Abraham Torres
CIS 534 Advanced Network Security
Chapter 2
Strayer University
01/08/18
Prof. Mort Anvari
Secure Technology Classes

A wide range of security technologies exists to provide solutions for securing network access and data transport mechanisms within the corporate network infrastructure:

Identity technologies
Security in TCP/IP structure layers
Virtual private dial-up security technologies (VPM)
Public Key Infrastructure and distribution models
Identity Technologies

Authentication is an extremely critical element because everything is based on who you are. In many corporate networks, you would not grant access to specific parts of the network before establishing who is trying to gain access to restricted resources.

How foolproof the authentication method is depends on the technology used.
Identity Product Technologies

Secure Password Protocol (S/Key)
Token Password Authentication Schemes
Point-to-Point Protocol (PPP)
The TACACS+ Protocol
The RADIUS Protocol
The Kerberos Protocol
Secure Key Password Protocol (S/Key)

The S/Key One-Time Password System, released by Bellcore and defined in RFC 1760, is a one-time password generation scheme based on MD4 and MD5. The S/Key protocol is designed to counter a replay attack when a user is attempting to log in to a system.

It involves three distinct steps:

Preparation step: The client enters a secret pass phrase. This pass phrase is concatenated with the seed that was transmitted from the server in cleartext.
Generation step: Applies the secure hash function multiple times, producing a 64-bit final output.
Output function: Takes the 64-bit one-time password and displays it in readable form.
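The hash chain behind the three steps above, as an added example that is not part of the original slides or of RFC 1760. It uses MD5 from Python's hashlib in place of MD4 (the slide names both) together with the 64-bit fold, shows the 64 bits as hex digits rather than the six-word encoding, and uses a constructed seed and pass phrase. The server stores only hash number N and accepts hash number N-1, which is why a captured one-time password is useless a second time.

```python
import hashlib

# Constructed sample values for this added example; any seed and pass phrase work.
SEED = "fw10234"
PASSPHRASE = "correct horse battery staple"


def fold64(digest: bytes) -> bytes:
    """Fold a 128-bit digest to 64 bits by XORing its two halves, as RFC 1760 does."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def skey_step(x: bytes) -> bytes:
    """One application of the secure hash: MD5 followed by the 64-bit fold."""
    return fold64(hashlib.md5(x).digest())


def skey_otp(passphrase: str, seed: str, n: int) -> bytes:
    """Preparation and generation steps: concatenate seed and pass phrase, then
    hash n times. The result is one-time password number n in the chain."""
    x = (seed.lower() + passphrase).encode()
    for _ in range(n):
        x = skey_step(x)
    return x


def to_readable(otp: bytes) -> str:
    """Output function, simplified: RFC 1760 maps the 64 bits to six short English
    words from its dictionary; this example shows the same 64 bits as 16 hex digits."""
    return otp.hex()


class SKeyServer:
    """The server keeps only the last accepted OTP (initially hash number N) and
    the sequence number. A presented OTP is valid exactly when hashing it once
    more reproduces the stored value, so a captured OTP cannot be replayed."""

    def __init__(self, seed: str, initial_otp: bytes, n: int):
        self.seed = seed
        self.last_otp = initial_otp
        self.n = n  # sequence number of the stored hash

    def challenge(self) -> str:
        """Sequence number and seed go to the client in cleartext; they only
        tell it how many hash iterations to compute."""
        return f"{self.n - 1} {self.seed}"

    def verify(self, presented: bytes) -> bool:
        if skey_step(presented) != self.last_otp:
            return False  # wrong pass phrase, wrong iteration, or a replayed value
        self.last_otp = presented  # advance one step down the chain
        self.n -= 1
        return True


if __name__ == "__main__":
    server = SKeyServer(SEED, skey_otp(PASSPHRASE, SEED, 100), 100)
    print("challenge:", server.challenge())
    otp = skey_otp(PASSPHRASE, SEED, 99)
    print("client sends", to_readable(otp), "accepted:", server.verify(otp))
    print("same OTP replayed, accepted:", server.verify(otp))
```

The seed is lower-cased before concatenation because the S/Key calculator and server must agree on the exact bytes they hash; the counter runs downward, so the server only ever sees values it cannot itself compute ahead of time.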
Token Password Authentication

Token authentication systems generally require the use of a special smart card or token card. Although some implementations are done in software to alleviate the problem of losing the smart card or token, these types of authentication mechanisms are based on one of two alternative schemes:

Challenge-Response
Time-Synchronous Authentication
Steps for Challenge-Response Authentication

Step 1: The user dials into an authentication server, which then issues a prompt for a user ID.
Step 2: The user provides the ID to the server, which then issues a challenge, a random number that appears on the user's screen.
Step 3: The user enters that challenge number into the token or smart card, a credit-card-like device, which then encrypts the challenge with the user's encryption key and displays a response.
Step 4: The user types this response and sends it to the authentication server. While the user is obtaining a response from the token, the authentication server calculates what the appropriate response should be based on its database of user keys.
Step 5: When the server receives the user's response, it compares that response with the one it has calculated.
[Figure: Time-Synchronous Token Authentication. The client user dials into the authentication server, which prompts for an access code. The user enters a PIN, the token card displays the current code (8HAD589 in the figure), and the user sends it to the server, which compares it with the value it has calculated.]
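Both token schemes side by side, as an added example that is neither the slides' own material nor any vendor's token implementation. The challenge-response class follows steps 2 to 5 above; the time-synchronous functions replace the challenge with the current time window, which is what the figure shows. The user key, the 60-second window and the 8-character display are constructed assumptions; a keyed MAC (HMAC-SHA256) stands in for whatever cipher a real card uses to "encrypt the challenge".

```python
import hashlib
import hmac
import secrets
import struct

# Constructed user key for this added example. In a real deployment it lives
# inside the token card and in the authentication server's database of user keys.
USER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TIME_STEP = 60  # seconds per time-synchronous window (assumed value)


def token_display(key: bytes, data: bytes) -> str:
    """What the token card computes and shows: a keyed MAC over the input,
    truncated to 8 hex characters so it fits a small display."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:8].upper()


class ChallengeResponseServer:
    """Server side of steps 2 to 5: issue a random challenge, compute the
    expected response from the stored user key, compare."""

    def __init__(self, user_keys: dict):
        self.user_keys = user_keys
        self.outstanding = {}  # user id -> challenge awaiting a response

    def issue_challenge(self, user_id: str) -> bytes:
        challenge = secrets.token_bytes(8)  # fresh random number shown to the user
        self.outstanding[user_id] = challenge
        return challenge

    def check(self, user_id: str, response: str) -> bool:
        challenge = self.outstanding.pop(user_id, None)  # each challenge is single use
        if challenge is None or user_id not in self.user_keys:
            return False
        expected = token_display(self.user_keys[user_id], challenge)
        return hmac.compare_digest(expected, response)


def time_sync_code(key: bytes, now: float, step: int = TIME_STEP) -> str:
    """Time-synchronous token: nothing is exchanged beforehand; card and server
    both derive the code from the shared key and the current time window."""
    window = int(now // step)
    return token_display(key, struct.pack(">Q", window))


def check_time_sync(key: bytes, code: str, now: float,
                    step: int = TIME_STEP, drift: int = 1) -> bool:
    """Server-side check that tolerates `drift` windows of clock skew either way,
    since the card's clock and the server's clock are never perfectly aligned."""
    window = int(now // step)
    for w in range(window - drift, window + drift + 1):
        if hmac.compare_digest(token_display(key, struct.pack(">Q", w)), code):
            return True
    return False
```

The single-use `outstanding` entry is what gives the challenge-response scheme its playback protection; the drift window in `check_time_sync` is the corresponding trade-off for the time-synchronous scheme, since every extra window accepted widens the period during which an observed code remains valid.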
Point-to-Point Protocol

The Point-to-Point Protocol (PPP) is most often used to establish a dial connection over serial lines or ISDN. PPP authentication mechanisms include the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), and the Extensible Authentication Protocol (EAP). In all these cases, the peer device is being authenticated rather than the user of the device. PPP provides for an optional authentication phase before proceeding to the network-layer protocol phase.

Point-to-Point Frame Format

[Figure: PPP frame fields in order: Flag | Address | Control | Protocol | Data | FCS | Flag]
PPP Authentication Summary

PAP
  Strength: Easy to implement.
  Weakness: Does not have strong authentication; password is sent in the clear between client and server; no playback protection.

CHAP
  Strength: Password encrypted; both client and server playback protection.
  Weakness: Password must be stored in cleartext on the server.

EAP
  Strength: Flexible, more robust authentication support.
  Weakness: New; may not yet be widely deployed.
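The PAP and CHAP rows of the table, as an added example (not from the slides or from any PPP implementation). The PAP half builds the Authenticate-Request payload as it crosses the link, so the password is visibly inside it; the CHAP half computes the RFC 1994 response, MD5(Identifier || secret || Challenge value), which never carries the secret but forces the authenticator to hold that secret in cleartext so it can recompute the hash. The peer name and secret are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed credentials for this added example.
PEER_NAME = "branch-router-7"
PEER_SECRET = b"s3cret-link-password"
SECRETS_DB = {PEER_NAME: PEER_SECRET}  # CHAP needs this in cleartext on the authenticator


# --- PAP (RFC 1334): the Authenticate-Request carries the password itself ---
def pap_authenticate_request(peer_id: str, password: bytes) -> bytes:
    """PAP payload on the wire: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    pid = peer_id.encode()
    return bytes([len(pid)]) + pid + bytes([len(password)]) + password


def pap_check(request: bytes, secrets_db: dict) -> bool:
    """Authenticator side: parse the request and compare the password directly."""
    pid_len = request[0]
    peer_id = request[1:1 + pid_len].decode()
    pw_len = request[1 + pid_len]
    password = request[2 + pid_len:2 + pid_len + pw_len]
    return hmac.compare_digest(secrets_db.get(peer_id, b""), password)


# --- CHAP (RFC 1994): Response value = MD5(Identifier || secret || Challenge value) ---
def chap_response(identifier: int, secret: bytes, challenge_value: bytes) -> bytes:
    """Computed by the peer; only this 16-byte digest crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


class ChapAuthenticator:
    def __init__(self, secrets_db: dict):
        self.secrets_db = secrets_db
        self.identifier = 0
        self.pending = {}  # identifier -> challenge value awaiting a response

    def challenge(self):
        """Issue a fresh Identifier and a random Challenge value; the randomness
        is what gives CHAP its playback protection."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = secrets.token_bytes(16)
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, peer_name: str, response: bytes) -> bool:
        value = self.pending.pop(identifier, None)  # a challenge is answered once
        if value is None or peer_name not in self.secrets_db:
            return False
        # The stored secret must be the cleartext one: the hash is recomputed here.
        expected = chap_response(identifier, self.secrets_db[peer_name], value)
        return hmac.compare_digest(expected, response)
```

Running the PAP request through a line monitor shows the secret in the clear, which is the "no playback protection" row: anyone who captured the request could resend it. The CHAP response for one Identifier/Challenge pair is rejected the second time because the pending entry has been consumed.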
TACACS+ Protocol

The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP-based access control protocol originally developed by BBN for the MILNET. Cisco has enhanced (extended) TACACS several times, and Cisco's implementation, based on the original TACACS, is referred to as XTACACS.

Fundamental Differences

•TACACS: Combined authentication and authorization process.
•XTACACS: Separated authentication, authorization, and accounting.
•TACACS+: XTACACS with extended attribute control and accounting.
RADIUS Protocol

The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises, Inc. as an access server authentication and accounting protocol. In June 1996, the RADIUS protocol specification was submitted to the IETF. The RADIUS specification (RFC 2058) and RADIUS accounting standard (RFC 2059) are now proposed standard protocols.

RADIUS Authentication: The server can support a variety of methods to authenticate a user; it can support PPP, PAP, CHAP, UNIX login, and other authentication mechanisms.

RADIUS Authorization: The authentication and authorization functionalities are coupled together. Typical parameters include service type (shell or framed), protocol type, IP address to assign the user (static or dynamic), access list to apply, or the static route in the NAS.
RADIUS Protocol (continued)

RADIUS Accounting: Allows data to be sent at the start and end of sessions, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session.

RADIUS Transactions: Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecured network

[Figure: Encryption of applicable TACACS+/RADIUS parameters. The dial-in modem link to the RADIUS client is marked "No encryption"; the applicable parameters are encrypted between the RADIUS client and the RADIUS server.]
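How the two claims in "RADIUS Transactions" are realised on the wire, as an added example that is not part of the slides or of any RADIUS server's code. The password hiding follows RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed block by block into the padded password) and the Response Authenticator follows section 3; both use the shared secret without ever transmitting it. The secret and Request Authenticator values are constructed.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... Only the ci go on the wire."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        out += c
        prev = c  # each block's key stream depends on the previous ciphertext block
    return out


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Inverse: the RADIUS server recovers the password with the same secret and RA.
    Trailing NUL padding is removed."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, shared_secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The NAS recomputes this to confirm the reply came from a server holding the secret."""
    length = 20 + len(attributes)  # 20-octet RADIUS header plus attributes
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attributes + shared_secret).digest()
```

A client that calls `hide_user_password` with a different secret than the server produces garbage on the server side rather than an error, which is the usual symptom of a mismatched RADIUS shared secret; the Response Authenticator check catches the reverse case, a reply forged by something that does not know the secret.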
The Kerberos Protocol

Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. The Kerberos Version 5 protocol is an Internet standard specified by RFC 1510.

[Figure: Client, KDC and Server. The KDC holds a shared key with the client (the client key) and a shared key with the server (the server key).]

When the client wants to create an association with a particular application server, the client uses the authentication request and response to first obtain a ticket and a session key from the KDC.
FORTEZZA

The Multilevel Information Systems Security Initiative (MISSI) is a network security initiative under the leadership of the National Security Agency (NSA). MISSI provides a framework for the development and evolution of interoperable security products to provide flexible, modular security for the networked information systems across the Defense Information Infrastructure (DII) and the National Information Infrastructure (NII). Netscape has a built-in browser link to SSL.

MISSI Building Blocks

•FORTEZZA and FORTEZZA Plus.
•Firewalls.
•Guards.
•Inline encryptors.
•Trusted computing.
Major Types of FORTEZZA Applications

Electronic Messaging: Can secure e-mail, electronic data interchange (EDI), electronic commerce, and facsimile to provide message encryption, authentication, and data integrity.
World Wide Web: Can protect Web transactions using strong identification and authentication and Secure Sockets Layer (SSL) interactions.
File and Media Encryptors: These encryptors are applications written to enable FORTEZZA to secure user files on storage media.
Identification and Authentication: After the FORTEZZA card has been installed in the workstation and the PIN has been correctly entered, the identity of the user is known and trusted.
Security in TCP/IP Layers

[Figure: the TCP/IP protocol suite mapped onto the OSI layers]
Application / Presentation / Session: TELNET, FTP, SMTP, DNS, SNMP, DHCP, RIP, RTP, RTCP
Transport: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
Network: Internet Protocol (IP), ICMP, IGMP, OSPF, ARP
Data link / Physical: Ethernet, Token Bus, FDDI, Token Ring
TCP/IP Application Layer

Provides access to the network for the end user. The user's capabilities are determined by what items are available on this layer. The logic needed to support the various applications lives here, and each type of application (file transfer, remote access) requires different software on this layer.

FTP: Protocol for copying files between hosts.
HTTP: Primary protocol used to implement the WWW.
Telnet: Remote terminal protocol enabling any terminal to log in to any host.
NNTP: Protocol used to transmit and receive network news.
SMTP: Protocol used for e-mail.
S-HTTP: Protocol designed for secure Web transactions.
Transport Layer

Concerned with the reliable transfer of information between applications, independent of the nature of the application. Includes aspects like flow control and error checking.

Isolates messages from lower and upper layers.
Breaks down message size.
Monitors quality of the communications channel.
Selects the most efficient communication service necessary for a given transmission.
Also called the host-to-host layer.
Uses the TCP protocol for transmission.
Secure Sockets Layer Protocol

The Secure Sockets Layer (SSL) is an open protocol designed by Netscape; it specifies a mechanism for providing data security layered between application protocols (such as HTTP, Telnet, NNTP, or FTP) and TCP/IP. It provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

SSL Component Protocols

The Handshake Protocol: This protocol negotiates the cryptographic parameters to be used between the client and the server.
The Record Protocol: This protocol is used to exchange application-layer data. Messages are fragmented into manageable blocks, optionally compressed, and a MAC is applied; the result is encrypted and transmitted.
The Alert Protocol: This protocol is used to indicate when errors have occurred or when a session between two hosts is being terminated.
The Secure Shell Protocol

The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. It provides support for secure remote login, secure file transfer, and the secure forwarding of TCP/IP and X Window System traffic.

SSH has three major components:

1. The transport layer protocol, which provides server authentication, confidentiality, and integrity with perfect forward secrecy. Optionally, it may also provide compression.
2. The user authentication protocol, which authenticates the client to the server.
3. The connection protocol, which multiplexes the encrypted tunnel into several logical channels.
The SOCKS Protocol

SOCKS is a transport-layer-based secure networking proxy protocol. It is designed to provide a framework for client/server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. SOCKS was originally developed by David and Michelle Koblas; the code was made freely available on the Internet.

SOCKS version 4 provides for unsecured firewall traversal for TCP-based client/server applications, including Telnet, FTP, and the popular information discovery protocols such as HTTP, WAIS, and Gopher.

SOCKS version 5, defined in RFC 1928, extends the SOCKS version 4 model to include UDP, extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain-name and IPv6 addresses.
Network Layer Security

Network layer security pertains to security services at the IP layer of the TCP/IP protocol stack. Many years of work have produced a set of standards from the IETF that, collectively, define how to secure services at the IP network layer.

IP Security

• We have considered some application-specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS.
• However, there are security concerns that cut across protocol layers.
• We would like security implemented by the network for all applications.
IPsec

General IP security mechanisms that provide:
authentication
confidentiality
key management

Applicable to use over LANs, across public and private WANs, and for the Internet.

Benefits of IPsec

• In a firewall/router, provides strong security to all traffic crossing the perimeter.
• Is resistant to bypass.
• Is below the transport layer, hence transparent to applications.
• Can be transparent to end users.
• Can provide security for individual users if desired.
IP Security Architecture

The specification is quite complex. It is defined in numerous Requests for Comments (RFCs):

RFC 2401: The IP Security Architecture.
RFC 2402: The IP Authentication Header (AH).
RFC 2406: The IP Encapsulating Security Payload (ESP).
RFC 2408: The Internet Security Association and Key Management Protocol (ISAKMP).
Many others, grouped by category.

Mandatory in IPv6, optional in IPv4.