Implementing Network Access Security


Implementing network access security is a critical part of overall network security: it limits who can get onto the network in the first place, and what they are allowed to send once they are on it.

Access Control List

  • A list of allowed (or denied) users, MAC addresses or IP addresses, evaluated top to bottom; the first matching entry wins and anything unmatched hits the implicit deny at the end.
  • Controls who can send on the network.
    • MAC Filtering
      • Layer 2 security: matches the source MAC address in the frame.
      • Easily spoofed, since a host can set any MAC address it likes; treat it as a convenience, not a security boundary.
    • IP Filtering
      • Layer 3 security: matches the source or destination IP address.
      • Also spoofable. For the filter to mean anything, hosts must keep the same address, so assign it statically or by DHCP reservation.
    • Port Filtering
      • Applying an ACL (matching MAC or IP addresses) to an interface on a switch or router.
      • Applied in the inbound or outbound direction on that port.
      • Shut down unused ports from the management console so an unknown device plugged into a spare jack gets no link at all.
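
As an added example (not from the original page), here is a small first-match ACL evaluator in Python that shows the two things that bite in practice: entry order, and the fact that the filter only sees the addresses a frame claims to have. The network ranges, MAC addresses, entries and traffic samples are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    direction: str                 # "in" (entering the port) or "out" (leaving it)
    src_net: str = "0.0.0.0/0"     # any source unless narrowed down
    src_mac: Optional[str] = None  # optional Layer 2 match on the source MAC


def matches(entry, direction, src_ip, src_mac):
    """An entry matches only if direction, IP range and (if given) MAC all agree."""
    return (entry.direction == direction
            and ip_address(src_ip) in ip_network(entry.src_net)
            and (entry.src_mac is None or entry.src_mac.lower() == src_mac.lower()))


def evaluate(acl, direction, src_ip, src_mac):
    """First matching entry wins; anything unmatched hits the implicit deny, exactly
    as on a router or switch ACL. Returns (decision, matching entry or None)."""
    for entry in acl:
        if matches(entry, direction, src_ip, src_mac):
            return entry.action, entry
    return "deny", None


# Constructed ACL for one access port: one known workstation is pinned to its MAC,
# the guest range is blocked, and the rest of the corporate /16 is allowed.
PORT_ACL = [
    AclEntry("permit", "in", "10.1.1.25/32", "00:11:22:33:44:55"),
    AclEntry("deny",   "in", "10.1.99.0/24"),
    AclEntry("permit", "in", "10.1.0.0/16"),
]

# The same entries with the broad permit placed first: the guest deny is unreachable.
MISORDERED_ACL = [PORT_ACL[2], PORT_ACL[1], PORT_ACL[0]]

# Constructed traffic samples: (direction, source IP, source MAC).
SAMPLES = [
    ("in",  "10.1.1.25",   "00:11:22:33:44:55"),  # the known workstation
    ("in",  "10.1.99.7",   "aa:bb:cc:dd:ee:ff"),  # a guest-range host
    ("in",  "10.1.99.7",   "00:11:22:33:44:55"),  # guest spoofing only the MAC: IP check still fails
    ("in",  "192.168.5.5", "de:ad:be:ef:00:01"),  # matches nothing: implicit deny
    ("out", "10.1.1.25",   "00:11:22:33:44:55"),  # no outbound entries: implicit deny
]


def decisions(acl):
    """Decision for every sample against the given ACL, in order."""
    return [evaluate(acl, *sample)[0] for sample in SAMPLES]
```

Run `decisions(PORT_ACL)` against `decisions(MISORDERED_ACL)` and the guest host flips from deny to permit purely because of entry order. Note that an attacker who spoofs both the IP and the MAC of the known workstation produces the first sample exactly; the ACL has no way to tell the two apart, which is why MAC and IP filtering are access hygiene rather than authentication.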

Tunneling and Encryption

VPN/Virtual Private Network

A VPN is an encrypted tunnel across a public network (the internet) that lets you log in to a private network as if you were locally attached. Depending on the protocol, the tunnel carries Layer 2 frames (the client becomes a node on the remote LAN, admitted by the VPN concentrator) or Layer 3 packets; either way the encryption keeps anyone on the path from sniffing the data. Some companies also restrict the countries from which users may connect to the private network, citing concerns about government surveillance.

VPN Schematic: diagrammatic representation of a client-to-site VPN.

To start a VPN session, the client sends an authentication request to the remote access server or VPN gateway it wants to log in to. The gateway acknowledges, the two ends negotiate the tunnel (algorithms and keys), and from then on everything crosses the public network encrypted; someone capturing the packets sees only ciphertext.

At the other end of the tunnel the gateway decrypts the data and passes it on to the private network.

Prior to VPNs you needed a private line to provide the same level of security.

Site to Site VPN

  • Connects two business sites via an encrypted tunnel.
    • Headquarters/branch office.
  • Cheaper than a leased line.
  • Persistent (always on) or dial-on-demand (brought up only when there is traffic for the far side).

Client to Site VPN

  • Remote Access VPN from a user to a remote network
  • May utilize special client software.

Virtual Private Networks (VPNs) Explained

VPNs are not a single self-contained protocol; a VPN is assembled from several protocols, typically one for tunnelling, one for encryption and one for authentication.

SSL VPN – Secure Sockets Layer

Browser-based VPN that runs over HTTPS, so it needs no dedicated client software.

  • Built on the same HTTPS technology that protects financial transactions on websites.
    • Prevents transmission of clear-text data.
    • Uses certificates to authenticate the server to the client (mutual authentication only if the client presents a certificate too); the user normally still logs in with a password or other credential on top.
      • Usually transparent to the user.
      • When a certificate has expired, or does not match the hostname, the browser shows a warning; users should not be trained to click through it.
    • A certificate is issued by a third party, the certificate authority (CA), which vouches that the server is who it says it is.
    • SSL itself is deprecated; "SSL VPN" survives as a name, but the protocol actually used is TLS.
  • TLS – Transport Layer Security
    • The protocol behind HTTPS today.
    • Certificate based.
  • TLS 1.2 (and the newer TLS 1.3)
    • Enhanced security: stronger ciphers and authenticated hashing (HMAC/AEAD) checks.
    • Supported by every current browser; anything older than TLS 1.2 should be disabled.
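
Whether a client really authenticates the server comes down to three settings: chain verification, hostname checking and the minimum protocol version. The following Python snippet, added here and not part of the original page, puts the weak client configuration beside the hardened one using the standard library `ssl` module; `ca_bundle`, `client_cert` and `client_key` are hypothetical file paths the caller would supply.

```python
import ssl


def insecure_client_context():
    """The shortcut that makes the certificate warning go away: no validation at all.
    Any server, including an attacker in the path, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None, client_cert=None, client_key=None):
    """Server certificate must chain to a trusted CA and match the hostname; TLS 1.2
    is the floor. Supplying a client certificate turns on mutual authentication."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)      # hypothetical paths
    return ctx


def audit(ctx):
    """The three things a reviewer checks in any TLS client configuration."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }
```

With the hardened context an expired or mismatched server certificate makes `wrap_socket` raise `ssl.SSLCertVerificationError` instead of silently connecting, which is the behaviour you want from a VPN portal client; the insecure context connects to anything that speaks TLS.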

PPTP – Point-to-Point Tunneling Protocol

  • Older Microsoft-led protocol that tunnels PPP sessions (the dial-up framing used over POTS) across an IP network, using GRE for the data and TCP port 1723 for control.
  • Adds the client as a virtual node on the network it connects to.
    • Client-to-site connectivity.
  • Weak encryption and authentication: MPPE (RC4) and MS-CHAPv2 are broken, so PPTP should not be used for anything sensitive.

L2TP – Layer 2 Tunneling Protocol

  • Carries Layer 2 traffic (PPP frames) over UDP port 1701.
    • A step up from PPTP.
    • Allows Layer 2 traffic to be carried over a Layer 3 (routable IP) transport.
  • No encryption by itself: it is paired with IPSec (L2TP/IPSec), which encrypts the L2TP/PPP traffic before it crosses the Layer 3 network. User authentication is usually handed off to a RADIUS or TACACS+ server; those provide AAA, not encryption.

IPSec

  • IPSec: IP Security
  • Protects data at Layer 3, so every application protocol above IP is covered without changes.
  • Four component protocols (only ESP actually encrypts):
    • ESP: Encapsulating Security Payload
      • Encrypts the contents with a symmetric algorithm (such as AES); the same key is used at both ends, so it must be kept secret and delivered by the key exchange.
      • Can also carry its own integrity check value (ICV), which is how ESP is normally deployed today.
    • AH: Authentication Header
      • Adds a keyed hash (HMAC) over the packet, including the immutable fields of the IP header, so the receiver can detect any modification and confirm who sent it.
      • Integrity and origin authentication only: no confidentiality, and it breaks behind NAT because the header fields it protects change in transit.
    • IPComp: IP Payload Compression
      • Compresses the IP payload, and must run before encryption, since ciphertext does not compress.
    • IKE: Internet Key Exchange
      • Authenticates the peers and negotiates a shared secret (by Diffie-Hellman) from which the ESP/AH keys are derived.
      • IPSec cannot use one shared secret across the board: each security association gets its own keys per direction, and they are re-keyed periodically.
  • Transport Mode – protects only the payload; the original IP header stays in clear so the packet is routed normally. Used for host-to-host (peer-to-peer) traffic inside a network.
  • Tunnel Mode – the entire original packet, header and payload, is encrypted and authenticated inside a new outer IP packet.
    • An attacker cannot tamper with the inner header and then modify the data, because both are covered by the ICV and hidden by the encryption.
    • Nothing can be changed without decrypting the whole packet, which only the far-end gateway can do.

Transport Mode: Process for sending on a private network

  • Negotiate the security association and keys with the peer using IKE.
  • Compress the payload with IPComp if negotiated (compression has to come before encryption).
  • Encrypt the payload with ESP; you now have an ESP packet behind the original IP header.
  • Add integrity protection, either ESP's own ICV or an AH header, then send.

Tunnel Mode: Process for sending on a public network

  • Nobody on the public network should see the payload, the inner IP header or the AH.
  • The entire original packet becomes the ESP payload, and a new outer IP header addressed between the two gateways is added. The packet is not encrypted twice; it is encrypted once, as a whole.
  • The inner packet can only be read by the far endpoint, which strips the outer header, verifies the ICV and decrypts.
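
To make the difference between the two modes concrete, here is an added Python example (not code from the original page) that builds ESP packets in transport and tunnel mode, verifies the ICV before decrypting, and enforces the RFC 4303 anti-replay window. The keys, addresses and TCP bytes are constructed; the cipher is an HMAC-SHA256 keystream standing in for AES-CTR so the example runs on the standard library alone, and the ESP header, trailer and encrypt-then-authenticate layout are the real ones.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50     # IP protocol number of ESP in the (outer) IP header
TCP_NEXT = 6       # ESP next-header value for a TCP segment (transport mode)
IPIP_NEXT = 4      # ESP next-header value for a whole IPv4 packet (tunnel mode)

# Constructed keys for one security association. In a real deployment IKE derives
# separate keys per SA and per direction and rotates them; they never look like this.
ENC_KEY = bytes.fromhex("00" * 31 + "01")
AUTH_KEY = bytes.fromhex("ff" * 32)
# Constructed addresses: two private hosts and the two gateways between them.
HOST_A, HOST_B = (10, 0, 0, 1), (10, 0, 0, 2)
GW_A, GW_B = (198, 51, 100, 1), (203, 0, 113, 1)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    def pack(csum):
        return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                           ttl, proto, csum, bytes(src), bytes(dst))
    total = sum(struct.unpack(">10H", pack(0)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return pack(~total & 0xFFFF)

def keystream(key, spi, seq, length):
    """HMAC-SHA256 keystream standing in for AES-CTR (assumption); unique per (SPI, seq)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def esp_encapsulate(spi, seq, payload, next_header):
    """RFC 4303 layout: SPI | seq | encrypted(payload | pad | pad len | next hdr) | ICV."""
    pad_len = (-(len(payload) + 2)) % 4        # trailer must end on a 4-byte boundary
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack(">II", spi, seq)
    ks = keystream(ENC_KEY, spi, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + icv           # ICV covers the header and the ciphertext

class ReplayWindow:
    """64-packet sliding anti-replay window, as in RFC 4303 section 3.4.3."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                     # new high-water mark: slide the window
            shift = min(seq - self.top, self.size)
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                       # too old, or already seen: replay
        self.bitmap |= 1 << offset
        return True

def esp_decapsulate(packet, window):
    """Verify the ICV first, then the replay window, and only then decrypt."""
    header, ciphertext, icv = packet[:8], packet[8:-16], packet[-16:]
    expected = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit")
    spi, seq = struct.unpack(">II", header)
    if not window.accept(seq):
        raise ValueError("replayed or stale sequence number")
    ks = keystream(ENC_KEY, spi, seq, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return plaintext[:-(pad_len + 2)], next_header

def transport_mode(tcp_segment, spi, seq):
    """Host-to-host: original IP header kept (protocol set to ESP); only the TCP
    segment is protected, so the real endpoints are still visible on the wire."""
    esp = esp_encapsulate(spi, seq, tcp_segment, TCP_NEXT)
    return ipv4_header(HOST_A, HOST_B, ESP_PROTO, len(esp)) + esp

def tunnel_mode(tcp_segment, spi, seq):
    """Gateway-to-gateway: the whole inner packet, header included, is encrypted once
    and a new outer header addressed between the gateways is prepended."""
    inner = ipv4_header(HOST_A, HOST_B, TCP_NEXT, len(tcp_segment)) + tcp_segment
    esp = esp_encapsulate(spi, seq, inner, IPIP_NEXT)
    return ipv4_header(GW_A, GW_B, ESP_PROTO, len(esp)) + esp

def rejected(esp_packet, window):
    """True if the receiver would drop the packet (bad ICV or replayed sequence number)."""
    try:
        esp_decapsulate(esp_packet, window)
        return False
    except ValueError:
        return True
```

Inspect the two outputs side by side: the transport-mode packet still shows 10.0.0.1 and 10.0.0.2 in its header, while the tunnel-mode packet only shows the gateway addresses and the inner header comes back out of `esp_decapsulate`. Flipping one ciphertext byte fails the ICV check before any decryption happens, and re-sending a packet with an already-seen sequence number is dropped by the window.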

ISAKMP – Internet Security Association and Key Management Protocol

  • Starts the secure tunnel.
    • Defines the framework (phases and message formats) for authenticating peers and managing security associations; IKE is the key exchange that runs inside that framework.
    • Does not replace IPSec, it functions within it. ESP and AH by themselves neither exchange keys nor create security associations.
    • Does not encrypt user data or provide an AH.
    • Authenticates the peers (pre-shared key or certificates), exchanges keys and establishes the security associations; only then does the tunnel carry traffic.
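
IKE's job in code: an added Python example, not from the page, of the IKE_SA_INIT Diffie-Hellman exchange and the prf+ key derivation from RFC 7296. Both peers arrive at the same seven keys without the shared secret ever crossing the wire, each direction gets its own key, and a fresh negotiation yields fresh keys. The 1024-bit MODP group 2 prime is used only to keep the listing short (production IKE should use group 14 or an elliptic-curve group); the nonces and SPIs are constructed, and the "messages" are the values handed between the two objects rather than real network I/O.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 group 2), chosen here only for brevity.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
# RFC 7296 key set: SA key, auth keys per direction, enc keys per direction, AUTH-payload keys.
KEY_NAMES = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]


def prf(key, data):
    """IKEv2 PRF instantiated as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


class IkePeer:
    """One side of IKE_SA_INIT. Only `public` and `nonce` ever leave this object."""
    def __init__(self, spi, priv=None):
        self.spi = spi                                   # 8-byte IKE SPI (constructed)
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
        self.nonce = secrets.token_bytes(32)
        self.public = pow(G, self.priv, P)               # KE payload: g^x mod p

    def derive_keys(self, peer_public, ni, nr, spi_i, spi_r):
        shared = pow(peer_public, self.priv, P)          # g^ir: computed, never sent
        skeyseed = prf(ni + nr, shared.to_bytes(128, "big"))
        material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32 * len(KEY_NAMES))
        return {name: material[i * 32:(i + 1) * 32] for i, name in enumerate(KEY_NAMES)}


def ike_sa_init(initiator, responder):
    """Message 1 (i->r): SPIi, KEi, Ni.  Message 2 (r->i): SPIr, KEr, Nr.
    Returns the key sets each side derives; they match if the exchange worked."""
    nonces_and_spis = (initiator.nonce, responder.nonce, initiator.spi, responder.spi)
    keys_i = initiator.derive_keys(responder.public, *nonces_and_spis)
    keys_r = responder.derive_keys(initiator.public, *nonces_and_spis)
    return keys_i, keys_r
```

Everything an eavesdropper sees (the two public values, nonces and SPIs) is insufficient to compute `shared`, which is why the ESP keys in the previous section can be fresh per security association: re-run `ike_sa_init` and every key changes. Peer authentication (pre-shared key or certificate) happens in the following IKE_AUTH exchange, keyed with SK_pi/SK_pr, and is not shown here.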

Remote Access

Remote access is not tied to VPNs; the protocols below work just as well on a local network.

They allow point-to-point connectivity to another device.

Remote Access Server

  • A server role that provides remote access into a network.
  • May sit on the perimeter (in the DMZ, exposed to the public internet) or behind a VPN concentrator that forwards authenticated connections to it.

Remote Desktop Protocol (Windows)

  • Point-to-point connection to control another computer's desktop.
  • Requires the appropriate permissions on the remote computer (membership of its Remote Desktop Users group or administrator rights).
  • Works over a LAN or from a remote location.
  • Often disabled by default, depending on corporate security policy; when enabled, reach it through the VPN or remote access server rather than exposing it directly to the internet.

PPPoE (Point-to-Point Protocol over Ethernet)

  • Encapsulates PPP frames inside Ethernet frames.
  • Takes point-to-point connectivity and carries it over Ethernet.
  • Lets an ISP connect many users to the Internet over DSL, each with their own authenticated session.
  • Configured on the customer router to dial the ISP and present a username and password (PPP's PAP or CHAP authentication).

ICA – Independent Computing Architecture

  • Citrix's protocol for delivering applications and desktops across platforms: an application hosted on a Linux or Windows server can be used from any client that speaks ICA, with only screen updates, keystrokes and mouse events crossing the network.
  • The client initiates a remote session with the server.

SSH (Secure Shell)

  • Replaced Telnet, which sent everything, including passwords, in clear text.
  • Secure connection from the user's machine to a remote machine, normally on TCP port 22.
  • Public-key cryptography: the server proves its identity with a host key (verify the fingerprint on first connection) and users can authenticate with key pairs instead of passwords; the session itself is symmetrically encrypted.
  • Used for command-line login, file transfer (SCP/SFTP), port forwarding and other remote management.
