Authenticating Users
Chapter 6
Learning Objectives
Understand why authentication is a critical aspect of network security
Describe why firewalls authenticate and how they identify users
Describe user, client, and session authentication
List advantages and disadvantages of popular centralized authentication systems
Be aware of potential weaknesses of password security systems
Understand the use of password security tools
Be familiar with common authentication protocols used by firewalls
The Authentication Process in General
The act of identifying users and providing network services to them based on their identity
Three forms
Basic authentication
Challenge-response authentication
Centralized authentication service (often uses two-factor authentication)
How Firewalls Implement the Authentication Process
1. Client makes request to access a resource
2. Firewall intercepts the request and prompts the user for name and password
3. User submits information to firewall
4. User is authenticated
5. Request is checked against firewall's rule base
6. If request matches existing allow rule, user is granted access
7. User accesses desired resources
Types of Authentication with Firewalls
User authentication
Client authentication
Session authentication
User Authentication
Basic authentication; user supplies username and password to access networked resources
Users who need to legitimately access your internal servers must be added to your Access Control Lists (ACLs)
Client Authentication
Same as user authentication but with additional time limit or usage limit restrictions
When configuring, set up one of two types of authentication systems
Standard sign-on system
Specific sign-on system
Session Authentication
Required any time the client establishes a session with a server or other networked resource; each new session is authenticated, not just the user or the client address
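The seven-step firewall process above and the three authentication types (user, client with a time and usage limit, and per-session checks) are easier to see in working code. The following is an added example written for this page, not code from the page or from any firewall product; the user records, rule base, addresses and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
# The iteration count is an assumption for the example; production should use more.
ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash(password, salt))


USERS = {"alice": make_user("correct horse"), "bob": make_user("battery staple")}


@dataclass(frozen=True)
class Rule:
    user: str      # "*" matches any authenticated user
    dest: str
    service: str
    action: str    # "allow" or "deny"


# Constructed rule base, evaluated first-match like a real firewall's.
RULES = [
    Rule("alice", "10.0.0.5", "ssh", "allow"),
    Rule("*", "10.0.0.5", "http", "allow"),
    Rule("*", "*", "*", "deny"),          # the implicit cleanup rule, made explicit
]


class AuthFirewall:
    """User authentication (credentials), then client authentication (a grant for the
    source address with a time limit and a usage limit), then a per-session rule-base check."""

    def __init__(self, rules):
        self.rules = rules
        self.grants = {}   # src_ip -> {"user", "expires", "uses_left"}

    def authenticate_user(self, username: str, password: str) -> bool:
        rec = USERS.get(username)
        if rec is None:
            # Hash anyway so an unknown user costs as much time as a wrong password.
            _hash(password, b"\x00" * 16)
            return False
        salt, stored = rec
        return hmac.compare_digest(_hash(password, salt), stored)

    def client_login(self, src_ip, username, password, now, ttl_seconds, max_sessions) -> bool:
        """Steps 2-4: check the submitted credentials; on success record a grant for src_ip."""
        if not self.authenticate_user(username, password):
            return False
        self.grants[src_ip] = {"user": username, "expires": now + ttl_seconds,
                               "uses_left": max_sessions}
        return True

    def open_session(self, src_ip, dest, service, now) -> bool:
        """Steps 5-7: every new session is checked against the grant and then the rule base."""
        g = self.grants.get(src_ip)
        if g is None or now >= g["expires"] or g["uses_left"] <= 0:
            self.grants.pop(src_ip, None)      # expired or exhausted grants are dropped
            return False
        for r in self.rules:
            if r.user in ("*", g["user"]) and r.dest in ("*", dest) and r.service in ("*", service):
                if r.action == "allow":
                    g["uses_left"] -= 1        # usage limit counts allowed sessions only
                    return True
                return False
        return False  # no rule matched: default deny


if __name__ == "__main__":
    fw = AuthFirewall(RULES)
    print(fw.client_login("192.0.2.10", "alice", "correct horse", now=0, ttl_seconds=600, max_sessions=2))
    print(fw.open_session("192.0.2.10", "10.0.0.5", "ssh", now=1))
```

Note that the rule base still applies after authentication: an authenticated user whose request matches no allow rule is denied, and the grant is tied to the source address, which is why client authentication is weaker on shared or NAT'd addresses than per-session authentication.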
Comparison of Authentication Methods
Centralized Authentication
Centralized server maintains all authorizations for users regardless of where user is located and how user connects to network
Most common methods
Kerberos
TACACS+ (Terminal Access Controller Access Control System)
RADIUS (Remote Authentication Dial-In User Service)
Process of Centralized Authentication
Kerberos Authentication
Provides authentication, and session keys for encryption, between standard clients and servers
Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources
Used internally on Windows 2000/XP
Advantages
Passwords are never sent across the network and are not stored on application servers; the client proves knowledge of a key derived from the password, and only the KDC holds long-term keys
Widely used in UNIX environment; enables authentication across operating systems
TACACS+
Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems)
Provides AAA services: Authentication, Authorization, Accounting
Runs over TCP (port 49) and obfuscates the entire packet body by XORing it with a keystream derived from MD5 hashes of the shared key; this is obfuscation, not modern encryption, so the shared key must be protected and the link trusted or tunneled
RADIUS
Centralized dial-in authentication service that uses UDP (port 1812, or 1645 on older deployments)
Only the User-Password attribute is hidden (XORed with an MD5 hash of the shared secret and the request authenticator); user names, NAS addresses and all other attributes cross the network in cleartext
Provides lower level of security than TACACS+ but more widely supported
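The difference in what the two protocols hide on the wire is the heart of the "strength of security" comparison, so here is both mechanisms side by side: the TACACS+ body obfuscation from RFC 8907 section 4.5 and the RADIUS User-Password hiding from RFC 2865 section 5.2. This is an added example, not code from the page or from any TACACS+ or RADIUS implementation; the session id, shared secrets, request authenticator and packet contents are constructed test values.

```python
import hashlib
import struct

# ---- TACACS+ (RFC 8907, section 4.5): the whole body is XORed with an MD5 keystream ----
def tacacs_keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no); MD5_n = MD5(same || MD5_{n-1})."""
    hdr = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    stream, prev = b"", b""
    while len(stream) < length:
        prev = hashlib.md5(hdr + prev).digest()
        stream += prev
    return stream[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR is its own inverse, so the same call de-obfuscates a received body."""
    ks = tacacs_keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


# ---- RADIUS (RFC 2865, section 5.2): only the User-Password attribute is hidden ----
def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to a 16-octet multiple
    out, prev = b"", req_auth                              # b1 = MD5(S + RA), bn = MD5(S + c(n-1))
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the server (or anyone on the path who knows the shared secret) computes."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip padding; passwords ending in NUL are not representable


def radius_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value          # type, length (incl. header), value


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, req_auth: bytes) -> bytes:
    """Code 1 (Access-Request), id, length, 16-byte Request Authenticator, then attributes.
    User-Name (type 1) goes in the clear; User-Password (type 2) is the hidden form."""
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + req_auth + attrs


if __name__ == "__main__":
    ra = bytes(range(16))                                   # constructed, not random, for the demo
    pkt = radius_access_request(7, b"alice", b"hunter2", b"s3cret", ra)
    print("user name visible:", b"alice" in pkt, "| password visible:", b"hunter2" in pkt)
    body = b"\x01\x00\x01\x01\x00\x00\x00\x00alice"        # constructed authentication START body
    print("TACACS+ body hidden:", b"alice" not in tacacs_obfuscate(body, 0xDEADBEEF, b"s3cret", 0xC0, 1))
```

Both schemes are keyed XOR with an MD5-derived pad, not authenticated encryption: possession of the shared secret lets an on-path observer recover everything, and in the RADIUS case the rest of the packet needs no secret at all. That is why both are normally confined to a management network or wrapped in IPsec or TLS.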
TACACS+ and RADIUS Compared
Strength of security
Filtering characteristics
Proxy characteristics
NAT characteristics
Strength of Security
Filtering Characteristics
Proxy Characteristics
RADIUS: doesn't work with generic proxy systems, but a RADIUS server can itself act as a proxy, forwarding requests to another RADIUS server
TACACS+: works with generic proxy systems
NAT Characteristics
RADIUS: doesn't work well through NAT, because the server identifies each client (NAS) by its source IP address and looks up the shared secret by that address
TACACS+: should work through NAT systems
Password Security Issues
Passwords that can be cracked (accessed by an unauthorized user)
User error with passwords
Lax security habits
Passwords That Can Be Cracked
Ways to crack passwords
Find a way to authenticate without knowing the password
Uncover password from system that holds it
Guess the password
To avoid the issue
Protect passwords effectively
Observe security habits
User Error with Passwords
Built-in vulnerabilities
Often easy to guess
Often stored visibly
Social engineering
To avoid the issues
Choose complicated passwords
Memorize passwords
Never give passwords out to anyone
Lax Security Habits
To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)
Password Security Tools
One-time password software
Shadow password system
One-Time Password Software
Password is generated using a secret key
Password is used only once, when the user authenticates
Different passwords are used for each authentication session
Types
Challenge-response passwords
Password list passwords
Shadow Password System
A feature of Linux (and other UNIX systems) that moves password hashes out of the world-readable /etc/passwd into /etc/shadow, which only root can read
Passwords are never stored in clear: each is combined with a randomly generated salt and run through a one-way hash function, and only the salt and the resulting hash are kept
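To make the salt-plus-hash point concrete, the following added example (written for this page, not taken from any Linux shadow implementation) builds and verifies shadow-style entries. The entry format, the PBKDF2-SHA256 choice and the iteration counts are assumptions modelled loosely on the "$id$salt$hash" shape of real shadow fields; real systems use crypt(3) schemes such as sha512crypt or yescrypt.

```python
import base64
import hashlib
import hmac
import os
import stat

# Example storage format (an assumption for this example):
#   name:$pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>
ALGO = "pbkdf2-sha256"


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def make_shadow_entry(username: str, password: str, iterations: int = 600_000) -> str:
    """Fresh random salt per account, so equal passwords give different stored hashes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:${ALGO}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_shadow_entry(entry: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _username, field = entry.split(":", 1)
    _, algo, iters, salt, stored = field.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), _unb64(salt), int(iters))
    return hmac.compare_digest(dk, _unb64(stored))


def unsalted_digest(password: str) -> str:
    """What an unsalted scheme would store: identical for identical passwords,
    so one precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def shadow_mode_ok(mode: int) -> bool:
    """The other half of the shadow design: the file must not be group- or world-readable."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def shadow_file_ok(path: str) -> bool:
    return shadow_mode_ok(os.stat(path).st_mode)


if __name__ == "__main__":
    e1 = make_shadow_entry("alice", "Tr0ub4dor&3", iterations=20_000)
    e2 = make_shadow_entry("bob", "Tr0ub4dor&3", iterations=20_000)
    print(e1)
    print(e2)
    print("same password, same unsalted digest:", unsalted_digest("Tr0ub4dor&3") == unsalted_digest("Tr0ub4dor&3"))
    print("verify:", verify_shadow_entry(e1, "Tr0ub4dor&3"), verify_shadow_entry(e1, "wrong"))
```

The iteration count is stored in the entry so it can be raised over time without invalidating old accounts; the constant-time comparison avoids leaking how many leading bytes of a guess matched.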
Other Authentication Systems
Single-password systems
One-time password systems
Certificate-based authentication
802.1x Wi-Fi authentication
Single-Password Systems
Operating system password
Internal firewall password
One-Time Password Systems
Single Key (S/Key)
SecurID
Axent Pathways Defender
Single Key (S/Key) Password Authentication
One-time passwords are presented as several short words rather than a single word
User specifies a secret pass-phrase and the number of times (n) it is to be hashed
The secret is processed by a one-way hash function n times; only the final value is stored on the server
To log in, the user presents the value hashed n-1 times; the server hashes it once more, compares with the stored value, then stores the presented value and decrements n, so a captured password cannot be replayed
Never stores original password on the server
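The hash chain described above is simple enough to implement end to end. The following is an added example written for this page, not S/Key's own code: it uses SHA-256 and raw bytes instead of S/Key's folded MD4 and six-word encoding (an assumption made to keep the example short), and the secret, seed and chain length are constructed values.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def otp(secret: bytes, seed: bytes, k: int) -> bytes:
    """k-th chain element: H applied k times to secret||seed (k=0 is the raw secret, never sent)."""
    x = secret + seed
    for _ in range(k):
        x = H(x)
    return x


class SKeyServer:
    """Holds only the current chain head H^n(secret||seed); it never learns the secret."""

    def __init__(self, seed: bytes, n: int, head: bytes):
        self.seed, self.n, self.head = seed, n, head

    def challenge(self):
        """What the login prompt shows, e.g. 's/key 98 se3d': the position to present."""
        return self.n - 1, self.seed

    def login(self, candidate: bytes) -> bool:
        if self.n <= 1:
            return False   # chain exhausted: the next value would be the raw secret; re-enroll
        if not hmac.compare_digest(H(candidate), self.head):
            return False
        self.head, self.n = candidate, self.n - 1   # advance; the old head is now useless
        return True


class SKeyClient:
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, k: int, seed: bytes) -> bytes:
        return otp(self.secret, seed, k)


def enroll(secret: bytes, seed: bytes, n: int) -> SKeyServer:
    """Enrollment is the only time the secret is used on the user's side to seed the server."""
    return SKeyServer(seed, n, otp(secret, seed, n))


if __name__ == "__main__":
    server = enroll(b"pa55word", b"se3d", 5)
    client = SKeyClient(b"pa55word")
    while True:
        k, seed = server.challenge()
        p = client.respond(k, seed)
        print(f"present element {k}: accepted={server.login(p)}")
        if k == 0:
            break
```

An eavesdropper who captures the value at position k can only hash forward (to values the server already discarded), never backward to position k-1, which is what makes each password usable once.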
SecurID Password Authentication
Uses two-factor authentication
Physical object (the token)
Piece of knowledge (the PIN)
Most frequently used one-time password solution with FireWall-1
SecurID Tokens
Axent Pathways Defender Password Authentication
Uses two-factor authentication and a challenge-response system
Certificate-Based Authentication
FireWall-1 supports the use of digital certificates to authenticate users
Organization sets up a Public Key Infrastructure (PKI): a certificate authority (CA) issues each user a certificate that binds the user's public key to the user's identity and is signed with the CA's private key
To authenticate, the user presents the certificate and proves possession of the matching private key, for example by signing a challenge from the firewall
The firewall verifies the CA's signature on the certificate, checks that it has not expired or been revoked, and verifies the signed challenge with the user's public key
802.1x Wi-Fi Authentication
Supports wireless Ethernet connections
Not supported by FireWall-1
802.1x protocol provides for authentication of users on wireless networks
802.1x uses the Extensible Authentication Protocol (EAP) to carry the authentication exchange between the client and a back-end authentication server (typically RADIUS)
Chapter Summary
Overview of authentication and its importance to network security
How and why firewalls perform authentication services
Types of authentication performed by firewalls
Client
User
Session
Centralized authentication methods that firewalls can use
Kerberos
TACACS+
RADIUS
Password security issues and special password security tools
Authentication protocols used by full-featured enterprise-level firewalls