Network access control • Unit objectives • Explain network authentication methods • Explain the basic concepts behind public key infrastructure • Explain the methods of remote access security • Explain the methods to secure a wireless network
Topic A • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security
AAA • Authentication • Authorization • Accounting
Usernames and passwords • Usernames • Unique identifier • Can be simple or complex • Passwords • Simple passwords not recommended • Complex passwords use letters, numbers, special characters • Minimum password length • Combination provides user authentication
Password protection • Memorize password • Use different passwords • Use longer passwords • Use upper- and lower-case letters, numbers and special characters • Change frequently • Avoid reusing passwords
Strong passwords • Balance difficulty of remembering with complexity • Create from first letter of title or phrase – pass phrase • Mix letter cases, add numbers and special characters • Avoid using personal information • Common substitutions include • 2 for “to” • 4 for “for” • $ for “S” • ! for “I” • Zero for “O”
Multiple passwords • Memorize • Use password management tool • Remember a single password • Some tools create complex passwords for you
Authentication factors • Something you know • Something you have • Something you are
One-factor authentication • Something you know • Windows logon dialog box • Username and password • Something you are
Two-factor authentication • Something you know PLUS something you have (e.g., a token plus a PIN) • Or something you know PLUS something you are (e.g., fingerprint, voice, or retina)
Three-factor authentication • Something you know PLUS something you have PLUS something you are • A card, a PIN, and a fingerprint
Activity A-1 Comparing one, two, and three-factor authentication
Authentication protocols • Kerberos • NTLM • LM
Activity A-2 Hashing data
Preventing impersonation • Use strong authentication • Don’t allow authentication to be bypassed • Secure stored authentication information • Encrypt all authentication sent over the network
Identity proofing • Verify user is who they say they are • KBA • Potential user provides information only they are likely to know • DBA • Uses public database • OOB • Uses channel outside of primary authentication channel
Single sign-on • User is authenticated to other resources based on strength of initial sign-on • SSL, LDAP • Windows Live ID, Microsoft Passport, OpenID
Activity A-3 Identifying the requirements of a secure authentication system
Kerberos • Current version is 5 • Provides authentication on physically insecure networks • Freely available in US and Canada • Authenticates users over open multi-platform network using single login
Kerberos system composed of • Principal • Authentication Server • Ticket-Granting Server • Key Distribution Center • Realm • Remote Ticket-Granting Server
Kerberos data types • Credentials • Session key • Authentication • Ticket • Ticket-Granting Ticket
Kerberos security weaknesses • Subject to brute force attacks • Assumes all network devices are physically secure • Compromised passwords enable easy access to attackers • Vulnerable to DoS attacks • Authenticating devices need to be loosely time-synchronized • Access to the AS allows an attacker to impersonate any authorized user • Authenticating device identifiers shouldn't be reused within a short time
Activity A-4 Examining the components of Kerberos
EAP • PPP extension • Used in wireless connections • Can use token cards, one-time passwords, certificates, biometrics • Runs over data link layers • Defines formats • LEAP • EAP-TLS • EAP-FAST
Mutual authentication • Client and server authenticate to each other • Also known as two-way authentication • Trust other computer’s digital certificate • Can block rogue services
Activity A-5 Comparing authentication systems
Topic B • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security
Cryptography • Science of encryption • Encryption = convert to unreadable format • Decryption = convert back to readable format • Algorithm = procedure for encrypting or decrypting • Cipher = encryption & decryption algorithm pair
Keys • Secret information used by cipher • Symmetric = same key for encryption and decryption • Asymmetric = differing keys for encryption and decryption • Key sharing and management issues
Public key cryptography • Two keys • What one encrypts, only the other can decrypt • One kept private • One shared (public) • Encryption process • Keys mathematically related
Public key cryptography characteristics • It is mathematically difficult to derive the private key from the public key • Data encrypted with the public key can be decrypted with only the private key • Data encrypted with the private key can be decrypted with only the public key
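An added example, not from the slides, that walks through the three characteristics above with textbook RSA on constructed toy primes (61 and 53, no padding, illustration only): what the public key encrypts only the private key undoes, what the private key encrypts only the public key undoes, and a trial-division factoring shows why "mathematically difficult" holds only for moduli far larger than this toy.

```python
from math import gcd, isqrt

def keygen(p: int, q: int, e: int = 17):
    """Build a textbook RSA key pair from two primes (toy sizes; illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)        # public key, private key

def transform(key, m: int) -> int:
    """Encrypt or decrypt: the same modular exponentiation, only the exponent differs."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)

def factor_modulus(n: int):
    """Trial division: instant for a toy modulus, infeasible for a 2048-bit one."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no factor found")

def demo():
    pub, priv = keygen(61, 53)       # n = 3233; constructed toy values
    m = 65
    c = transform(pub, m)            # confidentiality: anyone may encrypt with the public key
    assert transform(priv, c) == m   # ... only the private key recovers the plaintext
    assert transform(pub, c) != m    # the public key cannot undo its own operation
    s = transform(priv, m)           # origin: only the private key holder can produce s
    assert transform(pub, s) == m    # ... and anyone can check it with the public key
    p, q = factor_modulus(pub[0])    # deriving the private key is easy at this size
    _, recovered = keygen(p, q)
    assert recovered == priv
    return c, s
```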
Activity B-1 Exploring public key cryptography
Public key infrastructure • Certificate authority (CA) • Registration authority (RA) • Certificate server
Setup and initialization phase • Process components • Registration • Key pair generation • Certificate generation • Certificate dissemination
Administration phase • Key storage • Certificate retrieval and validation • Backup or escrow • Recovery
Cancellation and history phase • Expiration • Renewal • Revocation • Suspension • Destruction
Activity B-2 Understanding certificate life cycle and management
Topic C • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security
AAA • Authentication • Authorization • Accounting
RADIUS • Remote Authentication Dial-in User Service • Client = network access server or device (e.g., wireless router) • Server = AAA service provider
RADIUS authentication • User connects to NAS • RADIUS client requests authentication from server • User supplies logon credentials • Client encrypts and forwards to server • Server authenticates, returns message • Client receives message and acts • Accept • Reject • Challenge
Realms • Namespace • Three possibilities • Named realm • Default realm • Empty realm • Cascading permitted
RADIUS security • Unique secret key for each client-server pair • Long secret keys: minimum 16 characters, over 22 recommended • Use the HMAC-MD5 Message-Authenticator attribute • Enable authentication attempt limits • Use IPsec with ESP
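An added example (not from the slides) of the client step "Client encrypts and forwards to server" and of the Message-Authenticator check: the User-Password hiding from RFC 2865 and the HMAC-MD5 Message-Authenticator from RFC 2869, with the server-side verification a RADIUS server performs before trusting an Access-Request. Attribute types 1, 2 and 80 are the RFC values; the shared secret, Request Authenticator and attributes used in the test are constructed.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth          # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Access-Request (code 1) whose Message-Authenticator is HMAC-MD5(secret) over
    the whole packet with that attribute's value set to 16 zero octets (RFC 2869)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute zeroed; reject packets without one."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False                   # malformed attribute: fail closed
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False
```

The password hiding is reversible by anyone holding the shared secret and rests on MD5, which is why the slide pairs it with long, per-client secrets and IPsec ESP on the client-server path.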
RADIUS benefits • Improved security • Scalable architecture • Interoperability
Diameter • Successor to RADIUS • Backwards compatible • RFC 3588 • AAA services