Network Security 1 Module 4 Trust and Identity Technology
Learning Objectives
4.1 AAA
4.2 Authentication Technologies
4.3 Identity Based Networking Services (IBNS)
4.4 Network Admission Control (NAC)
Module 4 Trust and Identity Technology 4.1 AAA
AAA Model: Network Security Architecture
Authentication: Who are you? "I am user student and my password validateme proves it."
Authorization: What can you do? What can you access? "I can access host 2000_Server with Telnet."
Accounting: What did you do? How long did you do it? How often did you do it? "I accessed host 2000_Server with Telnet 15 times."
Implementing Cisco AAA (figure): remote clients (SLIP, PPP, ARAP) dial in over the PSTN/ISDN to a NAS; remote Cisco VPN Client users reach the router over the Internet; both devices consult a Cisco Secure ACS server or appliance before granting access to resources such as the corporate file server. Two access types are covered: administrative access (console, Telnet, and aux) and remote user network access (async, group-async, BRI, and serial PRI).
Implementing AAA Using Local Services (remote client, perimeter router)
1. The client establishes a connection with the router.
2. The router prompts the user for their username and password.
3. The router authenticates the username and password against its local database. The user is authorized to access the network based on information in the local database.
Implementing AAA Using External Servers (remote client, perimeter router, Cisco Secure ACS server or appliance)
1. The client establishes a connection with the router.
2. The router communicates with the Cisco Secure ACS (server or appliance).
3. The Cisco Secure ACS prompts the user, through the router, for their username and password.
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the network based on information found in the Cisco Secure ACS database.
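The two flows above are usually combined on a real router: the external server is tried first and the local database is the fallback. The point practitioners most often get wrong is when the fallback happens. The following Python model is an added example, not Cisco code or a transcript of IOS behaviour; it models the documented method-list rule that a method which cannot answer (server unreachable) is skipped, while a method which answers "reject" ends the attempt without consulting the local database. The user records (student/validateme on the ACS, admin on the router) are constructed for the example.

```python
"""Model of an AAA method list: try the ACS, fall back to the local database
only when the ACS cannot be reached. Constructed example, not IOS code."""
import hmac
from enum import Enum


class Result(Enum):
    PASS = "pass"     # method accepted the credentials
    FAIL = "fail"     # method answered and rejected them: stop here
    ERROR = "error"   # method could not answer: try the next method


# Constructed sample databases (the slide's student/validateme user on the ACS).
LOCAL_USERS = {"admin": ("r3cov3ry", 15)}                         # user -> (password, privilege)
ACS_USERS = {"student": ("validateme", {"telnet": ["2000_Server"]})}  # user -> (password, authz)


def _pw_ok(stored: str, given: str) -> bool:
    return hmac.compare_digest(stored.encode(), given.encode())


def local_method(user: str, password: str):
    """Router-local database: authentication and a privilege level for authorization."""
    entry = LOCAL_USERS.get(user)
    if entry and _pw_ok(entry[0], password):
        return Result.PASS, {"privilege": entry[1]}
    return Result.FAIL, None


def make_acs_method(reachable: bool):
    """External server method; 'reachable' simulates whether the ACS answers at all."""
    def acs_method(user: str, password: str):
        if not reachable:
            return Result.ERROR, None
        entry = ACS_USERS.get(user)
        if entry and _pw_ok(entry[0], password):
            return Result.PASS, {"authorized": entry[1]}
        return Result.FAIL, None
    return acs_method


def authenticate(user: str, password: str, methods):
    """Walk the method list in order; return (Result, authorization data)."""
    for method in methods:
        result, authz = method(user, password)
        if result is Result.ERROR:
            continue              # this method had no answer; consult the next one
        return result, authz      # PASS or FAIL from a method that answered is final
    return Result.FAIL, None      # nothing could decide: deny


if __name__ == "__main__":
    acs_up = [make_acs_method(True), local_method]
    acs_down = [make_acs_method(False), local_method]
    print("student via ACS:", authenticate("student", "validateme", acs_up))
    print("admin, ACS up:  ", authenticate("admin", "r3cov3ry", acs_up))    # FAIL: no fallback on reject
    print("admin, ACS down:", authenticate("admin", "r3cov3ry", acs_down))  # PASS: local fallback
```

The second call is the one to notice: with the ACS reachable, the locally defined admin account is rejected because the server answered. Local accounts only matter when the server is silent, which is why a local recovery account alone does not help when the ACS has the wrong policy.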
The TACACS+ and RADIUS AAA Protocols
Two different protocols are used to communicate between the AAA security server and a router, NAS, or firewall. Cisco Secure ACS supports both TACACS+ and RADIUS:
TACACS+ (TCP port 49) encrypts the entire packet body and handles authentication, authorization, and accounting as separate exchanges, so it remains the more secure choice and the usual one for device administration.
RADIUS (UDP, ports 1812/1813 or the older 1645/1646) hides only the User-Password attribute and leaves the rest of the packet in clear text; it combines authentication and authorization in one exchange, has a robust API and strong accounting, and is the usual choice for network access.
Both protect traffic with a shared secret configured on the device and on the server (figure: security server Cisco Secure ACS speaking TACACS+ or RADIUS to a firewall, a router, and a network access server).
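"TACACS+ is more secure than RADIUS" is easiest to see at the packet level. The Python below is an added example written for this page, not Cisco Secure ACS code; it builds a minimal RADIUS Access-Request with the RFC 2865 User-Password hiding and a minimal TACACS+ authentication START packet with the RFC 8907 body obfuscation, then reports what a sniffer on the device-to-server link would read. The shared secret, Request Authenticator, session ID, and user credentials are constructed values, and the packets are simplified (one RADIUS identifier, no TACACS+ follow-up packets).

```python
"""RADIUS hides only the password attribute; TACACS+ obfuscates the whole body.
Added example with constructed values; both keystreams are MD5 chains over a
shared secret, so the difference is coverage, not cipher strength."""
import hashlib
import struct

SHARED_SECRET = b"s3cr3tkey"                 # constructed shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))     # constructed 16-byte Request Authenticator
SESSION_ID = 0x12345678                      # constructed TACACS+ session id


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: invert the chain and strip the padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Code 1 (Access-Request), identifier 0, attributes User-Name (1) and User-Password (2).
    Only the User-Password value is transformed; the User-Name is sent as-is."""
    def avp(attr_type: int, value: bytes) -> bytes:
        return bytes([attr_type, len(value) + 2]) + value
    attrs = avp(1, username) + avp(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 s4.5: body XOR MD5 chain seeded with session_id, key, version, seq_no.
    XOR is its own inverse, so the same call decrypts."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(username: bytes, password: bytes, key: bytes, session_id: int) -> bytes:
    """Authentication START (PAP login): 12-byte header in the clear, body obfuscated."""
    port, rem_addr = b"tty0", b""
    # action LOGIN(1), priv_lvl 1, authen_type PAP(2), service LOGIN(1), then the four lengths
    body = (bytes([1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)
    header = struct.pack("!BBBBII", 0xC0, 1, 1, 0, session_id, len(body))  # version, type AUTHEN, seq, flags
    return header + tacacs_obfuscate(body, key, session_id)


def sniffer_view(username: bytes, password: bytes) -> dict:
    """Which credential fields are readable on the wire without the shared secret."""
    rad = radius_access_request(username, password, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    tac = tacacs_authen_start(username, password, SHARED_SECRET, SESSION_ID)
    return {
        "radius_username_visible": username in rad,
        "radius_password_visible": password in rad,
        "tacacs_username_visible": username in tac,
        "tacacs_password_visible": password in tac,
    }


if __name__ == "__main__":
    print(sniffer_view(b"student", b"validateme"))
```

The username (and every other RADIUS attribute, such as the NAS address and the calling station) is readable in the RADIUS capture; in the TACACS+ capture only the header is. Neither protocol is a substitute for a protected management network: anyone holding the shared secret can invert both transformations, as radius_reveal_password shows.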
Module 4 Trust and Identity Technology 4.2 Authentication Technologies
Authentication Methods (figure)
Authentication: Remote PC, Username and Password (figure)
Authentication: One-Time Passwords, S/Key
A list of one-time passwords is generated by the S/Key program from an iterated hash function.
Each password is sent in clear text over the network, but is valid only once, so a captured password cannot be replayed and does not reveal the next one.
The security server must support S/Key.
(figure: the workstation sends an S/Key password in clear text; the security server supports S/Key and checks it against the stored value)
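The slide says the passwords travel in clear text and that this is acceptable; the hash chain is why. The Python below is an added example and not the S/Key program: the original S/Key (RFC 1760) uses MD4, which is not available in every hashlib build, so this uses the MD5 folding of its successor OTP (RFC 2289), with the same chain structure. The passphrase, seed, and chain length are constructed values.

```python
"""S/Key style one-time passwords: the server keeps the last accepted value and the
client proves knowledge of its hash pre-image. Added example using the RFC 2289
MD5 folding rather than the original MD4."""
import hashlib
import hmac


def otp_fold(data: bytes) -> bytes:
    """RFC 2289 MD5 variant: 128-bit digest folded to 64 bits by XORing the halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_value(passphrase: str, seed: str, n: int) -> bytes:
    """Password number n: fold applied n+1 times to seed||passphrase (seed is lowercased)."""
    x = otp_fold((seed.lower() + passphrase).encode())
    for _ in range(n):
        x = otp_fold(x)
    return x


def otp_list(passphrase: str, seed: str, count: int) -> list:
    """The printed list the user carries: numbers count-1 down to 0, crossed off from the top."""
    return [(n, otp_value(passphrase, seed, n).hex()) for n in range(count - 1, -1, -1)]


class SkeyServer:
    """Stores seed, sequence number and the last accepted password; never the passphrase."""

    def __init__(self, seed: str, seq: int, last: bytes):
        self.seed, self.seq, self.last = seed, seq, last

    def challenge(self) -> str:
        """What the login prompt shows; the client needs passphrase + this to answer."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, presented: bytes) -> bool:
        if self.seq <= 0:
            return False                                   # chain exhausted, re-enrol
        if not hmac.compare_digest(otp_fold(presented), self.last):
            return False                                   # wrong, or a replay of a used value
        self.seq -= 1
        self.last = presented                              # ratchet forward; old values now fail
        return True


def enroll(passphrase: str, seed: str, count: int) -> SkeyServer:
    """Enrolment: the server receives password number count and expects count-1 first."""
    return SkeyServer(seed, count, otp_value(passphrase, seed, count))


if __name__ == "__main__":
    pp, seed = "correct horse battery", "ns9876"
    srv = enroll(pp, seed, 5)
    print(srv.challenge())
    print("login:  ", srv.verify(otp_value(pp, seed, 4)))
    print("replay: ", srv.verify(otp_value(pp, seed, 4)))  # same password again: rejected
```

An eavesdropper who captures password 4 can compute password 5 (already consumed) but not password 3, because that would require inverting the hash. Sniffing the clear-text value therefore buys nothing; the passphrase itself is never on the wire.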
Authentication: Token Cards and Servers (figure: a four-step exchange between the user, the NAS, Cisco Secure ACS, and the token server, with the token card's OTP supplied at step 3)
AAA Example: Authentication via PPP Link (TCP/IP and PPP client, over PSTN or ISDN, to a network access server)
PAP, Password Authentication Protocol: the password is sent in clear text and repeated on every login, so it is subject to eavesdropping and replay attacks.
CHAP, Challenge Handshake Authentication Protocol: a secret password per remote user; the authenticator sends a random-number challenge on the link, and the challenge can be repeated periodically to prevent session hijacking. The CHAP response is an MD5 hash of (identifier + secret + challenge) as defined in RFC 1994, so the secret itself never crosses the link; this is robust against sniffing and replay. Caveat: a captured challenge/response pair still allows offline guessing of a weak secret, and MD5 is no longer a recommended hash.
MS-CHAP, Microsoft CHAP: v1 is supported in IOS 11.3 and later; v1 or v2 in IOS 12.2 and later.
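The CHAP exchange above, as an added Python example (not Cisco or PPP stack code): the peer computes the RFC 1994 response, the authenticator verifies it against the challenge it issued, a replayed response fails against the next challenge, and the final function shows the caveat that a single captured exchange lets an attacker test candidate secrets offline. The user name student, the secret validateme, and the candidate word list are constructed.

```python
"""CHAP challenge/response (RFC 1994): response = MD5(Identifier || secret || Challenge).
Added example with constructed users; demonstrates replay resistance and its limit."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: hash over the one-byte Identifier, the shared secret, then the Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """NAS side: holds per-peer secrets, issues challenges, verifies one response each."""

    def __init__(self, secrets_by_name: dict):
        self.secrets = secrets_by_name
        self.identifier = 0
        self.outstanding = None   # the challenge currently awaiting a response

    def challenge(self, rand=os.urandom) -> tuple:
        """Issue a fresh Identifier and 16 random challenge bytes (rand is injectable for tests)."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = rand(16)
        return self.identifier, self.outstanding

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Recompute the expected value; a challenge is good for exactly one response."""
        secret = self.secrets.get(name)
        if secret is None or self.outstanding is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.outstanding)
        ok = hmac.compare_digest(expected, response)
        self.outstanding = None
        return ok


def replay_demo() -> tuple:
    """Legitimate login succeeds; replaying the captured response against the next
    challenge (the periodic re-challenge from the slide) fails."""
    nas = ChapAuthenticator({"student": b"validateme"})
    ident, chal = nas.challenge()
    captured = chap_response(ident, b"validateme", chal)   # what a sniffer on the link records
    first = nas.verify(ident, "student", captured)
    ident2, _ = nas.challenge()                             # new random challenge
    replayed = nas.verify(ident2, "student", captured)
    return first, replayed


def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates) -> bytes:
    """Caveat: one captured (identifier, challenge, response) lets an attacker test secrets offline."""
    for candidate in candidates:
        if hmac.compare_digest(chap_response(identifier, candidate, challenge), response):
            return candidate
    return None


if __name__ == "__main__":
    print("legitimate, replayed:", replay_demo())
    nas = ChapAuthenticator({"student": b"validateme"})
    ident, chal = nas.challenge()
    resp = chap_response(ident, b"validateme", chal)
    print("offline guess:", offline_guess(ident, chal, resp, [b"password", b"validateme"]))
```

CHAP removes the password from the wire and makes captured responses worthless for replay, which is the slide's claim. What it does not do is protect a guessable secret: with the captured triple an attacker runs the MD5 as fast as hardware allows, so CHAP secrets need the same strength as any offline-attackable hash.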
Module 4 Trust and Identity Technology 4.3 Identity Based Networking Services (IBNS)
Identity Based Network Services: Unified Control of User Identity for the Enterprise (figure: Cisco VPN Concentrators, Cisco IOS Routers, and PIX Firewalls at the firewall/router edge, with remote offices and VPN clients arriving over the Internet, all authenticating against Cisco Secure ACS backed by an OTP server issuing hard and soft tokens)
Identity Based Networking Services, Features and Benefits:
Intelligent adaptability, offering greater flexibility and mobility to stratified users
A combination of authentication, access control, and user policies to secure network connectivity and resources
User productivity gains and reduced operating costs
802.1x Components (figure)
End User (client): the supplicant, which presents credentials over EAP
Catalyst 2950 (switch): the authenticator, which relays EAP to the server and keeps the port closed to everything but authentication traffic until the server accepts
Authentication Server (RADIUS): decides whether the supplicant is admitted and returns the policy to apply
802.1x Benefits
Feature: 802.1x Authenticator Support. Benefit: Enables interaction between the supplicant component on workstations and application of appropriate policy.
Feature: MAC Address Authentication. Benefit: Adds support for devices such as IP phones that do not presently include 802.1x supplicant support.
Feature: Default Authorization Policy. Benefit: Permits access for unauthenticated devices to basic network service.
Feature: Multiple DHCP Pools. Benefit: Authenticated users can be assigned IP addresses from a different IP range than unauthenticated users, allowing network traffic policy application by address range.
802.1x Wireless LAN Example (figure: the Access Point acts as the authenticator for wireless clients and connects through a Catalyst 2950 switch to the Authentication Server (RADIUS))
Module 4 Trust and Identity Technology 4.4 Network Admission Control (NAC)
NAC Components (figure)
NAC Vendor Participation (figure)