
Network access control

Unit objectives
Explain network authentication methods
Explain the basic concepts behind public key infrastructure
Explain the methods of remote access security
Explain the methods to secure a wireless network

Unit topics
Topic A: Authentication
Topic B: Public key cryptography
Topic C: Remote access
Topic D: Wireless security

Topic A: Authentication

AAA
Authentication
Authorization
Accounting

Usernames and passwords

Usernames
Unique identifier
Can be simple or complex

Passwords
Simple passwords not recommended
Complex passwords use letters, numbers, special characters
Minimum password length

The combination of username and password provides user authentication

Password protection
Memorize password
Use different passwords
Use longer passwords
Use upper- and lower-case letters, numbers, and special characters
Change frequently
Avoid reusing passwords

Strong passwords
Balance difficulty of remembering with complexity
Create from the first letter of each word in a title or phrase (pass phrase)
Mix letter cases, add numbers and special characters
Avoid using personal information
Common substitutions include: 2 for "to", 4 for "for", $ for S, ! for I, zero (0) for O

Multiple passwords
Memorize
Use a password management tool
Remember a single password
Some tools create complex passwords for you

Authentication factors
Something you know
Something you have
Something you are

One-factor authentication
Something you know: Windows logon dialog box (username and password)
Something you are

Two-factor authentication
Something you know PLUS something you have (e.g., a token plus a PIN)
Something you know PLUS something you are (e.g., fingerprint, voice, retina)

Three-factor authentication
Something you know PLUS something you have PLUS something you are
Example: a card, a PIN, and a fingerprint

Activity A-1: Comparing one-, two-, and three-factor authentication

Authentication protocols
Kerberos
NTLM
LM

Activity A-2: Hashing data

Preventing impersonation
Use strong authentication
Don't allow authentication to be bypassed
Secure stored authentication information
Encrypt all authentication sent over the network

Identity proofing
Verify the user is who they say they are

KBA (knowledge-based authentication)
Potential user provides information only they are likely to know

DBA
Uses a public database

OOB (out-of-band)
Uses a channel outside of the primary authentication channel

Single sign-on
User is authenticated to other resources based on the strength of the initial sign-on
SSL, LDAP
Windows Live ID, Microsoft Passport, OpenID

Activity A-3: Identifying the requirements of a secure authentication system

Kerberos
Current version is 5
Provides authentication on physically insecure networks
Freely available in US and Canada
Authenticates users over an open multiplatform network using a single login

Kerberos system composed of
Principal
Authentication Server
Ticket-Granting Server
Key Distribution Center
Realm
Remote Ticket-Granting Server

Kerberos data types
Credentials
Session key
Authentication Ticket
Ticket-Granting Ticket

Kerberos authentication process

Kerberos security weaknesses
Subject to brute force attacks
Assumes all network devices are physically secure
Compromised passwords enable easy access for attackers
Vulnerable to DoS attacks
Authenticating devices need to be loosely synchronized
Access to the AS allows an attacker to impersonate any authorized user
Authenticating device identifiers shouldn't be reused on a short-term basis

Activity A-4: Examining the components of Kerberos

CHAP

EAP
PPP extension
Used in wireless connections
Can use token cards, one-time passwords, certificates, biometrics
Runs over data link layers
Defines formats
LEAP
EAP-TLS
EAP-FAST

Mutual authentication
Client and server authenticate to each other
Also known as two-way authentication
Trust the other computer's digital certificate
Can block rogue services

Activity A-5: Comparing authentication systems

Topic B: Public key cryptography

Cryptography
Science of encryption
Encryption = convert to unreadable format
Decryption = convert back to readable format
Algorithm = procedure for encrypting or decrypting
Cipher = encryption & decryption algorithm pair

ROT13 cipher

Keys
Secret information used by a cipher
Symmetric = same key for encryption and decryption
Asymmetric = different keys for encryption and decryption
Key sharing and management issues

Symmetric encryption in action

Public key cryptography
Two keys
What one encrypts, only the other can decrypt
One kept private
One shared (public)
Encryption process
Keys mathematically related

Asymmetric encryption in action

Public key cryptography characteristics
It is mathematically difficult to derive the private key from the public key
Data encrypted with the public key can be decrypted only with the private key
Data encrypted with the private key can be decrypted only with the public key
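To see the three characteristics in working code, here is an added example (not from the slides) of textbook RSA with toy-sized primes; keygen, transform and break_toy_key are names chosen for this illustration. The modular exponentiation is the same in both directions, so which key of the pair is used decides whether data is being encrypted or "signed".

```python
# Added example (not from the slides): textbook RSA with toy-sized primes to show
# the three characteristics above. Assumes Python 3.8+ for pow(e, -1, phi).
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return (public_key, private_key) from two primes. Both keys share n;
    d is e's inverse mod phi(n), which can only be computed by knowing p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def transform(key, values):
    """One modular exponentiation per value; the same operation serves as
    encryption or decryption depending on which key of the pair is used."""
    n, exp = key
    if any(v >= n for v in values):
        raise ValueError("each value must be smaller than the modulus n")
    return [pow(v, exp, n) for v in values]


def break_toy_key(public_key):
    """Recover the private exponent by factoring n with trial division. This is
    feasible only because n is tiny; at real key sizes this step is what the slide
    calls 'mathematically difficult', and it is why the public key can be shared."""
    n, e = public_key
    p = next(f for f in range(2, n) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))


if __name__ == "__main__":
    pub, priv = keygen(61, 53)                 # n = 3233, enough to hold one byte per block
    ct = transform(pub, list(b"hi"))           # encrypt with the public key
    print(bytes(transform(priv, ct)))          # only the private key recovers b"hi"
    print(transform(pub, ct) == list(b"hi"))   # decrypting with the public key fails
    sig = transform(priv, list(b"hi"))         # "encrypt" with the private key (signing)
    print(bytes(transform(pub, sig)))          # anyone with the public key can verify it
    print(break_toy_key(pub) == priv[1])       # toy n factors instantly; real n does not
```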

Activity B-1: Exploring public key cryptography

Public key infrastructure
Certificate authority (CA)
Registration authority (RA)
Certificate server

Setup and initialization phase
Process components
Registration
Key pair generation
Certificate generation
Certificate dissemination

Administration phase
Key storage
Certificate retrieval and validation
Backup or escrow
Recovery

Cancellation and history phase
Expiration
Renewal
Revocation
Suspension
Destruction

Activity B-2: Understanding certificate life cycle and management

Topic C: Remote access

AAA
Authentication
Authorization
Accounting

RADIUS
Remote Authentication Dial-In User Service
Client = network access server or device (e.g., wireless router)
Server = AAA service provider

RADIUS authentication
1. User connects to NAS
2. RADIUS client requests authentication from server
3. User supplies logon credentials
4. Client encrypts and forwards to server
5. Server authenticates, returns message
6. Client receives message and acts
The returned message is one of: Accept, Reject, Challenge

Realms
Namespace
Three possibilities
Named realm
Default realm
Empty realm
Cascading permitted

RADIUS security
Unique secret key for each client/server pair
Long secret keys: minimum 16 characters, over 22 recommended
Use the MD5-hashed Message-Authenticator attribute
Enable authentication attempt limits
Use IPsec with ESP
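As an added example (not from the slides), the block below implements two of the protections this topic relies on: the User-Password hiding a RADIUS client applies in step 4 of the authentication sequence (RFC 2865) and the HMAC-MD5 Message-Authenticator a server can check before trusting an Access-Request (RFC 2869). The secret, authenticator and credentials used with it are constructed sample values, and the function names are chosen for this illustration.

```python
# Added example (not from the slides): RFC 2865 User-Password hiding (slide step 4)
# and the RFC 2869 Message-Authenticator, an HMAC-MD5 keyed with the shared secret.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator  # server side: regenerate the same keystream
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(secret, ident, authenticator, username, password) -> bytes:
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(secret, authenticator, password))
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # MAC is computed over a zeroed field
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + authenticator
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, header + zeroed, hashlib.md5).digest())

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    pos, received, zeroed = 20, None, packet[:20]  # rebuild the packet with the MAC field zeroed
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute
        if kind == MESSAGE_AUTHENTICATOR:
            received = packet[pos + 2:pos + length]
            zeroed += packet[pos:pos + 2] + b"\x00" * (length - 2)
        else:
            zeroed += packet[pos:pos + length]
        pos += length
    if received is None or len(received) != 16:
        return False  # policy: a missing or malformed MAC is a failure, not a pass
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)
```

Note that User-Password hiding only obscures the credential with an MD5-derived keystream; it is the Message-Authenticator (and the IPsec/ESP recommendation above) that protects the request against forgery and tampering.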

RADIUS benefits
Improved security
Scalable architecture
Interoperability

Diameter
Successor to RADIUS
Backwards compatible
RFC 3588
AAA services

Diameter improvements
Data flow
Error notification
Message acknowledgment
Processing requirements
Security

Activity C-1: Examining RADIUS and Diameter authentication

LDAP and remote access
Lightweight Directory Access Protocol
Stores information about
users
network resources
file systems
applications
RADIUS and Diameter support LDAP

LDAP security
Breach of LDAP security
Access data
Access network resources
Modify LDAP data
Impersonate LDAP

Breach of LDAP service security
Denial of service
Redirect access requests
Hide attacks and attempts

LDAP authentication/authorization
Simple Bind
SASL
Anonymous Bind

Activity C-2: Examining the role of LDAP in a remote access environment

TACACS+
Terminal Access Controller Access Control System (TACACS+)
Earlier versions: TACACS, XTACACS

AAA functions

TACACS+ versus RADIUS
TCP rather than UDP
Message body fully encrypted
AAA services provided independently
Flexible: username/password, ARA, SLIP, PAP, CHAP, Telnet
Multiprotocol: TCP/IP, AppleTalk, NetBIOS, Novell Async Services Interface, X.25

Activity C-3: Examining TACACS+ authentication

802.1x
Authentication protocol
Device access control
Works with RADIUS / TACACS+
Device roles
Supplicant (end user device)
Authenticator
Authentication server

Activity C-4: Examining how 802.1x adds security to your network

Virtual private networks
Secure networking over an insecure network
Remote access VPN
Site-to-site VPN

VPN technologies
Authentication
Tunneling
Encryption

VPN security models
Authentication before connection
Trusted delivery network
Secure VPN

VPN protocols
PPTP
L2F
L2TP
IPSec
SSL/TLS

PPTP versus L2TP

                  PPTP                                   L2TP
Encryption        Native PPP; negotiations in plaintext  IPsec
Authentication    PPP with PAP, CHAP, or MS-CHAP         RADIUS, TACACS+
Data protocols    IP                                     IP, IPX, SNA, NetBEUI
Port              1723 (TCP)                             1701 (UDP)

IPSec protocols
Authentication Header (AH)
Encapsulating Security Payload (ESP)
IP Payload Compression (IPcomp)
Internet Key Exchange (IKE)

Encryption modes
Transport mode
Tunnel mode

Secure shell (SSH)
Remote system access
Telnet and FTP use plaintext
SSH uses public-key encryption
TCP port 22

VPN solutions
Remote access communication options
Internet
Proprietary / closed networks

VPN hardware and software
Microsoft, Cisco, Juniper, OpenVPN

Service provider tunneling

Activity C-5: Comparing VPN protocols

Topic D: Wireless security

802.11 standard
Wireless networking
2.4 to 2.5 GHz
Data Link layer specifications
Access point

Wireless security
Access control
Encryption
Authentication
Isolation

Wireless vulnerabilities
Physical access
Firmware vulnerabilities
Default accounts

Activity D-1: Identifying wireless networking vulnerabilities

Wi-Fi scanners
Physical devices
Laptop software: AirSnort or NetStumbler
War driving
War chalking

Warchalking symbols

Activity D-2: Scanning for insecure access points

Unit summary
Explained network authentication methods
Explained the basic concepts behind public key infrastructure
Explained the methods of remote access security
Explained the methods to secure a wireless network
