based computing that takes place over the Internet, basically a step on from Utility Computing.

Similar documents
CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security

Configuring L2TP over IPsec

Review on protocols of Virtual Private Network

Virtual Private Networks (VPNs)

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Virtual Private Networks

(2½ hours) Total Marks: 75

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Wireless LAN Security. Gabriel Clothier

Virtual Private Networks.

Sample excerpt. Virtual Private Networks. Contents

Network Security and Cryptography. 2 September Marking Scheme

Network Security and Cryptography. December Sample Exam Marking Scheme

Chapter 10 Security Protocols of the Data Link Layer

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

Network Access Flows APPENDIXB

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

PPP Configuration Options

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Virtual Private Network

Firewalls, Tunnels, and Network Intrusion Detection

Network Security. Chapter 11 Security Protocols of the Data Link Layer. Scope of Link Layer Security Protocols

HP Instant Support Enterprise Edition (ISEE) Security overview

Overview. SSL Cryptography Overview CHAPTER 1

Cryptography and Network Security. Sixth Edition by William Stallings

Analysis of VPN Protocols

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

CSC 6575: Internet Security Fall 2017

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Authentication. Chapter 2

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Cisco How Virtual Private Networks Work

Cryptography and Network Security

Service Managed Gateway TM. Configuring IPSec VPN

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Virtual Private Networks

Hardware Management Console External Connectivity Security for IBM POWER5 Processor-based Systems

Data Sheet. NCP Secure Enterprise Linux Client. Next Generation Network Access Technology

Transport Level Security

Creating VPN s with IPsec

IPsec NAT Transparency

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

VPNS BY RICK FREY.

KALASALINGAM UNIVERSITY

Radius, LDAP, Radius used in Authenticating Users

Network Security. Chapter 10 Security Protocols of the Data Link Layer

Indicate whether the statement is true or false.

VPN Virtual Private Networks

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP)

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Diameter NASREQ Application. Status of this Memo. This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Chapter 8. User Authentication

Network Security. Rev 1.0.

Configuring Client-Initiated Dial-In VPDN Tunneling

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

CSCE 715: Network Systems Security

VPN Overview. VPN Types

Security in IEEE Networks

CSE509: (Intro to) Systems Security

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

14. Internet Security (J. Kurose)

Most Common Security Threats (cont.)

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Lecture 13 Page 1. Lecture 13 Page 3

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

CLIENT SERVER SYNERGY USING VPN

CSC 4900 Computer Networks: Security Protocols (2)

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Virtual private networks

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

isco Cisco PPPoE Baseline Architecture for the Cisco UAC

Distributed Systems. Lecture 14: Security. 5 March,

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

Securing Remote Access

CYBER SECURITY MADE SIMPLE

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Cisco PPPoE Baseline Architecture for the Cisco UAC 6400

Configuring Security for VPNs with IPsec

TSIN02 - Internetworking

Lecture 12 Page 1. Lecture 12 Page 3

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

QNAP VPN (Virtual Private Network) Secure network experience

Networking interview questions

Transcription:

REVIEW OF LITERATURE Joseph Davies & Elliot Lewis (2003) In this paper Cloud Computing is a general term used to describe a new class of network based computing that takes place over the Internet, basically a step on from Utility Computing. In other words, this is a collection/group of integrated and networked hardware, software and Internet infrastructure (called a platform). Cloud computing is an umbrella term used to refer to Internet based development and services. A cloud client consists of computer hardware and/or computer software that relies on cloud computing for application delivery. William Stallings (2005) This paper is to be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when at rest and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider. PLUMMER, D.C. (2005) In this paper Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures (application-level firewalls) be in place in the production environment.finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its

entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud. Charles P. Pfleeger (2006) In this paper a VPN is the extension of a private network that encompasses links across shared or public networks such as the Internet. A VPN enables us to send data between two computers across a shared or public inter network in a manner that emulates the properties of a point-to-point private link. In essence, it makes the remote computer virtually part of the private network by making an encrypted tunnel through the public Internet. The act of configuring and creating a VPN is known as virtual private networking. MEI and L.CHAN (2008) This paper describes tunneling is a method of using an intermediate network infrastructure to transfer data for one network over another network while maintaining privacy and control over the original data. The data to be transferred (the payload) can be the frames (or packets) of another protocol. Instead of sending a frame as the originating node produces it, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate network. SUN, W., ZHANG, K., CHEN, S.-K., ZHANG, X. and LIANG (2007) In this paper PPTP and L2TP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames, and then transmits the PPP-encapsulated

packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a NAS. There are four distinct phases of negotiation in a PPP connection. Each of these four phases must complete successfully before the PPP connection is ready to transfer user data. HARMER, T., WRIGHT, P., CUNNINGHAM, C. and PERROTT, R. (2007) In this paper PPP uses the Link Control Protocol (LCP) to establish, maintain, and terminate the logical point-to-point connection. During Phase 1, basic communication options are selected. For example, authentication protocols are selected, but they are not actually implemented until the user authentication phase (Phase 2). Similarly, during Phase 1, a decision is made as to whether the two peers will negotiate the use of compression and/or encryption. The actual choice of compression and encryption algorithms and other details occurs during Phase 4. In the second phase, the client computer sends the user s qualifications to the remote access server. A secure authentication scheme provides protection against repeat attacks and remote client impression. A replay attack occurs when a third party monitors a successful connection and uses captured packets to play back the remote client s response so that it can gain an authenticated connection. During Phase 2 of PPP link configuration, the NAS collects the authentication data and then validates the data against its own user database or a central authentication database server, such as one maintained by a Windows domain controller, or the authentication data is sent to a RADIUS server.

Once the previous phases have been completed, PPP invokes the various network control protocols (NCPs) that were selected during the link-establishment phase (Phase 1) to configure protocols used by the remote client. For example, during this phase, IPCP is used to assign a dynamic address to the PPP client. Once the four phases of PPP negotiation have been completed, PPP begins to forward data across the tunnel. Each transmitted data packet is wrapped in a PPP header that is removed by the receiving system when it reaches the far destination. If data compression was selected in Phase 1 and negotiated in Phase 4, data is compressed before transmission. If data encryption is selected and negotiated, data is encrypted before transmission. If both encryption and compression are negotiated, the data is compressed first and then encrypted. De-encryption and decompression occur once the packets reach the far end of the tunnel. BERNSTEIN, D., LUDVIGSON, E., SANKAR, K., DIAMOND, S. and MORROW (2007) This paper PPTP encapsulates PPP frames in IP datagrams for transmission over an IP inter network, such as the Internet. PPTP can be used for remote access and site-to-site VPN connections. PPTP uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted, compressed, or both. OHLMAN, B., ERIKSSON, A. and REMBARZ (2008) In this paper L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F. L2TP encapsulates PPP frames to be sent over IP, X.25, frame relay, or ATM networks. When

configured to use IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet. L2TP is documented in RFC 2661. J. Appavoo, V. Uhlig, and A. Waterland (2008) This paper describes Security credentials take the form of either a user name and password or a certificate. If we use the proper authentication security protocol, we can ensure that the confidential portions of the credentials (such as the password or the private key for a certificate) are never sent. Rather, the connecting VPN client provides proof of knowledge of the confidential credentials. LIM, H., BABU, S., CHASE, J. and PAREKH (2009) In this paper authorization security ensures that the VPN client is allowed to make a VPN connection, and can provide a set of connection constraints such as maximum connection time, idle timeout, required authentication method, and so on. This allows for administrators to add extra security to remote-based users. Before the data between a VPN client and VPN server is sent over the VPN connection, it is encrypted using an encryption algorithm and a secret key, which is known only to the VPN client and VPN server. BITTMAN, T.J., AUSTIN, T. (2009) In this paper encryption provides data confidentiality; even if a copy of the packet is captured, it is not readable (except for the IP header) without the knowledge of the secret key. When using PPTP, the encryption is done with a password-based hash algorithm. When using L2TP/IPSec, certificates are used to set up an IPSec encrypted tunnel that all authentication and

authorization processes can take place in. This is one of the advantages to using L2TP/IPSec the entire transaction even before authentication happens occurs in an encrypted state. CEARLEY, D.W., and SMITH D.M. (2009) In this paper when we connect a VPN server to the Internet, the server and your private intranet are now exposed to attack. An Internet based attacker can try to attack the VPN server by flooding it with various types of packets or try to access your intranet by using your VPN server as a router. To combat both of types of attacks, the Internet interface of the VPN server is configured with a series of IP packet filters that only allow VPN traffic. This is different than the internal IP filters that apply to a user s authentication this process makes sure that only authorized conversations will be accepted by the VPN server. This will ensure that Denial-of- Service attacks and internet hacks cannot affect operations. DODDA, R., SMITH, C., and MOORSEL (2009) In this paper user authentication for both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) connections is based on Point-to-Point Protocol (PPP) authentication protocols. Windows Server 2003 and Windows XP support the following PPP authentication protocols: PAP is a simple, clear-text authentication scheme. The NAS requests the user name and password, and PAP returns them in clear text (unencrypted). Obviously, this authentication scheme is not secure because a third party could capture the user s name and password and use it to get subsequent access to the NAS and all of the resources provided by the NAS. PAP provides no protection against replay attacks or remote client impersonation once the user s password is compromised.

GROSSMAN, R. L. (2009) This paper explains that CHAP is an encrypted authentication mechanism that avoids transmission of the actual password on the connection. The NAS sends a challenge, which consists of a session ID and an arbitrary challenge string, to the remote client. The remote client must use the MD5 one-way hashing algorithm to return the user name and a hash of the challenge, session ID, and the client s password. The user name is sent as plain text. CHAP is an improvement over PAP because the clear-text password is not sent over the link. Instead, the password is used to create a hash from the original challenge. SONG, S., RYU, K. and DA SILVA, (2009) According to this paper EAP is a new PPP authentication protocol that allows for an arbitrary authentication method such as smart cards, token cards, or biometrics such as fingerprint scanners or retinal scanners. EAP is an IETF standard extension to PPP that allows for arbitrary authentication mechanisms for the validation of a PPP connection. EAP was designed to allow the dynamic addition of authentication plug-in modules at both the client and server ends of a connection. This allows vendors to supply a new authentication scheme at any time. EAP provides the highest flexibility in authentication uniqueness and variation. KHAJEH-HOSSEINI, A., SOMMERVILLE, I. and SRIRAM (2010) In this paper encryption for PPTP connections is based on the use of MPPE (Microsoft Point to Point Encryption), we must use an authentication protocol that generates MPPE keys as part of the authentication process: MS-CHAP, MS-CHAP v2, or EAP-TLS. The MPPE key is generated using the password in the MS-CHAP algorithms therefore if you are using PPTP it is highly recommended that you apply strong password policies for the users. In the case of

EAP-TLS, the user certificates can be used. EAP-TLS using smart cards or MS-CHAP v2 is highly recommended as they provide mutual authentication and are the most secure methods of exchanging credentials. VISHWANATH, K., GREENBERG, A. and REED (2010) In this paper authentication for L2TP/IPSec connections occurs at two different levels: the computer is authenticated, and then the user is authenticated. This allows for the IPSec tunnel to be established prior to the authentication phase of the connection being made, thus allowing for all communications to happen in an encrypted state. John W. Rittinghouse & James F. Ransome (2010) In this paper authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication. For a connection attempt to be accepted, the connection attempt must be both authenticated and authorized. It is possible for the connection attempt to be authenticated by using valid credentials, but not authorized. Usually this is because the Active Directory group that the individual belongs to does not have the right to VPN access of the network. Examples of this can be contractors or part-time employees who should not be accessing information unless they are being monitored by full-time employees. Another example can be with internal implementations for VPN where only members of Human Resources can access information on the protected network. In this case, the connection attempt is denied. In the Windows Server 2003 family, authorization of VPN connections is determined by the dial-in properties on the user account and remote access policies. Judith Hurwitz, Robin Bloor, Marcia Kaufman and Dr. Fern Halper (2011)

In this paper symmetric, or private-key, encryption (also known as conventional encryption) is based on a secret key that is shared by both communicating parties. The sending party uses the secret key as part of the mathematical operation to encrypt (or encipher) plain text to cipher text. The receiving party uses the same secret key to decrypt (or decipher) the cipher text to plain text. Examples of symmetric encryption schemes are the RSA RC4 algorithm, which provides the basis for MPPE, and DES, which is used for IPSec encryption. MATHEW, R. and SPRAETZ (2011) According to this paper with symmetric encryption, both sender and receiver have a shared secret key. The distribution of the secret key must occur (with adequate protection) prior to any encrypted communication. With asymmetric encryption, the sender uses a private key to encrypt or digitally sign messages, while the receiver uses a public key to decipher these messages. The public key can be freely distributed to anyone who needs to receive the encrypted or digitally signed messages. The sender needs to carefully protect the private key only. EAP-TLS is an IETF standard (RFC 2716) for a strong authentication method based on public-key certificates. With EAP-TLS, a client presents a user certificate to the dial-in server, and the server presents a server certificate to the client. The first provides strong user authentication to the server; the second provides assurance that the user has reached the server that he or she expected. Both systems rely on a chain of trusted authorities to verify the validity of the offered certificate. The remote access account lockout feature is used to specify how many times a remote access authentication fails against a valid user account before the user is denied remote access. Remote access account lockout is especially important for remote access VPN connections over

the Internet. Malicious users on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. H. AbdelSalam, K. Maly, R. Mukkamala, M. Zubair, and D. Kaminsky (2011) In this paper the user has access to the network via VPN, that does not mean that the user should have access to every resource on the network while accessing from an unsecured location. Remote access policies that define authorization and connection constraints can be used to specify a set of IP packet filters that are applied per user or group to remote access connections. When the connection is accepted, the packet filters define the types of IP traffic that are allowed from and to the VPN client. This feature can be used for extranet connections.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback