Chapter 11: Securing TCP/IP
Link Establishment
2. The LCP communicates with the LCP on the other side of PPP link, determining a good link, which, in turn open the...
Message-Digest Algorithm version 5 (MD5)
Arguably the most popular hashing function
Key Distribution Center (KDC)
System for granting authentication in Kerberos
Network Access Servers (NASs)
System that controls the modems in a RADIUS network.
User authentication
The process of authenticating a username and password.
Link Dead
1. This is a nice way to say there isn't a link yet. The modem is turned off, no one is talking. This phase is when all PPP conversations begin. The main player at this (and at a later phase) is the Link Control Protocol (LCP). The LCP's job is to get the connection going. As it starts up we move into the...
Authentication
3. Here is where the authentication takes place. In most cases, authentication is performed by entering a simple user name/password. I'll go into more detail in the next section. For now, once the authentication is complete and successful, the PPP connection goes into...
Network Layer Protocol
4. PPP works with a number of OSI Layer 3 network protocols. Today everyone uses TCP/IP, but PPP still supports long-dead protocols such as NetWare IPX/SPX and Microsoft NetBEUI. LCP uses yet another protocol called Network Control Protocol (CP) to make the proper connections for that protocol. You now have a good connection. To shut down, the LCP inititates a...
Termination
5. When done nicely, the two ends of the PPP connection send each other a few termination packets and the link is closed. If one person is cut off, the LCP will wait for a certain timeout and then terminate on its own side.
Advanced Encryption Standard (AES)
A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size. Practically uncrackable.
Access Control List (ACL)
A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.
Digital Signatures
A encrypted hash of a private encryption key that verifies a sender's identity to those who receive encrypted data or messages.
Multifactor authentication
A form of authentication where a user must use two or more factors to prove his or her identity.
Cipher
A general term for a way to encrypt data
hash
A mathmatical function used in cryptography that is run on a string of binary digits of any length that results in a value of some fixed length. A one way hash, which means it's practically irreversible, meaning there's no way to re-create the data, even if you know the hashing algorithm and the checksum.
Public-key cryptography
A method of encryption and decryption that uses two different keys: A public key for encryption and a private key for decryption.
Secure Hash Algorithm (SHA)
A popular cryptographic hash
Rivest Cipher 4 (RC4)
A popular streaming symmetric-key algorithm.
Single Sign-on
A process whereby a client performs a one-time login to a gateway system. That system, in turn, takes care of the client's authentication to any other connected system which the client is authorized to access.
Lightweight Directory Access Protocol (LDAP)
A protocol used to query and change a database used by the network, also uses TCP port 389 by Default.
Certificate
A public encryption key signed with the digital signature from a trusted third party called a certificate authority (CA). This key serves to validate the identity of its holder when that person or company sends data to other parties.
Challenge Handshake Authentication Protocol (CHAP)
A remote access authentication protocol. It has the serving system challenge the remote client, which must provide an encrypted password.
Mandatory Access Control (MAC) security model
A security model in which every resource is assigned a label that defines its security level. If the user lacks that security level, they do not get access.
OpenSSH
A series of secure programs developed by the OpenBSD organization to fix SSH's limitation of only being able to handle one session per tunnel.
Simple Network Management Protocol (SNMP)
A set of standards for communication with network device (witches, routers, WAPs) connected to a TCP/IP network. Used for network management.
Data Encryption Standard (DES)
A symmetric-key algorithm developed by the U.S. government in the 1970s and formerly in use in a variety of TCP/IP applications. DES used a 64-bit block and a 56-bit key. Over time the 56-bit key made DES susceptible to brute-force attacks.
Authentication, Authorization, and Accounting (AAA)
AAA is designed for the idea of port authentication, the concept of allowing remot users authentication to a particular point-of-entry to another network. Authentication: A computer that is trying to connect to the network must present some form of credential for access to the network. Authorization: Once authenticated, the computer determines what it can or cannot do on the network. Accounting: The authenticating server should do some form of accounting such as recording the number of times a user logs on and off.
Remote Authentication Dial-In User Service (RADIUS)
An AAA standard created to support ISPs with hundreds if not thousands of modems in hundreds of computers to connect to a single central database. RADIUS consists of three devices: the RADIUS server that has access to a database of user names and passwords, a number of network access servers (NASs) that control the modems, and a group of systems that dial into the network.
block ciphers
An encryption algorithm in which data is encrypted in "chunks" of a certain length at a time. Popular in wired networks
Asymmetric-key algorithm
An encryption method in which the key used to encrypt a message and the key used to decrypt it are different, or asymmetrical.
Stream Cipher
An encryption method that encrypts a single bit at a time. Popular when data comes in long streams (such as with older wireless networks or cell phones)
Rivest Shamir Adleman (RSA)
An improved asymmetric cryptography algorithm that enables secure digital signatures.
Symmetric-key algorithm
Any encryption method that uses the same key for both encryption and decryption.
IPsec main protocols
Authentication Header (AH): for authentication Encapsulating Security Payload (ESP): for implementing authentication and encryption. Internet Security Association and Key Management protocol (ISAKMP): for establishing security associations (SAs) that define things like the protocol used for exchanging keys. Internet Key Exchange (KE and IKEv2) and Kerberized Internet Negotiation of Keys (KINK) two widely used key exchanging protocols.
Extensible Authenication Protocol (EAP)
Authentication wrapper that EAP-compliant applications can use to accept one of many types of authentication. While EAP is a general-purpose authentication wrapper, its only substantial use is in wireless networks.
Discretionary Access Control (DAC)
Authorization method based on the idea that there is an owner of a resource who may at his or her discretion assign access to that resource. DAC is considered much more flexible than MAC.
Secure FTP (SFTP)
Designed as a replacement for FTP after many of the inadequacies of SCP (such as the inability to see the files on the other computer) were discovered.
EAP-TLS
EAP with Transport Layer Security (TLS) defines the use of a RADIUS server as well as mutal authentication, requiring certificates on both the server and every client. On the client side, a smart card may be used in lieu of a certificate. EAP-TLS is very robust, but the client -side certificate requirement is an administrative challenge. Even though it's a challenge, the most secure wireless networks all use EAP-TLS. TLS is used heavily on secure Web sites.
EAP-TTLS
EAP-TTLS(Tunneled TLS) is similar to EAP-TLS but only uses a single server-side certificate. EAP-TTLS is very common for more secure wireless networks.
Biometrics
Human physical characteristics that can be measured and saved to be compared as authentication in granting the user access to a network or resource. Common biometrics include fingerprints, facial scans, retinal scans, and voice pattern recognition.
Authentication Server (AS)
In Kerberos, a system that hands out Ticket-Granting Tickets to clients after comparing client hash to its own.
Exam Tip 11.2
In the early days of dial-up, we used the Serial Line Internet Protocol (SLIP) to connect a modem to an Internet Serve Provider (ISP). SLIP was a totally unsecure protocol and thus we migrated to PPP as soon as we could.
Encryption and the OSI model
Layer 1: No common encryption done at this layer. Layer 2: A common place for encryption using proprietary encryption devices. These boxes scramble all of the data in an Ethernet frame except the MAC address information. Devices or software encodes and decodes the information on-the-fly at each end. Layer 3: Only one common protocol encrypts at Layer 3: IPsec. IPsec is typically implemented via software that takes the IP packet and encrypts everything inside the packet, leaving only the IP addresses and a few other fields unencrypted. Layer 4. Neither TCP nor UDP offers any encryption methods, so little happens security wise at Layer 4. Layer 5,6, and 7: Important encryption standards (such as SSL and TLS used in e-commerce) happen within these layers, but don't fit cleanly into the OSI model.
EAP-MS-CHAPv2
More commonly known as Protected Extensible Authentication Protocol (PEAP), EAP-MS-CHAPv2 uses a password function vased on MS-CHAPv2 with the addition of an encrypted TLS tunnel similar to EAP-TLS.
EAP-PSK
Most popular form of authentication used in wireless networks today. EAP-PSK(Personal Shared Key) is nothing more than a shared secret code that's stored on both the wireless access point and the wireless client, encrypted using the powerful AES encryption.
key pair
Name for the two keys generated in asymmetric-key algorithm systems.
Plaintext
Often referred to as cleartext, unencrypted data in an accessible format that can be read without special utilities.
Secure Copy Protocol (SCP)
One of the first SSH-enabled programs to appear after the introduction of SSH. SCP was one of the first protocols used to transfer data securely between two hosts and thus might have replaced FTP. SCP works well but lacks features such as a directory listing.
Internet Authentication Service (IAS)
Popular RADIUS server for Microsoft environments.
Network Time Protocol (NTP)
Protocol that gives the current time.
Exam Tip 10.1
Public-key cryptography is the most popular form of e-mail encryption.
Certificate Revocation Lists (CRLs)
Root authorities, such as VeriSign can generate CRLs, it can be revoked for a number of reasons, but most of the time the reasons are serious such as a compromised private key.
Ticket-Granting Service (TGS)
Sent by an Authentication Server in Kerberos setup if a client's hash matches its own, signaling that the client is authenticated but not yet authorized.
Transport Layer Security (TLS) protocol
TLS is more robust and flexible and works with just about any TCP application while SSL is limited to HTML, FTP, SMTP, and a few older TCP applications.
Note 11.3
Technically, wireless networks don't use aEAP. They use 802.1X which, in turn uses EAP.
Role-based access control (RBAC)
The most popular authentication model used in file sharing, defines a user's access to a resource based on the roles the user plays in the network environment. This leads to the idea of creation of groups. A group in most networks is nothing more than a name that has clearly defined accesses to different resources. User accounts are placed into various groups.df
Public-key infrastructure (PKI)
The system for creating and distributing digital certificates using sites like VeriSign, Thawte, or GoDaddy.
Password Authentication Protocol (PAP)
Thee oldest and most basic form of authentication and also the least safe because it sends all passwords in cleartext.
ACL access models
There are 3 types of ACL access models: Mandatory, Discretionary, and Role based.
EAP-MD5
This is a very simple version of EAP that uses only MD5 hashes for transfer of authentication credentials. EAP-MD5 is weak and the least used of all the versions EAP described.
Authentication
Verify that whoever is trying to access the data is the person you want accessing that data. Most classic form of authentication is the username and password combinations.
802.1X
a port-based authentication network access control mechanism for networks, basically a complete authentication standard designed to force devices to go through a full AAA process to get anywhere past the interface on a gateway system. Prevents attackers from even getting in the door until they were authenticated and authorized. Mainly adopted by wireless networking.
Internet Protocol Security (IPSec)
an authentication and encryption protocol suite that works at the Internet/Network Layer and should become dominant authentication and encryption protocol suite as IPv6 continues to roll out and replace IPv4.
Network Access Control (NAC)
defines a newer series of protection applications that combine the features of what traditionally was done by separate applications. There is no perfect single definition for NAC. NAC usually prevents computers lacking antimalware and patches from accessing the network. NACs also create policies that define what individual systems can do on the network.
Authorization
defines what an authenticated person can do with that data. Different operating systems and applications provide different schemes for authorization, but the classic scheme for Windows is to assign permissions to a user account. An administrator, for example, can do a lot more after being authenticated than a limited user can do.
Point-to-Point Protocol (Protocol)
enables two point-to-point devices to connect, authenticate with a user name and password, and negotiate the network protocol the two devices will use. Today that network protocol is almost always TCP/IP
Lightweight Extensible Authentication Protocol (LEAP)
is a proprietary EAP authentication used almost exclusively by Cisco wireless products. LEAP is an interesting combination of MS-CHAP authentication between a wireless client and a RADIUS server.
Terminal Access Controller Access Control System Plus (TACAS+)
is a protocol developed by Cisco to support AAA in a network with many routers and switches, similar to RADIUS in function, but uses TCP port 49 by default and separates authorization , authentication, and accounting into different parts.
Kerberos
is an authentication protocol that has no connection to PPP. A protocol for TCP/IP networks with many clients all connected to a single authenticating server. no point-to-point. Works nicely in a network, so nicely that Microsoft adopted it as the authentication protocol for all Windows networks using a domain controller.
Tunnel
is an encrypted link between two programs on two seperate computers. Once a link is established, anything entered into the client application is encrypted, sent to the server, decrypted, and then acted upon.
Encryption
scramble, mix up, or change data in such a way that bad guys can't read it. Of course this scrambled up data must also be easily descrambled by the person reading it.
Challenge-Response Authentication Mechanism-Message Digest 5 (CRAM-MD5)
special form of MD5 used for some SMTP servers, as a tool for server authentication.
Algorithm
the mathematical formula that underlies the cipher
Nonrepudiation
the process of making sure data came from the person or entity it was suppose to come from. This prevents others from pretending to be a different entity.
Integrity
the process that guarantees that the data received is the same as the data originally sent.
Token/Access Token
timestamped service ticket, key that the client uses to access any single resource on the entire domain.