Network Access Control and Cloud Security

Similar documents
Security+ SY0-501 Study Guide Table of Contents

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Block Cipher Operation

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Implementing X Security Solutions for Wired and Wireless Networks

Wireless Network Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Cloud Customer Architecture for Securing Workloads on Cloud Services

Network Access Flows APPENDIXB

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Authentication and Security: IEEE 802.1x and protocols EAP based

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

ISE Primer.

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

802.1X: Background, Theory & Implementation

Key Management and Distribution

Chapter 4 Configuring 802.1X Port Security

Mobile WiMAX Security

FAQ on Cisco Aironet Wireless Security

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Router Virtualization Protocols

The Common Controls Framework BY ADOBE

Configuring Port-Based and Client-Based Access Control (802.1X)

Topics of Discussion

Geneva, 6-7 December 2010 Addressing security challenges on a global scale

NLETS & CLOUD SECURITY. Bill Phillips, Information Security Officer

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

REMOTE AUTHENTICATION DIAL IN USER SERVICE

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Cisco 5921 Embedded Services Router

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Chapter 24 Wireless Network Security

Part II. Raj Jain. Washington University in St. Louis

TRACKVIA SECURITY OVERVIEW

HIPAA Security and Privacy Policies & Procedures

Network Security and Cryptography. 2 September Marking Scheme

Operation Manual Security. Table of Contents

Controlled/uncontrolled port and port authorization status

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

ENHANCING PUBLIC WIFI SECURITY

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

Cloud Security Best Practices

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Version 1/2018. GDPR Processor Security Controls

PrecisionAccess Trusted Access Control

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology

Cloud-Security: Show-Stopper or Enabling Technology?

Building a More Secure Cloud Architecture

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Virtual Private Networks.

Wireless Network Security Spring 2015

Auditing the Cloud. Paul Engle CISA, CIA

Block Encryption and DES

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified

802.1x Configuration. FSOS 802.1X Configuration

Virtual Private Networks (VPNs)

Table of Contents 1 AAA Overview AAA Configuration 2-1

Cloud Computing, SaaS and Outsourcing

Internet 3.0: Ten Problems with Current Internet Architecture and a Proposal for the Next Generation

COPYRIGHTED MATERIAL. Contents

Managing SaaS risks for cloud customers

Authentication and Security: IEEE 802.1x and protocols EAP based

Network Encryption 3 4/20/17

RADIUS Configuration. Overview. Introduction to RADIUS. Client/Server Model

Security Models for Cloud

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Cloud First Policy General Directorate of Governance and Operations Version April 2017

SECURITY & PRIVACY DOCUMENTATION

Data Sheet NCP Exclusive Remote Access Client Windows

Cloud Storage Securing CDMI. Eric A. Hibbard, CISSP, CISA, ISSAP, ISSMP, ISSEP, SCSE Hitachi Data Systems

Data Security: Public Contracts and the Cloud

The Business of Security in the Cloud

Overview of Authentication Systems

Security Camp 2016 Cloud Security. August 18, 2016

Application Note. Using RADIUS with G6 Devices

PCI DSS Compliance. White Paper Parallels Remote Application Server

Cloud Essentials for Architects using OpenStack

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

Data Security and Privacy Principles IBM Cloud Services

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Cloud Computing Lectures. Cloud Security

Mobile IPv6. Washington University in St. Louis

Oracle Data Cloud ( ODC ) Inbound Security Policies

THE DATA CENTER AS A COMPUTER

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Advanced iscsi Management April, 2008

CIS Controls Measures and Metrics for Version 7

Transcription:

Network Access Control and Cloud Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@wustl.edu Audio/Video recordings of this lecture are available at: 16-1 1. Network Access Control (NAC) 2. RADIUS 3. Extensible Authentication Protocol () 4. over LAN (OL) 5. 802.1X 6. Cloud Security These slides are based partly on Lawrie Brown s slides supplied with William Stallings s book Cryptography and Network Security: Principles and Practice, 7 th Ed, 2017. 16-2 AAA: Network Access Control (NAC) Authentication: Is the user legit? Authorization: What is he allowed to do? Accounting: Keep track of usage Components: Supplicant: User Authenticator: Network edge device Authentication Server: Remote Access Server (RAS) or Policy Server Backend policy and access control Supplicant Authenticator Authentication Server 16-3 Network Access Enforcement Methods IEEE 802.1X used in Ethernet, WiFi Firewall DHCP Management VPN VLANs 16-4

RADIUS Remote Authentication Dial-In User Service Central point for Authorization, Accounting, and Auditing data AAA server Network Access servers get authentication info from RADIUS servers Allows RADIUS Proxy Servers ISP roaming alliances Uses UDP: In case of server failure, the request must be re-sent to backup Application level retransmission required TCP takes too long to indicate failure RADIUS Customer Network Remote Access Server Proxy RADIUS ISP Net Ref: http://en.wikipedia.org/wiki/radius 16-5 Network Access Server User Extensible Authentication Protocol () Old Methods: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP) Each authentication protocols required a new protocol Extensible Authentication Protocol Allows using many different authentication methods Single-Step Protocol Only one packet in flight Duplicate elimination and retransmission Ack/Nack Can run over lossy link No fragmentation. Individual authentication methods can deal with fragmentation. One frag/round trip Many round trips Allows using a backend authentication server Authenticator does not have to know all the authentication methods Can run on any link layer (PPP, 802,...). Does not require IP. RFC 3748,, June 2004. Ref: http://en.wikipedia.org/wiki/extensible_authentication_protocol 16-6 (Cont) Terminology Peer: Entity to be authenticated = Supplicant Authenticator: Authenticating entity at network boundary Authentication Server: Has authentication database server = Authenticator if there is no backend Authentication Server otherwise authentication server Master Session Key (MSK) = Keying material agreed by the peer and the server. At least 64b. Generally given by the server to authenticator. Peer Authenticator Authentication Server 16-7 16-8

Exchange Message Format: Code Identifier Length [Type] 8b Only four message codes: 8b 16b 8b Request (01) Response (02) Supplicant Success (03) Failure (04) Authenticator Identifier is incremented for each message. Identifier in response is set equal to that in request. Type field in the request/response indicates the authentication. Assigned by Internet Assigned Number Authority (IANA) 16-9 Data Types 1 = Identity 2 = Notification (messages to be displayed to user) 3 = Nack 4 = MD5 Challenge (CHAP) 5 = One time password 6 = Generic Token card (GTC) 254 = Expanded types (allows vendor specific options) 255 = Experimental Notification requests are responded by notification responses. Nack type is valid only for responses. Expanded types include a 3B vendor ID and 4B vendor msg type. Expanded Nack is used in response to requests of type 254 and may include alternative suggestions for methods. 16-10 Method X Peer Peer Layer Layer Lower Layer Multiplexing Model Method Y Layer demultiplexes using code. Code 1 (request), 3 (success), and 4 (failure) are delivered to the peer layer Code 2 (response) is delivered to the authenticator layer. Both ends may need to implement peer layer and authenticator layer for mutual authentication Lower layer may be unreliable but it must provide error detection (CRC) Lower layer should provide MTU of 1020B or greater Ref: RFC 3748 16-11 Method X Authenticator Method Y Auth. Layer Layer Lower Layer Pass through Authenticator Peer Method X Peer Layer Lower Layer Peer/Auth layers demultiplex using type field. Pass-thru Authenticator Peer Auth Layer Lower Layer 16-12 Auth Layer AAA/IP Authentication Server Method X Auth Layer AAA/IP

Upper Layer Protocols Lightweight (L): Uses MS-CHAP. Not secure. -TLS: Transport Level Security. Both sides need certificates -TTLS: Tunneled TLS. Only server certificates. Secure tunnel for peer. -FAST: Flexible Authentication via Secure Tunneling. Certificates optional. Protected tunnels. Protected (P): Server Certificates. Client password. Pv1 or -GTC: Generic Token Cards. Client uses secure tokens. -SIM: Subscriber Identity Module used in GSM. 64b keys. -AKA: Authentication and Key Agreement. Used in 3G. 128b keys. -PSK: Pre-shared key+aes-128 to generate keys -IKEv2: Internet Key Exchange. Mutual authentication. Certificate, Password, or Shared secret Ref: http://en.wikipedia.org/wiki/protected_extensible_authentication_protocol 16-13 over LAN (OL) was designed for Point-to-point line IEEE extended it for LANs OL Added a few more messages and fields Five types of OL messages: OL Start: Sent to a multicast address OL Key: Contains encryption and other keys sent by the authenticator to supplicant OL packet: Contains message (Request, Response, Success, Failure) OL Logoff: Disconnect OL Encapsulated-ASF-Alert: Management alert Message Format: Version=1, Type=start, key,, Ethernet Header Version Type Packet Body Len Packet Body Ref: http://en.wikipedia.org/wiki/eapol 16-14 OL (Cont) 802.1X Authentication framework for IEEE802 networks Supplicant (Client), Authenticator (Access point), Authentication server No per packet overhead Can run at any speed Need to upgrade only driver on NIC and firmware on switches User is not allowed to send any data until authenticated Authentication Server Authenticator Authenticator 16-15 External Device Network Ref: http://en.wikipedia.org/wiki/802.1x 16-16 Connected Device

802.1X Authentication with RADIUS Station Can I connect please? What s your user name? Access Point Associate Identity Request Authentication Server My user name is john Identity Response Identity Response What s your password? Auth Request Auth Request My password is mary? You can connect! -Success -Success Authentication method can be changed without upgrading switches and access points Only the client and authentication server need to implement the authentication method Auth Response 16-17 Auth Response 16-18 Cloud Computing Using remote resources (Processor, Storage, Network, software, services) Five Characteristics 1. Shared: Resource Pooling 2. Ubiquitous: Broad network access 3. Rapidly Provisioned: Rapid Elasticity 4. Configurable: Measured Service 5. On-demand Self-Service Three Service Models 1. Infrastructure as a Service (IaaS):CPU 2. Platform as a Service (PaaS):CPU+OS 3. Software as a Service (SaaS): Application Four Deployment models 1. Public 2. Private 3. Hybrid 4. Community Ref: M. Schultz, A Survey of Cloud Security Issues and Offerings, http://www.cse.wustl.edu/~jain/cse571-11/cloud.htm 16-19 Roles Cloud Consumer Cloud Service Provider (CSP) Cloud Broker Cloud Auditor Cloud Carrier: Internet service Provider (ISP) 16-20

Cloud Security Risks and Countermeasures 7 Risks and Countermeasures 1. Abuse and Criminal Use: Strict user authentication Intrusion detection Monitoring public blacklists for own network blocks 2. Malicious Insiders: Comprehensive assessment of CSP Human resource requirement as a part of the legal contract Transparency into overall security management Security breach notification process Risks and Countermeasures (Cont) 3. Insecure Interfaces and API s: Analyze security models of CSP interface Ensure strong authentication and encryption 4. Shared Technology Issues: Monitor environment for unauthorized changes Strong authentication and access control for adminstrators SLAs for patching vulnerability remediation Conduct vulnerability scanning and configuration audits 16-21 16-22 Risks and Countermeasures (Cont) 5. Data Loss or Leakage: Strong API access control Encrypt data in transit Analyze data protection at design and runtime Strong key generation, storage, management, and destruction 6. Account or Service Hijacking: No sharing of credentials between users and services Strong two-factor authentication Intrusion detection Understand CSP security policies and SLAs Risks and Countermeasures (Cont) 7. Unknown Risk Profile: Disclosure of applicable logs and data Partial/full disclosure of infrastructure details Monitoring and alerting on necessary information 16-23 16-24

NIST Guidelines on Cloud Security 9 Guidelines 1. Governance: Extend organizational policies and procedures to cloud Audit mechanisms to ensure that policies are followed 2. Compliance: Understand legal and regulatory obligations Ensure that the contract meets these obligations Ensure that CSP s discovery capabilities do not compromise security and privacy of data 3. Trust: NIST Guidelines (Cont) Visibility into the security and privacy controls of CSP Clear exclusive ownership of data Institute a risk management system Continuously monitor the system 4. Architecture: Understand CSP s provisioning methods and their impact on the security over the entire life cycle 5. Identity and Access Management: Ensure strong authentication, authorization, and identity management 16-25 16-26 6. Software Isolation: NIST Guidelines (Cont) Understand the virtualization techniques and their risks 7. Data Protection: Evaluate CSP s ability to control access to data at rest, in transit, and in use and to sanitize data Access risk of collating data with other organizations with high threat value Understand CSP s cryptographic key management 8. Availability: NIST Guidelines (Cont) Assess procedures for data backup, recovery, and disaster recovery Ensure critical operations can be resumed immediately after a disaster and other operations can be eventually resumed 9. Incident Response: Ensure contract provisions for incident response meet your requirements Ensure that CSP has a transparent process to share information during and after an incident Ensure that you can respond to incident in coordination with CSP 16-27 16-28

Data Protection Risks Two database service models: 1. Multi-instance model: Each subscriber gets a unique DBMS on a VM Subscriber has complete control over role definition, user authorization, and other administrative tasks related to security 2. Multi-tenant model: Subscriber shares a predefined environment with other tenants, typically by tagging data with a subscriber identifier CSP needs to establish and maintain a sound secure database environment 16-29 Data Protection in the Cloud Data must be secured while at rest, in transit, and in use, and access to the data must be controlled Use encryption to protect data in transit Key management responsibilities for the CSP Store only encrypted data in the cloud CSP has no access to the encryption key Encrypt the entire database and not provide the encryption/decryption keys to CSP Can t access individual data items based on searches or indexing on key parameters Need to download entire tables from the database, decrypt the tables, and work with the results To provide more flexibility it must be possible to work with the database in its encrypted form 16-30 Data Protection (Cont) Cloud Security as a Service (SecaaS) 16-31 SecaaS: Provisioning of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers on-premise systems SecaaS Categories of Service: 1. Identity and access management 2. Data loss prevention 3. Web security 4. E-mail security 5. Security assessments 6. Intrusion management 7. Security information and event management 8. Encryption 9. Business continuity and disaster recovery 10. Network security 16-32

Summary 1. RADIUS allows centralized authentication server and allows roaming 2. allows many different authentication methods to use a common framework Authenticators do not need to know about authentication methods 3. Many variations of authentication methods depending upon certificates, shared secrets, passwords 4. 802.1X adds authentication to LAN and uses OL 5. Cloud computing uses a shared pool of resources. Numerous security issues and counter measures. Homework 16 Read RFC 3748 on. Is clear text password one of the authentication method? If yes, what is the code for this. If not, why not? 16-33 16-34 Lab 16: Netcat Netcat is an application for creating a backdoor and file transfer. It can be used by attackers to control a victim machine or by administrators to move data out of the victim machines You need two computers: A victim with Windows and an attacker with any operating system. You can perform the lab in one of the following ways: Your computer and your classmate s computer (one of them is windows) You computer (windows) and any type of virtual machine (Ubuntu, Kali,..) On the lab computers (CSE571XPS and DL9150) using your accounts Download netcat Lab 16: Netcat (Cont) For Windows https://joncraton.org/files/nc111nt.zip For Mac: http://macappstore.org/netcat/ For Linux: sudo apt-get install netcat-traditional Already installed under c:\program files (or c:\program files (86)) in the lab machines Run netcat and explore its various options You need to be in the netcat directory in case of Windows Ref: https://en.wikipedia.org/wiki/netcat 16-35 16-36

Lab 16: Netcat (Cont) 1. Use netcat as a messaging system On the victim machine, use netcat to listen to port 9999 From the other machine, use netcat to connect to the victim machine on the same port with vv option Write anything on one of the machine s command window (cmd) and notice what happens on the other machine Submit a screenshot along with commands used 2. Use netcat as a backdoor to implant a file On the victim machine, use netcat to listen to port 9999 and save the output to a file On the attacker machine, create a text file called hacked.txt and transfer it to the victim Submit the screenshots along with the commands used Lab 16: Netcat (Cont) 3. Use netcat for backdoor command access On the victim machine, use netcat to listen to port 9999 and allow the execution of cmd.exe application (use netcat d e c:\windows\system32\cmd.exe along with other options to open the port and listen to it. Make sure that cmd is allowed to run by remote users.) On the other machine, use netcat to connect to the port and get access to the command window Submit a screenshot along with commands used 16-37 16-38 Acronyms Acronyms (Cont) AAA Authentication, Authorization, and Accounting AES Advanced Encryption Standard AKA Authentication and Key Agreement API Application Programming Interface AR Access Requester ASF Alerting Standards Forum CHAP Challenge Handshake Protocol CP Cloud Provider = CSP CPU Central Processing Unit CRC Cyclic Redundancy Check CSP Cloud Service Provider DCHP Dynamic Host Control Protocol -AKA with Authentication and Key Agreement -FAST with Flexible Authentication via Secure Tunneling -IKEv2 with Internet Key Exchange version 2 -PSK with Pre-shared key -SIM with Subscriber Identity Module -TLS with Transport Level Security -TTLS with Tunneled Transport Level Security Extensible Authentication Protocol OL over LAN FAST Flexible Authentication via Secure Tunneling GSM Global System for Mobile Communications GTC Generic Token card IaaS Infrastructure as a Service IANA Internet Assigned Number Authority ID Identifier IEEE Institution of Electrical and Electronic Engineers IKEv2 Internet Key Exchange version 2 IP Internet Protocol ISP Internet Service Provider LAN Local Area Network 16-39 16-40

Acronyms (Cont) Acronyms (Cont) L Lightweight Extensible Authentication Protocol MD5 Message Digest 5 MS-CHAP Microsoft Challenge Handshake Protocol MS Microsoft MSK Master Session Key MTU Maximum Transmission Unit NAC Network Access Control NAK Negative Acknowledgement NAS Network Access Server NIC Network Interface Card NIST National Institute of Science and Technology OS Operating System PaaS Platform as a Service PAP Password Authentication Protocol P Protected Extensible Authentication Protocol Pv1 P version 1 16-41 PPP Point-to-Point Protocol PSK Pre-shared key RADIUS Remote Access Dial-In Server RAS Remote Access Server RFC Request for Comments SaaS Software as a Service SecaaS Security as a Service SIM Subscriber Identity Module SLA Service Level Aggrement TCP Transmission Control Protocol TLS Transport Level Security TTLS Tunneled Transport Level Security UDP User Datagram Protocol VLAN Virtual Local Area Network VM Virtual Machine VPN Virtual Private Network WiFi Wireless Fidelity 16-42 Scan This to Download These Slides Related Modules CSE571S: Network Security (Spring 2017), index.html CSE473S: Introduction to Computer Networks (Fall 2016), http://www.cse.wustl.edu/~jain/cse473-16/index.html Raj Jain http://rajjain.com Wireless and Mobile Networking (Spring 2016), http://www.cse.wustl.edu/~jain/cse574-16/index.html CSE571S: Network Security (Fall 2014), http://www.cse.wustl.edu/~jain/cse571-14/index.html Audio/Video Recordings and Podcasts of Professor Raj Jain's Lectures, https://www.youtube.com/channel/ucn4-5wznp9-ruozqms-8nuw 16-43 16-44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback