Principles of Computer Security
Download
Report
Transcript Principles of Computer Security
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Remote Access
Connection, Authentication, Authorization
Chapter 11
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Key Terms (continued)
•
•
•
•
•
•
© 2012
Layer 2 Tunneling Protocol (L2TP)
Mandatory access control (MAC)
Point-to-Point Tunneling Protocol (PPTP)
Remote Access Server (RAS)
Role-based access control (RBAC)
Rule-based access control (RBAC)
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Remote Access Process
• Requires two things:
– A temporary network connection
– A series of protocols to negotiate privileges and commands
• To establish proper privileges, three steps are used:
– Authentication
– Authorization
– Accounting
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Identification
• The process of assigning a computer ID to a specific
user, computer, network device or computer process.
• User IDs should not be shared or descriptive of job
function.
• Links the logon ID or user ID to previously assigned
credentials.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Authentication
• The process of binding a specific ID to a specific
computer connection
• Four categories of secrets are used:
–
–
–
–
© 2012
What users know (password)
What users have (tokens/key cards)
What users are (biometrics)
What users do
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Kerberos
• A network authentication protocol designed for the
client/server environment.
• Uses tickets in a two-step process with the client.
– An authentication server issues a ticket-granting ticket to the
client.
– The ticket is then presented to a Kerberos server to request a
ticket granting access to that server.
– The server the issues a client-to-server ticket to the client.
• The entire session is encrypted.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Kerberos Operations
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Tokens
• A hardware device that counts as both something-youhave and something-you-know.
• A number is displayed on the screen that is used in
conjunction with a user ID.
• The number changes at a constant interval.
• Even if someone finds the token, they won’t know the
corresponding user ID.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
One-Time Password Generator Token
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Multifactor
• Uses more than one authentication mechanism at the
same time. Examples include:
– Biometric scanners and a PIN
– Hardware tokens
– ATM card and a PIN
• Increase the level of security, as multiple methods
would need to be spoofed accurately and
simultaneously.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Single Sign-On
• One authentication method works for every system
that a user needs to access.
• Reduces login hassles:
– Fewer usernames and passwords to remember
• Inherently less secure:
– If a login is compromised for one system, all systems the user
can access are also compromised
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Access Control
• Access is the ability of a subject to interact with an
object.
• An access control matrix shows what can be accessed
by whom.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Models of Access Control
•
•
•
•
© 2012
Discretionary access control (DAC)
Mandatory access control (MAC)
Role-based access control (RBAC)
Rule-based access control (RBAC)
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Discretionary Access Control
• The owner of an object can decide what other subjects
can access the object and what specific access they
may have.
• Often use access control lists
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Mandatory Access Control
• The operating system decides what access will be
granted to an object, based on its label.
• Every subject and every object in the system has a
label, and they must match before access is granted.
– For example, a subject with a “secret” label cannot access an
object with a “top-secret” label.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Role-Based Access Control
• Users are assigned a set of roles that they can perform.
• Each role is assigned the access permissions needed to
carry out its function.
• Simplifies access control: people who need the same
level of access are assigned to the same role, instead of
having to give them all permission individually.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Rule-Based Access Control
• The ACL contains a series of rules, and these rules are
used to determine whether or not access to a resource
is granted.
• Can be used in addition to other access control
methods or as a stand-alone method.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Authentication Protocols
• Numerous authentication protocols exist. Some of
them include:
–
–
–
–
–
© 2012
L2TP and PPTP
PPP
EAP
CHAP
SSH
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
L2TP and PPTP
• Layer 2 Tunneling Protocol (L2TP) and Point-to-Point
Tunneling Protocol (PPTP) are both OSI Layer 2
tunneling protocols.
• Tunneling is the encapsulation of one packet within
another:
– This allows you to hide the original packet from view
– Provides greater security
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
PPP
• Point-to-Point Protocol (PPP) is an OSI Layer 2 protocol
used to connect devices.
• Used for establishing dial-in connections over serial
lines or Integrated Services Digital Network (ISDN)
services.
• Has several authentication mechanisms: PAP, CHAP,
and EAP.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
PPTP
• An extension of PPP that enables the creation of virtual
private networks (VPNs)
• Enables the secure transfer of data from a remote PC to
a server by creating a VPN across a TCP/IP network
• Involves three computers:
– The PPTP client
– The NAS (usually an ISP)
– The PPTP server
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
L2TP
• Designed for use across all kinds of networks, including
ATM and Frame Relay
• Can be implemented by both hardware and software
• Designed to work with established AAA services such
as RADIUS and TACACS+
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Telnet
• Allows users to log in remotely and access resources as
if they had a local terminal connection
• Offers little security, as usernames, passwords, and all
data are passed in clear text over the TCP/IP
connection
• Access control to Telnet on machines and routers
should be implemented when they are first set up
• Uses TCP port 23
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Secure Shell (SSH)
• Secure Shell is a protocol series designed to facilitate secure
network functions across an insecure network.
• SSH was designed as a replacement for the insecure telnet.
• SSH uses TCP port 22.
• SSH has three major components:
– Transport layer protocol
– User authentication protocol
– Connection protocol
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
VPNs
• A virtual private network is a secure network built on
top of a physical network.
• It’s not a protocol in and of itself, but rather a method
of using protocols to achieve secure communications.
• It is typically used to access a corporate data network
from a home PC across the Internet.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
VPN Service Over an Internet Connection
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
IPsec
• Operates at OSI Layer 3, the network layer
• Content and context protection
• Provides a sweeping array of services:
–
–
–
–
–
© 2012
Access control
Connectionless integrity
Traffic-flow confidentiality
Rejection of replayed packets
Data security (encryption)
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Vulnerabilities of Remote Access
Methods
•
•
•
•
© 2012
Plaintext credential passing
Strength of the encryption algorithm
Bugs can open the system to attack
Vendor responsiveness to fixing the bugs once they are
discovered
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Chapter Summary
• Discuss the methods and protocols for remote
access to networks.
• Explain authentication methods and the security
implications in their use.
• Implement virtual private networks (VPNs) and their
security aspects.
• Describe Internet Protocol Security (IPsec) and its
use in securing communications.
© 2012