Security+ Study Guide Lesson 11C
Out-of-band
A serial console or modem port on a router is a physically out-of-band management method. Out-of-band management is more secure and means that access to the device is preserved when there are problems affecting the production network.
True or false? A TLS VPN can only provide access to web-based network resources
False. A Transport Layer Security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP-level packets and is not constrained by application layer protocol type.
Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?
Layer 2 Tunneling Protocol (L2TP)
What is the main advantage of IKEv2 over IKEv1?
Rather than just providing mutual authentication of the host endpoints, IKEv2 supports a user account authentication method, such as Extensible Authentication Protocol (EAP).
What is Microsoft's TLS VPN solution?
The Secure Sockets Tunneling Protocol (SSTP).
What bit of information confirms the identity of an SSH server to a client?
The server's public key (host key). Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a certificate authority
What IPSec mode would you use for data confidentiality on a private network?
Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality
Point-to-Point Protocol (PPP)
a widely used remote dial-in protocol. It provides encapsulation for IP traffic plus IP address assignment and authentication via the widely supported Challenge Handshake Authentication Protocol (CHAP)
OpenVPN
an open-source example of a TLS VPN. OpenVPN can work in TAP (bridged) mode to tunnel layer 2 frames or in TUN (routed) mode to forward IP packets
Transport Layer Security (TLS)
applied at the application level, either by using a separate secure port or by using commands in the application protocol to negotiate a secure connection
Remote Desktop Protocol (RDP)
can be used to access a physical machine on a one-to-one basis. Alternatively, the site can operate a remote desktop gateway that facilitates access to virtual desktops or individual apps running on the network servers
public key authentication
each remote user's public key is added to a list of keys authorized for each local account on the SSH server
IKE Phase 1
establishes the identity of the two hosts and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating hosts are commonly used: digital certificates and pre-shared key (group authentication)
Full tunnel
internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy
Always-on VPN
means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate
Remote Access
means that the user's device does not make a direct cabled or wireless connection to the network
In-band management link
one that shares traffic with other communications on the "production" network
Internet Protocol Security (IPSec)
operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support
Internet Key Exchange (IKE)
protocol handles authentication and key exchange, referred to as Security Associations (SA)
Authentication Header (AH)
protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an integrity check value (ICV)
Encapsulating Security Payload (ESP)
provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an integrity check value
Remote access management
refers to the specific use case of using a secure channel to administer a network appliance or server
TLS VPN (still more commonly referred to as an SSL VPN)
requires a remote access server listening on port 443 (or any arbitrary port number). The client makes a connection to the server using TLS so that the server is authenticated to the client. This creates an encrypted tunnel for the user to submit authentication credentials, which would normally be processed by a RADIUS server
Split tunnel
the client accesses the internet directly using its "native" IP configuration and DNS servers
username/password
the client submits credentials that are verified by the SSH server either against a local user database or using a RADIUS/TACACS+ server
Kerberos
the client submits the Kerberos credentials (a ticket granting ticket) obtained when the user logged onto the workstation to the server using GSSAPI (Generic Security Services Application Program Interface). The SSH server contacts the Ticket Granting Service (in a Windows environment, this will be a domain controller) to validate the credential
Digital Certificates
the hosts use certificates issued by a mutually trusted certificate authority to identify one another
Secure Shell (SSH)
the principal means of obtaining secure remote access to a command-line terminal. The main uses of SSH are for remote administration and secure file transfer (SFTP)
Pre-shared key (group authentication)
the same passphrase is configured on both hosts
IPSec tunnel mode
this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required
IPSec Transport mode
this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header
SSH commands
used to connect to hosts and set up authentication methods
IKE phase II
uses the secure channel created in phase 1 to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session
Secure Sockets Tunneling Protocol (SSTP)
works by tunneling Point-to-Point Protocol (PPP) layer 2 frames over a TLS session