Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.


Authenticating Users Chapter 6

Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate and how they identify users Describe user, client, and session authentication List advantages and disadvantages of popular centralized authentication systems

Learning Objectives Be aware of potential weaknesses of password security systems Understand the use of password security tools Be familiar with common authentication protocols used by firewalls

The Authentication Process in General The act of identifying users and providing network services to them based on their identity Three forms Basic authentication Challenge-response authentication Centralized authentication service (often uses two-factor authentication)

How Firewalls Implement the Authentication Process
1. Client makes a request to access a resource
2. Firewall intercepts the request and prompts the user for name and password
3. User submits the information to the firewall
4. User is authenticated
5. Request is checked against the firewall's rule base
6. If the request matches an existing allow rule, the user is granted access
7. User accesses the desired resource

How Firewalls Implement the Authentication Process

Types of Authentication with Firewalls User authentication Client authentication Session authentication

User Authentication Basic authentication; user supplies username and password to access networked resources Users who need to legitimately access your internal servers must be added to your Access Control Lists (ACLs)

User Authentication

Client Authentication Same as user authentication, but the resulting authorization is bound to the client (its IP address) and carries an additional time limit or usage limit When configuring, set up one of two types of sign-on: Standard sign-on (the client is authorized for all permitted services once authenticated) Specific sign-on (the client must authenticate separately for each service)

Client Authentication

Session Authentication Required every time the client establishes a session with a server or other networked resource; the authorization does not outlive the session
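The three firewall authentication types above differ mainly in what the successful authentication is bound to: a single request, a client address (with a time or usage budget), or a single session. The model below is an added example written for this page, not code from the original slides or from any firewall product; the user database, the rule base, the addresses and the `ttl`/`max_uses` parameters are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed user database: salted PBKDF2 hashes, never plaintext passwords.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

# Constructed rule base, first match wins: (user, destination, port, action).
RULES = [
    ("alice", "intranet.example", 443, "allow"),
    ("*", "*", 22, "deny"),
]

def user_authentication(user: str, password: str) -> bool:
    """Basic (per-request) user authentication: username plus password."""
    rec = USERS.get(user)
    if rec is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        _hash_pw(password, b"\0" * 16)
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash_pw(password, salt), digest)

@dataclass
class ClientGrant:
    user: str
    expires_at: float   # client authentication: time limit
    uses_left: int      # client authentication: usage limit

@dataclass
class Firewall:
    grants: dict = field(default_factory=dict)   # client_ip -> ClientGrant
    sessions: set = field(default_factory=set)   # (client_ip, dst, port)

    def rule_allows(self, user: str, dst: str, port: int) -> bool:
        """Step 5/6 of the process: check the identified user against the rule base."""
        for r_user, r_dst, r_port, action in RULES:
            if r_user in ("*", user) and r_dst in ("*", dst) and r_port in ("*", port):
                return action == "allow"
        return False  # default deny

    def client_login(self, client_ip, user, password, ttl, max_uses, now) -> bool:
        """Client authentication: authenticate once, then authorize the client
        address for a limited time and a limited number of requests."""
        if not user_authentication(user, password):
            return False
        self.grants[client_ip] = ClientGrant(user, now + ttl, max_uses)
        return True

    def client_request(self, client_ip, dst, port, now) -> bool:
        g = self.grants.get(client_ip)
        if g is None or now >= g.expires_at or g.uses_left <= 0:
            self.grants.pop(client_ip, None)   # expired or exhausted: re-authenticate
            return False
        g.uses_left -= 1
        return self.rule_allows(g.user, dst, port)

    def open_session(self, client_ip, dst, port, user, password) -> bool:
        """Session authentication: every new session needs its own credentials
        and its own rule-base check; nothing is remembered across sessions."""
        if not user_authentication(user, password):
            return False
        if not self.rule_allows(user, dst, port):
            return False
        self.sessions.add((client_ip, dst, port))
        return True
```

Note that the usage counter is decremented before the rule base is consulted, so a denied request still consumes budget; that is the conservative choice, since a client hammering denied destinations should not get unlimited attempts.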

Comparison of Authentication Methods

Centralized Authentication Centralized server maintains all authorizations for users regardless of where user is located and how user connects to network Most common methods Kerberos TACACS+ (Terminal Access Controller Access Control System) RADIUS (Remote Authentication Dial-In User Service)

Process of Centralized Authentication

Kerberos Authentication Provides mutual authentication and session-key establishment (and hence encryption) between standard clients and servers Uses a Key Distribution Center (KDC) to issue tickets to principals that want access to resources Used internally by Windows 2000 and later Advantages Passwords are never sent across the network; the KDC holds only keys derived from them, and a ticket proves identity without the password Widely used in UNIX environments; enables authentication across operating systems

Kerberos Authentication

TACACS+ Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems); runs over TCP Provides AAA services Authentication Authorization Accounting Obfuscates the entire packet body by XORing it with an MD5-derived keystream keyed by a shared secret (this is not strong encryption; protect the link with IPsec or TLS where possible)

RADIUS Centralized dial-in authentication service that uses UDP Transmits authentication packets largely in the clear: only the User-Password attribute is hidden, by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator; usernames and other attributes are visible to anyone on the path Provides a lower level of security than TACACS+ but is more widely supported

TACACS+ and RADIUS Compared Strength of security Filtering characteristics Proxy characteristics NAT characteristics

Strength of Security

Filtering Characteristics

Proxy Characteristics RADIUS Doesn't work through generic proxy systems, but a RADIUS server can itself act as a proxy, forwarding requests to another RADIUS server (for example by realm, for roaming users) TACACS+ Works with generic proxy systems

NAT Characteristics RADIUS Doesn't work with NAT: the server identifies each client (NAS) by its source IP address to select the shared secret, so a request arriving from a translated address comes from an unknown client and is silently discarded TACACS+ Should work through NAT systems

Password Security Issues Passwords that can be cracked (accessed by an unauthorized user) User error with passwords Lax security habits

Passwords That Can Be Cracked Ways to crack passwords Find a way to authenticate without knowing the password Uncover password from system that holds it Guess the password To avoid the issue Protect passwords effectively Observe security habits

User Error with Passwords Built-in vulnerabilities Often easy to guess Often stored visibly Social engineering To avoid the issues Choose complicated passwords Memorize passwords Never give passwords out to anyone

Lax Security Habits To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)

Password Security Tools One-time password software Shadow password system

One-Time Password Software Password is generated using a secret key Password is used only once, when the user authenticates Different passwords are used for each authentication session Types Challenge-response passwords Password list passwords

Shadow Password System A feature of Linux and other UNIX-like systems that moves password hashes out of the world-readable /etc/passwd into a separate file (/etc/shadow) that only root can read Passwords are never stored in the clear: each is combined with a randomly generated salt and run through a one-way hash function, and only the salt and hash are stored

Other Authentication Systems Single-password systems One-time password systems Certificate-based authentication 802.1x Wi-Fi authentication

Single-Password Systems Operating system password Internal firewall password

One-Time Password Systems S/Key SecurID Axent Pathways Defender

S/Key Password Authentication One-time passwords are presented as a short sequence of words rather than a single word (each 64-bit value is encoded as six words from a fixed dictionary) User specifies a secret passphrase and the number of times n it is to be hashed The passphrase (with a seed) is processed by a one-way hash function n times; the server stores only the final value, never the passphrase Each login presents the previous value in the chain; the server hashes it once, compares with what it stored, and on success stores the presented value, so each password is valid exactly once and an eavesdropper cannot derive the next one
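The hash-chain mechanism described above, as an added example for this page (not the original S/Key code): the client computes the chain from the passphrase and seed, the server stores only the top of the chain and walks down one step per successful login. The real system hashes with MD4 folded to 64 bits and encodes the result as six words; this example assumes SHA-256 truncated to 8 bytes instead, which keeps the 64-bit size without changing the protocol logic. The user name, seed and passphrase are constructed.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    """One chain step. Assumption: SHA-256 truncated to 64 bits stands in for
    S/Key's folded MD4; the chain logic is identical."""
    return hashlib.sha256(data).digest()[:8]

def skey_otp(passphrase: str, seed: str, i: int) -> bytes:
    """Client side: the i-th value of the chain, H^(i+1)(seed || passphrase).
    Only the client ever knows the passphrase; the server sees only chain values."""
    x = _h((seed + passphrase).encode())
    for _ in range(i):
        x = _h(x)
    return x

class SKeyServer:
    """Server side. Stores, per user, the seed, the remaining count, and the
    most recently accepted chain value (initially H^(n+1), i.e. skey_otp(.., n))."""

    def __init__(self, user: str, seed: str, count: int, top_of_chain: bytes):
        self.db = {user: {"seed": seed, "count": count, "last": top_of_chain}}

    def challenge(self, user: str):
        """Tell the client which chain value to present next (count-1) and the seed.
        Both are public; knowing them does not help without the passphrase."""
        rec = self.db[user]
        return rec["count"] - 1, rec["seed"]

    def verify(self, user: str, otp: bytes) -> bool:
        rec = self.db[user]
        if rec["count"] <= 0:
            return False          # chain exhausted: the user must re-initialise with a new seed
        # The presented value must hash to the value we stored last time.
        if not hmac.compare_digest(_h(otp), rec["last"]):
            return False
        rec["last"] = otp         # walk the chain down one step
        rec["count"] -= 1         # a replayed OTP now fails: H(otp) != otp
        return True
```

The server never needs the passphrase and never stores a value from which the next acceptable password can be computed, because that would require inverting the hash. What it must protect is the count: an attacker who can trick the user into answering a challenge for a much lower index than the server will actually ask for (a "small n" attack) learns values that will be valid later, so a real client should refuse challenges whose index is lower than the last one it answered.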

SecurID Password Authentication Uses two-factor authentication A physical object (the token, something you have) A piece of knowledge (the PIN, something you know) Most frequently used one-time password solution with FireWall-1

SecurID Tokens

Axent Pathways Defender Password Authentication Uses two-factor authentication and a challenge-response system

Certificate-Based Authentication FireWall-1 supports the use of digital certificates to authenticate users Organization sets up a Public Key Infrastructure (PKI): a Certificate Authority (CA) issues each user a certificate that binds the user's public key to the user's identity, signed with the CA's private key User presents the certificate to the firewall and proves possession of the matching private key (for example by signing a challenge) Firewall verifies the CA's signature on the certificate, checks validity and revocation status, and verifies the user's signature with the public key in the certificate; the user's private key never leaves the user

802.1x Wi-Fi Authentication Port-based network access control for both wired and wireless Ethernet connections Not supported by FireWall-1 The 802.1x protocol provides for authentication of users before the switch or access point port forwards any traffic Wi-Fi uses the Extensible Authentication Protocol (EAP), carried between the client (supplicant) and the authenticator and typically relayed to a RADIUS server

802.1x Wi-Fi Authentication

Chapter Summary Overview of authentication and its importance to network security How and why firewalls perform authentication services Types of authentication performed by firewalls Client User Session

Chapter Summary Centralized authentication methods that firewalls can use Kerberos TACACS+ RADIUS Password security issues and special password security tools Authentication protocols used by full-featured enterprise-level firewalls