Network Access Server


Remote Authentication Dial-In User Service (RADIUS)

RADIUS systems authenticate users on a client/server network
Used for dial-in, wireless, and Internet access
The server that hosts RADIUS is referred to as the Network Access Server (NAS)
The NAS stores user names and passwords and records user activity on the network
© Goodheart-Willcox Co., Inc.
Permission granted to reproduce for educational use only.
Rogue Wireless Access Points

Rogue access point: an unauthorized WAP that is installed on a network system.

Can compromise wireless network security
Can be prevented by using a wireless intrusion prevention system (WIPS) or setting up an 802.1x system

Authentication, Authorization, and Accounting (AAA)

Standard that is the most common model used for network access
The dominant client/server security models that support AAA are RADIUS, TACACS+, and Diameter
TACACS (Terminal Access Controller Access Control System) is an older authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.
Challenge Handshake Authentication Protocol (CHAP)

CHAP was designed to be used with PPP (Point-to-Point Protocol), a data link protocol used to establish a direct connection between two nodes.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an enhanced version of CHAP and can only be used on Microsoft operating systems
How CHAP Works
1. Client connects to a remote system using PPP
2. Server sends a challenge to the client
3. Server (authentication agent) sends a key to the client so it can encrypt its user name and password
4. Client responds with a key that represents its user name and password
5. Server accepts or rejects client user name and password based on a matching encryption key
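The challenge/response round described in the slide above, written out as an added example (not code from the slides or their publisher). It follows the RFC 1994 definition, where the response is an MD5 hash over the message identifier, the shared secret and the challenge, so the secret itself never crosses the link; the user names and secrets are constructed sample data.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): the CHAP exchange as specified in
# RFC 1994. The shared secret never crosses the link; each side hashes
# it together with a one-octet identifier and a fresh random challenge.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authentication agent holding per-user secrets (constructed sample data)."""

    def __init__(self, secrets: dict[str, bytes]) -> None:
        self._secrets = secrets
        self._pending: dict[int, bytes] = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        """Issue a new identifier and a random 16-byte challenge."""
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = os.urandom(16)   # fresh per attempt, so a captured response is useless later
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        """Recompute the hash with the stored secret; each challenge is consumed on use."""
        chal = self._pending.pop(ident, None)
        secret = self._secrets.get(username)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def run_exchange(server: ChapServer, username: str, client_secret: bytes) -> tuple[bool, int, bytes]:
    """One full challenge/response round; returns the verdict plus what went over the wire."""
    ident, chal = server.challenge()
    response = chap_response(ident, client_secret, chal)
    return server.verify(ident, username, response), ident, response


def replay_is_rejected(server: ChapServer, username: str, client_secret: bytes) -> bool:
    """Re-sending a previously valid response must fail: its challenge was already consumed."""
    ok, ident, response = run_exchange(server, username, client_secret)
    return ok and not server.verify(ident, username, response)
```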
Kerberos

Client and server authenticated to each other
Encryption key (encodes data) and decryption key (decrypts data) used for privacy
Extensible Authentication Protocol (EAP)

Used for network access and authentication in a client/server environment when IP is not available
Sends clear text messages
Originally developed to be used with PPP
Also used for 802.1x wireless connections and for access and authentication to network switches
Protected Extensible Authentication Protocol (PEAP)

Extension of EAP
Works by first establishing a secure connection using Transport Layer Security (TLS)
TLS provides encryption for the EAP connection and ensures data integrity
Lightweight Extensible Authentication Protocol (LEAP)

An improved EAP standard developed by Cisco Systems for its line of Wireless Access Points (WAPs)
LEAP periodically re-authenticates the wireless connection
This ensures the client is still the original authenticated client and the connection has not been hijacked
Security Implementations

Various measures include:




Installing latest software updates and patches
Setting up an account for daily administrative tasks
Changing the default administrator’s name
Educating system users in security practices
Software Patches

Should be applied:

Immediately after installing new software
As they become available
Contain fixes that close security holes and fix software bugs
Periodically, Microsoft releases a service pack for its software and operating systems
Administrator Account

User provides password for default administrator account
Default administrator account name should be changed to better secure network
Ability to delete or rename the administrator account varies according to operating system
User Account Passwords

To make passwords more secure administrators should:

Set defaults for password histories, age, and length
Educate users about poor and secure passwords
Poor Passwords

Poor passwords contain:

Words that are found in a dictionary
Names familiar to the password owner
Keyboard patterns
Social security numbers

Secure passwords are less vulnerable to hashing techniques
Hashing technique: a technique that relies on an algorithm or encryption device based on mathematical algorithms for guessing a password.
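The password rules from the two slides above (history, age, length, and the poor-password categories), turned into a checker as an added example that is not code from the slides or their publisher. The word list and keyboard rows are constructed, short stand-ins for the dictionaries a real policy engine would use, and the history store uses a plain SHA-256 digest where production code would use a slow, salted hash.

```python
import hashlib
import re
from datetime import date

# Added example (not from the slides): a checker for the password rules
# the slides list. The word list and keyboard rows are constructed, short
# stand-ins for the dictionaries a real policy engine would use.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SSN_PATTERN = re.compile(r"\d{3}-?\d{2}-?\d{4}")


def _keyboard_run(pw: str, length: int = 4) -> bool:
    """True if the password contains a run along a keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seq = row[i:i + length]
            if seq in low or seq[::-1] in low:
                return True
    return False

def history_entry(pw: str) -> str:
    """What the history stores for a retired password (use a slow, salted hash in production)."""
    return hashlib.sha256(pw.encode()).hexdigest()

def password_problems(pw: str, familiar_names: list[str], history: set[str], min_length: int = 12) -> list[str]:
    """Return every rule the candidate password breaks; an empty list means it is acceptable."""
    low = pw.lower()
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if any(word in low for word in DICTIONARY):
        problems.append("dictionary word")
    if any(name.lower() in low for name in familiar_names):
        problems.append("familiar name")
    if _keyboard_run(pw):
        problems.append("keyboard pattern")
    if SSN_PATTERN.search(pw):
        problems.append("SSN-like digits")
    if history_entry(pw) in history:   # password-history rule: no reuse of a retired password
        problems.append("reused")
    return problems

def password_expired(set_on: date, today: date, max_age_days: int = 90) -> bool:
    """Age rule: a password older than max_age_days must be changed."""
    return (today - set_on).days > max_age_days
```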
Windows Server 2008 Password Policies
Firewall

Can consist of hardware, software, or a combination
Servers, routers, and PCs may be used
Designed to filter inbound and outbound flow of network packets based on factors such as:

IP address
Port number
Software application
Packet contents
Protocol
Firewall Example
Windows Firewall with Advanced Security
Packet Filter

Stateless packet inspection
  Does not take into account packet sequence or missing packets
  Aligns with layer 3 of the OSI model

Stateful packet inspection
  Applies a filter based on packet sequence
  Detects missing packets
  Aligns with layers 3 and 4 of the OSI model
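The stateless/stateful distinction from the slide above, as an added example that is not code from the slides or their publisher. It runs one constructed packet trace through a stateless rule set that judges each packet by its own header fields and through a stateful filter that only admits inbound packets belonging to a flow opened from the inside; the addresses are constructed sample values, and the stateful part shows connection tracking only, not the sequence-number checks the slide also mentions.

```python
from dataclasses import dataclass

# Added example (not from the slides): a stateless filter judging each packet
# by its own layer-3/4 header fields versus a stateful filter that tracks
# connections, so a reply is admitted only if the matching outbound request
# was seen first. Addresses are constructed sample values.

WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    inbound: bool          # True when arriving from the outside network


def stateless_allow(pkt: Packet) -> bool:
    """Rule set: outbound web traffic, and anything inbound that claims to come from a web port."""
    if not pkt.inbound:
        return pkt.dport in WEB_PORTS
    return pkt.sport in WEB_PORTS      # weakness: the source port is chosen by the sender


class StatefulFilter:
    """Keeps a table of flows opened from the inside; inbound packets must match one."""

    def __init__(self) -> None:
        self._flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dport not in WEB_PORTS:
                return False
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is admitted only as the reverse of a known flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows


def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Run the same packet sequence through both filters: (stateless, stateful) verdicts."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]


# Constructed trace: a legitimate web session, then an unsolicited inbound
# packet whose source port happens to be 80 but that belongs to no open flow.
SAMPLE_TRACE = [
    Packet("10.0.0.5", "198.51.100.7", 40000, 80, inbound=False),
    Packet("198.51.100.7", "10.0.0.5", 80, 40000, inbound=True),
    Packet("203.0.113.9", "10.0.0.5", 80, 3389, inbound=True),
]
```

The last packet is the one that separates the two designs: the stateless rule admits it on the strength of its source port, while the stateful filter drops it because no inside host ever opened that flow.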
Application Gateway
Content Filter

Configured to block specific Web sites or packet contents that contain specific terms
Administrator can control the list of terms
Can also incorporate protection from malware
Circuit-Level Gateway

After connection is established, packets can flow freely between the two hosts
Packet sequence is encoded, making it difficult for intruders to access the stream of data
Demilitarized Zone (DMZ)

Can be created with a router or a server with three network adapters installed
When configured with a server:

One network adapter connects to the Internet
A second network adapter connects to the DMZ
The third network adapter connects to the private section of the network
Proxy Server

Can be configured to allow packets to flow into and out of the network if they meet certain conditions:

Specific IP addresses
Certain protocols
Server names or URLs

May cache frequently visited Web sites, making it faster to access those Web sites
Security Tools

Identify network security weaknesses
Probe network, searching for vulnerabilities
Some security tools used are:
  GFI LANguard
  Netstat utility
  Audit tools
  Self-hack tools
  Protocol analyzer
  Packet sniffer
GFI LANguard
In class lab
1. Apply for a trial version of a digital certificate from a CA such as Verisign. After obtaining the digital certificate, try it out with a classmate.
2. Labsim 8.34
3. Roberts Lab 74
NEXT CLASS
Labsim Homework 8.4.1-8.4.3