Solutions session 9
16.1
Following are the elements of a NAC system:
a. Access Requestor (AR): It is a node that is attempting to access the network and may be any
device that is managed by the NAC system, including workstations, servers, printers, cameras,
and other IP-enabled devices.
b. Policy Server: Based on the AR’s posture and an enterprise’s defined policy, the policy server
determines what access should be granted.
c. Network Access Server (NAS): It functions as an access control point for users in remote
locations connecting to an enterprise’s internal network.
16.2
The Extensible Authentication Protocol (EAP) acts as a framework for network access and
authentication protocols. EAP provides a set of protocol messages that can encapsulate various
authentication methods to be used between a client and an authentication server. EAP can operate
over a variety of network and link level facilities, including point-to-point links, LANs, and other
networks, and can accommodate the authentication needs of the various links and networks.
16.3
EAP-TLS (EAP-Transport Layer Security): EAP-TLS (RFC 5216) defines how the TLS protocol
(described in Chapter 17) can be encapsulated in EAP messages. EAP-TTLS (EAP-Tunneled TLS) is
similar to EAP-TLS except only the server has a certificate to authenticate itself to the client first.
EAP-GPSK (EAP Generalized Pre-Shared Key) is an EAP method for mutual authentication and
session key derivation using a Pre-Shared Key (PSK). EAP-GPSK specifies an EAP method based on
pre-shared keys and employs secret key-based cryptographic algorithms. EAP-IKEv2 supports
mutual authentication and session key establishment using a variety of methods.
16.5
IEEE 802.1X, Port-Based Network Access Control was designed to provide access control functions
for LANs.
16.6
The essential characteristics of cloud computing are: broad network access, rapid elasticity,
measured service, on-demand self-service and resource pooling.
16.7
There are mainly four deployment models of cloud computing:
a. Public cloud: The cloud infrastructure is made available to the general public or a large industry
group and is owned by an organization selling cloud ser-vices.
b. Private cloud: The cloud infrastructure is operated solely for an organization. It may be
managed by the organization or a third party and may exist on premise or off premise.
c. Community cloud: The cloud infrastructure is shared by several organizations and supports a
specific community that has shared concerns (e.g., mission, security requirements, etc).
d. Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private,
community, or public) that remain unique entities but are bound together by standardized or
proprietary technology that enables data and application portability.
17.1
The advantage of using IPSec (Figure 17.1a) is that it is transparent to end users and applications
and provides a general-purpose solution. Further, IPSec includes a filtering capability so that only
selected traffic need incur the overhead of IPSec processing. The advantage of using SSL is that it
makes use of the reliability and flow control mechanisms of TCP. The advantage of applicationspecific security services (Figure 17.1c) is that the service can be tailored to the specific needs of a
given application.
17.2
SSL handshake protocol; SSL change cipher spec protocol; SSL alert protocol; SSL record protocol.
17.3
Connection: A connection is a transport (in the OSI layering model definition) that provides a
suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections
are transient. Every connection is associated with one session. Session: An SSL session is an
association between a client and a server. Sessions are created by the Handshake Protocol.
Sessions define a set of cryptographic security parameters, which can be shared among multiple
connections. Sessions are used to avoid the expensive negotiation of new security parameters for
each connection.
17.4
Session identifier: An arbitrary byte sequence chosen by the server to identify an active or
resumable session state. Peer certificate: An X509.v3 certificate of the peer. Compression method:
The algorithm used to compress data prior to encryption. Cipher spec: Specifies the bulk data
encryption algorithm (such as null, DES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for
MAC calculation. It also defines cryptographic attributes such as the hash_size. Master secret: 48byte secret shared between the client and server. Is resumable: A flag indicating whether the
session can be used to initiate new connections.
17.5
Server and client random: Byte sequences that are chosen by the server and client for each
connection. Server write MAC secret: The secret key used in MAC operations on data sent by the
server. Client write MAC secret: The secret key used in MAC operations on data sent by the client.
Server write key: The conventional encryption key for data encrypted by the server and decrypted
by the client. Client write key: The conventional encryption key for data encrypted by the client
and decrypted by the server. Initialization vectors: When a block cipher in CBC mode is used, an
initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake
Protocol. Thereafter the final ciphertext block from each record is preserved for use as the IV with
the following record. Sequence numbers: Each party maintains separate sequence numbers for
transmitted and received messages for each connection. When a party sends or receives a change
cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not
exceed 264 – 1.
17.6
Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional
encryption of SSL payloads. Message Integrity: The Handshake Protocol also defines a shared
secret key that is used to form a message authentication code (MAC).
17.7
Fragmentation; compression; add MAC; encrypt; append SSL record header.
17.8
HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure
communication between a Web browser and a Web server.
17.9
The initial version, SSH1 was focused on providing a secure remote logon facility to replace TELNET
and other remote logon schemes that provided no security. SSH also provides a more general
client/server capability and can be used for such network functions as file transfer and e-mail.
17.10
Transport Layer Protocol: Provides server authentication, data confidentiality, and data integrity
with forward secrecy (i.e., if a key is compromised during one session, the knowledge does not
affect the security of earlier sessions). The transport layer may optionally provide compression.
User Authentication Protocol: Authenticates the user to the server. Connection Protocol:
Multiplexes multiple logical communications channels over a single underlying SSH connection.
Problems
17.3
a. Brute Force Cryptanalytic Attack: The conventional encryption algorithms use key lengths
ranging from 40 to 168 bits.
b. Known Plaintext Dictionary Attack: SSL protects against this attack by not really using a 40-bit
key, but an effective key of 128 bits. The rest of the key is constructed from data that is
disclosed in the Hello messages. As a result the dictionary must be long enough to
accommodate 2128 entries.
c. Replay Attack: This is prevented by the use of nonces.
d. Man-in-the-Middle Attack: This is prevented by the use of public-key certificates to
authenticate the correspondents.
e. Password Sniffing: User data is encrypted.
f.
IP Spoofing: The spoofer must be in possession of the secret key as well as the forged IP
address.
g. IP Hijacking: Again, encryption protects against this attack.
h. SYN Flooding: SSL provides no protection against this attack.