NDEv1 Module 01 Network Security Fundamentals

The document outlines the fundamentals of network security, focusing on the goals of network defense, information assurance principles, and various network security controls and protocols. It discusses the benefits and challenges of network defense, including the need for compliance and the evolving nature of threats. Additionally, it covers different approaches to network defense and specific protocols like RADIUS, TACACS+, and Kerberos.

Module 01

Network Security Fundamentals

Copyright©byEC-Council. AllRightsReserved.ReproductionisStrictlyProhibited.
Module Objectives
1) Understanding the Goals of Network Defense
2) Understanding Information Assurance (IA) Principles
3) Understanding the Benefits and Challenges of Network Defense
4) Overview of Different Types of Network Defense Approaches
5) Understanding the Different Types of Network Security Controls
6) Understanding the Different Network Security Protocols

Module Flow

01 Understand Fundamentals of Network Security
02 Discuss Essential Network Security Protocols

Essentials of Network Security

- A completely secure and robust network can be designed with proper implementation and configuration of network security elements

Elements of Network Security: Network Security Controls, Network Security Protocols, Network Security Devices

Goal of Network Defense
The ultimate goal of network defense is to protect an organization's information, systems, and network infrastructure from unauthorized access, misuse, modification, service denial, or any degradation and disruptions.

Organizations rely on information assurance (IA) principles to attain defense-in-depth security.

Information assurance (IA) principles act as enablers for an organization's security activities to protect and defend the organizational network from security attacks.

Information Assurance (IA) Principles
- Confidentiality: Ensures information is not disclosed to unauthorized parties (diagram: a man in the middle between an authorized user and the server cannot listen to or view the information)
- Integrity: Ensures information is not modified or tampered with by unauthorized parties (diagram: a man in the middle between an authorized user and the server cannot modify the information)
- Availability: Ensures information is available to authorized parties without any disruption (diagram: services unavailable to authorized users)
Information Assurance (IA) Principles (Cont’d)

- Non-repudiation: Ensures that a party in a communication cannot deny sending the message (diagram: a user sends "Transfer amount 500 to User" to the server and later denies the transaction)
- Authentication: Ensures the identity of an individual is verified by the system or service (diagram: an authorized user is verified by the server)
Network Defense Benefits

- Protect information assets
- Comply with government and industry-specific regulations
- Ensure secure communication with clients and suppliers
- Reduce the risk of being attacked
- Gain a competitive edge over competitors by providing more secure services
Network Defense Challenges

Distributed Computing Environments
- With the advancement in modern technology and to meet business requirements, networks are becoming vast and complex, potentially leading to serious security vulnerabilities. Attackers exploit exposed security vulnerabilities to compromise network security

Emerging Threats
- Potential threats to the network evolve each day. Network security attacks are becoming technically more sophisticated and better organized

Lack of Network Security Skills
- Organizations are failing to defend themselves against rapidly increasing network attacks due to the lack of network security skills
Types of Network Defense Approaches

Preventive Approaches
- Consist of methods or techniques that are used to avoid threats or attacks on the target network

Reactive Approaches
- Consist of methods or techniques that are used to detect attacks on the target network

Retrospective Approaches
- Consist of methods or techniques that examine the causes for attacks, and contain, remediate, eradicate, and recover from damage caused by the attack on the target network

Proactive Approaches
- Consist of methods or techniques that are used to make informed decisions on potential attacks in the future on the target network
Network Security Controls: Administrative Security Controls

- The management implements administrative access controls to ensure the safety of the organization

Examples of Administrative Security Controls

1) Regulatory framework compliance
2) Security policy
3) Employee monitoring and supervising
4) Information classification
5) Security awareness and training

Network Security Controls: Physical Security Controls

- This is a set of security measures taken to prevent unauthorized access to physical devices

Examples of Physical Access Controls: Locks, Fences, Badge system, Security guards, Mantrap doors, Biometric system, Lighting, Motion detectors, Closed-circuit TVs, Alarms

Network Security Controls: Technical Security Controls

- This is a set of security measures taken to protect data and systems from unauthorized personnel

Examples of Technical Security Controls

1) Access controls
2) Authentication
3) Authorization
4) Auditing
5) Security protocols
6) Network security devices
Network Security Protocols

RADIUS, TACACS+, Kerberos, PGP, S/MIME, Secure HTTP, HTTPS, TLS, SSL, IPsec

Remote Authentication Dial-in User Service (RADIUS)
- Remote authentication dial-in user service (RADIUS) is an authentication protocol which provides centralized authentication, authorization, and accounting (AAA) for remote access servers to communicate with a central server

Authentication Steps in RADIUS

1) A client initiates a connection by sending the Access-Request packet to the server
2) The server receives the access request from the client and compares the credentials with the ones stored in the database. If the provided information matches, then it sends the Access-Accept message along with the Access-Challenge to the client for additional authentication, else it sends back an Access-Reject message
3) Client sends the Accounting-Request to the server to specify the accounting information for a connection that was accepted

Exchange between the access server and the RADIUS server (diagram):
  Packet Type - Access-Request (Username, Password)
  Access-Accept / Access-Reject (User Service, Framed Protocol)
  Access-Challenge (optional) (Reply Message)

Remote Authentication Dial-in User Service (RADIUS) (Cont'd)

RADIUS Accounting Steps

- Client sends the Accounting-Request to the server to specify the accounting information for a connection that was accepted
- The server receives this message and sends back the Accounting-Response message which states the successful establishment of the network

Exchange between the RADIUS client and the RADIUS server (diagram):
  RADIUS: Accounting-Request [acct_status_type=start]
  RADIUS: Accounting-Response
  RADIUS: Accounting-Request [acct_status_type=interim update]
  RADIUS: Accounting-Response
  RADIUS: Accounting-Request [acct_status_type=stop]
  RADIUS: Accounting-Response
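The RADIUS authentication steps above, modelled as an added example that is not part of the EC-Council slides: an Access-Request is built with the packet layout, User-Password hiding and Response Authenticator defined in RFC 2865, the server answers Access-Accept or Access-Reject, and the client checks that the reply is bound to its own request. The shared secret and the user store are constructed sample values; the accounting exchange and Access-Challenge are not modelled.

```python
import hashlib
import os
# Packet codes and attribute types from RFC 2865; USERS is a constructed sample store.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
USERS = {b"alice": b"correct-horse"}

def attr(atype, value):  # one attribute: Type(1) Length(1) Value
    return bytes([atype, 2 + len(value)]) + value

def parse_attrs(data):  # attribute list -> {type: value}
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def packet(code, ident, authenticator, attrs):  # Code(1) ID(1) Length(2) Authenticator(16) Attrs
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs

def xor_password(data, secret, authenticator, hide):
    # RFC 2865 hiding: XOR each 16-byte block with MD5(secret + previous ciphertext block), seeded by the authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def response_authenticator(code, ident, attrs, request_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret) ties a reply to one request
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def access_request(user, password, secret, ident=1):  # step 1: client -> RADIUS server
    auth = os.urandom(16)  # Request Authenticator: fresh, unpredictable per request
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, xor_password(padded, secret, auth, True))
    return packet(ACCESS_REQUEST, ident, auth, attrs)

def server_handle(request, secret):  # step 2: recover the password, check it, Accept or Reject
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request[20:])
    pw = xor_password(attrs[USER_PASSWORD], secret, req_auth, False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if USERS.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    reply = attr(REPLY_MESSAGE, b"Welcome" if code == ACCESS_ACCEPT else b"Denied")
    return packet(code, ident, response_authenticator(code, ident, reply, req_auth, secret), reply)

def client_check(request, reply, secret):  # client accepts only a reply bound to its own request
    expected = response_authenticator(reply[0], reply[1], reply[20:], request[4:20], secret)
    return reply[1] == request[1] and expected == reply[4:20]
```

A reply computed with the wrong shared secret, or one whose code byte has been altered in transit, fails `client_check`, which is the only protection RADIUS offers for the reply itself.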
Terminal Access Controller Access Control System Plus (TACACS+)

- The terminal access controller access control system plus (TACACS+) is a network security protocol used for AAA of network devices such as switches, routers, and firewalls through one or more centralized servers
- TACACS+ encrypts the entire communication between the client and the server including the user's password which protects it from sniffing attacks
- It is a client-server model approach where the client (user or network device) requests for connection to a server; the server authenticates the user by examining their credentials

Diagram: a remote user reaches the corporate network over the Public Switched Telephone Network (PSTN) / Integrated Services Digital Network (ISDN) through a router acting as the TACACS+ client, which consults the TACACS+ security server.

Exchange between the AAA client and the TACACS+ server (diagram):
1) The AAA client receives a resource request from a user. This is assuming that the authentication has already taken place
2) REQUEST is sent to the AAA server for service shell
3) RESPONSE is returned to the AAA client indicating a pass or fail
4) AAA client may grant or deny access to the service shell
Kerberos

- Kerberos is an authenticating method for accessing a network

Kerberos authentication protocol (KAP)

1) A user sends his/her credentials to an authentication server (AS)
2) The AS hashes the password of the user and verifies their credentials in the active directory database. If the credential matches, then AS (consisting of the ticket granting service, TGS) sends back the TGS session key and ticket granting ticket (TGT) to the user to create a session
3) Once users are authenticated, they send the TGT to request a service ticket to the server or TGS for accessing the services
4) The TGS authenticates the TGT and grants a service ticket to the user. The service ticket consists of the ticket and a session key
5) The client sends the service ticket to the server. The server uses its key to decrypt the information from the TGS and the client is authenticated to the server

Diagram: the client sends a ticket request to the Key Distribution Center (KDC); the KDC generates a ticket, encrypted using a server secret key, and returns it in the ticket response; the client decrypts the ticket response and forwards the ticket to the server; the server decrypts the ticket and confirms the identity of the client.
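The five Kerberos steps above, as an added example that is not part of the EC-Council material: a toy Python model of the AS, TGS, client and service in which `seal`/`unseal` (a SHA-256 keystream plus HMAC, written here only for illustration) stands in for a Kerberos encryption type. It assumes constructed principal names, passwords and keys; a wrong password shows up as a failed integrity check on the AS reply rather than as an explicit check by the AS, and the TGT carries only the user, the session key and an expiry.

```python
import hashlib, hmac, json, os, time

def derive_key(password):  # step 1/2: both client and AS derive the user's key from the password
    return hashlib.sha256(password.encode()).digest()

def keystream(key, nonce, n):  # SHA-256 in counter mode, at least n bytes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, payload):
    # Toy authenticated encryption standing in for a Kerberos enctype: encrypt-then-MAC.
    data, nonce = json.dumps(payload).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # raises ValueError if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

class KDC:  # authentication server (AS) and ticket-granting service (TGS) sharing one database
    def __init__(self):
        self.users = {"alice": derive_key("alice-pw")}   # constructed sample principal database
        self.services = {"fileserver": os.urandom(32)}  # long-term keys shared with each service
        self.tgs_key = os.urandom(32)                   # TGS key: no client can read a TGT

    def as_exchange(self, user):  # step 2: TGS session key under the user key, TGT under TGS key
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "key": session, "exp": time.time() + 600})
        return seal(self.users[user], {"tgs_key": session}), tgt

    def tgs_exchange(self, tgt, authenticator, service):  # step 4: check TGT, issue service ticket
        t = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"] or time.time() > t["exp"]:
            raise ValueError("TGT rejected")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.services[service], {"user": t["user"], "key": svc_session})
        return seal(bytes.fromhex(t["key"]), {"svc_key": svc_session}), ticket

def client_login(kdc, user, password, service):  # steps 1, 3 and 5 as seen by the client
    rep, tgt = kdc.as_exchange(user)
    tgs_session = bytes.fromhex(unseal(derive_key(password), rep)["tgs_key"])  # wrong password fails here
    rep2, ticket = kdc.tgs_exchange(tgt, seal(tgs_session, {"user": user}), service)
    svc_session = bytes.fromhex(unseal(tgs_session, rep2)["svc_key"])
    return ticket, seal(svc_session, {"user": user})

def service_accept(service_key, ticket, authenticator):  # step 5: the server needs only its own key
    t = unseal(service_key, ticket)
    return unseal(bytes.fromhex(t["key"]), authenticator)["user"] == t["user"]
```

The point to notice is that the service never talks to the KDC: the ticket it receives is readable only with its own long-term key, and the authenticator proves the presenter holds the session key that the KDC placed inside that ticket.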
Pretty Good Privacy (PGP)

- Pretty good privacy (PGP) is an application layer protocol which provides cryptographic privacy and authentication for network communication
- It encrypts and decrypts email communication as well as authenticates messages with digital signatures and encrypts stored files

File encryption (diagram): a random key encrypts the file; the random key is itself encrypted with the user's public key and carried in the header of the encrypted file.

File decryption (diagram): the user's private key decrypts the encrypted key from the header; the recovered key then decrypts the encrypted file back into the file.
Secure/Multipurpose Internet Mail Extensions (S/MIME)

1) Secure/multipurpose internet mail extensions (S/MIME) is an application layer protocol which is used for sending digitally signed and encrypted email messages
2) It uses the RSA system for email encryption
3) Network defenders need to enable S/MIME-based security for mailboxes in their organizations

Secure/Multipurpose Internet Mail Extensions (S/MIME) (Cont'd)

Diagram, Alice sending to Bob:
- Signing: Alice signs the message with her private key to produce a digital signature; Bob performs signature checking with Alice's public key from her certificate (OK?)
- Encryption: the message is encrypted with a secret key (DES) to give the encrypted message; the secret key is encrypted with Bob's public key from his certificate (RSA)
- Decryption: Bob recovers the secret key with his private key (RSA) and decrypts the encrypted message (DES)
Differences between PGP and S/MIME

Mandatory Features                   | S/MIME v3                                | OpenPGP
-------------------------------------|------------------------------------------|------------------------------------------
Message Format                       | Binary, based on CMS                     | application/pkcs7-mime
Certificate Format                   | Binary, based on X.509v3                 | Binary, based on previous PGP
Symmetric Encryption Algorithm       | TripleDES (DES, EDE3, and CBC)           | TripleDES (DES, EDE3, and Eccentric CFB)
Signature Algorithm                  | Diffie-Hellman (X9.42) with DSS or RSA   | ElGamal with DSS
Hash Algorithm                       | SHA-1                                    | SHA-1
MIME Encapsulation of Signed Data    | Choice of multipart/signed or CMS format | multipart/signed ASCII armor
MIME Encapsulation of Encrypted Data | application/pkcs7-mime                   | multipart/encrypted
Secure Hypertext Transfer Protocol (S-HTTP)

- Secure hypertext transfer protocol (S-HTTP) is an application layer protocol that is used to encrypt web communications carried over HTTP
- It is an alternative for the HTTPS (SSL) protocol
- It ensures secure data transmission of individual messages, while SSL establishes a secure connection between two entities thus ensuring security of the entire communication

Diagram: on the client machine, the WWW client's HTTP traffic passes through a CryptoSmart layer (application-level security) that produces encrypted and/or signed S-HTTP messages; these cross an unencrypted channel at the network layer to the server machine, where the server's CryptoSmart layer processes them and hands the HTTP content to the WWW server.

Note: Not all Web browsers and servers support S-HTTP


Hypertext Transfer Protocol Secure (HTTPS)

- Hypertext transfer protocol secure (HTTPS) ensures secure communication between two computers over HTTP
- The connection is encrypted using a transport layer security (TLS) or SSL protocol
- It is often used in confidential online transactions
- It protects against man-in-the-middle attacks since the data are transmitted over an encrypted channel

Diagram: A sends the password "Mypass"; encryption turns it into "Xz54p6kd" on the HTTPS channel; B decrypts and receives "Mypass". An unauthorized party with access to the channel gets only "Xz54p6kd".

Transport Layer Security (TLS)

- Transport layer security (TLS) ensures a secure communication between client-server applications over the internet
- It prevents the network communication from being eavesdropped or tampered

Layers of TLS Protocol
- TLS Record Protocol: It ensures connection security with encryption
- TLS Handshake Protocol: It ensures server and client authentication

Diagram: on each side the stack is Application, TLS Handshake Protocol, TLS Record Protocol, TCP/IP, Network Hardware.

Secure Sockets Layer (SSL)

- Secure sockets layer (SSL) was developed by Netscape for managing the security of a message transmission on the internet
- It uses the RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections

SSL handshake (diagram):
1) Client: ClientHello message (includes SSL version, randomly generated data, encryption algorithms, session ID, key exchange algorithms, compression algorithms, and MAC algorithms)
2) Server: Determines the SSL version and encryption algorithms to be used for the communication; sends ServerHello message (Session ID) and Certificate message (local certificate)
3) Server: Sends a ServerHelloDone message
4) Client: Verifies the digital certificate; generates a random premaster secret (encrypted with server's public key) and sends ClientKeyExchange message with the premaster secret
5) Client: Sends a ChangeCipherSpec message and also sends Finished message (hash of handshake message)
6) Server: Hash value is calculated for the exchanged handshake messages and then compared to the hash value received from the client; if the two match, the key and cipher suite negotiation succeeds. Sends a ChangeCipherSpec message and also sends Finished message (hash of handshake message)
Internet Protocol Security (IPsec)

- Internet protocol security (IPsec) is a network layer protocol that ensures a secure IP level communication
- It provides end-to-end security at the internet layer of the internet protocol suite
- It encrypts and authenticates each IP packet in the communication
- It supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection

Diagram: two LANs using internal IP addresses, each behind a firewall with an external IP address, connected across the Internet by an IPsec tunnel between the two firewalls.

Module Summary
- This module has discussed the essentials of network security, the goal of network defense, and the information assurance (IA) principles
- It has discussed the benefits and challenges of network defense
- It also discussed the different types of network defense approaches and types of network security controls
- Finally, this module ended with a detailed discussion of various network security protocols
- In the next module, we will discuss identification, authentication, and authorization concepts in detail
