This Document Contains Chapters 10 to 11

Chapter 10
Virtual Network and Remote Access

At a Glance

Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

Lecture Notes

Overview

This chapter describes the networking components of virtual environments beyond the virtual LAN, or VLAN. It discusses virtualization, the tools used to provide remote access, and the remote access technologies themselves. These technologies cover both network access and remote access to computing resources (desktops or client computers).

Chapter Objectives

After reading this chapter and completing the exercises, the student will be able to:
• Explain virtualization and identify characteristics of virtual network components
• Create and configure virtual servers, adapters, and switches as part of a network
• Describe techniques for incorporating virtual components in VLANs
• Explain methods for remotely connecting to a network, including dial-up networking, virtual desktops, and thin clients
• Discuss VPNs (virtual private networks) and the protocols they rely on
• Identify the features and benefits of cloud computing and NaaS (Network as a Service)

Teaching Tips

Virtualization

1. Describe the basic terminology of virtualization.
2. Use Figure 10-1 to describe the components of a virtualization environment.
3. Explain the advantages of virtualization.
4. Explain the disadvantages of virtualization.
5. Explain that all virtualization providers offer similar functionality but differ in features, interfaces, and ease of use.

Teaching Tip: Ensure that students understand that virtualization is a convenience that comes at a cost: host hardware and licensing, contention among guests for finite physical resources, and the server sprawl that easy VM creation invites.

Virtual Network Components
1. Explain that virtual machines must connect to physical networks, and that the components that connect them to the physical network are the virtual network components inside the host machine.

Virtual Machines and Adapters

1. Explain that a VM’s software and hardware characteristics are assigned when it is created in the virtualization program.
2. Use Figure 10-2 as an example of specifying the hardware resources of a virtual machine.
3. Explain the purpose of the vNIC.
4. Use Figure 10-3 as an example of a virtual network adapter’s settings.
5. Remind students that every vNIC assigned to a virtual machine receives its own MAC address when it is created.

Virtual Switches and Bridges

1. Explain the function of virtual switches and virtual bridges.
2. Use Figure 10-4 to explain the connections between virtual machines via a virtual switch.
3. Explain that the hypervisor implements virtual switches and bridges in the memory of the host computer.
4. Explain that virtual switches let the administrator control how traffic flows between guests and to the physical network (which guests share a segment and which are isolated) to suit the applications being run.
5. Use Figure 10-5 to show an example of virtual switches passing traffic through a router.

Network Connection Types

1. Explain that whenever you configure a virtual NIC, you must select the connection type for the interface.
2. Define the three connection modes common to virtual NICs: bridged, NAT, and host-only.
3. Explain the benefits of bridged networking mode, for example for Internet-facing servers that must be reachable at their own address.
4. Define the services that one might need to provide on a bridged network connection.
5. Remind students of the disadvantages of a bridged connection: the guest is directly reachable from the LAN, so it needs the same hardening and patching as any physical host.
6. Use Figures 10-6 and 10-7 to explain a bridged connection.
7. Use Figures 10-8 and 10-9 to show an example of a NAT connection.
8. Explain the services that the host provides for a NAT connection.
9. Discuss the advantages and disadvantages of a NAT connection.
10. Explain the circumstances in which you would choose a host-only connection for a guest over the other types.
11. Use Figure 10-10 to demonstrate a host-only connection.
12. Explain the limitations of a host-only connection.

Virtual Appliances

1. Define a virtual appliance.
2. Explain that there are both commercial and non-commercial sources of virtual appliances.
3. Define the advantages of a virtual appliance over installing software on a traditional server.

Teaching Tip: Have students visit the VMware Solution Exchange to see a list of available appliances at https://solutionexchange.vmware.com/store/category_groups/19

Virtual Networks and VLANs

1. Remind students of the function of VLANs from Chapter 6.
2. Explain that a physical adapter can present multiple VLANs to a virtual machine host.
3. Explain how VMware handles VLANs, physical NICs, and port groups.
4. Use Figure 10-11 to explain how a single NIC can be configured to connect multiple VLANs to virtual guests.

Teaching Tip: Explore VMware’s best practices for using multiple VLANs at http://www.vmware.com/technical-resources/virtual-networking/virtual-networks.html

Quick Quiz 1

1. True or False: Virtualization is the emulation of a computer, operating system environment, or application on a physical system.
Answer: True

2. When multiple virtual machines contend for finite physical resources, one virtual machine could _____ those resources and impair the performance of other virtual machines on the same computer.
a. reframe
b. repair
c. monopolize
d. optimize
Answer: C

3. The software that allows you to define VMs and manages resource allocation and sharing among them is known as a virtual machine manager, or, more commonly, a(n) ____________________.
Answer: hypervisor

4. True or False: VMs that must be available at a specific address, such as mail servers or Web servers, should be assigned host-only network connections.
Answer: False
5. In _____ networking mode, VMs on one host can exchange data with each other and with their host, but they cannot communicate with any nodes beyond the host.
a. host-only
b. bridged
c. NAT
d. network-only
Answer: A

6. True or False: To add VMs to a VLAN defined on a physical network, you modify a switch’s configuration.
Answer: False

Remote Access and Virtual Computing

1. Explain why a user might need to connect to a remote network for services.
2. Point out that a variety of remote access methods exist to fit different access scenarios.
3. Explain that dial-up networking, Microsoft’s RAS or RRAS, and VPNs are just some of the many remote access methods.

Dial-Up Networking

1. Define and describe dial-up networking methods.
2. Point out that dial-up networking can use a variety of transmission methods, from the PSTN to ISDN.
3. Mention that dial-up networking provides neither the throughput nor the reliability required by many modern applications.
4. Describe how dial-up networking requires a great deal of an administrator’s time and effort to maintain an appropriate level of service.

Teaching Tip: Point out that dial-up networking is still useful in some scenarios, including a domain logon over a dial-up connection: http://www.baudlabs.com/archives/100

Remote Access Servers

1. Explain the purpose of a remote access server.
2. Use Figure 10-12 to explain how remote clients connect via a remote access server.
3. Emphasize that remote access servers come in a variety of configurations, including dedicated devices and general-purpose servers with the remote access role installed.

Remote Access Protocols

1. Define and describe the two most popular remote access protocols, SLIP and PPP.
2. Note that SLIP can carry only IP packets, whereas PPP can carry multiple Network layer protocols.
3. Describe the differences between synchronous and asynchronous protocols.
4. Describe the advantages of using PPP over SLIP.
5. Emphasize that the flexibility of PPP has led many ISPs to adopt it for broadband service in the form of PPPoE (PPP over Ethernet).
6. Use Figure 10-16 to explain the placement of PPPoE in the OSI model.

Remote Virtual Computing

1. Point out that there are two main uses of remote virtual computing: remote assistance and access to remote applications (including whole desktops).
2. Describe the advantages of Remote Desktop.
3. Describe the features of VNC (Virtual Network Computing).
4. Describe the advantages of ICA (Independent Computing Architecture).

Teaching Tip: Students may find more information about the clients available for ICA at http://www.citrix.com/lang/English/lp/lp_2309126.asp

VPNs (Virtual Private Networks)

1. Note that virtual private networks establish connections between sites, or between sites and clients, over public networks.
2. Explain how VPNs can reduce costs for remote workers.
3. Emphasize that the two most important factors in VPN design are interoperability and security.
4. Review the two classifications of VPNs, client-to-site and site-to-site.
5. Use Figure 10-14 to visualize a site-to-site VPN.
6. Note that the endpoint on each side of a VPN is responsible for encrypting and decrypting the traffic sent over the link.
7. Use Figure 10-15 to describe a client-to-site VPN.
8. Explain the two most popular VPN tunneling protocols, PPTP and L2TP, and note that of the two, PPTP is the simpler but less secure choice.

Cloud Computing

1. Define cloud computing, which has the following characteristics no matter what kind of service is offered:
   a. Self-service and on demand
   b. Elastic
   c. Support for multiple platforms
   d. Resource pooling and consolidation
   e. Metered service
2. Explain that Figure 10-16 is an example of a cloud computing model.

Teaching Tip: Students may find more information about various cloud services from Amazon at http://aws.amazon.com/ec2/

Quick Quiz 2
1. True or False: Many remote access methods exist, and they vary according to the type of transmission technology, clients, hosts, and software they can or must use.
Answer: True

2. True or False: Traditional dial-up networking can provide the quality required by many network applications.
Answer: False

3. ____________________ transmission was designed for communication that happens at random intervals, such as sending the keystrokes of a person typing on a remote keyboard.
Answer: Asynchronous

4. True or False: Many types of remote virtual computing software exist, and they differ significantly in their capabilities, security mechanisms, and supported platforms.
Answer: False

5. Two important considerations when designing a VPN are _____ and security.
a. reliability
b. interoperability
c. availability
d. performance
Answer: B

Class Discussion Topics

1. Discuss the benefits of cloud computing.
2. Discuss why an organization would want to develop an enterprise-wide approach to remote access via VPNs.

Additional Projects

1. Have students research the available cloud computing services that offer infrastructure services. Students should check each service against the common features of a cloud computing platform to ensure that the service they report on is a cloud computing service according to the text.
2. Have students research policies and procedures at several organizations surrounding either cloud computing or remote access, including remote desktops. Students may also want to research the controversy surrounding companies that want to provide these services commercially for certain popular applications, like Microsoft Office, in the context of what they learn from their policy and procedure research.

Additional Resources

1. OpenVPN
   http://openvpn.net/
2. PPP and PPPoE
   http://whatismyipaddress.com/ppp-pppoe
3. PPTP (RFC 2637)
   http://www.ietf.org/rfc/rfc2637.txt
4. Remote Desktop Protocol
   http://msdn.microsoft.com/en-us/library/windows/desktop/aa383015(v=vs.85).aspx
5. RFB (VNC) Protocol
   http://www.realvnc.com/docs/rfbproto.pdf

Key Terms

Anything as a Service: See XaaS.
authentication: The process of comparing and matching a client’s credentials with the credentials in the NOS user database to enable the client to log on to the network.
client-to-site VPN: A type of VPN in which clients, servers, and other hosts establish tunnels with a private network through a remote access server or VPN gateway. Each client on a client-to-site VPN must run VPN software to create the tunnel and to encrypt and encapsulate its data.
cloud computing: The flexible provision of data storage, applications, or services to multiple clients over a network. Cloud computing consolidates resources and is elastic, metered, self-service, multiplatform, and available on demand.
credentials: A user’s unique identifying characteristics that enable the user to authenticate with a server and gain access to network resources. The most common credentials are a username and a password.
dial-up networking: The process of dialing into a remote access server to connect with a network, whether private or public.
elastic: A characteristic of cloud computing that means services can be quickly and dynamically, sometimes even automatically, scaled up or down.
Everything as a Service: See XaaS.
guest: In the context of virtualization, a virtual machine operated and managed by a virtualization program.
host: In the context of virtualization, the physical computer on which virtualization software operates and manages guests.
Hyper-V: Microsoft’s virtualization software package. Hyper-V operates with Windows Server 2008 and Windows Server 2008 R2.
hypervisor: The element of virtualization software that manages multiple guest machines and their connections to the host (and, by association, to a physical network). A hypervisor is also known as a virtual machine manager.
ICA (Independent Computing Architecture): The software from Citrix Systems, Inc., that, when installed on a client, enables the client to connect with a host computer and exchange keystrokes, mouse clicks, and screen updates. Citrix’s ICA client can work with virtually any operating system or application.
Kernel-based Virtual Machine: See KVM.
KVM (Kernel-based Virtual Machine): An open source virtualization package designed for use with Linux systems.
L2TP (Layer 2 Tunneling Protocol): A protocol that encapsulates PPP data for use on VPNs. L2TP is based on Cisco technology and is standardized by the IETF. It is distinguished by its compatibility among different manufacturers’ equipment; its ability to connect clients, routers, and servers alike; and the fact that it can connect nodes belonging to different Layer 3 networks.
Layer 2 Tunneling Protocol: See L2TP.
multitenant: A feature of cloud computing in which multiple customers share storage locations or services without being aware of one another.
NaaS (Network as a Service): A type of cloud computing that offers clients a complete set of networking services, for example mail, Web, DNS, DHCP, and remote access services, plus LAN and WAN connectivity.
Network as a Service: See NaaS.
open source: The term that describes software whose code is publicly available for use and modification.
Point-to-Point Protocol: See PPP.
Point-to-Point Protocol over Ethernet: See PPPoE.
Point-to-Point Tunneling Protocol: See PPTP.
PPP (Point-to-Point Protocol): A communications protocol that enables a workstation to connect to a server using a serial connection. PPP can support multiple Network layer protocols and can use both asynchronous and synchronous communications. It performs compression and error correction and requires little configuration on the client workstation.
PPPoE (Point-to-Point Protocol over Ethernet): PPP running over an Ethernet network.
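The encapsulation this term describes (and that the Remote Access Protocols teaching tips cover) is easiest to see by decoding a frame layer by layer: Ethernet header, then the PPPoE header, then the two-byte PPP protocol ID, then the Network layer packet. The decoder below is an added example, not code from the textbook; it follows the frame layout in RFC 2516, and the MAC addresses, session ID and placeholder IPv4 bytes in the sample frames are constructed for illustration rather than captured from a real link.

```python
"""PPPoE frame decoder: Ethernet header -> PPPoE header -> PPP protocol ID -> payload.

Added example for the PPPoE material in this chapter (not code from the textbook).
Frame layout follows RFC 2516; the sample frames below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_PPPOE_DISCOVERY = 0x8863   # PADI/PADO/PADR/PADS/PADT exchange
ETHERTYPE_PPPOE_SESSION = 0x8864     # PPP data once a session ID has been assigned
PPPOE_VER_TYPE = 0x11                # version 1, type 1 (the only values RFC 2516 defines)

PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
                 0x8021: "IPCP", 0x0021: "IPv4", 0x0057: "IPv6"}


@dataclass
class PPPoEFrame:
    dst_mac: str
    src_mac: str
    stage: str                   # "discovery" or "session"
    code: str                    # PADI, PADO, ... or SESSION
    session_id: int
    ppp_protocol: Optional[str]  # only present in session frames
    payload: bytes               # PPPoE tags (discovery) or the PPP payload (session)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_pppoe(dst_mac: bytes, src_mac: bytes, ethertype: int, code: int,
                session_id: int, payload: bytes) -> bytes:
    """Wrap payload in a PPPoE header and then an Ethernet header."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ethertype)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return eth + pppoe + payload


def parse_pppoe(frame: bytes) -> PPPoEFrame:
    """Peel the layers off a PPPoE frame, validating each header field on the way."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == ETHERTYPE_PPPOE_DISCOVERY:
        stage = "discovery"
    elif ethertype == ETHERTYPE_PPPOE_SESSION:
        stage = "session"
    else:
        raise ValueError(f"not a PPPoE frame: EtherType 0x{ethertype:04x}")

    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError(f"unsupported PPPoE version/type 0x{ver_type:02x}")
    payload = frame[20:20 + length]
    if len(payload) != length:           # never trust the length field blindly
        raise ValueError("PPPoE length field exceeds the bytes on the wire")

    ppp_protocol = None
    if stage == "session":
        if code != 0x00:
            raise ValueError("session-stage frames must carry code 0x00")
        if length < 2:
            raise ValueError("session payload too short for a PPP protocol ID")
        (proto,) = struct.unpack("!H", payload[:2])
        ppp_protocol = PPP_PROTOCOLS.get(proto, f"0x{proto:04x}")
        payload = payload[2:]             # what remains is the Network layer packet

    return PPPoEFrame(_mac(dst), _mac(src), stage,
                      PPPOE_CODES.get(code, f"0x{code:02x}"), session_id, ppp_protocol, payload)


# Constructed sample frames (not real captures).
CLIENT_MAC = bytes.fromhex("001122334455")
AC_MAC = bytes.fromhex("66778899aabb")      # access concentrator at the ISP
BROADCAST = b"\xff" * 6
# Discovery: a PADI is broadcast carrying an empty Service-Name tag (type 0x0101, length 0).
SAMPLE_PADI = build_pppoe(BROADCAST, CLIENT_MAC, ETHERTYPE_PPPOE_DISCOVERY, 0x09, 0,
                          b"\x01\x01\x00\x00")
# Session: PPP protocol 0x0021 (IPv4) followed by a placeholder 28-byte IPv4 packet.
SAMPLE_IPV4 = bytes.fromhex("4500001c000000004011") + b"\x00" * 18
SAMPLE_SESSION = build_pppoe(AC_MAC, CLIENT_MAC, ETHERTYPE_PPPOE_SESSION, 0x00, 0x1234,
                             b"\x00\x21" + SAMPLE_IPV4)

if __name__ == "__main__":
    for name, frame in (("PADI", SAMPLE_PADI), ("session", SAMPLE_SESSION)):
        print(name, parse_pppoe(frame))
```

Running the block prints both decoded frames; the point to draw out in class is that the IPv4 packet in the session frame is reached only after two extra headers, which is why PPPoE sits between Ethernet (Data Link) and IP (Network) in the figure, and why the length field is checked against the bytes actually present before any of the payload is trusted.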
PPTP (Point-to-Point Tunneling Protocol): A Layer 2 protocol developed by Microsoft that encapsulates PPP data for transmission over VPN connections. PPTP operates with Windows RRAS access services and can accept connections from many different clients. It is simple, but less secure than other modern tunneling protocols.
private cloud: An arrangement in which shared and flexible data storage, applications, or services are managed on and delivered via an organization’s internal network.
public cloud: An arrangement in which shared and flexible data storage, applications, or services are managed centrally by service providers and delivered over public transmission lines, such as the Internet. Rackspace and Amazon (with its EC2 offering) are leading public cloud service providers.
RAS (Remote Access Service): The dial-up networking software provided with Microsoft Windows 95, 98, NT, and 2000 client operating systems. RAS requires software installed on both the client and server, a server configured to accept incoming clients, and a client with sufficient privileges (including username and password) on the server to access its resources. In more recent versions of Windows, RAS has been incorporated into the RRAS (Routing and Remote Access Service).
RDP (Remote Desktop Protocol): An Application layer protocol that uses TCP/IP to transmit graphics and text quickly over a remote client-host connection. RDP also carries session, licensing, and encryption information.
remote access: A method for connecting and logging on to a LAN from a workstation that is remote, or not physically connected, to the LAN.
Remote Access Service: See RAS.
Remote Desktop: A feature of Windows operating systems that allows a computer to act as a remote host and be controlled from a client running another Windows operating system.
Remote Desktop Protocol: See RDP.
Routing and Remote Access Service (RRAS): The software included with Windows operating systems that enables a server to act as a router, firewall, and remote access server. Using RRAS, a server can provide network access to multiple remote clients.
RRAS: See Routing and Remote Access Service.
Serial Line Internet Protocol: See SLIP.
site-to-site VPN: A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Clients, servers, and other hosts on a site-to-site VPN simply communicate with their local VPN gateway, which handles the tunnel on their behalf.
SLIP (Serial Line Internet Protocol): A communications protocol that enables a workstation to connect to a server using a serial connection. SLIP can support only asynchronous communications and IP traffic and requires some configuration on the client workstation. SLIP has been made obsolete by PPP.
thin client: A client that relies on another host for the majority of the processing and hard disk resources necessary to run applications and share files over the network.
tunnel: A secured, virtual connection between two nodes on a VPN.
tunneling: The process of encapsulating one type of protocol in another. Tunneling is the way in which higher-layer data is transported over VPNs by Layer 2 protocols.
virtual adapter: See vNIC.
virtual appliance: An image that includes the appropriate operating system, software, hardware specifications, and application configuration necessary for a prepackaged solution to run properly on a virtual machine.
virtual bridge: An interface connecting a vNIC with a virtual or physical network, or a port on a virtual switch.
virtual desktop: A desktop operating environment that is hosted virtually, on a different physical computer from the one the user interacts with.
virtual machine: See VM.
virtual machine manager: See hypervisor.
Virtual Network Computing: See VNC.
virtual network interface card: See vNIC.
virtual private network: See VPN.
virtual server: A server that exists as a virtual machine, created and managed by virtualization software on a host, or physical, computer.
virtual switch: A logically defined device that is created and managed by virtualization software and that operates at the Data Link layer. Ports on a virtual switch connect virtual machines with a network, whether virtual or physical, through the host’s physical NIC.
virtual workstation: A workstation that exists as a virtual machine, created and managed by virtualization software on a host, or physical, computer.
VirtualBox: A virtualization software platform from Oracle.
virtualization: The emulation of a computer, operating system environment, or application on a physical system.
VM (virtual machine): A computer that exists in emulation on a physical computer, or host machine. Multiple VMs may exist on one host, where they share the physical computer’s CPU, hard disk, memory, and network interfaces.
VMware: A vendor that supplies the most popular types of workstation and server virtualization software. Used casually, the term VMware may also refer to the virtualization software distributed by the company.
VNC (Virtual Network Computing): An open source system that enables a remote client (or viewer) workstation to manipulate and receive screen updates from a host. Examples of VNC software include RealVNC, TightVNC, and UltraVNC.
vNIC (virtual network interface card): A logically defined network interface associated with a virtual machine.
VPN (virtual private network): A logically constructed WAN that uses existing public transmission systems. VPNs can be created through the use of software or combined software and hardware solutions. This type of network allows an organization to carve out a private WAN through the Internet, serving only its offices, while keeping the data secure and isolated from other (public) traffic.
XaaS (Anything as a Service, or Everything as a Service): A type of cloud computing in which the cloud assumes functions beyond networking, including, for example, monitoring, storage, applications, and virtual desktops.
Xen: An open source virtualization software platform from Citrix Systems.

Chapter 11
Network Security

At a Glance

Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

Lecture Notes

Overview

As networks have become more geographically distributed and heterogeneous, the risk of their misuse has also increased. Consider the largest, most heterogeneous network in existence: the Internet. Because it contains millions of points of entry, millions of servers, and millions of miles of transmission paths, it is vulnerable to millions of break-ins. Because so many networks connect to the Internet, the threat of an outsider accessing an organization’s network via the Internet, and then stealing or destroying data, is very real. In this chapter, the student will learn how to assess a network’s risks, how to manage those risks, and, perhaps most important, how to convey the importance of network security to the rest of the organization through an effective security policy.
Chapter Objectives

After reading this chapter and completing the exercises, the student will be able to:
• Identify security risks in LANs and WANs and design security policies that minimize risks
• Explain security measures for hardware and design, including firewalls, intrusion detection systems, and scanning tools
• Understand methods of encryption, such as SSL and IPSec, that can secure data in storage and in transit
• Describe how popular authentication protocols, such as RADIUS, TACACS+, Kerberos, PAP, CHAP, and MS-CHAP, function
• Use network operating system techniques to provide basic security
• Understand wireless security protocols, such as WEP, WPA, and 802.11i

Teaching Tips

Security Assessments

1. Describe the tasks that should be completed before spending time and money on network security.
2. Emphasize that different types of organizations face different levels of network security risk.
   a. Provide examples.
3. Explain the difference between a posture assessment and a security audit.
4. Define and describe a security audit as a means of assessing security risks.
5. Explain who can or should perform the security audit, noting the advantages of each choice where applicable.

Security Risks

1. Explain why students first need to know how to recognize the threats their network could face.
2. Describe how security breaches can occur.
3. Discuss the three considerations to keep in mind when examining security threats.

Risks Associated with People

1. Point out the significance of looking at risks associated with people.
   a. Point out that by some estimates, human errors, ignorance, and omissions cause more than half of all security breaches sustained by networks.
2. Introduce the topic of social engineering.
   a. Define and describe the practice of phishing.
3. Review the variety of risks associated with people.
4. Emphasize that human errors account for so many security breaches because exploiting them is the easiest way to circumvent network security.
Risks Associated with Transmission and Hardware

1. Introduce the security risks inherent in the Physical, Data Link, and Network layers of the OSI model.
2. Define and describe the risks inherent in network hardware and design.

Risks Associated with Protocols and Software

1. Introduce the risks inherent in the Transport, Session, Presentation, and Application layers of the OSI model.
2. Describe the risks pertaining to networking protocols and software.

Risks Associated with Internet Access

1. Remind students that network security is more often compromised from the inside than from the Internet.
2. Point out that new Internet-related security threats arise frequently and need to be addressed as they appear.
3. Define and explain common Internet-related security issues.

An Effective Security Policy

1. Explain how a thoroughly planned security policy can minimize the risk of break-ins.
2. Define a security policy.
3. Explain what is not included in a security policy.

Security Policy Goals

1. Describe and explain the typical goals of a security policy.
2. Describe when to devise the security policy and the strategy for attaining its goals.

Security Policy Content

1. Explain when the policy’s content should be outlined.
2. Discuss possible subheadings for the policy outline.
3. Emphasize that the security policy should explain to users what they can and cannot do and how these measures protect the network’s security.
4. Provide suggestions for communicating the policy’s contents to users.
5. Define and describe the term confidential.

Response Policy

1. Point out that a security policy should provide for a planned response in the event of a security breach.
2. Explain the contents of a response policy.
3. Review the suggested team roles.
4. Note that after resolving a problem, the team reviews what happened, determines how the problem might have been prevented, and then implements measures to prevent a recurrence.

Physical Security
1. Point out that an important element of network security is restricting physical access to its components.
2. Explain that students should consider every point at which physical security could be compromised.
3. Describe electronic badge access.
4. Use Figure 11-1 to illustrate a badge access security system.
5. Discuss how electronic locks can be combined with key locks.
6. Describe a more expensive physical security solution: bio-recognition (biometric) access.
7. Describe how organizations may regulate entrance to their campuses through physical barriers.
8. Explain how many IT departments use closed-circuit TV systems to monitor activity in secured rooms.
9. Review the relevant questions that should be included in a security audit.
10. Point out that discarded computers may be a point of data loss, and describe how to protect assets from this threat (wiping or destroying drives before disposal).

Teaching Tip: Students may learn more about security policies by reviewing material on The SANS Security Policy Project Web site at http://www.sans.org/resources/policies

Security in Network Design

1. Introduce the role of poor LAN and WAN design in contributing to security breaches.
2. Describe optimal and realistic ways to prevent external LAN breaches.

Router Access Lists

1. Point out that before a malicious intruder on another network can gain access to files on a network server, he or she must traverse a switch or router.
2. Describe a router’s main function.
3. Define and describe a router ACL (access control list).
4. Discuss the variables an ACL uses to instruct a router to permit or deny traffic (source and destination addresses, protocol, and port numbers, among others).
5. Describe how a router processes packet information: statements are evaluated top to bottom, the first match decides, and a packet that matches no statement is dropped by the implicit deny at the end of the list.
6. Note that an access list may contain many different statements, so their order matters.
7. Point out that different ACLs may be associated with inbound and outbound traffic.

Intrusion Detection and Prevention

1. Define and describe an IDS (intrusion detection system).
2. Describe the technique an IDS may use to monitor traffic carried by a switch (mirroring the switch’s traffic to the port the sensor listens on).
3. Compare host-based detection with network-based detection.
4. Discuss how IDS software can be configured to detect many types of suspicious traffic patterns, including those typical of denial-of-service or smurf attacks.
5. Define and describe a DMZ (demilitarized zone).
6. Explain one drawback of placing an IDS in a network’s DMZ.
7. Emphasize that an IDS can only detect and log suspicious activity.
8. Define and describe an IPS (intrusion prevention system).
9. Emphasize that an IPS can react when alerted to suspicious activity.
10. Use Figure 11-2 to illustrate the placement of an IDS/IPS device on a private network that is connected to the Internet.
11. Compare an IPS to a firewall.

Teaching Tip: Perform an in-class demonstration by navigating to the sites for Tripwire (a host-based file integrity checker) at http://www.tripwire.com and Snort (an open source network IDS) at http://www.snort.org to show the availability of these products.

Firewalls

1. Define and describe a firewall.
   a. Note that a firewall typically involves a combination of hardware and software.
   b. Describe where a firewall typically resides in a network.
2. Use Figure 11-3 to illustrate the placement of a firewall between a private network and the Internet.
3. Use Figure 11-4 to illustrate a firewall designed for use in a business with many users.
4. Mention that many forms of firewalls exist.
5. Define and explain a packet-filtering firewall.
   a. Emphasize how packet-filtering firewalls block traffic into and out of a network based on packet headers alone.
6. Mention that firewalls ship with a default configuration designed to block the most common types of security threats.
7. Note that many network administrators choose to modify the default firewall settings.
8. Discuss the common criteria a packet-filtering firewall might use to accept or deny traffic.
9. Describe port blocking and discuss its importance in preventing security breaches.
10. Describe the many factors to consider when deciding on a firewall that performs more complex functions.
   a. Define and describe content-filtering firewalls.
   b. Define and describe the characteristics of stateless and stateful firewalls: a stateless filter judges each packet on its own, while a stateful one remembers which connections the inside opened and admits only their replies.
11. Explain that students will need to recognize examples of firewall placement in most VPN architectures.
12. Explain that students will have to tailor a firewall to their network’s needs.
13. Explain why packet-filtering firewalls cannot distinguish between a user who is trying to breach the firewall and a user who is authorized to pass through it: both present the same header fields.

Teaching Tip: Perform an in-class demonstration by navigating to the Cisco IOS Firewall introduction page at http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html to show the Cisco firewall material available.

Proxy Servers

1. Define and explain a proxy service.
2. Define and explain a proxy server.
3. State the important function of a proxy server: preventing the outside world from discovering the addresses of the internal network.
   a. Explain why this is important.
4. Use Figure 11-5 to illustrate how a proxy server might fit into a WAN design.
5. Point out that another advantage of proxy servers is improved network performance through caching files.

Scanning Tools

1. Define and explain the nature of scanning tools.
2. Explain the function of Nmap.
3. Explain the function of Nessus.
4. Ensure students understand the legal implications of using scanning tools on networks: scan only networks they own or have written permission to test.

Lures

1. Define and explain a honeypot.
2. Define and explain a honeynet.
3. Explain why honeypots and honeynets must be isolated from the rest of the network.
4. Ensure that students understand the utility of these lures and how easily they can be turned against an organization that deploys them without isolating and monitoring them.

Quick Quiz 1

1. True or False: More often than not, security is compromised from using the Internet.
Answer: False

2. ____________________ occurs when a person attempts to glean access or authentication information by posing as someone who needs that information.
Answer: Phishing
A(n) ____ drives the creation of a security policy.
  a. security coordinator
  b. administrator
  c. IT specialist
  d. security manager
Answer: A
4. True or False: An IDS can react when alerted to suspicious activity.
Answer: False
5. True or False: Packet-filtering firewalls cannot distinguish between a user who is trying to breach the firewall and a user who is authorized to do so.
Answer: True

NOS (Network Operating System) Security
1. Make sure students understand that they can implement basic security by restricting what users are authorized to do on a network.
2. Define and describe the term public rights.
3. Point out to students that network administrators need to group users according to their security levels and assign additional rights that meet the needs of those groups.

Logon Restrictions
1. Review additional logon restrictions that network administrators can use to strengthen the security of their networks.

Passwords
1. Mention that choosing a secure password is one of the easiest and least expensive ways to guard against unauthorized access.
2. Point out that the preferred, easy-to-remember password is also easy to guess.
3. Note that password guidelines should be clearly communicated to everyone in an organization through the security policy.
4. Review tips for making and keeping passwords secure.

Teaching Tip
Students may read more information on password security at http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Encryption
1. Define and explain the term encryption.
2. Emphasize to students that the purpose of encryption is to keep information private.
3. Explain that many forms of encryption exist, some being more secure than others.
4. Emphasize the importance of encryption as the last means of defense against data theft.
5. Review the three assurances encryption provides to protect data.

Key Encryption
1. Introduce the concept of key encryption.
2. Define and explain a key.
3. Define and explain the term ciphertext.
4.
Describe a brute force attack.
5. Use Figure 11-6 to illustrate a simplified view of key encryption and decryption.
6. Define and describe private key encryption.
7. Use Figure 11-7 to illustrate private key encryption.
8. Introduce and explain DES (Data Encryption Standard).
9. Describe Triple DES.
10. Define and explain AES (Advanced Encryption Standard).
11. Point out the drawback of private key encryption.
12. Define and describe public key encryption.
13. Define and explain a public key server.
14. Define the term key pair.
15. Use Figure 11-8 to illustrate the process of public key encryption.
16. Discuss the various forms of public key encryption and their use.
  a. Diffie-Hellman
  b. RSA
  c. RC4
17. Define and describe a digital certificate and the PKI (Public-key Infrastructure).

PGP (Pretty Good Privacy)
1. Define and explain PGP.

Teaching Tip
Navigate to the PGP site at http://www.pgp.com to illustrate the encryption protection it can provide.

SSL (Secure Sockets Layer)
1. Define and explain SSL.
  a. Include a discussion on HTTPS.
2. Explain a handshake protocol.
3. Define an SSL session.
4. Review the original development of SSL and explain how the IETF is attempting to standardize it.

SSH (Secure Shell)
1. Define and explain SSH.
2. Mention the encryption algorithms it can use.
3. Discuss the versions available.
4. Explain its advantages.

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
1. Describe the SCP (Secure CoPy) utility.
2. Explain how modern operating systems implement SCP.
3. Discuss one advantage of SCP.
4. Define and explain the proprietary version.

IPSec (Internet Protocol Security)
1. Define and explain IPSec.
2. Note how IPSec differs from other methods.
3. Explain how IPSec accomplishes authentication in two phases.
4. Point out that IPSec can be used with any type of TCP/IP transmission.
5. Mention that it is most commonly used in routers.
6.
Emphasize that VPNs are used to transmit private data over public networks and require strict encryption and authentication to ensure that data is not compromised.
7. Define and describe a VPN concentrator.
8. Use Figure 11-9 to illustrate the placement of a VPN concentrator on a WAN.

Authentication Protocols
1. Review the process of authentication with the class.
2. Explain the concept of authentication protocols, noting that several types exist.
3. Mention that the different authentication protocols differ according to which encryption schemes they rely on and the steps they take to verify credentials.

RADIUS and TACACS+
1. Define and explain the use of RADIUS (Remote Authentication Dial-In User Service).
2. Define and explain the use of a RADIUS server.
3. Explain why RADIUS is more secure than a simple remote access solution.
4. Use Figure 11-10 to illustrate a RADIUS server providing centralized authentication.
5. Mention that TACACS+ (Terminal Access Controller Access Control System Plus) is a similar, but modified, earlier version of centralized authentication.
6. Explain why RADIUS and TACACS+ belong to a category of protocols known as AAA (authentication, authorization, and accounting).

PAP (Password Authentication Protocol)
1. Review the PPP (Point-to-Point Protocol).
  a. Note that PPP provides the foundation for connections between remote clients and hosts.
  b. Emphasize that PPP alone, however, does not secure connections.
2. Point out that several types of authentication protocols can work over PPP, including PAP (Password Authentication Protocol).
3. Explain how PAP provides authentication using a two-step authentication process.
4. Use Figure 11-11 to illustrate PAP’s two-step authentication process.
5. Explain why PAP is a simple authentication protocol but not necessarily secure.

CHAP and MS-CHAP
1. Explain that CHAP (Challenge Handshake Authentication Protocol) is another authentication protocol that operates over PPP.
2.
Explain the difference between the CHAP and PAP protocols.
3. Explain how CHAP provides authentication using a three-step authentication process.
4. Use Figure 11-12 to illustrate the three-way handshake used in CHAP.
5. Describe the benefit of CHAP over PAP.
6. Define MS-CHAP.
7. Describe a potential flaw in CHAP and MS-CHAP authentication.
8. Describe how Microsoft’s MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2) attempts to thwart that flaw.
9. Walk through an example of how to modify a dial-up connection’s supported authentication protocols on a Windows client.

EAP (Extensible Authentication Protocol)
1. Explain that EAP (Extensible Authentication Protocol) is another extension to the PPP protocol suite.
2. Explain how EAP differs from the authentication protocols discussed previously.
  a. Note that it is only a mechanism for authenticating clients and servers; it does not perform encryption or authentication on its own.
3. Note that EAP works with other encryption and authentication schemes to verify the credentials of clients and servers.
4. Explain how EAP requires the authenticator to initiate the authentication process by asking the connected computer to verify itself.
5. Describe an advantage of EAP.
6. Point out that in the case of wireless LANs, EAP is used with older encryption and authentication protocols to form a new, more secure method of connecting to networks from wireless stations.

802.1x (EAPoL)
1. Define and explain the 802.1x standard.
2. Describe where the EAPoL name originated.
3. Emphasize that 802.1x only defines a process for authentication.
4. Explain that 802.1x does not specify the type of authentication or encryption protocols clients and servers must use.
5. Mention that 802.1x is commonly used with RADIUS authentication.
6. Describe what distinguishes 802.1x from other authentication standards.
7. Use Figure 11-13 to illustrate the 802.1x authentication process.

Kerberos
1. Define and explain Kerberos.
2.
Note that Kerberos is an example of a private key encryption service.
3. Explain the advantages Kerberos provides over simple NOS authentication.
4. Define and explain a KDC (Key Distribution Center).
5. Define and explain an AS (authentication service).
6. Define the term ticket.
7. Define the term principal.
8. Describe the process Kerberos requires for client/server communication.
9. Explain the problem with the original version:
  a. Users had to request a separate ticket each time they wanted to use a different service.
10. Describe how this problem was resolved with the TGS (Ticket-Granting Service).

Teaching Tip
Point out that Kerberos was named after the three-headed dog in Greek mythology that guarded the gates of Hades, and was designed at MIT (Massachusetts Institute of Technology). MIT still provides free copies of the Kerberos code. In addition, many software vendors have developed their own versions of Kerberos.

Wireless Network Security
1. Emphasize that wireless transmissions are particularly susceptible to eavesdropping.
2. Explain war-driving, noting that it is effective for obtaining private information.

WEP (Wired Equivalent Privacy)
1. Review the 802.11 protocol standards.
2. Emphasize that by default, the 802.11 standard does not offer any security.
3. Define and describe the WEP (Wired Equivalent Privacy) standard.
4. Walk through an example of editing or adding a WEP key for a wireless connection on a Windows XP client.
5. Use Figure 11-16 to illustrate entering a WEP key in the Windows XP wireless network properties dialog box.
6. Discuss the versions of WEP and their network key lengths.
7. Discuss the various flaws of WEP.

IEEE 802.11i and WPA (Wi-Fi Protected Access)
1. Describe the 802.11i wireless security protocol.
2. Describe the WPA wireless security protocol.
3. Explain the difference between WPA and 802.11i.

Teaching Tip
Students may learn more about wireless standards at the Wi-Fi Alliance Web site at http://www.wi-fi.org.
Quick Quiz 2
1. ____________________ is the use of an algorithm to scramble data into a format that can be read only by reversing the algorithm.
Answer: Encryption
2. In key encryption, the scrambled data block is known as ____.
  a. cleartext
  b. fuzzytext
  c. a key pair
  d. ciphertext
Answer: D
3. True or False: In public key encryption, data is encrypted using a single key that only the sender and the receiver know.
Answer: False
4. ____ is a public key encryption system that can verify the authenticity of an e-mail sender and encrypt e-mail data in transmission.
  a. SSL
  b. PGP
  c. IPSec
  d. SSH
Answer: B
5. True or False: WPA uses the AES encryption scheme.
Answer: False

Class Discussion Topics
1. As a class, discuss the implications of security breaches on technology adoption. Are people hesitant to use the Internet or wireless technology for purchases due to security concerns? Are people hesitant to use technology because of privacy concerns? Are these concerns warranted, and are they influenced by age, race, or gender?
2. As a class, discuss what the consequences should be for not adhering to security policy guidelines. Where or how should these consequences be communicated to employees?

Additional Projects
1. Have students research companies that specialize in the physical removal or destruction of data on hard disks. The research report should include information on three such companies, including the company name, accurate Web site address (if available), physical location, services, and costs.
2. Have students research the currently published security policy or policies for the school and compare those with another school or public organization.

Additional Resources
1. Audit Certification http://www.isaca.org/
2. GIAC Audit Certification http://www.giac.org/certifications/audit/
3. The Institute of Internal Auditors http://www.theiia.org
4.
A Preparation Guide to Information Security Policy http://www.sans.org/reading_room/whitepapers/policyissues/preparation-guide-information-security-policies_503
5. IBM Redbook: Auditing and Accounting on AIX http://www.redbooks.ibm.com/abstracts/sg246020.html
6. The International PGP Home Page http://www.pgpi.org
7. Philip Zimmermann Home page http://www.philzimmermann.com/EN/background/index.html
8. MIT PGP Public Key Server http://pgp.mit.edu
9. The OpenPGP Alliance http://www.openpgp.org
10. Windows Security Center http://www.microsoft.com/windows/windows-vista/features/security-center.aspx
11. Windows Client Security and Encryption http://technet.microsoft.com/en-us/windows/aa905062.aspx

Key Terms
3DES See Triple DES.
802.11i The IEEE standard for wireless network encryption and authentication that uses the EAP authentication method, strong encryption, and dynamically assigned keys, which are different for every transmission. 802.11i specifies AES encryption and weaves a key into each packet.
802.1x A vendor-independent IEEE standard for securing transmission between nodes according to the transmission’s port, whether physical or logical. 802.1x, also known as EAPoL, is the authentication standard followed by wireless networks using 802.11i.
AAA (authentication, authorization, and accounting) The name of a category of protocols that establish a client’s identity; check the client’s credentials and, based on those, allow or deny access to a system or network; and, finally, track the client’s system or network usage.
access control list See ACL.
access list See ACL.
ACL (access control list) A list of statements used by a router to permit or deny the forwarding of traffic on a network based on one or more criteria.
Advanced Encryption Standard See AES.
AES (Advanced Encryption Standard) A private key encryption algorithm that weaves keys of 128, 160, 192, or 256 bits through data multiple times.
The algorithm used in the most popular form of AES is known as Rijndael. AES has replaced DES in situations such as military communications, which require the highest level of security.
AH (authentication header) In the context of IPSec, a type of encryption that provides authentication of the IP packet’s data payload through public key techniques.
application gateway See proxy server.
Application layer gateway See proxy server.
AS (authentication service) In Kerberos terminology, the process that runs on a KDC (Key Distribution Center) to initially validate a client who’s logging on. The authentication service issues a session key to the client and to the service the client wants to access.
asymmetric encryption A type of encryption (such as public key encryption) that uses a different key for encoding data than is used for decoding the ciphertext.
authentication, authorization, and accounting See AAA.
authentication header See AH.
authentication protocol A set of rules that governs how servers authenticate clients. Several types of authentication protocols exist.
authentication service See AS.
authenticator In Kerberos authentication, the user’s time stamp encrypted with the session key. The authenticator is used to help the service verify that a user’s ticket is valid.
biorecognition access A method of authentication in which a device scans an individual’s unique physical characteristics (such as the color patterns in her iris or the geometry of her hand) to verify the user’s identity.
brute force attack An attempt to discover an encryption key or password by trying numerous possible character combinations. Usually, a brute force attack is performed rapidly by a program designed for that purpose.
CA (certificate authority) An organization that issues and maintains digital certificates as part of the Public-key Infrastructure.
certificate authority See CA.
challenge A random string of text issued from one computer to another in some forms of authentication.
It is used, along with the password (or other credential), in a response to verify the computer’s credentials.
Challenge Handshake Authentication Protocol See CHAP.
CHAP (Challenge Handshake Authentication Protocol) An authentication protocol that operates over PPP and that requires the authenticator to take the first step by offering the other computer a challenge. The requestor responds by combining the challenge with its password, encrypting the new string of characters, and sending it to the authenticator. The authenticator checks whether the requestor’s encrypted string of text matches its own encrypted string of characters. If so, the requestor is authenticated and granted access to secured resources.
ciphertext The unique data block that results when an original piece of data (such as text) is encrypted (for example, by using a key).
client_hello In the context of SSL encryption, a message issued from the client to the server that contains information about what level of security the client’s browser is capable of accepting and what type of encryption the client’s browser can decipher (for example, RSA or Diffie-Hellman). The client_hello message also establishes a randomly generated number that uniquely identifies the client, plus another number that identifies the SSL session.
content-filtering firewall A firewall that can block designated types of traffic from entering a protected network.
Data Encryption Standard See DES.
demilitarized zone See DMZ.
denial-of-service attack A security attack in which a system becomes unable to function because it has been inundated with requests for services and can’t respond to any of them. As a result, all data transmissions are disrupted.
DES (Data Encryption Standard) A popular private key encryption technique that was developed by IBM in the 1970s.
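The CHAP entry above (and the "CHAP and MS-CHAP" lecture notes) describe a three-step challenge/response exchange in which the secret itself is never sent. The following is an added example, not code from the textbook or from any PPP implementation: it models both sides of the exchange in Python. In CHAP as specified in RFC 1994 the "encryption" step is a one-way MD5 hash over the identifier, the shared secret and the challenge, which is what this code computes. The user names, secrets and the `Authenticator`/`Requestor` class names are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP response value: one-way MD5 hash over identifier || secret || challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Authenticator:
    """The side that starts the handshake (for example, the remote access server)."""

    def __init__(self, user_db: dict):
        self._user_db = user_db     # username -> shared secret (constructed sample data)
        self._pending = {}          # identifier -> challenge awaiting a response

    def issue_challenge(self, identifier: int) -> bytes:
        """Step 1: send a fresh random challenge, remembering it under the identifier."""
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return challenge

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        """Step 3: recompute the expected value from the stored secret and compare."""
        challenge = self._pending.pop(identifier, None)   # each challenge is single-use
        if challenge is None or username not in self._user_db:
            return False
        expected = chap_response(identifier, self._user_db[username], challenge)
        return hmac.compare_digest(expected, response)     # constant-time comparison


class Requestor:
    """The side being authenticated (for example, a dial-up client)."""

    def __init__(self, username: str, secret: str):
        self.username = username
        self.secret = secret

    def answer(self, identifier: int, challenge: bytes):
        """Step 2: combine the challenge with the secret; the secret itself never leaves the client."""
        return self.username, chap_response(identifier, self.secret, challenge)


def run_handshake(authenticator: Authenticator, requestor: Requestor, identifier: int = 1) -> bool:
    """Drive one complete three-step CHAP exchange and return the authenticator's decision."""
    challenge = authenticator.issue_challenge(identifier)
    username, response = requestor.answer(identifier, challenge)
    return authenticator.verify(identifier, username, response)


def replay_is_rejected(authenticator: Authenticator, requestor: Requestor) -> bool:
    """A response captured from one handshake is useless against a later challenge."""
    identifier = 7
    challenge = authenticator.issue_challenge(identifier)
    username, response = requestor.answer(identifier, challenge)
    first_ok = authenticator.verify(identifier, username, response)
    authenticator.issue_challenge(identifier)               # new random challenge, same id
    return first_ok and not authenticator.verify(identifier, username, response)


if __name__ == "__main__":
    users = {"alice": "correct-horse"}                      # constructed credential store
    print(run_handshake(Authenticator(users), Requestor("alice", "correct-horse")))  # True
    print(run_handshake(Authenticator(users), Requestor("alice", "wrong")))          # False
```

The replay check is what separates CHAP from PAP: because each challenge is random and single-use, a response observed on the wire does not authenticate a later session. The price, which is the flaw the lecture notes ask students to describe, is that the authenticator must keep every shared secret in a form it can feed into the hash, so the credential store itself needs strong protection.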
dictionary attack A technique in which attackers run a program that tries a combination of a known user ID and, for a password, every word in a dictionary to attempt to gain access to a network.
Diffie-Hellman The first commonly used public, or asymmetric, key algorithm. Diffie-Hellman was released in 1975 by its creators, Whitfield Diffie and Martin Hellman.
digital certificate A password-protected and encrypted file that holds an individual’s identification information, including a public key and a private key. The individual’s public key is used to verify the sender’s digital signature, and the private key allows the individual to log on to a third-party authority who administers digital certificates.
DMZ (demilitarized zone) The perimeter of a protected, internal network where users, both authorized and unauthorized, from external networks can attempt to access it. Firewalls and IDS/IPS systems are typically placed in the DMZ.
DNS spoofing A security attack in which an outsider forges name server records to falsify his host’s identity.
EAP (Extensible Authentication Protocol) A Data Link layer protocol defined by the IETF that specifies the dynamic distribution of encryption keys and a preauthentication process in which a client and server exchange data via an intermediate node (for example, an access point on a wireless LAN). Only after they have mutually authenticated can the client and server exchange encrypted data. EAP can be used with multiple authentication and encryption schemes.
EAP over LAN See EAPoL.
EAPoL (EAP over LAN) See 802.1x.
Encapsulating Security Payload See ESP.
encryption The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm—decrypting the data—to keep the information private. The most popular kind of encryption algorithm weaves a key into the original data’s bits, sometimes several times in different sequences, to generate a unique data block.
encryption devices Computers or specialized adapters inserted into other devices, such as routers or servers, that perform encryption.
ESP (Encapsulating Security Payload) In the context of IPSec, a type of encryption that provides authentication of the IP packet’s data payload through public key techniques. In addition, ESP also encrypts the entire IP packet for added security.
evil twin An exploit in which a rogue access point masquerades as a legitimate access point, using the same SSID and potentially other identical settings.
exploit In the context of network security, the means by which a hacker takes advantage of a vulnerability.
Extensible Authentication Protocol See EAP.
flashing A security attack in which an Internet user sends commands to another Internet user’s machine that cause the screen to fill with garbage characters. A flashing attack causes the user to terminate her session.
FTP bounce A security exploit in which an FTP client specifies a different host’s IP address and port number for the requested data’s destination. By commanding the FTP server to connect to a different computer, a hacker can scan the ports on other hosts and transmit malicious code. To thwart FTP bounce attacks, most modern FTP servers will not issue data to hosts other than the client that originated the request.
hacker Traditionally, a person who masters the inner workings of operating systems and utilities in an effort to better understand them. More generally, an individual who gains unauthorized access to systems or networks with or without malicious intent.
handshake protocol One of several protocols within SSL, and perhaps the most significant. As its name implies, the handshake protocol allows the client and server to authenticate (or introduce) each other and establishes terms for how they securely exchange data during an SSL session.
HIDS (host-based intrusion detection) A type of intrusion detection that runs on a single computer, such as a client or server, that has access to and allows access from the Internet.
HIPS (host-based intrusion prevention) A type of intrusion prevention that runs on a single computer, such as a client or server, that has access to and allows access from the Internet.
honeynet A network of honeypots.
honeypot A decoy system isolated from legitimate systems and designed to be vulnerable to security exploits for the purposes of learning more about hacking techniques or nabbing a hacker in the act.
host-based firewall A firewall that only protects the computer on which it’s installed.
host-based intrusion detection See HIDS.
host-based intrusion prevention See HIPS.
HTTP over Secure Sockets Layer See HTTPS.
HTTP Secure See HTTPS.
HTTPS (HTTP over Secure Sockets Layer) The URL prefix that indicates that a Web page requires its data to be exchanged between client and server using SSL encryption. HTTPS uses the TCP port number 443.
IDS (intrusion-detection system) A dedicated device or software running on a host that monitors, flags, and logs any unauthorized attempt to access an organization’s secured resources on a network or host.
IKE (Internet Key Exchange) The first phase of IPSec authentication, which accomplishes key management. IKE is a service that runs on UDP port 500. After IKE has established the rules for the type of keys two nodes use, IPSec invokes its second phase, encryption.
Internet Key Exchange See IKE.
Internet Protocol Security See IPSec.
Internet Security Association and Key Management Protocol See ISAKMP.
intrusion-detection system See IDS.
intrusion-prevention system See IPS.
IPS (intrusion-prevention system) A dedicated device or software running on a host that automatically reacts to any unauthorized attempt to access an organization’s secured resources on a network or host. IPS is often combined with IDS.
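The IDS entry above, together with the lecture note that IDS software can be configured to recognize traffic patterns typical of denial-of-service or smurf attacks, describes two kinds of detection logic: a signature match on a single packet and a threshold on traffic over time. The following is an added example, not code from the textbook or from any IDS product, showing both kinds of check in Python over a constructed list of packet summaries. The protected address range, the packet records and the thresholds are assumptions chosen for the demonstration; a real NIDS would read the same fields from captured frames.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample packet summaries: (timestamp_s, src, dst, proto, info).
SAMPLE_PACKETS = [
    (0.00, "192.0.2.10", "10.0.0.20", "tcp", "SYN"),
    (0.10, "203.0.113.9", "10.0.0.255", "icmp", "echo-request"),   # ping to the LAN broadcast
    (0.20, "192.0.2.11", "10.0.0.20", "tcp", "SYN"),
    (0.25, "192.0.2.12", "10.0.0.20", "tcp", "SYN"),
    (0.30, "10.0.0.7", "10.0.0.20", "tcp", "ACK"),                  # ordinary traffic, ignored
    (0.35, "192.0.2.13", "10.0.0.20", "tcp", "SYN"),
    (0.40, "192.0.2.14", "10.0.0.20", "tcp", "SYN"),                # fifth SYN within one second
    (0.50, "192.0.2.15", "10.0.0.20", "tcp", "SYN"),
    (5.00, "10.0.0.8", "10.0.0.30", "tcp", "SYN"),                  # lone SYN, well under threshold
]

INTERNAL = ip_network("10.0.0.0/24")   # assumed address range of the protected LAN


def detect_smurf(packets):
    """Signature check: an ICMP echo request aimed at the LAN's directed-broadcast address.
    That is the amplifying step of a smurf attack, so one packet is enough to raise an alert."""
    alerts = []
    for ts, src, dst, proto, info in packets:
        if proto == "icmp" and info == "echo-request" and ip_address(dst) == INTERNAL.broadcast_address:
            alerts.append((ts, "smurf", src, dst))
    return alerts


def detect_syn_flood(packets, window=1.0, threshold=5):
    """Threshold check: too many TCP SYNs to one host inside a sliding time window,
    the pattern of a denial-of-service attempt. One alert per target, on first crossing."""
    recent = defaultdict(deque)     # dst -> timestamps of SYNs seen in the window
    alerted = set()
    alerts = []
    for ts, src, dst, proto, info in packets:
        if proto != "tcp" or info != "SYN":
            continue
        times = recent[dst]
        times.append(ts)
        while ts - times[0] > window:   # drop SYNs that have aged out of the window
            times.popleft()
        if len(times) >= threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append((ts, "syn-flood", dst, len(times)))
    return alerts


def run_ids(packets):
    """An IDS only detects and logs: return the alert list, ordered by time, for an operator
    (or an IPS, which would act on it) to review."""
    return sorted(detect_smurf(packets) + detect_syn_flood(packets), key=lambda alert: alert[0])


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_PACKETS):
        print(alert)
```

Running it on the sample produces one smurf alert at t=0.10 and one syn-flood alert at t=0.40, when the fifth SYN to 10.0.0.20 arrives. The distinction the lecture notes draw between IDS and IPS is visible in `run_ids`: it returns alerts and changes nothing, whereas an IPS would use the same output to drop or rate-limit the offending traffic.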
IPSec (Internet Protocol Security) A Layer 3 protocol that defines encryption, authentication, and key management for TCP/IP transmissions. IPSec is an enhancement to IPv4 and is native to IPv6. IPSec is unique among authentication methods in that it adds security information to the header of all IP packets.
IP spoofing A security attack in which an outsider obtains internal IP addresses and then uses those addresses to pretend that he has authority to access a private network from the Internet.
ISAKMP (Internet Security Association and Key Management Protocol) A service for setting policies to verify the identity and the encryption methods nodes will use in IPSec transmission.
KDC (Key Distribution Center) In Kerberos terminology, the server that runs the authentication service and the Ticket-Granting Service to issue keys and tickets to clients.
Kerberos A cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system. It is an example of a private key encryption service.
key A series of characters that is combined with a block of data during that data’s encryption. To decrypt the resulting data, the recipient must also possess the key.
Key Distribution Center See KDC.
key management The method whereby two nodes using key encryption agree on common parameters for the keys they will use to encrypt data.
key pair The combination of a public and private key used to decipher data that was encrypted using public key encryption.
man-in-the-middle attack A security threat that relies on intercepted transmissions. It can take one of several forms, but in all cases a person redirects or captures secure data traffic while in transit.
Metasploit A penetration-testing tool that combines known scanning techniques and exploits to result in potentially new types of exploits.
Microsoft Challenge Handshake Authentication Protocol See MS-CHAP.
Microsoft Challenge Handshake Authentication Protocol, version 2 See MS-CHAPv2.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) An authentication protocol provided with Windows operating systems that uses a three-way handshake to verify a client’s credentials and encrypts passwords with a challenge text.
MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2) An authentication protocol provided with Windows operating systems that follows the CHAP model, but uses stronger encryption, uses different encryption keys for transmission and reception, and requires mutual authentication between two computers.
multifactor authentication An authentication process that requires the client to provide two or more pieces of information, such as a password, fingerprint scan, and security token.
mutual authentication An authentication scheme in which both computers verify the credentials of each other.
Nessus A penetration-testing tool from Tenable Security that performs sophisticated scans to discover information about hosts, ports, services, and software.
network-based firewall A firewall configured and positioned to protect an entire network.
network-based intrusion detection See NIDS.
network-based intrusion prevention See NIPS.
network key A key (or character string) required for a wireless station to associate with an access point using WEP.
Network Mapper See NMAP.
NIDS (network-based intrusion detection) A type of intrusion detection that occurs on devices that are situated at the edge of the network or that handle aggregated traffic.
NIPS (network-based intrusion prevention) A type of intrusion prevention that occurs on devices that are situated at the edge of the network or that handle aggregated traffic.
NMAP (Network Mapper) A scanning tool designed to assess large networks quickly and provide comprehensive, customized information about a network and its hosts.
NMAP, which runs on virtually any modern operating system, is available for download at no cost at www.nmap.org.
OpenSSH An open source version of the SSH suite of protocols.
packet-filtering firewall A router that examines the header of every packet of data that it receives to determine whether that type of packet is authorized to continue to its destination. Packet-filtering firewalls are also called screening firewalls.
PAP (Password Authentication Protocol) A simple authentication protocol that operates over PPP. Using PAP, a client issues its credentials in a request to authenticate, and the server responds with a confirmation or denial of authentication after comparing the credentials with those in its database. PAP is not very secure and is, therefore, rarely used on modern networks.
Password Authentication Protocol See PAP.
PGP (Pretty Good Privacy) A key-based encryption system for e-mail that uses a two-step verification process.
phishing A practice in which a person attempts to glean access or authentication information by posing as someone who needs that information.
PKI (Public-key Infrastructure) The use of certificate authorities to associate public keys with certain users.
port authentication A technique in which a client’s identity is verified by an authentication server before a port, whether physical or logical, is opened for the client’s Layer 3 traffic. See also 802.1x.
port-based authentication See port authentication.
port forwarding The process of redirecting traffic from its normally assigned port to a different port, either on the client or server. In the case of using SSH, port forwarding can send data exchanges that are normally insecure through encrypted tunnels.
port mirroring A monitoring technique in which one port on a switch is configured to send a copy of all its traffic to a second port.
port scanner Software that searches a server, switch, router, or other device for open ports, which can be vulnerable to attack.
posture assessment An assessment of an organization’s security vulnerabilities. Posture assessments should be performed at least annually and preferably quarterly—or sooner if the network has undergone significant changes. For each risk found, it should rate the severity of a potential breach, as well as its likelihood.
Pretty Good Privacy See PGP.
principal In Kerberos terminology, a user or client.
private key encryption A type of key encryption in which the sender and receiver use a key to which only they have access. DES (Data Encryption Standard), which was developed by IBM in the 1970s, is a popular example of a private key encryption technique. Private key encryption is also known as symmetric encryption.
proxy See proxy server.
proxy server A network host that runs a proxy service. Proxy servers may also be called gateways.
proxy service A software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic and providing one address to the outside world, instead of revealing the addresses of internal LAN devices.
public key encryption A form of key encryption in which data is encrypted using two keys: One is a key known only to a user, and the other is a key associated with the user and that can be obtained from a public source, such as a public key server. Some examples of public key algorithms include RSA and Diffie-Hellman. Public key encryption is also known as asymmetric encryption.
public-key infrastructure See PKI.
public key server A publicly available host (such as an Internet host) that provides free access to a list of users’ public keys (for use in public key encryption).
RADIUS (Remote Authentication Dial-In User Service) A popular protocol for providing centralized AAA (authentication, authorization, and accounting) for multiple users. RADIUS runs over UDP and can use one of several authentication protocols.
RADIUS server A server that offers centralized authentication services to a network’s access server, VPN server, or wireless access point via the RADIUS protocol.
RC4 An asymmetric key encryption technique that weaves a key with data multiple times as a computer issues the stream of data. RC4 keys can be as long as 2048 bits. In addition to being highly secure, RC4 is fast.
Remote Authentication Dial-In User Service See RADIUS.
RSA An encryption algorithm that creates a key by randomly choosing two large prime numbers and multiplying them together. RSA is named after its creators, Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA was released in 1977, but remains popular today for e-commerce transactions.
SCP (Secure CoPy) A method for copying files securely between hosts. SCP is part of the OpenSSH package, which comes with modern UNIX and Linux operating systems. Third-party SCP applications are available for Windows-based computers.
Secure CoPy See SCP.
Secure File Transfer Protocol See SFTP.
Secure Shell See SSH.
Secure Sockets Layer See SSL.
security audit An assessment of an organization’s security vulnerabilities performed by an accredited network security firm.
security policy A document or plan that identifies an organization’s security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee. In addition, it specifies how to address security breaches.
security token A device or piece of software used for authentication that stores or generates information, such as a series of numbers or letters, known only to its authorized user.
server_hello In the context of SSL encryption, a message issued from the server to the client that confirms the information the server received in the client_hello message. It also agrees to certain terms of encryption based on the options the client supplied.
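The public key encryption, key pair and RSA entries above say that RSA builds a key from the product of two primes and that the two keys of a pair undo each other. The following is an added example, not code from the textbook or from any cryptographic library, that carries the RSA key-pair construction through in Python on the deliberately tiny primes 61 and 53 so every value can be checked by hand. The brute force attack entry earlier in the glossary is illustrated as well: `recover_private_key` rebuilds the private key by factoring the public modulus, which only works because the modulus is tiny. The prime values, exponent and function names are assumptions for the demonstration; this toy omits the padding that real RSA requires.

```python
import math


def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a modulo m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def generate_keypair(p: int, q: int, e: int = 17):
    """Build a key pair from two primes: public key (e, n), private key (d, n).
    Only n is published; p and q are discarded once d is known."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt(public_key, message: int) -> int:
    """Anyone holding the public key can encrypt; the message is a number below n."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Only the holder of the matching private key recovers the message."""
    d, n = private_key
    return pow(ciphertext, d, n)


def recover_private_key(public_key):
    """Brute-force attack on the key: factor n by trial division, then rebuild d exactly as
    generate_keypair did. The loop runs up to sqrt(n) steps, so doubling the size of the
    primes squares the attacker's work; real keys use primes of hundreds of digits."""
    e, n = public_key
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return modinv(e, (p - 1) * (q - 1))
    return None


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)      # toy primes, constructed for illustration
    ciphertext = encrypt(public, 65)
    print(public, private, ciphertext, decrypt(private, ciphertext))   # (17, 3233) (2753, 3233) 2790 65
    print(recover_private_key(public))                                 # 2753
```

The same exponentiation run in the other direction, `pow(message, d, n)` checked with `pow(_, e, n)`, is the digital signature operation the digital certificate entry refers to: the private key produces a value that anyone with the public key can verify. The trial-division attack is why the glossary stresses "large" primes: for n = 3233 it finishes in a few dozen steps, and the only defense is a modulus far too large to factor.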
Depending on the Web server’s preferred encryption method, the server may choose to issue your browser a public key or a digital certificate at this time. session key In the context of Kerberos authentication, a key issued to both the client and the server by the authentication service that uniquely identifies their session. SFTP (Secure File Transfer Protocol) A protocol available with the proprietary version of SSH that copies files between hosts securely. Like FTP, SFTP first establishes a connection with a host and then allows a remote user to browse directories, list files, and copy files. Unlike FTP, SFTP encrypts data before transmitting it. single sign-on A form of authentication in which a client signs on once to access multiple systems or resources. smurf attack A threat to networked hosts in which the host is flooded with broadcast ping messages. A smurf attack is a type of denial-of-service attack. social engineering The act of manipulating personal relationships to circumvent network security measures and gain access to a system. SSH (Secure Shell) A connection utility that provides authentication and encryption. With SSH, you can securely log on to a host, execute commands on that host, and copy files to or from that host. SSH encrypts data exchanged throughout the session. SSL (Secure Sockets Layer) A method of encrypting TCP/IP transmissions—including Web pages and data entered into Web forms—en route between the client and server using public key encryption technology. SSL session In the context of SSL encryption, an association between the client and server that is defined by an agreement on a specific set of encryption techniques. An SSL session allows the client and server to continue to exchange data securely as long as the client is still connected to the server. SSL sessions are established by the SSL handshake protocol. stateful firewall A firewall capable of monitoring a data stream from end to end. 
stateless firewall A firewall capable only of examining packets individually. Stateless firewalls perform more quickly than stateful firewalls, but are not as sophisticated. symmetric encryption A method of encryption that requires the same key to encode the data as is used to decode the ciphertext. TACACS+ (Terminal Access Controller Access Control System Plus) A Cisco proprietary protocol for AAA (authentication, authorization, and accounting). Like RADIUS, TACACS+ may use one of many authentication protocols. Unlike RADIUS, TACACS+ relies on TCP at the Network layer and allows for separation of the AAA services. Temporal Key Integrity Protocol See TKIP. Terminal Access Controller Access Control System Plus See TACACS+. TGS (Ticket-Granting Service) In Kerberos terminology, an application that runs on the KDC that issues Ticket-Granting Tickets to clients so that they need not request a new ticket for each new service they want to access. TGT (Ticket-Granting Ticket) In Kerberos terminology, a ticket that enables a user to be accepted as a validated principal by multiple services. three-way handshake An authentication process that involves three steps. ticket In Kerberos terminology, a temporary set of credentials that a client uses to prove that its identity has been validated by the authentication service. Ticket-Granting Service See TGS. Ticket-Granting Ticket See TGT. TKIP (Temporal Key Integrity Protocol) An encryption key generation and management scheme used by 802.11i. TLS (Transport Layer Security) A version of SSL being standardized by the IETF (Internet Engineering Task Force). With TLS, the IETF aims to create a version of SSL that encrypts UDP as well as TCP transmissions. TLS, which is supported by new Web browsers, uses slightly different encryption algorithms than SSL, but otherwise is very similar to the most recent version of SSL. Transport Layer Security See TLS. 
Triple DES (3DES) The modern implementation of DES, which weaves a 56-bit key through data three times, each time using a different key. two-factor authentication A process in which clients must supply two pieces of information to verify their identity and gain access to a system. VPN concentrator A specialized device that authenticates VPN clients and establishes tunnels for VPN connections. vulnerability A weakness of a system, process, or architecture that could lead to compromised information or unauthorized access to a network. war chalking The use of chalk to draw symbols on a sidewalk or wall within range of an access point. The symbols, patterned after marks that hobos devised to indicate hospitable places for food or rest, indicate the access point’s SSID and whether it’s secured. war driving The act of driving while running a laptop configured to detect and capture wireless data transmissions. WEP (Wired Equivalent Privacy) A key encryption technique for wireless networks that uses keys both to authenticate network clients and to encrypt data in transit. WEP cracking A security exploit in which a hacker uses a program to discover a WEP key. Wi-Fi Alliance An international, nonprofit organization dedicated to ensuring the interoperability of 802.11-capable devices. Wi-Fi Protected Access See WPA. Wired Equivalent Privacy See WEP. WPA (Wi-Fi Protected Access) A wireless security method endorsed by the Wi-Fi Alliance that is considered a subset of the 802.11i standard. In WPA, authentication follows the same mechanism specified in 802.11i. The main difference between WPA and 802.11i is that WPA specifies RC4 encryption rather than AES. WPA2 The name given to the 802.11i security standard by the Wi-Fi Alliance. The only difference between WPA2 and 802.11i is that WPA2 includes support for the older WPA security method. WPA2-Enterprise An authentication scheme for Wi-Fi networks that combines WPA2 with RADIUS. 
WPA cracking A security exploit in which a hacker uses a program to discover a WPA key. WPA-Enterprise An authentication scheme for Wi-Fi networks that combines WPA with RADIUS. zero-day exploit An exploit that takes advantage of a software vulnerability that hasn’t yet become public, and is known only to the hacker who discovered it. Zero-day exploits are particularly dangerous, because the vulnerability is exploited before the software developer has the opportunity to provide a solution for it. Instructor Manual for Network+ Guide to Networks Tamara Dean 9781133608196, 9781133608257, 9781337569330