Unit08
Download as PPT, PDF1 like568 views
Network security protocols like IPSec, VPNs, Kerberos, and SSL are used to protect data as it travels across networks. IPSec ensures privacy and authentication at the network layer using encryption. VPNs allow private network connections over public networks using protocols like L2TP. Kerberos uses tickets to authenticate users and services between domains. SSL establishes encrypted links between clients and servers using public key cryptography and digital certificates from certificate authorities. Firewalls and proxy servers filter network traffic to control access and enhance security.
Unit08
- 2. Overview • Network Security • IPSec • VPN Protocol • Kerberos • Smart Cards • Firewalls • Proxy Servers
- 3. Network Security • Security protocols protect a computer from attacks • Networks and data are vulnerable to both active attacks, in which information is altered or destroyed, and passive attacks, in which information is monitored • Types of Attacks : – Altering data. – Eavesdropping eg:sniffing – IP/mac address spoofing eg:cheating – Password pilfering eg:guessing – Denial of service – Virus
- 4. IPSec • Based on cryptography /encryption • ensures the privacy of network traffic as well as its authentication. • IPSec functions at the Network layer • The fact that IPSec is a network-layer protocol makes its services transparent to applications • IPSec ensures that data cannot be tampered with while it is traversing any part of the network
- 5. IPSec • Hands On Lab on Ipsec : gpedit.msc • ICMP – Authentication method: – Keberos – PreShared – Certificates
- 6. VPN Protocols • Virtual private networking is a system of creating a private network connection that travels through a public network • One of the top considerations for using a VPN is to reduce costs • L2TP – L2TP is a VPN protocol used along with IPSec to ensure confidentiality of the data transmission – PPTP Point-to-Point Tunneling Protocol courtesy of Microsoft and Cisco’s Layer 2 Forwarding (L2F) protocol
- 7. VPN • Why Use L2TP Instead of PPTP – L2TP client is included in Windows 2000 and later operating systems – L2TP supports both Cisco TACACS+ and Remote Authentication Dial-In User Service (RADIUS) authentication – L2TP was developed to be a standard that is already natively supported by Cisco routers and Windows 2000 servers – offers a much higher level of security than PPTP – L2TP offers a wider variety of protocols than PPTP— supporting not only TCP/IP but also IPX/SPX and Systems Network Architecture (SNA)
- 8. Secure Sockets Layer (SSL) • SSL is a protocol that uses a public key to encrypt the data transmitted across the Internet • SSL runs transparently to applications, because it sits below upper-layer applications and above the IP • Working on behalf of upper-layer protocols, the SSL server authenticates itself using a certificate and public ID to an SSL-enabled client, which includes both Netscape Navigator and Microsoft Internet Explorer Web browsers, and others
- 9. SSL
- 10. SSL • The SSL client ensures that the server’s certificate has been issued by a trusted certificate authority (CA), it authenticates itself back to the server using the same process, and an encrypted link is created between the two • During the ensuing data transmission, SSL enacts a mechanism to ensure that the data is not tampered with before it reaches its destination
- 11. SSL is able to use several different types of ciphers • Data encryption standard (DES) and Triple DES. – DES is a private key exchange that applies a 56-bit key to each 64-bit block of data. Triple DES is the application of three DES keys in succession. • Key Exchange Algorithm (KEA). – KEA enables the client and server to establish mutual keys to use in encryption. • Message Digest version 5 (MD5). – This cipher creates a 128-bit message digest to validate data. • Rivest-Shamir-Adleman (RSA). – This is the most commonly used key exchange for SSL. It works by multiplying two large prime numbers, and through an algorithm determining both public and private keys. The private key does not need to be transmitted across the Internet but is able to decrypt the data transmitted with the public key. • Secure Hash Algorithm (SHA). – SHA produces a message digest of 160 bits using the SHA-1 80-bit key to authenticate the message.
- 12. Client makes certain that the SSL server’s certificate is issued by a trusted CA
- 13. Clients are authenticated by SSL servers
- 14. Kerberos • Kerberos is an authentication protocol that is used to establish trust relationships between domains and verify the identities of users and network services • When an entity attempts to access a Kerberos-protected resource and provides correct authentication information, Kerberos issues a ticket to it • The ticket is actually a temporary certificate • Each process requires a complex mutual authentication, but this is completely transparent to the user
- 15. Kerberos • Kerberos Trust Relationships – Kerberos trust relationships are typically transitive and bidirectional in nature – Wherever a Kerberos trust exists, the users in one domain will be able to access resources in the other domain as long as the administrator has granted those users access
- 16. Smart Cards • A way to ensure secure authentication using a physical key • Smart cards contain chips to store a user’s private key and can also store logon information • Smart cards require Public Key Infrastructure (PKI), a method of distributing encryption keys and certificates
- 17. Firewall • Piece of equipment is actually a router with two interfaces—one leading to the public network and the other to the private network • One of the methods a firewall uses to secure the network is packet filtering • For packets that meet firewall rules, they are either permitted or blocked, depending on how the rule is implemented • Firewalls are useful for protecting the network from unauthorized access to data • A firewall uses an access control list for all the commands to execute packet filters • When implementing a new firewall, you should review every application that must function across the firewall.
- 18. Firewall
- 19. Firewall • Demilitarized Zones – demilitarized zone (DMZ) is an offshoot from a firewall – DMZ is a middle area that offers more freedom of access from the Internet – DMZ is to provide access to certain servers, such as a Web server or e-mail server, yet protects your network
- 20. Proxy Servers • For a more sophisticated and secure method of blocking and permitting traffic, you need to use a proxy server • A proxy server doesn’t permit traffic to pass through it between networks • examine each packet up to the application layer and reassemble a new packet for the other network • the proxy server is able to log traffic and perform audits