Communication Security and Countermeasures. Slide 6. Course: Keamanan Jaringan (Network Security). Lecturer: Setio Basuki
Course Objectives
- Virtual Private Network (VPN).
- Network Address Translation (NAT).
- Switching Technologies.
- WAN Technologies.
- Network Attacks and Countermeasures.
Virtual Private Network (VPN)
- A communication tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary untrusted network.
- Most VPNs use encryption to protect the encapsulated traffic, so the untrusted network carries only the outer packets.
- VPNs can link clients, servers, routers, firewalls, and switches.
Tunneling
- Tunneling is the network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol.
- The encapsulation is what creates the logical illusion of a communications tunnel over the untrusted network.
- This virtual path exists between the encapsulation and de-encapsulation entities located at the two ends of the communication.
Tunneling (Cont.)
- Sending a letter to your grandmother already involves a tunneling system: you write the personal letter (the primary content protocol packet) and place it in an envelope (the tunneling protocol). The envelope is delivered through the postal service (the untrusted intermediary network) to its intended recipient, who opens it (de-encapsulation) to read the letter.
Tunneling Drawbacks
- Tunneling is an inefficient means of communicating:
- Most protocols include their own error detection, error handling, acknowledgment, and session management features, so using more than one protocol at a time compounds the overhead required to communicate a single message.
- Tunneling creates either larger packets or additional packets, which in turn consume additional network bandwidth.
Implementing VPN
- Point-to-Point Tunneling Protocol (PPTP) creates a point-to-point tunnel between two systems and encapsulates PPP packets.
- Caveat: PPTP's own authentication and encryption (MS-CHAPv2 and MPPE) have known weaknesses and it is no longer considered secure for new deployments.
- Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F (Layer 2 Forwarding).
- IP Security (IPSec) is both a stand-alone VPN protocol and the security mechanism for L2TP, and it can be used only for IP traffic.
- IPSec has two primary components, or functions:
  - Authentication Header (AH): integrity and origin authentication of the packet, with no confidentiality.
  - Encapsulating Security Payload (ESP): confidentiality by encrypting the payload, optionally with integrity and authentication as well.
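The following is an added worked example, not code from the course slides, that ties the tunneling, tunneling-drawback and AH/ESP slides together. It builds an inner packet (the "letter"), wraps it in an outer gateway-to-gateway packet (the "envelope") in two modes, and measures the per-packet overhead the drawback slide talks about. The header layouts, the 16-byte truncated HMAC tag and the HMAC-SHA256 counter-mode keystream are assumptions chosen to keep the example in the standard library; real ESP uses a cipher such as AES-GCM, and real AH also covers the immutable fields of the outer IP header.

```python
"""Toy tunnel in the style of IPsec tunnel mode, with AH-like and ESP-like modes.
Added illustration for the slides, not code from the course. Header layouts, the
16-byte tag and the HMAC-based keystream are simplifications (assumptions)."""
import hashlib
import hmac
import os
import struct

# Constructed inner ("letter") header: 4-byte src, 4-byte dst, 2-byte payload length.
INNER_HDR = struct.Struct("!4s4sH")
# Constructed outer ("envelope") header: gateway src/dst, 4-byte SPI, 4-byte sequence.
OUTER_HDR = struct.Struct("!4s4sII")
TAG_LEN = 16     # truncated HMAC-SHA256, mirroring IPsec's 128-bit ICV (assumption)
NONCE_LEN = 8    # per-packet nonce for the ESP-like mode


def build_inner(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """The inner packet: the protocol being tunneled, carrying its own header."""
    return INNER_HDR.pack(src, dst, len(payload)) + payload


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 run in counter mode (not real ESP crypto)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner: bytes, gw_src: bytes, gw_dst: bytes, spi: int, seq: int,
                key: bytes, mode: str) -> bytes:
    """Wrap the inner packet in an outer packet addressed gateway-to-gateway.

    mode="ah":  outer header + inner packet in the clear + tag (integrity only).
    mode="esp": outer header + nonce + encrypted inner packet + tag
                (confidentiality plus integrity)."""
    outer = OUTER_HDR.pack(gw_src, gw_dst, spi, seq)
    if mode == "ah":
        body = inner
    elif mode == "esp":
        nonce = os.urandom(NONCE_LEN)
        body = nonce + _xor(inner, _keystream(key, nonce, len(inner)))
    else:
        raise ValueError("mode must be 'ah' or 'esp'")
    tag = hmac.new(key, outer + body, hashlib.sha256).digest()[:TAG_LEN]
    return outer + body + tag


def decapsulate(packet: bytes, key: bytes, mode: str):
    """Verify the tag, then unwrap. Returns ((gw_src, gw_dst, spi, seq), inner).
    Raises ValueError if the packet was altered in transit or the key is wrong."""
    outer, rest = packet[:OUTER_HDR.size], packet[OUTER_HDR.size:]
    body, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
    expected = hmac.new(key, outer + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    if mode == "esp":
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        inner = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    else:
        inner = body
    return OUTER_HDR.unpack(outer), inner


def overhead_bytes(mode: str) -> int:
    """The tunneling drawback in numbers: bytes added to every packet by the outer
    header, the nonce (ESP only) and the tag, on top of the inner protocol's own header."""
    return OUTER_HDR.size + (NONCE_LEN if mode == "esp" else 0) + TAG_LEN


if __name__ == "__main__":
    key = os.urandom(32)
    inner = build_inner(b"\x0a\x00\x00\x05", b"\x0a\x01\x00\x09", b"GET /payroll")
    for mode in ("ah", "esp"):
        pkt = encapsulate(inner, b"\xc0\xa8\x00\x01", b"\xc0\xa8\x64\x01", 0x100, 1, key, mode)
        visible = b"/payroll" in pkt   # what an eavesdropper on the untrusted network sees
        print(f"{mode}: {len(inner)} -> {len(pkt)} bytes (+{overhead_bytes(mode)}), "
              f"payload visible: {visible}")
        assert decapsulate(pkt, key, mode)[1] == inner
```

In AH mode the inner payload is readable on the wire, which is why the eavesdropping slide later recommends encryption (IPSec ESP or SSH) rather than integrity alone; in ESP mode the same packet shows nothing but the outer header and random-looking bytes, at the cost of 8 more bytes per packet.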
Network Address Translation (NAT)
- NAT is a mechanism for converting the internal IP addresses found in packet headers into public IP addresses for transmission over the Internet.
- NAT was developed to allow private networks to use any IP address set without causing collisions or conflicts with public Internet hosts that have the same IP addresses.
- NAT translates the IP addresses of your internal clients to leased addresses outside your environment.
- NAT offers numerous benefits:
  1. Connecting an entire network to the Internet using only a single (or just a few) leased public IP addresses.
  2. Using private IP addresses (RFC 1918) in a private network while still being able to communicate with the Internet.
  3. Protecting the network by hiding the IP addressing scheme and network topography from the Internet.
  4. Protection by restricting connections, so that only connections originating from the internal protected network are allowed back into the network from the Internet.
- Caveat: NAT is not a firewall. Benefit 4 comes only from the translation table having no entry for unsolicited inbound traffic; traffic that does match an entry is forwarded without inspection.
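An added worked example (not code from the course) of the NAT translation table behind benefits 1, 3 and 4 above: two inside hosts share one public address, the outside world sees only that address, and inbound packets are forwarded only when they answer a session an inside host started. The addresses, ports, and the policy of keying the table on the inside address and port are constructed assumptions; real NATs key on the full 5-tuple and time entries out.

```python
"""Toy NAT (port address translation) table. Added illustration for the slides,
not code from the course; addresses, ports and the translation policy are
constructed. Real NATs key their tables on the full 5-tuple and age entries out."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"   # the single leased public address (documentation range)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Nat:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (inside ip, inside port) -> public port handed out for it
    outbound: dict = field(default_factory=dict)
    # public port -> (inside ip, inside port, remote ip, remote port)
    inbound: dict = field(default_factory=dict)

    def translate_out(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the private source to the public address and a
        unique public port, remembering the mapping so the reply can be routed back."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt: Packet):
        """Internet -> inside: forward only traffic that answers an existing outbound
        session (benefit 4 on the slide). Returns the rewritten packet, or None to drop."""
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None                      # unsolicited: nobody inside asked for this
        in_ip, in_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # right port, wrong peer: also dropped
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


if __name__ == "__main__":
    nat = Nat()
    # Two inside hosts (RFC 1918 space) using the same source port reach the same server.
    a = nat.translate_out(Packet("192.168.1.10", 51000, "198.51.100.20", 443, b"hello"))
    b = nat.translate_out(Packet("192.168.1.11", 51000, "198.51.100.20", 443, b"hello"))
    print("outside sees:", (a.src_ip, a.src_port), (b.src_ip, b.src_port))
    reply = nat.translate_in(Packet("198.51.100.20", 443, PUBLIC_IP, a.src_port, b"ok"))
    print("reply goes to:", (reply.dst_ip, reply.dst_port))
    print("unsolicited probe:", nat.translate_in(Packet("198.51.100.99", 22, PUBLIC_IP, 22)))
```

Note what the outside observer learns: only 203.0.113.7 and a port number, never the 192.168.1.x scheme (benefit 3), and a probe to a port with no table entry goes nowhere (benefit 4).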
Circuit Switching
- Circuit switching was originally developed to manage telephone calls over the public switched telephone network.
- A dedicated physical pathway is created between the two communicating parties.
- Once a call is established, the links between the two parties remain the same throughout the conversation.
- Circuit-switching systems employ permanent, physical connections; however, the term permanent applies only to each communication session.
- Only after a session has been closed can a pathway be reused by another communication.
- Circuit switching grants exclusive use of a communication path to the current communication partners.
Packet Switching
- Packet switching: the data is chopped up into small pieces called packets and sent over the network.
- Each packet of data has its own header that contains source and destination information.
- The packets can be routed, combined, or fragmented as required to get them to their eventual destination.
Comparison
- In circuit switching, a circuit is first established and then used to carry all data between devices.
- In packet switching, no fixed path is created between the communicating devices; the data is broken into packets, each of which may take a separate path from sender to recipient.
Virtual Circuit
- A virtual circuit (or communication path) is a logical pathway or circuit created over a packet-switched network between two specific endpoints.
- Within packet-switching systems there are two types of virtual circuits:
  - Permanent Virtual Circuit (PVC).
  - Switched Virtual Circuit (SVC).
- A PVC is like a dedicated leased line: the logical circuit always exists and is waiting for the customer to send data.
- An SVC is more like a dial-up connection, because a virtual circuit has to be created before it can be used and is then torn down after the transmission is complete.
WAN Technologies
- WAN links and long-distance connection technologies can be divided into two primary categories: dedicated and non-dedicated lines.
- A dedicated line is always on and waiting for traffic to be transmitted over it; a dedicated WAN link is always open and established.
- A non-dedicated line is one that requires a connection to be established before data transmission can occur.
- A non-dedicated line can be used to connect with any remote system that uses the same type of non-dedicated line.
Network Attacks and Countermeasures
- Understanding the threats and the possible countermeasures is an important part of securing an environment.
- Any activity that can cause harm to resources must be addressed and mitigated if possible.
- Keep in mind that harm includes more than just destruction or damage. It also includes disclosure, access delay, denial of access, fraud, resource waste, resource abuse, and
Eavesdropping
- Listening to communication traffic for the purpose of duplicating it.
- Once a copy of the traffic content is in the hands of an attacker, they can often extract many forms of confidential information, such as usernames, passwords, process procedures, data, etc.
- General-purpose capture tools such as Wireshark and NetWitness, and dedicated eavesdropping tools such as T-sight and Paros, are commonly used.
Eavesdropping Countermeasures:
- Maintain physical access security to prevent unauthorized personnel from accessing your IT infrastructure.
- Use encryption (such as IPSec or SSH), so that captured traffic is unreadable, and one-time authentication methods (one-time pads or token devices), so that captured credentials cannot be reused.
Masquerading
- The act of pretending to be someone or something you are not in order to gain access to a system.
- Masquerading is often possible through capturing usernames and passwords, or session setup procedures.
Countermeasures:
- Use one-time pads and token authentication systems, Kerberos, and encryption.
Replay Attack
- An offshoot of masquerading attacks, made possible by capturing network traffic via eavesdropping.
- Replay attacks attempt to re-establish a communication session by replaying captured traffic against a system.
Countermeasures:
- Use one-time authentication mechanisms and session sequencing, so that a captured message is rejected the second time it is presented.
Modification Attack
- An attack in which captured packets are altered and then played against a system.
- Modified packets are designed to bypass the restrictions of improved authentication mechanisms and session sequencing.
Countermeasures:
- Use digital signature verification and packet checksum verification.
- Caveat: a plain checksum (a CRC or the IP/TCP header checksum) only detects accidental corruption, because an attacker who alters a packet simply recomputes it. Against deliberate modification the check must be keyed (a MAC such as HMAC) or be a digital signature, so it cannot be recomputed without the key.
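An added worked example, not code from the course, covering both the replay-attack and the modification slides: the sender numbers each message and protects it with a keyed tag, and the receiver keeps a sliding window of accepted sequence numbers in the manner of the IPsec anti-replay window. A replayed packet is refused because its number was already accepted; an edited packet (payload or sequence number) is refused because its tag no longer verifies. The key, window size, tag length and sample messages are constructed assumptions.

```python
"""Sequence-number anti-replay window plus a keyed integrity tag, modelled on the
IPsec replay window. Added illustration for the replay-attack and modification
slides, not code from the course; key, window size and messages are constructed."""
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 tag (assumption, mirrors IPsec's 128-bit ICV)


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 4-byte sequence number + payload, followed by a keyed tag.
    The tag binds the sequence number, so a captured packet cannot be renumbered."""
    msg = struct.pack("!I", seq) + payload
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Accepts each sequence number at most once, within a sliding window."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = 0        # highest sequence number accepted so far
        self.seen = set()       # sequence numbers accepted inside the current window

    def accept(self, packet: bytes):
        """Return (status, payload); status is 'ok', 'modified', 'replay' or 'stale'."""
        if len(packet) < 4 + TAG_LEN:
            return ("modified", None)
        msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Integrity check first (modification countermeasure): a packet whose payload
        # or sequence number was edited no longer matches its tag.
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return ("modified", None)
        seq = struct.unpack("!I", msg[:4])[0]
        # Replay countermeasure: too old to track, or already accepted, is dropped.
        if seq <= self.highest - self.window:
            return ("stale", None)
        if seq in self.seen:
            return ("replay", None)
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return ("ok", msg[4:])


if __name__ == "__main__":
    key = b"\x01" * 32
    rx = Receiver(key, window=4)
    login = seal(key, 1, b"login alice")
    print(rx.accept(login))                    # ('ok', b'login alice')
    print(rx.accept(login))                    # ('replay', None): captured and resent
    forged = bytearray(seal(key, 2, b"transfer 10"))
    forged[4 + 9] = ord("9")                   # edit the amount to "transfer 90"
    print(rx.accept(bytes(forged)))            # ('modified', None)
```

The order of the checks matters: the tag is verified before the sequence number is trusted, otherwise an attacker could feed unauthenticated packets with large sequence numbers to push the window forward and make legitimate traffic look stale. Out-of-order delivery inside the window is still accepted, which is why a window is used instead of a strict counter.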
End of Slides
- Available at