Comparing Remote Access Methods Flashcards
(31 cards)
Fiber to the curb vs fiber to the premises
Fiber to the curb goes to the cabinet near the customer’s house and fiber to the premises goes to the building.
What are the good remote access policies
- Restrict to specific users and groups
- Limit times and days
- Limit network privileges
- Logging and auditing
- Keep systems updated
- Secure admin access
Types of VPN
- Host-to-Host VPN: allows an individual host on the Internet to establish a VPN connection with another host.
- Site-to-Site VPN: Connects two local networks of hosts at different locations so that each host can communicate with any host at the other location. Rather than requiring a VPN configuration on each host, you install a single device at each site that handles the VPN connection and packet encryption.
- Remote Access VPN: Individual hosts establish a VPN connection to a remote site. The client computer connects to a device called a VPN concentrator that sits on the edge of the private network. VPN concentrators are hardware devices dedicated to establishing connections with remote hosts. Each host is configured with software, often called a VPN client, that establishes the connection between the host and the VPN concentrator.
- Clientless VPN: This type of VPN does not require the host to install VPN client software. Instead, the host connects to the remote resource using a web browser. Access to the site is usually controlled with a simple username and password. This type of VPN is also known as an SSL VPN because it uses Secure Sockets Layer (SSL) to encrypt data.
Tunneling Protocols
- Point-to-Point Protocol (PPP): A method to send data from one point to another over a direct connection. It encapsulates data so it can travel over this connection, but it provides no security by itself.
- Generic Routing Encapsulation (GRE): A method to put one packet inside another packet so it can travel across a network. It allows different kinds of network data to travel inside regular IP packets. It has no security by itself but can be combined with IPsec.
- IPsec: A secure way to send data over the Internet. It encrypts and authenticates the data at the network layer so no one can read or modify it. It provides strong security by protecting each packet with a cryptographic key.
- Transport Layer Security: A secure tunnel built on top of regular Internet connections like TCP (or UDP with DTLS). It encrypts the data traveling between two devices (like your web browser talking to a website).
IPsec
It’s a framework of protocols designed to secure IP network communications. It provides services like encryption, authentication, and data integrity, ensuring secure data transmission, especially over potentially insecure networks like the internet.
Two core protocols of IPsec
- Authentication Header (AH): Makes sure data hasn't been changed. It uses a secret key plus a hash to create a signature over the packet. It does not encrypt data, so anyone who intercepts the packet can still read it (they just cannot modify it without being detected).
- Encapsulating Security Payload (ESP): Encrypts the data, keeping it secret, and also checks whether it has been modified.
Two modes of IPsec
- Transport mode: Used to secure communications between hosts on a private network. The payload data is encrypted, but the IP header is not.
- Tunnel mode: Used for communications between VPN gateways across an insecure network.
What is an IPsec policy
A set of rules that tells each device how to secure the connection. It specifies the authentication mechanism, whether AH and/or ESP is used, and whether transport or tunnel mode applies for a connection between two peers.
What is Internet Key Exchange (IKE)
Framework for creating a security association (SA) used with IPsec. An SA establishes that two hosts trust one another (authentication) and agree on the secure protocols and cipher suites to use when exchanging data.
Two Phases of IKE
- Phase 1: Creates a secure channel using Diffie-Hellman key exchange. Authenticates each device using digital certificates or a pre-shared key.
- Phase 2: Chooses which encryption and hashing methods to use for the VPN.
Versions of IKE
- IKEv1: Site-to-site and host-to-host. It needs supporting protocols to implement remote access VPNs.
- IKEv2: Stand-alone remote access VPN. Supports network address translation (NAT) traversal and MOBIKE multihoming. NAT traversal makes it easier to configure a tunnel through a home router/firewall. Multihoming means that a smartphone client with Wi-Fi and cellular interfaces can keep the IPsec connection alive when switching between them.
What is Multihoming
It means a smartphone with Wi-Fi and cellular interfaces can keep the IPsec connection alive when switching between them.
Client-to-Site VPN
VPN setup where a remote device (client) connects to a VPN gateway (at the company’s network).
VPN gateway
A VPN-enabled router/firewall at the company that manages VPN connection.
Split Tunnel
The client accesses the Internet directly using its ISP-managed IP configuration, routers, and DNS servers.
Full Tunnel
Internet access is mediated by the corporate network, which will alter the client’s IP address and DNS servers and may use a proxy.
HTML5 VPN or Clientless VPN
Using features of HTML5 to implement remote desktop/VPN connections through browser software, with no dedicated client installed. Also called a clientless VPN.
SSH
Cryptographic network protocol for secure communication, used for remote configuration and remote command-line access; it can also tunnel other protocols such as RDP.
SSH Authentication Methods
- Username/Password: Logging in with a username and password, just like logging into a website or email account.
- Public/Private keys: A private key stays safe on your computer; the public key is stored on the remote computer. Together, they unlock the door.
- Kerberos Authentication: Mostly used at companies. It uses a ticket you get when you log into your computer at work.
What is an SSH host key and what is it for?
Each SSH server has its own identifying key pair (host key), whose fingerprint proves the server is authentic.
Your computer remembers these keys so it knows it is talking to the right remote computer (and can warn you if the key changes).
Important SSH Commands
- sshd (the SSH server daemon)
- ssh-keygen (generate a key pair)
- ssh-copy-id (install your public key on a remote host)
- ssh-agent / ssh-add (hold private keys in memory for the session)
- ssh user@host (open an interactive session)
- ssh host "command" (run a single command remotely)
- scp / sftp (copy files over SSH)
RDP
Remote Desktop Protocol (RDP) creates a secure, encrypted remote connection and provides a full graphical desktop (GUI).
RDP vs. Telnet & SSH
Telnet and SSH provide a text-based command-line interface, whereas RDP sends screen and audio output to the client and accepts mouse and keyboard input.
Telnet port
23