Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication
Jan 04, 2016

shelley-reese

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 8: Authentication. Objectives: define authentication; describe the different types of authentication credentials; list and explain the authentication models. Objectives (continued): define authentication servers. PowerPoint PPT presentation, 47 slides.
Transcript
Page 1: Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition

Chapter 8: Authentication

Page 2: Security+ Guide to Network Security Fundamentals, Third Edition

Objectives

- Define authentication
- Describe the different types of authentication credentials
- List and explain the authentication models

Page 3: Security+ Guide to Network Security Fundamentals, Third Edition

Objectives (continued)

- Define authentication servers
- Describe the different extended authentication protocols
- Explain how a virtual private network functions

Page 4: Security+ Guide to Network Security Fundamentals, Third Edition

Definition of Authentication

- Authentication can be defined in two contexts
  - The first is viewing authentication as it _________ ________________________
  - The second is to look at it as one of the ________ ____________ of security —___________, ______________, and __________________

Page 5: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication and Access Control Terminology (Review)

- Access control is the process by which resources or services are granted or denied
- Identification: the presentation of credentials or identification ________________________
- Authentication: the ____________________________ to ensure that they are __________________ and not fabricated
- Authorization: granting permission for admittance
- Access: the right to use specific resources

Page 6: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication, Authorization, and Accounting (AAA)

- Authentication in AAA provides _________ ________________________________
  - Typically by having them enter a valid ___________ before granting access
- Authorization is the process that determines whether the _____________________ to carry out certain tasks
  - Often defined as the process of ______________
- Accounting measures the ______________ _______________ during each network session

Page 7: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication, Authorization, and Accounting (AAA) (continued)

- The accounting information can then be used in different ways:
  - To find evidence of problems
  - For billing
  - For capacity planning activities
- AAA servers ______________ to performing ______________

Page 8: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Credentials

- Types of authentication, or authentication credentials:
  - Passwords
  - One-time passwords
  - Standard biometrics
  - Behavioral biometrics
  - Cognitive biometrics
- More to come on these…

Page 9: Security+ Guide to Network Security Fundamentals, Third Edition

One-Time Passwords

- _____________ passwords are typically ________ in nature
- One-time passwords (OTPs): ______________ passwords that change frequently
- Systems using OTPs generate a _______________ on demand that is __________________
- The most common type is a ___________________ OTP
  - Used in _____________ with a _______________
  - The token and a corresponding authentication server ____________________________________
  - Each user's token is seeded differently, so no two tokens produce the same sequence of codes even though they run the same algorithm

Page 10: Security+ Guide to Network Security Fundamentals, Third Edition

One-Time Passwords (continued)

Page 11: Security+ Guide to Network Security Fundamentals, Third Edition


Page 12: Security+ Guide to Network Security Fundamentals, Third Edition

One-Time Passwords (continued)

- There are several variations of OTP systems
- Challenge-based OTPs
  - Authentication server displays a challenge (a __________________) to the user
  - User then __________________________ into the token, which then executes a special algorithm to __________ a _____________________________
  - Because the ____________________ has this same algorithm, it can also generate the password and __________________________________________
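The two OTP variants on the last slides (a token-generated code that changes with time, and a challenge displayed by the server and answered by the token) rest on one idea: token and server hold the same seed and run the same algorithm, so the server can regenerate what the token produced. The Python below is an added example, not code from the textbook or its slides. The time- and counter-based codes follow RFC 4226 (HOTP) and RFC 6238 (TOTP); the challenge-response variant is a generic HMAC-over-nonce illustration, not any vendor's token algorithm; the seed, the timestamp and the user name are constructed values. The server side shows the two checks a practitioner wants beyond "does the code match": tolerating a little clock skew, and refusing to accept the same code or the same answered challenge twice.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # TOTP time step (RFC 6238 default)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the current time step, so the code changes every step."""
    return hotp(seed, now // STEP_SECONDS, digits)


def challenge_otp(seed: bytes, challenge: str, digits: int = 8) -> str:
    """Challenge-based OTP: the token MACs the server's nonce with the shared seed.
    Generic illustration (HMAC-SHA256), not a specific vendor's token algorithm."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).hexdigest()
    return str(int(mac, 16) % 10 ** digits).zfill(digits)


class Token:
    """What the user carries: it knows only the seed and the algorithm."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def time_code(self, now: int) -> str:
        return totp(self.seed, now)

    def answer(self, challenge: str) -> str:
        return challenge_otp(self.seed, challenge)


class AuthServer:
    """The authentication server: same seed, same algorithm, plus replay protection."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.last_step = -1   # highest time step already consumed by a successful login
        self.pending = {}     # user -> outstanding challenge nonce

    def verify_time_code(self, code: str, now: int, skew_steps: int = 1) -> bool:
        step = now // STEP_SECONDS
        for candidate in range(step - skew_steps, step + skew_steps + 1):
            if candidate <= self.last_step:
                continue  # already used: a replayed code is rejected even inside the skew window
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_step = candidate
                return True
        return False

    def issue_challenge(self, user: str) -> str:
        nonce = secrets.token_hex(8)  # fresh random challenge for every login attempt
        self.pending[user] = nonce
        return nonce

    def verify_answer(self, user: str, answer: str) -> bool:
        nonce = self.pending.pop(user, None)  # a challenge can be answered exactly once
        if nonce is None:
            return False
        return hmac.compare_digest(challenge_otp(self.seed, nonce), answer)


def demo() -> dict:
    """Run both flows once with constructed values and return the outcomes."""
    seed = b"constructed-example-seed"  # example only; real seeds are random and per token
    token, server = Token(seed), AuthServer(seed)
    now = 1_700_000_000
    code = token.time_code(now)
    first = server.verify_time_code(code, now)         # accepted
    replay = server.verify_time_code(code, now + 5)    # same step again: rejected
    challenge = server.issue_challenge("alice")
    reply = token.answer(challenge)
    answered = server.verify_answer("alice", reply)    # accepted
    reused = server.verify_answer("alice", reply)      # no pending challenge: rejected
    return {"first": first, "replay": replay, "answered": answered, "reused": reused}


if __name__ == "__main__":
    print(demo())
```

The skew window is what lets a hardware token with a slightly drifted clock keep working; the `last_step` guard is what stops an attacker who shoulder-surfed a code from using it inside that same window.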

Page 13: Security+ Guide to Network Security Fundamentals, Third Edition

Standard Biometrics

- ______________________________
  - Uses a ______________________________ for authentication (what the user is)
  - Examples: ___________________________, irises, retinas
- Types of fingerprint scanners
  - ________________ fingerprint scanner
  - _______________ fingerprint scanner
- Disadvantages
  - __________ hardware scanning devices must be installed
  - Readers are ______________________________

Page 14: Security+ Guide to Network Security Fundamentals, Third Edition

Behavioral Biometrics

- Authenticates by ____________________ that the user __________________
- Keystroke dynamics
  - Attempt to ____________________________
  - Keystroke dynamics uses two unique typing variables
  - User must authenticate by typing ______________ __________________________
  - Those, along with _____________ (used when typing username and password), are sent to the authentication server
  - If _______________ do not match the stored sample, the user is ___________________________
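The slide leaves the two typing variables unnamed; the usual pair is dwell time (how long a key is held) and flight time (the gap between releasing one key and pressing the next). The Python below is an added example, not the textbook's, showing how an authentication server can turn a few enrollment typings into a stored sample and then score a login attempt against it. The enrollment data, the genuine attempt and the impostor attempt are all constructed, and the z-score comparison is one simple scoring method chosen for illustration, not a claim about any product.

```python
from statistics import mean, pstdev

# A keystroke is (key, press_ms, release_ms). Dwell = release - press of one key;
# flight = press of the next key - release of this one.


def keystrokes(text: str, dwells, flights):
    """Build a constructed keystroke sequence from per-key dwell and flight times (ms)."""
    out, t = [], 0
    for i, key in enumerate(text):
        press, release = t, t + dwells[i]
        out.append((key, press, release))
        t = release + (flights[i] if i < len(flights) else 0)
    return out


def features(strokes):
    """Feature vector: all dwell times followed by all flight times."""
    dwell = [release - press for _, press, release in strokes]
    flight = [strokes[i + 1][1] - strokes[i][2] for i in range(len(strokes) - 1)]
    return dwell + flight


def enroll(samples, min_dev: float = 5.0):
    """Stored sample = per-feature mean and spread over several enrollment typings.
    min_dev stops a feature with near-zero variance from dominating the score."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    means = [mean(v[i] for v in vectors) for i in range(n)]
    devs = [max(pstdev([v[i] for v in vectors]), min_dev) for i in range(n)]
    return means, devs


def verify(template, attempt, threshold: float = 2.0) -> bool:
    """Accept when the mean absolute z-score of the attempt is below the threshold.
    Raising the threshold lowers false rejections but raises false acceptances."""
    means, devs = template
    vec = features(attempt)
    if len(vec) != len(means):
        return False  # different number of keys: the text itself was wrong, never mind the timing
    score = mean(abs(x - m) / d for x, m, d in zip(vec, means, devs))
    return score < threshold


def demo():
    """Constructed enrollment typings and two login attempts for the passphrase 'secret'."""
    enrollment = [
        keystrokes("secret", [90, 95, 88, 92, 90, 94], [120, 130, 125, 118, 122]),
        keystrokes("secret", [92, 93, 90, 90, 95, 91], [125, 128, 120, 122, 119]),
        keystrokes("secret", [88, 97, 91, 94, 89, 93], [118, 132, 127, 115, 125]),
    ]
    template = enroll(enrollment)
    genuine = keystrokes("secret", [91, 94, 89, 93, 92, 92], [122, 129, 123, 119, 121])
    impostor = keystrokes("secret", [150, 160, 155, 148, 152, 158], [300, 280, 310, 290, 305])
    return verify(template, genuine), verify(template, impostor)


if __name__ == "__main__":
    print(demo())
```

Note that the impostor typed the correct passphrase and is still rejected: the behavioral factor is what fails, which is the point of layering it on top of the password.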

Page 15: Security+ Guide to Network Security Fundamentals, Third Edition

Behavioral Biometrics (continued)

- Voice recognition
  - Used to authenticate users based on the unique _______________________________
  - Highly unlikely issue but still a concern: an attacker able to __________________ and then create a recording to use for authentication
- Computer footprint
  - __________________________ a user ______________ accesses a system

Page 16: Security+ Guide to Network Security Fundamentals, Third Edition

Cognitive Biometrics

- _________________ biometrics
  - Related to the ________________________, and ____________________ of the user
  - Considered to be much ___________________ to remember because it is based on the user's life experiences
- One example of cognitive biometrics is based on a life experience that the user remembers
- Another example of cognitive biometrics requires the user to identify specific faces

Page 17: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Models

- Authentication credentials can be ___________ to provide _______________
- Single and multi-factor authentication
  - One-factor authentication: using only _______________________
  - Two-factor authentication: _________________, particularly if different types of authentication methods are used
  - Three-factor authentication: requires that a user present ___________________ of authentication credentials

Page 18: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Models (continued)

- ___________________________
- Identity management: using a single authenticated ID to be ___________ ____________________________
- Federated identity management (FIM): when those networks are owned by ________________________________________
- One application of FIM is single sign-on (SSO)

Page 19: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Models (continued)

- Windows Live ID
  - Originally introduced in 1999 as .NET Passport
  - Requires a user to create a standard username and password
  - Originally designed as an ________________ ___________ and as a ____________________
  - When the user wants to log into a Web site that supports Windows Live ID, once authenticated, the user is given an encrypted, time-limited "global" cookie

Page 20: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Models (continued)

- Windows CardSpace
  - Feature of Windows that is ________________ ______________________ while helping them to manage privacy
  - Allows users to _______________________________
  - Types of cards
    - Managed cards
    - Personal cards

Page 21: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Models (continued)

Page 22: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Models (continued)

- OpenID
  - A decentralized __________________________ that does _______________________ to be installed on the desktop
  - A uniform resource locator ________________________
  - An OpenID identity is only a URL backed up by a __________________________________
  - OpenID provides a means to prove that the user owns that specific URL
  - Weakness: depends on being ________________ _________________ for authentication
  - Depends on ____________, which has its own weaknesses

Page 23: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Servers

- Authentication can be provided on a network by a dedicated AAA or authentication server
- The most common types of authentication and AAA servers are _______________________________ and generic servers built on the Lightweight Directory Access Protocol (LDAP)
- More to come on all of these…

Page 24: Security+ Guide to Network Security Fundamentals, Third Edition

RADIUS

- RADIUS (Remote Authentication Dial In User Service)
  - Developed in 1992
  - Quickly became the _____________________ with widespread support
  - Suitable for what are called "________________ control applications"
- With the development of IEEE 802.1X port security for both wired and wireless LANs, RADIUS has recently seen even _____________

Page 25: Security+ Guide to Network Security Fundamentals, Third Edition

RADIUS (continued)

- A RADIUS client is typically a device such as a __________________ or wireless access point (AP)
  - This device is responsible for __________________ and connection parameters in the form of a RADIUS message __________________________________
- The RADIUS _____________________________ the RADIUS client request
  - Sends back a RADIUS message response
- RADIUS clients also send RADIUS ___________ __________________ to RADIUS servers
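The exchange on the last two slides, a RADIUS client (the access point or dial-in server) packaging the user's credentials into an Access-Request and the RADIUS server answering with a signed Accept or Reject, as an added example that is not part of the slides or the textbook. It builds and parses the RFC 2865 wire format with the standard library only: the User-Password hiding scheme, the Response Authenticator the client must check before it trusts the verdict, and the server's decision. The shared secret, user database, NAS address and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def attribute(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute in Type-Length-Value form (Length counts its own 2-byte header)."""
    return struct.pack("BB", kind, len(value) + 2) + value


def parse_attributes(blob: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        kind, length = blob[pos], blob[pos + 1]
        attrs[kind] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding is stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(user: bytes, password: bytes, nas_ip: bytes, secret: bytes,
                   identifier: int, request_auth: bytes) -> bytes:
    """RADIUS client (NAS) side. request_auth must be 16 fresh random bytes per request."""
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, nas_ip))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, identifier, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    ok = (code == ACCESS_REQUEST and USER_NAME in attrs and USER_PASSWORD in attrs
          and attrs[USER_NAME] in users
          and hmac.compare_digest(reveal_password(attrs[USER_PASSWORD], secret, request_auth),
                                  users[attrs[USER_NAME]]))
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    response_auth = hashlib.md5(header + request_auth + secret).digest()  # no reply attributes here
    return header + response_auth


def client_verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator before acting on Accept or Reject."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth) and response[1] == request[1]


def demo():
    """One constructed exchange between a NAS and a server that share a secret."""
    secret = b"constructed-shared-secret"
    users = {b"alice": b"correct horse battery staple"}
    request = access_request(b"alice", users[b"alice"], bytes([10, 0, 0, 1]),
                             secret, 7, secrets.token_bytes(16))
    response = server_respond(request, secret, users)
    return response[0], client_verify_response(response, request, secret)


if __name__ == "__main__":
    print(demo())
```

Two caveats the example makes visible. The password hiding is MD5-based obfuscation keyed by the shared secret, not real encryption, and a plain Access-Request carries no integrity check at all unless the Message-Authenticator attribute (RFC 2869) is added; in practice RADIUS traffic is protected by running it over IPsec or RADIUS/TLS (RFC 6614) and by choosing a long, random shared secret per client.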

Page 26: Security+ Guide to Network Security Fundamentals, Third Edition


Page 27: Security+ Guide to Network Security Fundamentals, Third Edition

Kerberos

- ______________________
  - An _________________ developed by the Massachusetts Institute of Technology (MIT)
  - Used to ________________________________
  - Uses ___________ and ________________ for security
- Kerberos process
  - User is provided a _________ that is issued by the Kerberos authentication server
  - The ____ _________________ to the network for a service
  - The ________________________ to verify the identity of the user
  - If all checks out, the user is authenticated

Page 28: Security+ Guide to Network Security Fundamentals, Third Edition

Terminal Access Controller Access Control System Plus (TACACS+)

- Terminal Access Controller Access Control System ____________________
  - A widely used protocol specification, developed by Cisco (now documented in RFC 8907), that ___________________________________ to a ________________________
  - The centralized server can be a TACACS+ database
  - Designed to support ______________ of remote connections

Page 29: Security+ Guide to Network Security Fundamentals, Third Edition

Lightweight Directory Access Protocol (LDAP)

- ___________________: a database stored on the network itself that contains _________ ___________________________________
- X.500: a ____________ for directory services created by __________________
  - Outlining uniformity on ________________________
  - Capability to look up information by ___________ (white-pages service)
  - Browse and search for information by ______________ (yellow-pages service)

Page 30: Security+ Guide to Network Security Fundamentals, Third Edition

X.500 (continued) and DAP

- The information is held in a directory information base (DIB)
- Entries in the DIB are arranged in a tree structure called the directory information tree (DIT)
- X.500 _______ Directory Access Protocol (DAP) ___________ for a client application to ________ an X.500 directory
- DAP is too large to run on a personal computer

Page 31: Security+ Guide to Network Security Fundamentals, Third Edition

LDAP (continued)

- Lightweight Directory Access Protocol (LDAP)
  - Sometimes called ________________
  - A _________________________
- Primary differences
  - _________ was designed to _______________
  - LDAP has _________________
  - LDAP encodes its protocol elements in a _____ ___________ than X.500
  - LDAP is an ____________ protocol
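The X.500/LDAP slides describe a directory as a tree of entries that clients either look up by name (white pages) or search by attribute (yellow pages). The Python below is an added example, not from the slides or the textbook, that shows what those two operations look like on the wire: a distinguished name that names one entry by its path up the directory information tree, and search filters for the two kinds of query. It assumes a hypothetical DIT rooted at `dc=example,dc=com` with people under `ou=People`, and a hypothetical read-only bind account. It goes a step beyond the slides in one respect a practitioner needs: LDAP has its own quoting rules (RFC 4514 for DNs, RFC 4515 for filters), and a user-supplied value that is not escaped can change the meaning of the query, so both builders escape their inputs.

```python
BASE_DN = "ou=People,dc=example,dc=com"              # assumed DIT layout for this example
BIND_DN = "cn=reader,dc=example,dc=com"              # assumed read-only service account
LDAP_URI = "ldaps://ldap.example.com"                # assumed directory server (LDAP over TLS)


def escape_filter_value(value: str) -> str:
    """RFC 4515: the characters that would otherwise be read as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape the characters that separate or structure an RDN,
    plus a leading '#' or space and a trailing space."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def entry_dn(common_name: str) -> str:
    """A person's DN: the entry's own RDN followed by the path up the tree to the root."""
    return "cn=%s,%s" % (escape_dn_value(common_name), BASE_DN)


def white_pages_filter(common_name: str) -> str:
    """Look up one person by name."""
    return "(cn=%s)" % escape_filter_value(common_name)


def yellow_pages_filter(department: str, title_prefix: str) -> str:
    """Browse by attribute: everyone in a department whose title starts with a prefix.
    The '*' is our wildcard; any '*' inside the user-supplied values is escaped."""
    return "(&(ou=%s)(title=%s*)(objectClass=person))" % (
        escape_filter_value(department), escape_filter_value(title_prefix))


def ldapsearch_argv(filter_expr: str, *attributes: str) -> list:
    """argv for the OpenLDAP client: simple bind (-x) as BIND_DN, password prompted (-W),
    scoped to BASE_DN. Values are separate argv entries, so no shell quoting is involved."""
    return ["ldapsearch", "-H", LDAP_URI, "-x", "-W", "-D", BIND_DN,
            "-b", BASE_DN, filter_expr, *attributes]


def demo() -> list:
    """Constructed inputs, including one that tries to smuggle a second filter clause."""
    return [
        entry_dn("Smith, Alice"),
        white_pages_filter("Alice Smith"),
        white_pages_filter("*)(uid=*"),          # neutralised: matches nothing, opens no clause
        yellow_pages_filter("Sales", "Senior"),
        " ".join(ldapsearch_argv(white_pages_filter("Alice Smith"), "mail", "telephoneNumber")),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The white-pages lookup returns at most one entry and is what an authentication server does when it resolves a login name to a DN before binding as that user; the yellow-pages search returns a set and is what a mail client or provisioning script does. Both go over LDAPS here, since plain LDAP on port 389 carries bind passwords in the clear unless StartTLS is negotiated.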

Page 32: Security+ Guide to Network Security Fundamentals, Third Edition

Extended Authentication Protocols (EAP)

- Extensible Authentication Protocol (EAP)
  - _____________ protocol of IEEE 802.1X that governs the interaction between the system (supplicant), the authenticator, and the RADIUS (authentication) server
  - An "envelope" that can carry many ____________ of _______________ used for authentication
- The EAP protocols can be divided into three categories: legacy protocols, weak protocols, and strong protocols

Page 33: Security+ Guide to Network Security Fundamentals, Third Edition


Page 34: Security+ Guide to Network Security Fundamentals, Third Edition

Authentication Legacy Protocols

- _____________________ for authentication
- Three authentication legacy protocols include:
  - Password Authentication Protocol (PAP)
  - Challenge-Handshake Authentication Protocol (CHAP)
  - Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

Page 35: Security+ Guide to Network Security Fundamentals, Third Edition

EAP Weak Protocols

- ____________________________________
- EAP weak protocols include:
  - Extensible Authentication Protocol-MD5 (EAP-MD5)
  - Lightweight EAP (LEAP)
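CHAP from the legacy slide and EAP-MD5 from this one share a single computation: the peer proves it knows the secret by returning MD5(Identifier || secret || challenge) (RFC 1994 for CHAP, RFC 3748 section 5.4 for EAP-MD5). The Python below is an added example, not from the slides or the textbook, that runs that exchange in EAP framing from both sides and then shows why these are classed as weak: the challenge and the response both cross the network unprotected, so anyone who captures the two frames can test password guesses offline, with no further contact with the authenticator and no lockout to slow them down. The challenge bytes, user name, secret and word list are constructed for the example.

```python
import hashlib
import hmac

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP and RFC 3748 EAP-MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def eap_packet(code: int, identifier: int, type_data: bytes = b"") -> bytes:
    """EAP header Code(1) Identifier(1) Length(2); Request/Response add Type(1) and Type-Data."""
    length = 4 + len(type_data)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + type_data


def md5_challenge_request(identifier: int, challenge: bytes) -> bytes:
    """Authenticator -> peer: Type 4, Value-Size, Value (the challenge)."""
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return eap_packet(EAP_REQUEST, identifier, type_data)


def md5_challenge_response(request: bytes, secret: bytes, name: bytes) -> bytes:
    """Peer -> authenticator: Type 4, Value-Size, Value (the hash), Name."""
    identifier, value_size = request[1], request[5]
    challenge = request[6:6 + value_size]
    digest = chap_hash(identifier, secret, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + name
    return eap_packet(EAP_RESPONSE, identifier, type_data)


def authenticator_decide(request: bytes, response: bytes, secret: bytes) -> bytes:
    """Authenticator recomputes the hash with the stored secret and answers Success or Failure."""
    identifier = request[1]
    challenge = request[6:6 + request[5]]
    received = response[6:6 + response[5]]
    ok = (response[1] == identifier and response[4] == EAP_TYPE_MD5_CHALLENGE
          and hmac.compare_digest(received, chap_hash(identifier, secret, challenge)))
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)


def offline_dictionary_attack(request: bytes, response: bytes, candidates):
    """What an eavesdropper can do with the two captured frames: try guesses offline."""
    identifier = request[1]
    challenge = request[6:6 + request[5]]
    observed = response[6:6 + response[5]]
    for guess in candidates:
        if chap_hash(identifier, guess, challenge) == observed:
            return guess
    return None


def demo():
    """Constructed exchange: a successful login, then the same capture cracked from a word list."""
    secret = b"Summer2009"
    request = md5_challenge_request(42, bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"))
    response = md5_challenge_response(request, secret, b"alice")
    verdict = authenticator_decide(request, response, secret)
    wordlist = [b"password", b"letmein", b"Summer2008", b"Summer2009", b"Winter2009"]
    return verdict[0], offline_dictionary_attack(request, response, wordlist)


if __name__ == "__main__":
    print(demo())
```

The weakness is structural, not a bug in MD5: a keyed hash over a cleartext challenge gives an eavesdropper a free password oracle. LEAP fails the same way with its MS-CHAP-derived exchange. The strong protocols on the next slide do not change the inner method so much as wrap it: EAP-TLS, EAP-TTLS and PEAP first establish a TLS tunnel to the authentication server, so whatever is exchanged inside it never appears on the wire.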

Page 36: Security+ Guide to Network Security Fundamentals, Third Edition

EAP Strong Protocols

- EAP strong protocols acceptable for use in WLANs as well include:
  - EAP with Transport Layer Security (EAP-TLS): generally found in large Windows-based organizations
  - EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP): creates ___________________________ between client and authentication server

Page 37: Security+ Guide to Network Security Fundamentals, Third Edition

Remote Authentication and Security

- Important to _______________________ for _______________ communications
  - Transmissions are routed through networks or devices that the organization does not manage and secure
- _____________ remote authentication and security usually includes:
  - __________________ services
  - Installing a _______________________
  - Maintaining a consistent remote access ________

Page 38: Security+ Guide to Network Security Fundamentals, Third Edition

Remote Access Services (RAS)

- Remote Access Services (RAS)
  - Any __________________________ that enables ______________________________________
  - Provides remote users with the same access and functionality as local users

Page 39: Security+ Guide to Network Security Fundamentals, Third Edition

Virtual Private Networks (VPNs)

- Virtual private network (VPN)
  - One of the most common types of RAS
  - Uses an _________________, such as the Internet, as if it were a __________________
  - ______________ all data that is transmitted between the remote device and the network
- Two common types of VPNs
  - Remote-access VPN, aka virtual private dial-up network (VPDN)
  - Site-to-site VPN

Page 40: Security+ Guide to Network Security Fundamentals, Third Edition


Page 41: Security+ Guide to Network Security Fundamentals, Third Edition

Virtual Private Networks (continued)

- VPN transmissions are achieved through ____________________________ _________________ _________________ between VPN devices
- VPN ______________ _____________________
  - Aggregates hundreds or thousands of multiple connections
- Depending upon the type of endpoint that is being used, __________________________ on the devices that are connecting to the VPN

Page 42: Security+ Guide to Network Security Fundamentals, Third Edition

Virtual Private Networks (continued)

- VPNs can be hardware-based or software-based
  - ________________ VPNs offer the ____________ in how network traffic is managed
    - Preferred in instances where _____________________ ________________________________________
  - _________________ VPNs generally ___________ _________________ regardless of the protocol
  - Generally, software-based VPNs ___________ ___________________ as a hardware-based VPN and are not as easy to manage
  - __________________ VPNs generally tunnel all traffic they handle regardless of the protocol
  - ________________________________

Page 43: Security+ Guide to Network Security Fundamentals, Third Edition

Virtual Private Networks (continued)

- Advantages of VPN technology:
  - _____________: no more need for leased connections
  - ________________: full ______________ encrypted transmission
  - ______________: compresses data
  - _________________: invisible to end user
  - __________________: industry-wide __________________

Page 44: Security+ Guide to Network Security Fundamentals, Third Edition

Virtual Private Networks (continued)

- Disadvantages of VPN technology:
  - _______________: in-depth understanding of security issues needed
  - ________________________
  - __________________: additional protocols
  - _____________________
  - ____________________

Page 45: Security+ Guide to Network Security Fundamentals, Third Edition

Remote Access Policies

- Establishing ___________ _______________ is ______________________
  - Potential security risk possible
- Some recommendations for remote access policies:
  - Remote access policies should be ____________ for all users
  - Remote access should be the ______________ _____________________
  - Form a working group and create a __________ ______________ will agree to

Page 46: Security+ Guide to Network Security Fundamentals, Third Edition

Summary

- Access control is the process by which resources or services are denied or granted
- There are three types of authentication methods (what the user knows, what the user has, and what the user is)
- Authentication credentials can be combined to provide extended security
- Authentication can be provided on a network by a dedicated AAA or authentication server

Page 47: Security+ Guide to Network Security Fundamentals, Third Edition

Summary (continued)

- The management protocol of IEEE 802.1X that governs the interaction between the system (supplicant), the authenticator, and the RADIUS server is known as the Extensible Authentication Protocol (EAP)
- Organizations need to provide avenues for remote users to access corporate resources as if they were sitting at a desk in the office