Authenticating Users


Presentation Transcript


  1. Authenticating Users Chapter 6

  2. Learning Objectives • Understand why authentication is a critical aspect of network security • Describe why firewalls authenticate and how they identify users • Describe user, client, and session authentication • List advantages and disadvantages of popular centralized authentication systems continued

  3. Learning Objectives • Be aware of potential weaknesses of password security systems • Understand the use of password security tools • Be familiar with common authentication protocols used by firewalls

  4. The Authentication Process in General • The act of identifying users and providing network services to them based on their identity • Three forms • Basic authentication • Challenge-response authentication • Centralized authentication service (often uses two-factor authentication)

  5. How Firewalls Implement the Authentication Process • Client makes request to access a resource • Firewall intercepts the request and prompts the user for name and password • User submits information to firewall • User is authenticated • Request is checked against firewall’s rule base • If request matches existing allow rule, user is granted access • User accesses desired resources

  6. How Firewalls Implement the Authentication Process

  7. Types of Authentication with Firewalls • User authentication • Client authentication • Session authentication

  8. User Authentication • Basic authentication; user supplies username and password to access networked resources • Users who need to legitimately access your internal servers must be added to your Access Control Lists (ACLs)

  9. User Authentication

  10. Client Authentication • Same as user authentication but with additional time limit or usage limit restrictions • When configuring, set up one of two types of authentication systems • Standard sign-on system • Specific sign-on system

  11. Client Authentication

  12. Session Authentication • Required any time the client establishes a session with a server or other networked resource

  13. Comparison of Authentication Methods

  14. Centralized Authentication • Centralized server maintains all authorizations for users regardless of where user is located and how user connects to network • Most common methods • Kerberos • TACACS+ (Terminal Access Controller Access Control System) • RADIUS (Remote Authentication Dial-In User Service)

  15. Process of Centralized Authentication

  16. Kerberos Authentication • Provides authentication and encryption through standard clients and servers • Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources • Used internally on Windows 2000/XP • Advantages • Passwords are not stored on the system • Widely used in UNIX environment; enables authentication across operating systems

  17. Kerberos Authentication

  18. TACACS+ • Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems) • Provides AAA services • Authentication • Authorization • Auditing • Uses MD5 algorithm to encrypt data

  19. RADIUS • Centralized dial-in authentication service that uses UDP • Transmits authentication packets unencrypted across the network • Provides lower level of security than TACACS+ but more widely supported

  20. TACACS+ and RADIUS Compared • Strength of security • Filtering characteristics • Proxy characteristics • NAT characteristics

  21. Strength of Security

  22. Filtering Characteristics

  23. Proxy Characteristics • RADIUS: Doesn’t work with generic proxy systems, but a RADIUS server can function as a proxy server • TACACS+: Works with generic proxy systems

  24. NAT Characteristics • RADIUS • Doesn’t work with NAT • TACACS+ • Should work through NAT systems

  25. Password Security Issues • Passwords that can be cracked (accessed by an unauthorized user) • User error with passwords • Lax security habits

  26. Passwords That Can Be Cracked • Ways to crack passwords • Find a way to authenticate without knowing the password • Uncover password from system that holds it • Guess the password • To avoid the issue • Protect passwords effectively • Observe security habits

  27. User Error with Passwords • Built-in vulnerabilities • Often easy to guess • Often stored visibly • Social engineering • To avoid the issues • Choose complicated passwords • Memorize passwords • Never give passwords out to anyone

  28. Lax Security Habits • To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)

  29. Password Security Tools • One-time password software • Shadow password system

  30. One-Time Password Software • Password is generated using a secret key • Password is used only once, when the user authenticates • Different passwords are used for each authentication session • Types • Challenge-response passwords • Password list passwords
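Slides 4 and 30 both name challenge-response as an authentication form. The exchange below is an added Python example, not part of the slide deck: the server issues a random single-use challenge, the client answers with an HMAC keyed by a value derived from the shared password, so the password itself never crosses the network and a captured response cannot be replayed. The key derivation (PBKDF2-HMAC-SHA256) and the response hash (SHA-256) are choices assumed for the example; the slides do not specify them.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides turn the shared password into a fixed-length key.
    PBKDF2-HMAC-SHA256 is an assumption for this example; the slides do not
    specify a derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the key without ever sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class ChallengeResponseServer:
    """Server side: holds the derived key and the set of challenges it has
    issued but not yet seen answered."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: set[bytes] = set()

    def issue_challenge(self) -> bytes:
        # Fresh random nonce per login attempt; never reused.
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # A challenge is consumed on first use, so a replayed
        # (challenge, response) pair fails even though it was once valid.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = compute_response(self.key, challenge)
        return hmac.compare_digest(expected, response)

def login(server: ChallengeResponseServer, client_key: bytes) -> tuple[bytes, bytes, bool]:
    """One full exchange; returns (challenge, response, accepted) so the
    round trip can be inspected, or replayed to show that replay fails."""
    challenge = server.issue_challenge()
    response = compute_response(client_key, challenge)
    return challenge, response, server.check(challenge, response)
```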

  31. Shadow Password System • A feature of Linux that stores passwords in another file that has restricted access • Passwords are stored only after being encrypted by a randomly generated value and an encoding formula

  32. Other Authentication Systems • Single-password systems • One-time password systems • Certificate-based authentication • 802.1x Wi-Fi authentication

  33. Single-Password Systems • Operating system password • Internal firewall password

  34. One-Time Password Systems • Single Key (S/Key) • SecurID • Axent Pathways Defender

  35. Single Key (S/Key) Password Authentication • Uses multiple-word rather than single word passwords • User specifies single-word password and the number of times it is to be encrypted • Password is processed by a hash function n times; resulting encrypted passwords are stored on the server • Never stores original password on the server
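Slide 35 describes the S/Key idea: the password is run through a hash function n times, the server keeps only the result, and the original password is never stored there. The code below is an added Python illustration of that hash chain, not code from the slides or from the S/Key project: the client presents one link earlier in the chain at each login, the server hashes it once and compares against what it holds, then rotates. The seed, pass phrase and n are constructed values; SHA-256 stands in for the MD4 that the original S/Key specification used.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """One link of the chain. The original S/Key (RFC 1760) used MD4; SHA-256
    is used here so the example runs on any Python build (an assumption)."""
    return hashlib.sha256(data).digest()

def hash_chain(seed: bytes, count: int) -> bytes:
    """h applied count times: h^count(seed)."""
    out = seed
    for _ in range(count):
        out = h(out)
    return out

class SKeyClient:
    """Client side: keeps the pass phrase and the remaining sequence number n."""

    def __init__(self, passphrase: str, seed: bytes, n: int):
        # Seed and pass phrase are combined so the same phrase yields a
        # different chain on every server (constructed scheme, not RFC 1760's).
        self.secret = hashlib.sha256(seed + passphrase.encode()).digest()
        self.n = n

    def initial_value(self) -> bytes:
        """h^n(secret): sent to the server once at enrolment."""
        return hash_chain(self.secret, self.n)

    def next_password(self) -> bytes:
        """Each login presents one link earlier: h^(n-1), then h^(n-2), ..."""
        self.n -= 1
        return hash_chain(self.secret, self.n)

class SKeyServer:
    """Server side: stores only the last accepted link, never the pass phrase."""

    def __init__(self, initial_value: bytes, n: int):
        self.stored = initial_value
        self.n = n

    def verify(self, candidate: bytes) -> bool:
        # Hashing the presented link once must reproduce what we hold.
        if self.n <= 0 or not hmac.compare_digest(h(candidate), self.stored):
            return False
        # Rotate: the accepted link becomes the reference, so a replay of it
        # (or a link presented out of order) is rejected next time.
        self.stored = candidate
        self.n -= 1
        return True
```

Once the chain is exhausted (n reaches 0) the client must re-enrol with a fresh seed, which is why deployments pick a generous n up front.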

  36. SecurID Password Authentication • Uses two-factor authentication • Physical object • Piece of knowledge • Most frequently used one-time password solution with FireWall-1

  37. SecurID Tokens

  38. Axent Pathways Defender Password Authentication • Uses two-factor authentication and a challenge-response system

  39. Certificate-Based Authentication • FireWall-1 supports the use of digital certificates to authenticate users • Organization sets up a Public Key Infrastructure (PKI) that generates keys to users • User receives a code (public key) that is generated using the server’s private key and uses the public key to send encrypted information to the server • Server receives the public key and can decrypt the information using its private key

  40. 802.1x Wi-Fi Authentication • Supports wireless Ethernet connections • Not supported by FireWall-1 • 802.1x protocol provides for authentication of users on wireless networks • Wi-Fi uses Extensible Authentication Protocol (EAP)

  41. 802.1x Wi-Fi Authentication

  42. Chapter Summary • Overview of authentication and its importance to network security • How and why firewalls perform authentication services • Types of authentication performed by firewalls • Client • User • Session continued

  43. Chapter Summary • Centralized authentication methods that firewalls can use • Kerberos • TACACS+ • RADIUS • Password security issues and special password security tools • Authentication protocols used by full-featured enterprise-level firewalls
