authenticating users

Post on 06-Jan-2016


DESCRIPTION

Authenticating Users. Chapter 6. Learning Objectives: understand why authentication is a critical aspect of network security; describe why firewalls authenticate and how they identify users; describe user, client, and session authentication. PowerPoint PPT presentation.

TRANSCRIPT

Authenticating Users

Chapter 6

Learning Objectives

Understand why authentication is a critical aspect of network security

Describe why firewalls authenticate and how they identify users

Describe user, client, and session authentication

List advantages and disadvantages of popular centralized authentication systems

continued

Learning Objectives

Be aware of potential weaknesses of password security systems

Understand the use of password security tools

Be familiar with common authentication protocols used by firewalls

The Authentication Process in General

The act of verifying the identity of users and providing network services to them based on that verified identity

Three forms:
- Basic authentication (a static username and password)
- Challenge-response authentication
- Centralized authentication service (often combined with two-factor authentication)

How Firewalls Implement the Authentication Process

1. Client makes a request to access a resource
2. Firewall intercepts the request and prompts the user for a name and password
3. User submits the information to the firewall
4. User is authenticated
5. Request is checked against the firewall's rule base
6. If the request matches an existing allow rule, the user is granted access
7. User accesses the desired resources


Types of Authentication with Firewalls

User authentication

Client authentication

Session authentication

User Authentication

Basic authentication; user supplies username and password to access networked resources

Users who need to legitimately access your internal servers must be added to your Access Control Lists (ACLs)


Client Authentication

Same as user authentication, but with an additional time limit or usage limit on how long (or how many times) the authenticated client may use the network

When configuring, set up one of two types of sign-on system:
- Standard sign-on system
- Specific sign-on system


Session Authentication

Required any time the client establishes a session with a server or other networked resource, so each new connection is authenticated, not just the user once
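The seven-step firewall authentication flow above, together with the user/client/session distinctions, as one small simulation. This is an added example, not code from the original slides or from any firewall product: the credential store, the two accounts, the rule base and the IP addresses are all constructed for illustration. User authentication is the salted-hash password check; client authentication binds a successful login to a client address with a time limit and a usage limit; session authentication charges each allowed connection against that limit. Rules are evaluated top to bottom with first match winning and an explicit default deny.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed credential store: username -> (salt, PBKDF2-SHA256 digest).
# Hypothetical accounts; passwords are kept only as salted one-way hashes.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(password: str):
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)

USERS = {"alice": make_user("correct horse"), "bob": make_user("hunter2")}

# Constructed rule base, evaluated top to bottom, first match wins (step 5).
# Each rule: (user or "*" for any authenticated user, destination host, destination port, action).
RULES = [
    ("alice", "10.0.0.5", 22, "allow"),
    ("*", "10.0.0.7", 443, "allow"),
    ("*", "*", "*", "deny"),  # explicit default deny at the bottom
]

@dataclass
class ClientAuth:
    """Client authentication state: the user stays authenticated until a time
    limit passes or a usage limit (number of sessions) is used up."""
    user: str
    expires_at: float
    sessions_left: int

class Firewall:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be exercised deterministically
        self.clients = {}    # client IP -> ClientAuth

    def authenticate(self, user: str, password: str) -> bool:
        """Steps 2-4: verify the submitted name and password (user authentication)."""
        rec = USERS.get(user)
        if rec is None:
            _derive(password, b"\x00" * 16)  # same cost for unknown users: no timing hint
            return False
        salt, digest = rec
        return hmac.compare_digest(_derive(password, salt), digest)

    def client_login(self, ip: str, user: str, password: str,
                     ttl: float = 3600, max_sessions: int = 5) -> bool:
        """Client authentication: a successful login is bound to the client IP with limits."""
        if not self.authenticate(user, password):
            return False
        self.clients[ip] = ClientAuth(user, self.clock() + ttl, max_sessions)
        return True

    def _rule_decision(self, user: str, host: str, port) -> str:
        for r_user, r_host, r_port, action in RULES:
            if r_user in ("*", user) and r_host in ("*", host) and r_port in ("*", port):
                return action
        return "deny"  # nothing matched: implicit default deny

    def request(self, ip: str, host: str, port: int) -> str:
        """Steps 1 and 5-7: a client asks to open a session to host:port (session authentication)."""
        ca = self.clients.get(ip)
        if ca is None:
            return "deny: not authenticated"
        if self.clock() > ca.expires_at:
            del self.clients[ip]
            return "deny: authentication expired"
        if ca.sessions_left <= 0:
            return "deny: session limit reached"
        decision = self._rule_decision(ca.user, host, port)
        if decision == "allow":
            ca.sessions_left -= 1  # each authenticated session consumes one use
        return decision
```

The point to notice is that authentication and authorization are separate steps: bob authenticates successfully but is still denied alice's host by the rule base, and an authenticated client is still refused once its time or session budget is exhausted.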

Comparison of Authentication Methods

Centralized Authentication

A centralized server maintains all authorizations for users, regardless of where a user is located or how the user connects to the network

Most common methods:
- Kerberos
- TACACS+ (Terminal Access Controller Access Control System Plus)
- RADIUS (Remote Authentication Dial-In User Service)

Process of Centralized Authentication

Kerberos Authentication

Provides authentication (and session keys for encrypting traffic) between standard clients and servers

Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources

The native domain authentication protocol of Windows 2000/XP

Advantages:
- Passwords are never sent across the network; the KDC holds only keys derived from them
- Widely used in UNIX environments; enables authentication across operating systems


TACACS+

The latest and strongest of a family of Cisco Systems authentication protocols (TACACS, XTACACS, TACACS+) originally built for dial-up access; runs over TCP port 49

Provides AAA services:
- Authentication
- Authorization
- Accounting

Obfuscates the entire packet body by XORing it with an MD5-derived keystream computed from the shared key; RFC 8907 calls this obfuscation rather than encryption, since anyone who knows (or recovers) the shared key can undo it

RADIUS

Centralized dial-in authentication and accounting service that uses UDP (ports 1812 and 1813)

Only the User-Password attribute is hidden (XORed with an MD5 of the shared secret); the rest of the packet, including the username, crosses the network in the clear

Provides a lower level of security than TACACS+ but is far more widely supported

TACACS+ and RADIUS Compared

Strength of security

Filtering characteristics

Proxy characteristics

NAT characteristics

Strength of Security

Filtering Characteristics

Proxy Characteristics

RADIUS: doesn't work through generic proxy systems, but a RADIUS server can itself act as a proxy, forwarding requests for other realms to another RADIUS server

TACACS+: works with generic proxy systems

NAT Characteristics

RADIUS: problematic behind NAT, because the server identifies each client (NAS) by its source IP address and selects the shared secret from it, and NAT rewrites that address

TACACS+: should work through NAT systems

Password Security Issues

Passwords that can be cracked (recovered or guessed by an unauthorized user)

User error with passwords

Lax security habits

Passwords That Can Be Cracked

Ways to crack passwords:
- Find a way to authenticate without knowing the password
- Uncover the password from the system that holds it
- Guess the password

To avoid the issue:
- Protect passwords effectively
- Observe good security habits

User Error with Passwords

Built-in vulnerabilities:
- Often easy to guess
- Often stored visibly
- Social engineering

To avoid the issues:
- Choose complicated passwords
- Memorize passwords
- Never give passwords out to anyone

Lax Security Habits

To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)

Password Security Tools

One-time password software

Shadow password system

One-Time Password Software

Password is generated using a secret key

Password is used only once, when the user authenticates

A different password is used for each authentication session

Types:
- Challenge-response passwords
- Password-list passwords

Shadow Password System

A feature of Linux and other UNIX-like systems that moves password hashes out of the world-readable /etc/passwd into a separate file (/etc/shadow) that only root can read

Passwords are never stored in the clear: each is combined with a randomly generated salt and run through a one-way hash function, so two users with the same password get different stored values and precomputed tables are useless

Other Authentication Systems

Single-password systems

One-time password systems

Certificate-based authentication

802.1x Wi-Fi authentication

Single-Password Systems

Operating system password

Internal firewall password

One-Time Password Systems

S/Key

SecurID

Axent Pathways Defender

S/Key Password Authentication

Bellcore's one-time password system (RFC 1760); each one-time password is presented as a sequence of short words rather than a single word

The user specifies a secret passphrase and the number of times (n) it is to be hashed

The passphrase (with a seed) is processed by a one-way hash function n times; the server stores only the final result and the count

To log in, the client supplies the (n-1)th hash; the server hashes it once, compares with the stored value, then stores the new value and decrements the count, so a captured password cannot be replayed

Never stores the original passphrase on the server
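A working hash chain of the kind the S/Key slide describes, plus the challenge-response variety from the one-time password slide for contrast. This is an added example, not the slides' own code or an implementation of RFC 1760: real S/Key uses MD4 folded to 64 bits and a six-word encoding, while this example substitutes SHA-256 and raw digests (an assumption made for brevity). The seed, passphrase, chain length and token key are constructed values; `SKeyServer`, `SKeyClient` and `challenge_response_otp` are hypothetical names.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for S/Key's folded MD4.
    return hashlib.sha256(data).digest()

def skey_chain(seed: bytes, passphrase: bytes, n: int) -> list:
    """Return [H^0, H^1, ..., H^n] with H^0 = H(seed || passphrase) and H^k = H(H^(k-1)).
    The client can recompute any element from the passphrase; the server gets only H^n."""
    chain = [_h(seed + passphrase)]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain

class SKeyServer:
    """Per user it keeps the seed, the remaining count n and H^n. Never the passphrase."""
    def __init__(self):
        self.users = {}

    def enroll(self, user: str, seed: bytes, last_hash: bytes, n: int) -> None:
        self.users[user] = {"seed": seed, "n": n, "last": last_hash}

    def challenge(self, user: str):
        """Tell the client which chain element to send next: (n-1, seed)."""
        rec = self.users[user]
        return rec["n"] - 1, rec["seed"]

    def login(self, user: str, otp: bytes) -> bool:
        rec = self.users[user]
        if rec["n"] <= 0:
            return False  # chain exhausted: the user must re-enroll with a new chain
        if not hmac.compare_digest(_h(otp), rec["last"]):
            return False
        rec["n"] -= 1      # step down the chain; the value just used is now the new
        rec["last"] = otp  # reference, so replaying it fails (H(otp) != otp)
        return True

class SKeyClient:
    def __init__(self, passphrase: bytes):
        self.passphrase = passphrase

    def respond(self, seed: bytes, i: int) -> bytes:
        """Compute H^i from the passphrase; a real client would do this offline."""
        return skey_chain(seed, self.passphrase, i)[-1]

def challenge_response_otp(shared_key: bytes, challenge: bytes) -> bytes:
    """The other OTP type on the slide: the server sends a fresh random challenge and
    the token answers HMAC(key, challenge). A sniffed answer is useless for the next
    login because the challenge changes. Truncated to 6 bytes as a token would display."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()[:6]
```

Usage follows the slide's description: enrol with `chain[n]`, answer each `challenge()` with the requested element, and watch a replayed element be rejected.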

SecurID Password Authentication

Uses two-factor authentication:
- A physical object (the token)
- A piece of knowledge (the PIN)

The most frequently used one-time password solution with FireWall-1

SecurID Tokens

Axent Pathways Defender Password Authentication

Uses two-factor authentication and a challenge-response system

Certificate-Based Authentication

FireWall-1 supports the use of digital certificates to authenticate users

The organization sets up a Public Key Infrastructure (PKI): a Certificate Authority (CA) issues each user a certificate that binds the user's public key to the user's identity and is signed with the CA's private key

To authenticate, the user proves possession of the private key matching the certificate, typically by signing a challenge from the firewall (or completing a TLS/IKE handshake that does the same thing)

The firewall verifies the signature with the public key in the certificate, and checks that the certificate chains to a CA it trusts, has not expired, and has not been revoked

802.1x Wi-Fi Authentication

Port-based network access control for wired and wireless Ethernet connections

Not supported by FireWall-1

The 802.1x protocol provides for authentication of users before they get network access on wireless networks

Wi-Fi uses the Extensible Authentication Protocol (EAP), carried over the LAN (EAPOL) between the client and the access point and usually relayed by the access point to a RADIUS server


Chapter Summary

Overview of authentication and its importance to network security

How and why firewalls perform authentication services

Types of authentication performed by firewalls:
- Client
- User
- Session

continued

Chapter Summary

Centralized authentication methods that firewalls can use:
- Kerberos
- TACACS+
- RADIUS

Password security issues and special password security tools

Authentication protocols used by full-featured enterprise-level firewalls
