© 2004, Cisco Systems, Inc. All rights reserved.


2 Network Security 1, Module 4 – Trust and Identity Technology

3 Learning Objectives
- 4.1 AAA
- 4.2 Authentication Technologies
- 4.3 Identity Based Networking Services (IBNS)
- 4.4 Network Admission Control (NAC)

4 Module 4 – Trust and Identity Technology: 4.1 AAA

5 AAA Model – Network Security Architecture
- Authentication: Who are you? "I am user student and my password validateme proves it."
- Authorization: What can you do? What can you access? "I can access host 2000_Server with Telnet."
- Accounting: What did you do? How long did you do it? How often did you do it? "I accessed host 2000_Server with Telnet 15 times."

6 Implementing Cisco AAA
Figure: remote clients (SLIP, PPP, ARAP, or the Cisco VPN Client) reach the NAS or router over the PSTN/ISDN or the Internet; the router consults a Cisco Secure ACS server or appliance; a corporate file server and a console sit behind the router.
- Administrative access: console, Telnet, and Aux access
- Remote user network access: async, group-async, BRI, and serial (PRI) access

7 Implementing AAA Using Local Services
Figure: remote client connecting to a perimeter router.
1. The client establishes a connection with the router.
2. The router prompts the user for their username and password.
3. The router authenticates the username and password in the local database.
4. The user is authorized to access the network based on information in the local database.

8 Implementing AAA Using External Servers
Figure: remote client connecting to a perimeter router, which consults a Cisco Secure ACS server or appliance.
1. The client establishes a connection with the router.
2. The router communicates with the Cisco Secure ACS (server or appliance).
3. The Cisco Secure ACS prompts the user for their username and password.
4. The Cisco Secure ACS authenticates the user.
5. The user is authorized to access the network based on information found in the Cisco Secure ACS database.

9 The TACACS+ and RADIUS AAA Protocols
Figure: a Cisco Secure ACS security server speaking TACACS+ and RADIUS to a router, a network access server, and a firewall.
Two different protocols are used to communicate between the AAA security servers and a router, NAS, or firewall. Cisco Secure ACS supports both TACACS+ and RADIUS:
- TACACS+ remains more secure than RADIUS.
- RADIUS has a robust API and strong accounting.

10 TACACS
- TACACS: RFC 1492; forwards username and password information to a centralized server.
- XTACACS: extensions that Cisco added to the TACACS protocol. Multi-protocol; can authorize connections with SLIP, enable, PPP (IP or IPX), ARA, EXEC, and Telnet.
- TACACS+: enhanced and continually improved version of TACACS that allows a TACACS+ server to provide the services of AAA independently. A completely new version of the TACACS protocol referenced by RFC 1492, developed by Cisco. Not compatible with XTACACS. TACACS+ has been submitted to the IETF as a draft proposal.

11 RADIUS: Alternative to TACACS+
- RADIUS is an access server AAA protocol developed by Livingston Enterprises, Inc. (now part of Lucent Technologies).
- Distributed security that secures remote access to networks and protects network services against unauthorized access.
- RADIUS consists of three components:
  - Protocol with a frame format that uses UDP/IP
  - Server
  - Client

12 RADIUS: 3 versions
- IETF, with approximately 63 attributes: RFC 2138, with RADIUS accounting in RFC 2139.
- Cisco implementation, supporting approximately 58 attributes: Cisco IOS software and Cisco Secure ACS.
- Lucent, supporting over 254 attributes.

13 RADIUS features
- Client/server model. The RADIUS server can either use a local user database or be integrated with a Windows database or LDAP directory to validate the username and password.
- Transactions between the client and RADIUS server are authenticated using a shared secret.
- Supports PPP, PAP, CHAP, or MS-CHAP, UNIX login, and other authentication mechanisms.
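How the shared secret actually protects a RADIUS transaction, as an added example that is not from the slides or from Cisco: it implements the RFC 2865 User-Password hiding and the Response Authenticator that a NAS uses to check that an Access-Accept really came from the server holding the secret. The secret and Request Authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SECRET = b"constructed-shared-secret"   # constructed sample; never a deployed value
REQUEST_AUTH = bytes(range(16))         # normally 16 random bytes chosen by the NAS

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator.
    This keys the hiding to the secret; it is not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # Type, Length, Value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident: int, user: bytes, password: bytes) -> bytes:
    attrs = attribute(1, user) + attribute(2, hide_password(password, SECRET, REQUEST_AUTH))
    return packet(ACCESS_REQUEST, ident, REQUEST_AUTH, attrs)

def server_reply(request: bytes, secret: bytes, code: int = ACCESS_ACCEPT) -> bytes:
    _, ident, _ = struct.unpack("!BBH", request[:4])
    attrs = b""                       # no reply attributes in this example
    return packet(code, ident, response_authenticator(code, ident, request[4:20], attrs, secret), attrs)

def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: a reply whose Response Authenticator does not verify was not
    produced by a peer holding the shared secret and must be discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected)
```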

14 TACACS and RADIUS comparison

15 Module 4 – Trust and Identity Technology: 4.2 Authentication Technologies

16 Authentication Methods

17 Username / Password Authentication
- Static username/password authentication: remains the same until changed by the system administrator or user. Vulnerable to playback attacks, eavesdropping, theft, and password cracking programs; the attacker will continue to have access until the administrator or user chooses to change it.
- Aging username/password authentication: the user is forced to change the password after a set time, usually 30 to 60 days. Mitigates some risk, but still susceptible to attacks until the password is changed.

18 Authentication—Remote PC Username and Password

19 Authentication – One-Time Passwords, S/Key
Figure: a workstation sends an S/Key password (clear text) over the network to a security server that supports S/Key.
- List of one-time passwords, generated by the S/Key program hash function.
- Sent in clear text over the network.
- Server must support S/Key.
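Why a one-time password can cross the network in clear text: this is an added, simplified implementation of the S/Key hash chain (RFC 2289 style, MD5 with the digest folded to 64 bits), not the original S/Key program. The server stores only the last password it accepted, so a captured password is useless once it has been used. Seed and passphrase are constructed values.

```python
import hashlib
import hmac

def fold_hash(data: bytes) -> bytes:
    """Hash, then fold the 16-byte MD5 digest to 8 bytes by XOR (RFC 2289 MD5 variant)."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))

def otp(seed: str, passphrase: str, n: int) -> bytes:
    """n-th one-time password: fold_hash applied n+1 times to seed||passphrase.
    Password n-1 cannot be derived from password n without inverting the hash."""
    x = fold_hash((seed + passphrase).encode())
    for _ in range(n):
        x = fold_hash(x)
    return x

class SKeyServer:
    """Holds the seed, the sequence number and the last password used; never the passphrase."""
    def __init__(self, seed: str, passphrase: str, count: int):
        self.seed, self.seq = seed, count
        self.last = otp(seed, passphrase, count)   # enrolment stores the top of the chain

    def challenge(self):
        # The server tells the client which password to compute: sequence number and seed.
        return self.seq - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        # Hashing the candidate once must reproduce the stored value; then move down the chain.
        if self.seq <= 0 or not hmac.compare_digest(fold_hash(candidate), self.last):
            return False
        self.last, self.seq = candidate, self.seq - 1
        return True

def client_respond(passphrase: str, seq: int, seed: str) -> bytes:
    """The S/Key program on the workstation recomputes the requested password from the passphrase."""
    return otp(seed, passphrase, seq)

def demo_replay() -> tuple:
    """Returns (first login ok, replay of the same password ok, next login ok)."""
    server = SKeyServer("constructed-seed", "validateme", 5)
    seq, seed = server.challenge()
    pw = client_respond("validateme", seq, seed)     # this value travels in clear text
    first = server.verify(pw)
    replayed = server.verify(pw)                     # an eavesdropper replays the captured value
    seq2, _ = server.challenge()
    second = server.verify(client_respond("validateme", seq2, seed))
    return first, replayed, second
```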

20 Authentication – Token Cards and Servers
Figure: token card authentication against Cisco Secure ACS.

21 Token Card and Server Methods
Two token card and server methods are used:
- Time-based
  - Card contains a key and generates a token or password using a PIN number.
  - Password is loosely synchronized to the token server.
  - Server compares the token received with a token generated internally.
- Challenge-response
  - Card contains a key.
  - Server sends a random character string to the client.
  - Token card computes a cryptographic function using the stored key.
  - Results are sent back to the server.
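Both token card methods above, as an added example written for this page (not vendor code): the time-based card derives a 6-digit token from its key, the current time window and the PIN, and the server's "loose synchronization" is a window of plus or minus one step; the challenge-response card answers a random server challenge with an HMAC under the stored key. HMAC-SHA256, the 60-second step and the card key are assumptions of the example.

```python
import hashlib
import hmac
import os

STEP = 60   # seconds per time window; an assumed value

def time_token(card_key: bytes, pin: str, now: int) -> str:
    """Time-based card: 6-digit token from HMAC(key, window || PIN).
    Producing it requires both the key in the card and the PIN the user knows."""
    window = now // STEP
    mac = hmac.new(card_key, f"{window}:{pin}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def verify_time_token(card_key: bytes, pin: str, token: str, now: int, drift: int = 1) -> bool:
    """Server side: the server generates its own token for the current window and the
    +-drift neighbouring windows (loose synchronization) and compares in constant time."""
    return any(
        hmac.compare_digest(time_token(card_key, pin, now + d * STEP), token)
        for d in range(-drift, drift + 1)
    )

def new_challenge() -> bytes:
    """Challenge-response: the server sends a fresh random string for every attempt."""
    return os.urandom(16)

def card_response(card_key: bytes, challenge: bytes) -> bytes:
    """The card computes a cryptographic function of the challenge with its stored key."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()

def verify_response(card_key: bytes, challenge: bytes, response: bytes) -> bool:
    # A response is only valid for the exact challenge it was computed from,
    # so a captured response cannot be replayed against a later challenge.
    return hmac.compare_digest(card_response(card_key, challenge), response)
```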

22 Digital Certificates
Digital signature:
- Encrypted hash that is appended to a document.
- Can be used to confirm the identity of the sender and the integrity of the document.
- Based on a combination of public key encryption and secure one-way hash function algorithms.

23 Digital Certificate contents

24 Digital Certificates – CA
- A Certificate Authority (CA) signs the certificate.
- The CA is a third party that is explicitly trusted by the receiver to validate identities and to create digital certificates.
- To validate the CA's signature, the receiver must first know the CA's public key. Normally this is handled out of band or through an operation done at installation.

25 Digital Signatures

26 Digital Signatures
- Digital signatures are much more scalable than pre-shared keys.
- Without digital signatures and certificates, keys must be manually shared: a new device added to the network requires a configuration change on every other device.
- Using digital certificates, each device is enrolled with a CA. When two devices wish to communicate, they exchange certificates and digitally sign data to authenticate each other.
- The two common digital signature algorithms are RSA and the Digital Signature Algorithm (DSA).

27 Biometrics
- Measuring a unique physical characteristic of an individual as an identification mechanism.
- Most common: fingerprint scanning and voice recognition.
- Other technologies: face recognition and signature recognition.
- The integration of biometrics in the security policy will provide a solid foundation for developing a secure environment.

28 Module 4 – Trust and Identity Technology: 4.3 Identity Based Networking Services (IBNS)

29 Identity Based Network Services
Unified Control of User Identity for the Enterprise
Figure: Cisco Secure ACS and an OTP server (hard and soft tokens) providing identity for Cisco VPN Concentrators, Cisco IOS Routers, and PIX Firewalls; VPN clients and remote offices reach the router and firewall over the Internet.

30 Cisco Identity Based Networking Services (IBNS)
Integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources.
Features and benefits:
- Intelligent adaptability, offering greater flexibility and mobility to stratified users: creating user or group profiles with policies.
- A combination of authentication, access control, and user policies to secure network connectivity and resources.
- User productivity gains and reduced operating costs: providing security and greater flexibility for wired or wireless network access.

31 Cisco Identity Based Networking Services (IBNS)
- Solution for increasing the security of physical and logical access to an enterprise network, built on the IEEE 802.1x standard.
- IBNS and 802.1x are supported on all Cisco switches, Cisco ACS Server, and Cisco Aironet Access Points.
- Access control and policy enforcement at the user and port levels.
- Associates identified entities with policies.
- Standards-based implementation of port security.
- Centrally managed by a RADIUS server (Cisco Secure ACS).

32 802.1x
- Standardized framework defined by the IEEE, designed to provide port-based network access.
- 802.1x authenticates network clients using information unique to the client and credentials known only to the client.
- This service is called port-level authentication. It is offered to a single endpoint for a given physical port.

33 802.1x Components
- Supplicant: endpoint that is seeking network access.
- Authenticator: device to which the supplicant directly connects and through which the supplicant obtains network access permission.
- Authentication server: responsible for actually authenticating the supplicant.

34 802.1x Components

35 802.1x Process
- Consists of exchanges of Extensible Authentication Protocol (EAP) messages. These occur between the supplicant and the authentication server.
- Authenticator: a transparent relay, and the point of enforcement for any policy the authentication server sends back.
- New link layer protocol, 802.1x, between the supplicant and the authenticator.
- RADIUS protocol over UDP between the authenticator and the authentication server.

36 802.1x
Figure: the end user (client) connects to a Catalyst 2950 switch, which relays to the authentication server (RADIUS).

37 802.1x Benefits
Feature: Benefit
- 802.1x Authenticator Support: enables interaction between the supplicant component on workstations and application of appropriate policy.
- MAC Address Authentication: adds support for devices such as IP phones that do not presently include 802.1x supplicant support.
- Default Authorization Policy: permits access for unauthenticated devices to basic network service.
- Multiple DHCP Pools: authenticated users can be assigned IP addresses from a different IP range than unauthenticated users, allowing network traffic policy application by address range.

38 802.1x Wireless LAN Example
Figure: an Access Point connected through a Catalyst 2950 switch to the authentication server (RADIUS).

39 Module 4 – Trust and Identity Technology: 4.4 Network Admission Control (NAC)

40 NAC
- Uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms.
- Provides network access to endpoint devices that are fully compliant with the established security policy.
- Identifies noncompliant devices and denies them access, places them in a quarantined area, or gives them restricted access to network resources.
- NAC is part of the Cisco Self-Defending Network: creates greater intelligence in the network to automatically identify, prevent, and adapt to security threats.
- By combining information about endpoint security status with network admission enforcement, NAC enables organizations to dramatically improve the security of their computing

41 NAC Components

42 NAC Components
- Endpoint security software, such as antivirus software, and the Cisco Trust Agent: collects security state information from software clients and communicates this information to the connected Cisco network.
- Network access devices: enforce admission control policy. These devices demand host credentials and relay this information to policy servers.
- Policy server: responsible for evaluating the endpoint security information relayed from network devices and for determining the appropriate access policy to apply.
- Management system: provisions the appropriate NAC elements and provides monitoring and reporting operational tools. CiscoWorks VPN/Security Management Solution (VMS); CiscoWorks Security Information Management Solution (SIMS).

43 NAC Phases: NAC Phase 1
- Cisco routers communicating with the Cisco Trust Agent to gather endpoint security credentials and enforce admission control policy.
- The Cisco Trust Agent software allows NAC to use existing Cisco network devices, Cisco Security Agent software, and co-sponsor security software, including antivirus software.
- Router ACLs will restrict the communications between noncompliant hosts and other systems in the network.
- NAC currently supports endpoints running Microsoft Windows NT, XP, and 2000 operating systems.

44 NAC Phases: NAC Phase 2
- Cisco switches will be able to assign noncompliant hosts to quarantine VLAN segments on which only remediation servers reside.
- NAC will also support IPSec remote access platforms, such as the VPN 3000 concentrators, and expand support for additional endpoint operating systems.
- Future NAC releases will support additional access devices, such as firewalls and wireless access points, and continue to expand the platforms it supports.

45 NAC Operation

46 NAC vendor participation
