Remote Access
Remote Access Overview
Need to choose the best tool for the following:
• Dial-in users who connect via remote access servers.
• Internet users who connect via firewalls.
• Tunnel/VPN users who connect via routers.
• Remote users who connect via outsourced remote
access services from ISPs and other service
providers.
• Voice over IP (VoIP) users who connect over VoIP
gateways.
• Wireless LAN users.
Security+ Guide to Network Security 2
Fundamentals, 2e
Overview
• Process of connecting involves two elements:
– Temporary network connection via dial-up, Internet, Wireless
or any other method
– Series of protocols to negotiate privileges and commands
• Once connected, primary issue is identifying the user and
establishing proper privileges (AAA)
• The primary role of these protocols is network connectivity, in
which security plays a major role. Security is defined in terms of
the CIA triad
– Confidentiality
– Integrity
– Availability
Authentication
Authentication is the process of binding a specific ID to a specific
computer connection.
• What users know (passwords)
– Each user has a "good" password
– Users are forced to change passwords
• Policy choice: "safe" vs. popular
– One time passwords
• Token cards, OTP schemes
• What users have (tokens)
• What users are (biometrics)
• What users do (voice print)
Authorization
• Who is allowed to do what
– Time-of-day
– Requested service (Analog, ISDN, multilink, PPP,
SLIP, etc)
– Wireless access point
– Etc, etc.
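The authorization questions above (time of day, requested service, access point the request arrived on) as an added Python example that is not from the textbook: an ordered, first-match policy with default deny, including a time window that wraps past midnight. Group names, services, access point names and rule names are constructed.

```python
"""Added example (not from the textbook): first-match remote-access
authorization.  Each rule may constrain group, requested service, the
access point / NAS the request came through, and a time-of-day window.
Groups, services and names below are constructed sample values."""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    service: str        # requested service, e.g. "PPP", "SLIP", "ISDN", "WLAN"
    access_point: str   # NAS or wireless access point that received the request
    at: time            # local time of day of the request


def in_window(t: time, start: time, end: time) -> bool:
    """Inclusive start, exclusive end.  A window such as 20:00-07:00 wraps
    past midnight, which is the case naive comparisons get wrong."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass(frozen=True)
class Rule:
    name: str
    permit: bool
    group: Optional[str] = None                  # None means "any group"
    services: Optional[frozenset] = None         # None means "any service"
    access_points: Optional[frozenset] = None    # None means "any access point"
    window: Optional[Tuple[time, time]] = None   # None means "any time of day"

    def matches(self, r: Request) -> bool:
        if self.group is not None and self.group not in r.groups:
            return False
        if self.services is not None and r.service not in self.services:
            return False
        if self.access_points is not None and r.access_point not in self.access_points:
            return False
        if self.window is not None and not in_window(r.at, *self.window):
            return False
        return True


def authorize(rules, request: Request):
    """Return (permit, rule_name).  The first matching rule decides; a request
    that matches nothing is denied, so forgetting a rule fails closed."""
    for rule in rules:
        if rule.matches(request):
            return rule.permit, rule.name
    return False, "default-deny"


# Constructed policy: contractors may not dial in via PPP overnight, staff may
# connect at any time, guests only on the lobby access point over wireless.
POLICY = [
    Rule("contractors-no-ppp-at-night", permit=False, group="contractors",
         services=frozenset({"PPP"}), window=(time(20, 0), time(7, 0))),
    Rule("contractors-business-hours", permit=True, group="contractors",
         window=(time(7, 0), time(20, 0))),
    Rule("staff-any-time", permit=True, group="staff"),
    Rule("guest-wlan-lobby-only", permit=True, group="guests",
         services=frozenset({"WLAN"}), access_points=frozenset({"ap-lobby"})),
]


def decide(user, groups, service, access_point, hour, minute=0):
    """Convenience wrapper used by the checks below."""
    return authorize(POLICY, Request(user, frozenset(groups), service,
                                     access_point, time(hour, minute)))
```

The deny rule is listed before the permit rule on purpose: with first-match evaluation, order is part of the policy, so a reviewer reading the list top to bottom sees the exceptions before the general grants.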
User Accounting
• With dynamic addressing, accounting records help trace intruders
• For charging and usage accounting
– Commercial, non-profit and public service
• Storage of data
• Interface to billing/security system
Authentication Technologies
• Authenticating a transmission to ensure that it comes
from an approved sender can provide an increased
level of security for remote access users.
– IEEE 802.1x
– RADIUS
– TACACS+
IEEE 802.1x
• Based on a standard established by the Institute of
Electrical and Electronics Engineers (IEEE)
• Provides an implementation framework for 802-
based LANs (Ethernet, Token Ring, wireless LANs);
therefore implementation varies from vendor to
vendor
• Port-based authentication mechanism for wired and
wireless networks that can be used in conjunction
with upper-layer authentication tools
• Supports a wide variety of authentication methods and
fits well into existing authentication systems such as
RADIUS and LDAP; 802.1x itself does not encrypt traffic
IEEE 802.1x (continued)
• Network supporting the 802.1x protocol consists of three elements:
– Supplicant: client device, such as a desktop computer or personal
digital assistant (PDA), which requires secure network access
– Authenticator: serves as an intermediary device between supplicant
and authentication server
– Authentication server: receives request from supplicant through
authenticator
• Secure because supplicant never has direct communication with the
authentication server
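The three roles above as an added illustration that is not from the textbook: a toy Python model in which the authenticator keeps its port Unauthorized, relays only EAPOL frames to the backend server, and forwards ordinary traffic only after the server accepts. The message shapes, the credential table and the password comparison are simplified stand-ins for the real EAP method exchange and RADIUS attributes; they are assumptions of this example, not the standard's formats.

```python
"""Added example (not from the textbook): port-based access control with
the three 802.1X roles.  Message formats are simplified stand-ins for
EAPOL/EAP and RADIUS; credentials are constructed."""
from dataclasses import dataclass, field

# Constructed credential store held by the authentication server.
SERVER_CREDENTIALS = {"alice": "correct horse", "bob": "hunter2"}


@dataclass
class AuthenticationServer:
    """Backend (RADIUS in practice).  It only ever sees what the
    authenticator relays; it has no link to the supplicant."""
    credentials: dict

    def handle(self, identity: str, response: str) -> str:
        ok = self.credentials.get(identity) == response
        return "Access-Accept" if ok else "Access-Reject"


@dataclass
class Authenticator:
    """A switch port or access point.  While the port is Unauthorized only
    EAPOL frames are processed; everything else is dropped."""
    server: AuthenticationServer
    port_state: str = "Unauthorized"
    log: list = field(default_factory=list)

    def receive(self, frame: dict) -> str:
        if frame["type"] == "EAPOL":
            # Relay the EAP payload to the server (Access-Request) and map the
            # server's verdict back to an EAP result for the supplicant.
            verdict = self.server.handle(frame["identity"], frame["response"])
            self.port_state = "Authorized" if verdict == "Access-Accept" else "Unauthorized"
            self.log.append(f"EAP {frame['identity']}: {verdict}")
            return "EAP-Success" if verdict == "Access-Accept" else "EAP-Failure"
        if self.port_state != "Authorized":
            self.log.append(f"dropped {frame['type']} frame on unauthorized port")
            return "DROPPED"
        return "FORWARDED"


@dataclass
class Supplicant:
    identity: str
    secret: str

    def eapol_frame(self) -> dict:
        return {"type": "EAPOL", "identity": self.identity, "response": self.secret}

    def data_frame(self) -> dict:
        return {"type": "DATA", "payload": "GET / HTTP/1.0"}


def connect(supplicant: Supplicant, authenticator: Authenticator) -> list:
    """Data before authentication, the EAP exchange, then data afterwards."""
    return [
        authenticator.receive(supplicant.data_frame()),
        authenticator.receive(supplicant.eapol_frame()),
        authenticator.receive(supplicant.data_frame()),
    ]


def fresh_authenticator() -> Authenticator:
    return Authenticator(AuthenticationServer(SERVER_CREDENTIALS))
```

The point the slide makes, that the supplicant never talks to the server directly, is visible in the object graph: `Supplicant` holds no reference to `AuthenticationServer`, and the only path between them is `Authenticator.receive`.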
IEEE 802.1x (continued)
• Common ways of implementing 802.1x:
– EAP-Transport Layer Security (EAP-TLS) – requires use of
certificates to validate a supplicant. Supported by Microsoft.
– Lightweight EAP (LEAP) – Cisco proprietary; provides
authentication based on the Windows user ID and password.
Certificates aren't required, which simplifies wireless deployment
– EAP-Tunneled TLS (EAP-TTLS) – authentication using
tokens
– Protected EAP (PEAP) – uses certificates similar to SSL
– Flexible Authentication via Secure Tunneling (FAST) – sets
up a tunnel without checking digital certificates, but can be
compromised by dictionary attacks.
Remote Authentication Dial-In User
Service (RADIUS) vs TACACS+
[Diagram: the two remote-access setups side by side. On the left, a PC user on a Remote Network dials in over a PPP connection through a digital modem to a NAS that acts as RADIUS client; the NAS talks over an encrypted channel to a RADIUS server on the Campus net. On the right, the same path with the NAS acting as TACACS+ client and a TACACS+ server on the Campus net. In both cases authorized data transfers follow a successful exchange.]
• RADIUS exchange shown in the diagram:
– The user sends a CHAP RESPONSE over the PPP connection
– The RADIUS client (NAS) sends the username and encrypted password to the RADIUS server
– The RADIUS server responds with accept, reject, or challenge
– The RADIUS client acts upon the authentication, authorization, and accounting rules
• TACACS+ exchange shown in the diagram:
– The user sends a CHAP RESPONSE; the TACACS+ client sends a START request
– The TACACS+ server replies with either 1) complete authentication or 2) a request for more input, in which case the client sends CONTINUE and the loop repeats until complete
– TACACS+ client and server exchange authorization requests
– The TACACS+ client acts upon AAA rules to permit access
RADIUS vs TACACS+
• RADIUS
– IETF standard
– Multi-vendor
– Based on UDP
– Encrypts only the challenge responses
– Many implementations
– Open for future extensions
– Billing interfaces
– AAA support
• TACACS+
– Proprietary
– Based on TCP
– Encrypts all data
– Separated AAA
– More complex
– TACACS+ server encrypts the entire message from
client to server, whereas RADIUS only encrypts the
password
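The last point of the comparison (what each protocol actually protects on the wire) as an added Python example that is not from the textbook: the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5, both built from MD5 and XOR with a shared secret. The shared secrets, Request Authenticator, session id, user name and TACACS+ body bytes are constructed sample values.

```python
"""Added example (not from the textbook): RADIUS hides only the
User-Password attribute, TACACS+ XORs the whole packet body with an MD5
keystream.  Secrets and identifiers below are constructed."""
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2.  The password is null-padded to a multiple of
    16 octets; block i is XORed with MD5(secret + previous ciphertext block),
    the 16-octet Request Authenticator standing in as 'block 0'."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password:
        raise ValueError("empty password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; strips the null padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request_attributes(user: bytes, password: bytes, secret: bytes,
                                     request_authenticator: bytes) -> dict:
    """Attributes of an Access-Request keyed by type: only User-Password (2)
    is transformed; User-Name (1) and everything else travel in the clear."""
    return {1: user, 2: radius_hide_password(password, secret, request_authenticator)}


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 section 4.5 body obfuscation (symmetric: apply twice to undo).

    pseudo_pad = MD5_1 | MD5_2 | ...   truncated to len(body), where
      MD5_1 = MD5(session_id | key | version | seq_no)
      MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1})
    The whole body, not just a password field, is XORed with the pad."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return _xor(body, pad[:len(body)])
```

Both schemes are keystreams derived from a shared secret with MD5, so the strength of either rests entirely on that secret and on never reusing the Request Authenticator or session id; neither is authenticated encryption, which is why current deployments put RADIUS inside TLS or IPsec rather than relying on these transforms alone.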
Secure Transmission Protocols
• Tunneling: technique of encapsulating one packet of data within
another type to create a secure link of transportation.
• Originally used to allow networks based on different protocols to
communicate (Apple and TCP/IP)
• Now used for security
Tunneling Protocols
• PPTP – Based on PPP which is used for serial communications
– Multiprotocol Support
– Generic Routing Encapsulation (PPP Over IP)
– Microsoft Point to Point Encryption (MPPE)
– Software on client machine
• L2TP – PPTP + L2F
– Multiprotocol - Requires Router Support
– Sufficient for Provider Networks
– Represents a merging of features of PPTP with Cisco’s
Layer 2 Forwarding Protocol (L2F), which itself was originally
designed to address some of the weaknesses of PPTP
– Supports more advanced encryption methods
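Tunneling as described on the Secure Transmission Protocols slide, and the Generic Routing Encapsulation that PPTP uses to carry PPP over IP, as an added Python example that is not from the textbook: an inner IPv4 datagram is wrapped in a plain GRE header (RFC 2784) and an outer IPv4 header with protocol number 47, then unwrapped and checked. Addresses and payload are constructed; PPTP's enhanced GRE (RFC 2637) adds key and sequence fields that this plain header omits.

```python
"""Added example (not from the textbook): a packet inside a packet.
Outer IPv4 (protocol 47) | GRE (RFC 2784) | inner IPv4 datagram.
Addresses and payload are constructed sample values."""
import socket
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (0 when it verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap a complete inner IPv4 packet for transport between tunnel endpoints."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C bit, version 0, payload = IPv4
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Validate outer and GRE headers, return the inner packet untouched."""
    fields = struct.unpack("!BBHHHBBH4s4s", outer_packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    total_len = fields[2]
    if ipv4_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if fields[6] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags & 0x0007:                       # low three bits: GRE version
        raise ValueError("unsupported GRE version")
    gre_len = 4 + (4 if flags & 0x8000 else 0)   # C bit adds checksum + reserved1
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    return outer_packet[ihl + gre_len:total_len]


# Constructed sample: a datagram between two private LANs carried across the
# public path between the two tunnel endpoints.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 5) + b"hello"
TUNNELED = gre_encapsulate(INNER, "198.51.100.1", "203.0.113.1")
```

Note what plain GRE does not do: the inner packet is carried byte for byte, readable by anyone on the path, and nothing proves who sent it. That is why PPTP layers MPPE on top, and why the deck treats IPSec, not bare tunneling, as the secure transport.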
Point-to-Point Tunneling
Protocol (PPTP)
• Most widely deployed tunneling protocol
• Client connects to a network access server (NAS) to initiate connection
• Extension to PPTP is Link Control Protocol (LCP), which establishes,
configures, and tests the connection
Secure Shell (SSH)
• One of the primary goals of the ARPANET (which
became today’s Internet) was remote access
• SSH is a UNIX-based command interface and
protocol for securely accessing a remote computer
• Suite of three utilities—slogin, ssh, and scp
• Can protect against:
– IP spoofing
– DNS spoofing
– Intercepting information
IP Security (IPSec)
• Different security tools
function at different layers of
the Open Systems
Interconnection (OSI) model
• Secure/Multipurpose Internet
Mail Extensions (S/MIME)
and Pretty Good Privacy
(PGP) operate at the
Application layer
• Kerberos functions at the
Session layer
IP Security (IPSec) (continued)
• IPSec is a set of protocols developed to support the secure
exchange of packets
• Considered to be a transparent security protocol to applications,
users, and software
• Provides three areas of protection that correspond to three
IPSec protocols:
– Authentication
– Confidentiality
– Key management
Virtual Private Networks (VPNs)
• Takes advantage of using the public Internet as if it were a private
network
• Allow the public Internet to be used privately
• In terms of hardware, a VPN has two endpoints, or terminators, that
perform encryption, authentication and encapsulation. VPN
transmissions are achieved through communication between the endpoints
– An endpoint can be software on a local computer, a dedicated
hardware device such as a VPN concentrator, or even a firewall
VPN – Design Considerations
• Host to Host
– Complex to Administer
– Scaling Issues
• Gateway to Gateway
– Site-to-site VPN: multiple
sites can connect to other
sites over the Internet
– Easy to Implement
• Host to Gateway
– Telecommuters
– Remote Users
Advantages and Disadvantages
[Diagram: site-to-site VPN. An iMac on each LAN sits behind a router with IPSec; each router connects through its ISP to a Network Access Point, and an IPSec TUNNEL runs between the two routers across the Internet.]
• Advantages – less expensive than leased lines; scalable
and flexible, all traffic is encrypted, control of configuration
• Disadvantages – can be expensive; uses the unregulated and
often unreliable Internet; complex; compatibility issues
VPN Protocols and Uses
• IPSec – should be used when other protocols are not
acceptable
• PPTP – when a dial-up user has an old system that
doesn't support L2TP and uses PPP
• L2TP – when a dial-up user needs to establish a VPN
• PPP over SSL – when a UNIX user needs to create a VPN
connection "on the fly"
• PPP over SSH – when a UNIX user needs to create a VPN "on
the fly" over SSH and both parties know the
secret key in advance
Protecting Directory Services
• A directory service is a database stored on the network itself and
contains all information about users and network devices
• A directory service contains information such as the user’s name,
telephone extension, e-mail address, and logon name
• To enable interoperability, the X.500 standard was created as a
standard for directory services.
• The primary method for accessing an X.500 directory is the
Directory Access Protocol (DAP), which is difficult to implement on PCs.
• LDAP contains most commonly used functions and can interface with
X.500 services.
– includes TCP/IP support and simplified client design
• LDAP is not a database of resources itself, but simply a protocol, or
rules, for accessing directory information in a database.
LDAP Security Benefits
• Authentication
– Ensures users’ identities
– Three levels
• No authentication
• Simple authentication
• Simple Authentication and Security Layer (SASL), a method for
adding authentication support to connection-based protocols
• Authorization
– Determines network resources the user may access
– Determined by access control lists (ACLs)
• Encryption
– Utilizes other protocols through SASL, which uses SSL
or TLS
LDAP Security Vulnerabilities
• LDAP’s centralized nature provides a single target for
hackers to concentrate on to gain entry
• Denial of service
• Man in the middle
• Attacks against data confidentiality – apply patches
and updates regularly
Securing Digital Cellular Telephony
• The early use of wireless cellular technology is
known as First Generation (1G)
• 1G is characterized by analog radio frequency (RF)
signals transmitting at a top speed of 96 Kbps
• 1G networks use circuit-switching technology
• Digital cellular technology, which started in the early
1990s, uses digital instead of analog transmissions
• Digital cellular uses packet switching instead of
circuit-switching technology
Wireless Application Protocol (WAP)
• Provides standard way to transmit, format, and display Internet
data for devices such as cell phones
• A WAP cell phone runs a microbrowser that uses Wireless
Markup Language (WML) instead of HTML
– WML is designed to display text-based Web content on the
small screen of a cell phone
– Because the Internet standard is HTML, a WAP Gateway (or
WAP Proxy) must translate between WML and HTML
Hardening Wireless Local Area
Networks (WLAN)
• By 2007, >98% of all notebooks will be wireless-
enabled
• Serious security vulnerabilities have also been
created by wireless data technology:
– Unauthorized users can access the wireless signal
from outside a building and connect to the network
– Attackers can capture and view transmitted data
– Employees in the office can install personal wireless
equipment and defeat perimeter security measures
– Attackers can crack wireless security with readily available "kiddie scripts"
Basic WLAN Security
• Two areas:
– Basic WLAN security
– Enterprise WLAN security
• Basic WLAN security uses two new wireless tools
and one tool from the wired world:
– Service Set Identifier (SSID) beaconing
– MAC address filtering
– Wired Equivalent Privacy (WEP)
Untrusted Network
• The basic WLAN security of SSID beaconing, MAC address
filtering, and WEP encryption is not secure enough for an
organization to use
• One approach to securing a WLAN is to treat it as an untrusted
and insecure network
• Requires that the WLAN be placed outside the secure perimeter
of the trusted network
Trusted Network
• It is still possible to provide security for a WLAN and
treat it as a trusted network
• Wi-Fi Protected Access (WPA) was crafted by the
WECA in 2002 as an interim solution until a
permanent wireless security standard could be
implemented
• WPA encryption addresses the weaknesses of WEP
by using the Temporal Key Integrity Protocol (TKIP).
TKIP mixes keys on a per-packet basis to improve
security.
Trusted Network (continued)
• Although WPA provides enhanced security, the IEEE 802.11i
solution is even more secure
• The IEEE 802.11i protocol is the update to 802.11 security that
includes all of the interim measures found in WPA (Wi-Fi
Protected Access), and also adds a longer, strong encryption
key using AES and fast handoff through quick reauthentication
among access points
• 802.1X used with WEP gives per-user, per-session WEP keys
which solves the biggest issue of everyone having the same
key. It also authenticates. The heavy lifting is done on the
supplicant.
• WPA and 802.11i build on 802.1X authentication.
Summary
• Authentication technologies
– IEEE 802.1x
– RADIUS
– TACACS+
• Secure transmission protocols
– SSH
– L2TP
– PPTP
– IPSec
– VPN
• Directory Services
• Wireless
Secure Remote Access
• Windows NT includes User Manager to allow dial-in
access, while Windows 2003 uses Computer
Management for Workgroup access and Active
Directory for configuring access to the domain
• Windows 2003 Remote Access Policies can lock
down a remote access system to ensure that only
those intended to have access are actually granted it