Web Security
Download
Report
Transcript Web Security
Cisco’s Secure Access
Control Server (ACS)
•
•
•
•
ACS: Cisco’s AAA server
A centralized access control solution
Supports both RADIUS and TACACS+
Supports Cisco’s Network Access Control
(NAC, aka Network Admission Control)
Network Access Control
•
Source:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_cont
rol_server_for_windows/4.0/user/guide/nac.html
• AAA clients: aka NAD (network access
devices), NAS (network access servers)
• Posture validation/assessment:
whether a host complies to security
policies (e.g., antivirus s/w version &
patches)
T. A. Yang
Network Security
2
ACS
• Extensive support for common authentication
protocols for end users/devices:
Passwords
PAP
CHAP
ARAP
MS-CHAP
LEAP
EAP-MD5
EAP-TLS
PEAP
T. A. Yang
Network Security
3
Shared Profile Components (SPC)
• A shared profile is a set of authorization components
that may be applied to one or more users or groups of
users, and referenced by name within their profiles.
• Benefits: scalability (by avoiding repetitions in
configuring long lists of devices for commands and other
authorization parameters)
• e.g.,
–
–
–
–
–
Downloadable IP ACLs
Network access filters (NAF)
RADIUS authorization components (RAC)
Shell command authorization sets
…
T. A. Yang
Network Security
4
Downloadable IP ACLs
• A predefined and named set of ACL definitions
(aka ACL contents) that can be associated to each
applicable user or group of users by referencing its name
• No need to repetitively define the same ACLs for
each of the users and groups of users
• RADIUS authentication is required for this
feature to work with a client.
T. A. Yang
Network Security
5
Downloadable IP ACLs operate this way
• Source:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_
control_server_for_windows/4.0/user/guide/c.html#wp696775
1. When ACS grants a user access to the network, ACS determines
whether a downloadable IP ACL is assigned to that user or the
user's group.
2. If ACS locates a downloadable IP ACL that is assigned to the user
or the user's group, it determines whether an ACL content entry is
associated with the AAA client that sent the RADIUS authentication
request.
3. ACS sends, as part of the user session, RADIUS access-accept
packet an attribute specifying the named ACL and the version of the
named ACL.
4. If the AAA client responds that it does not have the current version
of the ACL in its cache (that is, the ACL is new or has changed),
ACS sends the ACL (new or updated) to the device.
T. A. Yang
Network Security
6
Network access filters (NAF)
Source:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_wi
ndows/4.0/user/guide/c.html#wp696560
• a named group of any combination of one or more of the
following network elements: IP addresses, AAA clients
(network devices), Network device groups (NDGs)
• You can add a NAF that contains any combination of
NDG, network devices (AAA clients), or IP addresses.
• Benefits:
– Defining a NAF saves you the effort of listing each AAA client
explicitly.
– Network devices (e.g., all NAC-L3-IP devices or all NAC-L2-IP
devices) can be included in a single NAF for easy reference and
application of authentication functions.
T. A. Yang
Network Security
7
Discussions
• Bahiji
– p.294: “Before NAF, per-device access restriction was
not an option. … With NAF, granular application of
access restrictions and downloadable ACLs is now
possible, …”
– p.293: “NAF regulates the access control on the basis
of a AAA client’s IP address. Hence, ACLs can be
uniquely tailored on a per-user, per-device basis.”
• Q: Do you agree with the author that per-device
access restriction is the primary benefit of using
NAF?
T. A. Yang
Network Security
8
RADIUS authorization
components (RAC)
T. A. Yang
Network Security
9
Shell command authorization
sets
T. A. Yang
Network Security
10
Network access restrictions
(NAR)
T. A. Yang
Network Security
11
Machine access restrictions
(MAR)
T. A. Yang
Network Security
12
Network access profiles (NAP)
T. A. Yang
Network Security
13
Support for NAC
(Network Access Control)
• Goal of NAC: A self-defending network
(meaning?)
• In addition to verifying the user identity, the NAS
also validates the user computer’s posture.
• Two implementation options:
1. Cisco NAC Appliance Solution (Cisco package)
2. Cisco NAC Framework (with 3rd party products)
• More later …
T. A. Yang
Network Security
14
ACS support for
Multifactor Authentication
• Two or more factor authentication is desirable
(and more secure).
• ACS supports two-factor authentication:
–
–
–
–
ASCII
Password Authentication Protocol (PAP)
Protected Extensible Authentication Protocol (PEAP)
Extensible Authentication Protocol Generic Token
Card (EAP-GTC), using token servers
–?
T. A. Yang
Network Security
15
Vulnerability with
Static Passwords
• Static passwords are used over a period of time
– Subject to brute force attacks and dictionary attacks
– Eavesdropping attack
– Replayed passwords
Q: Would encryption help?
• Solution: Continually change the passwords
One-time passwords (OTP)
T. A. Yang
Network Security
16
One-Time Passwords
• A different password is sent to the authentication
server each time a user is authenticated.
• A password is used one time only.
A replayed password is useless.
• Three mechanisms:
1.Math algorithm
Initial seed + hash(previous password) next password
2.Challenge/Response
Prerequisite?
3.Time-synchronized
Prerequisite?
T. A. Yang
Network Security
17
Authentication Factors
• What the user knows
• What the user has
– Smart cards, tokens (h/w or s/w)
• What the user is
– Biometric features
• Where the user is
– GPS based authentication
• Combination of the above factors
T. A. Yang
Network Security
18
RSA SecureID
• A h/w or s/w token
• Each token has a built-in random key (the
seed)
• time-synchronized OTP
Q: What are the two factors?
T. A. Yang
Network Security
19
ACS’s Support for
Token Servers
• ACS supports two types of token servers:
1. RADIUS token server
• A token server with RADIUS i/f
• ACS communicates with the token server using the RADIUS
i/f.
1. Non-RADIUS token server
• RSA SecureID token servers do not support the RADIUS
protocol.
• ACS uses RSA’s client s/w to communicate with the RSA
token server.
T. A. Yang
Network Security
20
Authentication using Token Servers
•
http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chap
ter09186a00803deae1.html#wp1015122
T. A. Yang
Network Security
21
ACS’s Support for
Token Servers
• Cisco Secure ACS software supports
authentication from these authentication servers:
– CRYPTOCard
– SecurID ACE/Server
– SafeWord from Secure Computing
• For each token server you plan to support, make
sure you have properly installed the
corresponding software before installing the
Cisco Secure ACS.
T. A. Yang
Network Security
22