information security lesson 7 - remote access - eric vanderburg

Information Security © 2006 Eric Vanderburg Information Security Chapter 7 Remote Access

Upload: eric-vanderburg

Post on 16-Apr-2017


Page 1: Information Security Lesson 7 - Remote Access - Eric Vanderburg

Information Security © 2006 Eric Vanderburg

Information Security

Chapter 7: Remote Access

FTP
• Download files from a server
• Can use a web browser: ftp://
• FTP clients are also available (e.g. WS_FTP LE)
• Command line
• Blind FTP – FTP with anonymous access
• SFTP (Secure FTP) – FTP over SSL
• Active FTP – server receives a request on port 21 and then initiates a connection to the data port (1 greater than the command port) on the client.
• Passive FTP – client initiates both the command and data connections to the server
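The active/passive distinction above decides which side opens the data connection, and therefore which firewall rule is needed. The following added example (not code from the slides or their author) parses the server's passive-mode 227 reply, builds the active-mode PORT command using the slide's "command port + 1" rule, and reports who initiates the data connection; the reply text, addresses and port numbers are constructed sample values.

```python
import re

# Constructed sample reply: what an FTP server answers to the client's PASV command.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,149)."


def parse_pasv_reply(reply: str) -> tuple:
    """Return (server_ip, data_port) from a 227 reply.

    The six numbers are the four address octets followed by the port as two
    bytes p1,p2 (port = p1*256 + p2). In passive mode the *client* connects out
    to this port, so only an outbound rule is needed on the client side.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    match = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if match is None:
        raise ValueError("227 reply carries no (h1,h2,h3,h4,p1,p2) tuple")
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def build_port_command(client_ip: str, command_port: int) -> tuple:
    """Return (PORT command, data_port) for active mode.

    Following the slide, the client's data port is one greater than its
    command (control) port. The *server* then connects in to it (from its
    data port 20), which is why active mode fails behind client-side NAT or
    a firewall that blocks unsolicited inbound connections.
    """
    data_port = command_port + 1
    if not 1 <= data_port <= 65535:
        raise ValueError("data port out of range")
    octets = client_ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % client_ip)
    p1, p2 = divmod(data_port, 256)
    return "PORT %s,%d,%d" % (",".join(octets), p1, p2), data_port


def data_connection(mode: str, client_ip: str, command_port: int, reply: str = "") -> dict:
    """Describe the data connection a firewall must allow for each mode."""
    if mode == "active":
        _, data_port = build_port_command(client_ip, command_port)
        return {"initiator": "server", "src_port": 20, "dst": client_ip, "dst_port": data_port}
    if mode == "passive":
        host, port = parse_pasv_reply(reply)
        return {"initiator": "client", "src_port": None, "dst": host, "dst_port": port}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    print(data_connection("passive", "10.0.0.5", 50000, SAMPLE_PASV_REPLY))
    print(data_connection("active", "10.0.0.5", 50000))
```

The dictionaries returned by `data_connection` map directly onto a firewall rule: passive mode needs an outbound client rule to the advertised high port, active mode needs an inbound rule on the client, which is the usual reason passive mode is preferred from behind NAT.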

Tunneling
• Tunneling – encapsulating a packet inside another
• PPTP (Point to Point Tunneling Protocol)
  – TCP port 1723
  – MPPE (Microsoft Point to Point Encryption) used for encryption
  – LCP (Link Control Protocol) is used for setting up and taking down the session and testing it.
  – Operates only over TCP/IP
• L2TP (Layer 2 Tunneling Protocol)
  – Combination of Cisco's L2F (Layer 2 Forwarding) and PPTP.
  – Supports many protocols
  – Can use IPSec for encryption

Tunneling
• SSH (Secure Shell) – uses digital certificates, or Kerberos and encrypted passwords
  – SSH replaces rsh for sending remote commands
  – SSH is a good replacement for telnet
  – slogin – replaces rlogin using SSH
  – scp replaces rcp for copying files over a network using SSH
  – SSH protects against IP spoofing and DNS spoofing, and protects the confidentiality of information

Tunneling
• IPSec (IP Security) – securely exchange packets at layer 3
  – AH (Authentication Header) – used to encrypt the header of the packet to verify that the packet was sent from the legitimate sender.
  – ESP (Encapsulating Security Payload) – encrypts the entire packet – protects confidentiality
  – ISAKMP (Internet Security Association Key Management Protocol) – helps the sender and receiver obtain keys using digital certificates

Tunneling
• IPSec
  – Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header unencrypted
    • AH in transport mode – data, header, and AH are encrypted
    • ESP in transport mode – a new ESP header is created for the data. It is authenticated and the data is encrypted
  – Tunnel mode encrypts both the header and the data portion
    • AH in tunnel mode – data, new header, tunneled header and AH are all encrypted
    • ESP in tunnel mode – a new ESP header is created for the data. It is authenticated and the header, trailer, and data are encrypted
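To make the transport/tunnel distinction concrete, here is an added example (not code from the slides or their author) that builds ESP packets in both modes and takes them apart again, checking the integrity value before decrypting. The ESP header (SPI, sequence number), trailer (padding, pad length, next header) and ICV placement follow RFC 4303; the ICV is HMAC-SHA-256 truncated to 128 bits. The cipher is a labelled stand-in (SHA-256 in counter mode) so the example runs with only the Python standard library, and the addresses, keys and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # next-header value meaning "an IP packet follows" (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16       # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)


def make_ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left at zero in this example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       64, proto, 0, src, dst)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher so the example needs only the standard library.
    Real IPsec uses AES (CBC or GCM); this is SHA-256 in counter mode XORed in."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_trailer(plain_len: int, next_header: int) -> bytes:
    """ESP trailer: padding so (payload + pad + 2) is a multiple of 4, then Pad Length and Next Header."""
    pad_len = (-(plain_len + 2)) % 4
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def patch_outer_header(header: bytes, total_len: int) -> bytes:
    """The outer IP header now carries ESP: fix Total Length and Protocol (checksum not recomputed)."""
    return header[:2] + struct.pack("!H", total_len) + header[4:9] + bytes([IPPROTO_ESP]) + header[10:]


def esp_encapsulate(mode, ip_header, payload, proto, spi, seq, enc_key, auth_key, outer_header=None):
    """Build outer_IP | ESP header | encrypt(inner + trailer) | ICV.

    transport: inner = payload only; the original IP header stays in the clear.
    tunnel:    inner = original header + payload; a new outer header is prepended.
    """
    if mode == "transport":
        inner, next_header, outer = payload, proto, ip_header
    elif mode == "tunnel":
        if outer_header is None:
            raise ValueError("tunnel mode needs an outer header")
        inner, next_header, outer = ip_header + payload, IPPROTO_IPIP, outer_header
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    esp_header = struct.pack("!II", spi, seq)
    body = toy_encrypt(enc_key, inner + esp_trailer(len(inner), next_header))
    # The ICV covers the ESP header and the ciphertext, never the outer IP header.
    icv = hmac.new(auth_key, esp_header + body, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_header + body + icv
    return patch_outer_header(outer, 20 + len(esp)) + esp


def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes) -> tuple:
    """Verify the ICV first, then decrypt. Returns (next_header, inner_bytes)."""
    esp_header, body, icv = packet[20:28], packet[28:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet altered in transit or wrong key")
    plain = toy_encrypt(enc_key, body)
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


# Constructed sample: a TCP segment between two private hosts, plus example keys.
ENC_KEY, AUTH_KEY = b"example-enc-key-0123", b"example-auth-key-456"
PAYLOAD = b"\x00\x50\x1f\x90GET / HTTP/1.0\r\n"
INNER_HDR = make_ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", IPPROTO_TCP, len(PAYLOAD))
OUTER_HDR = make_ipv4_header(b"\xc0\xa8\x01\x01", b"\xc6\x33\x64\x01", IPPROTO_ESP, 0)


def demo(mode: str) -> tuple:
    """Encapsulate the sample packet in the given mode and decapsulate it again."""
    pkt = esp_encapsulate(mode, INNER_HDR, PAYLOAD, IPPROTO_TCP, 0x1000, 1, ENC_KEY, AUTH_KEY, OUTER_HDR)
    return pkt, esp_decapsulate(pkt, ENC_KEY, AUTH_KEY)
```

Run `demo("transport")` and `demo("tunnel")` and compare the first 20 bytes: in transport mode the original source and destination addresses are visible on the wire, in tunnel mode only the gateway addresses are, and the inner header is recovered only after the ICV check passes. Flipping any byte of the ciphertext makes `esp_decapsulate` raise before decryption, which is the behaviour a gateway should show.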

Authentication
• 802.1x – blocks ports of unauthenticated users
• Supplicant – client who wants to access the network
• Authenticator – device in between the supplicant and the authentication server
• Authentication server – receives requests and accepts or denies them.

Authentication Protocols
• EAP (Extensible Authentication Protocol)
• EAP-MD5 (EAP Message Digest 5)
  – Does not use certificates
  – Hashes password using MD5
• LEAP (Lightweight EAP)
  – Cisco version of EAP without using certificates
  – Can be cracked easily with ASLEAP
• EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
  – No use of certificates
  – Establishes a TLS tunnel
  – Improves on problems with LEAP

EAP Types (continued)
• EAP-SIM (EAP Subscriber Identity Module) – used for authentication on GSM (Global System for Mobile Communications) devices
• EAP-TLS (Extensible Authentication Protocol Transport Layer Security)
  – Certificate based
  – Used in conjunction with a RADIUS server
  – Supports certificates contained on smartcards
• EAP-TTLS (EAP Tunneled Transport Layer Security)
  – Entire communication is tunneled. Tunneling begins first.
• PEAP (Protected EAP)
  – One-way use of certificates
  – MSCHAP v2 mutual authentication

Centralized Authentication
• RADIUS (Remote Authentication Dial In User Service) – supported on Microsoft systems
  – UDP ports 1812 & 1813
• TACACS (Terminal Access Controller Access Control System) – supported on UNIX & Linux
  – TCP port 49
• Provides AAA (Authentication, Authorization, & Auditing)
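The slide names RADIUS and its ports; what makes it usable for centralized authentication is the shared secret between the authenticator (NAS) and the server, which hides the password on the wire and lets the client check that an Access-Accept really came from the server. The added example below (not code from the slides or their author) implements the RFC 2865 packet layout, User-Password hiding and Response Authenticator, then runs both sides in one process; the shared secret, user name and password are constructed sample values, and the in-memory user table is a stand-in for a real credential store.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value attributes; Length counts the 2 header bytes (RFC 2865 section 5)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attrs(data: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> tuple:
    """Client (NAS) side: fresh random Request Authenticator and hidden password.
    Returns (packet, request_auth); the client must remember request_auth to check the reply."""
    request_auth = os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + request_auth + body, request_auth


def response_authenticator(code: int, ident: int, body: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body


def verify_response(packet: bytes, expected_ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Identifier matches the outstanding request and
    its Response Authenticator proves knowledge of the shared secret (blocks forged Accepts)."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return False
    expected = response_authenticator(code, ident, packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject.
    'users' is a plaintext demo table; a real server compares against a hashed store."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:HEADER_LEN]
    attrs = dict(decode_attrs(packet[HEADER_LEN:]))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(ATTR_USER_NAME)) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [], secret)


# Constructed sample values for the example (not real credentials).
SHARED_SECRET = b"example-shared-secret"
USERS = {b"alice": b"correct horse battery"}
```

The point for a defender is in `verify_response`: a reply whose authenticator was computed with the wrong secret, or whose identifier does not match an outstanding request, is dropped. Note that the hiding scheme is MD5-based and only as strong as the shared secret, which is why RADIUS traffic is normally kept on a management network or carried inside a tunnel such as the IPSec one discussed earlier.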

VPN (Virtual Private Networks)
• Remote connections over the Internet can appear as local connections
• VPDN (Virtual Private Dialup Network)
• Remote Access VPN
• Site to Site VPN
• VPN Concentrator – takes many VPN connections to or from a location and packages them together to conserve bandwidth.

Securing Directory Services
• Directory Service – database of all users and resources and their associated permissions
• X.500 – ISO standard for data storage on directory servers. The standard allows applications to be written for the standard rather than for a specific directory.
  – DAP (Directory Access Protocol) – standard defining how an application will interface with an X.500 compliant directory server.
  – LDAP (Lightweight Directory Access Protocol) – a subset of DAP that is easier to implement and use. It also runs over TCP/IP.
  – DIB (Directory Information Base) – database where directory services data is stored. It consists of objects and their attributes.
  – DIT (Directory Information Tree) – the tree-like structure of the DIB.

DAP / LDAP Flaws
• Lack of effective authentication
  – Vendors often use some other form of authentication. Ex: Windows & Kerberos
• Query responses are sent in the clear.
  – Encrypt database communication through the tunneling technologies discussed earlier.

Wireless
• Wireless Uses
  – Temporary connections
  – Redundant connections
  – Network extension
  – Roaming
  – Access in difficult areas
  – Support for handhelds
  – Docking
  – Peripherals
• Network Types
  – LANs – 802.11a, b, g, n
  – Extended LANs – Microwave, Satellite
  – Mobile – Radio or Cellular

The Wireless Spectrum

Figure 3-37: The wireless spectrum

Electromagnetic Fundamentals
• Lower frequency = slower, less data, longer distance
• Higher frequency = faster, more data, shorter distance
• Highest frequencies need line of sight & use tight beams

Frequency Ranges
• Radio: 10 KHz – 1 GHz
• Microwave: 1 GHz – 500 GHz
• Infrared: 500 GHz – 1 THz

Infrared Technologies
• Line of Sight
• Reflective (central device)
• Scatter Infrared
  – Bounces signal
  – Limited to 30 meters
• Broadband Optical Telepoint Networks

Infrared Transmission
• Diffused
  – The infrared light transmitted by the sender unit fills the area.
  – A receiver unit located anywhere in that area can receive the signal.
• Directed
  – The infrared light is focused before transmitting the signal
  – Increases the transmission speed.
• Directed point-to-point
  – Highest transmission speed
  – Receiver is aligned with the sender unit. The infrared light is then transmitted directly to the receiver.

Infrared Transmission
• Transmitted by frequencies in the 300 GHz to 300,000 GHz range
• Most often used for communications between devices in the same room
  – Relies on the devices being close to each other
  – May require a line-of-sight path

Infrared Threats
• Data could be "beamed" to another device such as a PDA, laptop, or even a watch
• Secure serial ports and disable infrared on devices if it is not needed.

Cellular Wireless
• 1G – First Generation
  – Analog
  – Circuit switching (can only do one thing at a time with a dedicated link to the other party)
  – Mid 1980s

Cellular Wireless
• 2G – Second Generation
  – GSM (Global System for Mobile Communications)
    • TDMA (Time Division Multiple Access) standard – allows several users to share the same frequency by dividing it into different timeslots.
    • Both signaling and speech channels are digital. Supports advanced phone functions and the ability to do multiple actions at the same time.
    • Started in Europe but soon became a global standard
  – iDEN (Integrated Digital Enhanced Network)
    • Supports paging, text messaging, and picture messaging
  – PDC (Personal Digital Cellular) – used mainly in Japan
• 3G – Third Generation
  – 384 kbps – 3 Mbps speed
  – Geared for internet access

Cellular Wireless
• WAP (Wireless Application Protocol) – standard for how internet content should be formatted for portable users (cell phones & PDAs)
• WAP phones use micro browsers that process WML (Wireless Markup Language) instead of HTML
• WAP Gateway – converts HTML to WML
• WTLS (Wireless Transport Layer Security) – confidentiality, integrity and authentication for WAP. Provides security between the WAP gateway and the WAP device.

Radio LAN Technologies
• Narrow Band
• Devices use a known single frequency
• Unregulated bands (902-928 MHz, 2.4 GHz, 5.72-5.85 GHz)
• No line of sight needed
• Range of 70 meters
• Possible to eavesdrop
• High susceptibility to RFI

Radio LAN Technologies
• High powered technologies
  – Long range to horizon
  – Towers used to redirect signal
  – Much more expensive
  – FCC licensing required

Spread Spectrum Technologies
• Uses multiple frequencies
  – Less interference
  – Redundancy
• Frequency Range: 902-928 MHz, 2.4 GHz, 5 GHz
• FHSS (Frequency Hopping Spread Spectrum)
  – Changes frequencies at regular intervals
  – Uses high powered signals on only one frequency at a time
  – Lower bandwidth, more secure (except that scanning devices can now frequency hop very easily)
• DSSS (Direct Sequence Spread Spectrum)
  – Sends different data chunks along multiple frequencies at lower power (just above noise)
• OFDM (Orthogonal Frequency Division Multiplexing)
  – Higher resistance to interference
  – More redundant data is spread across multiple frequencies

802.11 WLAN (Wireless Local Area Networks)
• 802.11 – 2 Mbps – FHSS
• 802.11b – 11 Mbps – 2.4 GHz – DSSS
• 802.11a – 54 Mbps – 5 GHz – DSSS
• 802.11g – 54 Mbps – 2.4 GHz – OFDM
• 802.11n – 300 Mbps – 2.4 GHz – OFDM

Wireless Encryption
• WEP (Wired Equivalent Privacy)
  – RC4 (Rivest Cipher 4) – stream cipher
  – Uses weak key generation techniques
  – IV (Initialization Vector), 24 bits, and key length (40 or 124 bit) are short
• WPA (WiFi Protected Access)
  – TKIP (Temporal Key Integrity Protocol) – changes keys per packet
  – MIC (Message Integrity Code) – check number or hash
• WPA2
  – AES (Advanced Encryption Standard)
  – Different keys for unicast and broadcast traffic
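Why a 24-bit IV on a stream cipher is "short" is easiest to see by running it. The added example below (not code from the slides or their author) implements RC4 and WEP-style framing (IV in the clear, per-packet key = IV || shared key, CRC-32 ICV encrypted with the data), then shows the two consequences a defender should know: with ~16.7 million IVs, the birthday bound says some IV repeats after only a few thousand frames, and any two frames that share an IV under the same key were XORed with the same keystream, so their ciphertexts XOR to the XOR of the plaintexts without the key ever being involved. The key, IV and frame contents are constructed sample values; the key-length check uses the 40-bit and 104-bit sizes WEP hardware shipped with.

```python
import math
import random
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA), exactly as WEP uses it, with no key-scheduling hardening."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, in the clear) || RC4_{IV||key}(plaintext || CRC-32 ICV).
    The per-packet RC4 key is just the 24-bit IV glued in front of the static shared key."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; WEP keys are 5 bytes (40-bit) or 13 bytes (104-bit)")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, ks))


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """When two frames under the same key carry the same IV, they were XORed with the same
    keystream, so C_a XOR C_b == P_a XOR P_b. Returns that XOR, or None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def frames_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> float:
    """Birthday bound: frames sent with random IVs before some IV repeats with the given probability."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - probability)))


def count_iv_repeats(num_frames: int, seed: int = 1, iv_bits: int = 24) -> int:
    """Simulate an AP choosing random IVs and count how many frames reuse an earlier IV."""
    rng = random.Random(seed)
    seen, repeats = set(), 0
    for _ in range(num_frames):
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            repeats += 1
        seen.add(iv)
    return repeats


# Constructed sample: two same-length frames an AP happened to send with the same IV.
KEY = b"\x01\x02\x03\x04\x05"
IV = b"\x0a\x0b\x0c"
P_A = b"Hello, access point!"
P_B = b"Secret payload bytes"

if __name__ == "__main__":
    frame_a, frame_b = wep_encrypt(KEY, IV, P_A), wep_encrypt(KEY, IV, P_B)
    print("frames until an IV repeats (50%%): %.0f" % frames_until_iv_repeat())
    print("IV repeats in 100,000 frames:", count_iv_repeats(100000))
    print("C_a xor C_b == P_a xor P_b:", keystream_reuse_leak(frame_a, frame_b)[:20] ==
          bytes(a ^ b for a, b in zip(P_A, P_B)))
```

This is the structural reason the slide's later points matter: TKIP rotates the per-packet key so keystream reuse stops, and WPA2 replaces RC4 with AES and adds separate unicast and broadcast keys. The same birthday arithmetic applies to any nonce space, which is why modern modes use large or counter-driven nonces.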

Ad Hoc Wireless
• Broadcasting/Flooding – everyone except the recipient broadcasts the data to the nodes in their area.
• Temporary Infrastructure – in this method, the mobile users set up a temporary infrastructure (mapping). This method is complicated and introduces overhead; it is useful only when there is a small number of mobile users.

WLAN Access Devices
• PCMCIA
• Mini PCI
• PCI
• CF Card
• USB

Wireless
• BSA (Basic Service Area)
  – Influence of the APs (Access Points)
  – Depends on:
    • Power of the transmitter
    • Environment
• BSS (Basic Service Set)
  – Stations belonging to an AP
• IBSS (Independent Basic Service Set)
  – Ad hoc network
• ESS (Extended Service Set) – multiple APs are used to service a single network. All APs use the same SSID (Service Set Identifier)

Wireless Security
• MAC address filtering
• Disable SSID broadcasting
• Use encryption
• RADIUS authentication
• Enterprise wireless gateways with thin APs

802.16a Wireless MAN
• WiMax (Worldwide Interoperability for Microwave Access)
• 40 Mbps per channel
• 3-10 kilometers
• Moving car access
• Broadband to distant locations
• Expect to see notebook cards by 2007

More Microwave Technology
• CDPD (Cellular Digital Packet Data)
  – 19.2 kbps
  – Handheld connections
• Low orbit satellites
  – 10 bps
  – Continental coverage

Acronyms
• AAA, Authentication Authorization & Auditing
• AES, Advanced Encryption Standard
• AP, Access Point
• AH, Authentication Header
• BSA, Basic Service Area
• BSS, Basic Service Set
• CDPD, Cellular Digital Packet Data
• CRC, Cyclic Redundancy Check
• DAP, Directory Access Protocol
• DIB, Directory Information Base
• DIT, Directory Information Tree
• DSSS, Direct Sequence Spread Spectrum
• EAP-MD5, EAP Message Digest 5
• EAP-SIM, EAP Subscriber Identity Module
• EAP-TLS, Extensible Authentication Protocol Transport Layer Security
• EAP-TTLS, Extensible Authentication Protocol Tunneled Transport Layer Security
• ESP, Encapsulating Security Payload
• ESS, Extended Service Set
• EAP, Extensible Authentication Protocol
• FAST, Flexible Authentication via Secure Tunneling
• FHSS, Frequency Hopping Spread Spectrum
• GSM, Global System for Mobile Communications
• IBSS, Independent Basic Service Set
• ISAKMP, Internet Security Association and Key Management Protocol
• IPSec, Internet Protocol Security
• L2TP, Layer 2 Tunneling Protocol
• LDAP, Lightweight Directory Access Protocol
• LEAP, Lightweight Extensible Authentication Protocol
• LCP, Link Control Protocol
• NAS, Network Access Server
• OFDM, Orthogonal Frequency Division Multiplexing
• PPP, Point to Point Protocol
• PPTP, Point to Point Tunneling Protocol
• PEAP, Protected Extensible Authentication Protocol
• PRNG, Pseudo Random Number Generator
• PSDN, Public Switched Data Network
• RADIUS, Remote Authentication Dial In User Service
• SSH, Secure Shell
• SSID, Service Set Identifier
• TKIP, Temporal Key Integrity Protocol
• TACACS, Terminal Access Controller Access Control System
• VPDN, Virtual Private Dial Up Network
• VPN, Virtual Private Network
• WPA, WiFi Protected Access
• WEP, Wired Equivalent Privacy
• WAP, Wireless Application Protocol
• WiMAX, Worldwide Interoperability for Microwave Access
• WLAN, Wireless Local Area Network
• WML, Wireless Markup Language
• WTLS, Wireless Transport Layer Security
• XOR, Exclusive Or