Network guide to networks 5 th edition
Download
1 / 102

- PowerPoint PPT Presentation


  • 717 Views
  • Updated On :

Network+ Guide to Networks 5 th Edition. Network Security. Objectives. Identify security risks in LANs and WANs and design security policies that minimize risks Explain how physical security contributes to network security Discuss hardware- and design-based security techniques

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about '' - tobit


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Network guide to networks 5 th edition l.jpg

Network+ Guide to Networks5th Edition

Network Security


Objectives l.jpg
Objectives

  • Identify security risks in LANs and WANs and design security policies that minimize risks

  • Explain how physical security contributes to network security

  • Discuss hardware- and design-based security techniques

  • Understand methods of encryption, such as SSL and IPSec, that can secure data in storage and in transit


Objectives cont d l.jpg
Objectives (cont’d.)

  • Describe how popular authentication protocols, such as RADIUS, TACACS, Kerberos, PAP, CHAP, and MS-CHAP, function

  • Use network operating system techniques to provide basic security

  • Understand wireless security protocols, such as WEP, WPA, and 802.11i


Security audits l.jpg
Security Audits

  • Examine network’s security risks

    • Consider effects

  • Different organization types

    • Different network security risk levels

  • Security audit

    • Thorough network examination

      • Determine possible compromise points

    • Performed in-house

      • By IT staff

    • Performed by third party



Security risks6 l.jpg
Security Risks

  • Recognize network threats

  • Breaches caused by:

    • Network technology manipulation

    • Careless or malicious insiders

    • Undeveloped security policies

  • Security threat considerations

    • How to prevent

    • How it applies to your network

    • How it relates to other security threats


Risks associated with people l.jpg
Risks Associated with People

  • Half of all security breaches

    • Human errors, ignorance, omissions

  • Social engineering

    • Strategy to gain password

    • Phishing

      • Getting access, authentication information

      • Pose as someone needing information

      • Usually with a deceptive email


Phishing iq test l.jpg
Phishing IQ Test

  • Link Ch 12a


Risks associated with people9 l.jpg
Risks Associated with People

Attackers using social engineering or snooping to obtain passwords

Administrator incorrectly assigning user IDs and rights

Administrators overlooking security flaws

Lack of proper documentation or communication of security policies

Dishonest or disgruntled employees

Unused computers left on and connected to the network


Risks associated with people10 l.jpg
Risks Associated with People

Users choosing easily-guessed passwords

Computer room doors left open or unlocked

Discarding disks, tapes, or manuals in public trash containers

Administrators neglecting to remove accounts for employees who have left the organizations

Users posting passwords in public places, like Post-it notes, or telling other users their passwords


Risks associated with transmission and hardware l.jpg
Risks Associated with Transmission and Hardware

  • Physical, Data Link, Network layer security risks

    • Require more technical sophistication

  • Risks inherent in network hardware and design

    • Transmission interception

      • Man-in-the-middle attack

    • Eavesdropping

      • Networks connecting to Internet via leased public lines

    • Sniffing

      • Network hubs broadcasting traffic over entire segment


Risks inherent in network hardware and design cont d l.jpg
Risks inherent in network hardware and design (cont’d.)

  • Unused hub, switch, router, server physical ports not secured

  • Software ports not secured, can be found with a port scanner like nmap

  • Router attack

    • Routers not configured to drop suspicious packets


Risks inherent in network hardware and design cont d13 l.jpg
Risks inherent in network hardware and design (cont’d.)

  • Dial-in security holes

    • Modems accept incoming calls

    • Dial-in access servers not secured, monitored

  • General public computer access may be on same network as computers hosting sensitive data

  • Insecure passwords for routers, switches, and other network hardware

    • Easily guessable, default values


Risks associated with protocols and software l.jpg
Risks Associated with Protocols and Software

  • This list includes Transport, Session, Presentation, and Application layers

  • Networking protocols and software risks

    • TCP/IP security flaws

    • Trust relationships between servers

    • NOS back doors, security flaws

    • NOS allows server operators to exit to command prompt

    • Administrators default security options

    • Transactions between applications interceptable


Risks associated with internet access l.jpg
Risks Associated with Internet Access

  • Network security compromise

    • More often “from the inside”

  • Outside threats still very real

    • Web browsers permit scripts to access systems

    • Users providing information to sites


Common internet related security issues l.jpg
Common Internet-related security issues

  • Improperly configured firewall

    • Outsiders obtain internal IP addresses: IP spoofing

  • Telnets or FTP

    • Transmit user ID, password in plain text

  • Newsgroups, mailing lists, forms

    • Provide hackers user information

  • Chat session flashing

  • Denial-of-service attack

    • Floods a network with useless traffic



An effective security policy18 l.jpg
An Effective Security Policy

  • Minimizes break-in risk

    • Communicates with and manages users

  • Security policy

    • Identifies security goals, risks, authority levels, designated security coordinator, and team members

      • Team member and employee responsibilities

    • Specifies how to address security breaches

  • Not included in policy:

    • Hardware, software, architecture, and protocols

    • How hardware and software is installed and configured


Security policy goals l.jpg
Security Policy Goals

  • Ensure authorized users have appropriate resource access

  • Prevent unauthorized user access

  • Protect unauthorized sensitive data access

    • Inside and outside

  • Prevent accidental hardware and software damage

  • Prevent intentional hardware or software damage

  • Create secure environment

    • Withstand, respond to, and recover from threat

  • Communicate employee’s responsibilities


Security policy goals cont d l.jpg
Security Policy Goals (cont’d.)

  • Strategy

    • Form committee

      • Involve as many decision makers as possible

      • Assign security coordinator to drive policy creation

    • Understand risks

      • Conduct security audit

    • Address threats


Security policy content l.jpg
Security Policy Content

  • Password policy

  • Software installation policy

  • Confidential and sensitive data policy

  • Network access policy

  • Email use policy

  • Internet use policy

  • Modem and remote access policy

  • Policies for laptops and loaner machines

  • Computer room access policy

  • And more…


Security policy content22 l.jpg
Security Policy Content

Explain to users:

What they can and cannot do

How measures protect network’s security

User communication

Security newsletter

User security policy section

Define what "confidential" means to the organization


Response policy l.jpg
Response Policy

  • Security breach occurrence

    • Provide planned response

  • Identify response team members

    • Understand security policy, risks, measures in place

    • Accept role with certain responsibilities

    • Regularly rehearse defense

      • Security threat drill


Response policy cont d l.jpg
Response Policy (cont’d.)

  • Suggested team roles

    • Dispatcher

      • Person on call, first notices, alerted to problem

    • Manager

      • Coordinates resources

    • Technical support specialist

      • One focus: solve problem quickly

    • Public relations specialist

      • Official spokesperson to public

  • After problem resolution

    • Review process



Physical security26 l.jpg
Physical Security

  • Restricting physical access network components

    • At minimum

      • Only authorized personnel can access computer room

  • Consider compromise points

    • Wiring closet switches, unattended workstation, equipment room, entrance facility, and storage room

  • Locks: physical, electronic

    • Electronic access badges

    • Locks requiring entrants to punch numeric code

    • Bio-recognition access--like iris pattern or fingerprint


Physical security cont d l.jpg

Figure 12-1 Badge access security system

Physical Security (cont’d.)


Physical security cont d28 l.jpg
Physical Security (cont’d.)

  • Physical barriers

    • Gates, fences, walls, and landscaping

  • Closed-circuit TV systems monitor secured rooms

  • Surveillance cameras

    • Computer rooms, Telco rooms, supply rooms, data storage areas, and facility entrances

    • Central security office

      • Display several camera views at once

      • Switch from camera to camera

    • Video footage for investigation and prosecution


Physical security cont d29 l.jpg
Physical Security (cont’d.)

  • Security audit

    • Ask questions related to physical security checks

  • Consider losses from salvaged and discarded computers

    • Hard disk information stolen

    • Solution

      • Run specialized disk sanitizer program

      • Remove disk and use magnetic hard disk eraser

      • Pulverize or melt disk



Security in network design31 l.jpg
Security in Network Design

  • Breaches may occur due to poor LAN or WAN design

    • Address though intelligent network design

  • Preventing external LAN security breaches

    • Optimal solution

      • Do not connect to outside world

    • Realistic solution

      • Restrict access at every point where LAN connects to outside world


Router access lists l.jpg
Router Access Lists

  • Control traffic through routers

  • Routers main function

    • Examine packets, determine where to send

      • Based on Network layer addressing information

  • ACL (access control list)

    • Known as access list

    • Routers decline to forward certain packets


Router access lists cont d l.jpg
Router Access Lists (cont’d.)

  • ACL instructs router

    • Permit or deny traffic according to variables:

      • Network layer protocol (IP, ICMP)

      • Transport layer protocol (TCP, UDP)

      • Source IP address

      • Destination IP address

      • TCP, UDP port number


Router access lists cont d34 l.jpg
Router Access Lists (cont’d.)

  • Router receives packet, examines packet

    • Refers to ACL for permit, deny criteria

    • Drops packet if characteristics match

      • Flagged as deny

  • Access list statements

    • Deny all traffic from certain source addresses

    • Deny all traffic destined for TCP port 23

  • Separate ACL’s for:

    • Interfaces

    • Inbound and outbound traffic


Intrusion detection and prevention l.jpg
Intrusion Detection and Prevention

  • Provides more proactive security measure

    • Detecting suspicious network activity

  • IDS (intrusion detection system)

    • Software monitoring traffic

      • On dedicated IDS device

      • On another device performing other functions

    • Port mirroring

    • Detects many suspicious traffic patterns

      • Denial-of-service, smurf attacks


Intrusion detection and prevention cont d l.jpg
Intrusion Detection and Prevention (cont’d.)

  • DMZ (demilitarized zone)

    • Network’s protective perimeter

    • IDS sensors installed at network edges

  • IDS at DMZ drawback

    • Number of false positives logged

  • IDS can only detect and log suspicious activity

  • IDS Example: Snort


Intrusion detection and prevention cont d37 l.jpg
Intrusion Detection and Prevention (cont’d.)

  • IPS (intrusion-prevention system)

    • Reacts to suspicious activity

      • When alerted

    • Detect threat and prevent traffic from flowing to network

      • Based on originating IP address

    • Compared to firewalls

      • IPS originally designed as more comprehensive traffic analysis, protection tool

      • Differences now diminished


Intrusion detection and prevention cont d38 l.jpg

Figure 12-2 Placement of an IDS/IPS on a network

Intrusion Detection and Prevention (cont’d.)


Firewalls l.jpg
Firewalls

  • Specialized device and computer installed with specialized software

    • Selectively filters, blocks traffic between networks

    • Involves hardware, software combination

    • Resides

      • Between two interconnected private networks

      • Between private network and public network

      • Network-based firewall

        • Protects a whole network

      • Host-based firewall

        • Protects one computer


Firewalls cont d l.jpg

Figure 12-3 Placement of a firewall between a private network and the Internet

Firewalls (cont’d.)


Firewalls cont d41 l.jpg

Figure 12-4 Firewall network and the Internet

Firewalls (cont’d.)


Firewalls cont d42 l.jpg
Firewalls (cont’d.) network and the Internet

  • Packet-filtering firewall (screening firewall)

    • Simplest firewall

    • Blocks traffic into LAN

      • Examines header

    • Blocks traffic attempting to exit LAN

      • Stops spread of worms

  • Firewall default configuration

    • Block most common security threats

      • Preconfigured to accept, deny certain traffic types

    • Network administrators often customize settings


Firewalls cont d43 l.jpg
Firewalls (cont’d.) network and the Internet

  • Common packet-filtering firewall criteria

    • Source, destination IP addresses

    • Source, destination ports

    • Flags set in the IP header

    • Transmissions using UDP or ICMP protocols

    • Packet’s status as first packet in new data stream, subsequent packet

    • Packet’s status as inbound to, outbound from private network


Firewalls cont d44 l.jpg
Firewalls (cont’d.) network and the Internet

  • Port blocking

    • Prevents connection to and transmission completion through ports

  • Firewall may have more complex functions

    • Encryption

    • User authentication

    • Central management

    • Easy rule establishment

    • Filtering

      • Content-filtering firewalls, layer 7 firewalls, deep packet inspection


Firewalls cont d45 l.jpg
Firewalls (cont’d.) network and the Internet

  • Firewall may have more complex functions (cont’d.)

    • Logging, auditing capabilities

    • Protect internal LAN’s address identity

    • Monitor data stream from end to end

      • Yes: stateful firewall

      • If not: stateless firewall

  • Tailor firewall to needs

    • Consider traffic to filter (takes time)

    • Consider exceptions to rules

  • Cannot distinguish user trying to breach firewall and authorized user


Proxy servers l.jpg
Proxy Servers network and the Internet

  • Proxy service

    • Network host software application

      • Intermediary between external, internal networks

      • Screens all incoming and outgoing traffic

  • Proxy server

    • Network host running proxy service

    • Application layer gateway, application gateway, and proxy

    • Manages security at Application layer


Proxy servers cont d l.jpg
Proxy Servers (cont’d.) network and the Internet

  • Fundamental functions

    • Prevent outside world from discovering internal network the addresses

  • Improves performance

    • Caching files

  • Examples

    • Squid on Linux

    • Microsoft Internet Security and Acceleration (ISA) Server


Proxy servers cont d48 l.jpg

Figure 12-5 A proxy server used on a WAN network and the Internet

Proxy Servers (cont’d.)


Nos network operating system security l.jpg

NOS (Network Operating System) Security network and the Internet


Nos network operating system security50 l.jpg
NOS (Network Operating System) Security network and the Internet

  • Restrict user authorization

    • Access to server files and directories

    • Public rights

      • Conferred to all users

      • Very limited

    • Group users according to security levels

      • Assign additional rights


Logon restrictions l.jpg
Logon Restrictions network and the Internet

  • Additional restrictions

    • Time of day

    • Total time logged on

    • Source address

    • Unsuccessful logon attempts


Passwords l.jpg
Passwords network and the Internet

  • Choosing secure password

    • Guards against unauthorized access

    • Easy, inexpensive

  • Communicate password guidelines

    • Use security policy

    • Emphasize company financial, personnel data safety

  • Do not back down


Passwords cont d l.jpg
Passwords (cont’d.) network and the Internet

  • Tips

    • Change system default passwords

    • Do not use familiar information or dictionary words

  • Dictionary attack

    • Use long passwords

      • Letters, numbers, special characters

    • Do not write down or share

    • Change frequently

    • Do not reuse

    • Use different passwords for different applications


Password managers l.jpg
Password Managers network and the Internet

  • Save your passwords in an encrypted database

  • Much safer than reusing passwords, or remembering some series of passwords

  • Free password managers

    • KeePass

    • Password Safe


Encryption l.jpg

Encryption network and the Internet


Encryption56 l.jpg
Encryption network and the Internet

  • Use of algorithm to scramble and unscramble data

  • Purpose

    • Information privacy

  • Many encryption forms exist


Encryption cont d l.jpg
Encryption (cont’d.) network and the Internet

  • Last means of defense against data theft

  • Provides three assurances

    • Data not modified after sender transmitted it

      • Before receiver picked it up

    • Data viewed only by intended recipient

    • All data received at intended destination:

      • Truly issued by stated sender

      • Not forged by intruder


Key encryption l.jpg
Key Encryption network and the Internet

  • Popular encryption

    • Weaves key into original data’s bits

      • Generates unique data block

  • Key

    • Random string of characters

    • Longer key is better

  • Ciphertext

    • Scrambled data block

  • Brute force attack

    • Attempt to discover key

      • Trying numerous possible character combinations


Key encryption cont d l.jpg

Figure 12-6 Key encryption and decryption network and the Internet

Key Encryption (cont’d.)


Private key encryption l.jpg
Private Key Encryption network and the Internet

  • Data encrypted using single key

    • Known by sender and receiver

  • Symmetric encryption

    • Same key used during both encryption and decryption

  • DES (Data Encryption Standard)

    • Most popular private key encryption

    • IBM developed (1970s)

    • 56-bit key: secure at the time

  • Triple DES

    • Weaves 56-bit key three times


Private key encryption cont d l.jpg
Private Key Encryption (cont’d.) network and the Internet

  • AES (Advanced Encryption Standard)

    • Weaves 128, 160, 192, 256 bit keys through data multiple times

    • Uses Rijndael algorithm

      • More secure than DES

      • Much faster than Triple DES

    • Replaced DES in high security level situations

  • Private key encryption drawback

    • Sender must somehow share key with recipient


Public key encryption l.jpg
Public Key Encryption network and the Internet

  • Data encrypted using two keys

    • Private key: user knows

    • Public key: anyone may request

  • Public key server

    • Publicly accessible host

    • Freely provides users’ public keys

  • Key pair

    • Combination of public key and private key

  • Asymmetric encryption

    • Requires two different keys


Slide63 l.jpg

Figure 12-8 Public key encryption network and the Internet


Public key encryption cont d l.jpg
Public Key Encryption (cont’d.) network and the Internet

  • Diffie-Hellman (1975)

    • First public key algorithm

  • RSA

    • Most popular

    • Key creation

      • Choose two large prime numbers, multiplying together

    • May be used in conjunction with RC4

      • Weaves key with data multiple times, as computer issues data stream


Public key encryption cont d65 l.jpg
Public Key Encryption (cont’d.) network and the Internet

  • RC4

    • Key up to 2048 bits long

    • Highly secure, fast

    • E-mail, browser program use

      • Lotus Notes, Netscape

  • Digital certificate

    • Password-protected, encrypted file

    • Holds identification information

      • Public key


Public key encryption cont d66 l.jpg
Public Key Encryption (cont’d.) network and the Internet

  • CA (certificate authority)

    • Issues, maintains digital certificates

    • Example: Verisign

  • PKI (public key infrastructure)

    • Use of certificate authorities to associate public keys with certain users


Pgp pretty good privacy l.jpg
PGP (Pretty Good Privacy) network and the Internet

  • Secures e-mail transmissions

  • Developed by Phil Zimmerman (1990s)

  • Public key encryption system

    • Verifies e-mail sender authenticity

    • Encrypts e-mail data in transmission

  • Administered at MIT

  • Freely available

    • Open source and proprietary

  • Also used to encrypt storage device data


Ssl secure sockets layer l.jpg
SSL (Secure Sockets Layer) network and the Internet

  • Encrypts TCP/IP transmissions

    • Web pages, Web form data entered into Web forms

      • En route between client and server

    • Using Public key encryption technology

  • Web pages using HTTPS

    • HTTP over Secure Sockets Layer, HTTP Secure

    • Data transferred from server to client (vice versa)

      • Using SSL encryption

  • HTTPS uses TCP port 443


Ssl cont d l.jpg
SSL (cont’d.) network and the Internet

  • SSL session

    • Association between client and server

      • Defined by agreement

      • Specific set of encryption techniques

    • Created by SSL handshake protocol

    • Handshake protocol

      • Allows client and server to authenticate

  • SSL

    • Netscape originally developed it

    • IETF attempted to standardize

      • TLS (Transport Layer Security) protocol


Ssh secure shell l.jpg
SSH (Secure Shell) network and the Internet

  • Collection of protocols

  • Provides Telnet capabilities with security

  • Guards against security threats

    • Unauthorized host access

    • IP spoofing

    • Interception of data in transit

    • DNS spoofing

  • Encryption algorithm (depends on version)

    • DES, Triple DES, RSA, Kerberos


Ssh cont d l.jpg
SSH (cont’d.) network and the Internet

  • Developed by SSH Communications Security

    • Version requires license fee

  • Open source versions available: OpenSSH

  • Secure connection requires SSH running on both machines

  • Requires public and private key generation

  • Highly configurable

    • Use one of several encryption types

    • Require client password

    • Perform port forwarding


Scp secure copy and sftp secure file transfer protocol l.jpg
SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol) network and the Internet

  • SCP (Secure CoPy) utility

    • Extension to OpenSSH

    • Allows copying of files from one host to another securely

    • Replaces insecure file copy protocols (FTP)

      • Does not encrypt user names, passwords, data

  • UNIX, Linux, and Macintosh OS X operating systems

    • Include SCP utility

  • Freeware SSH programs available for Windows

    • May requires freeware SCP applications: WinSCP


Scp and sftp cont d l.jpg
SCP and SFTP (cont’d.) network and the Internet

  • SCP simple to use

  • Proprietary SSH version (SSH Communications Security)

    • Requires SFTP (Secure File Transfer Protocol) to copy files

      • Slightly different from SCP (does more than copy files)


Ipsec internet protocol security l.jpg
IPSec (Internet Protocol Security) network and the Internet

  • Defines encryption, authentication, key management

    • For TCP/IP transmissions

  • Enhancement to IPv4

  • Native IPv6 standard

  • Difference from other methods

    • Encrypts data

      • By adding security information to all IP packet headers

    • Transforms data packets

    • Operates at Network layer (Layer 3)


Ipsec cont d l.jpg
IPSec (cont’d.) network and the Internet

  • Two phase authentication

    • First phase: key management

      • Way two nodes agree on common parameters for key use

      • IKE (Internet Key Exchange) runs on UDP port 500

    • Second phase: encryption

      • AH (authentication header)

      • ESP (Encapsulating Security Payload)

  • Used with any TCP/IP transmission

    • Most commonly

      • Routers, connectivity devices in VPN context


Ipsec cont d76 l.jpg
IPSec (cont’d.) network and the Internet

  • VPN concentrator

    • Specialized device

      • Positioned at the edge of the private network

      • Establishes VPN connections

    • Authenticates VPN clients

    • Establish tunnels for VPN connections


Ipsec cont d77 l.jpg

Figure 12-9 Placement of a VPN concentrator on a WAN network and the Internet

IPSec (cont’d.)


Authentication protocols l.jpg

Authentication Protocols network and the Internet


Authentication protocols79 l.jpg
Authentication Protocols network and the Internet

  • Authentication

    • Process of verifying a user’s credentials

      • Grant user access to secured resources

  • Authentication protocols

    • Rules computers follow to accomplish authentication

  • Several authentication protocol types

    • Vary by encryption scheme

    • Steps taken to verify credentials


Radius and tacacs l.jpg
RADIUS and TACACS network and the Internet

  • Used when many users are making simultaneous dial-up connections

    • Manages user IDs and passwords

  • Defined by IETF

  • Runs over UDP

  • Provides centralized network authentication, accounting for multiple users

  • RADIUS server

    • Does not replace functions performed by remote access server


Radius and tacacs cont d l.jpg
RADIUS and TACACS (cont’d.) network and the Internet

  • RADIUS server

    • Does not replace functions performed by remote access server

    • Highly scalable

    • Used by Internet service providers

    • More secure than simple remote access solution

  • TACACS (Terminal Access Controller Access Control System)

    • Similar, earlier centralized authentication version

  • Radius and TACACS are AAA servers

    • Authentication, Authorization, and Accounting


Radius and tacacs cont d82 l.jpg

Figure 12-10 A RADIUS server providing centralized authentication

RADIUS and TACACS (cont’d.)


Pap password authentication protocol l.jpg
PAP (Password Authentication Protocol) authentication

  • PPP does not secure connections

    • Requires an authentication protocol

  • PAP (Password Authentication Protocol)

    • Operates over PPP

    • Uses two-step authentication process

    • Simple

    • Not secure

      • Sends client’s credentials in clear text


Pap cont d l.jpg

Figure 12-11 Two-step authentication used in PAP authentication

PAP (cont’d.)


Chap and ms chap l.jpg
CHAP and MS-CHAP authentication

  • Another authentication protocol

    • Operates over PPP

    • Encrypts user names, passwords

    • Uses three-way handshake

      • Requires three steps to complete authentication process

  • Benefit over PAP

    • Password never transmitted alone

    • Password never transmitted in clear text


Chap and ms chap cont d l.jpg

Figure 12-12 Three-way handshake used in CHAP authentication

CHAP and MS-CHAP (cont’d.)


Chap and ms chap cont d87 l.jpg
CHAP and MS-CHAP (cont’d.) authentication

  • MS-CHAP (Microsoft Challenge Authentication Protocol)

    • Similar authentication protocol

      • Windows-based computers

  • Potential CHAP, MS-CHAP authentication flaw

    • Eavesdropping could capture character string encrypted with password, then decrypt

    • Because it used the weak LANMAN Hashes

      • Link Ch 12e


Chap and ms chap cont d88 l.jpg
CHAP and MS-CHAP (cont’d.) authentication

  • Solution to flaw

    • MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)

      • Uses stronger encryption

      • Does not use same encryption strings for transmission, reception

      • Requires mutual authentication

  • Mutual authentication

    • Both computers verify credentials of the other

  • Examples

    • Modify dial-up connection’s for XP and Vista




Eap extensible authentication protocol l.jpg
EAP (Extensible Authentication Protocol) box

  • Another authentication protocol

    • Operates over PPP

  • Works with other encryption, authentication schemes

    • Verifies client, server credentials

  • Requires authenticator to initiate authentication process

    • Ask connected computer to verify itself

  • EAP’s advantages: flexibility


802 1x eapol l.jpg
802.1x (EAPoL) box

  • Codified by IEEE

    • Uses of one of many authentication methods plus EAP

    • Generates authentication keys

    • Grant access to a particular port

  • Primarily used with wireless networks

    • Originally designed for wired LAN

      • EAPoL (EAP over LAN)

  • Only defines process for authentication

  • Commonly used with RADIUS authentication


802 1x eapol cont d l.jpg

Figure 12-15 802.1x authentication process box

802.1x (EAPoL) (cont’d.)

  • Distinguishing feature

    • Applies to communication with a particular port


Kerberos l.jpg
Kerberos box

  • Cross-platform authentication protocol

    • Uses key encryption

      • Verifies client identity

      • Securely exchanges information after client logs on

  • Private key encryption service

  • Provides significant security advantages over simple NOS authentication


Kerberos cont d l.jpg
Kerberos (cont’d.) box

  • Terms

    • KDC (Key Distribution Center)

    • AS (authentication service)

    • Ticket

    • Principal

  • Original process Kerberos requires for client/server communication

    • Problem

      • User request separate ticket for different service

    • Solution

      • TGS (Ticket-Granting Service)



Wireless network security97 l.jpg
Wireless Network Security box

  • Susceptible to eavesdropping

    • War driving

      • Driving while scanning for wireless networks

      • Effective for obtaining private information


Wep wired equivalent privacy l.jpg
WEP (Wired Equivalent Privacy) box

  • 802.11 standard security

    • None by default

    • Access points

      • No client authentication required prior to communication

    • SSID: only item required

  • WEP

    • Uses keys

      • Authenticate network clients

      • Encrypt data in transit


Wep cont d l.jpg
WEP (cont’d.) box

  • Network key

    • Character string required to associate with access point

  • Example

    • Edit, add WEP key for wireless connection on Windows XP client

  • WEP implementations

    • First: 64-bit keys

    • Current: 128-bit, 256-bit keys

  • WEP is very insecure—it can be cracked in a few minutes



Ieee 802 11i and wpa wi fi protected access l.jpg
IEEE 802.11i and WPA (Wi-Fi Protected Access) network properties dialog box

  • 802.11i uses 802.1x (EAPoL)

    • Authenticate devices

      • Dynamically assign every transmission its own key

    • Relies on TKIP (Temporal Key Integrity Protocol)

      • Encryption key generation, management scheme

    • Uses AES encryption

  • WPA (Wi-Fi Protected Access)

    • Subset of 802.11i

    • Same authentication as 802.11i

    • Uses RC4 encryption

  • WPA and WPA-2 are reasonably secure to use


ad