Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security+ Guide to Network Security Fundamentals, Third Edition

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security+ Guide to Network Security Fundamentals, Third Edition"— Presentation transcript:

1 Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 8 Authentication

2 Objectives Define authentication
Describe the different types of authentication credentials List and explain the authentication models Security+ Guide to Network Security Fundamentals, Third Edition

3 Objectives (continued)
Define authentication servers Describe the different extended authentication protocols Explain how a virtual private network functions Security+ Guide to Network Security Fundamentals, Third Edition

4 Definition of Authentication
Authentication can be defined in two contexts The first is viewing authentication as it relates to access control The second is to look at it as one of the three key elements of security—authentication, authorization, and accounting Security+ Guide to Network Security Fundamentals, Third Edition

5 Authentication and Access Control Terminology
Access control is the process by which resources or services are granted or denied Identification The presentation of credentials or identification Authentication The verification of the credentials to ensure that they are genuine and not fabricated Authorization Granting permission for admittance Access is the right to use specific resources Security+ Guide to Network Security Fundamentals, Third Edition

6 Authentication, Authorization, and Accounting (AAA)
Authentication in AAA provides a way of identifying a user Typically by having them enter a valid password before granting access Authorization is the process that determines whether the user has the authority to carry out certain tasks Often defined as the process of enforcing policies Accounting measures the resources a user “consumes” during each network session Security+ Guide to Network Security Fundamentals, Third Edition

7 Authentication, Authorization, and Accounting (AAA) (continued)
The information can then be used in different ways: To find evidence of problems For billing For planning AAA servers Servers dedicated to performing AAA functions Can provide significant advantages in a network Security+ Guide to Network Security Fundamentals, Third Edition

8 Authentication Credentials
Types of authentication, or authentication credentials Passwords One-time passwords Standard biometrics Behavioral biometrics Cognitive biometrics Security+ Guide to Network Security Fundamentals, Third Edition

9 One-Time Passwords Standard passwords are typically static in nature
One-time passwords (OTP) Dynamic passwords that change frequently Systems using OTPs generate a unique password on demand that is not reusable The most common type is a time-synchronized OTP Used in conjunction with a token The token and a corresponding authentication server share the same algorithm Each algorithm is different for each user’s token Security+ Guide to Network Security Fundamentals, Third Edition

10 One-Time Passwords (continued)
Security+ Guide to Network Security Fundamentals, Third Edition

11 Security+ Guide to Network Security Fundamentals, Third Edition

12 One-Time Passwords (continued)
There are several variations of OTP systems Challenge-based OTPs Authentication server displays a challenge (a random number) to the user User then enters the challenge number into the token Which then executes a special algorithm to generate a password Because the authentication server has this same algorithm, it can also generate the password and compare it against that entered by the user Security+ Guide to Network Security Fundamentals, Third Edition

13 Standard Biometrics Standard biometrics Types of fingerprint scanners
Uses a person’s unique characteristics for authentication (what he is) Examples: fingerprints, faces, hands, irises, retinas Types of fingerprint scanners Static fingerprint scanner Dynamic fingerprint scanner Disadvantages Costs Readers are not always foolproof Security+ Guide to Network Security Fundamentals, Third Edition

14 Standard Biometrics (continued)
Security+ Guide to Network Security Fundamentals, Third Edition

15 Behavioral Biometrics
Authenticates by normal actions that the user performs Keystroke dynamics Attempt to recognize a user’s unique typing rhythm Keystroke dynamics uses two unique typing variables Dwell time Flight time Security+ Guide to Network Security Fundamentals, Third Edition

16 Behavioral Biometrics (continued)
Security+ Guide to Network Security Fundamentals, Third Edition

17 Behavioral Biometrics (continued)
Security+ Guide to Network Security Fundamentals, Third Edition

18 Behavioral Biometrics (continued)
Voice recognition Used to authenticate users based on the unique characteristics of a person’s voice Phonetic cadence Speaking two words together in a way that one word “bleeds” into the next word Becomes part of each user’s speech pattern Computer footprint When and from where a user normally accesses a system Security+ Guide to Network Security Fundamentals, Third Edition

19 Cognitive Biometrics Cognitive biometrics
Related to the perception, thought process, and understanding of the user Considered to be much easier for the user to remember because it is based on the user’s life experiences One example of cognitive biometrics is based on a life experience that the user remembers Another example of cognitive biometrics requires the user to identify specific faces Security+ Guide to Network Security Fundamentals, Third Edition

20 Security+ Guide to Network Security Fundamentals, Third Edition

21 Authentication Models
Single and multi-factor authentication One-factor authentication Using only one authentication credential Two-factor authentication Enhances security, particularly if different types of authentication methods are used Three-factor authentication Requires that a user present three different types of authentication credentials Security+ Guide to Network Security Fundamentals

22 Authentication Models (continued)
Single sign-on Identity management Using a single authenticated ID to be shared across multiple networks Federated identity management (FIM) When those networks are owned by different organizations One application of FIM is called single sign-on (SSO) Using one authentication to access multiple accounts or applications Security+ Guide to Network Security Fundamentals, Third Edition

23 Authentication Models (continued)
Windows Live ID Originally introduced in 1999 as .NET Passport Requires a user to create a standard username and password When the user wants to log into a Web site that supports Windows Live ID The user will first be redirected to the nearest authentication server Once authenticated, the user is given an encrypted time-limited “global” cookie Security+ Guide to Network Security Fundamentals, Third Edition

24 Authentication Models (continued)
Windows CardSpace Feature of Windows that is intended to provide users with control of their digital identities while helping them to manage privacy Types of cards Manage cards Personal cards Security+ Guide to Network Security Fundamentals, Third Edition

25 Authentication Models (continued)
Security+ Guide to Network Security Fundamentals, Third Edition

26 Authentication Models (continued)
OpenID A decentralized open source FIM that does not require specific software to be installed on the desktop A uniform resource locator (URL)-based identity system An OpenID identity is only a URL backed up by a username and password OpenID provides a means to prove that the user owns that specific URL Security+ Guide to Network Security Fundamentals, Third Edition

27 Authentication Servers
Authentication can be provided on a network by a dedicated AAA or authentication server The most common type of authentication and AAA servers are RADIUS, Kerberos, TACACS+, and generic servers built on the Lightweight Directory Access Protocol (LDAP) Security+ Guide to Network Security Fundamentals, Third Edition

28 RADIUS RADIUS (Remote Authentication Dial in User Service)
Developed in 1992 Quickly became the industry standard with widespread support Suitable for what are called “high-volume service control applications” With the development of IEEE 802.1x port security for both wired and wireless LANs RADIUS has recently seen even greater usage Security+ Guide to Network Security Fundamentals, Third Edition

29 RADIUS (continued) A RADIUS client is typically a device such as a dial-up server or wireless access point (AP) Responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server The RADIUS server authenticates and authorizes the RADIUS client request Sends back a RADIUS message response RADIUS clients also send RADIUS accounting messages to RADIUS servers Security+ Guide to Network Security Fundamentals, Third Edition

30 Security+ Guide to Network Security Fundamentals, Third Edition

31 Kerberos Kerberos Kerberos process
An authentication system developed by the Massachusetts Institute of Technology (MIT) Used to verify the identity of networked users Kerberos process User is provided a ticket that is issued by the Kerberos authentication server The user presents this ticket to the network for a service The service then examines the ticket to verify the identity of the user Security+ Guide to Network Security Fundamentals, Third Edition

32 Terminal Access Control Access Control System (TACACS+)
An industry standard protocol specification that forwards username and password information to a centralized server The centralized server can either be a TACACS+ database Or a database such as a Linux or UNIX password file with TACACS protocol support Security+ Guide to Network Security Fundamentals, Third Edition

33 Lightweight Directory Access Protocol (LDAP)
Directory service A database stored on the network itself that contains information about users and network devices X.500 A standard for directory services Created by ISO White-pages service Capability to look up information by name Yellow-pages service Browse and search for information by category Security+ Guide to Network Security Fundamentals, Third Edition

34 Lightweight Directory Access Protocol (LDAP) (continued)
The information is held in a directory information base (DIB) Entries in the DIB are arranged in a tree structure called the directory information tree (DIT) Directory Access Protocol (DAP) Protocol for a client application to access an X.500 directory DAP is too large to run on a personal computer Security+ Guide to Network Security Fundamentals, Third Edition

35 Lightweight Directory Access Protocol (LDAP) (continued)
Sometimes called X.500 Lite A simpler subset of DAP Primary differences LDAP was designed to run over TCP/IP LDAP has simpler functions LDAP encodes its protocol elements in a less complex way than X.500 LDAP is an open protocol Security+ Guide to Network Security Fundamentals, Third Edition

36 Extended Authentication Protocols (EAP)
Extensible Authentication Protocol (EAP) Management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server An “envelope” that can carry many different kinds of exchange data used for authentication The EAP protocols can be divided into three categories: Authentication legacy protocols, EAP weak protocols, and EAP strong protocols Security+ Guide to Network Security Fundamentals, Third Edition

37 Security+ Guide to Network Security Fundamentals, Third Edition

38 Authentication Legacy Protocols
No longer extensively used for authentication Three authentication legacy protocols include: Password Authentication Protocol (PAP) Challenge-Handshake Authentication Protocol (CHAP) Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) Security+ Guide to Network Security Fundamentals, Third Edition

39 EAP Weak Protocols Still used but have security vulnerabilities
EAP weak protocols include: Extended Authentication Protocol–MD5 (EAP-MD5) Lightweight EAP (LEAP) Security+ Guide to Network Security Fundamentals, Third Edition

40 EAP Strong Protocols EAP strong protocols include:
EAP with Transport Layer Security (EAP-TLS) EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP) Security+ Guide to Network Security Fundamentals, Third Edition

41 Remote Authentication and Security
Important to maintain strong security for remote communications Transmissions are routed through networks or devices that the organization does not manage and secure Managing remote authentication and security usually includes: Using remote access services Installing a virtual private network Maintaining a consistent remote access policy Security+ Guide to Network Security Fundamentals, Third Edition

42 Remote Access Services (RAS)
Any combination of hardware and software that enables access to remote users to a local internal network Provides remote users with the same access and functionality as local users Security+ Guide to Network Security Fundamentals, Third Edition

43 Virtual Private Networks (VPNs)
Virtual private network (VPN) One of the most common types of RAS Uses an unsecured public network, such as the Internet, as if it were a secure private network Encrypts all data that is transmitted between the remote device and the network Common types of VPNs Remote-access VPN or virtual private dial-up network (VPDN) Site-to-site VPN Security+ Guide to Network Security Fundamentals, Third Edition

44 Security+ Guide to Network Security Fundamentals, Third Edition

45 Virtual Private Networks (VPNs) (continued)
VPN transmissions are achieved through communicating with endpoints Endpoint End of the tunnel between VPN devices VPN concentrator Aggregates hundreds or thousands of multiple connections Depending upon the type of endpoint that is being used, client software may be required on the devices that are connecting to the VPN Security+ Guide to Network Security Fundamentals, Third Edition

46 Virtual Private Networks (VPNs) (continued)
VPNs can be software-based or hardware-based Software-based VPNs offer the most flexibility in how network traffic is managed Hardware-based VPNs generally tunnel all traffic they handle regardless of the protocol Generally, software based VPNs do not have as good of performance or security as a hardware-based VPN Security+ Guide to Network Security Fundamentals, Third Edition

47 Virtual Private Networks (VPNs) (continued)
Advantages of VPN technology: Cost savings Scalability Full protection Speed Transparency Authentication Industry standards Security+ Guide to Network Security Fundamentals, Third Edition

48 Virtual Private Networks (VPNs) (continued)
Disadvantages to VPN technology: Management Availability and performance Interoperability Additional protocols Performance impact Expense Security+ Guide to Network Security Fundamentals, Third Edition

49 Remote Access Policies
Establishing strong remote access policies is important Some recommendations for remote access policies: Remote access policies should be consistent for all users Remote access should be the responsibility of the IT department Form a working group and create a standard that all departments will agree to Security+ Guide to Network Security Fundamentals, Third Edition

50 Summary Access control is the process by which resources or services are denied or granted There are three types of authentication methods Authentication credentials can be combined to provide extended security Authentication can be provided on a network by a dedicated AAA or authentication server The management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server is known as the Extensible Authentication Protocol (EAP) Security+ Guide to Network Security Fundamentals, Third Edition

51 Summary (continued) Organizations need to provide avenues for remote users to access corporate resources as if they were sitting at a desk in the office Security+ Guide to Network Security Fundamentals, Third Edition

Download ppt "Security+ Guide to Network Security Fundamentals, Third Edition"

Similar presentations

Authentication.

Authentication.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Access Control Methodologies

Access Control Methodologies
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.
Remote Access Network Management Kelly Given Allison Traina.

Remote Access Network Management Kelly Given Allison Traina.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Windows 2000 Remote Access. Remote Access Overview With Windows 2000 remote access, remote access clients connect to remote access servers and are transparently.

Windows 2000 Remote Access. Remote Access Overview With Windows 2000 remote access, remote access clients connect to remote access servers and are transparently.
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
.  Define authentication  Authentication credentials  Authentication models  Authentication servers  Extended authentication protocols  Virtual.

.  Define authentication  Authentication credentials  Authentication models  Authentication servers  Extended authentication protocols  Virtual.

Similar presentations

Ads by Google