TELE 301 Network Management. Lecture 16: Remote Terminal Services

Similar documents
An Overview of the Secure Shell (SSH)

Chapter 17. Transport-Level Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Understanding Secure Shell Host Keys

finger, ftp, host, hostname, mesg, rcp, rlogin, rsh, scp, sftp, slogin, ssh, talk, telnet, users, w, walla, who, write,...

Secure File Multi Transfer Protocol Design

TELE 301 Network Management. Lecture 17: File Transfer & Web Caching

Exam Questions SY0-401

Client Server Registration Protocol

Tera Term Telnet. Introduction

Directory and File Transfer Services. Chapter 7

Topics in Network Security

SSH and FTP on Ubuntu WNYLUG Neal Chapman 09/09/2009

F-Secure. Securing the Mobile Distributed Enterprise. F-Secure SSH User's and Administrator's Guide

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Security. TestOut Modules

SCP - Strategic Infrastructure Security

Contents. Part 1 SSH Basics 1. Acknowledgments About the Author Introduction

How To Understand And Understand The Security Of A Key Infrastructure

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Abstract. VNC (Virtual Network Computing) is an open-source, cross-platform protocol for viewing GUI

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

SSH, SCP, SFTP, Denyhosts. Süha TUNA Res. Assist.

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Introduction. -- some basic concepts and terminology -- examples for attacks on protocols -- main network security services

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Security vulnerabilities in the Internet and possible solutions

Secure File Transfer with SSH

Secure Shell. The Protocol

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Transport Level Security

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

Windows Remote Access

Cornerstones of Security

Potential Targets - Field Devices

10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 9 Application Security

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

SSH The Secure Shell

CTS2134 Introduction to Networking. Module Network Security

Linux Network Security

Virtual Private Networks

Security Configuration Guide P/N Rev A05

TELE 301 Network Management. Lecture 18: Network Security

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Install and configure SSH server

Chapter 7 Transport-Level Security

File transfer clients manual File Delivery Services

WinSCP PuTTY as an alternative to F-Secure July 11, 2006

Cryptography: RSA and Factoring; Digital Signatures; Ssh

Network Security Fundamentals

If you prefer to use your own SSH client, configure NG Admin with the path to the executable:

Using sftp in Informatica PowerCenter

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

EXPLORER. TFT Filter CONFIGURATION

File Transfer Protocol (FTP) & SSH

Q: Why security protocols?

VPN Lesson 2: VPN Implementation. Summary

F-Secure SSH. for Windows. User s Guide

MobaXTerm: A good gnome-terminal like tabbed SSH client for Windows / Windows Putty Tabs Alternative

How Reflection Software Facilitates PCI DSS Compliance

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

File Protection using rsync. Setup guide

Wireless Encryption Protection

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Tunnels and Redirectors

My FreeScan Vulnerabilities Report

Methods available to GHP for out of band PUBLIC key distribution and verification.

Network Access Security. Lesson 10

SSH! Keep it secret. Keep it safe

Tel: Toll-Free: Fax: Oct Website: CAIL Security Facility

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Exploiting Transparent User Identification Systems

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Secure access to the DESY network using SSH

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Know your tools SSH. Dariusz Puchalak Dariusz_Puchalak < at > ProbosIT.pl

Cisco Configuring Secure Shell (SSH) on Cisco IOS Router

Remote Logging. Tanveer Brohi(14cs28)

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Wireless Networks. Welcome to Wireless

Deployment Guide AX Series with Active Directory Federation Services 2.0 and Office 365

Firewall Piercing. Alon Altman Haifa Linux Club

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SSL/FTP (File Transfer Protocol over Secure Sockets Layer)

Transcription:

TELE 301 Network Management Lecture 16: Remote Terminal Services Haibo Zhang Computer Science, University of Otago TELE301 Lecture 16: Remote Terminal Services 1

Today s Focus Remote Terminal Services -- What is a remote terminal? -- SSH TELE301 Lecture 16: Remote Terminal Services 2

What is a terminal? An electronic device used for entering data into, and displaying data from a computer Dumb terminal (thin client): no local processing ability Smart terminal (fat client): has local processing ability TELE301 Lecture 16: Remote Terminal Services 3

Hard-copy terminals TeleTYpewriter (TTY) System console What is a terminal? Terminal emulator a program that does what a dumb terminal used to do Terminal window TELE301 Lecture 16: Remote Terminal Services 4

TTY Remote History Berkeley r -commands rsh remote shell commands rlogin remote terminal rcp remote copy Weak host-based authentication Privileged ports,.rhosts, no password Telnet Remote terminal, similar to rlogin User-based authentication TELE301 Lecture 16: Remote Terminal Services 5

Past Problems Everything sent in clear-text, no encryption Weak Host-based authentication Exploitable trust relationships Privileged ports offer little protection Server not authenticated Man-in-the-middle (MITM) attack potential TELE301 Lecture 16: Remote Terminal Services 6

Resolutions Encrypt all traffic Authenticate both user and server Avoid trust relationships TELE301 Lecture 16: Remote Terminal Services 7

Secure SHell (SSH) SSH provides secure versions of the r - commands and telnet Encrypts all traffic Public/Private Key for authentication Fast block cipher for data transfer Authenticate both server and user A wide range of means to do so TELE301 Lecture 16: Remote Terminal Services 8

Functionality of SSH (1) Secure Command Shell: anything that can be done at a local machine can be done securely remotely View contents in directories and edit files Start batch jobs, Start, view or stop services and process Create user accounts, change permissions TELE301 Lecture 16: Remote Terminal Services 9

ecure Shell Overview Functionality of SSH (2) Port forwarding or some applications, a secure remote command shell isn t sufficient and graphical emote control is necessary. Secure Shell s port forwarding capabilities can be used to reate an encrypted tunnel over which an application can be run. Virtual Network Clien VNC this will be a link to: http://www.uk.research.att.com/vnc/index.html), a cross latform GUI remote control application is a good example. allows data from normally unsecured TCP/IP applications to be securely sent across the encrypted tunnel, multiple applications can transmit data over a single multiplexed channel. Secure encrypted tunnel Internet SSH Client port forwarding: E-mail Database VNC client Firewall with only port 22 open Host with: SSH server Mail server Database server VNC server Ref: An Overview of the Secure Shell (SSH), Vandyke Software Port forwarding allows multiple TCP/IP applications to share a single secure connection TELE301 Lecture 16: Remote Terminal Services 10

Functionality of SSH (3) Port forwarding Local port forwarding: forward data securely from another client application running on the same computer as the Secure Shell Client Client Mail Client pop3.domain POP3 Server TCP TCP 127.0.0.1 : 10110 ssh -L 10110:pop3:110 ras.domain SSH TCP sshd ras.domain TELE301 Lecture 16: Remote Terminal Services 11

Functionality of SSH (4) Port forwarding Remote port forwarding: enables applications on the server side of a Secure Shell connection to access services residing on the SSH's client side. printer cupsd cupsd Client ssh -R 10631:printer:631 ssh_server shell 127.0.0.1 : 10631 sshd SSH Server TELE301 Lecture 16: Remote Terminal Services 12

Functionality of SSH (5) Secure File Transfer Secure copy (SCP): RCP protocol over SSH. Rsync: intended to be more efficient than SCP SSH File Transfer Protocol (SFTP): a secure alternative to FTP (not to be confused with FTP over SSH) Files transferred over shell protocol (FISH): evolved from Unix shell command over SSH TELE301 Lecture 16: Remote Terminal Services 13

rotocol Basics of Secure Shell User Authentication Host Authentication Data Encryption Data Integrity Basics of SSH he Secure Shell protocol provides four basic security benefits: User Authentication Host Authentication Data Encryption Data Integrity http://docstore.mik.ua/orelly/ networking_2nded/ssh/ch03_03.htm Picture from: An Overview of the Secure Shell (SSH), VanDyke software TELE301 Lecture 16: Remote Terminal Services 14 Secure Shell authentication, encryption and integrity ensure identities and keep data secure

Keys, Keys, Keys User Key A persistent, asymmetric key used by clients as proof of a user's identity. A single user may have multiple keys Host Key A persistent, asymmetric key used by a server as proof of its identity Used by a client when proving its host's identity as part of trustedhost authentication Server Key A temporary, asymmetric key used in the SSH-1 protocol. It is regenerated by the server at regular intervals (by default every hour) and protects the session key Session Key A randomly generated, symmetric key for encrypting the communication between an SSH client and server. TELE301 Lecture 16: Remote Terminal Services 15

User Authentication Password authentication The username and password are encrypted before transmission. Inherently vulnerable in that they can be guessed Public key authentication Public key and private key: generated using ssh-keygen Private key should never be distributed, and should be protected by passphrase My public key: ssh-dss AAAAB3NzaC1kc3MAAACBAOYxKP/MGpQ4WzWZWwMhhkdUqzYlt/MQ9wGqvtjYemsAT6JFhsoQhBxetqRl// M1CmX6I29M9Xosi9y6n0ch8WYQOYb2pJmoLOs+imn71E52c/BcQ+81QMIKbXDirWYfFBKVO6/laEHzhmI +84mGMgtEX5yHShJJ1T1Kw03Oq57DAAAAFQDbQ0zs3AuDYJSjNwUY+48hGvnyQwAAAIA7vSwfKmfXp6frnx8UwBD/ 6HwmGiMiwMOg8mXxm8iVm8Qg210TIFihNU8b6Y/chWfjsy0iYo1Rczs/ 0yMfdLgupYRluYOEbj58+Rg5WNKa0Np7aOuCrftLRrdwOQCiT93EQSObFzBYxlChEG75rgQIBFc65M8cE9ear0oeC8JWqQA AAIAFEHQHFCUeZsusoWRm7uP5nTB2rnIb2ZpvpdTb/8UqNtIIn0WctqxELWGfCLiKEVpOYsjvCtHHYr/ 3tsQ3PloudD479Uke9fn8N5E2rIRQkbQM4yLi0elAV9lgIh6ctJUQqRdmmAZC+xidE6JxMUssvUIOHosRqSc70XSabUYswQ== haibo@oucs1325.otago.ac.nz TELE301 Lecture 16: Remote Terminal Services 16

Host Authentication Host key Used by a server to prove its identity to a client Used by a client to verify its known host Persistent (change infrequently) and asymmetric Guards against the Man-in-the-Middle attack Two operations: Looking up the client host key Matching the client host TELE301 Lecture 16: Remote Terminal Services 17

Data Encryption/Integrity Encryption Use ciphers to encrypt and decrypt data being send over the wire Block cipher such as DES, 3DES, use a shared key (session key) Agree which cipher use during connection setup Session keys are randomly generated by both the client and server, after host authentication and before user authentication Integrity Message Authentication Code (MAC) in SSH2 Simple 32-bit CRC in SSH1 TELE301 Lecture 16: Remote Terminal Services 18

SSH versions Two major versions SSH1 Has inherent design flaws which make it vulnerable SSH2 Currently used Support any number of sessions over a single SSH connection Better security: Diffie-Hellman key exchange and strong integrity checking. TELE301 Lecture 16: Remote Terminal Services 19

Threats Addressed by SSH Eavesdropping or Password Sniffing All transmitted data is encrypted Man-in-the-middle attack (MITM) cure Shell Overview Host authentication Can not happen unless the host itself has been compromised cure Shell protects against MITM attacks through server host authentication. U e host itself has been compromised, Eve does not have access to the server s pri y and cannot impersonate Alice. Client (Bob) Server (Alice) SSH fake server fake client SSH Attacker (Eve) Picture from: An Overview of the Secure Shell (SSH), VanDyke software TELE301 Lecture 16: Remote Terminal Services 20

Threats Addressed by SSH Insertion and Replay attack Attacker is not only monitoring the SSH session, but is also observing the keystrokes By comparing what is typed with the traffic in the SSH stream, the attacker can deduce the packet containing a particular command, and reply the command at a particularly inappropriate time during the session. Message authentication code prevents such attacks. SSH Doesn t Prevent Password Cracking IP and TCP attacks Traffic Analysis TELE301 Lecture 16: Remote Terminal Services 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information