Title: Chapter 7: Telecommunications and Networking Security (Part C)
Chapter 7 Telecommunications and Networking Security (Part C)
- Remote Access
- Wireless Technologies
Remote Access
- Remote access enables remote and home users to connect to networks that grant them access to network resources.
- The most common types of remote connectivity methods:
  - Dial-up connections
  - VPNs
  - ISDN
  - Cable modems
  - DSL
Dial-Up and RAS (1)
- Users dial into a Remote Access Service (RAS) server, which performs authentication by comparing the provided credentials with the database of credentials it maintains.
- Steps:
  - A request for a username and password takes place.
  - The RAS may hang up the call and call the user back at a predefined phone number, to ensure that only authenticated users are given access to the network.
- If a company has not implemented any (or strong) access control over the RAS, attackers can easily walk into its network without ever having to bother with the firewall.
Dial-Up and RAS (2)
- War dialing is used by many attackers to identify remote access modems.
  - Program tools can be used to dial a large bank of phone numbers.
  - The tools log valid data connections (modems used for data transmission) and attempt to identify the system on the other end of the phone line.
  - Some of these tools have the option of performing a dictionary attack.
- To support the security policy that no unauthorized devices are to be attached to the data and telephone network, companies perform war dialing on their own network.
- Some PBX phone systems have the capability to detect modem signals on analog phone lines and audit/record their usage.
- Configuring the modem to answer on the fourth ring or higher: attackers may not be able to tell that the telephone line is actually being used for remote data access.
ISDN
- Integrated Services Digital Network (ISDN) enables data, voice, and other types of traffic to travel in a digital manner over a medium that was previously used only for analog voice transmission.
- Provides a digital point-to-point circuit-switched medium and establishes a circuit between the two communicating devices.
- ISDN provides two basic home and business services: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
  - BRI has two B channels that enable data to be transferred and one D channel that provides for call setup, connection management, error control, caller ID, etc. The bandwidth is 144 Kbps.
  - PRI has 23 B channels and one D channel and is more commonly used in corporations. The bandwidth is equivalent to a T1, which is 1.544 Mbps.
- ISDN is not usually the primary telecommunications connection for companies, but it can be used as a backup.
DSL
- Digital Subscriber Line (DSL) is a high-speed connection technology used to connect a home or business to the service provider's central office.
- Uses all of the frequencies available on a voice-grade UTP line.
- Always connected.
- Provides up to 52-Mbps transmission speed.
- Subscribers have to be within a 2.5-mile radius of the DSL service provider's equipment. As the distance between a residence and the central office increases, the transmission rates for DSL decrease.
- DSL offers:
  - Symmetric services (SDSL)
  - Asymmetric services (ADSL)
  - ISDN DSL (IDSL)
  - High-bit-rate DSL (HDSL)
Cable Modem
- Cable modems provide high-speed access, up to 50 Mbps, to the Internet through existing cable coaxial and fiber lines.
- Coaxial and fiber cables are used to deliver hundreds of television stations to users, and one or more of the channels on these lines are dedicated to carrying data.
- Always connected.
- The bandwidth is shared between users in a local area; therefore, it will not always stay at a static rate.
- Sharing the same media brings up security concerns, because users with network sniffers can easily view their neighbors' traffic and data.
- Many cable companies are now encrypting the data.
VPN (1)
- A virtual private network (VPN) is a secure, private connection through a public network.
VPN (2)
- Remote users can use VPNs to connect to their company network to access their e-mail, network resources, and corporate assets.
- A remote user must have a VPN client installed to use a VPN.
- The user first makes a PPP connection to an ISP, and the ISP makes a full connection for the user to the destination network (VPN server).
  - PPP encapsulates datagrams to be properly transmitted over a telecommunication link.
- Once this connection has been made, the user's software initiates a VPN connection with the destination network.
  - The two entities go through a handshaking phase to agree upon the type of encryption that will be used and the key.
VPN (3) Tunneling
- Tunneling is how the VPN creates its private connection.
- A tunnel is a virtual path across a network that delivers packets that are encapsulated and possibly encrypted.
- E.g. 1: When an Ethernet network is connected to an FDDI backbone, the FDDI network does not understand the Ethernet frame format; thus, the packets must be encapsulated within the FDDI protocol when they are sent over the FDDI network.
- E.g. 2: If two networks use IPX and need to communicate across the Internet, these messages must also be encapsulated in a protocol that the Internet can understand, such as IP.
VPN (4) PPP
- Point-to-Point Protocol (PPP) allows TCP/IP traffic to be transmitted over a medium that was developed for telephone voice data.
- PPP needs to encapsulate the data traffic before it is put onto the telephone link.
- PPP can authenticate to a network authentication server using:
  - Password Authentication Protocol (PAP)
  - Challenge Handshake Authentication Protocol (CHAP)
  - Extensible Authentication Protocol (EAP)
- Since PPP frames are not routable over the Internet, another tunneling protocol (PPTP, L2TP, or IPSec) must encapsulate the PPP data in IP packets and tunnel it through the Internet to the corporate network. (The three tunneling protocols will be covered in a moment.)
VPN (5) PPP authentication
- Password Authentication Protocol (PAP)
  - The username/password credentials are sent over the network to the authentication server via PPP.
  - The authentication server has a database of user credentials that are compared to the supplied credentials to authenticate users.
  - The credentials are sent in cleartext, which makes PAP the least secure of the authentication methods.
VPN (6) PPP authentication
- Challenge Handshake Authentication Protocol (CHAP)
  - Uses a challenge/response mechanism to authenticate the user instead of sending a password.
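The PAP and CHAP exchanges side by side, as an added Python example that is not part of the slides. CHAP's response is computed as RFC 1994 specifies (MD5 over Identifier || secret || Challenge Value); the user name, secret, link-observer model and `demo` function are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed credential store held by the authentication server.
USER_DB = {"alice": b"correct-horse-battery"}

def pap_client(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the peer transmits its credentials as-is."""
    return {"user": username, "password": password}

def pap_server(msg: dict) -> bool:
    """PAP: the server compares the received password with its database."""
    return USER_DB.get(msg["user"]) == msg["password"]

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_server_challenge(identifier: int) -> dict:
    """The server opens with a fresh, unpredictable challenge."""
    return {"id": identifier, "challenge": os.urandom(16)}

def chap_client(username: str, secret: bytes, chal: dict) -> dict:
    """The peer hashes the challenge with its secret; the secret never crosses the link."""
    return {"id": chal["id"], "user": username,
            "response": chap_response(chal["id"], secret, chal["challenge"])}

def chap_server_verify(chal: dict, resp: dict) -> bool:
    """The server recomputes the hash from its own copy of the secret and compares."""
    secret = USER_DB.get(resp["user"])
    if secret is None or resp["id"] != chal["id"]:
        return False
    expected = chap_response(chal["id"], secret, chal["challenge"])
    return hmac.compare_digest(expected, resp["response"])

def observer_sees_password(link_msgs: list) -> bool:
    """Eavesdropper model: does any message on the link carry a valid password itself?"""
    return any(m.get("user") in USER_DB and USER_DB[m["user"]] == m.get("password")
               for m in link_msgs)

def demo() -> dict:
    """Run a PAP and a CHAP exchange and report what the link exposes."""
    pap_msg = pap_client("alice", USER_DB["alice"])
    chal = chap_server_challenge(identifier=1)
    resp = chap_client("alice", USER_DB["alice"], chal)
    # Replaying the recorded response against a later challenge: the hash is bound
    # to the earlier challenge value, so the server must reject it.
    chal2 = chap_server_challenge(identifier=2)
    replayed = dict(resp, id=chal2["id"])
    return {
        "pap_ok": pap_server(pap_msg),
        "pap_password_on_link": observer_sees_password([pap_msg]),
        "chap_ok": chap_server_verify(chal, resp),
        "chap_password_on_link": observer_sees_password([chal, resp]),
        "chap_replay_ok": chap_server_verify(chal2, replayed),
    }
```

CHAP's advantage over PAP holds only while the challenge is unpredictable and never reused; the server still has to hold the cleartext secret to recompute the hash.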
VPN (7) PPP authentication
- Extensible Authentication Protocol (EAP)
  - Provides a framework to enable many types of authentication techniques to be used during PPP connections.
  - Extends the authentication possibilities from PAP and CHAP to other methods such as one-time passwords, token cards, biometrics, and Kerberos.
  - When a user dials into an authentication server and both have EAP capabilities, they can negotiate between a list of possible authentication methods.
VPN (8) Three main tunneling protocols
- Three main tunneling protocols are used in VPN connections:
  - Point-to-Point Tunneling Protocol (PPTP)
  - L2TP
  - IPSec
- These tunneling protocols reduce the cost of remote dial-up networking: the user can dial into a local ISP instead of dialing directly to the corporate network.
VPN (9) Point-to-Point Tunneling Protocol
- PPTP, a Microsoft protocol, allows remote users to set up a PPP connection to a local ISP and then create a secure VPN to their destination.
- PPTP has been the de facto industry-standard tunneling protocol for years.
  - The new de facto standard for VPNs is IPSec.
- The user's data is encapsulated within PPP, and then this PPP frame is encapsulated by PPTP. This encapsulation allows the resulting frame to be routable over the Internet.
- When using PPTP, the PPP payload is encrypted. The keys are generated during the authentication process between the user and the authentication server.
- Limitation: PPTP can work only over IP networks.
PPTP Frame
VPN (10) Layer 2 Tunneling Protocol (L2TP)
- Cisco developed Layer 2 Tunneling Protocol (L2TP) to tunnel PPP traffic through other types of networks (frame relay, X.25, and ATM), not just IP networks.
- Provides a higher level of security when combined with IPSec.
- Supports TACACS and RADIUS.
VPN (11) IPSec
- In IPSec, more than one security protocol can be applied to a packet.
- IPSec can also be configured to provide iterated tunneling, in which an IPSec tunnel is tunneled through another IPSec tunnel.
- Why do we need iterated tunneling? When the traffic needs different levels of protection at different junctions of its path.
Index
- Remote Access
- Wireless Technologies
Wireless Technologies (1)
- Wireless communication involves transmitting signals via radio waves through air and space.
  - Television transmissions, cellular phones, satellite transmissions, spying, surveillance, and garage door openers.
- Frequency and amplitude
  - Signals are measured in frequency and amplitude.
  - The frequency dictates how much data can be carried and how far.
  - The higher the frequency, the more data the signal can carry.
  - The higher the frequency, the more susceptible the signal is to atmospheric interference (more like light, which will be blocked by obstacles).
  - High-frequency equipment is more expensive.
Wireless Technologies (2)
- In wireless technologies, each device must share the allotted radio frequency spectrum with all other wireless devices that need to communicate.
  - Only one computer can send data at any given time; otherwise a collision can take place.
  - An Ethernet LAN employs CSMA/CD (collision detection). Wireless technology is very similar to Ethernet, but it uses CSMA/CA (collision avoidance).
- Two different types of spread spectrum techniques:
  - Frequency hopping
  - Direct sequence
Wireless Technologies (3)
- Frequency Hopping Spread Spectrum (FHSS) takes the total amount of bandwidth (spectrum) and splits it into smaller subchannels.
  - The sender and receiver work at one of these channels for a specific amount of time and then move to another channel.
  - Hop sequence: the FHSS algorithm determines the individual frequencies that will be used and in what order.
  - Reduces the probability of interference.
  - Makes eavesdropping difficult.
Wireless Technologies (4)
- Direct Sequence Spread Spectrum (DSSS)
  - The sender combines the data with the chipping sequence; the new form of the information is modulated with a radio carrier signal, shifted to the necessary frequency, and transmitted.
  - The receiver has to know the correct chipping sequence to change the received data into its original format.
  - The sender and receiver must be properly synchronized.
  - The sequence of how the chips are applied is referred to as the chipping code.
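Spreading and despreading with a chipping code, as an added Python example not taken from the slides. It uses the 11-chip Barker sequence that 802.11 DSSS uses, and goes slightly beyond the slide by showing what happens when chips are corrupted in transit and when the receiver is out of phase with the sender; the data bits, noise positions and `demo` function are constructed.

```python
# 11-chip Barker code used by 802.11 DSSS as the chipping sequence.
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]

def spread(bits, chips=BARKER_11):
    """Sender: XOR each data bit with every chip of the code, so one bit becomes
    len(chips) chips (bit 0 -> the code itself, bit 1 -> the inverted code)."""
    return [b ^ c for b in bits for c in chips]

def correlate(symbol, chips):
    """Receiver's correlator: +1 per matching chip, -1 per mismatch.
    A synchronized receiver sees +len(chips) for bit 0 and -len(chips) for bit 1."""
    return sum(1 if s == c else -1 for s, c in zip(symbol, chips))

def despread(chipstream, chips=BARKER_11):
    """Receiver: cut the chip stream into symbols, correlate each with its own copy
    of the chipping code, and decide the bit from the sign of the correlation.
    Returns (decoded_bits, correlations)."""
    n = len(chips)
    bits, corrs = [], []
    for i in range(0, len(chipstream) - n + 1, n):
        corr = correlate(chipstream[i:i + n], chips)
        corrs.append(corr)
        bits.append(0 if corr > 0 else 1)
    return bits, corrs

def flip_chips(chipstream, positions):
    """Constructed channel noise: invert the chips at the given positions."""
    out = list(chipstream)
    for p in positions:
        out[p] ^= 1
    return out

def rotate(seq, k):
    """The same code shifted by k chips: a receiver that lost synchronization."""
    return seq[k:] + seq[:k]

def demo() -> dict:
    data = [1, 0, 1, 1, 0, 0, 1, 0]           # constructed payload bits
    tx = spread(data)                          # 8 bits -> 88 chips
    clean_bits, clean_corr = despread(tx)
    # Up to three corrupted chips per symbol still leave a clear majority.
    noisy_bits, noisy_corr = despread(flip_chips(tx, [0, 5, 13, 40, 41, 42, 87]))
    # Barker-11 has periodic autocorrelation -1 at every non-zero shift, so a
    # desynchronized receiver sees correlations of only +/-1 and cannot recover the data.
    desync_bits, desync_corr = despread(tx, rotate(BARKER_11, 1))
    return {
        "chips_per_bit": len(BARKER_11),
        "clean_ok": clean_bits == data,
        "clean_corr": clean_corr,
        "noisy_ok": noisy_bits == data,
        "noisy_min_abs_corr": min(abs(c) for c in noisy_corr),
        "desync_ok": desync_bits == data,
        "desync_max_abs_corr": max(abs(c) for c in desync_corr),
    }
```

A real receiver would also reject symbols whose correlation magnitude is far below the code length, which is what makes the desynchronized case detectable rather than silently wrong.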
Wireless Technologies (5)
- FHSS vs. DSSS
  - FHSS uses only a portion of the total bandwidth available at any one time; DSSS uses all of the available bandwidth continuously.
  - FHSS uses a narrow-band carrier; DSSS spreads the signals over a wider frequency band.
  - DSSS provides higher data throughput and more security.
WLAN (1)
- Infrastructure WLAN
  - Wireless devices communicate with the AP over the same channel.
  - The AP and wireless devices form a basic service set (BSS), which has an SSID.
  - An access point (AP) is a transceiver, usually connected to a wired network.
- Ad hoc WLAN
  - No AP.
  - The wireless devices communicate with each other through their wireless NICs.
WLAN (2)
- IEEE created several task groups to work on specific areas within wireless communications.
- IEEE 802.11 project
  - The first WLAN standard, 802.11, was developed in 1997.
  - Uses FHSS.
  - Works in the 2.4-GHz (unlicensed) frequency range.
  - Provides a 1-2 Mbps transfer rate.
WLAN (3)
- 802.11b
  - Uses DSSS.
  - Works in the 2.4-GHz (unlicensed) frequency range.
  - Provides up to 11 Mbps transfer rate.
  - The most common standard used today.
- 802.11a
  - Uses the orthogonal frequency division multiplexing (OFDM) modulation scheme.
  - Works in the 5-GHz frequency range.
  - Provides up to 54 Mbps transfer rate, but covers a smaller range.
WLAN (4)
- 802.11e
  - Provides QoS and proper support of multimedia traffic.
  - QoS provides the capability to prioritize traffic, and it affords guaranteed delivery.
- 802.11f
  - Roaming: as the user moves out of the range of the first AP, another AP needs to pick up and maintain her signal.
  - 802.11f outlines how authentication and other necessary information can be properly shared among different APs during roaming.
WLAN (5)
- 802.11g
  - A speed extension for 802.11b, backward compatible with 802.11b.
  - Provides up to 54 Mbps transfer rate.
  - Works in the 2.4-GHz (unlicensed) frequency range.
- 802.11h
  - Builds upon the 802.11a specification to meet the requirements of European wireless rules.
Security in WLAN (1)
- Security in WLAN
  - Open system authentication (OSA)
  - Wired Equivalent Privacy (WEP)
  - Extensible Authentication Protocol (EAP)
- Open system authentication (OSA)
  - Does not require the wireless device to prove to the AP that it has a specific cryptographic key for authentication.
  - In many cases, the wireless device needs to provide only the correct SSID value.
  - Some APs are configured to broadcast their SSIDs.
  - All transactions are in cleartext.
Security in WLAN (2)
- Shared key authentication (SKA)
  - The wireless device is authenticated to the AP by proving that it has the necessary encryption key.
  - The AP sends a random value to the wireless device.
  - The device encrypts this value with its cryptographic key and returns it.
  - The AP decrypts and extracts the response, and if it is the same as the original value, the device is authenticated.
  - SKA is based on the Wired Equivalent Privacy (WEP) protocol.
  - Enables data transfers to be encrypted.
- Note: WEP is usually disabled by default on the commonly purchased wireless AP devices.
Security in WLAN (3)
- Extensible Authentication Protocol (EAP)
  - The use of Extensible Authentication Protocol (EAP) and 802.1X to enforce user authentication and mutual authentication has been integrated into 802.11i.
  - A Message Integrity Code (MIC) is integrated to detect modifications of bits during transmission.
  - The Temporal Key Integrity Protocol (TKIP) generates random values that are used in the encryption process.
  - Includes the new Advanced Encryption Standard (AES) algorithm.
Security in WLAN (4) 802.11i
- 802.11i documents a wide range of security flaws in old WLAN standards:
  - No user authentication.
  - No mutual authentication between the wireless device and AP, so rogue APs can be erected.
  - Wireless traffic can be easily sniffed, and data can be modified during transmission without the receiver being notified.
  - A flawed encryption protocol: encrypted wireless traffic can be easily broken with downloadable tools.
Security in WLAN (5) 802.11i
- The 802.11i standard employs two different approaches:
- Temporal Key Integrity Protocol (TKIP) works with WEP by feeding it keying material, which is data to be used for generating new dynamic keys.
  - More complexity is added to the key generation process.
  - Only firmware or software updates are needed for this type of protection, instead of purchasing new equipment.
- CCM Protocol (CCMP)
  - The use of the AES algorithm in counter mode with CBC-MAC (CCM).
  - AES is a much stronger algorithm than RC4.
Security in WLAN (6) TKIP
- TKIP addresses the deficiencies of WEP pertaining to static WEP keys and inadequate use of IV values.
- Provides the ability to rotate encryption keys to fight against attacks.
- Increases the length of the IV value and ensures that each and every frame has a different IV value.
  - The changing IV values and resulting keys make the resulting key stream less predictable.
- Deals with the integrity issues by using a MIC instead of an ICV function.
  - A symmetric key is used with a hashing function, which is similar to a CRC function but stronger.
  - The use of MIC instead of ICV ensures that the receiver will be properly alerted if changes to the frame take place during transmission.
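Why an unkeyed ICV does not alert the receiver but a keyed MIC does, as an added Python example that is not from the slides. The ICV is CRC-32 as in WEP; HMAC stands in for TKIP's Michael MIC (the slide's "symmetric key used with a hashing function"); the keystream generator, MIC key, frame payload and `demo` function are constructed stand-ins, not WEP's RC4 or frame format.

```python
import hashlib
import hmac
import os
import zlib

# Constructed shared MIC key (stands in for TKIP's per-session MIC key).
MIC_KEY = os.urandom(16)

def keystream(seed: bytes, length: int) -> bytes:
    """Constructed stream-cipher model standing in for RC4 output: the frame is
    protected by XORing it with these bytes, as WEP XORs data||ICV."""
    out = b""
    for counter in range((length // 32) + 1):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP-style ICV: unkeyed CRC-32 over the plaintext (4 bytes)."""
    return zlib.crc32(data).to_bytes(4, "big")

def mic(data: bytes) -> bytes:
    """Keyed integrity check (HMAC stands in for TKIP's Michael MIC; 8 bytes)."""
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()[:8]

def protect(plain: bytes, checker, seed: bytes) -> bytes:
    """Sender: append the integrity value, then encrypt data||check."""
    body = plain + checker(plain)
    return xor(body, keystream(seed, len(body)))

def receive(cipher: bytes, seed: bytes, checker, check_len: int):
    """Receiver: decrypt, recompute the check, return the data or None on mismatch."""
    body = xor(cipher, keystream(seed, len(cipher)))
    data, check = body[:-check_len], body[-check_len:]
    return data if hmac.compare_digest(checker(data), check) else None

def modify_in_transit(cipher: bytes, delta: bytes, check_len: int) -> bytes:
    """Modification model that knows no key: XOR `delta` into the encrypted data and
    XOR crc32(delta) ^ crc32(zeros) into the encrypted check. CRC-32 is linear, so
    crc(d ^ delta) == crc(d) ^ crc(delta) ^ crc(0...0) and an unkeyed ICV stays
    consistent with the altered data; a keyed MIC obeys no such relation."""
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "big")
    n = len(cipher) - check_len
    return xor(cipher[:n], delta) + xor(cipher[n:], fix.ljust(check_len, b"\x00"))

def demo() -> dict:
    seed = os.urandom(16)                      # constructed per-frame key||IV
    original = b"meter_reading=0021"           # constructed frame payload
    altered = b"meter_reading=0091"            # same length, one digit changed
    delta = xor(original, altered)
    icv_frame = protect(original, icv, seed)
    mic_frame = protect(original, mic, seed)
    return {
        "icv_original": receive(icv_frame, seed, icv, 4),
        "icv_modified": receive(modify_in_transit(icv_frame, delta, 4), seed, icv, 4),
        "mic_original": receive(mic_frame, seed, mic, 8),
        "mic_modified": receive(modify_in_transit(mic_frame, delta, 8), seed, mic, 8),
    }
```

The ICV receiver accepts the altered frame as valid, which is exactly the "modified during transmission without the receiver being notified" flaw; the MIC receiver returns None and can raise the alert.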
Security in WLAN (7) 802.1X
- The 802.1X standard is a port-based network access control.
  - Ensures that a user cannot make a full network connection until he is properly authenticated.
- 802.11i is the lower layer and contains the improved encryption algorithms (TKIP and CCMP). 802.1X is the layer that resides on top of it.
- 802.1X provides an authentication framework and a method of dynamically distributing encryption keys between:
  - The supplicant (wireless device)
  - The authenticator (AP)
  - The authentication server (usually a RADIUS server)
Security in WLAN (8) 802.1X
- 802.1X provides the framework that allows for the different EAP modules to be added by a network administrator.
- The two entities (supplicant and authenticator) agree upon one of these authentication methods (EAP modules) during their initial handshaking process.
- Cisco uses a purely password-based authentication framework called Lightweight Extensible Authentication Protocol (LEAP).
- Other vendors, including Microsoft, use EAP and Transport Layer Security (EAP-TLS), which carries out authentication through digital certificates.
- Another choice is Protected EAP (PEAP), where only the server uses a digital certificate.
Other wireless standards (1)
- Some other wireless standards
- The 802.11j task group has been working on bringing together many of the different standards and streamlining their development to allow for better interoperability across borders.
- 802.11n is designed to be much faster.
  - Throughput > 100 Mbps; uses multiple input, multiple output (MIMO) to increase the throughput.
  - Two receive and two transmit antennas broadcast in parallel using a 20-MHz channel.
  - Works in the same frequency range as 802.11a (5 GHz).
Other wireless standards (2)
- 802.16 is a metropolitan area network (MAN) wireless standard for broadband wireless access.
  - Covers a much wider geographical area.
- 802.15 is a wireless personal area network (WPAN) standard.
  - Allows for connectivity to take place among local devices.
- The Bluetooth wireless technology is a portion of the 802.15 standard.
  - Has a 1-3 Mbps transfer rate.
  - Works in a range of approximately ten meters.
- Security risks when transferring unprotected data via Bluetooth in a public area.
  - In a Bluejacking attack, someone sends an unsolicited message to a device that is Bluetooth enabled.
WAP (1)
- Wireless Application Protocol (WAP) is a de facto, market- and industry-driven protocol stack.
  - Standardizes the way that wireless devices interface with each other and the Internet.
- Why do we need WAP?
  - Performs functionalities similar to those performed by protocols in the TCP/IP stack.
  - E.g., Wireless Markup Language (WML), Wireless Transport Layer Security (WTLS).
WAP (2)
- WTLS works similarly to SSL/TLS, by encrypting data and allowing for authentication to take place between the communicating devices.
- WTLS has three classes that define how authentication takes place:
  - Class 1: Anonymous authentication
  - Class 2: Server authentication
  - Class 3: Two-way client and server authentication
WAP (3)
- A gateway is required to translate between WAP and the Internet's protocols and application types.
- Gap in the WAP: at the service provider's gateway, WTLS-encrypted data is decrypted at the service provider's site and then encrypted with SSL or TLS, so for a second or two the data is not protected.
WAP (4)
- The newer version of WAP is WAP2.
  - WAP2 is used mainly in North America.
- Another wireless protocol stack, i-Mode, was developed by a company in Japan, NTT DoCoMo.
  - Used in Japan and is currently spreading throughout Asia and parts of Europe.
Mobile Phone Security
- Mobile phones can connect to computers and networks, and thus are new entry points for malicious activities.
  - Organizations should include this new technology and source of security breaches in their policies and security program.
- Cell phone cloning
  - A regular cell phone can be stolen and then reprogrammed with someone else's access credentials. This is a common activity used by organized crime rings.
- Rogue base stations
  - When a cell phone sends authentication data to this rogue base station, the attacker captures it and can now use it to authenticate and gain unauthorized access to the cellular network.
War Driving for WLANs (1)
- War driving: attackers who drive around looking for wireless LANs to intercept.
War Driving for WLANs (2)
- Tools for war driving
  - Sniffers: Kismet and NetStumbler
  - WEP crackers: Airsnarf, AirSnort, and WEPCrack
- How to prevent war driving?
  - The best practices pertaining to WLAN implementations (P569) -- (You should be able to list a few of them)