Access Control Authentication and Public Key Infrastructure Lesson

Access Control, Authentication, and Public Key Infrastructure
Lesson 12: Access Control Solutions for Remote Workers
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Remote Access Methods
§ RADIUS
§ RAS
§ TACACS+
§ VPN

Identification, Authentication, and Authorization (IAA)
§ Identification
• The process of uniquely distinguishing an individual (a claimed identity, such as a user name)
§ Authentication
• The process of verifying that users are who they say they are
§ Authorization
• Determining which actions are allowed or not allowed for an authenticated user or system

Access Protocols to Minimize Risk
§ Authentication, Authorization, and Accounting (AAA)
§ Remote Authentication Dial In User Service (RADIUS)
§ Remote Access Server (RAS)
§ Terminal Access Controller Access Control System (TACACS), Extended TACACS (XTACACS), and TACACS+

Authentication, Authorization, and Accounting (AAA)
§ Network services that provide security through:
• A framework of access controls and policies
• Enforcement of those policies at the point where a user connects
• Accounting records of who connected, when, from where, and for how long (used for billing, auditing, and incident investigation)
§ A framework that multiple protocols are built on
• Example: RADIUS implements all three AAA components, but it handles authentication and authorization together in a single Access-Request/Access-Accept exchange and accounting separately, through its own Accounting-Request messages

Remote Authentication Dial In User Service (RADIUS)
§ A client/server protocol that provides authentication and authorization for remote users
• Also provides accounting capabilities, through separate Accounting-Request/Accounting-Response messages
§ A network protocol providing communication between a network access server (NAS), which is the RADIUS client, and an authentication server
§ Runs over UDP (port 1812 for authentication, 1813 for accounting; legacy deployments used 1645/1646); the NAS and the server share a secret that keys the User-Password hiding and the authenticator on every reply

RADIUS Infrastructure (figure)

Remote Access Server (RAS)
§ Provides authentication for remote access in Internet and dial-up scenarios
§ Process:
1. User connects to the RAS
2. Credentials are compared against a database
3. If the credentials match, authentication has occurred, and the user is granted access to the network

TACACS+
§ Originally a Cisco-proprietary protocol, later documented in RFC 8907, developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers
§ Utilizes TCP (port 49), giving reliable delivery
§ Is an extension of TACACS but differs by:
• Separating authentication, authorization, and accounting into independent exchanges, so per-command authorization on a device can be performed without re-authenticating
• Obfuscating the entire packet body with an MD5-derived pad keyed by the shared secret (the 12-byte header stays in cleartext); this is not strong encryption, so TACACS+ traffic should still be confined to a management network or carried inside IPsec or TLS

RADIUS vs. TACACS+

Attribute           | RADIUS                                                                                       | TACACS+
Transport protocol  | User Datagram Protocol (UDP)                                                                 | Transmission Control Protocol (TCP)
Encryption          | Obfuscates only the User-Password attribute (MD5 keyed by the shared secret); user name and all other attributes travel in cleartext | Obfuscates the entire packet body (MD5-derived pad keyed by the shared secret); only the header is cleartext
AAA                 | Not considered a pure AAA architecture: authentication and authorization are combined in one exchange | Pure AAA: authentication, authorization, and accounting are separate exchanges

Both protocols rely on an MD5-based construction keyed by a static shared secret rather than on authenticated encryption, so a weak or reused secret exposes either one. RADIUS over TLS (RadSec, RFC 6614) or an IPsec tunnel between NAS and server is the usual mitigation.
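The following is an added example, not code from the slide deck or from any vendor: it implements the RADIUS User-Password hiding and Response Authenticator from RFC 2865 and the TACACS+ body obfuscation from RFC 8907, then shows what a passive observer without the shared secret can read from each packet. The shared secret, user name, password, port name, remote address, and TACACS+ session ID are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and TACACS+ body obfuscation
(RFC 8907 section 4.5), implemented from the RFCs so the difference in the
comparison table can be seen on the wire. All secrets and identities are constructed."""
import hashlib
import os
import struct

SECRET = b"constructed-shared-secret"   # assumption: the NAS/server shared secret


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = the 16-byte Request Authenticator. This is the RFC's MD5 construction,
    not a modern cipher; its strength is the entropy of the shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does). Trailing NUL
    padding is stripped, so a password ending in NUL bytes cannot round-trip."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ b for c, b in zip(block, pad)), block
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1), Length (1, includes the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(identifier: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """Code 1 = Access-Request; attribute 1 = User-Name, 2 = User-Password.
    Only the password is hidden; User-Name is cleartext by design."""
    request_auth = os.urandom(16)
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs


def radius_response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A NAS must verify this on every reply, otherwise a spoofed Access-Accept is trivial."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_xor_body(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo-pad; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, version, seq_no, len(body))))


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)."""
    lengths = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return lengths + user + port + rem_addr + data


def tacacs_packet(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """12-byte cleartext header (version, type=AUTHEN(1), seq_no, flags=0, session_id, length)
    followed by the obfuscated body."""
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_xor_body(body, session_id, key, version, seq_no)


def on_wire_exposure(username: bytes = b"alice", password: bytes = b"s3cret-pw") -> dict:
    """What a passive observer without the shared secret can read from each protocol."""
    rad = radius_access_request(7, username, password, SECRET)
    tac = tacacs_packet(tacacs_authen_start(username, b"tty0", b"10.0.0.5"), 0x1234ABCD, SECRET)
    return {
        "radius_username_cleartext": username in rad,
        "radius_password_cleartext": password in rad,
        "tacacs_username_cleartext": username in tac,
    }
```

The RADIUS user name (and every attribute other than User-Password) is readable by anyone on the path, which is why the table above says RADIUS "encrypts only the password"; the TACACS+ body hides the user name as well, but both constructions are a keyed MD5 stream, so both are only as strong as the shared secret and should be tunnelled over IPsec or TLS on untrusted networks.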

Remote Authentication Protocols
§ Point-to-Point Protocol (PPP): the link-layer protocol that carries the authentication exchanges below
§ Challenge Handshake Authentication Protocol (CHAP): the server sends a random challenge and the client answers with MD5(identifier, secret, challenge), so the password itself never crosses the link
§ Extensible Authentication Protocol (EAP): a framework that carries many methods (for example certificate-based EAP-TLS); on wired and wireless access the NAS relays the EAP conversation to the RADIUS server

EAP over RADIUS (figure)

Virtual Private Networks (VPNs)
§ A secure connection over an unsecure network, the Internet
§ Security over a VPN is provided through encryption
§ Tunneling protocols:
• Point-to-Point Tunneling Protocol (PPTP): legacy; its MS-CHAPv2 authentication and MPPE encryption are broken, and it should not be deployed for new remote access
• Layer 2 Tunneling Protocol (L2TP): provides the tunnel only and no encryption of its own, so it is normally paired with IPsec (L2TP/IPsec)
• Internet Protocol Security (IPsec): network-layer confidentiality and integrity (ESP), with keys negotiated by IKE

VPN Essentials (figure)

Web Authentication
§ Ensuring users are who they say they are through a Web application
§ User ID and password are the basic form of authentication
§ Other forms of authentication:
• One-time password (OTP) authentication, typically a time-based code (TOTP) from an authenticator app or hardware token, used as a second factor alongside the password
• Digital certificates (client-certificate authentication during the TLS handshake)
• Knowledge-based authentication (KBA): answers to personal questions; the weakest of these, because the answers are often discoverable or reused across sites

Best Practices for Remote Access Controls to Support Remote Workers
§ Determine the security risk associated with remote access
§ Select a remote access option that addresses the security needs
§ Determine the appropriate level of authentication based on the security risk
§ Ensure the systems that are accessing the network meet the security policies of the organization
§ Ensure protection of the systems that remote workers access

INTEGRATE IDENTITY AS A SERVICE

Identity as a Service (IDaaS)
§ A combination of administration and account provisioning, authentication and authorization, and reporting functions
§ Cloud-based services that broker identity and access management functions

IDaaS Functionality
§ Identity Governance and Administration (IGA)
§ Access Intelligence

Identity
§ IDaaS offers management of identity, or information, as a digital entity
§ This identity can be used during electronic transactions
§ Identity refers to a set of attributes associated with something that make it recognizable

Features & Benefits of Most Identity & Access Management Systems
§ Single sign-on (SSO)
§ Authentication
§ Federation
§ Granular authorization controls
§ Administration
§ Integration with internal directory services
§ Integration with external services

Cloud IAM Considerations
§ APIs
§ Authorization mapping
§ Audit
§ Privacy
§ Latency
§ Application identity
§ Mobile

The Role of IDaaS
§ A component of a larger layered security strategy
§ Primary responsibility is administrative
§ Manages passwords and their synchronization across the enterprise

Week 12 assignment
For this discussion board assignment, you will share your week 11 individual project with the class. Copy and paste your week 11 assignment into the discussion board thread. You will then respond substantively to at least two classmates' posts with no less than 100 words each. All initial posts are due by Wednesday, and all responses by Saturday. If you fail to post by Wednesday, you will lose 50% of this assignment's score. Please ensure that all previous scholarly writing standards and guidelines are followed.