SlideShare uma empresa Scribd logo

A Guide to Secure Remote Access - Eric Vanderburg

Transferir como PPTX, PDF
Eric Vanderburg
Eric Vanderburg

A Guide to Secure Remote Access - Eric Vanderburg

Tecnologia
1 de 38
A GUIDE TO SECURE REMOTE ACCESS ERIC VANDERBURG
TUNNELING PROTOCOLS • Tunneling: technique of encapsulating one packet of data within another type to create a secure link of transportation 2
POINT-TO-POINT TUNNELING PROTOCOL (PPTP) • Most widely deployed tunneling protocol • Connection is based on the Point-to-Point Protocol (PPP), widely used protocol for establishing connections over a serial line or dial-up connection between two points • Client connects to a network access server (NAS) to initiate connection • Extension to PPTP is Link Control Protocol (LCP), which establishes, configures, and tests the connection 3
LAYER 2 TUNNELING PROTOCOL (L2TP) • Represents a merging of features of PPTP with Cisco’s Layer 2 Forwarding Protocol (L2F), which itself was originally designed to address some of the weaknesses of PPTP • Unlike PPTP, which is primarily implemented as software on a client computer, L2TP can also be found on devices such as routers 4
AUTHENTICATION TECHNOLOGIES • Authenticating a transmission to ensure that it comes from an approved sender can provide an increased level of security for remote access users 5
IEEE 8021X • Based on a standard established by the Institute for Electrical and Electronic Engineers (IEEE) • Gaining wide-spread popularity • Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs) • Uses port-based authentication mechanisms 6 • Switch denies access to anyone other than an authorized user attempting to connect to the network through that port
IEEE 8021X • Network supporting the 8021x protocol consists of three elements: 7 • Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access • Authenticator: serves as an intermediary device between supplicant and authentication server • Authentication server: receives request from supplicant through authenticator
IEEE 8021X • Several variations of EAP can be used with 8021x: 8 • EAP-Transport Layer Security (EAP-TLS) • Lightweight EAP (LEAP) • EAP-Tunneled TLS (EAP-TTLS) • Protected EAP (PEAP) • Flexible Authentication via Secure Tunneling (FAST)
REMOTE AUTHENTICATION DIAL-IN USER SERVICE (RADIUS) • Originally defined to enable centralized authentication and access control and PPP sessions • Requests are forwarded to a single RADIUS server • Supports authentication, authorization, and auditing functions • After connection is made, RADIUS server adds an accounting record to its log and acknowledges the request • Allows company to maintain user profiles in a central database that all remote servers can share 9
TERMINAL ACCESS CONTROL ACCESS CONTROL SYSTEM (TACACS+) • Industry standard protocol specification that forwards username and password information to a centralized server • Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not 10
SECURE SHELL (SSH) 11 • One of the primary goals of the ARPANET (which became today’s Internet) was remote access • SSH is a UNIX-based command interface and protocol for securely accessing a remote computer • Suite of three utilities—slogin, ssh, and scp • Can protect against: • IP spoofing • DNS spoofing • Intercepting information
IP SECURITY (IPSEC) • Different security tools function at different layers of the Open System Interconnection (OSI) model • Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) operate at the Application layer • Kerberos functions at the Session layer 12
IP SECURITY (IPSEC) 13 • IPSec is a set of protocols developed to support the secure exchange of packets • Considered to be a transparent security protocol • Transparent to applications, users, and software • Provides three areas of protection that correspond to three IPSec protocols: • Authentication • Confidentiality • Key management
IP SECURITY (IPSEC) • Supports two encryption modes: 14 • Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header encrypted • Tunnel mode encrypts both the header and the data portion • IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet • The entire original packet is then treated as the data portion of the new packet
IP SECURITY (IPSEC) • Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms: 15 • AH in transport mode • AH in tunnel mode • ESP in transport mode • ESP in tunnel mode
VIRTUAL PRIVATE NETWORKS (VPNS) • Takes advantage of using the public Internet as if it were a private network • Allow the public Internet to be used privately • Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network 16
VIRTUAL PRIVATE NETWORKS (VPNS) • Two common types of VPNs include: 17 • Remote-access VPN or virtual private dial-up network (VPDN): user-to- LAN connection used by remote users • Site-to-site VPN: multiple sites can connect to other sites over the Internet • VPN transmissions achieved through communicating with endpoints • An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall
PROTECTING DIRECTORY SERVICES • A directory service is a database stored on the network itself and contains all information about users and network devices • A directory service contains information such as the user’s name, telephone extension, e-mail address, and logon name • The International Standards Organization (ISO) created a standard for directory services known as X500 18
PROTECTING DIRECTORY SERVICES • Purpose of X500 was to standardize how data was stored so any computer system could access these directories • Information is held in a directory information base (DIB) • Entries in the DIB are arranged in a directory information tree (DIT) 19
PROTECTING DIRECTORY SERVICES • The X500 standard defines a protocol for a client application to access the X500 directory called the Directory Access Protocol (DAP) • The DAP is too large to run on a personal computer • The Lightweight Directory Access Protocol (LDAP), or X500 Lite, is a simpler subset of DAP 20
SECURING DIGITAL CELLULAR TELEPHONY 21 • The early use of wireless cellular technology is known as First Generation (1G) • 1G is characterized by analog radio frequency (RF) signals transmitting at a top speed of 96 Kbps • 1G networks use circuit-switching technology • Digital cellular technology, which started in the early 1990s, uses digital instead of analog transmissions • Digital cellular uses packet switching instead of circuit-switching technology
WIRELESS APPLICATION PROTOCOL (WAP) 22 • Provides standard way to transmit, format, and display Internet data for devices such as cell phones • A WAP cell phone runs a microbrowser that uses Wireless Markup Language (WML) instead of HTML • WML is designed to display text-based Web content on the small screen of a cell phone • Because the Internet standard is HTML, a WAP Gateway (or WAP Proxy) must translate between WML and HTML
WIRELESS TRANSPORT LAYER SECURITY (WTLS) • Security layer of the WAP • Provides privacy, data integrity, and authentication for WAP services • Designed specifically for wireless cellular telephony • Based on the TLS security layer used on the Internet • Replaced by TLS in WAP 20 23
HARDENING WIRELESS LOCAL AREA NETWORKS (WLAN) • Serious security vulnerabilities have also been created by wireless data technology: 24 • Unauthorized users can access the wireless signal from outside a building and connect to the network • Attackers can capture and view transmitted data • Employees in the office can install personal wireless equipment and defeat perimeter security measures • Attackers can crack wireless security with kiddie scripts
IEEE 80211 STANDARDS • A WLAN shares same characteristics as a standard data-based LAN with the exception that network devices do not use cables to connect to the network • RF is used to send and receive packets • Sometimes called Wi-Fi for Wireless Fidelity, network devices can transmit 11 to 108 Mbps at a range of 150 to 375 feet • 80211a has a maximum rated speed of 54 Mbps and also supports 48, 36, 24, 18, 12, 9, and 6 Mbps transmissions at 5 GHz 25
IEEE 80211 STANDARDS • In September 1999, a new 80211b High Rate was amended to the 80211 standard • 80211b added two higher speeds, 55 and 11 Mbps • With faster data rates, 80211b quickly became the standard for WLANs • At same time, the 80211a standard was released 26
WLAN COMPONENTS • Each network device must have a wireless network interface card installed • Wireless NICs are available in a variety of formats: 27 • Type II PC card – Mini PCI • CompactFlash (CF) card – USB device • USB stick
WLAN COMPONENTS • An access point (AP) consists of three major parts: 28 • An antenna and a radio transmitter/receiver to send and receive signals • An RJ-45 wired network interface that allows it to connect by cable to a standard wired network • Special bridging software
BASIC WLAN SECURITY • Two areas: 29 • Basic WLAN security • Enterprise WLAN security • Basic WLAN security uses two new wireless tools and one tool from the wired world: • Service Set Identifier (SSID) beaconing • MAC address filtering • Wired Equivalent Privacy (WEP)
SERVICE SET IDENTIFIER (SSID) BEACONING • A service set is a technical term used to describe a WLAN network • Three types of service sets: 30 • Independent Basic Service Set (IBSS) • Basic Service Set (BSS) • Extended Service Set (ESS) • Each WLAN is given a unique SSID
MAC ADDRESS FILTERING 31 • Another way to harden a WLAN is to filter MAC addresses • The MAC address of approved wireless devices is entered on the AP • A MAC address can be spoofed • When wireless device and AP first exchange packets, the MAC address of the wireless device is sent in plaintext, allowing an attacker with a sniffer to see the MAC address of an approved device
WIRED EQUIVALENT PRIVACY (WEP) • Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents • Uses shared keys―the same key for encryption and decryption must be installed on the AP, as well as each wireless device • A serious vulnerability in WEP is that the IV is not properly implemented • Every time a packet is encrypted it should be given a unique IV 32
UNTRUSTED NETWORK • The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use • One approach to securing a WLAN is to treat it as an untrusted and unsecure network • Requires that the WLAN be placed outside the secure perimeter of the trusted network 33
TRUSTED NETWORK • It is still possible to provide security for a WLAN and treat it as a trusted network • Wi-Fi Protected Access (WPA) was crafted by the WECA in 2002 as an interim solution until a permanent wireless security standard could be implemented • Has two components: 34 • WPA encryption • WPA access control
TRUSTED NETWORK • WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP) • TKIP mixes keys on a per-packet basis to improve security • Although WPA provides enhanced security, the IEEE 80211i solution is even more secure • 80211i is expected to be released sometime in 2004 35
SUMMARY 36 • The FTP protocol has several security vulnerabilities—it does not natively use encryption and is vulnerable to man-in-the-middle attacks • FTP can be hardened by using secure FTP (which encrypts using SSL) • Protecting remote access transmissions is particularly important in today’s environment as more users turn to the Internet as the infrastructure for accessing protected information
SUMMARY 37 • Authenticating a transmission to ensure it came from the sender can provide increased security for remote access users • SSH is a UNIX-based command interface and protocol for securely accessing a remote computer • A directory service is a database stored on the network itself and contains all the information about users and network devices • Digital cellular telephony provides various features to operate on a wireless digital cellular device • WLANs have a dramatic impact on user access to data
FOR ASSISTANCE OR ADDITIONAL INFORMATION • Phone: 216-664-1100 • Web: www.jurinnov.com • Email: Eric.Vanderburg@jurinnov.com JurInnov Ltd. The Idea Center 1375 Euclid Avenue, Suite 400 Cleveland, Ohio 44115

Recomendados

Amit
AmitAmit
Amit
Vikas Jagtap
 
Unit07
Unit07Unit07
Unit07
Nurul Nadirah
 
CNIT 141 13. TLS
CNIT 141 13. TLSCNIT 141 13. TLS
CNIT 141 13. TLS
Sam Bowne
 
MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8
Fabio Almeida- Oficina Eletrônica
 
Chapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating SystemChapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating System
newbie2019
 
Hp a5500
Hp a5500Hp a5500
Hp a5500
Michel Hidalgo
 
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Sam Bowne
 
Bluetooth and Raspberry Pi
Bluetooth and Raspberry PiBluetooth and Raspberry Pi
Bluetooth and Raspberry Pi
Damien Magoni
 

Recomendados

Amit
AmitAmit
Amit
Vikas Jagtap
 
Unit07
Unit07Unit07
Unit07
Nurul Nadirah
 
CNIT 141 13. TLS
CNIT 141 13. TLSCNIT 141 13. TLS
CNIT 141 13. TLS
Sam Bowne
 
MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8
Fabio Almeida- Oficina Eletrônica
 
Chapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating SystemChapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating System
newbie2019
 
Hp a5500
Hp a5500Hp a5500
Hp a5500
Michel Hidalgo
 
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Sam Bowne
 
Bluetooth and Raspberry Pi
Bluetooth and Raspberry PiBluetooth and Raspberry Pi
Bluetooth and Raspberry Pi
Damien Magoni
 
MVA slides lesson 6
MVA slides lesson 6MVA slides lesson 6
MVA slides lesson 6
Fabio Almeida- Oficina Eletrônica
 
It nv51 instructor_ppt_ch10
It nv51 instructor_ppt_ch10It nv51 instructor_ppt_ch10
It nv51 instructor_ppt_ch10
newbie2019
 
gkkSecurity essentials domain 2
gkkSecurity essentials domain 2gkkSecurity essentials domain 2
gkkSecurity essentials domain 2
Anne Starr
 
Raga_SDN_NSX_1
Raga_SDN_NSX_1Raga_SDN_NSX_1
Raga_SDN_NSX_1
Ranjith Kumar
 
Comprehensive survey on routing protocols for IoT
Comprehensive survey on routing protocols for IoTComprehensive survey on routing protocols for IoT
Comprehensive survey on routing protocols for IoT
sulaiman_karim
 
Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolution
Daniel Vinyar
 
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
Waqas Ahmed Nawaz
 
It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11
newbie2019
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
Karthikeyan Dhayalan
 
Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
jyoti_lakhani
 
Guide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgGuide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric Vanderburg
Eric Vanderburg
 
Internet connectivity
Internet connectivityInternet connectivity
Internet connectivity
FabMinds
 
IoT RF Protocols
IoT RF ProtocolsIoT RF Protocols
IoT RF Protocols
APNIC
 
Topic22
Topic22Topic22
Topic22
Anne Starr
 
Software defined networks and openflow protocol
Software defined networks and openflow protocolSoftware defined networks and openflow protocol
Software defined networks and openflow protocol
Mahesh Mohan
 
Geef Industry 4.0 een boost
Geef Industry 4.0 een boostGeef Industry 4.0 een boost
Geef Industry 4.0 een boost
Howest_ENM
 
LoRa application for detecting the harmful gases
LoRa application for detecting the harmful gasesLoRa application for detecting the harmful gases
LoRa application for detecting the harmful gases
PARNIKA GUPTA
 
Securityic2
Securityic2Securityic2
Securityic2
Anne Starr
 
CNIT 123 12: Cryptography
CNIT 123 12: CryptographyCNIT 123 12: Cryptography
CNIT 123 12: Cryptography
Sam Bowne
 
Computer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVComputer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOV
Eric Vanderburg
 
null Pune meet - Evading Firewalls: Tunneling
null Pune meet - Evading Firewalls: Tunnelingnull Pune meet - Evading Firewalls: Tunneling
null Pune meet - Evading Firewalls: Tunneling
n|u - The Open Security Community
 
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesCloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance Challenges
Eric Vanderburg
 

Mais conteúdo relacionado

Mais procurados

gkkSecurity essentials domain 2
gkkSecurity essentials domain 2gkkSecurity essentials domain 2
gkkSecurity essentials domain 2
Anne Starr
 

Mais procurados (19)

MVA slides lesson 6
MVA slides lesson 6MVA slides lesson 6
MVA slides lesson 6
 
It nv51 instructor_ppt_ch10
It nv51 instructor_ppt_ch10It nv51 instructor_ppt_ch10
It nv51 instructor_ppt_ch10
 
gkkSecurity essentials domain 2
gkkSecurity essentials domain 2gkkSecurity essentials domain 2
gkkSecurity essentials domain 2
 
Raga_SDN_NSX_1
Raga_SDN_NSX_1Raga_SDN_NSX_1
Raga_SDN_NSX_1
 
Comprehensive survey on routing protocols for IoT
Comprehensive survey on routing protocols for IoTComprehensive survey on routing protocols for IoT
Comprehensive survey on routing protocols for IoT
 
Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolution
 
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
CCNA (R & S) Module 04 - Scaling Networks - Chapter 5
 
It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
 
Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
 
Guide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric VanderburgGuide to protecting networks - Eric Vanderburg
Guide to protecting networks - Eric Vanderburg
 
Internet connectivity
Internet connectivityInternet connectivity
Internet connectivity
 
IoT RF Protocols
IoT RF ProtocolsIoT RF Protocols
IoT RF Protocols
 
Topic22
Topic22Topic22
Topic22
 
Software defined networks and openflow protocol
Software defined networks and openflow protocolSoftware defined networks and openflow protocol
Software defined networks and openflow protocol
 
Geef Industry 4.0 een boost
Geef Industry 4.0 een boostGeef Industry 4.0 een boost
Geef Industry 4.0 een boost
 
LoRa application for detecting the harmful gases
LoRa application for detecting the harmful gasesLoRa application for detecting the harmful gases
LoRa application for detecting the harmful gases
 
Securityic2
Securityic2Securityic2
Securityic2
 
CNIT 123 12: Cryptography
CNIT 123 12: CryptographyCNIT 123 12: Cryptography
CNIT 123 12: Cryptography
 

Destaque

Correct the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric VanderburgCorrect the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric Vanderburg
Eric Vanderburg
 

Destaque (17)

Computer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVComputer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOV
 
null Pune meet - Evading Firewalls: Tunneling
null Pune meet - Evading Firewalls: Tunnelingnull Pune meet - Evading Firewalls: Tunneling
null Pune meet - Evading Firewalls: Tunneling
 
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesCloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance Challenges
 
Untangled Conference - November 8, 2014 - Security Awareness
Untangled Conference - November 8, 2014 - Security AwarenessUntangled Conference - November 8, 2014 - Security Awareness
Untangled Conference - November 8, 2014 - Security Awareness
 
Correct the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric VanderburgCorrect the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric Vanderburg
 
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and ThreatsHacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
 
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemThe Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
 
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric VanderburgCountering malware threats - Eric Vanderburg
Countering malware threats - Eric Vanderburg
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOV
 
Physical security primer - JURINNOV - Eric Vanderburg
Physical security primer - JURINNOV - Eric VanderburgPhysical security primer - JURINNOV - Eric Vanderburg
Physical security primer - JURINNOV - Eric Vanderburg
 
Understanding computer attacks and attackers - Eric Vanderburg - JURINNOV
Understanding computer attacks and attackers - Eric Vanderburg - JURINNOVUnderstanding computer attacks and attackers - Eric Vanderburg - JURINNOV
Understanding computer attacks and attackers - Eric Vanderburg - JURINNOV
 
Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information S...
Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information S...Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information S...
Preventing Fraud from Top to Bottom - Vanderburg, Gaddamanugu - Information S...
 
Security Governance Primer - Eric Vanderburg - JURINNOV
Security Governance Primer - Eric Vanderburg - JURINNOVSecurity Governance Primer - Eric Vanderburg - JURINNOV
Security Governance Primer - Eric Vanderburg - JURINNOV
 
Ransomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware ThreatRansomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware Threat
 
Modem technology
Modem technologyModem technology
Modem technology
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
 
Slideshare ppt
Slideshare pptSlideshare ppt
Slideshare ppt
 

Semelhante a A Guide to Secure Remote Access - Eric Vanderburg

Wireless lan electronics and communication engineering
Wireless lan electronics and communication engineeringWireless lan electronics and communication engineering
Wireless lan electronics and communication engineering
eceb9198
 
Recent Trends in Wireless communication
Recent Trends in Wireless communicationRecent Trends in Wireless communication
Recent Trends in Wireless communication
JigsAshley
 
Web technologies: recap on TCP-IP
Web technologies: recap on TCP-IPWeb technologies: recap on TCP-IP
Web technologies: recap on TCP-IP
Piero Fraternali
 

Semelhante a A Guide to Secure Remote Access - Eric Vanderburg (20)

98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8
 
Information Security Lesson 7 - Remote Access - Eric Vanderburg
Information Security Lesson 7 - Remote Access - Eric VanderburgInformation Security Lesson 7 - Remote Access - Eric Vanderburg
Information Security Lesson 7 - Remote Access - Eric Vanderburg
 
Network Concepts
Network ConceptsNetwork Concepts
Network Concepts
 
VPN & FIREWALL
VPN & FIREWALLVPN & FIREWALL
VPN & FIREWALL
 
internet network for o level
internet network for o level internet network for o level
internet network for o level
 
Wireless lan electronics and communication engineering
Wireless lan electronics and communication engineeringWireless lan electronics and communication engineering
Wireless lan electronics and communication engineering
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Unit08
Unit08Unit08
Unit08
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
Recent Trends in Wireless communication
Recent Trends in Wireless communicationRecent Trends in Wireless communication
Recent Trends in Wireless communication
 
Internet of Things Protocol - Session 2
Internet of Things Protocol - Session 2Internet of Things Protocol - Session 2
Internet of Things Protocol - Session 2
 
Minimizing Information Transparency
Minimizing Information TransparencyMinimizing Information Transparency
Minimizing Information Transparency
 
The Theoretical Network
The Theoretical NetworkThe Theoretical Network
The Theoretical Network
 
Understanding IT Network Security for Wireless and Wired Measurement Applicat...
Understanding IT Network Security for Wireless and Wired Measurement Applicat...Understanding IT Network Security for Wireless and Wired Measurement Applicat...
Understanding IT Network Security for Wireless and Wired Measurement Applicat...
 
Wireless personal area networks(PAN)
Wireless personal area networks(PAN)Wireless personal area networks(PAN)
Wireless personal area networks(PAN)
 
Vision
VisionVision
Vision
 
UNIT 7-UNDERSTANDING LARGER NETWORKS.pptx
UNIT 7-UNDERSTANDING LARGER NETWORKS.pptxUNIT 7-UNDERSTANDING LARGER NETWORKS.pptx
UNIT 7-UNDERSTANDING LARGER NETWORKS.pptx
 
Web technologies: recap on TCP-IP
Web technologies: recap on TCP-IPWeb technologies: recap on TCP-IP
Web technologies: recap on TCP-IP
 
Module 8 - Ccna - Pre.pptx
Module 8 - Ccna - Pre.pptxModule 8 - Ccna - Pre.pptx
Module 8 - Ccna - Pre.pptx
 
06-Networks-Software.pdf
06-Networks-Software.pdf06-Networks-Software.pdf
06-Networks-Software.pdf
 

Mais de Eric Vanderburg

Mais de Eric Vanderburg (15)

GDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT SymposiumGDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT Symposium
 
Modern Security the way Equifax Should Have
Modern Security the way Equifax Should HaveModern Security the way Equifax Should Have
Modern Security the way Equifax Should Have
 
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric VanderburgCybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
 
Mobile Forensics and Cybersecurity
Mobile Forensics and CybersecurityMobile Forensics and Cybersecurity
Mobile Forensics and Cybersecurity
 
Emerging Technologies: Japan’s Position
Emerging Technologies: Japan’s PositionEmerging Technologies: Japan’s Position
Emerging Technologies: Japan’s Position
 
Principles of technology management
Principles of technology managementPrinciples of technology management
Principles of technology management
 
Japanese railway technology
Japanese railway technologyJapanese railway technology
Japanese railway technology
 
Evaluating japanese technological competitiveness
Evaluating japanese technological competitivenessEvaluating japanese technological competitiveness
Evaluating japanese technological competitiveness
 
Japanese current and future technology management challenges
Japanese current and future technology management challengesJapanese current and future technology management challenges
Japanese current and future technology management challenges
 
Technology management in Japan: Robotics
Technology management in Japan: RoboticsTechnology management in Japan: Robotics
Technology management in Japan: Robotics
 
Incident response table top exercises
Incident response table top exercisesIncident response table top exercises
Incident response table top exercises
 
Deconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric VanderburgDeconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric Vanderburg
 
The security professional's guide to programming - Eric Vanderburg
The security professional's guide to programming - Eric VanderburgThe security professional's guide to programming - Eric Vanderburg
The security professional's guide to programming - Eric Vanderburg
 
Ethical hacking Chapter 12 - Encryption - Eric Vanderburg
Ethical hacking Chapter 12 - Encryption - Eric VanderburgEthical hacking Chapter 12 - Encryption - Eric Vanderburg
Ethical hacking Chapter 12 - Encryption - Eric Vanderburg
 

Último

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Último (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

A Guide to Secure Remote Access - Eric Vanderburg

  • 1. A GUIDE TO SECURE REMOTE ACCESS ERIC VANDERBURG
  • 2. TUNNELING PROTOCOLS • Tunneling: technique of encapsulating one packet of data within another type to create a secure link of transportation 2
  • 3. POINT-TO-POINT TUNNELING PROTOCOL (PPTP) • Most widely deployed tunneling protocol • Connection is based on the Point-to-Point Protocol (PPP), widely used protocol for establishing connections over a serial line or dial-up connection between two points • Client connects to a network access server (NAS) to initiate connection • Extension to PPTP is Link Control Protocol (LCP), which establishes, configures, and tests the connection 3
  • 4. LAYER 2 TUNNELING PROTOCOL (L2TP) • Represents a merging of features of PPTP with Cisco’s Layer 2 Forwarding Protocol (L2F), which itself was originally designed to address some of the weaknesses of PPTP • Unlike PPTP, which is primarily implemented as software on a client computer, L2TP can also be found on devices such as routers 4
  • 5. AUTHENTICATION TECHNOLOGIES • Authenticating a transmission to ensure that it comes from an approved sender can provide an increased level of security for remote access users 5
  • 6. IEEE 8021X • Based on a standard established by the Institute for Electrical and Electronic Engineers (IEEE) • Gaining wide-spread popularity • Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs) • Uses port-based authentication mechanisms 6 • Switch denies access to anyone other than an authorized user attempting to connect to the network through that port
  • 7. IEEE 8021X • Network supporting the 8021x protocol consists of three elements: 7 • Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access • Authenticator: serves as an intermediary device between supplicant and authentication server • Authentication server: receives request from supplicant through authenticator
  • 8. IEEE 8021X • Several variations of EAP can be used with 8021x: 8 • EAP-Transport Layer Security (EAP-TLS) • Lightweight EAP (LEAP) • EAP-Tunneled TLS (EAP-TTLS) • Protected EAP (PEAP) • Flexible Authentication via Secure Tunneling (FAST)
  • 9. REMOTE AUTHENTICATION DIAL-IN USER SERVICE (RADIUS) • Originally defined to enable centralized authentication and access control and PPP sessions • Requests are forwarded to a single RADIUS server • Supports authentication, authorization, and auditing functions • After connection is made, RADIUS server adds an accounting record to its log and acknowledges the request • Allows company to maintain user profiles in a central database that all remote servers can share 9
  • 10. TERMINAL ACCESS CONTROL ACCESS CONTROL SYSTEM (TACACS+) • Industry standard protocol specification that forwards username and password information to a centralized server • Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not 10
  • 11. SECURE SHELL (SSH) 11 • One of the primary goals of the ARPANET (which became today’s Internet) was remote access • SSH is a UNIX-based command interface and protocol for securely accessing a remote computer • Suite of three utilities—slogin, ssh, and scp • Can protect against: • IP spoofing • DNS spoofing • Intercepting information
  • 12. IP SECURITY (IPSEC) • Different security tools function at different layers of the Open System Interconnection (OSI) model • Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) operate at the Application layer • Kerberos functions at the Session layer 12
  • 13. IP SECURITY (IPSEC) 13 • IPSec is a set of protocols developed to support the secure exchange of packets • Considered to be a transparent security protocol • Transparent to applications, users, and software • Provides three areas of protection that correspond to three IPSec protocols: • Authentication • Confidentiality • Key management
  • 14. IP SECURITY (IPSEC) • Supports two encryption modes: 14 • Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header encrypted • Tunnel mode encrypts both the header and the data portion • IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet • The entire original packet is then treated as the data portion of the new packet
  • 15. IP SECURITY (IPSEC) • Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms: 15 • AH in transport mode • AH in tunnel mode • ESP in transport mode • ESP in tunnel mode
  • 16. VIRTUAL PRIVATE NETWORKS (VPNS) • Takes advantage of using the public Internet as if it were a private network • Allow the public Internet to be used privately • Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network 16
  • 17. VIRTUAL PRIVATE NETWORKS (VPNS) • Two common types of VPNs include: 17 • Remote-access VPN or virtual private dial-up network (VPDN): user-to- LAN connection used by remote users • Site-to-site VPN: multiple sites can connect to other sites over the Internet • VPN transmissions achieved through communicating with endpoints • An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall
  • 18. PROTECTING DIRECTORY SERVICES • A directory service is a database stored on the network itself and contains all information about users and network devices • A directory service contains information such as the user’s name, telephone extension, e-mail address, and logon name • The International Standards Organization (ISO) created a standard for directory services known as X500 18
  • 19. PROTECTING DIRECTORY SERVICES • Purpose of X500 was to standardize how data was stored so any computer system could access these directories • Information is held in a directory information base (DIB) • Entries in the DIB are arranged in a directory information tree (DIT) 19
  • 20. PROTECTING DIRECTORY SERVICES • The X500 standard defines a protocol for a client application to access the X500 directory called the Directory Access Protocol (DAP) • The DAP is too large to run on a personal computer • The Lightweight Directory Access Protocol (LDAP), or X500 Lite, is a simpler subset of DAP 20
  • 21. SECURING DIGITAL CELLULAR TELEPHONY 21 • The early use of wireless cellular technology is known as First Generation (1G) • 1G is characterized by analog radio frequency (RF) signals transmitting at a top speed of 96 Kbps • 1G networks use circuit-switching technology • Digital cellular technology, which started in the early 1990s, uses digital instead of analog transmissions • Digital cellular uses packet switching instead of circuit-switching technology
  • 22. WIRELESS APPLICATION PROTOCOL (WAP) 22 • Provides standard way to transmit, format, and display Internet data for devices such as cell phones • A WAP cell phone runs a microbrowser that uses Wireless Markup Language (WML) instead of HTML • WML is designed to display text-based Web content on the small screen of a cell phone • Because the Internet standard is HTML, a WAP Gateway (or WAP Proxy) must translate between WML and HTML
  • 23. WIRELESS TRANSPORT LAYER SECURITY (WTLS) • Security layer of the WAP • Provides privacy, data integrity, and authentication for WAP services • Designed specifically for wireless cellular telephony • Based on the TLS security layer used on the Internet • Replaced by TLS in WAP 20 23
  • 24. HARDENING WIRELESS LOCAL AREA NETWORKS (WLAN) • Serious security vulnerabilities have also been created by wireless data technology: 24 • Unauthorized users can access the wireless signal from outside a building and connect to the network • Attackers can capture and view transmitted data • Employees in the office can install personal wireless equipment and defeat perimeter security measures • Attackers can crack wireless security with kiddie scripts
  • 25. IEEE 80211 STANDARDS • A WLAN shares same characteristics as a standard data-based LAN with the exception that network devices do not use cables to connect to the network • RF is used to send and receive packets • Sometimes called Wi-Fi for Wireless Fidelity, network devices can transmit 11 to 108 Mbps at a range of 150 to 375 feet • 80211a has a maximum rated speed of 54 Mbps and also supports 48, 36, 24, 18, 12, 9, and 6 Mbps transmissions at 5 GHz 25
  • 26. IEEE 80211 STANDARDS • In September 1999, a new 80211b High Rate was amended to the 80211 standard • 80211b added two higher speeds, 55 and 11 Mbps • With faster data rates, 80211b quickly became the standard for WLANs • At same time, the 80211a standard was released 26
  • 27. WLAN COMPONENTS • Each network device must have a wireless network interface card installed • Wireless NICs are available in a variety of formats: 27 • Type II PC card – Mini PCI • CompactFlash (CF) card – USB device • USB stick
  • 28. WLAN COMPONENTS • An access point (AP) consists of three major parts: 28 • An antenna and a radio transmitter/receiver to send and receive signals • An RJ-45 wired network interface that allows it to connect by cable to a standard wired network • Special bridging software
  • 29. BASIC WLAN SECURITY • Two areas: 29 • Basic WLAN security • Enterprise WLAN security • Basic WLAN security uses two new wireless tools and one tool from the wired world: • Service Set Identifier (SSID) beaconing • MAC address filtering • Wired Equivalent Privacy (WEP)
  • 30. SERVICE SET IDENTIFIER (SSID) BEACONING • A service set is a technical term used to describe a WLAN network • Three types of service sets: 30 • Independent Basic Service Set (IBSS) • Basic Service Set (BSS) • Extended Service Set (ESS) • Each WLAN is given a unique SSID
  • 31. MAC ADDRESS FILTERING 31 • Another way to harden a WLAN is to filter MAC addresses • The MAC address of approved wireless devices is entered on the AP • A MAC address can be spoofed • When wireless device and AP first exchange packets, the MAC address of the wireless device is sent in plaintext, allowing an attacker with a sniffer to see the MAC address of an approved device
  • 32. WIRED EQUIVALENT PRIVACY (WEP) • Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents • Uses shared keys―the same key for encryption and decryption must be installed on the AP, as well as each wireless device • A serious vulnerability in WEP is that the IV is not properly implemented • Every time a packet is encrypted it should be given a unique IV 32
  • 33. UNTRUSTED NETWORK • The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use • One approach to securing a WLAN is to treat it as an untrusted and unsecure network • Requires that the WLAN be placed outside the secure perimeter of the trusted network 33
  • 34. TRUSTED NETWORK • It is still possible to provide security for a WLAN and treat it as a trusted network • Wi-Fi Protected Access (WPA) was crafted by the WECA in 2002 as an interim solution until a permanent wireless security standard could be implemented • Has two components: 34 • WPA encryption • WPA access control
  • 35. TRUSTED NETWORK • WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP) • TKIP mixes keys on a per-packet basis to improve security • Although WPA provides enhanced security, the IEEE 80211i solution is even more secure • 80211i is expected to be released sometime in 2004 35
  • 36. SUMMARY 36 • The FTP protocol has several security vulnerabilities—it does not natively use encryption and is vulnerable to man-in-the-middle attacks • FTP can be hardened by using secure FTP (which encrypts using SSL) • Protecting remote access transmissions is particularly important in today’s environment as more users turn to the Internet as the infrastructure for accessing protected information
  • 37. SUMMARY 37 • Authenticating a transmission to ensure it came from the sender can provide increased security for remote access users • SSH is a UNIX-based command interface and protocol for securely accessing a remote computer • A directory service is a database stored on the network itself and contains all the information about users and network devices • Digital cellular telephony provides various features to operate on a wireless digital cellular device • WLANs have a dramatic impact on user access to data
  • 38. FOR ASSISTANCE OR ADDITIONAL INFORMATION • Phone: 216-664-1100 • Web: www.jurinnov.com • Email: Eric.Vanderburg@jurinnov.com JurInnov Ltd. The Idea Center 1375 Euclid Avenue, Suite 400 Cleveland, Ohio 44115