Pi's Website - Archived

Security+ Domain 2.1 - Communication Security - Remote Access Technologies
 
2.1 Recognize and understand the administration of the following types of remote access technologies
o 802.1x
o VPN (Virtual Private Network)
o RADIUS (Remote Authentication Dial-In User Service)
o TACACS (Terminal Access Controller Access Control System)
o L2TP / PPTP (Layer Two Tunneling Protocol / Point to Point Tunneling Protocol)
o SSH (Secure Shell)
o IPSEC (Internet Protocol Security)
o Vulnerabilities

802.1x

What is 802.1x?
802.1x is a form of port-based access control used in remote access. Before I go further, I need to define the Point-to-Point Protocol (PPP) and the Extensible Authentication Protocol (EAP).

What are PPP and EAP?
PPP is used to create a connection between two network devices. It was originally common in dial-up but is now used more widely. PPP's built-in authentication consisted of only a username and password, so EAP was developed as a more secure authentication method and is now included in PPP.

802.1x continued
802.1x is just a standard of how to use EAP over a local area network (LAN). EAP frames are packaged (encapsulated) and sent over the network without PPP. 802.1x's protocol is known as EAP encapsulation over LANs, or EAPOL. Now for a few vocab words. A supplicant is the user wishing to be authenticated, the authenticator is the device the supplicant connects to and the server that authenticates the supplicant is creatively named the authentication server. The authentication server does not have to be sophisticated at all, which is an advantage of 802.1x.
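As an added example (not from the page or its sources), here is a small Python parser for the EAPOL frames a supplicant sends to an authenticator, run over two constructed frames: an EAPOL-Start and an EAP-Response/Identity. The MAC addresses and the identity "alice" are made up; the frame layouts follow IEEE 802.1X and RFC 3748.

```python
import struct

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP"}

def parse_eapol(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying EAPOL and, for EAP-Packet frames,
    the EAP header inside it (plus the Identity string when present).
    Length fields are checked so a truncated or lying frame raises instead
    of being misread."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL length field exceeds frame")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:
        return info  # Start/Logoff/Key frames carry no EAP packet to decode
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body) or eap_len < 4:
        raise ValueError("EAP length field inconsistent with EAPOL body")
    info.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type byte
        info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        if body[4] == 1:  # Identity: the rest of the packet is the user identity
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info

# Constructed sample frames: supplicant 00:11:22:33:44:55 sending to the
# 802.1X PAE group address 01:80:c2:00:00:03 (what an authenticator listens on)
_HDR = bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455") + b"\x88\x8e"
SAMPLE_START = _HDR + b"\x01\x01\x00\x00"  # EAPOL-Start, empty body
SAMPLE_IDENTITY = _HDR + b"\x01\x00\x00\x0a" + b"\x02\x01\x00\x0a\x01alice"  # EAP-Response/Identity

if __name__ == "__main__":
    for f in (SAMPLE_START, SAMPLE_IDENTITY):
        print(parse_eapol(f))
```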

VPNs
 
What is a Virtual Private Network?
A virtual private network, or VPN, is a secure way to connect one location, or user, to another over a public network.

What are some advantages of VPNs?
VPNs are widely used because:
  • They reduce costs - the company does not have to pay for private circuits (dedicated or for rent) and there are no long-distance fees for dialing in remotely to a Remote Access Service (RAS) server.
  • They increase the security of data passing through a public network.


How do they work?
VPNs create virtual "tunnels" inside a public network where data is encrypted. Data packets are encapsulated, or put inside, other packets which are then sent over the network. There are three protocols necessary for tunneling:

  1. The carrier protocol - the protocol used by the public network, such as IP over the Internet
  2. The encapsulation protocol - the protocol determining how the data is wrapped. There are several possibilities including the Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), Secure Shell (SSH), and IPSec.
  3. The passenger protocol - the protocol of the original data. There are several different protocols including IP, IPX, and NetBEUI.


What types of VPNs are there?
There are two types of VPNs: Site-to-Site and Remote Access.

  1. Site-to-site, or LAN-to-LAN, VPNs are generally between business partners or different branches/offices of a corporation. The tunnel is usually created between two routers or firewalls. This type is sometimes split into intranet VPNs, which are between two offices of the same company, and extranet VPNs, which are between two different companies.
  2. Remote Access VPNs, or virtual private dial-up networks (VPDNs), are created from an end user to the company.

RADIUS
 
What is RADIUS?
RADIUS stands for Remote Authentication Dial-in User Service.  It was originally designed for dial-in authentication, but has expanded into wireless networks and VPNs for authentication. 
 
Which protocols are supported by RADIUS?
RADIUS supports:
  • Point-to-Point Protocol, or PPP
  • Password Authentication Protocol, or PAP
  • Challenge Handshake Authentication Protocol, or CHAP

 

How does RADIUS work?

According to the Security+ Study Guide, Second Edition from Syngress, RADIUS authentication has five steps:

  1. First, the connection must be initiated with a Remote Access Server (RAS), which then asks the user for a password and username.
  2. Then, the RAS uses a "shared secret" to encrypt the password and username which it sends to the RADIUS server.
  3. The RADIUS server looks at the database to see if the user's credentials are present.
  4. The server either gives an "access-accept" or "access-reject" message to the RAS depending on whether the username and password combination is valid.
  5. The RAS either allows the client to connect or doesn't depending on the results of step 4.
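Added example (not from the page or the study guide it cites) implementing steps 1 to 4 in Python: the RFC 2865 User-Password hiding that the RAS applies with the shared secret, and the server-side lookup that answers Access-Accept or Access-Reject. One caveat a practitioner should know: RFC 2865 hides only the password attribute, the username travels in the clear. The shared secret, user database and credentials are constructed.

```python
import hashlib
import hmac
import secrets

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2, done by the RAS.
    The password is NUL-padded to a multiple of 16 bytes; each 16-byte chunk
    is XORed with MD5(secret + previous chunk), the first chunk using the
    16-byte Request Authenticator that travels in the clear."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        hidden, prev = hidden + chunk, chunk
    return hidden

def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse operation performed by the RADIUS server (needs the same secret)."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")  # drop padding (assumes passwords have no trailing NULs)

USERS = {b"alice": b"correct horse"}  # constructed user database on the RADIUS server

def radius_server(secret: bytes, request_auth: bytes, username: bytes, hidden: bytes) -> str:
    """Steps 3-4: look the user up and reply Access-Accept or Access-Reject."""
    candidate = reveal_password(secret, request_auth, hidden)
    # constant-time comparison so a wrong guess and a right guess take equal time
    if hmac.compare_digest(USERS.get(username, b""), candidate):
        return "Access-Accept"
    return "Access-Reject"

def access_request(secret: bytes, username: bytes, password: bytes) -> str:
    """Steps 1-2 from the RAS side: fresh random Request Authenticator, hidden
    password, then the server's verdict (step 5 is the RAS acting on it)."""
    request_auth = secrets.token_bytes(16)
    hidden = hide_password(secret, request_auth, password)
    return radius_server(secret, request_auth, username, hidden)

if __name__ == "__main__":
    print(access_request(b"s3cret", b"alice", b"correct horse"))  # Access-Accept
    print(access_request(b"s3cret", b"alice", b"wrong"))          # Access-Reject
```

Because the hidden bytes depend on the shared secret, a capture of the Access-Request alone does not yield the password; protecting that secret (and the RAS-to-server path) is what step 2 actually relies on.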

 

What are some weaknesses of RADIUS?

The main weakness of RADIUS is its vulnerability to buffer overflow attacks, in which more data is written into a buffer than it can hold, so the buffer overflows.


TACACS
 
What is TACACS?
TACACS stands for Terminal Access Controller Access Control System.  There have been various versions including the original, TACACS, then Cisco's Extended TACACS, or XTACACS, then finally Cisco's (proprietary) competitor for RADIUS, TACACS+.
 
What are the differences between the versions?
The original TACACS allowed for Authentication and Authorization, but not Accounting (from the AAA model).  It used the User Datagram Protocol (UDP) for communication, but UDP does not support sequencing.  This was fixed in XTACACS when Cisco switched to the Transmission Control Protocol, or TCP.  Finally, Cisco developed TACACS+, which is proprietary, as the format of the packets is completely different.  It provides Authentication, Authorization, and Accounting, and, unlike the other versions, it has a separate database for each of those three.
 
What are some weaknesses of TACACS+?
TACACS+ does have weaknesses.  The primary one is that it cannot prevent replay attacks.  Additionally, it is vulnerable to birthday attacks, buffer overflows, packet sniffing, and it does not check integrity since data isn't encrypted.

PPTP
 
What is PPTP?
PPTP stands for Point-to-Point Tunneling Protocol, and was designed by Microsoft.  It encapsulates PPP data packets between two points.
 
What are some weaknesses of PPTP?
PPTP has a few weaknesses.  First, it does not encrypt data during negotiation.  Second, it only works on IP-based networks. Finally, it cannot use IPSec.

L2TP
 
What is L2TP?
L2TP, or Layer 2 Tunneling Protocol, came from a combination of PPTP and Cisco's L2F (Layer 2 Forwarding) protocols.  L2F didn't offer encryption, only encapsulation.  L2TP was an improvement, but, like PPTP and L2F, it does not offer encryption, so IPSec is required for encryption.  L2TP is frequently used as a "hardware solution."  L2TP, unlike PPTP, can be used with multiple protocols including IP, IPX, and SNA.

SSH
 
What is SSH?
SSH is a secure replacement for older, less secure commands including rlogin, rsh, rcp, and telnet.  These commands send the username and password in cleartext, which made it easy to "sniff" the data and use it for malicious purposes.  In SSH, the client and server use public key cryptography (described in domain 4) to encrypt sessions of communication.  It prevents sniffing, IP spoofing, and unauthorized data manipulation.
 
How does it work?
At first, the client requests an SSH session.  Then, the client and server undergo a "handshake" in which the protocol version is verified.  They exchange session keys, which are verified against stored keys, and then the secured session begins.

IPSec
 
What is IPSec?
IPSec is an "open standard," meaning that it can use a variety of authentication methods, and it works in the network layer (layer 5).  This means that not every application has to be configured for it.  There are two modes it can operate in:
  1. Transport Mode - only the data is encrypted, which makes it faster, but IP headers are not encrypted, which means that they can be read.
  2. Tunnel Mode - the data and IP headers are both encrypted, although it slows down the process.  This is used in VPNs.

 

There are also two different security protocols.  One or both can be used, and using both together authenticates the whole packet.
  1. Authentication header (AH) - this protocol delivers authenticity and data integrity and packets are signed.
  2. Encapsulating security payload (ESP) - this delivers authenticity, integrity, and confidentiality through signing and encryption.

Vulnerabilities
 
What types of vulnerabilities exist?
  • Eavesdropping/sniffing - Sniffing is listening to all the data on a network, which is a passive attack.  This can be dangerous if usernames and passwords are sent in cleartext, but encryption can make sniffing useless unless enough packets are received that the encryption key can be deciphered.
  • Modification - Data can be modified for malicious purposes fairly easily in an active attack.  One attack that modifies data is known as a man-in-the-middle attack (domain 1).  Nonrepudiation is a method of proving that a sender sent a message and that he or she cannot deny it.  Using digital signatures provides nonrepudiation, which can help overcome this vulnerability.
  • Spoofing - Spoofing is pretending to be someone and/or something you are not.  Attackers can create packets that appear to be from someone else, such as a trusted computer that is allowed access inside a network through a firewall.

Resources:
  • "What is 802.1x?" By Joel Snyder, Network World. http://www.networkworld.com/research/2002/0506whatisit.html
  • TechExams.net - Security+ Technote: Remote Access Technologies. By Johan Hiemstra. http://www.techexams.net/technotes/securityplus/ras.shtml
  • Security+ Study Guide & DVD Training System, Second Edition. By Ido Dubrawsky and Jeremy Faircloth. ISBN 1597491535. http://www.syngress.com/catalog/?pid=4350
  • Howstuffworks.com - "How Virtual Private Networks Work." By Jeff Tyson. http://computer.howstuffworks.com/vpn.htm

This page was last modified on 07/28/07 02:14 PM