Chapter 6. Security Protocols

“...The wisest mind [always] has something yet to learn.”

—Author Unknown

By the end of this chapter, you should know and be able to explain the following:

• The difference between DES and 3DES encryption, including their limitations

• AES encryption and its strengths

• The function and role the MD5 hash plays in securing connections

• What a message digest is and how an SHA hash functions

• The differences between PPTP and L2TP

• The breadth and scope of SSH and how it is more secure than Telnet

Answering these key questions will enable you to better understand the overall characteristics and importance of network security. By the time you finish this book, you should have a solid appreciation for network security, its issues, how it works, and why it is important.

Some of you might be wondering why this chapter is called “Security Protocols” because in the IT realm, the term protocol is usually reserved for routing, or routed, protocols of some sort. The best routing protocol is Open Shortest Path First (OSPF), and you should learn more about it when you can. At this time, however, the discussion focuses on security. According to Newton’s Telecom Dictionary, a protocol is defined as “a set of rules governing the format of messages that are exchanged between computers and people.” I have also seen it defined like this: “A sequence of operations that ensure protection of data. Used with a communications protocol, it provides secure delivery of data between two parties.”

In the realm of security, a security protocol is defined as a secure procedure for regulating data transmission between computers. This chapter concerns the methods of securely encrypting data for transmission over a network. Chapter 9, “IPsec Virtual Private Networks (VPNs),” covers the means of transporting data securely.

This chapter enables you to develop an understanding of how you can secure data. In many ways, being able to protect data through encryption is yet another layer of a network’s security.

Consider that each day, information is being disclosed to people whom you do not want to have it; more often than not, this is sensitive information. In many cases, this is not intentional, nor is it related to criminal activity or attackers in any way. Do you find this difficult to believe? You should not. Think about the following points:

• Sensitive data is placed on servers connected to your LAN for other people to access.

• Sensitive data is copied to USB flash drives, CDs, and DVDs, or printed and then handed to the (in many cases unauthorized) recipient.

• Sensitive data is emailed across the network, or perhaps the Internet, often unencrypted.

• Sensitive data is transmitted in some other manner.

• Sensitive data is placed on a web server and then often removed or altered.

Certainly, these common examples of “business as usual” and “how we do business” are easily recognizable scenarios to many people. We have all done this at some time or another. The danger here is that the sensitive data is being sent in the clear; this means that anyone who intercepts the data, whether intentionally or accidentally, can read it. (Have you ever sent an email to the wrong person?) You might ask yourself what possible kind of data could be used in a negative manner. Consider the following types of data:

Personally identifiable information: Have you ever entered your full name, address, phone number, date of birth, driver’s license number, vehicle registration plate number, or, dare I say, Social Security number into a web page or an email?

Financial data: Do you use Quicken or other money-management software on your computer? Is that computer ever connected to a network? What about checking bank account information online, tracking stocks you own, or entering credit-card data online?

Customer data: Does your company enter customer information into a database or take orders online?

Medical data: When was the last time you walked into a hospital or doctor’s office and did not see a computer, no less in a common area? Last time I was there, the doctor had a Palm Pilot with all my data loaded onto it. What would happen if he lost it or it was stolen?

These are the most commonly known types of data, but what about movies, music, new product plans, future projections, source code, and so on?

Most of the time, there is no danger of any sort; however, this is not always the case. When there is a mistake, it can be extremely serious. The point here is that everyone and every company has important data that they would not want shared. This chapter discusses ways to protect this data.


Note

When discussing encryption, the password is often referred to as the key; these two terms can be and are used interchangeably.

