The answer to the question may seem simple enough because the
computer or person on the other end of the connection has to
identify him/her/itself, right?
Wrong!
[Diagram: Network A, the “private” network, connects through a router to Network B, the “public” network (the Internet).]
Virtual Private Network (VPN)
A VPN is used so that a host can traverse an insecure network
(the Internet) and become local to the remote network.
[Diagram: my host in Colorado connects across the Internet through a VPN to the secure VLAN at the Dallas corporate office; the host now appears local to the servers in the secure server room.]
SSL and SSL VPN
• Secure Sockets Layer (SSL). This security protocol was
developed by Netscape to work with its browser. It’s based
on Rivest, Shamir, and Adleman (RSA) public-key encryption
and used to enable secure Session-layer connections over
the Internet between a web browser and a web server.
[Figure 13.5: the PC sends a Connection Request to the Server, which replies with its Security Capabilities.]
L2TP and PPTP
• L2TP
– Layer 2 Tunneling Protocol (L2TP), created by the
Internet Engineering Task Force (IETF), supports non-TCP/IP
protocols in VPNs over the Internet.
– L2TP is a combination of Microsoft’s Point-to-Point
Tunneling Protocol (PPTP) and Cisco’s Layer 2
Forwarding (L2F) technologies.
• PPTP
– Point-to-Point Tunneling Protocol (PPTP) was developed jointly
by Microsoft, Lucent Technologies, 3COM, and a few
other companies.
– It is not sanctioned by the IETF.
– PPTP acts by combining an unsecured Point-to-Point
Protocol (PPP) session with a secured session using the
Generic Routing Encapsulation (GRE) protocol.
IPSec
IP Security (IPSec) was designed by the IETF for providing
authentication and encryption over the Internet.
It works at the Network layer of the OSI model (Layer 3) and
secures all applications that operate in the layers above it.
IPSec – Tunnel Mode
• In tunnel mode, the complete packet is encapsulated
within IPSec.
• ESP gives us both authentication and encryption.
• Tunnel mode is created between two endpoints, such
as two routers or two gateway servers, protecting all
traffic that goes through the tunnel.
Encryption
Encryption Standards
Data Encryption Standard (DES)
• IBM developed one of the most widely used private-key systems:
the Data Encryption Standard (DES).
– It was made a standard in 1977 by the U.S. government.
• DES uses lookup and table functions and works much faster
than public-key systems.
• DES uses 56-bit private keys.
Encryption Standards (Cont)
Advanced Encryption Standard (AES)
• The Advanced Encryption Standard (also known as
Rijndael) has been the “official” encryption standard in
the United States since 2002.
• AES has key lengths of 128, 192, or 256 bits.
• The United States government has determined that
128-bit security is adequate for things like secure
transactions and all materials deemed Secret.
• All Top Secret information must be encoded using
192- or 256-bit keys.
• The AES standard has proven amazingly difficult to
crack.
Public Key Encryption
[Diagram: the original message (milk, bread, eggs, cat food) is encrypted using User Y’s public key into ciphertext, and the ciphertext is decrypted back to the original message using User Y’s private key.]
Pretty Good Privacy (PGP)
[Diagram: PGP encryption process: the document is encrypted with a session key, the session key is encrypted with the recipient’s public key taken from the key store, and the ciphertext plus the encrypted session key are sent. Decryption process: the recipient’s private key decrypts the session key, and the session key then decrypts the ciphertext back into the document.]
RAS
[Diagram: a Remote Access Client connects to a Remote Access Server to reach Remote Resources.]
Remote Access
RDP
• Remote Desktop Protocol (RDP) allows users to connect
to a computer running Microsoft’s Terminal Services. Most
Windows-based operating systems include an RDP client.
• After establishing a connection, the user sees a terminal
window that’s basically a preconfigured window that looks
like a Windows or other operating system’s desktop.
PPP
• Point to Point Protocol (PPP) is a Layer 2 protocol that
provides authentication, encryption, and compression
services to clients logging in remotely.
PPPoE
• Point to Point Protocol over Ethernet (PPPoE) is an
extension of PPP. Its purpose is to encapsulate PPP
frames within Ethernet frames.
Remote Access
ICA
• Independent Computing Architecture (ICA) is a protocol
designed by Citrix Systems to provide communication
between servers and clients.
• Citrix’s WinFrame uses ICA to allow administrators to set up
Windows applications on a Windows-based server and then
allow clients with virtually any operating system to access
those applications.
SSH
• Designed as an alternative to command-based
utilities such as Telnet that transmit requests and responses
in clear text
• Creates a secure channel between the devices and provides
confidentiality and integrity of the data transmission. It uses
public-key cryptography to authenticate the remote
computer and allow the remote computer to authenticate the
user, if necessary.
User Account and Resource Security
• Network Resource-Sharing Security Models
– Share-Level Security
– User-Level Security
• Managing User Accounts
– Disabling Accounts
– Setting Up Anonymous Accounts
– Limiting Connections
– Renaming the Maintenance Account
• Managing Passwords
– Minimum Length
– Complexity
User-Authentication Methods
Public Key Infrastructure (PKI)
[Diagram: a Certificate Authority issues a certificate; Mike sends a message to Jeff, shown as steps 1 to 4.]
Authentication, Authorization, and Accounting (AAA)
RADIUS
• Although its name implies otherwise, Remote Authentication
Dial-In User Service (RADIUS) is not a dial-up server;
it has evolved into more of a verification service.
• RADIUS is an authentication and accounting service
used for verifying users over various types of links,
including dial-up.
• RADIUS is a client-server based authentication and
encryption service that maintains user profiles in a
central database.
• RADIUS is also used in firewalls to verify the
credentials given; if successful, access is granted.
Authentication, Authorization, and Accounting (AAA)
TACACS+
• The Terminal Access Controller Access-Control System Plus
(TACACS+) protocol is an alternative AAA method to RADIUS.
• TACACS+ separates authentication and authorization
into two profiles (RADIUS uses one profile).
• TACACS+ utilizes the connection-based TCP protocol
(RADIUS uses UDP).
• TACACS+ is considered more stable and secure than RADIUS.
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
• Challenge Handshake Authentication Protocol (CHAP) is a
secure authentication protocol because with CHAP, the
username and password never cross the wire. Instead,
both the client and server are configured with the same
text phrase that’s known as a shared secret.
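As an added example (not part of the slides), here is the CHAP challenge/response from RFC 1994 in Python, with both the authenticator and the peer side; the user name and shared secret are constructed sample data.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: the CHAP exchange from RFC 1994.
# The authenticator sends a random challenge; the peer answers with
# MD5(identifier || shared_secret || challenge). Only that hash crosses the
# wire, and a fresh challenge each time makes captured responses unreplayable.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: the CHAP Response value (RFC 1994, section 4.1)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: keeps each user's shared secret and checks responses."""

    def __init__(self, secrets: dict):
        self._secrets = secrets  # user name -> shared secret
        self._identifier = 0

    def challenge(self) -> tuple:
        """Issue a fresh (identifier, challenge) pair; never reuse a challenge."""
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(expected, response)

# Constructed sample data: one user whose secret is configured on both ends.
AUTHENTICATOR = ChapAuthenticator({"alice": b"correct horse battery staple"})

def run_exchange(peer_secret: bytes) -> bool:
    """One full exchange for 'alice' using whatever secret the peer holds."""
    ident, chal = AUTHENTICATOR.challenge()
    resp = chap_response(ident, peer_secret, chal)
    return AUTHENTICATOR.verify("alice", ident, chal, resp)

def replay_is_rejected() -> bool:
    """A response captured for one challenge fails against the next one."""
    ident1, chal1 = AUTHENTICATOR.challenge()
    captured = chap_response(ident1, b"correct horse battery staple", chal1)
    ident2, chal2 = AUTHENTICATOR.challenge()
    return not AUTHENTICATOR.verify("alice", ident2, chal2, captured)
```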
Other AAA
MS-CHAP
• Microsoft has its own variation of CHAP known as Microsoft
Challenge Handshake Authentication Protocol (MS-CHAP).
• Unlike CHAP, which requires the shared secret to be stored
locally in clear text, MS-CHAP encrypts the secret locally.
• MS-CHAP version 2 is capable of mutual authentication so
that the client can be sure the server is legitimate as well.
• Summary
• Exam Essentials Section
• Written Labs
• Review Questions