(i) Point-to-Point Tunneling Protocol (PPTP)
PPTP is a popular tunneling protocol used to implement VPNs. It uses TCP port 1723 and works by encapsulating a regular PPP session in the Generic Routing Encapsulation (GRE) protocol; a separate control connection on TCP port 1723 is used to start and maintain the GRE session.
PPTP is easy to configure and supports Unix, Mac, and Linux clients. It is supported on almost all major versions of Microsoft Windows. Due to its low administrative costs, PPTP is the choice of many administrators for VPNs that require medium security. It is commonly used in Microsoft networks, which use Microsoft Point-to-Point Encryption (MPPE) for encrypting data.
Following are some of the limitations of PPTP:
• It cannot be used if the RAS/NAS servers are located behind a firewall.
• It works only in IP networks.
• When used alone, it does not provide encryption for authentication data; only the transmissions after the initial negotiations are encrypted.
(ii) Layer 2 Tunneling Protocol (L2TP)
L2TP is another tunneling protocol that is widely supported by most vendors in the IT industry. It uses the Data Link layer (Layer 2 of the OSI model) to carry data from one point of the tunnel to another over the Internet. This protocol uses UDP port 1701 for transport. L2TP offers the combined benefits of PPTP and Cisco's Layer 2 Forwarding (L2F) protocol. It is considered a major improvement over PPTP, but it still lacks encryption capabilities when used alone. A combination of L2TP and IP Security (IPSec) is generally used to provide secure transmissions for VPN connections. L2TP/IPSec can be used behind firewalls provided UDP port 1701 is opened for incoming and outgoing packets. Besides this, both ends of the communication must support L2TP/IPSec. Some of the advantages of using the L2TP/IPSec combination over PPTP for implementing VPNs include the following:
• L2TP/IPSec requires two levels of authentication: computer or network hardware authentication and user-level authentication. This provides better authentication security.
• IPSec provides confidentiality, authentication, and integrity for each packet. This helps prevent replay attacks. PPTP provides only data confidentiality.
• IPSec establishes security associations (SAs) that protect the user-level authentication exchange, so the authentication data is never sent unencrypted. This is an advantage over PPTP, in which the user-level authentication is never encrypted.
• L2TP/IPSec supports the use of RADIUS and TACACS+ for centralized authentication, while PPTP does not.
• L2TP/IPSec can be used on top of several protocols such as IP, IPX, and SNA, while PPTP can be used only with IP.
(iii) Internet Protocol Security (IPSec)
IPSec is a standardized framework used to secure Internet Protocol (IP) communications by encrypting and authenticating each IP packet in a data stream. This protocol ensures confidentiality and authentication of IP packets so that they can securely pass over a public network such as the Internet. IPSec is considered to be an "open standard" because it is not bound to a particular application, authentication method, or encryption algorithm. IPSec is implemented at the Network layer (Layer 3 of the OSI model). This makes IPSec independent of application compatibility.
IPSec can be implemented in any of the modes that are described in the next sections.
Transport mode.
When implemented in transport mode, only the payload (the actual message or data) inside the IP packet is encrypted during transmission. The IP header is not encrypted. This results in better transmission speeds. Transport mode is generally implemented in host-to-host communications over VPNs or inside a local area network (LAN).
Tunnel mode.
When implemented in tunnel mode, the entire IP packet is encrypted. This includes the IP header (AH) as well as the data (ESP); AH and ESP are discussed next. The advantage is that both the IP header and the data inside the IP packet are secured, at the cost of transmission speed. Tunnel mode IPSec is implemented in gateway-to-gateway VPNs.
IPSec components.
IPSec is made up of two distinct security components: Authentication Header (AH) and Encapsulating Security Payload (ESP), described here:
Authentication Header (AH)
The AH protocol secures data or payload by signing each IP packet to maintain its authenticity and integrity.
Encapsulating Security Payload (ESP)
The ESP protocol also ensures the authenticity and integrity of data, and adds confidentiality by encrypting the data.
AH and ESP can either be used together or separately. When they are used together, the sender and receiver of data can be assured of complete security.
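The following Go program is an added illustration of the two components and the two modes described above; it is not code from the original text. AH is modelled as an HMAC-SHA256 integrity check value (ICV) over the header and payload, and ESP as AES-GCM applied to the payload alone (transport mode) or to the whole inner packet (tunnel mode). The `Packet` type, its field layout, and the sample addresses are constructed for the example; ESP sequence numbers and anti-replay windows are deliberately left out. Running it shows that AH catches a changed header, transport-mode ESP does not (the header is outside its protection), and tunnel mode hides the inner addresses from anyone on the path.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is a constructed stand-in for an IP datagram: Src and Dst model the
// addresses in the IP header, Payload the upper-layer data. Not a real IPv4 layout.
type Packet struct {
	Src, Dst string
	Payload  []byte
}

// header returns the header bytes AH treats as immutable and covers with its ICV.
func (p Packet) header() []byte { return []byte(p.Src + "->" + p.Dst) }

// ahProtect models the Authentication Header: an HMAC-SHA256 integrity check
// value over header and payload. Nothing is encrypted.
func ahProtect(key []byte, p Packet) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(p.header())
	mac.Write(p.Payload)
	return mac.Sum(nil)
}

// ahVerify succeeds only if neither header nor payload changed since ahProtect ran.
func ahVerify(key []byte, p Packet, icv []byte) bool {
	return hmac.Equal(icv, ahProtect(key, p))
}

// espSeal models ESP with an AEAD cipher (AES-GCM): the plaintext is encrypted and
// integrity-protected. The nonce is prepended in clear so the receiver can recover
// it, much as ESP carries its IV in the packet.
func espSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// espOpen reverses espSeal and fails on any modification of the sealed bytes.
func espOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// transportMode applies ESP to the payload only; the header travels in clear and
// sits outside ESP's integrity protection.
func transportMode(key []byte, p Packet) (Packet, error) {
	sealed, err := espSeal(key, p.Payload)
	return Packet{Src: p.Src, Dst: p.Dst, Payload: sealed}, err
}

// tunnelMode seals the whole inner packet (header and payload) and wraps it in a
// new outer packet addressed between the two gateways.
func tunnelMode(key []byte, inner Packet, gwSrc, gwDst string) (Packet, error) {
	whole := append(append(inner.header(), '|'), inner.Payload...)
	sealed, err := espSeal(key, whole)
	return Packet{Src: gwSrc, Dst: gwDst, Payload: sealed}, err
}

func main() {
	key := make([]byte, 32) // AES-256 / HMAC key; a real SA gets this from IKE
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	p := Packet{Src: "10.0.0.5", Dst: "10.1.0.9", Payload: []byte("GET /payroll")}
	icv := ahProtect(key, p)
	forged := p
	forged.Dst = "10.9.9.9"
	fmt.Println("AH detects header change:", !ahVerify(key, forged, icv))
	tp, _ := transportMode(key, p)
	tp.Dst = "10.9.9.9" // not covered by transport-mode ESP
	_, err := espOpen(key, tp.Payload)
	fmt.Println("transport ESP still opens after header change:", err == nil)
	outer, _ := tunnelMode(key, p, "gw-a", "gw-b")
	fmt.Println("tunnel mode hides inner addresses:", !bytes.Contains(outer.Payload, []byte("10.0.0.5")))
}
```

The contrast between `ahVerify` and `espOpen` on a packet with a rewritten destination is the practical reason AH still exists alongside ESP: ESP's authentication tag covers only what ESP encapsulates, so in transport mode the outer header can be altered in flight without the receiver noticing, whereas AH's ICV spans the immutable header fields as well.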
IPSec authentication.
As noted earlier, IPSec ensures authenticity, integrity, and confidentiality of data. IPSec uses the Internet Key Exchange (IKE) mechanism to authenticate the two ends of the tunnel by providing a secure exchange of shared secret keys before the transmission starts. Both ends of the transmission use a password known as a pre-shared key. Both ends exchange a hashed version of the pre-shared key during IKE transmissions. On receipt of the hashed data, the receiving end recomputes the hash from its own copy of the pre-shared key and compares the two. A successful comparison is required to start the transmission.
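The Go program below is an added model of the pre-shared-key check just described; it is not code from the original text and does not reproduce the real IKE message layout. It goes one step beyond the paragraph: the "hashed version of the pre-shared key" is computed as an HMAC keyed with the PSK over both sides' fresh nonces and the prover's identity, so a value recorded from one session cannot be replayed into another, and the verifier compares with a constant-time check. The `Peer` type, the identities `gw-a`/`gw-b`, and the sample key strings are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Peer is one end of the tunnel. ID and Nonce are sent in clear; PSK never leaves
// the host. Constructed model of the IKE pre-shared-key check, not the IKE wire format.
type Peer struct {
	ID    string
	PSK   []byte
	Nonce []byte
}

// NewPeer draws a fresh random nonce for this session.
func NewPeer(id string, psk []byte) (*Peer, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return &Peer{ID: id, PSK: psk, Nonce: n}, nil
}

// authPayload is the "hashed version of the pre-shared key" that travels on the wire:
// an HMAC keyed with the PSK over both nonces and the prover's identity, so the value
// is meaningless outside the session whose nonces it was computed for.
func authPayload(psk, nonceI, nonceR []byte, proverID string) []byte {
	mac := hmac.New(sha256.New, psk)
	mac.Write(nonceI)
	mac.Write(nonceR)
	mac.Write([]byte(proverID))
	return mac.Sum(nil)
}

// Authenticate runs the check in both directions. Each verifier recomputes the
// payload from its own copy of the key; hmac.Equal compares in constant time.
func Authenticate(initiator, responder *Peer) bool {
	// on the wire: nonces are exchanged first, then each side sends its proof
	proofI := authPayload(initiator.PSK, initiator.Nonce, responder.Nonce, initiator.ID)
	proofR := authPayload(responder.PSK, initiator.Nonce, responder.Nonce, responder.ID)

	okAtResponder := hmac.Equal(proofI, authPayload(responder.PSK, initiator.Nonce, responder.Nonce, initiator.ID))
	okAtInitiator := hmac.Equal(proofR, authPayload(initiator.PSK, initiator.Nonce, responder.Nonce, responder.ID))
	return okAtResponder && okAtInitiator
}

// ReplayIsRejected shows why binding the hash to fresh nonces matters: a proof
// recorded in one session does not verify in a later session with a new responder nonce.
func ReplayIsRejected(psk []byte) (bool, error) {
	a, err := NewPeer("gw-a", psk)
	if err != nil {
		return false, err
	}
	b1, err := NewPeer("gw-b", psk)
	if err != nil {
		return false, err
	}
	recorded := authPayload(a.PSK, a.Nonce, b1.Nonce, a.ID) // captured during session 1
	b2, err := NewPeer("gw-b", psk)                           // session 2: fresh responder nonce
	if err != nil {
		return false, err
	}
	expected := authPayload(b2.PSK, a.Nonce, b2.Nonce, a.ID)
	return !hmac.Equal(recorded, expected), nil
}

func main() {
	psk := []byte("constructed-demo-psk") // placeholder; deployments use a long random secret
	a, _ := NewPeer("gw-a", psk)
	b, _ := NewPeer("gw-b", psk)
	fmt.Println("same PSK authenticates:", Authenticate(a, b))
	c, _ := NewPeer("gw-c", []byte("wrong-psk"))
	fmt.Println("wrong PSK authenticates:", Authenticate(a, c))
	ok, _ := ReplayIsRejected(psk)
	fmt.Println("recorded proof rejected in a new session:", ok)
}
```

Two details carry the security weight: the pre-shared key itself is never transmitted, only a keyed hash that depends on it, and the comparison uses `hmac.Equal` rather than `bytes.Equal`, so the time taken to reject a bad proof does not reveal how many leading bytes matched.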
IPSec can also be used for digital signatures. A digital signature is a certificate issued by a third-party Certificate Authority (CA) to provide authenticity and non-repudiation. Non-repudiation means that the sender cannot deny that he sent the data and can be held responsible for the sent data or message.
(iv) Secure Socket Layer (SSL)
SSL is an encryption protocol popularly used for Internet-based transactions such as online banking and e-commerce. This protocol is based on public key encryption mechanisms. SSL provides end-to-end security for Internet communications by using encryption. In typical implementations, only the server component is required to use public keys for authentication. For example, when you access a secure server on the Internet that uses SSL, the address of the web site begins with https://, while the addresses of unsecure web sites begin with http://. When both the client and the server need to authenticate each other, the SSL communications start with the following steps:
• Both the client and the server negotiate the encryption algorithm.
• The client and the server exchange session keys using public key-based encryption.
• The client and the server authenticate each other using certificates.
• Communications start, and all traffic is encrypted using a symmetric cipher.
The client and the server negotiate a common encryption algorithm and a hashing algorithm. For end-to-end security using SSL, a Public Key Infrastructure (PKI) is required. Both the server and the client must be SSL-enabled to communicate over a secure channel.
(v) Wired Equivalent Privacy (WEP)
WEP is a security protocol used mainly for IEEE 802.11 wireless networks. Because wireless networks communicate using radio signals, they are susceptible to eavesdropping. Eavesdropping refers to the monitoring and capturing of signals as they travel over network media. WEP is designed to provide privacy (confidentiality) comparable to that of a wired network. When sending data over radio frequencies, a WEP-enabled client combines a 40-bit secret key with the data as it passes through the encryption process. The resulting data is called cipher text. On the receiving end, the data is decrypted using the secret key to recover the plain text.
Initial implementations of WEP used a 40-bit encryption key and were not considered very secure. It was still better than not using WEP at all. Soon, a number of tools appeared that could crack the WEP keys. A later version of WEP uses 128-bit encryption keys, which is more secure than the earlier version.
(vi) Wi-Fi Protected Access (WPA)
WPA is used for secure access to wireless networks, and it overcomes many weaknesses found in WEP. It is backward-compatible with wireless devices that support WEP, but its use of larger encryption keys makes it a better choice than WEP. The following are some of the features of WPA:
• It provides enhanced data encryption security by using the Temporal Key Integrity Protocol (TKIP). TKIP scrambles encryption keys using a hashing algorithm. At the receiving end, the hash value of the key is passed through an integrity check to ensure that the key has not been tampered with during transmission.
• WPA uses several variations of Extensible Authentication Protocol (EAP) and public key cryptography.
WPA can also be used in personal mode or pre-shared key mode. Each user must know and use a passphrase to access the wireless network. A passphrase is a short text string that is configured on all wireless devices. In other words, it is the secret key shared by all wireless devices on a network. The pre-shared key mode is less secure than the standard mode but allows small offices or home networks to secure wireless transmissions. This is particularly useful for small organizations that cannot afford the cost of implementing PKI.
(vii) 802.1x
802.1x is a secure authentication protocol standard used in wired and wireless networks to provide port-based access control. This standard was mainly developed to provide enhanced security to WLANs. 802.1x provides a secure point-to-point connection between a WAP and a host computer. This protocol is based on the Extensible Authentication Protocol (EAP) and is usually implemented in closed wireless networks to provide authentication. The authentication process uses the following two components:
Supplicant
Supplicant refers to the software component installed on the user’s computer that needs access to a wireless access point.
Authenticator
Authenticator refers to a centralized wireless access point. The authenticator forwards the authentication request to the authentication server, such as a RADIUS server.
When a user (the supplicant) wants access to a wireless network, the 802.1x protocol sends the request to an access point (authenticator). After the communication begins, the supplicant is placed into an unauthorized state. There is an exchange of EAP messages between the authenticator and the supplicant, wherein the authenticator requests the credentials of the supplicant. After receiving the credentials, the authentication request is sent to the authentication server, such as the RADIUS server. The authentication server either accepts the supplicant's credentials and grants access, or rejects them, in which case the connection request is refused. If the connection is accepted, the user is placed into an authorized state.
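The Go program below is an added model of the port-based access control flow just described; it is not code from the original text or from any 802.1x implementation, and the `Frame`, `Credentials`, and `Authenticator` types, the MAC address, and the user store are all constructed for the example. It captures the three points a defender cares about: a newly connected supplicant starts unauthorized, the authenticator only relays credentials and acts on the authentication server's verdict (a stand-in for RADIUS here), and until the verdict is an accept, the controlled port forwards nothing except the EAP traffic needed to authenticate.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// PortState is the controlled port's state; every port starts unauthorized.
type PortState int

const (
	Unauthorized PortState = iota
	Authorized
)

func (s PortState) String() string {
	if s == Authorized {
		return "authorized"
	}
	return "unauthorized"
}

// Frame is a constructed link-layer frame: EAPOL marks the EAP-over-LAN traffic used
// to authenticate; everything else is ordinary data. Not the real 802.1X frame format.
type Frame struct {
	EAPOL   bool
	Payload string
}

// Credentials is what the supplicant presents inside the EAP exchange.
type Credentials struct{ User, Secret string }

// AuthServer stands in for the RADIUS server. The authenticator never judges
// credentials itself; it relays them and acts on the verdict.
type AuthServer func(c Credentials) bool

// Authenticator models the access point, tracking one controlled port per supplicant.
type Authenticator struct {
	server AuthServer
	ports  map[string]PortState
}

func NewAuthenticator(s AuthServer) *Authenticator {
	return &Authenticator{server: s, ports: map[string]PortState{}}
}

// Connect is called when a supplicant attaches: its port starts unauthorized.
func (a *Authenticator) Connect(mac string) { a.ports[mac] = Unauthorized }

// Authenticate models the EAP exchange: the authenticator collects the supplicant's
// credentials, forwards them to the authentication server, and sets the port state
// from the accept/reject verdict.
func (a *Authenticator) Authenticate(mac string, c Credentials) PortState {
	if a.server(c) {
		a.ports[mac] = Authorized
	} else {
		a.ports[mac] = Unauthorized
	}
	return a.ports[mac]
}

var ErrPortBlocked = errors.New("port unauthorized: only EAPOL frames are forwarded")

// Forward enforces port-based access control: until the port is authorized, only the
// EAPOL frames needed to authenticate get through. Unknown ports count as unauthorized.
func (a *Authenticator) Forward(mac string, f Frame) error {
	if f.EAPOL {
		return nil
	}
	if a.ports[mac] != Authorized {
		return ErrPortBlocked
	}
	return nil
}

func main() {
	// constructed user store standing in for the RADIUS database
	users := map[string]string{"alice": "correct horse battery"}
	radius := func(c Credentials) bool {
		stored, ok := users[c.User]
		return ok && subtle.ConstantTimeCompare([]byte(stored), []byte(c.Secret)) == 1
	}
	ap := NewAuthenticator(radius)
	mac := "aa:bb:cc:00:00:01"
	ap.Connect(mac)
	fmt.Println("data before auth:", ap.Forward(mac, Frame{Payload: "DHCP discover"}))
	fmt.Println("wrong secret  ->", ap.Authenticate(mac, Credentials{"alice", "wrong"}))
	fmt.Println("right secret  ->", ap.Authenticate(mac, Credentials{"alice", "correct horse battery"}))
	fmt.Println("data after auth:", ap.Forward(mac, Frame{Payload: "DHCP discover"}))
}
```

The `Forward` method is where the "port-based" part of port-based access control lives: a device that has merely plugged in or associated gets no network access, only the narrow path to the authenticator that lets it prove who it is. Keeping the credential check inside `AuthServer` rather than in the `Authenticator` mirrors the division the text describes, with the access point acting purely as a relay to the central RADIUS server.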