Unit objectives
Explain network authentication methods
Explain the basic concepts behind public key infrastructure
Explain the methods of remote access security
Explain the methods to secure a wireless network
Topic A
Topic A: Authentication
Topic B: Public key cryptography
Topic C: Remote access
Topic D: Wireless security
AAA
Authentication
Authorization
Accounting
Passwords
Simple passwords not recommended
Complex passwords use letters, numbers, special characters
Minimum password length
Password protection
Memorize password
Use different passwords
Use longer passwords
Use upper- and lower-case letters, numbers and special characters
Change frequently
Avoid reusing passwords
Strong passwords
Balance difficulty of remembering with complexity
Create a pass phrase from the first letter of each word in a title or phrase
Mix letter cases, add numbers and special characters
Avoid using personal information
Common substitutions include:
2 for "to"
4 for "for"
$ for S
! for I
Zero for O
Multiple passwords
Memorize
Use a password management tool
Remember a single password
Some tools create complex passwords for you
Authentication factors
Something you know
Something you have
Something you are
One-factor authentication
Something you know: Windows logon dialog box, username and password
Something you are
Two-factor authentication
Something you know PLUS
Something you have
Something you are
Three-factor authentication
Something you know PLUS something you have PLUS something you are
A card, a PIN, and a fingerprint
Activity A-1
Authentication protocols
Kerberos
NTLM
LM
Activity A-2
Hashing data
Preventing impersonation
Use strong authentication
Don't allow authentication to be bypassed
Secure stored authentication information
Encrypt all authentication sent over the network
Identity proofing
Verify user is who they say they are
KBA: potential user provides information only they are likely to know
DBA: uses public database
OOB: uses channel outside of primary authentication channel
Single sign-on
User is authenticated to other resources based on strength of initial sign-on
SSL, LDAP
Windows Live ID, Microsoft Passport, OpenID
Activity A-3
Kerberos
Current version is 5
Provides authentication on physically insecure networks
Freely available in US and Canada
Authenticates users over open multiplatform network using single login
Activity A-4
CHAP
EAP
PPP extension
Used in wireless connections
Can use token cards, one-time passwords, certificates, biometrics
Runs over data link layers
Defines formats
LEAP, EAP-TLS, EAP-FAST
Mutual authentication
Client and server authenticate to each other
Also known as two-way authentication
Trust other computer's digital certificate
Can block rogue services
Activity A-5
Topic B: Public key cryptography
Cryptography
Science of encryption
Encryption = convert to unreadable format
Decryption = convert back to readable format
Algorithm = procedure for encrypting or decrypting
Cipher = encryption & decryption algorithm pair
ROT13 cipher
Keys
Secret information used by cipher
Symmetric = same key for encryption and decryption
Asymmetric = differing keys for encryption and decryption
Key sharing and management issues
Public key cryptography characteristics
It is mathematically difficult to derive the private key from the public key
Data encrypted with the public key can be decrypted with only the private key
Data encrypted with the private key can be decrypted with only the public key
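The three characteristics above, worked through in textbook RSA. This is an added example, not course material: the primes 61 and 53 are constructed to keep the arithmetic visible, there is no padding (real systems use PKCS#1 OAEP/PSS), and the last function shows that the first characteristic depends entirely on the modulus being too large to factor.

```python
from math import gcd, isqrt

def make_toy_keypair(p, q, e=17):
    """Textbook RSA from two constructed primes. Returns (public, private), each as (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi); needs Python 3.8+
    return (e, n), (d, n)

def apply_key(message_int, key):
    """Modular exponentiation with either half of the pair; what one half does, only the other undoes."""
    exponent, n = key
    if not 0 <= message_int < n:
        raise ValueError("message must be a non-negative integer smaller than the modulus")
    return pow(message_int, exponent, n)

def encrypt(m, public):   # confidentiality: anyone can encrypt, only the private key holder can read
    return apply_key(m, public)

def decrypt(c, private):
    return apply_key(c, private)

def sign(m, private):     # authenticity: only the private key holder can produce this value
    return apply_key(m, private)

def verify(m, signature, public):
    return apply_key(signature, public) == m

def recover_private_key_by_factoring(public):
    """The first characteristic holds only while n is too large to factor; a 12-bit toy modulus is not."""
    e, n = public
    p = next(i for i in range(2, isqrt(n) + 1) if n % i == 0)  # trial division, instant for n = 3233
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)

if __name__ == "__main__":
    public, private = make_toy_keypair(61, 53)  # constructed textbook primes, n = 3233
    c = encrypt(65, public)
    print(c, decrypt(c, private))                               # 2790 65
    print(verify(65, sign(65, private), public))                # True
    print(recover_private_key_by_factoring(public) == private)  # True: the toy modulus gives the key away
```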
Activity B-1
Administration phase
Key storage
Certificate retrieval and validation
Backup or escrow
Recovery
Activity B-2
Topic C: Remote access
AAA
Authentication
Authorization
Accounting
RADIUS
Remote Authentication Dial-in User Service
Client = network access server or device (e.g., wireless router)
Server = AAA service provider
RADIUS authentication
1. User connects to NAS
2. RADIUS client requests authentication from server
3. User supplies logon credentials
4. Client encrypts and forwards to server
5. Server authenticates, returns message
6. Client receives message and acts
Message is one of: Accept, Reject, Challenge
Realms
Namespace
Three possibilities: named realm, default realm, empty realm
Cascading permitted
RADIUS security
Unique secret key for each client/server pair
Long secret keys: min 16, over 22 characters recommended
Use MD5-hashed Message attribute
Enable authentication attempt limits
Use IPsec with ESP
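Steps 3 to 5 of the RADIUS authentication flow and the "long unique secret" and "MD5-hashed Message attribute" points above, as an added example that is not part of the course: a client builds an Access-Request with the User-Password hidden per RFC 2865 and a Message-Authenticator (HMAC-MD5, RFC 2869), and the server verifies the HMAC before recovering and checking the password. The secret and credentials are constructed; the server is simplified to one value per attribute type and no Access-Challenge handling. Because the password hiding is undone by anyone who holds the shared secret, the hiding alone gives no confidentiality against a party that has it, which is why the slide asks for per-client secrets, length, and IPsec.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # attribute types, RFC 2865 / RFC 2869

def password_chain(data, secret, authenticator, reveal=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block); one loop serves both directions."""
    out, prev = b"", authenticator  # the first block is chained to the Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if reveal else block  # always chain on the ciphertext block
        out += block
    return out
def hide_password(password, secret, authenticator):
    padded = password.ljust((max(len(password), 1) + 15) // 16 * 16, b"\x00")  # NUL-pad to 16-byte blocks
    return password_chain(padded, secret, authenticator)
def reveal_password(hidden, secret, authenticator):
    return password_chain(hidden, secret, authenticator, reveal=True).rstrip(b"\x00")
def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, user, password, secret, authenticator=None):
    """Steps 3-4 of the flow: the client hides the password and HMACs the whole packet."""
    if len(secret) < 16:
        raise ValueError("shared secret shorter than the 16-character minimum")
    auth = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # Message-Authenticator is computed over a zeroed field
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + auth + attrs, hashlib.md5).digest()
    return header + auth + attrs[:-16] + mac

def parse_attrs(body):
    attrs, i = {}, 0  # one value per type is enough for this demo (duplicates would be overwritten)
    while i < len(body):
        t, length = body[i], body[i + 1]
        if length < 2:
            return {}  # malformed TLV; an empty result makes the caller reject
        attrs[t], i = body[i + 2:i + length], i + length
    return attrs

def server_decision(packet, secret, expected_user, expected_password):
    """Step 5: check the HMAC before touching credentials, then compare. Returns 'Accept' or 'Reject'."""
    auth, attrs = packet[4:20], parse_attrs(packet[20:])
    if not all(k in attrs for k in (USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR)) or attrs[USER_NAME] != expected_user:
        return "Reject"
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs.items())
    expected_mac = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_mac, attrs[MESSAGE_AUTHENTICATOR]):
        return "Reject"  # tampered in transit, or client and server hold different secrets
    pw = reveal_password(attrs[USER_PASSWORD], secret, auth)
    return "Accept" if hmac.compare_digest(pw, expected_password) else "Reject"
```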
RADIUS benefits
Improved security
Scalable architecture
Interoperability
Diameter
Successor to RADIUS
Backwards compatible
RFC 3588
AAA services
Diameter improvements
Data flow
Error notification
Message acknowledgment
Processing requirements
Security
Activity C-1
LDAP security
Breach of LDAP security
Access data
Access network resources
Modify LDAP data
Impersonate LDAP
LDAP authentication/authorization
Simple Bind
SASL
Anonymous Bind
Activity C-2
TACACS+
Terminal Access Controller Access Control System (TACACS+)
TACACS
XTACACS
AAA functions
Multiprotocol
TCP/IP, AppleTalk, NetBIOS, Novell Async Services Interface, X.25
Activity C-3
802.1x
Authentication protocol
Device access control
Works with RADIUS / TACACS+
Device roles: supplicant (end user device), authenticator, authentication server
Activity C-4
VPN technologies
Authentication
Tunneling
Encryption
VPN protocols
PPTP
L2F
L2TP
IPsec
SSL/TLS
Encryption
IPsec
RADIUS, TACACS+
Data protocols IP
Port
1723 (TCP)
IPsec protocols
Authentication Header (AH)
Encapsulating Security Payload (ESP)
IP Payload Compression (IPcomp)
Internet Key Exchange (IKE)
Encryption modes
Transport mode
Tunnel mode
VPN solutions
Remote access communication options
Internet
Proprietary / closed networks
Activity C-5
Topic D: Wireless security
802.11 standard
Wireless networking, 2.4-2.5 GHz
Data Link layer specifications
Access point
Wireless security
Access control
Encryption
Authentication
Isolation
Wireless vulnerabilities
Physical access
Firmware vulnerabilities
Default accounts
Activity D-1
Wi-Fi scanners
Physical devices
Laptop software: AirSnort or NetStumbler
Warchalking symbols
Activity D-2
Unit summary
Explained network authentication methods
Explained the basic concepts behind public key infrastructure
Explained the methods of remote access security
Explained the methods to secure a wireless network