Scribd Logo
Upload

Welcome to Scribd!

  • 18 views

    Module 8 - Remote Access

    Uploaded by

    Don Jino
    Remote access allows users to log into a network from a distant location using a computer, modem, and remote access software. It involves establishing a temporary network connection and negotiating user privileges through authentication, authorization, and accounting protocols. Common remote access methods include SSH, VPNs like PPTP and L2TP, and remote desktop protocols. Network security tools like firewalls, IDSs, and authentication systems help secure remote access.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Module 8 - Remote Access

    Uploaded by

    Don Jino
    18 views30 pages
    Remote access allows users to log into a network from a distant location using a computer, modem, and remote access software. It involves establishing a temporary network connection and negotiating user privileges through authentication, authorization, and accounting protocols. Common remote access methods include SSH, VPNs like PPTP and L2TP, and remote desktop protocols. Network security tools like firewalls, IDSs, and authentication systems help secure remote access.

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Remote access allows users to log into a network from a distant location using a computer, modem, and remote access software. It involves establishing a temporary network connection and negotiating user privileges through authentication, authorization, and accounting protocols. Common remote access methods include SSH, VPNs like PPTP and L2TP, and remote desktop protocols. Network security tools like firewalls, IDSs, and authentication systems help secure remote access.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    18 views30 pages

    Module 8 - Remote Access

    Uploaded by

    Don Jino
    Remote access allows users to log into a network from a distant location using a computer, modem, and remote access software. It involves establishing a temporary network connection and negotiating user privileges through authentication, authorization, and accounting protocols. Common remote access methods include SSH, VPNs like PPTP and L2TP, and remote desktop protocols. Network security tools like firewalls, IDSs, and authentication systems help secure remote access.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 30

    What is Remote Access?

    ❑ refers to the ability to log onto a network from a distant location


    ❑ implies a computer, a modem, and some remote
    access software to connect to the network

    Two elements involved in remote access process:


    ❑ temporary network connection
    ❑ series of protocols to negotiate privileges and commands

    Three steps to establish proper privileges:


    ❑ Authentication
    ❑ Authorization
    ❑ Accounting
    standard terminal-emulation protocol within the TCP/IP
    protocol series, and it is defined in RFC 854

    allows users to log in remotely and access resources as


    if the user had a local terminal connection

    makes its connection using TCP port 23


    protocol series designed to facilitate secure network functions across an insecure
    network
    provides direct support for secure remote login, secure file transfer, and secure
    forwarding of TCP/IP and X Window System traffic
    implemented on servers through the use of SSH daemon that listens for incoming
    client connections on port 22 by default

    has facilities to automatically encrypt data, provide authentication, and compress


    data in transit

    consists of three major components:


    ❑ Transport layer protocol
    ❑ User authentication protocol
    ❑ Connection protocol
    stands for Point-to-Point Tunneling Protocol

    usually used to implement security over a PPP


    connection

    popular choice because it’s available in Microsoft


    Windows and relatively simple to implement

    uses TCP port 1723


    stands for Layer Two Tunneling Protocol

    intended as a replacement for PPTP and L2F, combining the


    best features of both

    supports PAP, CHAP, MS-CHAP and other authentication


    protocols

    use UDP port 1701


    secure “virtual” networks built atop
    physically connected networks
    usually perform user authentication
    protocols include PPTP, L2TP, SSH
    and IPSec

    A “session within a session” can create a


    secure connection over a public network.
    the most popular Layer 3 tunneling protocol, uses public key
    encryption technology

    establishes an SA (Security Association) for each side of the


    connection and negotiates session keys via ISAKMP (Internet
    Security Associations and Key Management Protocol), which
    uses port 500 to pass its traffic

    packet types:
    ❑ authenticationheader (AH) protocol
    ❑ encapsulating security payload (ESP) protocol
    IPSec Transport and Tunnel Modes

    A Simplified comparison of IP V4 and IPSec Transport mode. A more detailed drawing


    would be: IP Header + AH Header + ESP header + TCP/UDP header + payload + IPSec
    ESP trailer + IPSec ESP Auth.
    IPSec Transport and Tunnel Modes

    A Simplified comparison of IP V4 and IPSec Tunnel mode. A more detailed drawing would be: Transit IP header + IPSec ESP
    header + original IP header + TCP/UDP header + payload + IPSec ESP trailer + IPSec ESPAuth.
    relatively recent protocol enhancement that creates a standard for how
    authentication is performed over an 802 standards-based network

    improves scalability and security of wireless LAN authentication, and allows


    for the use of multiple authentication mechanisms as needed

    uses a specific form of the Extensible Authentication Protocol (EAP), called


    EAP Over LANs (EAPOL)

    used to return encryption keys to users, allowing the network to dynamically


    vary the encryption used by each connection, rather than requiring that all
    stations be pre-configured with a fixed key
    de-facto standard client/server protocol that authenticates and
    authorizes users connecting
    to a network, to access the network’s resources, utilizing a
    centralized database

    widely supported and popular authentication protocol, which


    many users consider providing better authentication security
    than its main alternatives, TACACS+ and unencrypted LDAP
    alone
    In general, the way RADIUS based
    authentication works is:

    ❑ A user dials in (via modem, DSL, etc.) as a client to a remote access server, and
    provides credentials (user/password) in response to the remote access server’s
    request
    ❑ The remote access server (itself a client to a RADIUS server) communicates the
    credentials to the RADIUS server, after encrypting it by computing an MD5 hash (see
    chapter 4) of it using a “secret” shared between client and server (this is an example
    of one way in which credentials are communicated)
    ❑ The RADIUS server uses a user/password database or perhaps integration with a
    network- based authentication system like Windows passwords or LDAP to validate
    the password, and returns the results to the remote access server
    ❑ The remote access server then accepts or denies the connection
    stands for Terminal Access Controller Access Control
    System+

    developed by Cisco

    builds on XTACACS by adding a two-factor user authentication,


    system and encrypting all client/server communication

    has some security vulnerabilities that may concern you if end-


    users have access to the network over which TACACS+ traffic
    travels
    monitors any network traffic and logs/notifies any possible
    malicious activity, note activity that deviates from normal behavior,
    catalog and classify the activity, and if possible, respond to the
    activity

    categorized into two types:


    ❑ Host-based IDS – examines activity on an individual system, such as
    a mail server, web server, or individual PC
    ❑ Network-based IDS – examines the activity on
    the network itself
    An IDS may have logical components:

    ❑ Traffic collector – collects activity/events to


    examine by the IDS.
    ❑ Analysis engine – examines the collected network traffic and compares it to
    known patterns of suspicious or malicious activity stored in the signature
    database; also known as the “brains” of the IDS.
    ❑ Signature database – collection of patterns and definitions of known suspicious
    or malicious activity.
    ❑ User interface and reporting – interfaces with the human element, providing
    alerts when appropriate and giving the user a means to interact with and operate
    the IDS.
    Logical Depiction of IDS Components
    system that examines log files, audit trails, and network
    traffic coming in to or leaving a specific host

    consults several types of log files (kernel, system, server,


    network, firewall, and more), and compare the logs against
    an internal database of common signatures for known
    attacks

    can operate in real time (looking for activity as it occurs) and


    in batch mode (looking for activity on a periodic basis)
    Host-based IDS look for certain activities that characterize hostile
    actions or misuse such as:

    ❑ Logins at odd hours


    ❑ Login authentication failures
    ❑ Adding new user accounts
    ❑ Modification or access of critical system files
    ❑ Modification or removal of binary files
    (executables)
    ❑ Starting or stopping processes
    ❑ Privilege escalation
    ❑ Use of certain programs
    Host-Based IDS Components
    Advantages of Host-Based IDS: Disadvantages of Host-Based IDS:

    ✓ They can be very operating system-  Must have a process on every system
    specific and have more detailed you want to watch
    signatures  Can have a high cost of ownership
    ✓ They can reduce positive rates and maintenance
    ✓ They can examine data after it has been  Uses local system resources
    decrypted  Has a very focused view and cannot
    ✓ They can be very application specific relate to
    ✓ They can determine whether or not an activity around it
    alarm may impact that specific system  If logged locally, could be
    compromised or disabled
    system that examines the network traffic as it passes by and analyzes traffic
    according to protocol, type, amount, source, destination, content, traffic
    already seen, etc.

    Network-based IDS look for certain activities that characterize hostile actions or
    misuse such as:

    ❑ Denial of service attacks


    ❑ Port scans or sweeps
    ❑ Malicious content in the data payload of a packet or packets
    ❑ Vulnerability scanning
    ❑ Trojans, viruses, or worms
    ❑ Tunneling
    ❑ Brute-force attacks
    Network-Based IDS Components
    Advantages of Network-Based IDS: Disadvantages of Network-Based IDS:

    ✓ It takes fewer systems to provide IDS  It is ineffective when traffic is encrypted


    coverage  It can’t see traffic that does not cross it
    ✓ Deployment, maintenance, and upgrade  It must be able to handle high volumes of
    costs are usually lower traffic
    ✓ It has visibility into all network traffic and  It doesn’t know about activity on the hosts
    can correlate attacks among multiple themselves
    systems
    pre-defined patterns used to spot malicious or suspicious traffic

    composed of two main groups: content-based


    and context-based

    Content-based signatures are designed to look at the content of


    network packets or log entries.They are considered the simplest form.
    The following are example content-based signatures:

    ❑ Matching the characters “/etc/passwd” in a telnet


    session
    ❑ Matching a TCP packet with the synchronize, reset, and urgent flags all set
    ❑ Matching the characters “to: decode” in the header of an e-mail message
    Context-based signatures are designed to match large patterns of
    activity and examine how certain types of activity fit into the other
    activities going on around them. They are generally more
    complicated. Context signatures are more difficult to analyze and take
    more resources to match. The following are example context-based
    signatures:

    ❑ Match a potential intruder scanning for open web servers on a specific network
    ❑ Identify a Nessus scan
    ❑ Identify a ping flood attack
    In anomaly detection model, the IDS must know what “normal” behavior on the host
    or network being protected really is.

    Anomaly detection was developed to make the system capable of dealing with
    variations in traffic and to determine which activity patterns were malicious.

    In misuse detection mode, the IDS looks for suspicious activity or activity that
    violates specific policies and then reacts as it has been programmed.

    The misuse detection model is more efficient since it takes fewer resources to
    operate, does not need to learn what “normal” behavior is, and generates an alarm
    whenever a pattern is successfully matched.
    sometimes called a digital sandbox

    based on the concept of attracting attackers away from legitimate


    systems by presenting more tempting or interesting systems that
    appear to be easy target

    gives the appearance of a real network, application servers, user


    systems, network traffic, etc.

    security personnel monitor traffic in and out of a honeypot to better


    identify potential attackers along with their tools and capabilities
    Logical Depiction of a Honeypot

    At t a ck er

    Hon eyp ot
    system
    formalized response of reacting to a situation such as a security
    breach or system outage

    it is how an organization reacts to an unusual


    negative situation

    covers the technical and administrative aspects of dealing with incidents


    and can range in formality from simple approach to a formal, detailed
    step-by-step response plan including procedures and tools that covers
    every situation imaginable

    You might also like