Key-Areas-in-Network-Security

Uploaded by

Edzel Rapinan

Key Areas in Network Security

Authentication and authorization—Identifying who’s permitted to access which network resources.

Encryption—Making data unusable to anyone except authorized users.

Virtual private networks (VPNs)—Allowing authorized remote access to a private network via the public
Internet

Wireless security—Implementing measures for protecting data and authorizing access to a wireless
network

Network security devices—A hardware device or software (including firewalls, intrusion detection and
prevention systems, and content filters) that protects a computer or network from unauthorized access
and attacks designed to cripple network or computer performance

Malware protection—Securing data from software designed to destroy data or make computers and
networks operate inefficiently.

The following sections discuss some of these security areas and explore network features.

Setting Up Authentication and Authorization

Authentication and authorization are key security features in network systems, allowing administrators
to control access and permissions on a network.

Various protocols offer different levels of secure authentication:

- Kerberos:

Common in Windows domains, Kerberos provides mutual authentication (both client
and server identities are verified). It uses secret key encryption, ensuring passwords are
never sent over the network.

- Remote Authentication Dial In User Service (RADIUS):

RADIUS centralizes Authentication, Authorization, and Accounting (AAA) for remote and
wireless access. It also authenticates administrative access to network devices. Cisco’s
TACACS+ is a similar AAA protocol but offers more security by encrypting the entire
packet, while RADIUS only encrypts the password, leaving other data exposed.

- Extensible Authentication Protocol (EAP):

EAP is a framework for various encryption and authentication methods, such as EAP-TLS
(certificate-based), EAP-TTLS (tunneled security), and EAPoL (EAP over LAN, often used for wireless
networks). EAP is flexible and compatible with smart cards, biometrics, and standard
login methods.

- Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2):

MS-CHAP v2 provides mutual authentication and encrypts data using a
new encryption key for each connection. It’s commonly used with Windows clients,
though it should only be used when stronger protocols, like EAP, are unavailable.

- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP):

MS-CHAP is the predecessor of MS-CHAP v2; it lacks mutual authentication
and is easier to breach.

- Password Authentication Protocol (PAP):

PAP is insecure because it transmits usernames and passwords in plain text, making them vulnerable to
interception and unauthorized access.
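The difference between PAP and the challenge-response family above (MS-CHAP v2, Kerberos) is what an eavesdropper with a packet sniffer actually sees. The following added example (not from these notes, and a deliberately simplified HMAC-based scheme rather than the real MS-CHAP v2 or Kerberos algorithms) simulates both exchanges with a constructed credential and checks whether the password ever crosses the wire:

```python
import hashlib
import hmac
import os

# Constructed sample credential; the server keeps only a hash, never the clear text.
USERNAME = "alice"
PASSWORD = "NetW@rk1ng !s C00l"


def password_key(password):
    return hashlib.sha256(password.encode()).digest()


SERVER_STORE = {USERNAME: password_key(PASSWORD)}


def pap_exchange(username, password):
    """PAP: the credential itself crosses the wire in clear text."""
    wire = [("client->server", f"{username}:{password}")]
    ok = SERVER_STORE.get(username) == password_key(password)
    return ok, wire


def challenge_response_exchange(username, password):
    """Simplified mutual challenge-response: only nonces and HMAC proofs cross the wire.
    Captured proofs can still be attacked offline by password guessing, which is why
    the notes prefer certificate-based EAP where it is available."""
    wire = []
    server_nonce = os.urandom(16)
    wire.append(("server->client", server_nonce.hex()))
    # Client proves knowledge of the password without sending it.
    key = password_key(password)
    client_nonce = os.urandom(16)
    client_proof = hmac.new(key, server_nonce + client_nonce, "sha256").hexdigest()
    wire.append(("client->server", f"{username}:{client_nonce.hex()}:{client_proof}"))
    # Server recomputes the proof from its stored hash and rejects on mismatch.
    stored = SERVER_STORE.get(username, b"")
    expected = hmac.new(stored, server_nonce + client_nonce, "sha256").hexdigest()
    if not hmac.compare_digest(expected, client_proof):
        return False, wire
    # Mutual authentication: the server proves it knows the secret too,
    # so a client talking to an impostor server notices the mismatch.
    server_proof = hmac.new(stored, client_nonce + server_nonce + b"server", "sha256").hexdigest()
    wire.append(("server->client", server_proof))
    client_expects = hmac.new(key, client_nonce + server_nonce + b"server", "sha256").hexdigest()
    return hmac.compare_digest(client_expects, server_proof), wire


def password_on_wire(wire, password):
    """What a packet sniffer learns: does the password appear in any message?"""
    return any(password in msg for _, msg in wire)
```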

Multifactor Authentication (MFA) enhances security by requiring users to present more than one type of
credential, especially when accessing sensitive information.

The factors are drawn from these credential categories:

1. Knowledge
2. Possession
3. Inherence

Configuring Password Requirements in a Windows Environment

Network OSs include tools that enable administrators to specify options and restrictions on how and
when users can log on to the network.

Reviewing Password Dos and Don’ts

Some general rules for creating passwords include the following:

• Do use a combination of uppercase letters, lowercase letters, numbers, and special characters, such as
periods, dollar signs, exclamation points, and question marks.

• Do consider using a phrase, such as NetW@rk1ng !s C00l. Phrases are easy to remember but generally
difficult to crack, especially if you mix in special characters and numbers.

• Don’t use passwords based on your logon name, your family members’ names, or even your pet’s
name. Users often use these types of passwords, but unfortunately, they’re easy to guess after attackers
discover personal information about users.

• Don’t use common dictionary words unless they’re part of a phrase, and substitute special characters
and numbers for letters.

• Don’t make your password so complex that you forget it or need to write it down somewhere.
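The rules above can be turned into an automated check. This is an added example, not part of the notes: it tests the character-class rule, the logon-name and personal-name rule, and the dictionary-word rule (after reversing the substitutions the notes recommend, so that a lone "P@ssw0rd" is still caught while a multi-word phrase passes). The word list is a constructed stand-in for a real dictionary.

```python
import re

# Constructed mini word list standing in for a real dictionary (not from the notes).
DICTIONARY = {"password", "network", "networking", "cool", "admin", "welcome", "summer"}

# Reverse the letter substitutions the notes recommend, so "C00l" is recognised as "cool".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e"})

CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9\s]")


def check_password(password, logon_name, personal_names=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []

    # Do: mix uppercase, lowercase, numbers and special characters.
    if not all(re.search(p, password) for p in CLASS_PATTERNS):
        problems.append("use uppercase, lowercase, numbers and special characters")

    # Don't: base the password on the logon name or on family/pet names.
    lowered = password.lower()
    for name in (logon_name, *personal_names):
        if name and name.lower() in lowered:
            problems.append(f"contains logon name or personal name '{name}'")

    # Don't: use a single dictionary word, even with character substitutions.
    words = password.translate(LEET).lower().split()
    if len(words) == 1 and re.sub(r"[^a-z]", "", words[0]) in DICTIONARY:
        problems.append("a single dictionary word with substitutions is still guessable")

    return problems
```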

Close the Local Security Policy console, and log off Windows.

Restricting Logon Hours and Logon Location


Network administrators typically allow users to log on at any time of the day and any day of the week,
but if your security policy states otherwise, most OSs can restrict logon by time of day,
day of the week, and location.

Authorizing Access to Files and Folders

After users log in to a network, they need authorization to access network resources like files
and folders. This is managed through file system security, which allows administrators to assign
permissions to users or groups.

Securing Data with Encryption

Encryption prevents unauthorized access through eavesdropping tools, such as packet sniffers, and
ensures that even if someone gains physical access to a computer, they cannot use the encrypted data
without proper authorization.

Using IPsec to Secure Network Data

IPsec is commonly used to encrypt data on networks, creating a secure connection between two
devices by authenticating them with a shared key, Kerberos, or digital certificates. A preshared key is
manually entered on both devices, while Kerberos generates and manages keys securely within systems
like Windows and Linux. Digital certificates, issued by a Certificate Authority (CA), verify identities for
secure data exchanges. Once authenticated, IPsec encrypts the data, making it unreadable to
interceptors. However, IPsec only protects data in transit, not on disk, which requires additional security
measures.

Securing Data on Disk Drives

Encrypting files on disk drives adds a layer of security that file system permissions alone
cannot provide. If someone gains physical access to a computer, they can bypass file access
controls by booting the system from an external OS, exposing all files. The Encrypting File System
(EFS) feature on NTFS-formatted drives allows users to encrypt files easily through the file’s
properties, ensuring data remains unreadable to unauthorized users.

BitLocker, the whole-drive encryption feature in Windows, operates in three modes:

1. Transparent Mode: Requires TPM (Trusted Platform Module) hardware to verify the boot
environment. If the boot environment has been altered, a recovery key or password is needed; otherwise, the system boots normally.

2. USB Key Mode: Commonly used without TPM. An encryption key stored on a USB drive is needed to
boot.

3. User Authentication Mode: Requires a password to decrypt the OS files at boot, especially if the boot
environment is compromised or the USB key is missing.

Securing Communication with Virtual Private Networks

A Virtual Private Network (VPN) provides secure access to a company’s network over the
Internet by encrypting communication. It creates a secure "tunnel" between the VPN client and
server. This tunnel works through encapsulation, where the data is encrypted inside an inner
packet, while an outer layer holds the necessary routing information for Internet devices.

VPN Remote Access Modes

Point-to-Point Tunneling Protocol (PPTP) – A widely used VPN protocol compatible with multiple OSs,
including Linux and macOS.

Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) – Co-developed by Cisco and Microsoft, this protocol
provides stronger security than PPTP by adding data integrity and identity verification to encryption.

Secure Socket Tunneling Protocol (SSTP) – Uses HTTPS port 443, allowing it to bypass most firewalls
without configuration changes. Supported from Windows Vista SP1 and requires the server to have a
valid certificate from a CA.

VPN Benefits

- Enable mobile users to connect with organizations’ networks securely wherever an Internet connection
is available.

- Allow multiple sites to maintain permanent secure connections via the Internet instead of using
expensive WAN links.

- Reduce costs by using the ISP’s support services instead of paying for more expensive WAN support.

Securing Wireless Networks

Wireless encryption

• Implement encryption to prevent unauthorized access and to secure the data transmitted over
the network. Encryption helps ensure that intercepted packets cannot be interpreted by
attackers.

Wi-Fi Protected Access 2 (WPA2) - Currently the strongest encryption standard. It has two main
variations:

• WPA2-Personal (WPA2-PSK): Ideal for small office/home office (SOHO) networks; does not
require an authentication server.

• WPA2-Enterprise (WPA2-802.1X): Suitable for larger networks; requires an authentication server
like RADIUS.

MAC Address Filtering:

• Restricts access to specific devices by their MAC addresses. This is suitable for small networks
but is easily bypassed, so it should not be relied on without encryption.

Service Set Identifier (SSID)

• A unique alphanumeric label for the WLAN.

• Use an SSID that is not easily guessable and consider disabling SSID broadcasting to reduce
visibility to casual users, although this won’t stop determined attackers.

Additional Recommendations

• Conduct a Site Survey: Position access points (APs) to limit coverage outside necessary areas.

• Regularly Change Encryption Keys: If using WEP, change keys regularly; upgrade to WPA2 where
possible.

• Implement MAC Address Filtering: Combine with encryption for better security.
