Security + Study Guide Lesson 11C

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Out-of-band

A serial console or modem port on a router is a physically out-of-band management method. Out-of-band management is more secure and means that access to the device is more secure and means that access to the device is preserved when there are problems affecting the production

True or false? A TLS VPN can only provide access to web-based network resources

False- a Transport Layer Security(TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP-level packets and is not constrained by application layer protocol type

Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?

Layer 2 Tunneling Protocol (L2TP)

What is the main advantage of IKE v2 over IKE V1?

Rather than just providing mutual authentication of the host endpoints, IKE v2 supports a user account authentication method, such as Extensible Authentication Protocol (EAP)

What is Microsoft's TLS VPN solution?

The secure sockets tunneling protocol (SSTP)

What bit of information confirms the identity of an SSH server to a client?

The server's public key (host key). Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a certificate authority

What IPSec mode would you use for data confidentiality on a private network?

Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality

Point-to-Point Protocol (PPP)

a widely used remote dial-in protocol. It provides encapsulation for IP traffic plus IP address assignment and authentication via the widely supported challenge Handshake Authentication Protocol (CHAP)

OpenVPN

an open source example of TLS VPN openVPN can work in TAP(bridged) mode to tunnel layer 2 frames or in TUN(routed) mode to forward IP packets

Transport Layer Security (TLS)

applied at the application level, either by using a separate secure port or by using commands in the application protocol to negotiate a secure connection

Remote Desktop Protocol (RDP)

can be used to access a physical machine on a one-to-one basis. Alternatively, the site can operate a remote desktop gateway that facilitates access to virtual desktops or individual apps running on the network servers

public key authentication

each remote user's public key is added to a list of keys authorized for each local account on the SSH server

IKE Phase 1

establishes the identity of the two hosts and performs key agreement using Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating hosts are commonly used: Digital Certificates and pre-shared key (group authentication)

Full tunnel

internet access is mediated by the corporate network, which will alter the clients IP address and DNS servers and may use a proxy

Always-on VPN

means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate

Remote Access

means that the user's device does not make a direct cabled or wireless connection to the network

In-band management link

one that shares traffic with other communications on the "production" network

Internet Protocol Security (IPSec)

operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support

Internet Key Exchange (IKE)

protocol handles authentication and key exchange, referred to as Security Associations (SA)

Authentication Header (AH)

protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an integrity check value (ICV)

Encapsulation Security Payload (ESP)

provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an integrity check value

Remote access management

refers to the specific use case of using a secure channel to administer a network appliance or server

TLS VPN (sill more commonly referred to as an SSL VPN)

requires a remote access server listening on port 443 (or any arbitrary port number). The client makes a connection to the server using TLS so that the server is authenticated to the client. This creates an encrypted tunnel for the user to submit authentication credentials, which would normally be processed by a RADIUS server

Split tunnel

the client accesses the internet directly using its "native" IP configuration and DNS Servers

username/password

the client submits credentials that are verified by the SSH server either against a local user database or using a RADIUS/TACACS+ server

Kerberos

the client submits the Kerberos credentials (a ticket granting ticket) obtained when the user logged onto the workstation to the server using GSSAPI (Generic Security Services Application Program Interface). The SSH server contacts the Ticket Granting Service (in a windows environment, this will be a domain controller) to validate the credential

Digital Certificates

the hosts use certificates issued by a mutually trusted certificate authority to identify one another

Secure Shell (SSH)

the principal means of obtaining secure remote access to a command-line terminal. The main uses of SSH are for remote administration and secure file transfer (SFTP)

Pre-shared key (group authentication)

the same passphrase is configured on both hosts

IPSec tunnel mode

this mode is used for communications between VPN gateways across an unsecure network(creating a VPN). This is also referred to as a router implementation with ESP, the whole IP packet (header and payload is encrypted and encapsulated as a datagram with a new IP header. Alt has no real use case in tunnel mode, as confidentiality will usually be required

IPSec Transport mode

this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode. the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header

SSH commands

used to connect to hosts and set up authentication methods

IKE phase II

uses the secure channel created in phase 1 to establish which ciphers and key sizes will be used with Alt and/or ESP in the IPSec session

Secure Sockets Tunneling Protocol (SSTP)

works by tunneling Point-to-Point (PPP) layer 2 frames over a TLS session


Kaugnay na mga set ng pag-aaral

ap human geography chapter 1 review

View Set

Texas Statutes and Rules Common to Life and Health Insurance

View Set

The American Legal System- Chapter 7

View Set

Chapter 51: Care of Patients with Ear and Hearing Problems NCLEX Prac Quest

View Set

Study Guide 3- Eating & Sleep-wake Disorders Questions

View Set

Unit 5 "Chemical Reaction Systems": Lesson 7 "Forces and Function"

View Set

[ APES ] Ch 13: Water Resources [ P2 ]

View Set