Network access control • Unit objectives • Explain network authentication methods • Explain the basic concepts behind public key infrastructure • Explain the methods of remote access security • Explain the methods to secure a wireless network
Topic A • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security
AAA • Authentication • Authorization • Accounting
Usernames and passwords • Usernames • Unique identifier • Can be simple or complex • Passwords • Simple passwords not recommended • Complex passwords use letters, numbers, special characters • Minimum password length • Combination provides user authentication
Password protection • Memorize password • Use different passwords • Use longer passwords • Use upper- and lower-case letters, numbers and special characters • Change frequently • Avoid reusing passwords
Strong passwords • Balance difficulty of remembering with complexity • Create from first letter of title or phrase – pass phrase • Mix letter cases, add numbers and special characters • Avoid using personal information • Common substitutions include • 2 for “to” • 4 for “for” • $ for “S” • ! for “I” • Zero for “O”
Multiple passwords • Memorize • Use password management tool • Remember a single password • Some tools create complex passwords for you
Authentication factors • Something you know • Something you have • Something you are
One-factor authentication • Something you know • Windows logon dialog box • Username and password • Something you are
Two-factor authentication • Something you know PLUS one of: • Something you have (e.g., a token plus a PIN) • Something you are (e.g., fingerprint, voice, retina)
Three-factor authentication • Something you know PLUS something you have PLUS something you are • A card, a PIN, and a fingerprint
Activity A-1 Comparing one, two, and three-factor authentication
Authentication protocols • Kerberos • NTLM • LM
Activity A-2 Hashing data
Preventing impersonation • Use strong authentication • Don’t allow authentication to be bypassed • Secure stored authentication information • Encrypt all authentication sent over the network
Identity proofing • Verify that the user is who they say they are • KBA (knowledge-based authentication) • Potential user provides information only they are likely to know • DBA • Uses a public database • OOB (out-of-band) • Uses a channel outside of the primary authentication channel
Single sign-on • User is authenticated to other resources based on the strength of the initial sign-on • SSL, LDAP • Windows Live ID, Microsoft Passport, OpenID
Activity A-3 Identifying the requirements of a secure authentication system
Kerberos • Current version is 5 • Provides authentication on physically insecure networks • Freely available in US and Canada • Authenticates users over open multi-platform network using single login
Kerberos system composed of • Principal • Authentication Server • Ticket-Granting Server • Key Distribution Center • Realm • Remote Ticket-Granting Server
Kerberos data types • Credentials • Session key • Authentication • Ticket • Ticket-Granting Ticket
Kerberos security weaknesses • Subject to brute force attacks • Assumes all network devices are physically secure • Compromised passwords enable easy access for attackers • Vulnerable to DoS attacks • Clocks of authenticating devices need to be loosely synchronized • Access to the AS allows an attacker to impersonate any authorized user • Authenticating device identifiers shouldn’t be reused on a short-time basis
Activity A-4 Examining the components of Kerberos
EAP • PPP extension • Used in wireless connections • Can use token cards, one-time passwords, certificates, biometrics • Runs over data link layers • Defines formats • LEAP • EAP-TLS • EAP-FAST
Mutual authentication • Client and server authenticate to each other • Also known as two-way authentication • Trust other computer’s digital certificate • Can block rogue services
Activity A-5 Comparing authentication systems
Topic B • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security
Cryptography • Science of encryption • Encryption = convert to unreadable format • Decryption = convert back to readable format • Algorithm = procedure for encrypting or decrypting • Cipher = encryption & decryption algorithm pair
Keys • Secret information used by cipher • Symmetric = same key for encryption and decryption • Asymmetric = differing keys for encryption and decryption • Key sharing and management issues
Public key cryptography • Two keys • What one encrypts, only the other can decrypt • One kept private • One shared (public) • Encryption process • Keys mathematically related
Public key cryptography characteristics • It is mathematically difficult to derive the private key from the public key • Data encrypted with the public key can be decrypted with only the private key • Data encrypted with the private key can be decrypted with only the public key
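A worked illustration of the three characteristics above, added here as example code (not part of the course material): a toy RSA key pair built from two small primes, the same modular exponentiation used in both directions, and a "derive the private key from the public key" routine that only succeeds because the modulus is tiny. Prime values and the message are constructed for the demonstration.

```python
from math import gcd


def keygen(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], tuple[int, int]]:
    """Build an RSA key pair from two primes. Returns (public, private), each as (exponent, modulus).
    The two keys are mathematically related through phi = (p-1)(q-1), which only the key owner knows."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse: e * d == 1 (mod phi)
    return (e, n), (d, n)


def apply_key(m: int, key: tuple[int, int]) -> int:
    """One operation serves both directions: encrypt with the public key and decrypt with the private
    key, or 'sign' with the private key and recover with the public key. Only the matching key undoes it."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exponent, n)


def recover_private_key(public: tuple[int, int]) -> tuple[int, int]:
    """Derive the private key from the public key by factoring n with trial division.
    This works here only because the constructed modulus is tiny; for real key sizes (2048-bit and
    above) no known method finishes in practical time, which is what makes the scheme usable."""
    e, n = public
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)


if __name__ == "__main__":
    pub, priv = keygen(61, 53, e=17)          # constructed toy primes: n = 3233
    ciphertext = apply_key(65, pub)            # encrypt with the public key
    print(ciphertext, apply_key(ciphertext, priv))       # 2790 65
    signature = apply_key(65, priv)            # encrypt with the private key
    print(apply_key(signature, pub))           # 65: only the public key reverses it
    print(recover_private_key(pub) == priv)    # True for this toy modulus
```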
Activity B-1 Exploring public key cryptography
Public key infrastructure • Certificate authority (CA) • Registration authority (RA) • Certificate server
Setup and initialization phase • Process components • Registration • Key pair generation • Certificate generation • Certificate dissemination
Administration phase • Key storage • Certificate retrieval and validation • Backup or escrow • Recovery
Cancellation and history phase • Expiration • Renewal • Revocation • Suspension • Destruction
Activity B-2 Understanding certificate life cycle and management
Topic C • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security
AAA • Authentication • Authorization • Accounting
RADIUS • Remote Authentication Dial-in User Service • Client = network access server or device (e.g., wireless router) • Server = AAA service provider
RADIUS authentication • User connects to NAS • RADIUS client requests authentication from server • User supplies logon credentials • Client encrypts and forwards to server • Server authenticates, returns message • Client receives message and acts • Accept • Reject • Challenge
Realms • Namespace • Three possibilities • Named realm • Default realm • Empty realm • Cascading permitted
RADIUS security • Unique shared secret for each client-server pair • Long shared secrets: minimum 16 characters, more than 22 recommended • Use the Message-Authenticator attribute (HMAC-MD5 over the packet) • Enable authentication attempt limits • Use IPsec with ESP
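The "client encrypts and forwards" step of the RADIUS authentication flow and the Message-Authenticator recommendation above, as added example code (not from the course): the RFC 2865 User-Password hiding that a NAS applies with the shared secret, and the RFC 2869 Message-Authenticator HMAC that a server verifies over the whole Access-Request. Shared secret, Request Authenticator and credentials are constructed values; the password hiding is keyed obfuscation rather than strong encryption, which is why the slide also calls for IPsec.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 1, 2, 80  # RFC 2865/2869

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), seeded by the 16-byte Request Authenticator. Keyed obfuscation, not real encryption."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte counts its own two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, secret: bytes, authenticator: bytes, username: bytes, password: bytes) -> bytes:
    """Client side: hide the password, then sign the packet with Message-Authenticator (RFC 2869 5.14)."""
    body = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    zeroed = body + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # HMAC is computed with the MAC field zeroed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute HMAC-MD5 with the field zeroed, compare in constant time; no attribute = reject."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())
        pos += length
    return False
```

Any change to a signed packet, a stripped Message-Authenticator, or a wrong shared secret makes verification fail, which is the check that stops spoofed Access-Requests from a host that does not hold the secret.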
RADIUS benefits • Improved security • Scalable architecture • Interoperability
Diameter • Successor to RADIUS • Backwards compatible • RFC 3588 • AAA services