AAA on Cisco Devices for Information Security Professionals: A Roadmap for Authentication, Authorization and Accounting
Security professionals come from many sectors of Information Technology and Business. The diversity of talent on any Security team provides an interesting atmosphere and a breadth of knowledge that is not often found in the current IT environment of increasing specialization. Network equipment poses a unique challenge to security experts since its functions and features have developed differently from other technologies. This presentation attempts to relate the network features of AAA (authentication, authorization and accounting) to well-known security principles.
Cisco devices have multiple options for access and authentication. They can authenticate locally, use an external source, or be configured to do both. The default is to use local authentication. Configuring “aaa new-model” allows the device to specify a method list for authentication. This method list is exactly that – a list of authentication methods. Devices are normally configured to use a remote server for authentication (RADIUS or TACACS+) and local authentication is listed last. This does not mean that a user can authenticate to either method. The first method listed will be used unless it is unavailable.
Method List Logic

For a method list that specifies a remote server and then local authentication:

- Remote server is reachable: authentication by the remote server
- Remote server is not reachable: authentication via the local database

As long as the remote server is reachable, all authentication will go to the remote server. If authentication fails, access is denied. If the username doesn’t exist, access is denied. [It does not go to the next method (or server) on authentication failure.] Once the remote server becomes unreachable, the locally configured (on the device) username and password becomes the only authentication method until the remote server is available again.
A method list is not the only way to configure multiple authentication sources. If the method list specifies tacacs+ and then local authentication, and multiple tacacs+ servers are configured, authentication will occur using the first available server. In the example configuration below, with two servers listed:

    tacacs-server host
    tacacs-server host

The device will always use the first listed server to authenticate. It will authenticate against the second server only after it attempts to reach the first server and gets no response (times out). And it will not use local authentication until every configured server times out.
That was a lot of detailed information about method lists on Cisco devices. Why would anyone in Security need to know this?

A. Logging

Depending on the method and server performing the authentication, the location of the log entry recording this access may be found in any one of a number of places. Simply requesting the syslog entries as configured on the device itself may not show user access attempts. In addition, the authenticating server could be configured to log locally or send the logs to its configured syslog server. So when attempting to validate that user access attempts are logged, first determine where authentication is occurring. Then determine where the authentication server is sending its log entries. Those are the ones you want to request.
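The method-list behaviour described on the preceding slides (first reachable server answers; a failed login never falls through; local authentication only once every server has timed out) and the logging question above can be checked with a small simulation. This is an added example, not material from the presentation; the IOS lines, addresses, usernames and passwords are constructed, and the parser handles only the few commands the simulation needs.

```python
# Added example, not from the presentation. Simulates Cisco method-list
# fallback; config values below are constructed (legacy tacacs-server syntax).
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
username admin secret LocalOnlyPw
"""

def parse_config(text):
    """Pull the pieces of an IOS config this simulation needs."""
    dev = {"methods": [], "servers": [], "local_users": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:4] == ["aaa", "authentication", "login", "default"]:
            rest = w[4:]
            while rest:                   # "group tacacs+" is one method, "local" another
                n = 2 if rest[0] == "group" else 1
                dev["methods"].append(" ".join(rest[:n]))
                rest = rest[n:]
        elif w[:2] == ["tacacs-server", "host"]:
            dev["servers"].append(w[2])   # order matters: first host is tried first
        elif w[:1] == ["username"]:       # username NAME secret PASSWORD
            dev["local_users"][w[1]] = w[3]
    return dev

def authenticate(dev, user, password, reachable, remote_users):
    """Return (decision, source); source is the system that decided, i.e. where
    the log entry for this attempt will be found."""
    for method in dev["methods"]:
        if method == "group tacacs+":
            for server in dev["servers"]:
                if server not in reachable:
                    continue              # timeout: try the next configured server
                ok = remote_users.get(user) == password
                return ("permit" if ok else "deny", server)   # any reply ends the list
            # every server timed out: only now fall through to the next method
        elif method == "local":
            ok = dev["local_users"].get(user) == password    # unknown user -> deny
            return ("permit" if ok else "deny", "local")
    return ("deny", "no method answered")

if __name__ == "__main__":
    dev = parse_config(SAMPLE_CONFIG)
    remote = {"alice": "TacacsPw"}                           # constructed TACACS+ user
    print(authenticate(dev, "alice", "TacacsPw", {"192.0.2.10"}, remote))    # first server
    print(authenticate(dev, "admin", "LocalOnlyPw", {"192.0.2.10"}, remote)) # no fallback on deny
    print(authenticate(dev, "alice", "TacacsPw", {"192.0.2.11"}, remote))    # first timed out
    print(authenticate(dev, "admin", "LocalOnlyPw", set(), remote))          # all down: local
```

The second call is the case reviewers most often get wrong: a locally valid account is still denied while any TACACS+ server answers, and the record of that denial lives on the server, not in the device syslog.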
RADIUS and TACACS+ Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized AAA management for users who connect and use a network service. Terminal Access Controller Access Control System Plus (TACACS+) is also a protocol that handles AAA services. The primary functional difference between the two is that RADIUS combines Authentication and Authorization and TACACS+ separates those functions. What that means in practical terms is that RADIUS doesn’t log the commands used by an administrator. It will only log start, stop and interim records. TACACS+ can perform per-command authorization and accounting. TACACS+ can also provide more granular control over who can run which commands on specified devices. Traditionally RADIUS is used for dial-in access and TACACS+ is used for device administration.
The chart below gives the basic differences between the two protocols. Depending on your network environment, one may be “better” than the other. The commonly used Cisco Access Control Server (ACS) provides the capability to use either one.
At first glance and in many circumstances, TACACS+ would be the better choice for device management. However, early versions of Cisco’s Identity Services Engine (ISE) only supported RADIUS and did not have support for TACACS+. [Newer versions now have TACACS+ support.] Cisco’s ISE combined with RADIUS can provide dynamic control of network access and provide advanced security functions such as TrustSec, 802.1X, network identity awareness, BYOD onboarding, network and device context awareness and system-wide visibility into who, where and what is on a network. The point here is to show that it’s not the protocol that’s important, but the way it is implemented that matters the most.
User Accounts

An important item commonly reviewed by Security is user accounts. With the complexity of the possible AAA configurations on network devices, the review of user accounts may include multiple systems. The username configured on the device is only for local authentication. If a method list is configured, the user accounts for those methods are all potential access accounts. Similar to logging, the configuration needs to be reviewed to determine the location of the user accounts. Devices commonly point to an ACS server (configured as a RADIUS or TACACS+ server). The ACS server can use either local accounts or authenticate against Active Directory or LDAP. If you are reviewing items such as password complexity, shared accounts, password history and account lockout, the accounts in multiple systems may need to be reviewed. These systems may be under the administrative control of other teams and require coordination with those teams for a full review of the device’s access, monitoring and logging.
Thank you for viewing this presentation and hopefully you have gained an appreciation for the complexities of reviewing network device security. So long and thanks for all the fish!