CH 5 Network
Authentication Methods Cont.
• EAP-TTLS is defined in RFC 5281.
• EAP-GPSK (EAP Generalized Pre-Shared Key): EAP-GPSK, defined in RFC 5433, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-GPSK specifies an EAP method based on pre-shared keys and employs secret key-based cryptographic algorithms.
• The setup of these pairwise secret keys is part of the peer registration and must satisfy the system preconditions.
• EAP-TLS is defined in RFC 5106.
EAP Exchanges
• Whatever method is used for authentication, the authentication information and authentication protocol information are carried in EAP messages.
• EAP messages containing the appropriate information for a chosen EAP method are then exchanged between the EAP peer and the authentication server.
• An EAP message consists of the following fields:
• Code: Identifies the Type of EAP message. The codes are Request (1), Response (2), Success (3), and Failure (4).
• Identifier: Used to match Responses with Requests.
• Length: Indicates the length, in octets, of the EAP message, including the Code, Identifier, Length, and Data fields.
• Data: Contains information related to authentication. Typically, the Data field consists of a Type subfield, indicating the type of data carried, and a Type-Data field.
The authentication server functions as a backend
server that can authenticate peers as a service to
a number of EAP authenticators.
• After a lower-level exchange that established the need for an EAP exchange, the
authenticator sends a Request to the peer to request an identity, and the peer
sends a Response with the identity information.
• The conversation continues until either (1) the authenticator determines that it
cannot authenticate the peer and transmits an EAP Failure or (2) the authenticator
determines that successful authentication has occurred and transmits an EAP
Success.
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
EAPOL packet
• The EAPOL packet format includes the following fields:
• Protocol version: version of EAPOL.
• Packet type: indicates start, EAP, key, logoff, etc.
• Packet body length: If the packet includes a body, this field indicates the body length.
• Packet body: The payload for this EAPOL packet. An example is an EAP packet.
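The EAP message fields (Code, Identifier, Length, Data) and the EAPOL framing around them, as an added example that is not part of the slides: it builds and parses both layers, checks that the Length fields agree with the bytes actually present, and walks a Request/Response conversation through to the authenticator's Success or Failure. The EAPOL version value, the Identity type number and the sample frames are assumptions constructed for illustration.

```python
"""Added example, not from the slides: build/parse EAPOL frames and the EAP
packets they carry, then walk an EAP conversation to its Success or Failure.
Field layouts follow the slides (EAPOL: protocol version, packet type, packet
body length, packet body; EAP: Code, Identifier, Length, Data = Type + Type-Data).
The version value, Identity type number and sample frames are constructed."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_TYPE_IDENTITY = 1   # EAP Type value for Identity (RFC 3748)
EAPOL_VERSION = 2       # assumed: the 802.1X-2004 protocol version value


def build_eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    """Length counts the whole message: Code + Identifier + Length + Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_eapol(packet_type: int, body: bytes, version: int = EAPOL_VERSION) -> bytes:
    """EAPOL header: version, packet type, body length, then the body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Split an EAPOL frame into header and body, checking the body-length claim."""
    if len(frame) < 4:
        raise ValueError("EAPOL header needs 4 octets")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:   # truncated frame: never trust the length field blindly
        raise ValueError(f"EAPOL body length {body_len} but only {len(body)} octets present")
    return {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "body": body}


def parse_eap(pkt: bytes) -> dict:
    """Decode Code, Identifier, Length and, for Request/Response, the Type subfield."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length {length} inconsistent with {len(pkt)} octets")
    msg = {"code": EAP_CODES[code], "identifier": ident, "length": length}
    data = pkt[4:length]
    if code in (1, 2):          # only Request and Response carry Type / Type-Data
        if not data:
            raise ValueError("Request/Response must carry a Type octet")
        msg["type"], msg["type_data"] = data[0], data[1:]
    return msg


def responds_to(request: dict, response: dict) -> bool:
    """The Identifier (together with the Type) matches a Response to its Request."""
    return (request["code"] == "Request" and response["code"] == "Response"
            and request["identifier"] == response["identifier"]
            and request["type"] == response["type"])


def walk_exchange(frames: list) -> list:
    """Decode a sequence of EAPOL frames, stopping at Success or Failure;
    raises if a Response does not match the outstanding Request."""
    seen, pending = [], None
    for frame in frames:
        eapol = parse_eapol(frame)
        if eapol["type"] != "EAP-Packet":
            seen.append(eapol["type"])
            continue
        msg = parse_eap(eapol["body"])
        if msg["code"] == "Response":
            if pending is None or not responds_to(pending, msg):
                raise ValueError(f"unsolicited or mismatched Response id={msg['identifier']}")
            pending = None
        elif msg["code"] == "Request":
            pending = msg
        seen.append(msg["code"])
        if msg["code"] in ("Success", "Failure"):
            break
    return seen


# Constructed sample conversation: Start, Request/Identity, Response/Identity, Success
SAMPLE_EXCHANGE = [
    build_eapol(1, b""),                                                    # EAPOL-Start
    build_eapol(0, build_eap(1, 7, bytes([EAP_TYPE_IDENTITY]))),            # Request/Identity, id 7
    build_eapol(0, build_eap(2, 7, bytes([EAP_TYPE_IDENTITY]) + b"alice")), # Response/Identity, id 7
    build_eapol(0, build_eap(3, 7)),                                        # Success
]

if __name__ == "__main__":
    print(walk_exchange(SAMPLE_EXCHANGE))
```

The two length checks are the part worth copying: an authenticator or supplicant that trusts the EAPOL body length or the EAP Length field without comparing it to the octets received reads past the buffer, and a Response whose Identifier does not match the outstanding Request should be discarded rather than processed.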
Cloud Computing
• NIST defines cloud computing, in NIST SP-800-145 (The NIST Definition of Cloud Computing), as follows:
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
The cloud computing elements in the figure can be broken down into three categories: service models, deployment models, and essential characteristics.
• Service models define the type of service a cloud provider offers. The three main service models are:
  • Infrastructure as a Service (IaaS): IaaS provides the basic building blocks of cloud computing, like storage, servers and networking. Users have control over the operating system and everything above it.
  • Platform as a Service (PaaS): PaaS provides a platform for developing, deploying, and managing applications. Users have control over the deployed applications and configurations, but not the underlying infrastructure.
  • Software as a Service (SaaS): SaaS is a complete software solution delivered over the internet. Users access the software application through a web browser or API.
• Deployment models define the location of the cloud service. The four main deployment models are:
  • Public cloud: A public cloud is owned and operated by a cloud service provider and delivers services to the general public over the internet.
  • Private cloud: A private cloud is for the exclusive use of a single organization. It can be located on-premises or hosted by a third-party service provider.
  • Community cloud: A community cloud is shared by a group of organizations that have a shared interest.
  • Hybrid cloud: A hybrid cloud combines two or more deployment models, such as a public cloud and a private cloud.
• Essential characteristics are the five key properties that define cloud computing:
  • On-demand self-service: Users can provision and configure cloud computing resources without needing to interact with a cloud provider’s sales team.
  • Broad network access: Cloud computing services are available
Cloud Computing Reference Architecture
• NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference architecture, described as follows:
Cloud broker
• Useful when cloud services are too complex for a cloud consumer to easily manage
• Three areas of support can be offered by a cloud broker:
  • Service intermediation: Value-added services such as identity management, performance reporting, and enhanced security
  • Service aggregation: The broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
  • Service arbitrage: A broker has the flexibility to choose
Cloud carrier
• A networking platform that provides connectivity and transport of cloud services between cloud consumers and service providers
Cloud auditor
• An independent entity that can ensure that the service provider conforms to a set of standards
Malicious insiders
• Countermeasures: enforce strict supply chain management and
conduct a comprehensive supplier assessment; specify human
resource requirements as part of legal contract; require
transparency into overall information security and management
practices, as well as compliance reporting; determine security
breach notification processes
Risks and Countermeasures (continued)
• Insecure interfaces and APIs
  • Countermeasures: analyzing the security model of CP (Cloud provider) interfaces; ensuring that strong authentication and access controls are implemented in concert with encryption machines; understanding the dependency chain associated with the API
• Shared technology issues
  • Countermeasures: implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits
• Data loss or leakage
  • Countermeasures: implement strong API access control; encrypt and protect integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices
Risks and Countermeasures (continued)
• Account or service hijacking
• Countermeasures: prohibit the sharing of
account credentials between users and
services; leverage strong two-factor
authentication techniques where
possible; employ proactive monitoring to
detect unauthorized activity; understand
CP security policies and SLAs
• Unknown risk profile
• Countermeasures: disclosure of
applicable logs and data; partial/full
disclosure of infrastructure details;
monitoring and alerting on necessary
information
Table 5.3 NIST Guidelines on Security and Privacy Issues and Recommendations (page 1 of 2)
• The user has little ability to access individual data items based on searches or indexing on key
parameters
• The user would have to download entire tables from the database, decrypt the tables, and
work with the results
• To provide more flexibility it must be possible to work with the database in its encrypted form
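The two ways of querying an encrypted database described above, as an added example that is not part of the slides: the baseline in which the user downloads every row and decrypts it, beside a scheme in which the server also stores a keyed hash (a "blind index") of the search attribute so it can return only the matching rows without holding the decryption key. The records, keys and table layout are constructed; the HMAC-SHA256 counter keystream stands in for a real cipher such as AES-GCM purely so the example runs with the standard library.

```python
"""Added example, not from the slides: working with a database in encrypted form.
Records are stored as ciphertext plus a blind index (HMAC of the search attribute).
The keystream cipher is a dependency-free stand-in for AES; records are constructed."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_record(enc_key: bytes, record: dict) -> bytes:
    pt = json.dumps(record, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)      # fresh nonce: equal records give different blobs
    ks = _keystream(enc_key, nonce, len(pt))
    return nonce + bytes(a ^ b for a, b in zip(pt, ks))


def decrypt_record(enc_key: bytes, blob: bytes) -> dict:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)).decode())


def blind_index(index_key: bytes, value: str) -> str:
    """Deterministic keyed hash of the search attribute; the server cannot invert it."""
    return hmac.new(index_key, value.encode(), hashlib.sha256).hexdigest()


class EncryptedTable:
    """Server side: holds only (blind index, ciphertext) pairs, never a key."""
    def __init__(self):
        self.rows = []

    def insert(self, index_value: str, blob: bytes) -> None:
        self.rows.append((index_value, blob))

    def select(self, index_value: str) -> list:
        return [blob for iv, blob in self.rows if iv == index_value]

    def dump(self) -> list:
        return [blob for _, blob in self.rows]


def load(table, enc_key, index_key, records, search_field):
    for r in records:
        table.insert(blind_index(index_key, r[search_field]), encrypt_record(enc_key, r))


def query_without_index(table, enc_key, search_field, value):
    """Baseline from the slides: download the whole table, decrypt, then filter.
    Returns (matching records, number of rows transferred)."""
    blobs = table.dump()
    rows = [decrypt_record(enc_key, b) for b in blobs]
    return [r for r in rows if r[search_field] == value], len(blobs)


def query_with_index(table, enc_key, index_key, value):
    """Server selects on the blind index; only matching rows are transferred and decrypted."""
    blobs = table.select(blind_index(index_key, value))
    return [decrypt_record(enc_key, b) for b in blobs], len(blobs)


# Constructed sample keys and records (fixed so the run is repeatable)
ENC_KEY = hashlib.sha256(b"example-encryption-key").digest()
INDEX_KEY = hashlib.sha256(b"example-index-key").digest()
RECORDS = [
    {"name": "alice", "dept": "engineering", "salary": 70},
    {"name": "bob", "dept": "finance", "salary": 65},
    {"name": "carol", "dept": "engineering", "salary": 72},
    {"name": "dana", "dept": "finance", "salary": 68},
]


def demo():
    """Returns (names via full download, rows transferred, names via index, rows transferred)."""
    table = EncryptedTable()
    load(table, ENC_KEY, INDEX_KEY, RECORDS, "dept")
    full, n_full = query_without_index(table, ENC_KEY, "dept", "finance")
    fast, n_fast = query_with_index(table, ENC_KEY, INDEX_KEY, "finance")
    return sorted(r["name"] for r in full), n_full, sorted(r["name"] for r in fast), n_fast


if __name__ == "__main__":
    print(demo())
```

Both queries return the same two records, but the indexed query transfers and decrypts only those two rows and the server never sees a plaintext attribute. The cost of the flexibility is that a deterministic index reveals which rows share a value and how many rows each value has, so it suits equality lookups on attributes where that pattern is acceptable, and the index key must be kept separate from the encryption key.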
Cloud Security as a Service (SecaaS)
• The Cloud Security Alliance defines SecaaS as the
provision of security applications and services via the
cloud either to cloud-based infrastructure and software
or from the cloud to the customers’ on-premise systems
• The Cloud Security Alliance has identified the following
SecaaS categories of service:
• Identity and access management
• Data loss prevention
• Web security
• E-mail security
• Security assessments
• Intrusion management
• Security information and event management
• Encryption
• Business continuity and disaster recovery
• Network security
Table 5.4 Control Functions and Classes
Summary
• Network access control
• Elements of a network access control system
• Network access enforcement methods
• Extensible authentication protocol
• Authentication methods
• EAP exchanges
• Cloud security as a service
• IEEE 802.1X port-based network access control
• Cloud computing
• Elements
• Reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Addressing cloud computing security concerns
Review Questions
What is an EAP?
The Extensible Authentication Protocol (EAP) acts as a
framework for network access and authentication protocols.
EAP provides a set of protocol messages that can encapsulate
various authentication methods to be used between a client
and an authentication server.
EAP can operate over a variety of network and link-level
facilities, including point-to-point links, LANs, and other
networks, and can accommodate the authentication needs of
the various links and networks.
5.4 What is DHCP? How useful is it to help achieve security of IP
addresses?