Chapter 10
Authenticating Users
The Authentication Process in General
1.
Authentication is the act of identifying users and providing network services to them based on their
identity. Most types of authentication require the user to supply to the authenticating firewall or server one
of the following:
• A piece of information, such as a password
• Proof of physical possession of something, such as a smart card
• A piece of information that is part of your physical identity, such as a fingerprint, voiceprint, or retinal scan
2.
In the field of network computing, authentication takes one of three specific forms.
Forms of Authentication
• Basic authentication: A server maintains a local file of usernames and passwords that it refers to for matching the username-password pair being supplied by a client.
• Challenge-response authentication: The authenticating computer or firewall generates a random code or number (the challenge) and sends it to the user who wishes to be authenticated.
• Centralized authentication service: A centralized server handles three separate and essential authentication practices: authentication, authorization, and auditing.
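The challenge-response form above can be shown end to end in a few lines. The following is an added example written for these notes, not code from the chapter or from any firewall product: the server (or firewall) issues a random challenge, the client answers with a keyed hash of it using a secret shared out of band, and the server checks the answer and discards the challenge so a captured response cannot be replayed. The user store and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for this example: username -> shared secret.
# In a real deployment the secret lives on the user's token and in the
# server's database and is never sent over the network; only challenges
# and responses travel between the two sides.
USER_SECRETS = {
    "alice": b"constructed-secret-for-alice",
}


def compute_response(secret, challenge):
    """Client side: the response is a keyed hash (HMAC-SHA256) of the challenge.

    The secret itself never leaves the client; an eavesdropper sees only the
    random challenge and a response that is valid for that challenge alone.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Server (or firewall) side of the exchange."""

    def __init__(self, user_secrets):
        self._secrets = user_secrets
        self._pending = {}  # username -> challenge currently outstanding

    def issue_challenge(self, username):
        """Generate a fresh random challenge and remember it for one verification."""
        if username not in self._secrets:
            return None
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def verify(self, username, response):
        """Check the response; the challenge is consumed whether or not it matches."""
        challenge = self._pending.pop(username, None)
        if challenge is None:
            return False  # no outstanding challenge: nothing to answer
        expected = compute_response(self._secrets[username], challenge)
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange(server, username, client_secret):
    """Drive one complete exchange and report whether the user authenticated."""
    challenge = server.issue_challenge(username)
    if challenge is None:
        return False
    response = compute_response(client_secret, challenge)
    return server.verify(username, response)


if __name__ == "__main__":
    srv = ChallengeResponseServer(USER_SECRETS)
    print("correct secret:", run_exchange(srv, "alice", USER_SECRETS["alice"]))
    print("wrong secret:  ", run_exchange(srv, "alice", b"not-the-secret"))
```

The single-use challenge is what makes the scheme resist replay: once `verify` has consumed a challenge, presenting the same response again fails, because the server has nothing outstanding to compare it with.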
How Firewalls Implement the Authentication Process
1.
The exact steps that firewalls follow to perform authentication may vary from one firewall configuration to
another, but the general process is the same.
Authentication Steps
1) The client makes a request to access a resource.
2) The firewall intercepts the request and prompts the user for name and password.
3) In return, the user submits the information to the firewall.
4) The user is authenticated.
5) The request is checked against the firewall’s rule base.
6) If the request matches an existing allow rule, the user is granted access.
7) The user accesses the desired resources.
Firewall Authentication Methods
1.
Some firewalls, such as Check Point FireWall-1, provide for a variety of different authentication
methods, including user, client, or session authentication.
User Authentication
1.
User authentication is the simplest type of authentication and the one with which you are most likely to be
familiar. Upon receiving a request, a program prompts the user for a username and password. When the
information is submitted, the software checks the information against a list of usernames and passwords in
its database. If a match is made, the user is authenticated.
2.
User authentication is useful for the many different individuals who might need to legitimately gain access
to your internal servers, including:
• Employees who work remotely or who are traveling
• Contractors who work on-site
• Freelancers who work off-site
• Visitors who want to do some work or take a look at your system from your offices
• Employees in branch offices
• Interns who work for you
• Employees of partner companies
• Members of the public
Client Authentication
1.
In configuring client authentication, you need to set up one of two types of authentication systems:
• A standard sign-on system, in which the client, after being successfully authenticated, is allowed to access whatever resources the user needs or perform any desired functions, such as transferring files or viewing Web pages
• A specific sign-on system, in which the client is required to authenticate each time the user wants to access a server or use a service on the network being protected
Session Authentication
1.
Session authentication calls for authentication to be made whenever a client wishes to connect to a network
resource and establish a session (a period when communications are exchanged). The following table lists
the different authentication methods and provides the reasons why they are used:
Method: User Authentication. Used under these conditions:
• You want to scan the content of IP packets.
• The protocol in use is HTTP, HTTPS, FTP, rlogin, or Telnet.
• You need to authenticate for each session separately.
Method: Client Authentication. Used under these conditions:
• The individual user to be authenticated will come from a specific IP address.
• The protocol in use is not HTTP, HTTPS, FTP, rlogin, or Telnet.
• You want a user to be authenticated for a specific length of time.
Method: Session Authentication. Used under these conditions:
• The individual user to be authenticated will come from a specific IP address.
• The protocol in use is not HTTP, HTTPS, FTP, rlogin, or Telnet.
• You want a client to be authenticated for each session.
Centralized Authentication
1.
In a centralized authentication setup, a server, which is sometimes referred to as an Access Control Server
(ACS), alleviates the need to provide each server on the network with a separate database of usernames and
passwords, each of which would have to be updated individually if someone changed a password or a new
user was added.
Kerberos
1.
Kerberos was developed at the Massachusetts Institute of Technology (MIT) in the university’s Athena
Project and is designed to provide authentication and encryption through standard clients and servers.
Instead of a server having to trust a client over an untrusted network, both client and server place their trust
in the Kerberos server.
2.
The Kerberos system of granting access to a client that requests a service is quite involved (and thus quite
secure). The steps are as follows:
Kerberos System
1) Client requests a file or other service.
2) Client is prompted for a username and password.
3) Client submits a username and password.
4) The Authentication Server (AS) grants the Ticket-Granting Ticket (TGT).
5) Client presents the TGT to a Ticket-Granting Server (TGS).
6) The TGS grants a session ticket. The TGS forwards the session ticket to the server holding the requested file or service.
7) Client gains access.
TACACS+
1.
Terminal Access Controller Access Control System (TACACS+) is the latest and strongest version of a set
of authentication protocols developed by Cisco Systems. TACACS+ and its predecessor protocols all
provide authentication for dial-in users and are used primarily on UNIX-based networks. TACACS+ uses
the MD5 algorithm (a formula that produces a 128-bit code called a message digest) to encrypt data. It
provides centralized authentication services so that a network access server such as a router or firewall
doesn’t have to handle dial-in user authentication.
Remote Authentication Dial-In User Service (RADIUS)
1.
Remote Authentication Dial-In User Service (RADIUS) is the other common protocol used to provide dial-in authentication. Note that RADIUS still transmits authentication packets unencrypted across the network, which means they are vulnerable to attacks from packet sniffers.
TACACS+ and RADIUS Compared
1.
The following table describes the characteristics of TACACS+ versus RADIUS.
• Transport: TACACS+ uses TCP; RADIUS uses UDP.
• Encryption on the wire: TACACS+ provides full packet encryption between client and server; RADIUS encrypts only passwords, and other information is sent unencrypted.
• Authentication, authorization, and accounting: TACACS+ treats them as independent functions; RADIUS combines authentication and authorization.
• Password database: TACACS+ passwords in the database may be encrypted; RADIUS passwords in the database are in clear text.
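The "encrypts only passwords" row is easier to appreciate by looking at what RADIUS actually does with the User-Password attribute. The following is an added example, not code from the chapter or from any RADIUS implementation, that applies the RFC 2865 section 5.2 hiding method: the password is zero-padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), where the first "previous block" is the random 16-byte Request Authenticator. The shared secret, authenticator and attribute layout shown here are constructed for the example; the attribute dictionary is a simplified stand-in for the real packet encoding.

```python
import hashlib
import os


def _xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, shared_secret, request_authenticator):
    """RFC 2865 section 5.2 User-Password hiding, as sent from NAS to server.

    b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
    b2 = MD5(secret + c1),                   c2 = p2 XOR b2, and so on.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16  # the RFC requires at least one block
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        chunk = _xor(padded[i:i + 16], block)
        hidden += chunk
        prev = chunk
    return hidden


def reveal_user_password(hidden, shared_secret, request_authenticator):
    """Server side: reverse the hiding and strip the zero padding.

    Note that rstrip also removes any genuine trailing NUL bytes, which is
    why the RFC forbids NUL in passwords carried this way.
    """
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        plain += _xor(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_access_request(username, password, shared_secret):
    """Assemble the attributes as they travel on the wire (simplified layout).

    Only User-Password is hidden.  User-Name and the Request Authenticator go
    out exactly as given, which is the "other information is unencrypted" row
    of the comparison above.
    """
    authenticator = os.urandom(16)
    return {
        "Request-Authenticator": authenticator,
        "User-Name": username.encode(),
        "User-Password": hide_user_password(password.encode(), shared_secret, authenticator),
    }


if __name__ == "__main__":
    pkt = build_access_request("alice", "correct horse battery", b"constructed-shared-secret")
    print("User-Name on the wire:    ", pkt["User-Name"])
    print("User-Password on the wire:", pkt["User-Password"].hex())
```

Two properties follow directly from the construction: a sniffer sees the username in clear, and the password hiding is only as strong as the shared secret, since MD5 of (secret + authenticator) is the whole keystream. That is why the comparison treats TACACS+, which obfuscates the entire packet body, as the stronger of the two on the wire.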
Proxy Characteristics
1.
One important thing to note is that RADIUS does not work with generic proxy systems. However, a
RADIUS server can function as a proxy server, speaking to other RADIUS servers or other services that do
authorization, such as Windows domain authentication.
NAT Characteristics
1.
RADIUS does not work with NAT. Addresses that are intended to go through NAT need to be static, not
dynamic.
2.
TACACS+ should work through NAT systems, but, because TACACS+ supports encryption using a secret
key shared between server and client, there is no way for the server to know which key to use if differing
clients make use of different keys.
Password Security Issues
1.
Many authentication systems depend in part or entirely on passwords. The simplest forms of authentication
require typing a user name and a reusable password. This method is truly secure for controlling only
outbound Internet access because password guessing and eavesdropping attacks are likely on inbound
access attempts.
Passwords That Can Be Cracked
1.
Systems that rely on passwords for authentication can be cracked (i.e., accessed by an unauthorized user) in
a number of different ways:
• Find a way to authenticate without knowing the password
• Uncover the password from the system that holds it
• Guess the password
Password Vulnerabilities
1.
Passwords have a number of built-in vulnerabilities. The more obvious ones include:
• Passwords are often easy to guess because they haven’t been thought through by users.
• Passwords are often stored on sticky notes or papers displayed in readily visible areas.
• Passwords can be uncovered by “social engineering”—fooling users into giving out information.
Lax Security Habits
1.
To maintain some level of integrity, some corporations draw up a formal Memorandum of Understanding
(MOU) with their partner companies. In an MOU, both parties formally agree to observe a set of rules of
behavior. The MOU usually states what outsiders can do on the network or with passwords and states that
any other use is forbidden. An MOU spells out who bears responsibility for critical resources as well as
system maintenance, and it lists who to contact in case questions arise or help is needed.
Password Security Tools
1.
Password-based authentication can be undone by poor security habits on the part of users who do not
manage their passwords well. Such weaknesses can be offset by passwords that are generated for one-time
use with each session and then discarded.
One-Time Password Software
1.
The many problems associated with passwords and the ease of cracking them are alleviated by a one-time
password. Two types of one-time passwords are available:
• Challenge-response passwords: The authenticating computer or firewall generates a random number (the challenge) and sends it to the user who enters a secret PIN or password (the response). If the code and PIN or password match the information stored on the authenticating server, the user gains access.
• Password list passwords: You enter a seed phrase, and the password system generates a list of passwords you can use. You pick one from the list and submit it along with the seed phrase to gain access.
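The password-list scheme is the one S/Key (mentioned under Password Systems below) is built on: a hash chain. What follows is an added example written for these notes, not the S/Key code or any product's implementation. The client hashes (seed + pass phrase) N times; the server stores only the N-th value, never the pass phrase. Password number k in the list is the value hashed k times, and the server accepts a candidate only if hashing it once more reproduces what it stored, after which it stores the candidate and counts down. The hash is simplified here: real S/Key folds MD4 or MD5 output to 64 bits and renders it as six short words, whereas this example uses SHA-256 and hex.

```python
import hashlib
import hmac


def _h(data):
    # Simplification of S/Key: SHA-256 instead of 64-bit-folded MD4/MD5.
    return hashlib.sha256(data).digest()


def otp_at(passphrase, seed, n):
    """The n-th one-time password: the hash applied n times to (seed + passphrase)."""
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = _h(value)
    return value


def generate_password_list(passphrase, seed, count):
    """Client side: the printed list, in the order the user will present it.

    The chain is walked downwards: count-1 first, then count-2, ... down to 1.
    Entry 0 is never listed because it would be the raw seed + passphrase.
    """
    return [otp_at(passphrase, seed, k).hex() for k in range(count - 1, 0, -1)]


class SKeyServer:
    """Server side: stores the top of the chain and the sequence number only."""

    def __init__(self, seed, counter, stored):
        self.seed = seed
        self.counter = counter  # sequence number of the value in self.stored
        self.stored = stored    # otp_at(passphrase, seed, counter)

    @classmethod
    def enroll(cls, passphrase, seed, count):
        """Initialise from the pass phrase once; the pass phrase is then discarded."""
        return cls(seed, count, otp_at(passphrase, seed, count))

    def verify(self, candidate_hex):
        """Accept the candidate if one more hash of it equals the stored value."""
        if self.counter <= 1:
            return False  # chain exhausted: the user must re-enroll with a new seed
        try:
            candidate = bytes.fromhex(candidate_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(_h(candidate), self.stored):
            return False
        # Move the stored value one step down the chain; the used password is
        # now worthless because nothing hashes forward to it.
        self.stored = candidate
        self.counter -= 1
        return True


if __name__ == "__main__":
    phrase, seed = "constructed pass phrase", "seed1"  # constructed values
    server = SKeyServer.enroll(phrase, seed, 5)
    for pw in generate_password_list(phrase, seed, 5):
        print(pw[:16], "->", server.verify(pw))
```

Two checks are worth noticing in `verify`: a password that has already been used fails because the server now stores that value itself, and a password presented out of order fails because only the immediate predecessor in the chain hashes to the stored value.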
The Shadow Password System
1.
Linux stores passwords in the /etc/passwd file in encrypted format. The passwords are encrypted using a
one-way hash function: an algorithm that is easy to compute when encrypting passwords but very difficult
to decrypt.
2.
The shadow password system, which is a feature of the Linux operating system that enables the secure
storage of passwords, stores passwords in another file that has restricted access. In addition, passwords are
stored only after being encrypted by a randomly generated value and an encoding formula. The key is then
stored along with the encrypted password. When a user enters a password, it is encrypted using the same
formula and then compared to the stored password; if the passwords match, the user is granted access to the
requested system resources.
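The shadow mechanism described above (a random value mixed into the password before hashing, stored beside the hash, and the same computation repeated at login) can be demonstrated without touching the system files. The following is an added example for these notes, not the Linux shadow code: it uses PBKDF2-HMAC-SHA256 as the one-way function, and the record layout (`name:$pbkdf2-sha256$iterations$salt$hash`) is a constructed format that merely resembles a shadow line, not the real `/etc/shadow` syntax.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def hash_password(password, salt, iterations=ITERATIONS):
    """One-way function: cheap to compute forward, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_shadow_entry(username, password):
    """Store the hash together with the random salt that produced it.

    Layout (constructed for this example, not the real /etc/shadow format):
        name:$pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
    """
    salt = os.urandom(16)
    digest = hash_password(password, salt)
    return f"{username}:$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def parse_shadow_entry(entry):
    """Split a record back into (username, iterations, salt, hash)."""
    username, field = entry.split(":", 1)
    _, algo, iters, salt_hex, hash_hex = field.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported hash algorithm: " + algo)
    return username, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(entry, password):
    """Login check: recompute with the stored salt and compare in constant time."""
    _, iters, salt, stored = parse_shadow_entry(entry)
    return hmac.compare_digest(hash_password(password, salt, iters), stored)


if __name__ == "__main__":
    record = make_shadow_entry("alice", "correct horse")  # constructed credentials
    print(record)
    print("right password:", verify_password(record, "correct horse"))
    print("wrong password:", verify_password(record, "Correct horse"))
```

The salt is what makes two users with the same password get different stored hashes, so a precomputed table of hashes cannot be checked against every record at once; the restricted-access file is what keeps the hashes away from ordinary users in the first place.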
Other Authentication Systems
1.
Most firewalls that are capable of handling authentication make use of one or more well-known systems.
Check Point FireWall-1, for instance, handles the two centralized authentication protocols discussed earlier,
RADIUS and TACACS+.
One-Time Password Systems
1.
FireWall-1 overcomes the problems associated with a single-password system. Each time the user wishes to
authenticate and access resources, a different password is required. As long as the secret key used to
generate the password is not divulged, the scheme is secure because hackers cannot pretend to be a
particular user by intercepting a password.
Password Systems
• Single Key (S/Key): One-time password authentication system that uses multiple-word rather than single-word passwords
• SecurID: An authentication system, developed by RSA Security Inc., that makes use of a highly touted feature called two-factor authentication
• Axent Pathways Defender: Another two-factor authentication system; it requires the administrator to purchase a Defender Token that is used to enter and submit PIN numbers to the authentication server
Certificate-Based Authentication
1.
FireWall-1 supports the use of digital certificates, rather than passwords, to authenticate users. The
organization using FireWall-1 would have to set up a Public Key Infrastructure (PKI) that generates keys to
users. The user receives a code called a public key that is generated using the server’s private key and uses
the public key to send encrypted information to the server. The server receives the public key and can
decrypt the information using its private key.
802.1x Wi-Fi Authentication
1.
IEEE 802.1x is one of the fastest growing standards being used in connection with enterprise networks
today. It’s popular because it supports wireless Ethernet connections (sometimes called “Wi-Fi”).
2.
This relatively new protocol is not supported by FireWall-1, but it deserves mention because of the
increasing popularity of wireless networks in corporate settings. Wireless networks make it easy for users
to connect to the network without having to string cables. At the same time, they present the security
administrator with a considerable challenge: without some kind of authentication, any hacker with a laptop
computer equipped with a wireless network card that ventures within a few hundred feet of the wireless
network can potentially connect to it.