At what level of the OSI model does IPSec work?
IPSec operates at the network layer of the Open Systems Interconnection (OSI) model and provides security for protocols that operate at the higher layers. Thus, by using IPSec, you can secure practically all TCP/IP-related communications.
Site-to-site
In a site-to-site implementation, as the name implies, whole networks are connected together. An example of this would be divisions of a large company. Because the networks are supporting the VPN, each gateway does the work and the individual clients do not need to have any VPN client software.
Client-to-site
In a client-to-site scenario, individual clients (such as telecommuters or travelers) connect to the network remotely. Because the individual client makes a direct connection to the network, each client doing so must have VPN client software installed.
Access control describes the mechanisms used to filter network traffic to determine who is and who is not allowed to access the network and network resources. Firewalls, proxy servers, routers, and individual computers all can maintain access control to some degree.
Types of scope of tunnels?
Site-to-site and client-to-site, which are also the two types of VPNs.
What kind of networks can IPSec be used in?
Mandatory Access Control (MAC)
Mandatory access control (MAC) is the most secure form of access control. In systems configured to use mandatory access control, administrators dictate who can access and modify data, systems, and resources. MAC systems are commonly used in military installations, financial institutions, and, because of new privacy laws, medical institutions.
Discretionary Access Control (DAC)
Discretionary access control (DAC) is not enforced by the administrator or operating system. Instead, access is controlled by an object's owner. For example, if a secretary creates a folder, he decides who will have access to that folder. This access is configured using permissions and an access control list. DAC uses an access control list (ACL) to determine access. The ACL is a table that informs the operating system of the rights each user has to a particular system object, such as a file, directory, or printer. Each object has a security attribute that identifies its ACL. The list has an entry for each system user with access privileges. The most common privileges include the ability to read a file (or all the files in a directory), to write to the file or files, and to execute the file (if it is an executable file or program). Microsoft Windows Server/7/Vista/XP, Linux, UNIX, and Mac OS X are among the operating systems that use ACLs. The list is implemented differently by each operating system.
Rule-Based Access Control (RBAC)
Rule-based access control controls access to objects according to established rules. The configuration and security settings established on a router or firewall are a good example. In a practical application, rule-based access control is a variation on MAC. Administrators typically configure the firewall or other device to allow or deny access. The owner or another user does not specify the conditions of acceptance, and safeguards ensure that an average user cannot change settings on the devices.
Role-Based Access Control (RoBAC)
In role-based access control (RoBAC), access decisions are determined by the roles that individual users have within the organization. Role-based access requires the administrator to have a thorough understanding of how a particular organization operates, the number of users, and each user's exact function in that organization. Because access rights are grouped by role name, the use of resources is restricted to individuals who are authorized to assume the associated role.
What is the concept of least privilege?
You may be asked about the concept of least privilege. This refers to assigning network users the privilege level necessary to do the job associated with their role: nothing more and nothing less.
What is RAS?
Remote Access Service
What does RAS do?
RAS is a remote-access solution included with Windows Server products. RAS is a feature-rich, easy-to-configure, easy-to-use method of configuring remote access.
Does RAS only work with dial-up?
Connection to a RAS server can be made over a standard phone line using a modem, over a network, or via an ISDN connection, and it supports connectivity from all major OSs.
What protocols enable RAS?
Dial-up protocols such as PPP
PPP is the standard remote-access protocol in use today. PPP is actually a family of protocols that work together to provide connection services. Because PPP is an industry standard, it offers interoperability between different software vendors in various remote-access implementations. PPP provides a number of security enhancements compared to regular SLIP, the most important being the encryption of usernames and passwords during the authentication process. PPP enables remote clients and servers to negotiate data encryption methods and authentication methods and to support new technologies. PPP even enables administrators to choose which LAN protocol to use over a remote link.
What are some PPP authentication protocols?
CHAP, MS-CHAP, MS-CHAP v2, EAP, and PAP
What is PPPoE?
Point-to-Point Protocol over Ethernet (PPPoE) is a protocol used to connect multiple network users on an Ethernet local area network to a remote site through a common device. For example, using PPPoE, you can have all users on a network share the same link, such as a DSL, cable modem, or wireless connection to the Internet. PPPoE is a combination of PPP and the Ethernet protocol, which supports multiple users in a local area network (hence the name). The PPP information is encapsulated within an Ethernet frame. With PPPoE, a number of different users can share the same physical connection to the Internet. In the process, PPPoE provides a way to keep track of individual user Internet access times. Because PPPoE allows for individual authenticated access to high-speed data networks, it is an efficient way to create a separate connection to a remote server for each user. This strategy enables Internet service providers (ISPs) or administrators to bill or track access on a per-user basis rather than a per-site basis.
What are the PPPoE communication processes?
The PPPoE communication process has two stages: the discovery stage and the PPP session stage. The discovery stage uses four steps to establish the PPPoE connection: initiation, offer, request, and session confirmation. These steps represent back-and-forth communication between the client and the PPPoE server. After these steps have been negotiated, the PPP session can be established using familiar PPP authentication protocols.
Network Access Control
Network Access Control (NAC) is a method to restrict access to the network based on identity or posture (discussed later in this chapter). This was created by Cisco to enforce privileges and make decisions on a client device based on information gathered from it (such as the vendor and version of the antivirus software running).
A posture assessment is any evaluation of a system's security based on the settings and applications found on it. In addition to looking at such values as settings in the Registry or dates of files, NACs can also check 802.1X values. 802.1X is the group of networking protocols associated with authentication of devices attempting to connect to the network, and it works with EAP (discussed later in this chapter).
Citrix ICA enables clients to access and run applications on a server, using the server's resources. Only the user interface, keystrokes, and mouse movements transfer between the client system and the server. In effect, even though you work at the remote computer, the system functions as if you were actually sitting at the computer itself. As with Terminal Services and RDP, ICA is an example of thin client computing.
Filtering network traffic using a system's MAC address typically is done using an ACL. When configuring security for wireless networks, filtering by MAC address is a common practice. Typically, in MAC filtering security, MAC addresses can be added to an allow ACL or a deny ACL.
The ACL determines what types of IP traffic will be let through the router. IP traffic that is not permitted according to the ACL is blocked. Depending on the type of IP filtering used, the ACL can be configured to allow or deny several types of IP traffic: TCP, UDP, ICMP, SNMP, IP, port number, message source address, and message destination address.
Which of the following protocols is used in thin-client computing?
A. RDP B. PPP C. PPTP D. RAS
Which of the following statements best describes the function of PPP?
C. PPP is a protocol that can be used for dial-up connections over serial links. Answer A describes SSL, answer C describes a VPN, and answer D describes PKI.
Your company wants to create a secure tunnel between two networks over the Internet. Which of the following protocols would you use to do this?
B. To establish the VPN connection between the two networks, you can use PPTP. PAP and CHAP are not used to create a point-to-point tunnel; they are authentication protocols. SLAP is not a secure dial-up protocol.
Because of a recent security breach, you have been asked to design a security strategy that will allow data to travel encrypted through both the Internet and intranet. Which of the following protocols would you use?
A. IPSec B. SST C. CHAP D. FTP