
Information systems slide chapter 2 security


Number of pages: 38
File size: 230 KB

Abraham Torres
CIS 534 Advanced Network Security
Chapter #
Strayer University
01/08/18
Prof Mort Anvari

Secure Technology Classes
A wide range of security technologies exists to provide solutions for securing network access and data transport mechanisms within the corporate network infrastructure:
• Identity technologies
• Security in TCP/IP structure layers
• Virtual Private dial-up security technologies (VPM)
• Public Key Infrastructure and distribution models

Identity Technologies
• Authentication is an extremely critical element because everything is based on who you are.
• In many corporate networks, you would not grant access to specific parts of the network before establishing who is trying to gain access to restricted resources.
• How foolproof the authentication method is depends on the technology used.

Identity Product Technology
• Secure Password Protocol (S/Key)
• Token Password Authentication Schemes
• Point-to-Point Protocol (PPP)
• The TACACS+ Protocol
• The RADIUS Protocol
• The Kerberos Protocol

Secure Key Password Protocol
The S/Key One-Time Password System, released by Bellcore and defined in RFC 1760, is a one-time password generation scheme based on MD4 and MD5. The S/Key protocol is designed to counter a replay attack when a user is attempting to log in to a system. It involves three distinct steps:
• Preparation step: The client enters a secret pass phrase. This pass phrase is concatenated with the seed that was transmitted from the server in cleartext.
• Generation step: Applies the secure hash function multiple times, producing a 64-bit final output.
• Output function: Takes the 64-bit one-time password and displays it in readable form.

Token Password Authentication
Token authentication systems generally require the use of a special smart card or token card. Although some implementations are done using software to alleviate the problem of losing the smart card or token, these types of authentication mechanisms are based on one of two alternative schemes:
• Challenge-Response
• Time-Synchronous Authentication

Steps for Authentication
Step 1: The user dials into an authentication server, which then issues a prompt for a user ID.
Step 2: The user provides the ID to the server, which then issues a challenge, a random number that appears on the user's screen.
Step 3: The user enters that challenge number into the token or smart card, a credit-card-like device, which then encrypts the challenge with the user's encryption key and displays a response.
Step 4: The user types this response and sends it to the authentication server. While the user is obtaining a response from the token, the authentication server calculates what the appropriate response should be, based on its database of user keys.
Step 5: When the server receives the user's response, it compares that response with the one it has calculated.

[Figure: Time-Synchronous Token Authentication. Labels: Client User, Authentication Server, Dial into server, Prompt for access code, User enters PIN, Token card displays digits, Compare.]

Point-to-Point Protocol
• The Point-to-Point Protocol (PPP) is most often used to establish a dial connection over serial lines or ISDN.
• PPP authentication mechanisms include the Password Authentication Protocol (PAP), the Challenge Handshake Protocol (CHAP), and the Extensible Authentication Protocol (EAP).
• In all these cases, the peer device is being authenticated rather than the user of the device.
• PPP provides for an optional authentication phase before proceeding to the network-layer protocol phase.

Point-to-Point Frame Format
Flag | Address | Control | Protocol | Data | FCS | Flag

PPP Authentication Summary
• PAP. Strength: easy to implement. Weakness: does not have strong authentication; password is sent in the clear between client and server; no playback protection.
• CHAP. Strength: password encrypted between client and server; playback protection. Weakness: password must be stored in cleartext on both client and server.
• EAP. Strength: flexible, more robust authentication support. Weakness: new; may not yet be widely deployed.

IPSec
• General IP Security mechanisms
• Provides:
  • authentication
  • confidentiality
  • key management
• Applicable to use over LANs, across public & private WANs, & for the Internet

Benefits of IPSec
• In a firewall/router, provides strong security to all traffic crossing the perimeter
• Is resistant to bypass
• Is below the transport layer, hence transparent to applications
• Can be transparent to end users
• Can provide security for individual users if desired

IP Security Architecture
• Specification is quite complex
• Defined in numerous Request For Common Architectures (RFC):
  • RFC 2401: The IP Security Architecture
  • RFC 2402: The IP Authentication Header (AH)
  • RFC 2406: The IP Encapsulation Security Payload (ESP)
  • RFC 2408: The Internet Security and Key Management Protocol (ISAKMP)
• Many others, grouped by category
• Mandatory in IPv6, optional in IPv4

[Figure: IPSec Uses]

IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality

Virtual Private Dial-up Security Technologies
Enable large enterprises to extend their private networks across dial-up lines, instead of incurring large costs to ensure security by dialing into a campus site from anywhere in the world, or lessening security by dialing in locally and using the Internet as the transport to get to the main enterprise campus.

Dial-Up Protocols Layers
The Layer 2 Forwarding (L2F) Protocol
• Created by Cisco Systems.
• It permits the tunneling of the link layer (that is, High-Level Data Link Control (HDLC), async HDLC, or Serial Line Internet Protocol (SLIP) frames) of higher-level protocols.

Dial-Up Protocols
The Point-to-Point Tunneling Protocol
• Was initiated by Microsoft.
• It is a client/server architecture that allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network and decouples functions that exist in current NASs.
The Layer 2 Tunneling Protocol (L2TP)
• Cisco and Microsoft, along with other vendors, have collaborated on a single standard: a track protocol within the IETF, which is now called Layer 2 Tunneling Protocol (L2TP).

Public Key Infrastructure
• The purpose of a Public Key Infrastructure (PKI) is to provide trusted and efficient key and certificate management to support these protocols.
• A PKI is defined by the Internet X.509 Public Key Infrastructure PKIX Roadmap ("work in progress"): the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke certificates based on public-key cryptography.
• A PKI consists of the following five types of components:

PKI Components
• Certification Authorities (CAs) that issue and revoke certificates
• Organizational Registration Authorities (ORAs) that vouch for the binding between public keys, certificate holder identities, and other attributes
• Certificate holders that are issued certificates and that can sign digital documents
• Clients that validate digital signatures and their certification paths from a known public key of a trusted CA
• Repositories that store and make available certificates and Certificate Revocation Lists (CRLs)
Source: NIST Special Publication 800-15, Minimum Interoperability Specification for PKI Components, Version 1, September 1997, by William Burr, Donna Dodson, Noel Nazario, and W. Timothy Polk.

Functions of a PKI
• Registration
• Initialization
• Certification
• Key Pair Recovery
• Key Generation
• Key Update
• Cross-Certification
• Revocation

[Figure: A Sample Scenario Using a PKI]

Certificates
Certificates are used in the process of validating data. Specifics vary according to which algorithm is used, but the general process works as follows:
• The recipient of signed data verifies that the claimed identity of the user is in accordance with the identity contained in the certificate.
• The recipient validates that no certificate in the path has been revoked, and that all certificates were within their validity periods at the time the data was signed.
• The recipient verifies that the data does not claim to have any attributes for which the certificate indicates that the signer is not authorized.
• The recipient verifies that the data has not been altered since it was signed, by using the public key in the certificate.

The X.509 Certificate
• The X.509 standard constitutes a widely accepted basis for a PKI infrastructure, defining data formats and procedures related to the distribution of public keys using certificates digitally signed by CAs.
• RFC 1422 specified the basis of an X.509-based PKI, targeted primarily at satisfying the needs of Internet privacy enhanced mail (PEM).
• The current standards define the X.509 Version 3 certificate and Version 2 CRL.

The X.509 V3 Certificate
Every certificate contains three main fields:
• Certificate Body
  • Version Number
  • Serial Number
  • Issuer
  • Subject
  • Subject's Public Key (Algorithm, Key)
  • Validity Period (not before, not after)
  • Optional Extensions
• Signature Algorithm
• Signature

The X.509 V2 CRL
• X.509 V2 defines one method of certificate revocation.
• This method requires each CA to periodically issue a signed data structure called a Certificate Revocation List (CRL).
• A CRL is a time-stamped list that identifies revoked certificates.
• Each revoked certificate is identified in a CRL by its certificate serial number.

The Lightweight Directory Access Protocol
• Is used for accessing online directory services.
• LDAP was developed by the University of Michigan in 1995 to make it easier to access
• LDAP is specially targeted at management applications and browser applications that provide read/write interactive access to directories.
• LDAP is intended to be a complement to the X.500 DAP.
• The LDAP V2 protocol is defined in RFC 1777.

Summary
This chapter detailed many of the current and evolving technologies relating to security. One of the most important security considerations is establishing the identity of the entity that wants to access the corporate network. This process usually entails authenticating the entity and subsequently authorizing that entity and establishing access controls. Some protocols are specifically designed to authenticate only end users (people) or end devices (hosts, routers). Frequently, you have to combine the two protocols so that both end users and the end devices they are using to access the network are authenticated.

In addition to establishing identity, you must ensure data integrity and confidentiality; that is, you must protect the data traversing the corporate network. Many technologies exist to provide security services for various TCP/IP layers. Although Application layer security protocols provide the most flexibility for application-specific parameters, using a different security protocol for every application is not practical. Transport security protocols such as SSL and SSH are widely deployed. SSL is bundled into many Web servers and clients and has become a de facto standard in securing Web transactions; SSH is most often used for securing Telnet or FTP transactions. IPsec is becoming widely deployed and can offer security services for the Transport and Application layer traffic on a per-packet basis. IPsec should be able to secure Telnet, FTP, and Web traffic but may be harder to scale until client support is more readily available on many platforms.

... interoperable security products to provide flexible, modular security for the networked information systems across the Defense Information Infrastructure (DII) and the National Information Infrastructure...

... addressing scheme to encompass domain-name and IPv6 addresses

Network Layer Security
Network Layer security pertains to security services at the IP layer of the TCP/IP protocol stack. Many
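The three S/Key steps from the Secure Key Password Protocol slide, and why a captured password cannot be replayed, shown as an added example that is not part of the original slides. Assumptions: MD5 folded to 64 bits by XOR as the hash step, seed-then-pass-phrase concatenation order, hex output in place of the word-based readable form, and the hypothetical names `Server`, `otp` and `demo` with constructed sample values.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    """One hash application: MD5, folded from 128 to 64 bits by XORing the halves."""
    d = hashlib.md5(value).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Preparation (seed + pass phrase) followed by `count` further hash applications."""
    value = step((seed + passphrase).encode())   # concatenation order is an assumption
    for _ in range(count):
        value = step(value)
    return value

class Server:
    """Holds the last accepted one-time password and a counter, never the pass phrase."""
    def __init__(self, seed: str, count: int, initial: bytes):
        self.seed, self.count, self.stored = seed, count, initial

    def challenge(self):
        # Sent in cleartext: the seed and the sequence number the client must use.
        return self.seed, self.count - 1

    def verify(self, candidate: bytes) -> bool:
        # A valid candidate hashes (once) to the stored value; then it replaces it.
        if self.count < 1 or not hmac.compare_digest(step(candidate), self.stored):
            return False
        self.stored, self.count = candidate, self.count - 1
        return True

def demo():
    seed, phrase, n = "ke1234", "constructed pass phrase", 5   # constructed sample values
    server = Server(seed, n, otp(phrase, seed, n))
    s, c = server.challenge()
    first = otp(phrase, s, c)
    accepted = server.verify(first)       # fresh password is accepted
    replayed = server.verify(first)       # the same password sent again is rejected
    s, c = server.challenge()
    wrong = server.verify(otp("wrong phrase", s, c))
    following = server.verify(otp(phrase, s, c))
    return accepted, replayed, wrong, following, first.hex()

if __name__ == "__main__":
    print(demo())
```

An eavesdropper who captures one password would have to invert the hash to obtain the next one, which is the replay protection the slide refers to; when the counter reaches zero the user has to be re-initialized with a new seed or pass phrase.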

Date posted: 08/01/2018, 10:37