Security Protocols


Any discussion of remote access is sure to include security, and for a good reason: Remote access opens your network to remote users. Although you'd like to think that only authorized users would try to connect from remote locations, the reality is that an equal number of illegitimate users will probably attempt to connect. Because many of the methods used to establish remote access run over public networks, securing the data you send and the points at which you connect is an important consideration. A significant element of this security is encryption.

Encryption is the process of encoding data so that it can be securely sent over remote connections. As well as encrypting the data itself, the usernames and passwords used to gain access to the remote network are also typically encrypted. In practical terms, encryption is the process of encoding data using a mathematical algorithm that makes it difficult for unauthorized users to read the data if they are able to intercept it. The algorithm used in the encryption is actually a mathematical value known as a key. The key is required in order to read the encrypted data. Encryption techniques use public and private keys; public keys can be shared, and private keys cannot.

IP Security (IPSec)

IPSec was created by the Internet Engineering Task Force (IETF) and can be used on both IPv4 and IPv6 networks. It is designed to encrypt data and authenticate users. IPSec encryption ensures that data on a network cannot be viewed, accessed, or modified by those who should not have access to it. IPSec provides security for both internal and external networks. It might seem that protection on an internal network is less necessary than on an external network; however, much of the data you send across networks has little or no protection, allowing unwanted eyes to access it.

IPSec provides several key security services:

  • Data verification and authentication: It verifies that the data received is from the intended source.

  • Protection from data tampering: It ensures that the data has not been tampered with and changed between the sending and receiving devices.

  • Private transactions: It ensures that the data sent between the sending and receiving devices is unreadable by any other devices.

IPSec operates at the network layer of the Open Systems Interconnect (OSI) model and provides security for protocols that operate at higher layers of the OSI model. Thus, by using IPSec, you can secure practically all TCP/IP-related communications.

Layer 2 Tunneling Protocol (L2TP)

The Layer 2 Tunneling Protocol (L2TP) is a combination of PPTP and Cisco's L2F technology. L2TP utilizes tunneling to deliver data. It authenticates the client in a two-phase process: It first authenticates the computer and then the user. By authenticating the computer, it prevents the data from being intercepted, changed, and returned to the user in what is known as a man-in-the-middle attack. L2TP assures both parties that the data they are receiving is the data sent by the originator.

L2TP operates at the data-link layer, making it protocol independent. This means that an L2TP connection can support protocols such as IPX and AppleTalk.

L2TP and PPTP are both tunneling protocols, so you might be wondering which you should use. Here is a quick list of some of the advantages of each, starting with PPTP:

  • PPTP has been around the longest; it offers more interoperability than L2TP.

  • PPTP is easier to configure than L2TP because L2TP uses digital certificates.

  • PPTP has less overhead than L2TP.

The following are some of the advantages of L2TP:

  • L2TP offers greater security than PPTP.

  • L2TP supports common public key infrastructure technology.

  • L2TP provides support for header compression.

Secure Sockets Layer (SSL)

SSL is a security protocol that is used on the Internet. Originally developed by Netscape for use with its Navigator browser, SSL uses public key encryption to establish secure connections over the Internet. SSL provides three key services:

  • Server authentication: SSL allows a user to confirm a server's identity. For example, you can use this ability when you are purchasing something online with a credit card but first want to verify the server's identity.

  • Client authentication: SSL allows a server to confirm a user's identity. This functionality is often used when a server is sending sensitive information, such as banking information or sensitive documents, to a client system and wants to verify the client's identity.

  • Encrypted connections: It is possible to configure SSL to require all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software. Doing this establishes private and secure communication between two devices. In addition, SSL has a mechanism to determine whether the data sent has been tampered with or altered in transit.

You can see SSL security on the Web when you access a secure universal resource locator (URL). Secure websites begin with https:// instead of the http://. Hypertext Transfer Protocol over SSL (HTTPS) connections require a browser with built-in security features to establish a secure connection.

WEP

WEP was the first attempt to keep wireless networks safe. WEP was designed to be easy to configure and implement. Originally, it was hoped that WEP would provide the same level of security to wireless networks as was available to wired. It was soon discovered that WEP had significant shortcomings.

WEP is an IEEE standard, introduced in 1997, designed for securing 802.11 networks. With WEP enabled, each data packet transmitted over the wireless connection would be encrypted. Originally, the data packet was combined with a secret 40-bit key as it passed through an encryption algorithm known as RC4. The packet was scrambled and sent across the airwaves. On the receiving end, the data packet passed back through RC4, and the host received the data as it was intended. WEP originally used a 40-bit key, but later specified 128-bit encryption, making WEP that much more robust.

WEP was designed to provide security by encrypting data from the sending and receiving devices. In a short period of time, however, it was discovered that WEP encryption was not nearly as secure as hoped. Part of the problem was that when the 802.11 standards were being written, security was not the major concern it is today. As a result, WEP security was easy to crack with freely available hacking tools. From this point, wireless communication was regarded as a potentially insecure transmission media.
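To make the encrypt-then-decrypt flow above concrete, here is a small Python model of WEP-style RC4 framing. It is an added example, not code from the book; the 24-bit per-packet IV prepended to the 40-bit shared key and the CRC-32 integrity check value (ICV) are taken from the WEP standard rather than from this page, and the key and payload are constructed.

```python
import zlib
from typing import Optional

# Added example: WEP-style RC4 framing (not from the book). The 24-bit IV
# and CRC-32 ICV are from the WEP standard, not from this page's text.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Produce `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = iv || RC4(iv||key) XOR (payload || CRC32(payload))."""
    assert len(shared_key) == 5 and len(iv) == 3    # 40-bit key, 24-bit IV
    icv = zlib.crc32(payload).to_bytes(4, "little")
    plaintext = payload + icv
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Run RC4 'backward' (XOR the same keystream) and verify the ICV.

    Returns the payload, or None when the ICV does not match (the frame was
    altered in transit or encrypted under a different key).
    """
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(body))
    plaintext = bytes(c ^ k for c, k in zip(body, ks))
    payload, icv = plaintext[:-4], plaintext[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None
    return payload

if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")               # constructed 40-bit key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"constructed frame payload")
    print(frame.hex(), wep_decrypt(key, frame))
```

Because RC4 is a stream cipher, encryption and decryption are the same XOR with the same keystream, which is why the receiver simply runs the packet "backward" through RC4; the CRC-32 ICV is a linear checksum rather than a keyed MAC, which is one reason WPA later added its own integrity check.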

WPA

Security weaknesses associated with WEP provided administrators with a very valid reason to be concerned with wireless security. The need for increased wireless security was important for wireless networking to reach its potential and to bring a sense of confidence for those with sensitive data to use wireless communications. In response, the Wi-Fi Protected Access (WPA) was created. WPA was designed to improve on the security weaknesses of WEP and to be backward compatible with older devices using the WEP standard. WPA addressed two main security concerns:

  • Enhanced data encryption: WPA uses a Temporal Key Integrity Protocol (TKIP), which scrambles encryption keys using a hashing algorithm. Then the keys are issued an integrity check to verify that they have not been modified or tampered with during transit.

  • Authentication: WPA uses the Extensible Authentication Protocol (EAP). WEP regulates access to a wireless network based on a computer's hardware-specific MAC address, which is relatively simple to be sniffed out and stolen. EAP is built on a more secure public-key encryption system to ensure that only authorized network users can access the network.

802.1x

802.1x is an IEEE standard specifying port-based network access control. 802.1x was not specifically designed for wireless networks; rather, it provides authenticated access for both wired and wireless networks. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases in which the authentication process fails.

During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines two logical access points to the LAN through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator.
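The two logical access points described above can be modelled as one switch port that always passes authentication traffic but gates everything else on the authentication server's verdict. This is an added Python model, not code from the book or from any 802.1x implementation: the message names are simplified stand-ins for the real EAPOL/EAP exchange, the credential table stands in for a RADIUS-style authentication server, and all identities and secrets are constructed.

```python
import hmac
from typing import Dict, List

# Added example: simplified 802.1x port model (not from the book). Message
# names and the credential table are stand-ins, not the real EAPOL/RADIUS wire formats.

class AuthenticationServer:
    """Checks supplicant credentials on the authenticator's behalf."""
    def __init__(self, credentials: Dict[str, str]):
        self._creds = credentials                # constructed identity -> secret table

    def check(self, identity: str, secret: str) -> bool:
        expected = self._creds.get(identity)
        # constant-time compare so a wrong secret does not leak timing information
        return expected is not None and hmac.compare_digest(expected, secret)

class AuthenticatorPort:
    """One physical LAN port exposing an uncontrolled and a controlled logical port."""
    def __init__(self, auth_server: AuthenticationServer):
        self.auth_server = auth_server
        self.authorized = False                  # state of the controlled port
        self.log: List[str] = []

    def receive(self, frame: dict) -> bool:
        """Return True if the frame is forwarded onto the LAN, False if dropped."""
        if frame["type"] == "EAPOL":
            # Uncontrolled port: authentication frames pass regardless of state.
            self._handle_eapol(frame)
            return True
        # Controlled port: ordinary data passes only once the supplicant is authorized.
        return self.authorized

    def _handle_eapol(self, frame: dict) -> None:
        if frame["msg"] == "Start":
            self.log.append("authenticator -> supplicant: Request/Identity")
        elif frame["msg"] == "Response":
            ok = self.auth_server.check(frame["identity"], frame["secret"])
            self.authorized = ok
            self.log.append("server -> authenticator: " + ("Accept" if ok else "Reject"))
        elif frame["msg"] == "Logoff":
            self.authorized = False              # close the controlled port again

def run_session(port: AuthenticatorPort, identity: str, secret: str) -> List[bool]:
    """Drive one supplicant through start, data-before-auth, auth, data, logoff."""
    return [
        port.receive({"type": "DATA"}),                       # dropped: not yet authorized
        port.receive({"type": "EAPOL", "msg": "Start"}),      # passes: uncontrolled port
        port.receive({"type": "EAPOL", "msg": "Response", "identity": identity, "secret": secret}),
        port.receive({"type": "DATA"}),                       # forwarded only on Accept
        port.receive({"type": "EAPOL", "msg": "Logoff"}),
        port.receive({"type": "DATA"}),                       # dropped again after logoff
    ]
```

The returned list makes the port's behaviour visible at each step: data frames are dropped while the controlled port is closed, EAPOL frames are forwarded throughout, and only an Accept from the authentication server opens the controlled port.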



    Network+ Exam Cram 2
    ISBN: 078974905X
    Year: 2003
    Pages: 194