Transcript chap09
Guide to Operating System Security
Chapter 9
Web, Remote Access, and VPN Security
Objectives
Understand Internet security using protocols and services
Configure Web browsers for security
Configure remote access services for security
Configure virtual private network services for security
Guide to Operating System Security
2
Internet Security
Protocols and services must be kept secure
To ensure privacy of information
To discourage the spread of malicious software
Internet Protocols and Services
Hypertext Transfer Protocol (HTTP)
Secure HTTP (S-HTTP) and Hypertext Transfer Protocol Secure (HTTPS)
File Transfer Protocol (FTP)
Network File System (NFS)
Samba and Server Message Block (SMB)
HTTP
TCP/IP-compatible application protocol that transports information over the Web
Most recent version: HTTP/1.1
Increases reliability of communications
Enables caching
Can send message responses before full control information from a request is received
Permits multiple communications over a single connection
S-HTTP and HTTPS
Forms of HTTP used for more secure communications
S-HTTP
Standards-based protocol that enables use of a variety of security measures (including CMS and MOSS)
HTTPS
Essentially proprietary, but more compatible with encryption for IP-level communications
Uses SSL as a subprotocol
File Transfer Protocol (FTP)
TCP/IP protocol that transfers files in bulk data streams
Uses two TCP ports (20 and 21)
Supports transmission of binary or ASCII formatted files
Commonly used on the Internet
Downloading files can be risky
File Transfer Protocol (FTP)
Network File System (NFS)
Designed for UNIX/Linux systems for file sharing
Connection-oriented protocol that runs within TCP
Uses remote procedure calls via TCP port 111
Sends data in record streams
For security, let only authorized computers use NFS on host computer
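The last bullet is the one that matters operationally: on a UNIX/Linux NFS server the list of authorized computers lives in /etc/exports. The following script, added here as an example and not taken from the textbook, parses that file and flags the two clauses a reviewer should not let through: an export with no client restriction (or a `*` wildcard client), and a client granted `no_root_squash`, which lets a remote root act as local root on the share. The file content, paths and subnets in it are constructed for this example.

```python
"""Audit an /etc/exports file for NFS shares exposed to unauthorized hosts.

Added example (not textbook code). The sample file content below is
constructed; the exports syntax it parses is the standard
'/path client(options) client(options)' form.
"""
import re
from typing import List, Tuple

# Constructed sample /etc/exports content (hypothetical paths and subnets).
SAMPLE_EXPORTS = """\
# exports file (constructed sample)
/srv/projects   192.0.2.0/24(rw,sync,root_squash)
/srv/public     *(ro,sync)
/srv/backup     192.0.2.10(rw,sync,no_root_squash)
/srv/misc
/srv/home       workstation1.example.test(rw,sync) 192.0.2.11(ro)
"""

# One client clause: optional host, optional "(opt,opt)" suffix.
CLIENT_RE = re.compile(r'([^\s(]*)(?:\(([^)]*)\))?')


def parse_exports(text: str) -> List[Tuple[str, List[Tuple[str, List[str]]]]]:
    """Return [(path, [(client, [options...]), ...]), ...], one entry per export line."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for spec in parts[1:]:
            m = CLIENT_RE.fullmatch(spec)
            if not m:
                continue
            host = m.group(1) or "*"          # a bare "(ro)" clause applies to every host
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            clients.append((host, opts))
        result.append((path, clients))
    return result


def audit_exports(text: str) -> List[str]:
    """Return one human-readable finding per risky export clause."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            # No client list at all: any host that can reach port 111/2049 may mount it.
            findings.append(f"{path}: exported with no client list (any host may mount)")
        for host, opts in clients:
            if host == "*" or host.startswith("*."):
                findings.append(f"{path}: wildcard client '{host}'")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash granted to {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run against the sample, the audit reports the world-readable /srv/public export, the missing client list on /srv/misc and the no_root_squash grant on /srv/backup, while the subnet- and host-restricted exports pass. Pointing it at a real server's /etc/exports (for example via `cat /etc/exports | python3 audit.py` after replacing `SAMPLE_EXPORTS` with `sys.stdin.read()`) turns the slide's advice into a repeatable check.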
Samba and Server Message Block
Samba
Available for UNIX and Linux computers
Enables exchange of files and printer sharing with Windows-based computers through SMB protocol
Server Message Block
Used by Windows-based systems
Enables sharing files and printers
Employed by Samba
Using Samba
Configuring Web Browsers for Security
Applying security measures to popular Web browsers
Internet Explorer
Mozilla
Netscape Navigator
Configuring Internet Explorer Security
Used with Windows and Mac OS X
Configure version of HTTP, use of HTTPS, FTP, and download access
Configure security by zones
Internet
Local intranet
Trusted sites
Restricted sites
Internet Explorer Security Settings
Configuring Internet Explorer Security
Internet Explorer Enhanced Security Configuration (Windows Server 2003)
Applies default security to protect server
Uses security zones and security parameters preconfigured for each zone
Installing IE Enhanced Security Configuration
Configuring Mozilla Security
Open-source Web browser
Can run on
Linux (by default with GNOME desktop)
UNIX
Mac OS X
OS/2
Windows-based systems
Security configuration is combined with privacy configuration options
Mozilla Security Categories
Privacy & Security Option in Mozilla
Configuring Netscape Navigator Security
Nearly identical to Mozilla; GUI offers:
A buddy list
Link to Netscape channels
Different sidebar presentation
Netscape Navigator in Windows 2000 Server
Privacy &amp; Security Options in Netscape
Configuring Remote Access Services for Security
Remote access
Ability to access a workstation or server through a remote connection (e.g., dial-up telephone line and modem)
Commonly used by telecommuters
Microsoft Remote Access Services
Enables off-site workstations to access a server through telecommunications lines, the Internet, or intranets
Microsoft RAS
Microsoft RAS – Supported Clients
MS-DOS
Windows 3.1 and 3.11
Windows NT/95/98
Windows Millennium
Windows 2000
Windows Server 2003 and XP Professional
Microsoft RAS
Supports different types of modems and communications equipment
Compatible with many network transport and remote communications protocols
Microsoft RAS – Supported Connections
Asynchronous modems
Synchronous modems
Null modem communications
Regular dial-up telephone lines
Leased telecommunication lines (e.g., T-carrier)
Microsoft RAS – Supported Connections (Continued)
ISDN lines (and “digital modems”)
X.25 lines
DSL lines
Cable modem lines
Frame relay lines
Microsoft RAS – Supported Protocols
NetBEUI
TCP/IP
NWLink
PPP
PPTP
L2TP
Understanding Remote Access Protocols
Transport protocols
TCP/IP
IPX
NetBEUI
Remote access protocols
Serial Line Internet Protocol (SLIP)
• CSLIP
Point-to-Point Protocol (PPP)
• PPTP
• L2TP
Configuring a RAS Policy
Employ callback security options (No Callback, Set by Caller, Always Callback to)
Install Internet Authentication Service (IAS)
Can be employed with Remote Authentication Dial-In User Service (RADIUS) and RADIUS server
Add participating RAS and VPN servers
Remote Access Policies Objects in the IAS Tree
Granting Remote Access Permission to RAS
Enabling Access for a User’s Account via Remote Access Policy
Configuring a RAS Policy
Use Remote Access Policies to configure security types
Authentication
Encryption
Dial-in constraints
RAS Authentication Types
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)
MS-CHAP v1 (aka CHAP with Microsoft extensions)
MS-CHAP v2 (aka CHAP with Microsoft extensions version 2)
RAS Authentication Types (Continued)
Password Authentication Protocol (PAP)
Shiva Password Authentication Protocol (SPAP)
Unauthenticated
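Two of the authentication types on these slides, PAP and CHAP, differ in exactly what crosses the dial-up link, and that difference is why a remote access policy should prefer the challenge/response methods. The script below, added as an example and not textbook or Microsoft code, models one CHAP exchange per RFC 1994 (Response = MD5(Identifier || Secret || Challenge)) and a PAP Authenticate-Request per RFC 1334, then shows that a recorded CHAP response is useless against the server's next challenge while the PAP request carries the password itself. The peer name, shared secret and challenge bytes are constructed; the MS-CHAP variants, which hash an NT password hash instead of the plaintext secret, are not modelled.

```python
"""CHAP (RFC 1994) challenge/response next to PAP (RFC 1334).

Added example (not textbook code). PEER_SECRETS, the peer name and the
challenge bytes are constructed for this demonstration.
"""
import hashlib
import hmac
import os
from typing import Tuple

# Constructed shared secrets known to both the RAS server and each dial-in peer.
PEER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || Secret || Challenge).

    Identifier is the one-octet CHAP packet identifier, so only its low byte is hashed.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_challenge(length: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for every authentication attempt."""
    return os.urandom(length)


def server_verify(peer: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest for this peer and compare in constant time."""
    secret = PEER_SECRETS.get(peer)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer: str, secret: bytes, identifier: int = 1) -> Tuple[bool, bool]:
    """Run one CHAP exchange and then replay the captured response against a new challenge.

    Returns (first_attempt_ok, replay_ok). The replay models an eavesdropper who
    recorded the Response packet; because the server issues a new challenge (and
    identifier), the recorded digest no longer matches.
    """
    challenge = server_challenge()
    response = chap_response(identifier, secret, challenge)       # computed by the peer
    first_ok = server_verify(peer, identifier, challenge, response)

    next_challenge = server_challenge()
    replay_ok = server_verify(peer, identifier + 1, next_challenge, response)
    return first_ok, replay_ok


def pap_authenticate_request(peer: str, password: bytes) -> bytes:
    """PAP (RFC 1334): the Authenticate-Request data is
    Peer-ID-Length, Peer-ID, Passwd-Length, Password, all in clear text.

    Returned bytes are what crosses the link; the password is visible inside them.
    """
    peer_id = peer.encode()
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


if __name__ == "__main__":
    ok, replayed = chap_exchange("alice", PEER_SECRETS["alice"])
    print(f"CHAP: first attempt ok={ok}, replay of captured response ok={replayed}")
    wire = pap_authenticate_request("alice", PEER_SECRETS["alice"])
    print(f"PAP: secret visible on the wire: {PEER_SECRETS['alice'] in wire}")
```

Running it prints a successful first CHAP exchange, a failed replay, and a PAP request in which the secret is present byte for byte. The same two properties are what a dial-in constraint or IAS policy encodes when it requires CHAP-family or EAP authentication and rejects PAP, SPAP and unauthenticated connections.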
RAS Encryption Options
RAS Dial-in Constraints Options
Idle and session timeouts
Day and time restrictions
Whether access is restricted to a single number
Whether access is restricted based on media used
Security on a Virtual Private Network
VPN
An intranet designed for restricted access by specific clients based on subnets, IP addresses, user accounts, or a combination
Apply same remote access policies as to RAS servers
Summary
Protocols and services that enable Internet security
Configuring Web browsers for security
Internet Explorer
Mozilla
Netscape Navigator
How to configure a server’s remote access services to enforce security
Applying security options to a VPN