Cisco's Secure Access Control Server (ACS)
Slide deck, 22 slides

Slide 1: Cisco's Secure Access Control Server (ACS)
• ACS: Cisco's AAA server
• A centralized access control solution
• Supports both RADIUS and TACACS+
• Supports Cisco's Network Access Control (NAC, aka Network Admission Control)

Slide 2: Network Access Control
• Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/nac.html
• AAA clients: aka NAD (network access devices), NAS (network access servers)
• Posture validation/assessment: whether a host complies with security policies (e.g., antivirus s/w version & patches)
T. A. Yang, Network Security

Slide 3: ACS
• Extensive support for common authentication protocols for end users/devices: Passwords, PAP, CHAP, ARAP, MS-CHAP, LEAP, EAP-MD5, EAP-TLS, PEAP

Slide 4: Shared Profile Components (SPC)
• A shared profile is a set of authorization components that may be applied to one or more users or groups of users, and referenced by name within their profiles.
• Benefits: scalability (by avoiding repetition in configuring long lists of devices for commands and other authorization parameters)
• e.g.,
  – Downloadable IP ACLs
  – Network access filters (NAF)
  – RADIUS authorization components (RAC)
  – Shell command authorization sets
  – …

Slide 5: Downloadable IP ACLs
• A predefined and named set of ACL definitions (aka ACL contents) that can be associated with each applicable user or group of users by referencing its name
• No need to repetitively define the same ACLs for each of the users and groups of users
• RADIUS authentication is required for this feature to work with a client.

Slide 6: Downloadable IP ACLs operate this way
• Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp696775
1. When ACS grants a user access to the network, ACS determines whether a downloadable IP ACL is assigned to that user or the user's group.
2. If ACS locates a downloadable IP ACL that is assigned to the user or the user's group, it determines whether an ACL content entry is associated with the AAA client that sent the RADIUS authentication request.
3. ACS sends, as part of the user session RADIUS access-accept packet, an attribute specifying the named ACL and the version of the named ACL.
4. If the AAA client responds that it does not have the current version of the ACL in its cache (that is, the ACL is new or has changed), ACS sends the ACL (new or updated) to the device.

Slide 7: Network access filters (NAF)
• Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp696560
• A named group of any combination of one or more of the following network elements: IP addresses, AAA clients (network devices), network device groups (NDGs)
• You can add a NAF that contains any combination of NDGs, network devices (AAA clients), or IP addresses.
• Benefits:
  – Defining a NAF saves you the effort of listing each AAA client explicitly.
  – Network devices (e.g., all NAC-L3-IP devices or all NAC-L2-IP devices) can be included in a single NAF for easy reference and application of authentication functions.
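The NAF matching described on this slide and the four-step downloadable IP ACL exchange on slide 6 can be followed end to end in the simulation below. It is an added example, not Cisco code and not part of these slides: the AAA client names, NDG names, IP ranges, ACE strings and the shape of the accept message are all constructed, and keying each ACL content entry by a NAF is the model the slides describe, not a claim about ACS internals.

```python
"""Simulation of the downloadable IP ACL flow (ACS steps 1-4) plus NAF matching.
Added example: not Cisco code; every name, address and ACE below is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AAAClient:
    name: str
    ip: str
    ndg: str                      # network device group (NDG) the client belongs to


@dataclass
class NAF:
    """Network access filter: a named set of IP ranges, AAA clients and/or NDGs."""
    name: str
    ips: list = field(default_factory=list)       # CIDR strings
    clients: list = field(default_factory=list)   # AAA client names
    ndgs: list = field(default_factory=list)      # NDG names

    def matches(self, client: AAAClient) -> bool:
        if client.name in self.clients or client.ndg in self.ndgs:
            return True
        addr = ipaddress.ip_address(client.ip)
        return any(addr in ipaddress.ip_network(net, strict=False) for net in self.ips)


@dataclass
class DownloadableACL:
    """A named dACL; each ACL content entry is keyed by the NAF it applies to."""
    name: str
    version: int
    contents: dict                # NAF name -> list of ACE strings


class ACS:
    def __init__(self, nafs, dacls, user_group, group_dacl, user_dacl):
        self.nafs = {n.name: n for n in nafs}
        self.dacls = {d.name: d for d in dacls}
        self.user_group, self.group_dacl, self.user_dacl = user_group, group_dacl, user_dacl

    def select(self, user, client):
        """Steps 1-2: dACL assigned to the user (else the user's group), then the
        content entry whose NAF matches the AAA client that sent the request."""
        name = self.user_dacl.get(user) or self.group_dacl.get(self.user_group.get(user))
        if name is None:
            return None
        dacl = self.dacls[name]
        for naf_name, aces in dacl.contents.items():
            if self.nafs[naf_name].matches(client):
                return dacl, aces
        return None

    def access_accept(self, user, client):
        """Step 3: the access-accept carries only the ACL's name and version."""
        sel = self.select(user, client)
        if sel is None:
            return {"dacl": None}
        dacl, _ = sel
        return {"dacl": {"name": dacl.name, "version": dacl.version}}

    def download(self, user, client):
        """Step 4: the ACL body is sent only when the client reports a stale cache."""
        dacl, aces = self.select(user, client)
        return dacl.version, list(aces)


class NAD:
    """AAA client that caches downloaded ACLs by name and version."""
    def __init__(self, client):
        self.client, self.cache = client, {}

    def login(self, acs, user):
        acc = acs.access_accept(user, self.client)
        if acc["dacl"] is None:
            return "no-dacl"
        name, version = acc["dacl"]["name"], acc["dacl"]["version"]
        if name in self.cache and self.cache[name][0] == version:
            return "cache-hit"            # current version already held: no download
        self.cache[name] = acs.download(user, self.client)
        return "downloaded"


def demo():
    """Constructed policy: contractors get 'contractor-acl', whose contents differ
    for edge switches (selected by NDG) and the VPN gateway (selected by IP)."""
    nafs = [NAF("edge-switches", ndgs=["Edge"]),
            NAF("vpn-gateways", ips=["10.0.0.0/24"])]
    dacl = DownloadableACL("contractor-acl", 1, {
        "edge-switches": ["permit ip any 10.10.0.0 0.0.255.255"],
        "vpn-gateways": ["permit tcp any 10.10.5.0 0.0.0.255 eq 443"]})
    acs = ACS(nafs, [dacl], user_group={"alice": "contractors"},
              group_dacl={"contractors": "contractor-acl"}, user_dacl={})
    edge = NAD(AAAClient("sw-edge-1", "192.168.1.10", "Edge"))
    vpn = NAD(AAAClient("vpn-1", "10.0.0.5", "Core"))
    core = NAD(AAAClient("core-1", "192.168.9.1", "Core"))   # matches no NAF
    out = [edge.login(acs, "alice"), edge.login(acs, "alice"),
           vpn.login(acs, "alice"), core.login(acs, "alice")]
    dacl.version += 1                    # administrator edits the ACL: version changes
    out.append(edge.login(acs, "alice"))
    return out, edge.cache["contractor-acl"][1], vpn.cache["contractor-acl"][1]


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the same user, with the same dACL assignment, receives different ACEs depending on which NAF the requesting device falls into, and that a device matching no NAF gets no ACL at all rather than a default one; the version check is what keeps the RADIUS exchange small on repeat logins.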

Slide 8: Discussions
• Bahiji
  – p. 294: “Before NAF, per-device access restriction was not an option. … With NAF, granular application of access restrictions and downloadable ACLs is now possible, …”
  – p. 293: “NAF regulates the access control on the basis of a AAA client’s IP address. Hence, ACLs can be uniquely tailored on a per-user, per-device basis.”
• Q: Do you agree with the author that per-device access restriction is the primary benefit of using NAF?

Slide 9: RADIUS authorization components (RAC)

Slide 10: Shell command authorization sets

Slide 11: Network access restrictions (NAR)

Slide 12: Machine access restrictions (MAR)

Slide 13: Network access profiles (NAP)

Slide 14: Support for NAC (Network Access Control)
• Goal of NAC: A self-defending network (meaning?)
• In addition to verifying the user identity, the NAS also validates the user computer’s posture.
• Two implementation options:
  1. Cisco NAC Appliance Solution (Cisco package)
  2. Cisco NAC Framework (with 3rd-party products)
• More later …

Slide 15: ACS support for Multifactor Authentication
• Two- or more-factor authentication is desirable (and more secure).
• ACS supports two-factor authentication:
  – ASCII Password Authentication Protocol (PAP)
  – Protected Extensible Authentication Protocol (PEAP)
  – Extensible Authentication Protocol Generic Token Card (EAP-GTC), using token servers
  – ?

Slide 16: Vulnerability with Static Passwords
• Static passwords are used over a period of time
  – Subject to brute force attacks and dictionary attacks
  – Eavesdropping attack
  – Replayed passwords
  Q: Would encryption help?
• Solution: Continually change the passwords → One-time passwords (OTP)

Slide 17: One-Time Passwords
• A different password is sent to the authentication server each time a user is authenticated.
• A password is used one time only. A replayed password is useless.
• Three mechanisms:
  1. Math algorithm: initial seed + hash(previous password) → next password
  2. Challenge/Response (prerequisite?)
  3. Time-synchronized (prerequisite?)
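The three OTP mechanisms listed above, and the replay problem from slide 16 that they are meant to remove, in one small simulation. This is an added example, not from the slides or from any token vendor: SHA-256 and HMAC-SHA-256 stand in for whatever a real token uses, every seed and secret is constructed, and the hash-chain mechanism is written in the Lamport/S/KEY direction (the user reveals the chain from its far end, so the server checks each value by hashing it once), which is the standard form of the "seed + hash" scheme on the slide. Each server also shows what its prerequisite is: a stored chain anchor, a shared secret plus a fresh challenge, or a shared seed plus an agreed clock.

```python
"""Three OTP mechanisms in miniature, each with a replay check.
Added example, not from the slides or a vendor; all secrets are constructed."""
import hashlib
import hmac
import os

# 1. Math algorithm: a hash chain. The user reveals the chain from its far end
#    (Lamport / S/KEY direction); the server keeps only the last accepted value.
def make_chain(seed: bytes, n: int) -> list:
    """Returns [H(seed), H^2(seed), ..., H^n(seed)]; the user sends the last element first."""
    chain, cur = [], hashlib.sha256(seed).digest()
    for _ in range(n):
        chain.append(cur)
        cur = hashlib.sha256(cur).digest()
    return chain


class ChainServer:
    def __init__(self, anchor: bytes):
        self.anchor = anchor           # H^(n+1)(seed) at enrolment; the seed itself is never stored

    def verify(self, password: bytes) -> bool:
        if hashlib.sha256(password).digest() != self.anchor:
            return False               # replayed or out-of-order value: hashes to the wrong anchor
        self.anchor = password         # step the anchor one link down the chain
        return True


# 2. Challenge/response. Prerequisite: a per-user shared secret and a fresh,
#    unpredictable challenge for every attempt.
def respond(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, "sha256").digest()


class ChallengeServer:
    def __init__(self, secret: bytes):
        self.secret, self.outstanding = secret, None

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(16)
        return self.outstanding

    def verify(self, response: bytes) -> bool:
        if self.outstanding is None:
            return False               # nothing outstanding: a replayed response matches nothing
        ok = hmac.compare_digest(respond(self.secret, self.outstanding), response)
        self.outstanding = None        # each challenge is answered at most once
        return ok


# 3. Time-synchronized. Prerequisite: a shared seed and clocks that agree to
#    within a step; the server also remembers the last step it accepted.
STEP = 30                              # seconds per code (constructed choice)


def time_code(seed: bytes, now: float) -> bytes:
    counter = int(now) // STEP
    return hmac.new(seed, counter.to_bytes(8, "big"), "sha256").digest()


class TimeServer:
    def __init__(self, seed: bytes):
        self.seed, self.last_counter = seed, -1

    def verify(self, code: bytes, now: float) -> bool:
        counter = int(now) // STEP
        for c in (counter - 1, counter, counter + 1):      # tolerate one step of drift
            if c <= self.last_counter:
                continue               # step already used (or older): blocks replay inside the window
            expected = hmac.new(self.seed, c.to_bytes(8, "big"), "sha256").digest()
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    """Per mechanism: a legitimate login, a replay of the same value, then the next login."""
    chain = make_chain(b"constructed-seed", 3)
    cs = ChainServer(hashlib.sha256(chain[-1]).digest())
    chain_results = [cs.verify(chain[2]), cs.verify(chain[2]), cs.verify(chain[1])]

    secret = b"constructed-shared-secret"
    cr = ChallengeServer(secret)
    resp = respond(secret, cr.challenge())
    cr_results = [cr.verify(resp), cr.verify(resp)]
    cr_results.append(cr.verify(respond(secret, cr.challenge())))

    seed = b"constructed-token-seed"
    ts = TimeServer(seed)
    t0 = 1_700_000_000.0               # fixed clock so the run is reproducible
    code = time_code(seed, t0)
    t_results = [ts.verify(code, t0), ts.verify(code, t0 + 5),
                 ts.verify(time_code(seed, t0 + STEP), t0 + STEP)]
    return {"chain": chain_results, "challenge": cr_results, "time": t_results}


if __name__ == "__main__":
    print(demo())
```

In every case the second attempt fails because the server's state moved on after the first acceptance, not because the password was secret; that is the answer to the slide-16 question about encryption, which would hide the value from an eavesdropper but would not stop the same ciphertext being presented again.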

Slide 18: Authentication Factors
• What the user knows
• What the user has
  – Smart cards, tokens (h/w or s/w)
• What the user is
  – Biometric features
• Where the user is
  – GPS-based authentication
• Combination of the above factors

Slide 19: RSA SecurID
• A h/w or s/w token
• Each token has a built-in random key (the seed)
• Time-synchronized OTP
• Q: What are the two factors?

Slide 20: ACS’s Support for Token Servers
• ACS supports two types of token servers:
  1. RADIUS token server
     • A token server with a RADIUS i/f
     • ACS communicates with the token server using the RADIUS i/f.
  2. Non-RADIUS token server
     • RSA SecurID token servers do not support the RADIUS protocol.
     • ACS uses RSA’s client s/w to communicate with the RSA token server.

Slide 21: Authentication using Token Servers
• http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00803deae1.html#wp1015122

Slide 22: ACS’s Support for Token Servers
• Cisco Secure ACS software supports authentication from these authentication servers:
  – CRYPTOCard
  – SecurID ACE/Server
  – SafeWord from Secure Computing
• For each token server you plan to support, make sure you have properly installed the corresponding software before installing Cisco Secure ACS.