  • Revised Public key – main mode
  [message exchange between Alice and Bob]
  Alice -> Bob: Crypto Proposal
  Bob -> Alice: Crypto Proposal Accepted
  Alice computes KA = hash(nonceA, cookieA)
  Alice -> Bob: {nonceA}Bob, KA{g^a mod p}, KA{Alice}, KA{Alice cert}
  Bob computes KB = hash(nonceB, cookieB)
  Bob -> Alice: {nonceB}Alice, KB{g^b mod p}, KB{Bob}
  Both compute K = f(g^ab mod p, nonceA, nonceB, CookieA, CookieB)
  Alice -> Bob: K{proof I’m Alice}
  Bob -> Alice: K{proof I’m Bob}

  47. Phase 2 IKE – IPSec SA
  • Quick Mode (under the Phase 1 SA between Alice and Bob)
  Alice -> Bob: X, Y, CP, traffic, SPIA, nonceA, [g^a mod p]
  Bob -> Alice: X, Y, CPA, traffic, SPIB, nonceB, [g^b mod p]
  Alice -> Bob: X, Y, ack

  48. Virtual Private Networks (VPNs)
  • Takes advantage of using the public Internet as if it were a private network
  • Allow the public Internet to be used privately
  • Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network

  49. VPNs (cont)
  • Two common types of VPNs include:
    • Remote-access VPN or virtual private dial-up network (VPDN): user-to-LAN connection used by remote users
    • Site-to-site VPN: multiple sites can connect to other sites over the Internet
  • VPN transmissions achieved through communicating with endpoints
  • An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall

  50. VPNs (cont)