Security Protocols

  • Identify the following security protocols and describe their purpose and function:

    • Internet Protocol Security (IPSec)

    • Layer 2 Tunneling Protocol (L2TP)

    • Secure Sockets Layer (SSL)

    • Kerberos

Any discussion of remote access is sure to include security, and for a good reason: As its name implies, remote access literally opens your network to remote users. Although you'd like to think that only authorized users would try to connect from remote locations, the reality is that an equal number of illegitimate users will probably attempt to connect. Because many of the methods used to establish remote access are over public networks, securing the data you send and the points at which you connect is an important consideration. A significant element of this security is encryption.

Encryption is the process of encoding the data sent over remote connections, and it involves scrambling the usernames and passwords used to gain access to the remote network. Encryption is simply the process of encoding data using a mathematical algorithm that makes it difficult for unauthorized users to read the data if they are able to intercept it. The algorithm is actually a mathematical value known as a key. The key is required in order to read the encrypted data. Encryption techniques use public and private keys; public keys can be shared and private keys cannot.

A key is a binary number that has a large number of bits. As you might imagine, the bigger the number or key, the harder it is to guess. Today, simple encryption strategies use 40 to 56 bits. With 40-bit encryption, there are 2^40 possible keys; 56-bit encryption has 2^56 possible keys—that's more than 65 trillion possible keys. Remember that without the correct key, the data cannot be accessed. Although the number of keys associated with lower-grade encryption may seem amazing, such keys have been cracked by some very high-end, specialized systems. That makes higher-grade encryption necessary: Many online transactions require 128-bit encryption, and other applications support encryption as high as 1,024 bits. (If you have time, try to calculate the key combinations for these higher-grade encryption strategies.)
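The calculation the paragraph invites, worked through as an added example (this is not code from the original text): key_space() computes the 2^n key space for each key length the text mentions, and the brute-force functions estimate how long an exhaustive search would take at an assumed rate of one trillion guesses per second (a constructed figure used only to make the comparison concrete, not a value from the text). The example goes one step beyond the paragraph by carrying the same arithmetic through to the 128-bit and 1,024-bit lengths.

```python
from decimal import Decimal

# Constructed assumption: an attacker's brute-force rate in keys tried per second.
# Real figures depend on hardware; this is only to make the comparison concrete.
ASSUMED_KEYS_PER_SECOND = 10**12
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def key_space(bits: int) -> int:
    """Number of possible keys for an n-bit key: 2**n (each extra bit doubles it)."""
    if bits <= 0:
        raise ValueError("key length must be a positive number of bits")
    return 1 << bits


def average_brute_force_seconds(bits: int, rate: int = ASSUMED_KEYS_PER_SECOND) -> Decimal:
    """Expected time to find the key by exhaustive search: half the key space on average."""
    return Decimal(key_space(bits)) / Decimal(2) / Decimal(rate)


def brute_force_years(bits: int, rate: int = ASSUMED_KEYS_PER_SECOND) -> Decimal:
    """Same estimate expressed in years, which is the unit that makes 128-bit keys legible."""
    return average_brute_force_seconds(bits, rate) / Decimal(SECONDS_PER_YEAR)


def compare_key_lengths(bit_lengths=(40, 56, 128, 1024)) -> dict:
    """Key space and expected brute-force time for each length the text mentions."""
    return {b: {"keys": key_space(b), "years": brute_force_years(b)} for b in bit_lengths}


if __name__ == "__main__":
    for bits, info in compare_key_lengths().items():
        # Decimal formatting is used because 2**1024 overflows a float.
        print(f"{bits:5d}-bit key: {Decimal(info['keys']):.3e} keys, "
              f"about {info['years']:.3e} years at {ASSUMED_KEYS_PER_SECOND:.0e} keys/s")
```

The numbers show why the text calls 40- and 56-bit keys "lower-grade": at the assumed rate a 40-bit key falls in well under a second and a 56-bit key in hours, while the 128-bit figure runs to quintillions of years.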

Using and managing remote access connections requires knowledge of security protocols and what they are designed to do. The following sections examine several different security protocols:

  • IP Security (IPSec)

  • Layer Two Forwarding (L2F)

  • Layer 2 Tunneling Protocol (L2TP)

  • Secure Sockets Layer (SSL)

  • Kerberos

  • Secure Shell (SSH)

  • Remote Authentication Dial-In User Service (RADIUS)

IPSec

IPSec is designed to encrypt data during communication between two computers. The function of IPSec is to ensure that data on a network cannot be viewed, accessed, or modified by those who should not have access to it. IPSec provides security for both internal and external networks. It might seem that protection on an internal network is less necessary than on an external network; however, much of the data you send across networks has little or no protection, allowing unwanted eyes to access it.

IPSec provides three key security services:

  • Data verification— It verifies that the data received is from the intended source.

  • Protection from data tampering— It ensures that the data has not been tampered with and changed between the sending and receiving devices.

  • Private transactions— It ensures that the data sent between the sending and receiving devices is unreadable by any other devices.

NOTE

Using IPSec: IPSec was created by the Internet Engineering Task Force (IETF) and can be used on both IPv4 and IPv6 networks.


EXAM TIP

IPSec and TCP/IP: IPSec can only be used on TCP/IP networks. If you are using another network protocol, you need to use a security protocol such as L2TP.


IPSec operates at the network layer of the Open Systems Interconnection (OSI) model and provides security for protocols that operate at higher layers of the OSI model. Thus, by using IPSec, you can secure practically all TCP/IP-related communications.

L2F

L2F is a proprietary protocol and technology that was developed by Cisco Systems. It allows tunneling to be utilized as a connection method over insecure networks. L2F is still around today; it has been folded into new implementations of tunneling protocols, and it is included in the new and improved L2TP.

Layer Two Tunneling Protocol (L2TP)

L2TP is a combination of PPTP and Cisco's L2F technology. L2TP, as the name suggests, utilizes tunneling to deliver data. It authenticates the client in a two-phase process: It first authenticates the computer and then the user. By authenticating the computer, it prevents the data from being intercepted, changed, and returned to the user in what is known as a man-in-the-middle attack. L2TP assures both parties that the data they are receiving is exactly the data sent by the originator.

NOTE

L2TP Tunneling Without Encryption: It is possible to create an L2TP tunnel without using encryption, but this is not a true VPN and, obviously, lacks a certain amount of security.


L2TP and PPTP are both tunneling protocols, so you might be wondering which you should use. Here is a quick list of some of the advantages of each, starting with PPTP:

  • PPTP has been around the longest; it offers more interoperability than L2TP.

  • PPTP is an industry standard.

  • PPTP is easier to configure than L2TP because L2TP requires digital certificates.

  • PPTP has less overhead than L2TP.

EXAM TIP

L2TP and the Data-Link Layer: Unlike IPSec, which operates at the network layer of the OSI model, L2TP operates at the data-link layer, making it protocol independent. This means that an L2TP connection can support protocols such as IPX and AppleTalk.


NOTE

L2TP and NAT: L2TP cannot be used if Network Address Translation (NAT) is being used.


The following are some of the advantages of L2TP:

  • L2TP offers greater security than PPTP.

  • L2TP supports common public key infrastructure technology.

  • L2TP provides support for header compression.

Secure Sockets Layer (SSL)

SSL is a security protocol that is used on the Internet. Originally developed by Netscape for use with its Navigator browser, SSL uses public key encryption to establish secure connections over the Internet. SSL provides three key services:

  • Server authentication— SSL allows a user to confirm a server's identity. For example, you can use this ability when you are purchasing something online with a credit card but first want to verify the server's identity.

  • Client authentication— SSL allows a server to confirm a user's identity. This functionality is often used when a server is sending sensitive information—such as banking information or sensitive documents—to a client system and wants to verify the client's identity.

  • Encrypted connections— It is possible to configure SSL to require all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software. Doing this establishes private and secure communication between two devices. In addition, SSL has a mechanism to determine whether the data sent has been tampered with or altered in transit.

You can see SSL security on the Web when you access a secure uniform resource locator (URL). Secure Web sites begin with https:// instead of http://. Hypertext Transfer Protocol over SSL (HTTPS) connections require a browser to establish a secure connection.

EXAM TIP

SSL and Port 443: For the exam, don't forget that SSL connections for Web pages are made through port 443 by default.


Kerberos

Seasoned administrators can tell you about the risks of sending clear-text, unencrypted passwords across any network. The Kerberos network authentication protocol is designed to ensure that the data sent across networks is encrypted and safe from attack. Its purpose is to provide authentication for client/server applications.

EXAM TIP

Tickets: For the exam, you should know that the security tokens used in Kerberos are known as tickets.


Kerberos was created at Massachusetts Institute of Technology to provide a solution to network security issues. With Kerberos, the client must prove its identity to the server, and the server must also prove its identity to the client. Kerberos provides a method to verify the identity of a computer system over an insecure network connection.

Kerberos is distributed freely, as is its source code, allowing anyone interested to view the source code directly. Kerberos is also available from many different vendors that provide additional support for its use.
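A simplified Kerberos-style exchange, added here as an illustration of the ticket mechanism and the two-way identity proof described above; it is not code from MIT Kerberos or from the original text. A key distribution center (KDC) shares a long-term key with every principal; it issues a ticket that only the service can open and a reply that only the client can open, both carrying a fresh session key. The client proves its identity with an authenticator sealed under the session key, and the service proves its identity back by returning the client's timestamp plus one. Assumptions: seal()/unseal() are a toy construction (SHA-256 keystream plus HMAC) standing in for the real Kerberos encryption types, the AS and TGS steps are collapsed into one issue() call, and the principal names and passwords are constructed.

```python
import hashlib
import hmac
import json
import os
import time


# Toy authenticated encryption (constructed for this example; it stands in for the real
# Kerberos encryption types and must not be used as a cipher in practice).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag. Only a holder of key can open it."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt; a forged or wrong-key blob raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def long_term_key(password: str) -> bytes:
    """Toy derivation of a principal's long-term key from its password."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Key Distribution Center: shares a long-term key with every principal."""

    def __init__(self, principals: dict):
        self.keys = {name: long_term_key(pw) for name, pw in principals.items()}

    def issue(self, client: str, service: str, lifetime: int = 300, now=None):
        """AS and TGS steps collapsed into one: a ticket for the service, a reply for the client."""
        now = int(time.time()) if now is None else now
        session_key = os.urandom(32)
        contents = json.dumps({"client": client, "service": service,
                               "key": session_key.hex(), "expires": now + lifetime}).encode()
        return seal(self.keys[service], contents), seal(self.keys[client], contents)


def client_authenticate(client: str, password: str, reply: bytes, now=None):
    """Client opens the KDC reply with its own key and builds an authenticator."""
    now = int(time.time()) if now is None else now
    creds = json.loads(unseal(long_term_key(password), reply))  # wrong password -> ValueError
    session_key = bytes.fromhex(creds["key"])
    authenticator = seal(session_key, json.dumps({"client": client, "timestamp": now}).encode())
    return session_key, authenticator, now


def service_verify(service_password: str, ticket: bytes, authenticator: bytes,
                   skew: int = 300, now=None):
    """Service opens the ticket with its own key, then the authenticator with the session key."""
    now = int(time.time()) if now is None else now
    t = json.loads(unseal(long_term_key(service_password), ticket))
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = json.loads(unseal(session_key, authenticator))
    if a["client"] != t["client"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(now - a["timestamp"]) > skew:
        raise ValueError("authenticator outside allowed clock skew")
    # Mutual authentication: only a holder of the service key could have read the session key.
    return t["client"], seal(session_key, str(a["timestamp"] + 1).encode())


def client_check_server(session_key: bytes, proof: bytes, sent_timestamp: int) -> bool:
    """Client side of mutual authentication: the server must return timestamp + 1."""
    return int(unseal(session_key, proof)) == sent_timestamp + 1


def run_exchange(kdc: KDC, client: str, client_pw: str, service: str, service_pw: str, now=None):
    """Full flow; returns (client name the service accepted, whether the server proved itself)."""
    now = int(time.time()) if now is None else now
    ticket, reply = kdc.issue(client, service, now=now)
    session_key, authenticator, ts = client_authenticate(client, client_pw, reply, now=now)
    who, proof = service_verify(service_pw, ticket, authenticator, now=now)
    return who, client_check_server(session_key, proof, ts)


if __name__ == "__main__":
    realm = KDC({"alice": "alice-pw", "fileserver": "fs-pw"})  # constructed principals
    print(run_exchange(realm, "alice", "alice-pw", "fileserver", "fs-pw"))
```

The point to take from the flow is that the password never crosses the network: the client demonstrates knowledge of its long-term key by being able to open the reply, and the service demonstrates knowledge of its own key by being able to open the ticket. The expiry and clock-skew checks are what limit the reuse window of a captured ticket or authenticator.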

SSH

Because Unix- and Linux-based systems are prominent in modern network environments, network administrators face huge security interoperability concerns. Windows-based clients often use Telnet to remotely access Unix/Linux servers. Unfortunately, Telnet is a very insecure remote access method; it sends the entire session—including passwords and login information—in clear text. (Clear text simply means that the information is sent unencrypted; anyone can intercept it with a packet capture program and read the data with his or her favorite word processor.)

SSH provides a secure multiplatform replacement for Telnet. SSH allows users to connect to a remote server, and it encrypts the entire session. SSH has become an IETF standard, and development for SSH now includes a number of operating systems besides Linux and Unix. Using SSH, Windows 9x/NT/2000 as well as Macintosh systems can securely access remote servers.

To download and try SSH, go to www.freessh.org and download the client software.

Remote Authentication Dial-In User Service (RADIUS)

Among the potential issues network administrators face when implementing remote access are utilization and the load on the remote access server. As a network's remote access implementation grows, reliance on a single remote access server might be impossible, and additional servers might be required. RADIUS can help in this scenario.

RADIUS is a protocol that allows a single server to become responsible for all remote access authentication, authorization, and auditing (or accounting) services. The RADIUS protocol can be implemented as a vendor-specific product such as Microsoft's Internet Authentication Server (IAS).

RADIUS functions as a client/server system. The remote user dials in to the remote access server, which acts as a RADIUS client, or network access server (NAS), and connects to a RADIUS server. The RADIUS server performs authentication, authorization, and auditing (or accounting) functions and returns the information to the RADIUS client (which is a remote access server running RADIUS client software); the connection is either established or rejected based on the information received.

RADIUS can also be configured in a fault-tolerant architecture that provides backup servers that process requests when other RADIUS servers fail. Because RADIUS is actually a set of protocols based on RFCs, it works with many remote access servers—it is not a Microsoft-only implementation.
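The RADIUS client/server exchange described above, as an added example that is not part of the original text: the remote access server (the NAS, acting as RADIUS client) builds an Access-Request carrying User-Name and a User-Password hidden with the MD5-based scheme from RFC 2865; the RADIUS server recovers the password with the shared secret, decides Access-Accept or Access-Reject, and computes the Response Authenticator (MD5 over code, identifier, length, request authenticator, reply attributes and the secret), which the NAS verifies before trusting the verdict. The shared secret, the user database and the transport (a direct function call rather than UDP) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(secret, code, ident, request_auth, attrs_bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def nas_access_request(secret: bytes, ident: int, username: bytes, password: bytes):
    """RADIUS client (NAS) side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(secret, request_auth, password))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return packet, request_auth


def radius_server_handle(secret: bytes, users: dict, packet: bytes) -> bytes:
    """RADIUS server side: check the credentials and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(USER_NAME, b"")
    password = reveal_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    reply_code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    reply_attrs = b""  # constructed: no reply attributes (a real server might add Framed-IP-Address)
    auth = response_authenticator(secret, reply_code, ident, request_auth, reply_attrs)
    return struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs)) + auth + reply_attrs


def nas_check_reply(secret: bytes, request_auth: bytes, reply: bytes) -> int:
    """NAS verifies the Response Authenticator before acting on the verdict."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(secret, code, ident, request_auth, reply[20:length])
    if not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("reply was not produced with our shared secret")
    return code


def dial_in(secret: bytes, users: dict, ident: int, username: bytes, password: bytes) -> int:
    """Whole round trip between NAS and RADIUS server; returns the reply code."""
    request, request_auth = nas_access_request(secret, ident, username, password)
    return nas_check_reply(secret, request_auth, radius_server_handle(secret, users, request))


if __name__ == "__main__":
    SECRET, USERS = b"constructed-shared-secret", {b"alice": b"s3cret"}  # constructed values
    print(dial_in(SECRET, USERS, 7, b"alice", b"s3cret"), dial_in(SECRET, USERS, 8, b"alice", b"nope"))
```

Two things a practitioner should notice: the password is hidden, not encrypted with a modern cipher, so the strength of the shared secret and the protection of the NAS-to-server link matter; and in base RFC 2865 the Access-Request itself carries no integrity check, which is what the Message-Authenticator attribute of RFC 2869 was later added to provide.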
