Host-based Security - Metropolitan State University of …rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter19.pdf · 2015-06-15 · Examine host-based security controls and applications
CIS 3500
Identity and Access Services
Chapter #19:
Identity and Access Management
Chapter Objectives
n Learn how to install and configure identity and access
services
n Understand how to compare and contrast the different
identity and access services
Identity and Access Services
n To use a system, one must identify themselves with the
system in some form or fashion
n Identity and access services are comprised of hardware,
software, and protocol elements
LDAP
n A directory is a data storage mechanism designed and optimized for
reading data: lookups vastly outnumber writes
n A directory offers a relatively static view of data that can be changed
without a complex update transaction
n The Lightweight Directory Access Protocol (LDAP) is the protocol used to
query and modify such directories; it is used to look up users, check
credentials (the bind operation) and read the group memberships that
drive authorization, and it is the protocol through which Active
Directory objects are accessed
n LDAP is a lightweight alternative to the X.500 directory standard,
which was created to enable interoperability between directories
n Works over TCP (port 389 by default, port 636 for LDAP over TLS, LDAPS)
n Caveat: a simple bind over plain LDAP sends the password in clear text,
so require LDAPS or StartTLS, and escape user-supplied input before
placing it in a search filter or a distinguished name
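The escaping rules the last bullet refers to, as an added example (not code from the slides): RFC 4515 escaping for search filters and RFC 4514 escaping for DN values, with a constructed hostile username showing why an unescaped login filter is injectable. The function names and the `objectClass=person` filter shape are assumptions for illustration.

```python
"""RFC 4515 filter escaping and RFC 4514 DN escaping for user-supplied values (added example)."""

# Characters that must be hex-escaped inside an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name (RFC 4514)."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s[:1] in ("#", " "):          # leading '#' (hex BER) and leading space are special
        s = "\\" + s
    if len(value) > 1 and value.endswith(" "):
        s = s[:-1] + "\\ "           # trailing space must be escaped too
    return s


def build_login_filter_unsafe(uid: str) -> str:
    """Vulnerable: attacker-controlled text becomes filter syntax."""
    return f"(&(objectClass=person)(uid={uid}))"


def build_login_filter_safe(uid: str) -> str:
    """Hardened: the same input is only ever matched as literal characters."""
    return f"(&(objectClass=person)(uid={escape_filter(uid)}))"


if __name__ == "__main__":
    hostile = "*)(uid=*))(|(uid=*"      # constructed attacker input
    print(build_login_filter_unsafe(hostile))   # rewrites the filter's logic
    print(build_login_filter_safe(hostile))     # stays one literal uid assertion
    print(escape_dn("Smith, John"))
```

The unsafe filter with the constructed input contains `(uid=*)`, which matches every person; the safe one asserts a uid consisting of the literal characters `*)(uid=*))(|(uid=*`.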
Kerberos
n Kerberos is a network authentication protocol designed for a
client/server environment
n It is built around a trusted third party, the key distribution center (KDC),
which has two logically separate parts:
n an authentication server (AS) and
n a ticket-granting server (TGS)
n Kerberos communicates via "tickets" that prove the identity of users; the
KDC knows every principal's identity and shares a secret key with each
user and each service
n Kerberos uses strong symmetric encryption so that the parties can verify
each other's identity (mutual authentication); tickets are time-limited,
so client, KDC and service clocks must be loosely synchronized
Kerberos
n The user presents credentials and requests a ticket from the
authentication server (AS) of the Key Distribution Center (KDC)
n The AS verifies the credentials (with pre-authentication, a timestamp
encrypted under the user's key) and issues a TGT (ticket-granting ticket)
encrypted under the TGS key, plus a session key for the client
n The user presents the TGT, an authenticator encrypted with that session
key, and a request for a service to the ticket-granting server (TGS)
n The TGS decrypts and validates the TGT and authenticator and issues a
client-to-server (service) ticket encrypted under the service's key
n The user presents a request, the client-to-server ticket and a fresh
authenticator to the desired service
n If the service can decrypt the ticket and the authenticator checks out,
service is granted to the client; the ticket only proves identity, the
authorization decision is still the service's
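The three exchanges above (AS, TGS, AP) written out with both sides' messages, as an added example that is not from the slides. The cipher is a deliberately simple SHA-256 keystream XOR plus HMAC tag standing in for Kerberos' AES encryption types, the string-to-key function is a toy, and the realm, principal names and passwords are constructed. It shows the point the last bullet makes: the file service never contacts the KDC, it trusts the ticket because only the KDC holds its key.

```python
"""Toy Kerberos AS/TGS/AP exchange with symmetric keys (added example, toy cipher)."""
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid
MAX_SKEW = 300               # authenticators older than this are rejected (replay window)


def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def toy_encrypt(key: bytes, obj) -> bytes:
    """Toy authenticated encryption: keystream XOR plus HMAC tag (stand-in for AES enctypes)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def principal_key(password: str, realm: str) -> bytes:
    """Stand-in for string-to-key (real Kerberos: PBKDF2 salted with realm and name)."""
    return hashlib.sha256(realm.encode() + password.encode()).digest()


def _fresh(ts):
    return abs(time.time() - ts) <= MAX_SKEW


class KDC:
    """Holds the AS and TGS; knows every principal's long-term key."""
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, keys

    def as_exchange(self, user, preauth):
        # AS: decrypting the timestamp with the user's key proves the user knows the password
        if not _fresh(toy_decrypt(self.keys[user], preauth)["ts"]):
            raise ValueError("stale pre-authentication")
        sk = os.urandom(32)
        tgt = toy_encrypt(self.keys["krbtgt"], {"user": user, "sk": sk.hex(), "exp": time.time() + TICKET_LIFETIME})
        return toy_encrypt(self.keys[user], {"sk": sk.hex()}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        # TGS: only the KDC can open the TGT; only the TGT's rightful holder knows its session key
        t = toy_decrypt(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        auth = toy_decrypt(sk, authenticator)
        if auth["user"] != t["user"] or not _fresh(auth["ts"]):
            raise ValueError("bad authenticator")
        svc_sk = os.urandom(32)
        ticket = toy_encrypt(self.keys[service], {"user": t["user"], "sk": svc_sk.hex(), "exp": time.time() + TICKET_LIFETIME})
        return toy_encrypt(sk, {"sk": svc_sk.hex()}), ticket


def service_accept(service_key, ticket, authenticator):
    """AP exchange: the service never talks to the KDC; its own key opens the ticket."""
    t = toy_decrypt(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    auth = toy_decrypt(bytes.fromhex(t["sk"]), authenticator)
    if auth["user"] != t["user"] or not _fresh(auth["ts"]):
        raise ValueError("bad authenticator")
    return t["user"]        # authenticated principal; authorization is the service's job


def login_and_access(kdc, user, password, service):
    """Client side of all three exchanges; returns the name the service authenticated."""
    k_user = principal_key(password, kdc.realm)
    enc, tgt = kdc.as_exchange(user, toy_encrypt(k_user, {"ts": time.time()}))
    sk = bytes.fromhex(toy_decrypt(k_user, enc)["sk"])
    enc2, ticket = kdc.tgs_exchange(tgt, toy_encrypt(sk, {"user": user, "ts": time.time()}), service)
    svc_sk = bytes.fromhex(toy_decrypt(sk, enc2)["sk"])
    # the service would read its key from its keytab; the toy hands it over directly
    return service_accept(kdc.keys[service], ticket, toy_encrypt(svc_sk, {"user": user, "ts": time.time()}))


# Constructed realm: one user, the TGS principal krbtgt, and one file service.
REALM = "EXAMPLE.COM"
KEYS = {"alice": principal_key("correct horse", REALM), "krbtgt": os.urandom(32), "cifs/fs1": os.urandom(32)}
kdc = KDC(REALM, KEYS)

if __name__ == "__main__":
    print(login_and_access(kdc, "alice", "correct horse", "cifs/fs1"))
```

A wrong password fails at the AS step (the pre-authentication blob does not decrypt), which is also why Kerberos pre-authentication matters: without it the AS would hand out material that can be attacked offline.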
TACACS+
n Terminal Access Controller Access Control System Plus (TACACS+), a
Cisco-originated protocol, documented in RFC 8907
n Typically operating over TCP port 49 (both TCP and UDP port 49 are
reserved for it)
n AAA protocol – with separated optional functions for each of
authentication, authorization and accounting, so per-command
authorization can be used without TACACS+ authentication, for example
n Client/server protocol
n The entire packet body is obfuscated with an MD5 keystream derived
from a shared key, unlike RADIUS, which hides only the password; that
is not modern encryption, so run it over a protected management network
or an IPsec/TLS tunnel
TACACS+ Authentication
n Allows arbitrary length and content in the authentication exchange,
enabling many different mechanisms to be used
n Authentication is optional – a site-configurable option
n Supports Point-to-Point Protocol (PPP) with Password Authentication
Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or
Extensible Authentication Protocol (EAP), token cards, and Kerberos
n Three different packet types: START, CONTINUE, and REPLY
START and CONTINUE packets originate from the client and are directed
to the TACACS+ server
The REPLY packet is used to communicate from the TACACS+ server to
the client
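What a START packet looks like on the wire, as an added example (not the slides' code): the 12-byte RFC 8907 header, the authentication START body, and the MD5 keystream that obfuscates the body under the shared key. Both the builder (client side) and the parser (server side) are shown, so the effect of a wrong key or of the unencrypted flag can be seen. The shared key, session id, port and remote address are constructed.

```python
"""Build and parse a TACACS+ authentication START packet per RFC 8907 (added example)."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 1                 # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 1           # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 1
TAC_PLUS_AUTHEN_SVC_LOGIN = 1


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1); concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; it is its own inverse, so the same call encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(session_id, key, user, port="tty0", rem_addr="10.0.0.5", minor=0):
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    seq_no = 1                                         # client's first packet in the session
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    flags = 0                                          # body obfuscated; never set UNENCRYPTED in production
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("refusing unencrypted TACACS+ body")       # a hardened server rejects these
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a well-formed authentication packet")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body (wrong shared key?)")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": fields[0].decode(), "port": fields[1].decode(),
            "rem_addr": fields[2].decode(), "data": fields[3]}


if __name__ == "__main__":
    KEY = b"constructed-shared-key"      # constructed; deploy a long random key per device
    pkt = build_authen_start(0x1234ABCD, KEY, "alice")
    print(pkt.hex())
    print(parse_authen_start(pkt, KEY))
```

Note that the header, including the session id, is always in clear; only the body is obfuscated, and the keystream is a function of the shared key and four header bytes, which is why a captured session plus a weak key gives the attacker every username and password in it.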
TACACS+ Authorization
n TACACS+ authorization – determining permission associated
with a user action; site specific, can be optional
n Default state is “unknown user”
n Authorization follows the authentication process (optional) and
uses the confirmed user identity
n It uses two message types: REQUEST and RESPONSE
The client issues an authorization REQUEST message
The RESPONSE message is not a simple yes or no: it can include
qualifying information, such as a user time limit or IP restrictions
TACACS+ Accounting
n When utilized, it typically follows the other services
n Records what a user or process has done
n Purpose:
n account for services, possibly for billing purposes
n generating security audit trails
n It has information from authentication and authorization
n Three types of records: START, STOP, and UPDATE
n These are record types, not message types
START records the time and user or process that began
STOP records the stop times for specific actions
UPDATE records intermediary notices that a particular task is still being
performed
CHAP
n Challenge Handshake Authentication Protocol (CHAP) provides authentication
across a point-to-point link using PPP
n Authentication takes place after the link has been established, and CHAP
can repeat it periodically through the use of a challenge/response system
n The initial challenge (a randomly generated value) is sent to the client
n The client uses a one-way hash function (MD5 in RFC 1994) over the
identifier, the shared secret and the challenge to calculate the response
and then sends this back
n The server compares the response to what it calculated the response should be
n If they match, communication continues
n If the two values don't match, then the connection is terminated
n This mechanism relies on a shared secret between the two entities so that
the correct values can be calculated; the secret itself never crosses the
link, but the server must store it in recoverable form, and a captured
challenge/response pair lets an attacker test guesses for a weak secret
offline
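The exchange above with both ends of the link, as an added example that is not the slides' code: the RFC 1994 MD5 response, an authenticator that issues fresh challenges and rejects stale identifiers, and the offline-guessing function that illustrates the last bullet's caveat. Peer names and secrets are constructed.

```python
"""CHAP challenge/response per RFC 1994 (MD5), authenticator and peer sides (added example)."""
import hashlib
import hmac
import os

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: must hold every peer's secret in recoverable (not hashed) form."""
    def __init__(self, secrets: dict, name=b"nas1"):
        self.secrets, self.name = secrets, name
        self.ident, self.current = 0, b""

    def challenge(self):
        self.ident = (self.ident + 1) % 256        # new identifier per challenge
        self.current = os.urandom(16)              # fresh, unpredictable challenge value
        return CHAP_CHALLENGE, self.ident, self.current, self.name

    def verify(self, code, ident, value, peer_name) -> int:
        secret = self.secrets.get(peer_name)
        if code != CHAP_RESPONSE or ident != self.ident or secret is None:
            return CHAP_FAILURE                    # replayed or out-of-order responses fail here
        expected = chap_hash(ident, secret, self.current)
        return CHAP_SUCCESS if hmac.compare_digest(expected, value) else CHAP_FAILURE


def chap_peer_response(ident, challenge, secret, name):
    """Peer side: prove knowledge of the secret without ever sending it."""
    return CHAP_RESPONSE, ident, chap_hash(ident, secret, challenge), name


def run_chap(server, peer_name, peer_secret) -> int:
    """One full challenge/response round; returns CHAP_SUCCESS or CHAP_FAILURE."""
    code, ident, chal, _ = server.challenge()
    return server.verify(*chap_peer_response(ident, chal, peer_secret, peer_name))


def offline_guess(ident, challenge, response, wordlist):
    """Why CHAP needs strong secrets: a sniffed (ident, challenge, response) triple is an offline oracle."""
    for guess in wordlist:
        if chap_hash(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    nas = ChapAuthenticator({b"alice": b"s3cret"})
    print(run_chap(nas, b"alice", b"s3cret"), run_chap(nas, b"alice", b"wrong"))
```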
PAP
n Password Authentication Protocol (PAP) authentication
involves a two-way handshake
n The username and password are sent across the link in
clear text
n PAP authentication does not provide any protection against
replay (playback) or line sniffing: anyone who captures the exchange
has the password
n PAP is now a deprecated standard
MSCHAP
n Microsoft Challenge Handshake Authentication Protocol (MSCHAP)
is the Microsoft variant of CHAP
n MSCHAPv1, defined in RFC 2433, has been deprecated and
dropped in Windows Vista
n MSCHAPv2, RFC 2759, was introduced with Windows 2000
n It offers mutual authentication, verifying both ends of the exchange
n It also offers improved cryptographic support including separate
cryptographic keys for transmitted and received data
n Caveat: MSCHAPv2 still rests on DES and the NT password hash, and the
response in a captured exchange can be recovered by brute force, so it
should only be run inside a TLS tunnel (PEAP or EAP-TTLS), never bare
RADIUS
n Remote Authentication Dial-In User Service (RADIUS) is an AAA
protocol
n Connectionless protocol utilizing UDP port 1812 for authentication and
authorization and 1813 for accounting functions
n RADIUS is a client/server protocol
n The RADIUS client is typically a network access server (NAS), such as
a VPN concentrator, wireless controller or switch
n The RADIUS server is a process or daemon running on a UNIX or
Windows Server machine
n Communications between a RADIUS client and RADIUS server are not
encrypted as such: the shared secret is used only to hide the
User-Password attribute (MD5 based) and to authenticate replies, so
usernames and all other attributes travel in clear text; protect the path
with IPsec or RadSec (RADIUS over TLS, RFC 6614)
RADIUS Authentication
n It can support PPP, PAP, CHAP, or UNIX login
n A user initiates PPP authentication to the NAS
n The NAS prompts for username and password (if PAP),
or sends a challenge (if CHAP)
n The user replies with credentials
n The RADIUS client sends an Access-Request carrying the username and the
obfuscated password (or the CHAP challenge and response) to the RADIUS
server
n The RADIUS server responds with Access-Accept, Access-Reject, or
Access-Challenge
n The RADIUS client acts upon the services requested by the user
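The Access-Request/Access-Accept round above on the wire, as an added example (not the slides' code), which also shows what "encrypted using a shared secret" really amounts to in RADIUS: only the User-Password attribute is hidden (RFC 2865 section 5.2), the reply is authenticated with an MD5 Response Authenticator, and the User-Name is visible to anyone on the path. The shared secret, user, password and NAS address are constructed.

```python
"""RADIUS Access-Request with User-Password hiding and reply verification, RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """b1 = MD5(S + RA), c1 = p1 ^ b1; b_i = MD5(S + c_i-1), c_i = p_i ^ b_i (16-byte blocks)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v


def build_access_request(ident, secret, user, password, nas_ip, request_auth=None):
    """NAS side. The Request Authenticator must be unpredictable: it keys the password hiding."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user)                      # sent in clear
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out[t] = data[i + 2:i + length]
        i += length
    return out


def server_handle(packet, secret, users):
    """Server side: unhide the password, decide, and bind the reply to the request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    reply_code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == pw else ACCESS_REJECT
    hdr = struct.pack("!BBH", reply_code, ident, 20)     # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()


def client_check_reply(reply, request, secret):
    """NAS side: an Accept is only honoured if its authenticator matches; otherwise it is forged."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected) or ident != request[1]:
        raise ValueError("response authenticator mismatch: spoofed reply or wrong secret")
    return code


if __name__ == "__main__":
    SECRET = b"constructed-secret"
    req = build_access_request(7, SECRET, b"alice", b"hunter2", "192.0.2.10")
    print(req.hex())                       # note 'alice' is readable in the hex dump
    print(client_check_reply(server_handle(req, SECRET, {b"alice": b"hunter2"}), req, SECRET))
```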
RADIUS Authorization
n Authentication and authorization steps are performed
together in response to a single Access-Request message –
although they are sequential steps
n Authorization parameters include
n the service type allowed (shell or framed),
n the protocols allowed,
n the IP address to assign to the user (static or dynamic), and
n the access list to apply or static route to place in the NAS
routing table
RADIUS Accounting
n Accounting is performed independently of authentication and
authorization, with Accounting-Request packets sent to UDP port 1813
n Functions are designed to allow data to be transmitted at
the beginning (Start) and end (Stop) of a session, with optional
Interim-Update records in between
n It can indicate resource utilization, such as time, bandwidth
n When RADIUS was first designed, the role of ISP NASs was
relatively simple
n Today, the Internet and its access methods have changed,
and so have the AAA requirements
SAML
n Security Assertion Markup Language (SAML) is a single sign-on (SSO)
capability used for web applications
n It defines standards for exchanging authentication and authorization data
between security domains
n Important with cloud-based solutions and with Software-as-a-Service (SaaS)
applications
n It is an XML-based protocol that uses security tokens and assertions to pass
information about a "principal" (typically an end user) between a SAML
authority (an "identity provider" or IdP) and the service provider (SP)
n The principal requests a service from the SP, which then requests and
obtains an identity assertion from the IdP
n The SP can then grant access or perform the requested service for the
principal
n Before trusting an assertion the SP must validate its XML signature against
the IdP's known certificate and check its audience, validity window and
(for SP-initiated flows) the InResponseTo value
OAUTH
n OAuth (Open Authorization) is an open protocol for secure,
token-based authorization on the Internet from web, mobile,
and desktop applications
n Users can share information about their accounts with third-
party applications or websites
n OAuth 1.0 grew out of work on Twitter's OpenID implementation, where a
standard way of delegating API access to third-party applications was
needed
n OAuth 2.0 (not backward compatible) – main strength is that it can be
used by external partners without having to re-authenticate the user;
instead the partner submits an access token (normally a bearer token,
so it must only travel over TLS and should be short-lived)
n OAuth is an authorization protocol: an access token says what a client
may do, not who the user is
OpenID Connect
n OpenID Connect is a simple identity layer on top of the OAuth
2.0 protocol
n Allows clients of all types, including mobile, JavaScript, and
web-based clients, to request and receive information about
authenticated sessions and end users, carried in a signed ID token (a JWT)
n OpenID Connect is commonly paired with OAuth 2.0: the same flow returns
both an access token and an ID token
n Federated authentication that lets a third party authenticate
users using accounts that they already have
n The client must check the ID token's signature, issuer, audience and
expiry before treating the user as authenticated
Shibboleth
n Shibboleth – single sign-on and federated identity-based
authentication and authorization across networks
n It is a web-based technology that is built using SAML
n Shibboleth implements the SAML Web Browser SSO profile, using the
HTTP POST and HTTP Redirect bindings, and provides both identity
provider (IdP) and service provider (SP) components
n It is included by many services that use SAML for identity
management
Secure Token
n A secure token service is responsible for issuing, validating,
renewing, and cancelling security tokens in a claims-based
identity framework, e.g. OASIS WS-Trust
n Secure tokens solve the problem of authentication across
stateless platforms
n User requests access with username/password
n Secure token service validates credentials
n Secure token service provides a signed token to the client
n Client stores that token and sends it along with every request
n Server verifies the token's signature, issuer, audience and expiry and
responds with data; a token that fails any of these checks is rejected
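The issue-and-verify steps above, and the ID-token checks listed under OpenID Connect, as one added example that is not the slides' code: an HMAC-signed JWT-style bearer token with issuer, subject, audience and expiry claims, and a verifier that pins the algorithm, checks the signature in constant time and rejects wrong issuer, wrong audience and expired tokens. HS256 with a shared secret is an assumption for the demonstration; a production token service or OpenID provider normally signs with an asymmetric key so that verifiers hold no secret. Issuer, audience and the secret are constructed.

```python
"""Issue and verify an HMAC-signed, JWT-style token (added example; HS256 assumed)."""
import base64
import hashlib
import hmac
import json
import time


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, issuer: str, subject: str, audience: str, ttl: int, now=None) -> str:
    """Token service side: sign header.claims with the secret; exp bounds the damage of a leaked token."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Relying-party side: every check is mandatory; return the claims only if all pass."""
    now = int(now if now is not None else time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_unb64(h))
    if header.get("alg") != "HS256":        # never let the token pick the algorithm ("none", key confusion)
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")   # covers any tampering with header or claims
    claims = json.loads(_unb64(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not meant for this audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    SECRET = b"constructed-secret"
    t = issue_token(SECRET, "https://sts.example", "alice", "api", ttl=3600)
    print(t)
    print(verify_token(t, SECRET, "https://sts.example", "api"))
```

The audience check is the one most often skipped: without it a token minted for one service can be replayed against another that shares the same issuer.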
NTLM
n NT LAN Manager (NTLM) is Windows' challenge/response authentication
protocol suite
n It provides authentication, integrity (signing), and confidentiality
(sealing) for the session that follows
n It is the successor to the authentication protocol in Microsoft LAN
Manager (LANMAN)
n Replaced by Microsoft's Kerberos implementation as the default in Active
Directory domains, although NTLM is still used for logon authentication
on stand-alone Windows machines and as a fallback (for example when a
server is addressed by IP address rather than by name)
n Uses an encrypted challenge/response protocol to authenticate a user
without sending the user’s password over the wire, but the