Chapter 7: Telecommunications and Networking Security (Part C)

1
Chapter 7 Telecommunications and Networking
Security (Part C)

• Remote Access
• Wireless Technologies

2
Remote Access

• Remote access enables remote and home users to
  connect to networks that will grant them access
  to network resources
• The most common types of remote connectivity
  methods
• Dial-up connections
• VPNs
• ISDN
• Cable modems
• DSL

3
Dial-Up and RAS (1)

• Users dial into a Remote Access Service (RAS)
  server, which performs authentication by
  comparing the provided credentials with the
  database of credentials it maintains.
• Steps
• a request for a username and password takes place
• the RAS may hang up the call to call the user
  back at a predefined phone number.
• To ensure that only authenticated users are given
  access to the network.
• If a company has not implemented any (or strong)
  access control over the RAS, attackers can easily
  walk into its network without ever having to
  bother with the firewall.

4
Dial-Up and RAS (2)

• War dialing is used by many attackers to identify
  remote access modems.
• Program tools can be used to dial a large bank of
  phone numbers
• The tools log valid data connections (modems used
  for data transmission) and attempt to identify
  the system on the other end of the phone line.
• Some of these tools have the option of performing
  a dictionary attack
• To support the security policy of no
  unauthorized devices are to be attached to the
  data and telephone network.
• Companies perform war dialing on their own
  network
• Some PBX phone systems have the capability to
  detect modem signals on analog phone lines and
  audit/record their usage.
• Configuring the modem to answer on the fourth
  ring or higher
• attackers may not be able to tell that the
  telephone line is actually being used for remote
  data access.

5
ISDN

• Integrated Services Digital Network (ISDN) enable
  data, voice, and other types of traffic to travel
  over a medium in a digital manner that was
  previously used only for analog voice
  transmission.
• Provides a digital point-to-point
  circuit-switched medium and establishes a circuit
  between the two communicating devices.
• ISDN provides two basic home and business
  services Basic Rate Interface (BRI) and Primary
  Rate Interface (PRI)
• BRI has two B channels that enable data to be
  transferred and one D channel that provides for
  call setup, connection management, error control,
  caller ID, etc. The bandwidth is 144 Kbps.
• PRI has 23 B channels and one D channel, is more
  commonly used in corporations. The bandwidth is
  equivalent to a T1, which is 1.544 Mbps
• ISDN is not usually the primary
  telecommunications connection for companies, but
  it can be used as a backup.

6
DSL

• Digital Subscriber Line (DSL) is a high-speed
  connection technology used to connect a home or
  business to the service providers central
  office.
• uses all of the available frequencies that are
  available on a voice-grade UTP line
• Always connected
• provide up to 52-Mbps transmission speed
• have to be within a 2.5-mile radius of the DSL
  service providers equipment. As the distance
  between a residence and the central office
  increases, the transmission rates for DSL
  decrease.
• DSL offers
• Symmetric services (SDSL)
• Asymmetric services (ADSL)
• ISDN DSL (IDSL)
• High-bit-rate DSL (HDSL)

7
Cable Modem

• Cable modems provide high-speed access, up to 50
  Mbps, to the Internet through existing cable
  coaxial and fiber lines.
• Coaxial and fiber cables are used to deliver
  hundreds of television stations to users, and one
  or more of the channels on these lines are
  dedicated to carrying data.
• Always connected
• The bandwidth is shared between users in a local
  area therefore, it will not always stay at a
  static rate.
• Sharing the same media brings up security
  concerns, because users with network sniffers can
  easily view their neighbors traffic and data
• Many cable companies are now encrypting the data

8
VPN (1)

• A virtual private network (VPN) is a secure,
  private connection
• through a public network

9
VPN (2)

• Remote users can use VPNs to connect to their
  company network to
• access their e-mail, network resources, and
  corporate assets.
• A remote user must have VPN client installed to
  use a VPN.
• The user first makes a PPP connection to an ISP,
  and the ISP makes a full connection for the user
  to the destination network. (VPN server)
• PPP encapsulates datagrams to be properly
  transmitted over a telecommunication link.
• Once this connection has been made, the users
  software initiates a VPN connection with the
  destination network.
• the two entities go through a handshaking phase
  to agree upon the type of encryption that will be
  used and the key.

10
VPN (3) Tunneling

• Tunneling is how the VPN creates its private
  connection
• A tunnel is a virtual path across a network that
  delivers packets that are encapsulated and
  possibly encrypted.
• E.g.1 When an Ethernet network is connected to an
  FDDI backbone, that FDDI network does not
  understand the Ethernet frame format thus, the
  packets must be encapsulated within the FDDI
  protocol when they are sent over the FDDI
  network.
• E.g.2 If two networks use IPX and need to
  communicate across the Internet, these messages
  must also be encapsulated in a protocol that the
  Internet can understand, such as IP.

11
VPN (4) PPP

• Point-to-Point Protocol (PPP) allows TCP/IP
  traffic to be transmitted over a medium that was
  developed for telephone voice data.
• PPP needs to encapsulated the data traffic before
  it is put onto telephone link.
• PPP can authenticate to a network authentication
  server
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol
  (CHAP)
• Extensible Authentication Protocol (EAP)
• Since PPP frames are not routable over Internet,
  another tunneling protocol ( PPTP, L2TP, and
  IPSec) must encapsulate the PPP data in IP
  packets and tunnel it through the Internet to the
  corporate network. (three tunneling protocols
  will be covered in a moment)

12
VPN (5) PPP authentication

• Password Authentication Protocol (PAP)
• The password / username credentials are sent over
  the network to the authentication server via PPP
• The authentication server has a database of user
  credentials that are compared to the supplied
  credentials to authenticate users.
• the credentials are sent in cleartext ? the least
  secure authentication methods

13
VPN (6) PPP authentication

• Challenge Handshake Authentication Protocol
  (CHAP)
• uses a challenge/response mechanism to
  authenticate the user instead of sending a
  password.

14
VPN (7) PPP authentication

• Extensible Authentication Protocol (EAP)
• provides a framework to enable many types of
  authentication techniques to be used during PPP
  connections.
• extends the authentication possibilities from PAP
  and CHAP to other methods such as one-time
  passwords, token cards, biometrics, Kerberos.
• When a user dials into an authentication server
  and both have EAP capabilities, they can
  negotiate between a list of possible
  authentication methods.

15
VPN (8) Three main tunneling protocols

• Three main tunneling protocols are used in VPN
  connections
• Point-to-Point Tunneling Protocol (PPTP)
• L2TP
• IPSec
• These tunneling protocols reduce the cost of
  remote dial-up networking
• the user can dial into a local ISP instead of
  dialing directly to the corporate network

16
(No Transcript)
17
VPN (9) Point-to-Point Tunneling Protocol

• PPTP, a Microsoft protocol, allows remote users
  to set up a PPP connection to a local ISP and
  then create a secure VPN to their destination.
• PPTP has been the de facto industry-standard
  tunneling protocol for years
• The new de facto standard for VPNs is IPSec
• The users data is encapsulated within PPP, and
  then this PPP frame is encapsulated by PPTP. This
  encapsulation allows the resulting frame to be
  routable over Internet.
• When using PPTP, the PPP payload is encrypted.
  The keys are generated during the authentication
  process between the user and the authentication
  server.
• Limitation PPTP can work only over IP networks

18
PPTP Frame
19
VPN (10) Layer 2 Tunneling Protocol (L2TP)

• Cisco developed Layer 2 Tunneling Protocol (L2TP)
  would tunnel PPP traffic through other types of
  networks (frame relay, X.25, and ATM) other than
  just IP network)
• provides a higher level of security when combined
  with IPSec.
• supports TACACS and RADIUS

20
VPN (11) IPSec

• In IPSec, more than one security protocol can be
  applied to a packet.
• IPSec can also be configured to provide iterated
  tunneling, in which an IPSec tunnel is tunneled
  through another IPSec tunnel.
• Why do we need iterated tunneling ?
• if the traffic needed different levels of
  protection at different junctions of its path.

21
Index

• Remote Access
• Wireless Technologies

22
Wireless Technologies (1)

• Wireless communication involves transmitting
  signals via radio waves through air and space
• television transmissions, cellular phones,
  satellite transmissions, spying, surveillance,
  and garage door openers,
• frequency and amplitudes
• Signals are measured in frequency and amplitudes.
  
• The frequency dictates how much data can be
  carried and how far.
• The higher the frequency, the more data the
  signal can carry
• The higher the frequency, the more susceptible
  the signal is to atmospheric interference. (more
  like light, which will be blocked by obstacles)
• High frequency equipments are more expensive

23
Wireless Technologies (2)

• In wireless technologies, each device must share
  the allotted radio frequency spectrum with all
  other wireless devices that need to communicate.
• only one computer can send data at any given
  time, otherwise a collision can take place.
• Ethernet LAN employs the CSMA/CD (collision
  detection) technology. Wireless technology is
  very similar to Ethernet but it uses CSMA/CA
  (collision avoidance).
• Two different types of spread spectrum
  techniques
• frequency hopping
• Direct sequence

24
Wireless Technologies (3)

• Frequency Hopping Spread Spectrum (FHSS) takes
  the total amount of bandwidth (spectrum) and
  splits it into smaller subchannels.
• The sender and receiver work at one of these
  channels for a specific amount of time and then
  move to another channel.
• Hop sequence the FHSS algorithm determines the
  individual frequencies that will be used and in
  what order
• reduce the probability of interference
• difficult for eavesdropping

25
Wireless Technologies (4)

• Direct Sequence Spread Spectrum (DSSS)
• the sender combines the data with the chipping
  sequence, the new form of the information is
  modulated with a radio carrier signal, and it is
  shifted to the necessary frequency and
  transmitted.
• The receiver has to know the correct chipping
  sequence to change the received data into its
  original format.
• the sender and receiver must be properly
  synchronized.
• the sequence of how the chips are applied is
  referred to as the chipping code.

26
Wireless Technologies (5)
FHSS DSSS
uses only a portion of the total bandwidth available at any one time uses all of the available bandwidth continuously.
uses a narrow band carrier spreads the signals over a wider frequency band
higher data throughput and more security
27
WLAN (1)

• Infrastructure WLAN
• Wireless devices communicate with AP over the
  same channel.
• The AP and wireless devices form a basic service
  set (BSS), which has a SSID.
• Access point (AP) is a transceiver, usually
  connects to wired networks
• Ad hoc WLAN
• no AP
• the wireless devices communicate with each other
  through their wireless NICs

28
WLAN (2)

• IEEE created several task groups to work on
  specific areas within wireless communications.
• IEEE 802.11 project
• The first WLAN standard, 802.11 was developed in
  1997
• Uses FHSS
• works in the 2.4-GHz (unlicensed) frequency range
• provides 12 Mbps transfer rate

29
WLAN (3)

• 802.11b
• Uses DSSS
• works in the 2.4-GHz (unlicensed) frequency range
• provides up to 11 Mbps transfer rate
• The most common standard used today
• 802.11a
• Uses use the orthogonal frequency division
  multiplexing (OFDM) modulation scheme
• works in the 5-GHz frequency range
• provides up to 54 Mbps transfer rate, but covers
  smaller range

30
WLAN (4)

• 802.11e
• provided QoS and proper support of multimedia
  traffic.
• QoS provides the capability to prioritize
  traffic, and it affords guaranteed delivery
• 802.11f
• Roaming as the user moves out of the range of the
  first AP, another AP needs to pick up and
  maintain her signal
• 802.11f outlines how authentication and other
  necessary information can be properly shared
  among different APs during roaming

31
WLAN (5)

• 802.11g
• A speed extension for 802.11b, backward
  compatible with 802.11b
• provides up to 54 Mbps transfer rate
• works in the 2.4-GHz (unlicensed) frequency range
• 802.11h
• builds upon the 802.11a specification to meet the
  requirements of European wireless rules

32
Security in WLAN (1)

• Security in WLAN
• Open system authentication (OSA)
• Wired Equivalent Privacy (WEP)
• Extensible Authentication Protocol (EAP)
• Open system authentication (OSA)
• Does not require the wireless device to prove to
  the AP that it has a specific cryptographic key
  for authentication.
• In many cases, the wireless device needs to
  provide only the correct SSID value.
• Some APs are configured to broadcast their SSIDs
• All transactions are in clear text

33
Security in WLAN (2)

• Shared key authentication (SKA)
• The wireless device is authenticated to the AP by
  proving that it has the necessary encryption key.
  
• The AP sends a random value to the wireless
  device.
• The device encrypts this value with its
  cryptographic key and returns it.
• The AP decrypts and extracts the response, and if
  it is the same as the original value, the device
  is authenticated.
• SKA Is based on the Wired Equivalent Privacy
  (WEP) protocol
• Enables data transfers to be encrypted.
• Note WEP is usually disabled by default on the
  commonly purchased wireless AP devices.

34
Security in WLAN (3)

• Extensible Authentication Protocol (EAP)
• The use of Extensible Authentication Protocol
  (EAP) and 802.1X to enforce user authentication
  and mutual authentication has been integrated
  into 802.11i.
• Message Integrity Code (MIC) is integrated to
  detect modifications of bits during transmission
• The Temporal Key Integrity Protocol (TKIP)
  generates random values that are used in the
  encryption process
• Includes the new Advanced Encryption Standard
  (AES) algorithm

35
Security in WLAN (4) 802.11i

• 802.11i documents a wide range of security flaws
  in old WLAN standards
• No user authentication
• no mutual authentication between the wireless
  device and AP
• rogue APs can be erected
• Wireless traffic can be easily sniffed, data can
  be modified during transmission without the
  receiver being notified
• a flawed encryption protocol
• encrypted wireless traffic to be easily broken
  with downloadable tools

36
Security in WLAN (5) 802.11i

• The 802.11i standard employs two different
  approaches
• Temporal Key Integrity Protocol (TKIP) works with
  WEP by feeding it keying material, which is data
  to be used for generating new dynamic keys.
• More complexity is added to the key generation
  process
• only need to obtain firmware or software updates
  instead of purchasing new equipment for this type
  of protection.
• CCM Protocol (CCMP)
• The use of AES algorithm in counter mode with
  CBC-MAC (CCM)
• The AES is a much stronger algorithm than RC4

37
Security in WLAN (6) TKIP

• TKIP addresses the deficiencies of WEP pertaining
  to static WEP
• keys and inadequate use of IV values.
• Provides the ability to rotate encryption keys to
  fight against attacks
• increases the length of the IV value and ensures
  that each and every frame has a different IV
  value.
• The changing IV values and resulting keys make
  the resulting key stream less predictable
• Deals with the integrity issues by using a MIC
  instead of an ICV function.
• A symmetric key is used with a hashing function,
  which is similar to a CRC function but stronger.
• The use of MIC instead of ICV ensures that the
  receiver will be properly alerted if changes to
  the frame take place during transmission.

38
Security in WLAN (7) 802.1X

• The 802.1X standard is a port-based network
  access control
• ensures that a user cannot make a full network
  connection until he is properly authenticated.
• 802.11i is the lower layer contains the improved
  encryption algorithms (TKIP and CCMP). 802.1X
  contains the layer that resides on top of it .
• 802.1X provides an authentication framework and a
  method of dynamically distributing encryption
  keys
• the supplicant (wireless device)
• the authenticator (AP)
• the authentication server (usually a RADIUS
  server).

39
Security in WLAN (8) 802.1X

• 802.1X provides the framework that allows for the
  different EAP
• modules to be added by a network administrator.
• The two entities (supplicant and authenticator)
  agree upon one of these authentication methods
  (EAP modules) during their initial handshaking
  process.
• Cisco uses a purely password-based authentication
  framework called Lightweight Extensible
  Authentication Protocol (LEAP).
• Other vendors, including Microsoft, use EAP and
  Transport Layer Security (EAP-TLS), which carries
  out authentication through digital certificates.
• Another choice is Protective EAP (PEAP), where
  only the server uses a digital certificate.

40
other wireless standards (1)

• Some other wireless standards
• The 802.11j task group has been working on
  bringing together many of the different standards
  and streamlining their development to allow for
  better interoperability across borders.
• 802.11n is designed to be much faster
• throughput gt 100 Mbps, uses multiple input,
  multiple output (MIMO) to increase the
  throughput.
• two receive and two transmit antennas to
  broadcast in parallel using a 20-MHz channel.
• works at the same frequency range of 802.11a (5
  GHz)

41
other wireless standards (2)

• 802.16 is a metropolitan area network (MAN)
  wireless standard broadband wireless access
• cover a much wider geographical area.
• 802.15 is a wireless personal area network (WPAN)
  standard
• allows for connectivity to take place among local
  devices
• The Bluetooth wireless technology is a portion of
  the 802.15 standard.
• has a 13 Mbps transfer rate
• works in a range of approximately ten meters.
• Security risks when transferring unprotected data
  via Bluetooth in a public area
• In Bluejacking attack, someone sends an
  unsolicited message to a device that is Bluetooth
  enabled.

42
WAP (1)

• Wireless Application Protocol (WAP) is a de facto
• market and industry-driven protocol stack.
• standardizes the way that wireless devices
  interface with each other and the Internet
• Why do we need WAP?
• performs similar functionalities to those
  performed by protocols in the TCP/IP stack.
• E.g., Wireless Markup Language (WML), Wireless
  Transport Layer Security (WTLS)

43
WAP (2)

• WTLS works similarly to SSL/TLS, by encrypting
  data and allowing for authentication to take
  place between the communicating devices.
• WTLS has three classes that define how
  authentication takes place
• Class 1 Anonymous authentication
• Class 2 Server authentication
• Class 3 Two-way client and server authentication

44
WAP (3)

• A gateway is required to translate between WAP
  and the Internets protocols and application
  types
• Gap in the WAP at the service providers
  gateway, WTLS encrypted data will be decrypted at
  the service providers site and then encrypted
  with SSL or TLS ? for a second or two, the data
  is not protected.

45
WAP (4)

• The newer version of WAP is WAP2
• WAP2 is used mainly in North America
• Another wireless protocol stack i-Mode was
  developed by a company in Japan NTT DoCoMo
• Used in Japan and is currently spreading
  throughout Asia and parts of Europe

46
Mobile Phone Security

• Mobile Phone can connect to computers and
  networks, and thus are new entry points for
  malicious activities.
• should include this new technology and source of
  security breaches into their policies and
  security program.
• Cell phone cloning
• A regular cell phone can be stolen and then
  reprogrammed with
• Someone elses access credentials. This is a
  common activity used
• by organized crime rings
• Rouge base stations
• When a cell phone sends authentication data to
  this rouge base station, the attacker captures it
  and can now use it to authenticate and gain
  unauthorized access to the cellular network.

47
War Driving for WLANs (1)

• War driving attackers who drive around looking
  for wireless LANs to intercept

48
War Driving for WLANs (2)

• Tools for war driving
• Sniffer Kismet and NetStumbler
• WEP craker Airsnarf, AirSnort, and WEPCrack
• How to prevent war driving?
• the best practices pertaining to WLAN
  implementations (P569) -- (You should be able to
  list a few of them)