
6/10/2011

Network Security

User Authentication


At the end of this lesson we will be able to explain methods of user authentication

Network+2009 Objective 6.4

What we will cover


Public Key Infrastructure (PKI)
Kerberos
Authentication Authorization Accounting (AAA)
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)


NETWORK AUTHENTICATION METHODS

In order to Secure your Network

Authentication: verify who is connecting to your network
Authorization: what they are allowed to do
Accounting: log what they have done


Usernames and passwords

Usernames
Unique identifier

Passwords
Complex passwords use lower and uppercase letters, numbers, special characters
Minimum password length

Password protection
Use different passwords
Use longer passwords
Use a combination of: a-z; A-Z; 0-9; and !@#$%^ special characters
Change frequently
Avoid reusing passwords


Strong passwords
Balance difficulty of remembering with complexity
Create from the first letter of each word in a title or phrase (pass phrase)
Mix letter cases, add numbers and special characters
Do not use personal information

Authentication factors
Something you know: password
Something you have: security token, smart card
Something you are: fingerprint, retina


One-factor authentication
Something you know: Windows logon dialog box, username and password
Something you are: fingerprint, voice, retina

Two-factor authentication
Something you know PLUS something you have, or something you are
Example: a token plus a PIN


Three-factor authentication
Something you know + something you have + something you are
A PIN, a card, and a fingerprint

Two Minute Activity
Think of scenarios where you might use one-, two-, and three-factor authentication


Public Key Encryption

Cryptography: the science of encryption

Encryption: convert to an unreadable format
Decryption: convert back to a readable format

Algorithm (cipher): procedure for encrypting or decrypting
Encryption and decryption algorithms form a pair


The simple ROT13 cipher

Keys are used to encrypt or decrypt

Symmetric: same key for encryption and decryption
Asymmetric: differing keys for encryption and decryption


Symmetric encryption in action

Public key cryptography uses two keys
Two related keys: what one encrypts, only the other can decrypt
One kept private
One shared (public)
Keys mathematically related


Asymmetric encryption in action

Public Key Cryptography Characteristics
It is mathematically difficult to derive the private key from the public key
Data encrypted with the public key can be decrypted only with the private key
Data encrypted with the private key can be decrypted only with the public key
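
The ROT13 slide and the three public-key characteristics above, as an added example that is not part of the original slides. ROT13 stands in for a symmetric cipher (one shift both encrypts and decrypts); textbook RSA with the toy primes 61 and 53 stands in for an asymmetric one, so both directions ("encrypt with public, decrypt with private" and the reverse) can be exercised. The tiny modulus is an assumption for illustration only: the last function shows that it can be factored by trial division in milliseconds, which is exactly the step that becomes "mathematically difficult" with real 2048-bit keys. Real RSA also uses padding (OAEP or PSS), which is omitted here.

```python
from math import gcd


def rot13(text: str) -> str:
    """Symmetric cipher: the same key (a shift of 13) both encrypts and
    decrypts, so rot13(rot13(x)) == x."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA with toy primes (assumption: tiny numbers for illustration).
    Returns (public, private) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi)
    return (e, n), (d, n)


def rsa_apply(key, message: int) -> int:
    """One modular exponentiation serves as both encrypt and decrypt;
    what one key of the pair does, only the other undoes."""
    exponent, n = key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, exponent, n)


def recover_private_key(public):
    """Deriving the private key means factoring n. Trial division succeeds
    here only because n is tiny; that is why real moduli are 2048 bits."""
    e, n = public
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return (pow(e, -1, (p - 1) * (q - 1)), n)
    raise ValueError("n has no small factor")


if __name__ == "__main__":
    print(rot13("Hello, World!"), "->", rot13(rot13("Hello, World!")))
    pub, priv = rsa_keypair()
    c = rsa_apply(pub, 65)       # confidentiality: anyone can encrypt to the key owner
    s = rsa_apply(priv, 65)      # origin: only the owner could have produced this
    print(c, rsa_apply(priv, c), rsa_apply(pub, s))
    print("private key recovered from public:", recover_private_key(pub) == priv)
```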


Public Key Infrastructure (PKI)

Public key infrastructure components
Certificate authority (CA)
Registration authority (RA)
Certificate server


Setup and initialization phase
Registration
Key pair generation
Certificate generation
Certificate dissemination

Administration phase
Key storage
Certificate retrieval and validation
Backup or escrow
Recovery


Cancellation and history phase
Expiration
Destruction
Suspension
Renewal
Revocation


Kerberos is a network authentication protocol
Provides secure authentication over insecure networks
Protects against eavesdropping and replay attacks
Works by issuing tickets to users who log in
Authenticates users over an open multi-platform network using a single login

Kerberos authentication process (figure)


Kerberos security weaknesses
Subject to brute force attacks
Assumes all network devices are physically secure
Compromised passwords give attackers easy access
Vulnerable to DoS attacks
Authenticating devices need to be loosely time-synchronized
Access to the AS (Authentication Server) allows an attacker to impersonate any authorized user
Authenticating device identifiers shouldn't be reused on a short-time basis

Authentication, Authorization, Accounting (AAA)


RADIUS and TACACS+ both provide Authentication, Authorization, and Accounting

RADIUS provides Authentication, Access (authorization), and Accounting on wired and wireless networks


Terminal Access Controller Access-Control System Plus (TACACS+)


802.1x - Network Access Control

Password Authentication Protocol (PAP)
PAP sends plain-text passwords over the network
Insecure
Use only as a last resort
Client sends username and password
Server responds with:
authentication-ACK (if credentials are OK)
authentication-NAK (otherwise)


Challenge Handshake Authentication Protocol (CHAP)

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAPv1
MS-CHAPv2
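
The CHAP three-way handshake as both sides would run it, added here as an example that is not part of the original slides. It follows RFC 1994: the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator recomputes the same value from its stored copy of the secret. Unlike PAP, the secret never crosses the wire, and because each challenge is consumed once a captured response cannot be replayed. The account names, the weak secret and the wordlist are constructed for the demo; the last function shows the caveat a practitioner wants: an eavesdropper with one challenge/response pair can still guess the secret offline, so CHAP does not remove the need for strong secrets.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response value = MD5(Identifier || secret || Challenge).
    The secret itself is never transmitted."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh random challenge and checks the peer's
    response against the stored secret for the claimed name."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.pending: Dict[int, bytes] = {}   # outstanding challenges by identifier
        self.next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # the identifier is a one-byte field
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        # A challenge can be answered once, so a captured response cannot be replayed.
        chal = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(ident, self.secret, challenge)


def chap_exchange(auth: ChapAuthenticator, peer: ChapPeer):
    """Run the handshake; also return what an eavesdropper would see on the wire."""
    ident, chal = auth.challenge()            # 1. Challenge
    name, resp = peer.respond(ident, chal)    # 2. Response
    ok = auth.verify(ident, name, resp)       # 3. Success / Failure
    return ok, (ident, chal, name, resp)


def crack_chap(captured, wordlist) -> Optional[bytes]:
    """Offline dictionary attack on one captured challenge/response pair:
    the reason CHAP secrets must still be long and random."""
    ident, chal, _name, resp = captured
    for candidate in wordlist:
        if chap_response(ident, candidate, chal) == resp:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo account; the secret is deliberately weak.
    auth = ChapAuthenticator({"alice": b"letmein"})
    ok, captured = chap_exchange(auth, ChapPeer("alice", b"letmein"))
    print("authenticated:", ok)
    print("replay accepted:", auth.verify(captured[0], "alice", captured[3]))
    print("offline guess:", crack_chap(captured, [b"password", b"letmein"]))
```

MS-CHAPv2 keeps the same challenge/response shape but derives the response from the NT password hash with DES, which is why it also needs to be wrapped in a protected tunnel in practice.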


Extensible Authentication Protocol (EAP)
Is a framework
Can use token cards, one-time passwords, certificates, biometrics
Runs over Data Link layers
Defines formats
LEAP
EAP-TLS
EAP-FAST

Mutual authentication
Client and server authenticate to each other
Also known as two-way authentication
Trust the other computer's digital certificate
Can block rogue services


Review
Public Key Infrastructure (PKI)
Kerberos
Authentication Authorization Accounting (AAA)
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)


Network Access Security

At the end of this lesson we will be able to explain the methods of network access security

Network+2009 Objective 6.3


What we will cover


Security Filtering
Tunneling and encryption
Remote access

SECURITY FILTERING


Access Control Lists (ACL)
Found on routers and firewalls
Controls traffic in/out of an interface
Top-down list of permissions
First match wins
No match drops the packet (implicit deny)

MAC filtering
MAC Standard Access List uses source MAC addresses
MAC Extended Access List uses source and destination MAC addresses and optional protocol type information


IP Filtering
Also known as packet filters
Permit or deny traffic based on IP address
Can sometimes also use port numbers
Called stateless filtering
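
An ACL evaluator covering the three slides above (ACLs, MAC filtering, IP/port filtering), added as an example that is not part of the original slides. It applies the rules top-down, stops at the first match and falls through to the implicit deny, and the last test shows the mistake that follows from "first match wins": reordering two rules silently changes what gets through. The rule syntax, the example ACL and the addresses are assumptions made for the demo, not any vendor's configuration language.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_ip: str = "any"             # "any" or a CIDR such as 10.0.0.0/8
    dst_ip: str = "any"
    proto: str = "any"
    dst_port: Optional[int] = None  # None matches any port
    src_mac: Optional[str] = None   # set for a MAC-filtering rule


def _ip_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match: every field the rule specifies must match the packet
    header; fields left at their defaults are wildcards."""
    if rule.src_mac is not None and rule.src_mac != (pkt.src_mac or "").lower():
        return False
    if not _ip_matches(rule.src_ip, pkt.src_ip) or not _ip_matches(rule.dst_ip, pkt.dst_ip):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Top-down evaluation: the first matching rule decides; a packet that
    matches nothing hits the implicit deny at the end of the list."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed example ACL (an assumption, not from the page): block one known-bad
# MAC, allow HTTPS to one server from anywhere, drop the rest of 192.168/16,
# then permit anything else sourced from 10/8.
EXAMPLE_ACL = [
    Rule("deny", src_mac="de:ad:be:ef:00:01"),
    Rule("permit", dst_ip="10.0.0.5/32", proto="tcp", dst_port=443),
    Rule("deny", src_ip="192.168.0.0/16"),
    Rule("permit", src_ip="10.0.0.0/8"),
]


if __name__ == "__main__":
    for pkt in [
        Packet("192.168.1.7", "10.0.0.5", "tcp", 443),
        Packet("192.168.1.7", "10.0.0.5", "tcp", 22),
        Packet("10.1.2.3", "10.0.0.9", "udp", 53),
        Packet("172.16.0.1", "10.0.0.5", "icmp"),
    ]:
        print(pkt, "->", evaluate(EXAMPLE_ACL, pkt))
```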

TUNNELING AND ENCRYPTION


What is a Virtual Private Network (VPN)
Allows information to securely tunnel through an insecure network
Secure connection to branches
Secure connection for telecommuters
Helps save WAN connection cost

VPN Protocols

PPTP
L2F
L2TP
IPSec
SSL/TLS


Types of VPNs
Remote Access
Site-to-Site
Extranet

IP Security (IPSEC) provides authentication and encryption over IP

Authentication Header (AH)
Provides data integrity and authentication services only; no encryption

Encapsulating Security Payload (ESP)
Provides encryption as well as data integrity and authentication services


IPSEC Transport and Tunneling Modes (figure: Tunnel Mode)

Secure Sockets Layer (SSL)

SSL connection process (figure)
Connection request
Secure connection required
Security capabilities
SSL session established


SSL VPN allows secure access through a standard browser

Layer 2 Tunneling Protocol (L2TP)
Supports non-TCP/IP protocols in VPNs over the Internet
A combination of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F)
Works at the Data Link layer (Layer 2)
Does not itself provide any encryption


Point to Point Tunneling Protocol (PPTP)
Uses a Generic Routing Encapsulation (GRE) session to carry the PPP frames
Tunneled PPP traffic can be authenticated with PAP, CHAP, Microsoft CHAP v1/v2 or EAP-TLS
The PPP payload is encrypted using Microsoft Point-to-Point Encryption (MPPE) when using MS-CHAPv1/v2 or EAP-TLS

PPTP versus L2TP

                 PPTP                               L2TP
Encryption       Native PPP (MPPE);                 IPsec
                 negotiations in plaintext
Authentication   PPP with PAP, CHAP, or MS-CHAP     RADIUS, TACACS+
Data protocols   IP                                 IP, IPX, SNA, NetBEUI
Port             1723 (TCP)                         1701 (UDP)


REMOTE ACCESS

Remote Access Services (RAS)
Not a protocol but a combination of hardware and software required to make a remote-access connection


Remote Desktop Protocol (RDP)
Allows connection to a computer using Microsoft's Terminal Services
Graphical desktop-sharing system
Allows remote control of a computer
Keyboard, mouse, and video are sent over the network

Remote Desktop Connection (figure)


Virtual Network Computing (VNC)
Graphical desktop-sharing system
Uses the remote frame buffer (RFB) protocol
Allows remote control of a computer
Keyboard, mouse, and video are sent over the network


Independent Computing Architecture (ICA)
Protocol designed by Citrix Systems
Allows clients with virtually any operating system to access applications on Windows servers
Typically used by Citrix's WinFrame

Point to Point Protocol (PPP)
Layer 2 protocol
Provides authentication, encryption, and compression services
Allows clients to log in remotely


Point to Point Protocol over Ethernet (PPPoE)
An extension of PPP
Encapsulates PPP frames within Ethernet frames
Allows an ISP to authenticate DSL and cable clients
PPPoE works in two stages: discovery and session
Uses end-point MAC addresses to create sessions

Summary
Security Filtering
Tunneling and encryption
Remote access


At the end of this lesson we will be able to explain the function of hardware and software security devices

Network+2009 Objective 6.1

What we will cover


Network Based Firewall
Host Based Firewall
Intrusion Detection Systems
Intrusion Prevention Systems
VPN Concentrator


Network Based Firewall: a device that protects a network
(figure: Internet - firewall - protected network)

Host Based Firewall: software that protects an individual host
(figure: Internet - host firewall - host)


Intrusion Detection Systems monitor traffic to detect attacks
(figure: untrusted network - firewall - protected network, with the IDS in parallel with the traffic)

Intrusion Prevention Systems monitor traffic to block attacks
(figure: untrusted network - firewall - IPS - protected network, with the IPS in line with the traffic)


Intrusion Detection/Prevention Systems
Network based IDS/IPS
Host based IDS/IPS

VPN Concentrator
(figure: VPN clients - Internet - firewall - VPN concentrator - internal network)


Cisco and Netgear VPN Concentrators (figure)

Review
Firewall: network based, host based
Intrusion Detection Systems: network based, host based
Intrusion Prevention Systems: network based, host based
VPN Concentrator


Firewall Features

At the end of this lesson we will be able to explain common features of a firewall

Network+2009 Objective 6.2


Agenda

Stateful vs. Stateless
Application Layer vs. Network Layer
Scanning Services
Content Filtering
Signature Identification
Zones

Stateful vs. Stateless
Stateless checks each packet individually
Does not care whether it is part of a message stream
Susceptible to DoS attacks and IP spoofing
Stateful firewall keeps track of the various data streams passing through it
Better at preventing attacks that exploit existing connections, or DoS attacks
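
The stateless/stateful difference on the same traffic, added as an example that is not part of the original slides. A stateless filter that must let inside hosts browse the web has to permit every inbound packet with source port 80, so an attacker who sets that source port can reach any internal port. The stateful version records outbound SYNs and admits only the reverse of a flow it has seen, with an idle timeout so the table does not grow without bound. The segments, addresses and the 300-second timeout are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str      # "out" = from the protected network, "in" = from the untrusted side
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    ts: int = 0         # seconds, used for the idle timeout


def stateless_decision(seg: Segment) -> str:
    """Per-packet rule with no memory: to allow web browsing it must admit
    any inbound packet from source port 80, whether or not anyone asked."""
    if seg.direction == "out":
        return "permit"
    return "permit" if seg.src_port == 80 else "deny"


class StatefulFirewall:
    """Tracks connections opened from inside and admits inbound packets only
    when they are the reverse of a flow already in the table."""

    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        self.table: Dict[Tuple[str, int, str, int], int] = {}   # flow -> last seen

    def _expire(self, now: int) -> None:
        stale = [k for k, last in self.table.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def decide(self, seg: Segment) -> str:
        self._expire(seg.ts)
        flow = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if seg.direction == "out":
            if seg.syn and not seg.ack:
                self.table[flow] = seg.ts       # new connection initiated from inside
            elif flow in self.table:
                self.table[flow] = seg.ts       # refresh an existing flow
            return "permit"
        reverse = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if reverse in self.table:
            self.table[reverse] = seg.ts        # reply to a tracked flow
            return "permit"
        return "deny"                           # unsolicited, even from source port 80


# Constructed traffic (an assumption, not from the page): a legitimate web
# fetch, an attacker probing SSH from source port 80, and a reply that arrives
# long after the flow went idle.
WEB_SYN = Segment("out", "10.0.0.7", 51000, "93.184.216.34", 80, syn=True, ts=0)
WEB_SYNACK = Segment("in", "93.184.216.34", 80, "10.0.0.7", 51000, syn=True, ack=True, ts=1)
PROBE = Segment("in", "203.0.113.9", 80, "10.0.0.7", 22, syn=True, ts=2)
LATE_REPLY = Segment("in", "93.184.216.34", 80, "10.0.0.7", 51000, ack=True, ts=1000)


def compare() -> Dict[str, Tuple[str, str]]:
    """Return {name: (stateless decision, stateful decision)} for the samples."""
    fw = StatefulFirewall()
    results = {}
    for name, seg in [("web_syn", WEB_SYN), ("web_synack", WEB_SYNACK),
                      ("probe", PROBE), ("late_reply", LATE_REPLY)]:
        results[name] = (stateless_decision(seg), fw.decide(seg))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:11s} stateless={stateless:6s} stateful={stateful}")
```

The state table is also why a stateful firewall is itself a DoS target: a SYN flood from spoofed sources fills it with half-open entries, which is what the idle timeout and per-source limits are for.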


Application Layer vs. Network Layer Firewalls

Network layer: inspects only the IP and TCP & UDP headers
Application layer: inspects the Application layer data; can handle complex protocols such as HTTP, FTP, SIP, H.323; slower

Scanning Services check incoming traffic for problems
Email: scan for malware, spam, too-large attachments
Web: scan for malware
FTP: scan for malware


Content Filtering is closely related to scanning services
Blocking traffic based on the content of the data rather than the source
Used to filter email and website access

Ways to filter content
Block attachments of a certain type, such as .exe
Bayesian probability estimating
Content-encoding
Email headers
Language
Phrases
Proximity of words to each other
URLs
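
Two of the filtering methods listed above in working form, as an added example that is not part of the original slides: the attachment-type block and "Bayesian probability estimating" done as a naive Bayes classifier over word counts. The cheap rule runs first; the classifier then scores the text and blocks above a threshold. The eight training messages, the 0.9 threshold and the blocked-extension list are constructed for the demo; a real deployment trains on thousands of labelled messages and maintains the extension policy separately.

```python
import math
import re
from collections import Counter
from typing import List, Tuple


def tokens(text: str) -> List[str]:
    return re.findall(r"[a-z0-9$]+", text.lower())


class BayesFilter:
    """Naive Bayes over word counts with add-one (Laplace) smoothing, so a word
    seen in only one class does not force the probability to exactly 0 or 1."""

    def __init__(self) -> None:
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        self.counts[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text: str) -> float:
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        total_docs = self.docs["spam"] + self.docs["ham"]
        log_score = {}
        for label in ("spam", "ham"):
            score = math.log(self.docs[label] / total_docs)          # prior
            denom = sum(self.counts[label].values()) + vocab
            for w in tokens(text):
                score += math.log((self.counts[label][w] + 1) / denom)
            log_score[label] = score
        # Turn the two log scores back into P(spam | text) without underflow.
        m = max(log_score.values())
        p_spam = math.exp(log_score["spam"] - m)
        p_ham = math.exp(log_score["ham"] - m)
        return p_spam / (p_spam + p_ham)


BLOCKED_EXTENSIONS = (".exe",)   # the page's example; extend per policy


def filter_message(flt: BayesFilter, subject: str, body: str,
                   attachments: List[str], threshold: float = 0.9) -> Tuple[str, str]:
    """Apply the cheap attachment rule first, then the Bayesian score."""
    for name in attachments:
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            return "block", f"attachment type not allowed: {name}"
    p = flt.spam_probability(subject + " " + body)
    verdict = "block" if p >= threshold else "allow"
    return verdict, f"spam probability {p:.3f}"


def trained_filter() -> BayesFilter:
    """Constructed training corpus (an assumption, not from the page)."""
    flt = BayesFilter()
    for text in [
        "congratulations you are a winner click here to claim your free prize",
        "free money click now limited offer winner",
        "claim your prize today click the link free",
        "cheap meds free shipping click here",
    ]:
        flt.train(text, "spam")
    for text in [
        "the quarterly report is attached please review before the meeting",
        "meeting moved to tuesday please update your schedule",
        "can you send the budget report by friday",
        "lunch schedule for the team meeting next week",
    ]:
        flt.train(text, "ham")
    return flt


if __name__ == "__main__":
    flt = trained_filter()
    print(filter_message(flt, "You won", "click here to claim your free prize winner", []))
    print(filter_message(flt, "Q3", "please review the report before the meeting on friday", []))
    print(filter_message(flt, "Invoice", "see attached", ["invoice.exe"]))
```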


Signature Identification - look for patterns in traffic
Similar to intrusion detection
Look for specific patterns known to be malicious
Signatures need to be updated regularly
New attacks may not be detected

Zones allow policy to be applied between groups of interfaces
(figure: a firewall with interfaces E0 to E12 grouped into an Internet Zone, DMZ Zone 1, DMZ Zone 2, Internal Zone A, Internal Zone B, and a Guest Wireless Zone)


Review
Firewall types:
Stateful vs. Stateless
Application Layer vs. Network Layer

Scanning Services
Content Filtering
Signature Identification
Zones

Device Security Issues


At the end of this lesson we will be able to explain issues that affect device security

Network+2009 Objective 6.5

What we will cover


Physical Security
Restricting Local and Remote Access
Secure methods vs. Unsecure Methods


Physical security

One common security truism is "Once you have physical access to a box, all bets are off."

Physical access control
Fences
Doors
Locks
Man-trap
Lights


Surveillance
Security guards
Guard dogs
Logging physical access to the facility
Video cameras

Activity
With your team or by yourself: identify the risks associated with physical access to systems


Restricting local and remote access

Access-Control Principles
Utilize implicit denies
Follow the least-privilege model
Separate out administrative duties
Rotate administrator jobs


Access-Control Models
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control (RBAC)

SECURE VS. UNSECURE APPLICATION PROTOCOLS


Insecure vs. Secure Protocols

Insecure          Secure replacement
Telnet, RSH       SSH
HTTP              HTTPS
SNMP v1 & v2      SNMPv3
FTP               SFTP
RCP               SCP

Review
Physical Security
Restricting Local and
Remote Access
Secure and Unsecure
Application Protocols


Security Threat Mitigation Techniques

At the end of this lesson we will be able to identify common security threats and mitigation techniques

Network+2009 Objective 6.6


What we will cover


Managing User Account and Password
Security
Security Threats
Threat Mitigation Techniques

MANAGING USER ACCOUNT AND PASSWORD SECURITY


Network Resource-Sharing Security Models
Share level security
User level security

Managing User Accounts
Add & delete accounts
Disabling accounts
Modify account authorization
Setting up anonymous accounts
Limiting connections
Renaming the maintenance account


Creating Strong Passwords

Minimum length: 6 to 8 characters

Using characters to make a strong password

Weak
Word in dictionary
Name
Date
Sequence (1234; abcd; qwert)
Same character type: only letters, only numbers, or only symbols

Strong
At least 8 characters
Combination of upper and lower case letters, numbers, and symbols
Example: B^1d&7St

Password-Management Features
Automatic Account Lockouts

Password Expiration
Password Histories


SECURITY THREATS


Malware is the term for all viruses, worms, Trojans, etc.
Computer viruses
Worms
Trojan horses
Rootkits - designed to hide the fact that a system has been compromised
Spyware
Dishonest adware
Crimeware - malware designed specifically to automate cybercrime

A computer virus is a computer program that can copy itself
Attaches itself to an executable
Copies itself to (infects) other files when the file is opened


Worms send copies of themselves to other nodes

Denial of Service (DoS) attacks try to overwhelm the network
Some botnets are estimated to have 500,000 to 10 million slaves/zombies


Smurf attack sends PINGs to a network broadcast address with the victim's address as the source
The PINGs carry the source address of the victim and the destination address of the broadcast address of the amplifying network (the figure uses the victim's own network)
Every host that answers sends its reply to the victim

Other types of DoS attacks are:
ICMP/Ping flood
Sends the victim an overwhelming number of ping packets

SYN Flood
Sends a flood of TCP SYN packets with a fake sender address

Teardrop attacks
Sends mangled IP fragments with overlapping, over-sized payloads to the target
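
Detection logic for two of the attacks above (smurf and SYN flood) run over flow records, added as an example that is not part of the original slides. A SYN flood shows up as one destination receiving many SYNs from many sources while almost none of them complete the handshake; a smurf shows up as echo requests addressed to one of our broadcast addresses, where the spoofed source is the intended victim. The flow records, the site prefixes and the thresholds are constructed for the demo; real collectors (NetFlow, sFlow, Zeek) give equivalent fields.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    info: str             # tcp flags ("S", "A") or icmp type ("echo-request", "echo-reply")
    dport: Optional[int] = None


LOCAL_NETS = ["10.0.0.0/24", "10.0.1.0/24"]   # assumed site prefixes


def build_sample_flows(include_attacks: bool = True) -> List[Flow]:
    """Constructed flow records (an assumption, not from the page): five normal
    web clients, then a SYN flood from 200 spoofed sources and a smurf aimed at
    the same server."""
    flows = []
    for i in range(5):
        client = f"10.0.0.{10 + i}"
        flows.append(Flow(i, client, "10.0.0.80", "tcp", "S", 80))
        flows.append(Flow(i, client, "10.0.0.80", "tcp", "A", 80))   # handshake completed
    if include_attacks:
        for i in range(200):
            flows.append(Flow(100, f"198.51.100.{i + 1}", "10.0.0.80", "tcp", "S", 80))
        for i in range(3):
            flows.append(Flow(200 + i, "10.0.0.80", "10.0.1.255", "icmp", "echo-request"))
    return flows


def detect_syn_flood(flows: List[Flow], min_syns: int = 100,
                     min_sources: int = 50, max_ack_ratio: float = 0.1) -> Dict[str, int]:
    """Flag a destination that receives many SYNs from many sources while
    almost none complete the handshake: half-open connections from fake senders."""
    syns: Dict[str, Counter] = defaultdict(Counter)
    acks: Counter = Counter()
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.info == "S":
            syns[f.dst][f.src] += 1
        elif f.info == "A":
            acks[f.dst] += 1
    alerts = {}
    for dst, by_src in syns.items():
        total = sum(by_src.values())
        if total >= min_syns and len(by_src) >= min_sources and acks[dst] <= total * max_ack_ratio:
            alerts[dst] = total
    return alerts


def detect_smurf(flows: List[Flow], local_nets: List[str]) -> Dict[str, int]:
    """Echo requests addressed to one of our broadcast addresses: the source is
    the victim, because every host on the segment will reply to it. The router
    fix is to drop directed broadcasts."""
    broadcasts = {str(ipaddress.ip_network(n).broadcast_address) for n in local_nets}
    victims: Counter = Counter()
    for f in flows:
        if f.proto == "icmp" and f.info == "echo-request" and f.dst in broadcasts:
            victims[f.src] += 1
    return dict(victims)


if __name__ == "__main__":
    flows = build_sample_flows()
    print("SYN flood targets:", detect_syn_flood(flows))
    print("smurf victims:", detect_smurf(flows, LOCAL_NETS))
```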


Man in the Middle
(figure: normal traffic versus man-in-the-middle)

Rogue Access Points
http://blogs.paretologic.com/malwarediaries/index.php/category/wireless-security/


Social Engineering
The act of manipulating
people into performing
actions or divulging
confidential information
Usually over the phone
Uses an invented scenario
(the pretext)

What is Phishing?
Phishing:
Creating a replica of an existing Web page in order to
fool visitors into providing Personal, Financial, or
Password information.


Official-looking email sent to fool the user into clicking a link to the phisher's web site

MITIGATION TECHNIQUES


Policies and Procedures
Security software and devices cannot stop all types of attacks

Security policies should be created

A security procedure defines how to respond to any security event

User Training
It makes no sense to create all these policies and procedures and
not train the IT staff and the users.


Patches and Updates ensure that all your machines have the latest security patches

Windows Server Update Services (WSUS)


Review
Managing User Account and Password
Security
Security Threats
Threat Mitigation Techniques
