Network Security
SHA1
160 bit hash In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST.[2] SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.
PAP
A password authentication protocol (PAP) is an authentication protocol that uses a password. PAP is used by Point to Point Protocol to validate users before allowing them access to server resources. Almost all network operating system remote servers support PAP. PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP (the latter is actually a framework).
Race Condition
A race condition or race hazard is the behavior of an electronic, software or other system where the output is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. The term originates with the idea of two signals racing each other to influence the output first.
Wireless: Rogue AP
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.
Amplified Attack
A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publically accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target's address. When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect.
Fraggle Attack
A Fraggle Attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. It is very similar to a Smurf Attack, which uses spoofed ICMP traffic rather than UDP traffic to achieve the same goal.
Host-Based Firewall
A host-based firewall is a piece of software running on a single host that can restrict incoming and outgoing network activity for that host only. They can prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts. Software would protect computers on the same subnet in a lab that needs to communicate with each otehr using p2p communication
Anti-Malware Software
Deploy in addition to AV Can be host-based, server based, network based
IP filtering
IP filtering is simply a mechanism that decides which types of IP datagrams will be processed normally and which will be discarded. By discarded we mean that the datagram is deleted and completely ignored, as if it had never been received.
evidence/data collection (order)
In order of volatility: CPU Register CPU Cache Memory (RAM) ARP Cache Swap File Hard Drive Optical Media Remote Logs Paper Documentation
IV
Initialization Vector
Stateless Inspection
Only looks at packet header A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections.
Network-Based Firewall
Perimeter Security See also: INFW
DNSSEC
Prevent DNS Spoof: The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks.
Critical Nodes
Protect by multipathing
Reflector Attack
Reflector - Reflective DoS attacks Reflection Denial of Service attacks makes use of a potentially legitimate third party component to send the attack traffic to a victim, ultimately hiding the attackers' own identity. The attackers send packets to the reflector servers with a source IP address set to their victim's IP therefore indirectly overwhelming the victim with the response packets. The reflector servers used for this purpose could be ordinary servers not obviously compromised, which makes this kind of attack particularly difficult to mitigate. A common example for this type of attack is Reflective DNS Response attack.
SFTP
SFTP, which stands for SSH File Transfer Protocol, or Secure File Transfer Protocol, is a separate protocol packaged with SSH that works in a similar way over a secure connection. Compared to the SCP protocol, which only allows file transfers, the SFTP protocol allows for a range of operations on remote files which make it more like a remote file system protocol. An SFTP client's extra capabilities include resuming interrupted transfers, directory listings, and remote file removal. [1]
SHA2
Secure Hash Algorithm 2 Family includes 224, 256, 384, 512 bits
SHA3
Secure Hash Algorithm, Round 3 Sponge construction algorithm Family includes 224, 256, 384, 512 bits
TKIP
TKIP and the related WPA standard implement three new security features to address security problems encountered in WEP protected networks. First, TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine. This permitted the vast majority of the RC4 based WEP related key attacks.[5] Second, WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point. Finally, TKIP implements a 64-bit Message Integrity Check (MIC).[6]
TFTP
UDP 69 - useful. Could be replaced by SFTP (secure shell FTP) or SFPS (FTP over SSL) Trivial File Transfer Protocol (TFTP) is a simple, lockstep, File Transfer Protocol which allows a client to get a file from or put a file onto a remote host.
WPA Versions
WPA1 uses RC4 but with longer initialization vector (IV). uses TKIP to change beginning of encryption key every minute. WPA2 uses AES instead of RC4. Uses CCMP instead of TKIP. Dynamically changes entire encryption key. Enterprise WPA uses RADIUS and 802.1x Personal WPA uses PSK
WPA2
WPA2 uses AES instead of RC4. Uses CCMP instead of TKIP. Dynamically changes entire encryption key.
User Authentication
What you know What you have What you are
x.509
X.509 is an important standard for a public key infrastructure (PKI) to manage digital certificates[1] and public-key encryption[2] and a key part of the Transport Layer Security protocol used to secure web and email communication. An ITU-T standard, X.509 specifies formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
ACL
another word for stateless firewall
DMZ
home surveillance should be placed in DMZ
SLIP
should be replaced by PPP The Serial Line Internet Protocol (also SLIP) is an encapsulation of the Internet Protocol designed to work over serial ports and modem connections
IPSec
AH to provide authentication, non-repudiation, and integrity. ESP for enryption IKE manages security associations and key exchange Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications that works by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. AH Authentication Header provides data integrity and origin authentication, protects against replay ESP Encapsulating Security Payloads provide confidentiality, authentication, integrity SA Security Associations provide standard for authentication/etc ISAKMP ISA Key Management Protocol provides framework for authentication and key exchange
Posture Assessment
AKA Compliance Also: Network access control (NAC) will often inspect the "health" of clients when they connect. Health is based on pre-configured conditions and can be considered a posture assessment, or assessing the current state of the client. For example, when a computer connects, NAC can inspect the computer to determine if patches are up-to-date, if antivirus software is installed, running, and has up-to-date signatures, and if the firewall is enabled. If the computer passes all these tests it passes the assessment and is given a health certificate. The computer can use this health certificate to access the network. If the computer doesn't meet the assessment, it doesn't get a health certificate and is only granted limited access to the network. In some cases, it will be granted access to a quarantined network where it can access resources to get healthy.
ARP Poisoning
ARP Poisoning (also known as ARP Spoofing) is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the pairings in its IP to MAC address table. ARP Protocol translates IP addresses into MAC addresses. Because the ARP protocol was designed purely for efficiency and not for security, ARP Poisoning attacks are extremely easy to carry out as long as the attacker has control of a machine within the target LAN or is directly connected to it.
Spoofing
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
Access Lists
Access lists may be used for purposes filtering IP traffic, defining traffic to Network Address Translate (NAT) or encrypt, or filtering non-IP protocols such as AppleTalk ,IPX etc. Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router.
Port filtering
Allowing or blocking network packets into or out of a device or the network based on their application (port number). See TCP/IP port and opening a port. Only certain MAC addresses can connect to certain ports
Wireless: Evil Twin
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate, set up to eavesdrop on wireless communications.
Implicit Deny
Anything not specifically allowed is automatically blocked. Generally last rule on a firewall.
MAC filtering
Assigned MAC to designated port only In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
CHAP
Challenge Handshake Authentication Protocol Sends challenge. Client hashes with pwd. Server does same and authenticates initially as well as at random intervals. Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider. CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).[2] After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined. The authenticator checks the response against its own calculation of the expected hash value. If the values matches, the authenticator acknowledges the authentication; otherwise it should terminate the connection. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
ARP inspection
Checks validity of ARP packet based on IP to MAC bindings contained in trusted DHCP snooping binding database. Requires DHCP Snooping. Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors
DHCP Snooping
DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities: •Validates DHCP messages received from untrusted sources and filters out invalid messages. •Rate-limits DHCP traffic from trusted and untrusted sources. •Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses. •Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts. Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database. DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs. The DHCP snooping feature is implemented in software on the route processor (RP). Therefore, all DHCP messages for enabled VLANs are intercepted in the PFC and directed to the RP for processing.
Edge vs. Access Control
Edge: Controlling entry into the network (ACL) Access: Controlling access to particular areas or based on more in-depth analysis of the device entering
EAP
Extensible Authentication Protocol uses MFA Framework, not a specific mechanism EAP is an authentication framework for providing the transport and usage of keying material and parameters generated by EAP methods.[1] There are many methods defined by RFCs and a number of vendor specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.
Firewall Placement
External primary, but also INFW to protect strategic points
Reflective Attack on Authentication (pass the response)
In computer security, a reflection attack is a method of attacking a challenge-response authentication system that uses the same protocol in both directions. That is, the same challenge-response protocol is used by each side to authenticate the other side. The essential idea of the attack is to trick the target into providing the answer to its own challenge. The general attack outline is as follows: The attacker initiates a connection to a target. The target attempts to authenticate the attacker by sending it a challenge. The attacker opens another connection to the target, and sends the target this challenge as its own. The target responds to the challenge. The attacker sends that response back to the target on the original connection. If the authentication protocol is not carefully designed, the target will accept that response as valid, thereby leaving the attacker with one fully authenticated channel connection (the other one is simply abandoned).
TOCTOU
In software development, time of check to time of use (TOCTTOU or TOCTOU, pronounced "TOCK too") is a class of software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. This is one example of a race condition.
Routed Firewall
Inspect OSPF, RIP, BGP traffic as well as 802.1Q VLAN traffic
INFW
Internal Network Firewall. Sits as strategic points protecting assets.
Application aware firewall
L7 deep packet inspection Stateful inspection
Quarantine Network
Limiting access until validated (or "healthy")
MD5
Message Digest 5 128 bit hash
NAC
Network Access Control - computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network.[citation needed] NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed. A basic form of NAC is the 802.1X standard. Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
NTP
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use.
SOHO firewall
Often have: VPN, AV, content filtering, intrusion detection, DoS protection
Security Policies
Password complexity, account lockout, incidence response, mandatory vacation, separation of duties, least privilege, BYOD, wireless policies. Also disable unneeded network services, use secure protocols.
Phlashing Attack
Phlashing is a permanent denial of service (DoS) attack that exploits a vulnerability in network-based firmware updates
FTP
Port 20/21 should be replaced by SSH that has SCP and SFTP, port 22
WEP
Pre-shared key. 24 bit initialization vector concatenated with 40-bit key Easy to break In Shared Key authentication, the WEP key is used for authentication in a four-step challenge-response handshake: The client sends an authentication request to the Access Point. The Access Point replies with a clear-text challenge. The client encrypts the challenge-text using the configured WEP key and sends it back in another authentication request. The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply. After the authentication and association, the pre-shared WEP key is also used for encrypting the data frames using RC4.
TSIG
Prevent DNS Spoof: TSIG (Transaction SIGnature) is a computer networking protocol defined in RFC 2845. It is used primarily by the Domain Name System (DNS) to provide a means of authenticating updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave DNS server.
TEMPEST
RF emanation Tempest is the name of a technology involving the monitoring (and shielding) of devices that emit electromagnetic radiation (EMR) in a manner that can be used to determine contents
Critical Assets
Redudancies: RAID, clustered servers, backup generators
SSH
SLogin (SSH login), SCP (SSH Copy), SFTP (SSH FTP) SSHFS (SSH mounting remote filesystem) Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.[1] The best known example application is for remote login to computer systems by users. SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server.[2] Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.
SNMPv3
Secure network monitoring SNMPv3 focuses on two main aspects, namely security and administration. The security aspect is addressed by offering both strong authentication and data encryption for privacy. The administration aspect is focused on two parts, namely notification originators and proxy forwarders. SNMPv3 defines a number of security-related capabilities. The initial specifications defined the USM and VACM, which were later followed by a transport security model that provided support for SNMPv3 over SSH and SNMPv3 over TLS and DTLS. SNMPv3 provides important security features:[12] Confidentiality - Encryption of packets to prevent snooping by an unauthorized source. Integrity - Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism. Authentication - to verify that the message is from a valid source.
Duties of First Responder
Secure the area and begin chain of custody. Escalate when additional expertise is required.
Network segmentation
Separate VLANs and separating DMZ from internal network
Guest Network
Should be separated from production network, allow internet only
Software vs Hardware Firewall
Software = host. Hardware = network.
TELNET
TCP 23 should be replaced by SSH TCP 22
HTTP
TCP 80 should be replaced by HTTPS TCP 443
TLS
TLS provides mutual authentication and checks claimed certificate owners against DNS A record More secure than SSL. Requires mutual authentication and checks certificate owner against DNS A record. The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. TLS has a variety of security measures: Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite. Numbering subsequent Application records with a sequence number and using this sequence number in the message authentication codes (MACs). Using a message digest enhanced with a key (so only a key-holder can check the MAC). The HMAC construction used by most TLS cipher suites is specified in RFC 2104 (SSL 3.0 used a different hash-based MAC). The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by both parties. The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of these algorithms is found to be vulnerable. [1]:3 When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties: The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session (see TLS handshake protocol). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see Algorithm below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected). The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server). The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.[1]:3
ICMP
The Internet Control Message Protocol (ICMP) is one of the main protocols of the internet protocol suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
Smurf Attack
The Smurf Attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
Wireless: Bluejacking
Throwing unsolicited messages onto a smart phone
Stateful Inspection
Tracks every connection of the firewall at all layers of the OSI model
TTLS
Tunneled TLS is a strong VPN with EAP and mutual authentication EAP-TTLS is an EAP (Extensible Authentication Protocol) method that encapsulates a TLS (Transport Layer Security) session, consisting of a handshake phase and a data phase. During the handshake phase, the server is authenticated to the client (or client and server are mutually authenticated) using standard TLS procedures, and keying material is generated in order to create a cryptographically secure tunnel for information exchange in the subsequent data phase. During the data phase, the client is authenticated to the server (or client and server are mutually authenticated) using an arbitrary authentication mechanism encapsulated within the secure tunnel. The encapsulated authentication mechanism may itself be EAP, or it may be another authentication protocol such as PAP, CHAP, MS-CHAP, or MS- CHAP-V2. Thus, EAP-TTLS allows legacy password-based authentication protocols to be used against existing authentication databases, while protecting the security of these legacy protocols against eavesdropping, man-in-the-middle, and other attacks. The data phase may also be used for additional, arbitrary data exchange.
UTM
Unified Threat Management. Firewall with additional security features such as: intrusion prevention, AV, VPN, content filtering, data leakage protection In theory, UTM is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single system: network firewalling, network intrusion prevention and gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data loss prevention and on-appliance reporting.
WPA1
WPA1 uses RC4 but with longer initialization vector (IV). uses TKIP to change beginning of encryption key every minute.
Switch Port Security
You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port. A security violation occurs in either of these situations: •When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode. •If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, applies the configured violation mode.
eDiscovery
electronic discovery locates, secures, searches, and analyzes digital data for criminal investigation and evidence presentation in a courtroom
Virtual Wire
firewalls mirror ports without switching or routing to enable inspection and control of all traffic In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed. A virtual wire deployment allows the following conveniences: Simplifies installation and configuration. Does not require any configuration changes to surrounding or adjacent network devices.
Wireless: Bluesnarfing
grabbing data from user's smartphone
802.1X
port-based extensible authentication protocol (EAP). only single port is opened until authentication is successful. Used with RADIUS, as well as wired and wireless APs. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802,[1][2] which is known as "EAP over LAN" or EAPOL.[3]
SNMPv1 and v2
replace with SNMPv3 Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP)
VLAN assignment
separate VLAN for VoIP, SCADA, sensitive hosts by category Static and Dynamic VLAN Assignment. Static: On a Cisco switch, ports are assigned to a single VLAN. These ports are referred to as access ports and provide a connection for end users or node devices, such as a router or server. By default all devices are assigned to VLAN 1, known as the default VLAN. After creating a VLAN, you can manually assign a port to that VLAN and it will be able to communicate only with or through other devices in the VLAN. Configure the switch port for membership in a given VLAN as follows: Dynamic: Although static VLANs are the most common form of port VLAN assignments, it is possible to have the switch dynamically choose a VLAN based on the MAC address of the device connected to a port. To achieve this, you must have a VTP database file, a VTP server, a VTP client switch, and a dynamic port. After you have properly configured these components, a dynamic port can choose the VLAN based on whichever device is connected to that port. Use the following steps to configure dynamic VLANs: VLANs are assigned to individual switch ports. Ports can be statically assigned to a single VLAN or dynamically assigned to a single VLAN. All ports are assigned to VLAN 1 by default Ports are active only if they are assigned to VLANs that exist on the switch. Static port assignments are performed by the administrator and do not change unless modified by the administrator, whether the VLAN exists on the switch or not. Dynamic VLANs are assigned to a port based on the MAC address of the device plugged into a port. Dynamic VLAN configuration requires a VLAN Membership Policy Server (VMPS) client, server, and database to operate properly.
MS-CHAPv2
stronger than CHAP, mutual authentication MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. MS-CHAP is used as one authentication option in Microsoft's implementation of the PPTP protocol for virtual private networks. It is also used as an authentication option with RADIUS servers which are used for WiFi security using the WPA-Enterprise protocol. It is further used as the main authentication option of the Protected Extensible Authentication Protocol (PEAP). Compared with CHAP, MS-CHAP: - is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol - provides an authenticator-controlled password change mechanism - provides an authenticator-controlled authentication retry mechanism - defines failure codes returned in the Failure packet message field MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.
Unsecure Protocols (list)
telnet, http, SLIP, FTP, TFTP, SNMPv1, SNMPv2
Kerberos
uses tickets for authentication. Clock must be synchronized in Kerberos so tickets expire correctly. Prevents replay attacks. Kerberos /ˈkərbərɒs/ is a computer network authentication protocol that works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. designers aimed it primarily at a client-server model and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.[1] Kerberos uses UDP port 88 by default. The client authenticates itself to the Authentication Server (AS) which forwards the username to a key distribution center (KDC). The KDC issues a ticket-granting ticket (TGT), which is time stamped, encrypts it using the user's password and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point, though may be transparently renewed by the user's session manager while they are logged in. When the client needs to communicate with another node ("principal" in Kerberos parlance) the client sends the TGT to the ticket-granting service (TGS), which usually shares the same host as the KDC. After verifying the TGT is valid and the user is permitted to access the requested service, the TGS issues a ticket and session keys, which are returned to the client. The client then sends the ticket to the service server (SS) along with its service request.
