Network+ Guide to Networks, 5th Edition   12-1

Chapter 12
Network Security

At a Glance

Instructor’s Manual Table of Contents
   Overview

   Objectives

   Teaching Tips

   Quick Quizzes

   Class Discussion Topics

   Additional Projects

   Additional Resources

   Key Terms

Lecture Notes

As networks have become more geographically distributed and heterogeneous, the risk of their
misuse has also increased. Consider the largest, most heterogeneous network in existence: the
Internet. Because it contains millions of points of entry, millions of servers, and millions of
miles of transmission paths, it is vulnerable to millions of break-ins. Because so many networks
connect to the Internet, the threat of an outsider accessing an organization’s network via the
Internet, and then stealing or destroying data, is very real. In this chapter, the student will learn
how to assess a network’s risks, how to manage those risks, and, perhaps most important, how
to convey the importance of network security to the rest of the organization through an
effective security policy.

Chapter Objectives
After reading this chapter and completing the exercises, the student will be able to:
    Identify security risks in LANs and WANs and design security policies that minimize
    Explain how physical security contributes to network security
    Discuss hardware- and design-based security techniques
    Understand methods of encryption, such as SSL and IPSec, that can secure data in
        storage and in transit
    Describe how popular authentication protocols, such as RADIUS, TACACS, Kerberos,
        PAP, CHAP, and MS-CHAP, function
    Use network operating system techniques to provide basic security
    Understand wireless security protocols, such as WEP, WPA, and 802.11i

Teaching Tips
Security Audits
    1. Describe tasks that should be completed prior to spending time and money on network

    2. Emphasize that different types of organizations have different levels of network security
           a. Provide examples.

    3. Define and describe a security audit as a means of assessing security risks.

    4. Explain who can or should perform the security audit noting any advantages where

Security Risks
    1. Explain why students first need to know how to recognize threats that their network
       could suffer.

    2. Describe how security breaches can occur.

    3. Discuss three considerations when looking at security threats.

Risks Associated with People

    1. Point out the significance of looking at risks associated with people.
          a. Point out that by some estimates, human errors, ignorance, and omissions cause
              more than half of all security breaches sustained by networks.

    2. Introduce the topic of social engineering.
           a. Define and describe the practice of phishing.

    3. Review the variety of risks associated with people.

    4. Emphasize that human errors account for so many security breaches because taking
       advantage of them is the easiest way to circumvent network security.

Risks Associated with Transmission and Hardware

    1. Introduce the security risks inherent in the Physical, Data Link, and Network layers of
       the OSI model.

    2. Define and describe the risks inherent in network hardware and design.

Risks Associated with Protocols and Software

    1. Introduce the risks inherent in the Transport, Session, Presentation, and Application
       layers of the OSI model.

    2. Describe risks pertaining to networking protocols and software.

Risks Associated with Internet Access

    1. Remind students that network security is more often compromised “from the inside”.

    2. Point out that new Internet-related security threats arise frequently and need to be

    3. Define and explain common Internet-related security issues.

An Effective Security Policy
    1. Explain how a thoroughly planned security policy can minimize the risk of break-ins.

    2. Define a security policy.

    3. Explain what is not included in a security policy.

Security Policy Goals

    1. Describe and explain the typical goals for security policies.

    2. Describe when to devise the security policy and the strategy to attain the goals of the

Security Policy Content

    1. Explain when the student should outline the policy’s content.

    2. Discuss possible subheadings for the policy outline.

    3. Emphasize that the security policy should explain to users what they can and cannot do
       and how these measures protect the network’s security.

    4. Provide suggestions for communicating policy contents to the users.

    5. Define and describe the term confidential.

Response Policy

    1. Point out that a security policy should provide for a planned response in the event of a
       security breach.

    2. Explain the contents of a response policy.

    3. Review suggested team roles.

    4. Note that after resolving a problem, the team reviews what happened, determines how
       the problem might have been prevented, and then implements measures to prevent
       future problems.

Physical Security

    1. Point out that an important element in network security is restricting physical access to
       its components.

    2. Explain that students should consider all points of compromise in physical security.

    3. Describe electronic badge access.

    4. Use Figure 12-1 to illustrate a badge access security system.

    5. Discuss how electronic locks can be combined with key locks.

    6. Describe a more expensive physical security solution involving bio-recognition access.

    7. Describe how organizations may regulate entrance through physical barriers to their

    8. Explain how many IT departments use closed-circuit TV systems to monitor activity in
       secured rooms.

    9. Review relevant questions that should be included in a security audit.

    10. Point out that discarded computers may present a point of data loss and describe how to
        protect assets from this threat.

                 Students may learn more about security policies by reviewing material on The
                 SANS Security Policy Project Web site at

Security in Network Design
    1. Introduce the concept of poor LAN and WAN design in contributing to security

    2. Describe the optimal and more realistic ways to prevent external LAN breaches.

Router Access Lists

    1. Point out that before a malicious intruder on another network can gain access to files on
       a network server, he or she must traverse a switch or router.

    2. Describe a router’s main function.

    3. Define and describe a router ACL (access control list).

    4. Discuss the variables an ACL uses to instruct a router to permit or deny traffic.

    5. Describe how a router processes packet information.

    6. Note that an access list may contain many different statements.

    7. Point out that different ACLs may be associated with inbound and outbound traffic.
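The following is an added example, not material from the textbook or this manual: a small model of how a router walks an inbound packet through an access list, one statement at a time, with the first match deciding and an implicit deny for anything that matches nothing. The addresses, statements and the `statement`, `evaluate_acl` and `decision` helpers are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of router ACL processing (not textbook code): statements are
# compared in order, the first match decides, and a packet matching no statement
# is dropped by the implicit "deny any" at the end of every list.


@dataclass
class AclStatement:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" (any), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network      # source address range
    dst: ipaddress.IPv4Network      # destination address range
    dst_port: Optional[int] = None  # None = any destination port


@dataclass
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def statement(action: str, protocol: str, src: str, dst: str,
              dst_port: Optional[int] = None) -> AclStatement:
    """Build a statement from CIDR strings ("0.0.0.0/0" means any address)."""
    return AclStatement(action, protocol, ipaddress.IPv4Network(src),
                        ipaddress.IPv4Network(dst), dst_port)


def statement_matches(stmt: AclStatement, pkt: Packet) -> bool:
    """Every criterion of the statement must hold for it to match the packet."""
    if stmt.protocol != "ip" and stmt.protocol != pkt.protocol:
        return False
    if ipaddress.IPv4Address(pkt.src_ip) not in stmt.src:
        return False
    if ipaddress.IPv4Address(pkt.dst_ip) not in stmt.dst:
        return False
    if stmt.dst_port is not None and stmt.dst_port != pkt.dst_port:
        return False
    return True


def evaluate_acl(acl: List[AclStatement], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding statement); None marks the implicit deny."""
    for index, stmt in enumerate(acl):
        if statement_matches(stmt, pkt):
            return stmt.action, index
    return "deny", None


# Constructed inbound list for an Internet-facing interface (documentation
# address ranges, not real hosts). The anti-spoofing deny is placed first so a
# forged private source address can never reach one of the later permits.
INBOUND_ACL = [
    statement("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),                # 0: private source from outside
    statement("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),    # 1: HTTP to the public web server
    statement("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),   # 2: HTTPS to the public web server
    statement("permit", "tcp", "192.0.2.0/24", "203.0.113.20/32", 22),  # 3: SSH to the jump host, admin net only
    # implicit final statement: deny ip any any
]


def decision(acl: List[AclStatement], protocol: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Convenience wrapper: build the packet and evaluate it against the list."""
    return evaluate_acl(acl, Packet(protocol, src_ip, dst_ip, dst_port))


def spoof_decision_when_deny_moved_last() -> Tuple[str, Optional[int]]:
    """Same statements with the anti-spoofing deny moved to the end: the forged
    packet now hits the HTTP permit first, which is why statement order matters."""
    reordered = INBOUND_ACL[1:] + INBOUND_ACL[:1]
    return decision(reordered, "tcp", "10.1.1.1", "203.0.113.10", 80)


if __name__ == "__main__":
    samples = [("tcp", "198.51.100.7", "203.0.113.10", 80),
               ("tcp", "10.1.1.1", "203.0.113.10", 80),
               ("udp", "198.51.100.7", "203.0.113.10", 53),
               ("tcp", "192.0.2.5", "203.0.113.20", 22),
               ("tcp", "198.51.100.7", "203.0.113.20", 22)]
    for sample in samples:
        print(sample, "->", decision(INBOUND_ACL, *sample))
    print("deny moved last, spoofed packet ->", spoof_decision_when_deny_moved_last())
```

The same evaluation would be run separately for an outbound list on the interface, since inbound and outbound traffic can carry different ACLs.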

Intrusion Detection and Prevention

    1. Define and describe an IDS (intrusion detection system).

    2. Describe the technique that an IDS may use to monitor traffic carried by a switch.

    3. Discuss how IDS software can be configured to detect many types of suspicious traffic
       patterns, including those typical of denial-of-service or smurf attacks.

    4. Define and describe a DMZ (demilitarized zone).

    5. Explain one drawback to using an IDS at a network’s DMZ.

    6. Emphasize that an IDS can only detect and log suspicious activity.

    7. Define and describe an IPS (intrusion-prevention system).

    8. Emphasize that an IPS can react when alerted to suspicious activity.

    9. Use Figure 12-2 to illustrate the placement of an IDS/IPS device on a private network
       that is connected to the Internet.

    10. Compare an IPS to a firewall.

                 Perform an in-class demonstration by navigating to the open-source IDS
                 software sites for TripWire at and Snort at to demonstrate the
                 availability of these products.


    1. Define and describe a firewall.
          a. Note that a firewall typically involves a combination of hardware and software.
          b. Describe where a firewall typically resides in a network.

    2. Use Figure 12-3 to illustrate the placement of a firewall between a private network and
       the Internet.

    3. Use Figure 12-4 to illustrate a firewall designed for use in a business with many users.

    4. Mention that many forms of firewalls exist.

    5. Define and explain a packet-filtering firewall.
          a. Emphasize how packet filtering firewalls block traffic in and out of a network.

    6. Mention that firewalls ship with a default configuration designed to block the most
       common types of security threats.

    7. Note that many network administrators choose to modify default firewall settings.

    8. Discuss common criteria a packet-filtering firewall might use to accept or deny traffic.

    9. Describe port blocking and discuss its importance in preventing security breaches.

    10. Describe the many factors to consider when making decisions regarding a firewall that
        performs functions that are more complex.
            a. Define and describe content filtering firewalls.
            b. Define and describe characteristics of stateless and stateful firewalls.

    11. Explain to the student that they will have to recognize examples of firewall placement
        in most VPN architectures.

    12. Explain to students that they will have to tailor a firewall to their network’s needs.

    13. Explain why packet-filtering firewalls cannot distinguish between a user who is trying
        to breach the firewall and a user who is authorized to do so.

Teaching Tip      Perform an in-class demonstration by navigating to the Cisco IOS Firewall
                 Introduction page at to demonstrate an example of the Cisco firewall
                 material available.

Proxy Servers

    1. Define and explain a proxy service.

    2. Define and explain a proxy server.

    3. State the important function of a proxy server - preventing the outside world from
       discovering the addresses of the internal network.
           a. Explain why this is important.

    4. Use Figure 12-5 to illustrate how a proxy server might fit into a WAN design.

    5. Point out that another advantage of proxy servers is in improving network performance
       by caching files.

Quick Quiz 1
    1. True or False: More often than not, security is compromised from using the Internet.

        Answer: False

    2. ____________________ occurs when a person attempts to glean access or
       authentication information by posing as someone who needs that information.
       Answer: Phishing

    3. A(n) ____ drives the creation of a security policy.
          a. security coordinator
          b. administrator
          c. IT specialist
          d. security manager
       Answer: A

    4. True or False: An IDS can react when alerted to suspicious activity.
       Answer: False

    5. True or False: Packet-filtering firewalls cannot distinguish between a user who is trying
       to breach the firewall and a user who is authorized to do so.
       Answer: True

NOS (Network Operating System) Security
    1. Make sure students understand that they can implement basic security by restricting
       what users are authorized to do on a network.

    2. Define and describe the term public rights.

    3. Point out to students that network administrators need to group users according to their
       security levels and assign additional rights that meet the needs of those groups.

Logon Restrictions

    1. Review additional logon restrictions that network administrators can use to strengthen
       the security of their networks.


    1. Mention that choosing a secure password is one of the easiest and least expensive ways
       to guard against unauthorized access.

    2. Point out that the preferred, easy to remember password is also easy to guess.

    3. Note that password guidelines should be clearly communicated to everyone in an
       organization through the security policy.

    4. Review tips for making and keeping passwords secure.

Teaching Tip      Students may read more information on password security at

    1. Define and explain the term encryption.

    2. Emphasize to the students that the purpose of encryption is to keep information private.

    3. Explain that many forms of encryption exist with some being more secure than others.

    4. Emphasize the importance of encryption as the last means of defense against data theft.

    5. Review the three assurances encryption provides to protect data.

Key Encryption

    1. Introduce the concept of key encryption.

    2. Define and explain a key.

    3. Define and explain the term ciphertext.

    4. Describe a brute force attack.

    5. Use Figure 12-6 to illustrate a simplified view of key encryption and decryption.

    6. Define and describe private key encryption.

    7. Use Figure 12-7 to illustrate private key encryption.

    8. Introduce and explain DES (Data Encryption Standard).

    9. Describe Triple DES.

    10. Define and explain AES (Advanced Encryption Standard).

    11. Point out the drawback of private key encryption.

    12. Define and describe public key encryption.

    13. Define and explain a public key server.

    14. Define the term key pair.

    15. Use Figure 12-8 to illustrate the process of public key encryption.

    16. Discuss the various forms of public key encryption and their use.
           a. Diffie-Hellman
           b. RSA
           c. RC4

    17. Define and describe a digital certificate and the PKI infrastructure.

PGP (Pretty Good Privacy)

    1. Define and explain PGP.

Teaching Tip      Navigate to the PGP site at to illustrate the encryption protection it can
                 provide.

SSL (Secure Sockets Layer)

    1. Define and explain SSL.
          a. Include a discussion on HTTPS.

    2. Explain a handshake protocol.

    3. Define an SSL session.

    4. Review the original development of SSL and explain how the IETF is attempting to
       standardize it.

SSH (Secure Shell)

    1. Define and explain SSH.

    2. Mention the encryption algorithms it can use.

    3. Discuss the versions available.

    4. Explain its advantages.

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)

    1. Describe the SCP (Secure CoPy) utility.

    2. Explain how modern operating systems implement SCP.

    3. Discuss the advantage of SCP.

    4. Define and explain the proprietary version.

IPSec (Internet Protocol Security)

    1. Define and explain IPSec.

    2. Note how IPSec differs from other methods.

    3. Explain how IPSec accomplishes authentication in two phases.

    4. Point out that IPSec can be used with any type of TCP/IP transmission.

    5. Mention that it is most commonly used in routers.

    6. Emphasize that VPNs are used to transmit private data over public networks and require
       strict encryption and authentication to ensure that data is not compromised.

    7. Define and describe a VPN concentrator.

    8. Use Figure 12-9 to illustrate the placement of a VPN concentrator on a WAN.

Authentication Protocols
    1. Review the process of authentication with the class.

    2. Explain the concept of authentication protocols noting that several types exist.

    3. Mention that the different authentication protocols differ according to which encryption
       schemes they rely on and the steps they take to verify credentials.


    1. Define and explain the use of RADIUS (Remote Authentication Dial-In User Service).

    2. Define and explain the use of a RADIUS server.

    3. Explain why RADIUS is more secure than a simple remote access solution.

    4. Use Figure 12-10 to illustrate a RADIUS server providing centralized authentication.

    5. Mention that TACACS (Terminal Access Controller Access Control System) is a
       similar, but earlier version of centralized authentication.

    6. Explain why RADIUS and TACACS belong to a category of protocols known as AAA
       (authentication, authorization, and accounting).

PAP (Password Authentication Protocol)

    1. Review the PPP (Point-to-Point Protocol).
          a. Note that PPP provides the foundation for connections between remote clients
             and hosts.
          b. Emphasize that PPP alone, however, does not secure connections.

    2. Point out that several types of authentication protocols can work over PPP including
       PAP (Password Authentication Protocol).

    3. Explain how PAP provides authentication using a two-step authentication process.

    4. Use Figure 12-11 to illustrate PAP’s two-step authentication process.

    5. Explain why PAP is a simple authentication protocol but not necessarily secure.


    1. Explain that CHAP (Challenge Handshake Authentication Protocol) is another
       authentication protocol that operates over PPP.

    2. Explain the difference between the CHAP and PAP protocols.

    3. Explain how CHAP provides authentication using a three-step authentication process.

    4. Use Figure 12-12 to illustrate the three-way handshake used in CHAP.

    5. Describe the benefit of CHAP over PAP.

    6. Define MS-CHAP.

    7. Describe a potential flaw in CHAP and MS-CHAP authentication.

    8. Describe how Microsoft’s MS-CHAPv2 (Microsoft Challenge Authentication Protocol,
       Version 2) attempts to thwart that flaw.

    9. Walk through an example of how to modify the dial-up connection’s supported
       authentication protocols on a Windows XP client.

    10. Use Figure 12-13 to illustrate the Windows XP Advanced Security Settings dialog box.

    11. Walk through an example of how to modify the dial-up connection’s supported
        authentication protocols on a Windows Vista client.

    12. Use Figure 12-14 to illustrate the Windows Vista Advanced Security Settings dialog
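An added example, not code from the textbook or this manual, that contrasts PAP's two-step exchange with CHAP's three-step challenge handshake and shows what each leaves visible to anyone observing the PPP link. The CHAP response is computed as RFC 1994 specifies, MD5 over identifier, shared secret and challenge; the user name, secret and helper names are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed simulation (not textbook code) of PAP and CHAP over a PPP link.
# The shared secret is known to both the requestor and the authenticator.
SECRETS: Dict[str, bytes] = {"alice": b"correct horse battery"}  # constructed credentials


# --- PAP: two steps. The requestor sends its credentials; the authenticator answers. ---

def pap_request(user: str, password: bytes) -> bytes:
    """Step 1: Authenticate-Request. User name and password cross the link unprotected."""
    return user.encode() + b":" + password


def pap_authenticate(request: bytes) -> bool:
    """Step 2: Authenticate-Ack or Authenticate-Nak, by comparing with the stored secret."""
    user, _, password = request.partition(b":")
    stored = SECRETS.get(user.decode(errors="replace"))
    return stored is not None and hmac.compare_digest(stored, password)


def link_observer_sees_pap() -> bytes:
    """What a passive observer of the link captures during a PAP logon."""
    return pap_request("alice", SECRETS["alice"])


# --- CHAP: three steps. The authenticator takes the first step with a challenge. ---

def chap_challenge(size: int = 16) -> Tuple[int, bytes]:
    """Step 1: Challenge. A fresh random value plus an identifier for this round."""
    return os.urandom(1)[0], os.urandom(size)


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Step 2: Response = MD5(identifier || secret || challenge), per RFC 1994.
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Step 3: Success or Failure. The authenticator recomputes the digest from its
    own copy of the secret and compares in constant time."""
    secret = SECRETS.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def reused_response_outcome() -> Tuple[bool, bool]:
    """Run one CHAP logon, then present the same captured response to a new
    challenge. The fresh random challenge is what makes the old response useless."""
    ident, chal = chap_challenge()
    resp = chap_response(ident, chal, SECRETS["alice"])
    first = chap_verify("alice", ident, chal, resp)
    ident2, chal2 = chap_challenge()
    reused = chap_verify("alice", ident2, chal2, resp)
    return first, reused


if __name__ == "__main__":
    print("PAP on the wire:", link_observer_sees_pap())
    ident, chal = chap_challenge()
    print("CHAP on the wire:", chap_response(ident, chal, SECRETS["alice"]).hex())
    print("CHAP first logon / reused response:", reused_response_outcome())
```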

EAP (Extensible Authentication Protocol)

    1. Explain that EAP (Extensible Authentication Protocol) is another extension to the PPP
       protocol suite.

    2. Explain how EAP differs from the authentication protocols discussed previously.
          a. Note that it is only a mechanism for authenticating clients and servers; it does
              not perform encryption or authentication on its own.

    3. Note that EAP works with other encryption and authentication schemes to verify the
       credentials of clients and servers.

    4. Explain how EAP requires the authenticator to initiate the authentication process by
       asking the connected computer to verify itself.

    5. Describe an advantage of EAP.

    6. Point out that in the case of wireless LANs, EAP is used with older encryption and
       authentication protocols to form a new, more secure method of connecting to networks
       from wireless stations.

802.1x (EAPoL)

    1. Define and explain the 802.1x standard.

    2. Describe where the EAPoL name originated.

    3. Emphasize that 802.1x only defines a process for authentication.

    4. Explain that 802.1x does not specify the type of authentication or encryption protocols
       clients and servers must use.

    5. Mention that 802.1x is commonly used with RADIUS authentication.

    6. Describe what distinguishes 802.1x from other authentication standards.

    7. Use Figure 12-15 to illustrate the 802.1x authentication process.


    1. Define and explain Kerberos.

    2. Note that it is an example of a private key encryption service.

    3. Explain the advantages Kerberos provides over simple NOS authentication.

    4. Define and explain a KDC (Key Distribution Center).

    5. Define and explain an AS (authentication service).

    6. Define the term ticket.

    7. Define the term principal.

    8. Describe the process Kerberos requires for client/server communication.

    9. Explain the problem with the original version:
          a. User had to request a separate ticket each time he or she wanted to use a
              different service.

    10. Describe how this problem was resolved with the TGS (Ticket-Granting Service).

                 Point out that Kerberos was named after the three-headed dog in Greek
                 mythology who guarded the gates of Hades and was designed at MIT
                 (Massachusetts Institute of Technology). MIT still provides free copies of the
                 Kerberos code. In addition, many software vendors have developed their own
                 versions of Kerberos.

Wireless Network Security
    1. Emphasize that wireless transmissions are particularly susceptible to eavesdropping.

    2. Explain war-driving, noting that it is effective for obtaining private information.

WEP (Wired Equivalent Privacy)

    1. Review the 802.11 protocol standards.

    2. Emphasize that by default, the 802.11 standard does not offer any security.

    3. Define and describe the WEP (Wired Equivalent Privacy) standard.

    4. Walk through an example of editing or adding a WEP key for a wireless connection on
       a Windows XP client.

    5. Use Figure 12-16 to illustrate the entering of a WEP key in the Windows XP wireless
       network properties dialog box.

    6. Discuss the versions of WEP and their network key lengths.

    7. Discuss the various flaws of WEP.

IEEE 802.11i and WPA (Wi-Fi Protected Access)

    1. Describe the 802.11i wireless security protocol.

    2. Describe the WPA wireless security protocol.

    3. Explain the difference between WPA and 802.11i.

                 Students may learn more about wireless standards at the Wi-Fi Alliance Web site

Quick Quiz 2
    1. ____________________ is the use of an algorithm to scramble data into a format that
       can be read only by reversing the algorithm.
       Answer: Encryption

    2. In key encryption, the scrambled data block is known as ____.
           a. cleartext
           b. fuzzytext
           c. a key pair
           d. ciphertext
       Answer: D

    3. True or False: In public key encryption, data is encrypted using a single key that only
       the sender and the receiver know.
       Answer: False

    4. ____ is a public key encryption system that can verify the authenticity of an e-mail
       sender and encrypt e-mail data in transmission.
          a. SSL
          b. PGP
          c. IPSec
          d. SSH
       Answer: B

    5. True or False: WPA uses the AES encryption scheme.
       Answer: False

Class Discussion Topics
    1. As a class, discuss the implications of security breaches on technology adoption. Are
       people hesitant to use the Internet or wireless technology for purchases due to security
       concerns? Are people hesitant to use technology because of privacy concerns? Are these
       concerns warranted and are they influenced by age, race, or gender?

    2. As a class, discuss what the consequences should be for not adhering to security policy
       guidelines. Where or how should these consequences be communicated to employees?

Additional Projects
    1. Have the student research companies that specialize in the physical removal or
       destruction of data on hard disks. The research report should include information on
       three such companies including the company name, accurate Web site address (if
       available), physical location, services, and costs.

Additional Resources
    1. Audit Certification

    2. GIAC Audit Certification

    3. The Institute of Internal Auditors

    4. The SANS Security Policy Project

    5. Developing a Security Policy

    6. The Basics of an IT Security Policy

    7. IBM Redbook: Auditing and Accounting on AIX

    8. The International PGP Home Page

    9. Philip Zimmermann Home page

    10. MIT PGP Public Key Server

    11. The OpenPGP Alliance

    12. Windows Security Center

    13. Windows Client Security and Encryption

Key Terms
     3DES - See Triple DES.
     802.11i - The IEEE standard for wireless network encryption and authentication that
      uses the EAP authentication method, strong encryption, and dynamically assigned keys,
      which are different for every transmission. 802.11i specifies AES encryption and
      weaves a key into each packet.
     802.1x - A vendor-independent IEEE standard for securing transmission between nodes
      according to the transmission’s port, whether physical or logical. 802.1x, also known as
      EAPoL, is the authentication standard followed by wireless networks using 802.11i.
     AAA (authentication, authorization, and accounting) - The name of a category of
      protocols that establish a client’s identity; check the client’s credentials and, based on
      those, allow or deny access to a system or network; and finally, track the client’s system
      or network usage.
     access control list - See ACL.
     access list - See ACL.
     ACL (access control list) - A list of statements used by a router to permit or deny the
      forwarding of traffic on a network based on one or more criteria.
     Advanced Encryption Standard - See AES.
     AES (Advanced Encryption Standard) - A private key encryption algorithm that
      weaves keys of 128, 160, 192, or 256 bits through data multiple times. The algorithm
      used in the most popular form of AES is known as Rijndael. AES has replaced DES in
      situations such as military communications, which require the highest level of security.
     AH (authentication header) - In the context of IPSec, a type of encryption that
      provides authentication of the IP packet’s data payload through public key techniques.
     application gateway - See proxy server.
     Application layer gateway - See proxy server.
     AS (authentication service) - In Kerberos terminology, the process that runs on a KDC
      (Key Distribution Center) to initially validate a client who’s logging on. The
      authentication service issues a session key to the client and to the service the client
      wants to access.
     asymmetric encryption - A type of encryption (such as public key encryption) that
      uses a different key for encoding data than is used for decoding the ciphertext.
     authentication, authorization, and accounting - See AAA.
     authentication header - See AH.

     authentication protocol - A set of rules that governs how servers authenticate clients.
      Several types of authentication protocols exist.
     authentication service - See AS.
     authenticator - In Kerberos authentication, the user’s time stamp encrypted with the
      session key. The authenticator is used to help the service verify that a user’s ticket is
     biorecognition access - A method of authentication in which a device scans an
      individual’s unique physical characteristics (such as the color patterns in her iris or the
      geometry of her hand) to verify the user’s identity.
     brute force attack - An attempt to discover an encryption key or password by trying
      numerous possible character combinations. Usually, a brute force attack is performed
      rapidly by a program designed for that purpose.
     CA (certificate authority) - An organization that issues and maintains digital
      certificates as part of the public key infrastructure.
     certificate authority - See CA.
     challenge - A random string of text issued from one computer to another in some forms
      of authentication. It is used, along with the password (or other credential), in a response
      to verify the computer’s credentials.
     Challenge Handshake Authentication Protocol - See CHAP.
     CHAP (Challenge Handshake Authentication Protocol) - An authentication protocol
      that operates over PPP and that requires the authenticator to take the first step by
      offering the other computer a challenge. The requestor responds by combining the
      challenge with its password, encrypting the new string of characters and sending it to
      the authenticator. The authenticator matches to see if the requestor’s encrypted string of
      text matches its own encrypted string of characters. If so, the requester is authenticated
      and granted access to secured resources.
     ciphertext - The unique data block that results when an original piece of data (such as
      text) is encrypted (for example, by using a key).
     client_hello - In the context of SSL encryption, a message issued from the client to the
      server that contains information about what level of security the client’s browser is
      capable of accepting and what type of encryption the client’s browser can decipher (for
      example, RSA or Diffie-Hellman). The client_hello message also establishes a
      randomly generated number that uniquely identifies the client, plus another number that
      identifies the SSL session.
     content-filtering firewall - A firewall that can block designated types of traffic from
      entering a protected network.
     cracker - A person who uses his knowledge of operating systems and utilities to
      intentionally damage or destroy data or systems.
     Data Encryption Standard - See DES.
     demilitarized zone - See DMZ.
     denial-of-service attack - A security attack caused by a deluge of traffic that disables
      the victimized system.
     DES (Data Encryption Standard) - A popular private key encryption technique that
      was developed by IBM in the 1970s.
     dictionary attack - A technique in which attackers run a program that tries a
      combination of a known user ID and, for a password, every word in a dictionary to
      attempt to gain access to a network.

     • Diffie-Hellman - The first commonly used public, or asymmetric, key algorithm.
       Diffie-Hellman was released in 1975 by its creators, Whitfield Diffie and Martin
     • digital certificate - A password-protected and encrypted file that holds an individual’s
       identification information, including a public key and a private key. The individual’s
       public key is used to verify the sender’s digital signature, and the private key allows the
       individual to log on to a third-party authority who administers digital certificates.
     • DMZ (demilitarized zone) - The perimeter of a protected, internal network where
       users, both authorized and unauthorized, from external networks can attempt to access
       it. Firewalls and IDS/IPS systems are typically placed in the DMZ.
     • DNS spoofing - A security attack in which an outsider forges name server records to
       falsify his host’s identity.
     • EAP (Extensible Authentication Protocol) - A Data Link layer protocol defined by
       the IETF that specifies the dynamic distribution of encryption keys and a
       preauthentication process in which a client and server exchange data via an intermediate
       node (for example, an access point on a wireless LAN). Only after they have mutually
       authenticated can the client and server exchange encrypted data. EAP can be used with
       multiple authentication and encryption schemes.
     • EAP over LAN - See EAPoL.
     • EAPoL (EAP over LAN) - See 802.1x.
     • Encapsulating Security Payload - See ESP.
     • encryption - The use of an algorithm to scramble data into a format that can be read
       only by reversing the algorithm - decrypting the data - to keep the information private.
       The most popular kind of encryption algorithm weaves a key into the original data’s
       bits, sometimes several times in different sequences, to generate a unique data block.
     • ESP (Encapsulating Security Payload) - In the context of IPSec, a type of encryption
       that provides authentication of the IP packet’s data payload through public key
       techniques. In addition, ESP also encrypts the entire IP packet for added security.
     • Extensible Authentication Protocol - See EAP.
     • flashing - A security attack in which an Internet user sends commands to another
       Internet user’s machine that cause the screen to fill with garbage characters. A flashing
       attack causes the user to terminate her session.
     • hacker - A person who masters the inner workings of operating systems and utilities in
       an effort to better understand them. A hacker is distinguished from a cracker in that a
       cracker attempts to exploit a network’s vulnerabilities for malicious purposes.
     • handshake protocol - One of several protocols within SSL, and perhaps the most
       significant. As its name implies, the handshake protocol allows the client and server to
       authenticate (or introduce) each other and establishes terms for how they securely
       exchange data during an SSL session.
     • host-based firewall - A firewall that only protects the computer on which it’s installed.
     • HTTP over Secure Sockets Layer - See HTTPS.
     • HTTP Secure - See HTTPS.
     • HTTPS (HTTP over Secure Sockets Layer) - The URL prefix that indicates that a
       Web page requires its data to be exchanged between client and server using SSL
       encryption. HTTPS uses the TCP port number 443, rather than port 80 (the port that
       normal HTTP uses).
     • IDS (intrusion-detection system) - A dedicated device or software running on a host
       that monitors and flags (and sometimes logs) any unauthorized attempt to access an
       organization’s secured resources on a network or host.
     • IKE (Internet Key Exchange) - The first phase of IPSec authentication, which
       accomplishes key management. IKE is a service that runs on UDP port 500. After IKE
       has established the rules for the type of keys two nodes use, IPSec invokes its second
       phase, encryption.
     • Internet Key Exchange - See IKE.
     • Internet Protocol Security - See IPSec.
     • intrusion-detection system - See IDS.
     • intrusion-prevention system - See IPS.
     • IPS (intrusion-prevention system) - A dedicated device or software running on a host
       that automatically reacts to any unauthorized attempt to access an organization’s
       secured resources on a network or host. IPS is often combined with IDS.
     • IPSec (Internet Protocol Security) - A Layer 3 protocol that defines encryption,
       authentication, and key management for TCP/IP transmissions. IPSec is an
       enhancement to IPv4 and is native to IPv6. IPSec is unique among authentication
       methods in that it adds security information to the header of all IP packets.
     • IP spoofing - A security attack in which an outsider obtains internal IP addresses, then
       uses those addresses to pretend that he has authority to access a private network from
       the Internet.
     • KDC (Key Distribution Center) - In Kerberos terminology, the server that runs the
       authentication service and the Ticket-granting service to issue keys and tickets to
     • Kerberos - A cross-platform authentication protocol that uses key encryption to verify
       the identity of clients and to securely exchange information after a client logs on to a
       system. It is an example of a private key encryption service.
     • key - A series of characters that is combined with a block of data during that data’s
       encryption. To decrypt the resulting data, the recipient must also possess the key.
     • Key Distribution Center - See KDC.
     • key management - The method whereby two nodes using key encryption agree on
       common parameters for the keys they will use to encrypt data.
     • key pair - The combination of a public and private key used to decipher data that was
       encrypted using public key encryption.
     • man-in-the-middle attack - A security threat that relies on intercepted transmissions. It
       can take one of several forms, but in all cases a person redirects or captures secure data
       traffic while in transit.
     • Microsoft Challenge Handshake Authentication Protocol - See MS-CHAP.
     • Microsoft Challenge Handshake Authentication Protocol, version 2 - See MS-
     • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - An
       authentication protocol offered by Microsoft with its Windows clients and servers.
       Similar to CHAP, MS-CHAP uses a three-way handshake to verify a client’s credentials
       and encrypts passwords with a challenge text.
     • MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2) - An
       authentication protocol provided with Windows XP, 2000, and Server 2003 operating
       systems that follows the CHAP model, but uses stronger encryption, uses different
       encryption keys for transmission and reception, and requires mutual authentication
       between two computers.
     • mutual authentication - An authentication scheme in which both computers verify the
       credentials of each other.
     • network-based firewall - A firewall configured and positioned to protect an entire
     • network key - A key (or character string) required for a wireless station to associate
       with an access point using WEP.
     • OpenSSH - An open source version of the SSH suite of protocols.
     • packet-filtering firewall - A router that operates at the Data Link and Transport layers
       of the OSI model, examining the header of every packet of data that it receives to
       determine whether that type of packet is authorized to continue to its destination.
       Packet-filtering firewalls are also called screening firewalls.
     • PAP (Password Authentication Protocol) - A simple authentication protocol that
       operates over PPP. Using PAP, a client issues its credentials in a request to authenticate,
       and the server responds with a confirmation or denial of authentication after comparing
       the credentials to those in its database. PAP is not very secure and is, therefore, rarely
       used on modern networks.
     • Password Authentication Protocol - See PAP.
     • PGP (Pretty Good Privacy) - A key-based encryption system for e-mail that uses a
       two-step verification process.
     • phishing - A practice in which a person attempts to glean access or authentication
       information by posing as someone who needs that information.
     • PKI (public key infrastructure) - The use of certificate authorities to associate public
       keys with certain users.
     • port authentication - A technique in which a client’s identity is verified by an
       authentication server before a port, whether physical or logical, is opened for the
       client’s Layer 3 traffic. See also 802.1x.
     • port-based authentication - See port authentication.
     • port forwarding - The process of redirecting traffic from its normally assigned port to
       a different port, either on the client or server. In the case of using SSH, port forwarding
       can send data exchanges that are normally insecure through encrypted tunnels.
     • port mirroring - A monitoring technique in which one port on a switch is configured to
       send a copy of all its traffic to a second port.
     • port scanner - Software that searches a server, switch, router, or other device for open
       ports, which can be vulnerable to attack.
     • Pretty Good Privacy - See PGP.
     • principal - In Kerberos terminology, a user or client.
     • private key encryption - A type of key encryption in which the sender and receiver use
       a key to which only they have access. DES (Data Encryption Standard), which was
       developed by IBM in the 1970s, is a popular example of a private key encryption
       technique. Private key encryption is also known as symmetric encryption.
     • proxy - See proxy server.
     • proxy server - A network host that runs a proxy service. Proxy servers may also be
       called gateways.
     • proxy service - A software application on a network host that acts as an intermediary
       between the external and internal networks, screening all incoming and outgoing traffic
       and providing one address to the outside world, instead of revealing the addresses of
       internal LAN devices.
     • public key encryption - A form of key encryption in which data is encrypted using two
       keys: One is a key known only to a user, and the other is a key associated with the user
       and that can be obtained from a public source, such as a public key server. Some
       examples of public key algorithms include RSA and Diffie-Hellman. Public key
       encryption is also known as asymmetric encryption.
     • public key infrastructure - See PKI.
     • public key server - A publicly available host (such as an Internet host) that provides
       free access to a list of users’ public keys (for use in public key encryption).
     • RADIUS (Remote Authentication Dial-In User Service) - A protocol that runs over
       UDP and provides centralized network authentication and accounting for multiple users.
       RADIUS is commonly used with dial-up networking, VPNs, and wireless connections.
     • RADIUS server - A server that offers centralized authentication services to a network’s
       access server, VPN server, or wireless access point via the RADIUS protocol.
     • RC4 - An asymmetric key encryption technique that weaves a key with data multiple
       times as a computer issues the stream of data. RC4 keys can be as long as 2048 bits. In
       addition to being highly secure, RC4 is fast.
     • Remote Authentication Dial-In User Service - See RADIUS.
     • Rijndael - The algorithm used for AES encryption.
     • RSA - An encryption algorithm that creates a key by randomly choosing two large
       prime numbers and multiplying them together. RSA is named after its creators, Ronald
       Rivest, Adi Shamir, and Leonard Adleman. RSA was released in 1977, but remains
       popular today for e-commerce transactions.
     • SCP (Secure CoPy) - A method for copying files securely between hosts. SCP is part
       of the OpenSSH package, which comes with modern UNIX and Linux operating
       systems. Third-party SCP applications are available for Windows-based computers.
     • screening firewall - See packet-filtering firewall.
     • Secure CoPy - See SCP.
     • Secure Shell - See SSH.
     • Secure Sockets Layer - See SSL.
     • Secure File Transfer Protocol - See SFTP.
     • security audit - An assessment of an organization’s security vulnerabilities. A security
       audit should be performed at least annually and preferably quarterly - or sooner if the
       network has undergone significant changes. For each risk found, it should rate the
       severity of a potential breach, as well as its likelihood.
     • security policy - A document or plan that identifies an organization’s security goals,
       risks, levels of authority, designated security coordinator and team members,
       responsibilities for each team member, and responsibilities for each employee. In
       addition, it specifies how to address security breaches.
     • server_hello - In the context of SSL encryption, a message issued from the server to the
       client that confirms the information the server received in the client_hello message. It
       also agrees to certain terms of encryption based on the options the client supplied.
       Depending on the Web server’s preferred encryption method, the server may choose to
       issue your browser a public key or a digital certificate at this time.
     • session key - In the context of Kerberos authentication, a key issued to both the client
       and the server by the authentication service that uniquely identifies their session.
     • SFTP (Secure File Transfer Protocol) - A protocol available with the proprietary
       version of SSH that copies files between hosts securely. Like FTP, SFTP first
       establishes a connection with a host and then allows a remote user to browse directories,
       list files, and copy files. Unlike FTP, SFTP encrypts data before transmitting it.
     • smurf attack - A threat to networked hosts in which the host is flooded with broadcast
       ping messages. A smurf attack is a type of denial-of-service attack.
     • social engineering - The act of manipulating personal relationships to circumvent
       network security measures and gain access to a system.
     • SSH (Secure Shell) - A connection utility that provides authentication and encryption.
       With SSH, you can securely log on to a host, execute commands on that host, and copy
       files to or from that host. SSH encrypts data exchanged throughout the session.
     • SSL (Secure Sockets Layer) - A method of encrypting TCP/IP transmissions—
       including Web pages and data entered into Web forms—en route between the client and
       server using public key encryption technology.
     • SSL session - In the context of SSL encryption, an association between the client and
       server that is defined by an agreement on a specific set of encryption techniques. An
       SSL session allows the client and server to continue to exchange data securely as long
       as the client is still connected to the server. SSL sessions are established by the SSL
       handshake protocol.
     • stateful firewall - A firewall capable of monitoring a data stream from end to end.
     • stateless firewall - A firewall capable only of examining packets individually. Stateless
       firewalls perform more quickly than stateful firewalls, but are not as sophisticated.
     • symmetric encryption - A method of encryption that requires the same key to encode
       the data as is used to decode the ciphertext.
     • TACACS (Terminal Access Controller Access Control System) - A centralized
       authentication system for remote access servers that is similar to, but older than,
     • Temporal Key Integrity Protocol - See TKIP.
     • Terminal Access Controller Access Control System - See TACACS.
     • TGS (Ticket-Granting Service) - In Kerberos terminology, an application that runs on
       the KDC that issues ticket-granting tickets to clients so that they need not request a new
       ticket for each new service they want to access.
     • TGT (Ticket-Granting Ticket) - In Kerberos terminology, a ticket that enables a user
       to be accepted as a validated principal by multiple services.
     • three-way handshake - An authentication process that involves three steps.
     • ticket - In Kerberos terminology, a temporary set of credentials that a client uses to
       prove that its identity has been validated by the authentication service.
     • Ticket-granting service - See TGS.
     • ticket-granting ticket - See TGT.
     • TKIP (Temporal Key Integrity Protocol) - An encryption key generation and
       management scheme used by 802.11i.
     • TLS (Transport Layer Security) - A version of SSL being standardized by the IETF
       (Internet Engineering Task Force). With TLS, the IETF aims to create a version of SSL
       that encrypts UDP as well as TCP transmissions. TLS, which is supported by new Web
       browsers, uses slightly different encryption algorithms than SSL, but otherwise is very
       similar to the most recent version of SSL.
     • Transport Layer Security - See TLS.
     • Triple DES (3DES) - The modern implementation of DES, which weaves a 56-bit key
       through data three times, each time using a different key.
     • VPN concentrator - A specialized device that authenticates VPN clients and
       establishes tunnels for VPN connections.
     • war driving - The act of driving while running a laptop configured to detect and
       capture wireless data transmissions.
     • WEP (Wired Equivalent Privacy) - A key encryption technique for wireless networks
       that uses keys both to authenticate network clients and to encrypt data in transit.
     • Wi-Fi Alliance - An international, nonprofit organization dedicated to ensuring the
       interoperability of 802.11-capable devices.
     • Wi-Fi Protected Access - See WPA.
     • Wired Equivalent Privacy - See WEP.
     • WPA (Wi-Fi Protected Access) - A wireless security method endorsed by the Wi-Fi
       Alliance that is considered a subset of the 802.11i standard. In WPA, authentication
       follows the same mechanism specified in 802.11i. The main difference between WPA
       and 802.11i is that WPA specifies RC4 encryption rather than AES.
     • WPA2 - The name given to the 802.11i security standard by the Wi-Fi Alliance. The
       only difference between WPA2 and 802.11i is that WPA2 includes support for the older
       WPA security method.