Brian E. Brzezicki
First we have to discuss some terms we will use again and again
Protocol – an official set of steps or language for communication
Algorithm – a specific set of steps to solve a problem or do some task
String – a series of characters. Example: if a character can be a-z or 0-9, an 8 character string might be “ar01z14b”
Control – a countermeasure or an attempt to mitigate a security risk. Examples: a firewall is a technical control, policies are HR controls, encryption is a technical control.
3 Fundamental Principles of Security
• Confidentiality
controls
• Integrity
controls
• Availability
Controls
Closely related
• Non-repudiation
controls
No one security control should be completely relied upon. Instead have many overlapping security controls.
• Network based firewall
• Host based firewall
• IDS system
• Access controls
• Proper patching and maintenance practices
This is also referred to as “Layered Security”
With a single control type, use multiple vendors/models.
• Why
• Examples
Fundamental security rule. If you do NOT explicitly have authorization, then you are implicitly DENIED access.
Should be the default rule for ALL access controls.
Usually seen in firewalls and access control lists
Security Devices have been fortified for security, do NOT intermingle security and non-security devices as you weaken the security and provide attack vectors.
Similarly, try to have every service in your network on a separate server that’s dedicated only to that task.
• Virtualization makes this EASY today!
Proving that you are who you say you are
3 factors
• Something you __________________
• Something you __________________
• Something you __________________
(more details of each in next slides)
Passwords – what’s a password?
• Use strong passwords
What does that mean
• Do not write down passwords
• Do not share passwords
• Change passwords regularly
How often
• Do not reuse passwords
• Use account lockout policies
What is a lockout policy
• Change system default passwords
• Inform users of Previous Logons
Passphrase
I Like Iced Tea And Lemon With Cranberry
I L I T A L W C
1 L 1 t @ ! w c
Biometrics
Finger print
Iris Scan (see next slide)
Face Geometry
Voice Print
Retinal Scan (see next slide)
Keystroke Dynamics
Physically Based or Behaviorally Based
• What is the difference between these two
Type 1, Type 2 errors, CER (images in a few slides)
Crossover Error Rate (CER) is an important metric, stated as a percentage, that represents the point at which the false rejection rate equals the false acceptance (false positive) rate.
Use CER to compare vendors’ products objectively
A lower CER is better/more accurate (3 is better than 4)
Also called Equal Error Rate
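To make the CER concrete, here is an added Python example (not from the slides) that computes the false rejection rate (Type 1 error) and false acceptance rate (Type 2 error) from a constructed set of matcher scores, sweeps the accept threshold, and reports the crossover point; the scores are made up for illustration.

```python
# Constructed similarity scores (0-100) from a toy biometric matcher: higher = better match.
# Genuine users should score high, impostors low; the overlap is deliberate.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 62, 55]
IMPOSTOR_SCORES = [64, 60, 56, 52, 49, 46, 43, 40, 35, 30]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) in percent for the rule 'accept if score >= threshold'.
    FRR (Type 1 error): genuine attempts wrongly rejected.
    FAR (Type 2 error): impostor attempts wrongly accepted."""
    frr = 100.0 * sum(1 for s in genuine if s < threshold) / len(genuine)
    far = 100.0 * sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every integer threshold and return (threshold, CER) at the point
    where FRR and FAR are closest to equal; CER is their value there."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def lower_cer_vendor(vendors):
    """Given {vendor: (genuine_scores, impostor_scores)}, pick the vendor with the lowest CER,
    which is how the slide says vendors should be compared."""
    return min(vendors, key=lambda v: crossover_error_rate(*vendors[v])[1])
```

Raising the threshold trades FAR for FRR: at threshold 0 nothing is rejected (FRR 0%) but every impostor gets in (FAR 100%), and the CER is where the two curves cross.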
For best security, use 2 or more of these for authentication. This is called “multi-factor” authentication or “strong authentication”
• Why use Multifactor Authentication?
• Is a password and a passphrase multifactor?
Verifying someone is who they say they are before issuing authentication credentials initially or after they are lost
• This is NOT authentication but works hand in hand. Someone must prove their identity before getting authentication credentials.
Allows users to reset their passwords, often saves IT staff time and money.
• Cognitive Passwords
• Issues?
• Email a password reset link
• Physically mail a new PIN
A network authentication protocol that came out of MIT’s Project Athena. Kerberos tries to ensure authentication security in an insecure environment
• Used in Windows2000+ and some Unix
• Allows for single sign on
• Never transfers passwords
• Uses PRIVATE key (symmetric) encryption to verify identities
Principals – users or network services
KDC – Key Distribution Center, stores the secret keys (passwords) for principals
Tickets
• Ticket Granting Ticket (TGT) gets you more tickets
• Service Tickets – access to specific network services (ex. file sharing)
Realms – a grouping of principals that a KDC provides service for, looks like a domain name
• Example: somedepartment.mycompany.com
• Computers must have clocks synchronized within 5 minutes of each other
• Tickets are stored on the workstation. If the workstation is compromised your identity can be forged.
• Single point of failure if no backup KDC
• If your KDC is hacked, security is lost
• Uses TCP and UDP port 88
A centralized Directory of Users and Objects.
• LDAP is a protocol to access an X.500 compliant database
• Active Directory Implements LDAP
• LDAP ports are
• TCP / 389
• TCP / 636 (SSL/secure)
The process of having BOTH the client authenticate to the server AND the server authenticate to the client.
Are you safe when you go to a website that asks for a username and password? How do you really know it’s the website?
Should the client authenticate to the server first, or the server to the client? Does it matter which order?
I love having 40 different passwords… I just carry them all around on a laminated card in my wallet ;-)
What’s the purpose of single sign on?
• Advantages
• Disadvantages
In any environment where you want to have access control, you MUST uniquely identify subjects. Most systems have a friendly username, however the system tracks by a number (similar to an SSN)
• SID (Windows)
Ex. S-1-5-21-3623811015-3361044348-30300820-1014
RID 500 = Administrator, RID 512 = Domain Admin Group
• UID (Unix)
Ex. 5125
0 is the superuser UID on Unix systems
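Added example (not from the slides): a small Python parser for the Windows SID format shown above that pulls out the revision, identifier authority, sub-authorities and the trailing RID, and names the well-known RIDs the slide lists. It is useful when reviewing logs, where a domain SID ending in 500 means the built-in Administrator regardless of what the account has been renamed to.

```python
import re

# Well-known relative IDs named on the slide (the trailing component of a domain SID)
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins"}

# S-<revision>-<identifier authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a SID string into numeric parts; return None if it is not syntactically a SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        return None
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    # The last sub-authority is the RID, which identifies the account or group within the domain
    return {"revision": revision, "authority": authority,
            "sub_authorities": subs[:-1], "rid": subs[-1]}


def describe_rid(sid):
    """Name the well-known account a domain SID's RID refers to (e.g. 500 -> Administrator)."""
    parsed = parse_sid(sid)
    if parsed is None:
        return "invalid SID"
    # Domain SIDs use the NT authority (5) and begin their sub-authorities with 21
    if parsed["authority"] == 5 and parsed["sub_authorities"][:1] == [21]:
        return WELL_KNOWN_RIDS.get(parsed["rid"], f"RID {parsed['rid']} (ordinary account or group)")
    return f"non-domain SID, RID {parsed['rid']}"
```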
The basic ACL permissions are
Full Control
Modify
Read
Read and Execute
Write
There are different ways to validate your identity over the network. For the Security+ exam you should be aware of the following, which will be discussed on the upcoming slides
• PAP
• CHAP
• MS-CHAP
• MS-CHAPv2
• RADIUS
• TACACS+
Password Authentication Protocol – simply puts your username and password over the wire (in plaintext).
• Advantages
• Disadvantages
Challenge Handshake Authentication Protocol – avoids ever sending a password.
The server knows your password, as do you
1. Server creates a “challenge”, example: banana and an increasing number
2. You take the challenge + number + your password and do a hash of it, and send the hash to the server
3. Server calculates the hash the same way and compares whether your hash is the same as its hash; if so you must be who you say you are.
Advantages
• Avoids replay attacks
• Never sends password in plaintext
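Added Python example (not from the slides) implementing the three CHAP steps as the slide describes them: the server keeps the password, issues a random challenge plus an increasing number, and the client returns only a hash. It follows the slide's hash-of-challenge+number+password description with SHA-256; real CHAP (RFC 1994) hashes identifier, secret and challenge with MD5. The last function shows why a captured response cannot be replayed against the next challenge.

```python
import hashlib
import hmac
import os


def chap_response(challenge, number, password):
    """Step 2: hash of challenge + number + password. The password itself never leaves the client."""
    return hashlib.sha256(challenge + number.to_bytes(4, "big") + password.encode()).hexdigest()


class ChapServer:
    """Holds each user's password (the slide: 'server knows your password') and issues challenges."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.counter = 0          # the slide's "increasing number"
        self.outstanding = {}     # user -> (challenge, number) waiting for a response

    def challenge(self, user):
        """Step 1: a fresh random challenge (the slide's 'banana') plus the next number."""
        self.counter += 1
        chal = os.urandom(16)
        self.outstanding[user] = (chal, self.counter)
        return chal, self.counter

    def verify(self, user, response):
        """Step 3: recompute the hash and compare. Each challenge is single use."""
        if user not in self.outstanding or user not in self.passwords:
            return False
        chal, number = self.outstanding.pop(user)
        expected = chap_response(chal, number, self.passwords[user])
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_login(server, user, password):
    """A complete exchange: challenge, response, verification."""
    chal, number = server.challenge(user)
    return server.verify(user, chap_response(chal, number, password))


def replay_is_rejected(server, user, password):
    """A response copied off the wire is useless once the next challenge/number is issued."""
    chal, number = server.challenge(user)
    captured = chap_response(chal, number, password)
    first_login_ok = server.verify(user, captured)
    server.challenge(user)                     # next login: new challenge, new number
    return first_login_ok and not server.verify(user, captured)
```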
A Microsoft version of CHAP
• Does not require the password to be stored in clear text
MS-CHAPv2
• Allows for mutual authentication
Network AAA protocol
Connectionless protocol, using UDP
Ports used
• 1812 / UDP (authentication)
• 1813 / UDP (accounting)
Main messages sent
• Access-Request
• Access-Challenge
• Access-Accept
• Access-Reject
(more)
Uses attribute/value pairs (the attribute type is an 8-bit field, so 256 different possible attributes)
• Ex: Framed-IP-Address: 192.168.1.1
Can use PAP, CHAP, EAP for authentication
Problems
• No encryption of data (except login info)
• Minimal number of permissions (8 bits worth)
• Server cannot “kick off” users from the NAS
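Added Python example (not from the slides, and not a RADIUS library) showing how the attribute/value pairs and the four message types above appear on the wire per RFC 2865: each attribute is Type(1 byte) Length(1 byte) Value, which is why only 256 attribute types exist, and Framed-IP-Address carries a 4-byte address. The decoder refuses malformed lengths rather than reading past the packet.

```python
import socket
import struct

# RADIUS packet codes named on the slide (RFC 2865)
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# Attribute types used below; the type field is one byte, hence at most 256 attributes
USER_NAME, FRAMED_IP_ADDRESS = 1, 8
ATTR_NAMES = {USER_NAME: "User-Name", FRAMED_IP_ADDRESS: "Framed-IP-Address"}


def encode_avp(attr_type, value):
    """Serialise one attribute as Type(1) Length(1) Value; Length counts the 2 header bytes."""
    data = socket.inet_aton(value) if attr_type == FRAMED_IP_ADDRESS else value.encode()
    if not 1 <= len(data) <= 253:                 # Length is one byte, so at most 253 value bytes
        raise ValueError("value does not fit in one attribute")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def decode_avps(payload):
    """Walk the attribute area; raise on a bad length instead of silently misparsing."""
    avps, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", payload, pos)
        if length < 3 or pos + length > len(payload):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        data = payload[pos + 2:pos + length]
        is_ip = attr_type == FRAMED_IP_ADDRESS and len(data) == 4
        value = socket.inet_ntoa(data) if is_ip else data.decode(errors="replace")
        avps.append((ATTR_NAMES.get(attr_type, f"Attr-{attr_type}"), value))
        pos += length
    return avps


def is_malformed(payload):
    try:
        decode_avps(payload)
        return False
    except ValueError:
        return True


def build_packet(code, identifier, authenticator, avps):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes."""
    body = b"".join(encode_avp(t, v) for t, v in avps)
    return struct.pack("!BBH16s", code, identifier, 20 + len(body), authenticator) + body


def parse_packet(packet):
    code, identifier, length, _authenticator = struct.unpack_from("!BBH16s", packet, 0)
    if length != len(packet):
        raise ValueError("length field disagrees with packet size")
    return CODE_NAMES.get(code, f"Code-{code}"), identifier, decode_avps(packet[20:])
```

Note that nothing here is encrypted: the User-Name and Framed-IP-Address travel in the clear, which is the "no encryption of data (except login info)" problem listed above.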
Similar to RADIUS
• Used for network AAA
• Created by Cisco
• Attribute/Value Pairs
• Designed to separate each of the AAA components
• Uses TCP / 49