Guide to Operating System Security
Chapter 9
Web, Remote Access, and VPN Security

Objectives
• Understand Internet security using protocols and services
• Configure Web browsers for security
• Configure remote access services for security
• Configure virtual private network services for security

Internet Security
• Protocols and services must be kept secure
  • To ensure privacy of information
  • To discourage the spread of malicious software

Internet Protocols and Services
• Hypertext Transfer Protocol (HTTP)
• Secure HTTP (S-HTTP) and Hypertext Transfer Protocol Secure (HTTPS)
• File Transfer Protocol (FTP)
• Network File System (NFS)
• Samba and Server Message Block (SMB)

HTTP
• TCP/IP-compatible application protocol that transports information over the Web
• Most recent version: HTTP/1.1
  • Increases reliability of communications
  • Enables caching
  • Can send message responses before full control information from a request is received
  • Permits multiple communications over a single connection

S-HTTP and HTTPS
• Forms of HTTP used for more secure communications
• S-HTTP
  • Standards-based protocol that enables use of a variety of security measures (including CMS and MOSS)
• HTTPS
  • Essentially proprietary, but more compatible with encryption for IP-level communications
  • Uses SSL as a subprotocol

File Transfer Protocol (FTP)
• TCP/IP protocol that transfers files in bulk data streams
• Uses two TCP ports (20 and 21)
• Supports transmission of binary or ASCII formatted files
• Commonly used on the Internet
• Downloading files can be risky

File Transfer Protocol (FTP)

Network File System (NFS)
• Designed for UNIX/Linux systems for file sharing
• Connection-oriented protocol that runs within TCP
• Uses remote procedure calls via TCP port 111
• Sends data in record streams
• For security, let only authorized computers use NFS on host computer

Samba and Server Message Block
• Samba
  • Available for UNIX and Linux computers
  • Enables exchange of files and printer sharing with Windows-based computers through SMB protocol
• Server Message Block
  • Used by Windows-based systems
  • Enables sharing files and printers
  • Employed by Samba

Using Samba

Configuring Web Browsers for Security
• Applying security measures to popular Web browsers
  • Internet Explorer
  • Mozilla
  • Netscape Navigator

Configuring Internet Explorer Security
• Used with Windows and Mac OS X
• Configure version of HTTP, use of HTTPS, FTP, and download access
• Configure security by zones
  • Internet
  • Local intranet
  • Trusted sites
  • Restricted sites

Internet Explorer Security Settings

Configuring Internet Explorer Security
• Internet Explorer Enhanced Security Configuration (Windows Server 2003)
  • Applies default security to protect server
  • Uses security zones and security parameters preconfigured for each zone

Installing IE Enhanced Security Configuration

Configuring Mozilla Security
• Open-source Web browser
• Can run on
  • Linux (by default with GNOME desktop)
  • UNIX
  • Mac OS X
  • OS/2
  • Windows-based systems
• Security configuration is combined with privacy configuration options

Mozilla Security Categories

Privacy & Security Option in Mozilla

Configuring Netscape Navigator Security
• Nearly identical to Mozilla; GUI offers:
  • A buddy list
  • Link to Netscape channels
  • Different sidebar presentation

Netscape Navigator in Windows 2000 Server

Privacy & Security Options in Netscape

Configuring Remote Access Services for Security
• Remote access
  • Ability to access a workstation or server through a remote connection (e.g., dial-up telephone line and modem)
  • Commonly used by telecommuters

Microsoft Remote Access Services
• Enables off-site workstations to access a server through telecommunications lines, the Internet, or intranets

Microsoft RAS

Microsoft RAS – Supported Clients
• MS-DOS
• Windows 3.1 and 3.11
• Windows NT/95/98
• Windows Millennium
• Windows 2000
• Windows Server 2003 and XP Professional

Microsoft RAS
• Supports different types of modems and communications equipment
• Compatible with many network transport and remote communications protocols

Microsoft RAS – Supported Connections
• Asynchronous modems
• Synchronous modems
• Null modem communications
• Regular dial-up telephone lines
• Leased telecommunication lines (e.g., T-carrier)
• ISDN lines (and “digital modems”)
• X.25 lines
• DSL lines
• Cable modem lines
• Frame relay lines

Microsoft RAS – Supported Protocols
• NetBEUI
• TCP/IP
• NWLink
• PPP
• PPTP
• L2TP

Understanding Remote Access Protocols
• Transport protocols
  • TCP/IP
  • IPX
  • NetBEUI
• Remote access protocols
  • Serial Line Internet Protocol (SLIP)
    • CSLIP
  • Point-to-Point Protocol (PPP)
    • PPTP
    • L2TP

Configuring a RAS Policy
• Employ callback security options (No Callback, Set by Caller, Always Callback to)
• Install Internet Authentication Service (IAS)
  • Can be employed with Remote Authentication Dial-In User Service (RADIUS) and RADIUS server
• Add participating RAS and VPN servers

Remote Access Policies Objects in the IAS Tree

Granting Remote Access Permission to RAS

Enabling Access for a User’s Account via Remote Access Policy

Configuring a RAS Policy
• Use Remote Access Policies to configure security types
  • Authentication
  • Encryption
  • Dial-in constraints

RAS Authentication Types
• Challenge Handshake Authentication Protocol (CHAP)
• Extensible Authentication Protocol (EAP)
• MS-CHAP v1 (aka CHAP with Microsoft extensions)
• MS-CHAP v2 (aka CHAP with Microsoft extensions version 2)
• Password Authentication Protocol (PAP)
• Shiva Password Authentication Protocol (SPAP)
• Unauthenticated

RAS Encryption Options

RAS Dial-in Constraints Options
• Idle and session timeouts
• Day and time restrictions
• Whether access is restricted to a single number
• Whether access is restricted based on media used

Security on a Virtual Private Network
• VPN
  • An intranet designed for restricted access by specific clients based on subnets, IP addresses, user accounts, or a combination
• Apply same remote access policies as to RAS servers

Summary
• Protocols and services that enable Internet security
• Configuring Web browsers for security
  • Internet Explorer
  • Mozilla
  • Netscape Navigator
• How to configure a server’s remote access services to enforce security
• Applying security options to a VPN