Chapter 7

Challenge

A random string of text issued from one computer to another in some forms of authentication. A challenge is used, along with the password (or other credential), in a response to verify the computer's credentials.

AES

Advanced Encryption Standard

CIA

Confidentiality, Integrity, Availability (not to be confused with CA, the certificate authority)

CIA Triad

Confidentiality, Integrity, Availability

What is DirectAccess?

A service embedded in Windows Server 2008 R2, 2012, and 2012 R2 that can automatically authenticate remote users and computers to

EAPoL

EAP (Extensible Authentication Protocol) over LAN: the IEEE standard that defines port-based network access control for wired and wireless networks. It provides a framework for authentication by carrying EAP over IEEE 802 networks, and it is commonly known as 802.1X.

ESP

Encapsulating Security Payload

Why is Telnet considered insecure?

Telnet provides little security for establishing a connection (poor authentication) and no security for transmitting data (no encryption).

Brute force attacks.

A brute-force attack simply means trying every possible character combination until the correct one is found. The attacker's cost grows with the size of the keyspace, so longer keys and passwords, together with limits on the number of guesses a server will accept, are the defenses.
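As an added example (not part of the original study set), the following Python searches a small keyspace the way a brute-force attack does, shows how the attempt count grows with alphabet size and length, and adds the server-side lockout a practitioner would expect. The PIN, the guess rate and the lockout threshold are constructed values.

```python
"""Brute-force search over a keyspace, and the defenses that make it impractical.

Added example; not from the original study set. The target PIN, the guess
rate and the lockout threshold below are constructed for illustration.
"""
import hashlib
import hmac
import itertools

DIGITS = "0123456789"   # alphabet for a numeric PIN


def sha256_hex(s: str) -> str:
    """Digest the guess the same way the stored credential was digested."""
    return hashlib.sha256(s.encode()).hexdigest()


def brute_force(target_hex: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` of length 1..max_len, shortest first.

    Returns (matching_guess, attempts) or (None, attempts) if the keyspace is
    exhausted. This is the attacker's view: no knowledge beyond the digest.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if hmac.compare_digest(sha256_hex(guess), target_hex):
                return guess, attempts
    return None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Years needed to try all 2**bits keys at the given rate."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


class LockoutGuard:
    """Server-side defense: refuse further guesses after max_failures.

    Online brute force is defeated by this kind of limit even when the
    keyspace is small, which is why offline attacks on leaked hashes are the
    attacker's preferred route.
    """

    def __init__(self, target_hex: str, max_failures: int = 5):
        self.target_hex = target_hex
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(sha256_hex(guess), self.target_hex)
        if not ok:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
        return ok


if __name__ == "__main__":
    target = sha256_hex("4829")                   # constructed 4-digit PIN
    print(brute_force(target, DIGITS, 4))          # found after a few thousand tries
    print(keyspace(10, 4), keyspace(62, 12))       # PIN vs 12-char alphanumeric
    print(years_to_exhaust(128, 1e12))             # 128-bit key at 10^12 guesses/s
```

The attempt count for the 4-digit PIN is a few thousand, the 12-character alphanumeric keyspace is around 3 x 10^21, and a 128-bit key at a trillion guesses per second takes on the order of 10^19 years, which is the arithmetic behind the advice to prefer long keys and to rate-limit guessing.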

HVD

hosted virtual desktop

What is meant by the phrase "data integrity"?

Assurance that data has not been altered in transit. A hash value is used for this purpose much as a checksum is.

HVD

(hosted virtual desktop) A desktop operating environment hosted virtually on a different physical computer from the one the user interacts with.

Non-repudiation

Related to integrity and authenticity. Provides proof of delivery (protects the sender) and proof of the sender's identity (protects the receiver), so that neither party can later deny that the exchange took place.

SSO

(single sign-on) A form of authentication in which a client signs on once to access multiple systems or resources.

802.11i

802.11i uses 802.1X (EAPoL) to authenticate devices and then derives fresh encryption keys for each session from the authentication exchange, rather than relying on one static key shared by every device on the network.

PuTTY

A Windows based freeware SSH client

Public Key Server

A public key server is a publicly accessible host (such as a server on the Internet) that freely provides a list of users' public keys, much as a telephone book provides a list of peoples' phone numbers.

Solution

A robust word that refers to a product, service, or combination of products and services. The term is commonly used in technology because these products and services often exist specifically to solve problems, and the solution often includes extra features, such as ongoing customer service.

Tunnel

A secured, virtual connection between two nodes on a VPN.

Key

A series of characters that is combined with a block of data during that data's encryption. To decrypt the resulting data, the recipient must also possess the key.

Key Pair

A matched public key and private key used in asymmetric (public key) encryption. Data encrypted with one key of the pair can be decrypted only with the other; the private key is kept secret by its owner, while the public key can be freely distributed.

asymmetric encryption

A type of encryption (such as public key encryption) that uses a different key for encoding data than is used for decoding the cipher text.

AH

Authentication Header

AS

Authentication Service

AAA

Authentication, Authorization, and Accounting

List two reasons why CHAP is more secure than PAP

CHAP (Challenge Handshake Authentication Protocol) is another authentication protocol that can operate over PPP. Unlike PAP, which sends the username and password in cleartext, CHAP never transmits the password: the client returns a hash (MD5) of the password combined with a random challenge from the server. It also differs from PAP in that it requires three steps to complete the authentication process, a three-way handshake, and because every challenge is random, a captured response cannot simply be replayed. Figure 7-17 illustrates the three-way handshake used in CHAP.

Hashed

Data that has been run through a hash algorithm, which produces a fixed-length digest that is generally much smaller than the input. Hashing is practically impossible, mathematically, to reverse.

GRE

Generic Routing Encapsulation

GRE

Generic Routing Encapsulation. A tunneling protocol developed by Cisco Systems.

Collision

(1) In Ethernet networks, the interference of one node's data transmission with the data transmission of another node sharing the same segment. (2) In the context of hashing, a problem that occurs when two different inputs produce the same hash value.

IaaS

Infrastructure as a Service

KDC

Key Distribution Center

L2TP

Layer 2 Tunneling Protocol

SLIP vs PPP

SLIP is an earlier point-to-point protocol that does not support encryption, can carry only IP packets, and works strictly on serial connections. SLIP has been replaced by PPP, which can carry several types of Network layer protocols and can provide weak encryption.

SSL and TLS

Secure Sockets Layer / Transport Layer Security: protocols that encrypt TCP connections (most visibly HTTPS) using public key cryptography to authenticate the server and establish the symmetric session keys that protect the data.

Encryption

The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm— that is, by decrypting the data—to keep the information private.

Xen

An open source hypervisor; Citrix's XenServer virtualization product is built on it.

Protocols used in WPA vs WPA-2

WPA = TKIP (Temporal Key Integrity Protocol), a stopgap built around the older RC4 cipher. WPA-2 = CCMP, which is built on AES (Advanced Encryption Standard).

Key management services

key management: the way in which two nodes agree on common parameters for the keys they will use. This phase primarily includes two services:
• IKE (Internet Key Exchange): negotiates the exchange of keys, including authentication of the keys
• ISAKMP (Internet Security Association and Key Management Protocol): works within the IKE process to establish policies for managing the keys

Algorithm

A set of rules that tells a computer how to accomplish a particular task. For example, a computer uses an algorithm to create an encryption key.

Describe 3 different (general) ways a VPN can be established?

A virtual private network (VPN) is a virtual connection over the Internet or another network that provides access to network resources remotely. It can be established in three general ways: (1) between a client and a remote network (client-to-site), (2) between two remote networks (site-to-site), or (3) between two remote hosts (host-to-host).

Compare tunneling protocols.

After connecting to a remote network, a remote client can access files, applications, and other shared resources, such as printers, like any other client on the server, LAN, or WAN.
■ SLIP is an earlier point-to-point protocol that does not support encryption, can carry only IP packets, and works strictly on serial connections. SLIP has been replaced by PPP, which can carry several types of Network layer protocols and can provide weak encryption.
■ To ensure a VPN can carry all types of data in a private manner over any kind of connection, special VPN protocols encapsulate higher-layer protocols in a process known as tunneling.
■ A VPN tunneling protocol operates at the Data Link layer to encapsulate the VPN frame into a Network layer packet, no matter what Network layer protocol is used.
■ GRE encapsulates PPP frames to make them take on the temporary identity of IP packets at Layer 3. To the WAN, messages look like inconsequential IP traffic.
■ Unlike PPTP, L2TP is a standard accepted and used by multiple vendors, so it can connect a VPN that uses a mix of equipment types.
■ Remote virtual computing, also called terminal emulation, allows a user on one computer, called the client, to control another computer, called the host or server, across a network connection.

CA

Certificate Authority

Web Services

Cloud computing (sometimes loosely called Web services) refers to the flexible provision of data storage, applications, or services to multiple clients over a network.

private key encryption

In private key encryption, data is encrypted using a single key that only the sender and the receiver know. Private key encryption is also known as symmetric encryption because the same key is used during both the encryption and decryption of the data.

IETF

Internet Engineering Task Force

IKE

Internet Key Exchange

Key Management

The method whereby two nodes using key encryption agree on common parameters for the keys they will use to encrypt data.

MD5 vs SHA

The primary advantage of SHA over MD5 is its resistance to collisions: practical collision attacks exist against MD5 (and against SHA-1), so the SHA-2 family, such as SHA-256, should be used for integrity checks and digital signatures. The added security requires somewhat more time to perform the hashing process.

DNS Spoofing

An attacker forges name server records or DNS responses so that a hostname resolves to the attacker's host, falsifying that host's identity.

CHAP's three way handshake

1. challenge: The server sends the client a randomly generated string of characters.
2. response: The client combines its password with the challenge and hashes the result (MD5 in standard CHAP). It sends this hash to the server as its response; the password itself never crosses the wire. Meanwhile, the server concatenates the user's password with the same challenge and hashes it using the same algorithm the client used.
3. accept/reject: The server compares the hash it received from the client with the hash it generated. If the two match, it authenticates the client. If the two differ, it rejects the client's request for authentication. Because each challenge is random and used once, a response captured from an earlier exchange is useless to an eavesdropper.
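The three steps above, and the contrast with PAP, as an added Python example that is not part of the original study set. It follows the RFC 1994 response computation (MD5 over the identifier, the secret and the challenge); the shared secret, identifier values and the PAP username are constructed for illustration.

```python
"""CHAP three-way handshake beside PAP.

Added example; not from the original study set. SHARED_SECRET and the
PAP credentials below are constructed values.
"""
import hashlib
import hmac
import os

SHARED_SECRET = b"correct horse battery staple"   # constructed; provisioned on both sides


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge).

    Only this 16-byte digest travels over the link; the secret does not.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues single-use random challenges and checks responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}     # identifier -> challenge still awaiting a response

    def challenge(self):
        """Step 1: send a fresh random challenge tagged with an identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare; each challenge is consumed."""
        chal = self.outstanding.pop(identifier, None)
        if chal is None:
            return False           # unknown identifier, or a challenge already answered
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapServer, client_secret: bytes) -> bool:
    """Full handshake: challenge, response (step 2), accept/reject."""
    ident, chal = server.challenge()
    resp = chap_response(ident, client_secret, chal)
    return server.verify(ident, resp)


def replay_is_rejected(server: ChapServer, client_secret: bytes) -> bool:
    """A captured response presented a second time must fail."""
    ident, chal = server.challenge()
    resp = chap_response(ident, client_secret, chal)
    first = server.verify(ident, resp)
    second = server.verify(ident, resp)
    return first and not second


def pap_wire_bytes(username: bytes, password: bytes) -> bytes:
    """What PAP puts on the link: the credential itself, unprotected."""
    return username + b"\x00" + password


if __name__ == "__main__":
    server = ChapServer(SHARED_SECRET)
    print("CHAP login:", chap_login(server, SHARED_SECRET))
    print("CHAP replay rejected:", replay_is_rejected(server, SHARED_SECRET))
    print("PAP on the wire:", pap_wire_bytes(b"alice", b"hunter2"))
```

Two details carry the security argument: the server keeps only challenges it issued and deletes each one on first use, so a replayed response fails, and the comparison uses a constant-time check so the verifier does not leak how many bytes of the hash matched. Note that standard CHAP still requires the server to store the cleartext secret, which is one reason stronger EAP methods replaced it.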

A 128-bit key has?

2^128 possible keys (about 3.4 x 10^38), far too many to search by brute force.

VPN tunneling protocols operate on which layer of the OSI model?

A VPN tunneling protocol operates at the Data Link layer to encapsulate the VPN frame into a Network layer packet, no matter what Network layer protocol is used.

cipher

A mathematical code used to scramble data into a format that can be read only by reversing the cipher—that is, by deciphering, or decrypting, the data.

Remote Access

A method for connecting and logging on to a server, LAN, or WAN from a workstation that is in a different geographical location.

Symmetric Encryption

A method of encryption that requires the same key to encode the data as is used to decode the cipher text.

Digital Certificate

A small file containing verified identification information about the user and the user's public key. Digital certificates are issued and maintained by a certificate authority, which attaches its own digital signature to the digital certificate to validate the certificate.

Compare authentication protocols.

Authentication protocols vary according to which encryption schemes they rely on and the steps they take to verify credentials.
■ RADIUS can operate as a software application on a remote access server or on a computer dedicated to this type of authentication, called a RADIUS server.
■ MS-CHAPv2 uses stronger encryption than earlier encryption protocols, does not use the same encryption strings for transmission and reception, and requires mutual authentication.
■ EAP only provides the framework for authenticating clients and servers. It does not perform encryption or authentication on its own. Instead, it works with other encryption and authentication schemes to verify the credentials of clients and servers.
■ The 802.1X standard specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port.
■ AES uses a more sophisticated family of ciphers than TKIP does, and transforms the data in multiple stages.
■ Kerberos is a cross-platform authentication protocol that uses symmetric key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system.
■ For greater security, some systems require clients to supply two or more pieces of information to verify their identity.

How does hashing work?

A hash function runs data of any length through an algorithm that produces a fixed-length digest, generally much smaller than the input. The same input always yields the same digest, a change of even one bit produces a completely different digest, and the process is practically impossible, mathematically, to reverse. A receiver recomputes the digest and compares it with the one it was given to detect alteration.
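The following Python is an added example (not from the original study set) covering both how hashing works and its use for data integrity, as asked about elsewhere in this set. It shows the fixed-length digest, the avalanche effect, the checksum-style integrity check, and the caveat a practitioner needs: an unkeyed hash only detects accidental change, because an attacker who alters the data can recompute it. A keyed hash (HMAC) with a shared secret, which is what IPsec's AH and ESP use for authentication, closes that gap. The messages and key are constructed values.

```python
"""Hashing for integrity: unkeyed digest versus keyed digest (HMAC).

Added example; not from the original study set. The messages and the
shared key are constructed for illustration.
"""
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-length digest of arbitrary-length input (hex encoded)."""
    return hashlib.new(algorithm, data).hexdigest()


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def integrity_ok(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Checksum-style check: recompute and compare in constant time."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex)


def mac_hex(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac_hex(key, data), tag_hex)


def attacker_beats_plain_hash(tampered: bytes) -> bool:
    """An on-path attacker alters the data and simply recomputes the digest.

    The receiver's unkeyed check passes, so a plain hash protects only
    against accidental corruption, not against deliberate tampering.
    """
    forged_digest = digest_hex(tampered)
    return integrity_ok(tampered, forged_digest)


def attacker_beats_mac(key: bytes, original: bytes, tampered: bytes) -> bool:
    """Without the key the attacker cannot produce a tag for the altered data,
    so the best they can do is reuse the original tag, which fails."""
    original_tag = mac_hex(key, original)
    return mac_ok(key, tampered, original_tag)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"        # constructed
    tampered = b"transfer 900 to account 42"   # constructed: one character changed
    key = b"shared-secret-between-sender-and-receiver"   # constructed

    print("md5    :", digest_hex(msg, "md5"))          # 32 hex chars = 128 bits
    print("sha256 :", digest_hex(msg))                 # 64 hex chars = 256 bits
    print("bits changed by one edit:", bits_changed(digest_hex(msg), digest_hex(tampered)))
    print("plain hash fooled by attacker:", attacker_beats_plain_hash(tampered))
    print("HMAC fooled by attacker     :", attacker_beats_mac(key, msg, tampered))
```

The point to take away is that a hash sent alongside the data authenticates nothing on its own; it must either be delivered over a channel the attacker cannot modify, be signed, or be replaced by a MAC whose key the attacker does not hold.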

EAPoL

EAP (extensible authentication protocol) over LAN

Benefits of using EAP?

EAP only provides the framework for authenticating clients and servers. It does not perform encryption or authentication on its own. Instead, it works with other encryption and authentication schemes to verify the credentials of clients and servers.
■ The 802.1X standard specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port.

What is endpoint security?

Even if data is encrypted in transit, at some point data is accessed, stored, or otherwise manipulated in its unencrypted form, and this is when vulnerability is greatest.

XaaS

Everything/Anything as a Service

Why might a network administrator configure port forwarding?

SSH offers several encryption methods, and it can also be configured to perform port forwarding, which means it can redirect traffic that would normally use an insecure port (such as FTP) through an SSH-secured connection. This allows you to use SSH for more than simply logging on to a host and manipulating files. With port forwarding, you could, for example, exchange HTTP traffic with a Web server via a secured SSH connection, so that the cleartext protocol is exposed only on the loopback interfaces at each end of the tunnel.

What is IPsec? What effect does IPsec have on a packet? Five steps IPsec uses.

IPsec (Internet Protocol Security) is a protocol suite that defines the rules for encryption, authentication, and key management for TCP/IP transmissions. It is an enhancement to IPv4 and is native to IPv6. IPsec works at the Network layer of the OSI model, adds security information to the header of all IP packets, and transforms the data packets. IPsec creates secure connections in five steps, as follows:
1. IPsec initiation: Noteworthy traffic, as defined by a security policy, triggers the initiation of the IPsec encryption process.
2. key management: The way in which two nodes agree on common parameters for the keys they will use. This phase primarily includes two services: IKE (Internet Key Exchange), which negotiates the exchange of keys, including authentication of the keys, and ISAKMP (Internet Security Association and Key Management Protocol), which works within the IKE process to establish policies for managing the keys.
3. security negotiations: IKE continues to establish security parameters and associations that will serve to protect data while in transit.
4. data transfer: After parameters and encryption techniques are agreed on, a secure channel is created, which can be used for secure transmissions until the channel is broken. Either AH (Authentication Header) or ESP (Encapsulating Security Payload) may be used. Both authenticate the packet with a keyed hash (HMAC) using the keys negotiated by IKE; AH provides integrity and origin authentication only, with no encryption, while ESP additionally encrypts the payload (in tunnel mode, the entire original IP packet).
5. termination: IPsec requires regular reestablishment of a connection to minimize the opportunity for interference. The connection can be renegotiated and reestablished.

Compare encryption protocols.

IPsec (Internet Protocol Security) is a protocol suite that defines the rules for encryption, authentication, and key management for TCP/IP transmissions. It is an enhancement to IPv4 and is native to IPv6. IPsec works at the Network layer of the OSI model, adds security information to the header of all IP packets, and transforms the data packets. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both methods of encrypting TCP/IP transmissions, including Web pages and data entered into Web forms, en route between the client and server using public key encryption technology. The two protocols can work side by side and are widely known as SSL/TLS or TLS/SSL. All browsers today (for example, Google Chrome, Firefox, and Internet Explorer) support SSL/TLS to create secure transmissions of HTTP sessions.

Public Key Encryption

In public key encryption, data is encrypted using two keys: One is a key known only to a user (that is, a private key), and the other is a public key associated with the user. A user's public key can be obtained the old-fashioned way—by asking that user—or it can be obtained from a third-party source, such as a public key server

IPsec

Internet Protocol Security

ISAKMP

Internet Security Association and Key Management Protocol

Terms associated with Kerberos.

• KDC (Key Distribution Center): The server that issues keys to clients during initial client authentication
• AS (authentication service): The process that runs on a KDC to initially validate a client
• ticket: A temporary set of credentials that a client uses to prove that its identity has been validated (note that a ticket is not the same as a key, which is used to initially validate its identity)
• principal: A Kerberos client, or user

MD5

Message Digest 5

MS-CHAP

Microsoft Challenge Handshake Authentication Protocol

MFA

Multi-Factor Authentication

PAP

Password Authentication Protocol

Paas

Platform as a Service

PTP

Point to point

PPPoE

Point-to-Point Protocol over Ethernet

PPTP

Point-to-Point Tunneling Protocol

Private vs public key encryption

■ Private key encryption is also known as symmetric encryption because the same key is used during both the encryption and decryption of the data.
■ In public key encryption, a user's public key can be obtained from a third-party source, such as a public key server. But the encrypted message can only be decrypted with the user's private key.

PKI

Public Key Infrastructure

RADIUS operates in what platforms and what layer of the OSI model?

RADIUS (Remote Authentication Dial-In User Service) is a popular protocol for providing centralized AAA (authentication, authorization, and accounting) for multiple users. It runs as an application-layer service over UDP at the Transport layer (ports 1812 for authentication and 1813 for accounting), can be installed on a remote access server or on a dedicated RADIUS server, and can use one of several authentication protocols.

RADIUS vs TACACS+

• Relies on TCP, not UDP, at the Transport layer
• Was developed by Cisco Systems, Inc., originally as a proprietary protocol (it has since been published as RFC 8907 and is implemented by other vendors)
• Is typically used for device administration, that is, controlling administrative logins to routers and switches, whereas RADIUS is more common for network access; in both cases the server runs on a host and the router or switch is the client
• Encrypts the entire body of the AAA packet (RADIUS only hides the password)

RAS

Remote Access Service

RADIUS

Remote Authentication Dial-In User Service

RRAS

Routing and Remote Access Service

SFTP

SSH File Transfer Protocol (often expanded as Secure File Transfer Protocol)

SHA

Secure Hash Algorithm

SSH

Secure Shell

SSTP

Secure Socket Tunneling Protocol

SSL

Secure Sockets Layer

SLIP

Serial Line Internet Protocol

SSO

Single Sign On

SaaS

Software as a Service

TKIP

Temporal Key Integrity Protocol

TACACS+

Terminal Access Controller Access Control System Plus

802.1x

The 802.1X standard, codified by IEEE, specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port.

What is EAPoL?

The 802.1X standard, codified by IEEE, specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port. Although it's primarily used with wireless networks now, it was originally designed for wired LANs; thus, it's also known as EAPoL (EAP over LAN). 802.1X only defines a process for authentication. It does not specify the type of authentication or encryption protocols clients and servers must use. However, 802.1X is commonly used with RADIUS authentication. As you might expect, for nodes to communicate using 802.1X, they must agree on the same authentication method.

Authentication

The process of comparing and matching a client's credentials with the credentials in a client database to enable the client to log on to the network.

ciphertext

The unique data block that results when an original piece of data (such as text) is encrypted (for example, by using a key).

SSL Handshake Protocol

This handshake conversation is similar to the TCP three-way handshake discussed in earlier chapters. Given the scenario of a browser accessing a secure Web site, the SSL/TLS handshake works as follows:
1. The browser, representing the client computer in this scenario, sends a client_hello message to the Web server, which contains information about what level of security the browser is capable of accepting and what type of encryption the browser can decipher. The client_hello message also carries a randomly generated number contributed by the client and another number that identifies the SSL session.
2. The server responds with a server_hello message that confirms the information it received from the browser and agrees to certain terms of encryption based on the options supplied by the browser. The server sends its digital certificate, which carries its public key.
3. If the server requests a certificate from the browser, the browser sends it. The browser uses the server's public key to protect the key material from which both sides derive session keys used only for this one session; the application data that follows is encrypted with those symmetric session keys, not with the public key. After the browser and server have agreed on the terms of encryption, the secure channel is in place and they begin exchanging data.

TGS

Ticket Granting Service

TGT

Ticket Granting Ticket

How does a VPN work? What is the purpose of a VPN?

To ensure a VPN can carry all types of data in a private manner over any kind of connection, special VPN protocols encapsulate higher-layer protocols in a process known as tunneling.

TLS

Transport Layer Security

TTLS

Tunneled Transport Layer Security

L2TP vs PPTP

Unlike PPTP, L2TP is a standard accepted and used by multiple vendors, so it can connect a VPN that uses a mix of equipment types.

VPN

Virtual Private Network

What is the benefit of using a digital certificate?

With the abundance of private and public keys, not to mention the number of places where each may be kept, users need easier key management. One answer to this problem is to use digital certificates. A person or a business, called the user, can request a digital certificate, which is a small file containing verified identification information about the user and the user's public key. The digital certificate is issued and maintained by an organization called a certificate authority (CA). The CA attaches its own digital signature to the digital certificate to validate the certificate, so anyone who trusts the CA can verify that the public key really belongs to the named user. The use of certificate authorities to associate public keys with certain users is known as PKI (Public Key Infrastructure).

What is the function of IETF?

an organization of volunteers who help develop Internet standards

Explain the three tenets of the CIA triad of the data assurances each provides.

• confidentiality: Data can only be viewed by its intended recipient or at its intended destination.
• integrity: Data was not modified after the sender transmitted it and before the receiver picked it up.
• availability: Data and services are accessible to authorized users when needed.

What is the purpose of hashing?

data integrity—that is, to verify the data has not been altered in transit, which is similar to the purpose of a checksum.

What are the three categories of authentication factors?

• knowledge: something you know, such as a password
• possession: something you have, such as an ATM card
• inherence: something you are, such as your fingerprint

Services offered by cloud computing.

• on-demand service available to the user at any time: Services, applications, and storage in a cloud are available to users at any time, upon the user's request. For example, if you subscribe to Google's Gmail or Google Docs services, you can log on and access your mail and documents whenever you choose.
• elastic services and storage: Services and storage capacity can be quickly and dynamically (sometimes even automatically) scaled up or down. In other words, they are elastic. The elasticity of cloud computing means that storage space can be reduced, and that applications and clients can be added or removed, upon demand. For example, if your database server on the cloud needs additional hard disk space, you can upgrade your subscription to expand it yourself, without having to alert the service provider. To make things even more convenient, a cloud-based server can be configured to require no intervention in this situation. The amount of space you can add and the flexibility with which it can be added depend on your agreement with the service provider.
• support for multiple platforms: Clients of all types, including smartphones, laptops, desktops, thin clients, and tablet computers, can access services, applications, and storage in a cloud, no matter what operating system they run or where they are located, as long as they have a network connection.
• resource pooling and consolidation: In the cloud, as on host computers that contain multiple virtual machines, resources such as disk space, applications, and services are consolidated. That means a single cloud computing provider can host hundreds of Web sites for hundreds of different customers on just a few servers. This is an example of a multi-tenant model, in which multiple customers share storage locations or services without knowing it. In another example of resource pooling, a single backup program might ensure that the Web sites are backed up several times a day.
• metered service: Everything offered by a cloud computing provider, including applications, desktops, storage, and other services, is measured. A provider might limit or charge by the amount of bandwidth, processing power, storage space, or client connections available to customers.

VPN models?

• site-to-site VPN
• client-to-site VPN, also called host-to-site VPN or remote-access VPN
• host-to-host VPN

SFTP is also called?

sometimes called FTP over SSH or SSH FTP