4. Exam Essentials for Secure Communications and Network Attacks

Remote access security management requires that security system designers address the hardware and software components of an implementation along with issues related to policy, work tasks, and encryption.

Protocols and mechanisms that may be used on LANs and WANs include SKIP, swIPe, SSL, SET, PPP, SLIP, CHAP, PAP, EAP, and S-RPC; this can also include VPN, TLS/SSL, and VLAN.
Tunneling is the encapsulation of a protocol-deliverable message within a second protocol. The second protocol performs the encryption to protect the message contents.

VPNs are based on encrypted tunneling. They can offer authentication and data protection as a point-to-point solution. Common VPN protocols are PPTP, L2F, L2TP, and IPSec.

NAT protects the addressing scheme of a private network, allows the use of private IP addresses, and enables multiple internal clients to reach the Internet through a few public IP addresses. NAT is supported by many border devices, such as firewalls, routers, gateways, and proxies.

In circuit switching, physical pathways are created between the two communicating parties. In packet switching, a message or communication is broken up into small segments and sent across the intermediary networks to the destination.
Packet-switching systems use two types of communication paths (virtual circuits): PVCs (permanent) and SVCs (switched).

Dedicated vs Non Dedicated links

An always-on connection is dedicated, like T1, T3, E1, E3, and cable modems.
ISDN and DSL are examples of nondedicated links.

Most WAN technologies require a CSU/DSU (channel service unit/data service unit), also known as a WAN switch. Carrier networks and WAN connection technologies include X.25, Frame Relay, ATM, and SMDS. Some WAN connection technologies require additional specialized protocols to support various types of specialized systems or devices. Three of these protocols are SDLC, HDLC, and HSSI.

PPP (Point-to-Point Protocol) is an encapsulation protocol that supports the transmission of IP traffic over dial-up or point-to-point links.
PPP includes assignment and management of IP addresses, management of synchronous communications, standardized encapsulation, multiplexing, link configuration, link quality testing, error detection, and feature or option negotiation, like compression. PPP was designed to support CHAP and PAP for authentication, but later versions support MS-CHAP, EAP, and SPAP.

SLIP was replaced with PPP. SLIP has no authentication, supports half-duplex communications, has no error detection, and requires manual link establishment and teardown.

Security controls
Security controls should be transparent to users. Hash totals and CRC checks can be used to verify message integrity. Record sequences are used to ensure the sequence integrity of a transmission. Transmission logging helps detect communications abuses.
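How the three controls fit together on the receiving side, as an added example that is not part of the original notes. The record layout, the use of SHA-256 for the hash total, and all function names are assumptions made for illustration.

```python
import hashlib
import struct
import zlib

# Constructed record layout (an assumption, not from the page):
#   4-byte sequence number | payload | 4-byte CRC-32 over (sequence + payload)
def frame(seq, payload):
    body = struct.pack(">I", seq) + payload
    return body + struct.pack(">I", zlib.crc32(body))

def hash_total(payloads):
    """Digest over the whole batch; SHA-256 is an assumed choice."""
    framed = b"".join(struct.pack(">I", len(p)) + p for p in payloads)
    return hashlib.sha256(framed).hexdigest()

def receive(frames, expected_total):
    """Check one batch; return (accepted payloads, transmission log)."""
    log, accepted, next_seq = [], [], 0
    for i, f in enumerate(frames):
        # CRC check: catches corruption in transit (and truncated frames)
        if len(f) < 8 or zlib.crc32(f[:-4]) != struct.unpack(">I", f[-4:])[0]:
            log.append((i, "crc-mismatch"))
            continue
        seq = struct.unpack(">I", f[:4])[0]
        # Record sequence check: catches replayed, duplicated or missing records
        if seq < next_seq:
            log.append((i, f"duplicate-or-replayed seq={seq}"))
            continue
        if seq > next_seq:
            log.append((i, f"gap: expected seq={next_seq}, got {seq}"))
        accepted.append(f[4:-4])
        next_seq = seq + 1
    # Hash total: the accepted batch must match what the sender declared
    if hash_total(accepted) != expected_total:
        log.append((len(frames), "hash-total-mismatch"))
    return accepted, log

PAYLOADS = [b"open session", b"transfer 100", b"close session"]  # constructed
TOTAL = hash_total(PAYLOADS)
GOOD = [frame(i, p) for i, p in enumerate(PAYLOADS)]

def demo():
    flipped = bytearray(GOOD[1])
    flipped[6] ^= 0x01  # single bit flipped in transit
    return {"clean": receive(GOOD, TOTAL)[1],
            "bitflip": receive([GOOD[0], bytes(flipped), GOOD[2]], TOTAL)[1],
            "replay": receive(GOOD + [GOOD[1]], TOTAL)[1],
            "dropped": receive([GOOD[0], GOOD[2]], TOTAL)[1]}
```

Neither CRC-32 nor an unkeyed digest is tied to a secret, so these checks detect accidental errors and sloppy replays but not modification by someone who can recompute them; that requires a keyed MAC or a digital signature.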

Internet email is based on SMTP, POP3, and IMAP, which are insecure methods. They can be secured (and this must be addressed in policy) by using S/MIME, MOSS, PEM, or PGP.

Fax security is primarily based on using encrypted transmissions or encrypted communication lines to protect the faxed materials. The goal is to prevent interception. Logs and reports can be used to detect anomalies in fax activity.

Countermeasures to PBX fraud and abuse include many of the same precautions you would employ to protect a typical computer network: logical or technical controls, administrative controls and physical controls.

VoIP is at risk for Caller ID spoofing, vishing, SPIT, call manager software/firmware attacks, phone hardware attacks, DoS, MitM, spoofing, and switch hopping.

Phreaking is a specific type of attack in which various types of technology are used to circumvent the telephone system to make free long-distance calls, alter the function of telephone service, steal specialized services, or even cause service disruptions. Black, red, blue, and white boxes are common phreaker tools.

Voice communications are vulnerable to many attacks; you can use encryption to gain confidentiality.

Social engineering is a means by which an unknown person gains the trust of someone inside your organization, usually by convincing employees that they are associated with support management or technical support. The victim is often encouraged to make a change to their user account on the system, such as resetting their password. To counter this, train users to identify and report such attempts.

Communications systems are vulnerable to many attacks, including DDoS, eavesdropping, impersonation, replay, modification, spoofing, ARP and DNS attacks. Know the effective countermeasures for each.
