FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed. Chapter 10: Authenticating Users. By Whitman, Mattord, & Austin. © 2008 Course Technology.

Presentation transcript:

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Chapter 10: Authenticating Users
By Whitman, Mattord, & Austin
© 2008 Course Technology

Learning Objectives
• Explain why authentication is a critical aspect of network security
• Explain why firewalls authenticate and how they identify users
• Describe user, client, and session authentication
• List the advantages and disadvantages of popular centralized authentication systems
• Discuss the potential weaknesses of password security systems
• Discuss the use of password security tools
• Describe common authentication protocols used by firewalls
Slide 2 - Firewalls & Network Security, 2nd ed. - Chapter 10

The Authentication Process in General
• The act of identifying users and providing network services to them based on their identity
• Two forms
  – Local authentication
  – Centralized authentication service (often uses two-factor authentication)
Slide 3

How Firewalls Implement the Authentication Process
1. Client makes request to access a resource
2. Firewall intercepts the request and prompts the user for name and password
3. User submits information to firewall
4. User is authenticated
5. Request is checked against firewall's rule base
6. If request matches existing allow rule, user is granted access
7. User accesses desired resources
Slide 4

How Firewalls Implement the Authentication Process (continued)
Slide 5
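The seven-step process above, modelled in Python as an added example (this is not code from the textbook or from any firewall product). It assumes a tiny credential store of salted PBKDF2 hashes and an ordered rule base where the first matching rule decides; the order of the steps is the point: authentication is settled before the rule base is consulted, and an unknown user and a wrong password produce the same answer so that failures do not confirm which usernames exist.

```python
import hashlib, hmac, os
from ipaddress import ip_address, ip_network

def make_credential(password, salt=None):
    """Salted PBKDF2 hash; the firewall keeps (salt, hash), never the cleartext password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthenticatingFirewall:
    """Steps 2-7 of the chapter's process: prompt, authenticate, then consult the rule base."""
    def __init__(self):
        self.users = {}   # username -> (salt, hash)
        self.rules = []   # ordered (action, users, network, port); first match wins
        self.audit = []   # what a real firewall would write to its log

    def add_user(self, name, password):
        self.users[name] = make_credential(password)   # the ACL entry for a legitimate user

    def add_rule(self, action, users, network, port):
        self.rules.append((action, set(users), ip_network(network), port))

    def authenticate(self, name, password):
        # Unknown user and wrong password take the same path and give the same answer,
        # so a failed attempt does not reveal which usernames are valid.
        salt, digest = self.users.get(name, (b"\x00" * 16, b"\x00" * 32))
        return hmac.compare_digest(digest, make_credential(password, salt)[1])

    def request(self, name, password, dest_ip, port):
        """Step 1 is the client's request; the return value is the firewall's decision (steps 2-7)."""
        if not self.authenticate(name, password):               # steps 2-4
            self.audit.append(("auth-fail", name, dest_ip, port))
            return "denied: authentication failed"
        for action, users, net, rule_port in self.rules:        # step 5: walk the rule base in order
            if (users == {"*"} or name in users) and ip_address(dest_ip) in net and rule_port in (port, "*"):
                self.audit.append((action, name, dest_ip, port))
                return "allowed" if action == "allow" else "denied: rule"   # step 6
        self.audit.append(("deny-default", name, dest_ip, port))
        return "denied: no matching allow rule"                  # no allow rule matched, so no access
```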

Firewall Authentication Methods
• User authentication
• Client authentication
• Session authentication
Slide 6

User Authentication
• Basic authentication; user supplies username and password to access networked resources
• Users who need to legitimately access your internal servers must be added to your access control lists (ACLs)
Slide 7

User Authentication (continued)
Slide 8

Client Authentication
• Same as user authentication but with additional time limit or usage limit restrictions
• When configuring, set up one of two types of authentication systems
  – Standard sign-on system
  – Specific sign-on system
Slide 9

Client Authentication (continued)
Slide 10

Session Authentication
• Required any time the client establishes a session with a server or other networked resource
Slide 11

Comparison of Authentication Methods
Slide 12

Centralized Authentication
• Centralized server maintains all authorizations for users regardless of where user is located and how user connects to network
• Most common methods
  – Kerberos
  – TACACS+ (Terminal Access Controller Access Control System)
  – RADIUS (Remote Authentication Dial-In User Service)
Slide 13

Process of Centralized Authentication
Slide 14

Kerberos
• Provides authentication and encryption through standard clients and servers
• Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources
• Used internally on Windows 2000/XP
• Advantages
  – Passwords are not stored on the system
  – Widely used in UNIX environment; enables authentication across operating systems
Slide 15

Kerberos Authentication
Slide 16
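A reduced Kerberos exchange as an added example (not code from the textbook or from any Kerberos implementation): the KDC stores only keys derived from passwords, issues a ticket that only the target service can open, and the client proves its identity by being able to open the KDC's reply. The cipher here is an assumed toy (HMAC-SHA256 keystream plus a MAC) standing in for Kerberos' real encryption types, and the ticket-granting-server step is omitted so that one AS-style exchange goes straight to a service ticket.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    """Toy stream cipher: HMAC-SHA256 in counter mode (stands in for Kerberos' real enctypes)."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, fields):
    """Encrypt-then-MAC a dict: only a holder of `key` can read it, and any edit is detected."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(password):
    """String-to-key (assumed simple derivation): the KDC stores this key, never the password."""
    return hashlib.sha256(b"toy-string-to-key:" + password.encode()).digest()

class KDC:
    """Key Distribution Center holding one long-term key per principal (users and services)."""
    def __init__(self, passwords):
        self.keys = {name: long_term_key(pw) for name, pw in passwords.items()}

    def issue(self, client, service, lifetime=300):
        """Reply to a client naming a service: a fresh session key plus a ticket only `service` can open.
        The KDC checks no password; only the genuine client can open the reply, and that is the proof."""
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "key": session_key, "exp": time.time() + lifetime})
        return seal(self.keys[client], {"key": session_key, "ticket": ticket.hex()})

def client_login(kdc, client, password, service):
    """Client: open the KDC reply with the password-derived key, then build an authenticator for the service."""
    reply = unseal(long_term_key(password), kdc.issue(client, service))  # wrong password -> ValueError
    authenticator = seal(bytes.fromhex(reply["key"]), {"client": client, "ts": time.time()})
    return bytes.fromhex(reply["ticket"]), authenticator

def service_accepts(service_key, ticket, authenticator, skew=300):
    """Service: open the ticket with its own key, then check the authenticator under the session key."""
    t = unseal(service_key, ticket)
    if time.time() > t["exp"]:
        return False  # expired ticket
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return a["client"] == t["client"] and abs(time.time() - a["ts"]) < skew
```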

TACACS+
• Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems)
• Provides AAA services
  – Authentication
  – Authorization
  – Auditing
• Uses MD5 algorithm to encrypt data
Slide 17

RADIUS
• Centralized dial-in authentication service that uses UDP
• Transmits authentication packets unencrypted across the network
• Provides lower level of security than TACACS+ but more widely supported
Slide 18
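What "unencrypted" means on the wire, as an added example that is not from the textbook or from any RADIUS server: a RADIUS Access-Request built and parsed per RFC 2865. The User-Name attribute travels in cleartext; only the User-Password attribute is masked, by XORing it with MD5 digests of the shared secret, and the reply is bound to the request by an MD5 Response Authenticator rather than by encryption. The shared secret, username and password below are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2  # attribute types (RFC 2865)

def hide_password(password, secret, request_auth):
    """RFC 2865 s.5.2: XOR each 16-byte block with MD5(secret + previous block); block 1 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value

def parse_attributes(data):
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        attrs[atype], data = data[2:alen], data[alen:]
    return attrs

def build_access_request(ident, secret, username, password, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret) binds the reply to the request."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def server_handle(packet, secret, users):
    """Server side: User-Name arrives in cleartext; only User-Password needs the secret to read."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, secret)

def client_accepts(reply, request, secret):
    """Client side: trust the reply only if the Response Authenticator verifies and it is Access-Accept."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT
```

Anyone who captures the request sees the username and the NAS identity directly; recovering the password additionally requires the shared secret, which is why a strong, per-client secret matters so much more here than the MD5 masking itself.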

TACACS+ and RADIUS Compared
• Strength of security
• Filtering characteristics
• Proxy characteristics
• NAT characteristics
Slide 19

Strength of Security
Slide 20

Filtering Characteristics
Slide 21

Proxy Characteristics
• RADIUS
  – Doesn't work with generic proxy systems, but a RADIUS server can function as a proxy server
• TACACS+
  – Works with generic proxy systems
Slide 22

NAT Characteristics
• RADIUS
  – Doesn't work with NAT
• TACACS+
  – Should work through NAT systems
Slide 23

Password Security Issues
• Passwords that can be cracked (accessed by an unauthorized user)
• Password vulnerabilities
• Lax security habits
Slide 24

Passwords That Can Be Cracked
• Ways to crack passwords
  – Find a way to authenticate without knowing the password
  – Uncover password from system that holds it
  – Guess the password
• To avoid the issue
  – Protect passwords effectively
  – Observe security habits
Slide 25

Password Vulnerabilities
• Built-in vulnerabilities
  – Often easy to guess
  – Often stored visibly
  – Social engineering
• To avoid the issues
  – Choose complicated passwords
  – Memorize passwords
  – Never give passwords out to anyone
Slide 26

Lax Security Habits
• To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)
Slide 27

Password Security Tools
• One-time password software
• Shadow password system
Slide 28

One-Time Password Software
• Password is generated using a secret key
• Password is used only once, when the user authenticates
• Different passwords are used for each authentication session
• Types
  – Challenge-response passwords
  – Password list passwords
Slide 29

Shadow Password System
• A feature of Linux that stores passwords in another file that has restricted access
• Passwords are stored only after being encrypted by a randomly generated value and an encoding formula
Slide 30

Other Authentication Systems
• Single-password systems
• One-time password systems
• Certificate-based authentication
• 802.1x Wi-Fi authentication
Slide 31

Single-Password Systems
• Operating system password
• Internal firewall password
Slide 32

One-Time Password Systems
• Single Key (S/Key)
• SecurID
• Axent Pathways Defender
Slide 33

Single Key (S/Key)
• Uses multiple-word rather than single-word passwords
  – User specifies single-word password and the number of times it is to be encrypted
  – Password is processed by a hash function n times; resulting encrypted passwords are stored on the server
• Never stores original password on the server
Slide 34
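The hash chain behind S/Key, and the "password list" style of one-time password from slide 29, as an added example that is not code from the textbook or from any S/Key implementation. The server stores only the n-th hash of seed+secret; each login presents the previous link, which the server checks with one more hash and then keeps as the new reference, so a captured value cannot be replayed. Two simplifications are assumed: SHA-256 truncated to 8 bytes replaces S/Key's folded MD4, and the six-English-word encoding of the 64-bit value is omitted.

```python
import hashlib, hmac

def otp_hash(data: bytes) -> bytes:
    """One link of the chain. Real S/Key folds MD4 to 64 bits; assumed stand-in: SHA-256 truncated to 8 bytes."""
    return hashlib.sha256(data).digest()[:8]

def chain(secret: str, seed: str, n: int) -> bytes:
    """Hash seed+secret n times. The server stores the n-th value; a login presents the (n-1)-th."""
    value = (seed + secret).encode()
    for _ in range(n):
        value = otp_hash(value)
    return value

class SKeyServer:
    def __init__(self):
        self.users = {}  # name -> [seed, n, H^n(seed+secret)]; the secret itself is never stored

    def enroll(self, name, secret, seed, n=100):
        self.users[name] = [seed, n, chain(secret, seed, n)]

    def challenge(self, name):
        """The prompt shown to the user: the sequence number to compute and the seed (both public)."""
        seed, n, _ = self.users[name]
        return n - 1, seed

    def verify(self, name, response: bytes) -> bool:
        record = self.users[name]
        if record[1] <= 1:
            return False  # chain exhausted: accepting H^0 would expose the secret, so re-enroll instead
        if not hmac.compare_digest(otp_hash(response), record[2]):
            return False  # hashing the response once must reproduce the stored value
        record[1], record[2] = record[1] - 1, response  # move down the chain; a replay of `response` now fails
        return True

def client_response(secret: str, seq: int, seed: str) -> bytes:
    """What the user's calculator computes from the prompt and the never-transmitted secret."""
    return chain(secret, seed, seq)
```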

SecurID
• Uses two-factor authentication
  – Physical object
  – Piece of knowledge
• Most frequently used one-time password solution with FireWall-1
Slide 35

SecurID Tokens
Slide 36

Axent Pathways Defender
• Uses two-factor authentication and a challenge-response system
Slide 37

Certificate-Based Authentication
• FireWall-1 supports the use of digital certificates to authenticate users
• Organization sets up a public key infrastructure (PKI) that generates keys to users
  – User receives a code (public key) that is generated using the server's private key and uses the public key to send encrypted information to the server
  – Server receives the public key and can decrypt the information using its private key
Slide 38

802.1x Wi-Fi Authentication
• Supports wireless Ethernet connections
• Not supported by FireWall-1
• 802.1x protocol provides for authentication of users on wireless networks
• Wi-Fi uses Extensible Authentication Protocol (EAP)
Slide 39

Wireless Authentication
Slide 40

Chapter Summary
• Overview of authentication and its importance to network security
• How and why firewalls perform authentication services
• Types of authentication performed by firewalls
  – User
  – Client
  – Session
Slide 41

Chapter Summary (continued)
• Generally, users supply:
  – Something they have (such as a smart card), or
  – Something they know (such as a password), or
  – Both
• Latest authentication systems measure or evaluate a physical attribute, such as a fingerprint or voiceprint
Slide 42

Chapter Summary (continued)
• In a centralized authentication system:
  – Firewall works with an authentication server
  – Authentication server handles
    · Username and password maintenance/generation
    · Login requests
    · Auditing
• Examples of centralized authentication systems:
  – Kerberos
  – TACACS+
  – RADIUS
Slide 43

Chapter Summary (continued)
• Passwords
  – Important part of virtually every authentication system
  – Take one of two general forms:
    · Single-word
      – User password compared against database of passwords; access granted if match is made
      – Vulnerable to ability of hackers to determine passwords, to user error, and to bad security habits
    · One-time passwords
      – Generated dynamically each time user attempts to log on to network
      – Secret key used to generate single- or multiple-word password
Slide 44