Information Security Lesson 7 - Remote Access - Eric Vanderburg

Post on 16-Apr-2017


Information Security © 2006 Eric Vanderburg

Information Security

Chapter 7: Remote Access


FTP
• Download files from a server
• Can use a web browser: ftp://
• FTP clients are also available: WS_FTP LE
• Command line
• BlindFTP – FTP with anonymous access
• SFTP (Secure FTP) – FTP over SSL
• Active FTP – server receives a request on port 21 and then initiates a connection to the data port (1 greater than command port) on the client.
• Passive FTP – client initiates both the command and data connections to the server
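Added example (not from the slides): the two messages that decide which side opens the FTP data connection, the server's 227 reply to PASV and the client's PORT command, plus a sanity check a client can apply before following a PASV reply. All addresses, ports and function names are constructed for illustration.

```python
from __future__ import annotations
import re

# Server reply to PASV looks like: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive FTP: the server announces the address and port the client must
    connect to for data. The port is carried as two bytes, p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of byte range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def build_port_command(client_ip: str, data_port: int) -> str:
    """Active FTP: the client tells the server where to connect back to, and
    the server then opens the data connection towards the client."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {client_ip!r}")
    if not 0 < data_port < 65536:
        raise ValueError(f"bad port {data_port}")
    return "PORT " + ",".join(octets + [str(data_port >> 8), str(data_port & 0xFF)])

def check_pasv_target(reply: str, control_peer_ip: str) -> tuple[bool, str]:
    """Defensive check before following a PASV reply: the announced host must be
    the server we already talk to (no redirection to a third host) and the port
    must be unprivileged. Returns (accept, reason)."""
    try:
        host, port = parse_pasv_reply(reply)
    except ValueError as exc:
        return False, str(exc)
    if host != control_peer_ip:
        return False, f"PASV reply points at {host}, control peer is {control_peer_ip}"
    if port < 1024:
        return False, f"PASV reply names privileged port {port}"
    return True, f"data connection to {host}:{port}"

if __name__ == "__main__":
    # Constructed sample exchange
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,19,136)"))  # ('192.168.1.10', 5000)
    print(build_port_command("10.0.0.5", 5001))  # PORT 10,0,0,5,19,137
    print(check_pasv_target("227 Entering Passive Mode (203,0,113,7,4,1)", "192.168.1.10"))
```

The check mirrors what a firewall administrator needs to know as well: in passive mode only outbound client connections to the announced port are required, whereas active mode needs the server to reach an inbound port on the client.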


Tunneling
• Tunneling – encapsulating a packet inside another
• PPTP (Point to Point Tunneling Protocol)
  – TCP port 1723
  – MPPE (Microsoft Point to Point Encryption) used for encryption
  – LCP (Link Control Protocol) is used for setting up and taking down the session and testing it.
  – Operates only over TCP/IP
• L2TP (Layer 2 Tunneling Protocol) – Combination of Cisco's L2F (Layer 2 Forwarding) and PPTP.
  – Supports many protocols
  – Can use IPSec for encryption


Tunneling
• SSH (Secure Shell) – uses digital certificates, or Kerberos and encrypted passwords
  – SSH replaces rsh for sending remote commands
  – SSH is a good replacement for telnet
  – slogin – replaces rlogin using SSH
  – scp replaces rcp for copying files over a network using SSH
  – SSH protects against IP spoofing and DNS spoofing, and protects the confidentiality of information


Tunneling
• IPSec (IP Security) – Securely exchange packets at layer 3
  – AH (Authentication Header) – used to encrypt the header of the packet to verify that the packet was sent from the legitimate sender.
  – ESP (Encapsulating Security Payload) – encrypts the entire packet – protects confidentiality
  – ISAKMP (Internet Security Association Key Management Protocol) – helps the sender and receiver obtain keys using digital certificates


Tunneling
• IPSec
  – Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header encrypted
    • AH in transport mode – data, header, and AH are encrypted
    • ESP in transport mode – a new ESP header is created for the data. It is authenticated and the data is encrypted
  – Tunnel mode encrypts both the header and the data portion
    • AH in tunnel mode – Data, new header, tunneled header and AH are all encrypted
    • ESP in tunnel mode – a new ESP header is created for the data. It is authenticated and the header, trailer, and data are encrypted


Authentication
• 802.1x – blocks ports of unauthenticated users
• Supplicant – client who wants to access the network
• Authenticator – device in between the supplicant and authentication server
• Authentication server – receives requests and accepts or denies them.


Authentication Protocols
• EAP (Extensible Authentication Protocol)
• EAP-MD5 (EAP Message Digest 5)
  – Does not use certificates
  – Hashes password using MD5
• LEAP (Lightweight EAP)
  – Cisco version of EAP without using certificates
  – Can be cracked easily with ASLEAP
• EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
  – No use of certificates
  – Establishes a TLS tunnel
  – Improves on problems with LEAP


EAP Types (continued)
• EAP-SIM (EAP Subscriber Identity Module) – used for authentication on GSM (Global System for Mobile Communications) devices
• EAP-TLS (Extensible Authentication Protocol Transport Layer Security)
  – Certificate based
  – Used in conjunction with a RADIUS server
  – Supports certificates contained on smartcards
• EAP-TTLS (EAP Tunneled Transport Layer Security)
  – Entire communication is tunneled. Tunneling begins first.
• PEAP (Protected EAP)
  – One-way use of certificates
  – MSCHAP v2 mutual authentication


Centralized Authentication
• RADIUS (Remote Authentication Dial In User Service) – Supported on Microsoft systems
  – UDP ports 1812 & 1813
• TACACS (Terminal Access Control Access Control System) – Supported on UNIX & Linux
  – TCP port 49
• Provides AAA (Authentication, Authorization, & Auditing)


VPN (Virtual Private Networks)
• Remote connections over the Internet can appear as local connections
• VPDN (Virtual Private Dialup Network)
• Remote Access VPN
• Site to Site VPN
• VPN Concentrator – takes many VPN connections to or from a location and packages them together to conserve bandwidth.


Securing Directory Services
• Directory Service – database of all users and resources and their associated permissions
• X.500 – ISO standard for data storage on directory servers. The standard allows applications to be written for the standard rather than for a specific directory.
  – DAP (Directory Access Protocol) – standard defining how an application will interface with an X.500 compliant directory server.
  – LDAP (Lightweight Directory Access Protocol) – a subset of DAP that is easier to implement and use. It also runs over TCP/IP.
  – DIB (Directory Information Base) – database where directory services data is stored. It consists of objects and their attributes.
  – DIT (Directory Information Tree) – The tree-like structure of the DIB.


DAP / LDAP Flaws
• Lack of effective authentication
  – Vendors often use some other form of authentication. Ex: Windows & Kerberos
• Query responses are sent in the clear.
  – Encrypt database communication through tunneling technologies discussed earlier.


Wireless
• Wireless Uses
  – Temporary connections
  – Redundant connections
  – Network extension
  – Roaming
  – Access in difficult areas
  – Support for handhelds
  – Docking
  – Peripherals
• Network Types
  – LANs – 802.11a, b, g, n
  – Extended LANs – Microwave, Satellite
  – Mobile – Radio or Cellular


The Wireless Spectrum

Figure 3-37: The wireless spectrum


Electromagnetic Fundamentals
• Lower frequency = slower, less data, longer distance
• Higher frequency = faster, more data, shorter distance
• Highest frequencies need line of sight & use tight beams


Frequency Ranges
• Radio: 10 kHz – 1 GHz
• Microwave: 1 GHz – 500 GHz
• Infrared: 500 GHz – 1 THz


Infrared Technologies
• Line of Sight
• Reflective (central device)
• Scatter Infrared
  – Bounces signal
  – Limited to 30 meters
• Broadband Optical Telepoint Networks


Infrared Transmission
• Diffused
  – The infrared light transmitted by the sender unit fills the area.
  – The receiver unit located anywhere in that area can receive the signal.
• Directed
  – The infrared light is focused before transmitting the signal
  – Increases the transmission speed.
• Directed point-to-point
  – Highest transmission speed
  – Receiver is aligned with the sender unit. The infrared light is then transmitted directly to the receiver.


Infrared Transmission
• Transmitted by frequencies in the 300 GHz to 300,000 GHz range
• Most often used for communications between devices in the same room
  – Relies on the devices being close to each other
  – May require line-of-sight path


Infrared Threats
• Data could be “beamed” to another device such as a PDA, laptop, or even a watch
• Secure serial ports and disable infrared on devices if it is not needed.


Cellular Wireless
• 1G – First Generation
  – Analog
  – Circuit switching (can only do one thing at a time with a dedicated link to the other party)
  – Mid 1980s


Cellular Wireless
• 2G – Second Generation
  – GSM (Global System for Mobile Communications)
    • TDMA (Time Division Multiple Access) standard – allows several users to share the same frequency by dividing it into different timeslots.
    • Both signaling and speech channels are digital. Supports advanced phone functions and the ability to do multiple actions at the same time.
    • Started in Europe but soon became a global standard
  – iDEN (Integrated Digital Enhanced Network)
    • Supports paging, text messaging, and picture messaging
  – PDC (Personal Digital Cellular) – Used mainly in Japan
• 3G – Third Generation
  – 384 kbps – 3 Mbps speed
  – Geared for internet access


Cellular Wireless
• WAP (Wireless Application Protocol) – standard for how internet content should be formatted for portable users (Cell & PDA)
• WAP phones use micro browsers that process WML (Wireless Markup Language) instead of HTML
• WAP Gateway – Converts HTML to WML
• WTLS (Wireless Transport Layer Security) – Confidentiality, Integrity and Authentication for WAP. Provides security between the WAP gateway and the WAP device.


Radio LAN Technologies
• Narrow Band
• Devices use known single frequency
• Unregulated bands (902-928 MHz, 2.4 GHz, 5.72-5.85 GHz)
• No line of sight needed
• Range of 70 meters
• Possible to eavesdrop
• High susceptibility to RFI


Radio LAN Technologies
• High powered technologies
  – Long range to horizon
  – Towers used to redirect signal
  – Much more expensive
  – FCC licensing required


Spread Spectrum Technologies
• Uses multiple frequencies
  – Less interference
  – Redundancy
• Frequency Range: 902-928 MHz, 2.4 GHz, 5 GHz
• FHSS (Frequency Hopping Spread Spectrum)
  – Changes frequencies at regular intervals
  – Uses high powered signals on only one frequency at a time
  – Lower bandwidth, more secure (except now scanning devices can frequency hop very easily)
• DSSS (Direct Sequence Spread Spectrum)
  – Send different data chunks along multiple frequencies at lower power (just above noise)
• OFDM (Orthogonal Frequency Division Multiplexing)
  – Higher resistance to interference
  – More redundant data is spread across multiple frequencies


802.11 WLAN (Wireless Local Area Networks)
• 802.11 – 2 Mbps – FHSS
• 802.11b – 11 Mbps – 2.4 GHz – DSSS
• 802.11a – 54 Mbps – 5 GHz – DSSS
• 802.11g – 54 Mbps – 2.4 GHz – OFDM
• 802.11n – 300 Mbps – 2.4 GHz – OFDM


Wireless Encryption
• WEP (Wired Equivalency Protocol)
  – RC4 (Rivest Cipher 4) – stream cipher
  – Uses weak key generation techniques
  – IV (Initialization Vector), 24 bits, and key length (40 or 124 bit) are short
• WPA (WiFi Protected Access)
  – TKIP (Temporal Key Integrity Protocol) – changes keys per packet
  – MIC (Message Integrity Code) – check number or hash
• WPA2
  – AES (Advanced Encryption Standard)
  – Different keys for unicast and broadcast traffic
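Added example (not from the slides) of why the slide calls the 24-bit WEP IV short: a textbook RC4 seeded WEP-style with IV || key, a demonstration that two frames sharing an IV share a keystream (so their ciphertexts XOR to the XOR of the plaintexts, which is why TKIP moved to per-packet keys), and the birthday bound on how soon a randomly chosen IV is expected to repeat. The key, IV and frame contents are constructed; the CRC-32 ICV is omitted.

```python
import math

IV_BITS = 24  # WEP sends a 24-bit per-frame IV in the clear, prepended to the shared key

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: RC4 seeded with IV || key, output is IV || ciphertext.
    The CRC-32 ICV is left out to keep the example focused on keystream reuse."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))

def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames with the same IV share a keystream; XORing their ciphertext
    bodies cancels it and leaves p1 XOR p2, with no knowledge of the key."""
    c1 = wep_encrypt(key, iv, p1)[IV_BITS // 8:]
    c2 = wep_encrypt(key, iv, p2)[IV_BITS // 8:]
    return xor_bytes(c1, c2)

def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: random n-bit IVs are expected to repeat after roughly
    sqrt(pi/2 * 2**n) frames, far fewer than the 2**n distinct values."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"            # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                     # constructed IV reused by two frames
    p1, p2 = b"GET /index.html", b"GET /login.html"
    print(keystream_reuse_leak(key, iv, p1, p2) == xor_bytes(p1, p2))  # True
    print(round(expected_frames_until_iv_repeat()))                   # about 5133
```

A busy access point sends thousands of frames per minute, so the bound above means IV reuse is a matter of minutes even with random IVs, which is the practical reason the slide lists the IV length as a weakness.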


Ad Hoc Wireless
• Broadcasting/Flooding – Everyone except the recipient broadcasts the data to the nodes in their area.
• Temporary Infrastructure – In this method, the mobile users set up a temporary infrastructure (mapping). But this method is complicated and it introduces overheads. It is useful only when there is a small number of mobile users.


WLAN Access Devices
• PCMCIA
• Mini PCI
• PCI
• CF Card
• USB


Wireless
• BSA (Basic Service Area)
  – Influence of the APs (Access Points)
  – Depends on:
    • Power of the transmitter
    • Environment
• BSS (Basic Service Set)
  – Stations belonging to an AP
• IBSS (Independent Basic Service Set)
  – Ad hoc network
• ESS (Extended Service Set) – multiple APs are used to service a single network. All APs use the same SSID (Service Set Identifier)


Wireless Security
• MAC Address filtering
• Disable SSID broadcasting
• Use Encryption
• RADIUS Authentication
• Enterprise Wireless Gateways with thin APs


802.16a Wireless MAN
• WiMax (Worldwide Interoperability for Microwave Access)
• 40 Mbps per channel
• 3-10 Kilometers
• Moving car access
• Broadband to distant locations
• Expect to see notebook cards by 2007


More Microwave Technology
• CDPD (Cellular Digital Packet Data)
  – 19.2 kbps
  – Handheld connections
• Low orbit satellites
  – 10 bps
  – Continental coverage


Acronyms
• AAA, Authentication Authorization & Auditing
• AES, Advanced Encryption Standard
• AP, Access Point
• AH, Authentication Header
• BSA, Basic Service Area
• BSS, Basic Service Set
• CDPD, Cellular Digital Packet Data
• CRC, Cyclic Redundancy Check
• DAP, Directory Access Protocol
• DIB, Directory Information Base
• DIT, Directory Information Tree
• DSSS, Direct Sequence Spread Spectrum
• EAP-MD5, EAP Message Digest 5
• EAP-SIM, EAP Subscriber Identity Module


Acronyms
• EAP-TLS, Extensible Authentication Protocol Transport Layer Security
• EAP-TTLS, Extensible Authentication Protocol Tunneled Transport Layer Security
• ESP, Encapsulating Security Payload
• ESS, Extended Service Set
• EAP, Extensible Authentication Protocol
• FAST, Flexible Authentication via Secure Tunneling
• FHSS, Frequency Hopping Spread Spectrum
• GSM, Global System for Mobile Communications
• IBSS, Independent Basic Service Set
• ISAKMP, Internet Security Association and Key Management Protocol


Acronyms
• IPSec, Internet Protocol Security
• L2TP, Layer 2 Tunneling Protocol
• LDAP, Lightweight Directory Access Protocol
• LEAP, Lightweight Extensible Authentication Protocol
• LCP, Link Control Protocol
• NAS, Network Access Server
• OFDM, Orthogonal Frequency Division Multiplexing
• PPP, Point to Point Protocol
• PPTP, Point to Point Tunneling Protocol
• PEAP, Protected Extensible Authentication Protocol
• PRNG, Pseudo Random Number Generator
• PSDN, Public Switched Data Network
• RADIUS, Remote Authentication Dial In User Service
• SSH, Secure Shell


Acronyms
• SSID, Service Set Identifier
• TKIP, Temporal Key Integrity Protocol
• TACACS, Terminal Access Control Access Control System
• VPDN, Virtual Private Dial Up Network
• VPN, Virtual Private Network
• WPA, WiFi Protected Access
• WEP, Wired Equivalent Privacy
• WAP, Wireless Application Protocol
• WiMAX, Worldwide Interoperability for Microwave Access
• WLAN, Wireless Local Area Network
• WML, Wireless Markup Language
• WTLS, Wireless Transport Layer Security
• XOR, Exclusive Or