FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed. Chapter 10 Authenticating Users

Chapter 10 - Youngstown State University, people.ysu.edu/~mawelton/CSIS3755/CSIS 3755 - Chapter 10.pdf (Firewalls & Network Security, 2nd ed. - Chapter 10, 44 slides)

Learning Objectives

Explain why authentication is a critical aspect of network security

Explain why firewalls authenticate and how they identify users

Describe user, client, and session authentication

List the advantages and disadvantages of popular centralized authentication systems

Discuss the potential weaknesses of password security systems

Discuss the use of password security tools

Describe common authentication protocols used by firewalls

Slide 2 Firewalls & Network Security, 2nd ed. - Chapter 10

The Authentication Process in General

The act of verifying the identity a user claims and then providing network services to that user on the basis of the verified identity

Two forms

– Local authentication

– Centralized authentication service (often uses two-factor authentication)

How Firewalls Implement the Authentication Process

1. Client makes request to access a resource

2. Firewall intercepts the request and prompts the user for name and password

3. User submits information to firewall

4. Firewall verifies the credentials (locally or through a centralized authentication server); the user is now authenticated

5. Request is checked against firewall’s rule base

6. If request matches an existing allow rule, user is granted access; otherwise the request is dropped (default deny)

7. User accesses desired resources

How Firewalls Implement the Authentication Process (continued)

Firewall Authentication Methods

User authentication

Client authentication

Session authentication

User Authentication

Basic authentication; user supplies a username and password to access networked resources

Users who legitimately need access to your internal servers must be added to your access control lists (ACLs)

User Authentication (continued)

Client Authentication

Same as user authentication but with additional time-limit or usage-limit restrictions

When configuring, set up one of two types of authentication systems

– Standard sign-on system

– Specific sign-on system

Client Authentication (continued)

Session Authentication

Required any time the client establishes a session with a server or other networked resource
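Added example (not code from the textbook, from Check Point FireWall-1 or from any other firewall): a toy Python model of the seven-step flow on the "How Firewalls Implement the Authentication Process" slide, with the three firewall authentication methods modelled as the scope of a successful sign-on. User authentication re-checks credentials on every request, client authentication records one sign-on per source address that is bounded by a time limit and a usage limit, and session authentication records one sign-on per session. The usernames, password, addresses, destinations, rule base and the limits of one hour and five uses are assumptions made for the demonstration; the credential store keeps a salted PBKDF2 hash rather than the password.

```python
"""Added example, not from the textbook or any firewall product: a toy model of the
seven-step firewall authentication flow and of user, client and session authentication.
All names, passwords, addresses, rules and limits are constructed for the demonstration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def make_record(password: str, iterations: int = 100_000) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}

def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])   # constant-time comparison

@dataclass
class Rule:
    users: frozenset          # usernames the rule applies to; "*" means any authenticated user
    dest: str
    service: str
    action: str               # "allow" or "deny"

@dataclass
class Grant:                  # a completed sign-on that later requests may reuse
    user: str
    expires_at: float
    uses_left: int

@dataclass
class Firewall:
    users: dict               # username -> credential record
    rules: list               # ordered rule base: first match wins, no match means deny
    client_ttl: float = 3600.0                           # assumed client-auth time limit
    client_max_uses: int = 5                             # assumed client-auth usage limit
    client_grants: dict = field(default_factory=dict)    # source IP -> Grant
    session_grants: dict = field(default_factory=dict)   # session id -> username

    def authenticate(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify(record, password)

    def check_rules(self, user: str, dest: str, service: str) -> bool:
        for rule in self.rules:
            if ("*" in rule.users or user in rule.users) and rule.dest == dest and rule.service == service:
                return rule.action == "allow"
        return False                                     # default deny

    def request(self, mode, src_ip, session_id, dest, service, creds=None, now=0.0) -> str:
        """Steps 1-7 of the slide; returns 'auth-failed', 'denied' or 'allowed'."""
        user = None
        if mode == "user":                               # credentials checked on every request
            if creds and self.authenticate(*creds):
                user = creds[0]
        elif mode == "client":                           # one sign-on per source IP, time and use limited
            grant = self.client_grants.get(src_ip)
            if grant and grant.expires_at > now and grant.uses_left > 0:
                grant.uses_left -= 1
                user = grant.user
            elif creds and self.authenticate(*creds):
                user = creds[0]
                self.client_grants[src_ip] = Grant(user, now + self.client_ttl, self.client_max_uses - 1)
        elif mode == "session":                          # one sign-on per session, independent of address
            user = self.session_grants.get(session_id)
            if user is None and creds and self.authenticate(*creds):
                user = creds[0]
                self.session_grants[session_id] = user
        if user is None:
            return "auth-failed"                         # step 4 failed: the rule base is never consulted
        return "allowed" if self.check_rules(user, dest, service) else "denied"

def demo() -> list:
    """Constructed walk-through; each comment states the outcome the request produces."""
    pw = "correct horse battery staple"
    fw = Firewall(users={"alice": make_record(pw)},
                  rules=[Rule(frozenset({"alice"}), "intranet", "http", "allow"),
                         Rule(frozenset({"*"}), "mail", "smtp", "deny")])
    t0 = 1_000_000.0
    return [
        fw.request("user", "10.0.0.5", "s1", "intranet", "http", ("alice", "wrong"), t0),  # auth-failed
        fw.request("user", "10.0.0.5", "s1", "intranet", "http", ("alice", pw), t0),       # allowed
        fw.request("user", "10.0.0.5", "s1", "mail", "smtp", ("alice", pw), t0),           # denied by rule
        fw.request("user", "10.0.0.5", "s1", "db", "sql", ("alice", pw), t0),              # denied, no rule
        fw.request("client", "10.0.0.5", "s2", "intranet", "http", ("alice", pw), t0),     # allowed, grant made
        fw.request("client", "10.0.0.5", "s2", "intranet", "http", None, t0 + 10),         # allowed, grant reused
        fw.request("client", "10.0.0.5", "s2", "intranet", "http", None, t0 + 7200),       # auth-failed, expired
        fw.request("session", "10.0.0.6", "s3", "intranet", "http", ("alice", pw), t0),    # allowed
        fw.request("session", "10.0.0.6", "s3", "intranet", "http", None, t0),             # allowed, same session
        fw.request("session", "10.0.0.6", "s4", "intranet", "http", None, t0),             # auth-failed, new session
    ]
```

The point to take from the walk-through is the order of the two checks: authentication failures never reach the rule base, and a successful authentication does not by itself grant anything, since the rule base is consulted afterwards and denies anything it does not explicitly allow. The client-authentication grant is keyed on the source address, which is why the slides attach time and usage limits to it: anyone who can send from that address inherits the grant until it expires.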

Comparison of Authentication Methods

Centralized Authentication

Centralized server maintains all authorizations for users regardless of where the user is located and how the user connects to the network

Most common methods

– Kerberos

– TACACS+ (Terminal Access Controller Access Control System Plus)

– RADIUS (Remote Authentication Dial-In User Service)

Process of Centralized Authentication

Kerberos

Provides authentication and encryption through standard clients and servers

Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources

Used internally for domain logon on Windows 2000/XP and later

Advantages

– Passwords never cross the network; the client and the KDC hold only keys derived from them, and application servers see tickets rather than passwords

– Widely used in UNIX environment; enables authentication across operating systems
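Added example, not from the textbook and not code from MIT Kerberos, Heimdal or Windows: a miniature Kerberos-style exchange in Python that walks through the AS, TGS and AP exchanges to show why the password never crosses the network and why the KDC holds only keys derived from it. The ticket sealing is an illustrative encrypt-then-MAC built from HMAC-SHA256 that stands in for the real AES-based encryption types; the principal names, realm, password, service key, ticket lifetime and clock-skew window are assumptions made for the demonstration.

```python
"""Added example, not from the textbook or any Kerberos implementation: AS, TGS and AP
exchanges with a KDC that stores derived keys only. Sealing is illustrative HMAC-based
encrypt-then-MAC; names, password, keys, lifetime and skew are constructed for the demo."""
import hashlib
import hmac
import json
import os

def string2key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password; Kerberos salts with realm and name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Illustrative authenticated encryption: XOR with an HMAC keystream, then an HMAC tag."""
    msg, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Holds derived keys only; issues ticket-granting tickets and service tickets."""
    def __init__(self, accounts: dict, services: dict, lifetime: float = 8 * 3600):
        self.keys = {p: string2key(pw, p) for p, pw in accounts.items()}   # passwords discarded here
        self.keys.update(services)                 # service long-term keys (their keytabs)
        self.tgt_key = os.urandom(32)              # the krbtgt key never leaves the KDC
        self.lifetime = lifetime

    def as_exchange(self, client: str, now: float) -> bytes:
        """AS-REP: readable only by whoever can derive the client's key from the password."""
        k_c_tgs = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"client": client, "key": k_c_tgs, "expires": now + self.lifetime})
        return seal(self.keys[client], {"key": k_c_tgs, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """TGS-REP: the client proves it holds the TGT session key and gets a service ticket."""
        t = unseal(self.tgt_key, tgt)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if t["expires"] < now or auth["client"] != t["client"] or abs(auth["time"] - now) > 300:
            raise ValueError("TGT expired or authenticator invalid")
        k_c_s = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": k_c_s, "expires": now + self.lifetime})
        return seal(bytes.fromhex(t["key"]), {"key": k_c_s, "ticket": ticket.hex()})

class Service:
    """A kerberised server (here, the firewall): it can open only tickets sealed with its own key."""
    def __init__(self, key: bytes):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if t["expires"] < now or auth["client"] != t["client"] or abs(auth["time"] - now) > 300:
            raise ValueError("ticket expired or authenticator invalid")
        if (auth["client"], auth["time"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["time"]))
        return t["client"]

def setup():
    fw_key = os.urandom(32)                        # constructed service key shared with the KDC
    kdc = KDC({"alice@EXAMPLE.ORG": "correct horse battery staple"}, {"host/fw.example.org": fw_key})
    return kdc, Service(fw_key)

def login_and_access(kdc: KDC, fw: Service, password: str, now: float):
    """Client side. Returns (authenticated name, ticket, authenticator); raises on failure."""
    me, svc = "alice@EXAMPLE.ORG", "host/fw.example.org"
    k_c = string2key(password, me)                            # the password is used locally only
    as_rep = unseal(k_c, kdc.as_exchange(me, now))            # a wrong password cannot open the reply
    k_c_tgs, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(k_c_tgs, kdc.tgs_exchange(tgt, seal(k_c_tgs, {"client": me, "time": now}), svc, now))
    k_c_s, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    authenticator = seal(k_c_s, {"client": me, "time": now})
    return fw.ap_exchange(ticket, authenticator, now), ticket, authenticator

def attempt(fn) -> str:
    """Run one step and report either acceptance or the rejection reason."""
    try:
        fn()
        return "accepted"
    except ValueError as exc:
        return str(exc)

def demo() -> dict:
    kdc, fw = setup()
    now = 1_700_000_000.0
    name, ticket, authenticator = login_and_access(kdc, fw, "correct horse battery staple", now)
    return {"login": name,
            "wrong_password": attempt(lambda: login_and_access(kdc, fw, "wrong password", now)),
            "replay": attempt(lambda: fw.ap_exchange(ticket, authenticator, now))}
```

Three properties of the slide's "passwords are not stored" advantage are visible in the code: the KDC constructor throws the password away after deriving a key, a wrong password fails on the client side because the AS reply cannot be opened rather than because a password was compared anywhere, and a captured ticket plus authenticator is rejected by the service's replay cache on its second use.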

Kerberos Authentication

TACACS+

Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems); runs over TCP

Provides AAA services

– Authentication

– Authorization

– Accounting (the audit trail of who did what and when)

Obfuscates the whole packet body with an MD5-derived keystream and a shared secret; RFC 8907 does not regard this as encryption, so the connection itself should be protected by other means

RADIUS

Centralized dial-in authentication service that uses UDP (ports 1812 for authentication and 1813 for accounting)

Transmits authentication packets in the clear except for the User-Password attribute, which is hidden with an MD5 keystream derived from the shared secret and the request authenticator

Provides lower level of security than TACACS+ but more widely supported
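Added example, not from the textbook and not from any RADIUS or TACACS+ implementation: the two confidentiality mechanisms behind the "strength of security" comparison on the TACACS+ and RADIUS slides, written out in Python from RFC 2865 section 5.2 (RADIUS User-Password hiding) and RFC 8907 section 4.5 (TACACS+ body obfuscation). Both are XORs with an MD5-derived keystream; the difference that matters is scope, one attribute versus the whole packet body. The shared secrets, request authenticator, session id, sequence number and packet contents are constructed for the demonstration.

```python
"""Added example, not from the textbook or any AAA implementation: RADIUS User-Password
hiding (RFC 2865 s5.2) and TACACS+ body obfuscation (RFC 8907 s4.5) side by side.
Secrets, authenticator, session id and packet contents are constructed for the demo."""
import hashlib
import os

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-octet blocks; b1 = MD5(S+RA), b(i) = MD5(S+c(i-1)); c(i) = p(i) XOR b(i)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + c, c
    return out

def radius_unhide_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse: block i's keystream depends on ciphertext block i-1, so decoding chains on c."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, _md5(secret, prev))), c
    return out.rstrip(b"\x00")          # strips the padding (and any trailing NULs in the password)

def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """pseudo_pad = MD5_1 || MD5_2 || ..., MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1);
    body XOR pseudo_pad. XOR is its own inverse, so the same call de-obfuscates."""
    sid, ver, seq = session_id.to_bytes(4, "big"), bytes([version]), bytes([seq_no])
    pad, chunk = b"", b""
    while len(pad) < len(body):
        chunk = _md5(sid, key, ver, seq, chunk)
        pad += chunk
    return bytes(x ^ y for x, y in zip(body, pad))

def demo() -> dict:
    """Constructed exchange: one RADIUS Access-Request password and one TACACS+ body."""
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)                                   # Request Authenticator: random per request
    hidden = radius_hide_password(secret, ra, b"hunter2!!")
    # Every other RADIUS attribute (User-Name, NAS-IP-Address, ...) travels in the clear.
    body = b"alice\x00console\x00hunter2!!"               # constructed stand-in for a START body
    sid, version, seq = 0x12345678, 0xC0, 1               # TACACS+ major 12, minor 0; first packet
    obf = tacacs_obfuscate(b"tacacs-key", sid, version, seq, body)
    return {
        "radius_len": len(hidden),                        # 16: one padded block
        "radius_roundtrip": radius_unhide_password(secret, ra, hidden) == b"hunter2!!",
        "radius_wrong_secret": radius_unhide_password(b"other", ra, hidden) == b"hunter2!!",
        "tacacs_roundtrip": tacacs_obfuscate(b"tacacs-key", sid, version, seq, obf) == body,
        "tacacs_wrong_seq": tacacs_obfuscate(b"tacacs-key", sid, version, 2, obf) == body,
        "tacacs_hides_body": b"alice" in obf,
    }
```

Two things to notice when reading captures: in RADIUS the username and every other attribute are readable without the secret, and the password keystream is a function of the shared secret and a 16-byte request authenticator, so a weak secret is exposed to offline guessing from a single captured request. In TACACS+ the keystream also depends on the session id and sequence number, which is why the same body obfuscated in packet 2 of a session looks nothing like packet 1, but an attacker holding the key can still strip it, and nothing in either scheme authenticates the packet contents.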

TACACS+ and RADIUS Compared

Strength of security

Filtering characteristics

Proxy characteristics

NAT characteristics

Strength of Security

Filtering Characteristics

Proxy Characteristics

RADIUS

– Doesn't work with generic proxy systems, but a RADIUS server can function as a proxy server

TACACS+

– Works with generic proxy systems

NAT Characteristics

RADIUS

– Doesn’t work with NAT

TACACS+

– Should work through NAT systems

Password Security Issues

Passwords that can be cracked (accessed by an unauthorized user)

Password vulnerabilities

Lax security habits

Passwords That Can Be Cracked

Ways to crack passwords

– Find a way to authenticate without knowing the password

– Uncover password from system that holds it

– Guess the password

To avoid the issue

– Protect passwords effectively

– Observe security habits

Password Vulnerabilities

Built-in vulnerabilities

– Often easy to guess

– Often stored visibly

– Social engineering

To avoid the issues

– Choose complicated passwords

– Memorize passwords

– Never give passwords out to anyone

Lax Security Habits

To maintain some level of integrity, draw up a formal Memorandum of Understanding (MOU)

Password Security Tools

One-time password software

Shadow password system

One-Time Password Software

Password is generated using a secret key

Password is used only once, when the user authenticates

Different passwords are used for each authentication session

Types

– Challenge-response passwords

– Password list passwords

Shadow Password System

A feature of Linux and other UNIX-like systems that moves password hashes out of the world-readable /etc/passwd into a separate file, /etc/shadow, that only root can read

Passwords are stored only as the output of a one-way hash computed over the password and a randomly generated salt; the original password is never kept, and the salt ensures that two users with the same password get different stored values

Other Authentication Systems

Single-password systems

One-time password systems

Certificate-based authentication

802.1x Wi-Fi authentication

Single-Password Systems

Operating system password

Internal firewall password

One-Time Password Systems

Single Key (S/Key)

SecurID

Axent Pathways Defender

Single Key (S/Key)

Uses multiple-word rather than single-word passwords (each one-time password is encoded as six short words)

– User specifies a single-word secret password and the number of times, n, it is to be hashed

– Password, combined with a per-user seed, is processed by a hash function n times; the server stores only the result, and each login reveals the previous element of the chain, which the server verifies with one more hash

Never stores original password on the server
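Added example, not from the textbook or from the S/Key software: the hash chain behind the S/Key slide, written in Python, which also covers the "password list" type of one-time password on the One-Time Password Software slide. Enrolment stores the n-th hash of seed||secret; the i-th login reveals the (n-i)-th hash, which the server checks with a single hash and then keeps as its new reference. S/Key proper uses MD4 or MD5 folded to 64 bits and encodes the result as six words; this example keeps the raw SHA-256 digest and omits the word encoding. The user, seed, count and secret are constructed for the demonstration.

```python
"""Added example, not from the textbook or the S/Key software: a hash-chain one-time
password scheme. User, seed, count and secret are constructed for the demonstration."""
import hashlib
import hmac

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(secret: str, seed: str, n: int) -> bytes:
    """h applied n times to seed||secret: what the client sends when challenged with count n."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = h(x)
    return x

class SKeyServer:
    def __init__(self, user: str, seed: str, n: int, secret: str):
        # Enrolment: the server keeps h^n only; the secret is not retained past this line.
        self.db = {user: {"seed": seed, "count": n, "last": chain(secret, seed, n)}}

    def challenge(self, user: str):
        """Sent in the clear, e.g. '99 fw12345': the count to hash to, and the seed."""
        rec = self.db[user]
        return rec["count"] - 1, rec["seed"]

    def verify(self, user: str, otp: bytes) -> bool:
        rec = self.db[user]
        if rec["count"] <= 1:
            return False                       # chain exhausted: the user must re-enrol
        if hmac.compare_digest(h(otp), rec["last"]):
            rec["count"] -= 1                  # after this, replaying otp fails: h(otp) != otp
            rec["last"] = otp
            return True
        return False

def client_response(secret: str, count: int, seed: str) -> bytes:
    """Client side: needs only the secret and the clear-text challenge."""
    return chain(secret, seed, count)

def demo() -> list:
    secret = "correct horse battery staple"
    srv = SKeyServer("alice", "fw12345", 100, secret)
    results = []
    count, seed = srv.challenge("alice")                    # (99, "fw12345")
    otp = client_response(secret, count, seed)
    results.append(srv.verify("alice", otp))                # True: h(h^99) == stored h^100
    results.append(srv.verify("alice", otp))                # False: replaying a used OTP
    count, seed = srv.challenge("alice")
    results.append(count)                                   # 98
    results.append(srv.verify("alice", client_response("wrong secret", count, seed)))   # False
    results.append(srv.verify("alice", client_response(secret, count, seed)))           # True
    return results
```

The server-side record is the whole security argument: holding h^100 lets an attacker verify a guess of the secret but not compute h^99, because h is one-way, and once h^99 has been used it is stored as the new reference, so a captured response is worthless. The chain is finite, which is why the count decreases and the user must re-enrol before it reaches one.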

SecurID

Uses two-factor authentication

– Physical object

– Piece of knowledge

Most frequently used one-time password solution with FireWall-1

SecurID Tokens

Axent Pathways Defender

Uses two-factor authentication and a challenge-response system

Certificate-Based Authentication

FireWall-1 supports the use of digital certificates to authenticate users

Organization sets up a public key infrastructure (PKI) whose certification authority (CA) issues certificates to users

– User holds a private key and a certificate, signed by the CA, that binds the matching public key to the user's identity

– To authenticate, the user signs a challenge from the server with the private key; the server verifies the signature with the public key in the certificate and verifies the CA's signature on the certificate itself, so a user who can produce a valid signature must hold the private key

802.1x Wi-Fi Authentication

Port-based network access control for Ethernet, including wireless Ethernet connections

Not supported by FireWall-1

802.1x protocol provides for authentication of users on wireless networks before the port carries any other traffic

Wi-Fi uses Extensible Authentication Protocol (EAP), carried by 802.1x between the client (supplicant) and the access point (authenticator), which usually relays it to a RADIUS server

Wireless Authentication

Chapter Summary

Overview of authentication and its importance to network security

How and why firewalls perform authentication services

Types of authentication performed by firewalls

– User

– Client

– Session

Chapter Summary (continued)

Generally, users supply:

– Something they have (such as a smart card) or

– Something they know (such as a password) or

– Both

Latest authentication systems measure or evaluate a physical attribute, such as a fingerprint or voiceprint

Chapter Summary (continued)

In a centralized authentication system:

– Firewall works with an authentication server

– Authentication server handles

• Username and password maintenance/generation

• Login requests

• Auditing

Examples of centralized authentication systems:

– Kerberos

– TACACS+

– RADIUS

Chapter Summary (continued)

Passwords

– Important part of virtually every authentication system

– Take one of two general forms:

• Single-word

– User password compared against database of passwords; access granted if match is made

– Vulnerable to ability of hackers to determine passwords, to user error, and to bad security habits

• One-time passwords

– Generated dynamically each time user attempts to log on to network

– Secret key used to generate single- or multiple-word password
