Cisco’s Secure Access Control Server (ACS)


Cisco’s Secure Access Control Server (ACS)
- ACS: Cisco’s AAA server
- A centralized access control solution
- Supports both RADIUS and TACACS+
- Supports Cisco’s Network Access Control (NAC, aka Network Admission Control)

Network Access Control
Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/nac.html
- AAA clients: aka NAD (network access devices), NAS (network access servers)
- Posture validation/assessment: whether a host complies with security policies (e.g., antivirus s/w version & patches)
- In a NAC deployment, the host that is running the Cisco Trust Agent (CTA) application collects posture data from the computer and from any NAC-compliant applications that are installed on the computer.
T. A. Yang, Network Security

ACS
Extensive support for common authentication protocols for end users/devices:
- Passwords
- PAP
- CHAP
- ARAP
- MS-CHAP
- LEAP
- EAP-MD5
- EAP-TLS
- PEAP

Shared Profile Components (SPC)
- A shared profile is a set of authorization components that may be applied to one or more users or groups of users, and referenced by name within their profiles.
- Benefits: scalability (by avoiding repetitions in configuring long lists of devices for commands and other authorization parameters)
- e.g., Downloadable IP ACLs, Network access filters (NAF), RADIUS authorization components (RAC), Shell command authorization sets, …

Downloadable IP ACLs
- A predefined and named set of ACL definitions (aka ACL contents) that can be associated to each applicable user or group of users by referencing its name
- No need to repetitively define the same ACLs for each of the users and groups of users
- RADIUS authentication is required for this feature to work with a client.

Downloadable IP ACLs operate this way
Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp696775
1. When ACS grants a user access to the network, ACS determines whether a downloadable IP ACL is assigned to that user or the user's group.
2. If ACS locates a downloadable IP ACL that is assigned to the user or the user's group, it determines whether an ACL content entry is associated with the AAA client that sent the RADIUS authentication request.
3. ACS sends, as part of the user session, a RADIUS access-accept packet with an attribute specifying the named ACL and the version of the named ACL.
4. If the AAA client responds that it does not have the current version of the ACL in its cache (that is, the ACL is new or has changed), ACS sends the ACL (new or updated) to the device.
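The four steps above, modelled as an added example (not ACS code and not from the slides): the server side picks the ACL content entry for the requesting AAA client and advertises only the ACL name and a content-derived version, and the client side fetches the ACEs only when its cached version is stale. The NAF names, client IPs, ACEs and the hash-based version tag are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample configuration. NAFs: named groups of AAA clients, keyed here by client IP.
NAFS = {"branch-routers": {"10.1.1.1", "10.1.1.2"}, "campus-switches": {"10.2.0.5"}}

@dataclass
class DownloadableACL:
    name: str
    contents: dict  # NAF name (or "default") -> list of ACE strings for that device class

    def version(self, naf: str) -> str:
        # Version tag derived from the content, so it changes whenever the ACEs change.
        return hashlib.sha256("\n".join(self.contents[naf]).encode()).hexdigest()[:8]

ACLS = {"guest-acl": DownloadableACL("guest-acl", {
    "branch-routers": ["permit tcp any any eq 80", "deny ip any any"],
    "default": ["permit ip any host 10.0.0.53", "deny ip any any"],
})}
USER_ACL = {"alice": "guest-acl"}  # assignment through the user or the user's group

def select_naf(client_ip: str) -> str:
    return next((n for n, members in NAFS.items() if client_ip in members), "default")

def access_accept(user: str, client_ip: str) -> dict:
    """Steps 1-3: find the user's ACL, pick the content entry matching the requesting
    AAA client, and advertise only name + version inside the Access-Accept."""
    acl_name = USER_ACL.get(user)
    if acl_name is None:
        return {"code": "Access-Accept"}
    acl = ACLS[acl_name]
    naf = select_naf(client_ip)
    if naf not in acl.contents:
        naf = "default"
    return {"code": "Access-Accept", "acl-name": acl_name, "acl-version": acl.version(naf), "naf": naf}

def nad_session(user: str, client_ip: str, cache: dict) -> tuple:
    """Step 4 from the AAA client's side: compare the advertised version with the
    local cache and fetch the ACL only when new or changed. Returns (ACEs, downloaded?)."""
    accept = access_accept(user, client_ip)
    if "acl-name" not in accept:
        return None, False
    name = accept["acl-name"]
    if cache.get(name, {}).get("version") == accept["acl-version"]:
        return cache[name]["aces"], False  # current copy already cached, nothing sent
    aces = list(ACLS[name].contents[accept["naf"]])  # ACS sends the new/updated ACL
    cache[name] = {"version": accept["acl-version"], "aces": aces}
    return aces, True
```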

Network access filters (NAF)
Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp696560
- A named group of any combination of one or more of the following network elements: IP addresses, AAA clients (network devices), network device groups (NDGs)
- You can add a NAF that contains any combination of NDGs, network devices (AAA clients), or IP addresses.
- Benefits:
  - Defining a NAF saves you the effort of listing each AAA client explicitly.
  - Network devices (e.g., all NAC-L3-IP devices or all NAC-L2-IP devices) can be included in a single NAF for easy reference and application of authentication functions.

Discussions
Bahiji p.294: “Before NAF, per-device access restriction was not an option. … With NAF, granular application of access restrictions and downloadable ACLs is now possible, …”
p.293: “NAF regulates the access control on the basis of a AAA client’s IP address. Hence, ACLs can be uniquely tailored on a per-user, per-device basis.”
Q: Do you agree with the author that per-device access restriction is the primary benefit of using NAF?

RADIUS authorization components (RAC)

Shell command authorization sets

Network access restrictions (NAR)

Machine access restrictions (MAR)

Network access profiles (NAP)

Support for NAC (Network Access Control)
- Goal of NAC: A self-defending network (meaning?)
- In addition to verifying the user identity, the NAS also validates the user computer’s posture.
- Two implementation options:
  - Cisco NAC Appliance Solution (Cisco package)
  - Cisco NAC Framework (with 3rd party products)
- More later …

ACS support for Multifactor Authentication
- Authentication with two or more factors is desirable (and more secure).
- ACS supports two-factor authentication with:
  - ASCII Password Authentication Protocol (PAP)
  - Protected Extensible Authentication Protocol (PEAP)
  - Extensible Authentication Protocol Generic Token Card (EAP-GTC), using token servers ?

Vulnerability with Static Passwords
- Static passwords are used over a period of time
- Subject to brute force attacks and dictionary attacks
- Eavesdropping attack → replayed passwords
- Q: Would encryption help?
- Solution: Continually change the passwords → One-time passwords (OTP)

One-Time Passwords
- A different password is sent to the authentication server each time a user is authenticated.
- A password is used one time only → a replayed password is useless.
- Three mechanisms:
  - Math algorithm: initial seed + hash(previous password) → next password
  - Challenge/Response (prerequisite?)
  - Time-synchronized
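The “math algorithm” mechanism worked through as an added example (not from the slides), in the S/KEY style: the client derives a chain p0 = seed, p1 = hash(p0), …, pn and reveals it backwards, so the server needs to store only the last accepted value and a captured password is rejected on replay, which is the weakness of the static-password slide above. The seed, chain length and SHA-256 are constructed choices.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_chain(seed: bytes, n: int) -> list:
    """p0 = seed, p1 = h(p0), ..., pn = h^n(seed). Only the client holds this list."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class OTPServer:
    """Stores only the last accepted password (initially p_n), never the seed,
    so a copy of the server database does not yield any future password."""
    def __init__(self, anchor: bytes):
        self.anchor = anchor

    def verify(self, candidate: bytes) -> bool:
        # The client reveals p_(i-1); it is valid iff hashing it gives the stored p_i.
        if not hmac.compare_digest(h(candidate), self.anchor):
            return False
        self.anchor = candidate  # advance: the value just used can never be replayed
        return True

class OTPClient:
    """Walks the chain backwards, so each password sent is the preimage of the last."""
    def __init__(self, seed: bytes, n: int):
        self.chain, self.next_index = make_chain(seed, n), n - 1

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-seed the token")
        p = self.chain[self.next_index]
        self.next_index -= 1
        return p

def demo() -> tuple:
    """Constructed run: one login, an eavesdropper's replay of it, then the next login."""
    seed = b"constructed-seed-value"
    client = OTPClient(seed, 5)
    server = OTPServer(make_chain(seed, 5)[-1])  # enrolment: the server receives p_5 only
    p = client.next_password()
    first = server.verify(p)
    replayed = server.verify(p)
    second = server.verify(client.next_password())
    return first, replayed, second
```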

Authentication Factors
- What the user knows
- What the user has: smart cards, tokens (h/w or s/w)
- What the user is: biometric features
- Where the user is: GPS-based authentication
- Combination of the above factors

RSA SecurID
- A h/w or s/w token
- Each token has a built-in random key (the seed)
- Time-synchronized OTP
- Q: What are the two factors?
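A time-synchronized token scheme, added here as an example of the mechanism rather than RSA's proprietary algorithm: the code is derived from the token's seed and the current time step (HMAC-based truncation as in RFC 4226/6238, an assumption), the server tolerates a small clock drift window, and it remembers the last accepted step so a code seen by an eavesdropper cannot be reused inside that window. The 60-second step, the PIN and the seed are constructed.

```python
import hashlib
import hmac
import struct

STEP = 60         # seconds per code (constructed; tokens rotate on a fixed interval)
DRIFT_STEPS = 1   # neighbouring time steps the server accepts to absorb clock drift

def time_counter(unix_time: int, step: int = STEP) -> int:
    return unix_time // step

def otp_for(seed: bytes, counter: int, digits: int = 6) -> str:
    """Code for one time step: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class TokenServer:
    """Holds each user's seed, PIN and the last accepted counter."""
    def __init__(self):
        self.seeds, self.pins, self.last_counter = {}, {}, {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.seeds[user], self.pins[user], self.last_counter[user] = seed, pin, -1

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        """Passcode = PIN (something known) + token code (something held)."""
        seed = self.seeds.get(user)
        if seed is None or not hmac.compare_digest(pin, self.pins[user]):
            return False
        centre = time_counter(now)
        for c in range(centre - DRIFT_STEPS, centre + DRIFT_STEPS + 1):
            # Reject any step already consumed, so a captured code cannot be replayed.
            if c > self.last_counter[user] and hmac.compare_digest(code, otp_for(seed, c)):
                self.last_counter[user] = c
                return True
        return False
```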

ACS’s Support for Token Servers
ACS supports two types of token servers:
- RADIUS token server: a token server with a RADIUS i/f. ACS communicates with the token server using the RADIUS i/f.
- Non-RADIUS token server: RSA SecurID token servers do not support the RADIUS protocol. ACS uses RSA’s client s/w to communicate with the RSA token server.

Authentication using Token Servers
Source: http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00803deae1.html#wp1015122

ACS’s Support for Token Servers
Cisco Secure ACS software supports authentication from these authentication servers:
- CRYPTOCard
- SecurID ACE/Server
- SafeWord from Secure Computing
For each token server you plan to support, make sure you have properly installed the corresponding software before installing the Cisco Secure ACS.