Chapter 6. Securing Communications

Terms you need to understand

• VPN

• L2TP

• PPTP

• RADIUS

• IPsec

• SSH

• OSI model

• PGP

• S/MIME

• HTTPS

• S-HTTP

• SSL

• TLS

Techniques you need to master

• Understand the use of encapsulating protocols in the creation of a virtual private network (VPN) over a public network.

• Recognize the use of Internet Protocol Security (IPsec) to create a secured encapsulation of client and server data.

• Be able to identify the use of HTTP and HTTPS protocol connections over ports 80 and 443, respectively.

The hallmark of modern computer use involves network connectivity over many local area network (LAN) and wide area network (WAN) protocols. A wide variety of solutions for connectivity are available, although the most universally available addressing scheme involves the TCP/IP-based global network commonly referred to as the Internet.

This connectivity creates the need for many security considerations, including encapsulation and authentication mechanisms, internetworking communications such as email and web-based connectivity, and issues surrounding the transfer of data across distributed public networks. In this chapter, you learn about the security-related issues surrounding communications through modern network technologies.

Remote Access

The first area of focus within the arena of communications security involves enabling remote or mobile clients to connect to necessary resources. Remote access might include a wireless fidelity (Wi-Fi) link supporting a small office/home office (SOHO) network using modern 802.1x-compliant wireless networking equipment or perhaps allowing a mobile sales force the ability to be authenticated as they dial in to a central office using telephony carriers.

This section focuses on several specific areas of concern related to remote access, including the following:

• 802.1x wireless networking

• Virtual private network (VPN) connections using the Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) connections

• Dial-up authentication using the Remote Authentication Dial-In User Service (RADIUS) or the Terminal Access Controller Access Control System (TACACS and TACACS+)

• Secure terminal connections using the Secure Shell (SSH) interface

• Packet-level authentication of VPN connections using the IPsec standard

Exam Alert

The exam will contain many acronyms specifying security terminology. Make sure that you are very comfortable with the common acronyms, with particular attention to similar acronyms such as PPP (Point-to-Point Protocol used by L2TP) and PPTP (Point-to-Point Tunneling Protocol, which is an alternative to L2TP connectivity).

802.1x Wireless Networking

The IEEE 802.1x specification establishes standards for wireless network connectivity. When a client attempts to make an 802.1x-compliant connection, the client attempts to contact a wireless access point (AP). The AP authenticates the client through a basic challenge-response method and then provides pass-through to a wired network or serves as a bridge to a secondary wireless AP. The one-way initiating authentication process, broadcast using radio waves, is susceptible to several security concerns:

• Data emanation: 802.1x transmissions generate detectable radio-frequency signals in all directions. Although intervening material and walls may affect the functional distance at which these transmissions may be used for normal network connectivity, they remain detectable at extended range. Persons wishing to “sniff” the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) and flying devices overhead to increase detection range without interference from building structures.

• Weak encryption: Without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form. Additional forms of encryption may be implemented, such as the Wired Equivalent Privacy (WEP) and the Advanced Encryption Standard (AES), but transport encryption mechanisms suffer from the fact that a determined listener can obtain enough traffic data to calculate the encoding key in use. New standards that involve time-changing encryption keys may help with this, such as the Temporal Key Integrity Protocol (TKIP) and Wi-Fi Protected Access (WPA/WPA2) standards.

• Session hijacking: Because the authentication mechanism is one way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transact data traffic pretending to be the original client. Unless a secondary authentication and access control mechanism is employed, mobile wireless connectivity may be subjected to this type of attack—particularly when a mobile client moves between locations and must negotiate successive WAP connections in transit.

• Man-in-the-middle attacks: Because the request for connection by the client is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device’s standard roaming handoff mechanism.

• War driving/chalking: Coordinated efforts are underway aimed at identification of existing wireless networks, the service set identifier (SSID) used to identify the wireless network, and any known WEP keys. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x APs announcing their SSID broadcasts, which is known as war driving. Many websites provide central repositories for identified networks to be collected, graphed, and even generated against city maps for the convenience of others looking for open access links to the Internet. A modification of Depression era symbols is being used to mark buildings, curbs, and other landmarks indicating the presence of an available AP and its connection details. This so-called war chalking uses a set of symbols and shorthand details to provide specifics needed to connect using the AP.

• Bluejacking/Bluesnarfing: Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as Bluejacking. Although typically benign, attackers can use this form of attack to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as Bluesnarfing.

VPN Connections

When data must pass across a public or unsecured network, one popular way to secure the data involves the use of a virtual private network (VPN) connection. VPN connections provide a mechanism for the creation of a secured tunnel through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network. This technology allows a secure, authenticated connection between a remote user and the internal private network of an organization. Additional security may be gained through the use of encryption protocols and authentication methods, such as using the IP Security (IPsec) protocol over the VPN connection. VPN connections may be used to create secured connections between remote offices to allow replication traffic and other forms of intersite communication to occur, without incurring the cost of expensive dedicated leased circuits. Some VPN solutions can provide additional checks that ensure users connecting from home have virus software and patches properly installed. A VPN quarantine ensures that computers connecting to the network using the VPN are subject to preconnection and postconnection checks, and can be isolated until the computer meets the required security policy. These checks can examine service pack versions, security updates, and whether the antivirus program is running with the most recent virus definition files. This is especially important because it is often difficult to be sure telecommuters and road warriors conform to security policies by keeping virus software and patches up to date and properly configuring firewalls.

Additionally, it is necessary to make sure that any USB devices these employees use are encrypted. There are many solutions that use AES encryption, such as IronKey and TrueCrypt.

The VPN tunneling process includes three protocols: carrier protocol (IP), encapsulating protocol (PPTP or L2TP), and the passenger protocol (original data). We now examine the encapsulating protocol options PPTP and L2TP.

PPTP Connections

One common VPN encapsulation protocol initially proposed by a group of companies, including Microsoft, in RFC 2637 is the Point-to-Point Tunneling Protocol (PPTP). Connections made between remote users and sites may be made using this encapsulation protocol, which creates a secured “tunnel” through which other data can be transferred.

Layer 2 Tunneling Protocol Connections

The Layer 2 Tunneling Protocol (L2TP) is an extension of the earlier PPTP and Layer 2 Forwarding (L2F) standards. Proposed by Cisco and its partners (RFC 2661), L2TP protocol is rapidly replacing PPTP as the standard encapsulation protocol used for VPN connections. L2TP connections are created by first allowing a client to connect to an L2TP access concentrator, which then tunnels individual PPP frames through a public network to the network access server (NAS), where the frames may then be processed as if generated locally.

Exam Alert

Remember that the L2TP protocol is gaining widespread acknowledgment as the successor to the older PPTP-based VPN connection.

Dial-Up User Access

Although broadband solutions such as cable-modems and Digital Subscriber Line (DSL) connections are becoming more available, the use of an acoustic modulator/demodulator (modem) over normal telephony lines remains a common means of remote connectivity. Client systems equipped with a modem can connect using normal dial-up acoustic connections to a properly equipped RAS server, which then functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet.

Most Internet service providers (ISPs) offer this type of network connectivity for their users, although many organizations still maintain the use of RAS servers to provide direct connectivity for remote users or administrators and to provide failover fault-tolerant communication means in the event of WAN connectivity loss. Demand-dial solutions involving the use of modem technology may even provide on-demand intersite connectivity for replication or communications, without requiring a continuous form of connection between the remote sites.

This section reviews several options for authentication and access control within the dial-up network environment, including the TACACS, RADIUS, TACACS+, and LDAP protocols.

Terminal Access Controller Access Control System

An early authentication mechanism used by UNIX-based RAS servers to forward dial-up user logon and password values to an authentication server is the Terminal Access Controller Access Control System (TACACS) protocol. TACACS did not provide authentication itself; instead, it provided an encryption protocol used to send the logon information to a separate authentication service.

Remote Authentication Dial-In User Service and TACACS+

Modern solutions provide for both user authentication and authorization, including the Remote Authentication Dial-In User Service (RADIUS) and TACACS+ protocols. A RADIUS server functions to authenticate dial-in users using a symmetric-key (private key) method and provides authorization settings through a stored user profile.

Authentication is managed through a client/server configuration in which the RAS server functions as a client of the RADIUS server, passing dial-in user access information to the RADIUS server, often through a VPN connection between the two systems.

The TACACS+ protocol is an extension of the earlier TACACS form, adding authentication and authorization capabilities similar to the RADIUS authentication method. One important difference between these two is that the TACACS+ protocol relies on TCP connectivity, whereas RADIUS uses the User Datagram Protocol (UDP). The TACACS+ protocol is a Cisco proprietary enhancement to improve upon TACACS and extended TACACS (XTACACS). Other differences between RADIUS and TACACS+ include the following:

• RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted.

• TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.

• RADIUS combines authentication and authorization.

• TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.

• RADIUS does not support the AppleTalk Remote Access (ARA) protocol, NetBIOS Frame Protocol Control protocol, Novell Asynchronous Services Interface (NASI), or X.25 PAD connections.

• TACACS+ offers multiprotocol support.

• RADIUS does not allow users to control which commands can or can’t be executed on a router.

• TACACS+ allows control of the authorization of router commands on a per-user or per-group basis.

TACACS+ does have weaknesses, as it is vulnerable to birthday attacks and packet sniffing.

Exam Alert

RADIUS encrypts only the password in the access-request packet that is sent to the RADIUS server. TACACS+ encrypts the entire packet body, but will leave the TACACS+ header intact.
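The difference in what each protocol protects can be seen by building both packets. The following is an added example, not code from the book: it implements the User-Password hiding defined in RFC 2865 and the body obfuscation defined in RFC 8907, using a constructed user name, password, shared secret, authenticator, and session ID.

```python
import hashlib
import struct


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(d ^ p for d, p in zip(data, pad))


# --- RADIUS (RFC 2865): only the User-Password attribute value is hidden ---
def radius_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    size = max(16, -(-len(password) // 16) * 16)  # pad with NULs to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        # Each 16-byte block is XORed with MD5(secret + previous ciphertext block)
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(user, password, secret, authenticator, ident=1):
    attrs = b""
    # Attribute 1 = User-Name (sent in the clear), 2 = User-Password (hidden)
    for atype, value in ((1, user), (2, radius_hide(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    # Code 1 = Access-Request; header is code, identifier, length, authenticator
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def radius_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    length = struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


# --- TACACS+ (RFC 8907): the whole body is obfuscated, the 12-byte header is not ---
def tacacs_crypt(header: bytes, body: bytes, key: bytes) -> bytes:
    version, _type, seq_no, _flags, session_id, _len = struct.unpack("!BBBBII", header)
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < len(body):
        last = hashlib.md5(seed + last).digest()  # MD5 chain forms the pseudo-pad
        pad += last
    return _xor(body, pad)  # XOR is its own inverse, so this also de-obfuscates


def tacacs_packet(user, password, key, session_id):
    # Constructed authentication START body: action=login, priv_lvl=1, type=PAP,
    # service=login, then user/port/rem_addr/data lengths and the fields themselves.
    body = struct.pack("!8B", 1, 1, 2, 1, len(user), 0, 0, len(password)) + user + password
    header = struct.pack("!BBBBII", 0xC1, 1, 1, 0, session_id, len(body))
    return header + tacacs_crypt(header, body, key)


# Constructed sample values (not taken from any real deployment)
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
RADIUS_PKT = radius_access_request(b"alice", b"correct horse", SECRET, AUTHENTICATOR)
TACACS_PKT = tacacs_packet(b"alice", b"correct horse", SECRET, 0x1234ABCD)

if __name__ == "__main__":
    print("RADIUS  user name visible on the wire:", b"alice" in RADIUS_PKT)
    print("RADIUS  password visible on the wire: ", b"correct horse" in RADIUS_PKT)
    print("TACACS+ header (clear):", TACACS_PKT[:12].hex())
    print("TACACS+ user name visible in body:    ", b"alice" in TACACS_PKT[12:])
```
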

Lightweight Directory Access Protocol

Often used within extended enterprise networks, Lightweight Directory Access Protocol (LDAP) allows authentication of logon identities over TCP/IP connectivity against a hierarchical directory. As of this writing, the Internet Engineering Task Force (IETF) has established the third official version of LDAP, although additional LDAP variations exist in commercial directory services, such as the Microsoft Active Directory.

Exam Alert

Remember that LDAP is a TCP/IP-based protocol connecting by default to TCP port 389, querying a hierarchical tree-structured directory that includes directory entries for elements such as printers, servers, services, and user accounts. Each entry may have multiple attributes, which are defined in the directory’s schema. The designation of an entry is its Distinguished Name (DN) assembled from a Relative Distinguished Name (RDN) that reflects specific attributes of the entity in combination with the entry’s parent DN to create the hierarchical directory tree.

Secure Shell Connections

As a more secure replacement for the common command-line terminal utility Telnet, the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. SSH uses the asymmetric (public key) Rivest-Shamir-Adleman (RSA) cryptography method to provide both connection and authentication.

Data encryption is accomplished using one of the following algorithms:

• International Data Encryption Algorithm (IDEA): The default encryption algorithm used by SSH, which uses a 128-bit symmetric key block cipher.

• Blowfish: A symmetric (private key) encryption algorithm using a variable 32- to 448-bit secret key.

• Data Encryption Standard (DES): A symmetric key encryption algorithm using a random key selected from a large number of shared keys. Most forms of this algorithm cannot be used in products meant for export from the United States.

The SSH suite encapsulates three secure utilities: slogin, ssh, and scp, derived from the earlier non-secure UNIX utilities rlogin, rsh, and rcp. SSH provides a large number of available options that you should be at least somewhat familiar with.

Like Telnet, SSH provides a command-line connection through which an administrator may input commands on a remote server. SSH provides an authenticated and encrypted data stream, as opposed to the clear-text communications of a Telnet session. The three utilities within the SSH suite provide the following functionality:

• Secure Login (slogin): A secure version of the UNIX Remote Login (rlogin) service, which allows a user to remotely connect to a remote server and interact with the system as if directly connected

• Secure Shell (ssh): A secure version of the UNIX Remote Shell (rsh) environment interface protocol

• Secure Copy (scp): A secure version of the UNIX Remote Copy (rcp) utility, which allows transfer of files in a manner similar to the File Transfer Protocol (FTP)

Remote Desktop Protocol (RDP)

The Microsoft Remote Desktop Protocol (RDP) evolved from Terminal Services. RDP is an extension of the ITU T.120 family of protocols supporting various types of network topologies and LAN protocols. It provides remote display and input capabilities over network connections for Windows-based applications running on a server. This is similar to the environment provided by Citrix for remote access to applications.

The server functionality is provided by the Terminal Server component. It handles Remote Assistance, Remote Desktop and Remote Administration clients. Two client applications that use terminal services are Remote Assistance and Remote Desktop. The RDP allows a user to log on to a remote system and access the desktop, applications, and data on the system, as well as control it remotely just as if it were on the local machine. RDP allows for separate virtual channels to carry device communication and present data from the server, as well as encrypt client mouse and keyboard data. RDP uses RSA Security’s RC4 cipher and uses TCP port 3389 by default.

Internet Protocol Security

The Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. Unlike most security systems that function within the application layer of the Open Systems Interconnection (OSI) model, the IPsec functions within the network layer.

Exam Alert

The OSI model is a logically structured model that encompasses the translation of data entered at the application layer through increasingly more abstracted layers of data, resulting in the actual binary bits passed at the physical layer. At the other end of a data transfer, the individual packets of data are ordered and reassembled by passing back through the layers of operation of the OSI model until the original data is reproduced at the application layer on the receiving system.

The layers of the OSI model are as follows:

  7. Application layer

  6. Presentation layer

  5. Session layer

  4. Transport layer

  3. Network layer

  2. Data link layer (subdivided into the logical-link control (LLC) and Media Access Control [MAC] sublayers)

  1. Physical layer

You should be very familiar with the OSI model, and the common protocols and network hardware that function within each level. For example, you should know that hubs operate at the physical layer of the OSI model. Intelligent hubs, bridges, and network switches operate at the data link layer, and Layer 3 switches and routers operate at the network layer. The Network+ Exam Cram and Exam Prep books cover the OSI model in much greater detail. If you will be working extensively with network protocols and hardware, you should also look at these texts.

IPsec provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.

IPsec Services

The asymmetric key standard defining IPsec provides two primary security services:

• Authentication Header (AH): This provides authentication of the data’s sender, along with integrity and nonrepudiation. RFC 2402 states that AH provides authentication for as much of the IP header as possible, as well as for upper-level protocol data. However, some IP header fields might change in transit, and when the packet arrives at the receiver, the value of these fields might not be predictable by the sender. The values of such fields cannot be protected by AH. Thus the protection provided to the IP header by AH is somewhat piecemeal.

• Encapsulating Security Payload (ESP): This supports authentication of the data’s sender and encryption of the data being transferred along with confidentiality and integrity protection. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality. The set of services provided depends on options selected at the time of security association establishment and on the placement of the implementation. Confidentiality may be selected independently of all other services. However, the use of confidentiality without integrity/authentication (either in ESP or separately in AH) might subject traffic to certain forms of active attacks that could undermine the confidentiality service.

Protocols 51 and 50 are the IP protocol numbers assigned to the Authentication Header and Encapsulating Security Payload components of the IPsec protocol, respectively. IPsec inserts ESP or AH (or both) as protocol headers into an IP datagram, immediately following the IP header.

The protocol field of the IP header will be 50 for ESP, or 51 for AH. If IPsec is configured to do authentication rather than encryption, you must configure an IP filter to let protocol 51 traffic pass. If IPsec uses nested AH and ESP, an IP filter can be configured to let only protocol 51 (AH) traffic pass.
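To see why a filter that passes only protocol 51 still admits nested AH and ESP traffic, the sketch below walks the header chain of three packets. It is an added example, not code from the book; the addresses, SPIs, ICV bytes, and payloads are constructed, and `filter_allows` is a hypothetical stand-in for a stateless IP filter that inspects only the outer protocol field.

```python
import socket
import struct

ESP, AH = 50, 51
NAMES = {6: "TCP", 17: "UDP", ESP: "ESP", AH: "AH"}


def _checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="198.51.100.20") -> bytes:
    """Build a minimal 20-byte IPv4 header (documentation addresses) plus payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def ah(next_header: int, spi: int, seq: int, inner: bytes) -> bytes:
    icv = b"\xAA" * 12                       # constructed 96-bit ICV placeholder
    payload_len = (12 + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv + inner


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + ciphertext


def header_chain(packet: bytes) -> list:
    """Return [(name, spi, seq), ...] for the IPsec headers visible in the clear."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    pos = (packet[0] & 0x0F) * 4
    if pos < 20 or len(packet) < pos:
        raise ValueError("bad IPv4 header length")
    proto, chain = packet[9], []
    while True:
        if proto == AH:
            if len(packet) < pos + 12:
                raise ValueError("truncated AH header")
            nxt, plen, _rsv, spi, seq = struct.unpack("!BBHII", packet[pos:pos + 12])
            chain.append(("AH", spi, seq))
            pos += (plen + 2) * 4            # skip the whole AH header, ICV included
            proto = nxt                      # AH names the header that follows it
        elif proto == ESP:
            if len(packet) < pos + 8:
                raise ValueError("truncated ESP header")
            spi, seq = struct.unpack("!II", packet[pos:pos + 8])
            chain.append(("ESP", spi, seq))
            return chain                     # everything after this is encrypted
        else:
            chain.append((NAMES.get(proto, str(proto)), None, None))
            return chain


def filter_allows(packet: bytes, allowed: set) -> bool:
    """Hypothetical stateless filter: looks only at the outer IP protocol field."""
    return packet[9] in allowed


# Constructed sample packets
AH_ONLY = ipv4(AH, ah(6, 0x1001, 1, b"constructed tcp segment"))
ESP_ONLY = ipv4(ESP, esp(0x2001, 1, b"\x00" * 32))
NESTED = ipv4(AH, ah(ESP, 0x1002, 7, esp(0x2002, 7, b"\x00" * 32)))

if __name__ == "__main__":
    for name, pkt in (("AH only", AH_ONLY), ("ESP only", ESP_ONLY), ("AH+ESP", NESTED)):
        print(f"{name:8} outer protocol={pkt[9]} chain={[h[0] for h in header_chain(pkt)]} "
              f"passes AH-only filter={filter_allows(pkt, {AH})}")
```
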

Internet Key Exchange Protocol

IPsec supports the Internet Key Exchange (IKE) protocol, which is a key management standard used to allow specification of separate key protocols to be used during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.

Exam Alert

Make sure that you are familiar with common key exchange protocols and standard encryption algorithms, including asymmetric key solutions such as the Diffie-Hellman Key Agreement and Rivest-Shamir-Adleman (RSA) standards, symmetric key solutions such as the International Data Encryption Algorithm (IDEA) and Data Encryption Standard (DES), and hashing algorithms such as the Message Digest 5 (MD5) and Secure Hash Algorithm (SHA). Chapter 9, “Cryptography Basics,” includes additional detail on encryption standards. Make sure to review these technologies when studying that chapter’s content.

Electronic Mail

One of the most fundamental changes brought by the global interconnectivity of networked computers is electronic mail (email). Originally used to send messages between systems operators on the early Bitnet and other pre-Internet networks, email messages are becoming an increasingly pervasive method of communications between individuals, business partners, and to facilitate financial transactions and electronic commerce. Email has been used successfully as evidence in several court trials and forms the fundamental method of communication within many organizations.

The global nature of email distribution and the speed of delivery (often only seconds separate transmission and receipt, even between users on separate continents), makes email a valuable tool. However, the speed and accessibility of this technology also carry several security considerations. Public transfer of sensitive information could potentially expose this information to undesired recipients, undesired and often unsolicited email messages can require a significant amount of time to review and discard, and email messages may contain any number of hazardous programmatic file attachments directed at unsuspecting users.

This section reviews mechanisms for securing email transmissions using the S/MIME protocol and the PGP third-party application. In addition, this section touches on some of the undesirable elements of email, including spam and hoaxes.

Secure Multipurpose Internet Mail Extension

The Multipurpose Internet Mail Extension (MIME) protocol extended the capability of the original Simple Mail Transfer Protocol (SMTP) to allow the inclusion of nontextual data within an electronic mail message. Embedding data within an electronic mail message allows a simple method for the transmission and receipt of images, audio and video files, application programs, and many other types of non-ASCII text.

To provide a secure method of transmission, the Secure Multipurpose Internet Mail Extension (S/MIME) standard was developed. S/MIME uses the Rivest-Shamir-Adleman asymmetric encryption scheme to encrypt email transmissions over public networks. Modern versions of Netscape and Internet Explorer include S/MIME support in their role as email clients.

Pretty Good Privacy

An alternative to the use of S/MIME is the proposed PGP/MIME standard, derived from the Pretty Good Privacy (PGP) application program developed by Philip R. Zimmermann in 1991. This program is used to encrypt and decrypt email messages using either the Rivest-Shamir-Adleman or the Diffie-Hellman asymmetric encryption schemes. The PGP application must be purchased and is available for individual and corporate use.

One useful feature of the PGP program is the ability to include a digital signature and thus validate an email to its recipient. This recipient can use this calculated hash value to verify that the received email has not been tampered with.

Undesirable Email

The strength of email involves its ability to be rapidly transmitted to one or many recipients, who rapidly receive the directed message, generally without per-item charges, as would be the case for surface mail, which requires a stamp for each item. Via email, small organizations can rapidly reach a tremendously large potential base of consumers, whether with a possible item for sale, request for donation, notice of service, or any other manner of information.

Spam

With the entire world only a single click of the Send button away, the volume of messages that a user may receive rapidly becomes too great to easily manage. Undesired or unsolicited email has gained the nickname spam, derived from an amalgamated meat product of the same name. These electronic junk mail messages can rapidly overtax the capacity of email servers and require a large amount of user time to review each item and respond to or discard it.

Many solutions attempt to stem the rising tide of spam messages flowing into users’ inboxes, such as blacklist subscriptions. These blacklists register known spam senders. Email messages that match the sender’s address can be discarded before they are received by an organization’s clients. Most email clients enable users to configure automatic rules, which can handle many types of spam automatically, discarding items from particular senders or items that contain certain words or phrases.

The subjective nature of any type of email filtering can be problematic to implement, particularly when it is critical that messages be received from clients or vendors, who might inadvertently put the wrong words or phrases within the body of an important message. Chapter 1 discussed spam in greater detail.

Hoaxes

Another form of problematic email includes those messages that include incorrect or misleading information. These hoax messages may warn of emerging threats that do not exist. They might instruct users to delete certain files to ensure their security against a new virus, while actually only rendering the system more susceptible to later viral agents.

Hoaxes may warn of pending legislation, offer to send the user great sums of money if the user will just provide all their identity and financial information to the source, or may even tell of a $1,000 cookie recipe that the sender will be glad to make available for only a fraction of the price. These and many more hoax items circulate in a growing thread of tales and ideas, everything from urban myths to detailed instructions that may result in loss of functionality or later security vulnerability.

Instant Messaging

One alternative to the asynchronous communications of email is instant messaging (IM) software solutions, such as the Windows Live Messenger, ICQ, and AOL Instant Messenger. These products link to a central server when they are opened and provide a continuously available means of communications with other users of the same system. Other file-sharing solutions using both client/server and peer-to-peer network connectivity are also included in this category, such as the Napster and Gnutella products, which have been the subject of much legislation recently.

IM solutions pose many of the same vulnerabilities as email, in that they are readily accessible to a broad audience and may receive a high volume of spam, hoaxes, and unwanted viral programs. Because the IM client application may not integrate strongly with the operating system, file-transfer capabilities can be used to transmit viral agents that bypass some forms of antivirus protection.

Because some file-sharing systems advertise only the platform-independent short name form of a file’s name, which specifies only an eight-character filename and a three-character file extension (often written as 8.3 naming), it is possible for improperly named executable files to be received and automatically processed by the IM software (and then perform unexpected and often undesirable actions).

Open file shares inadvertently advertised by file-sharing systems can generate a tremendous load on the network bandwidth as others connect to the shared system and potentially expose many forms of sensitive information. In addition, because many IM clients transmit data in plain text, user conversations along with any sensitive information they may transfer can be sniffed and later used for nefarious purposes.

Web Connectivity

The Internet enables users to connect to many millions of sources of information, services, products, and other functionality through what has come to be known as the World Wide Web (or simply, the Web). Business transactions, membership information, vendor/client communications, and even distributed business logic transactions can all occur using the basic connectivity of the Web, which uses the Hypertext Transport Protocol (HTTP) on TCP port 80.

Chapter 2, “Online Vulnerabilities,” examined the vulnerabilities of many web-based technologies. Here, we focus only on the protocols used to secure basic communications with a web server.

Hypertext Transport Protocol over Secure Sockets Layer

Basic Web connectivity using HTTP occurs over TCP port 80, providing no security against interception of transacted data sent in clear text. An alternative to this involves the use of Secure Sockets Layer (SSL) transport protocols operating on port 443, which creates an encrypted pipe through which HTTP traffic can be conducted securely. To differentiate them from calls to port 80 (http://servername/), HTTP over SSL calls to port 443 use HTTPS as the URL designator (https://servername/).

HTTPS was originally created by the Netscape Corporation and used a 40-bit RC4 stream encryption algorithm to establish a secured connection encapsulating data transferred between the client and web server, although it can also support the use of X.509 digital certificates to allow the user to authenticate the sender. Now, 128-bit encryption keys are possible and have become the accepted level of secure connectivity for online banking and electronic commerce transactions.

Exam Alert

An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP) developed to support connectivity for banking transactions and other secure Web communications. S-HTTP supports DES, 3DES, RC2, and RSA2 encryption, along with CHAP authentication, but was not adopted by the early web browser developers (for example, Netscape and Microsoft) and so remains less common than the HTTPS standard.

Secure Sockets Layer

Secure Sockets Layer (SSL) protocol communications occur between the HTTP (application) and TCP (transport) layers of Internet communications. SSL establishes a stateful connection negotiated by a handshaking procedure between client and server. During this handshake, the client and server exchange the specifications for the cipher that will be used for that session. SSL communicates using an asymmetric key with cipher strength of 40 or 128 bits.

Transport Layer Security

The Transport Layer Security (TLS) protocol is another asymmetric key encapsulation, currently considered the successor to SSL transport. It is based on Netscape’s Secure Sockets Layer 3.0 (SSL3) transport protocol and provides encryption using stronger encryption methods, such as the Data Encryption Standard (DES), or can operate without encryption altogether if desired for authentication only.

TLS has two layers of operation:

• TLS Record Protocol: This protocol allows the client and server to communicate using some form of encryption algorithm (or without encryption if desired).

• TLS Handshake Protocol: This protocol allows the client and server to authenticate one another and exchange encryption keys to be used during the session.
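
The two layers can be seen directly in the bytes a client sends. The following is an added example, not part of the original chapter: it splits a byte stream into Record Protocol records, reads the cipher suites offered in a Handshake Protocol ClientHello, and flags the legacy RC4, export-grade, and 3DES suites a defender would want to stop accepting. The sample message is constructed, the function names are illustrative, and the parser assumes one unfragmented ClientHello per handshake record.

```python
import struct
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
WEAK = {0x0003, 0x0005, 0x000A}   # RC4, export-grade and 3DES suites

def build_client_hello(suites):
    """Construct a minimal ClientHello (sample data, all-zero random, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_records(data):
    """Record Protocol: split a byte stream into (content type, version, fragment)."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, off)
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record")
        records.append((CONTENT_TYPES.get(ctype, "unknown"), (major, minor), fragment))
        off += 5 + length
    return records

def offered_suites(fragment):
    """Handshake Protocol: return the cipher suite code points in a ClientHello."""
    if len(fragment) < 4 or fragment[0] != 1:
        raise ValueError("not a ClientHello")
    body = fragment[4:4 + int.from_bytes(fragment[1:4], "big")]
    try:
        off = 2 + 32                                     # skip client_version and random
        off += 1 + body[off]                             # skip session id
        (n,) = struct.unpack_from("!H", body, off)
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    if n % 2 or off + 2 + n > len(body):
        raise ValueError("bad cipher suite list")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(off + 2, off + 2 + n, 2)]

def weak_offers(data):
    """Names of weak suites offered by any ClientHello found in the stream."""
    return [SUITES.get(s, hex(s)) for ctype, _, frag in parse_records(data)
            if ctype == "handshake" for s in offered_suites(frag) if s in WEAK]
SAMPLE = build_client_hello([0xC02F, 0x002F, 0x0005, 0x0003])   # constructed input
```

Calling weak_offers(SAMPLE) returns the two RC4 suites in the constructed offer, including the 40-bit export suite that corresponds to the original HTTPS key strength described earlier.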

Exam Prep Questions

1. Between which two layers of the OSI model does the Secure Sockets Layer (SSL) protocol function?

A. Application layer

B. Presentation layer

C. Session layer

D. Transport layer

E. Network layer

F. Data link layer

G. Physical layer

2. Which of the following encryption protocols are used in Secure Shell connections? (Select all that apply.)

A. International Data Encryption Algorithm

B. Blowfish

C. Rivest Cipher 4

D. Digital Encryption Standard

E. Message Digest

3. In a RADIUS authentication scenario, which of the following systems would be considered the RADIUS client?

A. The RADIUS server

B. The RAS server

C. The authentication server

D. The dial-up client

4. Which of the following encryption methods are available when using Pretty Good Privacy? (Select all that apply.)

A. International Data Encryption Algorithm

B. Blowfish

C. Diffie-Hellman

D. Digital Encryption Standard

E. Rivest-Shamir-Adleman

5. Which standard port will be used to establish a web connection using the 40-bit RC4 encryption protocol?

A. 21

B. 80

C. 443

D. 8,250

6. Which of the Secure Shell utilities is used to establish a secured command-line connection to a remote server?

A. rlogin

B. slogin

C. rsh

D. ssh

E. rcp

F. scp

7. When using RADIUS to authenticate a dial-in user, which of the following is the RADIUS client?

A. The dial-in user’s computer

B. The RAS server

C. The RADIUS server

D. The client’s Internet service provider

E. The virtual private network

8. You have decided to use the Terminal Access Controller Access Control System (TACACS) standard for dial-up authentication. Which of the following capabilities will be provided by this service?

A. User authentication

B. Authorization

C. Encrypted forwarding

D. All of the above

9. At which layer of the OSI model does the Internet Protocol Security protocol function?

A. Application layer

B. Presentation layer

C. Session layer

D. Transport layer

E. Network layer

F. Data link layer

G. Physical layer

10. Which of the following are possible dangers of using instant messaging clients? (Select all that apply.)

A. Spam

B. Hoaxes

C. Viruses

D. File sharing

E. File execution

11. Which of the following are asymmetric encryption standards? (Choose two correct answers.)

A. IDEA

B. MD5

C. RSA

D. SHA

E. Diffie-Hellman

F. DES

Answers to Exam Prep Questions

1. A, D. SSL connections occur between the application and transport layers. Answers B and C are incorrect because the Secure Sockets Layer transport effectively fills the same role as these OSI model layers. Answers E, F, and G are incorrect because the data has been abstracted beyond the level at which SSL operates.

2. A, B, and D. SSH connections can make use of the IDEA, Blowfish, and DES encryption methods. Answer C is incorrect because the RC4 protocol is used by the SSL protocol. Answer E is incorrect because the MD5 hashing algorithm is not used by Secure Shell connectivity.

3. B. The RAS server is considered the RADIUS client, authenticating dial-up connection requests against the RADIUS server. Answer A is incorrect because the RADIUS server does not directly provide remote dial-up functionality of the RAS server. Answer C is incorrect because the RADIUS server provides authentication response to the RAS server as its client. Answer D is incorrect because the dial-up client is a client of the RAS server, rather than of the RADIUS server, which is not directly contacted by the dial-up client.

4. C, E. PGP can make use of either the Diffie-Hellman or RSA public key encryption methods. Answers A, B, and D are incorrect because these protocols are not available within PGP.

5. C. A connection using the HTTP protocol over SSL (HTTPS) will be made using the RC4 cipher and will be made using port 443. Answer A is incorrect because port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer D is incorrect because port 8250 is not designated to a particular TCP/IP protocol.

6. B. The slogin SSH utility provides secured command-line connections to a remote server. Answers A, C, and E are incorrect because rlogin, rsh, and rcp do not use secured connections. Answer D is incorrect because the ssh utility is used to establish a secured environment link to a remote server, and answer F is incorrect because the scp utility is used for secure file copying.

7. B. The RAS server functions as the RADIUS client authenticating dial-in user attempts against the RADIUS server. Answer A is incorrect because the dial-in user does not directly contact the RADIUS server. Answer C is incorrect because the RADIUS server would not be its own client. Answer D is incorrect because a client dialing in to an RAS server would not be connecting through a separate ISP. Answer E is incorrect because a VPN connection establishes a secured tunnel between two systems and is not involved in RADIUS authentication.

8. C. TACACS forwards logon information to an authentication server through an encrypted connection. Answer A is incorrect because TACACS cannot provide authentication by itself. Answer B is incorrect because the original TACACS protocol does not provide authorization support. Answer D is incorrect because the question specifies the original TACACS protocol, rather than the extended TACACS+ protocol that adds authentication and authorization to the earlier protocol’s functionality.

9. E. IPsec validation and encryption function at the network layer of the OSI model. Answers A, B, C, and D are incorrect because IPsec functions at a lower level of the OSI model. Answers F and G are incorrect because they define a more abstracted level of data manipulation than is managed by the IPsec standard.

10. A, B, C, D, and E. IM solutions have many potential security problems, including the receipt of spam and hoax messages, possible execution of files and viruses bypassing operating system protections, and possible exposure of file shares to public access.

11. C, E. The Diffie-Hellman and Rivest-Shamir-Adleman encryption standards specify public key (asymmetric) encryption methods. Answers A and F are incorrect because the Digital Encryption Standard and International Data Encryption Algorithm standards specify private key (symmetric) encryption methods. Answers B and D are incorrect because the Message Digest 5 and Secure Hash Algorithm standards are hashing algorithms.

Suggested Reading and Resources

1. Allen, Julia H. The CERT Guide to System and Network Security Practices. Addison-Wesley, 2001.

2. SANS Information Security Reading Room: http://www.sans.org/reading_room/
