Security + Certification - Chapter 4: Remote Access - Athena

The number of users needing access to networks from remote locations is increasing, along with the associated security issues. The need to identify who is trying to access a specific port on a network led to the development of the IEEE 802.1X standard. 802.1X defines port-based access control for ports that give access to a LAN environment and uses the EAP over LAN (EAPOL) encapsulation method; the PPP Extensible Authentication Protocol (EAP) is a general protocol for PPP authentication that supports multiple authentication mechanisms.

PDF, 54 pages | Shared by: candy98 | Views: 528 | Downloads: 0
Chapter 4: Remote Access - ATHENA

Objectives in this chapter
- Understand the implications of IEEE 802.1X and how it is used
- Understand VPN technology and its uses for securing remote access to networks
- Understand how RADIUS authentication works
- Understand how TACACS+ operates
- Understand how PPTP and L2TP work and when they are used
- Understand how SSH operates and when it is used
- Understand how IPSec works and when it is used
- Understand the vulnerabilities associated with telecommuting

IEEE 802.1X
- The number of users needing access to networks from remote locations is increasing, along with the associated security issues.
- The need to identify who is trying to access a specific port on a network led to the development of the 802.1X standard.
- 802.1X is an IEEE standard created to perform authentication for devices attaching to a LAN port (wired switch ports and wireless access points).
- 802.1X specifies the protocol used between the device accessing the LAN and the port it attaches to, as well as the requirements for the exchange between the authenticator and the authentication server.
- Defines port-based access control: until the supplicant has authenticated, the port passes only EAPOL traffic; after a successful authentication the port is opened (and a VLAN or access policy may be applied to it).
- Uses the EAP over LAN (EAPOL) encapsulation method to carry EAP between supplicant and authenticator; the authenticator relays the EAP messages to the authentication server, normally inside RADIUS.
- The PPP Extensible Authentication Protocol (EAP) is a general protocol for PPP authentication that supports multiple authentication mechanisms.

802.1X Terminology
- Authenticator: the entity that requires the entity on the other end of the link to be authenticated (typically the switch or access point).
- Supplicant: the entity being authenticated by the authenticator and desiring access to the services of the authenticator (the client device).
- Port Access Entity (PAE): the protocol entity associated with a port. May support the functionality of authenticator, supplicant or both.
- Authentication Server: an entity providing authentication service to the authenticator (typically a RADIUS server).
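The EAPOL exchange described above (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Success), as an added example that is not part of the original slides. It builds the frames from the IEEE 802.1X and RFC 3748 header layouts and parses them back; the MAC addresses and the identity "alice" are constructed, not captured traffic. The last function shows what a sniffer on the same segment learns before any encryption is negotiated: the identity goes over the wire in the clear.

```python
"""Minimal EAPOL / EAP frame builder and parser (IEEE 802.1X, RFC 3748 header formats).
Added example; sample frames are constructed, not captured."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # destination of EAPOL-Start on wired LANs

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """Ethernet header + EAPOL header (version, packet type, body length) + body."""
    return dst + src + struct.pack("!H", EAPOL_ETHERTYPE) + struct.pack("!BBH", version, eapol_type, len(body)) + body


def build_eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length, then (Request/Response only) type octet + data."""
    type_field = b"" if eap_type is None else bytes([eap_type])
    return struct.pack("!BBH", code, ident, 4 + len(type_field) + len(data)) + type_field + data


def parse_eap(body: bytes) -> dict:
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a type octet; Success/Failure do not
        if length < 5:
            raise ValueError("Request/Response without type octet")
        eap["type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    if len(frame) < 18:
        raise ValueError("truncated frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    info = {"dst": mac(dst), "src": mac(src), "version": version,
            "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0:
        info["eap"] = parse_eap(body)
    return info


# Constructed exchange: supplicant 00:11:22:33:44:55 on a port of authenticator 00:aa:bb:cc:dd:ee.
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("00aabbccddee")
EXCHANGE = [
    build_eapol(PAE_GROUP_ADDR, SUPPLICANT, 1),                               # EAPOL-Start
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(1, 1, 1)),            # EAP-Request/Identity
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(2, 1, 1, b"alice")),  # EAP-Response/Identity
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(3, 2)),               # EAP-Success (after the RADIUS round trip)
]


def identities_seen(frames) -> list:
    """EAP-Response/Identity is sent before any key material exists, so a sniffer on the segment sees it."""
    found = []
    for f in frames:
        eap = parse_eapol(f).get("eap")
        if eap and eap["code"] == "Response" and eap.get("type") == "Identity":
            found.append(eap["data"].decode("ascii", "replace"))
    return found


if __name__ == "__main__":
    for f in EXCHANGE:
        print(parse_eapol(f))
    print("identities on the wire:", identities_seen(EXCHANGE))
```

Because the outer identity is visible, tunnelled EAP methods such as PEAP and EAP-TLS are usually configured with an anonymous outer identity and the real user name sent only inside the TLS tunnel.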
802.1X General Topology (diagram slide)

Telnet
- Standard terminal emulation protocol within the TCP/IP protocol suite, defined by RFC 854
- Uses TCP port 23 to communicate
- Allows users to log on to remote hosts and use resources as if locally connected
- Username and password are sent in cleartext from the client to the Telnet server, so anyone on the path can sniff them; the rest of the session (configuration commands and any passwords typed into them) is equally visible.
- Telnet is one of the ways routers and switches can be managed remotely.

Controlling Telnet Access to Routers and Switches
- Assign an enable password as the initial line of defense (on Cisco IOS prefer the hashed enable secret over the reversibly encoded enable password)
- Use access lists that define who has access to what resources based on specific IP addresses
- Use a firewall that can filter traffic based on ports, IP addresses, etc.
- Where the device supports it, disable Telnet altogether and manage it over SSH, which protects the credentials and the session

Virtual Private Network
- A virtual private network (VPN) is an encrypted connection carried across a shared public network in a manner that makes it appear to be a dedicated and secure link between two cooperating nodes.
- Secures the connection between the user and the home office using authentication mechanisms and encryption techniques
  - Encrypts data in both directions
- Three technologies are in use:
  - IPSec
  - PPTP
  - SSL (the newest of the three)

VPN Diagram (diagram slide)

Tunneling
- Enables one network to send its data via another network's connections
- Encapsulates a network protocol within packets carried by the second network
- The ISP acts as a transporter of the encrypted, encapsulated data stream.
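The Telnet section above says the username and password can be sniffed. This added example, not part of the original slides, shows what that takes: one direction of a captured Telnet stream is mostly keystrokes, interleaved with RFC 854 option negotiation (IAC commands) that must be stripped before the text is readable. The two streams below are constructed to look like a router login (Cisco-style "Username:" and "Password:" prompts); the credentials and device name are made up.

```python
"""Recover Telnet login credentials from captured byte streams after stripping RFC 854 option
negotiation. Added example; the two streams are constructed, not a real capture."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}


def strip_negotiation(stream: bytes):
    """Split one direction of a Telnet stream into (application data, list of negotiation commands)."""
    data, commands, i = bytearray(), [], 0
    while i < len(stream):
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
        elif i + 1 >= len(stream):
            break                                   # IAC at the very end: truncated capture
        elif stream[i + 1] == IAC:                  # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif stream[i + 1] in CMD_NAMES:            # three-byte option commands
            if i + 2 >= len(stream):
                break
            opt = stream[i + 2]
            commands.append(f"{CMD_NAMES[stream[i + 1]]} {OPTION_NAMES.get(opt, opt)}")
            i += 3
        elif stream[i + 1] == SB:                   # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            commands.append(f"SB {OPTION_NAMES.get(stream[i + 2], stream[i + 2])} {stream[i + 3:end].hex()}")
            i = end + 2
        else:                                       # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(data), commands


def lines(data: bytes):
    """Telnet end-of-line is CR LF; a bare CR is sent as CR NUL. Normalise both before splitting."""
    return data.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n").split(b"\n")


def extract_credentials(client_to_server: bytes, server_to_client: bytes):
    """Pair the first two lines the client typed with the server's login and password prompts."""
    server_text, _ = strip_negotiation(server_to_client)
    client_text, _ = strip_negotiation(client_to_server)
    low = server_text.lower()
    if b"login:" not in low and b"username:" not in low:
        return None                                 # no login prompt seen: nothing to pair
    typed = [line for line in lines(client_text) if line]
    if len(typed) < 2:
        return None
    return {"username": typed[0].decode("ascii", "replace"),
            "password": typed[1].decode("ascii", "replace")}


# Constructed capture of a router login: option negotiation first, then prompts and keystrokes.
CLIENT_TO_SERVER = (
    bytes([IAC, WILL, 24, IAC, DO, 1, IAC, DO, 3])              # offer TERMINAL-TYPE, accept ECHO / SGA
    + bytes([IAC, SB, 24, 0]) + b"XTERM" + bytes([IAC, SE])     # terminal-type subnegotiation
    + b"alice\r\n" + b"s3cret!\r\n" + b"show running-config\r\n"
)
SERVER_TO_CLIENT = (
    bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3])
    + b"\r\nUser Access Verification\r\n\r\nUsername: " + b"alice\r\n"   # server echoes the username
    + b"Password: " + b"\r\nrouter1#"                                     # password is not echoed
)

if __name__ == "__main__":
    print(extract_credentials(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
    print(strip_negotiation(CLIENT_TO_SERVER)[1])
```

On a real capture the two directions come from the TCP stream reassembly of a sniffer; the point is that no cryptanalysis is involved, only parsing.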
Tunneling (diagram slide)

Tunneling
- Tunneling requires three different protocols:
  - Carrier protocol: the protocol used by the network the information travels over (IP on the Internet)
  - Encapsulating protocol: the protocol (PPTP, L2TP, IPSec, Secure Shell [SSH]) wrapped around the original data
  - Passenger protocol: the original data being carried

VPN Options
- Install and configure the client computer to initiate the necessary security communications all the way to your network
- Outsource the VPN to a service provider
  - Encryption does not happen until the data reaches the provider's network, so the access link between the client and the provider is not protected

Site-to-Site VPN (diagram slide)
Remote Access VPN (diagram slide)
Service Provider Tunneling (diagram slide)

Remote Authentication Dial-In User Service (RADIUS)
- Provides a client/server security system
- Uses distributed security to authenticate users on a network
- Includes two pieces
  - Authentication server
  - Client protocols (the RADIUS client is the network access server, for example a VPN concentrator, switch or access point; the end user never speaks RADIUS directly)
- Authenticates users through a series of communications between client and server using UDP (port 1812 for authentication and 1813 for accounting; older deployments use 1645 and 1646)
- RADIUS is the most popular of all the authentication, authorization and accounting (AAA) servers.
- A remote access server (RAS) must be able to authenticate a user, authorize the authenticated user to perform specified functions, and log (account for) the actions of the user for the duration of the connection.
- One of the reasons RADIUS is so popular is that it supports a number of protocols, including:
  - Point-to-Point Protocol (PPP)
  - Password Authentication Protocol (PAP)
  - Challenge Handshake Authentication Protocol (CHAP)
  - Extensible Authentication Protocol (EAP), which is how 802.1X authenticators reach the server

Authenticating with a RADIUS Server (diagram slide)

Vulnerabilities of RADIUS
- Certain "flavors" of RADIUS servers and Web servers can be compromised by buffer overflow attacks. A buffer overflow occurs when a buffer is filled with more data than it can hold; the excess spills into adjacent memory, which an attacker may be able to control.
- RADIUS also stands or falls with the shared secret: the User-Password hiding and the Response Authenticator are MD5 constructions keyed with it, so a guessable secret can be recovered offline from a captured exchange, and a secret reused across many devices gives every one of them the ability to forge answers for the others. Use long random secrets, one per client.
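The RADIUS authentication exchange above, worked through in code as an added example that is not part of the original slides: the network access server builds an Access-Request with the password hidden as RFC 2865 prescribes, the server recovers and checks it, and the client accepts the Access-Accept only if the Response Authenticator matches. The shared secret, user database, NAS address and packet identifier are constructed; the round trip runs in-process rather than over a socket so it can be executed offline.

```python
"""RADIUS Access-Request / Access-Accept round trip built and verified per RFC 2865 with the standard
library only. Added example; the shared secret, user database, addresses and identifiers are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5   # attribute types
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets, so values are limited to 253 bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + length]))
        i += length
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then XOR each block with MD5(secret || previous
    block); for the first block the 'previous block' is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, nas_port, request_auth):
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret, users):
    """Server side: recover the password, check it in constant time, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:length]))
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    stored = users.get(attrs[USER_NAME])
    ok = stored is not None and hmac.compare_digest(stored, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def client_verify(response, request_auth, secret):
    """NAS side: accept the answer only if its Response Authenticator matches our request and secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code


SECRET = b"example-shared-secret"      # constructed; use a long random secret per NAS in practice
USERS = {b"alice": b"correct horse"}   # constructed user database


def authenticate(username: bytes, password: bytes, secret=SECRET, users=USERS) -> int:
    """Whole round trip in-process (no sockets): NAS -> server -> NAS. Returns the RADIUS code."""
    request_auth = os.urandom(16)       # must be unpredictable: it keys the password hiding
    request = build_access_request(7, secret, username, password, "192.0.2.10", 3, request_auth)
    response = server_handle(request, secret, users)
    return client_verify(response, request_auth, secret)


if __name__ == "__main__":
    print(CODE_NAMES[authenticate(b"alice", b"correct horse")])
    print(CODE_NAMES[authenticate(b"alice", b"wrong")])
```

Note what the verification does and does not give you: a forged Access-Accept from someone without the secret is rejected, but everything hangs on MD5 keyed by that one secret, which is why the secret must be strong and why RADIUS over an untrusted network is normally wrapped in IPSec or TLS.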
Terminal Access Controller Access Control System (TACACS+)
- Authentication protocol developed by Cisco
- Uses TCP (port 49), a connection-oriented transport, instead of UDP
- Offers a separate acknowledgement that the request has been received, regardless of the speed of the authentication mechanism
- Provides an immediate indication of a crashed server (the TCP connection fails)

TACACS
- TACACS is also used for authenticating remote users.
- TACACS has gone through three major "generations": TACACS, XTACACS and TACACS+.
- The original TACACS offers authentication and authorization; it does not offer any accounting tools.
- TACACS used the User Datagram Protocol (UDP) to handle communications.

TACACS+
- Cisco developed a proprietary version of TACACS known as TACACS+. The driving factor behind TACACS+ was to give networking professionals the ability to manage all remote access components from a centralized location.
- TACACS+ is also credited with separating the AAA functions: authentication, authorization and accounting are distinct packet types and can be handled by different servers.
- TACACS+ uses TCP.

Vulnerabilities of TACACS+
- One of the biggest complaints about TACACS+ is that it offers no protection against replay attacks. In a replay attack an attacker captures a valid (possibly obfuscated) packet and resends it later to impersonate the client; the attacker does not need to decrypt it.
- Other common weaknesses of TACACS+ include:
  - Birthday attacks: the pool of TACACS+ session IDs is not very large (a 32-bit value), so it is reasonable that two sessions could be given the same session ID.
  - Buffer overflow: like RADIUS, TACACS+ implementations can fall victim to buffer overflow attacks.
  - Packet sniffing: the length of passwords can easily be determined by "sniffing" the network, because the body obfuscation does not hide packet lengths.
  - Lack of integrity checking: an attacker can alter accounting records during transmission. The packet body is only obfuscated (XORed with an MD5-derived pad keyed by the shared secret); there is no message authentication code, so changes made in transit are not detected.
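The last two weaknesses above, worked through as an added example that is not part of the original slides. It implements the TACACS+ body obfuscation (the MD5 pseudo-pad described in RFC 8907 and the earlier Cisco draft), builds an accounting REQUEST, and then edits the obfuscated packet on the wire without knowing the key so that the receiver attributes the command to a different user; the birthday bound at the end puts a number on the 32-bit session ID concern. The key, session ID, user names and accounting arguments are constructed.

```python
"""TACACS+ body obfuscation (the MD5 pseudo-pad of RFC 8907) and why it gives no integrity
protection. Added example; the key, session ID and accounting record are constructed."""
import hashlib
import math
import struct

TAC_PLUS_ACCT = 3              # packet type: accounting
TAC_PLUS_MAJOR_VER = 0xC0      # major version 0xc, minor version 0
TAC_PLUS_ACCT_FLAG_START = 0x02
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id || key || version || seq_no), pad_n = MD5(... || pad_n-1), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Body XOR pad. The same call de-obfuscates, since XOR is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def acct_request_body(user, port, rem_addr, args, flags=TAC_PLUS_ACCT_FLAG_START, priv_lvl=15):
    """Accounting REQUEST body: fixed fields, one length octet per argument, then the variable fields."""
    fixed = bytes([flags, 0x06, priv_lvl, 0x01, 0x01, len(user), len(port), len(rem_addr), len(args)])
    #                      ^ authen_method TACACSPLUS   ^ authen_type ASCII, authen_service LOGIN
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_acct_request_body(body: bytes) -> dict:
    flags, _method, priv_lvl, _atype, _aservice, ul, pl, rl, n = body[:9]
    arg_lens = list(body[9:9 + n])
    i = 9 + n
    user, i = body[i:i + ul], i + ul
    port, i = body[i:i + pl], i + pl
    rem_addr, i = body[i:i + rl], i + rl
    args = []
    for l in arg_lens:
        args.append(body[i:i + l])
        i += l
    if i != len(body):
        raise ValueError("body length does not match field lengths")
    return {"flags": flags, "priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def build_packet(ptype, seq_no, session_id, body, key):
    header = HEADER.pack(TAC_PLUS_MAJOR_VER, ptype, seq_no, 0, session_id, len(body))  # flags 0: body obfuscated
    return header + obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER, seq_no)


def read_packet(packet, key):
    """Receiver side: beyond the length there is nothing to verify, which is exactly the problem."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if len(packet) != HEADER.size + length:
        raise ValueError("truncated packet")
    return obfuscate(packet[HEADER.size:], session_id, key, version, seq_no)


def tamper(packet, body_offset, old: bytes, new: bytes):
    """On-path edit without the key: XORing ciphertext with old^new turns plaintext old into new."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the length")
    p = bytearray(packet)
    for i, (o, n) in enumerate(zip(old, new)):
        p[HEADER.size + body_offset + i] ^= o ^ n
    return bytes(p)


def sessions_for_collision(p=0.5, id_bits=32):
    """Birthday bound: sessions needed before two share a session ID with probability p."""
    return math.sqrt(2 * (2 ** id_bits) * math.log(1 / (1 - p)))


KEY = b"example-key"      # constructed shared secret
SESSION_ID = 0x1A2B3C4D   # constructed; chosen by the client, only 32 bits wide
ARGS = [b"task_id=42", b"service=shell", b"cmd=show running-config"]
BODY = acct_request_body(b"alice", b"tty1", b"192.0.2.55", ARGS)


def tampered_record():
    """Forge the accounting record so the command is attributed to 'admin' instead of 'alice'."""
    pkt = build_packet(TAC_PLUS_ACCT, 1, SESSION_ID, BODY, KEY)
    forged = tamper(pkt, BODY.index(b"alice"), b"alice", b"admin")
    return parse_acct_request_body(read_packet(forged, KEY))


if __name__ == "__main__":
    print(tampered_record())
    print(f"session IDs needed for a 50% collision chance: {sessions_for_collision():.0f}")
```

The attacker needs to know where the user field sits in the body, but the layout is fixed by the protocol, so that is not a secret. The practical mitigation, as for RADIUS, is to run TACACS+ only over a trusted management network or inside IPSec or TLS.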
Advantages of TACACS+ over RADIUS
- Addresses the need for a scalable solution
- Separates authentication, authorization and accounting
- Offers multiple protocol support
- Considered to be more secure than RADIUS (the whole packet body is obfuscated, not just the password attribute), but less used because it is proprietary

PPTP/L2TP
- There are several standard tunneling protocol technologies in use today.
- Two of the most popular are PPTP and L2TP, which are Layer 2 (Data Link layer) encapsulation (tunneling) protocols. PPTP uses TCP port 1723 for its control connection and carries the tunneled PPP frames in GRE (IP protocol 47); L2TP uses UDP port 1701 for both control and data.
- A firewall in the path must therefore pass GRE as well as TCP 1723 for PPTP, and UDP 1701 for L2TP (plus UDP 500/4500 and ESP when L2TP is protected by IPSec).

Point-to-Point Tunneling Protocol (PPTP)
- PPTP establishes point-to-point connections between two computers by encapsulating the PPP packets being sent.
- PPTP encrypts the data being transmitted, but does not encrypt the information exchanged during negotiation. In Microsoft implementations the Microsoft Point-to-Point Encryption (MPPE) protocol is used to encrypt the data.
- PPTP is protocol-restrictive, meaning it will only work over IP networks.
- PPTP cannot use the added benefit of IPSec.
- A Microsoft development.

L2TP
- L2TP was developed through a joint venture between Microsoft and Cisco.
- L2TP was designed to use IPSec for encryption purposes.

The differences between PPTP and L2TP
- L2TP requires IPSec in order to offer encryption.
- L2TP offers RADIUS and TACACS+ support, where PPTP does not.
- L2TP is often implemented as a hardware solution, where PPTP is not.
- L2TP can run on top of protocols such as IP, IPX and SNA, where PPTP can work only on IP networks.
- Using L2TP with IPSec provides per-packet data origin authentication (proof that the data was sent by an authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention of resending a stream of captured packets) and data confidentiality (prevention of interpreting captured packets without the encryption key).
- L2TP/IPSec connections require two levels of authentication: computer-level authentication using certificates or pre-shared keys for the IPSec session, and user-level authentication using a PPP authentication protocol for the L2TP tunnel.

Some advantages of the L2TP/IPSec combination over PPTP
- IPSec provides per-packet data origin authentication, data integrity, replay protection and data confidentiality. In contrast, PPTP only provides per-packet data confidentiality.
- L2TP/IPSec connections require two levels of authentication: computer-level authentication and user-level authentication.
- PPP frames exchanged during user-level authentication are never sent unencrypted, because the PPP connection process for L2TP/IPSec occurs after the IPSec security association (SA) is established.

Secure Shell (SSH)
- Secure replacement for remote logon and file transfer programs (Telnet and FTP) that transmit data in unencrypted text

How SSH Works
- Once the server receives the connection request from the client, the two perform a handshake, which includes verification of the protocol version.
- The server presents its host key and the client compares it with the key it recorded on earlier connections (OpenSSH keeps these in the known_hosts file). An unknown or changed key is the signal that the connection may be going to an impostor, so it must not be accepted blindly.
- Next, session keys are exchanged between the client and server, and everything after that (including the user's password or public-key authentication) is encrypted.
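The host-key check that makes the SSH handshake above trustworthy, as an added example that is not part of the original slides. It encodes a host key in SSH wire format, computes the fingerprint OpenSSH displays, and checks a presented key against known_hosts entries, distinguishing first contact, a match, a revoked key and a mismatch. The Ed25519 key bytes and the host name are placeholders, not real key material, and hashed known_hosts entries are deliberately not handled.

```python
"""Host-key check against an OpenSSH known_hosts file, the step that makes SSH's key exchange
trustworthy. Added example; the Ed25519 key bytes below are placeholders, not a real key."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def host_key_blob(key_type: bytes, public_bytes: bytes) -> bytes:
    """SSH wire encoding of a public key: string key_type || string key material (RFC 4253 6.6)."""
    return ssh_string(key_type) + ssh_string(public_bytes)


def fingerprint_sha256(blob: bytes) -> str:
    """The fingerprint OpenSSH prints: base64 of SHA-256 over the wire blob, '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Plain (unhashed) entries only: [@marker] host1,host2 key-type base64-blob [comment]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue  # comments and hashed hosts are skipped in this example
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        hosts, key_type, b64 = fields[:3]
        entries.append({"marker": marker, "hosts": hosts.split(","), "type": key_type,
                        "blob": base64.b64decode(b64)})
    return entries


def check_host_key(known_hosts: str, host: str, key_type: str, presented: bytes) -> str:
    """'ok'        the presented key matches a stored one (safe to continue)
       'unknown'   first contact: show the fingerprint and ask the user before trusting it
       'revoked'   key explicitly marked @revoked: refuse
       'MISMATCH'  a different key is stored for this host: refuse, possible impersonation"""
    seen = False
    for e in parse_known_hosts(known_hosts):
        if host not in e["hosts"] or e["type"] != key_type:
            continue
        if e["marker"] == "@revoked":
            if hmac.compare_digest(e["blob"], presented):
                return "revoked"
            continue
        seen = True
        if hmac.compare_digest(e["blob"], presented):
            return "ok"
    return "MISMATCH" if seen else "unknown"


# Constructed data: a gateway whose key was accepted earlier, and a different key an impostor might present.
GATEWAY_KEY = host_key_blob(b"ssh-ed25519", bytes(range(32)))       # placeholder public key bytes
IMPOSTOR_KEY = host_key_blob(b"ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = (
    "# accepted on first contact after checking the fingerprint out of band\n"
    f"vpn-gw.example.com,192.0.2.1 ssh-ed25519 {base64.b64encode(GATEWAY_KEY).decode()}\n"
)

if __name__ == "__main__":
    print(fingerprint_sha256(GATEWAY_KEY))
    print(check_host_key(KNOWN_HOSTS, "vpn-gw.example.com", "ssh-ed25519", GATEWAY_KEY))
    print(check_host_key(KNOWN_HOSTS, "vpn-gw.example.com", "ssh-ed25519", IMPOSTOR_KEY))
```

The "unknown" case is the trust-on-first-use moment: the fingerprint should be compared against one obtained out of band (from the device's console or the administrator) rather than accepted because the prompt appeared.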
IP Security Protocol (IPSec)
- Set of protocols developed by the IETF to support the secure exchange of packets at the IP layer
- Deployed widely to implement VPNs
- Works with existing and future IP standards
- Transparent to users
- Promises painless scalability
- Handles encryption at the packet level using the Encapsulating Security Payload (ESP)

IPSec Security Payload (diagram slide)

ESP and Encryption Models
- Supports many encryption protocols
- Encryption support is designed for use by symmetric encryption algorithms (the per-session keys are typically negotiated with IKE)
- Provides secure VPN tunneling

Telecommuting Vulnerabilities
- Split tunnel: the remote user is sending traffic to the office network over the VPN and at the same time sending traffic to other locations on the Internet directly (the Internet connection is not dedicated exclusively to the VPN connection).
- If the VPN client has split tunneling enabled, the client is on both the Internet and the central office network at the same time.
- The VPN tunnel can then become a direct path for attackers into the office network, bypassing the firewall and perimeter defenses: anything that compromises the home machine from the Internet side has a route into the office.
(Five further diagram slides titled Telecommuting Vulnerabilities are not reproduced in the text.)

Remote Solutions
- Microsoft Terminal Server
- Citrix Metaframe
- Virtual Network Computing (VNC)

Summary
- Paramount need for remote access security
- Use of technologies to mitigate some of the risk of compromising the information security of a home network
- Importance of keeping pace with technology changes
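A check for the split-tunnel condition described above, as an added example that is not part of the original slides: given a host's routing table it reports whether the VPN carries all traffic, only some of it, or none. The routing tables are constructed in Linux `ip route show` format, and the VPN interface name tun0 is an assumption; the second table reproduces the two /1 routes that OpenVPN's redirect-gateway option installs instead of replacing the default route, which a naive "is the default route on tun0" test would misreport as split.

```python
"""Classify a host's routing table as full-tunnel, split-tunnel or no VPN from `ip route` output.
Added example; the route tables below are constructed (Linux `ip route show` format)."""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")
HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}


def parse_routes(text: str):
    """Return [(network, device)] for each route line; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        if "/" not in dest:
            dest += "/32"  # host route printed without a prefix length
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def classify_tunnel(text: str, vpn_iface: str = "tun0") -> str:
    via_vpn = {net for net, dev in parse_routes(text) if dev == vpn_iface}
    if not via_vpn:
        return "no-vpn"
    # Full tunnel if the default route itself points into the VPN, or if both /1 routes do: they are
    # more specific than 0.0.0.0/0, so longest-prefix matching sends everything through the tunnel.
    if DEFAULT in via_vpn or HALVES <= via_vpn:
        return "full-tunnel"
    return "split-tunnel"


def direct_destinations(text: str, vpn_iface: str = "tun0") -> list:
    """Networks reachable outside the VPN while it is up: the exposure a split tunnel creates."""
    return sorted(str(net) for net, dev in parse_routes(text) if dev != vpn_iface)


# Constructed samples. 10.0.0.0/8 is the office network, 192.168.1.0/24 the home LAN, 203.0.113.7 the VPN server.
SPLIT = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
FULL_OPENVPN = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.7 via 192.168.1.1 dev wlan0
"""
NO_VPN = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("full", FULL_OPENVPN), ("none", NO_VPN)):
        print(name, classify_tunnel(table), direct_destinations(table))
```

In the full-tunnel case the only route left outside the VPN is the host route to the VPN server itself (plus the local LAN), which is what a policy that forbids split tunneling should expect to see on a compliant client.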