Remote Authentication Landscape and Authentication Methods ...
Authentication
description
Transcript of Authentication
![Page 1: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/1.jpg)
Authentication
![Page 2: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/2.jpg)
Objectives Define authentication Authentication credentials Authentication models Authentication servers Extended authentication protocols Virtual Private Network (VPN)
![Page 3: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/3.jpg)
Password-Guessing Attacks Surge
Slow guessing and botnets conceal the attacks Countermeasures Strong password policy, restricting access to server by
source IP, two-factor authentication
![Page 4: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/4.jpg)
Definition of Authentication Authentication can be defined in two contexts The first is viewing authentication as it relates to access
control The second is to look at it as one of the three key
elements of security: Authentication Authorization Accounting
![Page 5: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/5.jpg)
Authentication & Access Control Terminology Access control is the process by which resources or
services are granted or denied Identification
The presentation of credentials or identification Authentication
The verification of the credentials to ensure that they are genuine and not fabricated
Authorization Granting permission for admittance
Access is the right to use specific resources
![Page 6: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/6.jpg)
Authentication, Authorization, and Accounting Short term: AAA Authentication in AAA provides a way of identifying a
user Typically with a password
Authorization determines whether the user has the authority to carry out certain tasks The process of enforcing policies
Accounting measures the resources a user “consumes” during each network session
![Page 7: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/7.jpg)
Uses of Accounting DATA To find evidence of problems For billing For planning
AAA servers Servers dedicated to performing AAA functions Can provide significant advantages in a network
![Page 8: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/8.jpg)
Objectives Define authentication Authentication credentials Authentication models Authentication servers Extended authentication protocols Virtual Private Network (VPN)
![Page 9: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/9.jpg)
Authentication Credentials Credentials are something you have, something you are,
or something you know Types of authentication credentials
Passwords One-time passwords Standard biometrics Behavioral biometrics Cognitive biometrics
![Page 10: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/10.jpg)
One-Time Passwords Standard passwords are typically static in nature One-time passwords (OTP)
Dynamic passwords that change frequently Systems using OTPs generate a unique password on
demand that is not reusable The most common type is a time-synchronized OTP
Used in conjunction with a token The token and a corresponding authentication server
share the same algorithm Each algorithm is different for each user’s token
![Page 11: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/11.jpg)
One-Time Passwords
![Page 12: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/12.jpg)
One-Time Passwords
![Page 13: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/13.jpg)
Challenge-Based OTPs Authentication server displays a challenge (a random
number) to the user User then enters the challenge number into the token
Which then executes a special algorithm to generate a password
Because the authentication server has this same algorithm, it can also generate the password and compare it against that entered by the user
![Page 14: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/14.jpg)
Standard Biometrics Uses a person’s unique characteristics for authentication
(what he is) Examples: fingerprints, faces, hands, irises, retinas Types of fingerprint scanners
Static fingerprint scanner Dynamic fingerprint scanner (more secure)
Disadvantages Costs Readers are not always foolproof How can you change your password if it's your fingerprint?
![Page 15: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/15.jpg)
Dynamic Fingerprint Scanner
![Page 16: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/16.jpg)
Behavioral Biometrics Authenticates by normal actions that the user performs Keystroke dynamics
Attempt to recognize a user’s unique typing rhythm Keystroke dynamics uses two unique typing variables
Dwell timeFlight time
![Page 17: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/17.jpg)
Keystroke Dynamics
![Page 18: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/18.jpg)
Keystroke Dynamics
![Page 19: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/19.jpg)
Behavioral Biometrics Voice recognition
Uses unique characteristics of a person’s voice Phonetic cadence
Speaking two words together in a way that one word “bleeds” into the next word
Becomes part of each user’s speech pattern Computer footprint
When and from where a user normally accesses a system
![Page 20: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/20.jpg)
Computer Footprinting in Online Banking A simple form of two-factor authentication Required by the US now
![Page 21: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/21.jpg)
Cognitive Biometrics Related to the perception, thought process, and
understanding of the user Easier for the user to remember because it is based on
the user’s life experiences One example of cognitive biometrics is based on a life
experience that the user remembers Another example of cognitive biometrics requires the user
to identify specific faces
![Page 22: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/22.jpg)
Cognitive Biometrics
![Page 23: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/23.jpg)
Objectives Define authentication Authentication credentials Authentication models Authentication servers Extended authentication protocols Virtual Private Network (VPN)
![Page 24: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/24.jpg)
Single and multi-factor authentication One-factor authentication
Using only one authentication credential, such as a password
Two-factor authentication Enhances security, particularly if different types of
authentication methods are used (password and token) Three-factor authentication
Requires that a user present three different types of authentication credentials
![Page 25: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/25.jpg)
Single sign-on Identity management
Using a single authenticated ID to be shared across multiple networks
Federated identity management (FIM) When those networks are owned by different organizations
One application of FIM is called single sign-on (SSO) Using one authentication to access multiple accounts or
applications
![Page 26: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/26.jpg)
Windows Live ID Originally introduced in 1999 as .NET Passport When the user wants to log into a Web site that supports
Windows Live ID The user will first be redirected to the nearest
authentication server Once authenticated, the user is given an encrypted time-
limited “global” cookie Never became widely used
![Page 27: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/27.jpg)
Windows CardSpace New Windows feature Users control digital identities with digital ID cards Types of cards
Managed cards Personal cards
![Page 28: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/28.jpg)
OpenID A decentralized open source FIM Does not require specific software to be installed on the
desktop An OpenID identity is only a URL backed up by a
username and password OpenID provides a means to prove that the user owns that
specific URL Not very secure--dependent on DNS
![Page 29: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/29.jpg)
Objectives Define authentication Authentication credentials Authentication models Authentication servers Extended authentication protocols Virtual Private Network (VPN)
![Page 30: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/30.jpg)
Authentication Servers Authentication can be provided on a network by a
dedicated AAA or authentication server The most common type of authentication and AAA servers
are RADIUS Kerberos TACACS+ Generic servers built on the Lightweight Directory Access
Protocol (LDAP)
![Page 31: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/31.jpg)
RADIUS RADIUS: Remote Authentication Dial in User Service Developed in 1992 The industry standard with widespread support Suitable for what are called “high-volume service control
applications” With the development of IEEE 802.1x port security for
both wired and wireless LANs RADIUS has recently seen even greater usage
![Page 32: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/32.jpg)
RADIUS A RADIUS client is typically a device such as a dial-up
server or wireless access point (AP) Responsible for sending user credentials and connection
parameters in the form of a RADIUS message to a RADIUS server
The RADIUS server authenticates and authorizes the RADIUS client request Sends back a RADIUS message response
RADIUS clients also send RADIUS accounting messages to RADIUS servers
![Page 33: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/33.jpg)
RADIUS
![Page 34: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/34.jpg)
Kerberos An authentication system developed by the Massachusetts
Institute of Technology (MIT) Used to verify the identity of networked users
Kerberos authentication server issues a ticket to the user The user presents this ticket to the network for a service The service then examines the ticket to verify the identity of
the user
![Page 35: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/35.jpg)
TACACS+ Terminal Access Control Access Control System
(TACACS+) Developed by Cisco to replace RADIUS More secure and reliable than RADIUS The centralized server can either be a TACACS+ database
Or a database such as a Linux or UNIX password file with TACACS protocol support
![Page 36: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/36.jpg)
Lightweight Directory Access Protocol (LDAP) Directory service
A database stored on the network itself that contains information about users and network devices
Can be used with RADIUS X.500
A standard for directory services Created by ISO
White-pages service Capability to look up information by name
Yellow-pages service Browse and search for information by category
![Page 37: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/37.jpg)
Lightweight Directory Access Protocol (LDAP) The information is held in a directory information base
(DIB) Entries in the DIB are arranged in a tree structure called
the directory information tree (DIT) Directory Access Protocol (DAP)
Protocol for a client application to access an X.500 directory DAP is too large to run on a personal computer
![Page 38: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/38.jpg)
Lightweight Directory Access Protocol (LDAP) Lightweight Directory Access Protocol (LDAP)
Sometimes called X.500 Lite A simpler subset of DAP
Primary differences LDAP was designed to run over TCP/IP LDAP has simpler functions LDAP encodes its protocol elements in a less complex way
than X.500 LDAP is an open protocol
![Page 39: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/39.jpg)
Objectives Define authentication Authentication credentials Authentication models Authentication servers Extended authentication protocols Virtual Private Network (VPN)
![Page 40: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/40.jpg)
Extended Authentication Protocols (EAP) In IEEE 802.1x, EAP is the "envelope" that carries data
used for authentication Three EAP protocol categories:
Authentication legacy protocols EAP weak protocols EAP strong protocols
![Page 41: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/41.jpg)
Extended Authentication Protocols (EAP)
![Page 42: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/42.jpg)
Authentication Legacy Protocols No longer extensively used for authentication Password Authentication Protocol (PAP)
Sends passwords in the clear Challenge-Handshake Authentication Protocol (CHAP)
Safer than PAP, but vulnerable Microsoft Challenge-Handshake Authentication Protocol
(MS-CHAP)
![Page 43: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/43.jpg)
EAP Weak Protocols Still used but have security vulnerabilities Extended Authentication Protocol–MD5 (EAP-MD5)
Vulnerable to offline dictionary attacks Lightweight EAP (LEAP)
Also vulnerable to offline dictionary attacks Can be cracked faster than WEP
![Page 44: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/44.jpg)
EAP Strong Protocols EAP with Transport Layer Security (EAP-TLS)
Uses certificates for both client and server Used in large Windows networks
EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP) No client-side certificate Easier to implement than EAP-TLS
![Page 45: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/45.jpg)
Objectives Define authentication Authentication credentials Authentication models Authentication servers Extended authentication protocols Virtual Private Network (VPN)
![Page 46: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/46.jpg)
Remote Authentication and Security
Important to maintain strong security for remote communications Transmissions are routed through networks or devices that
the organization does not manage and secure Managing remote authentication and security usually
includes: Using remote access services Installing a virtual private network Maintaining a consistent remote access policy
![Page 47: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/47.jpg)
Remote Access Services (RAS) Any combination of hardware and software that enables
access to remote users to a local internal network Provides remote users with the same access and
functionality as local users
![Page 48: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/48.jpg)
Virtual Private Networks (VPNs) One of the most common types of RAS Uses an unsecured public network, such as the Internet,
as if it were a secure private network Encrypts all data that is transmitted between the remote
device and the network Common types of VPNs
Remote-access VPN or virtual private dial-up network (VPDN)
Site-to-site VPN
![Page 49: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/49.jpg)
Virtual Private Networks (VPNs)
![Page 50: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/50.jpg)
Virtual Private Networks (VPNs) VPN transmissions are achieved through communicating
with endpoints Endpoint
End of the tunnel between VPN devices VPN concentrator
Aggregates hundreds or thousands of multiple connections Depending upon the type of endpoint that is being used,
client software may be required on the devices that are connecting to the VPN
![Page 51: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/51.jpg)
Virtual Private Networks (VPNs) VPNs can be software-based or hardware-based Software-based VPNs offer the most flexibility in how
network traffic is managed Hardware-based VPNs generally tunnel all traffic they
handle regardless of the protocol Generally, software based VPNs do not have as good
performance or security as a hardware-based VPN
![Page 52: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/52.jpg)
VPN Advantages Cost savings (no long-distance phone call) Scalability (easy to add more users) Full protection (all traffic is encrypted) Speed (faster than direct dial-up) Transparency (invisible to the user) Authentication (only authorized users can connect) Industry standards
![Page 53: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/53.jpg)
VPN Disadvantages Management Availability and performance Interoperability Additional protocols Performance impact Expense
![Page 54: Authentication](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816465550346895dd6499f/html5/thumbnails/54.jpg)
Remote Access Policies Establishing strong remote access policies is important Some recommendations for remote access policies:
Remote access policies should be consistent for all users Remote access should be the responsibility of the IT
department Form a working group and create a standard that all
departments will agree to