IS 3423 – Secure Network Design
Technologies to Real
VPN – Virtual Private Network
• Used to secure end-to-end private network
connections over a public network infrastructure
• Data is tunneled, but it appears as if information is
sent over a dedicated private line
• More secure than traditional Internet transport
• Inexpensive substitute for leased lines
• Basic premise – secure transfer of data across a public network
• Security of the tunnel requires that its endpoints are authentic (must
have an accurate authentication scheme)
• Must ensure that data has not been modified in transit (integrity); in
practice this also means rejecting replayed packets
• Must be able to manage both the establishment and operation of
• Must be able to restrict unauthorized access to your network
• Must be able to prevent viewing or copying of data as it traverses
the network (confidentiality)
Why Invest in a VPN?
• Cost saving of Internet VPN as compared to
traditional private network of leased lines
Types of VPNs
• Remote access for the mobile workforce
(telecommuters, travelers, etc.)
• Intranet connectivity or site-to-site (link remote
offices, customers, etc.)
• Extranet connectivity or B2B (allow access to
users outside the enterprise)
• Enables simultaneous access from multiple remote users
• Refer to Figures 3-1, 3-2, 3-3
Figure 3.1 Corporate VPN – a telecommuter (DSL, cable modem or ISDN) and a remote
office each reach the corporate network (UTSA in the figure) through an access VPN;
every site sits behind a router with a firewall, and an extranet VPN links a business partner
Figure 3-2. Site-to-Site VPN – a single secure VPN tunnel between two VPN tunnel
end-points carries the traffic of Hosts 1, 2 and 3 behind them
Figure 3-3. Client-to-Site VPN – Mobile User 1 and Mobile User 2 each run their own
tunnel (VPN Tunnel 1, VPN Tunnel 2) to the corporate VPN tunnel end-point
Security Policies for VPNs
• Access privileges vary among the different types of VPN
• Authentication generally more stringent on VPN for
intranet than VPN for extranet
• Security – encryption, key management, tunneling, traffic
separation, packet authentication, user authentication,
and access control
• Manageability – network monitoring (central control is
• Interoperability – standardized protocols such as IPsec,
but different vendors may have different methods of
• Multi-protocol Support
Tunneling Protocols – Table 3
• IPsec – provides integrity, confidentiality (ESP) and device (not user)
authentication; carries IP traffic only
• PPTP – Point-to-Point Tunneling Protocol – provides device
and user authentication, no integrity protection (older protocol; its
MS-CHAP authentication and RC4-based encryption have known breaks, so
it should not be chosen for new deployments)
• L2TP – Layer 2 Tunneling Protocol – device and user
authentication and multi-protocol support, but does not
provide message integrity or data confidentiality
• L2TP/IPsec – best of both worlds – strong integrity,
privacy, interoperability, multi-protocol support, etc.
Authentication
• User – typically prompts for a user name and password
• Device – authenticates the device, but not the user of the
device (a stolen laptop with a valid device credential is still let in)
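The integrity and packet-authentication requirements of a tunnel (the "data has not been modified in transit" requirement above, and the "packet authentication" item in the VPN security features) are easiest to see in code. The following is an added example, not code from the course or from any VPN product: a simplified ESP-style packet carrying an HMAC integrity check value (ICV), checked by a receiver that keeps an IPsec-style sliding anti-replay window. The key, SPI and traffic are constructed; the 128-bit truncated HMAC-SHA-256 ICV and 64-packet window are assumptions chosen to match common IPsec settings, and encryption is omitted to keep the focus on integrity and replay.

```python
import hmac
import hashlib
import struct

# Simplified model of an ESP-style authenticated tunnel packet (added example):
#   SPI (4 bytes) | sequence number (4 bytes) | payload | ICV
# Encryption is left out; this shows packet authentication and anti-replay only.
ICV_LEN = 16       # assumption: HMAC-SHA-256 truncated to 128 bits, as RFC 4868 does
WINDOW_SIZE = 64   # assumption: anti-replay window in packets (RFC 4303 requires >= 32)


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: tag SPI, sequence number and payload with an HMAC ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class ReplayWindow:
    """Sliding bitmap of accepted sequence numbers (RFC 4303 section 3.4.3 style).

    Bit i of `bitmap` set means "sequence number top - i has been accepted".
    """

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Preliminary test only; the window is NOT modified here."""
        if seq == 0:
            return False                       # ESP never uses sequence number 0
        if seq > self.top:
            return True                        # newer than anything seen
        diff = self.top - seq
        if diff >= self.size:
            return False                       # too old: fell off the left of the window
        return not (self.bitmap >> diff) & 1   # False if already accepted

    def update(self, seq: int) -> None:
        """Record `seq`; call only after the packet's ICV has verified."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(key: bytes, spi: int, window: ReplayWindow, packet: bytes):
    """Receiver side. Returns (True, payload) or (False, reason).

    Order matters: a replay is dropped before the MAC computation, but the
    window is advanced only after the ICV verifies, so forged packets cannot
    push legitimate ones out of the window or consume sequence numbers.
    """
    if len(packet) < 8 + ICV_LEN:
        return False, "truncated"
    pkt_spi, seq = struct.unpack("!II", packet[:8])
    if pkt_spi != spi:
        return False, "unknown SPI"
    if not window.check(seq):
        return False, "replay"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return False, "bad ICV"
    window.update(seq)
    return True, packet[8:-ICV_LEN]


def demo() -> list:
    """Constructed traffic: in-order, replayed, tampered, out-of-order and stale packets."""
    key, spi = b"\x11" * 32, 0x1000    # constructed shared key and SPI, not from a real SA
    win = ReplayWindow()

    def tag(result):
        return "ok" if result[0] else result[1]

    p1 = build_packet(key, spi, 1, b"hello")
    p2 = build_packet(key, spi, 2, b"world")
    p3 = build_packet(key, spi, 3, b"again")
    forged = p3[:8] + b"AGAIN" + p3[13:]          # payload changed, ICV left as-is
    return [
        tag(receive(key, spi, win, p1)),                                    # ok
        tag(receive(key, spi, win, p2)),                                    # ok
        tag(receive(key, spi, win, p2)),                                    # replay
        tag(receive(key, spi, win, forged)),                                # bad ICV
        tag(receive(key, spi, win, p3)),                                    # ok: forgery did not consume seq 3
        tag(receive(key, spi, win, build_packet(key, spi, 6, b"x"))),       # ok: window top jumps to 6
        tag(receive(key, spi, win, build_packet(key, spi, 5, b"y"))),       # ok: late but inside the window
        tag(receive(key, spi, win, build_packet(key, spi, 500, b"z"))),     # ok: window slides far right
        tag(receive(key, spi, win, build_packet(key, spi, 4, b"w"))),       # replay: now left of the window
    ]
```

The forged packet is the point of the ordering in `receive`: because the window is updated only after the ICV verifies, an attacker who injects packets with high sequence numbers cannot advance the window and cause the receiver to drop the sender's genuine packets as "too old".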
How to Select a VPN
• Review your security policies
• Compare vendor responses based on security policies
– Do you need remote access?
– Who are you connecting with? How secure does this system
need to be?
– How secure are data streams?
– What bandwidth is required?
– What about latency?
– How will this integrate with existing or planned systems?
• Provide mobility to network users
• Available virtually anywhere
Primary Types of Wireless
• 802.11 – IEEE wireless LAN standard family
– 802.11b (Wi-Fi) – up to 11 Mbps at 2.4 GHz (most widely deployed)
– 802.11a – up to 54 Mbps in the 5 GHz band
– 802.11g – up to 54 Mbps at 2.4 GHz, backward
compatible with 802.11b (not with 802.11a, which uses a different band)
• Bluetooth – personal area network (PAN) – low
power, short-range wireless connectivity (typically
around 10 meters for common Class 2 devices; the original
specification delivers well under 1 Mbps of throughput)
Wireless LAN Components
• Access point – associates and authenticates
wireless clients to the network
• NIC – enables a PC or workstation to connect to
the wireless network
• Bridge – may be used to connect multiple WLANs
• Antenna – radiates or receives modulated signal
• Amplifier – increases strength of transmissions
Peer-to-Peer (Ad Hoc) WLAN
• Wireless clients with compatible NICs
can communicate without an AP (access
point) (Fig. 3-8)
• Coverage area is limited
• No access to wired resources.
Figure 3.8 Peer-to-Peer WLAN
Infrastructure Mode WLAN
• All wireless clients connect through an
AP (fig. 3-9)
• Can extend use of wired network
• If have multiple APs, clients can roam if
the AP coverage overlaps (fig. 3-10)
Figure 3.9 Infrastructure Mode WLAN – wireless clients associate through a corporate access point
Figure 3.10 WLAN Roaming
802.11 Media Access Control
• CSMA/CA – carrier sense multiple
access with collision avoidance
802.11 Spread Spectrum
• DSSS – direct sequence spread spectrum – best
suited for high-speed client/server applications
where radio interference is minimal (fig. 3-11)
• FHSS – frequency hopping spread spectrum –
minimal interference, but a maximum speed of 2 Mbps (fig. 3-12)
• OFDM – orthogonal frequency division
multiplexing – (802.11a, also used by 802.11g) the available
bandwidth is divided into multiple overlapping but orthogonal
sub-carriers, without guard bands between them (fig. 3-13)
Figure 3.11 Direct Sequencing – the 2.4 GHz band (2400 to 2483 MHz) divided into channels 1 through 11
Figure 3.12 Frequency Hopping – the transmitter hops across the 2.400 to 2.483 GHz band
Figure 3.13 OFDM
Roaming
• Capability to connect to multiple APs
• Method varies among vendors – usually
done because client is getting out of
range of current AP
SSID – Service Set Identifier
• The name of the WLAN
• All devices on the WLAN must employ the same SSID in
order to communicate. Client can have multiple SSIDs
• Wardrivers scan for SSIDs being broadcast by wireless
LANs, then set that SSID on their client to attempt to join
• Knowing the SSID name does not necessarily mean that
rogue clients will be able to join the network. It depends
on how the network administrator has configured their network
Ways to Avoid Rogue Clients
• Change the default SSID (Linksys ships with "linksys"; Cisco has
its own well-known default)
• Don't broadcast the SSID. Note that this only hides the name from
casual scanners: clients still send it in probe requests and the AP
returns it in probe responses, so it is obscurity, not access control
• Associate clients by MAC address. If the MAC is not on the list the
connection is not allowed – generally suitable only for smaller
networks, and weak on its own because MAC addresses are sent in the
clear in every frame and are easily cloned
• WEP encryption – wired equivalent privacy – link-
level encryption between client and AP
(symmetric, RC4-based) – broken: keys can be recovered from captured
traffic, so use WPA2 or WPA3 instead
• Cryptographic authentication (e.g. 802.1X/EAP with per-user
credentials or certificates)
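The SSID discussion and the "Ways to Avoid Rogue Clients" list above come down to what a wardriver's scanner can read out of management frames. The following is an added example, not course material or any vendor's code: it parses the fixed fields and information elements of 802.11 beacon and probe-response frame bodies, reporting the SSID (or that it is hidden), the channel from the DS Parameter Set, and whether the AP advertises WEP (Privacy bit alone) or RSN (WPA2/WPA3). The frames, the SSIDs "corp-wlan" and "linksys", the channel numbers and the two-byte RSN stub are constructed for the example, not captured from a real network.

```python
import struct

# 802.11 beacon / probe-response frame body (added example):
#   timestamp (8, LE) | beacon interval (2, LE) | capability info (2, LE) | IEs...
# Each information element (IE) is TLV: element ID (1) | length (1) | value.
FIXED_LEN = 12
CAP_PRIVACY = 0x0010                     # capability bit 4 "Privacy": WEP unless an RSN IE is present
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48  # element IDs: SSID, DS Parameter Set (channel), RSN


def parse_ies(data: bytes) -> dict:
    """Walk the TLV list; returns {element_id: first value seen}, stopping at a truncated IE."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:          # length claims more bytes than remain: malformed
            break
        ies.setdefault(eid, value)
        i += 2 + length
    return ies


def summarize(body: bytes) -> dict:
    """What a passive scanner learns from one beacon or probe response."""
    if len(body) < FIXED_LEN:
        raise ValueError("management frame body too short")
    _timestamp, _interval, cap = struct.unpack("<QHH", body[:FIXED_LEN])
    ies = parse_ies(body[FIXED_LEN:])
    raw = ies.get(IE_SSID, b"")
    hidden = len(raw) == 0 or raw.strip(b"\x00") == b""   # both "hidden SSID" encodings
    ds = ies.get(IE_DS_PARAM, b"")
    if IE_RSN in ies:
        security = "RSN (WPA2/WPA3)"
    elif cap & CAP_PRIVACY:
        security = "WEP"
    else:
        security = "open"
    return {
        "ssid": None if hidden else raw.decode("utf-8", "replace"),
        "hidden": hidden,
        "channel": ds[0] if ds else None,
        "security": security,
    }


# --- constructed sample frames (not captures from a real network) ---
def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


def mgmt_body(capability: int, *elements: bytes) -> bytes:
    return struct.pack("<QHH", 0, 100, capability) + b"".join(elements)


CAP_ESS_PRIVACY = 0x0011    # ESS bit + Privacy bit
RSN_STUB = b"\x01\x00"      # RSN IE version field only; a real IE also lists cipher and AKM suites

# AP configured "don't broadcast SSID": its beacon carries a zero-length SSID element ...
HIDDEN_BEACON = mgmt_body(CAP_ESS_PRIVACY, ie(IE_SSID, b""),
                          ie(IE_DS_PARAM, b"\x06"), ie(IE_RSN, RSN_STUB))
# ... but the probe response it sends to a joining client carries the real name.
PROBE_RESPONSE = mgmt_body(CAP_ESS_PRIVACY, ie(IE_SSID, b"corp-wlan"),
                           ie(IE_DS_PARAM, b"\x06"), ie(IE_RSN, RSN_STUB))
# Default-named AP with only the Privacy bit set and no RSN element: WEP.
WEP_BEACON = mgmt_body(CAP_ESS_PRIVACY, ie(IE_SSID, b"linksys"), ie(IE_DS_PARAM, b"\x01"))
```

Running `summarize` over the hidden beacon and then the probe response shows the limit of SSID hiding: the beacon yields `hidden: True`, the probe response yields `corp-wlan` on channel 6. The WEP beacon is flagged from the capability bits alone, which is exactly how a wardriver picks targets still relying on WEP.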
Physical Security Concerns of Wireless Devices
• Many wireless devices are mobile, meaning they
are used outside the network perimeter
• These devices are small and easily stolen
• Need to be concerned about data stored on these
Limitations of PDAs and Mobile Devices
• Battery life
• Small displays
• Limited input methods
• Reduced memory
• Slower CPU processing speeds
Bluetooth
• Communications protocol designed for use in personal
area networks (PANs) that require short-range
• Provides physical and data link layer connectivity to the
– Internet bridge – a PC uses a mobile phone to access the Internet.
The PC communicates with the phone via Bluetooth; the mobile
phone dials the Internet. Bluetooth supports the Point-to-Point
Protocol (PPP), which in turn can transport IP packets
– Synchronization – create a PAN for the purpose of synchronizing
email, calendar and contact data
– Three-in-one phone – functions as 1) a cordless phone, 2) an intercom
phone for device-to-device communications, and 3) a regular cell phone
• Primary limitation - Devices, not users, are trusted
• Small storage and RAM prohibit security checks
on each packet – so upper level applications are
responsible for security after initial connection
VoIP – Voice Over IP
• Also known as IP telephony
• Convergence of voice and data
• Voice traffic carried over a packet-switched data
network via IP
Tips for Securing VoIP Traffic
• Encrypt VoIP traffic and run it over a VPN
• Properly configure your firewalls
• Consider segmenting voice and data traffic by using a virtual LAN.
This will limit the threat posed by packet-sniffing tools and minimize
disruption in the event of an attack.
• Consider using proxy servers in front of corporate firewalls to
process incoming and outgoing voice data.
• Make sure that server-based IP PBXs are locked down and
protected against viruses and denial-of-service attacks.
• Do you foresee a need for Bluetooth? How, where? What
level of security will you need? How will you achieve it?
• Where? What level of security will you need? How will
you achieve it?
• Do you foresee a need for WLANs? What level of security
will you need? How will you achieve it?
• What about VoIP?
• What are your risks? How will you mitigate them?
• What new policies will you need? Why?
• What potential regulations are impacted? How do you
Chapter 3 Review Questions
• What is a VPN? Describe how it is used.
• Why would anyone invest in a VPN?
• Compare and contrast the 3 primary VPN classifications.
• Describe the basic features of a VPN
• Compare and contrast the major tunneling protocols.
Why is the combination of L2TP/IPsec considered best?
• Compare and contrast the 3 primary IEEE 802.11 standards (b, a and g).
• Compare and contrast peer-to-peer WLANs with
Infrastructure Mode WLANs.
Chapter 3 Review Questions (cont.)
• Compare and contrast DSSS, FHSS, and OFDM
• Describe the MAC utilized by 802.11
• What is wireless roaming?
• What is the significance of the SSID?
• How can you avoid rogue wireless clients?
• Describe Bluetooth. What are its similarities and
differences with 802.11?
• What is VoIP? Provide tips for securing VoIP traffic.