Transcript Chapter 13
Chapter 13: Authentication and
Access Control• Click to edit Master subtitle
style
Chapter 13 Objectives
• The Following CompTIA Network+ Exam Objectives
Are Covered in This Chapter:
• 3.3 Given a scenario, implement network hardening
techniques
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• Switch port security
o MAC address filtering
• Use secure protocols
o TLS/SSL
• Access lists
o IP filtering
o Port filtering
• User authentication
o CHAP/MSCHAP
o EAP
o Kerberos
o Multifactor authentication
o Two-factor authentication
o Single sign-on
2
Chapter 13 Objectives (Cont)
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
5.10 Given a scenario, configure and apply the appropriate ports and
protocols
• 3389 RDP
• 22 SSH
1.2 Compare and contrast the use of networking services and applications
• VPN
o Site to site/host to site/host to host
o Protocols
- IPsec
- GRE
- SSL VPN
- PTP/PPTP
• TACACS/RADIUS
• RAS
• Web services
• Unified voice services
• Network controllers
3.6 Explain the purpose of various network access control models
• 802.1x
• Posture assessment
3
• Guest network
• Persistent vs non-persistent agents
Security Filtering
How do we know who’s really at the other end of our connections?
The answer to the question may seem simple enough because the
computer or person on the other end of the connection has to
identify him/her/itself, right?
Wrong!
That’s just not good enough, because people—especially
hackers—lie!
The first line of defense is called security filtering,
which broadly refers to ways to let people securely
access your resources.
4
Access Control Lists (ACLs)
A can access B,
B can access if a secure
authenticated
connection is detected.
Network A
“Private” Network
Network B
“Public” Network
Router
•
•
•
•
Firewalls are tools implemented to prevent unauthorized users
from gaining access to your private network.
Firewalls can either be stand-alone devices or combined with
another hardware device like a server or a router.
Firewalls can use a lot of various technologies to restrict
information flow; the primary method is known as
an access control list (ACL).
ACLs typically reside on routers to determine which devices
are allowed to access them based on the requesting device’s
5
Internet Protocol (IP) address.
Tunneling
Internet
Single Private Path or Tunnel
Through the Internet
•
•
Tunneling is a concept which means encapsulating one protocol
within another to ensure that a transmission is secure.
Here’s an example:
The lion’s share of us use IP, known as a payload protocol, which
can be encapsulated within a delivery protocol like Internet
Protocol Security (IPSec).
If you took a look at each packet individually, you would see
that
6
they’re encrypted.
Tunneling Protocols
•
There are several tunneling protocols implemented you need
to be familiar with:
–
–
–
–
–
–
–
Virtual Private Network (VPN)
Secure Sockets Layer (SSL)
Secure Sockets Layer Virtual Private Network (SSL VPN)
Layer 2 Tunneling Protocol (L2TP)
Point to Point Tunneling Protocol (PPTP)
Internet Protocol Security (IPSec)
ISAKMP
7
Virtual Private Network (VPN)
Use a VPN is so a host can traverse an insecure network
(Internet) and become local to the remote network
Secure VLAN at
Dallas Corporate Office
Servers
Internet
My host In
Colorado
Now my host appears
local to the servers.
Secure Server Room
8
Virtual Private Network (VPN)
Use a VPN is so a host can traverse an insecure network
(Internet) and become local to the remote network
•
Remote access VPNs
– Remote access VPNs allow remote users like
telecommuters to securely access the corporate network
wherever and whenever they need to.
•
Site-to-site VPNs
– Site-to-site VPNs, or intranet VPNs, allow a company to
connect its remote sites to the corporate backbone
securely over a public medium like the Internet instead of
requiring more expensive wide area network (WAN)
connections like frame relay.
•
Extranet VPNs
– Extranet VPNs allow an organization’s suppliers,
partners, and customers to be connected to the
corporate network in a limited way for business-tobusiness (B2B) communications.
9
SSL and SSL VPN
•
Secure Sockets Layer (SSL). This security protocol was
developed by Netscape to work with its browser. It’s
based on Rivest, Shamir, and Adleman (RSA) publickey encryption and used to enable secure Session-layer
connections over the Internet between a web browser
and a web server.
Connection Request
Secure Connection Needed
Security Capabilities
SSL Session Established
PC
Server
The SSL connection process
•An SSL VPN is really the process of using SSL to create a10
Virtual Private Network (VPN).
L2TP and PPTP
•
L2TP
– Layer 2 Tunneling Protocol (L2TP) created by the
Internet Engineering Task Force (IETF), supports nonTCP/IP protocols in VPNs over the Internet.
– L2TP is a combination of Microsoft’s Point-to-Point
Tunneling Protocol (PPTP) and Cisco’s Layer 2
Forwarding (L2F) technologies.
•
PPTP
– Point-to-point Tunneling Protocol was developed jointly
by Microsoft, Lucent Technologies, 3COM, and a few
other companies.
– Not sanctioned by the IETF
– PPTP acts by combining an unsecured Point-to-Point
Protocol (PPP) session with a secured session using the
Generic Routing Encapsulation (GRE) protocol.
11
Figure 13.5
IPSec
IP Security (IPSec) was designed by the IETF for providing
authentication and encryption over the Internet.
It works at the Network layer of the OSI model (Layer 3) and
secures all applications that operate in the layers above it.
•
•
•
IPSec works in two modes: transport mode and tunnel mode.
Transport mode is the simpler of the two;
it creates a secure IP connection between two hosts.
The data is protected by authentication and/or encryption
13
IPSec – Tunnel Mode
•
•
•
In tunnel mode, the complete packet is encapsulated
within IPSec.
ESP gives us both authentication and encryption.
Tunnel mode is created between two endpoints, such
as two routers or two gateway servers, protecting all
traffic that goes through the tunnel
14
Encryption
•
Encryption works by running the data (which when
encoded is represented as numbers) through a special
encryption formula called a key that the designated sending
and receiving devices both “know.” When encrypted data
arrives at its specified destination, the receiving device
uses that key to decode the data back into its original form.
•
An encryption key is essentially a table or formula that
defines a specific character in the data that translates
directly to the key. Encryption keys come in two flavors:
public and private.
15
Encryption Standards
Data Encryption Standard (DES)
• IBM developed the most widely used private-key systems:
Data Encryption Standard (DES).
– It was made a standard in 1977 by the U.S government.
•
•
DES uses lookup and table functions and works much faster
than public-key systems.
DES uses 56-bit private keys.
Triple Data Encryption Standard (3DES)
• Triple Data Encryption Standard was originally developed in
the late 1970s
• The recommended method of implementing DES encryption
in 1999.
• 3DES encrypts three times, and it allows us to use one, two,
or three separate keys.
• 3DES is slow.
16
Encryption Standards (Cont)
Advanced Encryption Standard (AES)
• The Advanced Encryption Standard (also known as
Rijndael) has been the “official” encryption standard in
the United States since 2002.
• AES has key lengths of 128, 192, or 256 bits.
• The United States government has determined that
128-bit security is adequate for things like secure
transactions and all materials deemed Secret
• All Top Secret information must be encoded using
192- or 256-bit keys.
• The AES standard has proven amazingly difficult to
crack.
17
Public Key Encryption
Original Message
Encrypted Using
User Y’s Public Key
Original Message
Decrypted Using
User Y’s Private Key
Y&Z!8:”
>)(hb&
gf%^dc
yH98Y
milk
bread
eggs
cat food
Don’t
forget
the
chocolate!
>_<l)(+
<&n_(^
utrfytr
&(%pG
UDOPJ
User X
Reply Message
Encrypted Using
User X’s Public Key
•
•
•
•
User Y
Reply Message
Decrypted Using
User X’s Private Key
Public key encryption uses the Diffie-Hellman algorithm employing
a public key and a private key to encrypt and decrypt data.
The sending machine’s public key is used to encrypt a message to
the receiving machine
The receiver decrypts the message with its private key.
If the original sender doesn’t have a public key, the message can
still be sent with a digital certificate, often called a digital ID, which
18
verifies the sender of the message.
Pretty Good Privacy (PGP)
Encrypted with
Session Key
Encryption
Process
Document
Key Store
Encrypted with
Public Key
Clphertext + Encrypted
Session Key
Encrypted
Session Key
Recipient’s
Private Key
Clphertext
Session Key to
Decrypt Clphertext
Decryption
Process
Encrypted
Message
Document
19
RAS
Remote
Access Server
Remote
Resources
Remote
Access Client
•
•
Remote Access Services (RAS) is not a protocol but refers to
the combination of hardware and software required to make a
remote-access connection.
The term was popularized by Microsoft when the company
began referring to its Windows NT–based remote-access tools
under this name.
– Users would dial in via a modem.
– Be authenticated by the server.
– Asked for their username and password as if they were on the local
network.
20
– Once logged in, users had access to data on the internal network
just as if they were logged in locally.
Remote Access
RDP
• Remote Desktop Protocol (RDP) allows users to connect
to a computer running Microsoft’s Terminal Services.
Most Windows-based operating systems include an RDP
client
• After establishing a connection, the user sees a terminal
window that’s basically a preconfigured window that looks
like a Windows or other operating system’s desktop.
PPP
• Point to Point Protocol (PPP) is a Layer 2 protocol that
provides authentication, encryption, and compression
services to clients logging in remotely.
PPPoE
• Point to Point Protocol over Ethernet (PPPoE) is an
extension of PPP. Its purpose is to encapsulate PPP
frames within Ethernet frames.
21
Remote Access
ICA
• Independent Computing Architecture (ICA) is a
protocol designed by Citrix Systems to provide
communication between servers and clients.
• Citrix’s WinFrame uses ICA to allow administrators to
set up Windows applications on a Windows-based
server and then allow clients with virtually any
operating system to access those applications.
SSH
• Designed as an alternative to command-based
utilities such as Telnet that transmit requests and
responses in clear text
• Creates a secure channel between the devices and
provides confidentiality and integrity of the data
transmission. It uses public-key cryptography to
authenticate the remote computer and allow the
remote computer to authenticate the user, if
necessary.
22
User Account and Resource
Security
•
•
Network Resource-Sharing Security Models
– Share-Level Security
– User-Level Security
Managing User Accounts
– Disabling Accounts
– Setting Up Anonymous Accounts
– Limiting Connections
– Renaming the Maintenance Account
• Managing Passwords
– Minimum Length
– Complexity
23
User-Authentication Methods
Public Key Infrastructure (PKI)
Certificate Authority
Message
Mike
Certificate
Jeff
Jeff can verify that the
message with the
certificate from Mike is
valid if he trusts the CA.
•
•
Public Key Infrastructure (PKI) is a system that links users to
public key that verifies the user’s identity by using a certificate
authority (CA).
The CA as an online entity responsible for validating user IDs
and issuing unique identifiers to confirmed individuals to 24
certify
that their identity can really be trusted.
Chapter 13
PKI in action
Figure 13.12
Public Key Encryption at Work
This message
is for Jenny…
Joe creates a
message for
Jenny.
1
ehyeosy
Ayg9us3
el48vye
This message
is for Jenny…
The data gets
Jenny can read
sent across
the message.
the wire.
Joe uses
Jenny uses her
5
3
Jenny’s Public
Private key to
key to encrypt
decrypt the
the message.
message.
2
4
User-Authentication Methods
Kerberos
5
2
4
Client
1
3
Authentication Server
1 Request for ticket granting ticket
(TGT)
2 TGT returned by authentication
service
Application Server
4 Application ticket returned by ticket-
granting service
5 Request for service
(authenticated with application ticket)
3 Request for application ticket
(authenticated with TGT)
26
Authentication, Authorization,
and Accounting (AAA)
RADIUS
• Although its name implies it, Remote Authentication
Dial-In User Service (RADIUS) is not a dial-up server,
it’s evolved into more of a verification service.
• RADIUS is an authentication and accounting service
used for verifying users over various types of links,
including dial-up.
• RADIUS servers are a client-server based
authentication and encryption services and maintains
user profiles in a central database.
• RADIUS is also used in firewalls to verify the
credentials given; if successful, access is granted
27
Authentication, Authorization,
and Accounting (AAA)
TACACS+
• The Terminal Access Controller Access-Control System Plus
(TACACS+) protocol is an alternative AAA method to RADIUS.
• TACACS+ separates the two authentication and authorization
into two profiles (RADIUS uses one profile),.
• TACACS+ utilizes the connection-based TCP protocol
(RADIUS uses UDP).
• TACACS+ is considered more stable and secure than RADIUS.
28
Network Access Control (NAC)
•
•
•
Network Access Control (NAC) is a method of securing
network hosts before they’re allowed to access the
network.
NAC is commonly used in implementations in wireless
networking, where nodes are often added to and
removed from the network freely.
IEEE 802.1x is one of the most common forms of NAC
29
Challenge Handshake
Authentication Protocol (CHAP)
•
Challenge Handshake Authentication Protocol (CHAP) is a
secure authentication protocol because with CHAP, the
username and password never cross the wire. Instead,
both the client and server are configured with the same
text phrase that’s known as a shared secret.
30
Other AAA
MS-CHAP
• Microsoft has its own variation of CHAP known as Microsoft
Challenge Handshake Authentication Protocol (MS-CHAP).
• Unlike CHAP, which requires the shared secret to be stored
locally in clear text, MS-CHAP encrypts the secret locally.
• MS-CHAP version 2 is capable of mutual authentication so
that the client can be sure the server is legitimate as well.
Extensible Authentication Protocol (EAP)
• Extensible Authentication Protocol (EAP) is an extension to
PPP providing additional authentication methods for remote
access clients:
–
–
–
–
Smart cards
Certificates
Kerberos
Biometric schemes (retinal scans and fingerprint)
31
Summary
•
•
•
•
Summary
Exam Essentials Section
Written Labs
Review Questions
32