13 2 network security

Upload: christine-arthur

Post on 02-Jun-2018


TRANSCRIPT

  • 8/10/2019 13 2 Network Security

    1/67

    6/10/2011

    Network Security

    User Authentication

At the end of this lesson we will be able to

Explain methods of user authentication

Network+2009 Objective 6.4

What we will cover

Public Key Infrastructure (PKI)
Kerberos
Authentication, Authorization, Accounting (AAA)
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)

NETWORK AUTHENTICATION METHODS

In order to secure your network:

Verify who is connecting to your network: Authentication
Decide what they are allowed to do: Authorization
Log what they have done: Accounting

Usernames and passwords

Usernames: a unique identifier for each account. Never share one username between people, otherwise the accounting records cannot be tied to a person.

Passwords: complex passwords use lower and uppercase letters, numbers and special characters, and a minimum length is enforced.

Password protection:
Use a different password for every system
Use longer passwords (length adds more strength than extra symbol classes)
Use a combination of a-z, A-Z, 0-9 and special characters such as !@#$%^
Change frequently
Avoid reusing passwords

Note on "change frequently": this is 2009-era guidance. Current guidance (NIST SP 800-63B) recommends against forced periodic rotation, because it pushes users to predictable variations of the old password; change a password when there is evidence it was exposed, and screen new passwords against lists of known-breached passwords instead.

Strong passwords: balance the difficulty of remembering with complexity

Create one from the first letter of each word in a title or phrase (a passphrase)
Mix letter cases, add numbers and special characters
Do not use personal information

Authentication factors

Something you know: password, PIN
Something you have: security token, smart card
Something you are: fingerprint, retina

One-factor authentication

Something you know: the Windows logon dialog box, username and password
Something you are: a fingerprint reader used on its own

Two-factor authentication

Something you know PLUS something you have: a token plus a PIN
Something you know PLUS something you are: a password plus a fingerprint, voice print or retina scan

Two factors means two different categories. A password plus a "security question" is still only something you know, and a code sent to the same phone the login happens on weakens the something-you-have factor.

Three-factor authentication

Something you know + something you have + something you are

A PIN, a card, and a fingerprint

Two Minute Activity

Think of scenarios where you might use one-, two-, and three-factor authentication

Public Key Encryption

Cryptography: the science of encryption

Encryption: convert data to an unreadable format
Decryption: convert it back to a readable format
Algorithm: the procedure for encrypting or decrypting
Cipher: an encryption and decryption algorithm pair

The simple ROT13 cipher (each letter is rotated 13 places; applying it twice restores the plaintext)

Keys are used to encrypt or decrypt

Symmetric: the same key for encryption and decryption
Asymmetric: different keys for encryption and decryption

Symmetric encryption in action

Public key cryptography uses two keys

Two related keys: what one encrypts, only the other can decrypt
One is kept private, one is shared (public)
The keys are mathematically related

Asymmetric encryption in action

Public Key Cryptography Characteristics

It is mathematically difficult to derive the private key from the public key
Data encrypted with the public key can be decrypted only with the private key
Data encrypted with the private key can be decrypted only with the public key (this is the basis of digital signatures; in practice a hash of the data is signed, never the data itself)

Public Key Infrastructure (PKI)

Certificate authority (CA): signs certificates that bind a public key to an identity
Registration authority (RA): verifies the identity of the requester before the CA issues the certificate
Certificate server: stores and distributes issued certificates and revocation information

Setup and initialization phase

Registration
Key pair generation
Certificate generation
Certificate dissemination

Administration phase

Key storage
Certificate retrieval and validation
Backup or escrow
Recovery

Cancellation and history phase

Expiration
Renewal
Revocation / suspension
Destruction
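To tie the two preceding topics together (the "what one key encrypts, only the other decrypts" property, and the issue / validate / expire / revoke phases of the certificate life cycle), here is an added example that is not part of the deck. It uses textbook RSA with deliberately tiny, constructed primes so the arithmetic is visible; unpadded RSA on a 60-bit modulus is not secure and real PKI uses padded RSA (OAEP/PSS) or elliptic curves from a vetted library. The `ToyCA` class, its certificate format and the subject names are all assumptions made for the example.

```python
import hashlib
import json
from math import gcd

CA_PRIMES = (1000000007, 1000000009)       # known primes; real keys use ~1024-bit primes
SUBJECT_PRIMES = (998244353, 1000000021)   # a second, different key pair for the certificate subject


def make_keypair(p: int, q: int, e: int = 65537):
    """Key pair generation. Returns (public, private) as (n, exponent) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))


def apply_key(key, m: int) -> int:
    """m^exp mod n. The same operation encrypts, decrypts, signs and verifies;
    only the exponent differs, which is the 'what one key does, the other undoes' property."""
    n, exp = key
    return pow(m, exp, n)


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def digest_int(data: bytes, n: int) -> int:
    """Hash-then-sign: what actually gets signed is the hash of the data, reduced mod n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    return apply_key(private, digest_int(data, private[0]))


def verify(public, data: bytes, signature: int) -> bool:
    return apply_key(public, signature) == digest_int(data, public[0])


class ToyCA:
    """Issues, validates and revokes certificates, following the life-cycle phases above."""

    def __init__(self):
        self.public, self._private = make_keypair(*CA_PRIMES)
        self.revoked = set()        # revoked serial numbers: a toy certificate revocation list
        self.next_serial = 1

    def issue(self, subject: str, subject_public, not_before: int, not_after: int) -> dict:
        """Certificate generation: bind a subject name to its public key, signed by the CA."""
        body = {"serial": self.next_serial, "subject": subject,
                "public_key": list(subject_public),
                "not_before": not_before, "not_after": not_after}
        self.next_serial += 1
        return {"body": body, "signature": sign(self._private, canonical(body))}

    def revoke(self, cert: dict) -> None:
        self.revoked.add(cert["body"]["serial"])

    def validate(self, cert: dict, now: int) -> str:
        """Certificate validation: returns 'valid' or the reason it must not be trusted."""
        body = cert["body"]
        if not verify(self.public, canonical(body), cert["signature"]):
            return "bad signature"          # forged or altered after issue
        if now < body["not_before"]:
            return "not yet valid"
        if now > body["not_after"]:
            return "expired"
        if body["serial"] in self.revoked:
            return "revoked"
        return "valid"
```

The order of the checks in `validate` matters: the signature is verified first, so that an attacker cannot learn anything about the validity window or the revocation list from a certificate the CA never signed. Note also that revocation only works if the relying party actually fetches the revocation information; a validator that skips the CRL/OCSP step will keep accepting a revoked certificate until it expires.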

Kerberos is a network authentication protocol

Provides secure authentication over insecure networks
Protects against eavesdropping and replay attacks
Works by issuing tickets to users who log in
Authenticates users over an open multi-platform network using a single login

Kerberos authentication process

[Figure: the client authenticates to the Authentication Server (AS) and receives a ticket-granting ticket; it exchanges that at the Ticket-Granting Server (TGS) for a service ticket; it presents the service ticket, with a timestamped authenticator, to the application server]

Kerberos security weaknesses

Subject to brute-force attacks: a captured AS-REP or TGS-REP can be attacked offline, so weak passwords (service accounts in particular) fall quickly
Assumes all network devices are physically secure
Compromised passwords enable easy access to attackers
Vulnerable to DoS attacks (the KDC is a single point of failure: if it is unreachable, nobody can obtain tickets)
Clocks on authenticating devices need to be loosely synchronized (by default within 5 minutes), because the timestamps in tickets and authenticators are how replays are detected
Access to the AS allows an attacker to impersonate any authorized user, since the KDC holds every principal's key
Authenticating device identifiers (principal names) shouldn't be reused on a short-time basis
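The following added example, which is not part of the deck, simulates the exchange in the figure above in reduced form (the AS reply, then a ticket plus authenticator presented to the service) so that the eavesdropping, replay, clock-skew and brute-force points can be exercised. The cipher is a throw-away HMAC-SHA256 keystream with a MAC, and the string-to-key function is a plain SHA-256 of the password; both are assumptions made for the example, not Kerberos's real encryption types, and the TGS step is folded into the AS step for brevity.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300              # Kerberos default: clocks may differ by at most 5 minutes
TICKET_LIFETIME = 8 * 3600


def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key (assumption)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || tag (toy cipher)."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Authentication Server: holds every principal's long-term key."""

    def __init__(self, principal_keys: dict):
        self.keys = principal_keys

    def as_exchange(self, client: str, service: str, now: int) -> bytes:
        session_key = os.urandom(32).hex()
        # The ticket is sealed under the service's key: the client cannot read or alter it.
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key,
                                           "expires": now + TICKET_LIFETIME})
        # AS-REP: only the holder of the client's key can recover the session key and ticket.
        return seal(self.keys[client], {"session_key": session_key, "ticket": ticket.hex()})


def client_login(password: str, as_rep: bytes):
    rep = unseal(derive_key(password), as_rep)
    return bytes.fromhex(rep["session_key"]), bytes.fromhex(rep["ticket"])


def ap_req(client: str, session_key: bytes, ticket: bytes, now: int):
    """AP-REQ: the opaque ticket plus an authenticator proving the sender knows the session key now."""
    return ticket, seal(session_key, {"client": client, "timestamp": now})


class Service:
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()   # (client, timestamp) pairs already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        try:
            t = unseal(self.key, ticket)
            a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        except ValueError:
            return "integrity check failed"
        if now > t["expires"]:
            return "ticket expired"
        if a["client"] != t["client"]:
            return "authenticator does not match ticket"
        if abs(now - a["timestamp"]) > MAX_SKEW:
            return "clock skew too large"
        if (a["client"], a["timestamp"]) in self.replay_cache:   # real Kerberos keys on microseconds too
            return "replay detected"
        self.replay_cache.add((a["client"], a["timestamp"]))
        return "ok"


def offline_guess(as_rep: bytes, wordlist):
    """The brute-force weakness: whoever captured an AS-REP can test password
    guesses offline, with no lockout, until one decrypts it."""
    for guess in wordlist:
        try:
            unseal(derive_key(guess), as_rep)
            return guess
        except ValueError:
            continue
    return None
```

The replay cache only works because every authenticator carries a timestamp and the service rejects anything outside the skew window; without synchronized clocks the service would either accept stale authenticators or reject honest clients. Real Kerberos mitigates the offline-guessing weakness with pre-authentication (the client must prove knowledge of its key before the KDC hands out anything encrypted under it), which is why disabling pre-authentication on an account is a finding in most assessments.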

Authentication, Authorization, Accounting (AAA)

RADIUS and TACACS+ are the two common AAA protocols: a network device (switch, access point, VPN gateway, router) forwards the user's credentials to a central AAA server instead of keeping its own user database.

RADIUS (Remote Authentication Dial In User Service): provides authentication, authorization and accounting for wired and wireless network access; it is the server behind 802.1X. Runs over UDP (1812 for authentication, 1813 for accounting; legacy 1645/1646) and encrypts only the password attribute with the shared secret, so the rest of the packet, including the username, travels in the clear.

Terminal Access Controller Access-Control System Plus (TACACS+): Cisco's AAA protocol, used mainly for administrator access to network devices. Runs over TCP port 49, encrypts the whole packet body, and separates authentication, authorization and accounting so that per-command authorization is possible.

802.1x - Network Access Control

802.1X is port-based network access control: the switch or access point (the authenticator) keeps the port closed until the client (the supplicant) has authenticated, with EAP carried from the client to a RADIUS server.

Password Authentication Protocol (PAP)

PAP sends plain-text passwords over the network
Insecure; use only as a last resort, and then only inside an encrypted tunnel
Client sends username and password
Server responds with:
authentication-ACK (if credentials are OK)
authentication-NAK (otherwise)

Challenge Handshake Authentication Protocol (CHAP)

A three-way handshake: the server sends a random challenge, the client answers with MD5(identifier, secret, challenge), and the server replies Success or Failure. The password itself never crosses the wire, and a fresh challenge each time defeats simple replay. The server, however, must hold the secret in a recoverable form, and a captured challenge/response pair can be attacked offline with a dictionary.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

MS-CHAPv1 and MS-CHAPv2: Microsoft's variants, which use the NT password hash rather than a clear-text secret. MS-CHAPv2 adds mutual authentication, but its DES-based response can be recovered from a single captured exchange, so it should be used only inside a protected tunnel such as PEAP, or not at all.
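As an added example (not from the deck), the following shows what PAP and CHAP each put on the wire and why the CHAP improvement still depends on a strong secret. The CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge); the packet layout for PAP is simplified, and the identifier, secrets and word list are constructed for the example.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP: the credentials go in the clear (simplified layout); anyone on the path reads the password."""
    return bytes([len(username)]) + username.encode() + bytes([len(password)]) + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recomputes with the secret it stores, so the secret must be stored recoverably."""
    return hmac.compare_digest(chap_response(identifier, stored_secret, challenge), response)


def chap_exchange(server_secret: bytes, client_secret: bytes, challenge: bytes = None):
    """One CHAP round. Returns (success, transcript); the transcript is exactly what an
    eavesdropper on the link sees: identifier, challenge and response, never the secret."""
    identifier = 1                                          # constructed; real peers increment it
    challenge = os.urandom(16) if challenge is None else challenge
    response = chap_response(identifier, client_secret, challenge)
    success = chap_verify(identifier, server_secret, challenge, response)
    return success, {"identifier": identifier, "challenge": challenge, "response": response}


def chap_dictionary_attack(transcript: dict, wordlist):
    """Offline attack on a captured exchange: no rate limit, no lockout, one MD5 per guess."""
    for guess in wordlist:
        candidate = chap_response(transcript["identifier"], guess.encode(), transcript["challenge"])
        if candidate == transcript["response"]:
            return guess
    return None
```

Two things the exchange makes concrete: a recorded response is useless against a new challenge (so passive replay fails), but the transcript is enough for an unlimited offline guessing attack, which is why CHAP over an untrusted link still needs a long secret and, in practice, a protected tunnel around it.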

Extensible Authentication Protocol (EAP)

Is a framework, not a single method: it defines the message formats and carries whichever authentication method is negotiated
Can use token cards, one-time passwords, certificates, biometrics
Runs directly over data link layers (PPP, or Ethernet and Wi-Fi as EAPOL under 802.1X)
Common methods: LEAP (Cisco, broken and to be avoided), EAP-TLS (certificates on both sides), EAP-FAST, PEAP (an inner method inside a TLS tunnel)

Mutual authentication

Client and server authenticate to each other
Also known as two-way authentication
Each side trusts the other's digital certificate
Can block rogue services: a client that verifies the server's certificate will not hand its credentials to an impostor access point or server

Review

Public Key Infrastructure (PKI)
Kerberos
Authentication, Authorization, Accounting (AAA)
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)

Network Access Security

At the end of this lesson we will be able to explain the methods of network access security

Network+2009 Objective 6.3

What we will cover

Security filtering
Tunneling and encryption
Remote access

SECURITY FILTERING

Access Control Lists (ACL)

Found on routers and firewalls
Control traffic in or out of an interface
Top-down list of permissions
First match wins
No match drops the packet (the implicit deny at the end of every ACL)

Because the first match wins, rule order is the policy: a broad permit placed above a narrower deny silently disables that deny.

MAC filtering

MAC standard access lists use source MAC addresses
MAC extended access lists use source and destination MAC addresses and optional protocol type information
MAC addresses are trivially spoofed, so MAC filtering keeps out accidental connections, not attackers

IP Filtering

Also known as packet filtering
Permit or deny traffic based on IP address
Can sometimes also use port numbers
Called stateless filtering: each packet is judged on its own header fields, with no memory of the connection it belongs to
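The following added example, which is not part of the deck, implements the ACL semantics just described (top-down, first match wins, implicit deny) over IP addresses, protocol and destination port, and runs it against constructed packets to show how a mis-ordered list defeats its own deny rule. The `Rule` layout, the helper that reports shadowed rules, the sample policies and the addresses are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # source network
    dst: str = "0.0.0.0/0"       # destination network
    dport: Optional[int] = None  # destination port; None means any


def matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.get("dport")))


def evaluate(acl, pkt: dict) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match falls through to the implicit deny (index None)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl):
    """Indexes of rules that can never match because an earlier rule already
    covers every packet they would match: a common ACL authoring mistake."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed policy. Intent: block 192.168.5.0/24 entirely and let the rest of
# 192.168.0.0/16 reach HTTPS on the 10.0.0.0/8 servers.
MISORDERED = [
    Rule("permit", "tcp", "192.168.0.0/16", "10.0.0.0/8", 443),
    Rule("deny", "any", "192.168.5.0/24"),                      # too late for HTTPS traffic
    Rule("deny", "tcp", "192.168.7.0/24", "10.0.0.0/8", 443),   # fully shadowed by rule 0
]
CORRECTED = [MISORDERED[1], MISORDERED[0]]                        # specific deny first
```

Routers report the number of matches per ACL line; a deny line whose counter never moves in a busy network is the operational symptom of the shadowing the helper detects.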

    TUNNELING AND ENCRYPTION

What is a Virtual Private Network (VPN)

Allows information to tunnel securely through an insecure network
Secure connection to branches
Secure connection for telecommuters
Helps save WAN connection cost

VPN Protocols

PPTP, L2F, L2TP, IPsec, SSL/TLS

Types of VPNs

Remote access
Site-to-site
Extranet

IP Security (IPsec) provides authentication and encryption at the IP layer

Authentication Header (AH) provides data integrity and authentication services only, no encryption; because it also authenticates the IP header, it does not survive NAT
Encapsulating Security Payload (ESP) provides encryption as well as data integrity and authentication services, which is why nearly every deployment uses ESP

IPsec Transport and Tunnel Modes

Transport mode protects only the payload of the original IP packet (host to host). Tunnel mode encrypts the whole original packet and wraps it in a new IP header (gateway to gateway, the usual VPN case).

Secure Sockets Layer (SSL)

[Figure: SSL connection process. The client sends a connection request; the server answers that a secure connection is required; the two exchange security capabilities (cipher suites and the server certificate); the SSL session is established.]

SSL VPN allows secure access through a standard browser

Layer 2 Tunneling Protocol (L2TP)

Supports non-TCP/IP protocols in VPNs over the Internet
A combination of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F)
Works at the Data Link layer (Layer 2)
Does not itself provide any encryption; it is normally run inside IPsec (L2TP/IPsec) to get confidentiality

Point to Point Tunneling Protocol (PPTP)

Uses a Generic Routing Encapsulation (GRE) session to carry PPP frames
Tunneled PPP traffic can be authenticated with PAP, CHAP, Microsoft CHAP v1/v2 or EAP-TLS
The PPP payload is encrypted using Microsoft Point-to-Point Encryption (MPPE) when using MS-CHAPv1/v2 or EAP-TLS
Because the MPPE keys are derived from the MS-CHAP exchange, breaking MS-CHAPv2 recovers the tunnel keys; treat PPTP as legacy and prefer L2TP/IPsec, IPsec or a TLS-based VPN

PPTP versus L2TP

                 PPTP                                     L2TP
Encryption       Native PPP (MPPE); negotiations in        IPsec
                 plaintext
Authentication   PPP with PAP, CHAP, or MS-CHAP            RADIUS, TACACS+
Data protocols   IP                                        IP, IPX, SNA, NetBEUI
Port             1723 (TCP), plus GRE (IP protocol 47)     1701 (UDP)

REMOTE ACCESS

Remote Access Services (RAS)

Not a protocol but the combination of hardware and software required to make a remote-access connection

Remote Desktop Protocol (RDP)

Allows connection to a computer using Microsoft's Terminal Services
Graphical desktop-sharing system
Allows remote control of a computer
Keyboard, mouse, and video are sent over the network
Listens on TCP 3389; never expose it directly to the Internet (reach it through a VPN, and require Network Level Authentication)

Remote Desktop Connection

Virtual Network Computing (VNC)

Graphical desktop-sharing system
Uses the remote frame buffer (RFB) protocol (TCP 5900 by default)
Allows remote control of a computer
Keyboard, mouse, and video are sent over the network
Plain RFB has no encryption and only a weak challenge-response password, so tunnel it through SSH or a VPN

Independent Computing Architecture (ICA)

Protocol designed by Citrix Systems
Allows clients with virtually any operating system to access applications on Windows servers
Typically used by Citrix's WinFrame

Point to Point Protocol (PPP)

Layer 2 protocol
Provides authentication (PAP, CHAP, EAP), encryption, and compression services
Allows clients to log in remotely

Point to Point Protocol over Ethernet (PPPoE)

An extension of PPP
Encapsulates PPP frames within Ethernet frames
Allows an ISP to authenticate DSL and cable clients
PPPoE works in two stages: discovery and session
Uses end-point MAC addresses to create sessions

Summary

Security filtering
Tunneling and encryption
Remote access

At the end of this lesson we will be able to

Explain the function of hardware and software security devices

Network+2009 Objective 6.1

What we will cover

Network-based firewall
Host-based firewall
Intrusion detection systems
Intrusion prevention systems
VPN concentrator

Network-based firewall: a device that protects a network

[Figure: Internet, firewall, protected network]

Host-based firewall: software that protects an individual host

[Figure: Internet, host running its own firewall]

Intrusion Detection Systems monitor traffic to detect attacks

[Figure: untrusted network, firewall, protected network, with the IDS attached in parallel with the traffic]

An IDS sees a copy of the traffic (from a SPAN port or a network tap), so it can alert on an attack but cannot stop the packet that carried it.

Intrusion Prevention Systems monitor traffic to block attacks

[Figure: untrusted network, firewall with IPS, protected network, with the IPS in line with the traffic]

An IPS sits in the forwarding path, so it can drop the offending packets, at the cost of being a point of failure and of latency, and of a false positive blocking legitimate traffic.

Intrusion Detection/Prevention Systems

IDS/IPS
Network based: a sensor watching a network segment
Host based: an agent on the host watching its own logs, files and processes

VPN Concentrator

[Figure: VPN clients on the Internet connect through the firewall to a VPN concentrator, which terminates the tunnels and connects them to the internal network]

Cisco and Netgear VPN Concentrators

Review

Firewall: network based, host based
Intrusion detection systems: network based, host based
Intrusion prevention systems: network based, host based
VPN concentrator

Firewall Features

At the end of this lesson we will be able to

Explain common features of a firewall

Network+2009 Objective 6.2

Agenda

Stateful vs. stateless
Application layer vs. network layer
Scanning services
Content filtering
Signature identification
Zones

Stateful vs. Stateless

Stateless: checks each packet individually and does not care whether it is part of a message stream; to let replies back in it needs standing permit rules, which spoofed packets can satisfy just as well, so it is more exposed to IP spoofing and to DoS attacks

Stateful: the firewall keeps track of the various data streams passing through it and admits inbound packets only when they belong to a connection it has seen opened; better at preventing attacks that exploit existing connections and at dropping unsolicited floods, although the connection table is itself a resource an attacker can try to exhaust
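To make the difference concrete, here is an added example that is not part of the deck: a stateless filter and a stateful filter applied to the same constructed packet sequence (one real HTTPS session, then a forged "reply" and an inbound scan). The inside address range, the rule for recognising replies and the packet records are assumptions for the example; real firewalls also age entries out of the connection table, which is omitted here.

```python
INSIDE_NET = "10.0.0."   # constructed: anything starting with this prefix is "inside"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def stateless_filter(pkt: dict) -> str:
    """Stateless rules: permit anything outbound; inbound only if it looks like a reply
    (source port 443, ACK flag set). The filter cannot know whether a session exists."""
    if is_inside(pkt["src"]):
        return "permit"
    if pkt["sport"] == 443 and "A" in pkt["flags"]:
        return "permit"          # anyone on the Internet can craft a packet satisfying this
    return "deny"


class StatefulFilter:
    """Remembers connections opened from the inside; inbound packets are
    permitted only when they belong to a tracked connection."""

    def __init__(self):
        self.table = set()   # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt: dict) -> str:
        if is_inside(pkt["src"]):
            if "S" in pkt["flags"]:            # new outbound connection: start tracking it
                self.table.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "permit"
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.table:
            if "F" in pkt["flags"] or "R" in pkt["flags"]:
                self.table.discard(key)        # connection closing: stop accepting packets for it
            return "permit"
        return "deny"


def run(filter_fn, packets):
    """Applies a filter function to each packet in order and returns the decisions."""
    return [filter_fn(p) for p in packets]


# Constructed traffic sample.
PACKETS = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "flags": "S"},
    {"src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "flags": "SA"},
    {"src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "flags": "A"},
    {"src": "198.51.100.7", "sport": 443, "dst": "10.0.0.5", "dport": 3389, "flags": "A"},   # forged "reply" aimed at RDP
    {"src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.5", "dport": 22, "flags": "S"},   # inbound SYN probe
]
```

The fourth packet is the whole argument: a stateless rule that admits "replies" by port and flag admits the forged one too, while the stateful filter denies it because no inside host ever opened that connection. The price is the table: a SYN flood from spoofed sources fills it, which is why stateful devices need entry timeouts and per-source limits.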

Application Layer vs. Network Layer Firewalls

Network layer: inspects only the IP and TCP/UDP headers

Application layer: inspects the application-layer data; can handle complex protocols such as HTTP, FTP, SIP, H.323; slower

Scanning services check incoming traffic for problems

Email: scan for malware, spam, too-large attachments
Web: scan for malware
FTP: scan for malware

Content filtering is closely related to scanning services

Blocks traffic based on the content of the data rather than the source
Used to filter email and website access

Ways to filter content

Block attachments of a certain type, such as .exe
Bayesian probability estimating
Content-encoding
Email headers
Language
Phrases
Proximity of words to each other
URLs
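Two of the techniques in the list above, attachment-type blocking and Bayesian probability estimating, are shown in the following added example, which is not part of the deck. The blocked-extension set, the training messages and the test messages are constructed for the example, and the classifier is a plain naive Bayes with add-one smoothing rather than any particular product's implementation.

```python
import math
import re
from collections import Counter

BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1"}   # constructed policy


def attachment_blocked(filename: str) -> bool:
    """Blocks dangerous types by the final extension, lower-cased, so a
    double extension such as 'invoice.pdf.exe' is still caught."""
    return filename.lower().rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS


def tokens(text: str):
    return re.findall(r"[a-z0-9]+", text.lower())


class NaiveBayesFilter:
    """Bayesian probability estimating: P(spam | words) from word frequencies
    learned from labelled mail, with add-one smoothing for unseen words."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, text: str, label: str) -> None:
        self.docs[label] += 1
        self.words[label].update(tokens(text))

    def spam_probability(self, text: str) -> float:
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        log_scores = {}
        for label in ("spam", "ham"):
            score = math.log(self.docs[label] / sum(self.docs.values()))   # prior
            total = sum(self.words[label].values())
            for w in tokens(text):
                score += math.log((self.words[label][w] + 1) / (total + vocab))
            log_scores[label] = score
        # Turn the two log scores into P(spam) without underflow.
        return 1.0 / (1.0 + math.exp(log_scores["ham"] - log_scores["spam"]))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) >= threshold


# Constructed training corpus; a real filter trains on thousands of labelled messages.
TRAINING = [
    ("Congratulations! You are a winner, claim your free prize now", "spam"),
    ("Cheap meds and free shipping, click here to order", "spam"),
    ("Urgent: verify your account now to claim your reward", "spam"),
    ("Agenda for Monday's project meeting is attached", "ham"),
    ("Can you review the quarterly report before the meeting", "ham"),
    ("Lunch on Thursday? The project deadline moved to Friday", "ham"),
]


def trained_filter() -> NaiveBayesFilter:
    f = NaiveBayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f
```

The threshold is a policy decision: lowering it blocks more spam and more legitimate mail. Attackers respond to Bayesian filters by padding messages with innocuous words, which is why a production filter combines this score with the other signals in the list (headers, URLs, attachment type) rather than relying on any one of them.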

Signature Identification - look for patterns in traffic

Similar to intrusion detection
Looks for specific patterns known to be malicious
Signatures need to be updated regularly
New attacks may not be detected, and neither may known attacks whose encoding differs from the signature, which is why the engine must normalise traffic (decode, collapse slashes, reassemble streams) before matching
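The following added example, not part of the deck, runs a few illustrative signatures over constructed HTTP request lines, once on the raw line and once after normalisation, to show both what pattern matching catches and how a trivially re-encoded attack slips past it. The signatures are toy patterns written for the example, not a real IDS rule set.

```python
import re
from urllib.parse import unquote

# Constructed signatures: (name, regex applied to the request line).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)),
    ("shell-cmd-injection", re.compile(r"[;|`]\s*(cat|wget|curl|sh|bash)\b")),
]


def normalise(request_line: str) -> str:
    """Decode percent-encoding (twice, to undo double encoding) and collapse
    repeated slashes, so the signatures see what the web server will see."""
    decoded = unquote(unquote(request_line))
    return re.sub(r"/+", "/", decoded)


def match_signatures(request_line: str, normalise_first: bool = True):
    line = normalise(request_line) if normalise_first else request_line
    return [name for name, pattern in SIGNATURES if pattern.search(line)]


def scan(lines, normalise_first: bool = True):
    """Returns a list of (request_line, [matched signature names]) pairs."""
    return [(line, match_signatures(line, normalise_first)) for line in lines]


# Constructed traffic sample.
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",              # same attack, percent-encoded
    "GET /login?user=admin'%20or%20'1'='1 HTTP/1.1",
    "GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1",
]
```

Even with normalisation, the third line in the sample only matches because the evasion was one the decoder anticipates; an encoding the engine does not undo (a different charset, chunked or compressed bodies, fragmentation) is the same "new attack" problem in another form, which is why signature updates and anomaly-based detection complement each other.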

Zones allow policy to be applied between groups of interfaces

[Figure: one firewall whose interfaces E0 through E12 are grouped into an Internet Zone, Internal Zone A, Internal Zone B, DMZ Zone 1, DMZ Zone 2 and a Guest Wireless Zone. Policy is written between zones (for example Internal Zone A to Internet Zone) rather than per interface.]

Review

Firewall types:
Stateful vs. stateless
Application layer vs. network layer
Scanning services
Content filtering
Signature identification
Zones

Device Security Issues

At the end of this lesson we will be able to

Explain issues that affect device security

Network+2009 Objective 6.5

What we will cover

Physical security
Restricting local and remote access
Secure methods vs. unsecure methods

Physical security

One common security truism is "Once you have physical access to a box, all bets are off." Console ports, vendor password-recovery procedures, removable media and booting from USB all bypass the logical controls.

Physical access control

Fences
Doors
Locks
Man-trap
Lights

Surveillance

Security guards
Guard dogs
Logging physical access to the facility
Video cameras

Activity, with your team or by yourself

Identify the risks associated with physical access to systems

Restricting local and remote access

Access-Control Principles

Follow the least-privilege model: each account gets only the rights its job needs
Separate out administrative duties, so that no single person can both make and approve a change
Rotate administrator jobs
Utilize implicit denies: anything not explicitly permitted is denied

Access-Control Models

Discretionary Access Control (DAC): the owner of a resource decides who may access it
Role-Based Access Control (RBAC): permissions are attached to roles, and users are assigned roles
Rule-Based Access Control (RBAC): access is decided by a fixed list of rules, such as time of day or source address, evaluated the same way for everyone
Mandatory Access Control (MAC): the system enforces access from security labels on subjects and objects; owners cannot override it
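The four models differ in who makes the decision and what it is based on. The following added example, not part of the deck, writes each as a small decision function ending in an implicit deny; the subjects, objects, roles and labels are constructed, and the MAC rules follow the Bell-LaPadula "no read up, no write down" confidentiality model.

```python
from typing import Dict, Set


def dac_allowed(acl: Dict[str, Set[str]], subject: str, operation: str) -> bool:
    """DAC: the object's owner wrote the ACL; no entry for the subject means deny."""
    return operation in acl.get(subject, set())


def rbac_allowed(role_perms: Dict[str, Set[str]], user_roles: Dict[str, Set[str]],
                 user: str, permission: str) -> bool:
    """RBAC: a user holds a permission only through one of their roles.
    Least privilege is done by giving roles the minimum permission set."""
    return any(permission in role_perms.get(role, set()) for role in user_roles.get(user, set()))


def rule_based_allowed(rules, context: dict) -> bool:
    """Rule-based: an ordered list of (condition, decision); first match wins, no match denies."""
    for condition, decision in rules:
        if condition(context):
            return decision
    return False


LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}   # constructed label lattice


def mac_allowed(subject_level: str, object_level: str, operation: str) -> bool:
    """MAC (Bell-LaPadula): read at or below your clearance, write at or above it,
    so that information never flows from a higher label to a lower one."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if operation == "read":
        return s >= o
    if operation == "write":
        return s <= o
    return False
```

The MAC "write up" rule surprises people: a secret-cleared user may not write to an internal document, because that is how a leak would happen. In practice systems pair it with an integrity model so that low-clearance subjects cannot corrupt high-clearance data either.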

    SECURE VS. UNSECUREAPPLICATION PROTOCOLS

Security Threat Mitigation Techniques

At the end of this lesson we will be able to

Identify common security threats and mitigation techniques

Network+2009 Objective 6.6

What we will cover

Managing user account and password security
Security threats
Threat mitigation techniques

MANAGING USER ACCOUNT AND PASSWORD SECURITY

Network Resource-Sharing Security Models

Share-level security: one password per shared resource, handed to everyone who needs it, so there is no record of which person did what
User-level security: each user authenticates individually and permissions are granted per account

Managing User Accounts

Add and delete accounts
Disable accounts (for leavers and for long absences; disabling keeps the audit trail that deletion would lose)
Modify account authorization
Set up anonymous accounts only where a service genuinely needs them
Limit connections
Rename the maintenance (default administrator) account

Creating Strong Passwords

Minimum length: the deck's 6 to 8 characters was the 2009 baseline; treat 8 as the floor today (NIST SP 800-63B), and require longer for anything not protected by a second factor

Using characters to make a strong password

Weak: a word in the dictionary, a name, a date, a sequence (1234; abcd; qwert), or a single character type (all letters, all numbers, or all symbols)

Strong: at least 8 characters with a combination of upper and lowercase letters, numbers, and symbols, for example B^1d&7St

Password-Management Features

Automatic account lockouts
Password expiration
Password histories
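The following added example, not part of the deck, turns the weak-password list above into a checker and implements the three password-management features (automatic lockout, expiration, history) on top of salted PBKDF2 storage. The thresholds, the tiny dictionary standing in for a breached-password list, and the account records are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

DICTIONARY = {"password", "welcome", "letmein", "summer", "admin"}   # constructed stand-in
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")


def weaknesses(password: str) -> list:
    """Returns the reasons a password is weak; an empty list means it passed."""
    found = []
    lower = password.lower()
    if len(password) < 8:
        found.append("shorter than 8 characters")
    if lower in DICTIONARY:
        found.append("dictionary word")
    if re.fullmatch(r"(19|20)\d{2}|\d{2}[/-]\d{2}[/-]\d{2,4}", password):
        found.append("looks like a date")
    if any(lower[i:i + 4] in seq for seq in SEQUENCES for i in range(len(lower) - 3)):
        found.append("contains a keyboard or alphabet sequence")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 2:
        found.append("single character type")
    return found


class AccountStore:
    """Salted PBKDF2 hashing, automatic lockout after repeated failures,
    password expiration, and a history that blocks reuse."""

    def __init__(self, max_failures=5, lockout_seconds=900, max_age_days=90, history_size=5):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.max_age, self.history_size = max_age_days * 86400, history_size
        self.accounts = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user: str, password: str, now: int) -> str:
        acct = self.accounts.setdefault(user, {"history": [], "failures": 0, "locked_until": 0})
        problems = weaknesses(password)
        if problems:
            return "rejected: " + ", ".join(problems)
        if any(hmac.compare_digest(self._hash(password, salt), h) for salt, h in acct["history"]):
            return "rejected: password was used recently"
        salt = os.urandom(16)
        acct["history"] = (acct["history"] + [(salt, self._hash(password, salt))])[-self.history_size:]
        acct["changed"] = now
        return "ok"

    def login(self, user: str, password: str, now: int) -> str:
        acct = self.accounts.get(user)
        if acct is None or not acct["history"]:
            return "denied"                     # same answer as a bad password: no username enumeration
        if now < acct["locked_until"]:
            return "locked"
        salt, h = acct["history"][-1]
        if not hmac.compare_digest(self._hash(password, salt), h):
            acct["failures"] += 1
            if acct["failures"] >= self.max_failures:
                acct["failures"] = 0
                acct["locked_until"] = now + self.lockout_seconds
                return "locked"
            return "denied"
        acct["failures"] = 0
        if now - acct["changed"] > self.max_age:
            return "expired: change required"
        return "ok"
```

Lockout has a cost of its own: an attacker who knows usernames can lock everyone out on purpose, which is one reason for a timed lockout rather than a permanent one, and for rate limiting by source as well as by account. The history check has to compare against every stored hash, so keep the history short.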


    SECURITY THREATS

Malware is the term for all viruses, worms, Trojans, etc.

Computer viruses
Worms
Trojan horses
Rootkits - designed to hide the fact that a system has been compromised
Spyware
Dishonest adware
Crimeware - malware designed specifically to automate cybercrime

A computer virus is a computer program that can copy itself

Attaches itself to an executable
Copies itself to (infects) other files when the file is opened

Worms send copies of themselves to other nodes, without needing a user to open anything

Denial of Service (DoS) attacks try to overwhelm the network

Some botnets are estimated to have 500,000 to 10 million slaves/zombies

Man in the Middle

[Figure: normal traffic flows directly between the two parties; in a man-in-the-middle attack the attacker sits between them and relays, reads or alters the traffic while both sides believe they are talking directly to each other]

Rogue Access Points: an attacker's wireless access point, often advertising a familiar SSID, that clients join instead of the legitimate one, putting the attacker in the middle of every connection

http://blogs.paretologic.com/malwarediaries/index.php/category/wireless-security/

Phishing: an official-looking email sent to fool the user into clicking a link to the phisher's web site

    MITIGATION TECHNIQUES

Policies and Procedures

Security software and devices cannot stop all types of attacks
Security policies should be created
A security procedure defines how to respond to any security event

User Training: it makes no sense to create all these policies and procedures and not train the IT staff and the users.

Patches and Updates: ensure that all your machines have the latest security patches

Windows Server Update Services (WSUS)

Review

Managing user account and password security
Security threats
Threat mitigation techniques