
Lecture Security+ Certification: Chapter 4 - Trung tâm Athena


DOCUMENT INFORMATION

Basic information

Pages: 54
Size: 745.92 KB

Content

Chapter 4 - Remote access. Objectives in this chapter: Understand implications of IEEE 802.1x and how it is used, understand VPN technology and its uses for securing remote access to networks, understand how RADIUS authentication works, understand how TACACS+ operates, understand how PPTP works and when it is used,...

Chapter 4: Remote Access

Objectives in this chapter

- Understand implications of IEEE 802.1x and how it is used
- Understand VPN technology and its uses for securing remote access to networks
- Understand how RADIUS authentication works
- Understand how TACACS+ operates
- Understand how PPTP works and when it is used
- Understand how PPTP/L2TP works and when it is used
- Understand how SSH operates and when it is used
- Understand how IPSec works and when it is used
- Understand the vulnerabilities associated with telecommuting

IEEE 802.1x

- The number of users needing access to networks from remote locations is increasing, along with the associated security issues
- The need to identify who is trying to access a specific port on a network has led to the development of the 802.1x standard
- 802.1x is an internet standard created to perform authentication services for remote access to a central LAN
- 802.1x specifies a protocol for transmission between devices accessing the LAN as well as protocol requirements between an authenticator and an authentication server
- Uses SNMP to define levels of access control and behavior of ports providing remote access to LAN environment
- Uses EAP over LAN (EAPOL) encapsulation method
- The PPP Extensible Authentication Protocol (EAP) is a general protocol for PPP authentication which supports multiple authentication mechanisms

802.1x Terminology

- Authenticator - The entity that requires the entity on the other end of the link to be authenticated
- Supplicant - The entity being authenticated by the Authenticator and desiring access to the services of the Authenticator
- Port Access Entity (PAE) - The protocol entity associated with a port. May support functionality of Authenticator, Supplicant or both
- Authentication Server - An entity providing authentication service to the Authenticator

802.1x General Topology

Telnet

- Standard terminal emulation protocol within TCP/IP protocol suite defined by RFC 854
- Utilizes UDP port 23 to communicate
- Allows users to log on to remote networks and use resources as if locally connected

Some advantages of the L2TP/IPSec combination over PPTP are

- IPSec provides per-packet data origin, data integrity, replay protection, and data confidentiality. In contrast, PPTP only provides per-packet data confidentiality
- L2TP/IPSec connections require two levels of authentication: computer-level authentication and user-level authentication
- PPP frames exchanged during user-level authentication are never sent unencrypted because the PPP connection process for L2TP/IPSec occurs after the IPSec security association (SA) is established

Secure Shell (SSH)

- Secure replacement for remote logon and file transfer programs (Telnet and FTP) that transmit data in unencrypted text

How SSH Works

- Once the server receives the request from the client, the two perform a handshake, which includes the verification of the protocol version
- Next, session keys are exchanged between the client and server

IP Security Protocol

- Set of protocols developed by the IETF to support secure exchange of packets at IP layer
- Deployed widely to implement VPNs
- Works with existing and future IP standards
- Transparent to users
- Promises painless scalability
- Handles encryption at packet level using Encapsulating Security Payload (ESP)

IPSec Security Payload

ESP and Encryption Models

- Supports many encryption protocols
- Encryption support is designed for use by symmetric encryption algorithms
- Provides secure VPN tunneling

Telecommuting Vulnerabilities

- Split tunnel: when the remote user is sending traffic to the office network over the VPN, and is also sending traffic to other locations on the Internet (his/her connection to the Internet is not dedicated exclusively to the VPN connection)
- If the VPN client has split tunneling enabled, the client is on both the Internet and the central office network at the same time
- The VPN tunnel can become a direct path for the bad guys into the office network, bypassing your firewall and perimeter defenses

Remote Solutions

- Microsoft Terminal Server
- Citrix Metaframe
- Virtual Network Computing

Summary

- Paramount need for remote access security
- Use of technologies to mitigate some of the risk of compromising the information security of a home network
- Importance of keeping pace with technology changes

... until data reaches provider’s network

Site-to-Site VPN

Remote Access VPN

Service Provider Tunneling

Remote Authentication Dial-in User Service (RADIUS)

- Provides a...

Posted: 30/01/2020, 10:55
