Network + Chapter 13


SSL and IPsec

2 important port numbers of security protocols to know.

FTP and Telnet

2 protocols that don't have the ability to encrypt passwords.

Usernames and passwords

2 things that are vital to network security because their whole purpose is to control initial access to it.

Expire

The way passwords should be managed so that users can change their password every 30 to 45 days.

Password

A credential that must be managed, composed of a combination of alphanumeric and special characters.

Port filtering

ACLs can also provide this type of filtering on port numbers as well as IP addresses.

ISAKMP

Provides the ability to safely transfer key and authentication data independent of the key generation technique, encryption algorithm, and authentication mechanism. It's integrated into IPsec.

Password Management features

Built-in features such as automatic account lockouts and password expiration. They help ensure your system remains secure and that passwords cannot be easily broken with password-cracking programs.

Strong password

A combination of numbers, letters, and special characters is used to make a password what?

PPTP

Combines an unsecured PPP session with a secured session using the GRE protocol.

RADIUS

Combines user authentication and authorization into one profile. It uses UDP.

ICA

Downside of this protocol is that it tends to be slow because of the huge amount of translation required to enable the client and server to communicate with each other properly.

3DES

Has a key length of 168 bits, but due to an attack known as man-in-the-middle, it really provides only 112 bits and arms you with 80 bits of effective security. The problem is that it's slow.

ISAKMP (Internet Security Association and Key Management Protocol)

Defines procedures and packet formats to establish, negotiate, modify, and delete security associations.

Multifactor Authentication

Designed to add an additional level of security to the authentication process by verifying more than one characteristic of a user before allowing access to a resource.

Security

Difference between VPN and LAN (VLAN) and WAN.

ESP

IPsec protocol that provides both authentication and encryption abilities.

Authentication Header (AH)

IPsec protocol that provides authentication services only, no encryption.

Private key

In PGP encryption, the matching key held by the recipient that can decrypt the session key and then decrypt the document.

Private key

In SSH, this cryptographic key is kept secret; it's never transferred over the network during authentication.

Digital certificate

Also known as a digital ID; it verifies the sender of a message even when the original sender does not have a public key, so the message can be sent anyway.

PPP (Point-to-Point Protocol)

Layer 2 protocol that provides authentication, encryption, and compression services to clients logging in remotely.

VPN

Tunneling protocol that makes your local host part of the remote LAN by using the WAN link that connects you to it, giving you very secure access to the remote LAN's resources.

PPTP

Tunneling protocol that uses two different protocols, and actually opens up two different network sessions. Not secure.

L2TP

Tunneling protocol that works at Layer 2 (Data Link Layer), implemented if you happen to have two non-TCP/IP networks that need to be connected via the Internet.

WAN

Two or more remote LANs connected together.

IPsec

Two protocols Authentication Header (AH) and Encapsulating Security Payload (ESP) work with this feature.

Discovery and session

Two stages that PPPoE works in.

IP addresses and MAC addresses

Two types of addresses that Access Control Lists can filter.

Public and Private

Two types of encryption keys.

Anonymous or Guest

Type of account that allows limited access for a large number of users who all log in under the same username. Used in FTP as a username.

IP spoofing attack

Type of attack in which someone pretends to have a network address on the inside of a firewall to gain network access, for example when a user in Network B pretends to be located in Network A.

PKI

Type of authentication used to perform transactions.

VPN

Type of security tunneling protocol that fits between a LAN and a WAN; many times it's just a WAN link, because your computer on one LAN connects to a different, remote LAN and uses its resources remotely.

RADIUS

Type of server used to store usernames and passwords of clients in a central spot through which connections are configured to pass authentication requests.

PPP

Used by ISPs and RAS to authenticate clients and as an authentication protocol.

Remote Access

Used by companies to allow employees to connect to the internal network and access resources that aren't in the office. Great for users who work from home.

PGP (Pretty Good Privacy)

Used by email systems that don't come with encryption abilities of their own.

SA (Security Association)

Used in ISAKMP that contains information required to execute security services such as header authentication and payload encapsulation.

Terminal window

Used in RDP after establishing a connection; a configured window that looks like a Windows or other OS's desktop. The client accesses the applications and files available to them.

Public key

Cryptographic key used in SSH, placed on any computer that must allow access to the owner of the matching private key.

TACACS+

Used in firewalls: when a user wants to access a particular TCP/IP port, they must provide a username and password.

PKI

Used to establish confidentiality and to ensure message integrity without knowing anything about the other party prior to their conversation. Also used to verify the digital signature of a private key's owner.

Group policies

Used to manage access for accounts. Can be used to manage access on anonymous accounts.

PKI

User authentication method that uses a public key and private key pair.

TACACS+

User authentication method that utilizes TCP protocol.

RADIUS

User authentication method that utilizes UDP protocol.

Owner

User who has access to the private key in an authentication system that uses private and public keys.

Firewalls

Uses ACLs (Access Control Lists) as its primary weapon.

Citrix WinFrame

Uses ICA to set up Windows applications on a Windows-based server and then allow clients with virtually any OS to access those applications.

CHAP

Uses the MD5 algorithm; replaced PAP, which sends usernames and passwords in clear text, which this protocol does not.

Inbound and outbound

Where separate ACLs should be placed on the router to ensure that the data that is leaving your network comes from a different source than the data that's coming into it.

Disabling accounts

Needs to be done to a user account when a user leaves the organization. This gives you some time to think and make a decision about the best option for that account instead of deleting it; it could just be renamed for a new hire.

802.1x

Network access security method commonly used in wireless networks.

Single sign on

Never need to provide another password as long as the token is verified.

RAS (Remote Access Server)

Not a protocol but refers to the combination of hardware and software required to make a remote access connection.

1

Number of times a user should be logged in with their account.

802.1x

Open framework designed to support multiple authentication schemes. Used to authenticate wireless users.

SSL VPN

Process of using SSL to create a VPN.

SSH (Secure Shell)

Protocol designed as an alternative to Telnet. It creates a secure channel between the devices and provides confidentiality and integrity of the data transmission.

ICA (Independent Computing Architecture)

Protocol that provides communication between servers.

CHAP

Protocol that requires the shared secret to be stored locally.

Telnet

Protocol that transmits requests and responses in clear text. It's insecure.

TACACS+

Protocol that's also an AAA method and an alternative to RADIUS. Capable of performing authentication on behalf of multiple wireless APs, RAS servers, and LAN switches that are 802.1x capable.

AH

Protocol used in IPsec not compatible with networks running NAT.

IPsec

Provides authentication and encryption over the Internet. Works at the Network Layer (Layer 3) and secures all applications that operate in the layers above it.

PGP

Public key encryption designed to encrypt data for email transmission. Encrypts the document with a session key which is then encrypted with the public key of the recipient.

Symmetrical key

Public key where it's different at each end.

TLS (Transport Layer Security)

SSL merged with other Transport Layer security protocols to form?

VPN

Secured connection between two systems that would otherwise have to connect to each other through a non-secured network.

Kerberos

Security system that employs strong encryption for all transactions and communication, also issues tickets to users who log in.

Kerberos

Security system that should be implemented on more than one authentication server for redundancy; otherwise, having one of these servers in a failed state will not allow anyone to log in.

Firewalls

Security tool that can be either a stand-alone device or combined with another hardware device like a server or a router.

SSL (Secure Sockets Layer)

Security tunneling protocol based on RSA public key encryption and used to enable secure Session Layer connections over the Internet between a web browser and a web server.

VPN

Security tunneling protocol used when data that is being sent within the private network will not be seen by everyone on that network.

PAP (Password Authentication Protocol)

Sends usernames and passwords in clear text.

TACACS+

Separates authentication and authorization into two separate files. Uses TCP.

RADIUS

Server that manages PPPoE connections.

RADIUS

Servers that are client-server based authentication and encryption services maintaining user profiles in a central database.

Limiting Location

Should be done so that users who move around are limited in where they can log in.

Time period

Should be reset to something other than the default expiration time, in accordance with your security policy.

HTTP or Windows server

Should be used to secure documents instead of renaming the Internet user account or setting a password, because if you do, the general public won't be able to view your website.

CHAP (Challenge Handshake Authentication Protocol)

A secure authentication protocol because the username and password never cross the wire. Both client and server are configured with the same text phrase known as shared secret.

Tunnel

A single private path through the internet.

Anonymous

Accounts that cannot be tracked through regular network access. It's recommended that they be disabled.

Local host

Address 127.0.0.0/8

127.0.0.0/8

Address of the local host.

IP addresses

Which addresses are easier to deal with, IP addresses or MAC addresses?

MAC addresses

Addresses that can be allowed or denied by ACLs other than IP addresses. This type of address is known as a hardware address.

PKI

Allows people to communicate with each other with confidence that they're talking to who they think they are talking to.

RDP

Allows users to connect to a computer running remote desktop services from a different location. Current version is 7.1.

Symmetrical key

Also known as public key.

Administrator account

Also known as network maintenance account that should be renamed from the default name to ensure security.

RADIUS

An authentication server that allows for domain level authentication on both wired and wireless networks.

Kerberos

An entire security system that establishes a user's identity when they first log on to a system that's running it.

PPPoE (Point-to-Point Protocol over Ethernet)

An extension of PPP. Its purpose is to encapsulate PPP frames within Ethernet frames. Deals with the massive increase in high-speed Internet connections.

No

Answer you should give when performing a transaction where a pop-up notifies you that a certain site's certificate or key has expired and asks you if you want to proceed.

Side channel attack

Attack used currently to try and crack AES encryption. It gathers information from the physical implementation of a security system.

RADIUS

Authentication and accounting service used for verifying users over various types of links, including dial-up.

Kerberos

Authentication method that relies on tickets to grant access to resources.

AAAA

Authentication, Authorization, Accounting, and Auditing. Robust version that adds auditing.

AAA

Authentication, Authorization, and Accounting. Used to manage network security through one central location.

Private key

Cryptography key used to sign a document electronically when a digital signature is needed.

Asymmetric cryptography

Cryptography that PKI uses, which uses a different key to encrypt and decrypt the message.

Symmetric cryptography

Cryptography that uses the same key to encrypt and decrypt. This makes it less secure.

Public key

Cryptography used in SSH to authenticate the remote computer and allow the remote computer to authenticate the user.

64 bit

Current encryption bit strength used. US banks use higher more secure encryption methods.

Tunneling

Encapsulating one protocol within another to ensure that a transmission is secure.

Symmetrical encryption keys

Encryption key where both the sender and receiver have the same key and use it to encrypt and decrypt all messages. The downside is that it's hard to maintain the security of the key.

AES (Advanced Encryption Standard)

Encryption known as 'Rijndael'; it has been the official encryption standard in the US since 2002.

SSL VPN

Encryption protocol or standard that allows you to create a private network on an intranet.

IPsec

Encryption protocol that works with both IPv4 and IPv6.

AES

Encryption that provides 128, 192, or 256 bits of encryption. Difficult to crack.

DES (Data Encryption Standard)

Encryption that uses lookup and table functions, and it actually works much faster than more complex systems. It uses 56-bit keys, which are too short.

Public key encryption

Encryption that uses the Diffie-Hellman algorithm, which employs a public key and a private key to encrypt and decrypt data.

Public key encryption

Encryption where the sending machine's public key is used to encrypt a message, which the receiving machine decrypts with its private key.

RSA encryption

Encryption with a public key algorithm, encryption software used in electronic commerce protocol.

3DES (Triple Data Encryption Standard)

Encrypts 3 times and allows you to use 1, 2, or 3 separate keys. Using all 3 keys gives you the highest level of security. It has a key length of 168 bits (56x3).

EAP-TLS

Enhanced form of EAP that provides mutual authentication.

EAP-TTLS

Enhanced form of EAP-TLS that provides mutual authentication and tunneling; creates a secure tunnel through which password-based versions like EAP-MD5 can run.

Security filtering

Ensures that only authorized computers get to enter your network, and makes sure the data you're sending back and forth between networks is secured so it can't be intercepted and translated by hackers.

Tunneling

An example of this concept is when IP, also known as the payload protocol, is encapsulated within a delivery protocol like IPsec and encrypted.

Automatic Account Lockout

Feature that locks your account after a few unsuccessful attempts, some will disable the account.

Automatic Account Lockout

Feature that prevents a potential hacker from running an automated script to crack account passwords by continuously attempting to log in.

Port filtering

Firewalls provide this type of filtering on port numbers but it's important to know the port numbers of all traffic that needs to be allowed through the firewall.

User accounts

First step in managing access to network resources and the rights you assign to those resources. These accounts are maintained on a daily basis: they get renamed, and you can set password expiration, account expiration, and login options.

PKI (Public Key Infrastructure)

It's a system that links users to public keys and verifies the user's identity by using a certificate authority (CA).

EAP (Extensible Authentication Protocol)

It's an extension of PPP that provides a host of additional authentication methods for remote-access clients such as smart cards, certificates, Kerberos, retinal scans, fingerprint, etc.

15

Maximum number of characters that a password should have.

Network Access Control (NAC)

Method of securing network hosts before they're allowed to access the network. 802.1x is the most common of this method.

8

Minimum number of characters that a password should have.

Transport mode

Mode in IPsec that creates a secure tunnel between two devices end to end. The packet or data is protected by authentication and or encryption but not both.

Tunnel mode

Mode in IPsec that uses both AH and ESP to authenticate and encrypt the packet at the same time. Transport mode cannot use both.

Tunnel mode

Mode in IPsec that uses both authentication and encryption (AH/ESP) on the data or packet.

Transport mode

Mode in IPsec that uses either AH or ESP to either authenticate or encrypt the packet, but cannot use both at the same time like tunnel mode can.

Tunnel mode

Mode in IPsec where a tunnel is created between two endpoints, such as two routers or two gateway servers, protecting all traffic that goes through the tunnel.

Administrator

Password resets can be done automatically by the network OS but should instead be done manually by the only person who should reset passwords, for security. Who should be able to do this?

Administrator

Person that should have 2 accounts: one for day-to-day use, and one account with a different name to be used for administrative purposes instead.

Administrator

Personnel that unlocks an administrator's account when he gets locked out.

Discovery

Phase in PPPoE where the MAC address of each of the connection's endpoints is given to the other so that a secure PPP connection can be made.

ACL

Prevents users on Network B from accessing Network A.

Encryption key

Random string of characters that is used in conjunction with the encryption algorithm. Unique to each transaction.

RAS

Remote access where tunneling such as PPTP can be set up and authentication such as MS-CHAP or EAP can be used.

RAS

Remote access where users dial in via a modem, are authenticated by the server, and are then asked for their username and password as if they were on the local network.

PPTP

Replaced by L2TP and IPsec. Vulnerable to spoofing attacks.

ACL

Reside on routers to determine which packets are allowed to route through them based on the requesting device's source or destination IP address. Also used by firewalls as their primary weapon.

VLAN

Solution for networks that are physically local.

VPN

Solution for networks that are physically remote that span a WAN.

Session

Stage in PPPoE where a session ID is created and used to facilitate further data transmission during the session. When the MAC addresses of the endpoints are known to each other, a point-to-point connection is created and this stage begins.

L2TP

Supports non TCP/IP protocols in VPNs over the Internet. A combination of PPTP and L2F.

Security filtering

The first line of defense that refers to ways to let people securely access your resources.

Firewalls

Tool that helps prevent any unauthorized users roaming around on public networks from gaining access to your private network.

Site-to-Site VPN

VPN known as an intranet VPN; allows a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.

PPTP

VPN protocol that allows encryption to be done at the application level and allows secure access to a VPN.

PPTP

VPN protocol that runs at port 1723.

Extranet VPN

VPN that allows an organization's suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

Remote access VPN

VPN that allows remote users like telecommuters to securely access the corporate network wherever and whenever they need to.

SSL VPN

VPN that can be used with a tunneling protocol, anything sent from my PC to my corporate office would be locked up nice and secure.

Denied

What should be configured on ACLs for these addresses that should never be allowed to enter your internetwork: 1. Addresses from your internal networks. 2. Local host address (127.0.0.0/8). 3. Reserved private addresses. 4. Any addresses in the IP multicast address range (224.0.0.0/4).

Limiting connection

What should be done to all users to avoid having multiple logins with the same credentials, because someone is probably using their account at the same time.

Two-factor Authentication

When 2 factors of authentication are being tested.

Multifactor Authentication

When more than two (Sometimes just 3) factors of authentication are being tested. Prevents loss of passwords.

Single sign on

When the user logs into the domain, the domain controller issues an access token. The access token contains a list of all the resources (folders, drives, websites, databases) to which they have access.

Encryption

Works by running data through a special encryption formula called a key that the designated sending and receiving devices both know. When the data arrives at its destination the receiving device uses the key to decode data back into its original form.

IPsec

Works in two modes: transport and tunneling.

MS-CHAP

Works the same way as CHAP except it encrypts the secret locally. It uses DES for encryption, and it's capable of mutual authentication.
