FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed. Chapter 10 Authenticating Users


Learning Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify users Describe user, client, and session authentication List the advantages and disadvantages of popular centralized authentication systems Discuss the potential weaknesses of password security systems Discuss the use of password security tools Describe common authentication protocols used by firewalls Slide 2

The Authentication Process in General The act of identifying users and providing network services to them based on their identity Two forms Local authentication Centralized authentication service (often uses two-factor authentication) Slide 3

How Firewalls Implement the Authentication Process 1. Client makes request to access a resource 2. Firewall intercepts the request and prompts the user for name and password 3. User submits information to firewall 4. User is authenticated (the firewall checks the credentials locally or passes them to a centralized authentication server) 5. Request is checked against firewall's rule base 6. If request matches existing allow rule, user is granted access 7. User accesses desired resources Slide 4

How Firewalls Implement the Authentication Process (continued) Slide 5

Firewall Authentication Methods User authentication Client authentication Session authentication Slide 6

User Authentication Basic authentication; user supplies username and password to access networked resources Users who need to legitimately access your internal servers must be added to your access control lists (ACLs) Slide 7

User Authentication (continued) Slide 8

Client Authentication Same as user authentication but with additional time limit or usage limit restrictions When configuring, set up one of two types of authentication systems Standard sign-on system Specific sign-on system Slide 9

Client Authentication (continued) Slide 10

Session Authentication Required any time the client establishes a session with a server or other networked resource; the authentication is bound to that single session rather than to the user or to the client machine Slide 11

Comparison of Authentication Methods Slide 12

Centralized Authentication Centralized server maintains all authorizations for users regardless of where user is located and how user connects to network Most common methods Kerberos TACACS+ (Terminal Access Controller Access-Control System Plus) RADIUS (Remote Authentication Dial-In User Service) Slide 13

Process of Centralized Authentication Slide 14

Kerberos Provides authentication, and session keys for encrypting the traffic that follows, through standard clients and servers Uses a Key Distribution Center (KDC) to issue time-limited tickets to those who want access to resources Used internally on Windows 2000/XP; it is the default domain authentication protocol from Windows 2000 onward Advantages The user's password is never sent across the network: the KDC keeps only a long-term key derived from it, and application servers see tickets rather than passwords Widely used in UNIX environment; enables authentication across operating systems Slide 15

Kerberos Authentication Slide 16

TACACS+ Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems); runs over TCP port 49 Provides AAA services Authentication Authorization Accounting (the audit record of what each user did) Obfuscates the entire packet body by XORing it with an MD5-derived keystream built from the shared secret; this is not strong encryption, so the link between device and server should still be protected (for example, inside a management VPN) Slide 17

RADIUS Centralized dial-in authentication service that uses UDP (port 1812 for authentication and 1813 for accounting; older deployments used 1645/1646) Hides only the User-Password attribute, by XORing it with MD5 of the shared secret and the request authenticator; the rest of the packet, including the username, crosses the network in cleartext Provides lower level of security than TACACS+ but more widely supported Slide 18

TACACS+ and RADIUS Compared Strength of security Filtering characteristics Proxy characteristics NAT characteristics Slide 19

Strength of Security Slide 20
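The security difference between the two protocols on Slides 17, 18 and 20 comes down to how much of each packet is hidden. The following is an added example, not code from the textbook or from any Cisco or RADIUS implementation: it builds a RADIUS Access-Request with the User-Password hidden exactly as RFC 2865 section 5.2 specifies, builds a TACACS+ authentication START packet whose whole body is obfuscated as RFC 8907 section 4.5 specifies, and then checks which credentials can be read straight out of the bytes. The shared secret, username, password and session id are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample values; they are not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"alice"
PASSWORD = b"correct horse battery staple"


def radius_hide_password(password, secret, request_authenticator):
    """Hide a User-Password attribute as RFC 2865 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 bytes, then each 16-byte
    block is XORed with MD5(secret || previous block); for the first block
    the 'previous block' is the 16-byte Request Authenticator.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = bytes(16)  # the RFC requires at least one 16-byte block
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def radius_reveal_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password. Anyone holding the shared secret and
    the captured packet recovers the cleartext password."""
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def radius_access_request(identifier, username, password, secret, request_authenticator):
    """Build an Access-Request (Code 1): 20-byte header plus Type/Length/Value
    attributes. User-Name (type 1) is cleartext; only User-Password (type 2)
    is hidden."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def tacacs_plus_pad(session_id, key, version, seq_no, length):
    """Pseudo-random pad from RFC 8907 section 4.5: chained MD5 over
    session_id || key || version || seq_no [|| previous digest]."""
    sid = struct.pack("!I", session_id)
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(body, session_id, key, version, seq_no):
    """XOR the whole body with the pad; applying it again restores the body."""
    pad = tacacs_plus_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_plus_authen_start(username, password, port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START body (RFC 8907 section 5.1) for a PAP login:
    action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1),
    four length bytes, then the variable fields; data carries the password."""
    fixed = bytes([1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password)])
    return fixed + username + port + rem_addr + password


def tacacs_plus_packet(body, session_id, key, seq_no=1, version=0xC0):
    """12-byte header: version (major 0xC, minor 0), type=1 (authentication),
    seq_no, flags=0 (body obfuscated), session_id, body length; then the body."""
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_plus_obfuscate(body, session_id, key, version, seq_no)


def exposure_report(radius_packet, tacacs_packet):
    """Which credentials can be read straight out of each packet's bytes."""
    return {
        "radius_username_cleartext": USERNAME in radius_packet,
        "radius_password_cleartext": PASSWORD in radius_packet,
        "tacacs_username_cleartext": USERNAME in tacacs_packet,
        "tacacs_password_cleartext": PASSWORD in tacacs_packet,
    }


def demo(request_authenticator=None):
    ra = request_authenticator or os.urandom(16)
    radius = radius_access_request(7, USERNAME, PASSWORD, SHARED_SECRET, ra)
    tacacs = tacacs_plus_packet(tacacs_plus_authen_start(USERNAME, PASSWORD),
                                session_id=0x1234ABCD, key=SHARED_SECRET)
    return exposure_report(radius, tacacs)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the username readable in the RADIUS packet and nothing readable in the TACACS+ packet. Note what both schemes have in common: the keystream is a function of the shared secret alone, so anyone who learns the secret (or who can guess it offline from a captured packet) recovers every credential, which is why the shared secret deserves the same handling as a password and why neither protocol should be run over an untrusted network without an outer tunnel.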

Filtering Characteristics Slide 21

Proxy Characteristics RADIUS Doesn't work with generic proxy systems, but a RADIUS server can itself act as a proxy, forwarding requests for other realms to the server that owns them TACACS+ Works with generic proxy systems Slide 22

NAT Characteristics RADIUS Doesn't work well with NAT: the server looks up the client's shared secret by source IP address, so a NAT that rewrites that address breaks the client mapping unless the server is configured with the translated address TACACS+ Should work through NAT systems Slide 23

Password Security Issues Passwords that can be cracked (accessed by an unauthorized user) Password vulnerabilities Lax security habits Slide 24

Passwords That Can Be Cracked Ways to crack passwords Find a way to authenticate without knowing the password Uncover password from system that holds it Guess the password To avoid the issue Protect passwords effectively Observe security habits Slide 25

Password Vulnerabilities Built-in vulnerabilities Often easy to guess Often stored visibly Social engineering To avoid the issues Choose complicated passwords Memorize passwords Never give passwords out to anyone Slide 26

Lax Security Habits To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU) Slide 27

Password Security Tools One-time password software Shadow password system Slide 28

One-Time Password Software Password is generated using a secret key Password is used only once, when the user authenticates Different passwords are used for each authentication session Types Challenge-response passwords Password list passwords Slide 29

Shadow Password System A feature of UNIX and Linux that moves password hashes out of the world-readable /etc/passwd into /etc/shadow, which only root can read Passwords themselves are never stored; each is run through a one-way hash function together with a randomly generated salt, so two users with the same password get different hashes and an attacker must attack each hash separately Slide 30
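An added example of the two ideas behind the shadow password system on Slide 30, salted one-way hashing and a restricted-access file; it is not code from the textbook or from any UNIX implementation. The records use the colon-separated field layout of /etc/shadow, but the hash scheme is an assumption chosen so the example runs anywhere: PBKDF2-HMAC-SHA256 written in the "$id$salt$hash" layout of crypt(3), not glibc's "$6$" sha512crypt, so it cannot verify a real /etc/shadow entry. Usernames and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed scheme for illustration only; it is NOT glibc's "$6$" sha512crypt.
SCHEME_ID = "pbkdf2-sha256"
ITERATIONS = 100_000


def _b64(raw):
    return base64.b64encode(raw).decode()


def hash_password(password, salt=None):
    """Salted one-way hash. A fresh random salt per user means two users with
    the same password get different hashes, and precomputed tables do not apply."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"${SCHEME_ID}${_b64(salt)}${_b64(digest)}"


def shadow_line(user, password, lastchg=19000):
    """One /etc/shadow-style record:
    name:hash:lastchg:min:max:warn:inactive:expire:reserved"""
    return f"{user}:{hash_password(password)}:{lastchg}:0:99999:7:::"


def parse_shadow_line(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    return fields[0], fields[1]


def verify_password(line, password):
    """Recompute the hash with the stored salt and compare in constant time.
    Locked accounts ('!' or '*' prefix) and empty hash fields never verify."""
    _, stored = parse_shadow_line(line)
    if not stored or stored[0] in "!*":
        return False
    _, scheme, salt_b64, digest_b64 = stored.split("$")
    if scheme != SCHEME_ID:
        raise ValueError(f"unsupported scheme {scheme!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def shadow_file_is_protected(path):
    """The other half of the design: the file must not be readable by 'other',
    and group access at most read-only (the conventional modes are 0600 and
    0640 root:shadow)."""
    mode = os.stat(path).st_mode & 0o777
    return (mode & 0o007) == 0 and (mode & 0o070) in (0, 0o040)


def demo():
    alice = shadow_line("alice", "winter2024")
    bob = shadow_line("bob", "winter2024")      # same password, different salt
    carol = "carol:!:19000:0:99999:7:::"        # locked account, no usable hash
    return {
        "alice_ok": verify_password(alice, "winter2024"),
        "alice_wrong": verify_password(alice, "Winter2024"),
        "same_password_same_hash": parse_shadow_line(alice)[1] == parse_shadow_line(bob)[1],
        "locked": verify_password(carol, "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored next to the hash in the clear; that is by design. Its job is not secrecy but making each hash unique so a cracker cannot amortize work across users, while the iteration count slows each guess. The file permission check matters as much as the hash: a world-readable hash file hands every attacker an offline guessing target.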

Other Authentication Systems Single-password systems One-time password systems Certificate-based authentication 802.1x Wi-Fi authentication Slide 31

Single-Password Systems Operating system password Internal firewall password Slide 32

One-Time Password Systems Single Key (S/Key) SecurID Axent Pathways Defender Slide 33

Single Key (S/Key) Presents each one-time password as a sequence of short words rather than a single word User specifies a secret passphrase and the number of times (n) it is to be hashed Passphrase (combined with a seed) is processed by a one-way hash function n times; only the final hash value is stored on the server At each login the client supplies the previous value in the chain (the passphrase hashed n-1 times); the server hashes it once, compares the result with the stored value, and then stores the new value, so each password works exactly once Never stores original passphrase on the server Slide 34
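The hash chain on Slide 34 is easiest to see with both sides written out. This is an added example, not Bellcore's S/Key code or the textbook's: the client keeps the passphrase, the server stores only the seed, the remaining count and the last accepted hash, and the exchange shows why a captured one-time password cannot be replayed or turned into the next one. Two assumptions are labelled in the code: the hash step is SHA-256 truncated to 8 bytes rather than the MD4/MD5 fold of RFC 1760/2289, and the challenge string format and the six-word rendering of the response are simplified (the response is left as raw bytes). The passphrase and seed are constructed.

```python
import hashlib
import secrets


def otp_hash(value):
    """One step of the chain. Assumption: SHA-256 truncated to 8 bytes stands
    in for the MD4/MD5 'fold to 64 bits' step of RFC 1760/2289."""
    return hashlib.sha256(value).digest()[:8]


def chain_value(passphrase, seed, k):
    """h^k(seed || passphrase): the passphrase hashed k times."""
    x = (seed + passphrase).encode()
    for _ in range(k):
        x = otp_hash(x)
    return x


class OtpClient:
    """Holds the secret passphrase; it never leaves the client."""

    def __init__(self, passphrase):
        self._passphrase = passphrase

    def register(self, seed, n):
        """Initial value the server will store: the n-th hash of the chain."""
        return n, chain_value(self._passphrase, seed, n)

    def respond(self, challenge):
        """Answer 'otp-sha256 <sequence> <seed>' with the sequence-th hash.
        (Challenge layout modelled on RFC 2289's 'otp-md5 98 seed' form.)"""
        _, seq, seed = challenge.split()
        return chain_value(self._passphrase, seed, int(seq))


class OtpServer:
    """Stores only (seed, remaining count, last accepted hash) per user."""

    def __init__(self):
        self._users = {}

    def enroll(self, username, seed, n, top_hash):
        self._users[username] = {"seed": seed, "n": n, "last": top_hash}

    def challenge(self, username):
        rec = self._users[username]
        if rec["n"] <= 1:
            # At n == 1 the next response would be h^0, the raw secret itself.
            raise RuntimeError("chain exhausted; re-enroll with a new seed")
        return f"otp-sha256 {rec['n'] - 1} {rec['seed']}"

    def verify(self, username, response):
        """Accept iff hashing the response once yields the stored value, then
        move the stored value down the chain so the response cannot be replayed."""
        rec = self._users[username]
        if rec["n"] <= 1 or otp_hash(response) != rec["last"]:
            return False
        rec["last"] = response
        rec["n"] -= 1
        return True


def demo():
    client = OtpClient("correct horse battery staple")   # constructed secret
    server = OtpServer()
    seed = "ex12345"                                       # constructed seed
    n, top = client.register(seed, 100)
    server.enroll("alice", seed, n, top)

    first = client.respond(server.challenge("alice"))      # h^99
    ok_first = server.verify("alice", first)
    replay = server.verify("alice", first)                 # same value again
    second = client.respond(server.challenge("alice"))     # h^98
    ok_second = server.verify("alice", second)
    # An eavesdropper who captured h^99 cannot produce h^98 without the
    # passphrase; a guessed 8-byte value is rejected.
    forged = server.verify("alice", secrets.token_bytes(8))
    return {"first": ok_first, "replay": replay, "second": ok_second, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The server-side record is the point of the design: a compromise of the server yields h^n, from which the earlier values (the ones still to be used) cannot be computed, and a sniffed response is worthless once the server has moved past it. The remaining weakness, which the slide's "number of times" parameter hints at, is that the chain runs out and a new seed must be enrolled over a trusted path, and that an active attacker who sends a lower sequence number in a forged challenge can harvest values the real server has not consumed yet, so clients should refuse a sequence number lower than the last one they answered.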

SecurID Uses two-factor authentication Physical object Piece of knowledge Most frequently used one-time password solution with FireWall-1 Slide 35

SecurID Tokens Slide 36

Axent Pathways Defender Uses two-factor authentication and a challenge-response system Slide 37

Certificate-Based Authentication FireWall-1 supports the use of digital certificates to authenticate users Organization sets up a public key infrastructure (PKI) whose certificate authority (CA) issues each user a certificate: the user's public key bound to the user's identity and signed with the CA's private key User keeps the matching private key and proves possession of it to the server, for example by signing a challenge the server sends Server checks the certificate's signature against the CA it trusts and verifies the user's signature with the public key in the certificate; no password crosses the network Slide 38

802.1x Wi-Fi Authentication Port-based network access control for IEEE 802 LANs, including wireless Ethernet (Wi-Fi) Not supported by FireWall-1 802.1x protocol provides for authentication of users before the port passes any normal traffic; on wireless networks it is how WPA-Enterprise authenticates each station Wi-Fi uses Extensible Authentication Protocol (EAP), carried between client and access point as EAPOL frames and relayed by the access point to a RADIUS server Slide 39

Wireless Authentication Slide 40

Chapter Summary Overview of authentication and its importance to network security How and why firewalls perform authentication services Types of authentication performed by firewalls User Client Session Slide 41

Chapter Summary (continued) Generally, users supply: Something they have (such as a smart card) or Something they know (such as a password) or Both Latest authentication systems add a third factor, something the user is: they measure or evaluate a physical attribute, such as a fingerprint or voiceprint Slide 42

Chapter Summary (continued) In a centralized authentication system: Firewall works with an authentication server Authentication server handles Username and password maintenance/generation Login requests Accounting and auditing Examples of centralized authentication systems: Kerberos TACACS+ RADIUS Slide 43

Chapter Summary (continued) Passwords Important part of virtually every authentication system Take one of two general forms: Single-word User password compared against database of password hashes; access granted if match is made Vulnerable to ability of hackers to determine passwords, to user error, and to bad security habits One-time passwords Generated dynamically each time user attempts to log on to network Secret key used to generate single- or multiple-word password Slide 44