4.2 Explain authentication and access controls. Flashcards
AAA framework
Identification - Usually your username
Authentication
Authorization
Accounting
Authentication
Prove you are who you say you are
Password and other authentication factors
Authorization
Based on your identification and authentication, what access do you have?
Accounting
Resources used: Login time, data sent and received, logout time
RADIUS (Remote Authentication Dial-in User Service)
One of the more common AAA protocols
Supported on a wide variety of platforms and devices
Not just for dial-in
Centralize authentication for users - Routers, switches, firewalls
• Server authentication
• Remote VPN access
• 802.1X network access
RADIUS services available on almost any server operating system
TACACS
Terminal Access Controller Access-Control System
• Remote authentication protocol
• Created to control access to dial-up lines to ARPANET
XTACACS (Extended TACACS)
A Cisco-created (proprietary) version of TACACS
Additional support for accounting and auditing
TACACS+
The latest version of TACACS, not backwards compatible
• More authentication requests and response codes
• Released as an open standard in 1993
Kerberos
Standard since the 1980s (MIT), RFC 4120 - Microsoft started using Kerberos in Windows 2000
Network authentication protocol - Authenticate once, trusted by the system
Mutual authentication - the client and the server
Protects against man-in-the-middle and replay attacks
SSO with Kerberos
Authenticate one time
No constant username and password input! - Save time
Only works with Kerberos
LDAP (Lightweight Directory Access Protocol)
Protocol for reading and writing directories over an IP network
Windows Active Directory (AD)
LDAP is the protocol used to query and update an X.500 directory
macOS Apple Open Directory, OpenLDAP, etc.
Builds a tree
Container objects
Country, organization, organizational units
Leaf objects
Users, computers, printers, files
Local authentication
Credentials are stored on the local device - Does not use a centralized database
Initial local account on the device
Difficult to scale local accounts
Sometimes useful as a backup
Certificate-based authentication
Smart card
PIV (Personal Identity Verification) card
CAC (Common Access Card)
IEEE 802.1X
Smart card
Private key is on the card
PIV (Personal Identity Verification) card
US Federal Government smart card
Picture and identification information
CAC (Common Access Card)
US Department of Defense smart card
Picture and identification
IEEE 802.1X
Gain access to the network using a certificate
On device storage or separate physical device
Auditing
Log all access details - OS logins, VPN, device access
Usage auditing
• How are your resources used?
• Are your systems and applications secure?
Time-of-day restrictions
Nobody needs to access the lab at 3 AM
Multi-factor authentication
More than one factor
• Something you are
• Something you have
• Something you know
• Somewhere you are
• Something you do
Something you know
Password - Secret word/phrase, string of characters
PIN - Personal identification number
Pattern - Complete a series of patterns
Something you have
• Integrates with devices
• May require a PIN
• USB token - Certificate is on the USB device
• Hardware or software tokens - Generate pseudo-random authentication codes
• Your phone - SMS a code to your phone
Something you are
Biometric authentication - Fingerprint, iris scan, voiceprint
Somewhere you are
Provide a factor based on your location
IP address (IPv4 only)
Mobile device location services
• Geolocation to a very specific area
• Must be in a location that can receive GPS information or near an identified mobile or 802.11 network
• Still not a perfect identifier of location
Something you do
A personal way of doing things - You’re special
Handwriting analysis - Signature comparison or writing technique
Very similar to biometrics - Close to something you are
Typing technique
Delays between keystrokes
Network Access Control (NAC)
IEEE 802.1X - Port-based
You don’t get access until you authenticate
Makes extensive use of EAP and RADIUS
Controls physical interfaces, not TCP or UDP ports
Administrative enable/disable
Duplicate MAC address checking - Stop the spoofers
Port security
Prevent unauthorized users from connecting to a switch interface - Alert or disable the port
Based on the source MAC address
Each port has its own config
Port security operation
Configure a maximum number of source MAC addresses on an interface
The switch monitors the number of unique MAC addresses
Once you exceed the maximum, port security activates - Default is to disable the interface
MAC filtering
Security through obscurity
Media Access Control - The “hardware” address
Limit access through the physical hardware address
Easy to find working MAC addresses through wireless LAN analysis
Captive portal
Authentication to a network
Access table recognizes a lack of authentication
Username / password
Once proper authentication is provided, the web session continues
Access Control Lists (ACLs)
Used to allow or deny traffic - Also used for NAT, QoS, etc.
Defined on the ingress or egress of an interface
ACLs evaluate on certain criteria
Source IP, Destination IP, TCP port numbers, UDP port numbers, ICMP
Deny or permit - What happens when an ACL matches the traffic?