
Lecture Security+ Certification: Chapter 4 - Athena Center


Document information: 54 pages, 745.92 KB

Contents

Chapter 4 - Remote access. Objectives in this chapter: Understand implications of IEEE 802.1x and how it is used, understand VPN technology and its uses for securing remote access to networks, understand how RADIUS authentication works, understand how TACACS+ operates, understand how PPTP works and when it is used,...

Page 1

Chapter 4

Remote Access

Page 2

Objectives in this chapter

• Understand implications of IEEE 802.1x and how it is used
• Understand VPN technology and its uses for securing remote access to networks
• Understand how RADIUS authentication works
• Understand how TACACS+ operates
• Understand how PPTP works and when it is used

Page 4

IEEE 802.1x

• The number of users needing access to networks from remote locations is increasing, along with the associated security issues
• The need to identify who is trying to access a specific port on a network has led to the development of the 802.1x standard

Page 5

IEEE 802.1x

• 802.1x is an internet standard created to perform authentication services for remote access to a central LAN
• 802.1x specifies a protocol for transmission between devices accessing the LAN, as well as protocol requirements between an authenticator and an authentication server

ATHENA

Page 7

802.1x Terminology

• Authenticator - The entity that requires the entity on the other end of the link to be authenticated.
• Supplicant - The entity being authenticated by the Authenticator and desiring access to the services of the Authenticator.
• Port Access Entity (PAE) - The protocol entity associated with a port. May support the functionality of Authenticator, Supplicant or both.
• Authentication Server - An entity providing authentication service to the Authenticator.

Page 8

802.1x General Topology

Page 10

• Standard terminal emulation protocol within the TCP/IP protocol suite, defined by RFC 854
• Utilizes UDP port 23 to communicate
• Allows users to log on to remote networks and use resources as if locally connected

Page 11

• Username and password are sent in cleartext from the client to the telnet server (can be sniffed)
• Telnet is one of the ways you can manage routers and switches (remote management)

Page 12

Controlling Telnet Access to Routers and Switches

• Assign an enable password as the initial line of defense
• Use access lists that define who has access to what resources based on specific IP addresses
• Use a firewall that can filter traffic based on ports, IP addresses, etc.
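The three controls on this slide can be checked mechanically. The following is an added example, not part of the Athena slides or any vendor tool: a small Python audit that reads a Cisco IOS-style configuration and reports whether an enable secret is set, whether each vty line is restricted with an access-class, and whether Telnet is still an allowed transport. The sample configuration, the ACL name MGMT-HOSTS and the function names are constructed for the example; the enable secret hash is a labelled placeholder.

```python
import re

# Constructed sample configuration in Cisco IOS-like syntax (not from the slides).
# The enable secret hash is a placeholder, not a real credential.
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
ip access-list standard MGMT-HOSTS
 permit 10.0.10.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input telnet
 login local
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""


def parse_vty_lines(config):
    """Collect the settings under each 'line vty ...' block.

    Returns {block_name: {"access_class": str | None, "transport": set}}.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = {"access_class": None, "transport": set()}
        elif raw.startswith(" ") and current is not None:
            stripped = raw.strip()
            m = re.match(r"access-class (\S+) in$", stripped)
            if m:
                blocks[current]["access_class"] = m.group(1)
            m = re.match(r"transport input (.+)$", stripped)
            if m:
                blocks[current]["transport"] = set(m.group(1).split())
        else:
            current = None  # any other top-level command ends the vty block
    return blocks


def audit_remote_management(config):
    """Return a list of findings; an empty list means all three controls are present."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret' configured: first line of defense is missing")
    defined_acls = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    for name, s in parse_vty_lines(config).items():
        if s["access_class"] is None:
            findings.append(f"{name}: no access-class, so any source IP may attempt to log in")
        elif s["access_class"] not in defined_acls:
            findings.append(f"{name}: access-class {s['access_class']} refers to an undefined ACL")
        if s["transport"] & {"telnet", "all"}:
            findings.append(f"{name}: Telnet enabled, so credentials cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_management(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the audit flags only the first vty block: it has no access-class and still accepts Telnet, while lines 5-15 are restricted to the management ACL and SSH only. The firewall control from the slide is outside the device configuration and is not checked here.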

Page 13

Virtual Private Network

• A virtual private network (VPN) is an encrypted connection that is carried across a shared public network in a manner that makes it appear to be a dedicated and secure link between two cooperating nodes

Page 14

Virtual Private Network

• Secures the connection between user and home office using authentication mechanisms and encryption techniques
  ◦ Encrypts data in both directions
• Uses two technologies (currently)
  ◦ IPSec
  ◦ PPTP
  ◦ SSL (new)

Page 15

VPN Diagram


Page 18

• Tunneling requires three different protocols:
  ◦ Carrier Protocol - The protocol used by the network (IP on the Internet) that the information is traveling over
  ◦ The protocol (PPTP, L2TP, IPSec, Secure Shell [SSH]) that is wrapped around the original data
  ◦ The original data being carried

Page 19

VPN Options

• Install/configure the client computer to initiate the necessary security communications all the way to your network
• Outsource the VPN to a service provider
  ◦ Encryption does not happen until data reaches the provider's network

Page 20

Site-to-Site VPN

Page 21

Remote Access VPN

Page 22

Service Provider Tunneling

Remote Authentication Dial-in User Service (RADIUS)

 Provides a client/server security system

 Uses distributed security to authenticate users

on a network

 Includes two pieces

• Authentication server

• Client protocols

 Authenticates users through a series of

communications between client and serverusing UDP

ATHENA

 Provides a client/server security system

 Uses distributed security to authenticate users

on a network

 Includes two pieces

• Authentication server

• Client protocols

 Authenticates users through a series of

communications between client and serverusing UDP

Page 24

Remote Authentication Dial-in User Service (RADIUS)

• RADIUS is the most popular of all the access control, authentication, and auditing (AAA) servers
• An RAS must be able to authenticate a user, authorize the authenticated user to perform specified functions, and log (account for) the actions of users for the duration of the connection

Page 25

Remote Authentication Dial-in User

• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)

Page 26

Authenticating with a RADIUS Server
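The exchange the diagram on this slide shows (RADIUS client, such as an 802.1x authenticator or RAS, sending an Access-Request over UDP and receiving Access-Accept or Access-Reject) is written out below as an added example; it is not code from the Athena slides. It follows RFC 2865: the User-Password attribute is hidden for PAP by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator, CHAP sends only MD5(id + password + challenge), and the server's reply carries a Response Authenticator that the client verifies before trusting the code. The shared secret, the one-entry user database, the identifier values and all function names are constructed for the example; the packets are built in memory rather than sent over a socket.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example: a fixed shared secret and a one-user
# database. Real deployments use a long random secret per NAS.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {b"alice": b"correct horse"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def hide_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Server-side inverse of hide_user_password (NUL padding stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1) Value for each attribute."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) binds the reply to the request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(packet, secret):
    """Minimal RADIUS server: verify PAP or CHAP credentials, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    user, ok = attrs.get(USER_NAME), False
    if code == ACCESS_REQUEST and USER_PASSWORD in attrs:
        ok = reveal_user_password(attrs[USER_PASSWORD], secret, request_auth) == USER_DB.get(user)
    elif code == ACCESS_REQUEST and CHAP_PASSWORD in attrs:
        chap_id, digest = attrs[CHAP_PASSWORD][:1], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, request_auth)  # Request Authenticator if no CHAP-Challenge
        expected = hashlib.md5(chap_id + USER_DB.get(user, b"") + challenge).digest()
        ok = hmac.compare_digest(digest, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_auth = response_authenticator(reply_code, ident, request_auth, [], secret)
    return build_packet(reply_code, ident, reply_auth, [])


def nas_check_reply(reply, request_auth, secret):
    """Client side: trust a reply only if its Response Authenticator verifies."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def pap_login(user, password, secret=SHARED_SECRET):
    """PAP: the client sends the hidden password; the server decodes and compares it."""
    request_auth = os.urandom(16)
    hidden = hide_user_password(password, secret, request_auth)
    req = build_packet(ACCESS_REQUEST, 7, request_auth, [(USER_NAME, user), (USER_PASSWORD, hidden)])
    reply = server_handle(req, secret)
    return nas_check_reply(reply, request_auth, secret) and reply[0] == ACCESS_ACCEPT


def chap_login(user, password, secret=SHARED_SECRET):
    """CHAP: the password never crosses the wire, only MD5(id + password + challenge)."""
    request_auth = os.urandom(16)  # doubles as the 16-byte CHAP challenge here
    chap_id = b"\x01"
    chap_resp = chap_id + hashlib.md5(chap_id + password + request_auth).digest()
    req = build_packet(ACCESS_REQUEST, 8, request_auth, [(USER_NAME, user), (CHAP_PASSWORD, chap_resp)])
    reply = server_handle(req, secret)
    return nas_check_reply(reply, request_auth, secret) and reply[0] == ACCESS_ACCEPT
```

Two points the code makes concrete: with PAP the server still ends up holding the cleartext password (only the hop between client and server is hidden, and only by the shared secret), while with CHAP the server needs the stored password to recompute the hash, so the credential store must be protected on the server side. Because a Response Authenticator is a hash that includes the secret, a reply whose code byte is changed from Reject to Accept in transit fails verification at the client.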

Page 27

of RADIUS

• Certain "flavors" of RADIUS servers and Web servers can be compromised by buffer overflow attacks. A buffer overflow attack occurs when a buffer is flooded with more information than it can hold. The extra data overflows into other buffers, which may be accessible to hackers

Page 28

Terminal Access Controller Access Control System (TACACS+)

• Authentication protocol developed by Cisco
• Uses TCP – a connection-oriented transmission – instead of UDP
• Offers a separate acknowledgement that a request has been received, regardless of the speed of the authentication mechanism
• Provides immediate indication of a crashed server

Page 29

Terminal Access Controller Access Control System (TACACS)

• TACACS is also used in authenticating remote users
• TACACS has gone through three major "generations": TACACS, XTACACS, and TACACS+

Page 30

Terminal Access Controller Access Control System (TACACS)

• TACACS offers authentication and authorization; it does not offer any accounting tools
• TACACS utilized the User Datagram Protocol (UDP) to handle communications

Page 31

• Cisco decided to develop a proprietary version of TACACS known as TACACS+. The driving factor behind TACACS+ was to offer networking professionals the ability to manage all remote access components from a centralized location
• TACACS+ is also credited with separating the AAA functions
• TACACS+ uses TCP

Page 32

of TACACS+

• One of the biggest complaints regarding TACACS+ is that it does not offer protection against replay attacks. Replay attacks occur when a hacker intercepts an encrypted packet and impersonates the client using the information obtained from the decrypted packet

Page 33

Other common weaknesses of TACACS+ include:

• The session ID space is not very large; therefore, it is reasonable that two users could have the same session ID
• It can fall victim to buffer overflow attacks
• Packet Sniffing - The length of passwords can be easily determined by "sniffing" a network
• Accounting records can be altered during transmission because the accounting data is not encrypted during transport
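To make the session ID and transport-protection points concrete, the following added example (not from the Athena slides or from Cisco) builds and parses TACACS+ packets according to the header and body obfuscation rules of RFC 8907: the 12-byte header carries a 32-bit session ID, and the body is XORed with a keystream of chained MD5 digests over session ID, shared key, version and sequence number. It shows that the keystream is only an obfuscation with no integrity check, so a byte flipped in transit decodes to a changed (not rejected) accounting record, and it demonstrates one receiver-side hardening choice, refusing packets that set the unencrypted flag. The shared key, the simplified accounting body and the function names are constructed for the example.

```python
import hashlib
import struct

# Header layout, RFC 8907 section 4.1: version, type, seq_no, flags, session_id, length.
HEADER_FMT, HEADER_LEN = "!BBBBII", 12
TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03             # accounting packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, version, seq_no, session_id):
    """XOR the body with the pseudo pad; applying it again to the output decodes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    """Sender side: header plus obfuscated body (or cleartext body if the flag is set)."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, key, TAC_PLUS_VERSION, seq_no, session_id)


def parse_packet(packet, key):
    """Receiver side. Returns the decoded fields, or None when the packet is refused.
    Refusing the unencrypted flag is an assumed hardening policy, not something the slides state."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return None
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "body": obfuscate(body, key, version, seq_no, session_id)}


def flip_bits_in_transit(packet, body_offset, mask):
    """Model an on-path modification of one obfuscated body byte."""
    i = HEADER_LEN + body_offset
    return packet[:i] + bytes([packet[i] ^ mask]) + packet[i + 1:]


# Constructed, simplified accounting body (real bodies carry binary length fields).
SAMPLE_BODY = b"acct start user=alice cmd=show running-config"
SAMPLE_KEY = b"example-shared-key"   # placeholder shared key for the example


if __name__ == "__main__":
    pkt = build_packet(TAC_PLUS_ACCT, 1, 0x1234ABCD, SAMPLE_BODY, SAMPLE_KEY)
    print("decoded:", parse_packet(pkt, SAMPLE_KEY)["body"])
    altered = flip_bits_in_transit(pkt, SAMPLE_BODY.index(b"alice"), 0x01)
    print("after one flipped bit:", parse_packet(altered, SAMPLE_KEY)["body"])
```

Because the keystream depends on the session ID and the sequence number, the same body obfuscates differently in another session or at another position in the exchange; but since nothing in the packet authenticates the body, the receiver cannot tell a modified record from a genuine one, which is why the accounting stream should additionally run over a protected transport.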

Page 35

Advantages of TACACS+ over RADIUS

• Addresses the need for a scalable solution
• Separates authentication, authorization, and accounting
• Offers multiple protocol support
• Considered to be more secure than RADIUS, but less used due to its being proprietary

Page 36

• There are several standard tunneling protocol technologies in use today
• Two of the most popular are PPTP and L2TP, which are Layer 2 (Data Link Layer) encapsulation (tunneling) protocols using ports
• PPTP uses TCP and L2TP uses UDP.

Page 37

Point-to-Point Tunneling Protocol (PPTP)

• PPTP establishes point-to-point connections between two computers by encapsulating the PPP packets being sent.
• PPTP encrypts the data being transmitted, but does not encrypt the information being exchanged during negotiation. In Microsoft implementations, the Microsoft Point-to-Point Encryption (MPPE) protocol is used to encrypt the data.
• PPTP is protocol-restrictive, meaning it will only work over IP networks
• PPTP cannot use the added benefit of IPSec
• A Microsoft development

Page 39

The differences between PPTP and L2TP

• L2TP requires IPSec in order to offer encryption.
• L2TP offers RADIUS and TACACS+, where PPTP does not.
• L2TP is often implemented as a hardware solution, where PPTP is not.
• L2TP can run on top of protocols such as IP, IPX, and SNA, where PPTP can work only on IP networks.
• Using L2TP with IPSec provides per-packet data origin authentication (proof that the data was sent by an authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without an encryption key).
• L2TP/IPSec connections require two levels of authentication: computer-level authentication using certificates or pre-shared keys for IPSec sessions, and user-level authentication using a PPP authentication protocol for the L2TP tunnel.

Page 40

Some advantages of the L2TP/IPSec combination over PPTP are

• IPSec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality. In contrast, PPTP only provides per-packet data confidentiality.
• L2TP/IPSec connections require two levels of authentication: computer-level authentication and user-level authentication. PPP frames exchanged during user-level authentication are never sent unencrypted because the PPP connection process for L2TP/IPSec occurs after the IPSec security association (SA) is established.

Posted: 30/01/2020, 10:55
