What is Remote Access?

❑ refers to the ability to log onto a network from a distant location

❑ implies a computer, a modem, and some remote
access software to connect to the network

Two elements involved in remote access process:

❑ temporary network connection
❑ series of protocols to negotiate privileges and commands

Three steps to establish proper privileges:

❑ Authentication
❑ Authorization
❑ Accounting
 standard terminal-emulation protocol within the TCP/IP
protocol series, and it is defined in RFC 854

allows users to log in remotely and access resources as

if the user had a local terminal connection

makes its connection using TCP port 23

 protocol series designed to facilitate secure network functions across an insecure
network
provides direct support for secure remote login, secure file transfer, and secure
forwarding of TCP/IP and X Window System traffic
implemented on servers through the use of SSH daemon that listens for incoming
client connections on port 22 by default

has facilities to automatically encrypt data, provide authentication, and compress

data in transit

consists of three major components:

❑ Transport layer protocol
❑ User authentication protocol
❑ Connection protocol
stands for Point-to-Point Tunneling Protocol

usually used to implement security over a PPP

connection

popular choice because it’s available in Microsoft

Windows and relatively simple to implement

uses TCP port 1723

stands for Layer Two Tunneling Protocol

intended as a replacement for PPTP and L2F, combining the

best features of both

supports PAP, CHAP, MS-CHAP and other authentication

protocols

use UDP port 1701

 secure “virtual” networks built atop
physically connected networks
usually perform user authentication
protocols include PPTP, L2TP, SSH
and IPSec

A “session within a session” can create a

secure connection over a public network.
the most popular Layer 3 tunneling protocol, uses public key
encryption technology

establishes an SA (Security Association) for each side of the

connection and negotiates session keys via ISAKMP (Internet
Security Associations and Key Management Protocol), which
uses port 500 to pass its traffic

packet types:
❑ authenticationheader (AH) protocol
❑ encapsulating security payload (ESP) protocol
IPSec Transport and Tunnel Modes

A Simplified comparison of IP V4 and IPSec Transport mode. A more detailed drawing

would be: IP Header + AH Header + ESP header + TCP/UDP header + payload + IPSec
ESP trailer + IPSec ESP Auth.
IPSec Transport and Tunnel Modes

A Simplified comparison of IP V4 and IPSec Tunnel mode. A more detailed drawing would be: Transit IP header + IPSec ESP
header + original IP header + TCP/UDP header + payload + IPSec ESP trailer + IPSec ESPAuth.
relatively recent protocol enhancement that creates a standard for how
authentication is performed over an 802 standards-based network

improves scalability and security of wireless LAN authentication, and allows

for the use of multiple authentication mechanisms as needed

uses a specific form of the Extensible Authentication Protocol (EAP), called

EAP Over LANs (EAPOL)

used to return encryption keys to users, allowing the network to dynamically

vary the encryption used by each connection, rather than requiring that all
stations be pre-configured with a fixed key
 de-facto standard client/server protocol that authenticates and
authorizes users connecting
to a network, to access the network’s resources, utilizing a
centralized database

widely supported and popular authentication protocol, which

many users consider providing better authentication security
than its main alternatives, TACACS+ and unencrypted LDAP
alone
In general, the way RADIUS based
authentication works is:

❑ A user dials in (via modem, DSL, etc.) as a client to a remote access server, and
provides credentials (user/password) in response to the remote access server’s
request
❑ The remote access server (itself a client to a RADIUS server) communicates the
credentials to the RADIUS server, after encrypting it by computing an MD5 hash (see
chapter 4) of it using a “secret” shared between client and server (this is an example
of one way in which credentials are communicated)
❑ The RADIUS server uses a user/password database or perhaps integration with a
network- based authentication system like Windows passwords or LDAP to validate
the password, and returns the results to the remote access server
❑ The remote access server then accepts or denies the connection
stands for Terminal Access Controller Access Control
System+

developed by Cisco

builds on XTACACS by adding a two-factor user authentication,

system and encrypting all client/server communication

has some security vulnerabilities that may concern you if end-

users have access to the network over which TACACS+ traffic
travels
 monitors any network traffic and logs/notifies any possible
malicious activity, note activity that deviates from normal behavior,
catalog and classify the activity, and if possible, respond to the
activity

categorized into two types:

❑ Host-based IDS – examines activity on an individual system, such as
a mail server, web server, or individual PC
❑ Network-based IDS – examines the activity on
the network itself
An IDS may have logical components:

❑ Traffic collector – collects activity/events to

examine by the IDS.
❑ Analysis engine – examines the collected network traffic and compares it to
known patterns of suspicious or malicious activity stored in the signature
database; also known as the “brains” of the IDS.
❑ Signature database – collection of patterns and definitions of known suspicious
or malicious activity.
❑ User interface and reporting – interfaces with the human element, providing
alerts when appropriate and giving the user a means to interact with and operate
the IDS.
Logical Depiction of IDS Components
 system that examines log files, audit trails, and network
traffic coming in to or leaving a specific host

consults several types of log files (kernel, system, server,

network, firewall, and more), and compare the logs against
an internal database of common signatures for known
attacks

can operate in real time (looking for activity as it occurs) and

in batch mode (looking for activity on a periodic basis)
Host-based IDS look for certain activities that characterize hostile
actions or misuse such as:

❑ Logins at odd hours

❑ Login authentication failures
❑ Adding new user accounts
❑ Modification or access of critical system files
❑ Modification or removal of binary files
(executables)
❑ Starting or stopping processes
❑ Privilege escalation
❑ Use of certain programs
Host-Based IDS Components
Advantages of Host-Based IDS:
✓ They can be very operating system-
specific and have more detailed
signatures
✓ They can reduce positive rates
✓ They can examine data after it has been
decrypted
✓ They can be very application specific
✓ They can determine whether or not an
alarm may impact that specific system
Disadvantages of Host-Based IDS:
 Must have a process on every system
you want to watch
 Can have a high cost of ownership
and maintenance
 Uses local system resources
 Has a very focused view and cannot
relate to
activity around it
 If logged locally, could be
compromised or disabled
system that examines the network traffic as it passes by and analyzes traffic
according to protocol, type, amount, source, destination, content, traffic
already seen, etc.

Network-based IDS look for certain activities that characterize hostile actions or
misuse such as:

❑ Denial of service attacks

❑ Port scans or sweeps
❑ Malicious content in the data payload of a packet or packets
❑ Vulnerability scanning
❑ Trojans, viruses, or worms
❑ Tunneling
❑ Brute-force attacks
Network-Based IDS Components
Advantages of Network-Based IDS:
✓ It takes fewer systems to provide IDS
coverage
✓ Deployment, maintenance, and upgrade
costs are usually lower
✓ It has visibility into all network traffic and
can correlate attacks among multiple
systems
Disadvantages of Network-Based IDS:
 It is ineffective when traffic is encrypted
 It can’t see traffic that does not cross it
 It must be able to handle high volumes of
traffic
 It doesn’t know about activity on the hosts
themselves
pre-defined patterns used to spot malicious or suspicious traffic

composed of two main groups: content-based

and context-based

Content-based signatures are designed to look at the content of

network packets or log entries.They are considered the simplest form.
The following are example content-based signatures:

❑ Matching the characters “/etc/passwd” in a telnet

session
❑ Matching a TCP packet with the synchronize, reset, and urgent flags all set
❑ Matching the characters “to: decode” in the header of an e-mail message
Context-based signatures are designed to match large patterns of
activity and examine how certain types of activity fit into the other
activities going on around them. They are generally more
complicated. Context signatures are more difficult to analyze and take
more resources to match. The following are example context-based
signatures:

❑ Match a potential intruder scanning for open web servers on a specific network
❑ Identify a Nessus scan
❑ Identify a ping flood attack
In anomaly detection model, the IDS must know what “normal” behavior on the host
or network being protected really is.

Anomaly detection was developed to make the system capable of dealing with
variations in traffic and to determine which activity patterns were malicious.

In misuse detection mode, the IDS looks for suspicious activity or activity that
violates specific policies and then reacts as it has been programmed.

The misuse detection model is more efficient since it takes fewer resources to
operate, does not need to learn what “normal” behavior is, and generates an alarm
whenever a pattern is successfully matched.
sometimes called a digital sandbox

based on the concept of attracting attackers away from legitimate

systems by presenting more tempting or interesting systems that
appear to be easy target

gives the appearance of a real network, application servers, user

systems, network traffic, etc.

security personnel monitor traffic in and out of a honeypot to better

identify potential attackers along with their tools and capabilities
Logical Depiction of a Honeypot

At t a ck er

Hon eyp ot
system
formalized response of reacting to a situation such as a security
breach or system outage

it is how an organization reacts to an unusual

negative situation

covers the technical and administrative aspects of dealing with incidents

and can range in formality from simple approach to a formal, detailed
step-by-step response plan including procedures and tools that covers
every situation imaginable