
1 Chapter 13: Authentication and Access Control

2 Chapter 13 Objectives
The following CompTIA Network+ exam objectives are covered in this chapter:
3.3 Given a scenario, implement network hardening techniques
–Switch port security
  o MAC address filtering
–Use secure protocols
  o TLS/SSL
–Access lists
  o IP filtering
  o Port filtering
–User authentication
  o CHAP/MSCHAP
  o EAP
  o Kerberos
  o Multifactor authentication
  o Two-factor authentication
  o Single sign-on

3 Chapter 13 Objectives (Cont)
5.10 Given a scenario, configure and apply the appropriate ports and protocols
–3389 RDP
–22 SSH
1.2 Compare and contrast the use of networking services and applications
–VPN
  o Site to site/host to site/host to host
  o Protocols: IPsec, GRE, SSL VPN, PTP/PPTP
–TACACS/RADIUS
–RAS
–Web services
–Unified voice services
–Network controllers
3.6 Explain the purpose of various network access control models
–802.1x
–Posture assessment
–Guest network
–Persistent vs non-persistent agents
–Quarantine network
–Edge vs access control

4 Security Filtering
How do we know who’s really at the other end of our connections? The answer may seem simple enough, because the computer or person on the other end of the connection has to identify itself, right? Wrong! That’s just not good enough, because people—especially hackers—lie! The first line of defense is called security filtering, which broadly refers to ways to let people securely access your resources.

5 Access Control Lists (ACLs)
Firewalls are tools implemented to prevent unauthorized users from gaining access to your private network. Firewalls can be either stand-alone devices or combined with another hardware device like a server or a router. Firewalls can use a variety of technologies to restrict information flow; the primary method is known as an access control list (ACL). ACLs typically reside on routers to determine which devices are allowed to access them based on the requesting device’s Internet Protocol (IP) address.
Figure: a router sits between Network A (“Private”) and Network B (“Public”). A can access B; B can access A only if a secure authenticated connection is detected.
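The following is an added example, not code from the book or the slides, showing how a router evaluates an ordered ACL like the one in the figure: rules are tried top to bottom, the first match wins, and anything that matches no rule falls into the implicit deny at the end of the list. The rule list, the helper names, and the addresses (192.168.1.0/24 for the private Network A, the RFC 5737 documentation range 203.0.113.0/24 standing in for the public Network B) are all constructed; the figure’s “secure authenticated connection” from B is approximated by permitting only TCP port 443 from B. The example also goes slightly beyond the slide with a check for rules that an earlier, broader rule makes unreachable, a common ACL mistake.

```python
"""Ordered access control list (ACL) evaluation, as a router applies it.
Constructed teaching example: first matching rule wins; no match means
the implicit deny at the end of the list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    source: str               # source network in CIDR notation
    dest_port: Optional[int]  # None matches any destination port
    protocol: str = "any"     # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Packet:
    src: str                  # source IP address of the request
    dst_port: int
    protocol: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.dest_port is not None and rule.dest_port != pkt.dst_port:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.source, strict=False)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None means implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers the
    same (or a broader) source for the same port and protocol."""
    shadowed = []
    for i, later in enumerate(acl):
        later_net = ipaddress.ip_network(later.source, strict=False)
        for earlier in acl[:i]:
            earlier_net = ipaddress.ip_network(earlier.source, strict=False)
            if (later_net.subnet_of(earlier_net)
                    and earlier.protocol in ("any", later.protocol)
                    and earlier.dest_port in (None, later.dest_port)):
                shadowed.append(i)
                break
    return shadowed


# Constructed ACL for the Network A (private) / Network B (public) figure.
PRIVATE_A = "192.168.1.0/24"   # private side of the router
PUBLIC_B = "203.0.113.0/24"    # RFC 5737 TEST-NET-3 stands in for the public side

ACL = [
    Rule("deny", "0.0.0.0/0", 23, "tcp"),     # block clear-text Telnet from anywhere
    Rule("permit", PRIVATE_A, None, "any"),   # Network A may reach anything
    Rule("permit", PUBLIC_B, 443, "tcp"),     # Network B only over TLS on 443
    # everything else falls through to the implicit deny
]

# Same intent, wrong order: the broad permit hides the Telnet deny entirely.
MISORDERED_ACL = [
    Rule("permit", "0.0.0.0/0", None, "any"),
    Rule("deny", "0.0.0.0/0", 23, "tcp"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.10", 80, "tcp"), Packet("203.0.113.5", 443, "tcp"),
                Packet("203.0.113.5", 80, "tcp"), Packet("192.168.1.10", 23, "tcp")):
        print(pkt, "->", evaluate(ACL, pkt))
    print("shadowed rules in MISORDERED_ACL:", shadowed_rules(MISORDERED_ACL))
```

Because evaluation stops at the first match, the explicit Telnet deny has to sit above the broad permits; `shadowed_rules` flags the reversed ordering so the mistake is caught before the list is deployed.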

6 Tunneling
Tunneling is a concept that means encapsulating one protocol within another to ensure that a transmission is secure. Here’s an example: the lion’s share of us use IP, known as a payload protocol, which can be encapsulated within a delivery protocol like Internet Protocol Security (IPSec). If you looked at each packet individually, you would see that they’re encrypted.
Figure: a single private path, or tunnel, through the Internet.

7 Tunneling Protocols
There are several tunneling protocols implemented that you need to be familiar with:
–Virtual Private Network (VPN)
–Secure Sockets Layer (SSL)
–Secure Sockets Layer Virtual Private Network (SSL VPN)
–Layer 2 Tunneling Protocol (L2TP)
–Point to Point Tunneling Protocol (PPTP)
–Internet Protocol Security (IPSec)

8 Virtual Private Network (VPN)
A VPN is used so that a host can traverse an insecure network (the Internet) and become local to the remote network.
Figure: my host in Colorado connects over the Internet through a VPN to the secure VLAN at the Dallas corporate office; the host now appears local to the servers in the secure server room.

9 Virtual Private Network (VPN)
Remote access VPNs
–Remote access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.
Site-to-site VPNs
–Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive wide area network (WAN) connections like frame relay.
Extranet VPNs
–Extranet VPNs allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.
A VPN is used so that a host can traverse an insecure network (the Internet) and become local to the remote network.

10 SSL and SSL VPN
Secure Sockets Layer (SSL). This security protocol was developed by Netscape to work with its browser. It’s based on Rivest, Shamir, and Adleman (RSA) public-key encryption and is used to enable secure Session-layer connections over the Internet between a web browser and a web server. An SSL VPN is really the process of using SSL to create a Virtual Private Network (VPN).
Figure: the SSL connection process between a PC and a server: connection request; secure connection needed; security capabilities exchanged; SSL session established.

11 IPSec – Tunnel Mode
In tunnel mode, the complete packet is encapsulated within IPSec. ESP gives us both authentication and encryption. Tunnel mode is created between two endpoints, such as two routers or two gateway servers, protecting all traffic that goes through the tunnel.

12 Figure 13.5

13 L2TP and PPTP
L2TP
–Layer 2 Tunneling Protocol (L2TP), created by the Internet Engineering Task Force (IETF), supports non-TCP/IP protocols in VPNs over the Internet.
–L2TP is a combination of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technologies.
PPTP
–Point-to-Point Tunneling Protocol was developed jointly by Microsoft, Lucent Technologies, 3COM, and a few other companies.
–Not sanctioned by the IETF.
–PPTP acts by combining an unsecured Point-to-Point Protocol (PPP) session with a secured session using the Generic Routing Encapsulation (GRE) protocol.

14 IPSec
IP Security (IPSec) was designed by the IETF for providing authentication and encryption over the Internet. It works at the Network layer of the OSI model (Layer 3) and secures all applications that operate in the layers above it. IPSec works in two modes: transport mode and tunnel mode. Transport mode is the simpler of the two; it creates a secure IP connection between two hosts. The data is protected by authentication and/or encryption.


16 Encryption
Encryption works by running the data (which, when encoded, is represented as numbers) through a special encryption formula called a key that the designated sending and receiving devices both “know.” When encrypted data arrives at its specified destination, the receiving device uses that key to decode the data back into its original form. An encryption key is essentially a table or formula that defines how a specific character in the data translates directly to the key. Encryption keys come in two flavors: public and private.

17 Encryption Standards
Data Encryption Standard (DES)
IBM developed the most widely used private-key system: Data Encryption Standard (DES).
–It was made a standard in 1977 by the U.S. government.
–DES uses lookup and table functions and works much faster than public-key systems.
–DES uses 56-bit private keys.
Triple Data Encryption Standard (3DES)
–Triple Data Encryption Standard was originally developed in the late 1970s.
–It was the recommended method of implementing DES encryption in 1999.
–3DES encrypts three times, and it allows us to use one, two, or three separate keys.
–3DES is slow.

18 Encryption Standards (Cont)
Advanced Encryption Standard (AES)
–The Advanced Encryption Standard (also known as Rijndael) has been the “official” encryption standard in the United States since 2002.
–AES has key lengths of 128, 192, or 256 bits.
–The United States government has determined that 128-bit security is adequate for things like secure transactions and all materials deemed Secret.
–All Top Secret information must be encoded using 192- or 256-bit keys.
–The AES standard has proven amazingly difficult to crack.

19 Public Key Encryption
Public key encryption uses the Diffie-Hellman algorithm, employing a public key and a private key to encrypt and decrypt data. The sending machine’s public key is used to encrypt a message to the receiving machine. The receiver decrypts the message with its private key. If the original sender doesn’t have a public key, the message can still be sent with a digital certificate, often called a digital ID, which verifies the sender of the message.
Figure: User X’s original message (“milk, bread, eggs, cat food. Don’t forget the chocolate!”) is encrypted using User Y’s public key and decrypted by User Y using Y’s private key; the reply is encrypted using User X’s public key and decrypted using User X’s private key. On the wire both directions appear as unreadable ciphertext.

20 Pretty Good Privacy (PGP)
Figure: the PGP encryption process: the document is encrypted with a session key to produce ciphertext, and the session key is encrypted with the recipient’s public key; the encrypted message is the ciphertext plus the encrypted session key. The decryption process: the recipient’s private key (from the key store) decrypts the session key, and the session key then decrypts the ciphertext to recover the document.

21 RAS
Remote Access Services (RAS) is not a protocol but refers to the combination of hardware and software required to make a remote-access connection. The term was popularized by Microsoft when the company began referring to its Windows NT–based remote-access tools under this name.
–Users would dial in via a modem.
–They would be authenticated by the server.
–They were asked for their username and password as if they were on the local network.
–Once logged in, users had access to data on the internal network just as if they were logged in locally.
Figure: remote access client, remote access server, remote resources.

22 Remote Access
RDP
Remote Desktop Protocol (RDP) allows users to connect to a computer running Microsoft’s Terminal Services. Most Windows-based operating systems include an RDP client. After establishing a connection, the user sees a terminal window that’s basically a preconfigured window that looks like a Windows or other operating system’s desktop.
PPP
Point to Point Protocol (PPP) is a Layer 2 protocol that provides authentication, encryption, and compression services to clients logging in remotely.
PPPoE
Point to Point Protocol over Ethernet (PPPoE) is an extension of PPP. Its purpose is to encapsulate PPP frames within Ethernet frames.

23 Remote Access
ICA
Independent Computing Architecture (ICA) is a protocol designed by Citrix Systems to provide communication between servers and clients. Citrix’s WinFrame uses ICA to allow administrators to set up Windows applications on a Windows-based server and then allow clients with virtually any operating system to access those applications.
SSH
–Designed as an alternative to command-based utilities such as Telnet that transmit requests and responses in clear text.
–Creates a secure channel between the devices and provides confidentiality and integrity of the data transmission.
–It uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

24 User Account and Resource Security
Network Resource-Sharing Security Models
–Share-Level Security
–User-Level Security
Managing User Accounts
–Disabling Accounts
–Setting Up Anonymous Accounts
–Limiting Connections
–Renaming the Maintenance Account
Managing Passwords
–Minimum Length
–Complexity

25 User-Authentication Methods
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is a system that links users to a public key that verifies the user’s identity by using a certificate authority (CA). The CA is an online entity responsible for validating user IDs and issuing unique identifiers to confirmed individuals to certify that their identity can really be trusted.
Figure: Mike sends Jeff a message with a certificate issued by the certificate authority; Jeff can verify that the message with the certificate from Mike is valid if he trusts the CA.

26 PKI in action
Figure 13.12: Public key encryption at work.
1. Joe creates a message for Jenny (“This message is for Jenny…”).
2. Joe uses Jenny’s public key to encrypt the message.
3. The data gets sent across the wire as ciphertext (“ehyeosy Ayg9us3 el48vye”).
4. Jenny uses her private key to decrypt the message.
5. Jenny can read the message.
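An added example, not from the book or the slides, that walks through steps 1 to 5 of Figure 13.12 (and the User X / User Y exchange on the Public Key Encryption slide) with a textbook RSA key pair, the scheme normally behind the “encrypt with the recipient’s public key, decrypt with the matching private key” operation the figure shows. The primes (p=61, q=53, and p=83, q=89 for Joe), the exponent 17, the names and the message text are constructed teaching values; real deployments use keys of 2048 bits or more, randomized padding and a vetted library, and never encrypt byte by byte as this toy does.

```python
"""Textbook RSA with tiny teaching parameters, to make the roles of the
public and private keys in Figure 13.12 visible. Constructed example:
not a usable cipher (tiny keys, no padding, one byte per block)."""
from math import gcd
from typing import List, Tuple

PublicKey = Tuple[int, int]   # (n, e): shared with anyone who wants to write to you
PrivateKey = Tuple[int, int]  # (n, d): never leaves the owner


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Derive (public, private) from two primes; e must be coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key: PublicKey, message: bytes) -> List[int]:
    """Sender encrypts each byte with the RECIPIENT's public key (steps 2-3)."""
    n, e = public_key
    if any(b >= n for b in message):
        raise ValueError("block value must be smaller than the modulus")
    return [pow(b, e, n) for b in message]


def decrypt(private_key: PrivateKey, ciphertext: List[int]) -> bytes:
    """Recipient decrypts with the private key matching that public key (step 4).
    With the right key every value is a byte again; with a wrong key the
    values are arbitrary residues mod n, masked to a byte here only so the
    garbage can be displayed."""
    n, d = private_key
    return bytes(pow(c, d, n) & 0xFF for c in ciphertext)


def figure_13_12_exchange() -> Tuple[bytes, bytes, bool]:
    """Joe -> Jenny as in the figure. Returns (what Jenny reads, what Joe's own
    private key yields from the same ciphertext, whether plaintext hit the wire)."""
    jenny_public, jenny_private = make_keypair(61, 53)   # Jenny's key pair
    joe_public, joe_private = make_keypair(83, 89)       # Joe's key pair
    message = b"This message is for Jenny..."            # step 1
    on_the_wire = encrypt(jenny_public, message)         # steps 2-3: only Jenny's key can undo this
    jenny_reads = decrypt(jenny_private, on_the_wire)    # steps 4-5
    joe_attempt = decrypt(joe_private, on_the_wire)      # wrong private key: unreadable
    plaintext_leaked = list(message) == on_the_wire      # the wire carries ciphertext, not the text
    return jenny_reads, joe_attempt, plaintext_leaked


if __name__ == "__main__":
    jenny_reads, joe_attempt, leaked = figure_13_12_exchange()
    print("Jenny reads:", jenny_reads)
    print("Joe's own key yields:", joe_attempt)
    print("plaintext on the wire:", leaked)
```

The point the figure makes is the asymmetry: Joe only ever needs Jenny’s public key, the one thing a PKI certificate binds to her name, while the private key that undoes the encryption stays with Jenny alone.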

27 User-Authentication Methods
Kerberos
Figure: the Kerberos exchange between the client, the authentication server, and the application server.
1. Request for ticket granting ticket (TGT).
2. TGT returned by authentication service.
3. Request for application ticket (authenticated with TGT).
4. Application ticket returned by ticket-granting service.
5. Request for service (authenticated with application ticket).

28 Authentication, Authorization, and Accounting (AAA)
RADIUS
Although its name implies it, Remote Authentication Dial-In User Service (RADIUS) is not a dial-up server; it’s evolved into more of a verification service. RADIUS is an authentication and accounting service used for verifying users over various types of links, including dial-up. RADIUS servers provide client-server based authentication and encryption services and maintain user profiles in a central database. RADIUS is also used in firewalls to verify the credentials given; if successful, access is granted.

29 Authentication, Authorization, and Accounting (AAA)
TACACS+
The Terminal Access Controller Access-Control System Plus (TACACS+) protocol is an alternative AAA method to RADIUS. TACACS+ separates authentication and authorization into two profiles (RADIUS uses one profile). TACACS+ utilizes the connection-based TCP protocol (RADIUS uses UDP). TACACS+ is considered more stable and secure than RADIUS.

30 Network Access Control (NAC)
Network Access Control (NAC) is a method of securing network hosts before they’re allowed to access the network. NAC is commonly used in wireless networking implementations, where nodes are often added to and removed from the network freely. IEEE 802.1x is one of the most common forms of NAC.

31 Challenge Handshake Authentication Protocol (CHAP)
Challenge Handshake Authentication Protocol (CHAP) is a secure authentication protocol because with CHAP, the username and password never cross the wire. Instead, both the client and server are configured with the same text phrase that’s known as a shared secret.
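An added example, not from the book or the slides, that models the CHAP exchange end to end so the wire messages can be inspected: the server issues a random challenge, the client answers with the RFC 1994 response value (an MD5 digest of the identifier, the shared secret and the challenge), and the server recomputes the same digest from its own copy of the secret. The secret itself is never transmitted, and a captured response is useless against the next challenge. The user name, the shared secret and the class names are constructed; MD5 appears because RFC 1994 defines the response that way, not as a recommendation.

```python
"""CHAP (RFC 1994) challenge/response modelled on both sides of the link.
Constructed teaching example: names, secrets and challenge bytes are made up."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: holds the shared secrets and issues one-time challenges."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        ident = self.next_id & 0xFF
        self.next_id += 1
        chal = os.urandom(16)                 # fresh random value, never reused
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)  # a challenge is usable exactly once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Peer:
    """Client side: knows the same secret and proves it without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, ident: int, chal: bytes) -> Tuple[int, str, bytes]:
        return ident, self.name, chap_response(ident, self.secret, chal)


def run_exchange(peer: Peer, auth: Authenticator) -> Tuple[bool, List[tuple]]:
    """One CHAP round trip; returns the outcome and every message put on the wire."""
    wire: List[tuple] = []
    ident, chal = auth.challenge()
    wire.append(("CHALLENGE", ident, chal))
    ident, name, resp = peer.respond(ident, chal)
    wire.append(("RESPONSE", ident, name, resp))
    ok = auth.verify(ident, name, resp)
    wire.append(("SUCCESS" if ok else "FAILURE",))
    return ok, wire


def secret_on_wire(wire: List[tuple], secret: bytes) -> bool:
    """Does the secret appear in the clear in any byte field of any message?"""
    return any(secret in field for msg in wire for field in msg if isinstance(field, bytes))


def replay_rejected(peer: Peer, auth: Authenticator) -> bool:
    """A response captured from one exchange fails against a fresh challenge."""
    ok, wire = run_exchange(peer, auth)
    captured = wire[1][3]
    ident2, _ = auth.challenge()
    return ok and not auth.verify(ident2, peer.name, captured)


if __name__ == "__main__":
    secrets = {"alice": b"constructed-shared-secret"}   # provisioned on both ends
    auth = Authenticator(secrets)
    ok, wire = run_exchange(Peer("alice", secrets["alice"]), auth)
    print("authenticated:", ok, "| secret on wire:", secret_on_wire(wire, secrets["alice"]))
    print("replay rejected:", replay_rejected(Peer("alice", secrets["alice"]), auth))
```

Two details carry the protocol’s security property: the challenge is random and consumed once, so the digest differs every time and a recorded response cannot be replayed, and the server verifies by recomputing rather than by receiving anything it could store as a password.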

32 Other AAA
MS-CHAP
Microsoft has its own variation of CHAP known as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). Unlike CHAP, which requires the shared secret to be stored locally in clear text, MS-CHAP encrypts the secret locally. MS-CHAP version 2 is capable of mutual authentication so that the client can be sure the server is legitimate as well.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is an extension to PPP providing additional authentication methods for remote access clients:
–Smart cards
–Certificates
–Kerberos
–Biometric schemes (retinal scans and fingerprint)

33 Summary
Summary
Exam Essentials
Written Labs
Review Questions

