Ch10. Security in Network Design (PPT Slides)

IS notes chapter 10

Network+ Guide to Networks, Eighth Edition
Chapter 10: Security in Network Design

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Objectives (1 of 2)

10.1 Describe the functions and features of various network security devices
10.2 Implement security precautions on a switch
10.3 Track the processes of authentication, authorization, and auditing on a network

Objectives (2 of 2)

10.4 Explain the available options in network access control methods
10.5 Configure various security measures on a wireless network

Network Security Devices

• Non-security devices with security features
  • Proxy servers and ACLs
• Specialized security devices
  • Firewalls and IDS/IPS systems
• Using multiple options for network security results in layered security
  • Provides more protection than any one type of device
Proxy Servers (1 of 2)

• Proxy server:
  • Acts as an intermediary between external and internal networks
  • Screens all incoming and outgoing traffic
  • Manages security at the Application layer
  • Appears as an internal network server to the outside world, but is a filtering device for the internal LAN
  • One of its most important functions is preventing the outside world from discovering the addresses of the internal network

Proxy Servers (2 of 2)

• Reverse proxy:
  • Provides services to Internet clients from servers on its own network
  • Provides identity protection for the server rather than the client
  • Useful when multiple Web servers are accessed through the same public IP address

ACLs (Access Control Lists) on Network Devices (1 of 4)

• Router's main functions:
  • Examine packets
  • Determine destination based on Network layer addressing information
• ACL (access control list):
  • Used by routers to decline forwarding certain packets
  • Acts like a filter to instruct the router to permit or deny traffic according to one or more of the following variables:
    - Network layer protocol (e.g., IP or ICMP)
    - Transport layer protocol (e.g., TCP or UDP)
    - Source IP address
    - Destination IP address
    - TCP or UDP port number

ACLs (Access Control Lists) on Network Devices (2 of 4)

• Router receives a packet and examines it:
  • Refers to the ACL for permit and deny criteria
  • Statements are evaluated top-down; the first matching statement decides
  • Drops the packet if deny characteristics match
  • Forwards the packet if permit characteristics match
  • If the packet does not match any statement, the packet is dropped
    - Called the implicit deny rule
• On most routers, each interface must be assigned a separate ACL
  • Different ACLs may be associated with inbound and outbound traffic
ACLs (Access Control Lists) on Network Devices (3 of 4)

• The access-list command is used to add a statement to an already-installed ACL
  • Must identify the ACL and include a permit or deny argument
• Example: To permit ICMP traffic from any IP address or network to any IP address or network:
  • access-list acl_2 permit icmp any any
• Example: To permit TCP traffic from host 2.2.2.2 to host 5.5.5.5:
  • access-list acl_2 permit tcp host 2.2.2.2 host 5.5.5.5

ACLs (Access Control Lists) on Network Devices (4 of 4)

• ACLs do affect router performance
  • The more statements (tests) a router must scan, the more time it takes the router to act
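The two statements above, the top-down first-match evaluation, and the implicit deny, as an added worked example in Python (not the textbook's code): a small evaluator for Cisco-style extended ACL statements. It also handles wildcard masks (`10.0.0.0 0.0.0.255`) and an `eq PORT` qualifier, which the slide's statements do not use; the sample ACL and the packets fed through it are constructed for illustration.

```python
"""Cisco-style extended ACL evaluator (added example, not from the textbook).

Parses statements of the form
    access-list NAME permit|deny PROTO SRC DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD', and applies
them top-down, first match wins, with the implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp", or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]  # None means "any port"


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_endpoint(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_statement(line: str):
    """Return (acl_name, Rule) for one access-list statement."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL statement: {line!r}")
    name, action, proto = t[1], t[2], t[3].lower()
    src_net, src_wild, i = _parse_endpoint(t, 4)
    dst_net, dst_wild, i = _parse_endpoint(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return name, Rule(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def _addr_matches(addr: int, net: int, wild: int) -> bool:
    # Wildcard mask semantics: a 1 bit means "don't care", a 0 bit must match.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_matches(_addr(pkt.src), rule.src_net, rule.src_wild):
        return False
    if not _addr_matches(_addr(pkt.dst), rule.dst_net, rule.dst_wild):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl, pkt: Packet) -> str:
    """Top-down, first match decides; no match at all is the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def build_acls(lines):
    """Group statements by ACL name, preserving the order they were entered."""
    acls = {}
    for line in lines:
        name, rule = parse_statement(line)
        acls.setdefault(name, []).append(rule)
    return acls


# Constructed sample ACL: the slide's two statements plus two with a wildcard mask and a port.
SAMPLE_ACL = [
    "access-list acl_2 permit icmp any any",
    "access-list acl_2 permit tcp host 2.2.2.2 host 5.5.5.5",
    "access-list acl_2 deny tcp 10.0.0.0 0.0.0.255 any eq 23",
    "access-list acl_2 permit tcp 10.0.0.0 0.0.0.255 any eq 443",
]

# Constructed test packets (hypothetical addresses).
SAMPLE_PACKETS = [
    Packet("icmp", "8.8.8.8", "10.0.0.5"),           # permit (statement 1)
    Packet("tcp", "2.2.2.2", "5.5.5.5", 22),         # permit (statement 2)
    Packet("tcp", "2.2.2.2", "5.5.5.6", 22),         # implicit deny: wrong destination host
    Packet("tcp", "10.0.0.7", "198.51.100.1", 23),   # deny (telnet from the 10.0.0.0/24 net)
    Packet("tcp", "10.0.0.7", "198.51.100.1", 443),  # permit
    Packet("udp", "10.0.0.7", "198.51.100.1", 53),   # implicit deny: no udp statement
]


def classify_samples():
    acl = build_acls(SAMPLE_ACL)["acl_2"]
    return [evaluate(acl, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, classify_samples()):
        print(f"{verdict:6} {pkt}")
```

The third and sixth packets are the ones to notice: nothing in the list mentions them, so the implicit deny drops them. The performance point on the slide follows from the loop in `evaluate`: every packet that ends up denied by default has been compared against every statement first.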

Firewalls (1 of 9)

• A firewall is a specialized device or software that selectively filters or blocks traffic between networks
  • Typically involves a hardware and software combination
• Firewall location:
  • Between two interconnected private networks
  • Between private and public networks (network-based firewall)

Firewalls (2 of 9)

• May also see firewall features integrated in routers, switches, and other network devices
• Other types of firewalls only protect the computer on which they are installed
  • Known as host-based firewalls
Firewalls (3 of 9)

• Packet-filtering firewall:
  • Simplest firewall
  • Examines the header of every entering packet (inbound traffic)
  • Can also block traffic exiting a LAN (outbound traffic)

Firewalls (4 of 9)

• Firewall default configuration:
  • Blocks most common security threats
  • Preconfigured to accept and deny certain traffic types
  • Network administrators often customize settings

Firewalls (5 of 9)

• Common packet-filtering firewall criteria:
  • Source and destination IP addresses
  • Source and destination ports
  • Flags set in the TCP header
  • Transmissions using UDP or ICMP protocols
  • Packet's status as the first packet in a new data stream or a subsequent packet
  • Packet's status as inbound to or outbound from the private network

Firewalls (6 of 9)

(no text on this slide)
Firewalls (7 of 9)

• Port blocking
  • Prevents connection to and transmission completion through ports
• Optional firewall functions:
  • Encryption
  • User authentication
  • Centralized management
  • Easy rule establishment
  • Content-filtering based on data contained in packets
  • Logging and auditing capabilities
  • Protect the internal LAN's address identity
  • Monitor packets according to existing traffic streams (stateful firewall)
    - A stateless firewall manages each incoming packet as a stand-alone entity without regard to active connections

Firewalls (8 of 9)

• Unified Threat Management (UTM):
  • Security strategy that combines multiple layers of security appliances and technologies into a single safety net
  • Requires a great deal of processing power
• Next Generation Firewalls (NGFW):
  • Have built-in Application Control features and are application aware
    - They can monitor and limit traffic of specific applications
  • Adapt to the class of a specific user or user group
  • May also be context aware
    - They adapt to various applications, users, and devices
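The stateful-versus-stateless distinction on the "Firewalls (7 of 9)" slide, as an added Python example (not the textbook's code). Both filters enforce the same policy, "inside hosts may open HTTPS to the outside", over the same constructed packet stream; the inside network 192.168.1.0/24, the outside addresses and the TCP flags are assumptions. The stateless filter has to admit any inbound packet with source port 443 so that replies can come back, which is exactly the hole the fourth packet walks through.

```python
"""Stateless vs stateful filtering over the same packet stream (added example, not textbook code).

Policy: hosts on the constructed inside network 192.168.1.0/24 may open HTTPS (TCP/443)
connections to the outside; nothing else. A stateless filter has to admit *any* inbound
packet with source port 443 so replies can get back in; a stateful one admits only
packets that belong to a connection it saw the inside host open.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.1.0/24")   # assumption: the protected LAN


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A", "FA", "R"


def inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def stateless_filter(pkt: Pkt) -> str:
    """Every packet is judged on its own header; there is no memory of earlier packets."""
    if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 443:
        return "permit"                       # outbound HTTPS
    if not inside(pkt.src) and inside(pkt.dst) and pkt.sport == 443:
        return "permit"                       # "replies": any outside host using sport 443 qualifies
    return "deny"


class StatefulFilter:
    """Tracks connections the inside opened; only their continuations and replies are admitted."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt: Pkt) -> str:
        if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 443:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":              # new connection: record it
                self.table.add(key)
                return "permit"
            if key in self.table:             # continuation of a known connection
                if "F" in pkt.flags or "R" in pkt.flags:
                    self.table.discard(key)   # closing: forget the state
                return "permit"
            return "deny"                     # mid-stream packet with no SYN seen
        if not inside(pkt.src) and inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                if "R" in pkt.flags:
                    self.table.discard(key)
                return "permit"               # genuine reply to a tracked connection
        return "deny"


def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]


# Constructed packet stream (all addresses hypothetical).
STREAM = [
    Pkt("192.168.1.10", 51000, "203.0.113.10", 443, "S"),    # inside opens HTTPS
    Pkt("203.0.113.10", 443, "192.168.1.10", 51000, "SA"),   # legitimate reply
    Pkt("192.168.1.10", 51000, "203.0.113.10", 443, "A"),    # handshake completes
    Pkt("198.51.100.7", 443, "192.168.1.10", 3389, "S"),     # unsolicited: attacker sets sport=443
    Pkt("192.168.1.10", 51001, "203.0.113.10", 443, "A"),    # mid-stream ACK, no SYN ever seen
]


def compare():
    """Return the verdict of each filter on each packet of STREAM."""
    return {
        "stateless": run(stateless_filter, STREAM),
        "stateful": run(StatefulFilter().filter, STREAM),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The stateless filter permits all five packets, including the probe aimed at RDP (3389) from a spoofed source port; the stateful filter permits only the three that belong to the connection it saw opened. Real firewalls also age entries out of the state table, which this model omits.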

Firewalls (9 of 9)

• Troubleshooting firewalls:
  • Most common cause of firewall failure is firewall misconfiguration
  • Configuration must not be so strict that it prevents authorized users from transmitting and receiving necessary data
    - But not so lenient that you unnecessarily risk security breaches
  • You may need to create exceptions to the rules
    - Referred to as "punching a hole" in the firewall

IDS (Intrusion Detection System) (1 of 2)

• IDS (intrusion detection system):
  • Stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall
  • Monitors network traffic and generates alerts about suspicious activity
  • Commonly exists as an embedded feature in UTM solutions or NGFWs
• Two primary methods for detecting threats:
  • Statistical anomaly detection
    - Compares network traffic samples to a predetermined baseline in order to detect anomalies
  • Signature-based detection
    - Looks for identifiable patterns (signatures) of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic
IDS (Intrusion Detection System) (2 of 2)

• IDS implementations:
  • HIDS (host-based IDS) runs on a single computer to alert about attacks to that one host
    - Might also include FIM (file integrity monitoring), which alerts when changes are made to files that shouldn't change
  • NIDS (network-based IDS) protects a network and is usually situated at the edge of the network or in the DMZ (demilitarized zone)
    - The network's protective perimeter
• Port mirroring
  • One port makes a copy of traffic and sends it to a second port for monitoring
• IDS drawback
  • Number of false positives logged

IPS (Intrusion Prevention System) (1 of 2)

• IDS can only detect and log suspicious activity
• IPS (intrusion prevention system):
  • Reacts to suspicious activity when alerted
  • Detects a threat and prevents traffic from flowing to the network
    - Based on originating IP address
• NIPS (network-based intrusion prevention)
  • Protects entire networks
• HIPS (host-based intrusion prevention)
  • Protects certain hosts
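The two detection methods from the IDS slides, signature-based and statistical anomaly detection, side by side as an added Python example (not the textbook's code). The web-server log lines, the two signatures, the traffic baseline and the threshold of three standard deviations are all constructed for illustration and stand in for a real rule feed and a real baseline.

```python
"""Signature-based and statistical anomaly detection side by side (added example, not textbook code).

Runs over constructed HTTP request log lines and a constructed per-minute request-count series.
Signatures and thresholds are illustrative assumptions, not any vendor's rule set.
"""
import re
import statistics
from collections import Counter

# Constructed web-server log lines (client IP, then the request line).
LOG_LINES = [
    '10.0.0.5 "GET /index.html"',
    '10.0.0.5 "GET /images/logo.png"',
    '203.0.113.9 "GET /cgi-bin/../../../../etc/passwd"',         # path traversal pattern
    '203.0.113.9 "GET /login.php?user=admin%27%20OR%201%3D1--"',  # url-encoded SQL injection
    '10.0.0.8 "POST /api/items"',
    '198.51.100.4 "GET /login.php?user=bob"',
]

# Signature rules: name -> regex applied to the decoded request. Illustrative, not a real feed.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def _url_decode(s: str) -> str:
    # Decode %XX escapes so an attacker cannot dodge the regex simply by encoding.
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def signature_alerts(lines):
    """Return (client_ip, signature_name) for every line matching a known pattern."""
    alerts = []
    for line in lines:
        ip, _, request = line.partition(" ")
        decoded = _url_decode(request)
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((ip, name))
    return alerts


def anomaly_alerts(baseline, observed, k=3.0):
    """Flag observed samples more than k standard deviations above the baseline mean.

    baseline: request counts per minute from a known-normal period; observed: recent counts.
    """
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    threshold = mean + k * stdev
    return [(i, count) for i, count in enumerate(observed) if count > threshold]


# Constructed traffic baseline (requests per minute over a quiet period) and a recent window.
BASELINE = [40, 42, 38, 45, 41, 39, 44, 40, 43, 41, 37, 42]
OBSERVED = [41, 44, 39, 910, 43, 40]   # minute 3 is a flood


def detect():
    return {
        "signature": signature_alerts(LOG_LINES),
        "anomaly": anomaly_alerts(BASELINE, OBSERVED),
        "top_talkers": Counter(l.split()[0] for l in LOG_LINES).most_common(2),
    }


if __name__ == "__main__":
    for kind, hits in detect().items():
        print(kind, hits)
```

The signature engine catches only what it has a pattern for (the decode step matters: the injection is URL-encoded in the log), while the anomaly engine catches the flood without knowing anything about it but pays for that with false positives whenever legitimate traffic moves away from the baseline, the drawback the slide names.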

IPS (Intrusion Prevention System) (2 of 2)

(no text on this slide)

SIEM (Security Information and Event Management)

• SIEM systems can be configured to evaluate all log data
  • Looking for significant events that require attention from the IT staff
• Effectiveness of the SIEM
  • Limited by the storage available for the volume of log data generated
• Network administrators can fine-tune a SIEM's configuration rules for their specific needs
  • Which events should trigger responses
• Network technicians should review raw data on a regular basis
  • To ensure no glaring indicators are being missed by existing rules
Switch Management

• This section covers the following:
  • How paths between switches are managed
  • Switch security concerns (Physical, Data Link, and Network layers)

Switch Path Management (1 of 5)

• To make networks more fault tolerant
  • You install multiple (redundant) switches at critical junctures
  • Redundancy allows data the option of traveling through more than one switch
  • Makes a network less vulnerable to hardware malfunctions
• A potential problem with redundant paths is traffic loops

Switch Path Management (2 of 5)

• STP (Spanning Tree Protocol):
  • Defined in IEEE standard 802.1D
  • Operates in the Data Link layer
• STP prevents traffic loops by:
  • Calculating paths that avoid potential loops
  • Artificially blocking links that complete a loop
• If a switch is removed, STP will recalculate the best loop-free data paths between the remaining switches

Switch Path Management (3 of 5)

• Three steps:
  • Select the root bridge based on Bridge ID (BID)
  • Examine possible paths between each network bridge and the root bridge
  • Disable links not part of the shortest path
Switch Path Management (4 of 5)

• STP information is transmitted between switches
  • Via BPDUs (Bridge Protocol Data Units)
• Security precautions that should be configured on STP-enabled interfaces:
  • BPDU guard: err-disables (shuts down) a port serving network hosts if any BPDU arrives on it
    - Ensures these devices aren't considered as possible paths
  • BPDU filter: can be used to disable STP on specific ports
  • Root guard: prevents switches beyond the configured port from becoming the root bridge
• Some switch manufacturers have designed proprietary versions of STP
  • Example: Cisco and Extreme Networks

Switch Path Management (5 of 5)

• Newer (faster) versions of STP include:
  • RSTP (Rapid Spanning Tree Protocol) and MSTP (Multiple Spanning Tree Protocol)
• TRILL (Transparent Interconnection of Lots of Links)
  • A multipath, link-state protocol
• SPB (Shortest Path Bridging)
  • A descendant of STP (IEEE 802.1aq) that still forwards at Layer 2 but uses a link-state routing protocol (IS-IS) as its control plane
  • Keeps all potential paths active while managing the flow of data
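The root-bridge election from "Switch Path Management (3 of 5)" and the effect of the root guard and BPDU guard precautions, as an added Python example (not the textbook's code). A switch with an attacker-chosen priority of 0 wins any unprotected election; with root guard on the uplink facing it and BPDU guard on the host port, the real root survives. Bridge IDs, MAC addresses and port names are constructed.

```python
"""Root bridge election and the effect of root guard / BPDU guard (added example, not textbook code).

Bridge IDs are (priority, MAC); the numerically lowest wins. Ports, MACs and priorities are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int   # 0-61440 in steps of 4096 on real switches; lower is better
    mac: str        # tie-breaker; lower MAC wins


@dataclass(frozen=True)
class BPDU:
    claimed_root: BridgeID   # the root the sender believes in
    sender: BridgeID
    ingress_port: str        # port on which this switch received the BPDU


@dataclass
class Switch:
    bid: BridgeID
    root_guard: set = field(default_factory=set)   # ports that may never lead toward the root
    bpdu_guard: set = field(default_factory=set)   # host-facing ports: any BPDU is a violation
    errdisabled: set = field(default_factory=set)
    root_inconsistent: set = field(default_factory=set)

    def elect_root(self, received):
        """Process received BPDUs and return the root this switch ends up believing in."""
        root = self.bid
        # Pass 1: BPDU guard shuts host ports; unguarded ports may lower the root.
        for b in received:
            if b.ingress_port in self.errdisabled:
                continue
            if b.ingress_port in self.bpdu_guard:
                self.errdisabled.add(b.ingress_port)
                continue
            if b.ingress_port in self.root_guard:
                continue
            root = min(root, b.claimed_root)
        # Pass 2: a superior BPDU on a root-guarded port puts that port into the
        # root-inconsistent (blocked) state instead of changing the root.
        for b in received:
            if b.ingress_port in self.root_guard and b.claimed_root < root:
                self.root_inconsistent.add(b.ingress_port)
        return root


LEGIT_ROOT = BridgeID(4096, "00:aa:aa:aa:aa:01")
ROGUE = BridgeID(0, "00:bb:bb:bb:bb:02")     # attacker-chosen priority 0 would win any election
ACCESS = BridgeID(32768, "00:cc:cc:cc:cc:03")

# Constructed BPDUs as seen by the access switch.
RECEIVED = [
    BPDU(LEGIT_ROOT, LEGIT_ROOT, "Gi0/1"),   # real root on the uplink
    BPDU(ROGUE, ROGUE, "Gi0/5"),             # rogue switch on a port that should never lead to the root
    BPDU(ROGUE, ROGUE, "Gi0/10"),            # rogue device on a host access port
]


def unprotected():
    sw = Switch(ACCESS)
    return sw.elect_root(RECEIVED), sw


def protected():
    sw = Switch(ACCESS, root_guard={"Gi0/5"}, bpdu_guard={"Gi0/10"})
    return sw.elect_root(RECEIVED), sw


if __name__ == "__main__":
    root, sw = unprotected()
    print("unprotected root:", root)
    root, sw = protected()
    print("protected root:", root, "root-inconsistent:", sw.root_inconsistent,
          "err-disabled:", sw.errdisabled)
```

Why it matters: whoever becomes root decides which links STP blocks, so a rogue root can pull traffic through a link the attacker controls. Root guard leaves the guarded port in the blocked state until the superior BPDUs stop arriving; BPDU guard disables the host port outright, which is the stronger response for ports that should never see a switch.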

Switch Port Security

• Unused physical and virtual ports on switches and other network devices should be disabled:
  • Use the shutdown command on Cisco, Huawei, and Arista routers and switches
  • Use the no shutdown command to enable them again
• Another Cisco command (also used on Arista devices) to secure switch access ports:
  • switchport port-security (or just port-security on Huawei switches)
  • Essentially a MAC filtering function that also protects against MAC flooding
• On a Juniper switch:
  • The mac-limit command restricts the number of MAC addresses allowed in the MAC address table
  • Allowed MAC addresses are configured with the allowed-mac command

AAA (Authentication, Authorization, and Accounting)

• Controlling users' access to a network and its resources consists of three major elements:
  • Authentication: process of verifying a user's credentials to grant the user access to secured resources
  • Authorization: determines what the user can and cannot do with network resources
  • Accounting: keeps an account of the client's system or network usage
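What "protects against MAC flooding" means in practice, as an added Python example (not the textbook's code): a toy switch with an 8-entry CAM table and no aging, an attacker pumping random source MACs into one port, and the same attack against a port with port security enabled (`switchport port-security maximum 2 violation shutdown` modelled as parameters). Port names and MAC addresses are constructed.

```python
"""CAM-table exhaustion (MAC flooding) with and without port security (added example, not textbook code).

The switch model is deliberately small: a CAM table of 8 entries with no aging. Port names and
MAC addresses are constructed.
"""
import random
from collections import OrderedDict


class Switch:
    def __init__(self, cam_capacity=8):
        self.cam = OrderedDict()        # learned source MAC -> port
        self.capacity = cam_capacity
        self.port_security = {}         # port -> settings and state

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        """Model of 'switchport port-security maximum N violation shutdown|restrict'."""
        self.port_security[port] = {
            "max": maximum, "violation": violation,
            "secure": set(), "errdisabled": False, "violations": 0,
        }

    def receive(self, port, src_mac):
        """Learn the source MAC of a frame arriving on a port; return what happened."""
        ps = self.port_security.get(port)
        if ps is not None:
            if ps["errdisabled"]:
                return "errdisabled"
            if src_mac not in ps["secure"]:
                if len(ps["secure"]) >= ps["max"]:
                    ps["violations"] += 1
                    if ps["violation"] == "shutdown":
                        ps["errdisabled"] = True          # port goes err-disabled
                        return "errdisabled"
                    return "dropped"                      # restrict: drop and count
                ps["secure"].add(src_mac)
        if src_mac in self.cam:
            return "known"
        if len(self.cam) >= self.capacity:
            return "cam-full"                             # cannot learn any more MACs
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Unicast if the destination was learned, otherwise flood out every port."""
        return "unicast" if dst_mac in self.cam else "flood"


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def mac_flood(switch, port, count, seed=1):
    """Attacker on `port` sends `count` frames with random source MACs (what macof-style tools do)."""
    rng = random.Random(seed)
    outcomes = {}
    for _ in range(count):
        result = switch.receive(port, random_mac(rng))
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


VICTIM_MAC = "00:11:22:33:44:55"   # legitimate server on port Gi0/2 (constructed)


def scenario(port_security: bool):
    sw = Switch(cam_capacity=8)
    if port_security:
        sw.enable_port_security("Gi0/1", maximum=2, violation="shutdown")
    attack = mac_flood(sw, "Gi0/1", 20)
    victim = sw.receive("Gi0/2", VICTIM_MAC)    # victim sends its first frame after the flood
    return {"attack": attack, "victim_learned": victim, "traffic_to_victim": sw.forward(VICTIM_MAC)}


if __name__ == "__main__":
    print("no port security:", scenario(False))
    print("port security:   ", scenario(True))
```

Without port security the attacker fills the table, the victim's MAC can no longer be learned, and frames for the victim are flooded to every port including the attacker's, which is the point of the attack. With a maximum of two secure addresses, the third forged MAC err-disables the attacker's port and the victim is learned and unicast normally; the `restrict` variant drops and counts instead of disabling, which keeps the port up but still caps the damage.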
Authentication (1 of 3)

• A user can be authenticated to the local device or to the network
• Local authentication: usernames and passwords are stored locally, which has both advantages and disadvantages:
  • Low security
  • Convenience varies
  • Reliable backup access

Authentication (2 of 3)

• With local authentication
  • Every computer on the network is responsible for securing its own resources
• In Windows
  • Switch from local authentication to network authentication on the domain using the System Properties dialog box

Authentication (3 of 3)

• Network authentication and logon restrictions:
  • Harden your network by requiring secure passwords to authenticate to the network
  • Additional authentication restrictions that strengthen network security:
    - Time of day
    - Total time logged on
    - Source address
    - Unsuccessful logon attempts
    - Geographic location (geofencing)

Authorization (1 of 2)

• User access to network resources falls into one of two categories:
  • The privilege or right to execute, install, and uninstall software
  • Permission to read, modify, create, or delete files and folders
• RBAC (role-based access control):
  • Most popular authorization method
  • Administrator assigns the privileges and permissions necessary for users to perform their roles (duties)
  • Administrators create groups associated with certain roles
• Role separation
  • Each user can only be a member of a single group
Authorization (2 of 2)

(no text on this slide)

Accounting

• A log file viewer can be installed to make it easier to monitor log files for interesting or suspicious events
• In Windows, use Event Viewer to view Windows logs

NAC (Network Access Control) (1 of 2)

• A network access control (NAC) solution employs a set of rules called network policies, which determine the level and type of access granted to a device when it joins a network
• NAC authenticates and authorizes devices
  • By verifying that the device complies with predefined security benchmarks
• An agent can be installed on the device before it can be authenticated
  • Monitors the device's status to determine the device's compliance

NAC (Network Access Control) (2 of 2)

• Two types of agents:
  • Nonpersistent agent remains on the device long enough to verify compliance and complete authentication, and then uninstalls
    - Also called a dissolvable agent
  • Persistent agent is permanently installed on a device
• Devices that do not meet compliance requirements can be placed in a quarantine network
  • Separate from sensitive network resources
Access Control Technologies

• Authentication protocols
  • The rules computers follow to accomplish authentication
• Several types of authentication services and protocols exist

Directory Services

• Directory service
  • Maintains a database of account information, such as usernames, passwords, and other authentication credentials
  • Examples:
    • AD (Active Directory) in Windows
    • OpenLDAP
    • 389 Directory Server
• LDAP (Lightweight Directory Access Protocol):
  • Standard protocol for accessing an existing directory
  • All of the above are built to be LDAP-compliant
  • AD is configured to use the Kerberos protocol for authentication

Kerberos (1 of 6)

• Kerberos
  • Cross-platform authentication protocol
  • Uses symmetric (secret-key) encryption to:
    • Verify the client's identity
    • Securely exchange information after the client logs on
  • Example of a private-key (symmetric) encryption service
  • Provides significant security advantages over simple NOS authentication

Kerberos (2 of 6)

• Terms:
  • Principal
  • KDC (Key Distribution Center)
  • Ticket
• Kerberos server runs two services:
  • AS (authentication service)
    - Initially validates a client and issues it a TGT (ticket-granting ticket)
  • TGS (ticket-granting service)
    - An application running separately from the AS that also runs on the KDC
    - Exchanges a valid TGT for a service ticket, so the client does not have to re-authenticate with the AS (re-enter its password) each time it wants to use a different service on the network
Kerberos (3 of 6) through Kerberos (6 of 6)

(no text on these slides)
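The AS and TGS exchanges from "Kerberos (2 of 6)", carried through to the application server's check of the ticket, as an added Python example (not the textbook's code). The message flow, the three long-term keys (client, krbtgt, service), the per-exchange session keys, encrypted-timestamp pre-authentication and the authenticator checks are how Kerberos works; the `seal`/`unseal` cipher (SHA-256 keystream plus an HMAC tag) and PBKDF2 are stand-ins for Kerberos' real encryption types and string-to-key function, and every name, password and timestamp is constructed.

```python
"""Kerberos AS, TGS and AP exchanges with a toy cipher (added example, not textbook code).

Real: the message flow, the three long-term keys (client, krbtgt, service), per-exchange
session keys, encrypted-timestamp pre-authentication, authenticator checks.
Stand-ins: seal/unseal (SHA-256 keystream + HMAC-SHA256) for Kerberos' encryption types,
PBKDF2 for string2key. Names, passwords and times are constructed.
"""
import hashlib
import hmac
import json
import os

SKEW, TGT_LIFE, TICKET_LIFE = 300, 8 * 3600, 3600   # seconds


def derive_key(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Runs both services: AS (issues TGTs) and TGS (issues service tickets)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}                     # principal -> long-term key
        self.krbtgt_key = os.urandom(32)   # only the KDC knows this

    def register(self, principal: str, password: str):
        self.keys[principal] = derive_key(password, self.realm + principal)

    def as_exchange(self, client: str, preauth: bytes, now: int):
        """AS-REQ with encrypted-timestamp pre-authentication -> AS-REP (TGT + session key)."""
        key = self.keys[client]
        if abs(now - unseal(key, preauth)["ts"]) > SKEW:    # wrong password: unseal raises
            raise ValueError("stale pre-authentication")
        sk = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": client, "sk": sk.hex(), "exp": now + TGT_LIFE})
        return tgt, seal(key, {"sk": sk.hex(), "for": "krbtgt"})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ (TGT + authenticator) -> TGS-REP (service ticket + service session key)."""
        t = unseal(self.krbtgt_key, tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)         # only the real client holds sk
        if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise ValueError("bad authenticator")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"client": t["client"], "sk": ssk.hex(), "exp": now + TICKET_LIFE})
        return ticket, seal(sk, {"sk": ssk.hex(), "for": service})


class Client:
    def __init__(self, name: str, password: str, realm: str):
        self.name, self.key = name, derive_key(password, realm + name)

    def login(self, kdc: KDC, now: int):
        self.tgt, rep = kdc.as_exchange(self.name, seal(self.key, {"ts": now}), now)
        self.sk = bytes.fromhex(unseal(self.key, rep)["sk"])   # password used only here

    def ticket_for(self, kdc: KDC, service: str, now: int):
        """Get a service ticket with the TGT; no password needed again."""
        ticket, rep = kdc.tgs_exchange(self.tgt, seal(self.sk, {"client": self.name, "ts": now}),
                                       service, now)
        ssk = bytes.fromhex(unseal(self.sk, rep)["sk"])
        return ticket, seal(ssk, {"client": self.name, "ts": now})   # the AP-REQ pieces


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """AP-REQ check done by the application server using only its own long-term key."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
    except ValueError:
        return False
    return a["client"] == t["client"] and now <= t["exp"] and abs(now - a["ts"]) <= SKEW


def demo(now: int = 1_700_000_000) -> bool:
    kdc = KDC("EXAMPLE.COM")
    kdc.register("alice", "correct horse battery staple")
    kdc.register("http/web.example.com", os.urandom(16).hex())
    alice = Client("alice", "correct horse battery staple", "EXAMPLE.COM")
    alice.login(kdc, now)
    ticket, auth = alice.ticket_for(kdc, "http/web.example.com", now + 60)
    return service_accepts(kdc.keys["http/web.example.com"], ticket, auth, now + 61)
```

Two things the code makes visible that the slides only imply: the service never talks to the KDC (it trusts the ticket because only the KDC knows its key), and the client's password is used exactly once, at login. The pre-authentication step is also why KDCs should require it: without it, anyone can request an AS-REP for a principal and guess the password offline against the encrypted part.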
SSO (Single Sign-On) (1 of 2)

• SSO:
  • Form of authentication in which a client signs on one time to access multiple systems or resources
  • Primary advantage is convenience
  • Disadvantage is that once authentication is cleared, the user has access to numerous resources
• 2FA (two-factor authentication)
  • User must provide something (for example, a token) and know something (for example, a password)
• MFA (multifactor authentication)
  • Process that requires two or more factors from different categories

SSO (Single Sign-On) (2 of 2)

• Five categories of authentication factors:
  • Something you know: password or PIN
  • Something you have: ATM or smart card
  • Something you are: fingerprint or facial pattern
  • Somewhere you are: location in a specific building
  • Something you do: specific way you type or speak
• MFA requires at least one authentication method from at least two different categories
  • Two methods from the same category (a password plus a PIN) still count as a single factor
• Security token
  • A device or application that stores or generates information, used as the "something you have" factor
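The "security token that generates information" and the second factor it supplies, as an added Python example (not the textbook's code): the HOTP/TOTP algorithm (RFC 4226 / RFC 6238) that hardware tokens and authenticator apps implement, plus the server-side verifier that tolerates one step of clock skew and refuses a code that has already been used. The secret is the RFC 6238 test-vector secret so the outputs can be checked against the RFC; the `login` function's password check is assumed to happen elsewhere.

```python
"""HOTP/TOTP security token (RFC 4226 / RFC 6238) with a verifier that tolerates clock skew
and rejects replayed codes (added example, not textbook code). The secret below is the RFC 6238
test-vector secret, not a real one.
"""
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the token displays."""
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Server side: accepts the current step and +/-`window` neighbours, each counter once."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.used = set()   # counters already consumed (replay protection)

    def verify(self, code: str, at: float) -> bool:
        base = int(at // STEP)
        for k in range(-self.window, self.window + 1):
            counter = base + k
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used:
                    return False          # same code presented twice: replay
                self.used.add(counter)
                return True
        return False


def login(password_ok: bool, verifier: TotpVerifier, code: str, at: float) -> bool:
    """MFA: something you know (password check assumed done elsewhere) AND something you have."""
    return password_ok and verifier.verify(code, at)


RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret (SHA-1 vectors)

if __name__ == "__main__":
    now = time.time()
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, now)
    print("current code:", code)
    print("first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

The `used` set is the part most home-grown verifiers forget: a 30-second code that can be accepted twice within its window is a code an attacker who shoulder-surfed or phished it can still use. `compare_digest` keeps the comparison constant-time; `login` shows why a token alone is not MFA until it is combined with a factor from another category.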

RADIUS (Remote Authentication Dial-In User Service) (1 of 2)

• RADIUS (Remote Authentication Dial-In User Service):
  • Open standard defined by the IETF, with open-source implementations available
  • Runs in the Application layer and can use either UDP (the original and most common transport) or TCP in the Transport layer
  • Can operate as an application on a remote access server
    - Or on a dedicated RADIUS server

RADIUS (Remote Authentication Dial-In User Service) (2 of 2)

• Highly scalable
• May be used to authenticate wireless, mobile, and remote users
• RADIUS services are often combined with other network services on a single machine
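How a RADIUS client (the NAS) protects the user's password on the wire, as an added Python example (not the textbook's code): the User-Password hiding scheme from RFC 2865 section 5.2, its inverse on the server, and a dictionary attack showing that the shared secret is the only thing standing between a captured Access-Request and the password. The shared secret, password and Request Authenticator are constructed.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and why the shared secret is all that
protects it (added example, not textbook code). Secret, password and Request Authenticator
below are constructed.
"""
import hashlib
import os


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || previous block)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                     # chaining: next block keyed on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RADIUS server side: same chain in reverse; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def guess_secret(hidden: bytes, request_authenticator: bytes, known_password: bytes, candidates):
    """Offline attack: one captured Access-Request whose password the attacker knows (for
    example their own account) lets a weak shared secret fall to a dictionary."""
    for cand in candidates:
        if reveal_password(hidden, cand, request_authenticator) == known_password:
            return cand
    return None


def demo():
    secret = b"testing123"                    # constructed: a classic weak default
    ra = os.urandom(16)                       # Request Authenticator chosen by the NAS
    hidden = hide_password(b"hunter2", secret, ra)
    recovered = reveal_password(hidden, secret, ra)
    found = guess_secret(hidden, ra, b"hunter2",
                         [b"radius", b"secret", b"testing123", b"Sup3r!Long"])
    return {"hidden_len": len(hidden), "roundtrip": recovered, "guessed_secret": found}


if __name__ == "__main__":
    print(demo())
```

Only the User-Password attribute is hidden; everything else in the request travels in clear, and the request itself carries no integrity check unless a Message-Authenticator attribute is present. That is why RADIUS over UDP across anything but a trusted management network is normally wrapped in IPsec or replaced by RADIUS over TLS (RadSec), and why the shared secret needs to be long and random rather than a word.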
TACACS+ (Terminal Access Controller Access Control System Plus)

• TACACS+ (Terminal Access Controller Access Control System Plus):
  • Offers the option of separating authentication, authorization, and auditing capabilities
  • Differences from RADIUS:
    - Relies on TCP, not UDP, at the Transport layer
    - Proprietary protocol developed by Cisco Systems, Inc.
    - Typically used to control administrative access to routers and switches, which act as clients of a TACACS+ server
    - Encrypts the entire body of each AAA packet (RADIUS hides only the password)

Wireless Network Security

• Recall a disadvantage of WEP
  • Used a shared key for all clients, and the key might never change
• WEP offered two forms of authentication:
  • OSA (Open System Authentication)
  • SKA (Shared Key Authentication)

WPA (Wi-Fi Protected Access)

• TKIP (Temporal Key Integrity Protocol)
  • Encryption key generation and management scheme
• TKIP accomplishments:
  • Message integrity
  • Key distribution
  • Encryption
• TKIP was a quick fix and is only offered today in order to provide compatibility with older wireless devices

WPA2 (Wi-Fi Protected Access, version 2)

• Data confidentiality methods used in WPA were replaced by stronger technologies
• CCMP—Short for Counter Mode with CBC (Cipher Block Chaining) MAC (Message Authentication Code) Protocol
  • Improves wireless security for newer devices that can use WPA2
• CCMP helps ensure data confidentiality with both encryption and packet authentication by providing:
  • Message integrity
  • Encryption—Uses AES (Advanced Encryption Standard), which provides faster and more secure encryption than TKIP

Personal and Enterprise (1 of 6)

• Personal versions of WPA and WPA2:
  • Sometimes referred to as WPA-PSK or WPA2-PSK
  • PSK is short for Pre-Shared Key
• Enterprise versions of WPA and WPA2:
  • Implement additional security measures
  • A RADIUS server is used in cooperation with an authentication mechanism called EAP (Extensible Authentication Protocol)

Personal and Enterprise (2 of 6)

• Three main EAP entities (shown in Figure 10-29 on previous slide):
  • Supplicant—Device requesting authentication
  • Authenticator—Device that initiates the authentication process (wireless access point)
  • Authentication server—Server that performs authentication

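As an added example (not part of the slides) of what the Pre-Shared Key in WPA/WPA2-Personal actually is: IEEE 802.11i derives the 256-bit PSK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 over 4096 iterations, so every station that knows the passphrase ends up holding the identical key. The network names and passphrases in the code are constructed sample values; the known-answer check uses the test vector published in IEEE 802.11 Annex H.

```python
"""Added example (not from the slides): deriving a WPA/WPA2-Personal PSK.

IEEE 802.11i defines PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096
iterations, 256 bits). SSIDs and passphrases below are constructed samples.
"""
import hashlib

PSK_ITERATIONS = 4096
PSK_BYTES = 32  # 256-bit key, used directly as the PMK in Personal mode


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from an ASCII passphrase and the network SSID."""
    if not passphrase.isascii() or not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    ssid_octets = ssid.encode("utf-8")
    if not 1 <= len(ssid_octets) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")
    # The SSID is the salt: the same passphrase on another network
    # yields a different key.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_octets, PSK_ITERATIONS, PSK_BYTES)


def known_answer_test() -> bool:
    """Check the derivation against the IEEE 802.11 Annex H test vector."""
    expected = bytes.fromhex(
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return derive_psk("password", "IEEE") == expected


def stations_share_one_key(passphrase: str, ssid: str, station_count: int) -> bool:
    """Every station that knows the passphrase derives the identical key.

    This is the Personal-mode counterpart of the WEP weakness on the earlier
    slide: one shared secret for all clients and no per-user credential to
    revoke, which is what the Enterprise versions address with RADIUS and EAP.
    """
    keys = {derive_psk(passphrase, ssid) for _ in range(station_count)}
    return len(keys) == 1


if __name__ == "__main__":
    ssid, passphrase = "CorpGuest", "correct-horse-battery"  # constructed
    print("known answer test:", known_answer_test())
    print("PSK for", ssid, "=", derive_psk(passphrase, ssid).hex())
    print("all stations share one key:", stations_share_one_key(passphrase, ssid, 3))
    print("same passphrase, other SSID differs:",
          derive_psk(passphrase, "CorpLab") != derive_psk(passphrase, ssid))
```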

Personal and Enterprise (3 of 6)

• EAP-TLS
  • Uses TLS encryption to protect communications
  • Uses PKI certificates to exchange public keys and authenticate both supplicant and the server (called mutual authentication)

Personal and Enterprise (4 of 6)

Personal and Enterprise (5 of 6)

• PEAP (Protected EAP)
  • Tunnel-based
  • Creates an encrypted TLS tunnel between the supplicant and the server

Personal and Enterprise (6 of 6)

• EAP-FAST (EAP-Flexible Authentication via Secure Tunneling)
  • A form of tunneled EAP
  • Developed by Cisco and works similarly to PEAP (only faster)
  • Uses PACs (Protected Access Credentials) stored on the supplicant device for speedier establishment of the TLS tunnel


Chapter Summary (1 of 4)

• A proxy server acts as an intermediary between the external and internal networks
• Thanks to a router’s ACL or access list, routers can decline to forward certain packets depending on their content
• A firewall is a specialized device or software that selectively filters or blocks traffic between networks
• An IDS (intrusion detection system) is a stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall, which is used to monitor network traffic
• IDS, IPS, firewalls, and proxy servers all generate a great deal of data that is stored in logs and must be monitored and analyzed

Chapter Summary (2 of 4)

• STP (Spanning Tree Protocol) prevents traffic loops by calculating paths that avoid potential loops and blocking links that would complete a loop
• Unused physical and virtual ports on switches and other network devices should be disabled until needed
• Controlling users’ access to a network consists of three major elements: authentication, authorization, and accounting
• With geofencing, GPS or RFID data is sent to the authentication server to report the location of the device attempting to authenticate to the network
• Systems generate many logs that can be used for troubleshooting and auditing
• A NAC system employs a set of rules, called network policies, which determine the level and type of access granted to a device when it joins a network

Chapter Summary (3 of 4)

• Kerberos is a cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system
• Kerberos is an example of SSO (single sign-on)
• The most popular AAA service is RADIUS (Remote Authentication Dial-In User Service)
• TACACS+ (Terminal Access Controller Access Control System Plus) offers network administrators the option of separating the access, authentication, and auditing capabilities
• WEP offered two forms of authentication, neither of which is secure: OSA (Open System Authentication) and SKA (Shared Key Authentication)

Chapter Summary (4 of 4)

• TKIP was a quick fix, designed more as an integrity check for WEP transmissions than as a sophisticated encryption protocol
• CCMP improves wireless security for newer devices that can use WPA2
• The Personal versions of WPA and WPA2 are sometimes referred to as WPA-PSK
• The Enterprise versions of WPA and WPA2 implement additional security measures
