Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication




Objectives
Define authentication
Describe the different types of authentication credentials
List and explain the authentication models
Define authentication servers
Describe the different extended authentication protocols
Explain how a virtual private network functions

Definition of Authentication
Authentication can be defined in two contexts:
1) Authentication as it relates to access control
2) A member of one of the three key elements of security: Authentication, Authorization, Accounting
   Also known as Triple A (AAA)

Authentication and Access Control Terminology
Definitions
Access Control: The process by which resources or services are granted or denied
Identification: The presentation of credentials
Authentication: Verification of presented credentials
Authorization: Granting permission for admittance
Access: The right to use specific resource(s)

Authentication, Authorization, and Accounting (AAA)
Authentication provides a mechanism to identify the user (typically via password) prior to granting access
Authorization determines if the user has the authority to carry out certain tasks (defined as the process of enforcing policies)
Accounting measures the resources a user consumes during each network session

Authentication, Authorization, and Accounting (AAA) (cont.)
AAA information uses:
1) Find evidence of problems
2) Billing (based on consumed resources)
3) Planning (current utilization vs. future capacity requirements)
AAA server

1) Dedicated to performing AAA functions
2) Can provide significant advantages in a network

Authentication Credentials
Types of authentication / authentication credentials:
1) Passwords
2) One-time passwords
3) Standard biometrics
4) Behavioral biometrics
5) Cognitive biometrics

One-Time Passwords
Standard passwords
   Static for a set period of time (password reset interval)
One-time passwords (OTP)
1) Dynamically generated unique passwords
2) Not reusable
3) Most common type is a time-synchronized OTP
   Used in conjunction with a token
4) Token and the authentication server use the same algorithm
5) Each seed for each token is unique

Time-Synchronized OTP Sequence

One-Time Passwords (cont.)
There are several variations of OTP systems
Challenge-based OTPs
1) Authentication server displays a challenge (a random number) to the user
2) User then enters the challenge number into the token
3) Token generates the password response to the challenge number
4) Authentication server compares the user's response and grants or denies access

Standard Biometrics
Uses a person's unique characteristics for authentication (something they are)
1) Examples: fingerprints, faces, hands, irises, retinas
Fingerprint scanner types:
1) Static
2) Dynamic
Disadvantages
1) Costs
2) Potential false positives (errors)

Standard Biometrics (cont.)
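The time-synchronized and challenge-based OTP flows described above, as an added Python example that is not from the textbook or the slides: token and server share the same algorithm (HOTP from RFC 4226 is assumed as that algorithm, with the RFC's published test seed standing in for a token's unique seed), and the server tolerates one step of clock drift while refusing to accept any code twice.

```python
import hashlib
import hmac
import struct

# Per-token seed shared only between this token and the authentication server.
# Constructed sample value (the RFC 4226 test seed); real seeds are generated
# randomly at provisioning so that every token's seed is unique.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 30
DIGITS = 6


def _otp_from_counter(seed, counter):
    """Core algorithm shared by token and server (HOTP, RFC 4226):
    HMAC-SHA1(seed, counter), dynamically truncated to DIGITS decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def token_display(seed, now):
    """Time-synchronized token: the counter is the current 30-second time step."""
    return _otp_from_counter(seed, int(now) // STEP_SECONDS)


def server_verify_time_otp(seed, candidate, now, state, drift_steps=1):
    """Server side: accept the code for the current step or one step either side
    (small clock drift between token and server). `state` remembers the last
    accepted step so an observed code cannot be replayed: OTPs are not reusable."""
    current = int(now) // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step <= state.get("last_step", -1):
            continue  # already used, or older than a code already accepted
        if hmac.compare_digest(_otp_from_counter(seed, step), candidate):
            state["last_step"] = step
            return True
    return False


def token_challenge_response(seed, challenge):
    """Challenge-based variant: the user keys the server's random challenge
    into the token, which uses it as the counter instead of the clock."""
    return _otp_from_counter(seed, challenge)


def server_verify_challenge_otp(seed, challenge, candidate):
    """Server compares the user's response against its own computation."""
    return hmac.compare_digest(token_challenge_response(seed, challenge), candidate)
```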

Behavioral Biometrics
Authenticates by normal actions that the user performs
Three types of behavioral biometrics:
1) Keystroke dynamics
2) Voice recognition
3) Computer footprinting

Behavioral Biometrics
Keystroke dynamics
1) Attempt to recognize a user's unique typing rhythm
2) Uses two unique typing variables:
   Dwell time
   Flight time

Behavioral Biometrics (cont.)
Voice recognition
1) Authenticates the user based on the unique characteristics of a person's voice
2) Phonetic cadence
   Speaking two words together in a way that one word bleeds into the next word
   Becomes part of each user's speech pattern
Computer footprint
1) When and from where a user normally accesses a system

Cognitive Biometrics
Related to the perception, thought process, and understanding of the user
Considered to be much easier for the user to remember because it is based on the user's life experiences
Examples:
1) Life experiences that the user remembers
2) User must identify specific faces from their life experiences

Authentication Models
Single and multi-factor authentication
1) One-factor authentication
   Using only one authentication credential
2) Two-factor authentication
   Enhances security, particularly if different types of authentication methods are used
3) Three-factor authentication
   Requires that a user present three different types of authentication credentials
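The dwell-time and flight-time variables above, worked in an added Python example that is not part of the slides: the key press/release timestamps are constructed sample data, and the mean-deviation threshold is an assumed, deliberately simple matching rule.

```python
from statistics import mean

# Constructed sample data: (key, press_ms, release_ms) captured while the same
# user typed the word "pass" during three enrollment sessions.
ENROLLMENT = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 380), ("s", 470, 560)],
    [("p", 0, 95), ("a", 160, 235), ("s", 310, 390), ("s", 480, 565)],
    [("p", 0, 88), ("a", 145, 228), ("s", 295, 378), ("s", 465, 555)],
]


def rhythm_features(events):
    """The two variables the slide names: dwell time (how long each key is held)
    and flight time (gap between releasing one key and pressing the next)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template = per-feature mean over the enrollment samples."""
    vectors = [rhythm_features(sample) for sample in samples]
    return [mean(column) for column in zip(*vectors)]


def matches(template, events, tolerance_ms=25.0):
    """Accept the attempt if its mean absolute deviation from the enrolled rhythm
    is within tolerance. Typing the right password with a different rhythm fails."""
    observed = rhythm_features(events)
    if len(observed) != len(template):
        return False  # different key sequence, nothing to compare
    deviation = mean(abs(o - t) for o, t in zip(observed, template))
    return deviation <= tolerance_ms
```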

Authentication Models (cont.)
Single sign-on
1) Identity management
   Using a single authenticated ID to be shared across multiple networks
2) Federated Identity Management (FIM)
   When those networks are owned by different organizations
3) One application of FIM is called single sign-on (SSO)
   Using one authentication to access multiple accounts, applications, or directory services controlled by one or more groups

Authentication Models (cont.)
Windows Live ID
1) Introduced in 1999 as .NET Passport
2) User creates a standard username and password
3) Requires the web site to support Windows Live ID
   User will first be redirected to the nearest authentication server
4) Once authenticated, the user is given an encrypted time-limited global cookie

Authentication Models (cont.)
Windows CardSpace
1) Windows feature intended to provide users with control of their digital identities
2) Helps to manage privacy
3) Creates a Virtual Business Card for exchange with other users
4) Types of cards
   Managed cards: site-specific
   Personal cards: general-purpose information cards
5) Identities downloaded and verified by Identity Providers

Authentication Models (cont.)

Authentication Models (cont.)
OpenID
1) Decentralized open source federated identity
2) No unique software installed on the client
3) A URL-based identity system
   An OpenID identity is only a URL backed up by a username and password
   OpenID provides a means to prove that the user owns that specific URL
Currently used by:
1) Facebook, Twitter, Google

Single or Multi-Factor Authentication Methods
Single Sign On (SSO)

1) Supports multiple resources, providers, directories
2) Federated Identity Management (FIM) supports multiple directory owners
Windows Live provides a time-limited global cookie
OpenID provides decentralized open source federated identity without unique client software

Authentication Servers
Network authentication is performed by a dedicated AAA or authentication server
Most common types of servers are:
1) RADIUS
2) Kerberos
3) TACACS+
4) Lightweight Directory Access Protocol (LDAP)

RADIUS
RADIUS (Remote Authentication Dial In User Service)
1) Developed in 1992
2) Industry standard with widespread support
3) Suitable for high-volume service control applications
4) Provides centralized AAA management
802.1x port security has caused increased demand for RADIUS use

RADIUS (cont.)
RADIUS client: Typically a device such as a dial-up server or wireless access point (AP)
1) Responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server
2) Sends accounting messages to the RADIUS server
RADIUS server: Authenticates and authorizes the RADIUS client request
1) Sends back a RADIUS response message

RADIUS (cont.)

Kerberos
1) Authentication system developed by MIT
2) Deployed in enterprises; requires back-end and client infrastructure support
3) Used to verify the identity of networked users
4) Provides encryption and authentication services
5) Identifies authorized subjects, roles, and resources
6) Issues a ticket (software certificate) valid for a specified period of time
7) Supported by Windows (W2K3 and later), Mac OS X, and Linux
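The RADIUS client/server exchange described above, as an added Python example that is not from the textbook or the slides: the client builds an Access-Request using the User-Password hiding from RFC 2865, the server answers with a Response Authenticator, and the client checks that authenticator with the shared secret before trusting the reply. The secret, user and Request Authenticator values are constructed, and MD5 is used because the standard specifies it.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _password_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2 XOR chain: each 16-byte block is XORed with
    MD5(secret + previous hidden block), seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, request_auth):
    """Client side: pad to 16-byte blocks, then hide (obfuscation, not encryption)."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, request_auth, hiding=True)

def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password and strip the zero padding."""
    return _password_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV, Length includes header

def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, username, password, secret, request_auth):
    """RADIUS client (e.g. an access point) packages the user's credentials for the server."""
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_handle(packet, secret, users):
    """RADIUS server: Access-Accept or Access-Reject, signed with MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    accepted = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def client_verify_response(response, request_auth, secret):
    """Client recomputes the Response Authenticator, so a reply forged without the secret is dropped."""
    expected = hashlib.md5(response[:4] + request_auth + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```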

Kerberos
Process:
1) User authenticates to the network
2) User is provided a ticket that is issued by the Kerberos authentication server
3) The user presents this ticket to the network for each service or resource accessed
4) The service then examines the ticket to verify the identity of the user (subject)
5) Validate the subject's access rights to the resource

Terminal Access Controller Access Control System (TACACS+)
1) Industry standard protocol specification
2) Forwards username and password information to a centralized server
Can be either a centralized server or TACACS+ database
1) Supports Linux or UNIX password file with TACACS protocol support
2) Used by Cisco and other vendor implementations for centralized network hardware authentication services

Lightweight Directory Access Protocol (LDAP)
Directory service
1) A database stored on the network itself that contains information about users, devices, and permissions
2) Supported in Windows Server, Mac, Linux, and Unix
X.500
1) A standard for directory services
2) Created by ISO
White-pages service
1) Capability to look up information by name
Yellow-pages service
1) Browse and search for information by category

Lightweight Directory Access Protocol (LDAP) (cont.)
The information is held in a directory information base (DIB)
Entries are arranged in a tree structure called the directory information tree (DIT)
Directory Access Protocol (DAP)
1) Protocol for a client application to access an X.500 directory
2) DAP is too large to run on a personal computer
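The five-step Kerberos process above, reduced to an added Python model that is not the slides' material and is not the Kerberos protocol itself: an HMAC under a key shared by the authentication server (KDC) and the service stands in for ticket encryption, and the user, service and key values are constructed, so only the ticket-lifetime and identity-then-rights logic of steps 1-5 is shown.

```python
import hashlib
import hmac
import json

# Constructed demo data: long-term keys shared between the KDC and each
# service, user credentials known to the KDC, and per-service access rights.
SERVICE_KEYS = {"fileserver": b"demo-fileserver-key", "mailserver": b"demo-mailserver-key"}
USER_PASSWORDS = {"alice": b"correct horse"}
ACCESS_RIGHTS = {"fileserver": {"alice": {"read"}}}
TICKET_LIFETIME = 8 * 3600  # seconds; a ticket is valid for a specified period only


def _seal(service, body):
    # Stand-in for ticket encryption: an HMAC under the service's key lets the
    # service detect any change to the ticket (real Kerberos encrypts the ticket).
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVICE_KEYS[service], raw, hashlib.sha256).hexdigest()


def kdc_issue_ticket(user, password, service, now):
    """Steps 1-2: the user authenticates to the KDC, which issues a time-limited
    ticket naming the subject and the service. Returns None if authentication fails."""
    if not hmac.compare_digest(USER_PASSWORDS.get(user, b""), password):
        return None
    if service not in SERVICE_KEYS:
        return None
    body = {"user": user, "service": service, "issued": now, "expires": now + TICKET_LIFETIME}
    return {"body": body, "tag": _seal(service, body)}


def service_access(service, ticket, action, now):
    """Steps 3-5: the user presents the ticket; the service verifies it (identity),
    checks the lifetime, then checks the subject's rights for the requested action."""
    if not hmac.compare_digest(_seal(service, ticket["body"]), ticket["tag"]):
        return "denied: ticket failed verification"
    body = ticket["body"]
    if body["service"] != service:
        return "denied: ticket issued for another service"
    if not body["issued"] <= now < body["expires"]:
        return "denied: ticket expired or not yet valid"
    if action not in ACCESS_RIGHTS.get(service, {}).get(body["user"], set()):
        return "denied: subject lacks %s right" % action
    return "granted"
```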

Lightweight Directory Access Protocol (LDAP) (cont.)
Lightweight Directory Access Protocol (LDAP)
1) Sometimes called X.500 Lite
2) A simpler subset of DAP
Primary differences
1) LDAP was designed to run over TCP/IP
2) LDAP has simpler functions
3) LDAP encodes its protocol elements in a less complex way than X.500
LDAP is an open protocol

Most Common Types of Authentication Servers:
1) RADIUS: Authenticates clients, provides connection parameters, sends accounting messages
2) Kerberos: Issues a ticket with specified permissions; the ticket has a limited lifetime; requires back-end infrastructure to implement; supported by most mainstream OSs
3) TACACS+: Leverages Linux / Unix and network infrastructure access databases
4) Lightweight Directory Access Protocol (LDAP): Uses a tree database structure; open source; provides client data lookup capabilities

Extended Authentication Protocols (EAP)
Extensible Authentication Protocol (EAP)
1) Management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server
2) An envelope that can carry many different kinds of exchange data used for authentication
EAP's three protocol categories:
1) Authentication legacy protocols
2) EAP weak protocols
3) EAP strong protocols

Extended Authentication Protocols
Authentication Legacy Protocols
No longer extensively used for authentication
Three legacy protocols:
1) Password Authentication Protocol (PAP)
2) Challenge-Handshake Authentication Protocol (CHAP)
3) Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
Instructor's Note: Still covered on the certification test

EAP Weak Protocols
Still used but have security vulnerabilities
EAP weak protocols:
1) Extended Authentication Protocol MD5 (EAP-MD5)

   Not suitable for Wi-Fi authentication
   Should only be used in low-risk wired environments
2) Lightweight EAP (LEAP)
   Used in Cisco Wi-Fi authentication environments
   Subject to dictionary attacks

EAP Strong Protocols
EAP strong protocols include:
1) EAP with Transport Layer Security (EAP-TLS)
   Uses PKI certificates
   Uses encrypted tunneling for authentication communication
   Resistant to dictionary attacks
2) EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)
   Uses Windows authentication credentials for authentication
   More flexible than EAP-TLS

Remote Authentication and Security
Important to maintain strong security for remote communications
1) Transmissions are routed through networks or devices that the organization does not manage and secure
Managing remote authentication and security usually includes:
1) Using remote access services
2) Installing a virtual private network
3) Maintaining a consistent remote access policy

Remote Access Services (RAS)
1) Combination of hardware and software that enables remote users to access a local internal network from an off-LAN location
2) Provides remote users with the same access and functionality as local users
Virtual private network (VPN)
1) One of the most common types of RAS
2) Uses an unsecured public network (e.g. the Internet) to create a tunnel
3) Connects the remote client to the internal network as if plugged in to the LAN directly
4) Encrypts all data that is transmitted between the remote device and the network
5) Hardware or software based
Common types of VPNs
1) Remote-access VPN or virtual private dial-up network (VPDN)

2) Site-to-site VPN

Virtual Private Networks (VPNs) (cont.)
Transmissions are achieved through communicating with endpoints
Endpoint
1) End of the tunnel between VPN devices
VPN concentrator
1) Aggregates hundreds or thousands of multiple connections
Depending upon the type of endpoint, client software may be required

Virtual Private Networks (VPNs) (cont.)
Hardware vs. software VPNs
1) Software-based VPNs: Most flexibility in how network traffic is managed
2) Hardware-based VPNs: Generally tunnel all traffic they handle regardless of the protocol
3) Hardware-based VPNs: Better performance than software-based solutions

Virtual Private Networks (VPNs) (cont.)
Advantages:
1) Cost savings
2) Scalability
3) Full protection
4) Speed
5) Transparency
6) Authentication
7) Industry standards

Remote Access Policies
Establishing strong remote access policies is important
Remote access policy recommendations:
1) Should be consistent for all users
2) Responsibility of the IT department
3) Empower a working group to create standards that all departments will agree to

Summary
Access control: Process by which resources or services are denied or granted
There are three types of authentication methods
Authentication credentials can be combined to provide extended security
Authentication can be provided on a network by a dedicated AAA or authentication server
The management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server is known as the Extensible Authentication Protocol (EAP)

Organizations need to provide avenues for remote users to access corporate resources as if they were sitting at a desk in the office