
Presentation transcript

Slide 1: © 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.

Slide 2: Network Security 1, Module 4 – Trust and Identity Technology

Slide 3: Learning Objectives
4.1 AAA
4.2 Authentication Technologies
4.3 Identity Based Networking Services (IBNS)
4.4 Network Admission Control (NAC)

Slide 4: Module 1 – Trust and Identity Technology, 4.1 AAA

Slide 5: AAA Model—Network Security Architecture
Authentication: Who are you? “I am user student and my password validateme proves it.”
Authorization: What can you do? What can you access? “I can access host 2000_Server with Telnet.”
Accounting: What did you do? How long did you do it? How often did you do it? “I accessed host 2000_Server with Telnet 15 times.”

Slide 6: Implementing Cisco AAA
Administrative access—Console, Telnet, and Aux access
Remote user network access—Async, group-async, BRI, and serial (PRI) access
[Figure labels: Cisco Secure ACS; Remote client (SLIP, PPP, ARAP); NAS; Corporate file server; Console; PSTN/ISDN; Internet; Remote client (Cisco VPN Client); Router; Cisco Secure ACS appliance]

Slide 7: Implementing AAA Using Local Services
1. The client establishes a connection with the router.
2. The router prompts the user for their username and password.
3. The router authenticates the username and password against the local database. The user is authorized to access the network based on information in the local database.
[Figure labels: Perimeter router; Remote client; steps 1–3]

Slide 8: Implementing AAA Using External Servers
1. The client establishes a connection with the router.
2. The router communicates with the Cisco Secure ACS (server or appliance).
3. The Cisco Secure ACS prompts the user for their username and password.
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the network based on information found in the Cisco Secure ACS database.
[Figure labels: Perimeter router; Remote client; Cisco Secure ACS; Cisco Secure ACS appliance; steps 1–4]

Slide 9: The TACACS+ and RADIUS AAA Protocols
Two different protocols are used to communicate between the AAA security servers and a router, NAS, or firewall. Cisco Secure ACS supports both TACACS+ and RADIUS:
- TACACS+ remains more secure than RADIUS.
- RADIUS has a robust API and strong accounting.
[Figure labels: Cisco Secure ACS; Firewall; Router; Network access server; TACACS+; RADIUS; Security server]

Slide 10: Module 1 – Trust and Identity Technology, 4.2 Authentication Technologies

Slide 11: Authentication Methods

Slide 12: Authentication—Remote PC Username and Password

Slide 13: Authentication—One-Time Passwords, S/Key
- List of one-time passwords
- Generated by S/Key program hash function
- Sent in clear text over network
- Server must support S/Key
[Figure labels: S/Key passwords; Workstation; Security server supports S/Key; S/Key password (clear text)]
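Added example, not part of the slides: an RFC 2289-style one-time-password chain (the MD5 "otp-md5" variant of S/Key) showing why a password list that is sent in clear text is still safe against replay. The seed "ns1m4" and the server class are constructed for the demo; the passphrase "validateme" is the slide 5 example password.

```python
import hashlib

# Constructed demo values (not from the slides): a public seed and the user's
# passphrase. "validateme" is the example password from slide 5, reused here.
SEED = "ns1m4"
PASSPHRASE = "validateme"

def otp_fold(digest: bytes) -> bytes:
    """RFC 2289 fold: XOR the two 8-byte halves of a 16-byte MD5 digest into 64 bits."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_hash(value: bytes) -> bytes:
    """One step of the one-way chain (the 'otp-md5' variant of S/Key)."""
    return otp_fold(hashlib.md5(value).digest())

def otp_chain(seed: str, passphrase: str, length: int) -> list:
    """Return the list [p0, p1, ..., p_length] with p0 = H(seed||passphrase)
    and p_i = H(p_{i-1}). The user consumes it top-down: p_{length-1} first."""
    chain = [otp_hash((seed + passphrase).encode())]
    for _ in range(length):
        chain.append(otp_hash(chain[-1]))
    return chain

class SKeyServer:
    """Verifier state: only the last accepted password and its sequence number.
    The passphrase itself never has to be stored on the server."""
    def __init__(self, seed: str, passphrase: str, length: int):
        self.seed = seed
        self.sequence = length
        self.last_accepted = otp_chain(seed, passphrase, length)[-1]

    def challenge(self) -> str:
        # Tells the client which entry of its printed list to type next.
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        # Accept only the immediate predecessor in the chain: H(candidate) must
        # equal the stored value, so each password is usable exactly once.
        if self.sequence <= 0 or otp_hash(candidate) != self.last_accepted:
            return False
        self.last_accepted = candidate
        self.sequence -= 1
        return True

def demo() -> tuple:
    """Legitimate login, then a replay of the same password seen in clear text."""
    passwords = otp_chain(SEED, PASSPHRASE, 5)
    server = SKeyServer(SEED, PASSPHRASE, 5)
    first = server.verify(passwords[4])    # True: answers "otp-md5 4 ns1m4"
    replay = server.verify(passwords[4])   # False: already consumed
    nxt = server.verify(passwords[3])      # True: the list advances downward
    return first, replay, nxt
```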

Slide 14: Authentication—Token Cards and Servers
[Figure labels: Cisco Secure ACS (OTP); Token server; steps 1–4]

Slide 15: AAA Example—Authentication Via PPP Link
PAP—Password Authentication Protocol
- Clear text, repeated password
- Subject to eavesdropping and replay attacks
CHAP—Challenge Handshake Authentication Protocol
- Secret password, per remote user
- Challenge sent on link (random number)
- Challenge can be repeated periodically to prevent session hijacking
- The CHAP response, an MD5 hash of (challenge + secret), provides authentication
- Robust against sniffing and replay attacks
MS-CHAP—Microsoft CHAP v1 (supported in IOS > 11.3) and v1 or v2 (supported in IOS > 12.2)
[Figure labels: Network access server; TCP/IP and PPP client; PPP; PSTN or ISDN]
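Added example, not part of the slides: the CHAP exchange from the NAS (authenticator) side per RFC 1994, showing that the secret never crosses the link and that a sniffed response cannot be replayed once the NAS re-challenges. The authenticator class and the credential table are constructed for the demo; the username and password are the slide 5 example.

```python
import hashlib
import hmac
import os

# Constructed demo credential. The username/password come from the slide 5
# example; on a real NAS the secret lives in the local database or in ACS.
SECRETS = {"student": b"validateme"}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The slide summarises this as a hash of (challenge + secret); the RFC fixes
    the exact byte order used here."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """NAS side: issues a fresh random challenge each time and checks responses.
    Unlike PAP, the secret itself is never transmitted."""
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256  # new Identifier per challenge
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, self.outstanding[1])
        self.outstanding = None  # a challenge may be answered only once
        return hmac.compare_digest(expected, response)

def peer_response(identifier: int, challenge: bytes, name: str, secret: bytes) -> tuple:
    """Client side: the (Identifier, Name, Response) triple that crosses the link."""
    return identifier, name, chap_response(identifier, secret, challenge)

def demo() -> tuple:
    nas = ChapAuthenticator(SECRETS)
    ident, chal = nas.challenge()
    captured = peer_response(ident, chal, "student", SECRETS["student"])
    genuine = nas.verify(*captured)  # True: correct response to this challenge
    # Periodic re-challenge. Someone who sniffed `captured` off the link replays
    # the old hash; it fails because the random challenge has changed.
    ident2, _ = nas.challenge()
    replayed = nas.verify(ident2, "student", captured[2])
    return genuine, replayed
```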

Slide 16: Module 1 – Trust and Identity Technology, 4.3 Identity Based Networking Services (IBNS)

Slide 17: Identity Based Network Services
Unified Control of User Identity for the Enterprise: Cisco VPN Concentrators, Cisco IOS Routers, PIX Firewalls
[Figure labels: Router; Internet; Cisco Secure ACS; Firewall; VPN Clients; Hard and Soft Tokens; Remote Offices; OTP Server]

Slide 18: Identity Based Networking Services
Features and Benefits:
- Intelligent adaptability for offering greater flexibility and mobility to stratified users
- A combination of authentication, access control, and user policies to secure network connectivity and resources
- User productivity gains and reduced operating costs

Slide 19: 802.1x Components

Slide 20: 802.1x
[Figure labels: Authentication Server (RADIUS); Catalyst 2950 (switch); End User (client)]

Slide 21: 802.1x Benefits
Feature – Benefit
- 802.1x Authenticator Support – Enables interaction between the supplicant component on workstations and application of appropriate policy.
- MAC Address Authentication – Adds support for devices such as IP phones that do not presently include 802.1x supplicant support.
- Default Authorization Policy – Permits access for unauthenticated devices to basic network service.
- Multiple DHCP Pools – Authenticated users can be assigned IP addresses from a different IP range than unauthenticated users, allowing network traffic policy application by address range.

Slide 22: 802.1x Wireless LAN Example
[Figure labels: Authentication Server (RADIUS); Catalyst 2950 (switch); Access Point]

Slide 23: Module 1 – Trust and Identity Technology, 4.4 Network Admission Control (NAC)

Slide 24: NAC Components

Slide 25: NAC Vendor Participation


