Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to remote access in Domain 4 to understand how they interrelate and to guide your studies. This is the final, fourth of four videos for Domain 4. I've included links to the other mind map videos in the description below. These mind maps are one part of our complete CISSP Master Class.

The battle continues between corporations and real estate companies trying to drag folks back into the office, and most people, who want to continue to work from home so they can have a better work-life balance and not waste a significant part of their lives in cursed traffic jams. Thankfully we have many excellent protocols and systems that allow us to securely connect to remote corporate networks and remain highly productive working from home. We're going to go through the major protocols that allow us to establish tunnels, encrypt those tunnels to create VPNs, perform remote authentication, and do remote management of systems.

Let's start with the concept of tunneling, which is encapsulating an entire packet within the data portion of another packet. Tunneling allows us to do some very useful things, such as connecting private networks together across a public network like the internet. Recall that the IP addresses we tend to use on private networks, for example 10.0 IP addresses, are not routable across the public internet. Thus with tunneling we can take a packet that has a private IP destination address and encapsulate that packet within another packet that has a public IP destination address. Tunneling basically means adding a new header to a packet. We can also encapsulate foreign protocols to run over a network that does not support that particular protocol, for example sending IP version 6 packets across an IP version 4 network.

There are three major tunneling protocols that you should know about, and we'll start with GRE, Generic Routing Encapsulation, which is a simple tunneling protocol that can encapsulate a wide variety of network protocols and create point-to-point connections, essentially allowing you to easily connect two networks together and pass traffic back and forth between those networks across a third network, typically the internet. PPTP, Point-to-Point Tunneling Protocol, is an obsolete tunneling protocol with many well-known security vulnerabilities. PPTP by itself does not provide encryption and authentication and must be used in combination with other protocols to create VPNs (more on what a VPN is in just a moment). L2TP, Layer 2 Tunneling Protocol, is a successor to PPTP, and L2TP includes many improvements such as the ability to encrypt its control messages, but, very importantly, L2TP on its own does not encrypt the data portion of a packet.

Split tunneling is where some traffic will be sent through the secure encrypted tunnel, often to a corporate network, while other traffic will not be sent through the tunnel but instead will go straight out onto the internet. This is sometimes done for performance reasons: by not sending traffic first through the tunnel and then out onto the internet, but rather straight onto the internet. The security concern with split tunneling is that the traffic that goes straight out onto the internet bypasses the corporate security controls.

Now an extremely important topic to layer on to tunneling is encryption. Why is it so important to encrypt the data portion of a packet when sending that data through a tunnel? As we've discussed, tunnels are typically used to connect two private networks together over the public internet, or to connect a remote device like a laptop to a corporate network, again across the public internet, and you should always assume that someone, probably multiple someones, are inspecting your data that transits the internet. Therefore, from a security perspective, it is very important to encrypt the data that's being sent through a tunnel to provide confidentiality, and that is a VPN: a virtual private network is an encrypted tunnel, where the data that is sent through the tunnel is encrypted.

Let's now talk through the major VPN protocols that you need to know, and we'll start with the protocol that you need to know the most about: IPsec. IP Security is a standardized suite of protocols which work together and allow a massive degree of flexibility in how IPsec can be configured to create VPNs. The first choice you have when establishing an IPsec connection is choosing either Authentication Header mode, which provides only integrity, data origin authentication, and replay protection, or Encapsulating Security Payload, which provides everything in AH plus confidentiality by encrypting the data portion of the payload. So technically IPsec in AH mode is just a tunnel, while IPsec in ESP mode is a VPN because it provides an encrypted tunnel. The next choice you have is to run IPsec in either transport mode, which means the original packet header is reused, or tunnel mode, which means a new header is created encapsulating the original packet header in the payload. Here's a 2x2 matrix showing you a simplified view of these different modes and how they fit together; hopefully this makes these different modes a little easier to understand.

Another part of IPsec is IKE, Internet Key Exchange, which is the protocol used to establish security associations. What are security associations, I hear you asking? They are a simplex establishment of attributes such as authentication algorithm, encryption algorithm, and encryption keys to be used when establishing a connection. Think of it this way: when an IPsec connection is established, a bunch of negotiations and agreements need to occur. The client and the server, or more generally two entities, need to authenticate each other using, say, X.509 digital certificates, and exchange symmetric encryption keys using, say, the Diffie-Hellman key exchange protocol. To allow these two entities to do all this, they first need to agree on what authentication algorithm they're going to use, and what encryption algorithm, and what IPsec modes. This is the purpose of security associations: to agree on and establish these attributes. And that word simplex means that SAs only allow communication in one direction, so to establish a tunnel where two entities can talk back and forth you need two security associations, one for each direction, and if you want to add encryption in both directions you need two more security associations. A total of four security associations are required to establish an IPsec VPN.

Next up, another protocol commonly used for establishing VPNs: SSL/TLS. Let's start with naming and versions. SSL, Secure Sockets Layer, was the name of the protocol for the first three major versions. The protocol was then renamed Transport Layer Security, TLS, to better reflect that it operates at layer 4, the transport layer of the OSI model. So SSL and TLS are the same protocol, and TLS is just the name of the most recent versions. TLS was primarily created to authenticate and encrypt the connection between a web browser and a web server, but it can also be used to secure other types of connections and allow you to create, say, a VPN.

It's important to understand the steps that are required to establish a TLS connection. First, the client sends a Client Hello message, which tells the server which version of TLS the client supports and which encryption algorithms. Second, the server then responds with a Server Hello message, and very importantly the Server Hello message includes a copy of the server's digital certificate. Step three, the client decrypts the server's digital certificate, allowing the client to authenticate the server: confirm that the server is in fact, say, amazon.com and not sketchyhacker.com. As part of step three the client generates a new symmetric encryption key, also known as a session key, and encrypts this symmetric key with the server's public key obtained from the server's digital certificate. Step four, the client sends the encrypted session key over to the server and the server decrypts it with the server's private key, and now that both the client and the server have the same symmetric session key, they can efficiently encrypt any data they want to and send it back and forth, thus creating a secure encrypted connection. I created a video, which I've linked to above and down below in the description, on digital certificates, where I talk in a little more detail about how they are used in the TLS protocol.

One final piece I'll mention here related to TLS is that in the initial Client Hello message the client can send the client's certificate to the server, allowing the server to authenticate the client, thus allowing mutual authentication: the client and server can both authenticate each other. And in fact you can even run SSL/TLS in a mode referred to as unencrypted SSL, where an encrypted connection is not required but authentication is required.

A couple of protocols that you should recognize as VPN protocols: SOCKS, Socket Secure protocol, which operates at layer 5, the session layer, and SSH, Secure Shell protocol, which operates at layer 7, the application layer.

Next up, remote authentication. Let's say it's 1995 and you're running a dial-up internet service with a few thousand customers. You need some way of authenticating your users, authorizing them, and accounting for their usage of your service. Enter RADIUS, a protocol originally designed to do just that. Remote Authentication Dial-In User Service is a protocol that allows us to connect to and access network resources, and the protocol provides authentication, authorization, and accounting, AAA. That's RADIUS. TACACS+ encrypts the full contents of the packets it transmits, versus RADIUS, which just poorly obfuscates the user's password. And Diameter is the successor to RADIUS; Diameter adds some good security features such as EAP, Extensible Authentication Protocol, for much more secure and robust authentication of users.

Final topic: remote access management. Networks have grown ever larger over the years, with network devices like firewalls, routers, switches, and servers spreading all over a building, across multiple buildings, or even across multiple countries. We need protocols to allow us to remotely connect to these network devices and administer them, check on the status of the device, and make configuration changes. Enter SNMP, Simple Network Management Protocol, which allows you to collect all sorts of information from network devices in real time, including performance metrics, alerts, and the specific configuration of a device. And well beyond just monitoring, you can further send commands to reconfigure a network device. SNMP is a very powerful protocol. I like to remember SNMP as standing for "Security is Not My Problem", as the first versions of SNMP are a total dumpster fire from a security perspective. SNMP version 1 sends passwords in clear text, plain text. Version 2 is a slight improvement as it allows password hashing, but not by default. Version 3 is a huge improvement from a security perspective, so if you're using SNMP, make sure it's at least version 3. And finally, Telnet, which is a protocol that allows you to remotely connect to a network device like a server and get command line interface access.

And there we go, that is an overview of remote access within Domain 4, covering the most critical concepts you need to know for the exam. A really cool feature of our free CISSP app is that it includes an immense glossary of terms you need to know for the exam and a giant list of acronyms you might see on the exam as well. Links to download our free app are in the description below.
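The tunneling section above says tunneling is literally adding a new header to a packet. Here is the GRE case worked through in Python as an added example (it is not from the video or Destination Certification's material): an inner IPv4 packet addressed to a private 10.x host is carried in the payload of an outer IPv4 packet between two public tunnel endpoints, with the 4-byte GRE header in between; the addresses and payload are constructed for the example.

```python
import socket
import struct

GRE_PROTO = 47           # IPv4 protocol number carried in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with no options and a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunneling = adding headers: outer IP header + 4-byte GRE header + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0, then protocol type
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes) -> tuple:
    """Strip the outer headers; return (outer_src, outer_dst, inner_dst, inner_packet)."""
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    outer = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if outer[6] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    _flags, proto = struct.unpack("!HH", packet[20:24])
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    inner = packet[24:]
    return (socket.inet_ntoa(outer[8]), socket.inet_ntoa(outer[9]),
            socket.inet_ntoa(inner[16:20]), inner)

# Constructed sample: a packet between two private 10.x LANs (not routable on the
# internet) carried between two public tunnel endpoints (documentation addresses).
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 8) + b"\x00" * 8   # stub 8-byte payload
TUNNELED = gre_encapsulate(INNER, "198.51.100.1", "203.0.113.2")
```

Note that nothing in the GRE header or outer packet hides the inner packet: without ESP or another encryption layer this is a tunnel, not a VPN, exactly as the video distinguishes them.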
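The remote authentication section says RADIUS only "poorly obfuscates" the user's password while TACACS+ encrypts the whole packet. As an added example (not from the video), here is the RFC 2865 User-Password hiding scheme implemented in Python so you can see why: it is an MD5-based keystream XOR keyed only by the shared secret, reversible by anyone who knows or guesses that secret, which is why the shared secret's strength and protecting RADIUS traffic matter; the authenticator and secret values are constructed.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then XOR each
    block with MD5(secret + previous output block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password attribute is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()   # 16 bytes per block
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return hidden

def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """The inverse, as a RADIUS server runs it: regenerate the same keystream and XOR back.
    The scheme cannot represent passwords ending in NUL bytes (padding is stripped)."""
    if len(hidden) % 16:
        raise ValueError("hidden value must be a multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

# Constructed sample values (not from a real capture): the 16-byte Request Authenticator
# a NAS would put in the Access-Request, and a sample shared secret.
AUTHENTICATOR = bytes(range(16))
SECRET = b"example-shared-secret"
HIDDEN = hide_password(b"hunter2", SECRET, AUTHENTICATOR)
```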
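The remote access management section says to make sure SNMP is at least version 3 because the earlier versions send credentials in the clear. As an added example (not from the video), here is a small Python decoder for the front of an SNMP message that a monitoring script could run over captured UDP/161 payloads to flag v1/v2c datagrams and show the cleartext community string; both sample datagrams are hand-encoded BER for the example, not real captures.

```python
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram: bytes) -> dict:
    """Return the SNMP version and, for v1/v2c, the community string sent in the clear."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    result = {"version": SNMP_VERSIONS.get(version, "unknown(%d)" % version),
              "community": None, "cleartext_credentials": False}
    if version in (0, 1):                  # v1 and v2c: next element is the community
        tag, community, _ = _read_tlv(body, pos)
        if tag == 0x04:                    # OCTET STRING
            result["community"] = community.decode("ascii", "replace")
            result["cleartext_credentials"] = True
    return result

# Constructed sample: an SNMPv2c GetRequest with community "public" and an empty
# variable-binding list.
SAMPLE_V2C = bytes.fromhex(
    "3018"                                  # SEQUENCE, 24 bytes of content
    "020101"                                # INTEGER version = 1 (v2c)
    "0406" + b"public".hex() +              # OCTET STRING community
    "a00b"                                  # GetRequest PDU, 11 bytes
    "020101" "020100" "020100" "3000")      # request-id, error-status, error-index, varbinds
# Constructed sample: the start of an SNMPv3 message (version 3, then msgGlobalData).
SAMPLE_V3 = bytes.fromhex("3005" "020103" "3000")
```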