Network Security
User Authentication
6/10/2011
NETWORK AUTHENTICATION METHODS
Authorization
Accounting
Passwords
Complex passwords use lowercase and uppercase letters, numbers, and special characters
Minimum password length
Password protection
Use different passwords
Strong passwords
Balance difficulty of remembering with complexity
Create the password from the first letter of each word in a title or passphrase
Mix letter cases, add numbers and special characters
Authentication factors
Something you know: Password
Something you have: Security token, Smart card
Something you are: Fingerprint, Retina
One-factor authentication
Something you know (e.g. the Windows logon dialog box: username and password)
Something you are
Two-factor authentication
Something you know PLUS something you have
Something you know PLUS something you are
Three-factor authentication
Something you know
+ something you have
+ something you are
A PIN, a card, and a fingerprint
Encryption
Decryption
Algorithm
Cipher
Symmetric
Asymmetric
Differing keys for encryption and decryption
Administration phase
Key storage
Certificate retrieval and validation
Backup or escrow
Recovery
Destruction
Suspension
Renewal
Revocation
attackers
Vulnerable to DoS attacks
Authenticating devices need to be loosely synchronized
Access to the AS allows an attacker to impersonate any authorized user
Authenticating device identifiers shouldn't be reused on a short-term basis
Authentication
Accounting
Authorization
RADIUS
TACACS+
Authentication
Accounting
Authorization
Access
MS-CHAPv1
MS-CHAPv2
Mutual authentication
Review
Public Key Infrastructure (PKI)
Kerberos
Authentication, Authorization, Accounting (AAA)
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)
SECURITY FILTERING
MAC filtering
MAC standard access lists filter on source MAC addresses
MAC extended access lists filter on source and destination MAC addresses, with optional protocol type information
IP Filtering
Also known as packet filters
Permit or Deny Traffic based on IP address
Can sometimes also use Port Numbers
Called Stateless Filtering
VPN Protocols
PPTP
L2F
L2TP
IPSec
SSL/TLS
Types of VPNs
Remote Access
Site-to-Site
Extranet
Security Capabilities
Minicomputer
PPTP vs. L2TP
Encryption: PPTP - native PPP, with negotiations in plaintext; L2TP - IPsec
Authentication: RADIUS, TACACS+
Data protocols: IP
Port: PPTP - 1723 (TCP); L2TP - 1701 (UDP)
REMOTE ACCESS
Summary
Security Filtering
Tunneling and encryption
Remote access
[Diagram: an IDS sits in parallel with the traffic behind the firewall, with the untrusted network (Internet) outside; an IPS sits in line with the traffic behind the firewall.]
Intrusion Detection/Prevention Systems
Network-based IDS/IPS
Host-based IDS/IPS
VPN Concentrator
[Diagram: VPN clients on the Internet connect through the firewall to a VPN concentrator that fronts the internal network.]
Review
Firewall
Intrusion Detection Systems: network based, host based
Intrusion Prevention Systems: network based, host based
VPN Concentrator
Firewall Features
Agenda
Network layer
Application layer: Web (scan for malware), FTP (scan for malware)
[Diagram: a firewall with multiple interfaces separating the Internet zone, a DMZ zone and internal zones.]
Review
Firewall types:
Stateful vs. Stateless
Application Layer vs. Network Layer
Scanning Services
Content Filtering
Signature Identification
Zones
Physical security
One common security truism is "Once you have physical access to a box, all bets are off."
Surveillance
Security guards
Guard dogs
Logging physical access to the facility
Video cameras
Activity (with your team or by yourself): identifying the risks associated with physical access to systems
Access-Control Principles
Utilize implicit denies
Follow the least-privilege model
Access-Control Models
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Unsecure -> Secure
Telnet -> SSH
RSH -> SSH
HTTP -> HTTPS
SNMP v1 & v2 -> SNMPv3
FTP -> SFTP
RCP -> SCP
Review
Physical Security
Restricting Local and Remote Access
Secure and Unsecure Application Protocols
Share Level Security
User Level Security
Disabling Accounts
Modify Account Authorization
Setting Up Anonymous Accounts
Limiting Connections
Renaming the Maintenance Account
Strong passwords
At least 8 characters
Combination of upper and lower case letters, numbers, and symbols
Example: B^1d&7St
Password-Management Features
Automatic Account Lockouts
Password Expiration
Password Histories
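The following is an added example (not from the slides) that models the strong-password rule above and two of the listed management features, password histories and automatic account lockouts; the history depth and lockout threshold are assumed values, and a single per-account salt is used to keep the history comparison short.

```python
"""Password policy, history and lockout model (added example; assumptions noted)."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8          # slide rule: at least 8 characters
HISTORY_DEPTH = 5       # assumed: remember the last 5 passwords
LOCKOUT_THRESHOLD = 3   # assumed: lock after 3 consecutive failures


def password_is_strong(pw: str) -> bool:
    """Slide rule: >= 8 chars with upper, lower, digit and symbol classes."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return all(re.search(c, pw) for c in classes)


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so stored verifiers are not cheap to brute-force.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str):
        if not password_is_strong(password):
            raise ValueError("initial password violates policy")
        self.salt = os.urandom(16)     # one salt per account (simplification)
        self.current = _hash(password, self.salt)
        self.history = []              # hashes of previous passwords
        self.failures = 0
        self.locked = False

    def change_password(self, new_pw: str) -> bool:
        """Reject weak passwords and reuse of the current or recent ones."""
        if not password_is_strong(new_pw):
            return False
        h = _hash(new_pw, self.salt)
        if any(hmac.compare_digest(h, old) for old in [self.current] + self.history):
            return False
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = h
        return True

    def login(self, pw: str) -> bool:
        """Constant-time verifier check with automatic lockout on repeated failure."""
        if self.locked:
            return False
        if hmac.compare_digest(_hash(pw, self.salt), self.current):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= LOCKOUT_THRESHOLD
        return False
```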
SECURITY THREATS
Computer viruses
Worms
Trojan horses
Rootkits - designed to hide the fact that a system has been compromised
Spyware
Dishonest adware
Crimeware - malware designed specifically to automate cybercrime
SYN Flood - sends a flood of TCP SYN packets with a fake sender address to the victim
Teardrop attacks - send mangled IP fragments with overlapping, over-sized payloads to the target
Man-in-the-Middle
http://blogs.paretologic.com/malwarediaries/index.php/category/wireless-security/
Social Engineering
The act of manipulating people into performing actions or divulging confidential information
Usually over the phone
Uses an invented scenario (the pretext)
What is Phishing?
Phishing: creating a replica of an existing Web page in order to fool visitors into providing personal, financial, or password information.
MITIGATION TECHNIQUES
User Training
It makes no sense to create all these policies and procedures and not train the IT staff and the users.
Review
Managing User Account and Password Security
Security Threats
Threat Mitigation Techniques