Your SlideShare is downloading. ×
Chapter 13 Outline (567.0K)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Chapter 13 Outline (567.0K)

292
views

Published on


0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
292
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Chapter 13, Network Security |1| Chapter Overview A. Password Protection B. Security Models C. Firewalls D. Security Protocols Chapter 13, Lesson 1 Password Protection |2| 1. Using Passwords A. Passwords are the most common method of securing network resources. B. There are security mechanisms other than passwords. 1. Smart cards a. Credit card-like devices with a magnetic strip b. Must be run through a card reader connected to a computer for a user to access the network 2. Biometric devices a. Identify users by scanning unique physical characteristics, such as thumbprints or retina patterns C. Passwords can be an effective security mechanism, or they can be useless, depending on how they are used. 1. The strength of any password protection is based on the password policies that administrators set. 2. When users create their own passwords, they tend to choose short, simple ones, or use information that is easy to guess, such as birthdays or initials, or they use no password at all. 3. Assigning complex passwords to users can be equally ineffective, because the users might be compelled to write them down and leave them in obvious places. 4. The object is to find a middle ground between these two extremes. D. Most operating systems include tools that enable administrators to impose password policies on users. 1. Users can be forced to a. Choose passwords of a specific length b. Change passwords at regular intervals 2. These tools provide a middle ground that lets users choose effective passwords that they can remember easily. 3. Password policies are typically available in network operating systems that use a directory service to authenticate users and grant them access to network resources. a. You can set password policies on Windows 2000 and Microsoft Windows NT domain controllers and Novell NetWare servers.
  • 2. b. You cannot set password policies in Microsoft Windows Me, Microsoft Windows 98, or Microsoft Windows 95. |3| 2. User Account Password Settings A. When you create a new user account in Windows 2000 or Windows NT, you can use the following check boxes in the New Object – User dialog box to control the basic password policies for the account: 1. User Must Change Password At Next Logon. Allows the administrator to assign the same password to each new user account created and forces the user to change that password during the first logon a. The administrator can password-protect the new accounts without having to track individual password assignments. 2. User Cannot Change Password. Prevents users from changing the password assigned to the account during its creation a. If an administrator elects to assign passwords to users, activating this option on all accounts ensures that he or she retains control over the password assignments. 3. Password Never Expires. Overrides other policies that cause passwords to expire after a specified time a. Users can still change their passwords at will, but they are not required to do so. 4. Account Is Disabled. Allows the administrator to temporarily prevent access to an account, eliminating the need to delete and re-create the account 3. Specifying Password Lengths A. Users tend to choose short passwords, because they are easier to type and remember, or use no password at all. 1. Short passwords are mathematically easier to guess. B. Most network operating systems let the administrator set a minimum password length requirement. 1. Longer passwords are harder to penetrate. 2. Windows 2000 supports passwords of up to 104 characters. 3. Windows NT supports passwords of up to 14 characters. 4. For most networks, a minimum password length of five or six characters is sufficient. a. Higher security might call for eight characters or more. C. In Windows 2000, you set password length restrictions by using the Group Policy feature. |4| 1. You can apply policies to domains, sites, or organizational units. |5| 2. When you activate the Minimum Password Length policy, you specify the minimum number of password characters by using the Security Policy Setting dialog box. 2 Outline, Chapter 13 Network+ Certification, Second Edition
  • 3. 4. Setting Password Change Intervals A. Passwords should be changed regularly. B. Administrators can set a policy that forces users to change their passwords at specified intervals. 1. Typically, the user sees an extra dialog box when logging on after the change interval has expired. a. The dialog box forces the user to specify a new password before being granted access to the network. 2. Some administrators assign an initial password to an account to keep it secure and then force users to change that password during their first logon. |6| C. Windows 2000 has a Group Policy called Maximum Password Age that forces users to change their passwords at intervals of a specified number of days. D. Some users try to circumvent this policy by changing their passwords and then immediately changing them back again. 1. The following additional policies in the Windows 2000 Local Security Policy console can be used to prevent this: a. Enforce Password History. Allows you to specify the number of previous passwords that the operating system remembers for each user (1) When users change their passwords as required by the Maximum Password Age policy, they cannot reuse any of the previous passwords stored in the history. b. Minimum Password Age. Forces users to wait a specified number of days after changing their passwords before they can change them again (1) This prevents users from rapidly changing their passwords several times in a few minutes in an attempt to outmaneuver the history feature. 5. Enforcing Password Complexity A. Complex passwords are more difficult for intruders to guess. B. In most operating systems, passwords are case-sensitive. C. Mixing cases is a good way to make passwords more complex. 1. Example: FluFFy is a much better password than fluffy. D. Adding numbers and symbols to passwords makes them even more complex. 1. Example: FluFFy_9 is a better password than FluFFy. 2. Another technique is to take a sentence and use the first letter of each word to form a password, converting some words to numbers in the process. a. Example: the sentence “I eat fish for dinner every Friday” can become Ief4deF, a password that is extremely difficult to guess. Outline, Chapter 13 3 Network+ Certification, Second Edition
  • 4. |7| E. Windows 2000 and Windows NT have a Passwords Must Meet Complexity Requirements policy that can be used to compel users to select complex passwords. 1. In Windows, a complex password is one that meets all of the following criteria: a. The password must contain at least six characters. b. The password cannot contain any part of the account’s user name. (1) Example: the password for an account with the name abaldwin cannot be abaldwin or contain baldwin, bald, and so forth. c. The password must include three of the following four character types: uppercase letters, lowercase letters, numerals, and symbols. 2. To use this policy in Windows NT, you must install the password filter module (PASSFILT.DLL). 6. Controlling Password Encryption A. Most operating systems store user passwords in encrypted form. B. The encryption algorithm used on the passwords in a Windows 2000 system is not reversible, by default. C. You can modify the default by enabling the Store Password Using Reversible Encryption For All Users In The Domain policy. 1. This causes the system to use an encryption method that can be reversed to recover forgotten passwords. 7. Setting Account Lockout Policies A. The brute force method of penetrating passwords is to keep guessing at the password until you discover it. B. An account lockout policy limits the number of password attempts a user is allowed. |8| C. Windows 2000 has three account lockout policies: 1. Account Lockout Duration. Specifies how long (in minutes) accounts should remain locked when the user exceeds the account lockout threshold a. Setting the value of this policy to 0 causes accounts to remain locked out until an administrator manually releases them. 2. Account Lockout Threshold. Specifies the number of logon attempts that users are allowed before their accounts are locked a. When the account is locked, no future logon attempts are permitted until the account is reset. b. Typographic errors, improper case, or forgotten passwords are common, so you should generally permit users at least three tries before locking the account. c. A value of 0 disables the lockout function. 3. Reset Account Lockout Counter After. Causes the failed logon counter to reset after a specified amount of time (in minutes) a. When a user logs on successfully, the failed logon counter is reset. 4 Outline, Chapter 13 Network+ Certification, Second Edition
  • 5. b. If the user does not log on successfully, the counter that registers the number of failed logon attempts remains in place until this policy resets the counter. Chapter 13, Lesson 2 Security Models 1. Client/Server and Peer-to-Peer Networks A. The primary difference between client/server networks and peer-to-peer networks is the security models they use. |9| B. Client/server networks 1. User accounts are stored in a central location. 2. A user logs on to the network from a computer that transmits the user name and password to a server, which either grants or denies access to the network. 3. Account information can be stored in a centralized directory service or on individual servers. 4. A directory service, such as the Windows 2000 Active Directory service or the Novell Directory Services (NDS), provides authentication services for an entire network. a. A user logs on once and the directory service grants access to shared resources anywhere on the network. |10| C. Peer-to-peer networks 1. Each computer maintains its own security information and performs its own authentications. 2. Computers on this type of network can function as both clients and servers. 3. When a computer functioning as a client attempts to use resources (called shares) on another computer that is functioning as a server, the server itself authenticates the client before granting it access. D. The two basic security models used by Windows and most other operating systems are called user-level security and share-level security. 2. User-Level Security A. Based on individual accounts created for specific users 1. When you want to grant users permission to access resources on a specific computer, you select the users from a list of user accounts and specify the permissions you want to grant them. |11| a. In Windows 2000, you use a Permissions dialog box to assign permissions to specific users. 2. Windows 2000 and Windows NT always use user-level security, whether they are operating in client/server or peer-to-peer mode. |12| B. In peer-to-peer mode, each computer has its own user accounts. 1. When users log on to their computers, they are authenticated against an account on that system. Outline, Chapter 13 5 Network+ Certification, Second Edition
  • 6. 2. If several people use the same computer, each must have a separate user account (or they must share a single account). 3. When users elsewhere on the network attempt to access server resources on that computer, they are also authenticated against the accounts on the computer that hosts the resources. 4. Example: a. Mark Lee must have an account (mlee) on his own computer to log on to it. b. To access other network resources, there must be an mlee account on each computer that he wants to access. c. If Mark attempts to access a network-attached computer on which there is no mlee account, he is prompted to supply the name and password of an account on that computer. d. If there is an mlee account on the network-attached computer, but with a different password, Mark is prompted to supply the correct password for that account. 5. The user-level, peer-to-peer security model is suitable only for relatively small networks because users must have separate accounts on every computer they want to access. a. If users want to change their account passwords, they must change them on every computer on which they have an account. 6. In this model, users typically maintain the accounts on their computers themselves. a. It would be impractical for an administrator to travel to each computer and create a new account for each new user. |13| C. On a client/server network, user-level security is easier to administer and can support networks of almost any size. 1. Administrators create user accounts in a directory service, such as Active Directory in Windows 2000 or a Windows NT domain. 2. When users log on to their computers, the directory service authenticates them. a. The computer sends the account name and password supplied by the user to a domain controller, where the directory service information is stored. b. The domain controller then checks the credentials and indicates to the computer whether the authentication has succeeded or failed. 3. When you want to allow other network users to gain access to resources on your computer, you select their user accounts from a list provided by the domain controller. 4. With all accounts stored in a centralized directory service, administrators and users can make changes more easily. 3. Share-Level Security |14| A. Windows Me, Windows 98, and Windows 95 cannot maintain their own user accounts. 1. These operating systems can employ user-level security only when they are participating in an Active Directory or Windows NT domain. 6 Outline, Chapter 13 Network+ Certification, Second Edition
  • 7. B. In peer-to-peer mode, Windows Me, Windows 98, and Windows 95 operate by using share-level security. 1. In share-level security, users assign passwords to the individual shares they create on their computers. 2. When network users want to access a share on another computer, they must supply the appropriate password. 3. The share passwords are stored on the individual computers. 4. When sharing drives, users can specify two different passwords to provide both read-only access and full control of the share. 5. Disadvantages of share-level security a. It is not as flexible as user-level security. b. It does not provide as much protection as user-level security. (1) Because everyone uses the same password to access a shared resource, it is difficult to keep the passwords secure. c. Changing a password means informing everyone who might have to use that resource. 6. The advantage of share-level security is that even unsophisticated users can learn to set up and maintain their own share passwords. a. This eliminates the need for constant attention from a network administrator. Chapter 13, Lesson 3 Firewalls |16| 1. What Is a Firewall? A. A firewall is a hardware or software product designed to protect a network from unauthorized access by outside parties. 1. Networks that are connected to the Internet must have some sort of firewall to protect them from Internet intruders. 2. Firewalls can also protect one section of the network from the rest of the network. B. A firewall is a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether it should be permitted to pass to the other network. 1. Firewalls can be a. Dedicated hardware devices (essentially routers with additional software that monitors incoming and outgoing traffic) b. Software products that run on a standard computer 2. At one time, all firewalls were complex, extremely expensive, and used only in professional network installations. a. Today, there are also inexpensive firewall software products designed to protect a small network or even an individual computer from unauthorized access through an Internet connection. |17| 2. Packet Filtering A. The most basic type of firewall Outline, Chapter 13 7 Network+ Certification, Second Edition
  • 8. B. Functions 1. Examines arriving packets 2. Decides whether to allow the packets access to the network, based on the information found in the protocol headers used to construct the packets C. Packet filtering can occur at several layers of the Open Systems Interconnection (OSI) reference model. characteristics: 1. Hardware addresses a. Packet filtering based on hardware addresses enables only certain computers to transmit data to the network. b. Not used to protect networks from unauthorized Internet access c. Use this technique in an internal firewall to permit only specific computers to access a particular network. 2. IP addresses a. Permit only traffic destined to or originating from specific addresses to pass through to the network b. If you have a public Web server on your network, you can configure a firewall to admit only the Internet traffic that is destined for that server’s IP address. (1) Prevents Internet users from accessing any of the other computers on the network 3. Protocol identifiers a. Filter packets based on the protocol that generated the information carried within an IP datagram, such as the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), or the Internet Control Message Protocol (ICMP) 4. Port numbers a. Filter packets based on the source or destination port number specified in a packet’s transport layer protocol header (1) Called service-dependent filtering b. Port numbers identify the application or service that generated the packet or service that the packet is destined for. c. You can configure a firewall to permit network users to access the Internet using ports 110 and 25 (the well-known port numbers used for incoming and outgoing e-mail) but deny them Internet access using port 80 (the port number used to access Web servers). E. The strength of the protection provided by packet filtering is its ability to combine the various types of filters. 1. Example: you might want to permit Telnet traffic into your network from the Internet, so that network support personnel can remotely administer certain computers. a. However, leaving port 23 (the Telnet port) open to all Internet users is a potentially disastrous security breach. b. Therefore, you can combine the port number filter with an IP address filter to permit only certain computers (those of the network administrators) to access the network using the Telnet port. 8 Outline, Chapter 13 Network+ Certification, Second Edition
  • 9. F. Packet filtering capabilities are usually provided with a standard router. 1. Windows 2000 includes its own basic packet filtering mechanism. G. Packet filtering usually does not have a major effect on the router’s throughput, unless you create a large number of filtering rules. 1. The router must process each packet individually against the filtering rules you create, so a very complex system of filters can conceivably slow the network down. H. The main drawback of packet filtering is that it requires a detailed understanding of TCP/IP communications and the techniques that potential intruders use. 1. You must be ready to modify your filters to counteract new techniques developed by intruders. |19| 3. NAT A. NAT is the acronym for network address translation. B. A network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses 1. If you connect a network to the Internet without firewall protection, you must use registered IP addresses. a. Registered IP addresses are visible from the Internet. b. Any user on the Internet can access your network’s computers and their resources. C. Allows you to assign unregistered IP addresses to your computers 1. These addresses fall into a range of addresses designated for use on private networks. 2. The addresses are not registered to any Internet user, and are therefore not visible from the Internet, preventing outside users from accessing them. a. An Internet server cannot send packets to your network, so your users can send traffic to the Internet but cannot receive it. D. To make normal Internet communications possible, the router that provides Internet access can use NAT. 1. When one of the computers on your network attempts to access an Internet server by using a Web browser, the Hypertext Transfer Protocol (HTTP) request packet it generates contains its own private IP address in the IP header’s Source IP Address field. 2. When this packet reaches the router, the NAT software substitutes its own registered IP address for the client computer’s private address and sends the packet on to the designated server. 3. When the server responds, it addresses its reply to the NAT router’s IP address. 4. The router inserts the original client’s private address into the Destination IP Address field and sends the packet on to the client system. E. The NAT router functions as an intermediary between the private network and the Internet. Outline, Chapter 13 9 Network+ Certification, Second Edition
  • 10. 1. Because only the router’s registered IP address is visible to the Internet, it is the only computer that is vulnerable to attack. F. NAT is implemented in numerous firewall products, ranging from high- end routers used on large corporate networks to inexpensive Internet connection-sharing solutions designed for small networks. 1. The Internet Connection Sharing (ICS) feature included with the latest versions of Windows is based on the principle of NAT. |20| 4. Proxy Servers A. Similar to NAT routers, except that they function at the application layer of the OSI reference model B. A proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access. 1. Clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server. 2. The Internet server replies to the proxy server, which relays the response to the client. C. A proxy server renders the private network invisible to the Internet and also provides other features. 1. Proxy servers can cache the information they receive from the Internet. a. If another client requests the same information, the proxy can supply it immediately from its cache instead of issuing another request to the Internet server. 2. Administrators can configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services. a. You can configure most Web proxy servers to permit user access only to specific Web sites. D. The main problem with proxy servers is that you sometimes must configure applications to use them. |21| 1. Configuring a client computer to use proxies for a variety of applications can be time-consuming. 2. Some proxy clients and servers now have automatic detection capabilities that enable a client application to discover the proxy servers on the network and use them. E. Generally, proxy servers are the preferred solution when you want to impose greater restrictions on your users’ Internet access. 1. NAT provides more general Internet access without any unusual client configuration and still provides a similar degree of protection. Chapter 13, Lesson 4 Security Protocols 1. Security Protocol Standards A. Applications and operating systems use security protocols to protect data transmitted over the network. 10 Outline, Chapter 13 Network+ Certification, Second Edition
  • 11. B. Security protocols include 1. IPSec 2. Layer 2 Tunneling Protocol (L2TP) 3. Secure Sockets Layer (SSL) 4. Kerberos C. Functions 1. Implement specific types of data encryption 2. Define how the communicating computers exchange the information needed to read each other’s encrypted transmissions |22| 2. IPSec A. IPSec is the acronym for Internet Protocol Security. B. Colloquial term for a series of draft standards published by the Internet Engineering Task Force (IETF) C. Defines a methodology that uses authentication and encryption to secure data transmitted over a local area network (LAN) 1. Most security protocols that encrypt data transmitted over a network are designed for use on the Internet or for specialized traffic between specific types of clients and servers. 2. IPSec is a standard to protect data as it is transmitted over a LAN. D. IPSec consists of two separate protocols that provide different levels of security protection. 1. IP Authentication Header (AH) 2. IP Encapsulating Security Payload (ESP) 3. Using the two protocols together provides the best security IPSec can offer. |23| E. IP AH protocol 1. Provides authentication and guaranteed integrity of IP datagrams 2. Adds an extra header, right after the IP header, to the datagrams generated by the transmitting computer 3. When you use AH, the Protocol field in the IP header identifies the AH protocol instead of the transport layer protocol contained in the datagram. 4. The AH header contains the following: a. A sequence number that prevents unauthorized computers from replying to a message b. An integrity check value (ICV) that the receiving computer uses to verify that incoming packets have not been altered |24| F. IP ESP protocol 1. Provides datagram encryption 2. Encapsulates the transport layer data in each datagram, using its own header and trailer 3. Encrypts all of the data following the ESP header 4. Also contains a sequence number and an ICV G. Using IPSec on a LAN Outline, Chapter 13 11 Network+ Certification, Second Edition
  • 12. 1. Both the transmitting and receiving systems must support the protocols. 2. Because all of the information that IPSec adds to packets appears inside the datagram, intermediate systems such as routers do not have to support the protocols. 3. Many of the major network operating systems support IPSec, including Windows 2000 and various forms of UNIX. 4. In Windows 2000, you configure the TCP/IP client to use IPSec in the Options tab of the Advanced TCP/IP Properties dialog box. a. After you select IP Security and clicking Properties, the IP Security dialog box appears. b. After you select the Use This IP Security Policy option, you can choose from the following policies: (1) Client (Respond Only). Configures the computer to use IPSec only when another computer requests it (2) Secure Server (Require Security). Configures the computer to require IPSec for all communications; denies connection attempts from computers that do not support IPSec (3) Server (Request Security). Configures the computer to request the use of IPSec for all communications but to allow connections without IPSec when the other computer does not support it H. IPSec can operate in two modes: transport mode and tunnel mode. 1. The IPSec functionality described in the previous section (section G) refers to transport mode operation. a. The upper layer data carried inside a datagram is protected by authentication or encryption. I. Tunnel mode operation 1. Intended for gateway-to-gateway communications, such as those used in virtual private networks (VPNs) 2. When two computers establish a VPN link across the Internet, the transmitting computer that originally generated the packet sends a normal datagram to a gateway (or router) that provides access to the Internet. 3. The gateway, operating in tunnel mode, then encapsulates each entire datagram (including the IP header) within another datagram, and IPSec encrypts and authenticates the entire construction. a. The outer datagram functions as an encrypting “tunnel” through which the upper layer data travels in complete safety. 4. After passing through the Internet and on reaching the gateway leading to the destination computer, the outer datagram is stripped away and the data inside is authenticated and decrypted. 5. The gateway then forwards the original (unencrypted) datagram to the destination end system. a. For this type of communication, the end systems involved in the transaction do not even need to support IPSec. 12 Outline, Chapter 13 Network+ Certification, Second Edition
  • 13. 3. L2TP |25| A. L2TP characteristics 1. L2TP is the acronym for Layer 2 Tunneling Protocol. 2. Derived from the Cisco Systems Layer 2 Forwarding protocol and the Microsoft Point-to-Point Tunneling Protocol (PPTP) 3. Now defined by an IETF document 4. IPSec can operate in tunnel mode independently or with L2TP. B. L2TP creates a tunnel by encapsulating Point-to-Point Protocol (PPP) frames inside UDP packets. 1. Even if the PPP frame contains connection-oriented TCP data, it can be carried inside a connectionless UDP datagram. 2. The PPP frame can even contain Internetwork Packet Exchange (IPX) or NetBIOS Extended User Interface (NetBEUI) data. C. L2TP has no encryption capabilities of its own. 1. L2TP uses the IPSec ESP protocol to encapsulate and encrypt the entire UDP datagram containing the PPP frame. D. By the time the data is transmitted over the network, each packet consists of the original upper layer application data encapsulated within a PPP frame. 1. The PPP frame in turn is encapsulated by an L2TP frame, a UDP datagram, an ESP frame, an IP datagram, and finally another PPP frame. a. At this point the packet is ready for transmission. 4. SSL |26| A. SSL characteristics 1. SSL is the acronym for Secure Sockets Layer. 2. A special-purpose security protocol that is designed to protect the data transmitted between Web servers and their client browsers 3. Virtually all of the Web servers and browsers available today support SSL. a. Example: when you access a secured site on the Internet to purchase a product with a credit card, your browser is probably using SSL to communicate with the server. b. If your browser displays the protocol heading https:// in its address field instead of http://, then you are connecting to a secured site. 4. Like IPSec, SSL provides authentication and encryption services. a. Authentication is performed by the SSL Handshake Protocol (SSLHP), which also negotiates the method to be used to encrypt the data. b. The SSL Record Protocol (SSLRP) packages the data in preparation for its encryption. 5. When a Web browser connects to a secured server, the server transmits a digital certificate to the client that it has obtained from a third-party certificate authority (CA). Outline, Chapter 13 13 Network+ Certification, Second Edition
  • 14. a. The client then uses the CA’s public key, which is part of its SSL implementation, to extract the server’s public key from the certificate. b. When the browser has the server’s public key, it can decipher the encrypted data sent to it by that server. 5. Kerberos |27| A. Kerberos characteristics 1. Kerberos is an authentication protocol typically used by directory services, such as Active Directory, to provide users with a single network logon capability. 2. Developed at the Massachusetts Institute of Technology and now standardized by the IETF 3. When a server running Kerberos (called an authentication server) authenticates a client, the server grants that client the credentials needed to access resources anywhere on the network. 4. Windows 2000 and other operating systems rely heavily on Kerberos to secure their client/server network exchanges. B. The Kerberos authentication sequence 1. When a client logs on to a network that uses Kerberos, it sends a request message to an authentication server, which already possesses the account name and password associated with that client. 2. The authentication server responds by sending a ticket-granting ticket (TGT) to the client, which is encrypted using a key based on the client’s password. 3. Once the client receives the TGT, it prompts the user for the password and uses it to decrypt the TGT. a. Because only that user (presumably) has the password, this process serves as an authentication. 4. Now that the client possesses the TGT, it can access network resources by sending a request to a ticket-granting server (TGS) containing an encrypted copy of the TGT. a. The TGS may or may not be the same as the authentication server. 5. The TGS, on decrypting the TGT and verifying the user’s status, creates a server ticket and transmits it to the client. a. The server ticket allows a specific client to access a specific server for a limited length of time. b. The ticket also includes a session key, which the client and the server can use to encrypt the data transmitted between them, if necessary. 6. The client transmits the server ticket (which the TGS encrypted with a key that the server already possesses) to that server. a. Upon decrypting the ticket, the server grants the client access to the desired resource. |28| Chapter Summary A. Password policies ensure that users choose effective passwords. 14 Outline, Chapter 13 Network+ Certification, Second Edition
  • 15. B. User-level security requires a separate account for each user. C. In share-level security, all users access shares by using the same passwords. D. A firewall is a hardware or software product that protects a network from unauthorized access, using techniques such as packet filtering, NAT, or proxy servers. E. Applications and operating systems use security protocols, such as IPSec, L2TP, SSL, and Kerberos, to protect their data as it is transmitted over the network. Outline, Chapter 13 15 Network+ Certification, Second Edition