site_logo

previous next


  1. A+ Core 1 Practice Tests
  2. A+ Core 2 Practice Tests
  3. Network+ Practice Tests
  4. Security+ Practice Tests

Network Security : Wireless Security Measures, Network Access Security, Methods Of User Authentication

5. Network Security

5.1 Given a scenario, implement appropriate wireless security measures.

WEP (Wired Equivalent Privacy) : A deprecated wireless network security standard, less secure than WPA. Key size is 64 bit. WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. However, it has been found that WEP is not very secure. WEP is used at the two lowest layers of the OSI model - the data link and physical layers; it therefore does not offer end-to-end security.

WPA (Wi-Fi Protected Access) : A wireless encryption standard created by the Wi-Fi Alliance to secure wireless computer networks. WPA improves on the authentication and encryption features of WEP (Wired Equivalent Privacy). Key size is 128 bits. WPA provides stronger encryption than WEP through use of either of two standard technologies: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). WPA also includes built-in authentication support that WEP does not offer. WPA provides comparable security to VPN tunneling with WEP, with the benefit of easier administration and use.

WPA2 (Wi-Fi Protected Access Version 2) : It is wireless encryption protocol and is based on the IEEE 802.11i technology standard for data encryption. Key size is 256 bits. It is more secure than WPA and WEP. WPA2 also improves the security of Wi-Fi connections by requiring use of stronger wireless encryption than what WPA requires. Specifically, WPA2 does not allow use of an algorithm called TKIP (Temporal Key Integrity Protocol) that has known security holes (limitations) in the original WPA implementation. There are two versions of WPA2: WPA2-Personal, and WPA2-Enterprise. WPA2-Personal protects unauthorized network access by utilizing a set-up password. WPA2-Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.

MAC Filtering : Every Wi-Fi device is assigned a MAC (Media Access Control) address, a unique 12-digit hexadecimal identifier issued by the IEEE, the standards body that developed the Wi-Fi protocol. The MAC address is "hard-coded" in to the device and sent automatically to a Wi-Fi access point when the device tries to connect to the network.

Using the access point configuration software, you can create a safe list of allowed client devices or a black list of banned devices. If MAC filtering is activated, regardless of what encryption security is in place, the AP only allows devices on the safe list to connect, or blocks all devices on the black list - irrespective of encryption used.

Encryption protocols like WPA2 (Wi-Fi Protected Access 2), reduced the necessity for using MAC filtering. Hackers may break in to MAC filtering device by sniffing addresses of connected devices and then spoofing or masquerading as one of them.

To enable MAC address filtering and to allow the devices with matching MAC addresses, perform these steps (these steps are generic in nature, and likely to change from one device type to another):

  • Step 1: Access the router's web-based setup page.

  • Step 2: When the router's web-based setup page appears, click Wireless, look for MAC address filtering tab.

  • Step 3: Enter the MAC addresses of the devices that are allowed to use the wireless network in the table provided.

  • Step 3: Click on Save Settings

5.2 Explain the methods of network access security.

  • VPN stands for Virtual Private Network. A VPN provides a mechanism to access corporate networks safely using Internet. VPN uses encryption to ensure only authorized user can access the corporate resources. A secure tunnel is created through the public network through which the packets are transported between the remote computer and the corporate network. Vit is used for accessing a corporate network securely from remote locations using public Internet. There are two widely known protocols that can be implemented for enabling VPN communications:

    1. PPTP: PPTP stands for Point to Point Tunneling Protocol. It is a PPTP is pioneered by Microsoft and others is a widely used protocol.

    2. L2TP: L2TP stands for Layer Two (2) Tunneling Protocol. L2TP merges the best features of PPTP and L2F (from Cisco Systems).

    PPTP and L2TP protocols together with PPP protocol enable ISPs to operate Virtual Private Networks (VPNs).

  • PGP is used primarily for securing email communications.

  • IPSEC stands for IP SECurity. The protocol is developed by IETF and supports secure exchange of packets at IP layer. When using IPSEC, the sending and receiving devices share a public key. IPSEC is the most widely used protocol in Virtual Private Networks (VPNs).

  • ISAKMP (Short for Internet Security Association and Key Management Protocol) defines payloads for exchanging key generation and authentication data.

  • SSH (Secure Shell): It is a protocol that can create a secure channel between two computers or network devices, enabling one computer or device to remotely control the other. It is commonly used on Linux and Unix systems, and nowadays also has widespread use on Windows clients. It uses public key cryptography to authenticate remote computers. One computer (the one to be controlled) runs the SSH daemon, while the other computer runs the SSH client and makes secure connections to the first computer (which is known as a server), as long as a certificate can be obtained and validated.

5.3 Explain methods of user authentication.

  • EAP (Extensible Authentication Protocol) :It is a framework for transporting authentication protocols. EAP defines the format of the messages. It uses four types of packets : request, response, success and failure. Request packets are issued by authenticator and ask for response packet from supplicant. If authentication is successful, a success packet is sent to the supplicant is not a failure packet is sent.

  • Public Key Infrastructure (PKI): It is a framework for all of the entities involved in digital certificates-including hardware, software, people, policies, and procedures to create, store, distribute, and revoke digital certificates. PKI is essentially digital certificate management.

  • Kerberos: Kerberos is basically an authentication protocol that uses secret-key cryptography for secure authentication. In Kerberos, all authentication takes place between clients and servers. The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades. It was developed by the Massachusetts Institute of Technology, USA Kerberos require that the time sources are approximately in synchronization (with in 5 minutes) with each other. However, with recent revisions of Kerberos software, this rule has become flexible. Some of the features of Kerberos authentication system:

    • Uses client-server based architecture.

    • Kerberos server, referred to as KDC (Key Distribution Ceter) implements the Authentication Service (AS) and the Ticket Granting Service (TGS).

    • The term "application server" generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication purpose. For example, the Kerberos telnet daemon (telnetd) is an example of an application server.

  • When the user wants to talk to a Kerberized service, he uses the TGT to talk to the Ticket Granting Service (TGS, also runs on the KDC). The TGS verifies the user's identity using the TGT and issues a ticket for the desired service. The TGT ensures that a user doesn't have to enter in their password every time they wish to connect to a Kerberized service. The TGT usually expires after eight hours. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as a user until the ticket expires. The following are the important properties of Kerberos:

    • It uses symmetric encryption

    • Tickets are time stamped

    • Passwords are not sent over the network

  • Remote Authentication Dial-In User Service (RADIUS): It provides centralized administration of dial-up, VPN, and wireless authentication and can be used with EAP and 802.1X.

  • Terminal Access Controller Access-Control System (TACACS ): It is remote authentication protocol used more often in UNIX networks. In UNIX, the TACACS service is known as the TACACS daemon. The newer and more commonly used implementation of TACACS is called TACACS+. It is not backward compatible with TACACS. TACACS+, and its predecessor XTACACS, were developed by Cisco. TACACS+ uses inbound port 49. TACACS and XTACACS are not commonly seen anymore. The two common protocols used today are RADIUS and TACACS+.

  • CHAP: It is an authentication type that uses three-way handshake. The passwords are transmitted in encrypted form ensuring security. Compare this with PAP, which transmits passwords in clear text. It uses a three step process for authentication (excluding making the connection itself). If making the connection is also involved, it would be a 4 step process.

  • Multifactor authentication: Here two or more number of authentication methods are used for granting access to a resource. Usually, it combines a password with that of a biometric authentication.

previous next



simulationexams.com ad


certexams.com ad

Disclaimer:TutorialsWeb.com is neither associated nor affiliated with CompTIA® or any other company. A+, Network+, Security+, Server+ are trademarks of CompTIA® organization and duly acknowledged. The Cram Notes material is a copyright of TutorialsWeb.com and the same is not approved or endorsed by respective certifying bodies.