Presentation is loading. Please wait.

Presentation is loading. Please wait.

T Computer Networks II AAA

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "T Computer Networks II AAA"— Presentation transcript:

1 T-110.5110 Computer Networks II AAA 2.11.2009
Prof. Sasu Tarkoma

2 Contents Introduction Security basics PAP, CHAP, EAP Radius Diameter
Examples

3 AAA AAA Authentication, Authorization, Accounting
RFC 2903 (Generic AAA Architecture) RFC 2904 (AAA Authorization Framework) AAAA AAA and Auditing Accounting and billing Accounting is gathering information for billing, balancing, or other purposes Billing is a process to generate a bill for customers based on gathered information

4 Motivation for AAA Service organizations to host multiple organizations requiring dial-in facilities User organizations to outsourcing their dial-in service to one or more 3rd parties Agreements can be implemented using a standards based protocol (RADIUS) RADIUS allows User organizations or Agents to migrate to other Service Providers. An agent, using proxy AAA to change its service without affecting the agreement with its customers A service organization to have ultimate authority over its users

5 Scenarios: Remote Dial-In
AAA Server User Network Access Server (NAS)

6 Scenarios: Mobile Dial-In
Home ISP Visited ISP AAA Server AAA Server User Network Access Server (NAS)

7 Scenarios: IP-Telephony
AAA brokers Home domain Called domain Visited domain CHx AAA server AAA server AAA server CHy SIP Phone SIP Proxy SIP Proxy SIP Proxy SIP Phone

8 ISP A AAA AAA AAA ISP B AAA USER SERVICE ORGANIZATIONS
NETWORK ACCESS SERVERS AAA USER HOME ORGANIZATIONS User RADIUS RADIUS AAA Internet AAA ISP B User NETWORK ACCESS SERVERS RADIUS AAA User RADIUS Internet

9 Generic AAA Architecture (RFC2903)
Policy Decision Point The point where policy decisions are made. Policy Repository Request Decision Policy Enforcement Point The point where the policy decisions are actually enforced. GOAL: Allow policy decisions to be made by multiple PDP’s belonging to different administrative domains.

10 AAA Authorization Framework
Push sequence Tokens, Tickets, AC’s etc. Pull sequence NAS (remote access) RSVP (network QoS) Agent sequence Agents, Brokers, Proxy’s. Service AAA User 1 2 3 4 Service AAA User 1 2 3 4 Service AAA User 1 2 3 4

11 AAAA Authentication Are you who you say you are? Authorization
Are you allowed to do what you want to do? Accounting Keeping track of who is using how much of each resource Auditing/Accountability

12 Authentication Many authentication methods can be used IP address
Easily forged May change Does not really identify a single end-host User ID and password Requires additional security measures to make it work One-time pads support strong security

13 Authentication II Challenge-response
Require proof of password, ownership, computational capability, perception, .. Shared secret Symmetric key in cryptography Never sent over the network Requires a way to derive keys Key negotiation protocols Diffie-Hellman Asymmeric keying / public key cryptography Can identify individuals Encryption and signature Hard to break without knowledge of the private key

14 Authentication III Strong
Token cards / soft tokens using one time pads Secret key (one time pads) Authentication Aging username / password Static username / password No username or password Weak Low High Ease of use

15 Need to know the message, digest, and algorithm (f.e. SHA1)
Digital Signatures Need to know the message, digest, and algorithm (f.e. SHA1) Message Digest Message SIGN VERIFY Signature Pass/Fail Private key Public key Asymmetric Key Pair

16 Encryption Encrypt Decrypt Public key Private key Asymmetric Key Pair

17 HTTPS, S/MIME, PGP,WS-Security, Radius, Diameter, SAML 2.0 ..
Application Application Transport Transport TSL, SSH, .. HIP Network Network IPsec Link PAP, CHAP, WEP, .. Link Physical Physical

18 Attacks against authentication
Eavesdropping passwords and credentials Password guessing / brute force (sniffing) Replaying credentials Man-in-the-Middle (MiTM) Opportunistic protocols are prone Solved using mutual authentication Authenticated diffie-hellman Time synchronization based attacks (if timestamps are used) Resource exhaustion Any exhaustion attack on resources Signature checking, token creation Entropy attacks

19 Authorization After a user has been authenticated, authorization is used to grant privileges for performing certain actions Mapping from user identity and system state to authorized actions is needed Many techniques Physical presence Token-based authorization PKI-based authorization Current systems rely on assertions SAML 2.0

20 Authentication during initial connection attempt
PAP and CHAP Password Authentication Protocol (PAP) Originally described in RFC 1334 for use with the Point-to- Point Protocol (PPP) Username/passphrase challenge-response protocol Authenticator sends a challenge to the client, and the response is validated by the authenticator Authentication during initial connection attempt CHAP is detailed in RFC 1334 as a more secure alternative to PAP Challenge Handshake Authentication Protocol Periodic challenges during a session Protection against replay attacks Usernames as clear, passwords as hash values Microsoft CHAP version 2 Mutual authentication by piggybacking a second set of authentication handshakes over the original CHAP packets

21 CHAP 3-way handhake User Server Link layer connectivity
Challenge (random bitstring) Hash(password,challenge) Ack

22 EAP Extensible Authentication Protocol (EAP) is defined in RFC 3748
Set of guidelines authentication message formats Universal authentication framework EAP Transport Layer security (EAP-TLS) Client-side certificates Strong authentication methods through the use of PKI Peers exchange certificates and use public key crypto to share keying material EAP Tunneled Transport Layer Security (EAP-TTLS) Extends EAP-TLS EAP-TTLS provides mutual authentication Server authenticated using certificate Client is authenticated over secure tunnel

23 EAP EAP parties: EAP peer, EAP server/AAA server, authenticator
Basic scenarios Peer and authenticator speak some other protocol, authenticator and AAA server speak AAA protocol This is basic AAA usage (prior to EAP) Peer and authenticator speak EAP; authenticator and EAP server/AAA server speak EAP over AAA This is the basic EAP/AAA scenario (e.g i) Peer and authenticator speak some other protocol, but use keys derived from a previous EAP conversation between the same EAP peer and EAP server This is a new application not yet defined.

24 PEAP Protected Extensible Authentication Protocol (PEAP)
Similar to EAP-TTLS Strong mutual authentication Inner authentication protocol must be EAP variant PEAP is supported by Microsoft and Cisco systems

25 WPA2 / i The original WLAN security standard based on WEP had security flaws that made implementations vulnerable to weak key attacks. 802.11i provides frame level encryption, authentication, and integrity protections for WLAN traffic. It also provides mutual authentication mechanisms based on the 802.1x protocol and Pre-Shared Key (PSK) methods. WLAN products that are tested and certified as being compliant with the i standard are known as “WPA2 compliant”.

26 IEEE 802.1X IEEE standard for port-based Network Access Control
Authentication to devices attached to a LAN port Based on EAP Used in closed wireless access points Client-only authentication or mutual authentication with EAP-TLS/EAP-TTLS Blocking on data link layer, EAP traffic goes through (EAP-request, ..)

27 802.1X Security Source:

28 Six Security Design Principles
Securing WLANs using i %20Rec%20Practice.pdf Apply a Defense-in-Depth approach. Separate and segment the WLAN from the wired LAN. Require mutually authenticated access to the WLAN for all users and devices. Protect WLAN traffic by implementing strong security at the Layer-2 level. Restrict traffic between the WLAN and the wired network Monitor the WLAN to detect intrusion attempts.

29 Sixteen Security Recommended Practices 1/3
1) Recommendation: Create a WLAN security policy. 2) Recommendation: Do not rely on default security configurations of WLAN access points and adapters. 3) Recommendation: Employ MAC address filtering on the access points. 4) Recommendation: Disable SSID beacon transmissions. 5) Recommendation: Use non-suggestive SSID naming conventions. 6) Recommendation: Utilize i security, not WEP, for Layer-2 security.

30 Sixteen Security Recommended Practices 2/3
7) Recommendation: Unless absolutely needed, disable direct station-to-station “Ad Hoc Mode” transmission. 8) Recommendation: Unless absolutely needed, disable station-to-station communication through the access point. 9) Recommendation: Protect the WLAN end-points and stations (especially in mobile applications) through technical and administrative hardening methods. 10) Recommendation: Employ static IP addressing of devices on the WLAN instead of dynamic assignment if possible when IP is the next higher-layer network protocol.

31 Sixteen Security Recommended Practices 3/3
11) Recommendation: Use static ARP entries on WLAN stations and access points. 12) Recommendation: Limit RF power transmission to minimum required levels. 13) Recommendation: Use directional antennas if possible. 14) Recommendation: Deploy or leverage existing wireless intrusion detection capability. 15) Recommendation: If the IP protocol is used as the network layer protocol, employ a private IP addressing scheme. 16) Recommendation: Ensure that ARP broadcasts from the wired network do not propagate to the WLAN.

32 RADIUS

33 Radius Remote Authentication Dial In User Service (RADIUS) is defined in RFC 2865 Designed to authenticate dial-in-access customers Used for dial-in lines and 3G networks Idea to have a centralized user database for passwords and other user information Cost efficient Easy to configure Radius is used together with an authentication protocol such as PAP or CHAP

34 Radius A client-server protocol
Network Access Server (NAS) is the client Radius Server is a server Security based on previously shared secret More than one server can serve a single client A server can act as a proxy Based on UDP on efficiency reasons No keep-alive signaling

35 Parameters for NAS The specific IP address to be assigned to the user
The address pool from which the user's IP should be chosen The maximum length that the user may remain connected An access list, priority queue or other restrictions on a user's access Layer 2 Tunneling Protocol (L2TP) parameters (for VPNs.. )

36 Accounting NAS can use RADIUS accounting packets to notify the RADIUS server of events such as The user's session start The user's session end Total packets transferred during the session Volume of data transferred during the session Reason for session ending

37 RADIUS Radius server Client POTS NAS IP Network Radius Server

38 Radius and CHAP User NAS Radius server Link layer connectivity
Challenge (random bitstring) Hash(password,challenge) Hash(password,challenge) Ack Ack

39 Steps CHAP authentication challenge to the user
User responds with a password using a one-way hash function NAS wraps the challenge and response in a RADIUS access-request RADIUS searches the password corresponding to the user ID and computes hash values corresponding to the password and the challenge If a hash value matches the user response, the RADIUS server returns an access-accept message to the NAS NAs sends a successful CHAP ack to the user

40 Radius Signals The RFC defines the following signals: 1 Access-Request
2 Access-Accept 3 Access-Reject 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge 12 Status-Server 13 Status-Client 255 Reserved

41 Radius Limitations Scalability
No explicit support for agents, proxies, .. Manual configuration of shared secrets Reliability UDP not reliable, accounting info may be lost Does not define failover mechanisms Implementation specific Mobility support Security Applied usually in trusted network segments or VPNs Application layer authentication and integrity only for use with Response packets No per packet confidentiality Diameter addresses some of the security issues

42 DIAMETER

43 Diameter A network protocol for providing AAA services to roaming users Replacement for RADIUS, Kerberos, TACACS+ Open base protocol provides transport, message delivery, and error handling services Diameter Base Protocol is defined in RFC 3588 Defines the following facilities Delivery of AVPs (attribute value pairs) Capabilities negotiation Error notification Extensibility through additional new commands and AVPs Basic services necessary for applications Handling of user sessions, Accounting, ..

44 Diameter Uses TCP and SCTP for communications
Can be secured using IPSEC and TLS End-to-end security is recommended but not mandatory Based on request-answer signal pairs In the Diameter network there can be clients, relays, proxies, and redirect and translation agents

45 Required Features Diameter protocol to support the following required features: Transporting of user authentication information, for the purposes of enabling the Diameter server to authenticate the user. Transporting of service specific authorization information, between client and servers, allowing the peers to decide whether a user's access request should be granted. Exchanging resource usage information, which MAY be used for accounting purposes, capacity planning, etc. Relaying, proxying and redirecting of Diameter messages through a server hierarchy.

46 Features SCTP replaced UDP
Reliable transport, congestion avoidance, flow control Keep-alive messages implemented Diameter can detect local failure of a peer Failover Peer-to-peer replaces Client-server Any node can initiate a request Peer discovery and capabilities exchange Timestamp support Prevents replay attacks Support for extensions IPsec and TLS support End-to-end security support

47 Header

48 Applications for Diameter
NASREQ Diameter Network Access Server Requirement Remote dial-in support RFC 2477, RFC 3169 EAP, PAP, CHAP Mobile IPv4 Diameter AAA servers act as Key Distribution Centers (KDC) EAP EAP info in AVPs Various applications in 3GPP IP Multimedia Subsystem

49 Diameter Client Relay Server peer connection A peer connection B
User session X State management MAY be useful for resource limiting, and per user auditing

50 Diameter 1. Request 2. Request NAS DRL HMS 4. Answer 3. Answer
Diameter Relay (DRL) can insert/remove information Forwarding based on realm A relay or proxy MUST include Route-Record AVP to all requests forwarded Home Diameter Server (HMS)

51 3. Redirection Notification
Diameter Redirect agent (DRD) returns HMS contact information DRD 2. Request 3. Redirection Notification 1. Request 4. Request NAS DRL HMS 6. Answer 5. Answer Diameter Relay (DRL) can insert/remove information Home Diameter Server (HMS)

52 Translation between RADIUS and Diameter
1. RADIUS Request 2. Diameter Request NAS TLS HMS 3. Diameter Answer 4. RADIUS Answer Translation Agent (TLS) Must be stateful and must maintain transaction state

53 Web services security

54 Source: http://msdn. microsoft. com/library/default. asp

55 Summary AAA and AAAA are integral parts of today’s networks
Policy Decision Points, Policy Enforcement Points RADIUS Diameter PAP, CHAP, EAP SAML 2.0

Download ppt "T Computer Networks II AAA"

Similar presentations

Authentication.

Authentication.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Network Security.

Network Security.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
T-110.5110 Computer Networks II AAA 3.11.2008 Prof. Sasu Tarkoma.

T Computer Networks II AAA Prof. Sasu Tarkoma.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Georgy Melamed Eran Stiller

Georgy Melamed Eran Stiller
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Chapter 8 Web Security.

Chapter 8 Web Security.
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Similar presentations

Ads by Google