1 / 81

Network access control

Network access control. Unit objectives Explain network authentication methods Explain the basic concepts behind public key infrastructure Explain the methods of remote access security Explain the methods to secure a wireless network. Topic A. Topic A: Authentication

fauna
Download Presentation

Network access control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network access control • Unit objectives • Explain network authentication methods • Explain the basic concepts behind public key infrastructure • Explain the methods of remote access security • Explain the methods to secure a wireless network

  2. Topic A • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security

  3. AAA • Authentication • Authorization • Accounting

  4. Usernames and passwords • Usernames • Unique identifier • Can be simple or complex • Passwords • Simple passwords not recommended • Complex passwords use letters, numbers, special characters • Minimum password length • Combination provides user authentication

  5. Password protection • Memorize password • Use different passwords • Use longer passwords • Use upper- and lower-case letters, numbers and special characters • Change frequently • Avoid reusing passwords

  6. Strong passwords • Balance difficulty of remembering with complexity • Create from first letter of title or phrase – pass phrase • Mix letter cases, add numbers and special characters • Avoid using personal information • Common substitutions include • 2 for “to” • 4 for “for” • $ for “S” • ! for “I” • Zero for “O”

  7. Multiple passwords • Memorize • Use password management tool • Remember a single password • Some tools create complex passwords for you

  8. Authentication factors • Something you know • Something you have • Something you are

  9. One-factor authentication • Something you know • Windows logon dialog box • Username and password • Something you are

  10. Two-factor authentication • Something you know PLUS • Something you have • Something you are • Token plus a PIN • Something you are • Fingerprint • Voice • Retina

  11. Three-factor authentication • Something you know PLUS something you have PLUS something you are • A card, a PIN, and a fingerprint

  12. Activity A-1 Comparing one, two, and three-factor authentication

  13. Authentication protocols • Kerberos • NTLM • LM

  14. Activity A-2 Hashing data

  15. Preventing impersonation • Use strong authentication • Don’t allow authentication to be bypassed • Secure stored authentication information • Encrypt all authentication sent over the network

  16. Identify proofing • Verify user is who they say they are • KBA • Potential user provides information only they are likely to know • DBA • Uses public database • OOB • Uses channel outside of primary authentication channel

  17. Single sign-on • User is authenticated to other resources based on strength of initial sign on • SSL, LDAP • Windows Live ID, Microsoft Passport, Open ID

  18. Activity A-3 Identifying the requirements of a secure authentication system

  19. Kerberos • Current version is 5 • Provides authentication on physically insecure networks • Freely available in US and Canada • Authenticates users over open multi-platform network using single login

  20. Kerberos system composed of • Principal • Authentication Server • Ticket-Granting Server • Key Distribution Center • Realm • Remote Ticket-Granting Server

  21. Kerberos data types • Credentials • Session key • Authentication • Ticket • Ticket-Granting Ticket

  22. Kerberos authentication process

  23. Kerberos security weaknesses • Subject to brute force attacks • Assumes all network devices are physically secure • Compromised passwords enable easy access to attackers • Vulnerable to DoS attacks • Authenticating devices need to be loosely synchronized • Access to AS allows attacker to impersonate any authorized user • Authenticating device identifiers shouldn’t be reused on a short-time basis

  24. Activity A-4 Examining the components of Kerberos

  25. CHAP

  26. EAP • PPP extension • Used in wireless connections • Can use token cards, one-time passwords, certificates, biometrics • Runs over data link layers • Defines formats • LEAP • EAP-TLS • EAP-FAST

  27. Mutual authentication • Client and server authenticate to each other • Also known as two-way authentication • Trust other computer’s digital certificate • Can block rogue services

  28. Activity A-5 Comparing authentication systems

  29. Topic B • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security

  30. Cryptography • Science of encryption • Encryption = convert to unreadable format • Decryption = convert back to readable format • Algorithm = procedure for encrypting or decrypting • Cipher = encryption & decryption algorithm pair

  31. ROT13 cipher

  32. Keys • Secret information used by cipher • Symmetric = same key for encryption and decryption • Asymmetric = differing keys for encryption and decryption • Key sharing and management issues

  33. Symmetric encryption in action

  34. Public key cryptography • Two keys • What one encrypts, only the other can decrypt • One kept private • One shared (public) • Encryption process • Keys mathematically related

  35. Asymmetric encryption in action

  36. Public key cryptography characteristics • It is mathematically difficult to derive the private key from the public key • Data encrypted with the public key can be decrypted with only the private key • Data encrypted with the private key can be decrypted with only the public key

  37. Activity B-1 Exploring public key cryptography

  38. Public key infrastructure • Certificate authority (CA) • Registration authority (RA) • Certificate server

  39. Setup and initialization phase • Process components • Registration • Key pair generation • Certificate generation • Certificate dissemination

  40. Administration phase • Key storage • Certificate retrieval and validation • Backup or escrow • Recovery

  41. Cancellation and history phase • Expiration • Renewal • Revocation • Suspension • Destruction

  42. Activity B-2 Understanding certificate life cycle and management

  43. Topic C • Topic A: Authentication • Topic B: Public key cryptography • Topic C: Remote access • Topic D: Wireless security

  44. AAA • Authentication • Authorization • Accounting

  45. RADIUS • Remote Authentication Dial-in User Service • Client = network access server or device (e.g., wireless router) • Server = AAA service provider

  46. RADIUS authentication • User connects to NAS • RADIUS client requests authentication from server • User supplies logon credentials • Client encrypts and forwards to server • Server authenticates, returns message • Client receives message and acts • Accept • Reject • Challenge

  47. Realms • Namespace • Three possibilities • Named realm • Default realm • Empty realm • Cascading permitted

  48. RADIUS security • Unique secret key for each client-server pair • Long secret keys: min 16, over 22 characters recommended • Use MD5-hashed Message attribute • Enable authentication attempt limits • Use IPsec with ESP

  49. RADIUS benefits • Improved security • Scalable architecture • Interoperability

  50. Diameter • Successor to RADIUS • Backwards compatible • RFC 3588 • AAA services

More Related