2-4 Protocols and Standards
2.16 Define the function of the following remote access protocols and services:
> RAS (Remote Access Service)
A service that provides remote networking for telecommuters, mobile workers, and system administrators who monitor and manage servers at multiple branch offices. Users with RAS can dial in to remotely access their networks for services such as file and printer sharing, electronic mail, scheduling, and SQL database access.
> PPP (Point-to-Point Protocol)
An industry-standard suite of protocols for using point-to-point links to transport multiprotocol datagrams.
Point-to-Point Protocol facilitates Internet connections over serial lines, including modem connections. PPP software requires only a destination address (usually a phone number for modem connections) and a user login in order to negotiate a complete configuration for each session.
PPP support enables computers to dial in to remote networks through any server that complies with the PPP standard. PPP also enables remote access clients to use any combination of IPX, TCP/IP, NetBEUI, and AppleTalk. Remote access clients running Windows NT and Windows 2000, Windows 98, and Windows 95 can use any combination of TCP/IP, IPX, and NetBEUI and programs written to the Windows Sockets, NetBIOS, or IPX interface. Microsoft remote access clients do not support the use of the AppleTalk protocol over a remote access connection.
PPP connection sequence
When you connect to a remote computer, PPP negotiation accomplishes the following:
- Framing rules are established between the remote computer and server. This allows continued communication (frame transfer) to occur.
- The remote access server then authenticates the remote user by using the PPP authentication protocols (MS-CHAP, EAP, CHAP, SPAP, PAP). The protocols that are invoked depend on the security configurations of the remote client and server.
- Once authenticated, if callback is enabled, the remote access server hangs up and calls the remote access client.
- The Network Control Protocols (NCPs) enable and configure the remote client for the desired LAN protocols.
> SLIP (Serial Line Internet Protocol)
An older industry standard that is included in the Windows remote access client to ensure interoperability with other remote access software.
> PPPoE (Point-to-Point Protocol over Ethernet)
A specification for connecting users on an Ethernet network to the Internet through a broadband connection, such as a single DSL line, wireless device, or cable modem. Using PPPoE and a broadband modem, LAN users can gain individual authenticated access to high-speed data networks. By combining Ethernet and Point-to-Point Protocol (PPP), PPPoE provides an efficient way to create a separate connection for each user to a remote server.
> PPTP (Point-to-Point Tunneling Protocol)
Networking technology that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks securely across the Internet or other networks by dialing into an Internet service provider (ISP) or by connecting directly to the Internet. The Point-to-Point Tunneling Protocol (PPTP) tunnels, or encapsulates, IP, IPX, or NetBEUI traffic inside of IP packets. This means that users can remotely run applications that are dependent upon particular network protocols.
> VPN (Virtual Private Network)
A remote LAN that can be accessed through the Internet by using PPTP (see above).
> RDP (Remote Desktop Protocol)
Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a computer running Microsoft Terminal Services. Clients exist for most versions of Windows (including handheld versions), and other operating systems such as Linux, FreeBSD, Solaris Operating System and Mac OS X. The server listens by default on TCP port 3389.
- Version 4.0 was introduced with Terminal Services in Windows NT 4.0 Server, Terminal Server Edition.
- Version 5.0, introduced with Windows 2000 Server, added support for a number of features, including printing to local printers, and aimed to improve network bandwidth usage.
- Version 5.1, introduced with Windows XP Professional, included support for 24-bit color and sound.
- Version 5.2, introduced with Windows Server 2003, included support for console mode connections, a session directory, and local resource mapping.
- Version 6.0, introduced with Windows Vista and Windows Server, includes a significant number of new features, most notably the ability to remotely access a single application instead of the entire desktop, and support for 32-bit color.
2.17 Identify the following security protocols and describe their purpose and function:
> IPSec (Internet Protocol Security)
IPsec is a set of protocols used to support the secure exchange of packets at the IP layer.
IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the data portion.
For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley, which allows the receiver to obtain a public key and authenticate the sender using digital certificates.
IPsec protocols operate at the network layer, layer 3 of the OSI model. Other Internet security protocols in widespread use, such as SSL and TLS, operate from the transport layer up (OSI layers 4 - 7). This makes IPsec more flexible, as it can be used to protect both TCP- and UDP-based protocols.
> L2TP (Layer 2 Tunneling Protocol)
Layer 2 Tunneling Protocol is a tunneling protocol used to support virtual private networks (VPNs). L2TP is an extension of PPP that enables ISPs to operate VPNs. L2TP combines the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems.
> SSL (Secure Sockets Layer)
Secure Sockets Layer is a protocol that supplies secure data communication through data encryption and decryption. SSL enables communications privacy over networks by using a combination of public key and bulk data encryption.
> WEP (Wired Equivalent Privacy)
Wired Equivalent Privacy is a scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks. Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping.
WEP was intended to provide comparable confidentiality to a traditional wired network and thus it does not protect users of the network from each other.
> WPA (Wi-Fi Protected Access)
A security protocol for wireless networks that builds on the basic foundations of WEP. It secures wireless data transmission by using a key similar to WEP, but the added strength of WPA is that the key changes dynamically. The changing key makes it much more difficult for a hacker to learn the key and gain access to the network.
WPA2 (Wi-Fi Protected Access 2) is the second generation of WPA security and provides a stronger encryption mechanism through the Advanced Encryption Standard (AES), which is a requirement for some government users.
> 802.11x
IEEE 802.11, also known by the brand name Wi-Fi, denotes a set of wireless LAN (WLAN) standards developed by working group 11 of the IEEE LAN/MAN Standards Committee (IEEE 802). The term 802.11x is also used to denote this set of standards and is not to be mistaken for any one of its elements. There is no single 802.11x standard.
| Protocol | Release Date | Op. Frequency | Data Rate (Typ) | Data Rate (Max) | Range (Indoor) | Range (Outdoor) |
|---|---|---|---|---|---|---|
| 802.11a | 1999 | 5.15-5.35/5.47-5.725/5.725-5.875 GHz | 25 Mbit/s | 54 Mbit/s | ~25 meters | ~75 meters |
| 802.11b | 1999 | 2.4-2.5 GHz | 6.5 Mbit/s | 11 Mbit/s | ~35 meters | ~100 meters |
| 802.11g | 2003 | 2.4-2.5 GHz | 25 Mbit/s | 54 Mbit/s | ~25 meters | ~75 meters |
| 802.11n | 2007 | 2.4 GHz or 5 GHz bands | 200 Mbit/s | 540 Mbit/s | ~50 meters | ~125 meters |
2.18 Identify authentication protocols:
> CHAP (Challenge Handshake Authentication Protocol)
Challenge Handshake Authentication Protocol is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is used by various vendors of network access servers and clients.
> MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
MS-CHAP is a nonreversible, encrypted password authentication protocol. The challenge handshake process works as follows:
- The remote access server or the IAS server sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.
- The remote access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password.
- The authenticator checks the response and, if valid, the user's credentials are authenticated.
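The three-step challenge/response above, written out as an added example (not from the study guide). It implements standard CHAP as defined in RFC 1994, where the response is MD5 over the identifier, the shared secret and the challenge, so it matches the MD5-based CHAP entry and the server/client steps listed for MS-CHAP; MS-CHAP's own Windows-specific hashing is not reproduced. The secret, peer name and challenge values are constructed for the example. The point a defender should take away is visible in the code: the shared secret never crosses the link, each challenge is random and single-use, and a response captured from one session is rejected when replayed against the next challenge.

```python
"""CHAP challenge/response per RFC 1994 (added example, not from the study guide)."""
import hashlib
import hmac
import os

# Constructed sample credentials for the example; not real values.
SHARED_SECRET = b"example-shared-secret"
PEER_NAME = b"remote-client-01"


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 2.2: response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Remote access server side: issues challenges and verifies responses."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self):
        # A fresh random challenge per attempt is what defeats replay of an old response.
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, name, response):
        challenge = self.outstanding.pop(identifier, None)   # each challenge is one-use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)       # constant-time comparison


class Peer:
    """Remote access client side: answers a challenge with name + MD5 response."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(server, peer):
    """One complete handshake: challenge -> response -> success/failure."""
    ident, chal = server.challenge()
    name, resp = peer.respond(ident, chal)
    return server.verify(ident, name, resp)


def replay_is_rejected(server, peer):
    """Capture a valid response, then reuse it against the next challenge."""
    ident, chal = server.challenge()
    name, resp = peer.respond(ident, chal)
    if not server.verify(ident, name, resp):
        raise RuntimeError("genuine response should verify")
    ident2, _chal2 = server.challenge()
    # Same name and same captured response, but the challenge has changed.
    return not server.verify(ident2, name, resp)


if __name__ == "__main__":
    server = Authenticator({PEER_NAME: SHARED_SECRET})
    print("valid peer:", run_exchange(server, Peer(PEER_NAME, SHARED_SECRET)))
    print("wrong secret:", run_exchange(server, Peer(PEER_NAME, b"wrong")))
    print("replay rejected:", replay_is_rejected(server, Peer(PEER_NAME, SHARED_SECRET)))
```

Compare this with PAP below, where the same authentication decision would be made on a password sent in the clear; CHAP's random, single-use challenge is the only thing separating the two, which is why a server configured to fall back to PAP loses that protection.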
> PAP (Password Authentication Protocol)
Password Authentication Protocol uses plaintext passwords and is the least sophisticated authentication protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation.
> RADIUS (Remote Authentication Dial-In User Service)
RADIUS is an AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations.
Some ISPs (commonly modem, DSL, or wireless 802.11 services) require you to enter a username and password in order to connect to the Internet. Before access to the network is granted, this information is passed to a Network Access Server (NAS) device over the Point-to-Point Protocol (PPP), then to a RADIUS server over the RADIUS protocol. The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. If accepted, the server will then authorize access to the ISP system and select an IP address.
RADIUS is also widely used by VoIP service providers.
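The NAS-to-RADIUS leg described above, as an added example that is not part of the study guide. It builds an Access-Request packet and answers it with an Access-Accept or Access-Reject following the RFC 2865 packet format: the User-Password attribute is hidden by XORing it with MD5(shared secret + previous block), and the reply carries a Response Authenticator that the NAS recomputes before trusting the verdict. The shared secret, user database and attribute values are constructed for the example; a real deployment would use a RADIUS library, and the Message-Authenticator attribute (RFC 2869) is not included here.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed values for the example; a real deployment has its own secret and user store.
SHARED_SECRET = b"nas-to-radius-secret"
USER_DB = {b"alice": b"correct-horse"}


def _attr(atype, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for k in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[k:k + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; strips the zero padding (assumes no trailing NULs)."""
    out, prev = b"", request_auth
    for k in range(0, len(hidden), 16):
        block = hidden[k:k + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """NAS side: random Request Authenticator plus User-Name and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def handle_request(packet, secret, user_db):
    """Server side: recover the password, check it, and answer with a signed reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME)
    hidden = attrs.get(ATTR_USER_PASSWORD)
    ok = False
    if user in user_db and hidden is not None:
        ok = hmac.compare_digest(reveal_password(hidden, secret, request_auth), user_db[user])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""   # an Access-Accept would normally carry Framed-IP-Address etc.
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_reply(reply, request_auth, secret):
    """NAS side: accept the reply only if its Response Authenticator matches."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB):
    """Full NAS <-> RADIUS round trip; True only on a verified Access-Accept."""
    request, request_auth = build_access_request(7, username, password, secret)
    reply = handle_request(request, secret, user_db)
    if not verify_reply(reply, request_auth, secret):
        return False          # reply was not produced with our shared secret
    return reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice/correct:", authenticate(b"alice", b"correct-horse"))
    print("alice/wrong:", authenticate(b"alice", b"wrong"))
```

Two properties of the protocol fall out of the code: the password hiding depends entirely on the strength of the shared secret and the randomness of the Request Authenticator, and without checking the Response Authenticator a NAS would accept any packet with code 2 that carried the right identifier.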
> Kerberos and EAP (Extensible Authentication Protocol)
Kerberos is an authentication system designed to enable two parties to exchange private information across an open network. It works by assigning a unique key, called a ticket, to each user who logs on to the network. The ticket is then embedded in messages to identify the sender of the message.
Extensible Authentication Protocol, or EAP, is a universal authentication framework frequently used in wireless networks and point-to-point connections. Although EAP is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs. Recently, the WPA and WPA2 standards have officially adopted five EAP types as their official authentication mechanisms.