Security+ - An Overview of Communications Security
In the previous chapter of Security+ Essentials we looked at TCP/IP ports and the issue of nonessential services. Clearly a server with all ports blocked and all services disabled would be of little use to anyone except the system administrator sitting at the system console. The simple fact is that in order to be useful computer systems need to be able to communicate with other systems, either on a local area network (LAN) or over wide area networks (WAN) or the internet.
The objective of a good IT security strategy, therefore, is not to prevent all communication, but to ensure that all communication takes place as securely as possible.
In this chapter we will look at the variety of secure methods for providing remote access and transferring data between systems.
Remote Access
The first area to be covered in this chapter involves the implementation of secure remote access to servers and services. Remote access falls into a variety of different categories including wireless (Wi-Fi), Virtual Private Network (VPN), dial-up and terminal connections.
Virtual Private Network (VPN) Communications
Virtual Private Networks (VPN) are used when confidential data needs to be transported over a public network (typically the internet). A VPN provides a secure tunnel across the public network through which data packets are transmitted, usually using authentication and encryption to prevent the data from being compromised.
The two primary approaches to VPN based connectivity are Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
Point-to-Point Tunneling Protocol (PPTP)
The Point-to-Point Tunneling Protocol (PPTP) provides a secure tunnel between two points on a network. PPTP works in conjunction with PPP using authentication methods such as PAP, CHAP and MS-CHAP. Using port 1723 on the server and a dynamically allocated port on the client, data is encapsulated in a secure tunnel between the two systems.
Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP) is based on a combination of PPTP and Cisco's L2F technology and uses a two phase authentication process. This process involves first authenticating the computers at each end of the connection, followed by the authentication of the user. Authentication of the computer is aimed at preventing Man-in-the-Middle attacks (see An Overview of IT Security Threats and Attacks for more details about Man-in-the-Middle attacks).
L2TP operates at the data-link layer of the OSI stack, and as such supports a wide range of protocols in addition to TCP/IP.
Some advantages of L2TP over PPTP include greater security, support for public key infrastructure (PKI) and header compression.
Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) is used for the authentication and encapsulation of communications over a secure Virtual Private Network (VPN) and operates at the Network Layer of the OSI model.
IPSec provides its authentication and data encapsulation services through the Internet Key Exchange (IKE) protocol. IKE is a key management standard that specifies separate key protocols for use during data encryption. IKE works within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the key and authentication data appended to each transmitted packet.
IPSec provides two key services. The Authentication Header (AH) service provides a mechanism for checking the authenticity of a data packet header, allowing the identity of the sender to be verified. The Encapsulating Security Payload (ESP) service provides authentication of the sender in addition to encryption of the data contained in the packet (i.e. the payload).
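To make the AH/ESP distinction concrete, here is an added Python illustration (not code from this book) of what each integrity check covers: AH's check value includes the IP header with its mutable fields zeroed, so a changed destination address is detected while a router's TTL decrement is not, whereas ESP's check covers only the encapsulated payload. The keys, addresses and payload are constructed values, and the AH header itself is omitted to keep the model short.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed integrity keys (not from the page); real SAs negotiate these via IKE.
AH_KEY = b"constructed-ah-integrity-key"
ESP_KEY = b"constructed-esp-integrity-key"


def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed input)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable(hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit (RFC 4302 section 3.3.3.1):
    TOS, flags/fragment offset, TTL and header checksum. Everything else,
    including source and destination addresses, stays covered by the ICV."""
    h = bytearray(hdr)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """AH integrity check value over the normalised IP header plus the payload.
    Simplified model: the AH header is omitted; HMAC-SHA-256 is truncated to 128 bits."""
    return hmac.new(key, zero_mutable(hdr) + payload, hashlib.sha256).digest()[:16]


def esp_icv(payload: bytes, key: bytes) -> bytes:
    """ESP's integrity check covers only the encapsulated data, never the outer IP header."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:16]


def ah_verify(hdr: bytes, payload: bytes, key: bytes, icv: bytes) -> bool:
    """Receiver-side check: constant-time comparison of the recomputed AH ICV."""
    return hmac.compare_digest(ah_icv(hdr, payload, key), icv)
```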
802.11x Wireless Connections
Wireless networking is rapidly gaining adoption in commercial enterprises, but is still more common in homes and is subject to a number of potential security threats:
- Clear data - Unfortunately a number of Wireless Access Points are shipped with none of the security features activated. This means that all data is transmitted in clear text form, completely unencrypted and easily captured by malicious parties.
- Session Hijacking - The authentication process used with Wi-Fi is one-way making it possible for a third party to break into an existing, previously authenticated session. This is achieved by sending a signal to the client after authentication has completed such that it believes it has been disconnected. The rogue system then continues the session with the access point as if nothing has happened.
- Man-in-the-Middle - Such an attack involves the use of a rogue access point which masquerades as the legitimate access point. The rogue WAP accepts the connection from a client and records all data transactions before passing the data on to the original access point.
- War Driving - War driving involves driving around urban areas with a laptop configured to listen for wireless access points. Once an access point is located, steps are then taken to break into the system. Once this has been achieved the information is typically uploaded to web sites so that others can similarly locate and break into the network. A concept known as war chalking has also risen in prominence in recent years. This involves a special type of graffiti which tells those in the know that an access point is nearby and provides information on how to access it.
The use of Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) features goes a long way toward mitigating many of the risks inherent in using wireless networks. There is no such thing as a truly secure wireless network. The objective, therefore, is to make it as hard as possible for the network to be breached, thereby causing those with malicious intentions to move on to weaker targets.
Dial-Up Access
Despite the wide availability of broadband internet access we still haven't quite fully escaped from the confines of dial-up access. The primary authentication protocols used on dial-up connections are Terminal Access Controller Access Control System (TACACS), TACACS+ and Remote Authentication Dial-In User Service (RADIUS).
Terminal Access Controller Access Control System (TACACS)
An early UNIX based Remote Access Server (RAS) technology, TACACS is designed to transmit encrypted authentication data to a separate authentication server. TACACS does not itself provide an authentication service.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a User Datagram Protocol (UDP) based protocol designed to provide both authentication and authorization services. Authentication functions are provided by a RADIUS server using a symmetric private key. Authorization is provided through stored user profiles.
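As an added example (not code from this book), the following Python sketches how the symmetric key mentioned above is actually used on the wire: the client hides the User-Password attribute with MD5 keyed by the shared secret and the per-request Request Authenticator, and checks the server's Response Authenticator the same way, so a reply forged without the secret or replayed against a different request is rejected. The secret and Request Authenticator values are constructed.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the page): a shared secret and a fixed 16-byte
# Request Authenticator so the results are reproducible (real ones are random).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password attribute as the RADIUS client does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed with
    MD5(secret + previous ciphertext block), the 'previous block' for the first one
    being the Request Authenticator. The secret itself never crosses the network.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden, prev = hidden + block, block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse the hiding as the RADIUS server does; trailing NUL padding is stripped."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    where Length counts the 20-byte header plus the attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(code: int, ident: int, attrs: bytes, request_auth: bytes,
                    secret: bytes, received_auth: bytes) -> bool:
    """Client-side check on an Access-Accept (code 2) or Access-Reject (code 3):
    a reply made without the shared secret, or for a different request, fails here."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)
```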
Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ extends the basic TACACS protocol by adding authentication and authorization functionality similar to that provided by RADIUS. Unlike RADIUS, TACACS+ is based on the Transmission Control Protocol (TCP) rather than UDP.
Secure Shell (SSH)
Many years ago, before we started having to worry about network and internet security, a tool called telnet was used to gain remote command-line based access to systems. The big problem with telnet is that it sends both the authentication information and all subsequent data in plain text, making it extremely easy for the session to be compromised.
Secure Shell (SSH) is a secure alternative which is now used almost exclusively in place of telnet. SSH establishes a secure, authenticated and encrypted connection between the client and the server using asymmetric Rivest-Shamir-Adleman (RSA) public key cryptography. Data encryption is achieved using IDEA, Blowfish or DES.
Unlike telnet, which consisted of a single tool, SSH is actually a suite of tools consisting of the following utilities:
- slogin/ssh - The Secure Login tools. Both of these tools enable a user to establish a secure connection with a remote system. On most systems invoking slogin actually simply invokes the ssh tool.
- scp - A Secure Copy tool. Used to securely transfer files between systems.