Besides securing the authentication event, why is Hypertext Transfer Protocol Secure (HTTPS) much more secure than HTTP?


Even if HTTP had encrypted passwords, the authentication event for HTTP occurs at the beginning of the session, and further authentication occurs only through the network and transport layer functions (IP, sequence, and port numbers). This means that any device capable of successfully spoofing that information can act as though it is the originator of the session. Because HTTPS uses SSL, an encrypted tunnel is built, and each packet is authenticated to ensure that it came from the originator of the session. This is part of the reason 802.1x has issues. The authentication event can be ridiculously strong, but if ongoing authentication is limited to validating a MAC address, you haven't gained very much.


Can network layer authentication be leveraged as a replacement for authenticating a particular application?


Not yet. In a future that includes ubiquitous strong authentication, integrity, and encryption for all network connections, I can see this information being leveraged as an alternative to reauthenticating the client. The unknown variable for me is how such systems will ensure that the user who originally authenticated is the one who is sitting at the computer. Some sort of proximity system will need to be employed for this to be effective.


Which kinds of physical security provide the most benefit if the goal is to reduce the requirements on an authentication system when inside the corporate perimeter?


You can refer to Chapter 6 for more information on this. The biggest thing besides good locks and the basics is a way to avoid tailgaters. If unknown persons are easily able to walk in behind an authorized user, your physical security isn't very strong. Unfortunately, the easiest way to prevent this kind of access is by having only a limited number of access points in the building (easy) and turnstiles/security guards at these points (hard).


When should you deploy a separate AAA server for administrative access versus your general user repository?


Often this is based on the size of the organization. I tend to prefer a separate server whenever financially viable because it makes it much easier to manage user rights. The administrative server (often TACACS+ in Cisco environments) has its own local user repository and can maintain separate passwords to make it clear to IT admins when they are exercising their admin rights rather than their general user rights. Also, the specific AAA extensions used for administrative access often require special configuration that might entail more complexity than you want on your production systems.

Part I. Network Security Foundations

Network Security Axioms

Security Policy and Operations Life Cycle

Secure Networking Threats

Network Security Technologies

Part II. Designing Secure Networks

Device Hardening

General Design Considerations

Network Security Platform Options and Best Deployment Practices

Common Application Design Considerations

Identity Design Considerations

IPsec VPN Design Considerations

Supporting-Technology Design Considerations

Designing Your Security System

Part III. Secure Network Designs

Edge Security Design

Campus Security Design

Teleworker Security Design

Part IV. Network Management, Case Studies, and Conclusions

Secure Network Management and Network Security Management

Case Studies



Appendix A. Glossary of Terms

Appendix B. Answers to Applied Knowledge Questions

Appendix C. Sample Security Policies

INFOSEC Acceptable Use Policy

Password Policy

Guidelines on Antivirus Process


Network Security Architectures
Network Security Architectures
ISBN: 158705115X
EAN: 2147483647
Year: 2006
Pages: 249
Authors: Sean Convery

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net