Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.

Published bySamuel Marsh Modified over 8 years ago

Similar presentations

Presentation on theme: "Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC."— Presentation transcript:

1

2 Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC

3 Security+ Chapter 1 – Basics of Security Brian E. Brzezicki

4 First Some Terms (NB) First we have to discuss some terms we will use again and again Protocol – an official set of steps or language for communication Algorithm – a specific set of steps to solve a problem or do some task String – a series of characters. Example if a character can be a- z and 0-9 an 8 character string might be “ar01z14b” Control – a countermeasure or attempt to mitigate a security risk. Example. A firewall is technical control. Policies are HR controls. Encryption is a technical control.

5 CIA No… Not that CIA

6 CIA (54-57) 3 Fundamental Principles of Security Confidentiality  controls Integrity  controls Availability  Controls Closely related Non-repudiation  controls

7 Defense in Depth (58-59) No one security control should be completely relied upon. Instead have many overlapping security controls. Network based firewall Host based firewall IDS system Access controls Proper patching and maintenance practices This is also referred to as “Layered Security”

8 Diversity of Defense (n/b) With a single control type, use multiple vendors/models. Why Examples

9 Implicit Deny (59) Fundamental security rule. If you do NOT explicitly have authorization, then you are implicitly DENIED access. Should be the default rule for ALL access controls. Usually seen in firewalls and access control lists

10 Use Devices as Intended (60) Security Devices have been fortified for security, do NOT intermingle security and non-security devices as you weaken the security and provide attack vectors. Similarly try to have every service in your network on a separate server that’s dedicated only to that tasks. Virtualization makes this EASY today!

11 Authentication Proving that you are who you say you are 3 factors Something you __________________ (more details of each in next slides)

12 Something you know (61-65) Passwords –what’s a password? Use strong passwords  What does that mean Do not write down passwords Do not share passwords Change passwords regularly  How often Do not reuse passwords Use account lockout policies  What is a lockout policy Change system default passwords Inform users of Previous Logons

13 Something You Know Passphrase I Like Iced Tea And Lemon With Cranberry I L I T A L W C 1 L 1 t @ ! w c

14 Something You Have (65-67)

15 Something You Are (67-69) Biometrics Physically Based or Behaviorally Based What is the difference between these two Type 1, Type 2 errors, CER (images in a few slides) Finger printVoice Print Iris Scan (see next slide)Retinal Scan (see next slide) Face GeometryKeystroke Dynamics

16 Finger Print

17 Retina Scan

18 Iris Scan

19 CER (n/b) Crossover Error Rate (CER) is an important metric that is stated as a percentage that represents the point at which the false rejection rate equals the false positive rate. Use CER to compare vendors products objectively Lower number CER is better/more accurate. (3 is better than an 4) Also called Equal Error Rate

20 CER (n/b)

21 Multifactor Authentication (69) For best security, use 2 or more of these for authentication. This is called “multi-factor” authentication or “strong authentication Why use Multifactor Authentication? Is a password and a passphrase multifactor? ”

22 Identity Proofing (69) Verifying someone is who they say they are before issuing authentication credentials initially or after they are lost This is NOT authentication but works hand in hand. Someone must prove their identity before getting authentication credentials.

23 Password Reset Systems (71) Allows users to reset their passwords, often saves IT staff time and money. Cognitive Passwords Issues? Email a password reset link Physically mail a new PIN

24 Kerberos (71)

25 A network authentication protocol designed from MITs project Athena. Kerberos tries to ensure authentication security in an insecure environment Used in Windows2000+ and some Unix Allows for single sign on Never transfers passwords Uses PRIVATE key encryption to verify Identifications

26 Kerberos Components Principals – users or network services KDC – Key Distribution Center, stores secret keys (passwords) for principals Tickets Ticket Granting Ticket (TGT) gets you more tickets Service Tickets – access to specific network services (ex. File sharing) Realms – a grouping of principals that a KDC provides service for, looks like a domain name Example: somedepartment.mycompany.com

27 Kerberos Concerns Computers must have clocks synchronized within 5 minutes of each other Tickets are stored on the workstation. If the workstation is compromised your identity can be forged. Single point of failure if no backup KDC If your KDC is hacked, security is lost Use TCP and UDP port 88

28 LDAP (73) A centralized Directory of Users and Objects. LDAP is a protocol to access a X.500 compliant database Active Directory Implements LDAP LDAP ports are TCP / 389 TCP / 636 (SSL/secure)

29 Mutual Authentication (73) The process of having BOTH the client authenticate to the server AND the server authenticate to the client. Are you safe when you go to a website that asks for a username and password? How do you really know it’s the website? Should the client authenticate to the server first, or the server to the client? Does it matter which order?

30 Single Sign On I love having 40 different passwords… I just carry them all around in a laminated card in my wallet ;-) What’s the purpose of single sign on? Advantages Disadvantages

31 SIDS and UIDS (74) In any environment where you want to have access control, you MUST uniquely identifier subjects. Most systems have a friendly username however the system tracks by a number (similar to a SSN) SID (Windows) Ex. S 1 5 21-3623811015-3361044348-30300820 1014 500 = Administrator, 512 = Domain Admin Group UID (Unix) Ex. 5125 0 is the superuser UID on Unix systems

32 Windows ACLs The basic permissions ACL permissions are Full Control Modify Read Read and Execute Write

33 Network Authentication (78) There are Different types of ways to validate your identity over the network. For the security+ exam you should be aware of the following that will be discuss on the upcoming slides PAP CHAP MS-CHAP MS-CHAPv2 RADIUS TACACS+

34 PAP (79) Password Authentication Protocol – Simply put your username and password over the wire. Advantages Disadvantages

35 CHAP

36 CHAP (79 - 81) Challenge Handshake Authentication Protocol – Avoids ever sending a password. Server knows your password, as do you 1.Server creates a “challenge”, example: banana and an increasing number 2.You take the challenge + number + your password and do a hash of it, send the hash to the server 3.Server calculates the hash the same way, and compares if your hash is the same as it’s hash, if so you must be who you say you are. Advantages Avoids reply attacks Never sends password in plaintext

37 MS-CHAP (81) A Microsoft version of CHAP does not require the password stored in clear text MS-CHAPv2 Allows for mutual authentication

38 Radius (83) Network AAA protocol Connectionless protocol, using UDP Ports used 1812 / UDP (authentication) 1813 (accounting) Main messages sent Access-Request Access-Challenge Access-Accept Access-Reject (more)

39 Radius (83)

40 Uses “attribute/pair” values (256 different possible attributes/8 bits) Ex: Framed-IP-Address: 192.168.1.1 Can use PAP, CHAP, EAP for authentication Problems No encryption of data (except login info) Minimal number of permissions (8 bits worth) Server cannot “kick off users” from NAS

41 TACACS+ Similar to Radius Used for network AAA Created by Cisco Attribute/Value Pairs Designed to separate each of the AAA components Uses TCP / 49

Download ppt "Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC."

Similar presentations

Authentication.

Authentication.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Access Control Methodologies

Access Control Methodologies
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling.

Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling.
Authentication & Kerberos

Authentication & Kerberos
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.

Similar presentations

Ads by Google