The IEEE 802.1x protocols are a collection of wireless protocol standards. Most modern wireless network communications follow the specifications outlined by the 802.1x standard. There are two widely used wireless standards: 802.11 and 802.16. However, the Security+ exam only focuses on 802.11 and related wireless networking technologies. Figure 2.2 shows a laptop PC (a network client) using a wireless access card to communicate with the rest of the network through a wireless access point and to a wireless server that offers Internet connectivity.

Figure 2.2. A typical wireless network

A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is also encrypted. VPNs can be used to connect two networks across the Internet (see Figure 2.3) or to allow distant clients to connect into an office LAN across the Internet (see Figure 2.4). Once a VPN link is established, the network connectivity for the VPN client is exactly the same as a LAN connected by a cable connection. The only difference between a direct LAN cable connection and a VPN link is speed.

Figure 2.3. Two LANs being connected using a VPN across the Internet

Figure 2.4. A client connecting to a network via a VPN across the Internet

VPNs are often the best solution to allow remote users to access resources on a corporate LAN. They have a number of advantages:

VPN links are established using VPN protocols. There are several VPN protocols, but the three you should recognize are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Protocol Security (IPSec).

Sometimes VPN protocols are called tunneling protocols. This naming convention is designed to focus attention on the tunneling capabilities of VPNs.

VPNs work through a process called encapsulation. As data is transmitted from one system to another across a VPN link, the normal LAN TCP/IP traffic is encapsulated (encased, or enclosed) in the VPN protocol. The VPN protocol acts like a security envelop that provides special delivery capabilities (for example, across the Internet) as well as security mechanisms (such as data encryption).

When firewalls, intrusion detection systems, antivirus scanners, or other packet-filtering and -monitoring security mechanisms are used, you must realize that the data payload of VPN traffic won't be viewable, accessible, scannable, and so on, since it's encrypted. Thus, in order for these security mechanisms to function against VPN transported data, they must be placed outside of the VPN tunnel to act on the data after it has been decrypted and returned back to normal LAN traffic.

VPNs provide four critical functions:

As with any type of remote access connection, VPN clients can be authenticated through RADIUS.

Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication system. It's often deployed to provide an additional layer of security for a network. By offloading authentication of remote access clients from domain controllers or even the remote access server itself to a dedicated authentication server such as RADIUS, you can provide greater protection against intrusion for the network as a whole. RADIUS can be used with any type of remote access, including dial-up, VPN, and terminal services.

RADIUS is known as an AAA server. AAA stands for authentication, authorization (or access control), and auditing. RADIUS provides for distinct AAA functions for remote access clients separate from those of normal local domain clients. RADIUS isn't the only AAA server, but it's the most widely deployed.

When RADIUS is deployed, it's important to understand the terms RADIUS client and RADIUS server, both of which are depicted in Figure 2.5.The RADIUS server is obviously the system hosting the RADIUS service. However, the RADIUS client is the Remote Access Server (RAS), not the remote system connecting to RAS. As far as the remote access client is concerned, it only sees the RAS server, not the RADIUS server. Thus, the RAS server is the RADIUS client.

Figure 2.5. The RADIUS client manages the local connection and authenticates against a central server.

Terminal Access Controller Access Control System (TACACS) is another example of an AAA server. TACACS is an Internet standard (RFC 1492); however, Cisco's proprietary implementations of XTACACS and TACACS+ have quickly gained in popularity. TACACS is a centralized remote access authentication solution (Figure 2.6) similar to RADIUS; it uses ports TCP 49 and UDP 49.

Figure 2.6. Centrally managed remote access authentication with TACACS

Layer 2 Tunneling Protocol (L2TP) and Point to Point Tunneling Protocol (PPTP) are widely used VPN protocols. PPTP was originally developed by Microsoft. Cisco and Microsoft worked together in creating L2TP (based on Cisco's L2F and Microsoft's PPTP). Since its development, L2TP has become an Internet standard (RFC 2661) and is quickly becoming widely supported.

Both L2TP and PPTP are based on Point-to-Point Protocol (PPP) and thus work well over various types of remote access connections, including dial-up. L2TP can support just about any networking protocol. PPTP is limited to IP traffic. L2TP uses UDP port 1701, and PPTP uses TCP port 1723.

PPTP can use any of the authentication methods supported by PPP, including the following:

Note that PPTP can provide data encryption only when MS-CHAP v.2 is employed for authentication.

L2TP can rely on PPP and thus on PPP's supported authentication protocols. But L2TP also supports other authentication and encryption protocols, such as Internet Protocol Security (IPSec). Although it isn't required, L2TP is most often deployed using IPSec.

Secure Shell (SSH) is a secure replacement for Telnet, rlogon, rsh, and rcp. SSH can be called a remote access or remote terminal solution. It consists of an SSH server component and an SSH client component. SSH offers a means by which a command-line, text-only interface connection with a server can be established over any distance. Through the SSH connection, you can perform any command-line or scriptable activities. See Figure 2.7.

SSH transmits both authentication traffic and data in a secured encrypted form. Thus, no information is exchanged in clear text. This makes SSH a secure alternative to Telnet, which transmits both authentication credentials and data in clear text. SSH operates over TCP port 22.

Internet Protocol Security (IPSec) is both a stand-alone VPN protocol and a module that can be used with L2TP. You can use IPSec in dial-up or network-to-network connections. When it's employed over dial-up, it usually functions as the encryption protocol in an L2TP link. IPSec by itself is more suitable for network-to-network connections across normal LAN connections, high-speed WAN links, and the Internet.

Figure 2.7. A Unix version of SSH, showing a list of available command-line options

IPSec isn't a single protocol but rather a collection of protocols. Two of the primary protocols of IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication of the sender's data; ESP provides encryption of the transferred data as well as limited authentication.

IPSec operates at the OSI Model layer 3 (the Network layer). IPSec operates over TCP ports 50 and 51. Thus, if an IPSec tunnel is to cross a firewall, these ports must be opened.

IPSec can operate in two modes: tunnel mode and transport mode. In tunnel mode (see Figure 2.8), IPSec provides encryption protection for both the payload and message header by encapsulating the entire original LAN protocol packet and adding its own temporary IPSec header. In transport mode (see Figure 2.9), IPSec provides encryption protection for just the payload and leaves the original message header intact. Tunnel mode should be used when you're connecting over an untrusted network.

Figure 2.8. IPSec's encryption of a packet in tunnel mode

Figure 2.9. IPSec's encryption of a packet in transport mode

IPSec provides for encryption security using symmetric cryptography. This means communication partners use shared secret keys to encrypt and decrypt traffic over the IPSec VPN link. One of the mechanisms used by IPSec to manage cryptography is Internet Key Exchange (IKE); it ensures the secure exchange of secret keys between communication partners in order to establish the encrypted VPN tunnel.

IPSec also uses Internet Security Association and Key Management Protocol (ISAKMP), which is known as a security association manager. A security association is the agreed-upon method of authentication used by two entities. Without a common method of authentication, a VPN link can't be established. So, ISAKMP is used to negotiate and provide authenticated keying material (a common method of authentication) for security associations in a secured manner. The four major functional components of ISAKMP are

Every communications technology, mechanism, or solution is vulnerable to one thing or another. With the implementation of cryptography to provide security through encryption, many forms of communication have become more reliable and now offer dependable protection. When encryption is involved, the issue often distills down to the algorithm in use and the length of the key. Obviously, using algorithms such as DES, which have been broken, offers weaker security. Likewise, using shorter keys allows a brute-force attack to be more successful.

Outside of the technologies involved with communications, there will always be the weakness of social engineering against the people involved in using those connections. Ultimately, no matter how strong the technology, without reliable physical access control and sufficient employee training, security is little more than a fading wish.

Secure Multipurpose Internet Mail Extensions (S/MIME) is an Internet standard for encrypting e-mail. Many e-mail security products are based on the S/MIME standard. S/MIME takes the standard MIME element of e-mail, which enables e-mail to carry attachments and higher-order textual information (fonts, color, size, layout, and so on), and expands this to include message encryption. S/MIME uses RSA (an asymmetric encryption scheme) to encrypt and protect e-mail.

S/MIME works by taking the original message from the server, encrypting it, and then attaching it to a new blank e-mail as an attachment. The new blank e-mail includes the sender's and receiver's e-mail addresses, to control routing of the message to its destination. The receiver must then strip off the attachment and decrypt it in order to extract the original message. When e-mail encryption is used, confidentiality is protected.

As shown in Figure 2.11, the basic process is as follows:

The process of encrypting e-mail isn't complex; however, it's cumbersome in implementation. Fortunately, an S/MIME add-on package for an e-mail client automates the process. The only restriction to the S/MIME e-mail solutions is that all communication partners must have compatible S/MIME products installed and use a common or compatible source for their asymmetric encryption key pairs.

S/MIME includes the capability to digitally sign e-mails; however, this isn't a widely employed feature. Pretty Good Privacy's (PGP) digital signature feature is much more popular.

Figure 2.11. The asymmetric-based e-mail encryption process

Pretty Good Privacy (PGP) is another e-mail security and encryption product that functions in much the same way as S/MIME. PGP was developed by Phillip R. Zimmerman in 1991. It has widespread popularity with the general public as well as corporations that wish to use secured private e-mail. PGP uses RSA or Diffie-Hellman asymmetric cryptography solutions. It's similar to S/MIME, but it's a proposed e-mail security standard of its own known as PGP/MIME.

Another popular feature of PGP is digital signatures. A digital signature is a means by which PGP users can sign their e-mails so that both PGP and non-PGP using recipients can see the text or body of the message. However, a PGP recipient can then verify or authenticate the message by testing the signature. Digital signatures provide a means to verify the source of a message; this is known as nonrepudiation. The digital signature also includes a hash value of the message and allows the recipient to verify that the integrity of the message hasn't been violated while in transit.

The process of using a digital signature is more complex than encrypting a message. It requires not only a shared asymmetric cryptography solution between the communication partners, but also that both parties use the same hashing algorithm. The procedure for employing a digital signature is as follows (see Figure 2.12):

Figure 2.12. The asymmetric-based e-mail digital signature process

E-mail allows for fast, efficient communications across the Internet. There are more e-mail addresses than there are actual Internet users, because many people have multiple e-mail addresses whether by chance or by choice. E-mail offers individuals and companies alike a means to communicate without paying any type of per-message fee (such as with snail mail) and allows message to be delivered in seconds rather than days. However, these abilities of e-mail also make it ripe for exploitation by those with malicious or at least nonbenevolent intentions. Some examples include spam and hoaxes, which are discussed in the following sections.

Because e-mail is so widely used, it has become the most prevalent delivery vehicle for malicious code such as viruses, logic bombs, and Trojan horses. To combat this threat, you should deploy an antivirus scanner to scan e-mail content and attachments. You should even consider stripping or blocking e-mail attachments (especially those with known extensions of scripts or executables) as they enter your network (on an e-mail gateway, firewall, and so on).

E-mail servers should also check for invalid, corrupted, or malformed messages. An e-mail message with a corrupted MIME header can cause an unprepared e-mail server to crash or freeze. Thus, attackers can use invalid e-mail formats as a method of waging a Denial of Service (DoS) attack against your e-mail systems. By keeping e-mail servers properly updated and deploying antivirus scanners and e-mail filters, you can avoid most of the problems and attacks associated with e-mail.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to encrypt traffic between a web browser and a web server. Through the use of SSL or TLS, web surfers can make online purchases, interact with banks, and access private information without disclosing the contents of their communications. SSL and TLS can make web transactions private and secure. While they aren't true VPN protocols, SSL and TLS operate in much the same manner as VPNs.

SSL was originally developed by Netscape, but it quickly became an Internet standard. Currently SSL version 3.0 is in widespread use across the Internet. TLS is based on SSL, but they aren't interoperable. SSL operates over TCP port 443, whereas TLS can operate over TCP port 443 or 80 (as does HTTP).

SSL can also be used to provide encrypted sessions for other application layer protocols, such as Telnet, FTP, and e-mail. SSL functions at layer 5 (the Session layer) of the OSI Model.

When SSL is to be used to secure the communications between a web browser and web server, a six-step handshake process must be completed to establish the secured session:

SSL uses symmetric keys as the session keys. The session keys are available in 40-bit and 128-bit strengths.

HTTP is the standard foundational protocol used on the Web. It operates over TCP port 80. HTTP is a plain text or clear text communication protocol; thus it offers no security or privacy to transactions. When SSL or TLS is used to secure transactions, this is known as Hypertext Transfer Protocol over SSL (HTTPS). You'll be able to recognize when secure web communications are occurring using SSL or TLS because the URL will begin with HTTPS and a locked padlock icon will appear in the status bar at the bottom of the browser window.

It's important not to confuse HTTPS with a similar protocol, Secure HTTP (S-HTTP). S-HTTP isn't in widespread use. The primary differences are that S-HTTP doesn't use SSL, it encrypts individual web page elements rather than the entire web communication session, and it can only be used to support HTTP. Overall, S-HTTP is less secure than HTTPS.

In addition to web pages, SSL can also be used to secure FTP, Network News Transfer Protocol (NNTP), Telnet, and other Application layer TCP/IP protocols. S-HTTP is unable to protect anything other than web traffic.

Instant messaging (IM) is a mechanism that allows for real-time text-based chat between two users located anywhere on the Internet. Some IM utilities allow for file transfer, multimedia, voice and video conferencing, and more. However, unlike many Internet information services, such as the Web, FTP, and e-mail, IM is a peer-to-peer based service. There is no need for a centralized controlling server. This makes IM easy for end users to deploy and use, but it's difficult to manage from a corporate perspective. IM is insecure. It has numerous vulnerabilities, such as susceptibility to packet sniffing, it lacks true native security capabilities, and it provides no protection for privacy.

As the capabilities of the Web and other Internet information services expand, the vulnerabilities seem to increase as well. Nearly every form of communication that occurs over the Internet has a wide range of weaknesses. It's important to keep yourself informed about the relevant problems and issues with communication methods you employ and how to resolve or safeguard against them. Some of these issues include JavaScript, ActiveX, buffer overflows, cookies, signed applets, CGI scripts, and SMTP relays.

SSL and TLS are covered earlier, in section "2.3 Internet Security."

LDAP is a standardized protocol that enables clients to access resources within a directory service. A directory service is a network service that provides access to a central database of information, which contains detailed information about the resources available on a network. LDAP follows the x.500 standard, which defines what a directory service is and how it is to be constructed (at least from a foundational infrastructure perspective). Clients can interact with directory service resources through LDAP by using authentication that is at least a minimum of a username and password.

LDAP directory structures are hierarchical data models that use branches like a tree and that have a clearly identified and define root (see Figure 2.14). LDAP operates over TCP ports 389 and 636. It can employ SSL or TLS to provide authentication and data encryption security.

Figure 2.14. An example of an LDAP-based directory services structure

Secure FTP (S/FTP) is a secured alternative to standard FTP. Standard FTP sends all data, including authentication traffic, in the clear. Thus, there is no confidentiality protection. S/FTP encrypts both authentication and data traffic between the client and server; it employs SSH to provide secure FTP communications.

No matter what secure FTP solution is employed, both the server and the client must have the same solution. Otherwise, FTP session establishment and subsequent file transfer communications won't be possible.

Anonymous FTP is a form of nameless logon to an FTP server. Usually, visitors to an FTP site who wish to log on anonymously use the word anonymous as the logon name. They're then prompted to provide their e-mail address as the password, but any text string suffices.

Site administrators should carefully configure FTP servers that allow anonymous access. Anonymous users shouldn't be able to download (or, in many cases, view) any files uploaded by anonymous users. Anonymous upload and upload should only be enabled if absolutely necessary. When possible, don't allow both authenticated and anonymous FTP logons on the same FTP site. Most FTP servers have anonymous FTP enabled by default, so usually it must be specifically disabled in order to limit access to authenticated users.

If FTP upload is allowed, especially when anonymous FTP uploading is allowed, ensure that it isn't possible to access upload folders from a web URL. If you don't take this precaution, web visitors may be able to download files from the FTP site through HTTP, or they may be able to execute uploaded files.

Blind FTP is a configuration of anonymous FTP or authenticated FTP where uploaded files are unseen and unreadable by visitors. Thus, users can upload files but not see the resulting uploads. This ensures that your FTP site isn't overrun by file swappers using your system as a file exchange point. File swappers often exchange illegal (unlicensed) copies of software, music, and movies through unsecured FTP servers. Uploaded files on a blind FTP server become accessible only after the administrator has either changed the files' permissions or moved them into a folder configured to allow downloads.

You can support file sharing by deploying an FTP server that allows visitors to upload and download files. Restricting such a site to authenticated logons ensures than only authorized users gain access to the site. Allowing anonymous connections to a file-sharing FTP server encourages the exchange of illegal copies of software, music, and movies.

FTP is an in-the-clear transmission protocol. It's also a fairly old but standardized protocol. This makes FTP servers vulnerable to packet sniffing and possibly naming convention troubles.

Wireless Transport Layer Security (WTLS) is the security layer for the Wireless Application Protocol (WAP). It provides the security services of privacy, integrity, and authentication for WAP-supporting networks. WTLS is based on TLS. It provides for encrypted traffic between a mobile device and a WAP gateway (see Figure 2.15). WAP is often deployed to support wireless handheld devices like PDAs and cell phones.

Figure 2.15. A WAP gateway enables secure communications between an information server (a web server) and a portable handheld device.

802.11 is the IEEE standard for wireless network communications. Various versions of the standard have been implemented in wireless networking hardware, including 802.11a, 802.11b, and 802.11g. 802.11x is often used to collectively refer to all of these specific implementations as a group, however 802.11 and 802.11x may be used interchangeably when discussing standard wireless issues. Each version offered slightly better throughput: 2 MB, 11 MB, and 54 MB, respectively. The 802.11 standard also defines Wired Equivalent Privacy (WEP), which provides eavesdropping protection for wireless communications.

Wired Equivalent Privacy (WEP) is defined by the IEEE 802.11 standard. It was designed to provide the same level of security and encryption on wireless networks as is found on wired or cabled networks. WEP provides protection from packet sniffing and eavesdropping against wireless transmissions.

A secondary benefit of WEP is that it can be configured to prevent unauthorized access to the wireless network. WEP uses a predefined shared secret key; however, rather than being a typical symmetric cryptography solution, the shared key is static and shared among all wireless access points and device interfaces. This key is used to encrypt packets before they are transmitted over the wireless link, thus providing confidentiality protection. A hash value is used to verify that received packets weren't modified or corrupted while in transit; thus WEP also provides integrity protection. Knowledge or possession of the key not only allows encrypted communication but also serves as a rudimentary form of authentication, since without it, access to the wireless network is prohibited.

Wireless Application Protocol (WAP) is often deployed to support wireless handheld devices like PDAs and cell phones. WAP employs WTLS for security. WAP environments function using a WAP gateway between the mobile client and the information server.

Wireless networking has made networking more versatile than ever before. Workstations and portable systems are no longer tied to a cable, but can roam freely around an office or environment—anywhere within the signal range of the deployed wireless access points. However, this freedom comes at the cost of additional vulnerabilities. Wireless networks are subject to the same vulnerabilities, threats, and risks as any cabled network, plus there are the additional issues of distance eavesdropping and packet sniffing as well as new forms of DoS and intrusion.

When you're deploying wireless networks, you should deploy wireless access points configured to use infrastructure mode rather than ad hoc mode. Ad hoc mode means that any two wireless networking devices, including two wireless Network Interface Cards (NICs), can communicate without a centralized control authority. Infrastructure mode means that a wireless access point is required, wireless NICs on systems can't interact directly, and the restrictions of the wireless access point for wireless network access are enforced.

One method used to discover areas of a physical environment where unwanted wireless access might be possible is to perform a site survey.