Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Transcription

1 Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication Objectives Define authentication Describe the different types of authentication credentials List and explain the authentication models Define authentication servers Describe the different extended authentication protocols Explain how a virtual private network functions Definition of Authentication Authentication can be defined in two contexts: 1) Authentication as it relates to access control 2) A member of one of the three key elements of security: Authentication Authorization Accounting Also known as Triple A (AAA) Authentication and Access Control Terminology Definitions Access Control: The process by which resources or services are granted or denied Identification: The presentation of credentials Authentication: Verification of presented credentials Authorization: Granting permission for admittance Access: The right to use specific resource(s) Authentication, Authorization, and Accounting (AAA) Authentication provides mechanism to identify the user (typically via password) prior to granting access Authorization determines if the user has the authority to carry out certain tasks (defined as process of enforcing policies) Accounting measures the resources a user consumes during each network session Authentication, Authorization, and Accounting (AAA) (cont.) AAA Information uses 1) Find evidence of problems 2) Billing (based on consumed resources) 3) Planning (current utilization vs. future capacity requirements) AAA server

2 1) Dedicated to performing AAA functions 2) Can provide significant advantages in a network Authentication Credentials Types of authentication / authentication credentials: 1) Passwords 2) One-time passwords 3) Standard biometrics 4) Behavioral biometrics 5) Cognitive biometrics One-Time Passwords Standard passwords Static for a set period of time (password reset interval) One-time passwords (OTP) 1) Dynamic generated unique passwords 2) Not reusable 3) Most common type is a time-synchronized OTP Used in conjunction with a token 4) Token and the authentication server use the same algorithm 5) Each seed for each token is unique Time-Synchronized OTP Sequence One-Time Passwords (cont.) There are several variations of OTP systems Challenge-based OTPs 1) Authentication server displays a challenge (a random number) to the user 2) User then enters the challenge number into the token 3) Token generates the password response to challenge number 4) Authentication server compares users response and grants or denies access Standard Biometrics Uses a person s unique characteristics for authentication (something the are ) 1) Examples: fingerprints, faces, hands, irises, retinas Fingerprint Scanner Types: 1) Static 2) Dynamic Disadvantages 1) Costs 2) Potential False Positives (errors) Standard Biometrics (cont.) Behavioral Biometrics

3 Authenticates by normal actions that the user performs 3 types of Behavioral Biometrics Keystroke Dynamics Voice Recognition Computer Footprinting Behavioral Biometrics Keystroke dynamics 1) Attempt to recognize a user s unique typing rhythm 2) Uses two unique typing variables: Dwell time Flight time Behavioral Biometrics (cont.) Voice recognition 1) Authenticate user based on the unique characteristics of a person s voice 2) Phonetic cadence Speaking two words together in a way that one word bleeds into the next word Becomes part of each user s speech pattern Computer footprint 1) When and from where a user normally accesses a system Cognitive Biometrics Related to the perception, thought process, and understanding of the user Considered to be much easier for the user to remember because it is based on the user s life experiences Examples: 1) Life experiences that the user remembers 2) User must identify specific faces from their life experiences Authentication Models Single and multi-factor authentication 1) One-factor authentication Using only one authentication credential 2) Two-factor authentication Enhances security, particularly if different types of authentication methods are used 3) Three-factor authentication Requires that a user present three different types of authentication credentials

4 Authentication Models (cont.) Single sign-on 1) Identity management Using a single authenticated ID to be shared across multiple networks 2) Federated Identity Management (FIM) When those networks are owned by different organizations 3) One application of FIM is called single sign-on (SSO) Using one authentication to access multiple accounts, applications, or directory services controlled by one or more groups Authentication Models (cont.) Windows Live ID 1) Introduced in 1999 as.net Passport 2) User to create a standard username and password 3) Requires web site to support Windows Live ID User will first be redirected to the nearest authentication server 4) Once authenticated, the user is given an encrypted time-limited global cookie Authentication Models (cont.) Windows CardSpace 1) Windows feature intended to provide users with control of their digital identities 2) Helps to manage privacy 3) Creates Virtual Business Card for exchange with other users 4) Types of Cards Manage cards Site Specific Personal cards General purpose information cards 5) Identities downloaded and verified by Identity Providers 6) Authentication Models (cont.) Authentication Models (cont.) OpenID 1) Decentralized open source federated identity 2) No unique software installed on client 3) A URL based identity system An OpenID identity is only a URL backed up by a username and password OpenID provides a means to prove that the user owns that specific URL Currently used by: 1) Facebook, twitter, Google Single or Multi-Factor Authentication methods Single Sign On (SSO)

5 1) Supports multiple resources, providers, directories 2) Federated Identity Management (FIM) supports multiple directory owners Windows Live provides a time-limited global cookie 1) OpenID provides decentralized open source federated identity without unique client software 2) Authentication Servers Network Authentication is perform by a dedicated AAA or authentication server Most common types of servers are: 1) RADIUS 2) Kerberos 3) TACACS+ 4) Lightweight Directory Access Protocol (LDAP) RADIUS RADIUS (Remote Authentication Dial in User Service) 1) Developed in ) Industry standard with widespread support 3) Suitable for high-volume service control applications 4) Provides centralized AAA management 802.1x port security has caused increased demand for RADIUS use RADIUS (cont.) RADIUS Client: Typically a device such as a dial-up server or wireless access point (AP) 1) Responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server 2) Sends accounting messages to RADIUS server RADIUS Server: Authenticates and authorizes the RADIUS client request 1) Sends back a RADIUS response message RADIUS (Cont.) Kerberos Kerberos 1) Authentication system developed by MIT 2) Deployed in Enterprises, requires back-end and client infrastructure support 3) Used to verify the identity of networked users 4) Provides encryption & authentication services 5) Identifies authorized subject, roles, and resources 6) Issues a ticket (software certificate) valid for a specified period of time 7) Supported by Windows W2K3 >, Mac OS X, and Linux 8) Kerberos

6 Process: 1) Users authenticates to network 2) User is provided a ticket that is issued by the Kerberos authentication server 3) The user presents this ticket to the network for each service or resource accessed 4) The service then examines the ticket to verify identity of the user (subject) 5) Validate subjects access rights to resource Terminal Access Control Access Control System (TACACS+) Terminal Access Control Access Control System (TACACS+) 1) Industry standard protocol specification 2) Forwards username and password information to a centralized server Can be either a centralized server or TACACS+ database 1) Supports Linux or UNIX password file with TACACS protocol support 2) Used by CISCO and other vender implementations for centralized network hardware authentication services Lightweight Directory Access Protocol (LDAP) Directory service 1) A database stored on the network itself that contains information about users, devices, and permissions 2) Supported in Windows Server, MAC, Linux, and Unix X.500 1) A standard for directory services 2) Created by ISO White-pages service 1) Capability to look up information by name Yellow-pages service 1) Browse and search for information by category Lightweight Directory Access Protocol (LDAP) (cont.) The information is held in a directory information base (DIB) Entries arranged in a tree structure called the directory information tree (DIT) Directory Access Protocol (DAP) 1) Protocol for a client application to access an X.500 directory 2) DAP is too large to run on a personal computer Lightweight Directory Access Protocol (LDAP) (cont.)

7 Lightweight Directory Access Protocol (LDAP) 1) Sometimes called X.500 Lite 2) A simpler subset of DAP Primary differences 1) LDAP was designed to run over TCP/IP 2) LDAP has simpler functions 3) LDAP encodes its protocol elements in a less complex way than X.500 LDAP is an open protocol Most Common Types of Authentication Servers: 1) RADIUS: Authenticates clients, provides connection parameters, sends accounting messages 2) Kerberos: Issues ticket with specified permissions; ticket has limited lifetime; requires back-end infrastructure to implement; supported by most mainstream OS s 3) TACACS+: Leverages Linux / Unix / and network infrastructure access databases 4) Lightweight Directory Access Protocol (LDAP): Uses tree database structure; open source; provides client data lookup capabilities 5) Extended Authentication Protocols (EAP) Extensible Authentication Protocol (EAP) 6) Management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server 7) An envelope that can carry many different kinds of exchange data used for authentication EAP s Three protocols categories: 1) Authentication legacy protocols 2) EAP weak protocols 3) EAP strong protocols Extended Authentication Protocols Authentication Legacy Protocols No longer extensively used for authentication Three legacy protocols: 1) Password Authentication Protocol (PAP) 2) Challenge-Handshake Authentication Protocol (CHAP) 3) Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) Instructors Note: Still covered on the Certification Test EAP Weak Protocols Still used but have security vulnerabilities EAP Weak protocols: 1) Extended Authentication Protocol MD5 (EAP-MD5)

8 Not suitable for wifi authentication Should only be used in low-risk wired environments 2) Lightweight EAP (LEAP) Used in CISCO Wifi authentication environments Subject to Dictionary attacks EAP Strong Protocols EAP Strong protocols include: 1) EAP with Transport Layer Security (EAP-TLS) Uses PKI Certificates Uses encrypted tunneling for authentication communication Resistant to dictionary attacks 2) EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP) Uses Windows authentication credentials for authentication More flexible than EAP-TLS Remote Authentication and Security Important to maintain strong security for remote communications 1) Transmissions are routed through networks or devices that the organization does not manage and secure Managing remote authentication and security usually includes: 1) Using remote access services 2) Installing a virtual private network 3) Maintaining a consistent remote access policy Remote Access Services (RAS) 1) Combination of hardware and software that enables remote users access to a local internal network from an off-lan location 2) Provides remote users with the same access and functionality as local users Virtual private network (VPN) 1) One of the most common types of RAS 2) Uses an unsecured public network, (e.g. Internet), to create a tunnel 3) Connects remote client to internal network as if plugged in to the LAN directly 4) Encrypts all data that is transmitted between the remote device and the network 5) Hardware or software based Common types of VPNs 1) Remote-access VPN or virtual private dial-up network (VPDN)

9 2) Site-to-site VPN Virtual Private Networks (VPNs) (cont.) Transmissions are achieved through communicating with endpoints Endpoint 1) End of the tunnel between VPN devices VPN concentrator 1) Aggregates hundreds or thousands of multiple connections Depending upon the type of endpoint client software may be required Virtual Private Networks (VPNs) (continued) Hardware vs. Software VPN s 1) Software-based VPNs: Most flexibility in how network traffic is managed 2) Hardware-based VPNs: Generally tunnel all traffic they handle regardless of the protocol 3) Better performance than software-based solutions Virtual Private Networks (VPNs) (cont.) Advantages: 1) Cost savings 2) Scalability 3) Full protection 4) Speed 5) Transparency 6) Authentication 7) Industry standards Remote Access Policies Establishing strong remote access policies is important Remote Access Policy Recommendations: 1) Should be consistent for all users 2) Responsibility of the IT department 3) Empower a working group to create standards that all departments will agree to Summary Access control: Process by resources or services are denied or granted There are three types of authentication methods Authentication credentials can be combined to provide extended security Authentication can be provided on a network by a dedicated AAA or authentication server The management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server is known as the Extensible Authentication Protocol (EAP)

10 Organizations need to provide avenues for remote users to access corporate resources as if they were sitting at a desk in the office