Post on 03-Jan-2016

230 views

Category:

Documents


1 download

TRANSCRIPT

Network access security methods

Unit objective

Explain the methods of ensuring network access security
Explain methods of user authentication

Topic A

Topic A: Network access security methods

Topic B: User authentication

Network Access Control

Ensures that computers comply with security policies

Network Access Protection (NAP)
Overall NAC architecture

Access control lists

MAC address filtering
IP address and port filtering
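The two filtering styles named on this slide are ordinary access-list rules: a rule may match on source MAC, on source or destination network, or on destination port and protocol, and the first matching rule decides. The following added example (not course material; the rule set, addresses and packets are constructed for illustration) evaluates such an ordered ACL with the implicit deny that real routers and firewalls apply when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so "00-11-22-AA-BB-CC" and "00:11:22:aa:bb:cc" compare equal."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src_mac: Optional[str] = None     # MAC address filter
    src_net: Optional[str] = None     # source IP network in CIDR notation
    dst_net: Optional[str] = None     # destination IP network in CIDR notation
    dst_port: Optional[int] = None    # destination port filter
    proto: Optional[str] = None       # "tcp" or "udp"

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every field it sets agrees with the packet; unset fields are wildcards."""
        if self.src_mac is not None and normalize_mac(self.src_mac) != normalize_mac(pkt.src_mac):
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule that matches decides; a packet that matches
    no rule falls through to the implicit default deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed sample ACL (not from the course material), evaluated top to bottom.
SAMPLE_ACL = [
    Rule("deny", src_mac="00-11-22-33-44-55"),                                               # blocked device (MAC filter)
    Rule("permit", src_net="10.0.0.0/8", dst_port=443, proto="tcp"),                         # LAN to HTTPS anywhere
    Rule("permit", src_net="10.0.0.0/8", dst_net="10.0.0.53/32", dst_port=53, proto="udp"),  # LAN to internal DNS
]

if __name__ == "__main__":
    for pkt in (
        Packet("aa:bb:cc:dd:ee:ff", "10.1.2.3", "203.0.113.10", 443),
        Packet("aa:bb:cc:dd:ee:ff", "10.1.2.3", "203.0.113.10", 22),
        Packet("00:11:22:33:44:55", "10.1.2.3", "203.0.113.10", 443),
    ):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

Rule order matters: the MAC deny sits above the permits, so the blocked device is refused even on port 443. Because a source MAC is trivially changed by the sender, a MAC filter is a convenience control for known devices, not an authentication mechanism; the IP/port rules and the 802.1x material later in this unit are the stronger controls.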

VPN technologies

Authentication
Tunneling
Encryption

VPN security models

Authentication before connection
Trusted delivery network
Secure VPNs

VPN protocols

PPTP
L2TP
IPSec
SSL/TLS

PPTP vs. L2TP

Encryption
Authentication
Data protocols
Port

IPSec protocols

Authentication Header (AH)
Encapsulating Security Payload (ESP)
IP Payload Compression Protocol (IPComp)
Internet Key Exchange (IKE)

IPSec encryption

Transport mode
Tunnel mode

PPPoE

Encapsulates PPP inside Ethernet frames

Allows users to establish a secure connection from one computer to another

Used to connect multiple users to the Internet through DSL and cable modem connections

Remote desktop services

RDP (Remote Desktop Protocol)
ICA (Independent Computing Architecture)

SSH

Remote command-line access
Server service and client program
Native to Linux distributions
SSH-2
– Transport layer
– User Authentication layer
– Connection layer

Activity A-1

Discussing network access security methods

Topic B

Topic A: Network access security methods

Topic B: User authentication

AAA

Authentication
Authorization
Accounting

Authentication factors

Something you know
Something you have
Something you are

One-factor authentication

Something you know OR something you have OR something you are

Two-factor authentication

Something you know PLUS
– Something you have OR something you are

Three-factor authentication

Something you know + something you have + something you are

Single sign-on

User is authenticated to other resources based on strength of initial sign-on
SSL, LDAP
Windows Live ID, Microsoft Passport, OpenID

Kerberos

Current version is 5
Provides authentication on physically insecure networks
Freely available in U.S. and Canada
Authenticates users over open multi-platform network using single login

Kerberos system components

Principal
Authentication server
Ticket-granting server
Key distribution center
Realm
Remote ticket-granting server

Kerberos data types

Credentials
Session key
Authentication
Ticket
Ticket-granting ticket

Kerberos authentication process

CHAP

EAP

PPP extension
Used in wireless connections
Can use token cards, one-time passwords, certificates, biometrics
Runs over the Data Link layer
Defines formats
– LEAP
– EAP-TLS
– EAP-FAST

PPPoE

PPP encapsulated inside Ethernet frames

Connects multiple users to the Internet

Mutual authentication

Client and server authenticate to each other

Also known as two-way authentication
Trusts the other computer's digital certificate
Can block rogue services

Cryptography

Science of encryption
Encryption = convert to unreadable format
Decryption = convert back to readable format
Algorithm = procedure for encrypting or decrypting
Cipher = encryption & decryption algorithm pair

ROT13 cipher

Keys

Secret information used by cipher
Symmetric = same key for encryption and decryption
Asymmetric = differing keys for encryption and decryption
Key sharing and management issues

Symmetric encryption in action
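The Cryptography, ROT13 cipher, Keys and Symmetric encryption slides above fit in one small program. The following added example (written for this transcript, not part of the course) implements the rotation cipher as the encryption/decryption pair the slides describe: the key is the shift amount, the same key is used in both directions (symmetric), and ROT13 is the special case with key 13, which undoes itself when applied twice. It goes slightly beyond the slide by including a brute-force function: a cipher with only 25 possible keys is broken by trying them all, which is why the key space of a real cipher matters more than the secrecy of the algorithm.

```python
def rotate(text: str, key: int) -> str:
    """Rotation (Caesar) cipher over the 26 ASCII letters.
    The key is the shift; letters wrap around, case is preserved, and any
    character that is not an ASCII letter passes through unchanged."""
    shifted = []
    for ch in text:
        if "A" <= ch <= "Z":
            shifted.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            shifted.append(chr((ord(ch) - ord("a") + key) % 26 + ord("a")))
        else:
            shifted.append(ch)
    return "".join(shifted)


def encrypt(plaintext: str, key: int) -> str:
    """Encryption: readable text to unreadable text under the secret key."""
    return rotate(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """Decryption: the same key, applied in the opposite direction (symmetric cipher)."""
    return rotate(ciphertext, -key)


def rot13(text: str) -> str:
    """ROT13: fixed key 13. Because 13 + 13 = 26, rot13(rot13(x)) == x,
    so one function serves as both encryptor and decryptor."""
    return rotate(text, 13)


def brute_force(ciphertext: str) -> dict:
    """Every candidate plaintext for every possible key (1..25).
    Demonstrates why a 25-key cipher offers no real secrecy: the key
    is recovered by inspection, no matter how secret the algorithm is."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    secret = "Attack at dawn"          # constructed sample message
    c = encrypt(secret, 7)
    print("ciphertext:", c)
    print("decrypted :", decrypt(c, 7))
    print("rot13 twice:", rot13(rot13("Hello, World!")))
    for key, guess in brute_force(c).items():
        print(f"key {key:2d}: {guess}")
```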

Public key cryptography

Asymmetric
Two keys
– What one encrypts, only the other can decrypt
– One kept private
– One shared (public)
Encryption process
Keys mathematically related

Asymmetric encryption in action

Public key cryptography

Mathematically difficult to derive private key from public key

Data encrypted with public key can be decrypted with only private key

Data encrypted with private key can be decrypted with only public key
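The three statements on the public key cryptography slides (keys mathematically related, public-key encryption reversed only by the private key, private-key encryption reversed only by the public key, and the difficulty of deriving one key from the other) can all be checked with textbook RSA on tiny primes. This is an added example, not course material; the primes 61 and 53 and the message 65 are constructed sample values chosen so the arithmetic is easy to follow. The last function shows what "mathematically difficult" means by doing the derivation the easy way on a toy modulus: it factors n by trial division, which is instant here and infeasible for real 2048-bit moduli.

```python
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def generate_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA key generation from two primes.
    The exponents are mathematically related through phi(n) = (p-1)(q-1):
    d is the modular inverse of e, so (m**e)**d == m (mod n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)            # public key, private key


def apply_key(key: Key, value: int) -> int:
    """Modular exponentiation with either key; the same operation is used in both directions."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def rsa_encrypt(public_key: Key, m: int) -> int:
    return apply_key(public_key, m)      # anyone holding the public key can do this


def rsa_decrypt(private_key: Key, c: int) -> int:
    return apply_key(private_key, c)     # only the private key reverses it


def rsa_sign(private_key: Key, m: int) -> int:
    return apply_key(private_key, m)     # "encrypt with the private key"


def rsa_verify(public_key: Key, signature: int, m: int) -> bool:
    return apply_key(public_key, signature) == m   # "decrypt with the public key"


def recover_private_key(public_key: Key) -> Key:
    """Deriving d from (n, e) requires the factors of n. Trial division finds them
    for a toy modulus; for real key sizes this step is what makes RSA secure."""
    n, e = public_key
    p = next(f for f in range(2, n) if n % f == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)
    print("public key :", public)        # (3233, 17)
    print("private key:", private)       # (3233, 2753)
    c = rsa_encrypt(public, 65)
    print("ciphertext :", c)             # 2790
    print("decrypted  :", rsa_decrypt(private, c))
    s = rsa_sign(private, 65)
    print("signature verifies:", rsa_verify(public, s, 65))
    print("wrong key decrypts to:", apply_key(public, c))   # not 65
    print("factoring toy modulus gives:", recover_private_key(public))
```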

Public key infrastructure

Certificate authority (CA)
Registration authority (RA)
Certificate server

Setup and initialization phase

Process components
– Registration
– Key pair generation
– Certificate generation
– Certificate dissemination

RADIUS

Remote Authentication Dial-in User Service

Client = network access server or device (e.g., wireless router)

Server = AAA service provider

RADIUS authentication

1. User connects to NAS

2. RADIUS client requests authentication from server

3. User supplies logon credentials

4. Client encrypts and forwards to server

5. Server authenticates, returns message

6. Client receives message and acts
– Accept
– Reject
– Challenge
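The six steps above are easier to see with both sides written out. The following added example (not course material) simulates the exchange in one process: the NAS acts as the RADIUS client, hides the user's password the way RFC 2865 specifies (MD5 keystream from the shared secret and the random Request Authenticator, XORed over the padded password), and the server answers with Access-Accept, Access-Reject or Access-Challenge. Messages are passed as Python dicts rather than UDP packets, and the shared secret, user store and one-time codes are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample configuration (not from the course material).
SHARED_SECRET = b"example-shared-secret"        # configured on both the NAS and the RADIUS server
USER_DB = {                                      # server-side user store
    "alice": {"password": b"correct horse", "second_factor": None},
    "bob":   {"password": b"hunter2", "second_factor": b"123456"},
}
PENDING_CHALLENGES: Dict[bytes, str] = {}        # State token -> username awaiting a challenge response


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. The password is null-padded to a
    multiple of 16 octets; block i is XORed with MD5(secret + previous block), where the
    'previous block' for the first block is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    pad = (-len(password)) % 16
    if not password:
        pad = 16                                  # an empty password still produces one block
    padded = password + b"\x00" * pad
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                              # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same algorithm; trailing padding nulls are stripped."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_server(request: dict) -> dict:
    """Step 5: the server checks the credentials and returns Accept, Reject or Challenge."""
    username = request["User-Name"]
    user = USER_DB.get(username)
    if user is None:
        return {"code": "Access-Reject"}
    supplied = reveal_password(request["User-Password"], SHARED_SECRET, request["authenticator"])
    state = request.get("State")
    if state is not None:
        # Second round: User-Password now carries the user's answer to the challenge.
        expected = user["second_factor"] or b""
        if PENDING_CHALLENGES.pop(state, None) == username and hmac.compare_digest(supplied, expected):
            return {"code": "Access-Accept"}
        return {"code": "Access-Reject"}
    if not hmac.compare_digest(supplied, user["password"]):
        return {"code": "Access-Reject"}
    if user["second_factor"] is not None:
        token = secrets.token_bytes(8)            # State attribute the client must echo back
        PENDING_CHALLENGES[token] = username
        return {"code": "Access-Challenge", "State": token, "Reply-Message": "Enter one-time code"}
    return {"code": "Access-Accept"}


def nas_authenticate(username: str, password: bytes, one_time_code: Optional[bytes] = None) -> str:
    """Steps 1-4 and 6 from the NAS (RADIUS client) side. Returns the final code the NAS acted on."""
    authenticator = secrets.token_bytes(16)       # fresh random Request Authenticator for every request
    request = {"code": "Access-Request", "User-Name": username,
               "User-Password": hide_password(password, SHARED_SECRET, authenticator),
               "authenticator": authenticator}
    response = radius_server(request)
    if response["code"] == "Access-Challenge":
        if one_time_code is None:
            return "Access-Challenge"             # NAS must prompt the user; nothing more to send here
        authenticator = secrets.token_bytes(16)
        request = {"code": "Access-Request", "User-Name": username,
                   "User-Password": hide_password(one_time_code, SHARED_SECRET, authenticator),
                   "authenticator": authenticator, "State": response["State"]}
        response = radius_server(request)
    return response["code"]


if __name__ == "__main__":
    print("alice, right password :", nas_authenticate("alice", b"correct horse"))
    print("alice, wrong password :", nas_authenticate("alice", b"wrong"))
    print("bob, no OTP supplied  :", nas_authenticate("bob", b"hunter2"))
    print("bob, OTP supplied     :", nas_authenticate("bob", b"hunter2", b"123456"))
```

The slide's "client encrypts" step is this MD5/XOR hiding, which protects the password only as far as the shared secret is strong and secret; it is not encryption of the whole message, which is one of the TACACS+ differences listed later in this topic. The server compares with hmac.compare_digest so that a wrong password is rejected in constant time, and a challenge token is single-use: once consumed, replaying the same State is rejected.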

TACACS+

Terminal Access Controller Access Control System
– TACACS
– XTACACS

AAA functions

TACACS+ vs. RADIUS

TCP rather than UDP
Message body fully encrypted
AAA services provided independently
Flexible
– Username/password, ARA, SLIP, PAP, CHAP, Telnet
Multiprotocol
– TCP/IP, AppleTalk, NetBIOS, Novell Asynchronous Services Interface, X.25

802.1x

Authentication protocol
Device access control
Works with RADIUS and TACACS+
Device roles
– Supplicant (end-user device)
– Authenticator
– Authentication server

Activity B-1

Discussing methods of authenticating users

Unit summary

Explained the methods of ensuring network access security

Explained methods of user authentication