Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users."— Presentation transcript:

1 ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users

2 Learning Objectives  Explain why authentication is a critical aspect of network security  Explain why firewalls authenticate and how they identify users  Describe user, client, and session authentication  List the advantages and disadvantages of popular centralized authentication systems  Discuss the potential weaknesses of password security systems  Discuss the use of password security tools  Describe common authentication protocols used by firewalls 2 7/14 IS 3200, Summer 2010

3 The Authentication Process in General  The act of identifying users and providing network services to them based on their identity  Two forms  Local authentication  Centralized authentication service (often uses two-factor authentication) 3 7/14 IS 3200, Summer 2010

4 How Firewalls Implement the Authentication Process 1. Client makes request to access a resource 2. Firewall intercepts the request and prompts the user for name and password 3. User submits information to firewall 4. User is authenticated 5. Request is checked against firewall’s rule base 6. If request matches existing allow rule, user is granted access 7. User accesses desired resources 4 7/14 IS 3200, Summer 2010

5 How Firewalls Implement the Authentication Process (continued) 5 7/14 IS 3200, Summer 2010

6 Firewall Authentication Methods  User authentication  Client authentication  Session authentication 6 7/14 IS 3200, Summer 2010

7 User Authentication  Basic authentication; user supplies username and password to access networked resources  Users who need to legitimately access your internal servers must be added to your access control lists (ACLs) 7 7/14 IS 3200, Summer 2010

8 User Authentication (continued) 8 7/14 IS 3200, Summer 2010

9 Client Authentication  Same as user authentication but with additional time limit or usage limit restrictions  When configuring, set up one of two types of authentication systems  Standard sign-on system  Specific sign-on system 9 7/14 IS 3200, Summer 2010

10 Client Authentication (continued) 10 7/14 IS 3200, Summer 2010

11 Session Authentication  Required any time the client establishes a session with a server of other networked resource 11 7/14 IS 3200, Summer 2010

12 Comparison of Authentication Methods 12 7/14 IS 3200, Summer 2010

13 Centralized Authentication  Centralized server maintains all authorizations for users regardless of where user is located and how user connects to network  Most common methods  Kerberos  TACACS+ (Terminal Access Controller Access Control System)  RADIUS (Remote Authentication Dial-In User Service) 13 7/14 IS 3200, Summer 2010

14 Process of Centralized Authentication 14 7/14 IS 3200, Summer 2010

15 Kerberos  Provides authentication and encryption through standard clients and servers  Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources  Used internally on Windows 2000/XP  Advantages  Passwords are not stored on the system  Widely used in UNIX environment; enables authentication across operating systems 15 7/14 IS 3200, Summer 2010

16 Kerberos Authentication 16 7/14 IS 3200, Summer 2010

17 TACACS+  Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems)  Provides AAA services  Authentication  Authorization  Auditing  Uses MD5 algorithm to encrypt data 17 7/14 IS 3200, Summer 2010

18 RADIUS  Centralized dial-in authentication service that uses UDP  Transmits authentication packets unencrypted across the network  Provides lower level of security than TACACS+ but more widely supported 18 7/14 IS 3200, Summer 2010

19 TACACS+ and RADIUS Compared  Strength of security  Filtering characteristics  Proxy characteristics  NAT characteristics 19 7/14 IS 3200, Summer 2010

20 Strength of Security 20 7/14 IS 3200, Summer 2010

21 Filtering Characteristics 21 7/14 IS 3200, Summer 2010

22 Proxy Characteristics  RADIUS  Doesn’t work with generic proxy systems, but a RADIUS server can function as a proxy server  TACACS+  Works with generic proxy systems 22 7/14 IS 3200, Summer 2010

23 NAT Characteristics  RADIUS  Doesn’t work with NAT  TACACS+  Should work through NAT systems 23 7/14 IS 3200, Summer 2010

24 Password Security Issues  Passwords that can be cracked (accessed by an unauthorized user)  Password vulnerabilities  Lax security habits 24 7/14 IS 3200, Summer 2010

25 Passwords That Can Be Cracked  Ways to crack passwords  Find a way to authenticate without knowing the password  Uncover password from system that holds it  Guess the password  To avoid the issue  Protect passwords effectively  Observe security habits 25 7/14 IS 3200, Summer 2010

26 Password Vulnerabilities  Built-in vulnerabilities  Often easy to guess  Often stored visibly  Social engineering  To avoid the issues  Choose complicated passwords  Memorize passwords  Never give passwords out to anyone 26 7/14 IS 3200, Summer 2010

27 Lax Security Habits  To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU) 27 7/14 IS 3200, Summer 2010

28 Password Security Tools  One-time password software  Shadow password system 28 7/14 IS 3200, Summer 2010

29 One-Time Password Software  Password is generated using a secret key  Password is used only once, when the user authenticates  Different passwords are used for each authentication session  Types  Challenge-response passwords  Password list passwords 29 7/14 IS 3200, Summer 2010

30 Shadow Password System  A feature of Linux that stores passwords in another file that has restricted access  Passwords are stored only after being encrypted by a randomly generated value and an encoding formula 30 7/14 IS 3200, Summer 2010

31 Other Authentication Systems  Single-password systems  One-time password systems  Certificate-based authentication  802.1x Wi-Fi authentication 31 7/14 IS 3200, Summer 2010

32 Single-Password Systems  Operating system password  Internal firewall password 32 7/14 IS 3200, Summer 2010

33 One-Time Password Systems  Single Key (S/Key)  SecurID  Axent Pathways Defender 33 7/14 IS 3200, Summer 2010

34 Single Key (S/Key)  Uses multiple-word rather than single word passwords  User specifies single-word password and the number of times it is to be encrypted  Password is processed by a hash function n times; resulting encrypted passwords are stored on the server  Never stores original password on the server 34 7/14 IS 3200, Summer 2010

35 SecurID  Uses two-factor authentication  Physical object  Piece of knowledge  Most frequently used one-time password solution with FireWall-1 35 7/14 IS 3200, Summer 2010

36 SecurID Tokens 36 7/14 IS 3200, Summer 2010

37 Axent Pathways Defender  Uses two-factor authentication and a challenge-response system 37 7/14 IS 3200, Summer 2010

38 Certificate-Based Authentication  FireWall-1 supports the use of digital certificates to authenticate users  Organization sets up a public key infrastructure (PKI) that generates keys to users  User receives a code (public key) that is generated using the server’s private key and uses the public key to send encrypted information to the server  Server receives the public key and can decrypt the information using its private key 38 7/14 IS 3200, Summer 2010

39 802.1x Wi-Fi Authentication  Supports wireless Ethernet connections  Not supported by FireWall-1  802.1x protocol provides for authentication of users on wireless networks  Wi-Fi uses Extensible Authentication Protocol (EAP) 39 7/14 IS 3200, Summer 2010

40 Wireless Authentication 40 7/14 IS 3200, Summer 2010

41 Chapter Summary  Overview of authentication and its importance to network security  How and why firewalls perform authentication services  Types of authentication performed by firewalls  User  Client  Session 41 7/14 IS 3200, Summer 2010

42 Chapter Summary (continued)  Generally, users supply:  Something they have (such as a smart card) or  Something they know (such as a password) or  Both  Latest authentication systems measure or evaluate a physical attribute, such as a fingerprint or voiceprint 42 7/14 IS 3200, Summer 2010

43 Chapter Summary (continued)  In a centralized authentication system:  Firewall works with an authentication server  Authentication server handles Username and password maintenance/generation Login requests Auditing  Examples of centralized authentication systems:  Kerberos  TACACS+  RADIUS 43 7/14 IS 3200, Summer 2010

44 Chapter Summary (continued)  Passwords  Important part of virtually every authentication system  Take one of two general forms: Single-word User password compared against database of passwords; access granted if match is made Vulnerable to ability of hackers to determine passwords, to user error, and to bad security habits One-time passwords Generated dynamically each time user attempts to log on to network Secret key used to generate single- or multiple-word password 44 7/14 IS 3200, Summer 2010

Download ppt "ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users."

Similar presentations

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Access Control Methodologies

Access Control Methodologies
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Similar presentations

Ads by Google