Security Protocols

1
Chapter 8

• Security Protocols

2
Types of Attacks

• Altering data
• Eavesdropping
• IP address spoofing
• Password pilfering
• Denial of service
• Virus
• See Table 8-1

3
IPSec

• IP version 4.0 doesnt include a native security
  method, so IPSec was created.
• Not only is IPSec considered an addition to IPv4,
  it also has been incorporated into the IPv6
  protocol.

4
IPSec

• Based on cryptography, Internet Protocol
  Security, or IPSec, ensures the privacy of
  network traffic as well as its authentication.
• IPSec is used for peer-to-peer and client-server
  communications across a private or public
  network secure LAN-to-LAN communications across
  a WAN and remote access transmissions via either
  dialup or virtual private network (VPN).
• IPSec functions at the Network layer.

5
IPSec

• An IPSec session is initiated when the IP
  protocol receives data from upper layers. IPSec
  works with the destination computer to agree upon
  the shared key and then encrypts the data at the
  sending host.
• This process ensures that the data packets are
  unreadable while en route to their destination,
  where they are then decrypted using the shared
  key.

6
IPSec

• IPSec supports two types of encryption
  modestransport and tunnel.
• The transport mode encrypts only the data part of
  the packet, not the header.
• Tunnel mode encrypts the entire header and data.
• IPSec is used with L2TP to create a tunnel.
• IPSec offers the tunnel an authentication and
  encryption method.

7
VPN Protocols

• Virtual private networking is a system of
  creating a private network connection that
  travels through a public network.
• Even though the VPN exists within a public
  network, the connection is intended to be as safe
  as a private network.
• Reduces costs!

8
L2TP

• L2TP is a VPN protocol used along with IPSec to
  ensure confidentiality of the data transmission.
• L2TP grew out of the combination of two prior
  protocolsPoint-to-Point Tunneling Protocol
  (PPTP) courtesy of Microsoft and Ciscos Layer 2
  Forwarding (L2F) protocol.
• L2TP borrows many of the qualities of PPTP,
  especially in that it extends the Point-to-Point
  Protocol (PPP) used for remote access.

9
L2TP
10
Why Use L2TP Instead of PPTP?

• The main reason that an administrator would
  consider using L2TP over L2F is that the L2TP
  client is included in Windows 2000 and later
  operating systems.
• PPTP is supported by Windows servers only, while
  L2TP was developed to be a standard that is
  already natively supported by Cisco routers and
  Windows 2000 servers.
• Because L2TP is usually implemented along with
  IPSec to create a true VPN, it offers a much
  higher level of security than PPTP.
• L2TP offers a wider variety of protocols than
  PPTPsupporting not only TCP/IP but also IPX/SPX
  and Systems Network Architecture (SNA), which is
  used by mainframe computers, and other types of
  computers.

11
Secure Sockets Layer (SSL)

• SSL is the abbreviation for Secure Sockets Layer,
  but users will likely be more familiar with its
  manifestation as the HTTPS// that precedes the
  URL of a secure Web site.
• SSL is a protocol that uses a public key to
  encrypt the data transmitted across the Internet.
  
• It is commonly used to provide privacy for
  sensitive information such as credit card numbers.

12
Secure Sockets Layer (SSL)
13
Secure Sockets Layer (SSL)
14
Kerberos

• When an entity attempts to access a
  Kerberos-protected resource and provides correct
  authentication information, Kerberos issues a
  ticket to it.
• This method does not require a password for
  transmission across the network.
• The ticket is actually a temporary certificate
  with the information required to identify the
  entity to the network.

15
Kerberos

• The entity uses this Kerberos ticket to request
  further Kerberos tickets to allow it to access
  subsequent services on the network.
• Each process requires a complex mutual
  authentication, but this is completely
  transparent to the user.

16
Kerberos Trust Relationships

• Kerberos enables trusts to be established between
  two different UNIX realms, between two Windows
  2000 domains, or even between a UNIX realm and a
  Windows 2000 domain.
• Trust relationships are established using
  Kerberos so that authentication credentials can
  be passed on to network resources in trusted
  domains or realms.

17
Kerberos Trust Relationships

• Kerberos trust relationships are typically
  transitive and bidirectional in nature.
• Transitive means that if domain A trusts domain
  B, and domain B trusts domain C, domain A is
  understood to trust domain C.
• Bidirectional means that when domain A trusts
  domain B, domain B automatically trusts domain A.

18
Smart Cards

• Smart cards are able to provide an interactive
  logon, secure e-mail messages, and authenticate
  access to network services.
• When a user needs to access a resource, the user
  inserts the smart card into a reader attached to
  the network.
• Smart cards require Public Key Infrastructure
  (PKI), a method of distributing encryption keys
  and certificates.

19
Firewalls

• Typically a router with two interfacesone
  leading to the public network and the other to
  the private network
• One of the methods a firewall uses to secure the
  network is packet filtering.
• This is the process of receiving data packets
  from one interface and examining them to see
  which packets meet the rules.
• For packets that meet firewall rules, they are
  either permitted or blocked, depending on how the
  rule is implemented.

20
Firewalls

• Firewalls provide packet filtering based on the
  permit and deny commands found in access control
  lists.
• Traffic can be filtered based on its source or
  destination address, as well as its source or
  destination ports.

21
Firewalls
22
Demilitarized Zones

• A demilitarized zone (DMZ) is an offshoot from a
  firewall that is not considered part of the
  Internet, nor is it considered part of the
  private network.
• This configuration places the DMZ between two
  firewalls.

23
Demilitarized Zones
24
Demilitarized Zones

• DMZ can be an offshoot area in which the firewall
  has three interfaces, one that connects to the
  Internet, a second that connects to the DMZ, and
  a third that connects to the private network.
• This configuration is driven solely by access
  control lists in which the DMZ access is relaxed
  compared to that of the private network.

25
Demilitarized Zones
26
Demilitarized Zones

• One reason to create a DMZ is to provide access
  to certain servers, such as a Web server or
  e-mail server, yet still protect the rest of the
  network from those types of traffic.

27
Proxy Servers

• The traditional firewall acts at the network
  layer, filtering packets from one interface to
  the other.
• This type of firewall will make all permit/deny
  decisions based on the source or destination
  addresses, domain names, or ports, which are all
  in the IP packet header.
• For a more sophisticated and secure method of
  blocking and permitting traffic, you need to use
  a proxy server, which is sometimes called a
  dual-homed gateway.

28
Proxy Servers

• A proxy server doesnt permit traffic to pass
  through it between networks.
• It does, however, examine each packet up to the
  application layer and reassemble a new packet for
  the other network.
• Because each piece of data is so thoroughly
  examined, the proxy server is able to log traffic
  and perform audits.

29
Proxy Servers
30
Proxy Servers

• Proxy servers are often preferred over firewalls
  because they fully prevent traffic from passing
  through from one network to another.
• Because the proxy understands the
  application-layer protocol, it can implement
  security specific to that protocol.