Network Security
Three primary goals of network security
- Confidentiality - Integrity - Availability
AAA (Authentication, authorization, and accounting)
Allows a network to have a single repository of user credentials. A network administrator can then, for example, supply the same credentials to log in to various network devices (for example, routers and switches). RADIUS and TACACS+ are protocols commonly used to communicate with a AAA server.
SSO (Single sign-on)
Allows a user to authenticate only once to gain access to multiple systems, without requiring the user to independently authenticate with each system.
Asymmetric Encryption
Asymmetric encryption is slow in comparison to symmetric encryption but balances this slowness with higher security. As its name suggests, asymmetric encryption uses asymmetric (different) keys for the sender and the receiver of a packet.
Confidentiality
Data confidentiality implies keeping data private. This privacy could entail physically or logically restricting access to sensitive data or encrypting traffic traversing a network. A network that provides confidentiality would, as a few examples: #> Designing a network such that only hardened technology is used at an edge. #> Use network-security mechanisms (for example, firewalls and access control lists [ACLs]) to prevent unauthorized access to network resources. #> Require appropriate credentials (such as usernames and passwords) to access specific network resources. #> Encrypt traffic such that any traffic captured off of the network by an attacker could not be deciphered by the attacker.
Integrity
Data integrity ensures that data has not been modified in transit. Also, a data integrity solution might perform origin authentication to verify that traffic is originating from the source that should send the traffic. Examples of integrity violations include the following: => Modifying the appearance of a corporate website => Intercepting and altering an e-commerce transaction => Modifying financial records that are stored electronically
IEEE 802.1X is a type of NAC that can permit or deny a wireless or wired LAN client access to a network.
IEEE 802.1X is a type of NAC that can permit or deny a wireless or wired LAN client access to a network. If IEEE 802.1X is used to permit access to a LAN via a switch port, then IEEE 802.1X is being used for port security. The device seeking admission to the network is called the supplicant. The device to which the supplication connects (either wirelessly or through a wired connection) is called the authenticator. The device that checks the supplicant's credentials and permits or denies the supplicant to access the network is called an authentication server. Usually, an authentication server is a RADIUS server.
TACACS+ (Terminal Access Controller Access-Control System Plus)
Is a Cisco proprietary TCP-based AAA protocol. TACACS+ has 3 separate and distinct sessions or functions for authentication, authorization and accounting.
ICA (Independent Computing Architecture)
Is a Citrix Systems proprietary protocol that allows an application running on one platform (for example, Microsoft Windows) to be seen and controlled from a remote client, independent of the client platform (for example, UNIX).
MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol)
Is a Microsoft-enhanced version A CHAP, offering a collection of additional features not present with CHAP, including two-way authentication.
RADIUS (Remote Authentication Dial-In User Service)
Is a UDP-based protocol used to communicate with a AAA server. Unlike TACACS+, RADIUS does not encrypt an entire authentication packet, but only the password. However, RADIUS does offer more robust accounting features than TACACS+. Also, RADIUS is a standards-based protocol, while TACACS+ is a Cisco proprietary protocol.
PPP (Point-to-Point Protocol)
Is a common Layer 2 protocol that offers features such as multilink interface, looped link detection, error detection, and authentication.
PPPoE (Point-to-Point Protocol over Ethernet)
Is a commonly used protocol between a DSL modem in a home (or business) and a service provider. Specifically, PPPoE encapsulates PPP frames within Ethernet frames. This approach allows an Ethernet connection to leverage the features of PPP, such as authentication.
SSH (Secure Shell)
Is a protocol used to securely connect to a remote host (typically via a terminal emulator).
MD-5 (Message Digest 5)
Length? 128 bit
AES (Advanced Encryption Standard)
Length? 128, 192, or 256
SHA-1 (Secure Hash Algorythm)
Length? 160 bit
3DES (Triple DES)
Length? 168 bit
DES (Data Encryption Standard)
Length? 56 bit
NAC (Network Admission Control)
Network Admission Control (NAC) can permit or deny access to a network based on characteristics of the device seeking admission, rather than just checking user credentials. For example, a client's OS and version of antivirus software could be checked against a set of requirements before allowing the client to access a network. This process of checking a client's characteristics is called posture assessment
CHAP (Challenge-Handshake Authentication Protocol)
Performs a one-way authentication for a remote-access connection. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network. Password Authentication Protocol (PAP) is an unencrypted plain text method for password exchange that should be avoided.
RAS (Remote Access Server)
Predecessor to Microsoft Routing and Remote Access Server (RRAS). RRAS is a Microsoft Windows Server feature that allows Microsoft Windows clients to remotely access a Microsoft Windows network.
TFA (Two-factor authentication)
Requires two types of authentication from a user seeking admission to a network. For example, a user might have to know something (for example, a password) and have something (such as a specific fingerprint, which can be checked with a biometric authentication device).
Multifactor Authentication
Similar to two-factor authentication, multifactor authentication requires two or more types of successful authentication before granting access to a network.
EAP (Extensible Authentication Protocol)
Specifies how authentication is performed by IEEE 802.1X. A variety of EAP types exist: Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Extensible Authentication Protocol-Message Digest 5 (EAP-MD5), and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
Kerberos is a client/server authentication protocol - uses trusted third party
Supports mutual authentication between a client and a server. Kerberos uses the concept of a trusted third party (a key distribution center) that hands out tickets that are used instead of a username and password combination.
Availability
The availability of data is a measure of the data's accessibility. For example, if a server was down only 5 minutes per year, the server would have an availability of 99.999 percent (that is, the five nines of availability). A couple of examples of how an attacker could attempt to compromise the availability of a network are as follows: => Send improperly formatted data to a networked device, resulting in an unhandled exception error. => Flood a network system with an excessive amount of traffic or requests, which would consume a system's processing resources and prevent the system from responding to many legitimate requests. This type of attack is referred to as a denial-of-service (DoS) attack.
Symmetric Encryption
The word symmetric in symmetric encryption implies that the same key is used by both the sender and the receiver to encrypt or decrypt a packet.
RDP (Remote Desktop Protocol)
is a Microsoft protocol that allows a user to view and control the desktop of a remote computer.