ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users
Dec 21, 2015
Learning Objectives
- Explain why authentication is a critical aspect of network security
- Explain why firewalls authenticate and how they identify users
- Describe user, client, and session authentication
- List the advantages and disadvantages of popular centralized authentication systems
- Discuss the potential weaknesses of password security systems
- Discuss the use of password security tools
- Describe common authentication protocols used by firewalls
7/14 IS 3200, Summer 2010
The Authentication Process in General
- The act of identifying users and providing network services to them based on their identity
- Two forms:
  - Local authentication
  - Centralized authentication service (often uses two-factor authentication)
How Firewalls Implement the Authentication Process
1. Client makes a request to access a resource
2. Firewall intercepts the request and prompts the user for name and password
3. User submits information to the firewall
4. User is authenticated
5. Request is checked against the firewall’s rule base
6. If the request matches an existing allow rule, the user is granted access
7. User accesses desired resources
How Firewalls Implement the Authentication Process (continued)
Firewall Authentication Methods
- User authentication
- Client authentication
- Session authentication
User Authentication
- Basic authentication; user supplies username and password to access networked resources
- Users who legitimately need to access your internal servers must be added to your access control lists (ACLs)
User Authentication (continued)
Client Authentication
- Same as user authentication but with additional time limit or usage limit restrictions
- When configuring, set up one of two types of authentication systems:
  - Standard sign-on system
  - Specific sign-on system
Client Authentication (continued)
Session Authentication
- Required any time the client establishes a session with a server or other networked resource
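The seven-step flow and the three firewall authentication methods above fit in one small model. The following is an added example, not code from the slides or from any firewall product: a `Firewall` class that stores salted password hashes (step 4), grants a client-authentication "grant" with a time limit and a usage limit, counts each new session against that limit (session authentication), and matches requests against an ordered rule base with default deny (steps 5 to 7). Users, rules, limits and the injectable clock are constructed for the demonstration.

```python
"""Added example, not from the slides: a small model of the seven-step
firewall authentication flow plus the three authentication methods
(user, client, session). Users, rules and limits are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


@dataclass
class Grant:
    """Client authentication = user authentication + time and usage limits."""
    user: str
    expires_at: float
    uses_left: int
    sessions: set = field(default_factory=set)


class Firewall:
    def __init__(self, users, rules, *, ttl_seconds=300, max_uses=3, now=time.time):
        self.users = users        # username -> password record
        self.rules = rules        # ordered (user, dest_host, dest_port, action); "*" wildcards
        self.ttl = ttl_seconds
        self.max_uses = max_uses
        self.now = now            # injectable clock so the limits can be tested
        self.grants = {}          # username -> Grant
        self.audit = []

    def authenticate(self, user: str, password: str) -> bool:
        """Steps 2-4: the firewall receives the submitted credentials and checks them."""
        record = self.users.get(user)
        ok = record is not None and verify_password(record, password)
        self.audit.append(("auth", user, ok))
        if ok:
            self.grants[user] = Grant(user, self.now() + self.ttl, self.max_uses)
        return ok

    def _valid_grant(self, user: str):
        g = self.grants.get(user)
        if g is None or self.now() > g.expires_at or g.uses_left <= 0:
            self.grants.pop(user, None)  # expired or exhausted: force re-authentication
            return None
        return g

    def request(self, user: str, dest_host: str, dest_port, session_id: str) -> str:
        """Steps 1 and 5-7: a request arrives and is matched against the rule base."""
        g = self._valid_grant(user)
        if g is None:
            return "authentication required"
        if session_id not in g.sessions:  # session authentication: each new session costs one use
            g.sessions.add(session_id)
            g.uses_left -= 1
        for rule_user, host, port, action in self.rules:  # first matching rule wins
            if rule_user in (user, "*") and host == dest_host and port in (dest_port, "*"):
                self.audit.append(("rule", user, dest_host, dest_port, action))
                return "granted" if action == "allow" else "denied"
        self.audit.append(("rule", user, dest_host, dest_port, "no-match"))
        return "denied"  # nothing matched: default deny


def demo() -> list:
    clock = [1000.0]
    fw = Firewall(users={"alice": make_record("correct horse")},
                  rules=[("alice", "intranet.example", 443, "allow"),
                         ("*", "intranet.example", "*", "deny")],
                  ttl_seconds=60, max_uses=2, now=lambda: clock[0])
    out = [fw.request("alice", "intranet.example", 443, "s1"),   # not yet authenticated
           fw.authenticate("alice", "wrong"),                    # bad password
           fw.authenticate("alice", "correct horse"),            # step 4 succeeds
           fw.request("alice", "intranet.example", 443, "s1"),   # allow rule matches
           fw.request("alice", "intranet.example", 22, "s1"),    # deny rule matches
           fw.request("alice", "intranet.example", 443, "s2"),   # second session, last use
           fw.request("alice", "intranet.example", 443, "s3"),   # usage limit exhausted
           fw.authenticate("alice", "correct horse")]            # fresh grant
    clock[0] += 120                                              # past the 60 s time limit
    out.append(fw.request("alice", "intranet.example", 443, "s1"))
    return out


if __name__ == "__main__":
    print(demo())
```

The audit list records both authentication outcomes and rule decisions, which is the data a firewall log would carry; the default-deny branch at the end of `request` is the detail that distinguishes "no rule matched" from an explicit deny.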
Comparison of Authentication Methods
Centralized Authentication
- Centralized server maintains all authorizations for users regardless of where the user is located and how the user connects to the network
- Most common methods:
  - Kerberos
  - TACACS+ (Terminal Access Controller Access Control System)
  - RADIUS (Remote Authentication Dial-In User Service)
Process of Centralized Authentication
Kerberos
- Provides authentication and encryption through standard clients and servers
- Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources
- Used internally on Windows 2000/XP
- Advantages:
  - Passwords are not stored on the system
  - Widely used in UNIX environments; enables authentication across operating systems
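The KDC-and-ticket idea on the Kerberos slide is easiest to see in a working exchange. The following is an added example, not code from the slides and not MIT or Windows Kerberos: a `KDC` class that keeps only keys (one derived from each user's password, one random key per service) and issues a ticket the client cannot read but the service can, plus an authenticator that proves the client holds the session key. The encryption helper `seal`/`open_sealed` is a stand-in built from HMAC-SHA256 (keystream XOR plus a tag) because the standard library has no AES; real Kerberos uses AES-based encryption types and a two-step TGT/TGS exchange that is collapsed into one request here. Principal names and passwords are constructed.

```python
"""Added example, not from the slides and not real Kerberos code: a
simplified KDC that issues tickets without ever storing a password."""
import hashlib
import hmac
import json
import os
import time


def derive_key(principal: str, password: str) -> bytes:
    """String-to-key: salted with the principal name (as Kerberos does) so the client can re-derive it."""
    salt = hashlib.sha256(principal.encode()).digest()[:16]
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, data: dict) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag (not a Kerberos enctype)."""
    plain = json.dumps(data).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"tag" + nonce + cipher, "sha256").digest()
    return nonce + cipher + tag


def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + cipher, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class KDC:
    def __init__(self, ttl_seconds: int = 3600):
        self.user_keys, self.service_keys, self.ttl = {}, {}, ttl_seconds

    def enroll_user(self, name: str, password: str) -> None:
        self.user_keys[name] = derive_key(name, password)  # the password itself is discarded

    def enroll_service(self, name: str) -> bytes:
        self.service_keys[name] = os.urandom(32)
        return self.service_keys[name]

    def request_ticket(self, user: str, service: str):
        """Reply = a part only the user can open + a ticket only the service can open."""
        session_key = os.urandom(32).hex()
        ticket = seal(self.service_keys[service],
                      {"user": user, "key": session_key, "expires": time.time() + self.ttl})
        for_client = seal(self.user_keys[user], {"service": service, "key": session_key})
        return for_client, ticket


def client_login(kdc: KDC, user: str, password: str, service: str):
    for_client, ticket = kdc.request_ticket(user, service)
    part = open_sealed(derive_key(user, password), for_client)  # a wrong password fails here
    session_key = bytes.fromhex(part["key"])
    authenticator = seal(session_key, {"user": user, "time": time.time()})
    return ticket, authenticator


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    t = open_sealed(service_key, ticket)
    if time.time() > t["expires"]:
        raise ValueError("ticket expired")
    a = open_sealed(bytes.fromhex(t["key"]), authenticator)  # proves the client knows the session key
    if a["user"] != t["user"] or abs(time.time() - a["time"]) > 300:
        raise ValueError("authenticator does not match ticket")
    return t["user"]


def demo() -> dict:
    kdc = KDC()
    kdc.enroll_user("alice", "correct horse")
    fileserver_key = kdc.enroll_service("fileserver")
    ticket, auth = client_login(kdc, "alice", "correct horse", "fileserver")
    result = {"accepted_as": service_accept(fileserver_key, ticket, auth)}
    try:
        client_login(kdc, "alice", "wrong password", "fileserver")
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    tampered = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]  # flip one ciphertext bit
    try:
        service_accept(fileserver_key, tampered, auth)
        result["tampered_ticket_rejected"] = False
    except ValueError:
        result["tampered_ticket_rejected"] = True
    return result
```

Two properties from the slide are visible in the code: `KDC.user_keys` holds derived keys only, so the password is never on the system, and the service validates the ticket with its own key without talking to the KDC or seeing the user's password.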
Kerberos Authentication
TACACS+
- Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems)
- Provides AAA services:
  - Authentication
  - Authorization
  - Auditing
- Uses the MD5 algorithm to encrypt data
RADIUS
- Centralized dial-in authentication service that uses UDP
- Transmits authentication packets unencrypted across the network
- Provides a lower level of security than TACACS+ but is more widely supported
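The TACACS+ slide ("uses MD5 to encrypt data") and the RADIUS slide ("transmits authentication packets unencrypted") describe the same underlying mechanism applied to different amounts of the packet. The following is an added example, not code from the slides or from any vendor: it builds a RADIUS Access-Request whose User-Password attribute is hidden with the RFC 2865 MD5 scheme while User-Name stays in clear, and applies the RFC 8907 TACACS+ pad to a whole packet body. In both cases the pad depends only on the shared secret and public header fields, so the protection rests entirely on the secrecy of that shared secret. Secrets, usernames and the packet body are constructed.

```python
"""Added example, not from the slides or any vendor code: the MD5-based
credential hiding used by RADIUS (RFC 2865) and TACACS+ (RFC 8907)."""
import hashlib
import os
import struct


def radius_hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def radius_access_request(secret: bytes, identifier: int, username: bytes, password: bytes) -> bytes:
    request_auth = os.urandom(16)                 # 16 random octets, sent in clear
    attrs = (radius_attr(1, username) +           # 1 = User-Name, plain text
             radius_attr(2, radius_hide_password(secret, request_auth, password)))  # 2 = User-Password
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))   # Code 1 = Access-Request
    return header + request_auth + attrs


def radius_attrs(packet: bytes) -> dict:
    """Walk the type/length/value attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs


def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5_1 || MD5_2 || ..., MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pad; applying it a second time restores the body."""
    pad = tacacs_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo() -> dict:
    secret = b"constructed-shared-secret"
    packet = radius_access_request(secret, 7, b"alice", b"hunter2")
    request_auth, attrs = packet[4:20], radius_attrs(packet)
    body = b"authen START body for alice (constructed)"
    wrapped = tacacs_obfuscate(secret, 0x1234ABCD, 0xC0, 1, body)
    return {
        "radius_username_in_clear": attrs[1] == b"alice",
        "radius_password_in_clear": b"hunter2" in packet,
        "radius_password_recovered": radius_reveal_password(secret, request_auth, attrs[2]) == b"hunter2",
        "tacacs_body_in_clear": body in wrapped,
        "tacacs_body_recovered": tacacs_obfuscate(secret, 0x1234ABCD, 0xC0, 1, wrapped) == body,
    }
```

A packet capture of the RADIUS request shows the username and every other attribute verbatim, which is the concrete meaning of the slide's "unencrypted" claim; the TACACS+ body is covered, but the shared key is the only secret in the construction, and that is why both protocols are normally confined to a management network or wrapped in IPsec/TLS.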
TACACS+ and RADIUS Compared
- Strength of security
- Filtering characteristics
- Proxy characteristics
- NAT characteristics
Strength of Security
Filtering Characteristics
Proxy Characteristics
- RADIUS: doesn’t work with generic proxy systems, but a RADIUS server can function as a proxy server
- TACACS+: works with generic proxy systems
NAT Characteristics
- RADIUS: doesn’t work with NAT
- TACACS+: should work through NAT systems
Password Security Issues
- Passwords that can be cracked (accessed by an unauthorized user)
- Password vulnerabilities
- Lax security habits
Passwords That Can Be Cracked
- Ways to crack passwords:
  - Find a way to authenticate without knowing the password
  - Uncover the password from the system that holds it
  - Guess the password
- To avoid the issue:
  - Protect passwords effectively
  - Observe security habits
Password Vulnerabilities
- Built-in vulnerabilities:
  - Often easy to guess
  - Often stored visibly
  - Social engineering
- To avoid the issues:
  - Choose complicated passwords
  - Memorize passwords
  - Never give passwords out to anyone
Lax Security Habits
- To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)
Password Security Tools
- One-time password software
- Shadow password system
One-Time Password Software
- Password is generated using a secret key
- Password is used only once, when the user authenticates
- Different passwords are used for each authentication session
- Types:
  - Challenge-response passwords
  - Password list passwords
Shadow Password System
- A feature of Linux that stores passwords in another file that has restricted access
- Passwords are stored only after being encrypted by a randomly generated value and an encoding formula
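What the slide calls "a randomly generated value and an encoding formula" is a per-user salt and an iterated one-way hash. The following is an added example, not code from the slides and not the crypt(3) or shadow-utils source: it writes hash records in a constructed `$pbkdf2-sha256$<iterations>$<salt>$<hash>` format, parses colon-separated shadow-style lines, honours the `!`/`*` locked-account convention, and checks a login with a constant-time comparison. Real /etc/shadow entries use crypt(3) formats such as `$6$` (SHA-512) or `$y$` (yescrypt) with a different base64 alphabet, but the structure (scheme, random salt, iterated hash) is the same. The example shadow lines and passwords are constructed.

```python
"""Added example, not from the slides: a shadow-style password store with
salted, iterated hashes and a login check. Record format and lines are
constructed, not the real crypt(3) formats."""
import base64
import hashlib
import hmac
import os


def make_shadow_hash(password: str, iterations: int = 200_000, salt: bytes = None) -> str:
    """Hash with a fresh random salt so equal passwords give different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    enc = lambda b: base64.b64encode(b).decode()
    return f"$pbkdf2-sha256${iterations}${enc(salt)}${enc(digest)}"


def check_shadow_hash(password: str, stored: str) -> bool:
    """Re-derive with the salt and iteration count taken from the stored record."""
    _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def parse_shadow_line(line: str) -> dict:
    """name:hash:lastchange:min:max:warn:inactive:expire:reserved"""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow line")
    return {"name": fields[0], "hash": fields[1],
            "locked": fields[1].startswith(("!", "*"))}  # '!'/'*' prefix marks a locked account


def verify_login(shadow_lines, username: str, password: str) -> bool:
    for line in shadow_lines:
        entry = parse_shadow_line(line)
        if entry["name"] != username:
            continue
        if entry["locked"] or not entry["hash"].startswith("$"):
            return False  # locked, or no usable hash on record
        return check_shadow_hash(password, entry["hash"])
    return False  # unknown user


# Constructed shadow file contents (field values are illustrative only).
SHADOW_LINES = [
    f"alice:{make_shadow_hash('correct horse')}:19700:0:99999:7:::",
    "daemon:*:19700:0:99999:7:::",                                 # system account, no login
    f"bob:!{make_shadow_hash('bob pass')}:19700:0:99999:7:::",     # account disabled with '!'
]


def demo() -> dict:
    h1, h2 = make_shadow_hash("same password"), make_shadow_hash("same password")
    return {
        "alice_ok": verify_login(SHADOW_LINES, "alice", "correct horse"),
        "alice_wrong": verify_login(SHADOW_LINES, "alice", "incorrect horse"),
        "daemon_locked": verify_login(SHADOW_LINES, "daemon", "anything"),
        "bob_disabled": verify_login(SHADOW_LINES, "bob", "bob pass"),
        "salts_differ": h1 != h2,  # same password, two records, two different hashes
        "both_verify": check_shadow_hash("same password", h1) and check_shadow_hash("same password", h2),
    }
```

The `salts_differ` result is the point of the "randomly generated value": two users with the same password do not share a record, so a cracked hash from one entry says nothing about the other, and a precomputed table cannot be reused across accounts.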
Other Authentication Systems
- Single-password systems
- One-time password systems
- Certificate-based authentication
- 802.1x Wi-Fi authentication
Single-Password Systems
- Operating system password
- Internal firewall password
One-Time Password Systems
- Single Key (S/Key)
- SecurID
- Axent Pathways Defender
Single Key (S/Key)
- Uses multiple-word rather than single-word passwords
- User specifies a single-word password and the number of times it is to be encrypted
- Password is processed by a hash function n times; the resulting encrypted passwords are stored on the server
- Never stores the original password on the server
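The two one-time password types named on the One-Time Password Software slide, and the hash chain described on this S/Key slide, are shown together in the following added example (not code from the slides or from the S/Key distribution). The password-list type is the S/Key scheme: the secret is hashed n times, the server stores only the n-th value, and each login presents the previous link of the chain, which the server verifies with one more hash and then keeps as the new current value. The challenge-response type answers a random server challenge with an HMAC over a key shared at enrolment. SHA-256, the chain length, seeds and secrets are constructed; the original S/Key used MD4/MD5 and a six-word encoding of a 64-bit value rather than raw digests.

```python
"""Added example, not from the slides: S/Key-style hash-chain one-time
passwords (password-list type) and HMAC challenge-response passwords."""
import hashlib
import hmac
import os


def hash_chain(passphrase: bytes, seed: bytes, k: int) -> bytes:
    """Start from hash(passphrase || seed) and hash it k more times."""
    value = hashlib.sha256(passphrase + seed).digest()
    for _ in range(k):
        value = hashlib.sha256(value).digest()
    return value


class SKeyServer:
    """Stores only (seed, n, hash^n); the passphrase never reaches the server."""

    def __init__(self, passphrase: bytes, seed: bytes, n: int):
        self.seed, self.n = seed, n
        self.current = hash_chain(passphrase, seed, n)  # computed at enrolment, passphrase discarded

    def challenge(self):
        """Tell the client which link to present: (seed, index)."""
        return self.seed, self.n - 1

    def verify(self, presented: bytes) -> bool:
        if self.n <= 0:
            return False  # chain exhausted: the user must re-enrol with a new seed
        if hmac.compare_digest(hashlib.sha256(presented).digest(), self.current):
            self.current, self.n = presented, self.n - 1  # move one link down the chain
            return True
        return False  # wrong value, or a replay of an already-used link


def skey_client(passphrase: bytes, seed: bytes, index: int) -> bytes:
    """The client recomputes the requested link from the passphrase it memorised."""
    return hash_chain(passphrase, seed, index)


class ChallengeResponseServer:
    def __init__(self, user_keys: dict):
        self.keys, self.pending = user_keys, {}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(16)  # fresh random challenge per attempt
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # one challenge, one response
        if challenge is None:
            return False
        expected = hmac.new(self.keys[user], challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """What the token or client software computes from the challenge."""
    return hmac.new(key, challenge, "sha256").digest()


def demo() -> dict:
    passphrase, seed = b"correct horse battery", b"ex01"
    server = SKeyServer(passphrase, seed, n=3)
    results = {}
    seed_, idx = server.challenge()
    otp = skey_client(passphrase, seed_, idx)
    results["skey_first_login"] = server.verify(otp)
    results["skey_replay_rejected"] = server.verify(otp)  # same value again fails
    for name in ("skey_second_login", "skey_third_login", "skey_exhausted"):
        seed_, idx = server.challenge()
        results[name] = server.verify(skey_client(passphrase, seed_, idx))

    token_key = os.urandom(32)  # shared with the token at enrolment
    cr = ChallengeResponseServer({"alice": token_key})
    response = challenge_response(token_key, cr.challenge("alice"))
    results["cr_login"] = cr.verify("alice", response)
    results["cr_replay_rejected"] = cr.verify("alice", response)  # no pending challenge
    return results
```

Both servers reject a replay for different reasons: the S/Key server now holds the presented value itself, so hashing it once more no longer matches, while the challenge-response server has discarded the challenge. Neither server ever holds anything from which the user's secret can be recovered without inverting the hash.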
SecurID
- Uses two-factor authentication:
  - Physical object
  - Piece of knowledge
- Most frequently used one-time password solution with FireWall-1
SecurID Tokens
Axent Pathways Defender
- Uses two-factor authentication and a challenge-response system
Certificate-Based Authentication
- FireWall-1 supports the use of digital certificates to authenticate users
- Organization sets up a public key infrastructure (PKI) that generates keys for users
- User receives a code (public key) that is generated using the server’s private key and uses the public key to send encrypted information to the server
- Server receives the public key and can decrypt the information using its private key
802.1x Wi-Fi Authentication
- Supports wireless Ethernet connections
- Not supported by FireWall-1
- 802.1x protocol provides for authentication of users on wireless networks
- Wi-Fi uses Extensible Authentication Protocol (EAP)
Wireless Authentication
Chapter Summary
- Overview of authentication and its importance to network security
- How and why firewalls perform authentication services
- Types of authentication performed by firewalls:
  - User
  - Client
  - Session
Chapter Summary (continued)
- Generally, users supply:
  - Something they have (such as a smart card), or
  - Something they know (such as a password), or
  - Both
- Latest authentication systems measure or evaluate a physical attribute, such as a fingerprint or voiceprint
Chapter Summary (continued)
- In a centralized authentication system:
  - Firewall works with an authentication server
  - Authentication server handles:
    - Username and password maintenance/generation
    - Login requests
    - Auditing
- Examples of centralized authentication systems: Kerberos, TACACS+, RADIUS
Chapter Summary (continued)
- Passwords
  - Important part of virtually every authentication system
  - Take one of two general forms:
    - Single-word
      - User password compared against a database of passwords; access granted if a match is made
      - Vulnerable to the ability of hackers to determine passwords, to user error, and to bad security habits
    - One-time passwords
      - Generated dynamically each time the user attempts to log on to the network
      - Secret key used to generate a single- or multiple-word password