Access control lists (ACL) are rules, typically applied to router interfaces, that specify permitted and denied traffic. Although ACL features can vary by router vendor, examples
of filtering criteria include IP addresses (source or destination), port number(source or destination), and MAC addresses (source or destination).
A device that filters traffic based on ACL-like rules is a packet filtering firewall.
The list of trustees assigned to a file or directory. A trustee can be any object available to the security subsystem. The term ACL is also used
with routers and firewall systems to refer to the list of permitted computers
ACL MAC filtering
Media Access Control
This is perhaps the least used of the packet-filtering methods discussed, but you can configure a firewall to use the hardware configured MAC address as the determining factor in whether access to the network is granted. This is not a particularly flexible method, and therefore it is suitable only in environments in which you can closely control who uses which MAC address. The Internet is not such an
ACL IP filtering
By using the IP address as a parameter, the firewall(ACL) can allow or deny traffic based on the source or destination IP address. For
example, you can configure the firewall so that only certain hosts on the internal network can access hosts on the Internet. Alternatively, you can configure it so that only certain hosts on the Internet can gain access to a system on the internal network.
ACL Port filtering
The TCP/IP suite uses port numbers to identify which service a certain packet is destined for. By configuring the firewall to allow certain types of traffic, you can control the flow. You might, for
example, open port 80 on the firewall to allow Hypertext Transfer Protocol (HTTP) requests from users on the Internet to reach the corporate
web server. Depending on the application, you might also open the HTTP Secure (HTTPS) port, port 443, to allow access to a secure web server application. Windows Firewall in Windows 7 enables you to configure which programs
are allowed through the private network and the public network by checking boxes associated with the programs/features.
Secure Sockets Layer(SSL) was first created for use with the Netscape web browser and is used with a limited number of TCP/IP protocols (such as HTTP and FTP). Transport Layer Security (TLS) is not only an enhancement to SSL, but also a replacement for it, working with almost every TCP/IP protocol. Because of this TLS is popular with VPNs and VoIP applications.
Just as Kleenex is often used to represent any paper tissue whether it is made by Kimberly-Clark, SSL is often the term used to signify the confidentiality function whether it is actually SSL in use or TLS, the latest version of which is 1.2.
Tunneling and encryption: SSL VPN
SSL VPN, also marketed as WebVPN an OpenVPN, can be used to connect locations that would run into trouble with firewalls and NAT
when used with IPSec. It is known as an SSL VPN whether the encryption is done with SSL or TLS.
Tunneling and encryption: VPN
A network that uses a public network such as the Internet as a backbone to connect two or more private networks. A VPN provides users with
the equivalent of a private network in terms of security. VPNs can also be used as a means of establishing secure remote connectivity between a remote system and another network.
VPNs support analog modems, Integrated Services Digital Network (ISDN) wireless
connections, and dedicated broadband connections such as cable and DSL
VPNs can use different technologies (for example, IPsec, GRE, L2TP, and L2F)
offer a variety of features, IPsec VPNs offer strong security features.
The two primary categories of VPNs
Site-to-site: A site-to-site VPN interconnects two sites, as an alternative to a leased line, at a reduced cost.
Client-to-site: A client-to-site VPN (also known as a remote-access VPN) interconnects a remote user with a site, as an alternative to dial-up or ISDN connectivity, at a reduced cost.
Although a VPN tunnel might physically pass through multiple service provider routers, the tunnel appears to be a single router hop from the perspective of the routers at each end of the tunnel.
Although a client-to-site VPN allows a user, with software on their client computer, to connect to a centralized VPN termination device, a site-to-site VPN interconnects two sites without requiring the computers at those sites to have any specialized
VPN software installed.
VPN Access method:
A VPN is most often established over a public network such as the Internet; however, some VPN implementations use a private intranet. The network used must be IP (Internet protocol)- based.
Required to establish, manage, and secure the data over the VPN connection. Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) are commonly associated with VPN connections. These protocols enable authentication and encryption
in VPNs. Authentication enables VPN clients and servers to correctly establish the identity of people on the network. Encryption enables potentially sensitive data to be guarded from the general public.
Tunneling and encryption: L2TP
Layer 2 Tunneling Protocol (L2TP) is a combination of PPTP and Cisco L2F technology. L2TP, as the name suggests, uses tunneling to deliver data. It authenticates the client in a two-phase process: It authenticates the computer and then the user. By authenticating the computer, it prevents the data from being intercepted, changed, and returned to the user in what is known as a man-in-the-middle attack. L2TP ensures both parties that the data they receive is exactly the data sent by the originator.
L2TP offers two-phase authentication—once for the computer and once for the user. This helps prevent man-in-the-middle attacks.
Layer 2 Tunneling Protocol (L2TP) is a VPN protocol that lacks security features, such as encryption. However, L2TP can still be used for a secure VPN connection if it is combined with another protocol that does provide encryption.
Unlike IPSec, which operates at the network layer of the OSI model, L2TP operates at the data link layer, making it protocol-independent. This means that an L2TP connection can even support protocols other than TCP/IP, such as AppleTalk and Novell's legacy IPX.
Tunneling and encryption: PPTP
Point-to-Point Tunneling Protocol (PPTP)
is often mentioned together with PPP. Although it's used in dialup connections, as PPP is, PPTP provides different functionality. It creates a secure tunnel between two points on a network,
over which other connectivity protocols, such as PPP, can be used. This tunneling functionality is the basis of VPNs.
PPTP does not use a public key infrastructure but does use a user ID and password.
PPTP uses the same authentication methods as PPP, including MS-CHAP, CHAP, PAP, and EAP
To establish a PPTP session between a client and server, a TCP connection known as a PPTP control connection is required to create and maintain the communication tunnel. The PPTP control connection exists between the IP
address of the PPTP client and the IP address of the PPTP server, using TCP port 1723 on the server and a dynamic port on the client. It is the function of the PPTP control connection to pass the PPTP control and management messages used to maintain the PPTP communication tunnel between the remote system and the server. PPTP provides authenticated and encrypted communications between two endpoints such as a client and server.
Differences between PPTP and L2TP
PPTP has been around longer; it offers more interoperability than L2TP.
PPTP is an industry standard.
PPTP is easier to configure than L2TP because L2TP uses digital certificates.
PTP has less overhead than L2TP.
L2TP offers greater security than PPTP.
L2TP supports common public key infrastructure technology.
L2TP provides support for header compression.
Tunneling and encryption: IPSec
The IP Security (IPSec) protocol is designed to provide secure communications between systems. This includes system-to-system communication in the same network, as well as communication to systems on external networks.
IPSec is an IP layer security protocol that can both encrypt and authenticate network transmissions. In a nutshell, IPSec is composed of two separate protocols Authentication Header (AH) and Encapsulating Security Payload (ESP).
AH provides the authentication and integrity checking for data packets, and ESP provides encryption services.
IPSec operates at the network layer of the Open Systems Interconnect (OSI) model and provides security for protocols that operate at the higher layers. Thus, by using IPSec, you can secure practically all TCP/IP-related communications.
IPSec can be used only on TCP/IP networks. If you use another network protocol, you need to use a security protocol such as L2TP.
3 key security services of IPSec
Data verification: Verifies that the data received is from the intended source
Protection from data tampering: Ensures that the data has not been tampered with or changed between the sending and receiving devices
Private transactions: Ensures that the data sent between the sending and receiving devices is unreadable by any other devices
Tunneling and encryption: ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP)
ISAKMP,is a framework defining the procedures for authentication, creation and management of security associations (SAs), key generation techniques, and threat mitigation. In short, it outlines how secure communications should take place, but is not a protocol, or application, itself.
Tunneling and encryption: TLS
Transport Layer Security (TLS) has largely replaced SSL as the VPN protocol of choice for providing cryptography and reliability to upper layers of the OSI model. For example, when you securely connect to a website using HTTPS, you
are probably using TLS.
Tunneling and encryption: Site-to-site and client-to-site
site-to-site and client-to-site are two types of VPNs.
The scope of a tunnel can vary, with the two most common variations being site-to-site and client-to-site. In a site-to-site implementation, as the name implies, whole networks are connected together. An example of this would be divisions of a large company. Because the networks are supporting the VPN, each gateway does the work and the individual clients do not need to have any VPN.
In a client-to-site scenario, individual clients (such as telecommuters or travelers)
connect to the network remotely. Because the individual client makes a direct connection to the network, each client doing so must have VPN client software installed.
Remote access PPP
Point-to-Point Protocol (PPP)
PPP is the standard remote-access protocol in use today. PPP is actually a family of protocols that work together to provide connection services.
Because PPP is an industry standard, it offers interoperability between different software vendors in various remote-access implementations. PPP provides a number of security enhancements compared to regular SLIP(Serial Line Internet Protocol), the most
important being the encryption of usernames and passwords during the authentication process.
PPP enables remote clients and servers to negotiate data encryption methods and authentication methods and support new technologies. PPP even enables administrators choose which LAN protocol to use over a remote link.
Establishment of a PPP connection
During the establishment of a PPP connection between the remote system and the server, the remote server needs to authenticate the remote user. It does so by using the PPP authentication protocols. PPP accommodates a number of authentication protocols, and it's possible on many systems to configure more than one authentication protocol. The protocol used in the
authentication process depends on the security configurations established between the remote user and the server. PPP authentication protocols include CHAP, MS-CHAP, MS-CHAP v2, EAP, and PAP
Remote access PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) is a protocol used to connect multiple network users on an Ethernet local area network to a remote site through a common device. For example, using PPPoE, you can have all users
on a network share the same link, such as a DSL, cable modem, or wireless
connection to the Internet. PPPoE is a combination of PPP and the Ethernet
protocol, which supports multiple users in a local area network (hence the
name). The PPP information is encapsulated within an Ethernet frame.
With PPPoE, a number of different users can share the same physical connection to the Internet. In the process, PPPoE provides a way to keep track of individual user Internet access times. Because PPPoE for individual authenticated access to high-speed data networks, it is an efficient way to create a
separate connection to a remote server for each user. This strategy enables Internet service providers (ISPs) or administrators to bill or track access on a per-user basis rather than a per-site basis.
PPPoE communication process
The PPPoE communication process has two stages: the discovery stage and the PPP session stage. The discovery stage uses four steps to establish the PPPoE connection: initiation, offer, request, and session confirmation. These steps represent back-and-forth communication between the client and the
PPPoE server. After these steps have been negotiated, the PPP session can be established using familiar PPP authentication protocols.
Remote access: RAS
Remote Access Service (RAS)
RAS is a remote-access solution included with Windows Server products. RAS is a feature-rich, easy-to-configure, easy-to-use method of configuring remote access.
Any system that supports the appropriate dial-in protocols, such as PPP, can connect to a RAS server. Most commonly, the clients are Windows systems that use the dialup networking feature, but any operating system that supports dialup client software will work. Connection to a RAS server can be made over a standard phone line, using a modem, over a network, or via an ISDN
Although the system is called RAS, the underlying technologies that enable the RAS process are dialup protocols such as PPP.
Remote access RDP
Remote Desktop Protocol (RDP) is used in a Windows environment. Terminal Services provides a way for a client system to connect to a server, such as Windows Server and, by using RDP, operate on the server as if they were local client applications. Such a configuration is
known as thin client computing, whereby client systems use the resources of the server instead of their local processing power.
RDP is a low-bandwidth protocol used to send mouse movements, keystrokes, and bitmap images of the screen on the server to the client computer. RDP does not actually send data over
the connection—only screenshots and client keystrokes.
Remote access ICA
Citrix Independent Computing Architecture (Citrix ICA) enables clients to access and run applications on a server, using the server's resources. Only the user interface, keystrokes, and mouse movements transfer between the client system and the server. In effect, even though you work at the remote computer, the system functions as if you were actually sitting
at the computer itself. As with Terminal Services and RDP, ICA is an example of thin client computing.
Remote access SSH
Secure Shell (SSH) is a tunneling protocol originally created for UNIX systems. It uses
encryption to establish a secure connection between two systems and provides alternative, security-equivalent applications for such utilities as Telnet, FTP, and other communications-oriented applications. Although it is available with
Windows and other operating systems, it is the preferred method of security for Telnet and other cleartext-oriented programs in the UNIX environment. SSH uses port 22 and TCP for connections.