Title: IS 3423 Secure Network Design
Slide 1: IS 3423 Secure Network Design
- Chapter Two
- Security Technologies
Slide 2: Identity of an entity is based upon
- Authentication
- Authorization
- Access Control
Slide 3: Authentication
- Process of validating the claimed identity of an end user or device (client, server, switch, router, firewall, etc.)
Slide 4: Authorization
- Process of granting access rights to a user,
group of users, or specified system
Slide 5: Access Control
- Limiting the flow of information from the
resources of a system to only the authorized
persons or systems in the network
Slide 6: A. Identity Technologies
- Primary technologies used to establish identity for a host, end-user, or both
- Secure passwords
- PPP authentication protocols
- Protocols using authentication mechanisms
Slide 7: Secure Passwords
- Easily compromised if easy to guess, changed rarely, or transmitted in clear text
- Best to encrypt passwords when transmitted
- Examples: S/Key One Time Password System (generated on hash) and token authentication systems (need proper password and token)
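An added example (not from the original slides) of the hash-chain idea behind the S/Key bullet above: the server stores only the last accepted value, each login supplies its preimage, and a captured password cannot be replayed. SHA-256, the names `chain` and `OTPServer`, and the sample secret are assumptions of this example; S/Key's own hash function and output encoding are not reproduced.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    # SHA-256 stands in for the hash function (assumption of this example).
    return hashlib.sha256(value).digest()


def chain(secret: bytes, n: int) -> bytes:
    """Return the secret hashed n times: h(h(...h(secret)))."""
    value = secret
    for _ in range(n):
        value = h(value)
    return value


class OTPServer:
    """Holds only the last accepted value of the chain, never the secret."""

    def __init__(self, stored: bytes, count: int):
        self.stored = stored  # chain(secret, count), set at enrolment
        self.count = count    # position of `stored` in the chain

    def verify(self, otp: bytes) -> bool:
        # Refuse at count 1: the next value down would be the secret itself.
        if self.count <= 1:
            return False
        # A valid password is the preimage of the stored value.
        if not hmac.compare_digest(h(otp), self.stored):
            return False
        self.stored = otp     # the accepted password becomes the new reference
        self.count -= 1
        return True


def demo():
    secret = b"constructed pass phrase" + b"constructed-seed"  # sample values
    n = 5
    server = OTPServer(chain(secret, n), n)
    first = chain(secret, n - 1)
    accepted = server.verify(first)           # fresh password
    replayed = server.verify(first)           # same password captured and reused
    followed = server.verify(chain(secret, n - 2))
    return accepted, replayed, followed, server.count


if __name__ == "__main__":
    print(demo())
```
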
Slide 8: A. PPP Authentication Controls (Point-to-Point Protocol)
- Commonly used to establish dial-in connection over serial lines or ISDN
- Standardized encapsulation of IP over PPP links
- Includes PAP (password authentication protocol), CHAP (challenge handshake authentication protocol), and EAP (extensible authentication protocol)
Slide 9: Protocols Using Authentication Mechanisms
- Examples: TACACS, RADIUS, Kerberos
- TACACS and RADIUS used in dial-up environment for authentication
- Kerberos: secret key network authentication protocol; uses DES for encryption and authentication
Slide 10: Application Layer Security Protocols
- Used as security solutions for specific applications, such as VoIP and email
- SHTTP (secure HTTP)
- S/MIME (secure MIME)
Slide 11: SHTTP
- Designed for securing messages using HTTP protocol
- Enables request and reply messages to be signed, authenticated, and/or encrypted
- Not used much; transport layer security is better
Slide 12: S/MIME Secure Multipurpose Internet Mail Extension
- For securing email
- Provides for authentication, message integrity
and non-repudiation of origin (via digital
signatures), and privacy and data security (via
encryption)
Slide 13: Transport Layer Security Protocols
- Secure the transport layer and provide methods for implementing privacy, authentication, and integrity above the transport layer
- SSL/TLS Protocol (secure socket layer/transport layer security)
- SSH (secure shell)
- SOCKS (socket security)
Slide 14: SSL/TLS Protocol (secure socket layer/transport layer security)
- Provides data encryption, server authentication,
message integrity, and optional client
authorization for a TCP/IP connection
Slide 15: SSH Secure Shell Protocol
- Protocol for secure remote login, secure file transfer, and secure forwarding of TCP/IP and X Window System traffic over an insecure network
- Can automatically encrypt, authenticate, and compress transmitted data
Slide 16: SOCKS Socket Security
- Transport layer secure networking proxy protocol
- Proxy server: computer program that resides on firewall and acts as conduit between your computer and WAN (i.e., Internet); acts as network guardian and traffic logger
- Proxy servers either support SOCKS or SSL secure tunneling
- SOCKS is a generic, byte-forwarding gateway between client and server
Slide 17: Transport Layer Security Summary
- Transport layer protocols such as SSL/TLS and SSH are widely deployed
- SSL is bundled into many web servers and is de facto standard in securing web transactions
- SSH uses public key cryptography; most often used for Telnet or FTP transactions
Slide 18: Network Layer Security
- Pertains to security services at IP layer
- IPsec (IP security protocol suite) provides authentication, integrity, and encryption
- Allows for end-to-end encryption and authentication, making TCP/IP communication secure
- Works for all network types, and is fast, economical, and efficient
- Becoming industry standard for VPN solutions
Slide 19: Network Layer Security Summary
- Depending on vendor implementations, security services can be defined based on IP address
- Can provide different security services based upon a combination of IP address, transport protocol, and application
- IPSec supports TCP or UDP
- Hides transport layer header information (if required, as in QoS, could be problematic)
Slide 20: Link Layer Security
- Deals primarily with tunnels: enables remote sites and users to securely connect to firm by using local dial-up access to the Internet
- L2F (layer 2 forwarding protocol)
- PPTP (point-to-point tunneling protocol)
- L2TP (layer 2 tunneling protocol)
Slide 21: L2F Layer 2 Forwarding Protocol
- Developed by Cisco
- Being replaced by L2TP
Slide 22: PPTP Point-to-Point Tunneling Protocol
- Initiated by Microsoft
- Client-server architecture that allows PPP to be tunneled through an IP network
- Connection-oriented
- Similar to L2F
Slide 23: L2TP Layer 2 Tunneling Protocol
- Collaboration of Cisco, Microsoft, and others
- Preferred protocol
- Provides a secure path, but does not secure the data: no encryption, authentication, or integrity services
Slide 24: Dial-Up Security Summary
- L2 protocols can greatly improve security for remote users
- Must remember that data is not secured, just the path
Slide 25: F. Public Key Infrastructure (PKI)
- Purpose: to provide trusted and efficient key and certificate management to support security protocols
Slide 26: PKI Public Key Infrastructure
- Pervasive security infrastructure whose services are implemented and delivered using public key concepts and techniques
- Most basic component is the certificate: vouches for identity of subject
- Public/private key pair is associated with the certificate
- PKI-enabled applications provide authentication, integrity of data, confidentiality, and non-repudiation security services.
Slide 27: PKI
- Manages generation and distribution of public/private key pairs
- Provides high degree of confidence that:
  - Private keys are kept secure
  - Specific public keys are truly linked to specific private keys
  - Parties holding public/private keys are who they say they are
Slide 28: Certificate Services
- Web authentication and channel privacy, such as sending credit card info across Internet
- Signed and encrypted messaging (e-mail with S/MIME)
- Signed transactions and form signing to legally bind signer to content of a contract
- NOS, host, and mainframe authentication of end users
- Remote access using digital certificate in lieu of ID and password
- VPNs: authenticate end points
- File encryption
- Software code signing: certifying updates of software
Slide 29: Certificate Revocation
- Required when a CA needs to invalidate a certificate prior to its expiration date (i.e., certificate holder fired)
- Need to revoke certificates and notify end entities of revocations
- Certificate Revocation List (CRL): want end entities aware ASAP
- If CRL issued daily, subject may have access to revoked certificate for up to 24 hours; issuing more frequently increases overhead
Slide 30: Online Certificate Status Protocol (OCSP)
- If cannot tolerate lag between revocation and application
- Real time certificate revocation checking mechanism
- Certificate not accepted until OCSP responder replies with a message confirming or denying revocation status
- Currently not widely used
Slide 31: Certificate Repositories
- Used to store and distribute certificates and CRLs
- Not required for small implementations; just use email
Slide 32: Time Stamp Authority
- Time that message is sent may be critical (financial transaction)
- Send message recipient, and message hash to TSA, which time stamps it, then sends it back to sender
- Sender and recipient must trust the TSA
Slide 33: Cross Certification
- Process whereby two or more CAs certify each other in order to establish a lateral trusted relationship.
- Entities that trust CA1 will also trust CA2 and vice-versa
Slide 34: Cross-Certification
[Figure: trust relationship between CA1 and CA2; end entities shown are Alice, Ted, Bob, and Carol]
Slide 35: Certificate Policy (CP)
- Defines what a certificate can be used for
- High level document
- Example, can be used for securing e-mail but not
for digitally signing contracts
Slide 36: Chapter 2 Review Questions
- Discuss how an entity is identified.
- Define authentication, authorization, and access control.
- Explain why secure passwords aren't very secure.
- Discuss the purpose of PPP authentication controls.
- Discuss the purpose of application layer security protocols. Discuss either SHTTP or S/MIME.
- Discuss the purpose of transport layer security protocols. Discuss one of the following: SSL/TLS, SSH, or SOCKS.
- Discuss the purpose of network layer security protocols. Describe IPSec.
- Discuss the purpose of link layer security protocols. Discuss L2TP.
- What is the purpose of PKI? Describe its major characteristics.
- What is the purpose of the CRL? Provide an example of when to utilize it.
- Why would an organization want a certificate policy (CP)?