The first area of focus within the communications security realm involves providing remote or mobile clients the ability to connect to necessary resources. Remote access might include a wireless fidelity (Wi-Fi) link supporting a small office or home office network using modern 802.11-compliant wireless networking equipment, or perhaps allowing employees in a mobile sales force to be authenticated as they dial in to a central office using telephony carriers. We focus on several specific areas of concern regarding remote access, including the following:
802.11x Wireless Networking
The 802.11x specification establishes standards for wireless network connectivity. When an 802.11x-compliant connection is attempted, a wireless client tries to contact a wireless access point (WAP), which then authenticates the client through a basic challenge/response method and opens the ports allowed for a wireless connection to the network. This one-way authentication process, broadcast using radio waves, is susceptible to several security concerns:
Virtual Private Network (VPN) Connections
When data must pass across a public or unsecured network, one popular method of securing the data involves the use of a Virtual Private Network (VPN) connection. VPN connections provide a mechanism for the creation of a secured tunnel through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. This technology allows for a secure, authenticated connection between a remote user and the internal private network of an organization. Additional security may be gained through the use of encryption protocols and authentication methods, such as using the IPSec protocol over the VPN connection. VPN connections may be used to create secured connections between remote offices to allow replication traffic and other forms of intersite communication to occur, without incurring the cost of expensive, dedicated leased circuits or modem bank solutions. Two of the more common protocols used in VPN solutions are PPTP and L2TP. You will learn more about these protocols next.
Point-to-Point Tunneling Protocol (PPTP) Connections
One common Virtual Private Network encapsulation protocol, proposed initially by a group of companies including Microsoft, is the Point-to-Point Tunneling Protocol (PPTP). Connections between remote users and sites may be made using this encapsulation protocol, which creates a secured "tunnel" through which other data can be transferred.
Layer 2 Tunneling Protocol (L2TP) Connections
The Layer 2 Tunneling Protocol (L2TP) is an extension of the earlier PPTP and Layer 2 Forwarding (L2F) standards. Proposed by the Cisco Corporation and its partners, this protocol is rapidly replacing PPTP as the standard encapsulation protocol used for VPN connections. L2TP connections are created by first allowing a client to connect to an L2TP access concentrator, which then tunnels individual Point-to-Point Protocol (PPP) frames through a public network to the network access server (NAS), where the frames may then be processed as if they had been generated locally.
Dial-Up User Access
Although broadband solutions such as cable modems and Digital Subscriber Line (DSL) connections are becoming increasingly available, the use of an acoustic modem (short for modulator/demodulator) over normal telephone lines remains a common means of remote connectivity. Client systems equipped with a modem can connect using normal dial-up acoustic connections to a properly equipped RAS server, which then functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. Most Internet Service Providers (ISPs) still offer dial-up network connectivity for their users, although many organizations still maintain the use of RAS servers to provide direct connectivity for remote users or administrators and to provide failover fault-tolerant communications in the event of WAN connectivity loss. Demand-dial solutions involving the use of modem technology may even provide on-demand intersite connectivity for replication or communications, without requiring a continuous form of connection between the remote sites. The authentication protocols often found in dial-up infrastructures are TACACS, RADIUS, and TACACS+. The authentication and/or transport services that these protocols offer are discussed in more depth next.
Terminal Access Controller Access Control System (TACACS)
The Terminal Access Controller Access Control System (TACACS) protocol is an early authentication mechanism used by Unix-based RAS servers to forward dial-up user logon and password values to an authentication server. TACACS does not provide authentication itself but rather is an encryption protocol used to send the logon information to a separate authentication service.
Remote Authentication Dial-In User Service (RADIUS) and TACACS+
Modern solutions, including the Remote Authentication Dial-In User Service (RADIUS) and TACACS+ protocols, provide for both user authentication and authorization.
A RADIUS server authenticates dial-in users using a symmetric key (private key) method and provides authorization settings through a stored user profile. Authentication is managed through a client/server configuration in which the RAS server functions as a client of the RADIUS server, passing dial-in user access information to the RADIUS server, often through a VPN connection between the two systems.
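The RAS-to-RADIUS exchange described above, worked through as an added example that is not from the book: the RADIUS client (RAS server) hides the User-Password attribute with the shared secret and a per-request authenticator, and the server's reply carries a Response Authenticator the client must recompute before trusting an Accept or Reject. The packet and attribute layouts follow RFC 2865; the secret, identifier and credentials are constructed sample values.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def attr(attr_type, value):
    """Encode one attribute: Type, Length (including these two bytes), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: reverse hide_password() using the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def build_access_request(ident, secret, username, password, authenticator=None):
    """RAS (RADIUS client) side: Code, Identifier, Length, Request Authenticator, attributes."""
    req_auth = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: the Response Authenticator binds the reply to the request and the secret."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs

def verify_response(response, request, secret):
    """Client side: recompute the Response Authenticator before trusting an Accept/Reject."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return expected == resp_auth and response[1] == request[1]
```

Because the only thing protecting the password and the reply is the shared secret and MD5, the secret must be long and random and the RAS-to-RADIUS path should itself be protected, as the text notes with its VPN suggestion.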
The TACACS+ protocol is an extension of the earlier TACACS form, adding authentication and authorization capabilities similar to the RADIUS authentication method. One important difference between these two is that the TACACS+ protocol relies on Transmission Control Protocol (TCP) connectivity, whereas RADIUS uses the User Datagram Protocol (UDP).
Secure Shell (SSH) Connections
As a more secure replacement for the common command-line terminal utility telnet, the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. SSH utilizes the asymmetric (public key) Rivest-Shamir-Adleman (RSA) cryptography method to provide both connection and authentication. Data encryption is accomplished using one of the following algorithms:
The Secure Shell suite encapsulates three secure utilities: slogin, ssh, and scp, derived from the earlier nonsecure Unix utilities rlogin, rsh, and rcp. SSH provides a large number of options with which you may be at least somewhat familiar (see Figure 4.1).
Figure 4.1. A Linux version of the ssh utility showing available options.
Like telnet, SSH provides a command-line connection through which an administrator may input commands on a remote server. SSH provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a telnet session. The three utilities within the Secure Shell suite provide the following functionalities:
Internet Protocol Security (IPSec)
The Internet Protocol Security (IPSec) authentication and encapsulation standard is widely used to establish secure Virtual Private Network communications. Unlike most security systems, which function within the Application layer of the Open Systems Interconnection (OSI) model, the IPSec protocol functions within the Network layer. The OSI model is a logically structured model that encompasses the translation of data entered at the Application layer through increasingly abstracted layers of data, resulting in the actual binary bits passed at the Physical layer. This process of adding data at different layers is referred to as encapsulation. At the other end of a data transfer, the individual packets of data are ordered and reassembled by passing back through the layers of the OSI model until the original data is reproduced at the Application layer on the receiving system. Here are the layers of the OSI model:
IPSec provides authentication services as well as encapsulation of data through support of the Internet Key Exchange (IKE) protocol.
IPSec Services
The asymmetric key standard defining IPSec provides two primary security services:
Internet Key Exchange (IKE) Protocol
IPSec supports the Internet Key Exchange (IKE) protocol, which is a key-management standard used to specify separate key protocols to be used during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.
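To make the Network-layer placement of IPSec concrete, here is an added example (not from the book) that parses the IPSec headers sitting directly above IPv4: ESP is IP protocol 50 and AH is IP protocol 51, and the Security Parameters Index (SPI) each one carries is the value that an IKE/ISAKMP negotiation establishes. Header layouts follow RFC 4303 (ESP) and RFC 4302 (AH); the packets are constructed samples, not captures.

```python
import struct

# IPv4 protocol numbers for the two IPSec headers (IANA assignments)
IP_PROTO_ESP = 50
IP_PROTO_AH = 51

def build_ipv4(proto, src, dst, payload):
    """Construct a minimal IPv4 packet (20-byte header, no options) around a payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(src), bytes(dst))
    return header + payload

def parse_ipsec(pkt):
    """Return the IPSec header fields found directly above IPv4, or None when the
    packet carries neither AH nor ESP. Everything after the ESP header is opaque."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    p = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        spi, seq = struct.unpack_from("!II", p, 0)
        return {"protocol": "ESP", "src": src, "dst": dst, "spi": spi, "seq": seq,
                "opaque_len": len(p) - 8}
    if proto == IP_PROTO_AH:
        next_hdr, payload_len, _, spi, seq = struct.unpack_from("!BBHII", p, 0)
        ah_len = (payload_len + 2) * 4  # Payload Len is in 32-bit words, minus 2
        return {"protocol": "AH", "src": src, "dst": dst, "spi": spi, "seq": seq,
                "next_header": next_hdr, "icv": p[12:ah_len], "inner": p[ah_len:]}
    return None

# Constructed sample packets (not real captures)
SRC, DST = (10, 0, 0, 1), (10, 0, 0, 2)
ESP_PKT = build_ipv4(IP_PROTO_ESP, SRC, DST,
                     struct.pack("!II", 0x1000ABCD, 7) + b"\xaa" * 32)
AH_PKT = build_ipv4(IP_PROTO_AH, SRC, DST,
                    struct.pack("!BBHII", 6, 4, 0, 0x2000BEEF, 3) + b"\x11" * 12 + b"TCP...")
TCP_PKT = build_ipv4(6, SRC, DST, b"\x00" * 20)

if __name__ == "__main__":
    for pkt in (ESP_PKT, AH_PKT, TCP_PKT):
        print(parse_ipsec(pkt))
```

Note what a monitoring point can and cannot see: with AH the inner header is exposed and integrity-protected, while with ESP only the SPI and sequence number are readable and the rest is opaque.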