Guide to Firewalls and VPNs, 3rd Edition, Chapter Three: Authenticating Users (slide transcript)

Slide 2: Overview
– Explain why authentication is a critical aspect of perimeter defense
– Explain why firewalls authenticate and how they identify users
– Describe user, client, and session authentication
– List the advantages and disadvantages of popular centralized authentication systems
– Discuss the potential weaknesses of password security systems

Slide 3: Overview (cont'd.)
– Describe the use of password security tools

Slide 4: Introduction
– Firewall authentication: reliably determining whether persons or entities are who or what they claim to be
– Access controls: how and why firewalls act as access controls when providing authentication services
– Main types of authentication performed by firewalls: client, user, and session authentication

Slide 5: Introduction (cont'd.)
– Centralized authentication methods that firewalls can use: Kerberos, TACACS+, and RADIUS

Slide 6: Access Controls
Four processes:
– Identification: obtaining the claimed identity of the entity requesting access to a logical or physical area (for example, a username)
– Authentication: confirming that the claimed identity is genuine
– Authorization: determining which actions the authenticated entity may perform in that area
– Accountability: recording the activities of authorized individuals and systems so they can be audited

Slide 7: Access Controls (cont'd.)
– Address the admission of users into a trusted area of the organization
– Integrate several key principles:
  – Least privilege: users are given the minimum access, for the shortest time, needed to perform their duties
  – Need to know: limits an individual's access to the information required for their job
  – Separation of duties: requires that more than one individual be responsible for a sensitive asset, process, or task, so that no single person can complete it alone

Slide 8: Access Controls (cont'd.)
Classified by function:
– Preventive: help the organization avoid an incident
– Deterrent: discourage an incident from occurring
– Detective: detect or identify an incident or threat when it occurs
– Corrective: remedy a circumstance or mitigate the damage caused during an incident
– Recovery: restore operating conditions to normal
– Compensating: use alternate controls to make up for shortcomings in other controls

Slide 9: Mandatory Access Control (MAC)
– Combines a data classification scheme with a personnel clearance scheme
– Assigns each collection or type of information a sensitivity level
– Rates each user with a sensitivity level called a clearance
– Lattice-based access control: a variation of MAC in which users are assigned a matrix of authorizations for various areas of access; a user may read an object only when the user's clearance dominates (is at least as high as, and covers every compartment of) the object's label

Slide 10: Data Classification Model
U.S. Department of Defense (DoD) classification scheme:
– Relies on a more complex categorization system than the schemes of most corporations
– Five-level scheme as presented in the textbook:
  – Unclassified data
  – Sensitive But Unclassified (SBU) data (strictly a handling marking rather than a classification level; the DoD has since replaced it with Controlled Unclassified Information, CUI)
  – Confidential data
  – Secret data
  – Top Secret data

Slide 11: WikiLeaks Cables (Link Ch 3d)

Slide 12: Anonymous' FBI Document (may be a forgery) (Link Ch 3e)

Slide 13: Data Classification Model (cont'd.)
– Most organizations do not need this level of detail in classification
– Suggested classifications:
  – Public
  – For Official Use Only
  – Sensitive
  – Classified

Slide 14: Security Clearances
– Each user of an information asset is assigned an authorization level (clearance) that indicates the highest classification of information he or she may access
– Each employee is assigned a titular role (data entry clerk, development programmer, information security analyst, or even CIO), and the clearance follows the role
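The lattice model on slides 9 through 14 is easier to see as code. The following is an added example, not material from the textbook or the slides: it implements the dominance relation between labels (a level plus a set of compartments) and the two Bell-LaPadula rules, "no read up" and "no write down". The level names follow slide 10's DoD scheme minus SBU; the compartment names and the clearances used in the test are constructed.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (slide 10's DoD scheme without SBU, which is a handling marking).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a level plus the compartments (need-to-know categories)
    the subject is cleared for or the object is marked with."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # a dominates b iff level(a) >= level(b) and every compartment of b is held by a.
        # Two labels with the same level but disjoint compartments are incomparable:
        # neither dominates the other, so neither may read the other's data.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the clearance must dominate the object label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object label must dominate the subject's label,
    so a SECRET process cannot copy data into a CONFIDENTIAL file."""
    return obj.dominates(subject)


def least_upper_bound(a: Label, b: Label) -> Label:
    """Join of two labels: the label a document derived from both sources must carry."""
    level = max(a.level, b.level, key=LEVELS.get)
    return Label(level, a.compartments | b.compartments)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))   # constructed clearance
    for obj in (Label("CONFIDENTIAL", frozenset({"CRYPTO"})), Label("TOP SECRET"),
                Label("SECRET", frozenset({"NUCLEAR"}))):
        print(obj, "read:", can_read(analyst, obj), "write:", can_write(analyst, obj))
```

Note that `can_write` allows a blind write upward (a SECRET subject may append to a TOP SECRET object); real systems usually restrict writes to the subject's own level so a process cannot corrupt data it is not allowed to read.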

Slide 15: Nondiscretionary Access Controls
– Determined by a central authority in the organization
– Role-based access controls (RBAC): permissions are tied to roles, and users are assigned roles
– Task-based access controls: permissions are tied to a specified set of tasks

Slide 16: Discretionary Access Controls (DACs)
– Implemented at the discretion of the data owner or user (the textbook says "data user"; the owner of the data is the usual reference point)
– Rule-based access controls: access is granted according to a set of rules; where those rules come from a central authority, as the textbook states, the control is in practice nondiscretionary
– Content-dependent access controls: access depends on the content of the information itself

Slide 17: Discretionary Access Controls (DACs) (cont'd.)
– Constrained user interfaces: systems designed specifically to restrict the information that an individual user can reach (menus, restricted shells, database views)
– Temporal (time-based) isolation: information can be accessed only during certain times of day (for example, business hours)

Slide 18: Centralized vs. Decentralized Access Controls
– A collection of users with access to the same data typically has a centralized access control authority, even under a discretionary access control model
– The choice varies by organization and by the type of information protected

Slide 19: The Authentication Process
– Authentication: the act of confirming the identity of a potential user
– Identity is verified by providing one or more of:
  – Something you know (password, PIN)
  – Something you have (token, smart card)
  – Something you are (biometric)
  – Something you do (behavioral characteristic)

Slide 20: The Authentication Process (cont'd.)
– Strong authentication: the system uses two or more different forms (factors) of confirming the proposed identity; two passwords are still one factor
– Network authentication forms:
  – Local authentication: the most common form; each system keeps its own credential store
  – Centralized authentication service: one server verifies credentials for many systems and, as a side effect, centralizes accounting and audit records

Slide 21: The Authentication Process (cont'd.)
Tokens:
– Synchronous tokens: use the current time (or a shared counter) and a secret to generate an authentication number that is entered during login; token and server must stay in step
– Asynchronous tokens: use a challenge-response system; the server issues a fresh challenge and the token computes the response from it and the secret

Slide 22: Figure 3-1 Access Control (Cengage Learning 2012)

Slide 23: RSA Hacked (Link Ch 3f)

Slide 24: The Authentication Process (cont'd.)
– Biometrics ("something you are"): retinal scans, fingerprints, etc.
– Mainly deployed by large, security-minded organizations because of enrollment cost and false accept/reject tuning

Slide 25: How Firewalls Implement the Authentication Process
– Many organizations depend on firewalls to provide more secure authentication than conventional per-host systems
– The firewall uses authentication to identify individuals and then applies the rules associated with those individuals rather than only with source addresses

Slide 26: How Firewalls Implement the Authentication Process (cont'd.)
General process:
– The client makes a request to access a resource
– The firewall intercepts the request and prompts the user for a name and password
– The user submits the requested information to the firewall
– The user is authenticated
– The request is checked against the firewall's rule base
– If the request matches an existing allow rule, the user is granted access
– The user accesses the desired resources

Slide 27: Figure 3-2 Basic User (Cengage Learning 2012)

Slide 28: Firewall Authentication Methods
– Some firewalls provide a variety of authentication methods, including user, client, and session authentication

Slide 29: User Authentication
– Simplest type of authentication program
– Prompts the user for a username and password; the software checks them against its own list of usernames and passwords
– Authorized users are added to your access control lists (ACLs)
– Credentials are checked on every connection, so it only works for protocols the firewall can proxy: Telnet, HTTP, FTP and rlogin on Check Point firewalls
– See link Ch 3a

Slide 30: Figure 3-3 NetProxy (Cengage Learning 2012)

Slide 31: Client Authentication
– Establishes limits on user access: after one sign-on, the firewall lets the authenticated user reach the desired resources for a specific period of time or a specific number of connections
– The user is identified afterwards by the source address, so a shared or NAT'd address inherits the grant
– Configured as either:
  – Standard sign-on: the user signs on once and may then open any permitted connection
  – Specific sign-on: the user specifies the services and hosts to be used at sign-on
– Allows any protocol for the specified time (Check Point firewalls)

Slide 32: Figure 3-4 Example of Time-Limited (Cengage Learning 2012)

Slide 33: Session Authentication
– Requires authentication whenever a client system attempts to connect to a network resource and establish a session, for any service
– Requires session agent software to be installed on each client; the firewall asks the agent for credentials when a new session is opened (Check Point firewalls)
– Some advanced firewalls offer all three authentication methods
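The procedure on slide 26 and the three methods on slides 29 through 33 differ mainly in when credentials are checked and what the grant is tied to. The following is an added example, not vendor code and not from the textbook: a small model of a firewall that authenticates against a salted-hash credential store and then consults an ordered, default-deny rule base. User authentication checks credentials per connection but only for proxied services; client authentication trusts the source address for a time limit and connection count; session authentication asks a client-side agent on every new session. All names, the rule format and the sample users are constructed.

```python
import hashlib
import hmac
import os

PROXIED = {"telnet", "http", "ftp", "rlogin"}   # services a user-auth security server can intercept


def make_user_record(password: str, salt: bytes = None):
    """Credential store entry: (salt, SHA-256(salt || password)). Constructed for the example."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).digest()


class AuthFirewall:
    """Toy model of the three modes on slides 29-33; not Check Point code."""

    def __init__(self, users, rules):
        self.users = users            # name -> (salt, digest)
        self.rules = rules            # ordered list of {"user", "service", "action"}; first match wins
        self.client_grants = {}       # src_ip -> [user, expires_at, uses_left]
        self.sessions = {}            # (src_ip, dst, service) -> (user, opened_at)

    def _credentials_ok(self, name, password):
        record = self.users.get(name)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)

    def _rule_allows(self, user, service):
        for rule in self.rules:
            if rule["user"] in (user, "*") and rule["service"] in (service, "*"):
                return rule["action"] == "allow"
        return False                  # default deny when nothing matches

    # User authentication: credentials on every connection, but only for services the
    # firewall can proxy (Telnet, HTTP, FTP, rlogin on Check Point).
    def user_auth(self, name, password, service):
        if service not in PROXIED:
            return False
        return self._credentials_ok(name, password) and self._rule_allows(name, service)

    # Client authentication: one sign-on from an address; afterwards any protocol from that
    # address is attributed to the user until the time limit or connection count runs out.
    def client_signon(self, src_ip, name, password, now, ttl=3600, max_uses=10):
        if not self._credentials_ok(name, password):
            return False
        self.client_grants[src_ip] = [name, now + ttl, max_uses]
        return True

    def client_connect(self, src_ip, service, now):
        grant = self.client_grants.get(src_ip)
        if grant is None or now >= grant[1] or grant[2] <= 0:
            self.client_grants.pop(src_ip, None)       # expired or exhausted: must sign on again
            return False
        grant[2] -= 1                                  # every attempt, allowed or not, consumes a use
        return self._rule_allows(grant[0], service)

    # Session authentication: the session agent on the client is asked for credentials each
    # time a new session is opened, for any service, without trusting the source address.
    def session_connect(self, src_ip, dst, service, agent, now):
        name, password = agent()      # agent prompts the user (or answers from its cache)
        if not self._credentials_ok(name, password) or not self._rule_allows(name, service):
            return False
        self.sessions[(src_ip, dst, service)] = (name, now)
        return True
```

The address-based grant in `client_connect` is the weak point of client authentication: whoever shares the address (a NAT gateway, a multi-user host) rides on the sign-on until it expires, which is why session authentication exists despite needing an agent on every client.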

Slide 34: Table 3-1 Authentication Methods

Slide 35: Centralized Authentication
– Removes the need to give each server on the network its own database of usernames and passwords
– Substantial downside: the authentication server becomes a single point of failure, and a single high-value target

Slide 36: Figure 3-5 Centralized (Cengage Learning 2012)

Slide 37: Centralized Authentication (cont'd.)
Different authentication methods:
– Kerberos
– TACACS+
– RADIUS

Slide 38: Kerberos
– Developed at the Massachusetts Institute of Technology (MIT)
– Provides authentication and encryption on standard clients and servers; both client and server place their trust in the Kerberos server (the Key Distribution Center)
– Used for domain logon by Windows Active Directory
– Never sends or stores passwords in cleartext (serious error in the textbook on page 79!)
– See links Ch 3b, Ch 3c

Slide 39: Figure 3-6 Kerberos (Cengage Learning 2012)

Slide 40: Kerberos (cont'd.)
Advantages of using Kerberos:
– Passwords are never sent over the network; only keys derived from them are stored on the KDC
– An eavesdropper cannot capture a password from the exchange (ticket material is still derived from the password, so a weak password remains guessable offline from captured replies)
– Tickets carry a time limit
– Widely used in the UNIX environment
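To make slides 38 through 40 concrete, here is an added example of the Kerberos ticket flow, written for this page and not taken from the textbook or from any Kerberos implementation. It is a toy: the realm, principal names and lifetimes are constructed, there is no pre-authentication, and `seal`/`unseal` use a SHA-256 keystream with an HMAC tag as a stand-in for the AES encryption types real Kerberos uses. What it does preserve is the structure: the password never leaves the client, the AS-REP can be opened only with the password-derived key, the TGT is opaque to the client, authenticators are timestamped, and the application server verifies the AP-REQ without contacting the KDC.

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock skew tolerated on authenticators


# --- toy authenticated encryption (stand-in for Kerberos AES profiles; NOT real Kerberos crypto) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under `key`."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key derived from the password; real Kerberos salts with realm + principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) over one principal database."""

    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}      # TGS key: TGTs are opaque to clients

    def add_user(self, name, password):
        self.keys[name] = string_to_key(password, "EXAMPLE.COM" + name)   # password itself not kept

    def add_service(self, name):
        self.keys[name] = os.urandom(32)

    def as_exchange(self, client, now, lifetime=8 * 3600):
        """AS-REP: TGS session key plus a TGT, sealed under the client's long-term key.
        Without pre-authentication anyone can request this and guess the password offline."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "exp": now + lifetime})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex, authenticator_hex, service, now):
        """TGS-REP: check TGT and authenticator, then issue a service ticket and session key."""
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        sk = bytes.fromhex(tgt["key"])
        auth = unseal(sk, bytes.fromhex(authenticator_hex))     # proves the client holds sk
        if now > tgt["exp"] or auth["client"] != tgt["client"] or abs(auth["ts"] - now) > SKEW:
            raise ValueError("expired TGT, wrong principal, or stale authenticator")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": ssk.hex(), "exp": tgt["exp"]})
        return seal(sk, {"key": ssk.hex(), "ticket": ticket.hex()})


def client_login(kdc, client, password, service, now):
    """Client side: AS exchange, TGS exchange, then the AP-REQ (service ticket + authenticator)."""
    k = string_to_key(password, "EXAMPLE.COM" + client)
    rep = unseal(k, kdc.as_exchange(client, now))             # wrong password fails here
    sk = bytes.fromhex(rep["key"])
    authenticator = seal(sk, {"client": client, "ts": now}).hex()
    tgs_rep = unseal(sk, kdc.tgs_exchange(rep["tgt"], authenticator, service, now))
    ssk = bytes.fromhex(tgs_rep["key"])
    return tgs_rep["ticket"], seal(ssk, {"client": client, "ts": now}).hex()


def service_accept(service_key, ticket_hex, authenticator_hex, now):
    """Application server: validates the AP-REQ locally; no round trip to the KDC."""
    t = unseal(service_key, bytes.fromhex(ticket_hex))
    a = unseal(bytes.fromhex(t["key"]), bytes.fromhex(authenticator_hex))
    ok = now <= t["exp"] and a["client"] == t["client"] and abs(a["ts"] - now) <= SKEW
    return t["client"] if ok else None
```

The timestamp check in `service_accept` is what limits replay of a captured AP-REQ to the skew window; real servers additionally cache recent authenticators within that window.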

Slide 41: TACACS+
– Terminal Access Controller Access Control System Plus (TACACS+)
– Latest and strongest version of a set of authentication protocols developed by Cisco Systems (TACACS, XTACACS, TACACS+)
– Provides the AAA services: authentication, authorization, accounting
– Obfuscates the entire packet body by XORing it with a pad derived from MD5 of the session ID and a shared secret; MD5 is used as a keystream generator here, not as a password hash, so the protection is only as good as the secret

Slide 42: RADIUS
– Remote Authentication Dial-In User Service (RADIUS)
– Does not transmit cleartext passwords: the User-Password attribute is XORed with MD5(shared secret + Request Authenticator); other attributes travel in the clear
– Stores passwords in recoverable form on the server: the server unhides User-Password to cleartext, and CHAP/MS-CHAP require it to hold the cleartext (or reversibly encrypted) password to verify the response

Slide 43: TACACS+ and RADIUS Compared
– Strength of security: see Table 3-2
– Filtering characteristics:
  – TACACS+ uses TCP port 49
  – RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting); older deployments use 1645 and 1646
  – See Table 3-3
– Proxy characteristics:
  – RADIUS doesn't work with generic proxy systems
  – A RADIUS server can itself function as a proxy, forwarding requests to another RADIUS server by realm

Slide 44: TACACS+ and RADIUS Compared (cont'd.)
NAT characteristics:
– RADIUS doesn't work well behind Network Address Translation (NAT): the server identifies each client by source IP address and a per-client shared secret, so a rewritten source address fails the lookup
– TACACS+ should work with NAT systems
– Static IP address mappings work best for both
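Slides 41 through 44 compare how the two protocols protect credentials on the wire. The code below is an added example, not from the textbook or from any RADIUS or TACACS+ implementation: it implements the RFC 2865 User-Password hiding (and its inverse, which is exactly what the server does, so the server ends up with cleartext), the RFC 8907 TACACS+ body obfuscation, and an offline guess of a RADIUS shared secret from a captured Access-Request whose password the attacker already knows. The secrets, session ID and packet bytes are constructed.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block chains to the 16-byte
    Request Authenticator from the packet header."""
    if not (1 <= len(password) <= 128) or len(request_authenticator) != 16:
        raise ValueError("password must be 1-128 bytes; Request Authenticator is 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse, as the RADIUS server computes it: the result is the cleartext password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")      # strips padding (and any trailing NULs in the password itself)


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: the whole body is XORed with a pad built from chained
    MD5(session_id || key || version || seq_no || previous MD5). XOR is its own inverse,
    so the same call de-obfuscates. Only the 12-byte header travels in the clear."""
    prefix = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < len(body):
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return bytes(b ^ p for b, p in zip(body, pad))


def recover_radius_secret(hidden: bytes, request_authenticator: bytes,
                          known_password: bytes, candidate_secrets):
    """Why the shared secret is the whole game: with a captured Access-Request for an
    account whose password is known (the attacker's own), candidate secrets are testable
    offline at MD5 speed. Returns the matching secret or None."""
    for candidate in candidate_secrets:
        if radius_reveal_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None
```

Both schemes key a fast, unsalted MD5 construction with a long-lived static secret, which is the substance of the "strength of security" comparison in Table 3-2: TACACS+ hides more of the packet, but neither protocol survives a weak shared secret, and both are normally run inside a management network or over IPsec/TLS for that reason.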

Slide 45: Table 3-2 Security Characteristics of TACACS+ and RADIUS

Slide 46: Table 3-3 Filtering Rules for TACACS+ and RADIUS

Slide 47: Password Security Issues
– Many authentication systems depend in part or entirely on passwords
– The textbook considers a password alone adequate only for controlling outbound Internet access
– Inbound access attempts are exposed to password guessing and eavesdropping, so they need stronger (multi-factor or one-time) authentication

Slide 48: Preventing Passwords from Being Cracked
– Avoid vulnerabilities by ensuring that the network's authorized users protect their passwords effectively and observe some simple security habits

Slide 49: The Shadow Password System
– Historically, Linux and UNIX stored password hashes in /etc/passwd, computed with a one-way hash function but readable by every user on the system
– Shadow password system: a feature of Linux and most UNIX systems that moves the hashes into /etc/shadow
  – /etc/passwd keeps an "x" in the password field; /etc/shadow is readable only by root
  – Passwords are stored only after being salted and hashed with a crypt(3) algorithm (for example $6$ SHA-512-crypt or $y$ yescrypt); a world-readable hash is what makes offline cracking possible
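A practitioner usually meets this slide as an audit question: are any hashes still in /etc/passwd, are any accounts passwordless, and are the hashes modern and salted? The following is an added example, not from the textbook: it parses the two files, classifies each crypt(3)-style field, and reports the findings a hardening checklist looks for. The two files embedded below are constructed samples, not from any real host; the hash strings are random-looking filler of the right shape, not valid digests.

```python
# Constructed sample files (not from any real host). Field layout:
# /etc/passwd: name:password:uid:gid:gecos:home:shell
# /etc/shadow: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$abcdefgh$0Z1q3Y8pV2Kx7tRn6WcJe/:1001:1001::/home/legacy:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
erin:x:1004:1004::/home/erin:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$u4Dk0bP4UYJw2gm7QLtOaBm9Jz4p4Ej5P9rHwRDr6O1kKqnH7fTVsnQ9xYfU1uvKXqp1Um4XjmC3kM4aQd0:19700:0:99999:7:::
alice:$y$j9T$F5Jx5fExrKuPp53xLKwKG1$X3DSTnGE3R7o.XY2x9Y1y3gL6u7kfWFS9mvCWzbmCK4:19700:0:99999:7:::
bob::19700:0:99999:7:::
dave:$1$abcdefgh$0Z1q3Y8pV2Kx7tRn6WcJe/:19700:0:99999:7:::
erin:$6$saltsalt$9vQw1eRtYuIoPaSdFgHjKlZxCvBnMqWeRtYuIoPaSdFgHjKlZxCvBnMqWeRtYuIoPaSdFgHjKlZxCvBn1:19700:0:99999:7:::
frank:!$6$lockedsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv:19700:0:99999:7:::
"""

ALGORITHMS = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt", "$7$": "scrypt",
              "$2b$": "bcrypt", "$2y$": "bcrypt", "$1$": "md5crypt"}
WEAK = {"md5crypt", "descrypt"}     # fast, unsalted-enough, or tiny keyspace: replace on next login


def parse_colon_file(text):
    """name -> list of fields, skipping blank lines and comments."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def classify_hash(field):
    """Return (status, algorithm, salt) for a crypt(3)-style password field."""
    if field == "":
        return ("empty", None, None)
    if field.startswith(("!", "*")):
        return ("locked", None, None)           # login with a password disabled
    for prefix, name in ALGORITHMS.items():
        if field.startswith(prefix):
            parts = field.split("$")
            return ("active", name, parts[-2])  # salt is the field just before the digest
    if len(field) == 13 and "$" not in field:
        return ("active", "descrypt", field[:2])   # traditional DES crypt: 2-char salt, 8-char limit
    return ("active", "unknown", None)


def audit(passwd_text, shadow_text):
    """Findings as sorted (user, issue) pairs."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings, salts = [], {}
    for user, f in passwd.items():
        if f[1] != "x":
            findings.append((user, "hash stored in world-readable /etc/passwd"))
        elif user not in shadow:
            findings.append((user, "no /etc/shadow entry"))
    for user, f in shadow.items():
        if user not in passwd:
            findings.append((user, "shadow entry with no passwd entry"))
        status, algo, salt = classify_hash(f[1])
        if status == "empty":
            findings.append((user, "empty password"))
        elif status == "active":
            if algo in WEAK or algo == "unknown":
                findings.append((user, f"weak or unrecognised hash: {algo}"))
            if salt is not None:
                salts.setdefault(salt, []).append(user)
    for salt, users in salts.items():       # identical salts let one cracking run cover several accounts
        if len(users) > 1:
            findings.append((",".join(sorted(users)), f"salt reuse ({salt})"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```

On a live system read the real files as root (`/etc/shadow` is mode 0640 or stricter) and pass their contents to `audit`; a locked account (`!` or `*`) is reported only if something else is wrong with it, since locking is the intended state for service accounts.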

Slide 50: One-Time Password Software
Two types of one-time passwords are available:
– Challenge-response passwords: the authenticating computer or firewall generates a random number (the challenge) and sends it to the user, who combines it with a secret PIN or password to produce the response; each challenge is used once
– Password-list passwords: the user enters a seed phrase, and the password system generates a list of passwords to be used in order, each exactly once (the S/KEY scheme)
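The password-list type is the S/KEY hash-chain idea, and it is worth seeing why the server needs to keep only one value. The code below is an added example, not from the textbook or from any S/KEY implementation: the list is a chain of hashes used in reverse, the server stores only the most recently accepted value and a counter, and a replayed or out-of-order password fails. SHA-256 stands in for the folded MD4 of historical S/KEY; the seed and passphrase in the test are constructed. (The challenge-response type is covered by the token example after slide 21.)

```python
import hashlib
import hmac


def hash_chain(seed: str, passphrase: str, n: int) -> bytes:
    """h^n(seed || passphrase). S/KEY proper uses MD4 folded to 64 bits; SHA-256 here."""
    x = hashlib.sha256((seed + passphrase).encode()).digest()
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


def otp_list(seed: str, passphrase: str, n: int):
    """The printed list: h^(n-1), h^(n-2), ..., h^1, used top to bottom. Knowing an
    entry reveals only the ones above it (already spent), never the ones below."""
    return [hash_chain(seed, passphrase, i) for i in range(n - 1, 0, -1)]


class SkeyVerifier:
    """Server state: the seed, a counter, and the most recently accepted value only."""

    def __init__(self, seed: str, passphrase: str, n: int = 100):
        self.seed, self.n = seed, n
        self.last = hash_chain(seed, passphrase, n)   # passphrase is not retained anywhere

    def verify(self, otp: bytes) -> bool:
        if self.n <= 1:
            return False                                # list exhausted: re-initialise with a new seed
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            self.last, self.n = otp, self.n - 1         # advance; replaying `otp` now fails
            return True
        return False


def next_otp(seed: str, passphrase: str, server_n: int) -> bytes:
    """Client side: when prompted with (seed, n), recompute h^(n-1) from the passphrase."""
    return hash_chain(seed, passphrase, server_n - 1)
```

Because the server never learns the passphrase and each value is accepted once, a compromised server database or a sniffed login yields nothing reusable; what the scheme does not protect against is an attacker who captures a password in transit and uses it before the legitimate user's session completes, which is why the transport still matters.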

Slide 51: Other Authentication Systems
– Most firewalls make use of one or more well-known systems: RADIUS and TACACS+
– Other systems for authentication:
  – Certificate-based
  – 802.1X Wi-Fi

Slide 52: Certificate-Based Authentication
– Uses digital certificates to authenticate users
– Requires a Public-Key Infrastructure (PKI): a Certificate Authority (CA) that issues and revokes certificates
– Each user holds a key pair; the public key is bound to the user's identity in a certificate signed with the CA's private key (the textbook's description of the user receiving a public key generated from the server's private key is incorrect)
– To authenticate, the user proves possession of the private key (for example, by signing a server-supplied challenge); the server verifies the signature with the public key in the certificate and the certificate with the CA's public key

Slide 53: 802.1X Wi-Fi Authentication
– Provides port-based authentication of users on wireless (and wired) networks
– Can use many authentication methods, including smart card, digital certificate, or hashed passwords
  – Error on page 84: other methods besides smart card and certificate are possible
  – Link Ch 3g
– Wi-Fi uses the Extensible Authentication Protocol (EAP): the access point forwards EAP messages between the client (supplicant) and an authentication server, typically RADIUS, so the method can be changed without changing the access point, and the user can be authenticated against other kinds of network operating systems

Slide 54: Figure 3-7 Wireless (Cengage Learning 2012)