Chapter 7 covers: defining authentication, authentication credentials, authentication models, authentication servers, extended authentication protocols, and Virtual Private Networks (VPNs).
Page 1: Authentication

Page 2: Outline
- Extended authentication protocols
- Virtual Private Network (VPN)
Page 3: Password-Guessing Attacks Surge
- Slow guessing and botnets conceal the attacks
- Countermeasures
  - Strong password policy, restricting access to the server by source IP, two-factor authentication
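As an added illustration of the "slow guessing and botnets" point (example code, not from the slides), the detection below counts distinct source addresses per account over a long window, which catches a campaign that a per-source lockout threshold never sees; the log format, user names and IP addresses are constructed.

```python
# Added example, not from the slides: flag slow, distributed password
# guessing in authentication-log lines. Per-source lockout misses it because
# each bot makes only a few attempts; counting distinct source IPs per account
# over a long window does not. Log lines and addresses are constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG_LINES = """\
2024-03-01T10:00:05 sshd: Failed password for alice from 203.0.113.10
2024-03-01T11:12:41 sshd: Failed password for alice from 198.51.100.7
2024-03-01T13:30:02 sshd: Failed password for alice from 192.0.2.55
2024-03-01T16:45:19 sshd: Failed password for alice from 203.0.113.88
2024-03-01T21:02:33 sshd: Failed password for alice from 198.51.100.200
2024-03-01T21:03:10 sshd: Failed password for bob from 192.0.2.9
2024-03-01T21:03:15 sshd: Failed password for bob from 192.0.2.9
2024-03-01T21:03:40 sshd: Accepted password for bob from 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(lines):
    """Return (timestamp, outcome, user, source_ip) tuples; unparsable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def distributed_guessing(events, window_hours=24, min_sources=4):
    """Accounts whose failed logins inside any window_hours span come from at
    least min_sources distinct IPs; the value is the largest such count."""
    fails = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "Failed":
            fails[user].append((ts, src))
    flagged = {}
    for user, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding time window over failures
            while (items[end][0] - items[start][0]).total_seconds() > window_hours * 3600:
                start += 1
            sources = {src for _, src in items[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(sources))
    return flagged
```

Bob's two quick failures from one address are ordinary and stay below the threshold; alice's five failures, each from a different address hours apart, are what a per-IP lockout would miss.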
Page 4: Definition of Authentication
- Authentication can be defined in two contexts
  - The first views authentication as it relates to access control
  - The second treats it as one of the three key elements of security:
    - Authentication
    - Authorization
    - Accounting

Page 5: Authentication & Access Control
- Granting permission for admittance
- Access is the right to use specific resources

Page 6: Authentication, Authorization, and Accounting
- Short term: AAA
- Authentication in AAA provides a way of identifying a user
  - Typically with a password
- Authorization determines whether the user has the authority to carry out certain tasks
  - The process of enforcing policies
- Accounting measures the resources a user "consumes" during each network session

Page 7: Uses of Accounting Data
- To find evidence of problems
- For billing
- For planning
- AAA servers
  - Servers dedicated to performing AAA functions
  - Can provide significant advantages in a network
Page 9: Authentication Credentials
- Credentials are something you have, something you are, or something you know
- Types of authentication credentials

Page 10: One-Time Passwords
- Standard passwords are typically static in nature
- One-time passwords (OTP)
  - Dynamic passwords that change frequently
  - Systems using OTPs generate a unique password on demand that is not reusable
- The most common type is a time-synchronized OTP
  - Used in conjunction with a token
  - The token and a corresponding authentication server share the same algorithm
  - Each user's token has a different algorithm
Page 11: One-Time Passwords

Page 13: Challenge-Based OTPs
- The authentication server displays a challenge (a random number) to the user
- The user then enters the challenge number into the token
  - The token executes a special algorithm to generate a password
- Because the authentication server has the same algorithm, it can also generate the password and compare it against the one entered by the user
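Both OTP models from pages 10 and 13, as an added example that is not from the slides: the token and the server share a per-user secret and one algorithm, and the same algorithm serves the time-synchronized token (input is the current time step) and the challenge-based token (input is the challenge). HMAC-SHA1 truncated to six digits is assumed as the shared algorithm, since the slides name none, and the secret is constructed.

```python
# Added example, not from the slides: a token and an authentication server
# sharing one per-user secret and one algorithm, producing both a
# time-synchronized OTP and a challenge-based OTP. HMAC-SHA1 truncated to
# six digits is used as the shared algorithm (an assumption; the slides do
# not name one) and the per-user secret used in tests is constructed.
import hashlib
import hmac
import secrets

DIGITS = 6
STEP_SECONDS = 30

def token_code(secret: bytes, value: int) -> str:
    """The shared algorithm: HMAC an 8-byte input (time step or challenge),
    dynamically truncate to 31 bits, keep the last DIGITS decimal digits."""
    mac = hmac.new(secret, value.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def time_otp(secret: bytes, now: int) -> str:
    """Token side: what the time-synchronized token displays at Unix time `now`."""
    return token_code(secret, now // STEP_SECONDS)

def verify_time_otp(secret: bytes, submitted: str, now: int, skew: int = 1) -> bool:
    """Server side: accept the current step or +/- `skew` steps of clock drift,
    comparing in constant time so timing does not leak the expected code."""
    step = now // STEP_SECONDS
    return any(hmac.compare_digest(token_code(secret, step + d), submitted)
               for d in range(-skew, skew + 1))

def issue_challenge() -> int:
    """Server side: the random number displayed to the user."""
    return secrets.randbelow(10 ** 8)

def challenge_otp(secret: bytes, challenge: int) -> str:
    """Token side: the user keys the challenge in, the token answers."""
    return token_code(secret, challenge)

def verify_challenge_otp(secret: bytes, challenge: int, submitted: str) -> bool:
    """Server side: recompute from the challenge it issued and compare."""
    return hmac.compare_digest(challenge_otp(secret, challenge), submitted)
```

The skew window is the practical caveat of the time-synchronized model: the server must tolerate a little clock drift, but every extra step it accepts widens the window in which a captured code is still valid.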
Page 14: Standard Biometrics
- Uses a person's unique characteristics for authentication (what the person is)
- Examples: fingerprints, faces, hands, irises, retinas
- Types of fingerprint scanners
  - Static fingerprint scanner
  - Dynamic fingerprint scanner (more secure)
- Disadvantages
  - Cost
  - Readers are not always foolproof
  - How can you change your password if it is your fingerprint?

Page 15: Dynamic Fingerprint Scanner

Page 16: Behavioral Biometrics
- Authenticates by the normal actions that the user performs
- Keystroke dynamics
  - Attempts to recognize a user's unique typing rhythm
  - Uses two unique typing variables:
    - Dwell time
    - Flight time
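To make the two variables concrete, here is an added example (not from the slides) that extracts dwell time (key press to release) and flight time (release of one key to press of the next) from key-down/key-up timestamps and compares a login attempt against an enrolled profile; the event data is constructed and the plus-or-minus 25% tolerance rule is an assumption rather than a published matching method.

```python
# Added example, not from the slides: derive the two keystroke-dynamics
# variables named above, dwell time (key press to release) and flight time
# (release of one key to press of the next), from key-down/key-up event
# timestamps, then compare a login attempt against an enrolled profile.
# The event data is constructed and the +/-25% tolerance rule is an
# assumption, not a published method.
from statistics import mean

# (time_ms, "down" | "up", key), constructed for someone typing "pass"
ENROLLMENT = [(0, "down", "p"), (90, "up", "p"), (150, "down", "a"), (240, "up", "a"),
              (300, "down", "s"), (380, "up", "s"), (440, "down", "s"), (520, "up", "s")]
GENUINE_LOGIN = [(0, "down", "p"), (95, "up", "p"), (160, "down", "a"), (250, "up", "a"),
                 (310, "down", "s"), (395, "up", "s"), (450, "down", "s"), (535, "up", "s")]
IMPOSTER_LOGIN = [(0, "down", "p"), (140, "up", "p"), (400, "down", "a"), (530, "up", "a"),
                  (700, "down", "s"), (830, "up", "s"), (1000, "down", "s"), (1130, "up", "s")]

def timing_features(events):
    """Return (dwell_times, flight_times) in ms from an ordered event list."""
    dwells, flights, pressed, last_up = [], [], {}, None
    for t, kind, key in events:
        if kind == "down":
            if last_up is not None:
                flights.append(t - last_up)      # gap since the previous release
            pressed[key] = t
        else:
            dwells.append(t - pressed.pop(key))  # how long this key was held
            last_up = t
    return dwells, flights

def enroll(events):
    """Profile = (mean dwell, mean flight) from an enrollment sample."""
    dwells, flights = timing_features(events)
    return mean(dwells), mean(flights)

def matches_profile(events, profile, tolerance=0.25):
    """Accept when both mean timings fall within +/- tolerance of the profile."""
    dwells, flights = timing_features(events)
    return all(abs(observed - expected) <= tolerance * expected
               for observed, expected in zip((mean(dwells), mean(flights)), profile))
```

The imposter types the same password correctly but holds each key far longer than the enrolled user, so the rhythm, not the secret, is what rejects the attempt.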
Page 17: Keystroke Dynamics

Page 20: Computer Footprinting in Online Banking
- A simple form of two-factor authentication
- Now required in the US

Page 21: Cognitive Biometrics
- Another example of cognitive biometrics requires the user to identify specific faces

Page 22: Cognitive Biometrics
Page 24: Single and Multi-Factor Authentication

Page 25: Single Sign-On
- Identity management
  - Using a single authenticated ID shared across multiple networks
- Federated identity management (FIM)
  - When those networks are owned by different organizations
- One application of FIM is called single sign-on (SSO)
  - Using one authentication to access multiple accounts or applications

Page 26: Windows Live ID
- Originally introduced in 1999 as .NET Passport
- When the user wants to log into a Web site that supports Windows Live ID
  - The user is first redirected to the nearest authentication server
  - Once authenticated, the user is given an encrypted time-limited "global" cookie
- Never became widely used

Page 27: Windows CardSpace
- New Windows feature
- Users control digital identities with digital ID cards
- Types of cards
  - Managed cards
  - Personal cards

Page 28: OpenID
- A decentralized open source FIM
- Does not require specific software to be installed on the desktop
- An OpenID identity is only a URL backed up by a username and password
- OpenID provides a means to prove that the user owns that specific URL
- Not very secure: dependent on DNS
Page 31: RADIUS
- RADIUS: Remote Authentication Dial In User Service
- Developed in 1992
- The industry standard with widespread support
- Suitable for what are called "high-volume service control applications"
- With the development of IEEE 802.1X port security for both wired and wireless LANs
  - RADIUS has recently seen even greater usage

Page 32: RADIUS
- The RADIUS server authenticates and authorizes the RADIUS client request
  - Sends back a RADIUS message response
- RADIUS clients also send RADIUS accounting messages to RADIUS servers
Page 33: RADIUS

Page 34: Kerberos
- An authentication system developed by the Massachusetts Institute of Technology (MIT)
- Used to verify the identity of networked users
- The Kerberos authentication server issues a ticket to the user
  - The user presents this ticket to the network for a service
  - The service then examines the ticket to verify the identity of the user

Page 35: TACACS+
- Terminal Access Controller Access Control System Plus (TACACS+)
- Developed by Cisco to replace RADIUS
- More secure and reliable than RADIUS
- The centralized server can either be a TACACS+ database
  - Or a database such as a Linux or UNIX password file with TACACS+ protocol support

Page 36: Lightweight Directory Access Protocol (LDAP)

Page 37: Lightweight Directory Access Protocol (LDAP)
- The information is held in a directory information base (DIB)
- Entries in the DIB are arranged in a tree structure called the directory information tree (DIT)
- Directory Access Protocol (DAP)
  - Protocol for a client application to access an X.500 directory
  - DAP is too large to run on a personal computer

Page 38: Lightweight Directory Access Protocol (LDAP)
- Lightweight Directory Access Protocol (LDAP)
  - Sometimes called X.500 Lite
  - A simpler subset of DAP
- Primary differences
  - LDAP was designed to run over TCP/IP
  - LDAP has simpler functions
  - LDAP encodes its protocol elements in a less complex way than X.500
  - LDAP is an open protocol
Page 40: Extended Authentication Protocols (EAP)
- In IEEE 802.1X, EAP is the "envelope" that carries data used for authentication
- Three EAP protocol categories:
  - Authentication legacy protocols
  - EAP weak protocols
  - EAP strong protocols

Page 41: Extended Authentication Protocols (EAP)

Page 42: Authentication Legacy Protocols
- No longer extensively used for authentication
- Password Authentication Protocol (PAP)
  - Sends passwords in the clear
- Challenge-Handshake Authentication Protocol (CHAP)
  - Safer than PAP, but vulnerable
- Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

Page 43: EAP Weak Protocols
- Still used but have security vulnerabilities
- Extended Authentication Protocol-MD5 (EAP-MD5)
  - Vulnerable to offline dictionary attacks
- Lightweight EAP (LEAP)
  - Also vulnerable to offline dictionary attacks
  - Can be cracked faster than WEP

Page 44: EAP Strong Protocols
- EAP with Transport Layer Security (EAP-TLS)
  - Uses certificates for both client and server
  - Used in large Windows networks
- EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)
  - No client-side certificate
  - Easier to implement than EAP-TLS
Page 46: Remote Authentication and Security
- Important to maintain strong security for remote communications
  - Transmissions are routed through networks or devices that the organization does not manage or secure
- Managing remote authentication and security usually includes:
  - Using remote access services
  - Installing a virtual private network
  - Maintaining a consistent remote access policy

Page 47: Remote Access Services (RAS)
- Any combination of hardware and software that enables remote users to access a local internal network
- Provides remote users with the same access and functionality as local users

Page 48: Virtual Private Networks (VPNs)
- One of the most common types of RAS
- Uses an unsecured public network, such as the Internet, as if it were a secure private network
- Encrypts all data transmitted between the remote device and the network
- Common types of VPNs
  - Remote-access VPN or virtual private dial-up network (VPDN)
  - Site-to-site VPN

Page 49: Virtual Private Networks (VPNs)

Page 50: Virtual Private Networks (VPNs)
- VPN transmissions are achieved through communicating with endpoints
- Endpoint
  - End of the tunnel between VPN devices
- VPN concentrator
  - Aggregates hundreds or thousands of connections
- Depending on the type of endpoint being used, client software may be required on the devices connecting to the VPN

Page 51: Virtual Private Networks (VPNs)
- VPNs can be software-based or hardware-based
  - Software-based VPNs offer the most flexibility in how network traffic is managed
  - Hardware-based VPNs generally tunnel all traffic they handle regardless of the protocol
  - Software-based VPNs generally do not match the performance or security of a hardware-based VPN

Page 52: VPN Advantages
- Cost savings (no long-distance phone call)
- Scalability (easy to add more users)
- Full protection (all traffic is encrypted)
- Speed (faster than direct dial-up)
- Transparency (invisible to the user)
- Authentication (only authorized users can connect)
- Industry standards

Page 54: Remote Access Policies
- Establishing strong remote access policies is important
- Some recommendations for remote access policies:
  - Remote access policies should be consistent for all users
  - Remote access should be the responsibility of the IT department
  - Form a working group and create a standard that all departments will agree to