CISSP Common Body of Knowledge Review:

Telecommunications & Network Security Domain Part 2

Version: 5.9

CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

Learning Objectives Telecommunications & Network Security Domain Part 2

The Telecommunications and Network Security domain encompasses the structures, techniques, transport protocols, and security measures used to provide integrity, availability, confidentiality, and authentication for transmissions over private and public communication networks. The candidate is expected to demonstrate an understanding of communications and network security as it relates to data communications in local area and wide area networks, remote access, internet/intranet/extranet configurations. Candidates should be knowledgeable with network equipment such as switches, bridges, and routers, as well as networking protocols (e.g., TCP/IP, IPSec,) and VPNs.

Reference: CISSP CIB, January 2012 (Rev. 2)

-2-

Question:

Name the seven layers of OSI reference model?

Hint: People do not throw sausage pizza away

-3-

Question:

Name the seven layers of OSI reference model?

Physical (people) Data-Link (do) Network (not) Transport (throw) Session (sausage) Presentation (pizza) Application (away)

-4-

Topics

Telecommunications & Network Security Domain Part 2

Security Countermeasures and Controls

Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer

VPN NAS

-5-

Implementation of Technical Countermeasures

Example implementation of technical countermeasures in Network and Internetworking Services: Routers Switches Encryptors Firewalls Intrusion Detection System (IDS) Intrusion Prevention Systems (IPS) Operating Systems (OS)

Security CONOPs, Security Operations Process & Procedure

Security Operations

DEFENSE-IN-DEPTH
OSI Reference Model Internet Protocol Suite Information Assurance Technical Framework (IATF) Defense Information Infrastructure (DII) & Security Mechanisms

Certification and Accreditation

Application

NFS FTP, Telnet, SMTP, HTTP, SNMP etc. Defending the Computing Environment

Technical Countermeasures

Presentation

XDR

OS + Host-based IDS + Secure Messaging + Trusted RDBMS

Security mechanism, System Architecture,

Session

RPC Supporting the Infrastructure

Transport

TCP

UDP Defending the Enclave

Domain Controller + Active Directory Service + DIICOE APM (+ Directory Services + X.509-based PKI/KMI/ CA) Firewall + Network-based IDS + Switchs

Network

Routing Protocols

IP

ICMP Defending the Network & Infrastructure

ARP, RARP Data-Link

Routers + KGs

Physical Sec.

Facility Security, Protection of Critical Infrastructure

Physical

-6-

Topics

Telecommunications & Network Security Domain Part 2 Security Countermeasures and Controls
Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer
OSI Reference Model TCP/IP Protocol Architecture

Memorization

Away Pizza Sausage Throw Not Do People

Application

Presentation

Application Layer

Session

Transport

Host-to-Host Transport Layer

VPN NAS

Network

Internet Layer Network Access Layer

Data-Link

Physical

-7-

Security Countermeasures & Controls

Security of Physical Layer Review

Transport Medium Cables

LAN: Twisted Pair (Shield, Un-shield), Coaxial, Fiber Optics (Single-mode, Multi-mode) WAN: SONET, X.21-bis, HSSI, SMDS

OSI Reference Model

TCP/IP Protocol Architecture

Application

Presentation

Application Layer

Radio Frequency (RF)

LAN: 2.4GHz, 5GHz, UWB (3.1GHz 10.6GHz) WAN: Microwave (VHF, UHF, HF) (300MHz 300GHz)

Session

Transport

Host-to-Host Transport Layer

Network

Internet Layer Network Access Layer

Data-Link

Light
LAN: Infrared WAN: LASER (medium: fiber, air)

Physical

-8-

Security of Physical Layer

Transport Media

Physical protection of transport media

Cables/ Fibers: Casings (Concrete, Steel pipe, Plastic, etc.) RF: Allocation of radio spectrum, power of RF, selection of line-of-sight (LOS), protection from element (rain, ice, air) Optical: Selection of transport medium, light wave spectrum (multi-mode), LOS and strength of light beam (e.g. LASER, single-mode)

Path Diversity of transport media

Cables / Fibers: Geographic diversity RF: Utilization of radio channels, coverage area Optical: Multi-mode

-9-

Security of Physical Layer

Transport Media

Security considerations for transport media EMI (Electromagnetic Interference)

Crosstalk HEMP (High-altitude Electromagnetic Pulse)

RFI (Radio Frequency Interference)

UWB (Ultra Wide Band): > 500MHz, FCC authorizes the unlicensed use in 3.1 10.6GHz Household microwave oven: 2.45GHz

Transient. Disturbance of power traveling across transport medium Attenuation. Loss of signal strength over distance

- 10 -

Security of Physical Layer

Transport Interfaces (I/Fs)

Physical protection of transport I/Fs

Access control of network equipment
Telco Demarcation / Telecommunication Room Data Center / Server Room Network Closet

Logical protection of transport I/Fs

Disable All Interfaces Not In-Use Enable Interface only when Ready-To-Use Designate specific I/Fs for management Designate specific I/Fs for monitor

- 11 -

Security of Physical Layer

Network Equipment

Enable service password-encryption on all routers. Use enable secret command and not with the enable password command Each router shall have different enable and user password Access routers only from secured or trusted server or console Reconfigure the connect, telnet, rlogin, show ip access-lists, and show logging command to privilege level 15 (secret) Add Warning Banner

Reference: DISA FSO Network STIG

- 12 -

Questions:

Why household microwave oven may interfere with your Wi-Fi (IEEE 802.11b/g)?

Loss of signal strength over distance is?

Disturbance of power traveling across a transport medium is?

- 13 -

Answers:

Why household microwave oven may interfere with your Wi-Fi (IEEE 802.11b/g)?
The microwave oven operates in 2.45GHz and Wi-Fi operates in 2.4GHz

Loss of signal strength over distance is?

Attenuation

Disturbance of power traveling across a transport medium is?

Transient

- 14 -

Topics

Telecommunications & Network Security Domain Part 2 Security Countermeasures and Controls
Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer
Memorization
OSI Reference Model TCP/IP Protocol Architecture

Away Pizza Sausage Throw Not Do People

Application

Presentation

Application Layer

Session

Transport

Host-to-Host Transport Layer

VPN NAS

Network

Internet Layer Network Access Layer

Data-Link

Physical

- 15 -

Security Countermeasures & Controls

Security of Data-Link Layer Review

Data-Link Layer
MAC (LAN & WAN) LLC (LAN)
OSI Reference Model TCP/IP Protocol Architecture Application

LAN Data-Link Layer Protocols

Ethernet (CSMA/CD) Token Ring (Token Passing) IEEE 802.11 a/b/g (CSMA/CA)

Presentation

Application Layer

Session

Transport

Host-to-Host Transport Layer

WAN Data-Link Layer Protocols

X.25 Frame Relay SMDS (Switched Multi-gigabit Data Services) ISDN (Integrated Services Digital Network) HDLC (High-level Data Link Control) ATM (Asynchronous Transfer Mode)

Network

Internet Layer Network Access Layer

Data-Link

Physical

- 16 -

Security Countermeasures & Controls

Security of Data-Link Layer

Confidentiality and Integrity of Data-Link Layer SLIP (Serial Line Internet Protocol) PPP (Point-to-Point Protocol) L2TP (Layer 2 Tunnel Protocol) Link Encryption (i.e. Link / Bulk Encryptor) : ISDN, Frame Relay, ATM RF:
LAN: WEP (Wired Equivalent Privacy), EAP (Extensible Authentication Protocol), IEEE 802.1X WAN: AN/PSC-5 Radio (w/ embedded encryption for SATCOM, DAMA, LOS communications), TADIL-J (Link-16) (w/ embedded encryption for LOS communications)

- 17 -

Security of Data-Link Layer

Serial Line Internet Protocol (SLIP)

SLIP (Serial Line Internet Protocol) is a packet framing protocol that encapsulates IP packets on a serial line Runs over variety of network media:
LAN: Ethernet, Token Ring WAN: X.25, Satellite links, and serial lines

Supports only one network protocol at a time. No error correction No security

- 18 -

Security of Data-Link Layer

Point-to-Point Protocol (PPP)

PPP (Point-to-Point Protocol) is a encapsulation mechanism for transporting multi-protocol packets across Layer 2 point-to-point links. (RFC 1661)
ISDN, Frame Relay, ATM, etc.

PPP replaces SLIP because:

Support multiple network protocols (IP, AppleTalk, IPX, etc.) in a session Options for authentication

Security features:
PAP (Password Authentication Protocol) CHAP (Challenge Handshake Authentication Protocol) EAP (Extensible Authentication Protocol)

- 19 -

Security of Data-Link Layer

Point-to-Point Protocol (PPP)

PAP (Password Authentication Protocol) (RFC 1334)

Authentication process is in plaintext, and it is send over the established link

CHAP (Challenge Handshake Authentication Protocol) (RFC 1994, replaces RFC 1334)
Protection against playback attack by using 3-way handshake:
1. After link established, authenticator sends a challenge message to the peer 2. Peer response with a value calculated using a one-way hash 3. Authenticator calculate the expected hash value and match against the response

CHAP requires that the secret key be available in plaintext form. But the secret key is NOT send over the link
- 20 -

Security of Data-Link Layer

Point-to-Point Protocol (PPP)

EAP (Extensible Authentication Protocol) (RFC 2284) supports multiple authentication mechanisms:
MD5-Challenge One-Time Password (OTP) Generic Token Card

Protection against playback attack by using 3-way handshake:

1. After link established, authenticator sends a authentication request message to the peer 2. Peer send response with a set of values that matches authentication mechanism of the authenticator 3. Authenticator calculates the expected value and match against the response

- 21 -

Security of Data-Link Layer

Layer 2 Tunnel Protocol (L2TP)

L2TP (Layer 2 Tunnel Protocol) (RFC 2661) extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices (e.g. workstation to router) interconnected by a packetswitched network

PPP Frames L2TP Data Message L2TP Data Channel (unreliable) L2TP Control Message L2TP Control Channel (reliable)

Physical Layer Packet Transport (Frame Relay, ATM, ISDN, etc.)

- 22 -

Security of Data-Link Layer

Wired Equivalent Privacy (WEP)

WEP (Wired Equivalent Privacy) is an optional IEEE 802.11 encryption standard.

Implemented at the MAC sub-layer Use RSAs RC4 stream cipher with variable key-size Shared symmetric key, 40-bit! (104-bit is not a standard!) with 24-bit IV (Initialization Vector)

Security issue with WEP

Size of IV (24-bit) + Shared static symmetric key (40-bit or 104-bit) Hacker can collect enough frames in same IV and find out the symmetric key (i.e. related key attack)

Mitigation:
IPsec over 802.11 IEEE 802.11i and IEEE 802.1X
Reference: http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy - 23 -

Security of Data-Link Layer

IEEE 802.1X

IEEE 802.1X uses EAP (Extensible Authentication Protocol)

802.1X is an interoperability standard NOT a security standard!

Uses 3-way handshake, in state machine model:

1. Unauthorized State: After link established, authenticator (access point) sends a authentication request message to the peer. 2. Unauthorized State: Peer send response with a set of values that matches authentication mechanism of the authenticator. 3. Unauthorized State: Authenticator calculates the expected value and match against the response. 4. Authorized State: Exchange encrypted data message.

Reference: http://standards.ieee.org/getieee802/download/802.1X-2004.pdf.

- 24 -

Security of Data-Link Layer

IEEE 802.11i

IEEE 802.11i standard has been ratified on 6/24/2004.

FIPS 140-2 certified by NIST. A.k.a. WPA2 (Wi-Fi Protected Access version 2)

Client Workstation (STA) AP sends a single use random numeric value (Nonce) to STA ANonce

Access Point (AP)

Uses IEEE 802.1X (i.e. EAP) for authentication. Uses 4-way handshake. Uses AES-based CCMP (Counter-mode Cipherblock-chaining Message authentication code Protocol).

STA constructs a Pair-wise Transient Key (PTK)*

STA returns a single use nonce along with Message Integrity Code (MIC) SNonce + MIC

AP returns a Group Temporal Key (GTK) along with MIC to STA GTK + MIC STA send an acknowledgement to AP ACK

AP constructs a PTK*

* As soon as the PTK is obtained it is divided into 3 separate keys: EAP-KCK (Extended Authentication Protocol-Key Confirmation Key) EAP-KEK (Key Encryption Key) TK (Temporal Key) The key used to encrypt the wireless traffic.

Reference: - Q&A, Wi-Fi Protected Access, WPA2 and IEEE 802.11i, Cisco Systems - http://en.wikipedia.org/wiki/IEEE_802.11i

- 25 -

Security of Data-Link Layer

Address Resolution Protocol (ARP) & Reverse ARP (RARP)

ARP (Address Resolution Protocol) maps MAC addresses (physical addresses) to IP addresses (logical addresses) RARP (Reverse ARP), opposite of ARP, maps IP addresses to MAC addresses Preserving integrity of ARP table is the key to security of switching topology.

- 26 -

Security of Data-Link Layer

Address Resolution Protocol (ARP) & Reverse ARP (RARP)

ARP Table is vulnerable to Denial-of-Services (DoS) Attack

A hacker can easily associate an operationally significant IP address to a false MAC address. Then your router begin to send packets into a non-existing I/F.

Man-in-the Middle Attack

A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network.

MAC Flooding Attack

MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. By flooding a switch's ARP table with a ton of spoofed ARP replies, a hacker can overload network switch and put it in hub mode. Then the hacker can packet sniff your network while the switch is in "hub" mode.
Reference: DISA FSO Network STIG - 27 -

Security of Data-Link Layer

Address Resolution Protocol (ARP) & Reverse ARP (RARP)

To preserve integrity of ARP table Logical Access Control:

Static ARP table. Not scalable, but very effective. Enable port security using sticky MAC address. Write the dynamically learned MAC addresses into memory. Disable all un-necessary protocols & services.

Physical Access Control:

Disable all Interfaces Not In-Use. Enable Interface only when Ready-To-Use. Designate specific I/Fs for management. Designate specific I/Fs for monitor.

Reference: DISA FSO Network STIG

- 28 -

Questions:

Why Point-to-point protocol (PPP) is better than Serial Line Internet Protocol (SLIP)?

Both Challenge handshake authentication protocol (CHAP) and Extensible authentication protocol (EAP) uses 3-way handshake. What is the advantage using EAP instead of CHAP?

- 29 -

Answers:

Why Point-to-point protocol (PPP) is better than Serial Line Internet Protocol (SLIP)?
PPP supports multiple internetworking protocols in a session SLIP has no security feature

Both Challenge handshake authentication protocol (CHAP) and Extensible authentication protocol (EAP) uses 3-way handshake. What is the advantage using EAP instead of CHAP?
EAP supports multiple authentication mechanisms: MD5, One-time password (OTP), and Token card.

- 30 -

Questions:

What is the size of the shared static symmetric key for 128-bit Wired Equivalent Privacy (WEP)?

What is the relationship between IEEE 802.1X and IEEE 802.11i?

Is IEEE 802.1X a security standard?

What is the primary security issue for Layer 2 switches?

- 31 -

Answers:

What is the size of the shared static symmetric key for 128-bit Wired Equivalent Privacy (WEP)?
104-bit. 24-bit of Initialization vector (IV)

What is the relationship between IEEE 802.1X and IEEE 802.11i?

IEEE 802.11i uses IEEE 802.1X for EAP authentication

Is IEEE 802.1X a security standard?

No. IEEE 802.1X is an interoperability standard

What is the primary security issue for Layer 2 switches?

Preserving the integrity of ARP table
- 32 -

Topics

Telecommunications & Network Security Domain Part 2 Security Countermeasures and Controls
Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer
OSI Reference Model TCP/IP Protocol Architecture

Memorization

Away Pizza Sausage Throw Not Do People

Application

Presentation

Application Layer

Session

Transport

Host-to-Host Transport Layer

VPN NAS

Network

Internet Layer Network Access Layer

Data-Link

Physical

- 33 -

Security Countermeasures & Controls

Security of Network Layer Review

Logical Addressing (IP address) Controls: ICMP, ARP, RARP Routing: Static, Dynamic Routing Protocols:
Interior Gateway Protocols (IGPs)
Distance Vector Routing Protocols Link State Routing Protocols

OSI Reference Model

TCP/IP Protocol Architecture

Application

Presentation

Application Layer

Session

Transport

Host-to-Host Transport Layer

Exterior Gateway Protocols (EGPs)

State Vector Protocols

Network

Internet Layer Network Access Layer

Data-Link

Physical

- 34 -

Security of Network Layer

Network Address Translation (NAT)

NAT (Network Address Translation) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address. The increased use of NAT comes from several factors: Shortage of IP addresses Security needs Ease and flexibility of network administration RFC 1918 reserves the following private IP addresses for NAT Class A: 10.0.0.0 10.255.255.255 Class B: 172.16.0.0 172.31.255.255 Class C: 192.168.0.0 192.168.255.255
Reference: http://www.ietf.org/rfc/rfc1918.txt - 35 -

Security of Network Layer

Virtual IP Address (VIP)

VIP (Virtual IP Address) is a method that maps a virtual internetworking entity into many computing hosts. One-to-Many:
Used for Load-Balance / Sharing Used limit exposure of multiple IP addresses or multiple network I/Fs. (one-to-many)

Many-to-one:
One network I/F to many IP addresses. Used for Application sharing

- 36 -

Security of Network Layer

Routing: Static vs. Dynamic

Preserving integrity of route table is the key to security of routing topology. Static routing is the most secure routing configuration. However, scalability is a major drawback.
Static Route Table, no automatic updates.

Dynamic routing is scalable, but need to establish security policy to preserve integrity of route table
Automatic updates. Need to set thresholds. Authenticate neighbors and peers.

- 37 -

Security of Network Layer

Dynamic Routing

There are two types of routing protocols: Interior Gateway Protocols (IGPs)
Routing Information Protocols (RIP) Interior Gateway Routing Protocol (IGRP) Enhanced IGRP (EIGRP, Cisco proprietary) Open Shortest Path First (OSPF) Intermediate System to Intermediate System (IS-IS)

Exterior Gateway Protocols (EGPs)

Exterior Gateway Protocol (EGP, RFC 827). EGP is no longer in use for Internet Border Gateway Protocol (BGP). BGP is the standard routing protocol for Internet

- 38 -

Security of Network Layer

Dynamic Routing: Interior Gateway Protocols (IGPs)

Router uses distance vector routing protocols mathematically compare routes using some measurement of distance (or # of hops) and send all or a portion of route table in a routing update message at regular intervals to each of neighbor routers.
RIP (Routing Information Protocol) IGRP (Interior Gateway Routing Protocol) EIGRP (Enhanced IGRP, Cisco proprietary)

Security issues:
Integrity of routing tables: Automatic distribution of route table updates. Operational stability: The routing updates create chainreaction of route table recalculations to every neighbor routers.
Reference: Routing TCP/IP Volume I, by J. Doyle, et. al., Cisco Press - 39 -

Security of Network Layer

Dynamic Routing: Interior Gateway Protocols (IGPs)

To preserve integrity of route table: Use MD-5 authentication between neighbor routers.
Do not use RIPv1, because it does not support MD-5 authentication.

To improve operational stability of routers running distance vector IGPs:

Use Split horizons with poison-reverse updates. It prevents routing loops by preventing a router from updating adjacent neighbors of any routing changes that it originally learned from those neighbors. Use Hold downs (for IGRP & EIGRP). It prevents IGRPs interval updates from wrongly reinstating an invalid route.

Reference: Routing TCP/IP Volume I, by J. Doyle, et. al., Cisco Press

- 40 -

Security of Network Layer

Dynamic Routing: Interior Gateway Protocols (IGPs)

Router uses link-state routing protocols sends only link-state advertisements (LSAs) to each of its neighbor routers.
OSPF (Open Shortest Path First) IS-IS (Integrated intermediate system-to-intermediate system)

Security issues:
Integrity of routing tables: Automatic distribution of LSAs. Operational stability: After the adjacencies are established, the router may begin sending out LSAs. the LSAs create chain-reaction of recalculations of route paths to every neighbor routers (i.e. Link-state Flooding).

Reference: Routing TCP/IP Volume I, by J. Doyle, et. al., Cisco Press

- 41 -

Security of Network Layer

Dynamic Routing: Interior Gateway Protocols (IGPs)

To preserve integrity of route table: Use MD-5 authentication between neighbor routers. To improve operational stability of routers running link-state IGPs:
Set sequence number for each link-state advertisement (LSA). The sequence numbers are stored along with the LSAs, so when a router receives the same LSA that is already in the database and the sequence number is the same, the received information is discarded.

Reference: Routing TCP/IP Volume I, by J. Doyle, et. al., Cisco Press

- 42 -

Security of Network Layer

Dynamic Routing: Exterior Gateway Protocols (EGPs)

Exterior gateway protocols are design for routing between multiple AS (Autonomous Systems).
EGP (Exterior Gateway Protocol). BGP (Border Gateway Protocol). BGP is THE routing protocol for Internet. BGP peers exchange full routing information when a new peer is introduced, then send only updates for route change. BGP is a path vector routing protocol, because the router does its own path calculation, and advertises only the optimal path to a destination network.

Security issues:
Integrity of routing tables: Automatic distribution of route table updates. Operational stability: The router running BGP is vulnerable to route-flap. Where a unstable routing path to an unreachable network may cause dynamic updates to all peering routers and this impacts performance of entire Internet!
- 43 -

Security of Network Layer

Dynamic Routing: Exterior Gateway Protocols (EGPs)

To preserve integrity of route table: Use MD-5 authentication between peering routers. To preserve operational stability of edge routers running BGP:
Enable BGP route-flap damping on all edge routers. For example: Prefix length: /24 /19 /16 Suppress time: 3hr. 45-60min. <30min. Set ACL to deny all Bogon IP addresses. For Edge routers peering on Internet.

Note: Bogon IP addresses are the un-used or not been assigned IP addresses on the Internet. The list can be obtained at http://www.cymru.com/Documents/bogon-list.html.

- 44 -

Security of Network Layer

Packet-filtering Firewall

Router ACLs = Packet-filtering firewall Firewall Policy: Deny by default, Permit by exception.
Understand the data-flow (i.e. source, destination, protocols, and routing methods), so the security engineer knows how to apply IP filtering. Knows the specific inbound and outbound I/Fs Disable all un-necessary protocols & services.

Application

Application

Presentation

Presentation

Session

Session

Transport

Transport

Network

Network

Network

Data-Link

Data-Link

Data-Link

Physical

Physical

Physical

Source

Firewall (RTR w/ ACL)

Destination

Reference: DISA FSO Network STIG

- 45 -

Security of Network Layer

Packet-filtering Firewall

Use distribute-list <ACL> out to control outbound routing information. Use distribute-list <ACL> in to control inbound routing information. Global Filtering:
1. Create ACLs that defines what network information is allowed in/out. 2. Configure distribute-list in the appropriate direction under the routers routing protocol configuration.

OSI Reference Model

Application

Presentation

Session

Transport

Network

Data-Link

Per-interface Filtering:
Apply distribute-list <ACL> <in/out> to a <specific interface>

Physical

Reference: DISA FSO Network STIG

- 46 -

Security of Network Layer

Security of Network Equipment

Physical Access Control

Dedicated access ports for management
Console Port, Auxiliary Port, VTY (Virtual TTY) Port.

Dedicated monitoring I/Fs for SNMP

Use SNMPv3, or SNMPv2c, no default community strings For SNMPv2c, treat community strings as password.

Logical Access Control

Set password & privilege levels. Implement AAA (Authentication, Authorization & Accountability). Implement centralized authentication & authorization mechanism: TACACS+ or RADIUS.

Reference: DISA FSO Network STIG

- 47 -

Security of Network Layer

Security of Network Equipment

Time synchronization
Use multiple time sources. Use NTP for all Layer 3 equipment to synchronize their time. Use NTP authentication between clients, servers, and peers to ensure that time is synchronized to approved servers only.

Event Logging
Configure key ACLs to record access violations. Example: Anti-spoofing violations, VTY access attempts, Router filter violations, ICMP, HTTP, SNMPetc.

Reference: DISA FSO Network STIG

- 48 -

Questions:

What are the two primary security issues associated with the use of dynamic routing protocols?

What is the difference between Interior gateway protocols (IGPs) and Exterior gateway protocols (EGPs)?

- 49 -

Answers:

What are the two primary security issues associated with the use of dynamic routing protocols?
Integrity of routing tables Operational stability

What is the difference between Interior gateway protocols (IGPs) and Exterior gateway protocols (EGPs)?
IGPs are used within autonomous systems. EGPs are used between autonomous systems

- 50 -

Topics

Telecommunications & Network Security Domain Part 2 Security Countermeasures and Controls
Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer
Memorization
OSI Reference Model TCP/IP Protocol Architecture

Away Pizza Sausage Throw Not Do People

Application

Presentation

Application Layer

Session

Transport

Host-to-Host Transport Layer

VPN NAS

Network

Internet Layer Network Access Layer

Data-Link

Physical

- 51 -

Security of Transport & Application Layers

Firewalls

Packet-filtering firewall (i.e. Router ACLs)

Do not examine Layer 4-7 data. Therefore it cannot prevent application-specific attacks

Proxy firewall
It supports selected IP protocols (I.e. DNS, Finger, FTP, HTTP, LDAP, NNTP, SMTP, Telnet). For multicast protocols (PIM, IGMPetc) must be TUNNEL through the firewall

Stateful inspection firewall

Its faster than proxy firewall and more flexible because it examines TCP/IP protocols not the data Unlike proxy firewall, it does not rewrite every packets and does not talk on application servers behalf

- 52 -

Security of Transport & Application Layers

Firewalls

Hybrid Firewalls Circuit-level proxy firewall

IETF created SOCKS proxy protocol (RFC 1928) for secure communications SOCKS creates a circuit between client and server without requiring knowledge about the internetworking service. (No application specific controls) It supports user authentication

Application proxy firewall

Application proxy + Stateful inspection A different proxy is needed for each service It supports user authentication for each supported services. e.g. Checkpoint Firewall-1 NG

- 53 -

Security of Transport & Application Layers

Packet-filtering firewalls

Router ACLs ~ Packet-filter firewall Firewall Policy: Deny by default, Permit by exception
Understand the data-flow (i.e. source, destination, protocols, and routing methods), so the security engineer knows how to apply IP filtering Knows the specific inbound and outbound I/Fs Disable all un-necessary protocols & services

Application

Application

Presentation

Presentation

Session

Session

Transport

Transport

Network

Network

Network

Data-Link

Data-Link

Data-Link

Physical

Physical

Physical

Source

Firewall (RTR w/ ACL)

Destination

Source: DISA FSO Network STIG

- 54 -

Security of Transport & Application Layers

Proxy firewalls

Do not allow any direct connections between internal and external computing hosts Able to analyze application commands inside the payload (datagram) Supports user-level authentications. Able to keep a comprehensive logs of traffic and specific user activities

Presentation

Presentation

TCP/IP Application Layer

Application

Application

Application

Presentation

Session

Session

Session

Transport

Transport

Transport

Network

Network

Network

Data-Link

Data-Link

Data-Link

Physical

Physical

Physical

Source

Firewall

Destination

- 55 -

Security of Transport & Application Layers

Stateful inspection firewalls Supports all TCP/IP-based services, including UDP (by some) Inspects TCP/IP packets and keep track of states of each packets. Low overhead and high throughput Allows direct TCP/IP sessions between internal computing hosts and external clients Offers no user authentication

Application

Application

Application

Presentation

Presentation

Presentation

Session

Session

Stateful Inspection

Session

Transport

Transport

Transport

Network

Network

Network

Data-Link

Data-Link

Data-Link

Physical

Physical

Physical

Source

Firewall

Destination

- 56 -

Security of Transport & Application Layers

Firewall Policy

In principal, firewall performs three actions: Accept: where the firewall passes the IP packets through the firewall as matched by the specific rule Deny: where the firewall drops the IP packets when not matched by the specific rule and return an error message to the source system. (log entries are generated) Discard: where the firewall drops the IP packets, and not return an error message to the source system. (i.e., Like a black hole)

OSI Reference Model

Application

Presentation

Session

Transport

Network

Data-Link

Physical

- 57 -

Security of Transport & Application Layers

Network Design with Firewalls

` `
Public users (Citizen and LoB) ISP Employee User HTTP / HTTPS Internet VPN DOI Intranets Intranet DOI Intranets ISP Federated Enterprise

`
VPN or dedicated circuit

Redundant Routers using diverse path uplinks to external networks

Exterior Firewalls Multi-Service Switches Content Switch for load balacing

DMZ External DNS Business Specific VLAN External DNS Business Specific VLAN

DMZ

FTP Srvr.

Web Srvrs

Web Application Srvrs

Web Application Srvrs

Web Srvrs

FTP Srvr.

Proxy-ed E-mail Srvr. (Virtual)

Proxy-ed Certificate Srvr. (Virtual)

Proxy-ed Directory Srvr. (Virtual)

Proxy-ed Directory Srvr. (Virtual)

Proxy-ed Certificate Srvr. (Virtual)

Proxy-ed E-mail Srvr. (Virtual)

Primary

Backup

- 58 -

Security of Transport & Application Layers

Intrusion Detection System (IDS) & Intrusion Prevention System (IPS)

Network-IDS (Intrusion Detection System) is a passive device

To detect attacks and other security violations To detect and deal with pre-ambles to attacks (i.e., doorknob rattling/ probing / scanning) To document the threat to a network, and improve diagnosis, recovery and correction of an unauthorized intrusion

Network-IPS (Intrusion Prevention System) is a inline device

Has all the same service features of a N-IDS, plus Inference the internetworking behavior to PREVENT further damage to internetworking services

- 59 -

Security of Transport & Application Layers

Intrusion Detection System (IDS) & Intrusion Prevention System (IPS)

N-IDS (and Host-IDS) use knowledge-based (a.k.a. signature-based) methodology to detect intrusions
Uses a database of known attacks and vulnerabilities called signatures Only as good as the last signature update Can be difficult to tune false positives, acceptable behavior.

N-IPS uses behavior-based methodology to detect and prevent intrusions.

Learns normal network or host behavior Alerts when behavior deviates from the norm such as malformed packets, abnormal network utilization, or memory usage

- 60 -

Security of Transport & Application Layers

Network-based Intrusion Detection System (N-IDS)

Network-IDS (intrusion detection system) is a passive device

There are two way to setup the listening interfaces: Network TAP and VLAN Port Spanning on L2 switch N-IDS is composted of two components: Pre-processor (Sensor) and Event Collector/Analyzer
Pre-processor assembles the packets and match them against a pre-defined signature database Event Collector/Analyzer collects the events from all the sensors, correlate and present intrusion pattern
Business Specific VLAN L2 Switch with Port Span on VLAN Business Specific VLAN

Listening I/F

Listening I/F

N-IDS Sensor

N-IDS Sensor

Monitor & Management VLAN

Reporting I/F

Monitor & Management VLAN

Reporting I/F

- 61 -

Security of Transport & Application Layers

Network-based Intrusion Prevention System (N-IPS)

Network-IPS (intrusion prevention system) is an in-line device

Examines network traffic and automatically blocks inappropriate or malicious traffic However, it may block some normal enterprise internetworking LAN traffic. So, its best to use it between the edge router and exterior perimeter firewall
Redundant Routers using diverse path uplinks to external networks

N-IPS Exterior Firewalls Multi-Service Switches Content Switch for load balacing

DMZ

DMZ

Primary

Backup
- 62 -

Questions:

What are the five common types of firewall?

What are the three policy actions a firewall can take?

- 63 -

Answers:

What are the five common types of firewall?

Packet filtering Proxy Stateful inspection Circuit-level proxy (i.e., SOCKS) Application proxy

What are the three policy actions a firewall can take?

Accept Deny Discard

- 64 -

Questions:

If 1 is a router, 4 is located in a DMZ. What is 2?

1 2 3 5 6 4

If 3 is a switch, 5 is a N-IDS, and 6 is a computing platform. What does one have to do to the switch ports to 5 and 6?

- 65 -

Answers:

If 1 is a router, 4 is located in a DMZ. What is 2?

1 2 3 5 6 4

Firewall

If 3 is a switch, 5 is a N-IDS, and 6 is a computing platform. What does one have to do to the switch ports to 5 and 6?
Provision a port span

- 66 -

Topics

Telecommunications & Network Security Domain Part 2 Security Countermeasures and Controls
Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer
Memorization
OSI Reference Model TCP/IP Protocol Architecture

Away Pizza Sausage Throw Not Do People

Application

Presentation

Application Layer

Session

Transport

Host-to-Host Transport Layer

VPN NAS

Network

Internet Layer Network Access Layer

Data-Link

Physical

- 67 -

Security Countermeasures & Controls

Security of Application Layers S-HTTP vs. HTTPS

S-HTTP (Secure HTTP) (RFC 2660) is an experimental protocol designed for use in conjunction with HTTP
S-HTTP is a Message-oriented secure communication protocol

HTTPS is HTTP over SSL (Secure Socket Layer).

SSL works at the Transport Layer level HTTP message is encapsulated within the SSL

- 68 -

Security Countermeasures & Controls

Security of Application Layers SET

Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by MasterCard, Visa, Microsoft, Netscape, and others A user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signature among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality SET uses Netscape's SSL, Microsoft's STT (Secure Transaction Technology), and Terisa System's SHTTP SET uses some but not all aspects of a PKI
- 69 -

Security Countermeasures & Controls

Security of Application Layers DNS

Domain Name System (DNS) translates hostnames to IP addresses. BIND (Berkeley Internet Name Domain) is the most commonly used DNS server on the Internet
DNS server. It supplies domain name to IP address conversion DNS resolver. When it can not resolve DNS request. It send a DNS query to another known DNS server

Security issues with DNS:

DNS cache poisoning, where the legitimate IP addresses are replaced DNS spoofing, where the attacker spoofs the DNS servers answer with its own IP address in source-address field

Countermeasures:
Forbid recursive queries to prevent spoofing Setup multiple DNS servers (External, internal) Keep your BIND up to date
Reference: http://en.wikipedia.org/wiki/Domain_name_system - 70 -

Security Countermeasures & Controls

Security of Application Layers Computing Hosts

Protection of servers (network focused) Be specific on service functions

Limit services, minimize potential exposures Focus on a single function
Web Server DNS Server E-mail Server DB Server Web Pages DNS E-mail DB Services

Install Host-IDS
Enforce CM and Change Control

Install Anti-Virus Disable all processes/services not in use Enforce strict access control
Network I/Fs OS / Applications
- 71 -

Security Countermeasures & Controls

Technical Countermeasures in IATF v3.1

Defense-InSecurity Mechanism Depth
Defending the Network & Infrastructure Defending the Enclave Boundary Redundant & Diverse Comm. Links Encryptors Routers Firewalls Multi-Service & Layer 2 Switches Network-based & Host-based IDSs Defending the Computing Environment Hardened OS Anti-Virus Software

Security Services
Availability Confidentiality, Integrity Access Control Access Control, Integrity Access Control Integrity Access Control, Integrity Access Control, Integrity Confidentiality: Access Control, Identification, Authentication, Integrity, NonRepudiation
Security Services Spectrum: Access Control Confidentiality Integrity Availability Non-Repudiation

Supporting the Infrastructure

PKI (X.509-based Messaging: DMS)

Reference & Guidelines: Information Assurance Technical Framework (IATF), Release 3.1 DoDI 8500.2 Information Assurance (IA) Implementation

- 72 -

Topics

Telecommunications & Network Security Domain Part 2

Security Principles & Network Architecture Security Countermeasures and Controls

Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer

VPN NAS

- 73 -

Security Countermeasures & Controls

Virtual Private Network (VPN) & Tunneling

Tunneling is used to package/encapsulate packets and transport them INSIDE of another packets from one internetworking domain to another. VPN enables the shared internetworking resources to be used as private or dedicated circuits. (i.e. Access Control)
Types of VPN:
LAN-to-LAN Remote Client Access Client-less Remote Access

Example:
PPTP (Point-to-Point Tunneling Protocol) L2TP (Layer 2 Tunneling Protocol) MPLS (Multi-Protocol Label Switching) GRE (Generic Routing Encapsulation) IPsec (Internet Protocol Security) SSH (Secure Shell)
- 74 -

Virtual Private Network (VPN)

Point-to-Point Tunneling Protocol (PPTP)

PPTP (Point-to-Point Tunneling Protocol) operates at Layer 2. (RFC 2637) A protocol which allows PPP (Point-to-Point Protocol) to be tunneled through an IP-based network.
PPTP packages data within PPP packets, then encapsulates the PPP packets within IP packets for transmission through an Internet-based VPN tunnel

PPTP supports data encryption and compression PPTP also uses a form of GRE to get data to and from its final destination

- 75 -

Virtual Private Network (VPN)

Layer 2 Tunneling Protocol (L2TP)

L2TP (Layer 2 Tunneling Protocol) operates at Layer 2. (RFC 2661) A protocol which allows PPP (Point-to-Point Protocol) to be tunneled through an IP-based network. It is a hybrid of PPTP and L2F can support multiple protocols Often combined with IPsec for security

- 76 -

Virtual Private Network (VPN)

Multi-Protocol Label Switching (MPLS)

MPLS (Multi-Protocol Label Switching) (a.k.a. Tag Switching), operates at Layer 2 a data-carrying mechanism, operating at data-link layer. It was designed to provide a unified datacarrying service for both circuit-based clients and packet-switching clients which provide a datagram service model It can be used to carry many different kinds of traffic, including both voice telephone traffic and IP packets. It does not rely on encapsulation and encryption to maintain high-level of security

- 77 -

Virtual Private Network (VPN)

Generic Routing Encapsulation (GRE)

GRE (Generic Routing Encapsulation) (RFC 2784) GRE is a Network Layer tunnel that allows any network protocol to be transmitted over a network running some other protocol such as:
Transmitting multicast datagrams over a unicast network. Transmitting non-TCP/IP routing protocols such as: AppleTalk, IPX, etc.

GRE can be a security issue (i.e. packet-filtering), so recommended that GRE be created in front of a firewall.

- 78 -

Virtual Private Network (VPN)

IPsec (1/6)

IPsec is a protocol suite (RFC 2401 4301, 2411). Transport Layer:

AH (IP Authentication Header) provides connection-less integrity, data origin authentication. ESP (Encapsulating Security Payload) provides confidentiality through encryption.

Application Layer: (RFC 4306)

IKE (Internet Key Exchange) is performed using ISAKMP (Internet Security Association and Key Management IPsec Module 1 IPsec Module 2 Protocol).
IPsec Key Exchange (IKE) ISAKMP ISAKMP

Application Layer
Security Association (SA)

IPSP

Security Association Database

AH protection ESP protection

Security Association Database

IPSP

Transport Layer

Security Association Database

Security Association Database

- 79 -

Virtual Private Network (VPN)

IPsec (2/6)

Authentication Header (AH) (RFC 4302)

AH follows right after IP header Next Header: Identifies the protocol of transferred data Payload Length: Size of AH packet SPI: Identifies the security parameters, which in combination with the IP address, identify the security association implemented with this packet Sequence Number: Used to prevent replay attacks Authentication Data: Contains the integrity check value (ICV) to authenticate the packet
Bits

0 1

4 Next Header

12

16

20

24 Reserved

28

31

Payload Length

Words

2 3 4

Security Parameters Index (SPI) Sequence Number Authentication Data (variable)

- 80 -

Virtual Private Network (VPN)

IPsec (3/6)

Encapsulating Security Payload (ESP) (RFC 4303)

ESP operates directly on top of IP header SPI: Identifies the security parameters in combination with the IP address Sequence Number: Used to prevent replay attacks Payload Data: The encapsulated data Padding: Used to pad the data for block cipher Pad Length: Necessary to indicate the size of padding Next Header: Identifies the protocol of the transferred data Authentication Data: Contains the integrity check value (ICV) to authenticate the packet
Bits 0 1 2 4 8 12 16 20 24 28 31 Security Parameters Index (SPI) Sequence Number Payload Data (variable) Payload Data... Padding... Pad Length Next Header

Words

3 4 5

Authentication Data (variable)

- 81 -

Virtual Private Network (VPN)

IPsec (4/6)

IPsec imposes computational performance costs on the host or security gateways.

Memory needed for IPSec code and data structures Computation of integrity check values. Encryption and decryption. Added per-packet handlingmanifested by increased latency and possibly, reduced throughput Use of SA/key management protocols, especially those that employ public key cryptography, also adds computational costs to use of IPSec
ESP Protocol

IPsec Architecture

AH Protocol

Encryption Algorithm Encryption Algorithm Encryption Algorithm

Authentication Algorithm Authentication Algorithm Authentication Algorithm

Domain of Interpritation (DOI)

Key Management

Reference: http://tools.ietf.org/html/rfc2411

- 82 -

Virtual Private Network (VPN)

IPsec (5/6)

IPsec operates in two modes: Transport mode:

Only the payload is protected (i.e., encryption & hash) IP headers are not encrypted If AH is used then IP address can not be translated (i.e., NAT) For host-to-host communications only

Tunnel mode:
The payload and header are protected (i.e., encryption & hash) Used for network-to-network, host-to-network, and host-to-host communications

Reference: http://en.wikipedia.org/wiki/IPsec - 83 -

Virtual Private Network (VPN)

IPsec... (6/6)

IPsec is implemented in the following popular ways Network-to-Network

IPsec tunnel between two security gateways GRE/IPsec in established Layer 3 tunnel L2TP/IPsec in established Layer 2 tunnel

Host-to-Network
L2TP/IPsec in established Layer 2 tunnel via VPN client on remote client (i.e. your laptop or PC) IPsec tunnel between VPN client to security gateway

Host-to-Host
IPsec in transport mode or tunnel mode between two computing machines
Reference: http://en.wikipedia.org/wiki/IPsec http://en.wikipedia.org/wiki/L2TP http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm RFC 4301, Security Architecture for the Internet Protocol (http://tools.ietf.org/html/rfc4301) - 84 -

Virtual Private Network (VPN)

Secure Sockets Layer (SSL)

SSL (Secure Sockets Layer) Runs between the Application Layer (HTTP, SMTP, NNTP, etc) and Transport Layer (TCP) Supports client/servers negotiation of cryptographic algorithms:
Public-key cryptography: RSA, DiffieHellman, DSA or Fortezza Symmetric ciphers: RC2, IDEA, DES, 3DES or AES One-way hash functions: MD5 or SHA

Client
client hello

Server

server hello certificate server key exchange Request for clients certificate server hello done

certificate client key exchange certificate verification change cipher specification finished

change cipher specification finished

Application Data...

Reference: http://wp.netscape.com/eng/ssl3/

- 85 -

Virtual Private Network (VPN)

Secure Sockets Layer (SSL)

SSL works in two modes:

Application embedded. i.e. HTTPS SSL Tunnel or SSL VPN (e.g. OpenVPN)

Remote Client
Client Application (with embedded support for SSL/TLS) SSLv3/TLSv1

Server
Server Application (with embedded support for SSL/TLS) SSLv3/TLSv1

TCP/IP stack

TCP/IP stack

Data-Link Layer SSL/TLS encrypted payload using e.g. 2048 RSA, 3DES

Data-Link Layer

SSL VPN is less complex than IPsec

Unlike IPsec, SSL protocol sits on top of Transport Layer stack. OpenVPN (a.k.a. user-space VPN) because unlike IPsec, it operates out side of OS kernel. SSL is more flexible in supporting multiple cryptographic algorithms
Remote Client
Server Applications Server Applications Server Applications Server Applications

DOI ESN Networks

Server Applications Server Applications Server Applications Server Applications

TCP/IP stack

TCP/IP stack

SSLv3/TLSv1 Tunnel Client Software SSLv3/TLSv1

SSLv3/TLSv1 Tunnel Security Gateway SSLv3/TLSv1

TCP/IP stack

TCP/IP stack

Data-Link Layer Proprietary transparent SSL/ TLS encrypted VPN tunnel using e.g. 2048 RSA, 3DES

Data-Link Layer

- 86 -

Virtual Private Network (VPN)

Transport Layer Security (TLS)

TLS 1.0 (Transport Layer Security) (RFC 2246) is defined base on SSL 3.0 TLS and SSL protocols are not interchangeable. (during a client/server session) The selection of TLS or SSL is negotiated between client/server at the hello.

Client
client hello

Server

server hello certificate server key exchange Request for clients certificate server hello done

certificate client key exchange certificate verification change cipher specification finished

change cipher specification finished

Application Data...

Reference: http://www.ietf.org/rfc/rfc2246.txt

- 87 -

Virtual Private Network (VPN)

Secure Shell (SSH)

SSH (Secure Shell) is a secure replacement for the r* programs (rlogin, rsh, rcp, rexec, etc.) SSH uses public-key to authenticate users, and supports variety of cryptography algorithms: Blowfish, 3DES, IDEA, etc. SSH protects:

Host

Application Client

SSH Client

Secure SSH Connection Target

Eavesdropping of data transmitted over the network. Manipulation of data at intermediate elements in the network (e.g. routers). IP address spoofing where an attack hosts pretends to be a trusted host by sending packets with the source address of the trusted host. DNS spoofing of trusted host names/IP addresses. IP source routing

Application Server

SSH Server

Reference: http://www.ietf.org/rfc/rfc4251.txt

- 88 -

Questions:

Why PPP can utilize PPTP and L2TP?

What are the two primary purposes to use GRE?

What are the two operating modes for IPsec?

- 89 -

Answers:

Why PPP can utilize PPTP and L2TP?

Because PPP allows multiple protocols per session

What are the two primary purposes to use GRE?

Transmission of non-TCP/IP routing protocols (e.g., AppleTalk or IPX) Transmission of multicast datagrams over a unicast network

What are the two operating modes for IPsec?

Transport mode Tunnel mode

- 90 -

Questions:

Why IPsec requires AH protocol and ESP protocol?

SSL uses which three cryptosystems?

What are the two operating modes for SSL?

- 91 -

Answers:

Why IPsec requires AH protocol and ESP protocol?

AH for authentication and ESP for encryption

SSL uses which three cryptosystems?

Public-key (Asymmetric) (RSA, Diffie-Hellman, DSA or Fortezza) Symmetric (RC2, IDEA, DES, 3DES or AES) Hash function (MD5 or SHA)

What are the two operating modes for SSL?

Application embedded Tunnel mode

- 92 -

Topics

Telecommunications & Network Security Domain Part 2

Security Principles & Network Architecture Security Countermeasures and Controls

Physical Layer Data-Link Layer IP Network Layer Transport Layer Application Layer

VPN NAS

- 93 -

Security Countermeasures & Controls

Network Access Servers (NAS)

NAS (Network Access Server) provides centralized Access Control of AAA (Authentication, Authorization, Accounting) services
A distributed (client/server) security model Authenticated transactions Flexible authentication mechanisms

Versions of NAS:
TACACS+ (Terminal Access Controller Access Control System) (Cisco proprietary). RADIUS (Remote Authentication Dial-In User Service) (Open source). DIAMETER.

Reference: RADIUS: http://www.ietf.org/rfc/rfc3579.txt DIAMETER: http://www.ietf.org/rfc/rfc4005.txt

- 94 -

Network Access Servers (NAS)

Authentication Servers TACACS+

TACACS (Terminal Access Controller Access Control System) (RFC 1492) TACACS+ is a significant improvement of old version. Unlike RADIUS, TACACS is stateful, TCP-based. TACACS is not supported by all vendors. In addition, TACACS protocol does not support authentication proxies, which means user authentication can only be stored centrally in a Cisco ACS. (However, Cisco ACS does support authentication proxy to both UNIX and Windows servers.) Unlike RADIUS, TACACS encrypts entire TCP packet, not just the authentication messages.
Reference: http://www.cisco.com/warp/public/480/10.html http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094eb0.shtml - 95 -

Network Access Servers (NAS)

Authentication Servers RADIUS

RADIUS (Remote Authentication Dial-In User Service) RADIUS Server stores UserID, Password, and Authorization parameter (ACL) centrally. Unlike TACACS, RADIUS does support authentication proxies, so the user authentication information or schema is scale able. Uses CHAP (Challenge Handshake Authentication Protocol) to authenticate user. Client/Server uses shared secret stored in configuration file for encryption and decryption of CHAP, but not data packets. Uses a single UDP packet design for speed and performance.
Reference: RADIUS: http://www.ietf.org/rfc/rfc3579.txt DIAMETER: http://www.ietf.org/rfc/rfc4005.txt

- 96 -

Network Access Servers (NAS)

Authentication Servers Diameter

Diameter (RFC 3588) is designed based on RADIUS that supports Mobile-IP services. Diameter protocol supports NAS, Mobile-IP, ROAMOPS (Roaming Operations), and EAP. Operates peer-to-peer (instead of client/server), supports multiple authentication proxy and broker models. Diameter supports both IPsec (mandatory) and TLS (optional).

Reference: RADIUS: http://www.ietf.org/rfc/rfc3579.txt Diameter: http://tools.ietf.org/html/rfc4005 http://tools.ietf.org/html/rfc3588

- 97 -

Validation Time

1. Class Exercise 2. Review Answers

- 98 -

Exercise #1: VPN

Please provide explanations for the following:

If you are running WPA2 (IEEE 802.11i) at home, why would you need to run IPsec to MITRE? Why is running split tunnel bad? How is MITRE WiFi WPA2 different than your home wireless network running WPA2? (Hint: IEEE 802.1X)

- 99 -

Exercise #2: Layers of Perimeter Security

Please provide examples of network-based perimeter security controls and provide rationale:
For boundary protection at the edge? For DMZ? For enclave protection at the core (/ interior)?

- 100 -