Chapter 7
Challenge
A random string of text issued from one computer to another in some forms of authentication. A challenge is used, along with the password (or other credential), in a response to verify the computer's credentials.
AES
Advanced Encryption Standard
CIA
Certificate Authority
CIA Triad
Confidentiality, Integrity, Availability
What is DirectAccess?
DirectAccess A service embedded in Windows Server 2008 R2, 2012, and 2012 R2 that can automatically authenticate remote users and computers to
EAPoL
EAP (Extensible Authentication Protocol) over LAN. The IEEE standard that defines port-based security for wireless network access control. It offers a means of authentication and defines EAP over IEEE 802, and it is often known as 802.1X.
ESP
Encapsulated Security Payload
Why is Telnet considered insecure?
Telnet provides little security for establishing a connection (poor authentication) and no security for transmitting data (no encryption).
Brute force attacks.
A brute force attack simply means trying numerous possible character combinations to find the correct combination.
HVD
hosted virtual desktop
What is meant by the phrase "data integrity"?
To verify that the data has not been altered in transit, which is similar to the purpose of a checksum.
HVD
(hosted virtual desktop) A desktop operating environment hosted virtually on a different physical computer from the one the user interacts with.
Non-repudiation
(similar to confidentiality and authenticity)—Provides proof of delivery (protects the sender) and proof of the sender's identity (protects the receiver).
SSO
(single sign-on) A form of authentication in which a client signs on once to access multiple systems or resources.
802.11i
802.11i uses 802.1X (EAPoL) to authenticate devices and dynamically assigns every transmission its own key.
PuTTY
A Windows based freeware SSH client
Public Key Server
A public key server is a publicly accessible host (such as a server on the Internet) that freely provides a list of users' public keys, much as a telephone book provides a list of people's phone numbers.
Solution
A robust word that refers to a product, service, or combination of products and services. The term is commonly used in technology because these products and services often exist specifically to solve problems, and the solution often includes extra features, such as ongoing customer service.
Tunnel
A secured, virtual connection between two nodes on a VPN.
Key
A series of characters that is combined with a block of data during that data's encryption. To decrypt the resulting data, the recipient must also possess the key.
Key Pair
A series of characters that is combined with a block of data during that data's encryption. To decrypt the resulting data, the recipient must also possess the key.
asymmetric encryption
A type of encryption (such as public key encryption) that uses a different key for encoding data than is used for decoding the cipher text.
AH
Authentication Header
AS
Authentication Service
AAA
Authentication, Authorization, and Accounting
List two reasons why CHAP is more secure than PAP
CHAP (Challenge Handshake Authentication Protocol) is another authentication protocol that can operate over PPP. Unlike PAP, CHAP encrypts usernames and passwords for transmission. It also differs from PAP in that it requires three steps to complete the authentication process. Together, these steps use a three-way handshake. Figure 7-17 illustrates the three-way handshake used in CHAP.
Hashed
Data that has been transformed through a particular algorithm that generally reduces the amount of space needed for the data. Hashed data is nearly impossible, mathematically, to reverse.
GRE
Generic Routing Encapsulation
GRE
Generic Routing Encapsulation. A tunneling protocol developed by Cisco Systems.
Collision
(1) In Ethernet networks, the interference of one node's data transmission with the data transmission of another node sharing the same segment. (2) In the context of hashing, a problem that occurs when two different data sets, used as input, result in the same hash value.
IaaS
Infrastructure as a Service
KDC
Key Distribution Center
L2TP
Layer 2 Tunneling Protocol
SLIP vs PPP
SLIP is an earlier Point-to-Point Protocol that does not support encryption, can carry only IP packets, and works strictly on serial connections. SLIP has been replaced by PPP, which can support several types of Network layer protocols and can provide weak encryption.
SSL and TLS
Secure Sockets layer / Transport Layer Security - An encryption layer of HTTP that uses public key cryptography to establish a secure connection.
Encryption
The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm— that is, by decrypting the data—to keep the information private.
Xen
Virtualization software by Citrix.
Protocols used in WPA vs WPA-2
WPA = TKIP (Temporal Key Integrity Protocol)
WPA-2 = AES (Advanced Encryption Standard)
Key management services
The term key management refers to the way in which two nodes agree on common parameters for the keys they will use. This phase primarily includes two services:
• IKE (Internet Key Exchange)—Negotiates the exchange of keys, including authentication of the keys
• ISAKMP (Internet Security Association and Key Management Protocol)—Works within the IKE process to establish policies for managing the keys
Algorithm
A set of rules that tells a computer how to accomplish a particular task. For example, a computer uses an algorithm to create an encryption key.
Describe 3 different (general) ways a VPN can be established.
A virtual private network (VPN) is a virtual connection between a client and a remote network, two remote networks, or two remote hosts over the Internet or other types of networks, used to remotely provide network resources.
Compare tunneling protocols.
After connecting to a remote network, a remote client can access files, applications, and other shared resources, such as printers, like any other client on the server, LAN, or WAN.
■ SLIP is an earlier Point-to-Point Protocol that does not support encryption, can carry only IP packets, and works strictly on serial connections. SLIP has been replaced by PPP, which can support several types of Network layer protocols and can provide weak encryption.
■ To ensure a VPN can carry all types of data in a private manner over any kind of connection, special VPN protocols encapsulate higher-layer protocols in a process known as tunneling.
■ A VPN tunneling protocol operates at the Data Link layer to encapsulate the VPN frame into a Network layer packet, no matter what Network layer protocol is used.
■ GRE encapsulates PPP frames to make them take on the temporary identity of IP packets at Layer 3. To the WAN, messages look like inconsequential IP traffic.
■ Unlike PPTP, L2TP is a standard accepted and used by multiple vendors, so it can connect a VPN that uses a mix of equipment types.
■ Remote virtual computing, also called terminal emulation, allows a user on one computer, called the client, to control another computer, called the host or server, across a network connection.
CA
Certificate Authority
Web Services
Cloud computing, also called Web services, refers to the flexible provision of data storage, applications, or services to multiple clients over a network.
private key encryption
In private key encryption, data is encrypted using a single key that only the sender and the receiver know. Private key encryption is also known as symmetric encryption because the same key is used during both the encryption and decryption of the data.
IaaS
Infrastructure as a Service
IETF
Internet Engineering Task Force
IKE
Internet Key Exchange
Key Management
The method whereby two nodes using key encryption agree on common parameters for the keys they will use to encrypt data.
MD5 vs SHA
The primary advantage of SHA over MD5 is its resistance to collisions, although the added security requires more time to perform the hashing process.
DNS Spoofing
A hacker forges name server records to falsify his host's identity.
CHAP's three way handshake
1. challenge—The server sends the client a randomly generated string of characters.
2. response—The client adds its password to the challenge and encrypts the new string of characters. It sends this new string of characters in a response to the server. Meanwhile, the server also concatenates the user's password with the challenge and encrypts the new character string, using the same encryption scheme the client used.
3. accept/reject—The server compares the encrypted string of characters it received from the client with the encrypted string of characters it has generated. If the two match, it authenticates the client. But if the two differ, it rejects the client's request for authentication.
A 128-bit key has?
2^128 possible character combinations.
VPN tunneling protocols operate on which layer of the OSI model?
A VPN tunneling protocol operates at the Data Link layer to encapsulate the VPN frame into a Network layer packet, no matter what Network layer protocol is used.
cipher
A mathematical code used to scramble data into a format that can be read only by reversing the cipher—that is, by deciphering, or decrypting, the data.
Remote Access
A method for connecting and logging on to a server, LAN, or WAN from a workstation that is in a different geographical location.
Symmetric Encryption
A method of encryption that requires the same key to encode the data as is used to decode the cipher text.
Digital Certificate
A small file containing verified identification information about the user and the user's public key. Digital certificates are issued and maintained by a certificate authority, which attaches its own digital signature to the digital certificate to validate the certificate.
Compare authentication protocols.
Authentication protocols vary according to which encryption schemes they rely on and the steps they take to verify credentials.
■ RADIUS can operate as a software application on a remote access server or on a computer dedicated to this type of authentication, called a RADIUS server.
■ MS-CHAPv2 uses stronger encryption than earlier encryption protocols, does not use the same encryption strings for transmission and reception, and requires mutual authentication.
■ EAP only provides the framework for authenticating clients and servers. It does not perform encryption or authentication on its own. Instead, it works with other encryption and authentication schemes to verify the credentials of clients and servers.
■ The 802.1X standard specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port.
■ AES uses a more sophisticated family of ciphers than TKIP does, and transforms the data in multiple stages.
■ Kerberos is a cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system.
■ For greater security, some systems require clients to supply two or more pieces of information to verify their identity.
How does hashing work?
Data that has been transformed through a particular algorithm that generally reduces the amount of space needed for the data. Hashed data is nearly impossible, mathematically, to reverse.
EAPoL
EAP (extensible authentication protocol) over LAN
Benefits of using EAP?
EAP only provides the framework for authenticating clients and servers. It does not perform encryption or authentication on its own. Instead, it works with other encryption and authentication schemes to verify the credentials of clients and servers.
■ The 802.1X standard specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port.
ESP
Encapsulating Security Payload
What is endpoint security?
Even if data is encrypted in transit, at some point data is accessed, stored, or otherwise manipulated in its unencrypted form, and this is when vulnerability is greatest.
XaaS
Everything/Anything as a Service
Why might a network administrator configure port forwarding?
SSH lets you choose among several types of encryption methods, and it can also be configured to perform port forwarding, which means it can redirect traffic that would normally use an insecure port (such as FTP) to an SSH-secured port. This allows you to use SSH for more than simply logging on to a host and manipulating files. With port forwarding, you could, for example, exchange HTTP traffic with a Web server via a secured SSH connection.
What is IPsec? What effect does IPsec have on a packet? Five steps IPsec uses.
IPsec (Internet Protocol Security) is an encryption protocol that defines the rules for encryption, authentication, and key management for TCP/IP transmissions. It is an enhancement to IPv4 and is native to IPv6. IPsec works at the Network layer of the OSI model and adds security information to the header of all IP packets and transforms the data packets. IPsec creates secure connections in five steps, as follows:
1. IPsec initiation—Noteworthy traffic, as defined by a security policy, triggers the initiation of the IPsec encryption process.
2. key management—The term key management refers to the way in which two nodes agree on common parameters for the keys they will use. This phase primarily includes two services:
• IKE (Internet Key Exchange)—Negotiates the exchange of keys, including authentication of the keys
• ISAKMP (Internet Security Association and Key Management Protocol)—Works within the IKE process to establish policies for managing the keys
3. security negotiations—IKE continues to establish security parameters and associations that will serve to protect data while in transit.
4. data transfer—After parameters and encryption techniques are agreed on, a secure channel is created, which can be used for secure transmissions until the channel is broken. Data is encrypted and then transmitted. Either AH (authentication header) encryption or ESP (Encapsulating Security Payload) encryption may be used. Both types of encryption provide authentication of the IP packet's data payload through public key techniques. In addition, ESP encrypts the entire IP packet for added security.
5. termination—IPsec requires regular reestablishment of a connection to minimize the opportunity for interference. The connection can be renegotiated and reestablished
Compare encryption protocols.
IPsec (Internet Protocol Security) is an encryption protocol that defines the rules for encryption, authentication, and key management for TCP/IP transmissions. It is an enhancement to IPv4 and is native to IPv6. IPsec works at the Network layer of the OSI model and adds security information to the header of all IP packets and transforms the data packets. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both methods of encrypting TCP/IP transmissions—including Web pages and data entered into Web forms—en route between the client and server using public key encryption technology. The two protocols can work side by side and are widely known as SSL/TLS or TLS/SSL. All browsers today (for example, Google Chrome, Firefox, and Internet Explorer) support SSL/TLS to create secure transmissions of HTTP sessions.
Public Key Encryption
In public key encryption, data is encrypted using two keys: One is a key known only to a user (that is, a private key), and the other is a public key associated with the user. A user's public key can be obtained the old-fashioned way—by asking that user—or it can be obtained from a third-party source, such as a public key server.
IPsec
Internet Protocol Security
ISAKMP
Internet Security Association and Key Management Protocol
Terms associated with Kerberos.
• KDC (Key Distribution Center)—The server that issues keys to clients during initial client authentication
• AS (authentication service)—The process that runs on a KDC to initially validate a client
• ticket—A temporary set of credentials that a client uses to prove that its identity has been validated (note that a ticket is not the same as a key, which is used to initially validate its identity)
• principal—A Kerberos client, or user
MD5
Message Digest 5
MS-CHAP
Microsoft Challenge Handshake Authentication Protocol
MFA
Multi-Factor Authentication
PAP
Password Authentication Protocol
PaaS
Platform as a Service
PTP
Point to point
PPPoE
Point-to-Point Protocol over Ethernet
PPTP
Point-to-Point Tunneling Protocol
Private vs public key encryption
Private key encryption is also known as symmetric encryption because the same key is used during both the encryption and decryption of the data.
■ In public key encryption, a user's public key can be obtained from a third-party source, such as a public key server. But the encrypted message can only be decrypted with the user's private key.
PKI
Public Key Infrastructure
RADIUS operates in what platforms and what layer of the OSI model?
RADIUS (Remote Authentication Dial-In User Service) A popular protocol for providing centralized AAA (authentication, authorization, and accounting) for multiple users. RADIUS runs over UDP and can use one of several authentication protocols.
RADIUS vs TACACS+
Compared with RADIUS, TACACS+:
• Relies on TCP, not UDP, at the Transport layer
• Was developed by Cisco Systems, Inc., for proprietary use (which means it only works on Cisco products)
• Is typically installed on a router or switch, rather than on a server
• Encrypts all information transmitted for AAA (RADIUS only encrypts the password)
RAS
Remote Access Service
RADIUS
Remote Authentication Dial-In User Service
RRAS
Routing and Remote Access Service
SFTP
Secure File Transfer Protocol
SHA
Secure Hashing Algorithm
SSH
Secure Shell
SSTP
Secure Socket Tunneling Protocol
SSL
Secure Sockets Layer
SLIP
Serial Line Internet Protocol
SSO
Single Sign On
SaaS
Software as a Service
TKIP
Temporal Key Integrity Protocol
TACACS+
Terminal Access Controller Access Control System Plus
802.1X
The 802.1X standard, codified by IEEE, specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port.
What is EAPoL?
The 802.1X standard, codified by IEEE, specifies the use of one of many authentication methods, plus EAP, to grant access to and dynamically generate and update authentication keys for transmissions to a particular port. Although it's primarily used with wireless networks now, it was originally designed for wired LANs; thus, it's also known as EAPoL (EAP over LAN). 802.1X only defines a process for authentication. It does not specify the type of authentication or encryption protocols clients and servers must use. However, 802.1X is commonly used with RADIUS authentication. As you might expect, for nodes to communicate using 802.1X, they must agree on the same authentication method.
Authentication
The process of comparing and matching a client's credentials with the credentials in a client database to enable the client to log on to the network.
ciphertext
The unique data block that results when an original piece of data (such as text) is encrypted (for example, by using a key).
SSL Handshake Protocol
This handshake conversation is similar to the TCP three-way handshake discussed in earlier chapters. Given the scenario of a browser accessing a secure Web site, the SSL/TLS handshake works as follows:
1. The browser, representing the client computer in this scenario, sends a client_hello message to the Web server, which contains information about what level of security the browser is capable of accepting and what type of encryption the browser can decipher. The client_hello message also establishes a randomly generated number that uniquely identifies the client and another number that identifies the SSL session.
2. The server responds with a server_hello message that confirms the information it received from the browser and agrees to certain terms of encryption based on the options supplied by the browser. Depending on the Web server's preferred encryption method, the server may choose to issue to the browser a public key or a digital certificate.
3. If the server requests a certificate from the browser, the browser sends it. Any data the browser sends to the server is encrypted using the server's public key. Session keys used only for this one session are also established.
After the browser and server have agreed on the terms of encryption, the secure channel is in place and they begin exchanging data.
TGS
Ticket Granting Service
TGT
Ticket Granting Ticket
How does a VPN work? What is the purpose of a VPN?
To ensure a VPN can carry all types of data in a private manner over any kind of connection, special VPN protocols encapsulate higher-layer protocols in a process known as tunneling.
TLS
Transport Layer Security
TTLS
Tunneled Transport Layer Security
L2TP vs PPTP
Unlike PPTP, L2TP is a standard accepted and used by multiple vendors, so it can connect a VPN that uses a mix of equipment types.
VPN
Virtual Private Network
What is the benefit of using a digital certificate?
With the abundance of private and public keys, not to mention the number of places where each may be kept, users need easier key management. One answer to this problem is to use digital certificates. A person or a business, called the user, can request a digital certificate, which is a small file containing verified identification information about the user and the user's public key. The digital certificate is issued and maintained by an organization called a certificate authority (CA). The CA attaches its own digital signature to the digital certificate to validate the certificate. The use of certificate authorities to associate public keys with certain users is known as PKI (Public-key Infrastructure).
What is the function of IETF?
An organization of volunteers who help develop Internet standards.
Explain the three tenets of the CIA triad and the data assurances each provides.
• confidentiality—Data can only be viewed by its intended recipient or at its intended destination.
• integrity—Data was not modified after the sender transmitted it and before the receiver picked it up.
• availability—Data is available and accessible to the intended recipient when needed, meaning the sender is accountable for successful delivery of the data.
What is the purpose of hashing?
data integrity—that is, to verify the data has not been altered in transit, which is similar to the purpose of a checksum.
What are the three categories of authentication factors?
• knowledge—something you know, such as a password
• possession—something you have, such as an ATM card
• inherence—something you are, such as your fingerprint
Services offered by cloud computing.
• on-demand service available to the user at any time—Services, applications, and storage in a cloud are available to users at any time, upon the user's request. For example, if you subscribe to Google's Gmail or Google Docs services, you can log on and access your mail and documents whenever you choose.
• elastic services and storage—Services and storage capacity can be quickly and dynamically—sometimes even automatically—scaled up or down. In other words, they are elastic. The elasticity of cloud computing means that storage space can be reduced, and that applications and clients can be added or removed, upon demand. For example, if your database server on the cloud needs additional hard disk space, you can upgrade your subscription to expand it yourself, without your having to alert the service provider. To make things even more convenient, a cloud-based server can be configured to require no intervention in this situation. The amount of space you can add and the flexibility with which it can be added depend on your agreement with the service provider.
• support for multiple platforms—Clients of all types, including smartphones, laptops, desktops, thin clients, and tablet computers, can access services, applications, and storage in a cloud, no matter what operating system they run or where they are located, as long as they have a network connection.
• resource pooling and consolidation—In the cloud, as on host computers that contain multiple virtual machines, resources such as disk space, applications, and services are consolidated. That means a single cloud computing provider can host hundreds of Web sites for hundreds of different customers on just a few servers. This is an example of a multi-tenant model, in which multiple customers share storage locations or services without knowing it. In another example of resource pooling, a single backup program might ensure that the Web sites are backed up several times a day.
• metered service—Everything offered by a cloud computing provider, including applications, desktops, storage, and other services, is measured. A provider might limit or charge by the amount of bandwidth, processing power, storage space, or client connections available to customers.
VPN models?
• site-to-site VPN
• client-to-site VPN, also called host-to-site VPN or remote-access VPN
• host-to-host VPN
SFTP is also called?
sometimes called FTP over SSH or SSH FTP