In the previous chapter of [[Security+ Essentials]] we looked at TCP/IP ports and the issue of nonessential services. Clearly a server with all ports blocked and all services disabled would be of little use to anyone except the system administrator sitting at the system console. The simple fact is that, in order to be useful, computer systems need to be able to communicate with other systems, either on a local area network (LAN), over a wide area network (WAN) or over the internet.

The objective of a good IT security strategy, therefore, is not to prevent all communication, but to ensure that all communication takes place as securely as possible.

In this chapter we will look at the variety of secure methods for providing remote access and transferring data between systems.
    
== Remote Access ==

The first area to be covered in this chapter involves the implementation of secure remote access to servers and services. Remote access falls into a variety of different categories including wireless (Wi-Fi), Virtual Private Network (VPN), dial-up and terminal connections.
    
== Virtual Private Network (VPN) Communications ==

Virtual Private Networks (VPNs) are used when confidential data needs to be transported over a public network (typically the internet). A VPN provides a secure tunnel through the public network through which data packets are transmitted, usually using authentication and encryption to avoid the data being compromised.

    
The two primary approaches to VPN based connectivity are Point-to-Point-Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
 
The two primary approaches to VPN based connectivity are Point-to-Point-Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
 
== Layer 2 Tunneling Protocol (L2TP) ==

Layer 2 Tunneling Protocol (L2TP) is based on a combination of PPTP and Cisco's L2F technology and uses a two-phase authentication process. This process involves first authenticating the computers at each end of the connection, followed by authentication of the user. Authentication of the computer is aimed at preventing Man-in-the-Middle attacks (see [[An Overview of IT Security Threats and Attacks]] for more details about Man-in-the-Middle attacks).

L2TP operates at the data-link layer of the OSI stack, and as such supports a wide range of protocols in addition to TCP/IP.

Some advantages of L2TP over PPTP include greater security, support for public key infrastructure (PKI) and header compression.
    
== Internet Protocol Security (IPSec) ==

Internet Protocol Security (IPSec) is used for the authentication and encapsulation of communications over a secure Virtual Private Network (VPN) and operates at the Network Layer of the OSI model.

IPSec provides authentication and data encapsulation services through the Internet Key Exchange Protocol (IKE). IKE is a key management standard designed to specify separate key protocols for use during data encryption. IKE works within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the key and authentication data appended to each transmitted packet.
    
IPSec provides two key services. The ''Authentication Header'' (AH) service provides a mechanism for checking the authenticity of a data packet header, allowing the authentication of the sender to be verified. The ''Encapsulating Security Payload'' (ESP) provides authentication of the sender in addition to encryption of the data contained in the packet (i.e. the ''payload'').
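To make the AH/ESP distinction concrete, here is an added Python example (not from the original chapter and not taken from any IPSec implementation) that builds a simplified AH packet and a simplified ESP packet and shows what each integrity check does and does not cover. It keeps the header layouts of RFC 4302 (AH) and RFC 4303 (ESP) and the HMAC-SHA-256-128 truncation of RFC 4868, but the keys, addresses and payload are constructed demo values, the IP checksum is left at zero, and the ESP encryption is an HMAC-derived XOR keystream standing in for the AES that real ESP uses. The `nat_rewrite` and `observer_view` helpers are assumptions that exist only to illustrate two practical consequences: AH authenticates the IP header itself, so a NAT that rewrites the source address invalidates the ICV, whereas ESP's ICV covers only the ESP header and ciphertext, so the packet survives NAT and the payload is unreadable on the wire.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real IPSec security association gets these from IKE.
AUTH_KEY = b"demo-integrity-key-not-for-real-use"
ENC_KEY = b"demo-encryption-key-not-for-real-use"
ICV_LEN = 16  # HMAC-SHA-256-128: the first 128 bits of the HMAC (RFC 4868)
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left at zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def _ah_covered_view(ip_hdr):
    """AH authenticates the IP header with the mutable fields (ToS, flags/fragment
    offset, TTL, checksum) zeroed; source and destination addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(src, dst, payload, spi=0x1001, seq=1):
    """IP header + AH (next header, payload length, reserved, SPI, sequence, ICV) + clear payload."""
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", IPPROTO_TCP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    icv = _icv(AUTH_KEY, _ah_covered_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(packet):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = _icv(AUTH_KEY, _ah_covered_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(icv, expected)


def _keystream_xor(key, spi, seq, data):
    """Stand-in for AES: XOR with an HMAC-SHA256 keystream keyed by SPI and sequence (demo only)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_protect(src, dst, payload, spi=0x2002, seq=1):
    """IP header + ESP header (SPI, sequence) + encrypted payload/trailer + ICV."""
    pad_len = (-(len(payload) + 2)) % 4                   # align the trailer as RFC 4303 requires
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_TCP])
    esp_hdr = struct.pack("!II", spi, seq)
    body = _keystream_xor(ENC_KEY, spi, seq, plaintext)
    icv = _icv(AUTH_KEY, esp_hdr + body)                  # the IP header is NOT covered
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp_hdr) + len(body) + ICV_LEN)
    return ip_hdr + esp_hdr + body + icv


def esp_verify(packet):
    """Return the decrypted payload, or None if the ICV does not match."""
    esp_hdr, body, icv = packet[20:28], packet[28:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(AUTH_KEY, esp_hdr + body)):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    plaintext = _keystream_xor(ENC_KEY, spi, seq, body)
    pad_len = plaintext[-2]
    return plaintext[:len(plaintext) - 2 - pad_len]


def nat_rewrite(packet, new_src):
    """What a NAT router does on the way out: rewrite the source address and decrement the TTL."""
    p = bytearray(packet)
    p[12:16] = bytes(map(int, new_src.split(".")))
    p[8] -= 1
    return bytes(p)


def observer_view(packet):
    """Everything after the IP header, as a passive observer on the public network sees it."""
    return packet[20:]


if __name__ == "__main__":
    msg = b"GET /payroll HTTP/1.1"                        # constructed payload
    ah = ah_protect("10.0.0.5", "203.0.113.9", msg)
    esp = esp_protect("10.0.0.5", "203.0.113.9", msg)
    print("AH  verifies as sent:    ", ah_verify(ah))
    print("AH  verifies after NAT:  ", ah_verify(nat_rewrite(ah, "198.51.100.1")))
    print("ESP decrypts after NAT:  ", esp_verify(nat_rewrite(esp, "198.51.100.1")) == msg)
    print("AH  payload on the wire: ", msg in observer_view(ah))
    print("ESP payload on the wire: ", msg in observer_view(esp))
```

Running the block prints True, False, True, True, False in that order: the AH packet authenticates the sender but carries its payload in the clear and cannot pass through address translation, while the ESP packet hides the payload and survives NAT because its ICV stops at the ESP header. This is why ESP is the service almost always used for VPN traffic that has to cross a NAT boundary.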
 
== 802.11x Wireless Connections ==

802.11x covers a set of IEEE standards which define wireless networking, better known as Wi-Fi. A number of standards have evolved including 802.11a, 802.11b, 802.11g and 802.11n. Until recently the concept of wireless networking involved computer systems talking to each other, but recent years have introduced a range of wireless devices (notably the iPhone from Apple) which will switch over from a carrier-based wireless connection to a wireless access point (WAP) when one comes into range.
    
Wireless networking is rapidly gaining adoption in commercial enterprises, but is still more common in homes, and is subject to a number of potential security threats:

* '''Clear data''' - Unfortunately a number of Wireless Access Points are shipped with none of the security features activated. This means that all data is transmitted in clear text form, completely unencrypted and easily captured by malicious parties.

* '''Session Hijacking''' - The authentication process used with Wi-Fi is one-way, making it possible for a third party to break into an existing, previously authenticated session. This is achieved by sending a signal to the client after authentication has completed such that it believes it has been disconnected. The rogue system then continues the session with the access point as if nothing has happened.

* '''Man-in-the-Middle''' - Such an attack involves the use of a rogue access point which masquerades as the legitimate access point. The rogue WAP accepts the connection from a client and records all data transactions before passing the data on to the original access point.

* '''War Driving''' - War driving involves driving around urban areas with a laptop configured to ''listen'' for wireless access points. Once an access point is located, steps are then taken to break into the system. Once this has been achieved the information is typically uploaded to web sites so that others can similarly locate and break into the network. A concept known as ''war chalking'' has also risen in prominence in recent years. This involves a special type of graffiti which tells those in the know that an access point is nearby and provides information on how to access it.

The use of Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) features goes a long way toward mitigating many of the risks inherent in using wireless networks. There is no such thing as a truly secure wireless network. The objective, therefore, is to make it as hard as possible for the network to be breached, thereby causing those with malicious intentions to move on to weaker targets.
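The session hijacking and Man-in-the-Middle entries above both leave traces that a defender can watch for: a burst of deauthentication frames aimed at one client, and a second BSSID advertising the organisation's SSID. The following Python example, added here and not part of the original chapter, runs that detection logic over a constructed management-frame log. The addresses, SSIDs and timestamps in `FRAME_LOG` are placeholders and its tuple layout is an assumption rather than any capture format; the authorised-BSSID list, the protected-SSID set and the burst threshold are assumed site-specific tuning values.

```python
from collections import defaultdict, deque

# Constructed 802.11 management-frame log, NOT a real capture:
# (seconds, subtype, bssid, ssid, client_mac). All addresses are placeholders.
FRAME_LOG = [
    (0.0, "beacon", "AA:BB:CC:00:00:01", "CorpNet", None),
    (0.4, "assoc",  "AA:BB:CC:00:00:01", "CorpNet", "DE:AD:BE:EF:00:10"),
    (1.0, "beacon", "AA:BB:CC:00:00:02", "CorpNet", None),
    (1.5, "beacon", "66:77:88:99:AA:BB", "CorpNet", None),   # our SSID from an unknown BSSID
    (2.0, "beacon", "66:77:88:99:AA:BB", "GuestNet", None),  # unknown BSSID, but not our SSID
    (3.0, "deauth", "AA:BB:CC:00:00:02", None, "DE:AD:BE:EF:00:22"),  # a single deauth is normal
    (5.0, "deauth", "AA:BB:CC:00:00:01", None, "DE:AD:BE:EF:00:10"),
    (5.1, "deauth", "AA:BB:CC:00:00:01", None, "DE:AD:BE:EF:00:10"),
    (5.2, "deauth", "AA:BB:CC:00:00:01", None, "DE:AD:BE:EF:00:10"),
    (5.3, "deauth", "AA:BB:CC:00:00:01", None, "DE:AD:BE:EF:00:10"),
    (5.4, "deauth", "AA:BB:CC:00:00:01", None, "DE:AD:BE:EF:00:10"),
    (5.5, "deauth", "AA:BB:CC:00:00:01", None, "DE:AD:BE:EF:00:10"),
    (6.0, "assoc",  "66:77:88:99:AA:BB", "CorpNet", "DE:AD:BE:EF:00:10"),  # client lands on the rogue AP
]

# Assumed site inventory: the access points we actually deployed and the SSIDs they serve.
AUTHORISED_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}
PROTECTED_SSIDS = {"CorpNet"}


def find_rogue_aps(frames, authorised=AUTHORISED_BSSIDS, protected=PROTECTED_SSIDS):
    """Map BSSID -> SSID for any AP advertising one of our SSIDs without being on the authorised list."""
    rogue = {}
    for _, subtype, bssid, ssid, _ in frames:
        if subtype == "beacon" and ssid in protected and bssid not in authorised:
            rogue[bssid] = ssid
    return rogue


def find_deauth_bursts(frames, window=2.0, threshold=5):
    """Flag (bssid, client) pairs that see >= threshold deauth frames inside a sliding window.
    A forged deauth carries the legitimate BSSID as its source, so the rate, not the
    source address, is the signal."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, subtype, bssid, _, client in frames:
        if subtype != "deauth":
            continue
        q = recent[(bssid, client)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add((bssid, client))
    return alerts


def find_clients_on_rogue_aps(frames, rogue):
    """Clients that associated with a BSSID already flagged as rogue: the Man-in-the-Middle is in place."""
    return {(client, bssid) for _, subtype, bssid, _, client in frames
            if subtype == "assoc" and bssid in rogue}


def wireless_alerts(frames):
    """Render the three checks as alert lines, in a stable order."""
    rogue = find_rogue_aps(frames)
    lines = [f"ROGUE_AP bssid={b} ssid={s}" for b, s in sorted(rogue.items())]
    lines += [f"DEAUTH_BURST bssid={b} client={c}" for b, c in sorted(find_deauth_bursts(frames))]
    lines += [f"CLIENT_ON_ROGUE client={c} bssid={b}"
              for c, b in sorted(find_clients_on_rogue_aps(frames, rogue))]
    return lines


if __name__ == "__main__":
    for line in wireless_alerts(FRAME_LOG):
        print(line)
```

On the constructed log this raises three alerts: the unknown BSSID beaconing "CorpNet", the six deauthentication frames sent to one client in half a second, and that same client then associating with the rogue BSSID, which is the hijacking sequence described above seen from the defender's side. The single deauth at 3.0 s and the unknown AP's "GuestNet" beacon are correctly ignored. Where the hardware supports it, 802.11w protected management frames authenticate deauthentication frames and so remove the forged-disconnect step entirely; and since WEP's encryption has long been broken in practice, the clear-data threat should be treated as present on a WEP network too, with WPA2 or later used instead.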
    
== Dial-Up Access ==

== Terminal Access Controller Access Control System (TACACS) ==