Unit08:

Security Protocols
Overview
• Network Security
• IPSec
• VPN Protocol
• Kerberos
• Smart Cards
• Firewalls
• Proxy Servers
Network Security
• Security protocols protect a computer from attacks
• Networks and data are vulnerable to both active attacks,
in which information is altered or destroyed, and passive
attacks, in which information is monitored
• Types of Attacks :
– Altering data.
– Eavesdropping eg:sniffing
– IP/mac address spoofing eg:cheating
– Password pilfering eg:guessing
– Denial of service
– Virus
IPSec
• Based on cryptography /encryption
• ensures the privacy of network traffic as well as its authentication.
• IPSec functions at the Network layer
• The fact that IPSec is a network-layer protocol makes its services
transparent to applications
• IPSec ensures that data cannot be tampered with while it is
traversing any part of the network
IPSec
• Hands On Lab on Ipsec : gpedit.msc
• ICMP
– Authentication method:
– Keberos
– PreShared
– Certificates
VPN Protocols
• Virtual private networking is a system of creating a
private network connection that travels through a public
network
• One of the top considerations for using a VPN is to
reduce costs
• L2TP
– L2TP is a VPN protocol used along with IPSec to
ensure confidentiality of the data transmission
– PPTP Point-to-Point Tunneling Protocol courtesy of
Microsoft and Cisco’s Layer 2 Forwarding (L2F)
protocol
VPN
• Why Use L2TP Instead of PPTP
– L2TP client is included in Windows 2000 and later
operating systems
– L2TP supports both Cisco TACACS+ and Remote
Authentication Dial-In User Service (RADIUS)
authentication
– L2TP was developed to be a standard that is already
natively supported by Cisco routers and Windows
2000 servers
– offers a much higher level of security than PPTP
– L2TP offers a wider variety of protocols than PPTP—
supporting not only TCP/IP but also IPX/SPX and
Systems Network Architecture (SNA)
Secure Sockets Layer (SSL)
• SSL is a protocol that uses a public key to encrypt the
data transmitted across the Internet
• SSL runs transparently to applications, because it sits
below upper-layer applications and above the IP
• Working on behalf of upper-layer protocols, the SSL
server authenticates itself using a certificate and public
ID to an SSL-enabled client, which includes both
Netscape Navigator and Microsoft Internet Explorer Web
browsers, and others
SSL
SSL
• The SSL client ensures that the server’s certificate has
been issued by a trusted certificate authority (CA), it
authenticates itself back to the server using the same
process, and an encrypted link is created between the
two
• During the ensuing data transmission, SSL enacts a
mechanism to ensure that the data is not tampered with
before it reaches its destination
SSL is able to use several different types
of ciphers
• Data encryption standard (DES) and Triple DES.
– DES is a private key exchange that applies a 56-bit key to each 64-bit
block of data. Triple DES is the application of three DES keys in
succession.
• Key Exchange Algorithm (KEA).
– KEA enables the client and server to establish mutual keys to use in
encryption.
• Message Digest version 5 (MD5).
– This cipher creates a 128-bit message digest to validate data.
• Rivest-Shamir-Adleman (RSA).
– This is the most commonly used key exchange for SSL. It works by
multiplying two large prime numbers, and through an algorithm
determining both public and private keys. The private key does not need
to be transmitted across the Internet but is able to decrypt the data
transmitted with the public key.
• Secure Hash Algorithm (SHA).
– SHA produces a message digest of 160 bits using the SHA-1 80-bit key
to authenticate the message.
Client makes certain that the SSL server’s

certificate is issued by a trusted CA

Clients are authenticated by SSL servers
Kerberos
• Kerberos is an authentication protocol that is used to
establish trust relationships between domains and verify
the identities of users and network services
• When an entity attempts to access a Kerberos-protected
resource and provides correct authentication information,
Kerberos issues a ticket to it
• The ticket is actually a temporary certificate
• Each process requires a complex mutual authentication,
but this is completely transparent to the user
Kerberos
• Kerberos Trust Relationships
– Kerberos trust relationships
are typically transitive and
bidirectional in nature
– Wherever a Kerberos trust
exists, the users in one
domain will be able to
access resources in the
other domain as long as
the administrator has
granted those users access
Smart Cards
• A way to ensure secure authentication using a physical
key
• Smart cards contain chips to store a user’s private key
and can also store logon information
• Smart cards require Public Key Infrastructure (PKI), a
method of distributing encryption keys and certificates
Firewall
• Piece of equipment is actually a router with two interfaces—one
leading to the public network and the other to the private network
• One of the methods a firewall uses to secure the network is packet
filtering
• For packets that meet firewall rules, they are either permitted or
blocked, depending on how the rule is implemented
• Firewalls are useful for protecting the network from unauthorized
access to data
• A firewall uses an access control list for all the commands to
execute packet filters
• When implementing a new firewall, you should review every
application that must function across the firewall.
Firewall
Firewall
• Demilitarized Zones
– demilitarized zone (DMZ) is an offshoot from a firewall
– DMZ is a middle area that offers more freedom of access from
the Internet
– DMZ is to provide access to certain servers, such as a Web
server or e-mail server, yet protects your network
Proxy Servers
• For a more sophisticated and secure method of blocking and
permitting traffic, you need to use a proxy server
• A proxy server doesn’t permit traffic to pass through it between
networks
• examine each packet up to the application layer and reassemble a
new packet for the other network
• the proxy server is able to log traffic and perform audits