Part05 communication security



Slides 1 to 6 (dated 3/7/2012)

Slide 1: Communication Security
IT Faculty, DaLat University, March 2012
Presenter: Phan Thi Thanh Nga

Slide 2: Contents
  • Remote Access Technology
  • Email Security
  • Internet Security
  • Directory Security
  • Wireless

Slide 3: Remote Access Technology
  • Virtual Private Network (VPN)
  • Remote Authentication Dial-In User Service (RADIUS)
  • Terminal Access Controller Access Control System (TACACS)
  • Secure Shell (SSH)
  • Internet Protocol Security (IPSec)

Slide 4: Virtual Private Network (VPN)
  • A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network.
  • VPNs can be used to connect two networks across the Internet, or to allow distant clients to connect into an office LAN across the Internet.

Slides 5 and 6: Virtual Private Network (VPN) (diagrams only)
Slides 7 to 12

Slide 7: Virtual Private Network (VPN)
  • Once a VPN link is established, the network connectivity for the VPN client is exactly the same as a LAN connected by a cable connection.
  • The only difference between a direct LAN cable connection and a VPN link is speed.

Slide 8: Virtual Private Network (VPN)
VPNs provide four critical functions:
  • Access control: restricts users from accessing resources on a network
  • Authentication: proves the identity of communication partners
  • Confidentiality: prevents unauthorized disclosure of secured data
  • Data integrity: prevents unwanted changes of data while in transit

Slide 9: Virtual Private Network (VPN)
  • VPN links are established using VPN protocols. There are several VPN protocols, but the three you should recognize are:
      • Point-to-Point Tunneling Protocol (PPTP)
      • Layer 2 Tunneling Protocol (L2TP)
      • Internet Protocol Security (IPSec)
  • As with any type of remote access connection, VPN clients can be authenticated through RADIUS.

Slide 10: RADIUS
  • RADIUS is a centralized authentication system.
  • RADIUS is known as an AAA server.

Slide 11: TACACS
  • Terminal Access Controller Access Control System (TACACS) is another example of an AAA server.
  • TACACS is a centralized remote access authentication solution similar to RADIUS; it uses ports TCP 49 and UDP 49.

Slide 12: TACACS (diagram only)
Slides 13 to 18

Slide 13: Secure Shell (SSH)
  • Secure Shell (SSH) is a secure replacement for Telnet, rlogin, rsh, and rcp.
  • SSH transmits both authentication traffic and data in a secured, encrypted form.
  • SSH operates over TCP port 22.
  • More details: student's presentation.

Slide 14: Internet Protocol Security (IPSec)
  • Internet Protocol Security (IPSec) is both a stand-alone VPN protocol and a module that can be used with L2TP.
  • IPSec can be used in dial-up or network-to-network connections.

Slide 15: Internet Protocol Security (IPSec)
  • Two of the primary protocols of IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP).
      • AH provides authentication of the sender's data.
      • ESP provides encryption of the transferred data as well as limited authentication.
  • IPSec operates at OSI Model layer 3.

Slide 16: Internet Protocol Security (IPSec)
  • IPSec can operate in two modes: tunnel mode and transport mode.

Slide 17: Email Security
  • Internet-based e-mail relies primarily on a single protocol: Simple Mail Transfer Protocol (SMTP).
  • SMTP has proven itself over the last 20+ years as a reliable e-mail delivery system.
  • But it has a nearly complete lack of security: SMTP doesn't offer encryption for transmitted messages.

Slide 18: Email Security
  • Several encryption options have been developed to add security to e-mail used over the Internet: S/MIME and PGP.
Slides 19 to 24

Slide 19: S/MIME
  • S/MIME is an Internet standard for encrypting email.
  • S/MIME uses RSA (an asymmetric encryption scheme) to encrypt and protect e-mail.

Slide 20: S/MIME
  • Restriction: all communication partners must have compatible S/MIME products installed and use a common or compatible source for their asymmetric encryption key pairs.
  • Pretty Good Privacy's (PGP) digital signature feature is much more popular.

Slide 21: PGP
  • PGP uses RSA or Diffie-Hellman asymmetric cryptography solutions.
  • Another popular feature of PGP is digital signatures.

Slide 22: Internet Security
  • SSL/TLS
  • HTTP/HTTPS
  • FTP / S/FTP / FTP with SSL (FTPS)

Slide 23: SSL/TLS
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to encrypt traffic between a web browser and a web server.
  • SSL and TLS can make web transactions private and secure.
  • SSL can also be used to provide encrypted sessions for other application layer protocols, such as Telnet, FTP, and e-mail.

Slide 24: SSL/TLS
  • To establish the secured session, a six-step handshake process must be completed.
  • SSL uses symmetric keys as the session keys.
  • The session keys are available in 40-bit and 128-bit strengths.
Slides 25 to 30

Slide 25: HTTP/HTTPS
  • HTTP is the standard foundational protocol used on the Web. It operates over TCP port 80.
  • HTTP is a plain text or clear text communication protocol; it offers no session security or privacy to transactions.
  • When SSL or TLS is used to secure transactions, this is known as Hypertext Transfer Protocol over SSL (HTTPS).

Slide 26: HTTP/HTTPS
  • S-HTTP:
      • Doesn't use SSL
      • It encrypts individual web page elements rather than the entire web communication
      • S-HTTP is less secure than HTTPS

Slide 27: Web vulnerabilities
  • JavaScript
  • ActiveX
  • Buffer overflows
  • Cookies
  • Signed applets

Slide 28: Web vulnerabilities
JavaScript
  • A scripting programming language that can be embedded directly into the HTML of a web page.
  • It's executed by the web browser and can be used to perform a wide range of functions, both benign and malicious.

Slide 29: Web vulnerabilities
ActiveX
  • A mobile code technology developed by Microsoft.
  • ActiveX controls or components are stand-alone programs that can be attached to or embedded in web documents to perform a wide range of functions.
  • The ActiveX component is saved to the hard drive and can be accessed at a later time: a significant security issue.

Slide 30: Web vulnerabilities
Buffer overflow
  • Occurs when a program receives input that is larger than it was designed to accept or process.
  • Possible results: a program crash, a system freeze or crash, opening a port, disabling a service, creating a user account, elevating the privileges of an existing user account, accessing a website, or executing a utility.
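Slide 30 defines a buffer overflow as input larger than the program was designed to accept. The C program below is an added example and is not part of the original slides. It models a fixed-size record as a single byte array holding a user-name field followed by an "admin" flag (both names are chosen for the demonstration), so that an unchecked copy of a nine-character name runs past the field and lands on the flag while staying inside defined memory; the length-checked version beside it rejects the oversized input instead of writing past the field.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. One record is laid out as a single
 * byte array: bytes 0..7 hold the user name, byte 8 is an "admin" flag.
 * Keeping both fields in one array keeps the overrun below inside defined
 * memory; a real strcpy() into a separate 8-byte buffer would keep writing
 * into whatever follows it on the stack or heap, with the kinds of outcomes
 * slide 30 lists. */
#define NAME_LEN 8
#define REC_LEN  (NAME_LEN + 1)

struct record {
    unsigned char bytes[REC_LEN];
};

void record_init(struct record *r)
{
    memset(r->bytes, 0, REC_LEN);   /* empty name, admin flag cleared */
}

int record_is_admin(const struct record *r)
{
    return r->bytes[NAME_LEN] != 0;
}

/* Vulnerable: trusts the input length, so a name of 9 or more characters
 * runs past the name field and overwrites the flag that follows it.
 * The clamp to REC_LEN exists only to keep this demonstration inside the
 * array; it is not a security check. */
void set_name_unchecked(struct record *r, const char *input)
{
    size_t n = strlen(input);
    if (n > REC_LEN)
        n = REC_LEN;
    memcpy(r->bytes, input, n);
}

/* Hardened: compares the input length with the field size first, leaves
 * room for the terminator, and refuses oversized input rather than
 * truncating silently. Returns 0 on success, -1 if the name does not fit. */
int set_name_checked(struct record *r, const char *input)
{
    size_t n = strlen(input);
    if (n >= NAME_LEN)              /* at most NAME_LEN - 1 characters plus '\0' */
        return -1;
    memcpy(r->bytes, input, n);
    r->bytes[n] = '\0';
    return 0;
}

int main(void)
{
    /* constructed input: 9 characters, one more than the name field holds */
    const char *oversized = "AAAAAAAAA";
    struct record r;
    int rc;

    record_init(&r);
    set_name_unchecked(&r, oversized);
    printf("unchecked copy: admin flag = %d\n", record_is_admin(&r));

    record_init(&r);
    rc = set_name_checked(&r, oversized);
    printf("checked copy: rc = %d, admin flag = %d\n", rc, record_is_admin(&r));
    return 0;
}
```

The unchecked copy reports the admin flag as set even though nothing ever assigned it; the checked copy returns -1 and leaves the record untouched. The general lesson is the one the slide states: a length check against the destination size, applied before the copy, is what separates the two.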
Slides 31 to 36

Slide 31: Web vulnerabilities
Cookies
  • A tracking mechanism developed for web servers to monitor and respond to a user's viewing of multiple web pages.
  • Cookies are a common means of violating your privacy by gathering information about your identity, logon credentials, surfing habits, work habits, … : a privacy problem.

Slide 32: Web vulnerabilities
Signed Applets
  • A piece of mobile code that has been digitally signed using the creator's or owner's serial certificate.
  • A signed applet only proves the applet's identity or source; it provides no guarantee as to the reliability or quality of the applet.

Slide 33: File Transfer Protocols
  • File Transfer Protocol (FTP) is an in-the-clear file exchange solution.
  • S/FTP encrypts both authentication and data traffic between the client and server; it employs SSH to provide secure FTP communications.

Slide 34: Directory Security
  • Lightweight Directory Access Protocol (LDAP)
  • LDAP is a standardized protocol that enables clients to access resources within a directory service.
  • A directory service is a network service that provides access to a central database of information.

Slide 35: Directory Security
  • Clients can interact with directory service resources through LDAP by using authentication that is at least a minimum of a username and password.
  • It can employ SSL or TLS to provide authentication and data encryption security.
  • LDAP operates over TCP ports 389 and 636.

Slide 36: Directory Security (diagram only)
Slides 37 to 42

Slide 37: Wireless Security
  • Wireless Transport Layer Security (WTLS)
  • 802.11
  • WEP
  • WAP

Slide 38: WTLS
  • The security layer for the Wireless Application Protocol (WAP).
  • Provides the security services of privacy, integrity, and authentication for WAP-supporting networks.
  • Based on TLS.

Slide 39: Wireless Transport Layer Security (WTLS) (diagram only)

Slide 40: 802.11 and 802.11x
  • 802.11 is the IEEE standard for wireless network communications.
  • Various versions of the standard have been implemented in wireless networking hardware, including 802.11a, 802.11b, and 802.11g.
  • 802.11x is often used to collectively refer to all of these specific implementations as a group.

Slide 41: WEP
  • Wired Equivalent Privacy (WEP) is defined by the IEEE 802.11 standard.
  • Provides protection from packet sniffing and eavesdropping against wireless transmissions.
  • It can be configured to prevent unauthorized access to the wireless network.
  • WEP uses a predefined shared secret key.
  • The shared key is static and shared among all wireless access points and device interfaces.
  • A hash value is used to verify that received packets weren't modified or corrupted while in transit.

Slide 42: WAP
  • Wireless Application Protocol (WAP) is often deployed to support wireless handheld devices like PDAs and cell phones.
  • WAP employs WTLS for security.
Slide 43: References
  • James Michael Stewart, Security+ Fast Pass, Sybex, 2004
