Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Firewalls and VPNs, 3 rd Edition Chapter Three Authenticating Users.

Published byMary Horton Modified over 9 years ago

Similar presentations

Presentation on theme: "Guide to Firewalls and VPNs, 3 rd Edition Chapter Three Authenticating Users."— Presentation transcript:

1 Guide to Firewalls and VPNs, 3 rd Edition Chapter Three Authenticating Users

2 Guide to Firewalls and VPNs, 3 rd Edition Overview Explain why authentication is a critical aspect of perimeter defense Explain why firewalls authenticate and how they identify users Describe user, client, and session authentication List the advantages and disadvantages of popular centralized authentication systems Discuss the potential weaknesses of password security systems 2

3 Guide to Firewalls and VPNs, 3 rd Edition Overview (cont’d.) Describe the use of password security tools 3

4 Guide to Firewalls and VPNs, 3 rd Edition Introduction Firewall authentication –Reliably determine whether persons or entities are who or what they claim to be Access controls –Learn how and why firewalls serve as access controls in providing authentication services Main types of authentication performed by firewalls: –Client, user, and session 4

5 Guide to Firewalls and VPNs, 3 rd Edition Introduction (cont’d.) Different types of centralized authentication methods that firewalls can use: –Kerberos, TACACS+, and RADIUS 5

6 Guide to Firewalls and VPNs, 3 rd Edition Access Controls Four processes: –Identification: obtaining the identity of the entity requesting access to a logical or physical area –Authentication: confirming the identity of the entity seeking access to a logical or physical area –Authorization: determining which actions that entity can perform in that physical or logical area –Accountability: documenting the activities of the authorized individual and systems 6

7 Guide to Firewalls and VPNs, 3 rd Edition Access Controls (cont’d.) Address the admission of users into a trusted area of the organization Integrate a number of key principles: –Least privilege: employees are provided access to the minimal amount of information for the least duration of time necessary to perform their duties –Need to know: limits individuals’ information access to what is required to perform their jobs –Separation of duties: more than one individual be responsible for a particular information asset, process, or task 7

8 Guide to Firewalls and VPNs, 3 rd Edition Access Controls (cont’d.) Classified based on function: –Preventive: help the organization avoid an incident –Deterrent: discourage or deter an incident from occurring –Detective: detect or identify an incident or threat when it occurs –Corrective: remedy a circumstance or mitigate the damage caused during an incident –Recovery: restore operating conditions to normal –Compensating: use alternate controls to resolve shortcomings 8

9 Guide to Firewalls and VPNs, 3 rd Edition Mandatory Access Control (MAC) Data classification scheme and a personnel clearance scheme Assigns each collection or type of information to a sensitivity level Each user rated with a sensitivity level called a clearance Lattice-based access control –Variation of MAC –Users are assigned a matrix of authorizations for various areas of access 9

10 Guide to Firewalls and VPNs, 3 rd Edition Data Classification Model U.S. Department of Defense (DoD) classification scheme –Relies on a more complex categorization system than the schemes of most corporations –Five-level classification scheme Unclassified data Sensitive But Unclassified (SBU) data Confidential data Secret data Top secret data 10

11 Guide to Firewalls and VPNs, 3 rd Edition Wikileaks Cables Link Ch 3d 11

12 Guide to Firewalls and VPNs, 3 rd Edition Anonymous' FBI Document (may be a forgery) Link Ch 3e 12

13 Guide to Firewalls and VPNs, 3 rd Edition Data Classification Model (cont’d.) Most organizations do not need the detailed level of classification –Suggested classifications: Public For Official Use Only Sensitive Classified 13

14 Guide to Firewalls and VPNs, 3 rd Edition Security Clearances Each user of an information asset is assigned an authorization level –Indicates the level of information classification he or she can access Assign each employee a titular role –Data entry clerk, development programmer, information security analyst, or even CIO 14

15 Guide to Firewalls and VPNs, 3 rd Edition Nondiscretionary Access Controls Determined by a central authority in the organization Role-based access controls or RBAC –Based on roles Task-based access controls –Based on a specified set of tasks 15

16 Guide to Firewalls and VPNs, 3 rd Edition Discretionary Access Controls (DACs) Implemented at the discretion of the data user Rule-based access controls –Granted based on a set of rules specified by the central authority Content-dependent access controls –Dependent on the information’s content 16

17 Guide to Firewalls and VPNs, 3 rd Edition Discretionary Access Controls (DACs) (cont’d.) Constrained user interfaces –Systems designed specifically to restrict the information that an individual user can access Temporal (time-based) isolation –Information can only be accessed depending on what time of day it is 17

18 Guide to Firewalls and VPNs, 3 rd Edition Centralized vs. Decentralized Access Controls Collection of users with access to the same data typically have a centralized access control authority –Even using a discretionary access control model Varies by organization and type of information protected 18

19 Guide to Firewalls and VPNs, 3 rd Edition The Authentication Process Authentication –Act of confirming the identity of a potential user Verify identity by providing one or more of: –Something you know –Something you have –Something you are –Something you do 19

20 Guide to Firewalls and VPNs, 3 rd Edition The Authentication Process (cont’d.) Strong authentication –Authentication system uses two or more different forms of confirming the proposed identity Network authentication forms: –Local authentication Most common form of authentication –Centralized authentication service Most commonly set up as a form of auditing 20

21 Guide to Firewalls and VPNs, 3 rd Edition The Authentication Process (cont’d.) Tokens Synchronous tokens –Use the present time to generate an authentication number entered during the user login Asynchronous tokens –Use a challenge-response system 21

22 Guide to Firewalls and VPNs, 3 rd Edition The Authentication Process (cont’d.) 22 Figure 3-1 Access Control Tokens @ Cengage Learning 2012

23 Guide to Firewalls and VPNs, 3 rd Edition RSA Hacked Link Ch 3f 23

24 Guide to Firewalls and VPNs, 3 rd Edition The Authentication Process (cont’d.) Biometrics –Retinal scans, fingerprints, etc. –Mainly done by large, security-minded entities 24

25 Guide to Firewalls and VPNs, 3 rd Edition How Firewalls Implement the Authentication Process Many organizations depend on firewalls to provide more secure authentication than conventional systems Firewall uses authentication to identify individuals –Apply the rules that are associated with those individuals 25

26 Guide to Firewalls and VPNs, 3 rd Edition How Firewalls Implement the Authentication Process (cont’d.) General process: –The client makes a request to access a resource –Firewall intercepts the request and prompts the user for name and password –User submits the requested information to firewall –The user is authenticated –Request checked against the firewall’s rule base –If the request matches an existing allow rule, the user is granted access –The user accesses the desired resources 26

27 Guide to Firewalls and VPNs, 3 rd Edition How Firewalls Implement the Authentication Process (cont’d.) 27 Figure 3-2 Basic User Authentication @ Cengage Learning 2012

28 Guide to Firewalls and VPNs, 3 rd Edition Firewall Authentication Methods Some firewalls provide a variety of authentication methods –Including user, client, or session authentication 28

29 Guide to Firewalls and VPNs, 3 rd Edition User Authentication Simplest type of authentication program Prompts the user for a username and password. Software checks the information against a list of usernames and passwords in its database Authorized users added to your access control lists (ACLs) Only allows Telnet, HTTP, FTP and RLOGIN attempts (for Checkpoint firewalls) –See link Ch 3a 29

30 Guide to Firewalls and VPNs, 3 rd Edition User Authentication (cont’d.) 30 Figure 3-3 NetProxy Authentication @ Cengage Learning 2012

31 Guide to Firewalls and VPNs, 3 rd Edition Client Authentication Establish limits to user access Firewall enables the authenticated user to access the desired resources for a specific period of time or a specific number of times Configure client authentication –Standard sign-on system –Specific sign-on system Allows any protocol for the specified time (for Checkpoint firewalls) 31

32 Guide to Firewalls and VPNs, 3 rd Edition Client Authentication (cont’d.) 32 Figure 3-4 Example of Time-Limited Authentication @ Cengage Learning 2012

33 Guide to Firewalls and VPNs, 3 rd Edition Session Authentication Requires authentication whenever a client system attempts to connect to a network resource and establish a session Requires session agent software to be installed on each client (for Checkpoint firewalls) Some advanced firewalls offer multiple authentication methods 33

34 Guide to Firewalls and VPNs, 3 rd Edition Session Authentication (cont’d.) 34 Table 3-1 Authentication Methods

35 Guide to Firewalls and VPNs, 3 rd Edition Centralized Authentication Alleviates the need to provide each server on the network with a separate database of usernames and passwords Substantial downside: –Authentication server becomes a single point of failure 35

36 Guide to Firewalls and VPNs, 3 rd Edition Centralized Authentication (cont’d.) 36 Figure 3-5 Centralized Authentication @ Cengage Learning 2012

37 Guide to Firewalls and VPNs, 3 rd Edition Centralized Authentication (cont’d.) Different authentication methods –Kerberos, –TACACS+ –RADIUS 37

38 Guide to Firewalls and VPNs, 3 rd Edition Kerberos Developed at the Massachusetts Institute of Technology (MIT) Provides authentication and encryption on standard clients and servers –Both client and server place their trust in the Kerberos server Used internally on many Windows systems –Never sends or stores passwords in cleartext (Serious error in textbook on page 79!) –See links Ch 3b, Ch 3c. 38

39 Guide to Firewalls and VPNs, 3 rd Edition Kerberos (cont’d.) 39 Figure 3-6 Kerberos Authentication @ Cengage Learning 2012

40 Guide to Firewalls and VPNs, 3 rd Edition Kerberos (cont’d.) Advantage of using Kerberos –Passwords are not stored on the system –Cannot be intercepted by hackers –Tickets tend to have a time limit –Widely used in the UNIX environment 40

41 Guide to Firewalls and VPNs, 3 rd Edition TACACS+ Terminal Access Controller Access Control System Plus (TACACS+) Latest and strongest version of a set of authentication protocols developed by Cisco Systems Provide the AAA services –Authentication, authorization, accounting Uses a hashing algorithm (MD5) to keep the password itself a secret 41

42 Guide to Firewalls and VPNs, 3 rd Edition RADIUS Remote Authentication Dial-In User Service (RADIUS) Does not transmit cleartext passwords Stores cleartext passwords on the server 42

43 Guide to Firewalls and VPNs, 3 rd Edition TACACS+ and RADIUS Compared Strength of security –See Table 3-2 Filtering characteristics –TACACS+ uses TCP Port 49 –RADIUS uses UDP Port 1812 and 1813 –See Table 3-3 Proxy characteristics –RADIUS doesn’t work with generic proxy systems –RADIUS server can function as a proxy server 43

44 Guide to Firewalls and VPNs, 3 rd Edition TACACS+ and RADIUS Compared (cont’d.) NAT characteristics –RADIUS doesn’t work with Network Address Translation (NAT) –TACACS+ should work with NAT systems –Static IP address mappings work best for both 44

45 Guide to Firewalls and VPNs, 3 rd Edition TACACS+ and RADIUS Compared (cont’d.) 45 Table 3-2 Security Characteristics of TACACS+ and RADIUS

46 Guide to Firewalls and VPNs, 3 rd Edition TACACS+ and RADIUS Compared (cont’d.) 46 Table 3-3 Filtering Rules for TACACS+ and RADIUS

47 Guide to Firewalls and VPNs, 3 rd Edition Password Security Issues Many authentication systems depend in part or entirely on passwords Method is truly secure only for controlling outbound Internet access –Password guessing and eavesdropping attacks are likely on inbound access attempts 47

48 Guide to Firewalls and VPNs, 3 rd Edition Preventing Passwords from Being Cracked Avoid vulnerabilities by ensuring that network’s authorized users –Protect their passwords effectively –Observe some simple security habits 48

49 Guide to Firewalls and VPNs, 3 rd Edition The Shadow Password System Linux stores passwords in the /etc/passwd file –In encrypted format using a one-way hash function Shadow password system –Feature of the Linux operating system –Enables the secure storage of passwords –File has restricted access –Passwords are stored only after being encrypted with the salt value and an encoding algorithm 49

50 Guide to Firewalls and VPNs, 3 rd Edition One-Time Password Software Two types of one-time passwords are available: –Challenge-response passwords Authenticating computer or firewall generates a random number (the challenge) and sends it to the user, who enters a secret PIN or password (the response) –Password list passwords User enters a seed phrase, and the password system generates a list of passwords 50

51 Guide to Firewalls and VPNs, 3 rd Edition Other Authentication Systems Most firewalls make use of one or more well-known systems –RADIUS and TACACS+ Other systems for authentication: –Certificate-based –802.1x Wi-Fi 51

52 Guide to Firewalls and VPNs, 3 rd Edition Certificate-Based Authentication Use of digital certificates to authenticate users Must set up a Public-Key Infrastructure (PKI) –Generates keys for users User receives a code called a public key –Generated using the server’s private key –Uses the public key to send encrypted information to the serve 52

53 Guide to Firewalls and VPNs, 3 rd Edition 802.1x Wi-Fi Authentication Provides for authentication of users on wireless networks Can use many authentication methods, including smart card, digital certificate, or hashed passwords –Error on page 84: Other methods besides smart card & certificate are possible –Link Ch 3g Wi-Fi uses of Extensible Authentication Protocol (EAP) –Enables a system that uses Wi-Fi to authenticate users on other kinds of network operating systems 53

54 Guide to Firewalls and VPNs, 3 rd Edition54 Figure 3-7 Wireless Authentication @ Cengage Learning 2012

Download ppt "Guide to Firewalls and VPNs, 3 rd Edition Chapter Three Authenticating Users."

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Access Control Methodologies

Access Control Methodologies
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

Similar presentations

Ads by Google