Unit 2: Cyber Security Part 2 Network Appliances, Protecting the Network (Authentication, Encryption, Digital Certificates, Cookies, Captchas, Network Segmentation, VLAN)

Network Appliances
Smart network appliances: router and switch functions are being integrated into smart switches, or even coupled with a traditional operating system. They offer significant firewall capability, but many are specialized and focus on a single task such as e-mail, spam, or anti-virus and malware detection. These devices can offer a strong ___________ of tools against attacks and ease the chore of managing access and network security.

Data Security (Protecting the Network)
Data security is deployed to prevent data misdirection through ____________ or live capture. It includes scanning of incoming packets or files, and monitoring and scanning of data on a computer after it has been accepted.

Data Encryption (Protecting the Network)
Encryption ensures that data is ______ intercepted by a third party and used inappropriately. It is the most necessary step in securing any network. Banks and companies that exchange any kind of financial or detailed personal information use encryption.

Authentication
Authentication is a way to know the _________ of a user through some means. After a user is authenticated we generally want to determine their authorization, which essentially covers the resources that the authenticated user has permission to access and the actions they can perform. Credentials and permissions are stored in some sort of database; authentications are sometimes stored in simple text files. The security of these files and databases is a critical aspect of network security.

Single Factor Authentication
______________ authentication is the most well-known form of authentication: the user browses the available access points and supplies a password or authentication key to connect. Single-factor authentication is the lowest level of security available, but it is good for restricting access to resources.

Multifactor Authentication
Two-factor authentication involves asking for a _________ authentication component. Ideally, one factor is something physical in the user's possession, or a physical characteristic of the user, such as: an RFID key; a USB key dongle; a swiped card; a scanned fingerprint or iris. Authentication factors can be added to the login sequence to increase security and make a successful attack less likely. The more challenging the login sequence, the more dissatisfied users become; they resort to scribbling credentials on sticky notes and desktop calendars, or simply stop using the service. This is a huge challenge for any website engineer where user satisfaction is an issue.

IP and MAC Authentication
____________ control lists are commonly used by servers and routers to grant a certain amount of access. When all that is required is to ensure that access to a system is granted only to users from a particular network (or through a particular piece of hardware), IP address authentication or MAC address authentication can be effective. However, be aware of IP address spoofing, where IP packets are created with a header containing a forged source IP address. Generally this is done to conceal the source of a denial-of-service or other attack, but it can also be a way of defeating IP address authentication.

Authentication Protocols (rules)
Password Authentication Protocol (PAP) is a standard _____________ and password combination scheme that operates with or without an encrypted password. With both parameters set and rarely, if ever, changed, this leaves the system subject to simple guessing, especially if the username is easily obtainable, as is the case with e-mail addresses and sequential ID usernames. Challenge-Handshake Authentication Protocol (CHAP) sends the requester a random string, the challenge phrase, to be combined with a shared secret. The requester hashes the string and returns the result. The server then checks that the hashed result is correct and authenticates or denies the requester.
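To make the CHAP exchange concrete, here is an added example (not from the original slides) that plays both sides in Python: the authenticator picks a random challenge, the peer returns MD5(ID || secret || challenge) as RFC 1994 specifies, and a captured response is shown to be useless against a fresh challenge. The shared secret is a constructed value.

```python
import hashlib
import hmac
import os
import secrets

# Constructed shared secret for the example; a real peer table holds one per peer.
SHARED_SECRET = b"example-chap-secret"


def chap_challenge():
    """Authenticator side: choose an 8-bit identifier and a fresh random challenge."""
    identifier = secrets.randbelow(256)
    challenge = os.urandom(16)
    return identifier, challenge


def chap_response(identifier, challenge, secret):
    """Peer side: CHAP with MD5 (RFC 1994) hashes identifier || secret || challenge.
    The secret itself never goes on the wire; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, challenge, response, secret):
    """Authenticator side: recompute the digest and compare in constant time."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def run_exchange(peer_secret, authenticator_secret=SHARED_SECRET):
    """One full Challenge -> Response -> Success/Failure round trip."""
    identifier, challenge = chap_challenge()                      # Challenge packet
    response = chap_response(identifier, challenge, peer_secret)  # Response packet
    return chap_verify(identifier, challenge, response, authenticator_secret)


def replay_is_rejected():
    """A response captured from one exchange does not satisfy a later challenge,
    because the digest is bound to that exchange's random challenge."""
    identifier, challenge = chap_challenge()
    captured = chap_response(identifier, challenge, SHARED_SECRET)
    later_identifier, later_challenge = chap_challenge()
    return not chap_verify(later_identifier, later_challenge, captured, SHARED_SECRET)


if __name__ == "__main__":
    print("correct secret accepted:", run_exchange(SHARED_SECRET))
    print("wrong secret rejected:", not run_exchange(b"guess"))
    print("replayed response rejected:", replay_is_rejected())
```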

Authentication Protocols
Kerberos (named for the mythological three-headed dog) is so called because it involves a trusted _________ party, the Ticket Granting Server (TGS), to authenticate client/server interaction.

Authentication Protocols
The Authentication Server (AS) uses ________ shared with the client to encrypt messages that include keys shared between the AS and the TGS.

Password Authenticated Key Agreement
Password-Authenticated Key Agreement (PAKE) is an encrypted ____________________ using shared keys of multiple servers; it allows users to visit other servers using the same authentication. Secure Remote Password: the Secure Remote Password (SRP) protocol is an augmented form of PAKE that uses a large private shared key derived from a random number. The random number is partially generated by the client and partially by the server, which makes it unique to each login attempt. This prevents attackers from simply brute-force guessing passwords, even if the server is hacked.

Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a directory service ___________ that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search and modify Internet directories. The LDAP directory service is based on a client/server model. It is a popular protocol often used for authentication in enterprise networks. LDAP offers a single login system that can lead to access to many services. A non-standard Secure LDAP version is available that offers LDAP over SSL.

Encryption
Encryption is the _____________ of electronic _______ into a form called cipher text. It applies a secret code, called a cipher, to the data to produce a scrambled message that cannot be understood without knowledge of the cipher that was used to create it. It won't matter how secure the password is if a third party can easily capture it electronically.

Cryptography
Cryptography describes the concepts and methods for __________ information. Cryptographic techniques use keys: a secret data string known only to the software, used to encrypt or decrypt information. A key is a combination of known and random factors.

Public Key Cryptography
Public-key cryptography uses asymmetric keys incorporating a _________ key and a private key (or secret key). Public and private keys are different, but the private key may be calculated from the public key. Conversely, the public key is nearly impossible to calculate from the private key. The initial authentication process typically involves processing some credential with the private key to produce a digital signature. Subsequent verification is then done by processing the public key against this signature to validate the original credential or message.

Symmetric Key Ciphers
A technique for encrypting information: symmetric-key ciphers, also called "secret key encryption", use the same _______ to encrypt and decrypt messages. They are vulnerable to brute-force attacks, where the attacker systematically guesses the key based on a known list or a predictive mathematical scheme, so the authentication scheme should try to identify these activities and automatically employ appropriate measures to thwart them.

Digital Certificates
Digital certificates (public key certificates) are used to verify that a user sending a message is who he or she __________________, and to provide the receiver with the means to encode a reply. They are digital verifications that the sender of an encrypted message is who they claim to be. Verification can take the form of an e-mail, a company document or a personal interview. To obtain a digital certificate you must apply to a trusted Certificate Authority (CA). The applicant must create a private key and provide a Certificate Signing Request (CSR) to the CA.

Cookies: a privacy nuisance
A cookie is a small text ________ created by a Web site that is stored on the user's computer. Cookies provide a way for the website to recognize you and keep track of your preferences. Due to privacy concerns, users decide that cookies are a bad thing and simply block them in their browser. This can make it impossible to log in to private areas, or create a requirement to constantly re-enter simple identity data. Popup windows are sometimes used to load cookies. While blocking popups can help, educating users about the pitfalls of aggressive clicking before thinking is a more effective way to prevent these issues.

Super Cookies (Trackers): a privacy nuisance
A super cookie is a type of browser cookie that is designed to be ___________ stored on a user's computer. It is a third-party cookie that is harder to remove than other types of cookies. Flash cookies and super cookies heighten the already bad reputation of cookies, and browsers now control these storage options.

Captchas: a security measure
CAPTCHAs (Completely Automated Public Turing Test) are used to tell computers and ________ apart. They make things hard for attackers. Brute-force password attacks, where an automated device repeatedly tries different credentials to obtain access, are why CAPTCHAs are used on authentication forms to thwart automated attacks. They are a form input requesting a word or phrase, or maybe even random characters and numbers, but can also be a simple request to perform a simple test that cannot easily be automated, such as identifying colors by name. CAPTCHAs feature obscured text, making it hard for automated tools to interpret them.
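As an added example (not part of the original presentation) of the automated-guessing detection that the symmetric-key and CAPTCHA slides call for, this Python snippet scans constructed authentication log lines and flags any source whose failures within a time window reach a threshold, which is the point at which a form would present a CAPTCHA or a lockout. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp RESULT user=... src=..." format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.9
2024-03-01T10:00:02 FAIL user=bob src=203.0.113.9
2024-03-01T10:00:03 FAIL user=carol src=203.0.113.9
2024-03-01T10:00:04 FAIL user=dave src=203.0.113.9
2024-03-01T10:00:05 FAIL user=erin src=203.0.113.9
2024-03-01T10:00:06 FAIL user=frank src=203.0.113.9
2024-03-01T10:03:00 FAIL user=alice src=198.51.100.4
2024-03-01T10:03:30 OK   user=alice src=198.51.100.4
2024-03-01T10:40:00 FAIL user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def flag_brute_force(text, threshold=5, window_minutes=10):
    """Return {src: timestamp_when_flagged} for sources whose failed attempts inside
    the sliding window reach `threshold`. One deque per source keeps only the
    failures still inside the window, so a slow trickle of failures does not fire."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    flagged = {}
    for ts, result, _user, src in parse_log(text):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts   # here the form would present a CAPTCHA or lock the source out
    return flagged


if __name__ == "__main__":
    for src, when in flag_brute_force(SAMPLE_LOG).items():
        print(f"{src} reached the failure threshold at {when.isoformat()}")
```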

Network Segmentation: a security concept
Splitting a computer network up into subnetworks. Network segmentation (zoning) can be a useful concept for multiple reasons. It is essentially the separation of the network into sub-networks, each of which becomes a segment, and it serves to reduce traffic. It is typically considered when connecting networks in different geographical areas, when interconnecting different network topologies (such as Ethernet and FDDI), or when extending a network that has reached limitations in number of nodes or cable length. From a security perspective, the main reason to deploy network segmentation is to limit the access capabilities of intruders.

Network Segmentation in business
The Payment Card Industry Data Security Standard (PCI-DSS) is a standard that requires the use of _________ and other security concepts, such as network segmentation, to ensure that all stored credit card information is securely stored both physically and electronically. This requirement even impacts businesses that never store credit card data but accept credit cards using a point-of-sale device. To achieve PCI-DSS compliance, all Point of Sale (POS) terminals, all vendors that use credit card terminals, and all stored cardholder data must be on a network completely separated from any network area where third parties might have access. It is also critical in the medical field, where network administrators must deal with Health Insurance Portability and Accountability Act (HIPAA) compliance to ensure the confidentiality of patient medical information.

Blacklisting/Whitelisting: controlling access to the network
An access control list where only users matching some ________ or authentication are allowed access is whitelisting. Blacklisting is when access is denied only to users matching given criteria. It is far less secure. You should always try to whitelist an ACL rather than blacklist it.
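The whitelist-versus-blacklist difference in one short Python example, added here and not from the original presentation: the same evaluator walks an ordered ACL, and only the default action differs. Networks and addresses are constructed; the example also illustrates the IP-spoofing caveat from the IP and MAC Authentication slide, since a forged source inside the permitted range is accepted just like a genuine one.

```python
import ipaddress


def evaluate_acl(entries, default_action, src_ip):
    """First matching entry wins; if nothing matches, the default action applies.
    entries: list of (action, network) in the order the device evaluates them."""
    ip = ipaddress.ip_address(src_ip)
    for action, network in entries:
        if ip in ipaddress.ip_network(network):
            return action
    return default_action


# Constructed ACLs. Whitelist: enumerate what is allowed, deny everything else.
WHITELIST_ACL = [("permit", "10.20.0.0/16"), ("permit", "192.0.2.10/32")]
# Blacklist: enumerate what is known bad, allow everything else.
BLACKLIST_ACL = [("deny", "203.0.113.0/24")]


def whitelist_decision(src_ip):
    """Default deny: anything not explicitly listed is blocked."""
    return evaluate_acl(WHITELIST_ACL, "deny", src_ip)


def blacklist_decision(src_ip):
    """Default permit: anything not explicitly listed gets through."""
    return evaluate_acl(BLACKLIST_ACL, "permit", src_ip)


def compare(src_ips):
    """Side-by-side decisions for a list of sources: {src: (whitelist, blacklist)}."""
    return {ip: (whitelist_decision(ip), blacklist_decision(ip)) for ip in src_ips}


if __name__ == "__main__":
    samples = [
        "10.20.5.5",       # inside the permitted range
        "203.0.113.77",    # inside the blacklisted range
        "198.51.100.7",    # never anticipated by either list: this is where they differ
    ]
    for ip, (wl, bl) in compare(samples).items():
        print(f"{ip:15} whitelist={wl:6} blacklist={bl}")
    # Caveat: the ACL checks only the source address in the packet header, so a
    # packet whose source is forged to 10.20.5.5 gets the same "permit" as a real one.
```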

Intersegment Controls: control accessibility
Segmentation can also be used to ______________ _______ between zones by internal users. Business example: sales people may not need to be given access to a server used by the accounting department, but the accounting staff may need to access sales data on the sales server. These zones need to be connected with each other, but by implementing segmentation, access between zones can be controlled. When allowing outside users into a network, always use the principles of "least privilege" and "need to know" to establish access levels. Give each user the least amount of access possible, and only to the areas of the network they must have.

Network Virtualization: a way to segment a network
Network virtualization is achieved by installing _________ and services to manage the sharing of storage, computing cycles, and applications. Computer platforms allow us to simulate or duplicate hardware platforms such as servers, routers and most any other network resource using software. Virtual instances have the ability to function like the original host hardware. They can be enabled as needed to handle demand and scalability, or to provide tremendous amounts of portability.

Network Virtualization
Network virtualization segments networks by creating overlay networks (essentially a network built on ______ of another, physical or underlay, network). It is possible to use white box switches (generic routing and switching hardware) in these overlay networks. Network virtualization can provide a virtual network completely separate from other network resources, creating a zone just as you would with traditional network hardware. Network virtualization can also be used to implement software-driven virtual network storage units, as seen in storage area network (SAN) deployments.

VLANs: a virtual LAN
A VLAN (Virtual LAN) is any broadcast domain that is partitioned and _________ in a computer network at the data link layer (OSI layer 2) to subdivide a local area network into a virtual LAN. It is a software-configured network where hosts behave as if they are all connected to the same physical network even when they are not. This allows several networks or broadcast domains to work, virtually, as a single LAN (a local area network that interconnects computers within a limited area such as a residence, school, laboratory or office building) and broadcast domain. This reduces latency and can often make network segmentation much simpler to understand and maintain. Security issue: the spread of viruses and malware across your new logical network rather than within a single physical network.

Network Address Translation
Network Address Translation (NAT) is simply the translation of an _______ address used in one network to an IP address known within another network. Typically this is used to map an IP address from outside a network to an address inside a network.

Network Address Translation
Network Address Translation is a methodology of remapping one IP address space into another by modifying network address information in the Internet Protocol datagram packet headers while they are in transit across a traffic routing device. When this translation occurs, the network device performing it (generally a ________ or firewall) can also authenticate the request or block it. The mapping may be guided by a NAT table that dictates the specific translation, or by a dynamic scheme that assigns translated IP addresses from an available pool of addresses.

Port Address Translation
Port Address Translation is a function that allows multiple _______ within a private network to make use of a minimal number of IP addresses. Its basic function is to share a single public IP address between multiple clients who need to use the Internet. Port Address Translation (PAT) is an extension to NAT that supports the concept of mapping multiple inside (or private) devices or IPs to a single outside (or public) IP address. The router assigns a port number that is appended to the IP address, effectively making each address unique, even though they share an IP address.

Port Scanning Prevention
Port scanning prevention uses modern ___________ devices with stateful packet inspection or dynamic packet filtering to analyze packets further, looking at IP addresses, port numbers and more. They track this information so they can control their ports, only allowing them to be opened when an internal request asks for it. ALERT: when a hacker knows which ports are in use, they can focus their exploits on the services commonly associated with those ports.

VPNs: Virtual Private Network
A Virtual Private Network (VPN) is a network that is constructed by using ____________ wires, usually the Internet, to connect to a private network like the company's internal network. A remote user can connect to a private network over a public network, such as the Internet, and then authenticate and perform tasks on the private network as if they were connected directly.

VPN Protocols and Encryption
VPNs may be established using a variety of protocols and encryption and can be one of the more complex things a network administrator has to deal with. Many VPNs are simply __________________ connections over IP or MPLS and do not support Layer 2 protocols such as Ethernet. Most networking is limited to TCP/IP, but newer VPN variants like Virtual Private LAN Service (VPLS) or Layer 2 Tunneling Protocol (L2TP) can provide Ethernet-based communication.

VPN Types
Two types of VPN: 1. _____________ VPNs do not use cryptographic tunneling but rather trust the underlying network to handle security beyond authentication. 2. Secure VPNs handle the encryption of the connection. The most widely used protocol, the Point-to-Point Tunneling Protocol (PPTP), does not provide any encryption and uses the simple password authentication taken from the Point-to-Point Protocol (PPP). Layer 2 Tunneling Protocol (L2TP) also uses PPP and is unencrypted, but it can pass another encryption protocol in the tunnel.

IPSec
Internet Protocol Security (IPsec) is an open standard commonly used in VPNs that employs a suite of protocols for ___________ and authenticating IP communications. Protocols in this suite include: Authentication Header (AH), which provides data integrity and origin authentication to protect against replay attacks (attacks where a recorded transmission is replayed by an attacker to gain access); Encapsulating Security Payload (ESP), which offers origin authentication as well as encryption. ESP encrypts and encapsulates the entire TCP/UDP datagram within an ESP header that does not include any port information, which means that ESP won't pass through any device using port address translation. Security Associations (SAs) offer a number of algorithms and frameworks for authentication and key exchange. Internet Key Exchange (IKE) is the protocol used to set up a security association in IPsec.
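The replay protection that AH and ESP provide comes from a per-packet sequence number plus a receiver-side sliding window; this added Python example (not from the original slides, modelled on the window described in RFC 4302/4303) shows how a receiver accepts each sequence number once, tolerates reordering inside the window, and rejects anything replayed or too old. In real IPsec the window is updated only after the packet's integrity check has passed.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over IPsec sequence numbers.

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (highest - i) has already been accepted.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True and record `seq` if it is new and inside the window."""
        if seq <= 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest:
            # Packet ahead of everything seen so far: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # every older entry falls out of the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old: behind the window
        if (self.bitmap >> offset) & 1:
            return False                      # already seen: a replayed packet
        self.bitmap |= 1 << offset            # late but legitimate reordering
        return True


def process(seqs, size=64):
    """Feed a list of sequence numbers through one window; returns the verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: 3 arrives late (accepted), then 1 and 5 are replayed (rejected).
    trace = [1, 2, 5, 4, 3, 1, 5, 6]
    for seq, ok in zip(trace, process(trace)):
        print(f"seq {seq}: {'accept' if ok else 'REJECT'}")
```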

Port Forwarding/Mapping
The strongest feature of NAT/PAT is that by default nothing is _________ or forwarded through the device. To move packets through the device, a rule must be explicitly created on the device to forward (or map) the desired protocol port to a private IP address and port in the local area network. This translation process is transparent in that external clients are unaware of the forwarding.
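To tie together the PAT, stateful-port and port-forwarding slides, this added Python model (not from the original presentation) simulates a single-public-address PAT device: outbound flows get a translation entry, replies are admitted only when they match one, unsolicited inbound traffic is dropped unless an explicit forwarding rule exists, and an ESP packet, which carries no port, cannot be translated at all. All addresses and ports are constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "esp"
    src_ip: str
    src_port: Optional[int]    # None for protocols without ports, such as ESP
    dst_ip: str
    dst_port: Optional[int]


class PatDevice:
    """Many private hosts share one public address; the assigned port tells flows apart."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.dynamic = {}    # (proto, public_port) -> (private_ip, private_port)
        self.reverse = {}    # (proto, private_ip, private_port) -> public_port
        self.forwards = {}   # explicit rules: (proto, public_port) -> (private_ip, private_port)

    def add_forward(self, proto, public_port, private_ip, private_port):
        """Port forwarding: the only way unsolicited inbound traffic gets through."""
        self.forwards[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite the source to the public address plus an assigned port; record the mapping."""
        if pkt.src_port is None:
            return None       # nothing to rewrite (ESP): this PAT device cannot carry it
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        public_port = self.reverse.get(key)
        if public_port is None:
            public_port = next(self._next_port)
            self.reverse[key] = public_port
            self.dynamic[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Admit only replies to recorded flows or packets matching a forwarding rule."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port is None:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.dynamic.get(key) or self.forwards.get(key)
        if target is None:
            return None       # default behaviour: nothing is passed through
        private_ip, private_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = PatDevice("198.51.100.1")
    out = nat.outbound(Packet("tcp", "192.168.1.10", 51000, "192.0.2.80", 443))
    print("translated:", out)
    reply = nat.inbound(Packet("tcp", "192.0.2.80", 443, "198.51.100.1", out.src_port))
    print("reply delivered to:", reply.dst_ip, reply.dst_port)
    print("unsolicited to :22 ->", nat.inbound(Packet("tcp", "203.0.113.5", 4444, "198.51.100.1", 22)))
    nat.add_forward("tcp", 8080, "192.168.1.20", 80)
    print("forwarded :8080 ->", nat.inbound(Packet("tcp", "203.0.113.5", 4444, "198.51.100.1", 8080)))
    print("ESP outbound ->", nat.outbound(Packet("esp", "192.168.1.10", None, "192.0.2.80", None)))
```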