Remote AccessRemote AccessChapter 4Chapter 4
IEEE 802.1xIEEE 802.1x An internet standard created to perform An internet standard created to perform
authentication services for remote access authentication services for remote access to a central LAN.to a central LAN.
Simple Network Management Protocol Simple Network Management Protocol (SNMP)(SNMP) A set of protocols for managing complex A set of protocols for managing complex
networks. It works by sending messages, networks. It works by sending messages, called protocol data units (PDUs), to different called protocol data units (PDUs), to different parts of a network. An SNMP-compliant parts of a network. An SNMP-compliant device, called an “agent,” stores data about device, called an “agent,” stores data about itself in a Management Information Base (MIB) itself in a Management Information Base (MIB) and returns this data to an SNMP requester.and returns this data to an SNMP requester.
IEEE 802.1xIEEE 802.1x General TopologyGeneral Topology
IEEE 802.1xIEEE 802.1x Extensive Authentication Protocol Extensive Authentication Protocol
(EAP)(EAP) A protocol defined by IEEE 802.1x that A protocol defined by IEEE 802.1x that
supports multiple authentication supports multiple authentication methods.methods.
EAP over LAN (EAPOL)EAP over LAN (EAPOL) An encapsulation method for sending An encapsulation method for sending
EAP over a LAN environment using EAP over a LAN environment using IEEE 802 frames.IEEE 802 frames.
IEEE 802.1xIEEE 802.1x IEEE 802.1x ConversationIEEE 802.1x Conversation
IEEE 802.1xIEEE 802.1x TelnetTelnet
The standard terminal emulation The standard terminal emulation protocol within the TCP/IP protocol protocol within the TCP/IP protocol suite defined by RFC 854.suite defined by RFC 854.
Virtual Private NetworksVirtual Private Networks A remote access method that A remote access method that
secures the connection between the secures the connection between the user and the home office using user and the home office using various different authentication various different authentication mechanisms and encryption mechanisms and encryption techniques.techniques.
Virtual Private NetworksVirtual Private Networks VPN DiagramVPN Diagram
Virtual Private NetworksVirtual Private Networks VPN OptionsVPN Options
Included in MS Windows packages.Included in MS Windows packages. MS PPTP.MS PPTP. Outsource to service provider.Outsource to service provider.
Encryption does not happen until the data Encryption does not happen until the data reaches the provider’s network.reaches the provider’s network.
Virtual Private NetworksVirtual Private Networks VPN DrawbacksVPN Drawbacks
Not completely fault tolerant.Not completely fault tolerant. Diverse choices for implementing.Diverse choices for implementing. Law of diminishing returns.Law of diminishing returns.
Each incremental increase in security over Each incremental increase in security over a certain point becomes more and more a certain point becomes more and more expensive.expensive.
Remote Authentication Remote Authentication Dial-In User Service Dial-In User Service
(RADIUS)(RADIUS) Uses a model of distributed security Uses a model of distributed security
to authenticate users on a network.to authenticate users on a network. User Datagram Protocol (UDP)User Datagram Protocol (UDP)
A connectionless protocol that, like A connectionless protocol that, like TCP, runs on top of IP networks. It TCP, runs on top of IP networks. It provides very few error recovery provides very few error recovery services, offering instead a direct way services, offering instead a direct way to send and receive datagrams over an to send and receive datagrams over an IP network.IP network.
Remote Authentication Remote Authentication Dial-In User Service Dial-In User Service
(RADIUS)(RADIUS) Authentication with a RADIUS Authentication with a RADIUS
ServerServer Network Access Server (NAS)Network Access Server (NAS)
This allows access to the network.This allows access to the network. Serial Line Internet Protocol (SLIP)Serial Line Internet Protocol (SLIP)
A method of connecting to the Internet. A method of connecting to the Internet. Another more common method is PPP.Another more common method is PPP.
Remote Authentication Remote Authentication Dial-In User Service Dial-In User Service
(RADIUS)(RADIUS) AuthenticationAuthentication
Client RADIUS ServerInternet
Access request
Access accept (with exec authorization in attributes)Accounting request (start)
Accounting response to clientAccounting request (stop)
Securing Response to clientTim
e
Remote Authentication Remote Authentication Dial-In User Service Dial-In User Service
(RADIUS)(RADIUS) BenefitsBenefits
Greater security.Greater security. Scalable architecture.Scalable architecture. Open protocols.Open protocols. Future enhancements.Future enhancements.
Terminal Access Controller Terminal Access Controller Access Control System Access Control System
(TACACS+)(TACACS+) An authentication system developed An authentication system developed
by Cisco Systems.by Cisco Systems. Developed to address the need for a Developed to address the need for a
scalable solution that RADIUS did scalable solution that RADIUS did not provide.not provide.
Uses Transmission Control Protocol Uses Transmission Control Protocol (TCP)(TCP)
Offers multiple protocol supportOffers multiple protocol support
Terminal Access Controller Terminal Access Controller Access Control System Access Control System
(TACACS+)(TACACS+)Client TACACS+ ServerInternet
Start (authentication) to connect userReply (authentication) to ask client to get usernameContinue (authentication) to give server username
Reply (authentication) to ask client to get passwordContinue (authentication) to give server passwordReply (authentication) to indicate pass/fail status
Request (accounting) for service=shelResponse (authorization) to indicate pass/fail statusTi
me
Terminal Access Controller Terminal Access Controller Access Control System Access Control System
(TACACS+)(TACACS+)Client TACACS+ ServerInternet
Request (accounting) for start/execResponse (accounting) that record was received
Request (authorization) for command and command-argument
Response (authorization) to indicate pass/fail statusRequest (accounting) for command
Response (accounting) that record was receivedRequest (accounting) for stop/exec
Response (accounting) that record was receivedTim
e
Point-to-Point Tunneling Point-to-Point Tunneling Protocol (PPTP)Protocol (PPTP)
Built upon Point-to-Point Protocol (PPP) and Built upon Point-to-Point Protocol (PPP) and Transmission Control Protocol/Internet Transmission Control Protocol/Internet Protocol (TCP/IP).Protocol (TCP/IP).
HandshakingHandshaking The process by which two devices initiate The process by which two devices initiate
communications. Handshaking begins when one communications. Handshaking begins when one device sends a message to another device device sends a message to another device indicating that it wants to establish a indicating that it wants to establish a communications channel. The two devices then communications channel. The two devices then send several messages back an forth that enable send several messages back an forth that enable them to agree on a communications protocol.them to agree on a communications protocol.
Point-to-Point Tunneling Point-to-Point Tunneling Protocol (PPTP)Protocol (PPTP)
Performs the following tasks:Performs the following tasks: Queries the status of communications serversQueries the status of communications servers Provides in-band managementProvides in-band management Allocates channels and places outgoing callsAllocates channels and places outgoing calls Notifies Windows NT Server of incoming callsNotifies Windows NT Server of incoming calls Transmits and receives user data with Transmits and receives user data with
bidirectional flow controlbidirectional flow control Notifies Windows NT Server of disconnected callsNotifies Windows NT Server of disconnected calls Assures data integrity, while making the most Assures data integrity, while making the most
efficient use of network bandwidth by tightly efficient use of network bandwidth by tightly coordinating the packet flowcoordinating the packet flow
Layer 2 Tunneling Layer 2 Tunneling ProtocolProtocol
Expands PPP by allowing both Expands PPP by allowing both endpoints (layer two and PPP) to endpoints (layer two and PPP) to reside on different devices connected reside on different devices connected by a paket-switched network like the by a paket-switched network like the Internet.Internet.
Allows the processing of PPP packets Allows the processing of PPP packets to happen separately from the to happen separately from the termination of the layer two circuits.termination of the layer two circuits.
Secure Shell (SSH)Secure Shell (SSH) A program used to log on to another computer A program used to log on to another computer
over a network, to execute commands in a over a network, to execute commands in a remote machine, and to move files from one remote machine, and to move files from one machine to another.machine to another.
Uses a public key authentication method to Uses a public key authentication method to establish an encrypted and secure connection establish an encrypted and secure connection from the user’s machine to the remote machine.from the user’s machine to the remote machine.
Certificate Revocation List (CRL)Certificate Revocation List (CRL) A device used in SSH to manage certificates. A device used in SSH to manage certificates.
Certificates that are no longer valid are placed on a list Certificates that are no longer valid are placed on a list and verified by the SSH engine when authentication and verified by the SSH engine when authentication occurs.occurs.
IP Security ProtocolIP Security Protocol Internet Engineering Task Force (IETF)Internet Engineering Task Force (IETF)
The main standards organization for the The main standards organization for the Internet.Internet.
IP Security (IPSec)IP Security (IPSec) A set of protocols developed by the IETF to A set of protocols developed by the IETF to
support secure exchange of packets at the support secure exchange of packets at the IP layer. IPSec has been deployed widely IP layer. IPSec has been deployed widely to implement VPNs.to implement VPNs.
Secures Layer 3 of the OSI ModelSecures Layer 3 of the OSI Model
IP Security ProtocolIP Security Protocol Encapsulating Security Payload (ESP)Encapsulating Security Payload (ESP)
Provides a mix of security services in IPv4 and Provides a mix of security services in IPv4 and IPv6. It is used to provide confidentiality, data IPv6. It is used to provide confidentiality, data origin authentication, connectionless integrity, origin authentication, connectionless integrity, anti-replay, and limited confidentiality of the anti-replay, and limited confidentiality of the traffic flow.traffic flow.
Security Parameter Index (SPI)Security Parameter Index (SPI) An arbitrary 32-bit number used to specify to the An arbitrary 32-bit number used to specify to the
device receiving the packet not only what group of device receiving the packet not only what group of security protocols the sender is using to security protocols the sender is using to communicate, but which algorithms and keys are communicate, but which algorithms and keys are being used, and how long those keys are valid.being used, and how long those keys are valid.
IP Security ProtocolIP Security Protocol
IP Security ProtocolIP Security Protocol Payload DataPayload Data
Variable length – this is the data carried by the IP packetVariable length – this is the data carried by the IP packet PaddingPadding
0 to 255 bytes used to ensure that ciphertext terminates 0 to 255 bytes used to ensure that ciphertext terminates on a 4-byte boundaryon a 4-byte boundary
Pad LengthPad Length 8 bits – specifies the length of the payload data is padding8 bits – specifies the length of the payload data is padding
Next HeaderNext Header 8 bits – an IP protocol number describing the format of 8 bits – an IP protocol number describing the format of
the payload datathe payload data Authentication DataAuthentication Data
Variable length – optional field used by the authentication Variable length – optional field used by the authentication serviceservice
IP Security ProtocolIP Security Protocol ESP and Encryption ModelsESP and Encryption Models
ESP can use several encryption protocols. ESP can use several encryption protocols. The sender decides which ones to use.The sender decides which ones to use.
The current standard for IPSec uses HMAC The current standard for IPSec uses HMAC with Message Digest 5 (MD5).with Message Digest 5 (MD5).
Hash Message Authentication Code (HMAC)Hash Message Authentication Code (HMAC) A special algorithm defined by RFC 2104 that A special algorithm defined by RFC 2104 that
can be used in conjunction with many other can be used in conjunction with many other algorithms, such as SHA-1, within the IPSec algorithms, such as SHA-1, within the IPSec Encapsulating Security Payload.Encapsulating Security Payload.
Telecommuting Telecommuting VulnerabilitiesVulnerabilities
Problems with traditional VPNsProblems with traditional VPNs Split tunneling – client can route traffic Split tunneling – client can route traffic
simultaneously to the corporate intranet simultaneously to the corporate intranet and the Internet.and the Internet.
Sensitive information stored on remote Sensitive information stored on remote user’s hard drive.user’s hard drive.
Lack of logging when client is not Lack of logging when client is not connectedconnected
Telecommuting Telecommuting VulnerabilitiesVulnerabilities
Problems with CertificatesProblems with Certificates Compromised certificate can be used to gain Compromised certificate can be used to gain
access to machines within the security access to machines within the security perimeter.perimeter.
SOHO (small office/home office)SOHO (small office/home office) Products specifically designed to meet the needs Products specifically designed to meet the needs
of professionals who work at home or in small of professionals who work at home or in small offices.offices.
SOHO firewalls bypass the traditional perimeter SOHO firewalls bypass the traditional perimeter authentication that takes place before a remote authentication that takes place before a remote user is granted access to the internal network.user is granted access to the internal network.
Provides back-door entry for intruders.Provides back-door entry for intruders.
Telecommuting Telecommuting VulnerabilitiesVulnerabilities
Remote SessionRemote Session Data never leaves the secure intranet Data never leaves the secure intranet
perimeter.perimeter. Dangers lie in user copying data to their Dangers lie in user copying data to their
local drive or printing to a local printer.local drive or printing to a local printer. Remote SolutionsRemote Solutions
Citrix Metaframe Access SuiteCitrix Metaframe Access Suite Microsoft Terminal ServerMicrosoft Terminal Server Virtual Network ComputingVirtual Network Computing