Authenticating Users Chapter 6
Learning Objectives
• Understand why authentication is a critical aspect of network security
• Describe why firewalls authenticate and how they identify users
• Describe user, client, and session authentication
• List advantages and disadvantages of popular centralized authentication systems
Learning Objectives
• Be aware of potential weaknesses of password security systems
• Understand the use of password security tools
• Be familiar with common authentication protocols used by firewalls
The Authentication Process in General
• The act of identifying users and providing network services to them based on their identity
• Three forms
  • Basic authentication
  • Challenge-response authentication
  • Centralized authentication service (often uses two-factor authentication)
How Firewalls Implement the Authentication Process
• Client makes a request to access a resource
• Firewall intercepts the request and prompts the user for name and password
• User submits information to the firewall
• User is authenticated
• Request is checked against the firewall’s rule base
• If the request matches an existing allow rule, the user is granted access
• User accesses the desired resources
Types of Authentication with Firewalls
• User authentication
• Client authentication
• Session authentication
User Authentication
• Basic authentication; the user supplies a username and password to access networked resources
• Users who legitimately need access to your internal servers must be added to your Access Control Lists (ACLs)
Client Authentication
• Same as user authentication but with additional time limit or usage limit restrictions
• When configuring, set up one of two types of authentication systems
  • Standard sign-on system
  • Specific sign-on system
Session Authentication
• Required any time the client establishes a session with a server or other networked resource
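As an added example (not code from the textbook or any firewall product), a small Python model of the process just described: the firewall intercepts a request, authenticates the user, and only then checks the request against its rule base. It also shows the difference between user authentication (credentials checked every time) and client authentication (one sign-on reused until a time or usage limit is reached). The user table, rule base and clock are constructed for the demo.

```python
import hmac
import time

# Constructed credential store and rule base for this demo (not from any real firewall).
USERS = {"alice": "s3cret", "bob": "hunter2"}
# Rule base entries: (user or "*" for any user, destination, action); first match wins, default deny.
RULES = [("alice", "intranet", "allow"),
         ("*", "public", "allow"),
         ("*", "intranet", "deny")]


class Firewall:
    def __init__(self, time_limit=3600, usage_limit=3, now=time.time):
        self.now = now                  # clock, injectable for testing
        self.time_limit = time_limit    # client authentication: seconds a sign-on stays valid
        self.usage_limit = usage_limit  # client authentication: sessions allowed per sign-on
        self.signed_on = {}             # user -> [sign-on time, sessions used]

    def user_auth(self, user, password):
        """User authentication: plain username + password check on every call."""
        expected = USERS.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

    def client_auth(self, user, password):
        """Client authentication (standard sign-on): authenticate once, then reuse the
        sign-on for further sessions until the time limit or usage limit is reached."""
        rec = self.signed_on.get(user)
        if rec is None or self.now() - rec[0] > self.time_limit or rec[1] >= self.usage_limit:
            if not self.user_auth(user, password):
                return False
            rec = self.signed_on[user] = [self.now(), 0]
        rec[1] += 1
        return True

    def rule_allows(self, user, dest):
        """Check the authenticated request against the rule base (first match wins)."""
        for rule_user, rule_dest, action in RULES:
            if rule_user in ("*", user) and rule_dest == dest:
                return action == "allow"
        return False

    def request(self, user, password, dest):
        """The intercepted request: authenticate first, then consult the rules."""
        if not self.client_auth(user, password):
            return "auth-failed"
        return "allowed" if self.rule_allows(user, dest) else "denied"
```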
Centralized Authentication
• A centralized server maintains all authorizations for users regardless of where the user is located and how the user connects to the network
• Most common methods
  • Kerberos
  • TACACS+ (Terminal Access Controller Access Control System)
  • RADIUS (Remote Authentication Dial-In User Service)
Kerberos Authentication
• Provides authentication and encryption through standard clients and servers
• Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources
• Used internally on Windows 2000/XP
• Advantages
  • Passwords are not stored on the system
  • Widely used in UNIX environments; enables authentication across operating systems
TACACS+
• Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems)
• Provides AAA services
  • Authentication
  • Authorization
  • Auditing
• Uses the MD5 algorithm to encrypt data
RADIUS
• Centralized dial-in authentication service that uses UDP
• Transmits authentication packets unencrypted across the network
• Provides a lower level of security than TACACS+ but is more widely supported
TACACS+ and RADIUS Compared
• Strength of security
• Filtering characteristics
• Proxy characteristics
• NAT characteristics
Proxy Characteristics
• RADIUS
  • Doesn’t work with generic proxy systems, but a RADIUS server can function as a proxy server
• TACACS+
  • Works with generic proxy systems
NAT Characteristics
• RADIUS
  • Doesn’t work with NAT
• TACACS+
  • Should work through NAT systems
Password Security Issues
• Passwords that can be cracked (accessed by an unauthorized user)
• User error with passwords
• Lax security habits
Passwords That Can Be Cracked
• Ways to crack passwords
  • Find a way to authenticate without knowing the password
  • Uncover the password from the system that holds it
  • Guess the password
• To avoid the issue
  • Protect passwords effectively
  • Observe good security habits
User Error with Passwords
• Built-in vulnerabilities
  • Often easy to guess
  • Often stored visibly
  • Social engineering
• To avoid the issues
  • Choose complicated passwords
  • Memorize passwords
  • Never give passwords out to anyone
Lax Security Habits
• To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)
Password Security Tools
• One-time password software
• Shadow password system
One-Time Password Software
• Password is generated using a secret key
• Password is used only once, when the user authenticates
• A different password is used for each authentication session
• Types
  • Challenge-response passwords
  • Password list passwords
Shadow Password System
• A feature of Linux that stores passwords in a separate file with restricted access
• Passwords are stored only after being encrypted with a randomly generated value (salt) and an encoding formula
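An added illustration (not from the textbook) of the two ideas in this slide: a colon-separated shadow-style entry checked separately from the account list, and a password stored only as salt plus hash. It assumes PBKDF2-HMAC-SHA256 as the "encoding formula" in place of the crypt(3) hash a real Linux system uses, and the shadow lines below are constructed for the demo.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for the crypt(3) "encoding formula";
# the $id$rounds$salt$hash layout mirrors the modular-crypt strings found in /etc/shadow.
ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salt with a random value before hashing, so two users with the same
    password get different stored strings and precomputed tables do not apply."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"$pbkdf2-sha256${ROUNDS}${salt.hex()}${dk.hex()}"


def verify_entry(password, stored):
    """Re-run the formula with the stored salt and compare in constant time."""
    _, _alg, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def check_shadow(shadow_text, user, password):
    """Shadow lines are name:hash:lastchg:min:max:warn:inactive:expire:flag.
    An empty hash field or one starting with '!' or '*' never verifies (locked account)."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            if fields[1] == "" or fields[1][0] in "!*":
                return False
            return verify_entry(password, fields[1])
    return False            # unknown user


# Constructed shadow file: alice has a real hash (fixed salt so the demo is repeatable),
# bob's account is locked. In /etc/passwd the hash field would just hold "x".
SHADOW = "\n".join([
    "alice:" + hash_password("hunter2", salt=bytes(16)) + ":19000:0:99999:7:::",
    "bob:!:19000:0:99999:7:::",
])
```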
Other Authentication Systems
• Single-password systems
• One-time password systems
• Certificate-based authentication
• 802.1x Wi-Fi authentication
Single-Password Systems
• Operating system password
• Internal firewall password
One-Time Password Systems
• Single Key (S/Key)
• SecurID
• Axent Pathways Defender
Single Key (S/Key) Password Authentication
• Uses multiple-word rather than single-word passwords
• User specifies a single-word password and the number of times it is to be encrypted
• Password is processed by a hash function n times; the resulting encrypted passwords are stored on the server
• Never stores the original password on the server
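As an added example (not from the textbook or the original S/Key implementation), the hash chain that makes this work: the server keeps only the n-th hash, the client presents the (n-1)-th, and the server accepts it if hashing it once gives what it stored. Each accepted value replaces the stored one, so a captured password cannot be replayed. SHA-256 is assumed in place of S/Key's MD4/MD5-based function, and the seed, user and secret are constructed.

```python
import hashlib
import hmac


def skey_hash(secret, seed, n):
    """Client side: H^n applied to (seed + secret). Assumption: SHA-256 stands in for
    the MD4/MD5 folded-to-64-bit function of the real S/Key. H^0 is itself a hash,
    so even the last one-time password of a chain never exposes the secret."""
    h = hashlib.sha256((seed + secret).encode()).digest()
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h


class SKeyServer:
    """Server side: stores only H^n and the counter; the secret is discarded at enrolment."""

    def __init__(self, user, secret, seed, n):
        self.user, self.seed, self.n = user, seed, n
        self.stored = skey_hash(secret, seed, n)   # enrolment; nothing else is kept

    def challenge(self):
        """Tell the client which link of the chain to present next."""
        return self.seed, self.n - 1

    def login(self, response):
        """Accept H^(n-1) iff one more hash gives the stored H^n; then move down the chain."""
        if self.n <= 0:
            return False                           # chain exhausted: user must re-enrol
        if not hmac.compare_digest(hashlib.sha256(response).digest(), self.stored):
            return False                           # wrong password, or a replayed one
        self.stored = response                     # the presented value becomes the new H^n
        self.n -= 1
        return True
```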
SecurID Password Authentication
• Uses two-factor authentication
  • Physical object
  • Piece of knowledge
• Most frequently used one-time password solution with FireWall-1
Axent Pathways Defender Password Authentication
• Uses two-factor authentication and a challenge-response system
Certificate-Based Authentication
• FireWall-1 supports the use of digital certificates to authenticate users
• The organization sets up a Public Key Infrastructure (PKI) that generates keys for users
• The user receives a code (public key) that is generated using the server’s private key and uses the public key to send encrypted information to the server
• The server receives the public key and can decrypt the information using its private key
802.1x Wi-Fi Authentication
• Supports wireless Ethernet connections
• Not supported by FireWall-1
• The 802.1x protocol provides for authentication of users on wireless networks
• Wi-Fi uses the Extensible Authentication Protocol (EAP)
Chapter Summary
• Overview of authentication and its importance to network security
• How and why firewalls perform authentication services
• Types of authentication performed by firewalls
  • Client
  • User
  • Session
Chapter Summary
• Centralized authentication methods that firewalls can use
  • Kerberos
  • TACACS+
  • RADIUS
• Password security issues and special password security tools
• Authentication protocols used by full-featured enterprise-level firewalls