Chapter 13: Security Protocols

Chapter Outline

1. On the Test
   2.13: Identify the following security protocols and describe their purpose and function: IPSec; L2TP; SSL; Kerberos.

2. Internet Protocol Security (IPSec)
   a. IPSec is an IETF standard designed to provide secure communication across both public and private networks.
   b. IPSec can deter several types of threats, including denial-of-service, identity spoofing, and packet sniffing.

3. How IPSec Works
   a. IPSec relies on key management functions through the use of Internet Key Exchange (IKE).
   b. IKE provides the exchange of the required key types between the source and destination machines that will allow identification and authentication.
   c. The key types supported by IPSec are:
      i. Pre-shared keys: the same key is installed on the source and destination devices.
      ii. Public key cryptography: also known as PKI, requires a certificate to generate a key pair (public key and private key).
      iii. Digital signatures: allow a sending device to add a digital code to a transmission, thus “sealing” the transmission.
   d. Two types of headers are used with IPSec:
      i. Authentication header (AH): provides data integrity.
      ii. Encapsulating security payload (ESP): provides data integrity and confidentiality.

4. IPSec Modes of Operation
   a. Transport Mode
      i. IPSec in transport mode encrypts the payload of the packet only.
      ii. The original IP headers remain intact with correct information; intervening devices know the real addresses of the source and destination.
   b. Tunnel Mode
      i. Tunnel mode allows the entire datagram to be encrypted.
      ii. The real source and destination addresses are hidden, replaced by the source and destination addresses of the routers that handle the process.
      iii. End systems do not need any configuration when deploying IPSec in tunnel mode.

5. Virtual Private Networks (VPNs)
   a. A VPN is a transmission between two systems that makes use of the public infrastructure as the medium for transmission, thus extending the boundary of the private network.
   b. VPNs rely on tunneling to create a safe transmission.
   c. The tunneling protocol “wraps” the packet (often just the header), creating a virtual tunnel through which the data can be transmitted.
   d. The encapsulation provides the needed routing information.
   e. VPN transmissions usually contain an encrypted payload.
   f. The advantages of VPNs include:
      i. safety of transmission
      ii. flexibility in the business environment
      iii. lower transmission costs
      iv. lower administrative overhead

6. Point-to-Point Tunneling Protocol
   a. PPTP is built on the foundation of PPP, which is used for remote access connections.
   b. Transmissions are subject to setup negotiation, authentication, and error checking.
   c. PPTP supports a multiprotocol environment, using IP as the transport protocol but allowing other protocols (IPX, NetBEUI) to be used for communication on the remote network.
   d. PPTP uses MPPE as its encryption protocol on Microsoft networks.
   e. PPTP supports 40-bit, 56-bit, and 128-bit encryption schemes.

7. Layer 2 Tunneling Protocol
   a. L2TP is a relatively new tunneling protocol, built by combining Microsoft’s PPTP and Cisco’s L2F protocols.
   b. L2TP uses either a single 56-bit key or Triple DES (three 56-bit keys) as its encryption scheme.

8. Deploying L2TP and IPSec on the Network
   a. L2TP and IPSec are used together on Microsoft networks to provide secure communications over the Internet or an intranet.
   b. When combined, L2TP provides the tunnel and IPSec provides the payload encryption necessary for security.
   c. To communicate using L2TP/IPSec, both the source and destination devices must understand the mechanisms and be configured to use them.

9. Secure Sockets Layer (SSL)
   a. Secure Sockets Layer (SSL) is a protocol that has been designed to provide a secure connection over an insecure network, such as the Internet.
   b. SSL runs above the TCP/IP protocol and below some of the higher-level protocols such as Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP).
   c. SSL uses a series of keys, public and private, to encrypt the data that is transported across the secure connection.
   d. The RSA algorithm, or cipher, is a commonly used encryption and authentication algorithm that includes the use of a digital certificate.
   e. The public key is made available to whoever needs it, while the private key is stored in a central location and never made public.
   f. Data that is encrypted with the public key can be decrypted only with the private key.

10. SSL Server Authentication
   a. SSL server authentication allows a client computer to identify the server that it is talking with.
   b. A client using SSL-enabled software uses a public key to verify that the server’s certificate and public ID are correct and valid, and that they have been issued by a certificate authority (CA) that is listed on the client’s list of trusted CAs.

11. SSL Client Authentication
   a. SSL client authentication is used to verify the client’s identity.
   b. SSL-enabled server software checks the client’s certificate and public ID to ensure they are correct and valid and that they have been issued by a CA listed on the server’s list of trusted CAs.

12. Encrypted SSL Connection
   a. The encrypted SSL connection ensures that all of the information transferred between the SSL-enabled client and SSL-enabled server is encrypted and decrypted during transmission.
   b. All of the data transmitted across the connection contains a mechanism to detect tampering, so the data can be checked to see if it was altered during the transfer process.

13. SSL Sub-Protocols
   The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol.

14. The SSL Record Protocol
   a. The SSL record protocol is used to define the message format that is used to transmit encrypted data.
   b. The record protocol uses a series of algorithms that are generated by the handshaking process to encrypt the transmitted data.

15. The SSL Handshake Protocol
   a. An SSL session begins with the SSL handshake process.
   b. The handshake process is an exchange of messages that the server uses to authenticate itself to the client using a public key.
   c. The client and the server cooperate to create symmetric keys that will be used for the encryption, decryption, and tamper-detection processes that occur during data transmission.
   d. If necessary, the handshake process will also allow the client to authenticate itself to the server.

16. Man-in-the-Middle Attack
   The “man in the middle” is a rogue program that intercepts all communication between the client and a server during an SSL session.

17. Kerberos
   a. Kerberos is a secure network system, using strong encryption processes, that is designed to provide authentication for users and services that need to communicate and be validated on a network.
   b. Kerberos provides a way for these users and network services to prove their identity in order to gain access to other network resources.
   c. Kerberos works through the use of encrypted tickets and several server processes that run on one or more trusted third-party servers.
   d. The principals and the Kerberos server all share a secret password.
   e. This secret password is then used by the users and services to verify that the messages they receive are authentic.

18. Understanding the Kerberos Process
   a. Begin the process by requesting authentication from the trusted third-party Kerberos server.
   b. This Authentication Server (AS) will create a session key, commonly referred to as a “ticket-granting ticket” (TGT).
   c. Once you have the TGT, it must be sent to a ticket-granting server (TGS).
   d. The TGS verifies the ticket, time stamps it, and returns it to the principal that submitted it.
   e. Once the ticket has been returned by the TGS, it can be submitted to the service you are trying to access.
   f. The service can accept the ticket, allowing you to access the server, or it can reject it, denying you access.
   g. Since the ticket was time stamped by the TGS, it is valid for more than one session.
   h. Kerberos is the default encryption and security system used with Microsoft Windows 2000 operating systems.
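The following script illustrates items 3d and 4 of the outline (AH versus ESP, and transport versus tunnel mode) by building packets and reporting what a device in the middle of the path can read. It is an added example, not code from the chapter: the 12-byte IP header, the keys, the addresses, the HMAC-SHA256 integrity check and the SHAKE-256 keystream are all stand-ins chosen so the script runs offline with only the Python standard library; a real IPSec stack negotiates its algorithms and keys through IKE.

```python
"""IPSec AH vs ESP and transport vs tunnel mode, as a constructed illustration.

Added example, not code from the chapter. HMAC-SHA256 stands in for the
negotiated integrity algorithm and a SHAKE-256 keystream for the negotiated
cipher; real IPSec gets both, and the keys, from IKE. Keys and addresses are
made up.
"""
import hashlib
import hmac
import struct

AH_KEY = b"constructed-ah-integrity-key"   # would be negotiated by IKE
ESP_KEY = b"constructed-esp-cipher-key"    # would be negotiated by IKE
PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51
ICV_LEN = 12


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """12-byte stand-in for an IPv4 header: src addr, dst addr, protocol, padding."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return addr(src) + addr(dst) + struct.pack("!BxH", proto, 0)


def _xor_keystream(data: bytes, spi: int, seq: int) -> bytes:
    """Toy cipher: XOR with a keystream bound to the SA (SPI) and packet sequence number."""
    ks = hashlib.shake_256(ESP_KEY + struct.pack("!II", spi, seq)).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def ah(ip_hdr: bytes, payload: bytes, spi: int, seq: int) -> bytes:
    """AH: integrity only. The ICV covers the addresses, AH fields and payload;
    nothing is hidden from devices along the path."""
    ah_hdr = struct.pack("!BBHII", ip_hdr[8], 6, 0, spi, seq)   # next hdr, len, reserved, SPI, seq
    icv = hmac.new(AH_KEY, ip_hdr[:8] + ah_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr[:8] + struct.pack("!BxH", PROTO_AH, 0) + ah_hdr + icv + payload


def ah_verify(pkt: bytes) -> bool:
    """Recompute the ICV; any change to addresses, AH fields or payload fails."""
    ah_hdr, icv, payload = pkt[12:24], pkt[24:24 + ICV_LEN], pkt[24 + ICV_LEN:]
    expected = hmac.new(AH_KEY, pkt[:8] + ah_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp(ip_hdr: bytes, inner: bytes, next_hdr: int, spi: int, seq: int) -> bytes:
    """ESP: confidentiality and integrity. `inner` plus the ESP trailer is encrypted,
    then the ESP header and ciphertext are authenticated."""
    esp_hdr = struct.pack("!II", spi, seq)
    trailer = struct.pack("!BB", 0, next_hdr)            # pad length, next header
    ct = _xor_keystream(inner + trailer, spi, seq)
    icv = hmac.new(ESP_KEY, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr[:8] + struct.pack("!BxH", PROTO_ESP, 0) + esp_hdr + ct + icv


def esp_transport(src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """Transport mode: only the payload is protected; the original IP header
    stays intact, so intervening devices see the real source and destination."""
    return esp(ip_header(src, dst, PROTO_TCP), payload, PROTO_TCP, spi, seq)


def esp_tunnel(gw_src: str, gw_dst: str, src: str, dst: str, payload: bytes,
               spi: int = 0x2002, seq: int = 1) -> bytes:
    """Tunnel mode: the whole inner datagram (header and payload) is protected and
    a new outer header carries the gateway addresses, so the end systems need no
    IPSec configuration of their own."""
    inner = ip_header(src, dst, PROTO_TCP) + payload
    return esp(ip_header(gw_src, gw_dst, PROTO_ESP), inner, PROTO_IPIP, spi, seq)


def on_the_wire(pkt: bytes) -> dict:
    """What an intervening router or sniffer can read from the packet."""
    return {
        "src": ".".join(map(str, pkt[:4])),
        "dst": ".".join(map(str, pkt[4:8])),
        "proto": pkt[8],
        "payload_in_clear": b"GET /" in pkt,
    }


if __name__ == "__main__":
    data = b"GET /secret HTTP/1.0\r\n"           # constructed application data
    plain_hdr = ip_header("10.0.0.5", "10.0.1.7", PROTO_TCP)
    for name, pkt in [
        ("AH transport", ah(plain_hdr, data, 0x10, 1)),
        ("ESP transport", esp_transport("10.0.0.5", "10.0.1.7", data)),
        ("ESP tunnel", esp_tunnel("203.0.113.1", "198.51.100.1", "10.0.0.5", "10.0.1.7", data)),
    ]:
        print(f"{name:14s} {on_the_wire(pkt)}")
```

Running it shows the three cases side by side: AH leaves the application data readable but any modification fails `ah_verify`; ESP transport mode hides the payload while the real host addresses stay visible; ESP tunnel mode exposes only the gateway addresses, with the inner header and payload both inside the ciphertext.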
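Items 12 to 15 describe the record protocol's message format, the tamper-detection mechanism, and the symmetric keys the handshake produces. The script below, an added example rather than code from the chapter, models that record layer: keys are expanded from a master secret with HMAC-SHA256 as a simplified TLS-style PRF (standing in for the real handshake output, whose public-key steps are not modelled), a SHAKE-256 keystream stands in for the negotiated cipher, and the `derive_keys`, `RecordLayer` and `demo` names, the secrets and the randoms are all assumptions of this example.

```python
"""SSL-style record protocol with tamper detection, as a constructed illustration.

Added example, not code from the chapter. The keys the handshake would produce
are expanded here from a master secret with HMAC-SHA256 (a simplified TLS-style
PRF), and a SHAKE-256 keystream stands in for the negotiated cipher. The
public-key part of the handshake is not modelled. Secrets and randoms are made up.
"""
import hashlib
import hmac
import struct

CONTENT_APPLICATION_DATA = 23
VERSION = (3, 0)        # SSL 3.0 version bytes in the record header
MAC_LEN = 32


def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Expand the master secret into per-direction MAC and cipher keys."""
    seed = client_random + server_random
    prf = lambda label: hmac.new(master_secret, label + seed, hashlib.sha256).digest()
    return {"client_mac": prf(b"client mac"), "client_key": prf(b"client key"),
            "server_mac": prf(b"server mac"), "server_key": prf(b"server key")}


class RecordLayer:
    """One direction of a record-protocol connection; sender and receiver each hold
    an instance with the same keys and an implicit sequence number."""

    def __init__(self, mac_key: bytes, cipher_key: bytes):
        self.mac_key, self.cipher_key, self.seq = mac_key, cipher_key, 0

    def _keystream(self, n: int) -> bytes:
        return hashlib.shake_256(self.cipher_key + struct.pack("!Q", self.seq)).digest(n)

    def seal(self, content_type: int, data: bytes) -> bytes:
        """Record = header || encrypt(fragment || MAC). The MAC also covers the
        sequence number and header, so edited, replayed or reordered records fail."""
        header = struct.pack("!BBBH", content_type, *VERSION, len(data) + MAC_LEN)
        mac = hmac.new(self.mac_key, struct.pack("!Q", self.seq) + header + data,
                       hashlib.sha256).digest()
        body = data + mac
        record = header + bytes(a ^ b for a, b in zip(body, self._keystream(len(body))))
        self.seq += 1
        return record

    def unseal(self, record: bytes) -> bytes:
        """Parse and verify one record; raise ValueError on any length or MAC failure."""
        if len(record) < 5:
            raise ValueError("truncated record header")
        content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
        if (major, minor) != VERSION or len(record) != 5 + length or length < MAC_LEN:
            raise ValueError("bad version or length")
        body = bytes(a ^ b for a, b in zip(record[5:], self._keystream(length)))
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = hmac.new(self.mac_key, struct.pack("!Q", self.seq) + record[:5] + data,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC check failed: record altered, replayed or out of order")
        self.seq += 1
        return data


def demo() -> dict:
    """Client-to-server direction: a good record is accepted, a bit-flipped copy and a
    replayed copy are both rejected."""
    keys = derive_keys(b"constructed-master-secret", b"C" * 32, b"S" * 32)
    client_out = RecordLayer(keys["client_mac"], keys["client_key"])
    server_in = RecordLayer(keys["client_mac"], keys["client_key"])
    rec = client_out.seal(CONTENT_APPLICATION_DATA, b"GET / HTTP/1.0\r\n")

    def rejected(layer: RecordLayer, r: bytes) -> bool:
        try:
            layer.unseal(r)
            return False
        except ValueError:
            return True

    tampered = rec[:5] + bytes([rec[5] ^ 0x01]) + rec[6:]     # flip one ciphertext bit
    return {
        "tamper_detected": rejected(RecordLayer(keys["client_mac"], keys["client_key"]), tampered),
        "plaintext": server_in.unseal(rec),
        "replay_detected": rejected(server_in, rec),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the MAC is bound to the sequence number as well as the header and fragment: that is what turns the record protocol's "mechanism to detect tampering" into protection against replayed and reordered records too, not only against edited bytes.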
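Items 17 and 18 describe the ticket flow from the Authentication Server through the Ticket-Granting Server to the service, and the fact that a time-stamped ticket remains valid across sessions. The simulation below is an added example and not code from the chapter: it follows the standard AS, TGS and service exchanges, with every principal sharing a long-term secret with the KDC, and uses a SHAKE-256 keystream plus an HMAC-SHA256 tag as a stand-in for Kerberos's real encryption types. The `KDC` and `Service` classes, the principal names, keys, lifetimes and clock values are all assumptions made for the example.

```python
"""Kerberos ticket exchange (AS -> TGS -> service), as a constructed simulation.

Added example, not code from the chapter. Every principal shares a long-term
secret with the KDC; tickets and authenticators are sealed with a SHAKE-256
keystream plus an HMAC-SHA256 tag, a stand-in for Kerberos's real encryption
types. Names, keys and clock values are made up.
"""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600     # seconds a ticket stays valid
MAX_SKEW = 5 * 60              # oldest authenticator timestamp a verifier accepts


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || XOR-keystream ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("undecipherable or modified")
    pt = bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))
    return json.loads(pt)


def fresh(auth: dict, ticket: dict, now: float) -> bool:
    """Common checks: ticket unexpired, authenticator recent and naming the ticket's client."""
    return (now <= ticket["expires"] and abs(now - auth["timestamp"]) <= MAX_SKEW
            and auth["client"] == ticket["client"])


class KDC:
    """Trusted third party running the Authentication Server and Ticket-Granting Server."""

    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys                 # principal name -> shared secret

    def as_exchange(self, client: str, now: float) -> dict:
        """AS: issue a TGT (sealed for the TGS) and the session key sealed under the
        client's own secret, which only the genuine client can open."""
        sk = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": now + TICKET_LIFETIME})
        return {"tgt": tgt, "for_client": seal(self.keys[client], {"key": sk})}

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> dict:
        """TGS: check the TGT and authenticator, then issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if not fresh(auth, t, now):
            raise PermissionError("TGT expired or authenticator stale")
        sk = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk, "expires": now + TICKET_LIFETIME})
        return {"ticket": ticket, "for_client": seal(bytes.fromhex(t["key"]), {"key": sk})}


class Service:
    def __init__(self, key: bytes):
        self.key = key

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> bool:
        """Accept or reject: the ticket must open with the service's key, be unexpired,
        and come with an authenticator made under the ticket's session key."""
        try:
            t = unseal(self.key, ticket)
            auth = unseal(bytes.fromhex(t["key"]), authenticator)
        except ValueError:
            return False
        return fresh(auth, t, now)


def demo() -> dict:
    now = 1_700_000_000.0                                   # constructed clock
    keys = {"alice": b"alice-secret", "krbtgt": b"tgs-secret", "fileserver": b"fs-secret"}
    kdc, fileserver = KDC(keys), Service(keys["fileserver"])
    rep = kdc.as_exchange("alice", now)
    tgs_sk = bytes.fromhex(unseal(keys["alice"], rep["for_client"])["key"])
    rep2 = kdc.tgs_exchange(rep["tgt"], seal(tgs_sk, {"client": "alice", "timestamp": now}),
                            "fileserver", now)
    svc_sk = bytes.fromhex(unseal(tgs_sk, rep2["for_client"])["key"])
    auth = lambda t: seal(svc_sk, {"client": "alice", "timestamp": t})
    wrong_key_ticket = seal(b"not-the-fileserver-key",
                            {"client": "alice", "key": svc_sk.hex(), "expires": now + 99999})
    return {
        "accepted": fileserver.ap_exchange(rep2["ticket"], auth(now), now),
        "reused_within_lifetime": fileserver.ap_exchange(rep2["ticket"], auth(now + 3600), now + 3600),
        "expired": fileserver.ap_exchange(rep2["ticket"], auth(now + 9 * 3600), now + 9 * 3600),
        "ticket_under_wrong_key": fileserver.ap_exchange(wrong_key_ticket, auth(now), now),
    }


if __name__ == "__main__":
    print(demo())
```

The `reused_within_lifetime` case is item 18g in action: the same service ticket is presented an hour later with a fresh authenticator and is still accepted, while the `expired` case shows the lifetime check refusing it after nine hours. The `ticket_under_wrong_key` case shows why the shared secret matters: a ticket not sealed under the service's own key cannot be opened and is rejected before any of its claimed contents are trusted.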