Security Guide to Network Security Fundamentals Third Edition
- Slides: 51
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication
Objectives • Define authentication • Describe the different types of authentication credentials • List and explain the authentication models Security+ Guide to Network Security Fundamentals, Third Edition 2
Objectives (continued) • Define authentication servers • Describe the different extended authentication protocols • Explain how a virtual private network functions Security+ Guide to Network Security Fundamentals, Third Edition 3
Definition of Authentication • Authentication can be defined in two contexts – The first is viewing authentication as it relates to access control – The second is to look at it as one of the three key elements of security—authentication, authorization, and accounting Security+ Guide to Network Security Fundamentals, Third Edition 4
Authentication and Access Control Terminology • Access control is the process by which resources or services are granted or denied • Identification – The presentation of credentials or identification • Authentication – The verification of the credentials to ensure that they are genuine and not fabricated • Authorization – Granting permission for admittance • Access is the right to use specific resources Security+ Guide to Network Security Fundamentals, Third Edition 5
Authentication, Authorization, and Accounting (AAA) • Authentication in AAA provides a way of identifying a user – Typically by having them enter a valid password before granting access • Authorization is the process that determines whether the user has the authority to carry out certain tasks – Often defined as the process of enforcing policies • Accounting measures the resources a user “consumes” during each network session Security+ Guide to Network Security Fundamentals, Third Edition 6
Authentication, Authorization, and Accounting (AAA) (continued) • The information can then be used in different ways: – To find evidence of problems – For billing – For planning • AAA servers – Servers dedicated to performing AAA functions – Can provide significant advantages in a network Security+ Guide to Network Security Fundamentals, Third Edition 7
Authentication Credentials • Types of authentication, or authentication credentials – – – Passwords One-time passwords Standard biometrics Behavioral biometrics Cognitive biometrics Security+ Guide to Network Security Fundamentals, Third Edition 8
One-Time Passwords • Standard passwords are typically static in nature • One-time passwords (OTP) – Dynamic passwords that change frequently – Systems using OTPs generate a unique password on demand that is not reusable • The most common type is a time-synchronized OTP – Used in conjunction with a token • The token and a corresponding authentication server share the same algorithm – Each algorithm is different for each user’s token Security+ Guide to Network Security Fundamentals, Third Edition 9
One-Time Passwords (continued) Security+ Guide to Network Security Fundamentals, Third Edition 10
Security+ Guide to Network Security Fundamentals, Third Edition 11
One-Time Passwords (continued) • There are several variations of OTP systems • Challenge-based OTPs – Authentication server displays a challenge (a random number) to the user – User then enters the challenge number into the token • Which then executes a special algorithm to generate a password – Because the authentication server has this same algorithm, it can also generate the password and compare it against that entered by the user Security+ Guide to Network Security Fundamentals, Third Edition 12
Standard Biometrics • Standard biometrics – Uses a person’s unique characteristics for authentication (what he is) – Examples: fingerprints, faces, hands, irises, retinas • Types of fingerprint scanners – Static fingerprint scanner – Dynamic fingerprint scanner • Disadvantages – Costs – Readers are not always foolproof Security+ Guide to Network Security Fundamentals, Third Edition 13
Standard Biometrics (continued) Security+ Guide to Network Security Fundamentals, Third Edition 14
Behavioral Biometrics • Behavioral biometrics – Authenticates by normal actions that the user performs • Keystroke dynamics – Attempt to recognize a user’s unique typing rhythm – Keystroke dynamics uses two unique typing variables • Dwell time • Flight time Security+ Guide to Network Security Fundamentals, Third Edition 15
Behavioral Biometrics (continued) Security+ Guide to Network Security Fundamentals, Third Edition 16
Behavioral Biometrics (continued) Security+ Guide to Network Security Fundamentals, Third Edition 17
Behavioral Biometrics (continued) • Voice recognition – Used to authenticate users based on the unique characteristics of a person’s voice – Phonetic cadence • Speaking two words together in a way that one word “bleeds” into the next word • Becomes part of each user’s speech pattern • Computer footprint – When and from where a user normally accesses a system Security+ Guide to Network Security Fundamentals, Third Edition 18
Cognitive Biometrics • Cognitive biometrics – Related to the perception, thought process, and understanding of the user – Considered to be much easier for the user to remember because it is based on the user’s life experiences • One example of cognitive biometrics is based on a life experience that the user remembers • Another example of cognitive biometrics requires the user to identify specific faces Security+ Guide to Network Security Fundamentals, Third Edition 19
Security+ Guide to Network Security Fundamentals, Third Edition 20
Authentication Models • Single and multi-factor authentication – One-factor authentication • Using only one authentication credential – Two-factor authentication • Enhances security, particularly if different types of authentication methods are used – Three-factor authentication • Requires that a user present three different types of authentication credentials Security+ Guide to Network Security Fundamentals 21
Authentication Models (continued) • Single sign-on – Identity management • Using a single authenticated ID to be shared across multiple networks – Federated identity management (FIM) • When those networks are owned by different organizations – One application of FIM is called single sign-on (SSO) • Using one authentication to access multiple accounts or applications Security+ Guide to Network Security Fundamentals, Third Edition 22
Authentication Models (continued) • Windows Live ID – Originally introduced in 1999 as. NET Passport – Requires a user to create a standard username and password – When the user wants to log into a Web site that supports Windows Live ID • The user will first be redirected to the nearest authentication server – Once authenticated, the user is given an encrypted time-limited “global” cookie Security+ Guide to Network Security Fundamentals, Third Edition 23
Authentication Models (continued) • Windows Card. Space – Feature of Windows that is intended to provide users with control of their digital identities while helping them to manage privacy – Types of cards • Manage cards • Personal cards Security+ Guide to Network Security Fundamentals, Third Edition 24
Authentication Models (continued) Security+ Guide to Network Security Fundamentals, Third Edition 25
Authentication Models (continued) • Open. ID – A decentralized open source FIM that does not require specific software to be installed on the desktop – A uniform resource locator (URL)-based identity system • An Open. ID identity is only a URL backed up by a username and password • Open. ID provides a means to prove that the user owns that specific URL Security+ Guide to Network Security Fundamentals, Third Edition 26
Authentication Servers • Authentication can be provided on a network by a dedicated AAA or authentication server • The most common type of authentication and AAA servers are – RADIUS, Kerberos, TACACS+, and generic servers built on the Lightweight Directory Access Protocol (LDAP) Security+ Guide to Network Security Fundamentals, Third Edition 27
RADIUS • RADIUS (Remote Authentication Dial in User Service) – Developed in 1992 – Quickly became the industry standard with widespread support – Suitable for what are called “high-volume service control applications” • With the development of IEEE 802. 1 x port security for both wired and wireless LANs – RADIUS has recently seen even greater usage Security+ Guide to Network Security Fundamentals, Third Edition 28
RADIUS (continued) • A RADIUS client is typically a device such as a dialup server or wireless access point (AP) – Responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server • The RADIUS server authenticates and authorizes the RADIUS client request – Sends back a RADIUS message response • RADIUS clients also send RADIUS accounting messages to RADIUS servers Security+ Guide to Network Security Fundamentals, Third Edition 29
Security+ Guide to Network Security Fundamentals, Third Edition 30
Kerberos • Kerberos – An authentication system developed by the Massachusetts Institute of Technology (MIT) – Used to verify the identity of networked users • Kerberos process – User is provided a ticket that is issued by the Kerberos authentication server – The user presents this ticket to the network for a service – The service then examines the ticket to verify the identity of the user Security+ Guide to Network Security Fundamentals, Third Edition 31
Terminal Access Control System (TACACS+) • Terminal Access Control System (TACACS+) – An industry standard protocol specification that forwards username and password information to a centralized server • The centralized server can either be a TACACS+ database – Or a database such as a Linux or UNIX password file with TACACS protocol support Security+ Guide to Network Security Fundamentals, Third Edition 32
Lightweight Directory Access Protocol (LDAP) • Directory service – A database stored on the network itself that contains information about users and network devices • X. 500 – A standard for directory services – Created by ISO • White-pages service – Capability to look up information by name • Yellow-pages service – Browse and search for information by category Security+ Guide to Network Security Fundamentals, Third Edition 33
Lightweight Directory Access Protocol (LDAP) (continued) • The information is held in a directory information base (DIB) • Entries in the DIB are arranged in a tree structure called the directory information tree (DIT) • Directory Access Protocol (DAP) – Protocol for a client application to access an X. 500 directory – DAP is too large to run on a personal computer Security+ Guide to Network Security Fundamentals, Third Edition 34
Lightweight Directory Access Protocol (LDAP) (continued) • Lightweight Directory Access Protocol (LDAP) – Sometimes called X. 500 Lite – A simpler subset of DAP • Primary differences – LDAP was designed to run over TCP/IP – LDAP has simpler functions – LDAP encodes its protocol elements in a less complex way than X. 500 • LDAP is an open protocol Security+ Guide to Network Security Fundamentals, Third Edition 35
Extended Authentication Protocols (EAP) • Extensible Authentication Protocol (EAP) – Management protocol of IEEE 802. 1 x that governs the interaction between the system, authenticator, and RADIUS server – An “envelope” that can carry many different kinds of exchange data used for authentication • The EAP protocols can be divided into three categories: – Authentication legacy protocols, EAP weak protocols, and EAP strong protocols Security+ Guide to Network Security Fundamentals, Third Edition 36
Security+ Guide to Network Security Fundamentals, Third Edition 37
Authentication Legacy Protocols • No longer extensively used for authentication • Three authentication legacy protocols include: – Password Authentication Protocol (PAP) – Challenge-Handshake Authentication Protocol (CHAP) – Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) Security+ Guide to Network Security Fundamentals, Third Edition 38
EAP Weak Protocols • Still used but have security vulnerabilities • EAP weak protocols include: – Extended Authentication Protocol–MD 5 (EAP-MD 5) – Lightweight EAP (LEAP) Security+ Guide to Network Security Fundamentals, Third Edition 39
EAP Strong Protocols • EAP strong protocols include: – EAP with Transport Layer Security (EAP-TLS) – EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP) Security+ Guide to Network Security Fundamentals, Third Edition 40
Remote Authentication and Security • Important to maintain strong security for remote communications – Transmissions are routed through networks or devices that the organization does not manage and secure • Managing remote authentication and security usually includes: – Using remote access services – Installing a virtual private network – Maintaining a consistent remote access policy Security+ Guide to Network Security Fundamentals, Third Edition 41
Remote Access Services (RAS) • Remote Access Services (RAS) – Any combination of hardware and software that enables access to remote users to a local internal network – Provides remote users with the same access and functionality as local users Security+ Guide to Network Security Fundamentals, Third Edition 42
Virtual Private Networks (VPNs) • Virtual private network (VPN) – One of the most common types of RAS – Uses an unsecured public network, such as the Internet, as if it were a secure private network – Encrypts all data that is transmitted between the remote device and the network • Common types of VPNs – Remote-access VPN or virtual private dial-up network (VPDN) – Site-to-site VPN Security+ Guide to Network Security Fundamentals, Third Edition 43
Security+ Guide to Network Security Fundamentals, Third Edition 44
Virtual Private Networks (VPNs) (continued) • VPN transmissions are achieved through communicating with endpoints • Endpoint – End of the tunnel between VPN devices • VPN concentrator – Aggregates hundreds or thousands of multiple connections • Depending upon the type of endpoint that is being used, client software may be required on the devices that are connecting to the VPN Security+ Guide to Network Security Fundamentals, Third Edition 45
Virtual Private Networks (VPNs) (continued) • VPNs can be software-based or hardware-based • Software-based VPNs offer the most flexibility in how network traffic is managed – Hardware-based VPNs generally tunnel all traffic they handle regardless of the protocol • Generally, software based VPNs do not have as good of performance or security as a hardwarebased VPN Security+ Guide to Network Security Fundamentals, Third Edition 46
Virtual Private Networks (VPNs) (continued) • Advantages of VPN technology: – – – – Cost savings Scalability Full protection Speed Transparency Authentication Industry standards Security+ Guide to Network Security Fundamentals, Third Edition 47
Virtual Private Networks (VPNs) (continued) • Disadvantages to VPN technology: – – – Management Availability and performance Interoperability Additional protocols Performance impact Expense Security+ Guide to Network Security Fundamentals, Third Edition 48
Remote Access Policies • Establishing strong remote access policies is important • Some recommendations for remote access policies: – Remote access policies should be consistent for all users – Remote access should be the responsibility of the IT department – Form a working group and create a standard that all departments will agree to Security+ Guide to Network Security Fundamentals, Third Edition 49
Summary • Access control is the process by which resources or services are denied or granted • There are three types of authentication methods • Authentication credentials can be combined to provide extended security • Authentication can be provided on a network by a dedicated AAA or authentication server • The management protocol of IEEE 802. 1 x that governs the interaction between the system, authenticator, and RADIUS server is known as the Extensible Authentication Protocol (EAP) Security+ Guide to Network Security Fundamentals, Third Edition 50
Summary (continued) • Organizations need to provide avenues for remote users to access corporate resources as if they were sitting at a desk in the office Security+ Guide to Network Security Fundamentals, Third Edition 51
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Fundamentals of corporate finance third canadian edition
- Fundamentals of corporate finance, third canadian edition
- Computer security fundamentals 4th edition
- William stallings network security essentials 5th edition
- Cryptography and network security 6th edition
- Cryptography and network security 6th edition pdf
- Cryptography and network security 4th edition
- Cryptographic systems are generically classified by
- Cryptography and network security pearson
- Forward caries definition
- Caries profunda definition
- Fundamentals of information systems 9th edition
- Fundamentals of information systems 9th edition
- Fluid mechanics fundamentals and applications 3rd edition
- Digital fundamentals 10th edition
- Machining fundamentals 10th edition
- Fundamentals of organizational communication
- Fundamentals of organizational communication 9th edition
- Digital fundamentals 10th edition
- Floyd digital fundamentals 10th edition pdf
- Dc/ac fundamentals 1st edition
- Management fundamentals 8th edition
- Fundamentals of information systems
- Fundamentals of corporate finance fifth edition
- Corporate finance 6th edition
- Abnormal psychology ronald j comer 9th edition
- Fundamentals of information systems 9th edition
- Critical radius of insulation for cylinder
- The fundamentals of political science research 2nd edition
- Principles of economics third edition politeknik
- Organic chemistry (3rd) edition chapter 1 problem 20s
- Organic chemistry third edition david klein
- Business mathematics third edition
- Modern operating systems tanenbaum
- Lifespan development third edition
- Lifespan development third edition
- Essential cell biology
- Dr ruth yates
- What is the osi security architecture?
- Wireless security in cryptography and network security
- Electronic mail security in network security
- Using mis (10th edition) 10th edition
- Zulily case study
- Private secruity
- Ccna exploration network fundamentals
- Campus network design fundamentals
- Florida real estate broker's guide 6th edition
- Florida real estate broker's guide 6th edition
- A pocket guide to public speaking 6th edition free