FIGURE 14-4 A proxy server used on a WAN
Often, firewall and proxy server features are combined in one device. In other words, you might purchase a firewall and be able to configure it not only to block certain types of traffic from entering your network, but also to modify the addresses in the packets leaving your network.
Remote Access
As you have learned, many companies supply traveling employees, telecommuters, or distant vendors with remote access to their private LANs or WANs. When working with remote access, you must remember that any entry point to a LAN or WAN creates a potential security risk. In other words, if an employee can get to your network in New York from his hotel room in Rome, a smart hacker can likely do the same. You can, however, take advantage of techniques designed to minimize the possibility of such unauthorized remote access. In this section, you will learn about security measures tailored to remote access solutions, such as remote control and dial-up networking.
Remote Control
Remote control systems enable a user to connect to a host system on a network from a distance and use that system's resources as if the user were sitting in front of it. Although such remote control systems can be convenient, they can also present serious security risks. Most remote control software programs (for example, Symantec Corporation's pcAnywhere) offer features that increase the security of remote control systems. If you intend to allow remote control access to a host on your LAN, you should investigate these security features and know how to implement them correctly. Important security features that you should seek in a remote control program include the following:
◆ A user name and password requirement for gaining access to the host system.
◆ The ability of the host system to call back. This feature enables a remote user to dial into the network, enter a user name, and hang up. The host system then calls the user back at a predetermined number (the authorized user's modem number), thus preventing a hacker from taking over a system even if he obtains the correct user ID and password for the host system. Callback can be defeated by call forwarding on the user's line, so treat it as a supplement to strong authentication rather than a substitute for it.
◆ Support for data encryption on transmissions between the remote user and the system.
◆ The ability to leave the host system's screen blank while a remote user works on it. This feature prevents people walking by from seeing potentially confidential data.
◆ The ability to disable the host system's keyboard and mouse. This feature turns the host system into a terminal that responds only to remote users.
◆ The ability to restart the host system when a remote user disconnects from the system. This feature prevents anyone from reviewing what happened during the remote user's session or gaining access if the session was accidentally terminated before the remote user could properly log off.
◆ User name and password authentication
◆ The ability to log all dial-up connections, their sources, and their connection times
◆ The ability to perform callbacks to users who initiate connections
◆ Centralized management of dial-up users and their rights on the network
Dial-up network security depends on strict verification of a user's credentials. Methods of achieving this verification are discussed later in the "Authentication Protocols" section of this chapter.
Network Operating System Security
Regardless of whether you run your network on a Novell, Microsoft, Macintosh, Linux, or UNIX network operating system, you can implement basic security by restricting what users are authorized to do on a network. Every network administrator should understand which resources on the server all users need to access. The rights conferred to all users are called public rights, because anyone can have them and exercising them presents no security threat to the network. In most cases, public rights are very limited. They may include privileges to view and execute programs from the server and to read, create, modify, delete, and execute files in a shared data directory.
In addition, network administrators need to group users according to their security levels and assign additional rights that meet the needs of those groups. As you know, creating groups simplifies the process of granting rights to users. For example, if you work in the IT Department at a large college, you will most likely need more than one person to create new user IDs and passwords for students and faculty. Naturally, the staff in charge of creating new user IDs and passwords need the rights to perform this task. You could assign the appropriate rights to each staff member individually, but a more efficient approach is to put all of the personnel in a group, and then assign the appropriate rights to the group as a whole.
Logon Restrictions
In addition to restricting users' access to files and directories on the server, a network administrator can constrain the ways in which users can access the server and its resources. The following is a list of additional restrictions that network administrators can use to strengthen the security of their networks:
◆ Time of day—Some user accounts may be valid only during specific hours—for example, between 8:00 A.M. and 5:00 P.M. Specifying valid hours for an account can increase security by preventing any account from being used by unauthorized personnel after hours.
◆ Total time logged on—Some user accounts may be restricted to a specific number of hours per day of logged-on time. Restricting total hours in this way can increase security in the case of temporary user accounts. For example, suppose that your organization offers a WordPerfect training class to a group of high school students one afternoon, and the WordPerfect program and training files reside on your staff server. You might create accounts that could log on for only four hours on that day.
◆ Source address—You can specify that user accounts can log on only from certain workstations or certain areas of the network (that is, domains or segments). This restriction can prevent unauthorized use of user names from workstations outside the network.
◆ Unsuccessful logon attempts—Hackers may repeatedly attempt to log on under a valid user name for which they do not know the password. As the network administrator, you can set a limit on how many consecutive unsuccessful logon attempts from a single user ID the server will accept before blocking that ID from even attempting to log on. Keep the lockout window short and check the source address before counting a failure; otherwise an attacker who knows the rule can deliberately lock every account out, turning the control into a denial of service.
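As an added example that is not part of the original text, the following Go program applies three of the four restrictions above (time of day, source address, and an unsuccessful-attempt lockout; the total-time limit needs session accounting and is left out) to individual logon attempts. The order of the checks is deliberate: the source address is tested before the password so that a stranger outside the permitted subnet cannot run up the failure counter. The account name, the 10.0.5.0/24 subnet, the 8 to 17 hour window, the three-strike limit and the 15-minute lockout are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Account carries the logon restrictions for one user plus the running
// count of consecutive failed attempts.  Values are assumed for this example.
type Account struct {
	Name        string
	Password    string // kept in plaintext only to keep the example short; store a hash in practice
	AllowedFrom *net.IPNet
	HourStart   int // first permitted hour (inclusive), in the attempt's local time
	HourEnd     int // first hour that is no longer permitted
	MaxFailures int
	LockedUntil time.Time
	failures    int
}

// Attempt is one logon request as the server sees it.
type Attempt struct {
	Password string
	Source   net.IP
	At       time.Time
}

// Logon evaluates the restrictions in order and returns whether the attempt
// is accepted together with a short reason.
func (a *Account) Logon(att Attempt) (bool, string) {
	if att.At.Before(a.LockedUntil) {
		return false, "account locked"
	}
	if h := att.At.Hour(); h < a.HourStart || h >= a.HourEnd {
		return false, "outside permitted hours"
	}
	// Reject unknown sources before touching the failure counter, so that an
	// outsider cannot lock the legitimate user out on purpose.
	if a.AllowedFrom != nil && !a.AllowedFrom.Contains(att.Source) {
		return false, "source address not permitted"
	}
	if att.Password != a.Password {
		a.failures++
		if a.failures >= a.MaxFailures {
			a.failures = 0
			a.LockedUntil = att.At.Add(15 * time.Minute)
			return false, "too many failed attempts; account locked"
		}
		return false, "bad password"
	}
	a.failures = 0 // a successful logon resets the consecutive-failure count
	return true, "ok"
}

// NewStaffAccount builds the hypothetical account used below.
func NewStaffAccount() *Account {
	_, lan, _ := net.ParseCIDR("10.0.5.0/24")
	return &Account{
		Name: "jdoe", Password: "Tr1nket-M4kers!", AllowedFrom: lan,
		HourStart: 8, HourEnd: 17, MaxFailures: 3,
	}
}

func main() {
	acct := NewStaffAccount()
	base := time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC) // Monday 10:00
	inside := net.ParseIP("10.0.5.20")
	outside := net.ParseIP("192.0.2.9")

	steps := []Attempt{
		{acct.Password, inside, base},                       // ok
		{acct.Password, inside, base.Add(12 * time.Hour)},   // 22:00, after hours
		{acct.Password, outside, base},                      // wrong subnet
		{"guess1", inside, base}, {"guess2", inside, base},  // two failures
		{"guess3", inside, base},                            // third failure locks
		{acct.Password, inside, base.Add(time.Minute)},      // still locked
		{acct.Password, inside, base.Add(20 * time.Minute)}, // lock expired
	}
	for _, s := range steps {
		ok, reason := acct.Logon(s)
		fmt.Printf("%-16s %-12s %s -> %v (%s)\n", s.Password, s.Source, s.At.Format("15:04"), ok, reason)
	}
}
```

The lockout resets the failure counter when it fires, so the next burst of bad guesses after the window expires again needs three misses; a production implementation would also log every decision with the source address so that a flood of "source address not permitted" lines is visible to the operator.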
Another security technique that can be enforced by a network administrator through the NOS is the selection of secure passwords. The following section discusses the importance and characteristics of choosing a secure password.
Tips for making and keeping passwords secure include the following:
◆ Always change system default passwords after installing new programs or equipment. For example, after installing a router, the default administrator's password on the router might be set by the manufacturer to be "1234" or the router's model number.
◆ Do not use familiar information, such as your name, nickname, birth date, anniversary, pet's name, child's name, spouse's name, user ID, phone number, address, or any other words or numbers that others might associate with you.
◆ Do not use any word that might appear in a dictionary. Hackers can use programs that try a combination of your user ID and every word in a dictionary to gain access to the network. This is known as a dictionary attack, and it is typically the first technique a hacker uses when trying to guess a password (besides asking the user for her password). Dictionary attack tools also try the common variations of each word (capitalized, with digits or punctuation appended), so "Password1" is no safer than "password".
◆ Make the password longer than eight characters—the longer, the better. Some operating systems require a minimum password length (often, eight characters), and some may also restrict the password to a maximum length.
◆ Choose a combination of letters and numbers; add special characters, such as exclamation marks or hyphens, if allowed. Also, if passwords are case sensitive, use a combination of uppercase and lowercase letters.
◆ Do not write down your password or share it with others.
◆ Change your password at least every 60 days, or more frequently, if desired. If you are a network administrator, establish controls through the network operating system to force users to change their passwords at least every 60 days. If you have access to sensitive data, change your password even more frequently. (Current guidance in NIST SP 800-63B drops mandatory periodic changes in favor of long passwords that are replaced when compromise is suspected, because forced rotation pushes users toward predictable variants of the old password.)
◆ Do not reuse passwords.
Password guidelines should be clearly communicated to everyone in your organization through your security policy. Although users may grumble about choosing a combination of letters and numbers and changing their passwords frequently, you can assure them that the company's financial and personnel data is safer as a result. No matter how much your colleagues protest, do not back down from your password requirements. Many companies mistakenly require employees only to use a password, and don't help them choose a good one. This oversight increases the risk of security breaches.
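The dictionary attack mentioned in the tips above, as an added example in Go that is not from the original text: it takes a stored salted hash, runs every dictionary word and its usual variants through the same hash, and reports how many guesses it took. The six-word list, the salt and the two candidate passwords are constructed for the example, and SHA-256 stands in for the slow key-derivation function a real system should use (its speed is exactly what makes this attack cheap).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed for this example: a per-user salt and a tiny stand-in for a
// dictionary.  Real wordlists run to millions of entries.
var sampleSalt = []byte("a3f9c1")
var wordlist = []string{"letmein", "password", "welcome", "summer", "trinket", "dragon"}

// suffixes are the endings users most often append to a dictionary word.
var suffixes = []string{"", "1", "123", "!", "2024"}

// HashPassword returns hex(SHA-256(salt || password)).  A fast hash is used
// only so the block runs with the standard library; production systems must
// use a slow, memory-hard KDF (Argon2id, scrypt or bcrypt) instead.
func HashPassword(salt []byte, password string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// Mutations lists the guesses derived from one word: lower case and
// capitalized, each with every common suffix (ten candidates per word).
func Mutations(word string) []string {
	capitalized := strings.ToUpper(word[:1]) + word[1:]
	out := make([]string, 0, 2*len(suffixes))
	for _, s := range suffixes {
		out = append(out, word+s, capitalized+s)
	}
	return out
}

// DictionaryAttack hashes each candidate under the victim's salt and
// compares it with the stored hash.  It returns the recovered password, the
// number of guesses made, and whether the attack succeeded.
func DictionaryAttack(storedHash string, salt []byte, words []string) (string, int, bool) {
	guesses := 0
	for _, w := range words {
		for _, candidate := range Mutations(w) {
			guesses++
			if HashPassword(salt, candidate) == storedHash {
				return candidate, guesses, true
			}
		}
	}
	return "", guesses, false
}

func main() {
	for _, pw := range []string{"Password1", "correct-horse-battery-staple-42"} {
		stored := HashPassword(sampleSalt, pw)
		found, n, ok := DictionaryAttack(stored, sampleSalt, wordlist)
		if ok {
			fmt.Printf("%q recovered after %d guesses\n", found, n)
		} else {
			fmt.Printf("no match after %d guesses; a brute-force search is the only option left\n", n)
		}
	}
}
```

"Password1" falls on the fourteenth guess because it is the second word's fourth mutation; the long passphrase survives the whole list, which is the practical meaning of the "do not use a dictionary word" and "the longer, the better" tips.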
Encryption is the use of an algorithm to scramble data into a format that can be read only by reversing the algorithm—that is, by decrypting the data. The purpose of encryption is to keep information private. Many forms of encryption exist, with some being more secure than others. Even as new forms of encryption are developed, new ways of cracking their codes emerge, too.
Encryption is the last means of defense against data theft. In other words, if an intruder has bypassed all other methods of access, including physical security (for instance, he has broken into the telecommunications room) and network design security (for instance, he has defied a firewall's packet-filtering techniques), data may still be safe if it is encrypted. Encryption can protect data stored on a medium, such as a hard disk, or in transit over a communications channel. To protect data, a properly designed encryption system provides the following assurances:
◆ Data was not modified after the sender transmitted it and before the receiver picked it up.
◆ Data can only be viewed by its intended recipient (or at its intended destination).
◆ All of the data received at the intended destination was truly issued by the stated sender and not forged by an intruder.
Strictly speaking, encryption by itself guarantees only the second of these (confidentiality). The first (integrity) and the third (authenticity) come from the message authentication codes and digital signatures that practical systems layer on top of it, which is why modern protocols use authenticated encryption rather than bare encryption.
The following sections describe data encryption techniques used to protect data stored on or traveling across networks.
Key Encryption
The most popular kind of encryption algorithm weaves a key (a random string of bits) into the original data's bits—sometimes several times in different sequences—to generate a unique data block. The scrambled data block is known as ciphertext. The longer the key, the less easily the ciphertext can be decrypted by an unauthorized system. For example, a 128-bit key allows for 2^128 possible keys, whereas a 16-bit key allows for only 2^16 (65,536) possible keys. Hackers may attempt to crack, or discover, a key by using a brute force attack, which means simply trying every possible key until one decrypts the data. (Typically a hacker runs an application to carry out the attack.) Through a brute force attack, a hacker could discover a 16-bit key quickly and without using sophisticated computers, but would have difficulty discovering a 128-bit key. Key length is only half the story, however: an algorithm with a structural flaw can be broken without searching the key space at all, so a long key never compensates for a weak cipher.
NOTE: Adding 1 bit to an encryption key makes it twice (2^1 times) as hard to crack. For example, a 129-bit key would be twice as hard to crack as a 128-bit key. Similarly, a 130-bit key would be four (2^2) times as hard to crack as a 128-bit key.
The process of key encryption is similar to what happens when you finish a card game, place your five-card hand into the deck, and then shuffle the deck numerous times. After shuffling, it might take you a while to retrieve your hand. If you shuffled your five cards into four decks of cards at once, it would be even more difficult to find your original hand. In encryption, theoretically only the user or program authorized to retrieve the data knows how to unshuffle the ciphertext and compile the data in its original sequence. Figure 14-5 provides a simplified view of key encryption and decryption. Note that actual key encryption does not simply weave a key into the data once, but rather inserts the key, shuffles the data, shuffles the key, inserts another copy of the shuffled key into the shuffled data, shuffles the data again, and so on for several iterations.
FIGURE 14-5 Key encryption and decryption
Keys are randomly generated, as needed, by the software that manages the encryption. For example, an e-mail program or a Web browser program may be capable of generating its own keys to encrypt data. In other cases, special encryption software is used to generate keys. This encryption software works with other types of software, such as word-processing or spreadsheet programs, to encrypt data files before they are saved or transmitted.
Private Key Encryption
Key encryption can be separated into two categories: private key and public key encryption. In private key encryption, data is encrypted using a single key that only the sender and the receiver know. Private key encryption is also known as symmetric encryption, because the same key is used during both the transmission and reception of the data.
Suppose John wants to send a secret message to Mary via private key encryption. Assume he has chosen a private key. Next, he must share his private key with Mary, as shown in Step 1 of Figure 14-6. Then, John runs a program that encrypts his message by combining it with his private key, as shown in Step 2. Next, John sends Mary the encrypted message, as shown in Step 3. After Mary receives John's encrypted message, she runs a program that uses John's private key to decrypt the message, as shown in Step 4. The result is that Mary can read the original message John wrote.
FIGURE 14-6 Private key encryption
The most popular private, or symmetric, key encryption was for many years based on DES (pronounced "dez"), which stands for Data Encryption Standard. DES, which uses a 56-bit key, was developed by IBM in the 1970s. When DES was released, a 56-bit key was secure; however, the first public brute-force break, in 1998, took under three days, and such a key can now be recovered in hours with purpose-built or rented hardware. For greater security, the modern implementation of DES weaves a 56-bit key through data three times, using two or three different keys. This implementation is known as Triple DES (3DES).
A more recent private key encryption standard is the AES (Advanced Encryption Standard), which weaves keys of 128, 192, or 256 bits through data multiple times. (The underlying design also accepts 160- and 224-bit keys, but the AES standard itself does not.) The algorithm standardized as AES is known as Rijndael, after its two Belgian inventors, Dr. Vincent Rijmen and Dr. Joan Daemen. AES is considered more secure than DES and much faster than Triple DES. AES has replaced DES in situations such as military communications, which must have the highest level of security.
The problem with private key encryption is that the sender must somehow share his key with the recipient. For example, John could call Mary and tell her his key, or he could send it to her in an e-mail message. But neither of these methods is very secure. To overcome this potential vulnerability, a method of associating publicly available keys with private keys was developed. This method is called public key encryption.
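The John-and-Mary exchange above, as an added Go example that is not part of the original text: one shared key is generated, used to encrypt, and used again to decrypt. AES-256 in GCM mode is chosen because it is an authenticated mode, which also shows the integrity assurance listed earlier in this chapter: a wrong key or a single altered byte is rejected outright rather than producing garbage. The message text is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewSharedKey generates the single secret both parties must hold (the key
// John has to deliver to Mary in Step 1).  32 bytes selects AES-256.
func NewSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// gcmFor builds an AES-GCM instance for the given key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag.  GCM requires a fresh nonce
// for every message under the same key; reusing one breaks the mode.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt with the same key.  Open verifies the
// authentication tag before returning anything, so a wrong key or a
// modified byte yields an error instead of corrupted plaintext.
func Decrypt(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := NewSharedKey() // Step 1: John generates the key and shares it with Mary
	ct, _ := Encrypt(key, []byte("Meet at the usual place at noon.")) // Step 2
	pt, err := Decrypt(key, ct) // Step 4: Mary uses the same key
	fmt.Printf("Mary reads: %q (err=%v)\n", pt, err)

	other, _ := NewSharedKey()
	_, err = Decrypt(other, ct)
	fmt.Println("different key rejected:", err != nil)

	ct[len(ct)/2] ^= 0x01 // an intruder flips one bit in transit
	_, err = Decrypt(key, ct)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Nothing in this block solves the key distribution problem the text goes on to describe; the key still has to reach Mary by some secure path, which is where public key encryption comes in.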
Public Key Encryption
In public key encryption, data is encrypted using two keys: One is a key known only to a user (that is, a private key), and the other is a public key associated with the user. A user's public key can be obtained the old-fashioned way—by asking that user—or it can be obtained from a third-party source, such as a public key server. A public key server is a publicly accessible host (such as a server on the Internet) that freely provides a list of users' public keys, much as a telephone book provides a list of people's phone numbers.
Figure 14-7 illustrates the process of public key encryption.
FIGURE 14-7 Public key encryption
For example, suppose that Mary wants to use public key encryption to send John a message via the Internet. Assume John already established a private and a public key, as shown in Step 1 of Figure 14-7. He stores his public key on a key server on the Internet, as shown in Step 2, and keeps his private key to himself. Before Mary can send John a message, she must know his public key. John tells Mary where she can find his public key, as shown in Step 3. Next, Mary writes John a message, retrieves his public key from the public key server, and then uses her encryption software to scramble her message with John's public key, as shown in Step 4. Mary sends her encrypted message to John over the Internet, as shown in Step 5. When John receives the message, his software recognizes that the message has been encrypted with his public key. In other words, the public key has an association with the private key. A message that has been encrypted with John's public key can only be decrypted with his private key. The program then prompts John for his private key to decrypt the message, as shown in Step 6. To respond to Mary in a publicly encrypted message, John must obtain Mary's public key. Then, the steps illustrated in Figure 14-7 are repeated, with John and Mary's roles reversed. Note that the key server merely stores keys; nothing in this exchange proves to Mary that the key labeled "John" was posted by John rather than by an impostor. That is the problem digital certificates, described later in this section, are designed to solve.
The combination of a public key and a private key is known as a key pair. In the public key encryption example discussed previously, John has a key pair, but only he knows his private key, whereas the public key is available to people, like Mary, who want to send him encrypted messages. Because public key encryption requires the use of two different keys, it is also known as asymmetric encryption. The best-known public key algorithm is RSA (named after its creators, Ronald Rivest, Adi Shamir, and Leonard Adleman), which was made public in 1977. In RSA, a key is created by first choosing two large prime numbers (numbers that cannot be divided evenly by anything but 1 or themselves) and multiplying them together. RSA is routinely used to secure e-commerce transactions. Because public key operations are slow, RSA is normally used only to exchange or wrap a symmetric key, and the bulk of the data is then encrypted with a symmetric cipher. Historically, RSA was paired with RC4, a stream cipher that weaves a key with data as a computer issues the stream of data. RC4 keys can be as long as 2048 bits, and RC4 is fast. It was used with many e-mail and browser programs, including Lotus Notes and Netscape, but it has since been shown to have serious statistical weaknesses and is now prohibited in TLS (RFC 7465); it should not be used in new systems.
With the abundance of private and public keys, not to mention the number of places where each may be kept, users need easier key management. One answer to this problem is using digital certificates. A digital certificate is a file that binds an individual's (or a server's) identification information to a public key and is digitally signed by a trusted third party, a certificate authority (CA). The signature lets anyone who trusts the CA confirm that the public key really belongs to the named holder. The certificate itself is public and is not encrypted; it is the matching private key that must be kept secret, typically protected by a passphrase. For example, on the Internet, certificate authorities such as VeriSign will, for a fee, verify your identity and sign your certificate, thereby assuring all who want to send encrypted messages to you (for example, an order via your e-commerce site) that the public key in the certificate is indeed yours.
The following sections detail specific methods of encrypting data as it is transmitted over a network. These methods use one or more of the encryption algorithms discussed in this section.
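Steps 1, 4 and 6 of Figure 14-7, plus the digital signature that certificates rely on, as an added Go example that is not from the original text. Two RSA key pairs stand in for John and Mary; Mary encrypts to John's public key and only John's private key opens the result, then Mary signs a message with her private key and anyone holding her public key can check that it is hers and unaltered. OAEP and PSS padding are used because raw RSA is insecure; the order text is constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair is Step 1 of Figure 14-7: a private key that stays with
// its owner and a public key that can be published on a key server.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptTo scrambles msg with the recipient's public key (Step 4).
// OAEP padding is mandatory; textbook RSA without padding is insecure.
func EncryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptWith recovers the message with the matching private key (Step 6).
// Any other private key produces a decryption error, not wrong plaintext.
func DecryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces a digital signature over msg with the sender's private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks a signature with the sender's public key.  True means the
// message is unaltered and was signed by the holder of the private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	john, _ := GenerateKeyPair()
	mary, _ := GenerateKeyPair()
	order := []byte("Order #4471: 12 trinkets")

	// Mary encrypts to John's public key; only John's private key opens it.
	ct, _ := EncryptTo(&john.PublicKey, order)
	pt, err := DecryptWith(john, ct)
	fmt.Printf("John reads: %q (err=%v)\n", pt, err)
	_, err = DecryptWith(mary, ct)
	fmt.Println("Mary's private key fails:", err != nil)

	// Mary signs with her private key; her public key verifies it.
	sig, _ := Sign(mary, order)
	fmt.Println("signature valid:", Verify(&mary.PublicKey, order, sig))
	fmt.Println("altered order valid:", Verify(&mary.PublicKey, []byte("Order #4471: 120 trinkets"), sig))
}
```

A certificate is, in these terms, a CA's Sign over "this name owns this public key"; a relying party calls Verify with the CA's public key before trusting the key inside.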
PGP (Pretty Good Privacy)
You have probably exchanged e-mail messages over the Internet without much concern for what happens with your message between the time you send it and when your intended recipient picks it up. In addition, you have probably picked up e-mails from friends without thinking that they might not be from your friends, but rather from other users who are impersonating your friends over the Internet. In fact, typical e-mail communication is a highly insecure form of data exchange. The contents of a message are usually sent in clear (that is, unencrypted) text, which makes it readable by anyone who can capture the message on its way from you to your recipient. In addition, a person with malicious intentions can easily pretend he is someone else. For example, if your e-mail address is joe@trinketmakers.com, someone else could assume your address and send messages that appear to be sent by joe@trinketmakers.com. To secure e-mail transmissions, a computer scientist named Phil Zimmermann developed PGP in the early 1990s. PGP (Pretty Good Privacy) is a public key encryption system that can verify the authenticity of an e-mail sender and encrypt e-mail data in transmission. PGP, which is now administered at MIT, is freely available as both an open source and a proprietary software package; its message format has since been standardized by the IETF as OpenPGP (RFC 4880), which GnuPG and other tools implement. Since its release, it has become the most popular tool for encrypting e-mail. Note that PGP protects the message body only; the headers (sender, recipient, subject) still travel in the clear. However, PGP can also be used to encrypt data on storage devices (for example, a hard disk) or with applications other than e-mail (for example, IP telephony).
SSL (Secure Sockets Layer)
SSL (Secure Sockets Layer) is a method of encrypting TCP/IP transmissions—including Web pages and data entered into Web forms—en route between the client and server. It uses public key encryption to authenticate the server and to agree on a session key, and symmetric encryption under that session key for the data itself. If you trade stocks or purchase goods on the Web, for example, you are most likely using SSL to transmit your order information. SSL is popular and used widely. The most recent versions of Web browsers, such as Netscape and Internet Explorer, include SSL client support in their software.
If you have used the Web, you have probably noticed that URLs for most Web pages begin with the HTTP prefix, which indicates that the request is handled by TCP/IP port 80 using the HTTP protocol. When Web page URLs begin with the prefix HTTPS (which stands for HTTP over Secure Sockets Layer or HTTP Secure) they require that their data be transferred from server to client and vice versa using SSL encryption. HTTPS uses the TCP port number 443, rather than port 80. After an SSL connection has been established between a Web server and client, the client's browser indicates this by showing a padlock in the lower-right corner of the screen in the browser's status bar. (Some older browser versions might not display the padlock, but almost all popular contemporary browsers do; current browsers place it in the address bar instead.)
Each time a client and server establish an SSL connection, they also establish a unique SSL session, or an association between the client and server that is defined by an agreement on a specific set of encryption techniques. An SSL session allows the client and server to continue to exchange data securely as long as the client is still connected to the server. An SSL session is created by the SSL handshake protocol, one of several protocols within SSL, and perhaps the most significant. As its name implies, the handshake protocol allows the client and server to authenticate (or introduce) each other and establishes terms for how they will securely exchange data. For example, when you are connected to the Web and you decide to open your bank's account access URL, your browser initiates an SSL connection with the handshake protocol. The handshake protocol sends a special message to the server, called a client_hello message, which contains information about what level of security your browser is capable of accepting and what cipher suites it supports (for example, whether it can use RSA or Diffie-Hellman key exchange). The client_hello message also carries a randomly generated number (the client random) that is later mixed into the session keys, and a session identifier that lets the client resume an earlier SSL session. The server responds with a server_hello message that confirms the information it received from your client and agrees to certain terms of encryption based on the options your client supplied. Depending on the Web server's preferred encryption method, the server may choose to issue your browser a public key or a digital certificate at this time. The browser must check that certificate against a certificate authority it trusts and against the host name in the URL; a client that skips that check can be handed a forged certificate by anyone on the path. After the client and server have agreed on the terms of encryption, they begin exchanging data.
SSL was originally developed by Netscape. Since that time, the IETF has standardized SSL in a protocol called TLS (Transport Layer Security). Besides standardizing SSL for use with software from multiple vendors, the IETF also produced a variant for UDP, DTLS (Datagram Transport Layer Security), so that datagram traffic can be protected as well as TCP transmissions. TLS, which is supported by new Web browsers (such as Internet Explorer version 5.0 and higher and Netscape version 6.0 and higher), uses slightly different encryption algorithms than SSL, but otherwise is very similar to the most recent version of SSL. Every version of SSL proper (2.0 and 3.0) has since been found to have protocol-level weaknesses and is formally deprecated (RFC 6176 and RFC 7568); current browsers and servers negotiate TLS 1.2 or TLS 1.3, and "SSL" survives mostly as a colloquial name for TLS.
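The handshake just described, as an added Go example that is not from the original text: a server with a freshly minted certificate and a client run the client_hello/server_hello exchange over a loopback TCP connection, and the function reports the protocol version and cipher suite that were negotiated. Run a second time with an empty trust store, the same client refuses the certificate, which is the browser-side check the text insists on. The host name "bank.example", the self-signed certificate and the loopback listener are assumptions for the example; a real server presents a certificate issued by a CA the browser already trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Negotiated records what the handshake agreed on.
type Negotiated struct {
	Version     uint16
	CipherSuite string
}

// selfSignedCert mints a throwaway certificate for host (example assumption;
// real servers use a CA-issued certificate).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Handshake runs one client_hello/server_hello exchange over a loopback TCP
// connection.  With trusted=false the client's root store is empty, which is
// the position a browser is in when the issuer is unknown to it.
func Handshake(host string, trusted bool) (Negotiated, error) {
	cert, leaf, err := selfSignedCert(host)
	if err != nil {
		return Negotiated{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Negotiated{}, err
	}
	defer ln.Close()

	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	clientCfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	if trusted {
		pool := x509.NewCertPool()
		pool.AddCert(leaf)
		clientCfg.RootCAs = pool // the one issuer this client trusts
	}

	serverDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(10 * time.Second))
		serverDone <- tls.Server(conn, serverCfg).Handshake()
	}()

	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return Negotiated{}, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(10 * time.Second))
	client := tls.Client(raw, clientCfg)
	err = client.Handshake() // client_hello, server_hello, certificate check, key agreement
	<-serverDone
	if err != nil {
		return Negotiated{}, err
	}
	st := client.ConnectionState()
	return Negotiated{Version: st.Version, CipherSuite: tls.CipherSuiteName(st.CipherSuite)}, nil
}

func main() {
	n, err := Handshake("bank.example", true)
	fmt.Printf("trusted issuer: version=0x%04x suite=%s err=%v\n", n.Version, n.CipherSuite, err)
	_, err = Handshake("bank.example", false)
	fmt.Println("unknown issuer:", err)
}
```

Setting InsecureSkipVerify on the client config would make the second call succeed as well, which is exactly the check an attacker with a forged certificate is counting on you to disable.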
SSH (Secure Shell)
Earlier in this book, you learned about Telnet, the TCP/IP utility that provides remote connections to hosts. For example, if you were a network administrator working at one of your company's satellite offices and had to modify the configuration on a router at the home office, you could telnet to the router (over a VPN, for example) and run commands to modify its configuration. However, Telnet provides little security for establishing a connection (authenticating) and no security for transmitting data (encryption). SSH (Secure Shell) is a collection of protocols that does both. With SSH, you can securely log on to a host, execute commands on that host, and copy files to or from that host. SSH encrypts data exchanged throughout the session. It guards against a number of security threats, including: unauthorized access to a host, IP spoofing, interception of data in transit (even if it must be transferred via intermediate hosts), and DNS spoofing, in which a hacker forges name server records to falsify his host's identity. Depending on the version, SSH may use DES, Triple DES, RSA, Kerberos, or another, less common encryption algorithm or method. (Current OpenSSH releases default to AES and ChaCha20 for data encryption and no longer offer DES or 3DES by default.)
SSH was developed by SSH Communications Security, and use of their SSH implementation requires paying for a license. However, open source versions of the protocol suite, such as OpenSSH, are available for most computer platforms. To form a secure connection, SSH must be running on both the client and server. Like Telnet, the SSH client is a utility that can be run at the shell prompt on a UNIX-type of system or at the command prompt on a Windows-based system. Other versions of the program come with a graphical interface. The SSH suite of protocols is included with all modern UNIX and Linux distributions and with Mac OS X Server and Mac OS X client operating systems. For Windows-based computers, you must download a freeware GUI SSH client, such as PuTTY or Tectia (Windows 10 and later also ship an OpenSSH command-line client).
Before you can establish a secure SSH connection, you must first generate a public key and a private key on your client workstation by running the ssh-keygen command (or by choosing the correct menu options in a graphical SSH program). The keys are saved in two different files on your hard disk: the private key file, which should be protected with the passphrase ssh-keygen asks for and never leaves your workstation, and the public key file, which is meant to be shared. Next, you must transfer the public key to an authorization file on the host to which you want to connect. Finally, you are ready to connect to the host via SSH. On a UNIX-type of computer, this is accomplished by running the slogin -l user-
of the host to which you are trying to connect. The client and host then exchange public keys: the client checks the host's key against the ones it has recorded before (and warns you the first time it sees a host, when you should confirm the key out of band), and the host checks that your public key appears in its authorization file. If both can be authenticated, the connection is completed. On a Windows-based computer, follow the menu options in the SSH client application.
SSH is highly configurable. For example, it can be configured to use one of several types of encryption for data en route between the client and host. It can be configured to require that the client enter a password in addition to a key. It can also be configured to perform port forwarding, which means it can redirect traffic that would normally use an insecure port (such as FTP) to an SSH-secured port. This allows you to use SSH for more than simply logging on to a host and manipulating files. With port forwarding you could, for example, exchange HTTP traffic with a Web server via a secured SSH connection. Keep in mind that the tunnel protects traffic only between the SSH client and the SSH server; from the SSH server onward to the final destination (the Web server, say), the traffic is as exposed as it was before.
SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
An extension to OpenSSH is the SCP (Secure CoPy) utility, which allows you to copy files from one host to another securely. SCP replaces insecure file copy protocols such as FTP, which do not encrypt user names, passwords, or data while transferring them. Most modern OpenSSH packages, such as those supplied with the UNIX, Linux, and Macintosh OS X (client and server version) operating systems, include the SCP utility. Not all freeware SSH programs available for Windows include SCP, but separate, freeware SCP applications, such as WinSCP, exist.
SCP is simple to use. At the shell prompt of a UNIX-type of system, type scp filename1
name of the file on the target host. Suppose you are copying a file from a server to your client workstation. In that case, you also need to include your user name on the server and the server's host name in the command, as follows:
scp userid@hostname:filename1 filename2
In this command, userid is your user name on the server, hostname is the server's fully qualified host name, filename1 is the name of the file on the server, and filename2 is what you want to call the file on your client workstation. On a Windows-based system, follow the menu options in your SSH or SCP client for copying files with SCP.
If your system uses the proprietary version of SSH, available from SSH Communications Security, you need to use SFTP (Secure File Transfer Protocol) to copy files rather than SCP. (OpenSSH also supplies an sftp client, and since OpenSSH 9.0 its scp command uses the SFTP protocol underneath by default.) SFTP is slightly different from SCP, in that it does more than copy files. Like FTP, SFTP
first establishes a connection with a host and then allows a remote user to browse directories, list files, and copy files. To open an SFTP connection from a UNIX-type of system, type sftp
which you want to connect. To copy a file, type get filename1 filename2, where filename1 is the name of the file on the source computer and filename2 is what you want to call the file on the target computer. To close the SFTP connection, type quit and then press Enter. On a Windows-based system, follow the menu options in the SSH or SFTP client for copying files with SFTP.
The following section describes another technique for encrypting data in transit on a network.
IPSec (Internet Protocol Security)
IPSec (Internet Protocol Security) protocol defines encryption, authentication, and key management for TCP/IP transmissions. It is an enhancement to IPv4 and is native to the newer IPv6 standard. IPSec is somewhat different from other methods of securing data in transit. Rather than apply encryption to a stream of data at the application or transport layer, IPSec protects individual IP packets by adding security headers to them. In effect, IPSec transforms the data packets. To do so, IPSec operates at the Network layer (Layer 3) of the OSI Model.
IPSec accomplishes its work in two phases. The first phase is key management, and the second phase is protection of the packets. Key management refers to the way in which two nodes agree on common parameters for the keys they will use. IPSec relies on IKE (Internet Key Exchange) for its key management. IKE is a service that runs on UDP port 500 (and on UDP port 4500 when NAT traversal is in use). After IKE has established the rules for the type of keys two nodes will use, IPSec invokes its second phase. In this phase, two types of protection may be used: AH (Authentication Header) and ESP (Encapsulating Security Payload). It is not important to know the inner workings of these services to qualify for Network+ certification, but you should know what each one does. AH provides integrity protection and origin authentication for the packet (covering most of the IP header as well as the payload) but encrypts nothing, and because it covers the addresses it does not survive NAT. ESP encrypts the payload and, in the usual configuration, authenticates it as well. In both cases the integrity check is a keyed hash (HMAC) under the keys IKE negotiated, not a public key signature. In tunnel mode, the mode VPN gateways use, ESP encrypts the entire original IP packet and wraps it in a new IP header; in transport mode only the data above the IP header is encrypted.
IPSec can be used with any type of TCP/IP transmission. However, it most commonly runs on routers or other connectivity devices in the context of VPNs. As you learned in Chapter 7, VPNs are used to transmit private data over public networks. Therefore, they require strict encryption and authentication to ensure that data is not compromised.
Authentication Protocols
You have learned that authentication is the process of verifying a user's credentials (typically a user name and password) to grant the user access to secured resources on a system or network. Authentication protocols are the rules that computers follow to accomplish authentication. Several types of authentication protocols exist. They vary according to which encryption schemes they rely on and the steps they take to verify credentials. The following sections describe some common authentication protocols in more detail.
RADIUS and TACACS
In environments in which many simultaneous dial-up connections must be supported and their user IDs and passwords managed, a service called RADIUS (Remote Authentication Dial-In User Service) might be used to authenticate users. RADIUS is a service defined by the IETF that runs over UDP and provides centralized network authentication and accounting for multiple users. RADIUS can operate as a software application on a remote access server or on a computer dedicated to this type of authentication, called a RADIUS server. A RADIUS server does not replace functions performed by the remote access server, but communicates with the access server to manage user logons. RADIUS is frequently used with dial-up networking connections.

RADIUS servers are highly scalable, as they can attach to pools containing hundreds of modems. Many Internet service providers use a RADIUS server to allow their subscribers to dial into their network and gain access to the Internet. Other organizations employ it as a central authentication point for mobile or remote users. RADIUS is also more secure than a simple remote access solution because its method of authentication prevents users' IDs and passwords from traveling across the connection in clear text format.

Figure 14-8 illustrates these two methods for allowing remote users to connect using RADIUS authentication. RADIUS can run on UNIX, Linux, Windows, Macintosh, or NetWare networks. A similar, but earlier version of a centralized authentication system is TACACS (Terminal Access Controller Access Control System).
FIGURE 14-8 A RADIUS server providing centralized authentication
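The text states that RADIUS keeps users' passwords from crossing the connection in clear text. The mechanism behind that claim is the User-Password hiding defined in RFC 2865 section 5.2, and the added example below (written for this edition; it is not the textbook's code nor any RADIUS server's) implements it: the password is padded to 16-octet blocks and each block is XORed with MD5(shared secret || previous block), seeded with the random Request Authenticator from the packet header. The shared secret, user name, password and packet identifier are constructed values. The example also assembles a minimal Access-Request so you can confirm the password is absent from the bytes on the wire, and that only a server holding the same shared secret recovers it.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password value as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets; each block is XORed with
    MD5(shared_secret + previous_block), where the "previous block" for the first block
    is the 16-octet Request Authenticator carried in the packet header.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    blocks = (len(password) + 15) // 16
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it before checking credentials."""
    revealed, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        revealed += _xor16(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    return bytes(revealed).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type | Length (including these two octets) | Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         shared_secret: bytes, request_authenticator: bytes = b"") -> bytes:
    """Minimal Access-Request: Code | Identifier | Length | Request Authenticator | attributes."""
    ra = request_authenticator or os.urandom(16)   # must be random and unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, shared_secret, ra)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def demo() -> dict:
    secret = b"constructed-shared-secret"   # constructed; configured on both access server and RADIUS server
    pkt = build_access_request(7, b"alice", b"s3cret!", secret)
    ra, attrs = pkt[4:20], pkt[20:]
    # Walk the attribute list to pull the hidden User-Password back out of the packet
    hidden, i = b"", 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if attr_type == ATTR_USER_PASSWORD:
            hidden = attrs[i + 2:i + length]
        i += length
    return {
        "password_visible_on_wire": b"s3cret!" in pkt,
        "server_recovers_password": reveal_password(hidden, secret, ra) == b"s3cret!",
        "wrong_secret_recovers_password": reveal_password(hidden, b"other-secret", ra) == b"s3cret!",
    }


if __name__ == "__main__":
    print(demo())
```

Note the caveat the code makes visible: this hiding is keyed entirely on the shared secret and MD5, so a weak or widely shared secret undermines it, and the rest of the packet (user name included) is still in clear text. That is one reason RADIUS traffic between access servers and the RADIUS server is often carried over a separately protected path such as the IPSec connections described earlier in this chapter.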
PAP (Password Authentication Protocol)
In Chapter 7's discussion of remote access protocols, you were introduced to PPP (Point-to-Point Protocol), which belongs to the Data Link layer of the OSI Model and provides the foundation for connections between remote clients and hosts. PPP alone, however, does not secure connections. For this it requires an authentication protocol.

In fact, several types of authentication protocols can work over PPP. One is PAP (Password Authentication Protocol). After establishing a link with a server through PPP, a client uses PAP to send an authentication request that includes its credentials, usually a user name and password. The server compares the credentials to those in its user database. If the credentials match, the server responds to the client with an acknowledgment of authentication and grants the client access to secured resources. If the credentials do not match, the server denies the request to authenticate. Figure 14-9 illustrates PAP's two-step authentication process.
FIGURE 14-9 Two-step authentication used in PAP
Thus, PAP is a simple authentication protocol, but it is not very secure. It sends the client's credentials in clear text, without encryption, and this opens the way for eavesdroppers to capture a user name and password. In addition, PAP does not protect against the possibility of a malicious intruder attempting to guess a user's password through a brute force attack. For these reasons, PAP is rarely used on modern networks. Instead, more sophisticated protocols, such as those described in the following sections, are preferred.
CHAP and MS-CHAP
CHAP (Challenge Handshake Authentication Protocol) is another authentication protocol that operates over PPP. Unlike PAP, CHAP encrypts user names and passwords for transmission. It also differs from PAP in that it requires three steps to complete the authentication process. Together, these steps are known as a three-way handshake.
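To make the contrast between the PAP section above and CHAP's three-way handshake concrete, here is an added example (written for this edition; not the textbook's code and not taken from any PPP implementation). It builds the data portion of a PAP Authenticate-Request, in which the user name and password travel exactly as typed, beside a model of CHAP as RFC 1994 specifies it with MD5: the server issues a random challenge, the client returns MD5(identifier || secret || challenge), and the server recomputes the same value from its copy of the secret. What the textbook describes as "encrypting" the password-plus-challenge string is this one-way hash. The user name, secret, identifiers and the in-memory user database are constructed values; the random challenge source is injectable so the behaviour can be tested deterministically.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): Peer-ID length, Peer-ID, Password length, Password.

    Both values are placed on the wire exactly as typed, which is why PAP is considered insecure.
    """
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response Value = MD5(Identifier || secret || Challenge).

    The secret itself never leaves the client; only this digest is transmitted.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the three-way handshake: issue a challenge, then check the response."""

    def __init__(self, user_db: dict, rng=os.urandom):
        self.user_db = user_db      # name -> secret; constructed stand-in for the user database
        self._rng = rng             # injectable so tests can use a fixed challenge
        self._outstanding = {}      # identifier -> challenge we are waiting on

    def challenge(self, identifier: int) -> bytes:
        """Step 1: send a fresh, random Challenge Value under an identifier."""
        challenge = self._rng(16)
        self._outstanding[identifier] = challenge
        return challenge

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        """Step 3: recompute the expected value from the stored secret and the challenge we issued."""
        challenge = self._outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self.user_db.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    name, secret = b"alice", b"s3cret!"
    server = ChapAuthenticator({name: secret})

    pap_on_wire = pap_authenticate_request(name, secret)

    # Client side of CHAP step 2: combine the secret with the challenge and hash the result.
    ident = 1
    challenge = server.challenge(ident)
    response = chap_response_value(ident, secret, challenge)
    chap_on_wire = challenge + response        # everything an eavesdropper could observe
    accepted = server.verify(ident, name, response)

    # The same captured response presented against a new challenge is rejected, which is
    # why the challenge must be random and fresh for every handshake.
    ident2 = 2
    server.challenge(ident2)
    replay_accepted = server.verify(ident2, name, response)

    return {
        "pap_password_on_wire": secret in pap_on_wire,
        "chap_password_on_wire": secret in chap_on_wire,
        "chap_fresh_response_accepted": accepted,
        "chap_replayed_response_accepted": replay_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: the server must store (or be able to derive) the clear-text secret to recompute the digest, so the user database itself needs protecting, and the challenge must never be reused, since the response is only as unpredictable as the challenge that produced it.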
In CHAP, the authenticating device (for example, the remote access server in a dial-up scenario) takes the first step in authentication after PPP establishes a connection between it and the computer requesting authentication (for example, a dial-up client). The server sends the client a randomly generated string of characters called the challenge. In the second step, the client adds its password to the challenge and encrypts the new string of characters. It sends this new string of characters in a response to the server. Meanwhile, the server also concatenates the user's password with the challenge and encrypts the new character string, using the