
Encrypted Login

Like PC card-based solutions and digital IDs, encrypted logins are central to providing confidentiality, integrity, and authentication for remote connectivity across the Internet. An encrypted login session protects the credentials exchanged at login and, depending on the protocol, the traffic that follows, which is how all three of these requirements are met.

Secure Shell Protocol

Secure Shell (SSH) provides an encrypted replacement for Telnet and other cleartext remote-login protocols. SSH protects the connection by encrypting everything carried over it: passwords, command-line input, debug output, and even binary files. This section focuses solely on SSH as a protocol that provides a secure remote connection to a Cisco IOS router.

Imagine an administrator logging in to the remote router with IP address 10.10.10.1. Figure 3-5 illustrates this remote login.

Figure 3-5. SSH Encrypted Connection


This is a client-server setup in which the Cisco IOS router is the SSH server and the administrator's laptop is the SSH client. The SSH server in Cisco IOS interoperates with publicly and commercially available SSH clients; the free PuTTY client is used for this example. The connection between the SSH client (laptop) and the SSH server (Cisco IOS router) looks like an inbound Telnet session to the router, except that the client authenticates the router by its host key and the entire session, including the password exchange, is encrypted. Using authentication and encryption, SSH allows secure communication over an insecure medium.

Two versions of the protocol exist, SSH Version 1 and SSH Version 2. SSH Version 1 has known protocol-level weaknesses, so SSH Version 2 should be used wherever the client and the IOS image support it. More information can be found on the following web page:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Technologies:SSH
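The setup in Figure 3-5 as an IOS configuration, added here as an example and not taken from the page or from Cisco documentation; the hostname R1, the domain example.com, the username admin, and the 10.10.10.1 address are assumptions:

```text
! --- Router side (Cisco IOS); hostname, domain, and username are assumed ---
hostname R1
ip domain-name example.com
!
! The RSA key pair is the host key the router presents to every SSH client.
! IOS names the key after hostname.domain, so set both before generating it.
! Use a 2048-bit or larger modulus.
crypto key generate rsa modulus 2048
!
! Refuse SSH Version 1 connections and limit brute-force attempts.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account the SSH client authenticates as. 'secret' stores a hash;
! 'password' would store a reversible type 7 string. Replace the placeholder.
username admin privilege 15 secret <choose-a-strong-password>
!
! Accept only SSH on the VTY lines: this is the line that actually disables
! Telnet. 'login local' checks the username command above.
line vty 0 4
 login local
 transport input ssh
!
! --- Checks on the router ---
! R1# show ip ssh                    -> "SSH Enabled - version 2.0"
! R1# show crypto key mypubkey rsa   -> the public key, to verify the
!                                       fingerprint the client displays
! R1# show ssh                       -> active sessions once a client connects
!
! --- Client side (OpenSSH shown; PuTTY presents the same host-key prompt) ---
! $ ssh -l admin 10.10.10.1
! On the first connection the client displays the router's host-key
! fingerprint. Confirm it matches the key on the console before typing the
! password; otherwise an attacker on the path could impersonate the router.
```

The `transport input ssh` line is the one that matters for the "Telnet versus SSH" point: enabling the SSH server alone leaves Telnet accepted on the VTY lines, and a client that falls back to Telnet would send the same password in the clear.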

Kerberos Encrypted Login Sessions

A Kerberos encrypted login session provides an alternative to SSH login, in which a trusted third party, the Kerberos key distribution center, verifies the identity of the user. Kerberos is designed to provide strong authentication in client-server scenarios using secret-key (symmetric) cryptography. The distinction drawn here is that SSH provides both encrypted authentication and an encrypted data session end to end, whereas Kerberos, as used for router login, provides encrypted authentication only; the session that follows is not protected by Kerberos itself. More information can be found at the following web page:

http://www.cisco.com/en/US/tech/tk583/tk385/tech_protocol_family_home.html

Secure Sockets Layer (HTTP versus HTTPS)

HTTP is not secure; HTTPS is HTTP carried over Secure Sockets Layer (SSL). As discussed in the first section of this chapter, digital IDs use HTTPS: the server proves its identity with a certificate, public-key cryptography is used to establish a session key that only the two endpoints hold, and that session key encrypts the data. In HTTP, the information, including any login credentials, is sent in plain text and can be read by anyone on the path. The main difference is this: HTTP has no encryption, and HTTPS uses the public/private key system to authenticate the server and to set up the encryption of the session.

SSL was originally developed by Netscape Communications to allow a browser to access a web server securely, and it has since become the standard for securing web traffic. With the increasing number of high-availability, HTTPS-based transactions, the Cisco SSL products (content switches and standalone SSL appliances) offload the SSL processing and simplify the support responsibilities of the website administrator. SSL-enabled websites provide confidentiality, message integrity, and server authentication to users who log in over them. Note that, unless client certificates are used, SSL authenticates the server to the user and not the user to the server; authenticating the user is still the job of the login that takes place inside the encrypted session.
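Applying the same HTTP-versus-HTTPS point to the router's own web management interface, as an added IOS configuration example that is not from the page or from Cisco documentation; the router address 10.10.10.1, the username admin, and the trustpoint name are assumptions:

```text
! --- Cisco IOS: management over HTTPS rather than HTTP (added example) ---
!
! Disable the cleartext server. With it enabled, the login is HTTP Basic
! authentication and the username:password pair crosses the network in
! plain text (Base64 is an encoding, not encryption).
no ip http server
!
! Enable the SSL/TLS server on TCP 443. If no trustpoint is configured,
! IOS creates a self-signed certificate the first time this is enabled.
ip http secure-server
!
! Optional: present a certificate from a CA-backed trustpoint instead of
! the self-signed one (MGMT-TP is an assumed trustpoint name).
! ip http secure-trustpoint MGMT-TP
!
! Authenticate against the local username database. Replace the placeholder.
ip http authentication local
username admin privilege 15 secret <choose-a-strong-password>
!
! --- Checks on the router ---
! R1# show ip http server status          -> "HTTP server status: Disabled"
! R1# show ip http server secure status   -> "HTTP secure server status: Enabled"
!
! --- From the laptop: inspect the certificate the router presents ---
! $ openssl s_client -connect 10.10.10.1:443 </dev/null
! A self-signed certificate fails chain verification ("verify error");
! compare its fingerprint against the router out of band before trusting
! it, exactly as with the SSH host key.
```

The two status commands are the check worth keeping: `ip http secure-server` on its own does not turn off the plaintext server, so a router can be answering on both 80 and 443 until `no ip http server` is applied.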

NOTE

Transport Layer Security (TLS), standardized by the Internet Engineering Task Force (IETF) for general-purpose authentication and encryption over TCP/IP networks, is the successor protocol to SSL. TLS 1.0 was published as RFC 2246 in 1999.


Chapter 7, "Web Security," presents more information on SSL. You can also check out the following web page:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns140/networking_solutions_package.html
