Lesson 11: Securing TCP/IP

Ann K. Hoang
Published in The Cabin Coder, May 18, 2015

Network+ Objectives:
+ classify apps, devices, and protocols related to the OSI layers for encryption devices
+ common networking protocols: HTTPS, NTP, SNMP v2/v3, SSH
+ given a scenario, use the appropriate network monitoring resource to analyze traffic: SNMP, SNMPv2, SNMPv3
+ explain methods of network access security: IPsec, ISAKMP, TLS, TLS2.0, PPP, SSH
+ explain methods of user authentication: PKI, Kerberos, AAA, network access control, CHAP, MS-CHAP, EAP

Making TCP/IP Secure

The four areas of security are:
1. encryption
2. nonrepudiation
3. authentication
4. authorization

encryption = scrambled-up data

nonrepudiation = guarantees the purity, “sameness” of data (i.e., is the data the same before and after it was sent)

authentication = verifies the identity of the user who wants to use the data

authorization = what a user can do with the data once the user has been authenticated (permission levels)

I. Encryption

  • “plaintext” or cleartext file: easily viewed in a standard format; can also be a binary file like a photograph or a .exe file
  • cipher = a complex, hard-to-reverse algorithm
  • complete algorithm = can mean both the cipher and the implementation of that cipher
  • binary XOR (exclusive OR) cipher: has a key like “10101010”, and converts the cleartext string of binary into new encrypted data
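A worked version of the binary XOR cipher from the bullets above, added here as a teaching example (not code from the original notes); the key “10101010” is the one the notes mention, and the sample message is constructed:

```python
"""Repeating-key binary XOR cipher from the notes above (added teaching example).
The key "10101010" is the byte 0xAA; each plaintext byte is XORed with it.
XOR is its own inverse, so one function both encrypts and decrypts."""

KEY_BITS = "10101010"          # the example key from the notes

def key_to_bytes(key_bits: str) -> bytes:
    """Turn a '0'/'1' string into bytes; length must be a non-zero multiple of 8."""
    if not key_bits or len(key_bits) % 8 or set(key_bits) - {"0", "1"}:
        raise ValueError("key must be a non-empty 0/1 string with length divisible by 8")
    return bytes(int(key_bits[i:i + 8], 2) for i in range(0, len(key_bits), 8))

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: data byte i is XORed with key byte (i mod len(key))."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def to_bit_string(data: bytes) -> str:
    """Render bytes as the binary strings the notes use, e.g. b'A' -> '01000001'."""
    return " ".join(f"{b:08b}" for b in data)

def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Why this is only a teaching cipher: one known plaintext/ciphertext pair
    XORed together gives back the repeating key (P ^ C == K)."""
    if len(plaintext) != len(ciphertext) or len(plaintext) < key_len:
        raise ValueError("need a plaintext/ciphertext pair at least key_len bytes long")
    return xor_cipher(plaintext, ciphertext)[:key_len]

if __name__ == "__main__":
    key = key_to_bytes(KEY_BITS)
    msg = b"Hi"                                   # constructed sample plaintext
    ct = xor_cipher(msg, key)
    print("plaintext :", to_bit_string(msg))
    print("key       :", to_bit_string(key * len(msg)))
    print("ciphertext:", to_bit_string(ct))
    print("decrypted :", xor_cipher(ct, key))
    print("key from known plaintext:", to_bit_string(recover_key(msg, ct, len(key))))
```

The last line is the reason the notes later call symmetric XOR-style schemes weak: a short repeating key falls out of a single known message, which is why real ciphers such as AES never reuse key material this way.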

1. Symmetric-Key Algorithm

  • uses the same key for both encryption and decryption
  • block ciphers: “chunks” of data, usually 128-bit chunks, encrypted block by block
  • Data Encryption Standard (DES) was symmetric, invented in the 70s by the US government
  • DES used 64-bit blocks and 56-bit keys
  • the newer, stronger DES descendants: 3DES, IDEA (International Data Encryption Algorithm), and Blowfish
  • stream ciphers = a single bit at a time, on-the-fly encryption, common in wireless data and cellphones
  • Rivest Cipher 4 (RC4) is an example of a stream cipher
  • back in the day, Ron Rivest wrote RC4, which was used in most TCP/IP apps
  • we don’t use RC4 for TCP/IP anymore; most TCP/IP apps moved to the Advanced Encryption Standard (AES)
  • AES is a block cipher created in the 1990s
  • 128-bit block size
  • 128-, 192-, or 256-bit key size
  • secure, fast
  • AES is used for everything from file encryption to wireless networking

2. Asymmetric-Key Algorithm Standards

  • symmetric-key algorithm weakness: the one key both encrypts and decrypts
  • we have to send that key to the other person one way or another (possible for hackers to intercept)
  • public-key cryptography, by Diffie, Hellman, and Merkle
  • also called the Diffie-Hellman method
  • Rivest improved their algorithm to create:
  • Rivest-Shamir-Adleman (RSA), which enables secure digital signatures
  • we generate two keys: a public and a private key
  • the public key is sent to the recipient
  • the algorithm works by encrypting data with the public key and decrypting the data with the private key

3. Encryption & the OSI Model

Layer 1: none

Layer 2: a common place for encryption using proprietary encryption devices that encrypt the Ethernet frame; also where on-the-fly stream ciphers operate

Layer 3: only one common protocol here, the IPsec protocol
IPsec is done via software that takes the IP packet and encrypts everything inside the packet (the payload), leaving the IP address and a few other fields unencrypted

Layer 4: none; neither TCP nor IP offers encryption here
Layers 5–6: not common
Layer 7: many apps use their own encryption at this level, for example SSL/TLS

Overall, pay attention to L2 (data link), L3 (internet/network), and L7 (application) for encryption.

II. Nonrepudiation

  • the receiver of the data has a high degree of confidence that the sender truly is who she says she is

A. Hashes

  • hashes: a mathematical function that you run on a string of binary digits of any length, resulting in a value of some fixed length called a “checksum” or “digest”
  • hashes are one-way functions, irreversible
  • produces a different checksum for any two different input streams
  • ex: Message Digest Algorithm 5 (MD5)
  • Secure Hash Algorithm (SHA)
  • SHA-1, SHA-2
  • Challenge-Response Authentication Mechanism Message Digest 5 (CRAM-MD5)
  • used with SMTP servers as a tool for server authentication
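Added example (not from the original notes) showing the two ideas in this section in code: fixed-length digests that change completely on a one-bit edit, and the CRAM-MD5 challenge/response between an SMTP client and server. The hostname, username and password are constructed placeholders.

```python
"""Hashes and CRAM-MD5 from the notes (added example, not from the original post).
1) a digest is fixed length and changes completely when one input bit changes;
2) CRAM-MD5 (RFC 2195): the client proves it knows the password by returning an
   HMAC-MD5 of the server's one-time challenge, so the password never crosses the wire."""
import base64
import hashlib
import hmac
import secrets
import time

def digests(data: bytes) -> dict:
    """Fixed-length checksums of arbitrary-length input for the algorithms named in the notes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def flip_one_bit(data: bytes) -> bytes:
    """Flip the lowest bit of the first byte, simulating a tiny change in transit."""
    return bytes([data[0] ^ 0x01]) + data[1:]

def server_challenge(hostname: str = "mail.example.test") -> bytes:
    """Server side: fresh, unpredictable '<random.timestamp@host>' (base64-encoded on the wire)."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()

def client_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: base64 of 'username hex(HMAC-MD5(key=password, msg=challenge))'."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {mac}".encode()).decode()

def server_verify(response_b64: str, challenge: bytes, password_db: dict) -> bool:
    """Server side: recompute the HMAC from the stored secret; compare in constant time."""
    try:
        username, mac = base64.b64decode(response_b64, validate=True).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    secret = password_db.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)

if __name__ == "__main__":
    msg = b"wire 500 to account 42"                   # constructed sample message
    print(digests(msg)["sha256"])
    print(digests(flip_one_bit(msg))["sha256"])
    db = {"alice": "correct horse battery staple"}     # constructed credential store
    ch = server_challenge()
    resp = client_response("alice", db["alice"], ch)
    print("fresh challenge :", server_verify(resp, ch, db))
    print("replayed later  :", server_verify(resp, server_challenge(), db))
```

Note that the server must hold the password itself (or an equivalent MD5 state) to recompute the HMAC, and MD5 is long deprecated; that is why CRAM-MD5 has largely given way to TLS with PLAIN or SCRAM.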

B. Digital Signatures

  • digital signatures: another binary string that can be generated by the sender
  • do something to the message and the private key
  • the person with the matching public key does something to the digital signature using the public key, to verify that the digital signature comes from the actual sender
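Added toy-sized RSA (not code from the original notes) that serves both the asymmetric-key bullets earlier and the digital-signature bullets here: encrypt with the public key and decrypt with the private key; sign with the private key and verify with the public key. The primes and messages are constructed; real keys are 2048 bits or more and use padding.

```python
"""Toy textbook RSA: encrypt with the public key / decrypt with the private key,
and sign with the private key / verify with the public key (added example).
Real RSA uses 2048-bit+ keys and padding (OAEP/PSS); small primes only show the math."""
import hashlib
from math import gcd, isqrt

def is_prime(n: int) -> bool:
    """Trial division; fine for the toy-sized primes used here."""
    return n > 1 and all(n % k for k in range(2, isqrt(n) + 1))

def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)                 # private exponent: e*d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)

def encrypt(public_key, m: int) -> int:
    """Sender side: anyone holding the public key can encrypt."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(private_key, c: int) -> int:
    """Recipient side: only the private-key holder recovers m."""
    n, d = private_key
    return pow(c, d, n)

def _digest_mod_n(message: bytes, n: int) -> int:
    """Sign the hash, not the message; reduced mod n only because n is tiny here."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    """'Do something to the message and the private key': apply d to the digest."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    """Apply e from the public key; a match proves the private-key holder signed this message."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

if __name__ == "__main__":
    pub, priv = generate_keypair(10007, 10009)        # constructed toy primes
    sig = sign(priv, b"pay alice 10")
    print(decrypt(priv, encrypt(pub, 424242)) == 424242, verify(pub, b"pay alice 10", sig),
          verify(pub, b"pay alice 99", sig))
```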

1. Public Key Infrastructure (PKI)

  • certificates: a standardized type of digital signature that includes the digital signature of a third party
  • ex: eBay’s sites have their certificate registered with a third-party company like VeriSign
  • the PKI has a root such as VeriSign, with other intermediate certificate authorities under the root
  • PGP (Pretty Good Privacy), an encryption program that uses the trust model

III. Authentication

Passwords and usernames are the common method; they are discussed under the security standards section below.

IV. Authorization

  • different level of access to each resource
  • Network Access Control (NAC): combines traditional functions and protections
  • prevents computers lacking anti-malware and patches from accessing the network
  • creates policies that define what individual systems can do on the network

A. Access Control List (ACL)

An ACL is a list of permissions defining what an authenticated user may do on a shared resource.
There are three ACL models:

  1. Mandatory Access Control
    + MAC security model
    + every resource is assigned a label
    + the oldest and least common model
    + ex: defines what privileges programs have over other programs stored in RAM
  2. Discretionary Access Control
    + DAC security model
    + the user who created the resource assigns the level of control
  3. Role-based Access Control
    + RBAC security model
    + most popular model in file sharing
    + based on the roles users play in the network
    + leads to the creation of groups in a network

TCP/IP Security Standards

I. Authentication Standards

  • the oldest standards, predating the Internet
  • ex: dial-up, using telephone lines

Point-to-Point Protocol (PPP)

  • enables point-to-point devices to connect and authenticate with username and password
  • negotiates the network protocol the two devices will use
  • PPP and dial-up DO NOT MEAN Ethernet, but PPP can support TCP/IP

Five Distinct Phases to a PPP connection

  1. link dead: modem off
  2. link establishment: the Link Control Protocol (LCP) talks with the other end’s LCP to determine a good link
  3. authentication: usually username and password
  4. network layer protocol: PPP works with the layer 3 network protocol
    + PPP still supports NetWare IPX/SPX and Microsoft NetBEUI
    + LCP uses a Network Control Protocol here
    + shutdown means LCP initiates a …
  5. termination: the two ends of the PPP link send each other termination packets and close
