Module 8: Designing Security for Authentication. Overview Creating a Security Plan for Authentication Creating a Design for Security of Authentication.


1 Module 8: Designing Security for Authentication

2 Overview
  Creating a Security Plan for Authentication
  Creating a Design for Security of Authentication

3 Lesson 1: Creating a Security Plan for Authentication
  MSF and Security of Authentication
  Defense in Depth and Security of Authentication
  Authentication Security
  STRIDE Threat Model and Security of Authentication
  Activity: Identifying Threats to Authentication

4 MSF and Security of Authentication
The MSF envisioning and planning phases help you to:
  Decide which locations your plan will help to protect
  Consider all the authentication used in your environment:
    Operating systems
    Applications
    Remote access
(Figure: the MSF phase diagram, with the Envision and Plan phases highlighted)

5 Defense in Depth and Security of Authentication
(Figure: the defense-in-depth layers, from outermost to innermost)
  Policies, Procedures, and Awareness
  Physical Security
  Perimeter
  Internal Network
  Host
  Application
  Data

6 Authentication Security
Vulnerability area | Text
  Passwords
    Passwords are transmitted in plaintext
    Password hashes are transmitted across the network
    Passwords are intercepted by Trojan horse applications
  Compatibility
    Older software uses weaker authentication methods
    Authentication protocols are weakened for use with other applications
    Incompatibility with non-Microsoft applications
  Encryption
    An application uses weak authentication
    Older operating systems use weaker authentication methods
    An attacker intercepts and relays authentication packets

7 STRIDE Threat Model and Security of Authentication
Match each vulnerability to the STRIDE threat category it represents.
Vulnerabilities:
  An attacker intercepts and relays authentication packets
  Passwords are transmitted in plaintext
  Authentication protocols are weakened for use with other applications
  An application uses weak encryption
  Older software uses weak authentication methods
  Incompatibility with non-Microsoft applications
STRIDE threat categories:
  Spoofing
  Tampering
  Repudiation
  Information disclosure
  Denial of service
  Elevation of privilege

8 Activity: Identifying Threats to Authentication
In this practice you will:
  Read the scenario
  Answer the questions
  Discuss with the class

9 Lesson 2: Creating a Design for Security of Authentication
  Determine Authentication Methods
  Considerations for Securing Authentication on a Network
  Considerations for Authenticating Web Users
  Considerations for Authenticating VPN Users
  What Is Multifactor Authentication?
  What Is RADIUS?
  Considerations for Authenticating Wireless Users
  Considerations for Authenticating Network Devices

10 Determine Authentication Methods
To determine authentication requirements:
  1. Analyze requirements for authentication security
  2. Identify compatibility requirements of operating systems
  3. Identify compatibility requirements of applications
  4. Identify authentication requirements of applications
  5. Design an implementation strategy

11 Considerations for Securing Authentication on a Network
When using the Kerberos version 5 authentication protocol, consider:
  Interoperability with Kerberos realms
  Time synchronization
When using the LAN Manager and NTLM authentication protocols, consider:
  Removing LAN Manager password hashes
  Configuring the LAN Manager compatibility level
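The two LAN Manager/NTLM settings named on this slide are both held under the LSA registry key. The following PowerShell script is an added example, not part of the course material: it reports the current value of each setting next to a hardened target and, once the report has been reviewed, applies the target. The registry path and value names are the documented Windows settings; the target values (NTLMv2-only at level 5, LM hash storage disabled) are this example's choice, and the lab machine it runs on is assumed to be stand-alone, since on a domain member a Group Policy setting for the same values would override whatever is written here.

```powershell
# Added example (not from the course slides): audit and harden the LAN Manager
# settings that slide 11 names. Run in an elevated session.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel controls which response types the client sends and
# which the server accepts: 0 sends LM and NTLM, 3 sends NTLMv2 only,
# 5 sends NTLMv2 only and also refuses LM and NTLM at the server.
# NoLMHash = 1 stops Windows from storing the LM hash of newly set passwords.
# Both target values are this example's choice, not values from the slide.
$desired = [ordered]@{
    LmCompatibilityLevel = 5
    NoLMHash             = 1
}

function Get-LmSetting {
    param([Parameter(Mandatory)][string]$Name)
    # An absent value means the Windows default for that OS version applies,
    # which is reported as $null rather than treated as hardened.
    $item = Get-ItemProperty -Path $lsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LmHardening {
    # One row per setting: current value, desired value, and OK/WEAK verdict.
    foreach ($name in $desired.Keys) {
        $current = Get-LmSetting -Name $name
        $status  = if ($current -eq $desired[$name]) { 'OK' } else { 'WEAK' }
        [pscustomobject]@{
            Setting = $name
            Current = $current
            Desired = $desired[$name]
            Status  = $status
        }
    }
}

function Set-LmHardening {
    # Writes the target values. NoLMHash only affects passwords changed after
    # it is set; LM hashes already stored remain until each account's next
    # password change, so a forced change is part of the rollout.
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $lsaKey -Name $name -Value $desired[$name] -Type DWord
    }
}

Test-LmHardening | Format-Table -AutoSize
# Apply only after the report above has been reviewed:
# Set-LmHardening
```

Before raising LmCompatibilityLevel to 5 on a server, check the audit log for clients that still authenticate with LM or NTLMv1 (the slide's "older software" and "older operating systems" rows), because level 5 makes the server refuse them outright. For the Kerberos item on the same slide, the companion check is clock offset against the domain controller: Kerberos rejects tickets whose timestamp differs from the KDC's clock by more than the configured tolerance (five minutes by default in Windows), and `w32tm /stripchart /computer:<dc-name> /samples:3 /dataonly` shows the current offset.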

12 Considerations for Authenticating Web Users
IIS authentication | Considerations
  Anonymous authentication
    Uses a single account
    Does not require users to provide credentials
  Basic authentication
    Sends user names and passwords in plaintext
    Supported by all browsers
    Secure with SSL or TLS
  Digest authentication
    Uses a user name, a password, and a nonce
    Supported by all web browsers
  Advanced digest authentication
    Uses credentials stored as part of Active Directory
    Internet Explorer only
  Integrated Windows authentication
    Internet Explorer only
    Cannot be used with proxy servers or firewalls
  Windows Live ID
    Users create a single sign-in name and password for access to all Windows Live ID-enabled Web sites
  Certificate-based authentication
    Requires a PKI
    Does not require a user to enter a password

13 Considerations for Authenticating VPN Users
VPN authentication | Considerations
  CHAP
    Requires that passwords are stored with reversible encryption
    Is compatible with Macintosh and UNIX-based clients
    Disallows data encryption
  MS-CHAP
    Used by client computers running Windows 95
    Supports only client computers running Microsoft applications
  MS-CHAPv2
    Performs mutual authentication
    Installed by default
  EAP-TLS
    Requires a PKI
    Enables multifactor authentication
  RADIUS
    RADIUS servers can provide a proxy service to forward authentication requests

14 What Is Multifactor Authentication?
Factors | Examples
  Pass code
    User name and password
    PIN
  Physical item
    Smart card
    Hardware or software token
  Personal characteristic
    Thumbprint
    Voice

15 What Is RADIUS?
(Figure: VPN user, VPN server, and RADIUS server on the network)
  1. User connects to VPN server
  2. VPN server sends credentials to RADIUS server for authentication

16 Considerations for Authenticating Wireless Users
Wireless authentication | Consideration
  WEP
    Uses a shared key to control access
    Uses same key as a base for encrypting traffic
  MAC filtering
    Allows only a predefined group of client computers to access the network
  WPA or WPA2
    Uses TKIP to continually change key, unlike WEP
    Can use a pre-shared key
    WPA2 uses stronger encryption algorithm
  PEAP
    A one-way authentication scheme that uses TLS to create an encrypted channel from the authentication server
    Does not require a PKI
  EAP-TLS
    Requires a PKI
    Provides mutual authentication

17 Considerations for Authenticating Network Devices
To design user authentication for network devices, determine:
  How user accounts and passwords are stored
  How to integrate the authentication protocol with Windows-based computers
  How credentials are transmitted across the network
  How you can audit authentication

18 Lab: Designing Security for Authentication
  Exercise 1: Identifying Potential Authentication Vulnerabilities
  Exercise 2: Implementing Countermeasures

