Upload: anis-atkins

Post on 27-Dec-2015

Page 1: Fundamentals of Network Security Preparation for Security+ Certification Essential for any Information Technology professional

Page 2:

Fundamentals of Network Security

Preparation for Security+ Certification

Essential for any Information Technology professional

Page 3:

CNIT 123: Ethical Hacking and Network Defense
– Has been taught since Spring 2007 (four times)
– Face-to-face and online sections available Fall 2008

CNIT 124: Advanced Ethical Hacking
– Taught for the first time in Spring 2008

Page 4:

Projects from recent research

Students get extra credit by attending conferences

Page 5:

CNIT 123 and 124 prepare students for CEH Certification

Page 6:

CISSP – the most respected certificate in information security

Page 7:

Analyze computers for evidence of crimes

Page 8:

Defend networks

Page 9:

Ch 1: Mastering the Basics of Security

CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Darril Gibson

Page 10:

Exploring Core Security Principles

Page 11:

The CIA of Security

Confidentiality

Integrity

Availability

Page 12:

Confidentiality

Prevents unauthorized disclosure of data

Ensures that data is only viewable by authorized users

Some methods
– Authentication combined with access controls
– Cryptography

Page 13:

Integrity

Assures that data has not been modified, tampered with, or corrupted

Only authorized users should modify data

Hashing assures integrity
– Hash types: MD5, SHA, HMAC
– If data changes, the hash value changes

Page 14:

Hash Value for Download
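The slide shows a published hash value next to a download. The Python below is an added example, not code from the slides or from Darril Gibson's book: it computes the digest of a constructed sample "file", compares it with the published value using a constant-time comparison, shows that flipping a single bit changes the digest, and adds an HMAC tag for the case where an attacker who can alter the file could also re-hash it. The file contents, the key and the resulting hash values are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a "download" and the hash its publisher lists.
PUBLISHED_FILE = b"installer-v1.0 contents (constructed sample, not a real file)\n"
PUBLISHED_SHA256 = hashlib.sha256(PUBLISHED_FILE).hexdigest()


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of `data` under the named hash (md5, sha1, sha256...).

    Feeding the hash in 64 KiB blocks keeps memory flat for large downloads.
    """
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), 65536):
        h.update(view[start:start + 65536])
    return h.hexdigest()


def verify_download(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: recompute the digest and compare it to the published value.

    hmac.compare_digest does not leak how many leading characters matched
    through timing; a good habit even where the hash itself is public.
    """
    return hmac.compare_digest(file_digest(data, algorithm), expected_hex.lower())


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data: an integrity tag only holders of `key` can
    recompute, so whoever modifies the file cannot simply re-hash it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_tag(data: bytes, key: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), tag_hex)


def tampered_copy(data: bytes) -> bytes:
    """Flip one bit of the first byte: the smallest possible 'data changed' case."""
    return bytes([data[0] ^ 0x01]) + data[1:]


if __name__ == "__main__":
    print("intact   :", verify_download(PUBLISHED_FILE, PUBLISHED_SHA256))
    print("tampered :", verify_download(tampered_copy(PUBLISHED_FILE), PUBLISHED_SHA256))
    key = b"constructed-demo-key"
    tag = keyed_tag(PUBLISHED_FILE, key)
    print("hmac ok  :", verify_keyed_tag(PUBLISHED_FILE, key, tag))
    print("hmac bad :", verify_keyed_tag(tampered_copy(PUBLISHED_FILE), key, tag))
```

The plain hash only proves the download matches what the publisher listed; if the listed hash and the file come from the same compromised server, both can be replaced together. The HMAC variant closes that gap only for parties that share the key, which is why HMAC appears on the slide alongside MD5 and SHA.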

Page 15:

Availability

Data and services are available when needed

Techniques:
– Disk redundancies (RAID)
– Server redundancies (clusters)
– Site redundancies
– Backups
– Alternate power
– Cooling systems

Page 16:

Balancing CIA

You can never have perfect security

Increasing one item lowers others

Increasing confidentiality generally lowers availability
– Example: long, complex passwords that are easily forgotten

Page 17:

Non-Repudiation

Prevents entities from denying that they took an action

Examples: signing a home loan, making a credit card purchase

Techniques
– Digital signatures
– Audit logs

Page 18:

Defense in Depth

Layers of protection

Example
– Firewall
– Antivirus
– Deep Freeze

Page 19:

Implicit Deny

Anything not explicitly allowed is denied

Common Access Control Lists for
– Firewalls
– Routers
– Microsoft file and folder permissions
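To make the implicit-deny rule concrete, here is an added Python example (not from the slides or the course) of a small firewall- or router-style access control list evaluated top-down. The list contains only the rules an administrator wrote; traffic that matches none of them is denied without any explicit deny-all entry. The addresses, ports and policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One access-control entry, evaluated in order like a firewall or router ACL."""
    action: str                  # "allow" or "deny"
    src: IPv4Network             # source prefix the rule matches
    proto: str                   # "tcp", "udp", or "any"
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, src_ip: IPv4Address, proto: str, dport: int) -> bool:
        return (src_ip in self.src
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(acl: List[Rule], src: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule.

    Implicit deny: if no rule matches, the answer is "deny" even though the
    list contains no explicit deny-all entry. Anything not explicitly allowed
    is denied.
    """
    src_ip = ip_address(src)
    for rule in acl:
        if rule.matches(src_ip, proto, dport):
            return rule.action
    return "deny"  # the implicit deny at the end of every ACL


def explain(acl: List[Rule], src: str, proto: str, dport: int) -> str:
    """Human-readable trace of which rule (or the implicit deny) decided."""
    src_ip = ip_address(src)
    for i, rule in enumerate(acl, 1):
        if rule.matches(src_ip, proto, dport):
            return f"rule {i} -> {rule.action}"
    return "no rule matched -> implicit deny"


# Constructed sample policy: an internal LAN may reach HTTPS, HTTP and DNS;
# one host is explicitly blocked from SSH; everything else is simply unlisted.
SAMPLE_ACL = [
    Rule("deny",  ip_network("10.0.0.99/32"), "tcp", 22),
    Rule("allow", ip_network("10.0.0.0/24"),  "tcp", 443),
    Rule("allow", ip_network("10.0.0.0/24"),  "tcp", 80),
    Rule("allow", ip_network("10.0.0.0/24"),  "udp", 53),
]


if __name__ == "__main__":
    for args in [("10.0.0.5", "tcp", 443), ("10.0.0.5", "tcp", 22),
                 ("10.0.0.99", "tcp", 22), ("192.168.1.7", "udp", 53)]:
        print(args, explain(SAMPLE_ACL, *args))
```

Note that SSH from 10.0.0.5 is refused even though no rule mentions it: the only rule about port 22 is the explicit deny for 10.0.0.99, and the absence of an allow is enough. Microsoft file and folder permissions behave the same way; a user with no applicable allow entry gets no access.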

Page 20:

Introducing Basic Risk Concepts

Page 21:

Risk

Risk
– The likelihood of a threat exploiting a vulnerability, resulting in a loss

Threat
– Circumstance or event that has the potential to compromise confidentiality, integrity, or availability
– Insider threat

Vulnerability
– A weakness

Page 22:

Risk Mitigation

Reduces chance that a threat will exploit a vulnerability

Done by implementing controls (also called countermeasures and safeguards)

Even if a threat can't be prevented, like a tornado
– Risk can still be reduced with controls, like insurance, evacuation plans, etc.

Page 23:

Controls

Access controls
– After authentication, only authorized users can perform critical tasks

Business continuity and disaster recovery plans
– Reduce the impact of disasters

Antivirus software
– Reduces the impact of malware

Page 24:

Exploring Authentication Concepts

Page 25:

Identification, Authentication, and Authorization

Identification
– State your name (without proving it)

Authentication
– Proves your identity (with a password, fingerprint, etc.)

Authorization
– Grants access to resources based on the user's proven identity

Page 26:

Identity Proofing

Verifying that people are who they claim to be prior to issuing them credentials
– Or when replacing lost credentials

Page 27:

Sarah Palin's Email

Link Ch 1a

Page 28:

Three Factors of Authentication

Something you know
– Such as a password
– Weakest factor, but most common

Something you have
– Such as a smart card

Something you are
– Such as a fingerprint

Page 29:

Password Rules

Passwords should be strong
– At least 8 characters, with three of: uppercase, lowercase, numbers, and symbols

Change passwords regularly

Don't reuse passwords

Change default passwords

Don't write down passwords

Don't share passwords

Account lockout policies
– Block access after too many incorrect passwords are entered

Page 30:

Password history
– Remembers previous passwords so users cannot re-use them

Account Lockout Policies
– Account lockout threshold: the maximum number of times a wrong password can be entered (typically 5)
– Account lockout duration: how long an account is locked (typically 30 min.)
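The two slides above describe a policy; the Python below is an added example (not from the slides or the book) that enforces it: the complexity rule (8+ characters, three of the four character classes), a password history, a lockout threshold of 5 and a lockout duration of 30 minutes. The history depth of five remembered passwords is an assumption, as is the account name; the demo uses a fixed clock so its output is repeatable.

```python
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Policy values from the slides: 8+ chars with three of four classes,
# lockout threshold 5, lockout duration 30 minutes. History depth is assumed.
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = 30 * 60      # seconds
HISTORY_DEPTH = 5               # assumption, not from the slides


def password_problems(pw: str) -> List[str]:
    """Return the rules the password violates (an empty list means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.isupper() for c in pw),
                   any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append("fewer than three of: uppercase, lowercase, digits, symbols")
    return problems


@dataclass
class Account:
    name: str
    password: str
    history: List[str] = field(default_factory=list)   # previously used passwords
    failures: int = 0
    locked_until: Optional[float] = None

    def change_password(self, new_pw: str) -> bool:
        """Apply the complexity rules and the history check before accepting."""
        if password_problems(new_pw):
            return False
        if new_pw == self.password or new_pw in self.history:
            return False          # password history: remembered passwords are refused
        self.history = ([self.password] + self.history)[:HISTORY_DEPTH]
        self.password = new_pw
        return True

    def login(self, attempt: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'bad-password' or 'locked'."""
        now = time.time() if now is None else now
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"                       # lockout duration not over yet
            self.locked_until, self.failures = None, 0  # lockout expired
        if attempt == self.password:   # a real system compares password hashes
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:        # threshold reached: lock
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad-password"


def lockout_demo() -> List[str]:
    """Five wrong guesses lock the account; even the right password is refused
    until 30 minutes have passed. A fixed clock keeps the run deterministic."""
    acct = Account("alice", "Correct-Horse9")
    t0 = 1_000_000.0
    results = [acct.login("wrong", t0 + i) for i in range(5)]
    results.append(acct.login("Correct-Horse9", t0 + 60))                   # still locked
    results.append(acct.login("Correct-Horse9", t0 + LOCKOUT_DURATION + 10))  # unlocked
    return results


if __name__ == "__main__":
    print(lockout_demo())
```

The lockout is itself an availability trade-off of the kind the "Balancing CIA" slide describes: it stops password guessing, but anyone who can send five bad passwords can lock a user out for 30 minutes, so the threshold and duration are policy choices rather than fixed truths.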

Page 31:

Previous Logon Notification

Gmail has it, at the bottom of the screen

Page 32:

Something You Have

Smart Card
– Contains a certificate
– Read by a card reader
– Image from made-in-china.com/

Token or Key Fob
– Image from tokenguard.com

Page 33:

Smart Cards

Embedded certificate

Public Key Infrastructure
– Allows issuance and management of certificates

CAC (Common Access Card)
– Used by US Department of Defense

PIV (Personal Identity Verification) card
– Used by US federal agencies

Page 34:

Something You Are (Biometrics)

Physical biometrics
– Fingerprint (image from amazon.com)
– Retinal scanners
– Iris scanners

Behavioral biometrics
– Voice recognition
– Signature geometry
– Keystrokes on a keyboard

Page 35:

False Acceptance and False Rejection

False Acceptance Rate
– Incorrectly identifying an unauthorized user as authorized

False Rejection Rate
– Incorrectly rejecting an authorized user
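The two rates on this slide depend on where the matcher's acceptance threshold is set. The Python below is an added example (not from the slides or the book) that computes FAR and FRR from a constructed set of match scores and sweeps the threshold to find where the two rates cross, the crossover error rate (CER) that vendors quote to compare systems. The scores are invented for the example and do not come from any real device.

```python
from typing import Dict, List

# Constructed matcher scores (higher = more similar), not measurements from
# any real device. "genuine" = an enrolled user against their own template,
# "impostor" = a different person against that template.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.75, 0.72, 0.66, 0.61, 0.58, 0.52]
IMPOSTOR_SCORES = [0.12, 0.18, 0.25, 0.31, 0.37, 0.44, 0.49, 0.55, 0.60, 0.68]


def rates(genuine: List[float], impostor: List[float], threshold: float) -> Dict[str, float]:
    """A comparison is accepted when score >= threshold.
    FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return {"threshold": threshold, "FAR": far, "FRR": frr}


def crossover(genuine: List[float], impostor: List[float], steps: int = 100) -> Dict[str, float]:
    """Sweep thresholds from 0 to 1 and return the first one where FAR and FRR
    are closest: the crossover error rate (CER). Lower CER = better matcher."""
    best = None
    for i in range(steps + 1):
        r = rates(genuine, impostor, i / steps)
        if best is None or abs(r["FAR"] - r["FRR"]) < abs(best["FAR"] - best["FRR"]):
            best = r
    return best


if __name__ == "__main__":
    for th in (0.5, 0.6, 0.7):
        print(rates(GENUINE_SCORES, IMPOSTOR_SCORES, th))
    print("CER:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold lowers the false acceptance rate and raises the false rejection rate; a door to a data centre is tuned toward low FAR, a phone unlock toward low FRR. The CER is the single number that lets two devices be compared independently of where each is tuned.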

Page 36:

Multifactor Authentication

More than one of
– Something you know
– Something you have
– Something you are

Two similar factors are not two-factor authentication
– Such as password and PIN

Page 37:

Exploring Authentication Services

Page 38:

Authentication Services

Kerberos
– Used in Windows Active Directory domains
– Used in UNIX realms
– Developed at MIT
– Prevents man-in-the-middle attacks and replay attacks

Page 39:

Kerberos Requirements

A method of issuing tickets used for authentication
– Key Distribution Center (KDC) grants ticket-granting tickets, which are presented to request tickets used to access objects

Time synchronization within five minutes

A database of subjects or users
– Microsoft's Active Directory

Page 40:

Kerberos Details

When a user logs on
– The KDC issues a ticket-granting ticket with a lifetime of ten hours

Kerberos uses port 88 (TCP & UDP)

Kerberos uses symmetric cryptography
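The three Kerberos slides above (tickets from a KDC, five-minute time synchronization, ten-hour TGT lifetime, symmetric cryptography) fit together in the following Python model, an added example that is not code from the slides, the book or MIT Kerberos. It replaces real symmetric encryption with an HMAC seal (integrity only, no secrecy), skips the encryption of the TGS reply, and uses made-up principal names and keys; what it keeps is the shape of the exchange and the checks that defeat replay: a per-session key, a timestamped authenticator, the skew limit and a replay cache.

```python
import hashlib
import hmac
import json
import secrets
from typing import List, Set, Tuple

SKEW = 5 * 60              # clock-skew tolerance from the slides: five minutes
TGT_LIFETIME = 10 * 3600   # TGT lifetime from the slides: ten hours

# Constructed long-term symmetric keys held by the KDC (real deployments derive
# user keys from passwords and service keys from keytabs). Names are made up.
KEYS = {"alice": b"alice-long-term-key", "krbtgt": b"kdc-key", "fileserver": b"fs-key"}


def seal(obj: dict, key: bytes) -> str:
    """Stand-in for Kerberos symmetric encryption: JSON plus an HMAC-SHA256 tag.
    It gives integrity and authenticity only (no secrecy), which is all the
    checks below need; real Kerberos also hides the ticket contents."""
    body = json.dumps(obj, sort_keys=True)
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def unseal(blob: str, key: bytes) -> dict:
    body, tag = blob.rsplit("|", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("forged or sealed under a different key")
    return json.loads(body)


def kdc_login(user: str, now: float) -> str:
    """AS exchange at logon: the KDC issues a ticket-granting ticket (TGT)
    sealed under its own krbtgt key, valid for ten hours."""
    return seal({"client": user, "service": "krbtgt",
                 "expires": now + TGT_LIFETIME}, KEYS["krbtgt"])


def kdc_service_ticket(tgt: str, service: str, now: float) -> Tuple[str, bytes]:
    """TGS exchange: the client presents its TGT and receives a ticket for
    `service` plus a fresh session key shared between client and service.
    (Real Kerberos returns the session key encrypted; that step is skipped.)"""
    t = unseal(tgt, KEYS["krbtgt"])
    if now > t["expires"]:
        raise ValueError("TGT expired; the user must log on again")
    session_key = secrets.token_hex(16)
    ticket = seal({"client": t["client"], "service": service,
                   "session_key": session_key,
                   "expires": min(now + TGT_LIFETIME, t["expires"])}, KEYS[service])
    return ticket, bytes.fromhex(session_key)


def client_authenticator(user: str, session_key: bytes, now: float) -> str:
    """Freshness proof the client sends alongside the ticket."""
    return seal({"client": user, "timestamp": now}, session_key)


class Service:
    """A kerberized service: checks the ticket, the clock and a replay cache."""

    def __init__(self, name: str):
        self.name = name
        self.seen: Set[Tuple[str, float]] = set()   # (client, timestamp) already used

    def accept(self, ticket: str, authenticator: str, now: float) -> str:
        try:
            t = unseal(ticket, KEYS[self.name])      # only this service can open it
        except ValueError:
            return "reject: ticket not sealed with this service's key"
        if t["service"] != self.name:
            return "reject: ticket is for another service"
        if now > t["expires"]:
            return "reject: ticket expired"
        try:
            a = unseal(authenticator, bytes.fromhex(t["session_key"]))
        except ValueError:
            return "reject: authenticator not sealed with the session key"
        if a["client"] != t["client"]:
            return "reject: authenticator does not match ticket"
        if abs(now - a["timestamp"]) > SKEW:
            return "reject: clock skew over five minutes"
        if (a["client"], a["timestamp"]) in self.seen:
            return "reject: replayed authenticator"
        self.seen.add((a["client"], a["timestamp"]))
        return "accept: " + t["client"]


def scenario() -> List[str]:
    """Fixed clock so the run is deterministic: one good access, one replay,
    one stale authenticator, one use after the ten-hour lifetime."""
    t0 = 1_700_000_000.0
    fs = Service("fileserver")
    tgt = kdc_login("alice", t0)
    ticket, sk = kdc_service_ticket(tgt, "fileserver", t0 + 60)
    fresh = client_authenticator("alice", sk, t0 + 61)
    stale = client_authenticator("alice", sk, t0 + 100)
    late = client_authenticator("alice", sk, t0 + 11 * 3600)
    return [fs.accept(ticket, fresh, t0 + 61),
            fs.accept(ticket, fresh, t0 + 62),              # same authenticator again
            fs.accept(ticket, stale, t0 + 100 + 6 * 60),    # presented six minutes late
            fs.accept(ticket, late, t0 + 11 * 3600)]        # ticket expired


if __name__ == "__main__":
    print("\n".join(scenario()))
```

The five-minute requirement is not cosmetic: the replay cache only has to remember authenticators from the last five minutes because anything older is rejected on skew, and a client whose clock drifts past that window is refused even with a valid ticket. All the keys in the model are symmetric, matching the last bullet on the slide.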

Page 41:

LDAP (Lightweight Directory Access Protocol)

Formats and methods to query directories

Used by Active Directory

An extension of the X.500 standard

LDAP v2 can use SSL encryption

LDAP v3 can use TLS encryption

LDAP uses ports 389 (unencrypted) or 636 (encrypted) (TCP and UDP)

Page 42:

Mutual Authentication

Both entities in a session authenticate prior to exchanging data
– For example, both the client and the server

MS-CHAPv2 uses mutual authentication

Page 43:

Single Sign-On

Users can access multiple systems after providing credentials only once

Federated Identity Management System
– Provides central authentication in nonhomogeneous environments

Page 44:

IEEE 802.1x

Port-based authentication
– User connects to a specific access point or logical port

Secures authentication prior to the client gaining access to a network

Most common on wireless networks
– WPA Enterprise or WPA2 Enterprise

Requires a RADIUS (Remote Authentication Dial-in User Service) or other centralized identification server

Page 45:

Remote Access Authentication

Page 46:

Remote Access

Clients connect through VPN (Virtual Private Network) or dial-up

A VPN allows a client to access a private network over a public network, usually the Internet

Page 47:

Remote Access Authentication Methods

PAP (Password Authentication Protocol)
– Passwords sent in cleartext, rarely used

CHAP (Challenge Handshake Authentication Protocol)
– Server challenges the client
– Client responds with appropriate authentication information

MS-CHAP
– Microsoft's implementation of CHAP
– Deprecated
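The difference between PAP and CHAP on the slide is what crosses the wire. The Python below is an added example, not from the slides or the book, that implements the CHAP response as defined in RFC 1994 (MD5 over the identifier, the shared secret and the challenge) with both the server and client sides, and shows beside it what PAP would have sent. The user name and secret are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed credential store. CHAP requires the server to hold the secret
# itself rather than a hash of it, one of the protocol's known drawbacks.
SECRETS: Dict[str, bytes] = {"alice": b"constructed-shared-secret"}


def pap_wire(user: str, password: bytes) -> bytes:
    """PAP: the authenticate-request carries the password itself, so anyone
    on the path can read it."""
    return b"PAP " + user.encode() + b":" + password


def chap_challenge() -> Tuple[int, bytes]:
    """Server side: a one-byte Identifier plus a fresh random Challenge value."""
    return secrets.randbelow(256), secrets.token_bytes(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side, per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response with the stored secret and compare."""
    secret = SECRETS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_exchange(user: str, client_secret: bytes) -> Dict[str, object]:
    """Run one challenge/response round and report what crossed the wire."""
    ident, chal = chap_challenge()                       # server -> client
    resp = chap_response(ident, client_secret, chal)     # client -> server
    return {"identifier": ident, "challenge": chal, "response": resp,
            "accepted": chap_verify(user, ident, chal, resp),
            "secret_on_wire": client_secret in (chal + resp)}


if __name__ == "__main__":
    print("PAP  :", pap_wire("alice", SECRETS["alice"]))
    print("CHAP :", chap_exchange("alice", SECRETS["alice"]))
```

Because the challenge is random and the response is a hash over it, a captured response is useless against the next challenge, which is what "server challenges the client" buys over PAP. CHAP is still one-way (the client proves itself to the server, not the reverse), which is the gap the mutual-authentication slide and MS-CHAPv2 address, and it needs the cleartext secret on the server.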

Page 48:

Page 49:

Remote Access Authentication Methods

MS-CHAPv2
– More secure than MS-CHAP
– Seriously broken by Moxie Marlinspike at Defcon 2012 (Link Ch 1c)
– He recommends using certificate authentication instead

Page 50:

Remote Access Authentication Methods

RADIUS (Remote Authentication Dial-in User Service)
– Central authentication for multiple remote access servers
– Encrypts passwords, but not the entire authentication process
– Uses UDP
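"Encrypts passwords, but not the entire authentication process" is visible in the packet itself. The Python below is an added example (not from the slides, the book or any RADIUS implementation) of the User-Password hiding defined in RFC 2865 section 5.2 and of a minimal Access-Request built around it: the User-Name attribute travels in the clear while the User-Password attribute is XORed with an MD5 stream keyed by the shared secret. The user name, password and shared secret are constructed placeholders.

```python
import hashlib
import secrets
from typing import List

# All values here are constructed for the example; the shared secret is a
# placeholder and "alice"/"hunter2" are not real credentials.
SHARED_SECRET = b"constructed-radius-shared-secret"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is null-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous block), where the first 'previous block' is the
    16-byte Request Authenticator. Only the shared secret is secret: the
    authenticator itself travels in the clear in the packet header."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the same key stream, applied in reverse; padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request(identifier: int, user_name: bytes, password: bytes,
                   secret: bytes, request_authenticator: bytes) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and
    User-Password (type 2); 20-byte header, then the attributes."""
    attrs = (attribute(1, user_name)
             + attribute(2, hide_password(password, secret, request_authenticator)))
    length = 20 + len(attrs)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + request_authenticator + attrs


def wire_view(packet: bytes, password: bytes) -> List[str]:
    """What a passive observer of the UDP datagram can read directly."""
    code, identifier = packet[0], packet[1]
    findings = [f"code={code} id={identifier} length={int.from_bytes(packet[2:4], 'big')}"]
    pos = 20
    while pos < len(packet):
        t, ln = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + ln]
        findings.append(f"attr {t}: {value!r}" if t == 1 else f"attr {t}: {len(value)} hidden bytes")
        pos += ln
    findings.append("password visible: " + str(password in packet))
    return findings


if __name__ == "__main__":
    ra = secrets.token_bytes(16)   # the access server picks a fresh authenticator
    pkt = access_request(7, b"alice", b"hunter2", SHARED_SECRET, ra)
    print("\n".join(wire_view(pkt, b"hunter2")))
```

Everything except the password block is readable, and the password's protection rests entirely on the shared secret and on the access server choosing a fresh Request Authenticator per packet; that is the contrast with TACACS+ on the next slides, which encrypts the whole body.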

Page 51:

Page 52:

Remote Access Authentication Methods

TACACS (Terminal Access Controller Access-Control System)
– Was used in UNIX systems, rare today

TACACS+
– Cisco proprietary alternative to RADIUS
– Interacts with Kerberos
– Encrypts the entire authentication process
– Uses TCP
– Uses multiple challenges and responses during a session

Page 53:

AAA Protocols: Authentication, Authorization, and Accounting

Authentication
– Verifies a user's identification

Authorization
– Determines if a user should have access

Accounting
– Tracks user access with logs

Page 54:

AAA Protocols: Authentication, Authorization, and Accounting

RADIUS and TACACS+ are both AAA protocols

Kerberos doesn't provide accounting, but is sometimes called an AAA protocol