Communication Security and Countermeasure
Slide 6 of the course Keamanan Jaringan (Network Security), by Setio Basuki

Course Objectives
  • Virtual Private Network (VPN)
  • Network Address Translator (NAT)
  • Switching Technologies
  • WAN Technologies
  • Network Attacks and Countermeasure

Virtual Private Network (VPN)
  • A VPN is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary untrusted network.
    – Most VPNs use encryption to protect the encapsulated traffic.
    – VPNs can link clients, servers, routers, firewalls, and switches.

Tunneling
  • Tunneling is the network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol.
  • The encapsulation is what creates the logical illusion of a communications tunnel over the untrusted network.
    – This virtual path exists between the entities located at the encapsulation and de-encapsulation ends.

Tunneling (Cont.)
  • In fact, sending a letter to your grandmother involves the use of a tunneling system. You create the personal letter (the primary content protocol packet) and place it in an envelope (the tunneling protocol). The envelope is delivered through the postal service (the untrusted intermediary network) to its intended recipient.

Tunneling Drawbacks
  • Tunneling is an inefficient means of communicating:
    – Most protocols include their own error detection, error handling, acknowledgment, and session management features, so using more than one protocol at a time compounds the overhead required to communicate a single message.
    – Tunneling creates either larger packets or additional packets that in turn consume additional network bandwidth.

Implementing VPN

Implementing VPN (Cont.)
  • Point-to-Point Tunneling Protocol (PPTP) creates a point-to-point tunnel between two systems and encapsulates PPP packets.

Implementing VPN (Cont.)
  • Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F.

Implementing VPN (Cont.)
  • IP Security (IPSec) is both a stand-alone VPN protocol and the security mechanism for L2TP, and it can be used only for IP traffic.
  • IPSec has two primary components, or functions:
    – Authentication Header (AH).
    – Encapsulating Security Payload (ESP).

Network Address Translator (NAT)
  • NAT is a mechanism for converting the internal IP addresses found in packet headers into public IP addresses for transmission over the Internet.
  • NAT was developed to allow private networks to use any IP address set without causing collisions or conflicts with public Internet hosts with the same IP addresses.

Network Address Translator (NAT) (Cont.)
  • NAT translates the IP addresses of your internal clients to leased addresses outside your environment.
  • NAT offers numerous benefits:
    1. Able to connect an entire network to the Internet using only a single (or just a few) leased public IP addresses.
    2. Using private IP addresses in a private network while still being able to communicate
    3. Hiding the IP addressing scheme and network topography from the Internet.
    4. Protection by restricting connections so that only connections originating from the internal protected network are allowed back into the network from the Internet.
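A worked example added here (not part of the slides) of the translation table behind benefits 1 and 4: one public address serves several private hosts, and a packet arriving from the Internet is admitted only if an internal host opened the mapping first. All addresses, ports and the class and function names are constructed for the demo.

```python
# Added example (not from the slides): a minimal NAT/PAT translation table.
# Outbound packets get their private source rewritten to the single public
# address; inbound packets are admitted only when they hit a mapping that an
# internal host created. Addresses and ports below are constructed values.
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private ip, private port) -> public port
        self.in_map = {}    # public port -> (private ip, private port)

    def outbound(self, pkt):
        """Rewrite the private source to the public address (benefit 1).
        The same internal flow keeps reusing the mapping it was given."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Admit a reply only if an internal host opened the mapping (benefit 4).
        Unsolicited packets from the Internet are dropped: returns None."""
        target = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])
```

Note that this table admits any external host that guesses an open public port; stricter NAT variants also record the external destination of the flow and check it on the way back.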

Circuit Switching
  • Circuit switching was originally developed to manage telephone calls over the public switched telephone network.
    – A dedicated physical pathway is created between the two communicating parties.
    – Once a call is established, the links between the two parties remain the same throughout the conversation.

Circuit Switching (Cont.)
  • Circuit-switching systems employ permanent, physical connections.
    – However, the term permanent applies only to each communication session.
    – Only after a session has been closed can a pathway be reused by another communication.
  • Circuit switching grants exclusive use of a communication path to the current

Packet Switching
  • Packet switching: the data is chopped up into small pieces called packets and sent over the network.
    – Each packet of data has its own header that contains source and destination information.
    – The packets can be routed, combined or fragmented, as required to get them to their eventual destination.

Comparison
  • In circuit switching, a circuit is first established and then used to carry all data between devices.
  • In packet switching no fixed path is created between devices that communicate;
    – the data is broken into packets, each of which may take a separate path from sender to recipient.

Virtual Circuit
  • A virtual circuit or communication path is a logical pathway or circuit created over a packet-switched network between two specific endpoints.
  • Within packet-switching systems are two types of virtual circuits:
    – Permanent Virtual Circuit (PVC).
    – Switched Virtual Circuit (SVC).

Virtual Circuit (Cont.)
  • A PVC is like a dedicated leased line; the logical circuit always exists and is waiting for the customer to send data.
  • An SVC is more like a dialup connection because a virtual circuit has to be created before it can be used and then disassembled after the transmission is complete.

WAN Technologies
  • WAN links and long-distance connection technologies can be divided into two primary categories: dedicated and non-dedicated lines.
  • A dedicated line is always on and waiting for traffic to be transmitted over it; a dedicated WAN link is always open and established.

WAN Technologies (Cont.)
  • A non-dedicated line is one that requires a connection to be established before data transmission can occur.
  • A non-dedicated line can be used to connect with any remote system that uses the same type of non-dedicated line.

Countermeasure
  • Understanding the threats and possible countermeasures is an important part of securing an environment.
    – Any activity that can cause harm to resources must be addressed and mitigated if possible.
    – Keep in mind that harm includes more than just destruction or damage.
    – It also includes disclosure, access delay, denial of access, fraud, resource waste, resource abuse, and

Countermeasure: Eavesdropping
  • Eavesdropping is listening to communication traffic for the purpose of duplicating it.
    – Once a copy of traffic content is in the hands of an attacker, they can often extract many forms of confidential information, such as usernames, passwords, process procedures, data, etc.
  • Wireshark and NetWitness and dedicated eavesdropping tools such as T-sight and Paros are usually used.

Countermeasure: Eavesdropping (Cont.)
  • Combat eavesdropping by maintaining physical access security to prevent unauthorized personnel from accessing your IT infrastructure.
    – Use encryption (such as IPSec or SSH) and one-time authentication methods (that is, one-time pads or token devices).

Countermeasure: Masquerading
  • Masquerading is the act of pretending to be someone or something you are not, to access a system.
  • Masquerading is often possible through capturing of usernames and passwords or of session setup procedures.
    – Countermeasures: using one-time pads and token authentication systems, Kerberos, and using encryption.

Countermeasure: Replay Attack
  • Replay attacks are an offshoot of masquerading attacks and are made possible through capturing network traffic via eavesdropping.
    – Replay attacks attempt to reestablish a communication session by replaying captured traffic against a system.
  • You can prevent them by using one-time authentication mechanisms and

Countermeasure: Modification
  • A modification attack is one in which captured packets are altered and then played against a system.
    – Modified packets are designed to bypass the restrictions of improved authentication mechanisms and session sequencing.
  • Countermeasures to modification replay attacks include using digital signature verifications and packet checksum.
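A worked example added here (not part of the slides) of the replay and modification countermeasures from the two slides above: each packet carries a sequence number and a keyed HMAC, so an altered packet fails the integrity check and a re-sent packet is rejected by its stale sequence number. The key, the packets and the function names are constructed; a keyed HMAC stands in for the slide's "checksum" because an unkeyed checksum can simply be recomputed by whoever altered the packet.

```python
# Added example (not from the slides): a receiver that rejects replayed and
# modified packets. Packet layout: 4-byte sequence number | payload | 32-byte
# HMAC-SHA256 tag over the first two fields. Key and packets are constructed.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # in practice a per-session negotiated key
TAG_LEN = 32


def seal(seq, payload, key=KEY):
    """Sender side: attach a sequence number and an integrity tag."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, packet):
        """Return (status, payload); status is 'ok', 'modified' or 'replayed'."""
        if len(packet) < 4 + TAG_LEN:
            return "modified", None            # truncated: cannot be verified
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "modified", None            # integrity check failed
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return "replayed", None            # already seen: replay
        self.last_seq = seq                    # session sequencing advances
        return "ok", body[4:]
```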

  End of Slides

  • Available at