Designing Network Security by Merike Kaeo

From the Publisher

A practical guide to creating a secure network infrastructure

• Understand basic cryptography and security technologies
• Identify the threats and common attacks to a network infrastructure
• Learn how to create a security policy
• Find out how to recover from a security breach
• Study specific implementation scenarios for securing your network environment
• Learn about advances in security technologies

Designing Network Security, Second Edition, is a practical guide designed to help you understand the fundamentals of securing your corporate network infrastructure. This book takes a comprehensive look at underlying security technologies, the process of creating a security policy, and the practical requirements necessary to implement a corporate security policy.

You will gain a thorough understanding of basic cryptography, the most widely deployed security technologies, and key emerging security technologies. You will be able to guide the architecture and implementation of a security policy for a corporate environment by knowing possible threats and vulnerabilities and understanding the steps required to perform a risk management assessment. Through the use of specific configuration examples, you will learn about the features required in network infrastructure equipment to implement the given security policy, including securing the internal corporate infrastructure, Internet access, and the remote access environment.

This new edition includes coverage of new security features including SSH on routers, switches, and the PIX(r) Firewall; enhancements to L2TP and IPSec; Cisco(r) LEAP forwireless networks; digital certificates; advanced AAA functionality; and Cisco Intrusion Detection System features and products. Additional practical examples include current security trends using VPN, wireless, and VoIP networking examples.

This book is part of the Networking Technology Series from Cisco Press(r), which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Product Details

• Table of Contents
• Read an Excerpt

Table of Contents

Read an Excerpt

Chapter 2: Security Technologies

Throughout this book, authentication, authorization, and access control are incorporated into the concept of identity. Although these concepts are distinct, they all pertain to each individual user of the network -be it a person or device. Each person or device is a distinct entity that has separate abilities within the network and is allowed access to resources based on who they are. Although in the purest sense, identity really pertains only to authentication, in many cases, it makes sense to discuss the entities authorization and access control at the same time.

Authentication is the process of validating the claimed identity of an end user or a device (such as clients, servers, switches, routers, firewalls, and so on). Authorization is the process of granting access rights to a user, groups of users, or specified system; access control is limiting the flow of information from the resources of a system to only the authorized persons or systems in the network. In most of the cases we will study, authorization and access control are subsequent to successful authentication.

This chapter describes security technologies commonly used for establishing identity (authentication, authorization, and access control) as well as for ensuring some degree of data integrity and confidentiality in a network. Data integrity ensures that the data has not been altered or destroyed except by people who are explicitly intended to modify it; data confidentiality ensures that only the entities allowed to see the data see it in a usable format.

The intent is to develop a basic understanding of how these technologies can be implemented in corporate networks and to identify their strengths and weaknesses. The following categories have been selected in an attempt to group the protocols according to shared attributes:

• Identity technologies

• Security in TCP/IP structured layers

• Virtual private dial-up security technologies

• Public Key Infrastructure and distribution models

NOTE Many of the technologies discussed here either have been, or are in the process of being

Identity Technologies

This section describes the primary technologies used to establish identity for a host, an enduser, or both. Authentication is an extremely critical element because everything is based on who you are. In many corporate networks, you would not grant authorized access to specific parts of the network before establishing who is trying to gain access to restricted resources. How foolproof the authentication method is depends on the technology used.

We can loosely categorize authentication methods as those where there is local control and those where you provide authentication verification through a trusted third party.

One of the potential weaknesses in some authentication methods is who you trust. Many authentication methods rely on a third party to verify someone's identity. The strength of this verification is the limiting factor in the strength of the authentication. When using a third party to authenticate an end user or device, ask yourself, "What is the likelihood that the third party I'm counting on to provide the authentication verification has been compromised?"

The technologies discussed in this section include variants of secure passwords, which provide varying degrees of security and are offered by most vendors today. Many protocols will authorize some form of connection setup after authentication is successfully verified. In dial-up environments, a peer-to-peer link level connection is established; sometimes, additional access control mechanisms can be employed at higher levels of the protocol stack, such as permitting access to hosts with certain IP addresses accessing specific applications. We will look at different protocols that often use an initial authentication process to then grant authorization and access control.

NOTE Digital certificates can be used as an authentication method, as discussed in detail in "Public

Secure Passwords

Although passwords are often used as proof for authenticating a user or device, passwords can easily be compromised if they are easy to guess, if they are not changed often enough, and if they are transmitted in cleartext across a network. To make passwords more secure, more robust methods are offered by encrypting the password or by modifying the encryption so that the encrypted value changes each time. This is the case with most one-time password schemes; the most common being the S/Key protocol and the token password authentication schemes.

S/Key Password Protocol

The S/Key One- Time Password System, released by Bellcore and defined in RFC 1760, is a one-time password generation scheme based on MD4 and MD5. The S/Key protocol is designed to counter a replay attack when a user is attempting to log in to a system. A replay attack in the context of login is when someone eavesdrops on a network connection to get the login ID and password of a legitimate user and later uses it to gain access to the network.

The operation of the S/Key protocol is client/server based: the client is typically a PC, and the server is some flavor of UNIX. Initially, both the client and the server must be configured with the same pass phrase and an iteration count. The iteration count specifies how many times a given input will be applied to the hash function. The client initiates the S/Key exchange by sending an initialization packet; the server responds with a sequence number and seed, as shown in Figure 2- 1.

The client then computes the one-time password, a process that involves three distinct steps: a preparatory step, a generation step, and an output function (see Figure 2-2).

1. In the preparatory step, the client enters a secret pass phrase. This pass phrase is concatenated with the seed that was transmitted from the server in cleartext.

2. The generation step applies the secure hash function multiple times, producing a 64-bit final output.

3. The output function takes the 64-bit one-time password and displays it in readable form.

The last phase is for the client to pass the one-time password to the server, where it can be verified (see Figure 2-3).

The server has a file (on the UNIX reference implementation, it is /etc/skeykeys) containing, for each user, the one-time password from the last successful login. To verify an authentication attempt, the authentication server passes the received one-time password through the secure hash function once. If the result of this operation matches the stored previous one-time password, the authentication is successful and the accepted one-time password is stored for future use.

Because the number of hash function applications executed by the client decreases by one each time, this ensures a unique sequence of generated passwords. However, at some point, the user must reinitialize the system to avoid being unable to log in again. The system is reinitialized using the keyinit command, which allows the changing of the secret pass phrase, the iteration count, and the seed.

When computing the S/Key password on the client side, the client pass phrase can be of any length -more than eight characters is recommended. The use of the non-secret seed allows a client to use the same secret pass phrase on multiple machines (using different seeds) and to safely recycle secret pass phrases by changing the seed.

Note: Many implementations require the generated one-time password to be entered either using a cut-and-paste approach, or manually. In manual entry scenarios, the one-time password is converted to, and accepted, as a sequence of six short (one- to four-letter) English words. Each word is chosen from a dictionary of 2,048 words; at 11 bits per word, all one-time passwords may be encoded. Interoperability requires that all S/Key system hosts and calculators use the same dictionary.

S/Key is an alternative to simple passwords. Free as well as commercial implementations are widely available....