C480 Chapter 12 part 2

verickle's version from 2016-11-01 19:30

Remote-Access Security

Question | Answer
RAS | Microsoft Remote Access Server (RAS) is the predecessor to Microsoft Routing and Remote Access Server (RRAS). RRAS is a Microsoft Windows Server feature that allows Microsoft Windows clients to remotely access a Microsoft Windows network.
RDP | Remote Desktop Protocol (RDP) is a Microsoft protocol that allows a user to view and control the desktop of a remote computer.
PPPoE | Point-to-Point Protocol over Ethernet (PPPoE) is a commonly used protocol between a DSL modem in a home (or business) and a service provider. Specifically, PPPoE encapsulates PPP frames within Ethernet frames. This approach allows an Ethernet connection to leverage the features of PPP, such as authentication.
PPP | Point-to-Point Protocol (PPP) is a common Layer 2 protocol that offers features such as multilink interface, looped link detection, error detection, and authentication.
ICA | Independent Computing Architecture (ICA) is a Citrix Systems proprietary protocol that allows an application running on one platform (for example, Microsoft Windows) to be seen and controlled from a remote client, independent of the client platform (for example, UNIX).
SSH | Secure Shell (SSH) is a protocol used to securely connect to a remote host (typically via a terminal emulator).
Kerberos | Kerberos is a client/server authentication protocol that supports mutual authentication between a client and a server. Kerberos uses the concept of a trusted third party (a key distribution center) that hands out tickets that are used instead of a username and password combination.
AAA | Authentication, authorization, and accounting (AAA) allows a network to have a single repository of user credentials. A network administrator can then, for example, supply the same credentials to log in to various network devices (for example, routers and switches). RADIUS and TACACS+ are protocols commonly used to communicate with a AAA server.
RADIUS | Remote Authentication Dial-In User Service (RADIUS) is a UDP-based protocol used to communicate with a AAA server. Unlike TACACS+, RADIUS does not encrypt an entire authentication packet, but only the password. However, RADIUS does offer more robust accounting features than TACACS+. Also, RADIUS is a standards-based protocol, while TACACS+ is a Cisco proprietary protocol.
TACACS+ | Terminal Access Controller Access-Control System Plus (TACACS+) is a Cisco proprietary TCP-based AAA protocol. TACACS+ has 3 separate and distinct sessions or functions for authentication, authorization, and accounting.
NAC | Network Admission Control (NAC) can permit or deny access to a network based on characteristics of the device seeking admission, rather than just checking user credentials. For example, a client's OS and version of antivirus software could be checked against a set of requirements before allowing the client to access a network. This process of checking a client's characteristics is called posture assessment.
IEEE 802.1X | IEEE 802.1X is a type of NAC that can permit or deny a wireless or wired LAN client access to a network. If IEEE 802.1X is used to permit access to a LAN via a switch port, then IEEE 802.1X is being used for port security. The device seeking admission to the network is called the supplicant. The device to which the supplicant connects (either wirelessly or through a wired connection) is called the authenticator. The device that checks the supplicant's credentials and permits or denies the supplicant access to the network is called an authentication server. Usually, an authentication server is a RADIUS server.
CHAP | Challenge-Handshake Authentication Protocol (CHAP) performs a one-way authentication for a remote-access connection. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network. Password Authentication Protocol (PAP) is an unencrypted plain-text method for password exchange that should be avoided.
MS-CHAP | Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is a Microsoft-enhanced version of CHAP, offering a collection of additional features not present with CHAP, including two-way authentication.
EAP | An Extensible Authentication Protocol (EAP) specifies how authentication is performed by IEEE 802.1X. A variety of EAP types exist: Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Extensible Authentication Protocol-Message Digest 5 (EAP-MD5), and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
Two-factor authentication | Two-factor authentication (TFA) requires two types of authentication from a user seeking admission to a network. For example, a user might have to know something (for example, a password) and have something (such as a specific fingerprint, which can be checked with a biometric authentication device).
Multifactor authentication | Similar to two-factor authentication, multifactor authentication requires two or more types of successful authentication before granting access to a network.
Single sign-on | Single sign-on (SSO) allows a user to authenticate only once to gain access to multiple systems, without requiring the user to independently authenticate with each system.

Virtual Private Networks

Question | Answer
Site-to-site VPN | interconnects two sites, as an alternative to a leased line, at a reduced cost
Client-to-site VPN | interconnects a remote user with a site, as an alternative to dial-up or ISDN connectivity, at a reduced cost
Confidentiality | provided by encrypting data. If a third party intercepts the encrypted data, they would not be able to interpret the data.
Integrity | ensures that data is not modified in transit. For example, routers at each end of a tunnel can calculate a checksum value or a hash value for the data, and if both routers calculate the same value, the data has most likely not been modified in transit.
Authentication | allows parties involved in a conversation to verify that the other party is the party they claim to be
IKE | the protocol used to set up a security association (SA) in the IPsec protocol suite
ISAKMP | the protocol that specifies the mechanics of the key exchange
Transport mode | uses a packet's original IP header, as opposed to adding an additional tunnel header. This approach works well in networks where increasing a packet's size might cause an issue.
Tunnel mode | encapsulates an entire packet. As a result, the encapsulated packet has a new header (an IPsec header). This new header has source and destination IP address information that reflects the two VPN termination devices at different sites.

IKEv1 Modes

Question | Answer
Main mode | involves three exchanges of information between the IPsec peers. One peer, called the initiator, sends one or more proposals to the other peer, called the responder. The proposals include supported encryption and authentication protocols and key lifetimes. In addition, the proposals indicate whether or not perfect forward secrecy (PFS) should be used. PFS makes sure that a session key remains secure, even if one of the private keys used to derive the session key becomes compromised.
Aggressive mode | more quickly achieves the same results as main mode, using only three packets. The initiator sends the first packet, which contains all the information necessary to establish a security association (SA) (an agreement between the two IPsec peers about the cryptographic parameters to be used in the ISAKMP session). The responder sends the second packet, which contains the security parameters selected by the responder (the proposal, keying material, and its ID). This second packet is used by the responder to authenticate the session. The third and final packet, which is sent by the initiator, finalizes the authentication of the ISAKMP session.
Quick mode | negotiates the parameters (the SA) for the IPsec session. This negotiation occurs within the protection of an ISAKMP session.

Examples of VPN Protocols

Question | Answer
SSL | Secure Sockets Layer (SSL) provides cryptography and reliability for upper layers (Layers 5–7) of the OSI model. SSL, which was introduced in 1995, has largely been replaced by Transport Layer Security (TLS). However, recent versions of SSL (for example, SSL 3.3) have been enhanced to be more comparable with TLS. Both SSL and TLS provide secure web browsing via Hypertext Transfer Protocol Secure (HTTPS).
L2TP | Layer 2 Tunneling Protocol (L2TP) is a VPN protocol that lacks security features, such as encryption. However, L2TP can still be used for a secure VPN connection if it is combined with another protocol that does provide encryption.
L2F | Layer 2 Forwarding (L2F) is a VPN protocol designed (by Cisco Systems) with the intent of providing a tunneling protocol for PPP. Like L2TP, L2F lacks native security features.
PPTP | Point-to-Point Tunneling Protocol (PPTP) is an older VPN protocol (which supported the dial-up networking feature in older versions of Microsoft Windows). Like L2TP and L2F, PPTP lacks native security features. However, Microsoft's versions of PPTP bundled with various versions of Microsoft Windows were enhanced to offer security features.
TLS | Transport Layer Security (TLS) has largely replaced SSL as the VPN protocol of choice for providing cryptography and reliability to upper layers of the OSI model. For example, when you securely connect to a website using HTTPS, you are probably using TLS.
TTLS | Tunneled Transport Layer Security (TTLS) is an Extensible Authentication Protocol (EAP) that provides authentication as strong as TLS without the requirement of issuing each user a certificate. In TTLS, only the authentication servers are issued certificates.
GRE | Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels. This creates a virtual point-to-point link to various brands of routers at remote points over an Internet Protocol (IP) internetwork.

Intrusion Detection and Prevention

Question | Answer
intrusion detection system (IDS) | receives a copy of traffic to be analyzed
intrusion prevention system (IPS) | resides inline with the traffic
Signature-Based Detection | a string of bytes, in a certain context, that triggers detection
Policy-Based Detection | the IDS/IPS device needs a specific declaration of the security policy. For example, you could write a network access policy that identified which networks could communicate with other networks. The IDS/IPS device could then recognize out-of-profile traffic that does not conform to the policy, and then report that activity.
Anomaly-Based Detection | This approach is prone to false positives because a normal condition is difficult to measurably define.
Statistical anomaly detection | This approach watches network-traffic patterns over a period of time and dynamically builds a baseline. Then, if traffic patterns significantly vary from the baseline, an alarm can be triggered.
Nonstatistical anomaly detection | This approach allows an administrator to define what traffic patterns are supposed to look like.