9781435420168_PPT_CH10


FIREWALLS & NETWORK SECURITY with
Intrusion Detection and VPNs, 2nd ed.
Chapter 10: Authenticating Users
By Whitman, Mattord, & Austin
© 2008 Course Technology
Learning Objectives
 Explain why authentication is a critical aspect of
network security
 Explain why firewalls authenticate and how they
identify users
 Describe user, client, and session authentication
 List the advantages and disadvantages of popular
centralized authentication systems
 Discuss the potential weaknesses of password
security systems
 Discuss the use of password security tools
 Describe common authentication protocols used
by firewalls
Firewalls & Network Security, 2nd ed. - Chapter 10
Slide 2
The Authentication Process in General
 The act of identifying users and providing
network services to them based on their identity
 Two forms
– Local authentication
– Centralized authentication service (often uses
two-factor authentication)
How Firewalls Implement the
Authentication Process
1. Client makes request to access a resource
2. Firewall intercepts the request and prompts
the user for name and password
3. User submits information to firewall
4. User is authenticated
5. Request is checked against firewall’s rule
base
6. If request matches existing allow rule, user is
granted access
7. User accesses desired resources
How Firewalls Implement the
Authentication Process (continued)
Firewall Authentication Methods
 User authentication
 Client authentication
 Session authentication
User Authentication
 The simplest method: the user supplies a username
and password, which the firewall checks before
forwarding the request to the networked resource
 Users who need to legitimately access your
internal servers must be added to your access
control lists (ACLs)
User Authentication (continued)
Client Authentication
 Same as user authentication but with additional
time limit or usage limit restrictions
 When configuring, set up one of two types of
authentication systems
– Standard sign-on system
– Specific sign-on system
Client Authentication (continued)
Session Authentication
 Required any time the client establishes a
session with a server or other networked
resource; the grant lasts only for that session
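The following is an added example, not code from the book or from any firewall product, showing the seven-step process above together with the three authentication methods in front of one rule base. The user store, the rule base and the addresses are constructed for the example; the clock is injectable so that the time limit of client authentication can be exercised deterministically.

```python
"""Added example: user, client and session authentication in front of one rule base."""
import hashlib
import hmac
import os
import time

# Constructed user store: the firewall keeps a random salt and a PBKDF2 hash per user,
# never the password itself.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Constructed rule base: (user, destination host, destination port, action).
# First match wins; a request that matches nothing is denied.
RULES = [
    ("alice", "10.0.0.5", 22, "allow"),
    ("*", "10.0.0.5", 22, "deny"),
]

def check_password(user: str, password: str) -> bool:
    entry = USERS.get(user)
    if entry is None:
        _hash_password(password, _ALICE_SALT)  # same cost for unknown users: no username oracle via timing
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)

def rule_allows(user: str, dst: str, port: int) -> bool:
    for rule_user, rule_dst, rule_port, action in RULES:
        if rule_user in (user, "*") and rule_dst in (dst, "*") and rule_port in (port, "*"):
            return action == "allow"
    return False

class Firewall:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.client_grants = {}     # client IP -> [user, expires_at, uses_left]
        self.sessions = {}          # session id -> user

    # User authentication: credentials travel with every request (steps 1-7 of the slide).
    def user_request(self, user, password, dst, port):
        if not check_password(user, password):
            return "auth-failed"
        return "allowed" if rule_allows(user, dst, port) else "denied"

    # Client authentication: one sign-on opens a time- and usage-limited window for the client address.
    def client_signon(self, client_ip, user, password, ttl_seconds, max_uses):
        if not check_password(user, password):
            return False
        self.client_grants[client_ip] = [user, self.clock() + ttl_seconds, max_uses]
        return True

    def client_request(self, client_ip, dst, port):
        grant = self.client_grants.get(client_ip)
        if grant is None:
            return "auth-required"
        user, expires_at, uses_left = grant
        if self.clock() > expires_at or uses_left <= 0:
            del self.client_grants[client_ip]   # limit reached: the client must sign on again
            return "auth-expired"
        grant[2] = uses_left - 1
        return "allowed" if rule_allows(user, dst, port) else "denied"

    # Session authentication: every new session is authenticated and its grant ends with it.
    def session_open(self, session_id, user, password, dst, port):
        if not check_password(user, password):
            return "auth-failed"
        if not rule_allows(user, dst, port):
            return "denied"
        self.sessions[session_id] = user
        return "allowed"

    def session_close(self, session_id):
        self.sessions.pop(session_id, None)
        return session_id not in self.sessions
```

Note that authentication and the rule-base check are separate decisions: a valid password for alice still yields "denied" for a destination port no rule allows, and a client grant that has expired or been used up drops back to "auth-required" rather than silently reusing the old identity.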
Comparison of Authentication Methods
Centralized Authentication
 Centralized server maintains all authorizations
for users regardless of where user is located
and how user connects to network
 Most common methods
– Kerberos
– TACACS+ (Terminal Access Controller Access
Control System Plus)
– RADIUS (Remote Authentication Dial-In User
Service)
Process of Centralized Authentication
Kerberos
 Provides authentication (and session keys for
encrypting traffic) between standard clients and servers
 Uses a Key Distribution Center (KDC) to issue
tickets to principals that want access to resources;
the user's password is used only locally, to derive
the key that decrypts the KDC's reply
 Default domain authentication protocol since
Windows 2000 (Active Directory)
 Advantages
– Passwords never cross the network; the KDC stores
only keys derived from them, and services see only tickets
– Widely used in UNIX environments; enables
authentication across operating systems
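The following is an added example, not code from the book or from any Kerberos implementation, that walks through the KDC exchange described above in miniature: an AS exchange that returns a ticket-granting ticket, a TGS exchange that returns a service ticket, and the service's check. It assumes a toy authenticated-encryption routine (a SHA-256 keystream plus an HMAC tag) in place of real Kerberos encryption types, PBKDF2 with the principal name as salt in place of the real string-to-key functions, and constructed principal names and passwords. What it demonstrates is the property the slide claims: the password is never sent anywhere, yet a wrong password cannot open the KDC's reply.

```python
"""Added example: toy Kerberos AS and TGS exchanges; the password never leaves the client."""
import hashlib
import hmac
import json
import os
import time

def string2key(password: str, principal: str) -> bytes:
    """Long-term key from a password (assumption: PBKDF2 with the principal name as salt
    stands in for Kerberos' real string2key functions)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (not a real Kerberos enctype): keystream XOR plus HMAC tag."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds one long-term key per principal, including its own 'krbtgt' key."""
    def __init__(self):
        self.keys = {}

    def enrol(self, principal: str, password: str) -> None:
        self.keys[principal] = string2key(password, principal)   # only the derived key is kept

    def as_exchange(self, cname: str, nonce: str):
        """AS-REQ carries no password. AS-REP: a TGT only the KDC can open, plus the session key
        sealed under the client's long-term key, so only someone who knows the password can read it."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sk": sk, "exp": time.time() + 8 * 3600})
        return tgt, seal(self.keys[cname], {"sk": sk, "nonce": nonce})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        t = unseal(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)   # proves the requester holds the session key
        if a["cname"] != t["cname"] or abs(a["ts"] - time.time()) > 300:
            raise ValueError("bad authenticator")
        sk2 = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "sk": sk2})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2, "sname": sname})

class Client:
    def __init__(self, cname: str, password: str):
        self.cname, self.key = cname, string2key(password, cname)  # derived locally, never sent

    def login(self, kdc: KDC) -> None:
        nonce = os.urandom(8).hex()
        self.tgt, enc = kdc.as_exchange(self.cname, nonce)
        rep = unseal(self.key, enc)      # wrong password: ValueError here, nothing leaked on the wire
        if rep["nonce"] != nonce:
            raise ValueError("replayed AS-REP")
        self.sk = bytes.fromhex(rep["sk"])

    def get_service_ticket(self, kdc: KDC, sname: str):
        authenticator = seal(self.sk, {"cname": self.cname, "ts": time.time()})
        ticket, enc = kdc.tgs_exchange(self.tgt, authenticator, sname)
        return ticket, bytes.fromhex(unseal(self.sk, enc)["sk"])

    def authenticator_for(self, service_sk: bytes) -> bytes:
        return seal(service_sk, {"cname": self.cname, "ts": time.time()})

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """The service needs only its own key: it opens the ticket, then checks the authenticator
    with the session key found inside. No contact with the KDC is required."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
    except ValueError:
        return False
    return a["cname"] == t["cname"] and abs(a["ts"] - time.time()) <= 300

def password_works(kdc: KDC, cname: str, password: str) -> bool:
    """Demonstration helper: can this password open the AS-REP?"""
    try:
        Client(cname, password).login(kdc)
        return True
    except ValueError:
        return False
```

The practical consequence for a firewall is that the KDC's database holds keys, not passwords, and that an eavesdropper on the AS exchange only ever sees ciphertext under the user's key; real deployments add pre-authentication to stop an attacker from requesting AS-REPs for arbitrary users and cracking them offline, which this toy does not model.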
Kerberos Authentication
TACACS+
 Latest and strongest member of a family of Cisco
Systems authentication protocols (TACACS, XTACACS,
TACACS+) originally aimed at dial-up and network
device access; runs over TCP port 49
 Provides AAA services
– Authentication
– Authorization
– Accounting
 Obscures the entire packet body by XORing it with
an MD5-derived keystream seeded with the shared
secret; this hides usernames and passwords from
casual capture but is obfuscation rather than strong
encryption, and the 12-byte header stays in the clear
RADIUS
 Centralized dial-in (remote access) authentication
service that uses UDP (ports 1812 for authentication
and 1813 for accounting; older deployments use 1645/1646)
 Transmits authentication packets in the clear except
for the User-Password attribute, which is obscured by
XORing it with an MD5 hash of the shared secret;
usernames, accounting records and authorization
attributes are readable by anyone on the path
 Provides a lower level of security than TACACS+
but is far more widely supported
TACACS+ and RADIUS Compared
 Strength of security
 Filtering characteristics
 Proxy characteristics
 NAT characteristics
Strength of Security
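The following is an added example, not code from the book or from any RADIUS or TACACS+ implementation, that makes the "strength of security" comparison concrete by implementing the two wire-level protections as the RFCs specify them: the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5. Secrets, the request authenticator, the session id and the packet bodies are constructed for the example. It also shows the caveat the RADIUS RFC itself notes: a user who knows one password sent this way can recover the shared secret by an offline dictionary attack.

```python
"""Added example: what RADIUS and TACACS+ actually hide on the wire."""
import hashlib
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- RADIUS (RFC 2865 section 5.2): only the User-Password attribute is hidden ---

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; each block is XORed with MD5(secret + previous ciphertext block),
    the first with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name (type 1) in the clear, User-Password (type 2) hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden

def guess_radius_secret(hidden: bytes, authenticator: bytes, known_password: bytes, candidates):
    """Caveat from the RFC: anyone who knows one password sent this way (e.g. their own) learns
    MD5(secret + authenticator) from the first block and can dictionary-attack the secret offline."""
    padded = known_password + b"\x00" * (-len(known_password) % 16)
    target = _xor(hidden[:16], padded[:16])
    for cand in candidates:
        if hashlib.md5(cand + authenticator).digest() == target:
            return cand
    return None

# --- TACACS+ (RFC 8907 section 4.5): the whole body is XORed with an MD5 keystream ---

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no); pad_i = MD5(same fields + pad_{i-1})."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Symmetric: the same call turns an obfuscated body back into plaintext."""
    return _xor(body, tacacs_pad(session_id, key, version, seq_no, len(body)))
```

Both mechanisms derive their keystream from MD5 of a shared secret and public header fields, so neither is confidentiality in the modern sense; the difference the slides describe is one of coverage (TACACS+ covers the whole body, RADIUS only the password attribute). Where the path between firewall and authentication server is not trusted, carry the protocol inside TLS (RADIUS/TLS, RFC 6614) or IPsec rather than relying on either scheme.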
Filtering Characteristics
Proxy Characteristics
 RADIUS
– Doesn’t work with generic proxy systems, but a
RADIUS server can function as a proxy server
 TACACS+
– Works with generic proxy systems
NAT Characteristics
 RADIUS
– Doesn't work well through NAT: the server identifies
each client and selects its shared secret by source IP
address, which NAT rewrites, and the NAS-IP-Address
attribute inside the packet may no longer match
 TACACS+
– Should work through NAT systems
Password Security Issues
 Passwords that can be cracked (accessed by
an unauthorized user)
 Password vulnerabilities
 Lax security habits
Passwords That Can Be Cracked
 Ways to crack passwords
– Find a way to authenticate without knowing the
password
– Uncover password from system that holds it
– Guess the password
 To avoid the issue
– Protect passwords effectively
– Observe security habits
Password Vulnerabilities
 Built-in vulnerabilities
– Often easy to guess
– Often written down or stored where others can read them
– Social engineering
 To avoid the issues
– Choose complicated passwords
– Memorize passwords
– Never give passwords out to anyone
Lax Security Habits
 To maintain some level of integrity, draw up a
formal Memorandum of Understanding (MOU)
Password Security Tools
 One-time password software
 Shadow password system
One-Time Password Software
 Password is generated using a secret key
 Password is used only once, when the user
authenticates
 Different passwords are used for each
authentication session
 Types
– Challenge-response passwords
– Password list passwords
Shadow Password System
 A feature of UNIX-like systems, including Linux:
password hashes are moved out of the world-readable
/etc/passwd into /etc/shadow, which only root (and
the shadow group) can read
 Passwords are stored only as salted hashes: a random
salt is combined with the password and run through a
one-way hash (crypt), so two users with the same
password get different entries and precomputed
tables are useless
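The following is an added example, not code from the book, that audits shadow-file entries the way a reviewer would: it parses the colon-separated format, classifies the password field by its hash prefix, and flags empty fields and legacy weak schemes (md5crypt and traditional DES crypt). The sample lines are constructed and their hash bodies are placeholders, not real digests; the permission check takes a mode integer so it can be exercised without touching the real file.

```python
"""Added example: audit constructed /etc/shadow entries for weak or empty password fields."""
import stat

# Constructed sample; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rounds=65536$saltsalt$placeholderhash:19500:0:99999:7:::
legacy:$1$saltsalt$placeholderhash:18000:0:99999:7:::
olduser:abJnggxhB/yWI:17000:0:99999:7:::
nopass::19500:0:99999:7:::
svc:!:19500:0:99999:7:::
modern:$y$j9T$saltsalt$placeholderhash:19500:0:99999:7:::
"""

# Hash prefix -> (scheme name, verdict). Prefixes are the standard crypt(3) identifiers.
SCHEMES = {
    "$6$": ("sha512crypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$y$": ("yescrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$1$": ("md5crypt", "weak"),
}

def classify_hash(field: str):
    """Return (scheme, verdict) for one password field."""
    if field == "":
        return "none", "empty"          # login without any password at all
    if field.startswith(("!", "*")):
        return "locked", "locked"       # password login disabled for this account
    for prefix, result in SCHEMES.items():
        if field.startswith(prefix):
            return result
    if len(field) == 13 and "$" not in field:
        return "descrypt", "weak"       # traditional DES crypt: 8-character limit, 12-bit salt
    return "unknown", "unknown"

def parse_shadow(text: str):
    """Yield (user, password_field, last_change_day) for each well-formed line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        yield fields[0], fields[1], fields[2]

def audit_shadow(text: str) -> dict:
    """Map user -> verdict, so anything other than 'ok' or 'locked' gets a second look."""
    findings = {}
    for user, pw, _ in parse_shadow(text):
        scheme, verdict = classify_hash(pw)
        findings[user] = verdict if scheme in ("none", "locked") else f"{verdict} ({scheme})"
    return findings

def mode_is_restricted(mode: int) -> bool:
    """True if a file mode denies 'other' all access, as /etc/shadow must (0640 root:shadow or 0600)."""
    return mode & stat.S_IRWXO == 0
```

On a real host, run the audit against the output of `cat /etc/shadow` (as root) and check `os.stat("/etc/shadow").st_mode` with mode_is_restricted; an empty field or a world-readable mode undoes the protection the slide describes regardless of how strong the hash is.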
Other Authentication Systems
 Single-password systems
 One-time password systems
 Certificate-based authentication
 802.1x Wi-Fi authentication
Single-Password Systems
 Operating system password
 Internal firewall password
One-Time Password Systems
 S/Key
 SecurID
 Axent Pathways Defender
S/Key
 A Bellcore one-time password system (RFC 1760),
later generalized as OTP (RFC 2289); the name is a
trademark, not an abbreviation for "single key"
 Builds passwords from a hash chain rather than a
single reusable word
– User chooses a secret pass-phrase; the client
combines it with a server-supplied seed and hashes
the result n times
– Only the final value (the nth hash) and the count n
are stored on the server; each login presents the
previous value in the chain, which the server checks
with one more hash and then stores as the new
check value
– The 64-bit one-time password is shown to the user
as six short dictionary words, which is why S/Key
passwords are "multiple-word"
 Never stores the original pass-phrase on the server,
and a captured one-time password cannot be reused
or turned into the next one
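The following is an added example, not code from the book or from the S/Key distribution, showing the hash chain above with both sides of the exchange: a client that keeps the secret and computes chain values on demand, and a server that stores only the last value and the remaining count. It assumes SHA-256 in place of the MD4/MD5 of RFC 1760/2289 and omits the six-word encoding; the seed and pass-phrase are constructed.

```python
"""Added example: a Lamport hash chain as used by S/Key (RFC 1760) and OTP (RFC 2289)."""
import hashlib
import hmac

def chain_value(secret: str, seed: str, n: int) -> bytes:
    """Value after n extra hash rounds over H(seed + secret). Assumption: SHA-256 stands in
    for the MD4/MD5 of the original specifications; the 6-word encoding is omitted."""
    h = hashlib.sha256((seed + secret).encode()).digest()
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h

class SkeyClient:
    """Holds the pass-phrase; it never leaves this object."""
    def __init__(self, secret: str):
        self._secret = secret

    def compute(self, seed: str, n: int) -> bytes:
        return chain_value(self._secret, seed, n)

class SkeyServer:
    def __init__(self):
        self.records = {}  # user -> [seed, n, value] where value == H^n(seed + secret)

    def enrol(self, user: str, seed: str, n: int, final_value: bytes) -> None:
        """The client computes H^n locally and hands over only that value;
        the server never sees the pass-phrase."""
        self.records[user] = [seed, n, final_value]

    def challenge(self, user: str):
        """Tell the client which round to compute next, or None when the chain is used up."""
        rec = self.records.get(user)
        if rec is None or rec[1] == 0:
            return None
        return rec[1] - 1, rec[0]

    def login(self, user: str, otp: bytes) -> bool:
        rec = self.records.get(user)
        if rec is None or rec[1] == 0:
            return False        # unknown user, or exhausted chain: re-enrol with a fresh seed
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), rec[2]):
            return False        # wrong value, or a replay of one already used
        rec[1] -= 1
        rec[2] = otp            # the value just presented becomes the new check value
        return True
```

Because the server walks the chain backwards, an eavesdropper who captures today's value would need a preimage of it to produce tomorrow's, and presenting a captured value again fails because the server's check value has already moved past it. The chain does run out: when the count reaches zero the user must re-enrol with a new seed, and a server that silently accepted logins at count zero would accept the same value forever.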
SecurID
 Uses two-factor authentication
– Physical object
– Piece of knowledge
 Most frequently used one-time password
solution with FireWall-1
SecurID Tokens
Axent Pathways Defender
 Uses two-factor authentication and a challenge-response system
Certificate-Based Authentication
 FireWall-1 supports the use of digital certificates
to authenticate users
 Organization sets up a public key infrastructure
(PKI) that issues a key pair and a certificate to each user
– The certificate binds the user's public key to the
user's identity and is signed by the organization's
certificate authority (CA); the matching private key
stays with the user
– To authenticate, the user proves possession of the
private key (for example by signing a challenge from
the firewall); the firewall verifies the signature with
the public key in the certificate and checks that the
certificate chains to a trusted CA and has not been
revoked
802.1X Wi-Fi Authentication
 Port-based network access control, used for
wireless and wired Ethernet connections
 Not supported by FireWall-1
 802.1X blocks all traffic on a port (or wireless
association) except authentication frames until the
user or device has been authenticated
 Carries the Extensible Authentication Protocol (EAP)
between the client and the access point, which relays
it to an authentication server (typically RADIUS)
Wireless Authentication
Chapter Summary
 Overview of authentication and its importance to
network security
 How and why firewalls perform authentication
services
 Types of authentication performed by firewalls
– User
– Client
– Session
Chapter Summary (continued)
 Generally, users supply:
– Something they have (such as a smart card) or
– Something they know (such as a password) or
– Both
 Newer authentication systems also measure or
evaluate a physical attribute (something the user is),
such as a fingerprint or voiceprint
Chapter Summary (continued)
 In a centralized authentication system:
– Firewall works with an authentication server
– Authentication server handles
• Username and password maintenance/generation
• Login requests
• Auditing
 Examples of centralized authentication systems:
– Kerberos
– TACACS+
– RADIUS
Chapter Summary (continued)
 Passwords
– Important part of virtually every authentication
system
– Take one of two general forms:
• Single-word
– User password compared against database of
passwords; access granted if match is made
– Vulnerable to ability of hackers to determine
passwords, to user error, and to bad security habits
• One-time passwords
– Generated dynamically each time user attempts to
log on to network
– Secret key used to generate single- or multiple-word password