Remote Access
Download
Report
Transcript Remote Access
Remote Access
Chapter 4
IEEE 802.1x
An internet standard created to perform
authentication services for remote access to a
central LAN.
Simple Network Management Protocol (SNMP)
A set of protocols for managing complex networks.
It works by sending messages, called protocol data
units (PDUs), to different parts of a network. An
SNMP-compliant device, called an “agent,” stores
data about itself in a Management Information Base
(MIB) and returns this data to an SNMP requester.
IEEE 802.1x
General Topology
IEEE 802.1x
Extensive Authentication Protocol (EAP)
A protocol defined by IEEE 802.1x that supports
multiple authentication methods.
EAP over LAN (EAPOL)
An encapsulation method for sending EAP over a
LAN environment using IEEE 802 frames.
IEEE 802.1x
IEEE 802.1x Conversation
IEEE 802.1x
Telnet
The standard terminal emulation protocol within the
TCP/IP protocol suite defined by RFC 854.
Virtual Private Networks
A remote access method that secures the
connection between the user and the home
office using various different authentication
mechanisms and encryption techniques.
Virtual Private Networks
VPN Diagram
Virtual Private Networks
VPN Options
Included in MS Windows packages.
MS PPTP.
Outsource to service provider.
Encryption does not happen until the data reaches the
provider’s network.
Virtual Private Networks
VPN Drawbacks
Not completely fault tolerant.
Diverse choices for implementing.
Law of diminishing returns.
Each incremental increase in security over a certain point
becomes more and more expensive.
Remote Authentication Dial-In User
Service (RADIUS)
Uses a model of distributed security to
authenticate users on a network.
User Datagram Protocol (UDP)
A connectionless protocol that, like TCP, runs on
top of IP networks. It provides very few error
recovery services, offering instead a direct way to
send and receive datagrams over an IP network.
Remote Authentication Dial-In User
Service (RADIUS)
Authentication with a RADIUS Server
Network Access Server (NAS)
This allows access to the network.
Serial Line Internet Protocol (SLIP)
A method of connecting to the Internet. Another more
common method is PPP.
Remote Authentication Dial-In User
Service (RADIUS)
Authentication
Client
Internet
RADIUS Server
Access request
Access accept (with exec authorization in attributes)
Accounting request (start)
Time
Accounting response to client
Accounting request (stop)
Securing Response to client
Remote Authentication Dial-In User
Service (RADIUS)
Benefits
Greater security.
Scalable architecture.
Open protocols.
Future enhancements.
Terminal Access Controller Access
Control System (TACACS+)
An authentication system developed by Cisco
Systems.
Developed to address the need for a scalable
solution that RADIUS did not provide.
Uses Transmission Control Protocol (TCP)
Offers multiple protocol support
Terminal Access Controller Access
Control System (TACACS+)
Client
Internet
TACACS+ Server
Start (authentication) to connect user
Reply (authentication) to ask client to get username
Continue (authentication) to give server username
Reply (authentication) to ask client to get password
Continue (authentication) to give server password
Time
Reply (authentication) to indicate pass/fail status
Request (accounting) for service=shel
Response (authorization) to indicate pass/fail status
Terminal Access Controller Access
Control System (TACACS+)
Client
Internet
TACACS+ Server
Request (accounting) for start/exec
Response (accounting) that record was received
Request (authorization) for command and command-argument
Response (authorization) to indicate pass/fail status
Request (accounting) for command
Time
Response (accounting) that record was received
Request (accounting) for stop/exec
Response (accounting) that record was received
Point-to-Point Tunneling Protocol
(PPTP)
Built upon Point-to-Point Protocol (PPP) and
Transmission Control Protocol/Internet Protocol
(TCP/IP).
Handshaking
The process by which two devices initiate communications.
Handshaking begins when one device sends a message to
another device indicating that it wants to establish a
communications channel. The two devices then send several
messages back an forth that enable them to agree on a
communications protocol.
Point-to-Point Tunneling Protocol
(PPTP)
Performs the following tasks:
Queries the status of communications servers
Provides in-band management
Allocates channels and places outgoing calls
Notifies Windows NT Server of incoming calls
Transmits and receives user data with bidirectional flow
control
Notifies Windows NT Server of disconnected calls
Assures data integrity, while making the most efficient use of
network bandwidth by tightly coordinating the packet flow
Layer 2 Tunneling Protocol
Expands PPP by allowing both endpoints (layer
two and PPP) to reside on different devices
connected by a paket-switched network like the
Internet.
Allows the processing of PPP packets to happen
separately from the termination of the layer two
circuits.
Secure Shell (SSH)
A program used to log on to another computer over a
network, to execute commands in a remote machine,
and to move files from one machine to another.
Uses a public key authentication method to establish an
encrypted and secure connection from the user’s
machine to the remote machine.
Certificate Revocation List (CRL)
A device used in SSH to manage certificates. Certificates that
are no longer valid are placed on a list and verified by the
SSH engine when authentication occurs.
IP Security Protocol
Internet Engineering Task Force (IETF)
IP Security (IPSec)
The main standards organization for the Internet.
A set of protocols developed by the IETF to
support secure exchange of packets at the IP layer.
IPSec has been deployed widely to implement VPNs.
Secures Layer 3 of the OSI Model
IP Security Protocol
Encapsulating Security Payload (ESP)
Provides a mix of security services in IPv4 and IPv6. It is
used to provide confidentiality, data origin authentication,
connectionless integrity, anti-replay, and limited
confidentiality of the traffic flow.
Security Parameter Index (SPI)
An arbitrary 32-bit number used to specify to the device
receiving the packet not only what group of security
protocols the sender is using to communicate, but which
algorithms and keys are being used, and how long those keys
are valid.
IP Security Protocol
IP Security Protocol
Payload Data
Padding
8 bits – specifies the length of the payload data is padding
Next Header
0 to 255 bytes used to ensure that ciphertext terminates on a 4-byte
boundary
Pad Length
Variable length – this is the data carried by the IP packet
8 bits – an IP protocol number describing the format of the payload data
Authentication Data
Variable length – optional field used by the authentication service
IP Security Protocol
ESP and Encryption Models
ESP can use several encryption protocols. The
sender decides which ones to use.
The current standard for IPSec uses HMAC with
Message Digest 5 (MD5).
Hash Message Authentication Code (HMAC)
A special algorithm defined by RFC 2104 that can be used
in conjunction with many other algorithms, such as SHA1, within the IPSec Encapsulating Security Payload.
Telecommuting Vulnerabilities
Problems with traditional VPNs
Split tunneling – client can route traffic
simultaneously to the corporate intranet and the
Internet.
Sensitive information stored on remote user’s hard
drive.
Lack of logging when client is not connected
Telecommuting Vulnerabilities
Problems with Certificates
Compromised certificate can be used to gain access
to machines within the security perimeter.
SOHO (small office/home office)
Products specifically designed to meet the needs of
professionals who work at home or in small offices.
SOHO firewalls bypass the traditional perimeter
authentication that takes place before a remote user
is granted access to the internal network.
Provides back-door entry for intruders.
Telecommuting Vulnerabilities
Remote Session
Data never leaves the secure intranet perimeter.
Dangers lie in user copying data to their local drive
or printing to a local printer.
Remote Solutions
Citrix Metaframe Access Suite
Microsoft Terminal Server
Virtual Network Computing