Comp tia n+_session_09

CompTIA N+ Certification: Network Security and Remote Networking
Installing Windows XP Professional Using Attended Installation

Objectives

In this session, you will learn to:
Identify network authentication methods.
Identify major data encryption methods and
technologies.
Identify the primary techniques used to secure Internet
connections.
Identify the major architectures in remote networking
implementations.
Identify common terminal services network
implementations.

Ver. 1.0 Session 9 Slide 1 of 38


Network Authentication Methods

In a network environment, the security settings control how
users and computers authenticate to the network.
Authentication is the first line of defense against attack or
intrusion into network systems.
The various network authentication methods are:
Strong Passwords
Kerberos
Extensible Authentication Protocol (EAP)



Strong Passwords

• A strong password is a password that meets complexity
requirements that are set by a system administrator and
documented in a password policy by specifying:
Minimum length

Special characters !Pass1234
Uppercase
letters Numbers

Lowercase letters

• Authentication based entirely on a user name/password
combination is sometimes called authentication by
assertion.



Kerberos

• Kerberos is an Internet standard authentication protocol
that links a user name and password to an authority that
can certify that the user is valid and also verify the user’s
ability to access resources.
KAS

Authenticates
Trusts KAS
with KAS

Uses credentials
to access resources

Resource
User01 server



The Kerberos Process

A Kerberos client uses a Kerberos authentication process to
establish a secure connection with a service.
1

Credentials
2

KAS
User01 TGT
5 3

TGT
4

Session
Session

Resource server



Extensible Authentication Protocol (EAP)

• Extensible Authentication Protocol (EAP) is an
authentication protocol that enables systems to use
hardware-based identifiers, such as fingerprint scanners or
smart card readers, for authentication.

EAP enables hardware-based authentication

Fingerprint scanner

Smart card reader



Activity 11-4

Activity Examining
Strong Passwords



Data Encryption

• Data encryption is a way to secure client information.
• The various data encryption methods and technologies are:
Key-Based Encryption Systems
Data Encryption Standard (DES)
Digital Certificates
Public Key Infrastructure (PKI)
The Certificate Encryption Process
The Certificate Authentication Process
IP Security (IPSec)
IPSec Levels
IPSec Policies
Secure Sockets Layer (SSL)
The SSL Process




• Key-based encryption system uses a key to control how
information is encoded and decoded.
• Types of key-based encryption:
Shared-key or symmetric system
Key-pair or asymmetric system with two keys:
• A public key
• A private key
The following figure depicts the shared-key encryption system:

Encrypts data Decrypts
data

Same key on both sides



Key-Based Encryption Systems (Contd.)

The following figure depicts the private-key encryption
system:
1 Exchange public keys

Public key A

Computer A Computer B
Public key B

2 Data encrypted using public key B 3 Data decrypted with private key B

Computer A Computer B Computer A Computer B



Activity 11-5

Encrypting Data with EFS




• DES is a shared-key encryption standard that is based on a
56-bit encryption key that includes an additional 8 parity
bits.
56 bits 8 parity bits

Shared DES key

Triple encoding

Triple encoding

3 DES keys



Activity 11-6

Examining Default
IPSec Policies




• A digital certificate is an electronic document that
associates credentials with a public key.
• A server called a Certificate Authority (CA) issues
certificates and the associated public/private key pairs.
• Both users and devices can hold certificates.

CA
Issues Trusts CA and
certificate accepts
certificate

Presents
certificate

Certificate holder Resource



Activity 11-7

Installing a Root Certificate
Authority (CA)




• PKI is a hierarchical authentication and validation system
that is composed of CAs, certificates, software, services,
and other cryptographic components.
• PKI issues and maintains public/private key pairs and
certificates.
Server
certificate

Certificates
and key pair

User01

Root CA Issuing CA
Certificates
and key pair

User02




• Certificate Encryption Process :

CA

1 3

2

4

User01 User02

• The Encrypting File System (EFS) is a file-encryption tool
available on Windows systems that have partitions
formatted with NTFS.




• The Certificate Authentication Process:

User01 public
key decrypts

Private key
encrypts signature

User01 User02

• Digital signature is a small piece of encrypted data that is
attached to a message to verify the sender’s identify.



IP Security (IPSec)

• IPSec is a versatile, nonproprietary suite of security
standards that provides end-to-end authentication and
encryption for secure communications sessions on IP
networks. Negotiate Security
Association (SA)

Negotiate encryption

Communicate securely



IPSec Levels

There are three IPSec levels:
Client
Server
Secure Server

Require security
Secure Server

Request security
Server

Respond only
Client



IPSec Policies

IPSec policies are composed of rules, and each rule has
five component, as shown in the following figure:

Components of
Rules in the a rule
policy



The SSL Process

Secure Sockets Layer (SSL) is a security protocol that
combines digital certificates for authentication with RSA
public-key data encryption.
The SSL is a server driven process which works, as shown
in the following figure:
Request secure https: connection

Send certificate and public key

Negotiate encryption



Network Address Translation (NAT)

• Network address translation (NAT) is a form of Internet
security that conceals internal addressing schemes from the
public Internet.

NAT Server

24.96.83.120

192.168.12.20 192.168.12.30

192.168.12.100

NAT is implemented as:
Software such as ICS in Windows systems.
Hardware such as cable modems and DSL routers.



Activity 11-8

Examining Proxy Settings



The NAT Process

The NAT process translates external and internal addresses
based on port numbers following the steps:
• Step-1: Client request
• Step-2: Source address conversion
• Step-3: Data return
• Step-4: Internal source identification
• Step-5: Data deliver

192.168.12.40:80 24.96.83.120:23,040

Client NAT server Web server

Port# Internal address
23,040 192.168.12.40:80

Address translation table



Firewalls

• A firewall is a software program or hardware device that
protects networks from unauthorized data by blocking
unsolicited traffic.

Approved traffic

Firewall

Unapproved traffic



Demilitarized Zones (DMZs)

• DMZ is a small section of a private network that is located
between two firewalls and made available for public access.

DMZ

Web server



Internet Proxies

• An Internet proxy is a system that isolates internal
networks from the Internet by downloading and storing
Internet files on behalf of internal clients.



Website Caching

The caching process enables Web proxies to cache web
data for clients by following the steps:

1 Client requests site Proxy forwards request

Proxy returns site to client Website responds to proxy

2 New request

Proxy responds from cache



Web Proxy Features

Web proxies can incorporate a number of enhanced
features, such as:
User security
Gateway services
Auditing
Remote access services
Content filtering



Remote Network Architectures

The various components of a remote network
implementation :
Remote Networking
Remote Access Networking
Remote Access Services (RAS) Servers
Remote Control Networking
Terminal Services



Remote Networking

• Remote networking is a type of network communication
that enables users to access resources that are not at their
physical locations.
PSTN

Modem Modem
Remote Remote
computer access server

Established connectcion mechanism Network resources

• The biggest limitation to remote networks is the connection
bandwidth.



Activity 12-1

Configuring Windows RRAS
as a Dial-Up Server



Remote Access Networking

In remote access networking, a remote node uses a remote
connection to attach to a network.
Most remote access connections are made to:
Dial-in server
Remote access server:
• Provides security
• Provides log users



Activity 12-2

Enabling and Creating
Remote Desktop Connections



Remote Control Networking

Remote control uses a special software package that
enables a remote client to take over a host computer on the
network.
Host client should be a
dedicated machine

Remote Host client
Client



Terminal Services Implementations

• Terminal services enable companies to deploy
applications thus providing flexible functionality to remote
users.
• The common terminal services components and network
implementations are:
Thin Clients
Thin Client Components
Microsoft Terminal Services
Windows Terminal Services Features
Citrix MetaFrame
Web-Based Remote Access



Thin Clients

• A thin client is any machine that uses a thin client protocol
to connect to a server in order to access and run
applications.
• Thin client is configured as to various operating systems,
such as:
UNIX PC running thin client
software has more
Session 2
Windows hardware
and an OS installed

Dedicated thin client has
minimal hardware and no
OS installed
Emulates a
Application complete
Client 1 Client 2 server Session 1 computing
environment



Activity 12-4

Installing Microsoft
Terminal Server




The thin client consists of four basic parts, as shown in the
following figure:

Connects to server

Input device
Output device Downloads OS
Network connection
Client software
Launches a session
Thin client
Application
server




Terminal services provides client access to all Windows-
compatible applications by opening a user session on the
server.
Windows 2000
Professional and Remote
Desktop for Session 2
Administration

Windows XP Professional and Provides Client 2 access
Remote Desktop Connection to administrative tools and
functionality

Terminal
Client 1 Client 2 Session 1
Server

Provides Client 1 access
to a shared application



Citrix MetaFrame

• Citrix MetaFrame is a terminal services application that
provides client connectivity for Windows, Linux, Macintosh,
and UNIX desktops.

Server with Server with
32 connections 32 connections

Server farm supports Can add servers without
64 connections changing existing farm




Web-based remote access means providing access to
services and data through web browsers.
Remote user accesses applications
via a web browser Terminal Server enables
remote administration

Remote administrator manages
application servers via a web browser Web server hosts
applications



Summary

In this session, you learned that:
• Network authentication methods such as Strong Passwords,
Kerberos, and Extensible Authentication Protocol (EAP) are the
first line of defense against attack or intrusion into network
systems.
• The major data encryption methods and technologies are:
IP Security (IPSec)
IPSec Policies
Secure Sockets Layer (SSL)
The SSL Process



Summary

The primary techniques used to secure Internet connections
are:
Network Address Translation (NAT)
The NAT Process
Firewalls
Demilitarized Zones (DMZs)
Internet Proxies
Website Caching
Web Proxy Features



Summary (Contd.)

The major architectures in remote networking
implementations:
• Remote Networking
• Remote Access Networking
• Remote Access Services (RAS) Servers
• Remote Control Networking
• Terminal Services
The common terminal services network implementations:
Thin Clients
Windows Terminal Services Features
Citrix MetaFrame


Comp tia n+_session_09

More Related Content

What's hot (19)

Viewers also liked (20)

Similar to Comp tia n+_session_09 (20)

More from Niit Care (20)

Recently uploaded (20)

Comp tia n+_session_09

Editor's Notes