Chapter 6: Authenticating Users
Learning Objectives
- Understand why authentication is a critical aspect of network security
- Describe why firewalls authenticate and how they identify users
- Describe user, client, and session authentication
- List advantages and disadvantages of popular centralized authentication systems
- Be aware of potential weaknesses of password security systems
- Understand the use of password security tools
- Be familiar with common authentication protocols used by firewalls
The Authentication Process in General
The act of identifying users and providing network services to them based on their identity. Three forms:
- Basic authentication (a reusable username and password)
- Challenge-response authentication
- Centralized authentication service (often uses two-factor authentication)
How Firewalls Implement the Authentication Process
1. Client makes a request to access a resource
2. Firewall intercepts the request and prompts the user for a name and password
3. User submits the credentials to the firewall
4. Firewall authenticates the user
5. Request is checked against the firewall's rule base
6. If the request matches an existing allow rule, the user is granted access
7. User accesses the desired resource
Types of Authentication with Firewalls
- User authentication
- Client authentication
- Session authentication

User Authentication
- Basic authentication: the user supplies a username and password to access networked resources
- Users who need to legitimately access your internal servers must be added to your Access Control Lists (ACLs)
Client Authentication
- Same as user authentication, but the grant is tied to the client's IP address and carries an additional time limit or usage (number of sessions) limit
- When configuring, set up one of two sign-on types:
  - Standard sign-on: the user authenticates once and is then allowed every rule that applies to that user for the duration of the grant
  - Specific sign-on: the user must authenticate separately for each server and service
- Caveat: because the grant follows the address, anyone else using that address (a shared host, a NAT gateway) inherits it until it expires
Session Authentication
- Required any time the client establishes a session with a server or other networked resource
- Credentials are bound to that one session; a new session, even from the same host, must authenticate again
Comparison of Authentication Methods
Method   | Grant is bound to            | Grant lasts for
User     | the credentials presented    | one request
Client   | the client's IP address      | until the time or usage limit expires
Session  | one session                  | that session only
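To make the three modes concrete, here is a small model of the seven-step process above with user, client and session authentication side by side. It is an added example, not code from any firewall product: the user table, rule base, IP addresses, services and the salted-hash password store are all constructed for illustration, and only the standard sign-on variant of client authentication is modelled. The `demo()` function returns the outcome of each check so the client-authentication caveat (the grant follows the address, not the person) can be seen rather than asserted.

```python
"""Toy model of user, client and session authentication at a firewall.
Added example, not code from any firewall product: the user database,
rule base, addresses and services below are constructed for illustration."""
import hashlib
import hmac
import os
import time


def _record(password: str):
    """Salted SHA-256 of a password; a real firewall would query a directory
    or a RADIUS/TACACS+ server instead of a local table."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


USERS = {"alice": _record("correct horse"), "bob": _record("hunter2")}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    cand = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(cand, digest)


# Rule base: (user, destination, service); "*" is a wildcard.
RULES = [("alice", "10.0.1.10", "ssh"), ("bob", "10.0.1.20", "http")]


def rule_allows(user: str, dst: str, service: str) -> bool:
    return any(u in (user, "*") and d in (dst, "*") and s in (service, "*")
               for u, d, s in RULES)


class Firewall:
    def __init__(self, now=time.time):
        self.now = now
        self.client_grants = {}   # src_ip -> (user, expiry): client authentication state
        self.sessions = set()     # (src_ip, dst, service): sessions already authenticated

    def user_auth(self, user, password, dst, service) -> bool:
        """User authentication: credentials are checked on every request."""
        return check_password(user, password) and rule_allows(user, dst, service)

    def client_auth(self, src_ip, user, password, ttl_seconds) -> bool:
        """Client authentication, standard sign-on: one login authorizes the
        source IP address for ttl_seconds, for every rule granted to the user."""
        if not check_password(user, password):
            return False
        self.client_grants[src_ip] = (user, self.now() + ttl_seconds)
        return True

    def client_request(self, src_ip, dst, service) -> bool:
        grant = self.client_grants.get(src_ip)
        if grant is None or self.now() > grant[1]:
            self.client_grants.pop(src_ip, None)
            return False
        return rule_allows(grant[0], dst, service)

    def session_auth(self, src_ip, user, password, dst, service) -> bool:
        """Session authentication: credentials are bound to this one session."""
        if check_password(user, password) and rule_allows(user, dst, service):
            self.sessions.add((src_ip, dst, service))
            return True
        return False


def demo():
    clock = [1000.0]
    fw = Firewall(now=lambda: clock[0])
    out = {}
    out["user_ok"] = fw.user_auth("alice", "correct horse", "10.0.1.10", "ssh")
    out["user_bad_password"] = fw.user_auth("alice", "nope", "10.0.1.10", "ssh")
    out["user_no_rule"] = fw.user_auth("alice", "correct horse", "10.0.1.20", "http")
    fw.client_auth("10.0.0.5", "alice", "correct horse", ttl_seconds=600)
    out["client_ok"] = fw.client_request("10.0.0.5", "10.0.1.10", "ssh")
    # Caveat: the grant is tied to the address, not the person. A second user on
    # the same host, or anyone behind the same NAT, inherits alice's access
    # until the limit expires; nothing in this request identifies who sent it.
    out["client_shared_ip"] = fw.client_request("10.0.0.5", "10.0.1.10", "ssh")
    clock[0] += 601
    out["client_expired"] = fw.client_request("10.0.0.5", "10.0.1.10", "ssh")
    out["session_ok"] = fw.session_auth("10.0.0.7", "bob", "hunter2", "10.0.1.20", "http")
    # A new session to a different service must authenticate again.
    out["session_other_service"] = ("10.0.0.7", "10.0.1.10", "ssh") in fw.sessions
    return out


if __name__ == "__main__":
    print(demo())
```

The injected clock lets the time limit be exercised without waiting; in a real deployment the same expiry logic runs against wall-clock time, and specific sign-on would additionally key `client_grants` on the destination and service.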
Centralized Authentication
- A centralized server maintains all authorizations for users regardless of where the user is located and how the user connects to the network
- Most common methods:
  - Kerberos
  - TACACS+ (Terminal Access Controller Access Control System Plus)
  - RADIUS (Remote Authentication Dial-In User Service)

Process of Centralized Authentication
Kerberos Authentication
- Provides authentication, and session keys for encrypting the traffic that follows, through standard clients and servers
- Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources; every principal shares a long-term key with the KDC
- The default domain authentication protocol of Windows 2000/XP and later (Active Directory)
- Advantages:
  - The user's password is never sent across the network: the client proves knowledge of it by decrypting the KDC's reply, and the KDC holds only a key derived from it
  - Widely used in the UNIX environment; enables authentication across operating systems
- Caveats: the KDC is a single trusted point (compromise it and every principal's key is exposed), and tickets carry timestamps, so clocks must be kept loosely synchronized
TACACS+
- Latest and strongest of a family of Cisco access-control protocols (TACACS, XTACACS, TACACS+) originally built for dial-up access; runs over TCP port 49
- Provides AAA services: Authentication, Authorization, Accounting (auditing of sessions)
- Obfuscates the entire packet body by XORing it with an MD5-derived pad keyed on the shared secret; RFC 8907 explicitly calls this obfuscation rather than encryption, so the link itself should be protected (for example with IPsec) where it crosses an untrusted network
RADIUS
- Centralized dial-in authentication service that uses UDP (port 1812 for authentication and 1813 for accounting; older deployments use 1645 and 1646)
- Transmits authentication packets essentially unencrypted across the network: only the User-Password attribute is hidden (XORed with MD5 of the shared secret and the Request Authenticator); the user name and every other attribute travel in cleartext, and captured traffic allows an offline dictionary attack on the shared secret
- Provides a lower level of security than TACACS+ but is more widely supported
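The difference between "hides the password" and "obfuscates the whole body" is easiest to see by running both algorithms. The block below is an added example implementing the published constructions, RFC 2865 section 5.2 for RADIUS User-Password hiding and RFC 8907 section 4.5 for TACACS+ body obfuscation; it is not code from either protocol's reference implementation, and the shared secrets, Request Authenticator, session id and message bodies are constructed values. It shows that a RADIUS Access-Request still carries the user name in cleartext, while the TACACS+ body carries nothing recognisable once padded.

```python
"""How RADIUS and TACACS+ protect (or don't) what they carry.  Added example
implementing the published algorithms, RFC 2865 section 5.2 (RADIUS
User-Password hiding) and RFC 8907 section 4.5 (TACACS+ body obfuscation);
the shared secrets, authenticator and session values are constructed."""
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Hide a User-Password: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_unhide_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """What the server, or anyone who learns the shared secret, computes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request_attrs(secret: bytes, request_authenticator: bytes,
                                username: bytes, password: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name (type 1) is sent as-is;
    only User-Password (type 2) is hidden.  Each attribute is type, length, value."""
    hidden = radius_hide_password(secret, request_authenticator, password)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """TACACS+ pseudo-pad: MD5(session_id, key, version, seq_no[, previous MD5])
    chained until it covers the body, then XORed in.  Applying it twice restores
    the body, so the same function serves both ends."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return _xor(body, pad)


if __name__ == "__main__":
    secret, ra = b"s3cret-shared", bytes(range(16))          # constructed values
    attrs = radius_access_request_attrs(secret, ra, b"alice", b"hunter2")
    print("RADIUS: user name readable on the wire:", b"alice" in attrs)
    body = b"user=alice password=hunter2"                     # constructed placeholder body
    wire = tacacs_obfuscate(b"tacacs-key", 0x1234ABCD, 0xC0, 1, body)
    print("TACACS+: user name readable on the wire:", b"alice" in wire)
```

Neither construction is a modern cipher: both derive a keystream from MD5 over a shared secret, and both are only as strong as that secret. The RADIUS variant also ties the keystream to the Request Authenticator, which is why a server behind NAT cannot simply look up the secret by source address (see the NAT comparison below).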
TACACS+ and RADIUS Compared
Four points of comparison: strength of security, filtering characteristics, proxy characteristics, NAT characteristics.

Strength of Security
- TACACS+ obfuscates the entire packet body, including user names and authorization data
- RADIUS hides only the User-Password attribute; everything else is cleartext

Filtering Characteristics
- TACACS+ uses a single TCP port (49), so one stateful rule admits the whole exchange
- RADIUS uses UDP ports 1812 and 1813 (older deployments 1645 and 1646); stateless UDP means the firewall must separately admit replies from the server

Proxy Characteristics
- RADIUS: doesn't work with generic proxy systems, but a RADIUS server can itself function as a proxy, forwarding requests to another RADIUS server by realm
- TACACS+: works with generic proxy systems

NAT Characteristics
- RADIUS: doesn't work with NAT, because the server identifies the client (the NAS) by its source IP address and selects the shared secret by that address
- TACACS+: should work through NAT systems
Password Security Issues
- Passwords that can be cracked (recovered by an unauthorized user)
- User error with passwords
- Lax security habits

Passwords That Can Be Cracked
Ways to crack passwords:
- Find a way to authenticate without knowing the password
- Uncover the password from the system that holds it
- Guess the password
To avoid the issue:
- Protect stored passwords effectively (keep only salted one-way hashes, in a file ordinary users cannot read)
- Observe security habits

User Error with Passwords
Built-in vulnerabilities:
- Often easy to guess
- Often stored visibly (written down, kept in plain-text files)
- Social engineering
To avoid the issues:
- Choose complicated passwords
- Memorize passwords
- Never give passwords out to anyone

Lax Security Habits
To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU) that states the password rules users agree to follow
Password Security Tools
- One-time password software
- Shadow password system

One-Time Password Software
- Password is generated using a secret key
- Password is used only once, when the user authenticates
- Different passwords are used for each authentication session, so a password captured in transit is useless to an eavesdropper
- Types:
  - Challenge-response passwords
  - Password list passwords
Shadow Password System
- A feature of Linux (and other UNIX systems) that moves password hashes out of the world-readable /etc/passwd into /etc/shadow, a file readable only by root; the password field of /etc/passwd keeps a placeholder such as x
- Passwords are stored only after being hashed by a one-way function together with a randomly generated salt, so two users with the same password get different stored values and precomputed tables are defeated
- The hash field records the method used ($6$ for SHA-512 crypt, $y$ for yescrypt, $1$ for the older and weaker MD5 crypt; a bare 13-character value is legacy DES crypt, which only honours the first 8 password characters)
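A practitioner usually meets the shadow file when auditing it, so the added example below parses shadow-format entries and flags weak storage: empty password fields, legacy DES and MD5 crypt hashes, and passwords that never expire. It is not code from any Linux distribution, and the sample file is constructed with fake hash strings (they are not real digests) so it runs without touching a real system. Field layout and method prefixes follow shadow(5) and crypt(5).

```python
"""Audit /etc/shadow-style entries for weak password storage.  Added example;
the sample file below is constructed with fake hashes (the hash strings are
not real digests) so that it runs without touching a real system."""

# crypt(3) hash-method prefixes seen on common Linux systems.
METHODS = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
           "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}

SAMPLE_SHADOW = """\
root:$6$saltsalt$fakeSha512CryptHash:19000:0:99999:7:::
alice:$y$j9T$fakeSalt$fakeYescryptHash:19500:1:90:7:::
bob::19500:0:99999:7:::
carol:$1$abcdefgh$fakeMd5CryptHash:18000:0:99999:7:::
dave:*:19000:0:99999:7:::
legacy:abJnggxhB/yWI:17000:0:99999:7:::
broken:$6$onlyfour:fields
"""


def audit_entry(line: str) -> list:
    """Return findings for one line; an empty list means nothing to report.
    Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        return ["malformed entry: expected 9 colon-separated fields"]
    _name, pw, _last, _min, max_days, _warn, _inactive, _expire, _reserved = fields
    if pw == "":
        return ["empty password field: anyone can log in without a password"]
    if pw.startswith(("!", "*")):
        return []          # locked, or password login disabled: nothing to crack
    findings = []
    method = next((m for prefix, m in METHODS.items() if pw.startswith(prefix)), None)
    if method is None:
        if len(pw) == 13:
            findings.append("legacy DES crypt hash: only the first 8 password characters count")
        else:
            findings.append("unrecognised hash format")
    elif method == "md5crypt":
        findings.append("md5crypt hash: cheap to brute-force; rehash with sha512crypt or yescrypt")
    if max_days in ("", "99999"):
        findings.append("password never expires")
    return findings


def audit(shadow_text: str) -> dict:
    """Map each account name to its findings."""
    return {line.split(":", 1)[0]: audit_entry(line)
            for line in shadow_text.splitlines() if line.strip()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SHADOW).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

On a live system, run the audit as root and also check the file's mode and owner (it should be readable only by root, or by root and the shadow group): a readable shadow file hands every hash to an attacker, and salting only slows a dictionary attack down, it does not stop one.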
Other Authentication Systems
- Single-password systems
- One-time password systems
- Certificate-based authentication
- 802.1X Wi-Fi authentication

Single-Password Systems
- Operating system password
- Internal firewall password

One-Time Password Systems
- Single Key (S/Key)
- SecurID
- Axent Pathways Defender
Single Key (S/Key) Password Authentication
- Uses multiple-word rather than single-word passwords: each one-time password is presented as six short English words encoding a 64-bit value (RFC 1760)
- The user specifies a secret passphrase and the number of times n it is to be hashed; the passphrase and a server-supplied seed are processed by a one-way hash function n times, and the result is stored on the server
- At each login the user presents the value hashed one time fewer (n-1, then n-2, and so on); the server hashes it once more, compares with what it stored, and then stores the new value
- Never stores the original passphrase on the server, and a stolen server value cannot be turned into the next valid password because the hash is one-way
SecurID Password Authentication
- Uses two-factor authentication:
  - Physical object: a token that displays a code which changes on a fixed interval (typically every 60 seconds), computed from a secret seed inside the token and the current time
  - Piece of knowledge: the user's PIN, which is combined with the displayed code to form the passcode
- Most frequently used one-time password solution with FireWall-1
- Server and token must keep their clocks in step; the server accepts codes from a small window of adjacent intervals to tolerate drift, and must refuse a code that has already been accepted

SecurID Tokens
Axent Pathways Defender Password Authentication
- Uses two-factor authentication and a challenge-response system: the server sends a random challenge, the user keys it into the token, and the token computes a response from the challenge and its embedded secret; the user returns the response together with a PIN
- Because each challenge is issued once, a captured response cannot be replayed against a later challenge
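Both token styles described above, time-synchronous (SecurID-style) and challenge-response (Defender-style), can be built from the same keyed-hash primitive, so one added example covers both. It uses the published HOTP construction (RFC 4226, with the RFC 6238 time-step variant for the first style), not either vendor's proprietary algorithm; the secret, PINs and clock values are constructed. The test vector for counter 0 of the RFC 4226 secret is checked in the test so the HOTP implementation is known-correct, and `demo()` exercises the replay and clock-drift handling a server needs.

```python
"""Two-factor one-time passwords in the two styles named above: time-synchronous
(SecurID-style) and challenge-response (Defender-style).  Added example built on
the published HOTP construction (RFC 4226; RFC 6238 for the time variant), not
on either vendor's proprietary algorithm; secrets, PINs and clock values are
constructed."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class TimeToken:
    """The physical object: a secret and a clock; shows a new code every step."""
    def __init__(self, secret: bytes, step: int = 60):
        self.secret, self.step = secret, step

    def code(self, now: int) -> str:
        return hotp(self.secret, now // self.step)


class TimeServer:
    def __init__(self, secret: bytes, pin: str, step: int = 60, window: int = 1):
        self.secret, self.pin, self.step, self.window = secret, pin, step, window
        self.last_counter = -1   # highest time-step already accepted: replay guard

    def verify(self, passcode: str, now: int) -> bool:
        """Passcode = PIN (something you know) + token code (something you have).
        Accept codes within +/- window steps of the server clock, each at most once."""
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def challenge_token_response(secret: bytes, challenge: int) -> str:
    """What the token computes from the keyed-in challenge and its secret."""
    return hotp(secret, challenge, digits=8)


class ChallengeServer:
    def __init__(self, secret: bytes, pin: str):
        self.secret, self.pin = secret, pin
        self.outstanding = set()   # challenges issued and not yet answered

    def challenge(self) -> int:
        """8-digit random nonce the user types into the token; usable once."""
        c = int.from_bytes(os.urandom(4), "big") % 10 ** 8
        self.outstanding.add(c)
        return c

    def verify(self, challenge: int, pin: str, response: str) -> bool:
        if challenge not in self.outstanding:
            return False           # never issued, or already consumed (replay)
        self.outstanding.discard(challenge)
        ok_pin = hmac.compare_digest(pin, self.pin)
        ok_response = hmac.compare_digest(challenge_token_response(self.secret, challenge), response)
        return ok_pin and ok_response


def demo() -> list:
    secret, pin, now = b"12345678901234567890", "1234", 120_000   # constructed
    token, server = TimeToken(secret), TimeServer(secret, pin)
    r = []
    r.append(server.verify(pin + token.code(now), now))               # True
    r.append(server.verify(pin + token.code(now), now))               # False: code reused
    r.append(server.verify("0000" + token.code(now + 60), now + 60))  # False: wrong PIN
    r.append(server.verify(pin + token.code(now + 60), now + 90))     # True: 30 s drift, in window
    cs = ChallengeServer(secret, pin)
    c = cs.challenge()
    resp = challenge_token_response(secret, c)
    r.append(cs.verify(c, pin, resp))                                 # True
    r.append(cs.verify(c, pin, resp))                                 # False: challenge consumed
    r.append(cs.verify(cs.challenge(), pin, resp))                    # False: answer to an old challenge
    return r


if __name__ == "__main__":
    print(demo())
```

The `last_counter` guard is what stops a passcode seen on the wire from being reused within the drift window; without it, a time-synchronous scheme degrades to a reusable password for up to three minutes. The challenge-response server instead consumes each nonce on first use, so its replay protection needs no clock at all, which is why that style is often preferred where client clocks cannot be trusted.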
Certificate-Based Authentication
- FireWall-1 supports the use of digital certificates to authenticate users
- The organization sets up a Public Key Infrastructure (PKI) whose Certificate Authority (CA) issues each user a certificate binding the user's public key to the user's identity, signed with the CA's private key
- The user keeps the matching private key and proves possession of it, for example by signing a challenge from the firewall; the firewall checks the signature with the public key in the certificate and verifies the certificate's CA signature, validity period and revocation status
- Information sent to the server is encrypted with the server's public key, and the server decrypts it with its private key
802.1X Wi-Fi Authentication
- IEEE 802.1X is port-based network access control; it supports wired and wireless Ethernet connections and is the basis of WPA/WPA2 Enterprise Wi-Fi
- Not supported by FireWall-1
- The 802.1X protocol provides for authentication of users before they are given network access: the supplicant (client) talks to the authenticator (access point or switch) using EAP over LAN (EAPOL), and the authenticator relays the exchange to a back-end authentication server, usually RADIUS
- Wi-Fi uses the Extensible Authentication Protocol (EAP), which carries methods such as EAP-TLS (client certificates) or PEAP (a password exchanged inside a TLS tunnel)
Chapter Summary
- Overview of authentication and its importance to network security
- How and why firewalls perform authentication services
- Types of authentication performed by firewalls: user, client, session
- Centralized authentication methods that firewalls can use: Kerberos, TACACS+, RADIUS
- Password security issues and special password security tools
- Authentication protocols used by full-featured enterprise-level firewalls