IS 3423 Secure Network Design - PowerPoint PPT Presentation

Slides: 37
Provided by: Jan32

1
IS 3423 Secure Network Design
  • Chapter Two
  • Security Technologies

2
Identity of an entity is based upon
  • Authentication
  • Authorization
  • Access Control

3
Authentication
  • Process of validating the claimed identity of an
    end user or device (client, server, switch,
    router, firewall, etc.)

4
Authorization
  • Process of granting access rights to a user,
    group of users, or specified system

5
Access Control
  • Limiting the flow of information from the
    resources of a system to only the authorized
    persons or systems in the network

6
A. Identity Technologies
  • Primary technologies used to establish identity
    for a host, end-user, or both
  • Secure passwords
  • PPP authentication protocols
  • Protocols using authentication mechanisms

7
Secure Passwords
  • Easily compromised if easy to guess, changed
    rarely, or transmitted in clear text
  • Best to encrypt passwords when transmitted
  • Examples: S/Key One-Time Password System
    (generated from a hash) and token authentication
    systems (need proper password and token)
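
The hash-chain idea behind S/Key one-time passwords, as an added example that is not part of the original slides. It assumes SHA-256 as the hash (the original S/Key used a different, older hash) and a constructed secret; `hash_chain`, `OtpServer` and `demo` are hypothetical names.

```python
import hashlib
import hmac


def hash_chain(secret: bytes, count: int) -> bytes:
    """Apply the hash `count` times to the secret (SHA-256 is an assumption)."""
    value = secret
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Stores only the last accepted value, never the user's secret."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial        # H^count(secret), set at enrolment
        self.remaining = count - 1   # stop before the secret itself would be sent

    def verify(self, otp: bytes) -> bool:
        if self.remaining == 0:
            return False             # chain used up: user must re-enrol
        # A valid OTP is the pre-image of the stored value: H(otp) == stored.
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), self.stored):
            return False
        self.stored = otp            # the next login must present H(otp)'s pre-image
        self.remaining -= 1
        return True


def demo() -> list:
    secret = b"constructed passphrase and seed"   # sample value, never transmitted
    n = 5
    server = OtpServer(hash_chain(secret, n), n)
    first = hash_chain(secret, n - 1)
    results = [server.verify(first)]              # first login succeeds
    results.append(server.verify(first))          # replay of a captured OTP fails
    results.append(server.verify(hash_chain(secret, n - 2)))  # next OTP succeeds
    return results


if __name__ == "__main__":
    print(demo())
```

A password captured in clear text is useless for the next login, because the server now expects a value that can only be computed by someone who knows the secret.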

8
A. PPP Authentication Controls (Point-to-Point
Protocol)
  • Commonly used to establish dial-in connection
    over serial lines or ISDN
  • Standardized encapsulation of IP over PPP links
  • Includes PAP (password authentication protocol),
    CHAP (challenge handshake authentication protocol),
    and EAP (extensible authentication protocol)

9
Protocols Using Authentication Mechanisms
  • Examples: TACACS, RADIUS, Kerberos
  • TACACS and RADIUS used in dial-up environment
    for authentication
  • Kerberos: secret key network authentication
    protocol; uses DES for encryption and
    authentication

10
Application Layer Security Protocols
  • Used as security solutions for specific
    applications, such as VOIP and email
  • SHTTP (secure HTTP)
  • S/MIME (secure MIME)

11
SHTTP
  • Designed for securing messages using HTTP
    protocol
  • Enables request and reply messages to be signed,
    authenticated, and/or encrypted
  • Not used much; transport layer security is
    better

12
S/MIME Secure Multipurpose Internet Mail
Extension
  • For securing email
  • Provides for authentication, message integrity
    and non-repudiation of origin (via digital
    signatures), and privacy and data security (via
    encryption)

13
Transport Layer Security Protocols
  • Secure the transport layer and provide methods
    for implementing privacy, authentication, and
    integrity above the transport layer
  • SSL/TLS Protocol (secure socket layer/transport
    layer security)
  • SSH (secure shell)
  • SOCKS (socket security)

14
SSL/TLS Protocol (secure socket layer/transport
layer security)
  • Provides data encryption, server authentication,
    message integrity, and optional client
    authorization for a TCP/IP connection

15
SSH Secure Shell Protocol
  • Protocol for secure remote login, secure file
    transfer, and secure forwarding of TCP/IP and X
    Window System traffic over an insecure network
  • Can automatically encrypt, authenticate, and
    compress transmitted data

16
SOCKS Socket Security
  • Transport layer secure networking proxy protocol
  • Proxy server: computer program that resides on
    firewall and acts as conduit between your
    computer and WAN (i.e. Internet); acts as
    network guardian and traffic logger
  • Proxy servers either support SOCKS or SSL secure
    tunneling
  • SOCKS is a generic, byte-forwarding gateway
    between client and server

17
Transport Layer Security Summary
  • Transport layer protocols such as SSL/TLS and SSH
    are widely deployed
  • SSL is bundled into many web servers and is de
    facto standard in securing web transactions
  • SSH uses public key cryptography - most often
    used for Telnet or FTP transactions

18
Network Layer Security
  • Pertains to security services at IP layer
  • IPsec (IP security protocol suite) provides
    authentication, integrity, and encryption
  • Allows for end-to-end encryption and
    authentication, making TCP/IP communication secure
  • Works for all network types, and is fast,
    economical, and efficient
  • Becoming industry standard for VPN solutions

19
Network Layer Security Summary
  • Depending on vendor implementations, security
    services can be defined based on IP address
  • Can provide different security services based
    upon a combination of IP address, transport
    protocol, and application
  • IPSec supports TCP or UDP
  • Hides transport layer header information (if
    required, as in QoS, could be problematic)

20
Link Layer Security
  • Deals primarily with tunnels; enables remote
    sites and users to securely connect to firm by
    using local dial-up access to the internet
  • L2F (layer 2 forwarding protocol)
  • PPTP (point-to-point tunneling protocol)
  • L2TP (layer 2 tunneling protocol)

21
L2F Layer 2 Forwarding Protocol
  • Developed by Cisco
  • Being replaced by L2TP

22
PPTP Point-to-Point Tunneling Protocol
  • Initiated by Microsoft
  • Client-server architecture that allows PPP to be
    tunneled through an IP network
  • Connection-oriented
  • Similar to L2F

23
L2TP Layer 2 Tunneling Protocol
  • Collaboration of Cisco, Microsoft, and others
  • Preferred protocol
  • Provides a secure path, but does not secure the
    data: no encryption, authentication, or
    integrity services

24
Dial-Up Security Summary
  • L2 protocols can greatly improve security for
    remote users
  • Must remember that data is not secured, just the
    path

25
F. Public Key Infrastructure (PKI)
  • Purpose: to provide trusted and efficient key and
    certificate management to support security
    protocols

26
PKI Public Key Infrastructure
  • Pervasive security infrastructure whose services
    are implemented and delivered using public key
    concepts and techniques
  • Most basic component is the certificate, which
    vouches for identity of subject
  • Public/private key pair is associated with the
    certificate
  • PKI-enabled applications provide authentication,
    integrity of data, confidentiality, and
    non-repudiation security services.

27
PKI
  • Manages generation and distribution of
    public/private key pairs
  • Provides high degree of confidence that:
      • Private keys are kept secure
      • Specific public keys are truly linked to specific
        private keys
      • Parties holding public/private keys are who they
        say they are

28
Certificate Services
  • Web authentication and channel privacy such as
    sending credit card info across Internet
  • Signed and encrypted messaging (e-mail with
    S/MIME)
  • Signed transactions and form signing to legally
    bind signer to content of a contract
  • NOS, host, and mainframe authentication of end
    users
  • Remote access using digital certificate in lieu
    of ID and password
  • VPNs: authenticate end points
  • File encryption
  • Software code signing: certifying updates of
    software

29
Certificate Revocation
  • Required when a CA needs to invalidate a
    certificate prior to its expiration date (e.g.
    certificate holder fired)
  • Need to revoke certificates and notify end
    entities of revocations
  • Certificate Revocation List (CRL): want end
    entities aware ASAP
  • If CRL issued daily, subject may have access to
    revoked certificate for up to 24 hours; issuing
    more frequently increases overhead

30
Online Certificate Status Protocol (OCSP)
  • Used if lag between revocation and application
    cannot be tolerated
  • Real time certificate revocation checking
    mechanism
  • Certificate not accepted until OCSP responder
    replies with a message confirming or denying
    revocation status
  • Currently not widely used
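
The revocation lag described on the Certificate Revocation and OCSP slides, modelled as an added example that is not part of the original slides. Time is counted in whole hours, the serial number is constructed, and `Ca`, `Crl`, `accept_with_crl`, `accept_with_ocsp` and `timeline` are hypothetical names; the responder is reduced to a lookup of live CA state.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Crl:
    this_update: int      # hour the CRL was issued
    next_update: int      # hour the next CRL is due
    revoked: frozenset    # serial numbers revoked as of this_update


@dataclass
class Ca:
    crl_interval: int = 24                           # hours: "CRL issued daily"
    revocations: dict = field(default_factory=dict)  # serial -> hour revoked

    def revoke(self, serial: int, now: int) -> None:
        self.revocations.setdefault(serial, now)

    def publish_crl(self, now: int) -> Crl:
        return Crl(now, now + self.crl_interval, frozenset(self.revocations))

    def ocsp_status(self, serial: int) -> str:
        # Answered from live CA state, so there is no publication lag.
        return "revoked" if serial in self.revocations else "good"


def accept_with_crl(crl: Crl, serial: int, now: int) -> bool:
    if now >= crl.next_update:
        return False      # stale CRL: fail closed rather than trust it
    return serial not in crl.revoked


def accept_with_ocsp(ca: Ca, serial: int) -> bool:
    return ca.ocsp_status(serial) == "good"


def timeline() -> dict:
    ca, serial = Ca(), 0x1001      # constructed serial number
    crl = ca.publish_crl(now=0)    # relying party caches the hour-0 CRL
    ca.revoke(serial, now=3)       # e.g. certificate holder fired at hour 3
    out = {
        "crl_hour_10": accept_with_crl(crl, serial, now=10),
        "ocsp_hour_10": accept_with_ocsp(ca, serial),
        "exposure_hours": crl.next_update - ca.revocations[serial],
        "stale_crl_hour_30": accept_with_crl(crl, serial, now=30),
    }
    crl = ca.publish_crl(now=24)   # the next daily CRL carries the revocation
    out["crl_hour_25"] = accept_with_crl(crl, serial, now=25)
    return out
```

At hour 10 the cached CRL still accepts the revoked certificate while the live status check rejects it; the exposure shrinks only if the CRL interval does.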

31
Certificate Repositories
  • Used to store and distribute certificates and
    CRLs
  • Not required for small implementations; just use
    email

32
Time Stamp Authority
  • Time that message is sent may be critical
    (financial transaction)
  • Send message recipient, and message hash to TSA,
    which time stamps it, then sends it back to
    sender
  • Sender and recipient must trust the TSA

33
Cross Certification
  • Process whereby two or more CAs certify each
    other in order to establish a lateral trusted
    relationship.
  • Entities that trust CA1 will also trust CA2 and
    vice-versa

34
Cross-Certification
  • [Diagram: trust relationship between CA1 and CA2;
    end entities shown: Alice, Ted, Bob, Carol]

35
Certificate Policy (CP)
  • Defines what a certificate can be used for
  • High level document
  • Example, can be used for securing e-mail but not
    for digitally signing contracts

36
Chapter 2 Review Questions
  • Discuss how an entity is identified.
  • Define authentication, authorization, and access
    control.
  • Explain why secure passwords aren't very secure.
  • Discuss the purpose of PPP authentication
    controls.
  • Discuss the purpose of application layer security
    protocols. Discuss either SHTTP or S/MIME.
  • Discuss the purpose of transport layer security
    protocols. Discuss one of the following:
    SSL/TLS, SSH, or SOCKS.
  • Discuss the purpose of network layer security
    protocols. Describe IPSec.
  • Discuss the purpose of link layer security
    protocols. Discuss L2TP.
  • What is the purpose of PKI? Describe its major
    characteristics.
  • What is the purpose of the CRL? Provide an
    example of when to utilize it.
  • Why would an organization want a certificate
    policy (CP)?