Authentication | PPTX
AUTHENTICATION
THE AUTHENTICATION PROCESS
• AUTHENTICATION
• ACT OF CONFIRMING THE IDENTITY OF A POTENTIAL USER
• VERIFY IDENTITY BY PROVIDING ONE OR MORE OF:
• SOMETHING YOU KNOW
• SOMETHING YOU HAVE
• SOMETHING YOU ARE
• SOMETHING YOU DO
• MULTIFACTOR
• NETWORK AUTHENTICATION FORMS:
• LOCAL AUTHENTICATION
• MOST COMMON FORM OF AUTHENTICATION
• CENTRALIZED AUTHENTICATION SERVICE
AUTHENTICATION SERVICES
• AUTHENTICATION - PROCESS OF VERIFYING CREDENTIALS
• AUTHENTICATION SERVICES ARE PROVIDED ON A NETWORK TO AUTHENTICATE,
AUTHORIZE, AND PROVIDE ACCOUNTABILITY (AAA)
• COMMON TYPES OF AUTHENTICATION SERVERS:
• KERBEROS
• RADIUS
• TACACS
• LDAP
• SAML
CENTRALIZED AUTHENTICATION
• ALLEVIATES THE NEED TO PROVIDE EACH SERVER ON THE NETWORK WITH A SEPARATE DATABASE
OF USERNAMES AND PASSWORDS
• SUBSTANTIAL DOWNSIDE:
• AUTHENTICATION SERVER BECOMES A SINGLE POINT OF FAILURE
• DIFFERENT AUTHENTICATION METHODS
• KERBEROS
• TACACS+
• RADIUS
RADIUS
• RADIUS (REMOTE AUTHENTICATION DIAL IN USER SERVICE) -
DEVELOPED IN 1992 AND BECAME AN INDUSTRY STANDARD
• ORIGINALLY DESIGNED FOR REMOTE DIAL-IN ACCESS TO CORPORATE NETWORK
• TRANSMITS UNENCRYPTED AUTHENTICATION PACKETS ACROSS THE NETWORK
• "REMOTE" IN THE NAME IS ALMOST A MISNOMER: RADIUS AUTHENTICATION IS USED FOR
MORE THAN CONNECTING TO REMOTE NETWORKS
• WITH THE DEVELOPMENT OF IEEE 802.1X PORT SECURITY FOR BOTH WIRED AND
WIRELESS LANS, RADIUS HAS SEEN EVEN GREATER USAGE
RADIUS: CLIENTS
• THE RADIUS CLIENT IS NOT THE DEVICE REQUESTING AUTHENTICATION
• THE RADIUS CLIENT IS A DEVICE SUCH AS A WIRELESS AP OR DIAL-UP SERVER THAT IS
RESPONSIBLE FOR SENDING THE USER'S CREDENTIALS AND CONNECTION PARAMETERS,
IN THE FORM OF A RADIUS MESSAGE, TO THE RADIUS SERVER
• THE RADIUS SERVER AUTHENTICATES AND AUTHORIZES THE RADIUS CLIENT'S REQUEST AND
SENDS BACK A RADIUS RESPONSE MESSAGE
• RADIUS CLIENTS ALSO SEND RADIUS ACCOUNTING MESSAGES TO RADIUS SERVERS
KERBEROS
• KERBEROS - AUTHENTICATION SYSTEM DEVELOPED AT MIT THAT USES
ENCRYPTION AND AUTHENTICATION FOR SECURITY
• MOST OFTEN USED IN EDUCATIONAL AND GOVERNMENT SETTINGS
• NOT RECOMMENDED FOR AUTHENTICATION OF OUTSIDE USERS
• SENDS PASSWORDS IN CLEARTEXT
• KERBEROS TICKET:
• CONTAINS INFORMATION LINKING IT TO THE USER
• USER PRESENTS TICKET TO NETWORK FOR A SERVICE
• DIFFICULT TO COPY
• EXPIRES AFTER A FEW HOURS OR A DAY
FIREWALLS
• SOME FIREWALLS PROVIDE A VARIETY OF AUTHENTICATION METHODS
• FIREWALLS ARE NOT JUST FOR PACKET FILTERING ANYMORE
• MOST FIREWALLS MAKE USE OF ONE OR MORE WELL-KNOWN SYSTEMS
• RADIUS AND TACACS+
TERMINAL ACCESS CONTROL ACCESS CONTROL SYSTEM
(TACACS)
• TERMINAL ACCESS CONTROL ACCESS CONTROL SYSTEM
PLUS (TACACS+) - AUTHENTICATION SERVICE COMMONLY USED ON UNIX
DEVICES
• COMMUNICATES BY FORWARDING USER AUTHENTICATION INFORMATION TO A
CENTRALIZED SERVER
• LATEST AND STRONGEST VERSION OF A SET OF AUTHENTICATION PROTOCOLS
DEVELOPED BY CISCO SYSTEMS
• PROVIDES THE AAA SERVICES
• AUTHENTICATION, AUTHORIZATION, ACCOUNTING
• USES A HASHING ALGORITHM (MD5) TO KEEP THE PASSWORD ITSELF A SECRET
COMPARISON OF RADIUS AND TACACS+
• FILTERING CHARACTERISTICS
• TACACS+ USES TCP PORT 49
• RADIUS USES UDP PORT 1812 AND 1813
• SEE TABLE 3-3
• NAT CHARACTERISTICS
• RADIUS DOESN’T WORK WITH NETWORK ADDRESS TRANSLATION (NAT)
• TACACS+ SHOULD WORK WITH NAT SYSTEMS
• STATIC IP ADDRESS MAPPINGS WORK BEST FOR BOTH
PASSWORD SECURITY ISSUES
• MANY AUTHENTICATION SYSTEMS DEPEND IN PART OR ENTIRELY ON
PASSWORDS
• METHOD IS TRULY SECURE ONLY FOR CONTROLLING OUTBOUND INTERNET
ACCESS
• PASSWORD GUESSING AND EAVESDROPPING ATTACKS ARE LIKELY ON INBOUND
ACCESS ATTEMPTS
• AVOID VULNERABILITIES BY ENSURING THAT NETWORK’S AUTHORIZED USERS
• PROTECT THEIR PASSWORDS EFFECTIVELY
• OBSERVE SOME SIMPLE SECURITY HABITS
THE SHADOW PASSWORD SYSTEM
• LINUX STORES PASSWORDS IN THE /ETC/SHADOW FILE
• IN ENCRYPTED FORMAT USING A ONE-WAY HASH FUNCTION
• LINUX STORES USER NAMES IN THE /ETC/SHADOW FILE
• SHADOW PASSWORD SYSTEM
• FEATURE OF THE LINUX OPERATING SYSTEM
• ENABLES THE SECURE STORAGE OF PASSWORDS
• FILE HAS RESTRICTED ACCESS
• PASSWORDS ARE STORED ONLY AFTER BEING ENCRYPTED WITH THE SALT VALUE
AND AN ENCODING ALGORITHM
• ON WINDOWS THE FILE IS CALLED SAM
• THE HASHES ARE STORED IN THE WINDOWS SAM FILE. THIS FILE IS LOCATED ON YOUR
SYSTEM AT C:\WINDOWS\SYSTEM32\CONFIG BUT IS NOT ACCESSIBLE WHILE THE OPERATING
SYSTEM IS BOOTED UP.
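An added example, not part of the original slides, of reading the shadow file the way a defender audits it: the second field carries the hash algorithm id and salt (or a lock marker), and the age fields say whether a password ever expires. The SAMPLE_SHADOW entries and their hash bodies are constructed placeholders, not real credentials.

```python
import re

# Constructed /etc/shadow sample for this example; the hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$6$Qx7Lz9Ab$PLACEHOLDERHASH1:19700:0:99999:7:::
alice:$y$j9T$SALTSALT$PLACEHOLDERHASH2:19800:1:90:14:::
bob:$1$abc12345$PLACEHOLDERHASH3:19000:0:99999:7:::
svc-backup::19500:0:99999:7:::
carol:!$6$n0tUs3d$PLACEHOLDERHASH4:19600:0:99999:7:::
"""

ALGORITHMS = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",  # crypt(3) prefixes
              "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}


def classify_hash(field: str) -> tuple:
    """Map the second shadow field to (state, algorithm): '' means no password is
    needed, '*'/'!!' no usable password, leading '!' a locked account, else a hash."""
    if field == "":
        return "empty", None
    if field in ("*", "!!"):
        return "nologin", None
    if field.startswith("!"):
        return "locked", None
    m = re.match(r"\$[^$]+\$", field)
    prefix = m.group(0) if m else None
    return "hashed", ALGORITHMS.get(prefix, f"unknown({prefix})")


def audit_shadow(text: str) -> list:
    """Findings a defender acts on: empty password fields, weak or unrecognised
    hash algorithms, and passwords with no maximum age (field 5 empty or 99999)."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw_hash, _last, _min, max_days = fields[:5]
        state, algo = classify_hash(pw_hash)
        if state == "empty":
            findings.append((user, "empty password field"))
        elif state == "hashed":
            if algo == "md5crypt" or algo.startswith("unknown"):
                findings.append((user, f"weak or unrecognised hash: {algo}"))
            if max_days in ("", "99999"):
                findings.append((user, "password never expires"))
    return findings
```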
ONE-TIME PASSWORD SOFTWARE
• TWO TYPES OF ONE-TIME PASSWORDS ARE AVAILABLE:
• CHALLENGE-RESPONSE PASSWORDS
• AUTHENTICATING COMPUTER OR FIREWALL GENERATES A RANDOM NUMBER (THE CHALLENGE) AND SENDS IT
TO THE USER, WHO ENTERS A SECRET PIN OR PASSWORD (THE RESPONSE)
• PASSWORD LIST PASSWORDS
• USER ENTERS A SEED PHRASE, AND THE PASSWORD SYSTEM GENERATES A LIST OF PASSWORDS
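Both one-time-password types above, implemented as an added example that is not from the deck: a hash-chain password list where the server keeps only the last value, and a challenge-response check that consumes each challenge after a single use. Class and function names are my own choices.

```python
import hashlib
import hmac
import secrets


def password_list(seed: str, count: int) -> list:
    """Password-list OTP (S/KEY style): hash the seed repeatedly. The user works
    through the list from the end; the server stores only the last value."""
    chain, h = [], seed.encode()
    for _ in range(count):
        h = hashlib.sha256(h).digest()
        chain.append(h.hex())
    return chain


class PasswordListVerifier:
    def __init__(self, seed: str, count: int):
        self.current = password_list(seed, count)[-1]  # the only value stored

    def check(self, candidate: str) -> bool:
        """Accept iff hashing the candidate once gives the stored value, then step
        the stored value back so the same password can never be replayed."""
        try:
            h = hashlib.sha256(bytes.fromhex(candidate)).hexdigest()
        except ValueError:
            return False
        if not hmac.compare_digest(h, self.current):
            return False
        self.current = candidate
        return True


class ChallengeResponseVerifier:
    """Challenge-response OTP: the authenticator sends a random nonce and the user's
    token answers with HMAC(secret, nonce). Each challenge is accepted at most once."""
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def respond(self, nonce: bytes) -> str:  # what the user's token computes
        return hmac.new(self.secret, nonce, hashlib.sha256).hexdigest()

    def check(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.outstanding:  # unknown, or already used
            return False
        self.outstanding.discard(nonce)  # consume before comparing
        return hmac.compare_digest(self.respond(nonce), response)
```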
CERTIFICATE BASED AUTHENTICATION
• USE OF DIGITAL CERTIFICATES TO AUTHENTICATE USERS
• MUST SET UP A PUBLIC-KEY INFRASTRUCTURE (PKI)
• GENERATES KEYS FOR USERS
• USER RECEIVES A CODE CALLED A PUBLIC KEY
• GENERATED USING THE SERVER’S PRIVATE KEY
• USES THE PUBLIC KEY TO SEND ENCRYPTED INFORMATION TO THE SERVER
802.1X WI-FI AUTHENTICATION
• PROVIDES FOR AUTHENTICATION OF USERS ON WIRELESS NETWORKS
• REQUIRES THE USE OF A SMART CARD OR DIGITAL CERTIFICATE
• WI-FI USES THE EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)
• ENABLES A SYSTEM THAT USES WI-FI TO AUTHENTICATE USERS ON OTHER KINDS
OF NETWORK OPERATING
SUMMARY
• FIREWALLS CAN MAKE USE OF MANY DIFFERENT AUTHENTICATION SCHEMES:
USER, CLIENT, SESSION
• CENTRALIZED AUTHENTICATION SYSTEM
• FIREWALL WORKS IN TANDEM WITH AUTHENTICATION SERVER
• SINGLE-WORD, STATIC PASSWORD SYSTEMS
• RECEIVE A PASSWORD FROM A USER, COMPARE IT AGAINST A DATABASE OF
PASSWORDS, AND THEN GRANT ACCESS IF A MATCH IS MADE
• ONE-TIME PASSWORD SYSTEMS
• GENERATE A PASSWORD EACH TIME THE USER ATTEMPTS TO LOG ON TO THE
NETWORK


Editor's Notes

  • #6 RADIUS: RADIUS (Remote Authentication Dial In User Service) was developed in 1992 and became an industry standard. It was originally designed for remote dial-in access to the corporate network. "Remote" in the name is almost a misnomer: RADIUS authentication is used for more than connecting to remote networks. With the development of IEEE 802.1x port security for both wired and wireless LANs, RADIUS has seen even greater usage.
  • #12 Lightweight Directory Access Protocol (LDAP): X.500 defines a protocol for client application access, the Directory Access Protocol (DAP). LDAP is a simpler subset of DAP: it is designed to run over TCP/IP, has simpler functions, and encodes protocol elements in a simpler way than X.500. Secure LDAP is LDAP over SSL (LDAPS). LDAP injection attacks occur when user input is not properly filtered.
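An added example, not from the notes, of the "not properly filtered" failure the LDAP injection note refers to: the same login filter built by raw concatenation and with RFC 4515 escaping, plus a structural check a test can apply to the result. The filter shape and function names are assumptions of this example.

```python
def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
    the characters *, (, ), backslash and NUL become backslash + two hex digits,
    so user input can never change the structure of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter_unsafe(username: str) -> str:
    """The bug: raw concatenation lets filter metacharacters in the input rewrite the query."""
    return "(&(objectClass=person)(uid=%s))" % username


def login_filter_safe(username: str) -> str:
    """The fix: every user-supplied value is escaped before it enters the filter."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def filter_is_single_uid_match(filt: str) -> bool:
    """Cheap structural check for a test or review: exactly one '(uid=' clause
    and balanced parentheses, whatever the input contained."""
    return filt.count("(uid=") == 1 and filt.count("(") == filt.count(")")
```

With python-ldap, `ldap.filter.escape_filter_chars` performs the same escaping; the point in either case is that escaping happens before the value is spliced into the filter string.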
  • #17 Security Assertion Markup Language (SAML): Steps 1-3
    1. User attempts to reach the website of a service provider that requires a username and password.
    2. Service provider generates a SAML authentication request, encoded and embedded into a URL.
    3. Service provider sends a redirect URL to the user's browser that includes the encoded SAML authentication request, which is then sent to the identity provider.
    4. Identity provider decodes the SAML request and extracts the embedded URL, then attempts to authenticate the user, either by asking for login credentials or by checking for valid session cookies.
    5. Identity provider generates a SAML response that contains the authenticated user's username.
    6. Identity provider encodes the SAML response and returns that information to the user's browser.
    7. Within the SAML response is a mechanism so that the user's browser can forward the information back to the service provider, either by displaying a form that requires the user to click a Submit button or by sending it automatically.
    8. Service provider verifies the SAML response using the identity provider's public key; if the response is successfully verified, the user is logged in.